FortiOS 7.0.9 CLI Reference

CLI Reference
FortiOS 7.0.9
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdoc@fortinet.com
December 06, 2022

FortiOS 7.0.9 CLI Reference
01-709-709094-20221206
TABLE OF CONTENTS
Change Log 19
FortiOS CLI reference 20
Availability of commands and options 20
Command tree 20
CLI configuration commands 22
alertemail 23
config alertemail setting 23
antivirus 30
config antivirus profile 30
config antivirus quarantine 58
config antivirus settings 63
application 65
config application custom 65
config application group 66
config application list 67
config application name 76
config application rule-settings 78
authentication 79
config authentication rule 79
config authentication scheme 81
config authentication setting 83
certificate 86
config certificate ca 86
config certificate crl 87
config certificate local 89
config certificate remote 92
dlp 94
config dlp filepattern 94
config dlp fp-doc-source 97
config dlp sensitivity 100
config dlp sensor 101
config dlp settings 106
dnsfilter 108
config dnsfilter domain-filter 108
config dnsfilter profile 109
dpdk 115
config dpdk cpus 115
config dpdk global 116
emailfilter 119
config emailfilter block-allow-list 119
config emailfilter bword 121
config emailfilter dnsbl 123
config emailfilter fortishield 124
config emailfilter iptrust 125
FortiOS 7.0.9 CLI Reference 3

Fortinet Inc.
config emailfilter mheader 126
config emailfilter options 128
config emailfilter profile 128
endpoint-control 136
config endpoint-control fctems 136
extender 141
config extender extender-info 141
config extender lte-carrier-by-mcc-mnc 141
config extender lte-carrier-list 142
config extender modem-status 142
config extender session-info 142
config extender sys-info 142
extender-controller 144
config extender-controller dataplan 144
config extender-controller extender-profile 147
config extender-controller extender 158
file-filter 162
config file-filter profile 162
firewall 165
config firewall DoS-policy 167
config firewall DoS-policy6 169
config firewall access-proxy-ssh-client-cert 172
config firewall access-proxy-virtual-host 174
config firewall access-proxy 175
config firewall access-proxy6 196
config firewall acl 217
config firewall acl6 219
config firewall address 220
config firewall address6-template 225
config firewall address6 227
config firewall addrgrp 230
config firewall addrgrp6 232
config firewall auth-portal 234
config firewall central-snat-map 234
config firewall city 237
config firewall country 237
config firewall decrypted-traffic-mirror 238
config firewall dnstranslation 239
config firewall identity-based-route 240
config firewall interface-policy 241
config firewall interface-policy6 244
config firewall internet-service-addition 247
config firewall internet-service-append 248
config firewall internet-service-botnet 249
config firewall internet-service-custom-group 249
config firewall internet-service-custom 250
config firewall internet-service-definition 251
config firewall internet-service-extension 253
config firewall internet-service-group 256

Fortinet Inc.
config firewall internet-service-ipbl-reason 257
config firewall internet-service-ipbl-vendor 257
config firewall internet-service-list 258
config firewall internet-service-name 258
config firewall internet-service-owner 259
config firewall internet-service-reputation 260
config firewall internet-service-sld 260
config firewall internet-service 261
config firewall ip-translation 263
config firewall ipmacbinding setting 263
config firewall ipmacbinding table 264
config firewall ippool 265
config firewall ippool6 269
config firewall iprope appctrl list 270
config firewall iprope appctrl status 271
config firewall iprope list 271
config firewall ipv6-eh-filter 271
config firewall ldb-monitor 273
config firewall local-in-policy 275
config firewall local-in-policy6 277
config firewall multicast-address 279
config firewall multicast-address6 280
config firewall multicast-policy 281
config firewall multicast-policy6 284
config firewall policy 286
config firewall profile-group 304
config firewall profile-protocol-options 306
config firewall proute 330
config firewall proute6 331
config firewall proxy-address 331
config firewall proxy-addrgrp 334
config firewall proxy-policy 336
config firewall region 343
config firewall schedule group 344
config firewall schedule onetime 345
config firewall schedule recurring 346
config firewall security-policy 347
config firewall service category 354
config firewall service custom 355
config firewall service group 359
config firewall shaper per-ip-shaper 360
config firewall shaper per-ip 362
config firewall shaper traffic-shaper 362
config firewall shaper traffic 364
config firewall shaping-policy 365
config firewall shaping-profile 369
config firewall sniffer 371
config firewall ssh host-key 377
config firewall ssh local-ca 379

Fortinet Inc.
config firewall ssh local-key 380
config firewall ssh setting 380
config firewall ssl-server 381
config firewall ssl-ssh-profile 384
config firewall ssl setting 412
config firewall traffic-class 414
config firewall ttl-policy 415
config firewall vendor-mac-summary 416
config firewall vendor-mac 416
config firewall vip 417
config firewall vip6 447
config firewall vipgrp 477
config firewall vipgrp6 478
config firewall wildcard-fqdn custom 479
config firewall wildcard-fqdn group 480
ftp-proxy 481
config ftp-proxy explicit 481
hardware 483
config hardware cpu 483
config hardware memory 483
config hardware nic 483
config hardware npu np6 dce 484
config hardware npu np6 ipsec-stats 485
config hardware npu np6 port-list 486
config hardware npu np6 session-stats 487
config hardware npu np6 sse-stats 488
config hardware npu np6 synproxy-stats 489
config hardware status 489
icap 490
config icap profile 490
config icap server 495
ips 497
config ips custom 497
config ips decoder 499
config ips global 499
config ips rule-settings 503
config ips rule 503
config ips sensor 506
config ips session 510
config ips settings 511
config ips view-map 511
ipsec 513
config ipsec tunnel 513
log 514
config log custom-field 515
config log disk filter 516
config log disk setting 519
config log eventfilter 525

Fortinet Inc.
config log fortianalyzer-cloud filter 527
config log fortianalyzer-cloud override-filter 531
config log fortianalyzer-cloud override-setting 534
config log fortianalyzer-cloud setting 535
config log fortianalyzer2 filter 538
config log fortianalyzer2 override-filter 542
config log fortianalyzer2 override-setting 545
config log fortianalyzer2 setting 549
config log fortianalyzer3 filter 553
config log fortianalyzer3 override-filter 556
config log fortianalyzer3 override-setting 560
config log fortianalyzer3 setting 564
config log fortianalyzer filter 568
config log fortianalyzer override-filter 571
config log fortianalyzer override-setting 574
config log fortianalyzer setting 578
config log fortiguard filter 582
config log fortiguard override-filter 585
config log fortiguard override-setting 589
config log fortiguard setting 590
config log gui-display 593
config log memory filter 594
config log memory global-setting 597
config log memory setting 598
config log null-device filter 598
config log null-device setting 601
config log setting 602
config log syslogd2 filter 606
config log syslogd2 override-filter 609
config log syslogd2 override-setting 612
config log syslogd2 setting 616
config log syslogd filter 648
config log syslogd override-filter 651
config log syslogd override-setting 654
config log syslogd setting 658
config log tacacs+accounting2 filter 662
config log tacacs+accounting2 setting 663
config log tacacs+accounting3 filter 663
config log tacacs+accounting3 setting 664
config log tacacs+accounting filter 665
config log tacacs+accounting setting 666

Fortinet Inc.
config log threat-weight 666
config log webtrends filter 677
config log webtrends setting 680
mgmt-data 681
config mgmt-data status 681
monitoring 682
config monitoring np6-ipsec-engine 682
config monitoring npu-hpe 683
nsxt 685
config nsxt service-chain 685
config nsxt setting 687
report 688
config report layout 688
config report setting 696
config report sql status 698
router 699
config router access-list 699
config router access-list6 701
config router aspath-list 702
config router auth-path 703
config router bfd 703
config router bfd6 705
config router bgp 706
config router community-list 748
config router info 749
config router info6 749
config router isis 749
config router key-chain 763
config router multicast-flow 764
config router multicast 765
config router multicast6 774
config router ospf 776
config router ospf6 792
config router policy 807
config router policy6 810
config router prefix-list 812
config router prefix-list6 813
config router rip 814
config router ripng 821
config router route-map 827
config router setting 833
config router static 833
config router static6 836
sctp-filter 839
config sctp-filter profile 839
ssh-filter 841
config ssh-filter profile 841
switch-controller 844

Fortinet Inc.
config switch-controller 802-1X-settings 845
config switch-controller auto-config custom 847
config switch-controller auto-config default 848
config switch-controller auto-config policy 849
config switch-controller custom-command 851
config switch-controller dsl link-time 852
config switch-controller dsl pkt-count 853
config switch-controller dsl pm-line-curr 854
config switch-controller dsl policy 855
config switch-controller dsl rate 857
config switch-controller dsl status 858
config switch-controller dsl summary 859
config switch-controller dsl version 860
config switch-controller dynamic-port-policy 861
config switch-controller flow-tracking 864
config switch-controller fortilink-settings 867
config switch-controller global 869
config switch-controller igmp-snooping 873
config switch-controller initial-config template 874
config switch-controller initial-config vlans 876
config switch-controller lldp-profile 877
config switch-controller lldp-settings 882
config switch-controller location 883
config switch-controller mac-policy 888
config switch-controller managed-switch 890
config switch-controller network-monitor-settings 925
config switch-controller ptp policy 926
config switch-controller ptp settings 927
config switch-controller qos dot1p-map 928
config switch-controller qos ip-dscp-map 932
config switch-controller qos qos-policy 934
config switch-controller qos queue-policy 936
config switch-controller quarantine 939
config switch-controller remote-log 940
config switch-controller security-policy 802-1X 943
config switch-controller security-policy local-access 946
config switch-controller sflow 948
config switch-controller snmp-community 949
config switch-controller snmp-sysinfo 952
config switch-controller snmp-trap-threshold 953
config switch-controller snmp-user 954
config switch-controller storm-control-policy 956
config switch-controller storm-control 958
config switch-controller stp-instance 960
config switch-controller stp-settings 961
config switch-controller switch-group 962
config switch-controller switch-interface-tag 963
config switch-controller switch-log 964
config switch-controller switch-profile 966

Fortinet Inc.
config switch-controller system 967
config switch-controller traffic-policy 969
config switch-controller traffic-sniffer 971
config switch-controller virtual-port-pool 973
config switch-controller vlan-policy 974
system 976
config system 3g-modem custom 980
config system accprofile 981
config system acme 991
config system admin 992
config system affinity-interrupt 999
config system affinity-packet-redistribution 1000
config system alarm 1001
config system alias 1004
config system api-user 1005
config system arp-table 1006
config system arp 1007
config system auto-install 1007
config system auto-script 1008
config system auto-update status 1009
config system auto-update versions 1009
config system automation-action 1009
config system automation-destination 1014
config system automation-stitch 1015
config system automation-trigger 1016
config system autoupdate schedule 1020
config system autoupdate tunneling 1021
config system bypass 1022
config system central-management 1024
config system central-mgmt 1029
config system checksum status 1029
config system cluster-sync 1029
config system cmdb 1032
config system console 1032
config system csf 1033
config system custom-language 1038
config system ddns 1038
config system dedicated-mgmt 1041
config system dhcp6 server 1042
config system dhcp server 1046
config system dnp3-proxy 1058
config system dns-database 1060
config system dns-server 1063
config system dns 1064
config system dns64 1066
config system dscp-based-priority 1067
config system dsl status 1068
config system elbc 1069
config system email-server 1070

Fortinet Inc.
config system external-resource 1072
config system federated-upgrade 1074
config system fips-cc 1077
config system fortianalyzer-connectivity 1078
config system fortiguard-log-service 1078
config system fortiguard-service 1078
config system fortiguard 1078
config system fortindr 1086
config system fortisandbox 1087
config system fsso-polling 1089
config system ftm-push 1089
config system geneve 1090
config system geoip-country 1091
config system geoip-override 1092
config system global 1093
config system gre-tunnel 1144
config system ha-monitor 1147
config system ha-nonsync-csum 1147
config system ha 1147
config system ike 1160
config system info admin ssh 1174
config system info admin status 1174
config system interface 1174
config system ip-conflict status 1233
config system ipam 1233
config system ipip-tunnel 1234
config system ips-urlfilter-dns 1235
config system ips-urlfilter-dns6 1236
config system ips 1236
config system ipsec-aggregate 1237
config system ipv6-neighbor-cache 1238
config system ipv6-tunnel 1238
config system isf-queue-profile 1240
config system link-monitor 1242
config system lldp network-policy 1247
config system lte-modem 1255
config system mac-address-table 1260
config system management-tunnel 1260
config system mgmt-csum 1262
config system mobile-tunnel 1262
config system modem 1265
config system nd-proxy 1272
config system netflow 1272
config system network-visibility 1274
config system np6 1275
config system np6xlite 1288
config system npu-setting prp 1300
config system npu-vlink 1301
config system npu 1302

Fortinet Inc.
config system ntp 1357
config system object-tagging 1360
config system password-policy-guest-admin 1361
config system password-policy 1363
config system performance firewall packet-distribution 1365
config system performance firewall statistics 1365
config system performance status 1365
config system performance top 1366
config system physical-switch 1366
config system pppoe-interface 1367
config system probe-response 1369
config system proxy-arp 1370
config system ptp 1371
config system replacemsg-group 1373
config system replacemsg-image 1385
config system replacemsg admin 1386
config system replacemsg alertmail 1387
config system replacemsg auth 1388
config system replacemsg automation 1389
config system replacemsg fortiguard-wf 1390
config system replacemsg ftp 1390
config system replacemsg http 1391
config system replacemsg icap 1392
config system replacemsg mail 1393
config system replacemsg nac-quar 1394
config system replacemsg spam 1395
config system replacemsg sslvpn 1396
config system replacemsg traffic-quota 1396
config system replacemsg utm 1397
config system replacemsg webproxy 1398
config system resource-limits 1399
config system saml 1402
config system sdn-connector 1405
config system sdwan 1414
config system session-helper-info list 1434
config system session-helper 1434
config system session-info expectation 1435
config system session-info full-stat 1436
config system session-info list 1436
config system session-info statistics 1436
config system session-info ttl 1436
config system session-ttl 1436
config system session 1437
config system session6 1438
config system settings 1438
config system sflow 1459
config system sit-tunnel 1460
config system smc-ntp 1462
config system sms-server 1463

Fortinet Inc.
config system snmp community 1464
config system snmp sysinfo 1471
config system snmp user 1473
config system source-ip status 1479
config system speed-test-schedule 1479
config system speed-test-server 1481
config system sso-admin 1483
config system sso-forticloud-admin 1483
config system standalone-cluster 1484
config system startup-error-log 1485
config system status 1485
config system storage 1485
config system stp 1487
config system switch-interface 1488
config system tos-based-priority 1490
config system vdom-dns 1491
config system vdom-exception 1493
config system vdom-link 1495
config system vdom-netflow 1496
config system vdom-property 1497
config system vdom-radius-server 1498
config system vdom-sflow 1499
config system vdom 1500
config system virtual-switch 1501
config system virtual-wire-pair 1503
config system vne-tunnel 1504
config system vxlan 1505
config system wccp 1506
config system wireless ap-status 1510
config system wireless detected-ap 1512
config system wireless settings 1513
config system zone 1516
test 1518
config test acd 1520
config test acsd 1520
config test autod 1520
config test awsd 1521
config test azd 1521
config test bfd 1521
config test chlbd 1522
config test confsyncd 1523
config test confsynchbd 1524
config test csfd 1524
config test ddnscd 1525
config test dhcp6c 1525
config test dhcp6r 1525
config test dhcprelay 1526
config test dlpfingerprint 1526
config test dlpfpcache 1527

Fortinet Inc.
config test dnsproxy 1528
config test dsd 1528
config test fas 1528
config test fcnacd 1529
config test fds_notify 1529
config test fnbamd 1529
config test forticldd 1530
config test forticron 1530
config test fsd 1530
config test fsvrd 1531
config test gcpd 1531
config test harelay 1531
config test hasync 1532
config test hatalk 1532
config test ibmd 1532
config test imap 1533
config test init 1533
config test iotd 1533
config test ipamd 1534
config test ipamsd 1534
config test ipldbd 1534
config test ipmc_sensord 1535
config test ipsengine 1535
config test ipsmonitor 1536
config test ipsufd 1536
config test kubed 1536
config test l2tpcd 1537
config test lnkmtd 1537
config test lted 1538
config test miglogd 1538
config test mrd 1539
config test netxd 1539
config test nntp 1539
config test ocid 1540
config test openstackd 1540
config test ovrd 1540
config test pop3 1541
config test pptpcd 1541
config test quarantined 1541
config test radius-das 1542
config test radiusd 1542
config test radvd 1542
config test reportd 1543
config test sdncd 1543
config test sdnd 1544
config test sepmd 1544
config test sessionsync 1544
config test sflowd 1545
config test sfupgraded 1545

Fortinet Inc.
config test smtp 1545
config test snmpd 1546
config test syslogd 1546
config test updated 1546
config test uploadd 1547
config test urlfilter 1547
config test vned 1547
config test wad 1548
config test wccpd 1548
config test wf_monitor 1548
config test wiredapd 1549
config test zebos_launcher 1549
user 1550
config user adgrp 1550
config user certificate 1551
config user domain-controller 1552
config user exchange 1555
config user fortitoken 1557
config user fsso-polling 1558
config user fsso 1560
config user group 1564
config user krb-keytab 1569
config user ldap 1570
config user local 1576
config user nac-policy 1579
config user password-policy 1581
config user peer 1582
config user peergrp 1584
config user pop3 1584
config user quarantine 1585
config user radius 1587
config user saml 1598
config user security-exempt-list 1602
config user setting 1603
config user tacacs+ 1607
videofilter 1610
config videofilter profile 1610
config videofilter youtube-channel-filter 1612
config videofilter youtube-key 1614
voip 1615
config voip profile 1615
vpn 1640
config vpn certificate ca 1641
config vpn certificate crl 1642
config vpn certificate local 1643
config vpn certificate ocsp-server 1647
config vpn certificate remote 1648
config vpn certificate setting 1648
config vpn ike gateway 1653

Fortinet Inc.
config vpn ipsec concentrator 1654
config vpn ipsec fec 1654
config vpn ipsec forticlient 1656
config vpn ipsec manualkey-interface 1657
config vpn ipsec manualkey 1659
config vpn ipsec phase1-interface 1661
config vpn ipsec phase1 1685
config vpn ipsec phase2-interface 1705
config vpn ipsec phase2 1714
config vpn ipsec stats crypto 1723
config vpn ipsec stats tunnel 1723
config vpn ipsec tunnel details 1724
config vpn ipsec tunnel name 1724
config vpn ipsec tunnel summary 1724
config vpn l2tp 1724
config vpn ocvpn 1725
config vpn pptp 1730
config vpn ssl client 1730
config vpn ssl monitor 1732
config vpn ssl settings 1732
config vpn ssl web host-check-software 1745
config vpn ssl web portal 1747
config vpn ssl web realm 1766
config vpn ssl web user-bookmark 1767
config vpn ssl web user-group-bookmark 1773
config vpn status l2tp 1779
config vpn status pptp 1780
config vpn status ssl hw-acceleration-status 1780
config vpn status ssl list 1780
waf 1781
config waf main-class 1781
config waf profile 1781
config waf signature 1806
config waf sub-class 1807
wanopt 1808
config wanopt auth-group 1808
config wanopt cache-service 1810
config wanopt content-delivery-network-rule 1813
config wanopt peer 1818
config wanopt profile 1819
config wanopt remote-storage 1828
config wanopt settings 1829
config wanopt webcache 1831
web-proxy 1835
config web-proxy debug-url 1835
config web-proxy explicit 1836
config web-proxy forward-server-group 1841
config web-proxy forward-server 1842
config web-proxy global 1844

Fortinet Inc.
config web-proxy profile 1846
config web-proxy url-match 1850
config web-proxy wisp 1851
webfilter 1853
config webfilter categories 1853
config webfilter content-header 1853
config webfilter content 1854
config webfilter fortiguard 1856
config webfilter ftgd-local-cat 1858
config webfilter ftgd-local-rating 1859
config webfilter ftgd-statistics 1860
config webfilter ips-urlfilter-cache-setting 1860
config webfilter ips-urlfilter-setting 1860
config webfilter ips-urlfilter-setting6 1861
config webfilter override-usr 1862
config webfilter override 1862
config webfilter profile 1863
config webfilter search-engine 1880
config webfilter status 1881
config webfilter urlfilter 1881
wireless-controller 1885
config wireless-controller access-control-list 1886
config wireless-controller address 1889
config wireless-controller addrgrp 1889
config wireless-controller ap-status 1890
config wireless-controller apcfg-profile 1891
config wireless-controller arrp-profile 1893
config wireless-controller ble-profile 1896
config wireless-controller bonjour-profile 1898
config wireless-controller client-info 1899
config wireless-controller global 1899
config wireless-controller hotspot20 anqp-3gpp-cellular 1903
config wireless-controller hotspot20 anqp-ip-address-type 1904
config wireless-controller hotspot20 anqp-nai-realm 1905
config wireless-controller hotspot20 anqp-network-auth-type 1909
config wireless-controller hotspot20 anqp-roaming-consortium 1909
config wireless-controller hotspot20 anqp-venue-name 1910
config wireless-controller hotspot20 anqp-venue-url 1911
config wireless-controller hotspot20 h2qp-advice-of-charge 1912
config wireless-controller hotspot20 h2qp-conn-capability 1913
config wireless-controller hotspot20 h2qp-operator-name 1916
config wireless-controller hotspot20 h2qp-osu-provider-nai 1917
config wireless-controller hotspot20 h2qp-osu-provider 1918
config wireless-controller hotspot20 h2qp-terms-and-conditions 1919
config wireless-controller hotspot20 h2qp-wan-metric 1920
config wireless-controller hotspot20 hs-profile 1921
config wireless-controller hotspot20 icon 1929
config wireless-controller hotspot20 qos-map 1930
config wireless-controller inter-controller 1932

Fortinet Inc.
config wireless-controller log 1934
config wireless-controller mpsk-profile 1938
config wireless-controller nac-profile 1940
config wireless-controller qos-profile 1941
config wireless-controller region 1944
config wireless-controller rf-analysis 1945
config wireless-controller scan 1945
config wireless-controller setting 1946
config wireless-controller snmp 1955
config wireless-controller spectral-info 1959
config wireless-controller ssid-policy 1959
config wireless-controller status 1960
config wireless-controller syslog-profile 1960
config wireless-controller timers 1962
config wireless-controller utm-profile 1964
config wireless-controller vap-group 1965
config wireless-controller vap-status 1965
config wireless-controller vap 1966
config wireless-controller wag-profile 1998
config wireless-controller wids-profile 1999
config wireless-controller wlchanlistlic 2007
config wireless-controller wtp-group 2007
config wireless-controller wtp-profile 2010
config wireless-controller wtp-status 2082
config wireless-controller wtp 2082

Fortinet Inc.
Change Log
Change Log
Date Change Description
2022-11-22 First automated release of the FortiOS 7.0.9 CLI Reference.
2022-12-06 Updated to include more reference models.

Fortinet Inc.
FortiOS CLI reference
This document describes FortiOS 7.0.9 CLI commands used to configure and manage a FortiGate unit from the
command line interface (CLI). For information on using the CLI, see the FortiOS 7.0.9 Administration Guide, which
contains information such as:
l Connecting to the CLI
l CLI basics
l Command syntax
l Subcommands
l Permissions
Availability of commands and options
Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if
you attempt to enter a command or option that is not available. You can use the question mark ‘?’ to verify the commands
and options that are available.
Commands and options may not be available for the following reasons:
FortiGate model
All commands are not available on all FortiGate models. For example, a hardware switch can be configured only on
models which have the corresponding hardware switch chipset.
Hardware configuration
For example, settings like mediatype would only be available on units with SFPs.
FortiOS Carrier, FortiGate 5K/6K/7K, FortiGate with LTE, etc.
Commands for extended functionality are not available on all FortiGate models. The CLI Reference may not include all
commands.
Command tree
Enter tree to display the entire FortiOS CLI command tree. To capture the full output, connect to your device using a
terminal emulation program, such as PuTTY, and capture the output to a log file.
l To view all available commands, enter tree.
l To view a specific configuration branch of a tree, enter tree <branch>, for example: tree system.

Fortinet Inc.
FortiOS CLI reference
l To view all available diagnose commands, enter tree diagnose.

l To view all available execute commands, enter tree execute.

Fortinet Inc.
CLI configuration commands
Use configuration commands to configure and manage a FortiGate unit from the command line interface (CLI).
The CLI syntax is created by processing the schema from FortiGate models running FortiOS 7.0.9 and reformatting the
resultant CLI output.
If you have comments on this content, its format, or requests for commands that are not included, contact us at
techdoc@fortinet.com.

Fortinet Inc.
alertemail
This section includes syntax for the following commands:

l config alertemail setting on page 23
config alertemail setting
Configure alert email settings.

Description: Configure alert email settings.
set FDS-license-expiring-days {integer}
set FDS-license-expiring-warning [enable|disable]
set FDS-update-logs [enable|disable]
set FIPS-CC-errors [enable|disable]
set FSSO-disconnect-logs [enable|disable]
set HA-logs [enable|disable]
set IPS-logs [enable|disable]
set IPsec-errors-logs [enable|disable]
set PPP-errors-logs [enable|disable]
set admin-login-logs [enable|disable]
set alert-interval {integer}
set amc-interface-bypass-mode [enable|disable]
set antivirus-logs [enable|disable]
set configuration-changes-logs [enable|disable]
set critical-interval {integer}
set debug-interval {integer}
set email-interval {integer}
set emergency-interval {integer}
set error-interval {integer}
set filter-mode [category|threshold]
set firewall-authentication-failure-logs [enable|disable]
set fortiguard-log-quota-warning [enable|disable]
set information-interval {integer}
set local-disk-usage {integer}
set log-disk-usage-warning [enable|disable]
set mailto1 {string}
set notification-interval {integer}
set severity [emergency|alert|...]
set ssh-logs [enable|disable]
set sslvpn-authentication-errors-logs [enable|disable]
set username {string}
set violation-traffic-logs [enable|disable]
set warning-interval {integer}
set webfilter-logs [enable|disable]
end

Fortinet Inc.
Parameter Description Type Size Default
FDS-license- Number of days to send alert email prior to integer Minimum 15

expiring-days FortiGuard license expiration. value: 1
Maximum
value: 100
FDS-license- Enable/disable FortiGuard license expiration option - disable

expiring-warning warnings in alert email.
Option Description
enable Enable FortiGuard license expiration warnings in alert email.
disable Disable FortiGuard license expiration warnings in alert email.
FDS-update-logs Enable/disable FortiGuard update logs in alert email. option - disable
Option Description
enable Enable FortiGuard update logs in alert email.
disable Disable FortiGuard update logs in alert email.
FIPS-CC-errors Enable/disable FIPS and Common Criteria error logs option - disable
in alert email.
Option Description
enable Enable FIPS and Common Criteria error logs in alert email.
disable Disable FIPS and Common Criteria error logs in alert email.
FSSO- Enable/disable logging of FSSO collector agent option - disable

disconnect-logs disconnect.
Option Description
enable Enable logging of FSSO collector agent disconnect.
disable Disable logging of FSSO collector agent disconnect.
HA-logs Enable/disable HA logs in alert email. option - disable
Option Description
enable Enable HA logs in alert email.
disable Disable HA logs in alert email.
IPS-logs Enable/disable IPS logs in alert email. option - disable

Fortinet Inc.
Option Description
enable Enable IPS logs in alert email.
disable Disable IPS logs in alert email.
IPsec-errors-logs Enable/disable IPsec error logs in alert email. option - disable
Option Description
enable Enable IPsec error logs in alert email.
disable Disable IPsec error logs in alert email.
PPP-errors-logs Enable/disable PPP error logs in alert email. option - disable
Option Description
enable Enable PPP error logs in alert email.
disable Disable PPP error logs in alert email.
admin-login-logs Enable/disable administrator login/logout logs in alert option - disable

email.
Option Description
enable Enable administrator login/logout logs in alert email.
disable Disable administrator login/logout logs in alert email.
alert-interval Alert alert interval in minutes. integer Minimum 2

value: 1
Maximum
value:
99999
amc-interface- Enable/disable Fortinet Advanced Mezzanine Card option - disable

bypass-mode (AMC) interface bypass mode logs in alert email.
Option Description
enable Enable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode
logs in alert email.
disable Disable Fortinet Advanced Mezzanine Card (AMC) interface bypass mode
logs in alert email.
antivirus-logs Enable/disable antivirus logs in alert email. option - disable

Fortinet Inc.
Option Description
enable Enable antivirus logs in alert email.
disable Disable antivirus logs in alert email.
configuration- Enable/disable configuration change logs in alert option - disable

changes-logs email.
Option Description
enable Enable configuration change logs in alert email.
disable Disable configuration change logs in alert email.
critical-interval Critical alert interval in minutes. integer Minimum 3

value: 1
Maximum
value:
99999
debug-interval Debug alert interval in minutes. integer Minimum 60

value: 1
Maximum
value:
99999
email-interval Interval between sending alert emails. integer Minimum 5

value: 1
Maximum
value:
99999
emergency- Emergency alert interval in minutes. integer Minimum 1

interval value: 1
Maximum
value:
99999
error-interval Error alert interval in minutes. integer Minimum 5

value: 1
Maximum
value:
99999
filter-mode How to filter log messages that are sent to alert option - category
emails.

Fortinet Inc.
Option Description
category Filter based on category.
threshold Filter based on severity.
firewall- Enable/disable firewall authentication failure logs in option - disable

authentication- alert email.
failure-logs
Option Description
enable Enable firewall authentication failure logs in alert email.
disable Disable firewall authentication failure logs in alert email.
fortiguard-log- Enable/disable FortiCloud log quota warnings in alert option - disable

quota-warning email.
Option Description
enable Enable FortiCloud log quota warnings in alert email.
disable Disable FortiCloud log quota warnings in alert email.
information- Information alert interval in minutes. integer Minimum 30

interval value: 1
Maximum
value:
99999
local-disk-usage Disk usage percentage at which to send alert email. integer Minimum 75
value: 1
Maximum
value: 99
log-disk-usage- Enable/disable disk usage warnings in alert email. option - disable

warning
Option Description
enable Enable disk usage warnings in alert email.
disable Disable disk usage warnings in alert email.
mailto1 Email address to send alert email to (usually a string Not

system administrator) (max. 63 characters). Specified
mailto2 Optional second email address to send alert email to string Not
(max. 63 characters). Specified

Fortinet Inc.
mailto3 Optional third email address to send alert email to string Not
notification- Notification alert interval in minutes. integer Minimum 20

interval value: 1
Maximum
value:
99999
severity Lowest severity level to log. option - alert
Option Description
emergency Emergency level.
alert Alert level.
critical Critical level.
error Error level.
warning Warning level.
notification Notification level.
information Information level.
debug Debug level.
ssh-logs Enable/disable SSH logs in alert email. option - disable
Option Description
enable Enable SSH logs in alert email.
disable Disable SSH logs in alert email.
sslvpn- Enable/disable SSL-VPN authentication error logs in option - disable

authentication- alert email.
errors-logs
Option Description
enable Enable SSL-VPN authentication error logs in alert email.
disable Disable SSL-VPN authentication error logs in alert email.
username Name that appears in the From: field of alert emails string Not
violation-traffic- Enable/disable violation traffic logs in alert email. option - disable

logs

Fortinet Inc.
Option Description
enable Enable violation traffic logs in alert email.
disable Disable violation traffic logs in alert email.
warning-interval Warning alert interval in minutes. integer Minimum 10

value: 1
Maximum
value:
99999
webfilter-logs Enable/disable web filter logs in alert email. option - disable
Option Description
enable Enable web filter logs in alert email.
disable Disable web filter logs in alert email.

Fortinet Inc.
antivirus

l config antivirus profile on page 30
l config antivirus quarantine on page 58
l config antivirus settings on page 63
config antivirus profile
Configure AntiVirus profiles.

Description: Configure AntiVirus profiles.
edit <name>
set analytics-accept-filetype {integer}
set analytics-db [disable|enable]
set analytics-ignore-filetype {integer}
set analytics-max-upload {integer}
set av-block-log [enable|disable]
set av-virus-log [enable|disable]
config cifs
Description: Configure CIFS AntiVirus options.
set av-scan [disable|block|...]
set outbreak-prevention [disable|block|...]
set external-blocklist [disable|block|...]
set fortindr [disable|block|...]
set quarantine [disable|enable]
set archive-block {option1}, {option2}, ...
set archive-log {option1}, {option2}, ...
set emulator [enable|disable]
end
set comment {var-string}
config content-disarm
Description: AV Content Disarm and Reconstruction settings.
set original-file-destination [fortisandbox|quarantine|...]
set error-action [block|log-only|...]
set office-macro [disable|enable]
set office-hylink [disable|enable]
set office-linked [disable|enable]
set office-embed [disable|enable]
set office-dde [disable|enable]
set office-action [disable|enable]
set pdf-javacode [disable|enable]
set pdf-embedfile [disable|enable]
set pdf-hyperlink [disable|enable]
set pdf-act-gotor [disable|enable]
set pdf-act-launch [disable|enable]
set pdf-act-sound [disable|enable]
set pdf-act-movie [disable|enable]

Fortinet Inc.
set pdf-act-java [disable|enable]
set pdf-act-form [disable|enable]
set cover-page [disable|enable]
set detect-only [disable|enable]
end
set ems-threat-feed [disable|enable]
set extended-log [enable|disable]
set external-blocklist <name1>, <name2>, ...
set external-blocklist-enable-all [disable|enable]
set feature-set [flow|proxy]
set fortindr-error-action [log-only|block|...]
set fortindr-timeout-action [log-only|block|...]
set ftgd-analytics [disable|suspicious|...]
config ftp
Description: Configure FTP AntiVirus options.
end
config http
Description: Configure HTTP AntiVirus options.
set unknown-content-encoding [block|inspect|...]
set content-disarm [disable|enable]
end
config imap
Description: Configure IMAP AntiVirus options.
set executables [default|virus]
end
config mapi
Description: Configure MAPI AntiVirus options.

Fortinet Inc.
end
set mobile-malware-db [disable|enable]
config nac-quar
Description: Configure AntiVirus quarantine settings.
set infected [none|quar-src-ip]
set expiry {user}
set log [enable|disable]
end
set name {string}
config nntp
Description: Configure NNTP AntiVirus options.
end
set outbreak-prevention-archive-scan [disable|enable]
config pop3
Description: Configure POP3 AntiVirus options.
end
set replacemsg-group {string}
set scan-mode [default|legacy]
config smtp
Description: Configure SMTP AntiVirus options.
end
config ssh
Description: Configure SFTP and SCP AntiVirus options.

Fortinet Inc.
end
next
end
analytics- Only submit files matching this DLP file-pattern to integer Minimum 0
accept-filetype FortiSandbox. value: 0
Maximum
value:
4294967295
analytics-db Enable/disable using the FortiSandbox signature option - disable

database to supplement the AV signature
databases.
Option Description
disable Use only the standard AV signature databases.
enable Also use the FortiSandbox signature database.
analytics- Do not submit files matching this DLP file-pattern to integer Minimum 0
ignore-filetype FortiSandbox. value: 0
Maximum
value:
4294967295
analytics-max- Maximum size of files that can be uploaded to integer Minimum 10

upload FortiSandbox. value: 1
Maximum
value: 1606 **
av-block-log Enable/disable logging for AntiVirus file blocking. option - enable
Option Description
enable Enable setting.
disable Disable setting.
av-virus-log Enable/disable AntiVirus logging. option - enable

Fortinet Inc.
Option Description
comment Comment. var-string Not Specified
ems-threat- Enable/disable use of EMS threat feed when option - disable

feed performing AntiVirus scan. Analyzes files including
the content of archives.
Option Description
disable Disable use of EMS threat feed when performing AntiVirus scan.
enable Enable use of EMS threat feed when performing AntiVirus scan.
extended-log Enable/disable extended logging for antivirus. option - disable
Option Description
external- One or more external malware block lists. string Maximum

blocklist External blocklist. length: 79
<name>
external- Enable/disable all external blocklists. option - disable

blocklist-
enable-all
Option Description
disable Use configured external blocklists.
enable Enable all external blocklists.
feature-set Flow/proxy feature set. option - flow
Option Description
flow Flow feature set.
proxy Proxy feature set.
fortindr-error- Action to take if FortiNDR encounters an error. option - log-only

action

Fortinet Inc.
Option Description
log-only Log FortiNDR error, but allow the file.
block Block the file on FortiNDR error.
ignore Do nothing on FortiNDR error.
fortindr- Action to take if FortiNDR encounters a scan timeout. option - log-only

timeout-action
Option Description
log-only Log FortiNDR scan timeout, but allow the file.
block Block the file on FortiNDR scan timeout.
ignore Do nothing on FortiNDR scan timeout.
ftgd-analytics Settings to control which files are uploaded to option - disable

FortiSandbox.
Option Description
disable Do not upload files to FortiSandbox.
suspicious Submit files supported by FortiSandbox if heuristics or other methods

determine they are suspicious.
everything Submit files supported by FortiSandbox and known infected files.
mobile- Enable/disable using the mobile malware signature option - enable

malware-db database.
Option Description
disable Do not use the mobile malware signature database.
enable Also use the mobile malware signature database.
name Profile name. string Not Specified
outbreak- Enable/disable outbreak-prevention archive option - enable

prevention- scanning.
archive-scan
Option Description
disable Analyze files as sent, not the content of archives.
enable Analyze files including the content of archives.

Fortinet Inc.
replacemsg- Replacement message group customized for this string Not Specified
group profile.
scan-mode Configure scan mode. option - default
Option Description
default On the fly decompression and scanning of certain archive files.
legacy Scan archive files only after the entire file is received.
** Values may differ between models.
config cifs
av-scan Enable AntiVirus scan service. option - disable
Option Description
disable Disable.
block Block the virus infected files.
monitor Log the virus infected files.
outbreak- Enable virus outbreak prevention service. option - disable

prevention
Option Description
disable Disable.
block Block the matched files.
monitor Log the matched files.
external- Enable external-blocklist. Analyzes files including the option - disable

blocklist content of archives.
Option Description
disable Disable.
fortindr Enable/disable scanning of files by FortiNDR. option - disable

Fortinet Inc.
Option Description
disable Disable.
block Block the FortiNDR detected infections.
monitor Log the FortiNDR detected infections.
quarantine Enable/disable quarantine for infected files. option - disable
Option Description
disable Disable quarantine for infected files.
enable Enable quarantine for infected files.
archive-block Select the archive types to block. option -
Option Description
encrypted Block encrypted archives.
corrupted Block corrupted archives.
partiallycorrupted Block partially corrupted archives.
multipart Block multipart archives.
nested Block nested archives that exceed uncompressed nest limit.
mailbomb Block mail bomb archives.
timeout Block scan timeout.
unhandled Block archives that FortiOS cannot open.
archive-log Select the archive types to log. option -
Option Description
encrypted Log encrypted archives.
corrupted Log corrupted archives.
partiallycorrupted Log partially corrupted archives.
multipart Log multipart archives.
nested Log nested archives that exceed uncompressed nest limit.
mailbomb Log mail bomb archives.
timeout Log scan timeout.
unhandled Log archives that FortiOS cannot open.
emulator Enable/disable the virus emulator. option - enable

Fortinet Inc.
Option Description
enable Enable the virus emulator.
disable Disable the virus emulator.
config content-disarm
original-file- Destination to send original file if active content is option - discard

destination removed.
Option Description
fortisandbox Send original file to configured FortiSandbox.
quarantine Send original file to quarantine.
discard Original file will be discarded after content disarm.
error-action Action to be taken if CDR engine encounters an option - log-only

unrecoverable error.
Option Description
block Block file on CDR error.
log-only Log CDR error, but allow file.
ignore Do nothing on CDR error.
office-macro Enable/disable stripping of macros in Microsoft Office option - enable

documents.
Option Description
disable Disable this Content Disarm and Reconstruction feature.
enable Enable this Content Disarm and Reconstruction feature.
office-hylink Enable/disable stripping of hyperlinks in Microsoft Office option - enable

documents.
Option Description
office-linked Enable/disable stripping of linked objects in Microsoft option - enable

Office documents.

Fortinet Inc.
Option Description
office-embed Enable/disable stripping of embedded objects in option - enable

Microsoft Office documents.
Option Description
office-dde Enable/disable stripping of Dynamic Data Exchange option - enable

events in Microsoft Office documents.
Option Description
office-action Enable/disable stripping of PowerPoint action events in option - enable

Microsoft Office documents.
Option Description
pdf-javacode Enable/disable stripping of JavaScript code in PDF option - enable

documents.
Option Description
pdf-embedfile Enable/disable stripping of embedded files in PDF option - enable

documents.
Option Description
pdf-hyperlink Enable/disable stripping of hyperlinks from PDF option - enable

documents.

Fortinet Inc.
Option Description
pdf-act-gotor Enable/disable stripping of PDF document actions that option - enable

access other PDF documents.
Option Description
pdf-act- Enable/disable stripping of PDF document actions that option - enable

launch launch other applications.
Option Description
pdf-act-sound Enable/disable stripping of PDF document actions that option - enable

play a sound.
Option Description
pdf-act-movie Enable/disable stripping of PDF document actions that option - enable

play a movie.
Option Description
pdf-act-java Enable/disable stripping of PDF document actions that option - enable

execute JavaScript code.
Option Description
pdf-act-form Enable/disable stripping of PDF document actions that option - enable

submit data to other targets.

Fortinet Inc.
Option Description
cover-page Enable/disable inserting a cover page into the disarmed option - enable
document.
Option Description
detect-only Enable/disable only detect disarmable files, do not alter option - disable
content.
Option Description
config ftp
Option Description
disable Disable.

prevention
Option Description
disable Disable.


Fortinet Inc.
Option Description
disable Disable.
Option Description
disable Disable.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
config http
Option Description
disable Disable.

prevention
Option Description
disable Disable.

Option Description
disable Disable.

Fortinet Inc.
Option Description
disable Disable.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
unknown- Configure the action the FortiGate unit will take on option - block
content- unknown content-encoding.
encoding
Option Description
block Block HTTP session when unknown content-encoding is detected.
inspect Inspect HTTP traffic as plain-text with AV scan when unknown content-
encoding is detected.
bypass Bypass AV scan when unknown content-encoding is detected.
content- Enable/disable Content Disarm and Reconstruction option - disable

disarm when performing AntiVirus scan.
Option Description
disable Disable Content Disarm and Reconstruction when performing AntiVirus scan.
enable Enable Content Disarm and Reconstruction when performing AntiVirus scan.
config imap
Option Description
disable Disable.

prevention
Option Description
disable Disable.

Fortinet Inc.

Option Description
disable Disable.
Option Description
disable Disable.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
executables Treat Windows executable files as viruses for the option - default
purpose of blocking or monitoring.
Option Description
default Perform standard AntiVirus scanning of Windows executable files.
virus Treat Windows executables as viruses.

Option Description
config mapi
Option Description
disable Disable.

Fortinet Inc.

prevention
Option Description
disable Disable.

Option Description
disable Disable.
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
config nac-quar
infected Enable/Disable quarantining infected hosts to the option - none

banned user list.
Option Description
none Do not quarantine infected hosts.
quar-src-ip Quarantine all traffic from the infected hosts source IP.
expiry Duration of quarantine. user Not 5m

Specified
log Enable/disable AntiVirus quarantine logging. option - disable

Fortinet Inc.
Option Description
enable Enable AntiVirus quarantine logging.
disable Disable AntiVirus quarantine logging.
config nntp
Option Description
disable Disable.

prevention
Option Description
disable Disable.

Option Description
disable Disable.
Option Description
disable Disable.

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
config pop3
Option Description
disable Disable.

prevention
Option Description
disable Disable.

Option Description
disable Disable.
Option Description
disable Disable.
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.

Option Description
config smtp
Option Description
disable Disable.

prevention
Option Description
disable Disable.

Option Description
disable Disable.
Option Description
disable Disable.

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description

Option Description
config ssh
Option Description
disable Disable.

prevention
Option Description
disable Disable.

Option Description
disable Disable.

Fortinet Inc.
Option Description
disable Disable.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
config antivirus quarantine
Configure quarantine options.

Description: Configure quarantine options.
set agelimit {integer}
set destination [NULL|disk|...]
set drop-blocked {option1}, {option2}, ...
set drop-infected {option1}, {option2}, ...
set drop-machine-learning {option1}, {option2}, ...
set lowspace [drop-new|ovrw-old]
set maxfilesize {integer}
set quarantine-quota {integer}
set store-blocked {option1}, {option2}, ...
set store-infected {option1}, {option2}, ...
set store-machine-learning {option1}, {option2}, ...
end
agelimit Age limit for quarantined files. integer Minimum 0

value: 0
Maximum
value: 479
destination Choose whether to quarantine files to the FortiGate option - disk **

disk or to FortiAnalyzer or to delete them instead of
quarantining them.
Option Description
NULL Files that would be quarantined are deleted.
disk Quarantine files to the FortiGate hard disk.
FortiAnalyzer FortiAnalyzer

Fortinet Inc.
drop-blocked Do not quarantine dropped files found in sessions option -

using the selected protocols. Dropped files are deleted
instead of being quarantined.
Option Description
imap IMAP.
smtp SMTP.
pop3 POP3.
http HTTP.
ftp FTP.
nntp NNTP.
imaps IMAPS.
smtps SMTPS.
pop3s POP3S.
ftps FTPS.
mapi MAPI.
cifs CIFS.
ssh SSH.
drop-infected Do not quarantine infected files found in sessions option -

using the selected protocols. Dropped files are deleted
instead of being quarantined.
Option Description
imap IMAP.
smtp SMTP.
pop3 POP3.
http HTTP.
ftp FTP.
nntp NNTP.
imaps IMAPS.
smtps SMTPS.
pop3s POP3S.

Fortinet Inc.
Option Description
https HTTPS.
ftps FTPS.
mapi MAPI.
cifs CIFS.
ssh SSH.
drop- Do not quarantine files detected by machine learning option -

machine- found in sessions using the selected protocols.
learning Dropped files are deleted instead of being
quarantined.
Option Description
imap IMAP.
smtp SMTP.
pop3 POP3.
http HTTP.
ftp FTP.
nntp NNTP.
imaps IMAPS.
smtps SMTPS.
pop3s POP3S.
https HTTPS.
ftps FTPS.
mapi MAPI.
cifs CIFS.
ssh SSH.
lowspace Select the method for handling additional files when option - ovrw-old
running low on disk space.
Option Description
drop-new Drop (delete) the most recently quarantined files.
ovrw-old Overwrite the oldest quarantined files. That is, the files that are closest to
being deleted from the quarantine.

Fortinet Inc.
maxfilesize Maximum file size to quarantine. integer Minimum 0

value: 0
Maximum
value: 500
quarantine- The amount of disk space to reserve for quarantining integer Minimum 0
quota files. value: 0
Maximum
value:
4294967295
store-blocked Quarantine blocked files found in sessions using the option - imap smtp
selected protocols. pop3 http
ftp nntp
imaps
smtps
pop3s ftps
mapi cifs
ssh
Option Description
imap IMAP.
smtp SMTP.
pop3 POP3.
http HTTP.
ftp FTP.
nntp NNTP.
imaps IMAPS.
smtps SMTPS.
pop3s POP3S.
ftps FTPS.
mapi MAPI.
cifs CIFS.
ssh SSH.

Fortinet Inc.
store-infected Quarantine infected files found in sessions using the option - imap smtp
selected protocols. pop3 http
ftp nntp
imaps
smtps
pop3s
https ftps
mapi cifs
ssh
Option Description
imap IMAP.
smtp SMTP.
pop3 POP3.
http HTTP.
ftp FTP.
nntp NNTP.
imaps IMAPS.
smtps SMTPS.
pop3s POP3S.
https HTTPS.
ftps FTPS.
mapi MAPI.
cifs CIFS.
ssh SSH.
store- Quarantine files detected by machine learning found in option - imap smtp
machine- sessions using the selected protocols. pop3 http
learning ftp nntp
imaps
smtps
pop3s
https ftps
mapi cifs
ssh
Option Description
imap IMAP.

Fortinet Inc.
Option Description
smtp SMTP.
pop3 POP3.
http HTTP.
ftp FTP.
nntp NNTP.
imaps IMAPS.
smtps SMTPS.
pop3s POP3S.
https HTTPS.
ftps FTPS.
mapi MAPI.
cifs CIFS.
ssh SSH.
config antivirus settings
Configure AntiVirus settings.

Description: Configure AntiVirus settings.
set cache-infected-result [enable|disable]
set grayware [enable|disable]
set machine-learning-detection [enable|monitor|...]
set override-timeout {integer}
set use-extreme-db [enable|disable]
end
cache- Enable/disable cache of infected scan results. option - enable

infected-result

Fortinet Inc.
Option Description
enable Enable cache of infected scan results.
disable Disable cache of infected scan results.
grayware Enable/disable grayware detection when an AntiVirus option - disable

profile is applied to traffic.
Option Description
enable Enable grayware detection.
disable Disable grayware detection.
machine- Use machine learning based malware detection. option - enable

learning-
detection
Option Description
enable Enable machine learning based malware detection.
monitor Enable machine learning based malware detection for monitoring only.
disable Disable machine learning based malware detection.
override- Override the large file scan timeout value in seconds. integer Minimum 0
timeout Zero is the default value and is used to disable this value: 30
command. When disabled, the daemon adjusts the Maximum
large file scan timeout based on the file size. value: 3600
use-extreme- Enable/disable the use of Extreme AVDB. option - disable

db
Option Description
enable Enable extreme AVDB.
disable Disable extreme AVDB.

Fortinet Inc.
application

l config application custom on page 65
l config application group on page 66
l config application list on page 67
l config application name on page 76
l config application rule-settings on page 78
config application custom
Configure custom application signatures.

Description: Configure custom application signatures.
edit <tag>
set behavior {user}
set category {integer}
set comment {string}
set id {integer}
set protocol {user}
set signature {var-string}
set tag {string}
set technology {user}
set vendor {user}
next
end
behavior Custom application signature behavior. user Not Specified
category Custom application category ID (use ? to view integer Minimum 0

available options). value: 0
Maximum
value:
4294967295
comment Comment. string Not Specified

Fortinet Inc.
id Custom application category ID (use ? to view integer Minimum 0

available options). value: 0
Maximum
value:
4294967295
protocol Custom application signature protocol. user Not Specified
signature The text that makes up the actual custom application var-string Not Specified
signature.
tag Signature tag. string Not Specified
technology Custom application signature technology. user Not Specified
vendor Custom application signature vendor. user Not Specified
config application group
Configure firewall application groups.

Description: Configure firewall application groups.
edit <name>
set application <id1>, <id2>, ...
set behavior {user}
set category <id1>, <id2>, ...
set name {string}
set popularity {option1}, {option2}, ...
set protocols {user}
set risk <level1>, <level2>, ...
set type [application|filter]
set vendor {user}
next
end
application Application ID list. integer Minimum

<id> Application IDs. value: 0
Maximum
value:
4294967295
behavior Application behavior filter. user Not Specified all

Fortinet Inc.
category Application category ID list. integer Minimum

<id> Category IDs. value: 0
Maximum
value:
4294967295
comment Comments. var-string Not Specified
name Application group name. string Not Specified
popularity Application popularity filter. option - 12345
Option Description
1 Popularity level 1.
protocols Application protocol filter. user Not Specified all
risk <level> Risk, or impact, of allowing traffic from this integer Minimum
application to occur (1 - 5; Low, Elevated, Medium, value: 0
High, and Critical). Maximum
Risk, or impact, of allowing traffic from this value:
application to occur (1 - 5; Low, Elevated, Medium, 4294967295
High, and Critical).
technology Application technology filter. user Not Specified all
type Application group type. option - application
Option Description
application Application ID.
filter Application filter.
vendor Application vendor filter. user Not Specified all
config application list
Configure application control lists.

Description: Configure application control lists.
edit <name>
set app-replacemsg [disable|enable]

Fortinet Inc.
set control-default-network-services [disable|enable]
set deep-app-inspection [disable|enable]
config default-network-services
Description: Default network service entries.
edit <id>
set id {integer}
set port {integer}
set services {option1}, {option2}, ...
set violation-action [pass|monitor|...]
next
end
set enforce-default-app-port [disable|enable]
config entries
Description: Application list entries.
edit <id>
set id {integer}
set risk <level1>, <level2>, ...
set protocols {user}
set vendor {user}
set behavior {user}
set popularity {option1}, {option2}, ...
set exclusion <id1>, <id2>, ...
config parameters
Description: Application parameters.
edit <id>
set id {integer}
config members
Description: Parameter tuple members.
edit <id>
set id {integer}
set name {string}
set value {string}
next
end
next
end
set action [pass|block|...]
set log [disable|enable]
set log-packet [disable|enable]
set rate-count {integer}
set rate-duration {integer}
set rate-mode [periodical|continuous]
set rate-track [none|src-ip|...]
set session-ttl {integer}
set shaper {string}
set shaper-reverse {string}
set per-ip-shaper {string}
set quarantine [none|attacker]
set quarantine-expiry {user}
set quarantine-log [disable|enable]
next
end

Fortinet Inc.
set force-inclusion-ssl-di-sigs [disable|enable]
set name {string}
set options {option1}, {option2}, ...
set other-application-action [pass|block]
set other-application-log [disable|enable]
set p2p-block-list {option1}, {option2}, ...
set unknown-application-action [pass|block]
set unknown-application-log [disable|enable]
next
end
app- Enable/disable replacement messages for blocked option - enable

replacemsg applications.
Option Description
disable Disable replacement messages for blocked applications.
enable Enable replacement messages for blocked applications.
comment Comments. var-string Not

Specified
control- Enable/disable enforcement of protocols over selected option - disable

default- ports.
network-
services
Option Description
disable Disable protocol enforcement over selected ports.
enable Enable protocol enforcement over selected ports.
deep-app- Enable/disable deep application inspection. option - enable

inspection
Option Description
disable Disable deep application inspection.
enable Enable deep application inspection.
enforce- Enable/disable default application port enforcement for option - disable

default-app- allowed applications.
port

Fortinet Inc.
Option Description
disable Disable default application port enforcement.
enable Enable default application port enforcement.
extended-log Enable/disable extended logging. option - disable
Option Description
force- Enable/disable forced inclusion of SSL deep inspection option - disable

inclusion-ssl- signatures.
di-sigs
Option Description
disable Disable forced inclusion of signatures which normally require SSL deep
inspection.
enable Enable forced inclusion of signatures which normally require SSL deep
inspection.
name List name. string Not

Specified
options Basic application protocol signatures allowed by option - allow-dns

default.
Option Description
allow-dns Allow DNS.
allow-icmp Allow ICMP.
allow-http Allow generic HTTP web browsing.
allow-ssl Allow generic SSL communication.
allow-quic Allow QUIC.
other- Action for other applications. option - pass

application-
action
Option Description
pass Allow sessions matching an application in this application list.
block Block sessions matching an application in this application list.

Fortinet Inc.
other- Enable/disable logging for other applications. option - disable

application-log
Option Description
disable Disable logging for other applications.
enable Enable logging for other applications.
p2p-block-list P2P applications to be block listed. option -
Option Description
skype Skype.
edonkey Edonkey.
bittorrent Bit torrent.
replacemsg- Replacement message group. string Not

group Specified
unknown- Pass or block traffic from unknown applications. option - pass

application-
action
Option Description
pass Pass or allow unknown applications.
block Drop or block unknown applications.
unknown- Enable/disable logging for unknown applications. option - disable

application-log
Option Description
disable Disable logging for unknown applications.
enable Enable logging for unknown applications.
config default-network-services
id Entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
port Port number. integer Minimum 0

value: 0
Maximum
value: 65535
services Network protocols. option -
Option Description
http HTTP.
ssh SSH.
telnet TELNET.
ftp FTP.
dns DNS.
smtp SMTP.
pop3 POP3.
imap IMAP.
snmp SNMP.
nntp NNTP.
https HTTPS.
violation- Action for protocols not in the allowlist for selected option - block
action port.
Option Description
pass Allow protocols not in the allowlist for selected port.
monitor Monitor protocols not in the allowlist for selected port.
block Block protocols not in the allowlist for selected port.
config entries

value: 0
Maximum
value:
4294967295

Fortinet Inc.
risk <level> Risk, or impact, of allowing traffic from this integer Minimum
application to occur (1 - 5; Low, Elevated, Medium, value: 0
High, and Critical). Maximum
Risk, or impact, of allowing traffic from this value:
application to occur (1 - 5; Low, Elevated, Medium, 4294967295
High, and Critical).
category Category ID list. integer Minimum

<id> Application category ID. value: 0
Maximum
value:
4294967295
application ID of allowed applications. integer Minimum

Maximum
value:
4294967295
protocols Application protocol filter. user Not Specified all
vendor Application vendor filter. user Not Specified all
technology Application technology filter. user Not Specified all
behavior Application behavior filter. user Not Specified all
popularity Application popularity filter. option - 12345
Option Description
exclusion ID of excluded applications. integer Minimum

<id> Excluded application IDs. value: 0
Maximum
value:
4294967295
action Pass or block traffic, or reset connection for traffic option - block
from this application.

Fortinet Inc.
Option Description
pass Pass or allow matching traffic.
block Block or drop matching traffic.
reset Reset sessions for matching traffic.
log Enable/disable logging for this application list. option - enable
Option Description
disable Disable logging.
enable Enable logging.
log-packet Enable/disable packet logging. option - disable
Option Description
disable Disable packet logging.
enable Enable packet logging.
rate-count Count of the rate. integer Minimum 0

value: 0
Maximum
value: 65535
rate-duration Duration (sec) of the rate. integer Minimum 60

value: 1
Maximum
value: 65535
rate-mode Rate limit mode. option - continuous
Option Description
periodical Allow configured number of packets every rate-duration.
continuous Block packets once the rate is reached.
rate-track Track the packet protocol field. option - none
Option Description
none none
src-ip Source IP.
dest-ip Destination IP.
dhcp-client-mac DHCP client.
dns-domain DNS domain.

Fortinet Inc.
session-ttl Session TTL. integer Minimum 0

value: 0
Maximum
value:
4294967295
shaper Traffic shaper. string Not Specified
shaper- Reverse traffic shaper. string Not Specified

reverse
per-ip-shaper Per-IP traffic shaper. string Not Specified
quarantine Quarantine method. option - none
Option Description
none Quarantine is disabled.
attacker Block all traffic sent from attacker's IP address. The attacker's IP address is
also added to the banned user list. The target's address is not affected.
quarantine- Duration of quarantine.. Requires quarantine set to user Not Specified 5m

expiry attacker.
quarantine- Enable/disable quarantine logging. option - enable

log
Option Description
disable Disable quarantine logging.
enable Enable quarantine logging.
config parameters
id Parameter tuple ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
config members
id Parameter. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Parameter name. string Not Specified
value Parameter value. string Not Specified
config application name
Configure application signatures.

Description: Configure application signatures.
edit <name>
set behavior {user}
set id {integer}
config metadata
Description: Meta data.
edit <id>
set id {integer}
set metaid {integer}
set valueid {integer}
next
end
set name {string}
config parameters
Description: Application parameters.
edit <name>
set name {string}
set default value {string}
next
end
set popularity {integer}
set protocol {user}
set risk {integer}
set vendor {user}
set weight {integer}
next
end

Fortinet Inc.
behavior Application behavior. user Not Specified
category Application category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
id Application ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Application name. string Not Specified
popularity Application popularity. integer Minimum 0

value: 0
Maximum
value: 255
protocol Application protocol. user Not Specified
risk Application risk. integer Minimum 0

value: 0
Maximum
value: 255
technology Application technology. user Not Specified
vendor Application vendor. user Not Specified
weight Application weight. integer Minimum 0

value: 0
Maximum
value: 255
config metadata
id ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config parameters
name Parameter name. string Not

Specified
default value Parameter default value. string Not

Specified
config application rule-settings
Configure application rule settings.

Description: Configure application rule settings.
edit <id>
set id {integer}
next
end
id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
authentication

l config authentication rule on page 79
l config authentication scheme on page 81
l config authentication setting on page 83
config authentication rule
Configure Authentication Rules.

Description: Configure Authentication Rules.
edit <name>
set active-auth-method {string}
set comments {var-string}
set dstaddr <name1>, <name2>, ...
set dstaddr6 <name1>, <name2>, ...
set ip-based [enable|disable]
set name {string}
set protocol [http|ftp|...]
set srcaddr <name1>, <name2>, ...
set srcaddr6 <name1>, <name2>, ...
set srcintf <name1>, <name2>, ...
set sso-auth-method {string}
set status [enable|disable]
set transaction-based [enable|disable]
set web-auth-cookie [enable|disable]
set web-portal [enable|disable]
next
end
active-auth- Select an active authentication method. string Not

method Specified
comments Comment. var-string Not

Specified
dstaddr Select an IPv4 destination address from available string Maximum

<name> options. Required for web proxy authentication. length: 79
Address name.

Fortinet Inc.
dstaddr6 Select an IPv6 destination address from available string Maximum

<name> options. Required for web proxy authentication. length: 79
Address name.
ip-based Enable/disable IP-based authentication. When enabled, option - enable

previously authenticated users from the same IP
address will be exempted.
Option Description
enable Enable IP-based authentication.
disable Disable IP-based authentication.
name Authentication rule name. string Not

Specified
protocol Authentication is required for the selected protocol. option - http
Option Description
http HTTP traffic is matched and authentication is required.
ftp FTP traffic is matched and authentication is required.
socks SOCKS traffic is matched and authentication is required.
ssh SSH traffic is matched and authentication is required.
srcaddr Authentication is required for the selected IPv4 source string Maximum
<name> address. length: 79
Address name.
srcaddr6 Authentication is required for the selected IPv6 source string Maximum
<name> address. length: 79
Address name.
srcintf Incoming (ingress) interface. string Maximum

<name> Interface name. length: 79
sso-auth- Select a single-sign on (SSO) authentication method. string Not

method Specified
status Enable/disable this authentication rule. option - enable
Option Description
enable Enable this authentication rule.
disable Disable this authentication rule.
transaction- Enable/disable transaction based authentication. option - disable

based

Fortinet Inc.
Option Description
enable Enable transaction based authentication.
disable Disable transaction based authentication.
web-auth- Enable/disable Web authentication cookies. option - disable

cookie
Option Description
enable Enable Web authentication cookie.
disable Disable Web authentication cookie.
web-portal Enable/disable web portal for proxy transparent policy. option - enable
Option Description
enable Enable web-portal.
disable Disable web-portal.
config authentication scheme
Configure Authentication Schemes.

Description: Configure Authentication Schemes.
edit <name>
set domain-controller {string}
set fsso-agent-for-ntlm {string}
set fsso-guest [enable|disable]
set kerberos-keytab {string}
set method {option1}, {option2}, ...
set name {string}
set negotiate-ntlm [enable|disable]
set require-tfa [enable|disable]
set saml-server {string}
set saml-timeout {integer}
set ssh-ca {string}
set user-cert [enable|disable]
set user-database <name1>, <name2>, ...
next
end

Fortinet Inc.
domain- Domain controller setting. string Not

controller Specified
fsso-agent- FSSO agent to use for NTLM authentication. string Not

for-ntlm Specified
fsso-guest Enable/disable user fsso-guest authentication. option - disable
Option Description
enable Enable user fsso-guest authentication.
disable Disable user fsso-guest authentication.
kerberos- Kerberos keytab setting. string Not

keytab Specified
method Authentication methods. option -
Option Description
ntlm NTLM authentication.
basic Basic HTTP authentication.
digest Digest HTTP authentication.
form Form-based HTTP authentication.
negotiate Negotiate authentication.
fsso Fortinet Single Sign-On (FSSO) authentication.
rsso RADIUS Single Sign-On (RSSO) authentication.
ssh-publickey Public key based SSH authentication.
cert Client certificate authentication.
saml SAML authentication.
name Authentication scheme name. string Not

Specified
negotiate- Enable/disable negotiate authentication for NTLM. option - enable

ntlm
Option Description
enable Enable negotiate authentication for NTLM.
disable Disable negotiate authentication for NTLM.
require-tfa Enable/disable two-factor authentication. option - disable

Fortinet Inc.
Option Description
enable Enable two-factor authentication.
disable Disable two-factor authentication.
saml-server SAML configuration. string Not

Specified
saml-timeout SAML authentication timeout in seconds. integer Minimum 120

value: 30
Maximum
value: 1200
ssh-ca SSH CA name. string Not

Specified
user-cert Enable/disable authentication with user certificate. option - disable
Option Description
enable Enable client certificate field authentication.
disable Disable client certificate field authentication.
user- Authentication server to contain user information; "local" string Maximum

database (default) or "123" (for LDAP). length: 79
<name> Authentication server name.
config authentication setting
Configure authentication setting.

Description: Configure authentication setting.
set active-auth-scheme {string}
set auth-https [enable|disable]
set captive-portal {string}
set captive-portal-ip {ipv4-address-any}
set captive-portal-ip6 {ipv6-address}
set captive-portal-port {integer}
set captive-portal-ssl-port {integer}
set captive-portal-type [fqdn|ip]
set captive-portal6 {string}
set cert-auth [enable|disable]
set cert-captive-portal {string}
set cert-captive-portal-ip {ipv4-address-any}
set cert-captive-portal-port {integer}
set dev-range <name1>, <name2>, ...
set sso-auth-scheme {string}
set user-cert-ca <name1>, <name2>, ...
end

Fortinet Inc.
active-auth- Active authentication method (scheme name). string Not

scheme Specified
auth-https Enable/disable redirecting HTTP user authentication to option - enable

HTTPS.
Option Description
captive-portal Captive portal host name. string Not

Specified
captive- Captive portal IP address. ipv4- Not 0.0.0.0

portal-ip address- Specified
any
captive- Captive portal IPv6 address. ipv6- Not ::

portal-ip6 address Specified
captive- Captive portal port number. integer Minimum 7830

portal-port value: 1
Maximum
value:
65535
captive- Captive portal SSL port number. integer Minimum 7831

portal-ssl-port value: 1
Maximum
value:
65535
captive- Captive portal type. option - fqdn

portal-type
Option Description
fqdn Use FQDN for captive portal.
ip Use an IP address for captive portal.
captive- IPv6 captive portal host name. string Not

portal6 Specified
cert-auth Enable/disable redirecting certificate authentication to option - disable

HTTPS portal.

Fortinet Inc.
Option Description
cert-captive- Certificate captive portal host name. string Not

portal Specified
cert-captive- Certificate captive portal IP address. ipv4- Not 0.0.0.0

portal-ip address- Specified
any
cert-captive- Certificate captive portal port number. integer Minimum 7832

portal-port value: 1
Maximum
value:
65535
dev-range Address range for the IP based device query. string Maximum
<name> Address name. length: 79
sso-auth- Single-Sign-On authentication method (scheme name). string Not

scheme Specified
user-cert-ca CA certificate used for client certificate verification. string Maximum **

<name> CA certificate list. length: 79

Fortinet Inc.
certificate

l config certificate ca on page 86
l config certificate crl on page 87
l config certificate local on page 89
l config certificate remote on page 92
config certificate ca
CA certificate.
Description: CA certificate.
edit <name>
set auto-update-days {integer}
set auto-update-days-warning {integer}
set ca {user}
set ca-identifier {string}
set name {string}
set range [global|vdom]
set scep-url {string}
set source [factory|user|...]
set source-ip {ipv4-address}
set ssl-inspection-trusted [enable|disable]
next
end
auto-update- Number of days to wait before requesting an updated integer Minimum 0

days CA certificate. value: 0
Maximum
value:
4294967295
auto-update- Number of days before an expiry-warning message is integer Minimum 0

days-warning generated. value: 0
Maximum
value:
4294967295
ca CA certificate as a PEM file. user Not Specified

Fortinet Inc.
ca-identifier CA identifier of the SCEP server. string Not Specified
name Name. string Not Specified
range Either global or VDOM IP address range for the CA option - global
certificate.
Option Description
global Global range.
vdom VDOM IP address range.
scep-url URL of the SCEP server. string Not Specified
source CA certificate source type. option - user
Option Description
factory Factory installed certificate.
user User generated certificate.
bundle Bundle file certificate.
source-ip Source IP address for communications to the SCEP ipv4- Not Specified 0.0.0.0
server. address
ssl- Enable/disable this CA as a trusted CA for SSL option - enable

inspection- inspection.
trusted
Option Description
enable Trusted CA for SSL inspection.
disable Untrusted CA for SSL inspection.
config certificate crl
Certificate Revocation List as a PEM file.

Description: Certificate Revocation List as a PEM file.
edit <name>
set crl {user}
set http-url {string}
set ldap-password {password}
set ldap-server {string}
set ldap-username {string}
set name {string}
set scep-cert {string}

Fortinet Inc.
set update-interval {integer}
set update-vdom {string}
next
end
crl Certificate Revocation List as a PEM file. user Not Specified
http-url HTTP server URL for CRL auto-update. string Not Specified
ldap- LDAP server user password. password Not Specified

password
ldap-server LDAP server name for CRL auto-update. string Not Specified
ldap- LDAP server user name. string Not Specified

username
range Either global or VDOM IP address range for the option - global
certificate.
Option Description
scep-cert Local certificate for SCEP communication for CRL string Not Specified Fortinet_
auto-update. CA_SSL
scep-url SCEP server URL for CRL auto-update. string Not Specified
source Certificate source type. option - user
Option Description
source-ip Source IP address for communications to a HTTP or ipv4- Not Specified 0.0.0.0
SCEP CA server. address
update- Time in seconds before the FortiGate checks for an integer Minimum 0
interval updated CRL. Set to 0 to update only when it expires. value: 0
Maximum
value:
4294967295

Fortinet Inc.
update-vdom VDOM for CRL update. string Not Specified root
config certificate local
Local keys and certificates.

Description: Local keys and certificates.
edit <name>
set acme-ca-url {string}
set acme-domain {string}
set acme-email {string}
set acme-renew-window {integer}
set acme-rsa-key-size {integer}
set auto-regenerate-days {integer}
set auto-regenerate-days-warning {integer}
set certificate {user}
set cmp-path {string}
set cmp-regeneration-method [keyupate|renewal]
set cmp-server {string}
set cmp-server-cert {string}
set comments {string}
set csr {user}
set enroll-protocol [none|scep|...]
set ike-localid {string}
set ike-localid-type [asn1dn|fqdn]
set name {string}
set name-encoding [printable|utf8]
set password {password}
set private-key {user}
set scep-password {password}
set state {user}
next
end
acme-ca-url The URL for the ACME CA string Not Specified https://acme-
server. v02.api.letsencrypt.org/directory
acme-domain A valid domain that resolves string Not Specified

to this FortiGate unit.

Fortinet Inc.
acme-email Contact email address that string Not Specified

is required by some CAs like
LetsEncrypt.
acme-renew- Beginning of the renewal integer Minimum 30

window window. value: 1
Maximum
value: 60
acme-rsa-key- Length of the RSA private integer Minimum 2048

size key of the generated cert value: 2048
(Minimum 2048 bits). Maximum
value: 4096
auto- Number of days to wait integer Minimum 0

regenerate- before expiry of an updated value: 0
days local certificate is requested Maximum
(0 = disabled). value:
4294967295

regenerate- before an expiry warning value: 0
days-warning message is generated (0 = Maximum
disabled). value:
4294967295
ca-identifier CA identifier of the CA string Not Specified

server for signing via SCEP.
certificate PEM format certificate. user Not Specified
cmp-path Path location inside CMP string Not Specified

server.
cmp- CMP auto-regeneration option - keyupate

regeneration- method.
method
Option Description
keyupate Key Update.
renewal Renewal.
cmp-server Address and port for CMP string Not Specified

server (format =
address:port).
cmp-server-cert CMP server certificate. string Not Specified
comments Comment. string Not Specified
csr Certificate Signing Request. user Not Specified

Fortinet Inc.
enroll-protocol Certificate enrollment option - none

protocol.
Option Description
none None (default).
scep Simple Certificate Enrollment Protocol.
cmpv2 Certificate Management Protocol Version 2.
acme2 Automated Certificate Management Environment Version 2.
ike-localid Local ID the FortiGate uses string Not Specified

for authentication as a VPN
client.
ike-localid-type IKE local ID type. option - asn1dn
Option Description
asn1dn ASN.1 distinguished name.
fqdn Fully qualified domain name.
name-encoding Name encoding method for option - printable

auto-regeneration.
Option Description
printable Printable encoding (default).
utf8 UTF-8 encoding.
password Password as a PEM file. password Not Specified
private-key PEM format key encrypted user Not Specified

with a password.
range Either a global or VDOM IP option - global

address range for the
certificate.
Option Description
scep-password SCEP server challenge password Not Specified

password for auto-
regeneration.

Fortinet Inc.
scep-url SCEP server URL. string Not Specified
Option Description
source-ip Source IP address for ipv4- Not Specified 0.0.0.0

communications to the address
SCEP server.
state Certificate Signing Request user Not Specified

State.
config certificate remote
Remote certificate as a PEM file.

Description: Remote certificate as a PEM file.
edit <name>
set name {string}
set remote {user}
next
end
name Name. string Not

Specified
range Either the global or VDOM IP address range for the option - global
remote certificate.
Option Description
remote Remote certificate. user Not

Specified

Fortinet Inc.
source Remote certificate source type. option - user
Option Description

Fortinet Inc.
dlp

l config dlp filepattern on page 94
l config dlp fp-doc-source on page 97
l config dlp sensitivity on page 100
l config dlp sensor on page 101
l config dlp settings on page 106
config dlp filepattern
Configure file patterns used by DLP blocking.

Description: Configure file patterns used by DLP blocking.
edit <id>
config entries
Description: Configure file patterns used by DLP blocking.
edit <pattern>
set filter-type [pattern|type]
set pattern {string}
set file-type [7z|arj|...]
next
end
set id {integer}
set name {string}
next
end
comment Optional comments. var-string Not Specified

value: 0
Maximum
value:
4294967295
name Name of table containing the file pattern list. string Not Specified

Fortinet Inc.
config entries
filter-type Filter by file name pattern or by file type. option - pattern
Option Description
pattern Filter by file name pattern.
type Filter by file type.
pattern Add a file name pattern. string Not

Specified
file-type Select a file type. option - unknown
Option Description
7z Match 7-zip files.
arj Match arj compressed files.
cab Match Windows cab files.
lzh Match lzh compressed files.
rar Match rar archives.
tar Match tar files.
zip Match zip files.
bzip Match bzip files.
gzip Match gzip files.
bzip2 Match bzip2 files.
xz Match xz files.
bat Match Windows batch files.
uue Match uue files.
mime Match mime files.
base64 Match base64 files.
binhex Match binhex files.
elf Match elf files.
exe Match Windows executable files.
hta Match hta files.
html Match html files.
jad Match jad files.

Fortinet Inc.
Option Description
class Match class files.
cod Match cod files.
javascript Match javascript files.
msoffice Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg Match fsg files.
upx Match upx files.
petite Match petite files.
aspack Match aspack files.
sis Match sis files.
hlp Match Windows help files.
activemime Match activemime files.
jpeg Match jpeg files.
gif Match gif files.
tiff Match tiff files.
png Match png files.
bmp Match bmp files.
unknown Match unknown files.
mpeg Match mpeg files.
mov Match mov files.
mp3 Match mp3 files.
wma Match wma files.
wav Match wav files.
pdf Match Acrobat PDF files.
avi Match avi files.
rm Match rm files.
torrent Match torrent files.
hibun Match special-file-23-support files.
msi Match Windows Installer msi files.

Fortinet Inc.
Option Description
mach-o Match Mach object files.
dmg Match Apple disk image files.
.net Match .NET files.
xar Match xar archive files.
chm Match Windows compiled HTML help files.
iso Match ISO archive files.
crx Match Chrome extension files.
flac Match flac files.
config dlp fp-doc-source
This command is available for model(s): FortiGate 1000D, FortiGate 101E, FortiGate 101F,
FortiGate 1101E, FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 1801F,
FortiGate 2000E, FortiGate 201E, FortiGate 201F, FortiGate 2201E, FortiGate 2500E,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3301E, FortiGate 3401E, FortiGate 3501F, FortiGate 3601E,
FortiGate 3700D, FortiGate 3800D, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F,
FortiGate 4201F, FortiGate 4401F, FortiGate 5001E1, FortiGate 501E, FortiGate 601E,
FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 80F Bypass,
FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D,
FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F,
FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi
80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 100EF, FortiGate 100E, FortiGate 100F, FortiGate 1100E,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 200E, FortiGate 200F,
FortiGate 2200E, FortiGate 300E, FortiGate 3300E, FortiGate 3400E, FortiGate 3500F,
FortiGate 3600E, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E,
FortiGate 4200F, FortiGate 4400F, FortiGate 5001E, FortiGate 500E, FortiGate 600E,
FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 80E-
POE, FortiGate 80E, FortiGate 80F-POE, FortiGate 80F, FortiGate 90E, FortiWiFi 60E DSL,
FortiWiFi 60E.
Create a DLP fingerprint database by allowing the FortiGate to access a file server containing files from which to create
fingerprints.
Description: Create a DLP fingerprint database by allowing the FortiGate to access a
file server containing files from which to create fingerprints.
edit <name>
set date {integer}
set file-path {string}

Fortinet Inc.
set file-pattern {string}
set keep-modified [enable|disable]
set name {string}
set period [none|daily|...]
set remove-deleted [enable|disable]
set scan-on-creation [enable|disable]
set scan-subdirectories [enable|disable]
set sensitivity {string}
set server {string}
set server-type {option}
set tod-hour {integer}
set tod-min {integer}
set vdom [mgmt|current]
set weekday [sunday|monday|...]
next
end
date Day of the month on which to scan the server. integer Minimum 1
value: 1
Maximum
value: 31
file-path Path on the server to the fingerprint files (max 119 string Not
characters). Specified
file-pattern Files matching this pattern on the server are string Not *
fingerprinted. Optionally use the * and ? wildcards. Specified
keep-modified Enable so that when a file is changed on the server option - enable
the FortiGate keeps the old fingerprint and adds a
new fingerprint to the database.
Option Description
enable Keep the old fingerprint and add a new fingerprint when a file is changed on
the server.
disable Replace the old fingerprint with the new fingerprint when a file is changed on
the server.
name Name of the DLP fingerprint database. string Not

Specified
password Password required to log into the file server. password Not
Specified
period Frequency for which the FortiGate checks the server option - none
for new or changed files.

Fortinet Inc.
Option Description
none Check the server when the FortiGate starts up.
daily Check the server once a day.
weekly Check the server once a week.
monthly Check the server once a month.
remove-deleted Enable to keep the fingerprint database up to date option - enable

when a file is deleted from the server.
Option Description
enable Keep the fingerprint database up to date when a file is deleted from the
server.
disable Do not check for deleted files on the server. Saves system resources.
scan-on- Enable to keep the fingerprint database up to date option - enable

creation when a file is added or changed on the server.
Option Description
enable Keep the fingerprint database up to date when a file is added or changed on
the server.
disable Do not check for added or changed files on the server. Saves system
resources.
scan- Enable/disable scanning subdirectories to find files to option - enable

subdirectories create fingerprints from.
Option Description
enable Scan subdirectories.
disable Do not scan subdirectories.
sensitivity Select a sensitivity or threat level for matches with string Not
this fingerprint database. Add sensitivities using Specified
sensitivity.
server IPv4 or IPv6 address of the server. string Not

Specified
server-type Protocol used to communicate with the file server. option - samba
Currently only Samba (SMB) servers are supported.
Option Description
samba SAMBA server.

Fortinet Inc.
tod-hour Hour of the day on which to scan the server. integer Minimum 1
value: 0
Maximum
value: 23
tod-min Minute of the hour on which to scan the server. integer Minimum 0
value: 0
Maximum
value: 59
username User name required to log into the file server. string Not
Specified
vdom Select the VDOM that can communicate with the file option - mgmt
server.
Option Description
mgmt Communicate with the file server through the management VDOM.
current Communicate with the file server through the VDOM containing this DLP
fingerprint database configuration.
weekday Day of the week on which to scan the server. option - sunday
Option Description
sunday Sunday
monday Monday
tuesday Tuesday
wednesday Wednesday
thursday Thursday
friday Friday
saturday Saturday
config dlp sensitivity
Create self-explanatory DLP sensitivity levels to be used when setting sensitivity under config fp-doc-source.
Description: Create self-explanatory DLP sensitivity levels to be used when setting
sensitivity under config fp-doc-source.
edit <name>
set name {string}
next
end

Fortinet Inc.
name DLP Sensitivity Levels. string Not

Specified
config dlp sensor
Configure DLP sensors.

config dlp sensor
Description: Configure DLP sensors.
edit <name>
set dlp-log [enable|disable]
config filter
Description: Set up DLP filters for this sensor.
edit <id>
set id {integer}
set name {string}
set severity [info|low|...]
set type [file|message]
set proto {option1}, {option2}, ...
set filter-by [credit-card|ssn|...]
set file-size {integer}
set company-identifier {string}
set sensitivity <name1>, <name2>, ...
set match-percentage {integer}
set file-type {integer}
set regexp {string}
set archive [disable|enable]
set action [allow|log-only|...]
set expiry {user}
next
end
set full-archive-proto {option1}, {option2}, ...
set nac-quar-log [enable|disable]
set name {string}
set summary-proto {option1}, {option2}, ...
next
end

Fortinet Inc.
config dlp sensor
comment Comment. var-string Not

Specified
dlp-log Enable/disable DLP logging. option - enable
Option Description
enable Enable DLP logging.
disable Disable DLP logging.
extended-log Enable/disable extended logging for data leak option - disable

prevention.
Option Description
Option Description
full-archive- Protocols to always content archive. option -

proto
Option Description
smtp SMTP.
pop3 POP3.
imap IMAP.
http-get HTTP GET.
http-post HTTP POST.
ftp FTP.
nntp NNTP.
mapi MAPI.
ssh SFTP and SCP.
cifs CIFS.
nac-quar-log Enable/disable NAC quarantine logging. option - disable

Fortinet Inc.
Option Description
enable Enable NAC quarantine logging.
disable Disable NAC quarantine logging.
name Name of the DLP sensor. string Not

Specified
replacemsg- Replacement message group used by this DLP sensor. string Not
group Specified
summary- Protocols to always log summary. option -

proto
Option Description
smtp SMTP.
pop3 POP3.
imap IMAP.
http-get HTTP GET.
ftp FTP.
nntp NNTP.
mapi MAPI.
ssh SFTP and SCP.
cifs CIFS.
config filter

value: 0
Maximum
value:
4294967295
name Filter name. string Not Specified
severity Select the severity or threat level that matches this option - medium
filter.

Fortinet Inc.
Option Description
info Informational.
low Low.
medium Medium.
high High.
critical Critical.
type Select whether to check the content of messages (an option - file
email message) or files (downloaded files or email
attachments).
Option Description
file Check the contents of downloaded or attached files.
message Check the contents of email messages, web pages, etc.
proto Check messages or files over one or more of these option -

protocols.
Option Description
smtp SMTP.
pop3 POP3.
imap IMAP.
http-get HTTP GET.
ftp FTP.
nntp NNTP.
mapi MAPI.
ssh SFTP and SCP.
cifs CIFS.
filter-by Select the type of content to match. option - credit-card
Option Description
credit-card Match credit cards.
ssn Match social security numbers.

Fortinet Inc.
Option Description
regexp Use a regular expression to match content.
file-type Match a DLP file pattern list.
file-size Match any file over with a size over the threshold.
fingerprint Match against a fingerprint sensitivity.
watermark Look for defined file watermarks.
encrypted Look for encrypted files.
file-size Match files this size or larger. integer Minimum 10 **

value: 0
Maximum
value:
4294967295
company- Enter a company identifier watermark to match. Only string Not Specified
identifier watermarks that your company has placed on the
files are matched.
sensitivity Select a DLP file pattern sensitivity to match. string Maximum

<name> Select a DLP sensitivity. length: 35
match- Percentage of fingerprints in the fingerprint integer Minimum 10

percentage * databases designated with the selected sensitivity to value: 1
match. Maximum
value: 100
file-type Select the number of a DLP file pattern table to integer Minimum 0
match. value: 0
Maximum
value:
4294967295
regexp Enter a regular expression to match (max. 255 string Not Specified
characters).
archive Enable/disable DLP archiving. option - disable
Option Description
disable No DLP archiving.
enable Enable full DLP archiving.
action Action to take with content that this DLP sensor option - allow
matches.

Fortinet Inc.
Option Description
allow Allow the content to pass through the FortiGate and do not create a log
message.
log-only Allow the content to pass through the FortiGate, but write a log message.
block Block the content and write a log message.
quarantine-ip Quarantine all traffic from the IP address and write a log message.
expiry Quarantine duration in days, hours, minutes (format = user Not Specified 5m
dddhhmm).
* This parameter may not exist in some models.

config dlp settings
FortiWiFi 60E.
Designate logical storage for DLP fingerprint database.

config dlp settings
Description: Designate logical storage for DLP fingerprint database.
set cache-mem-percent {integer}
set chunk-size {integer}
set db-mode [stop-adding|remove-modified-then-oldest|...]
set size {integer}

Fortinet Inc.
set storage-device {string}
end
config dlp settings
cache-mem- Maximum percentage of available memory allocated integer Minimum 2

percent to caching. value: 1
Maximum
value: 15
chunk-size Maximum fingerprint chunk size. Caution, changing integer Minimum 2800
this setting will flush the entire database. value: 100
Maximum
value: 100000
db-mode Behavior when the maximum size is reached. option - stop-adding
Option Description
stop-adding Stop adding entries.
remove- Remove modified chunks first, then oldest file entries.

modified-then-
oldest
remove-oldest Remove the oldest files first.
size Maximum total size of files within the storage (MB). integer Minimum 16
value: 16
Maximum
value:
4294967295
storage- Storage device name. string Not Specified

device

Fortinet Inc.
dnsfilter

l config dnsfilter domain-filter on page 108
l config dnsfilter profile on page 109
config dnsfilter domain-filter
Configure DNS domain filters.

Description: Configure DNS domain filters.
edit <id>
config entries
Description: DNS domain filter entries.
edit <id>
set id {integer}
set domain {string}
set type [simple|regex|...]
set action [block|allow|...]
next
end
set id {integer}
set name {string}
next
end

value: 0
Maximum
value:
4294967295
name Name of table. string Not Specified

Fortinet Inc.
config entries
id Id. integer Minimum 0

value: 0
Maximum
value:
4294967295
domain Domain entries to be filtered. string Not Specified
type DNS domain filter type. option - simple
Option Description
simple Simple domain string.
regex Regular expression domain string.
wildcard Wildcard domain string.
action Action to take for domain filter matches. option - block
Option Description
block Block DNS requests matching the domain filter.
allow Allow DNS requests matching the domain filter without logging.
monitor Allow DNS requests matching the domain filter with logging.
status Enable/disable this domain filter. option - enable
Option Description
enable Enable this domain filter.
disable Disable this domain filter.
config dnsfilter profile
Configure DNS domain filter profile.

Description: Configure DNS domain filter profile.
edit <name>
set block-action [block|redirect|...]
set block-botnet [disable|enable]
config dns-translation
Description: DNS translation settings.
edit <id>
set id {integer}
set addr-type [ipv4|ipv6]

Fortinet Inc.
set src {ipv4-address}
set dst {ipv4-address}
set netmask {ipv4-netmask}
set src6 {ipv6-address}
set dst6 {ipv6-address}
set prefix {integer}
next
end
config domain-filter
Description: Domain filter settings.
set domain-filter-table {integer}
end
set external-ip-blocklist <name1>, <name2>, ...
config ftgd-dns
Description: FortiGuard DNS Filter settings.
config filters
Description: FortiGuard DNS domain filters.
edit <id>
set id {integer}
set action [block|monitor]
next
end
end
set log-all-domain [enable|disable]
set name {string}
set redirect-portal {ipv4-address}
set redirect-portal6 {ipv6-address}
set safe-search [disable|enable]
set sdns-domain-log [enable|disable]
set sdns-ftgd-err-log [enable|disable]
set youtube-restrict [strict|moderate]
next
end
block-action Action to take for blocked domains. option - redirect
Option Description
block Return NXDOMAIN for blocked domains.
redirect Redirect blocked domains to SDNS portal.
block-sevrfail Return SERVFAIL for blocked domains.
block-botnet Enable/disable blocking botnet C&C DNS lookups. option - disable

Fortinet Inc.
Option Description
disable Disable blocking botnet C&C DNS lookups.
enable Enable blocking botnet C&C DNS lookups.

Specified
external-ip- One or more external IP block lists. string Maximum

blocklist External domain block list name. length: 79
<name>
log-all-domain Enable/disable logging of all domains visited (detailed option - disable

DNS logging).
Option Description
enable Enable logging of all domains visited.
disable Disable logging of all domains visited.
name Profile name. string Not

Specified
redirect-portal IPv4 address of the SDNS redirect portal. ipv4- Not 0.0.0.0
address Specified
redirect- IPv6 address of the SDNS redirect portal. ipv6- Not ::

portal6 address Specified
safe-search Enable/disable Google, Bing, YouTube, Qwant, option - disable

DuckDuckGo safe search.
Option Description
disable Disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.
enable Enable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.
sdns-domain- Enable/disable domain filtering and botnet domain option - enable

log logging.
Option Description
enable Enable domain filtering and botnet domain logging.
disable Disable domain filtering and botnet domain logging.
sdns-ftgd-err- Enable/disable FortiGuard SDNS rating error logging. option - enable

log

Fortinet Inc.
Option Description
enable Enable FortiGuard SDNS rating error logging.
disable Disable FortiGuard SDNS rating error logging.
youtube- Set safe search for YouTube restriction level. option - strict
restrict
Option Description
strict Enable strict safe seach for YouTube.
moderate Enable moderate safe search for YouTube.
config dns-translation

value: 0
Maximum
value:
4294967295
addr-type DNS translation type (IPv4 or IPv6). option - ipv4
Option Description
ipv4 IPv4 address type.
ipv6 IPv6 address type.
src IPv4 address or subnet on the internal ipv4- Not Specified 0.0.0.0
network to compare with the resolved address address
in DNS query replies. If the resolved address
matches, the resolved address is substituted
with dst.
dst IPv4 address or subnet on the external ipv4- Not Specified 0.0.0.0
network to substitute for the resolved address address
in DNS query replies. Can be single IP
address or subnet on the external network, but
number of addresses must equal number of
mapped IP addresses in src.
netmask If src and dst are subnets rather than single IP ipv4- Not Specified 255.255.255.255
addresses, enter the netmask for both src and netmask
dst.
status Enable/disable this DNS translation entry. option - enable

Fortinet Inc.
Option Description
enable Enable this DNS translation.
disable Disable this DNS translation.
src6 IPv6 address or subnet on the internal ipv6- Not Specified ::

with dst6.
dst6 IPv6 address or subnet on the external ipv6- Not Specified ::

mapped IP addresses in src6.
prefix If src6 and dst6 are subnets rather than single integer Minimum 128
IP addresses, enter the prefix for both src6 value: 1
and dst6. Maximum
value: 128
config domain-filter
domain-filter- DNS domain filter table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295
config ftgd-dns
options FortiGuard DNS filter options. option -
Option Description
error-allow Allow all domains when FortiGuard DNS servers fail.
ftgd-disable Disable FortiGuard DNS domain rating.

Fortinet Inc.
config filters
id ID number. integer Minimum 0

value: 0
Maximum
value: 255
category Category number. integer Minimum 0

value: 0
Maximum
value: 255
action Action to take for DNS requests matching the category. option - monitor
Option Description
block Block DNS requests matching the category.
monitor Allow DNS requests matching the category and log the result.
log Enable/disable DNS filter logging for this DNS profile. option - enable
Option Description
enable Enable DNS filter logging.
disable Disable DNS filter logging.

Fortinet Inc.
dpdk

l config dpdk cpus on page 115
l config dpdk global on page 116
config dpdk cpus
This command is available for model(s): FortiGate VM64.

It is not available for: FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 100F,
FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 1200D,
FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F,
FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 201E,
FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F,
FortiGate 2601F, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E,
FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D,
FortiGate 3800D, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate
400E, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate
4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate
500E, FortiGate 501E, FortiGate 600E, FortiGate 601E, FortiGate 60E DSLJ, FortiGate 60E
DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F,
FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-
POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F,
FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGateRugged 60F 3G4G,
FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E,
FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE,
FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
Configure CPUs enabled to run engines in each DPDK stage.

config dpdk cpus
Description: Configure CPUs enabled to run engines in each DPDK stage.
set rx-cpus {string}
set vnp-cpus {string}
set ips-cpus {string}
set tx-cpus {string}
set isolated-cpus {string}
end

Fortinet Inc.
config dpdk cpus
rx-cpus CPUs enabled to run DPDK RX engines. string Not all

Specified
vnp-cpus CPUs enabled to run DPDK VNP engines. string Not all
Specified
ips-cpus CPUs enabled to run DPDK IPS engines. string Not all
Specified
tx-cpus CPUs enabled to run DPDK TX engines. string Not all

Specified
isolated-cpus CPUs isolated to run only the DPDK engines with the string Not none
exception of processes that have affinity explicitly set by Specified
either a user configuration or by their implementation.
config dpdk global

Configure global DPDK options.

config dpdk global
Description: Configure global DPDK options.
set status [disable|enable]
set interface <interface-name1>, <interface-name2>, ...
set multiqueue [disable|enable]

Fortinet Inc.
set sleep-on-idle [disable|enable]
set elasticbuffer [disable|enable]
set per-session-accounting [disable|traffic-log-only|...]
set ipsec-offload [disable|enable]
set hugepage-percentage {integer}
set mbufpool-percentage {integer}
end
config dpdk global
status Enable/disable DPDK operation for the entire option - disable

system.
Option Description
disable Disable DPDK operation.
enable Enable DPDK operation. *The minimum system requirements for DPDK is
2 vCPUs and 4GB memory.
interface Physical interfaces that enable DPDK. string Maximum

<interface- Physical interface name. length: 31
name>
multiqueue Enable/disable multi-queue RX/TX support for all option - disable

DPDK ports.
Option Description
disable Disable multi-queue RX/TX support for DPDK ports.
enable Enable multi-queue RX/TX support for DPDK ports.
sleep-on-idle Enable/disable sleep-on-idle support for all FDH option - disable

engines.
Option Description
disable Disable sleep-on-idle support for FDH engines.
enable Enable sleep-on-idle support for FDH engines.
elasticbuffer Enable/disable elasticbuffer support for all DPDK option - disable

ports.
Option Description
disable Disable elasticbuffer support for DPDK ports.
enable Enable elasticbuffer support for DPDK ports.

Fortinet Inc.
per-session- Enable/disable per-session accounting. option - traffic-log-

accounting only
Option Description
disable Disable per-session accounting.
traffic-log-only Enable per-session accounting only for VNP sessions with traffic logging
turned on in firewall policy.
enable Enable per-session accounting for all VNP sessions. *Affect performance.
ipsec-offload Enable/disable DPDK IPsec phase 2 offloading. option - disable
Option Description
disable Disable DPDK IPsec phase 2 offloading.
enable Enable DPDK IPsec phase 2 offloading.
hugepage- Percentage of main memory allocated to hugepages, integer Minimum 30

percentage which are available for DPDK operation. value: 15
Maximum
value: 50
mbufpool- Percentage of main memory allocated to DPDK integer Minimum 25

percentage packet buffer. value: 10
Maximum
value: 45

Fortinet Inc.
emailfilter

l config emailfilter block-allow-list on page 119
l config emailfilter bword on page 121
l config emailfilter dnsbl on page 123
l config emailfilter fortishield on page 124
l config emailfilter iptrust on page 125
l config emailfilter mheader on page 126
l config emailfilter options on page 128
l config emailfilter profile on page 128
config emailfilter block-allow-list
Configure anti-spam block/allow list.

Description: Configure anti-spam block/allow list.
edit <id>
config entries
Description: Anti-spam block/allow entries.
edit <id>
set id {integer}
set type [ip|email]
set action [reject|spam|...]
set ip4-subnet {ipv4-classnet}
set ip6-subnet {ipv6-network}
set pattern-type [wildcard|regexp]
set email-pattern {string}
next
end
set id {integer}
set name {string}
next
end

Fortinet Inc.

value: 0
Maximum
value:
4294967295
config entries
status Enable/disable status. option - enable
Option Description
enable Enable status.
disable Disable status.

value: 0
Maximum
value:
4294967295
type Entry type. option - ip
Option Description
ip By IP address.
email By email address.
action Reject, mark as spam or good email. option - spam
Option Description
reject Reject the connection.
spam Mark as spam email.
clear Mark as good email.
addr-type IP address type. option - ipv4
Option Description
ipv4 IPv4 Address type.

Fortinet Inc.
ip4-subnet IPv4 network address/subnet mask bits. ipv4- Not Specified 0.0.0.0
classnet 0.0.0.0
ip6-subnet IPv6 network address/subnet mask bits. ipv6- Not Specified ::/128
network
pattern-type Wildcard pattern or regular expression. option - wildcard
Option Description
wildcard Wildcard pattern.
regexp Perl regular expression.
email-pattern Email address pattern. string Not Specified
config emailfilter bword
Configure AntiSpam banned word list.

Description: Configure AntiSpam banned word list.
edit <id>
config entries
Description: Spam filter banned word.
edit <id>
set id {integer}
set action [spam|clear]
set where [subject|body|...]
set language [western|simch|...]
set score {integer}
next
end
set id {integer}
set name {string}
next
end

Fortinet Inc.

value: 0
Maximum
value:
4294967295
config entries
Option Description
id Banned word entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
pattern Pattern for the banned word. string Not Specified
Option Description
action Mark spam or good. option - spam
Option Description
where Component of the email to be scanned. option - all
Option Description
subject Banned word in email subject.
body Banned word in email body.
all Banned word in both subject and body.

Fortinet Inc.
language Language for the banned word. option - western
Option Description
western Western.
simch Simplified Chinese.
trach Traditional Chinese.
japanese Japanese.
korean Korean.
french French.
thai Thai.
spanish Spanish.
score Score value. integer Minimum 10

value: 1
Maximum
value: 99999
config emailfilter dnsbl
Configure AntiSpam DNSBL/ORBL.

Description: Configure AntiSpam DNSBL/ORBL.
edit <id>
config entries
Description: Spam filter DNSBL and ORBL server.
edit <id>
set id {integer}
set server {string}
set action [reject|spam]
next
end
set id {integer}
set name {string}
next
end

Fortinet Inc.

value: 0
Maximum
value:
4294967295
config entries
Option Description
id DNSBL/ORBL entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
server DNSBL or ORBL server name. string Not Specified
action Reject connection or mark as spam email. option - spam
Option Description
reject Reject the connection.
config emailfilter fortishield
Configure FortiGuard - AntiSpam.

Description: Configure FortiGuard - AntiSpam.
set spam-submit-force [enable|disable]
set spam-submit-srv {string}
set spam-submit-txt2htm [enable|disable]
end

Fortinet Inc.
spam-submit- Enable/disable force insertion of a new mime option - enable

force entity for the submission text.
Option Description
spam-submit- Hostname of the spam submission server. string Not www.nospammer.net

srv Specified
spam-submit- Enable/disable conversion of text email to option - enable

txt2htm HTML email.
Option Description
config emailfilter iptrust
Configure AntiSpam IP trust.

Description: Configure AntiSpam IP trust.
edit <id>
config entries
Description: Spam filter trusted IP addresses.
edit <id>
set id {integer}
set ip4-subnet {ipv4-classnet}
set ip6-subnet {ipv6-network}
next
end
set id {integer}
set name {string}
next
end

Fortinet Inc.

value: 0
Maximum
value:
4294967295
config entries
Option Description
id Trusted IP entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
addr-type Type of address. option - ipv4
Option Description
ip4-subnet IPv4 network address or network address/subnet ipv4- Not Specified 0.0.0.0
mask bits. classnet 0.0.0.0
ip6-subnet IPv6 network address/subnet mask bits. ipv6- Not Specified ::/128
network
config emailfilter mheader
Configure AntiSpam MIME header.

Description: Configure AntiSpam MIME header.
edit <id>

Fortinet Inc.
config entries
Description: Spam filter mime header content.
edit <id>
set id {integer}
set fieldname {string}
set fieldbody {string}
set action [spam|clear]
next
end
set id {integer}
set name {string}
next
end

value: 0
Maximum
value:
4294967295
config entries
Option Description
id Mime header entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
fieldname Pattern for header field name. string Not Specified
fieldbody Pattern for the header field body. string Not Specified

Fortinet Inc.
Option Description
action Mark spam or good. option - spam
Option Description
config emailfilter options
Configure AntiSpam options.

Description: Configure AntiSpam options.
set dns-timeout {integer}
end
dns-timeout DNS query time out. integer Minimum 7

value: 1
Maximum
value: 30
config emailfilter profile
Configure Email Filter profiles.

Description: Configure Email Filter profiles.
edit <name>
set external [enable|disable]
config gmail
Description: Gmail.
set log-all [disable|enable]
end
config imap

Fortinet Inc.
Description: IMAP.
set action [pass|tag]
set tag-type {option1}, {option2}, ...
set tag-msg {string}
end
config mapi
Description: MAPI.
set action [pass|discard]
end
config msn-hotmail
Description: MSN Hotmail.
end
set name {string}
config other-webmails
Description: Other supported webmails.
end
config pop3
Description: POP3.
set action [pass|tag]
end
config smtp
Description: SMTP.
set action [pass|tag|...]
set hdrip [disable|enable]
set local-override [disable|enable]
end
set spam-bal-table {integer}
set spam-bword-table {integer}
set spam-bword-threshold {integer}
set spam-filtering [enable|disable]
set spam-iptrust-table {integer}
set spam-log [disable|enable]
set spam-log-fortiguard-response [disable|enable]
set spam-mheader-table {integer}
set spam-rbl-table {integer}
config yahoo-mail
Description: Yahoo! Mail.
end
next
end

Fortinet Inc.
external Enable/disable external Email inspection. option - disable
Option Description
Option Description
options Options. option -
Option Description
bannedword Content block.
spambal Block/allow list.
spamfsip Email IP address FortiGuard AntiSpam block list check.
spamfssubmit Add FortiGuard AntiSpam spam submission text.
spamfschksum Email checksum FortiGuard AntiSpam check.
spamfsurl Email content URL FortiGuard AntiSpam check.
spamhelodns Email helo/ehlo domain DNS check.
spamraddrdns Email return address DNS check.
spamrbl Email DNSBL & ORBL check.
spamhdrcheck Email mime header check.
spamfsphish Email content phishing URL FortiGuard AntiSpam check.
replacemsg- Replacement message group. string Not Specified

group
spam-bal-table Anti-spam block/allow list table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
spam-bword- Anti-spam banned word table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295
spam-bword- Spam banned word threshold. integer Minimum 10

threshold value: 0
Maximum
value:
2147483647
spam-filtering Enable/disable spam filtering. option - disable
Option Description
spam-iptrust- Anti-spam IP trust table ID. integer Minimum 0

table value: 0
Maximum
value:
4294967295
spam-log Enable/disable spam logging for email filtering. option - enable
Option Description
disable Disable spam logging for email filtering.
enable Enable spam logging for email filtering.
spam-log- Enable/disable logging FortiGuard spam response. option - disable

fortiguard-
response
Option Description
disable Disable logging FortiGuard spam response.
enable Enable logging FortiGuard spam response.
spam- Anti-spam MIME header table ID. integer Minimum 0

mheader-table value: 0
Maximum
value:
4294967295

Fortinet Inc.
spam-rbl-table Anti-spam DNSBL table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config gmail
log-all Enable/disable logging of all email traffic. option - disable
Option Description
disable Disable logging of all email traffic.
enable Enable logging of all email traffic.
config imap
Option Description
action Action for spam email. option - tag
Option Description
pass Allow spam email to pass through.
tag Tag spam email with configured text in subject or header.
tag-type Tag subject or header for spam email. option - subject

spaminfo
Option Description
subject Prepend text to spam email subject.
header Append a user defined mime header to spam email.
spaminfo Append spam info to spam email header.
tag-msg Subject text or header added to spam email. string Not Spam
Specified

Fortinet Inc.
config mapi
Option Description
action Action for spam email. option - pass
Option Description
discard Discard (block) spam email.
config msn-hotmail
Option Description
config other-webmails
Option Description
config pop3

Fortinet Inc.
Option Description
action Action for spam email. option - tag
Option Description

spaminfo
Option Description
Specified
config smtp
Option Description
action Action for spam email. option - discard
Option Description
discard Discard (block) spam email.

spaminfo

Fortinet Inc.
Option Description
Specified
hdrip Enable/disable SMTP email header IP checks for option - disable

spamfsip, spamrbl, and spambal filters.
Option Description
disable Disable SMTP email header IP checks for spamfsip, spamrbl, and spambal
filters.
enable Enable SMTP email header IP checks for spamfsip, spamrbl, and spambal
filters.
local-override Enable/disable local filter to override SMTP remote option - disable

check result.
Option Description
disable Disable local filter to override SMTP remote check result.
enable Enable local filter to override SMTP remote check result.
config yahoo-mail
Option Description

Fortinet Inc.
endpoint-control

l config endpoint-control fctems on page 136
config endpoint-control fctems
Configure FortiClient Enterprise Management Server (EMS) entries.

Description: Configure FortiClient Enterprise Management Server (EMS) entries.
edit <ems-id>
set call-timeout {integer}
set capabilities {option1}, {option2}, ...
set cloud-server-type [production|alpha|...]
set dirty-reason [none|mismatched-ems-sn]
set ems-id {integer}
set fortinetone-cloud-authentication [enable|disable]
set https-port {integer}
set interface {string}
set interface-select-method [auto|sdwan|...]
set name {string}
set out-of-sync-threshold {integer}
set preserve-ssl-session [enable|disable]
set pull-avatars [enable|disable]
set pull-malware-hash [enable|disable]
set pull-sysinfo [enable|disable]
set pull-tags [enable|disable]
set pull-vulnerabilities [enable|disable]
set serial-number {string}
set server {string}
set source-ip {ipv4-address-any}
set websocket-override [disable|enable]
next
end
call-timeout FortiClient EMS call timeout in seconds. integer Minimum 30

value: 1
Maximum
value: 180
capabilities List of EMS capabilities. option -

Fortinet Inc.
Option Description
fabric-auth Allow this FortiGate unit to load the authentication page provided by EMS to
authenticate itself with EMS.
silent-approval Allow silent approval of non-root or FortiGate HA clusters on EMS in the

Security Fabric.
websocket Enable/disable websockets for this FortiGate unit. Override behavior using
websocket-override.
websocket- Allow this FortiGate unit to request malware hash notifications over
malware websocket.
push-ca-certs Enable/disable syncing deep inspection certificates with EMS.
common-tags- Can recieve tag information from New Common Tags API from EMS.
api
cloud-server- Cloud server type. option - production

type
Option Description
production Production FortiClient EMS Cloud Controller.
alpha Alpha FortiClient EMS Cloud Controller. For testing only.
beta Beta FortiClient EMS Cloud Controller. For testing only.
dirty-reason Dirty Reason for FortiClient EMS. option - none
Option Description
none FortiClient EMS entry not dirty.
mismatched- FortiClient EMS entry dirty because EMS SN is mismatched with configured
ems-sn SN.
ems-id EMS ID in order integer Minimum 0

value: 1
Maximum
value: 5
fortinetone- Enable/disable authentication of FortiClient EMS option - disable

cloud- Cloud through FortiCloud account.
authentication
Option Description
enable Enable authentication of FortiClient EMS Cloud through the use of

FortiCloud account.

Fortinet Inc.
Option Description
disable Disable authentication of FortiClient EMS Cloud through the use of

FortiCloud account.
https-port FortiClient EMS HTTPS access port number.. integer Minimum 443
value: 1
Maximum
value:
65535
interface Specify outgoing interface to reach server. string Not

Specified
interface-select- Specify how to select outgoing interface to reach option - auto

method server.
Option Description
auto Set outgoing interface automatically.
sdwan Set outgoing interface by SD-WAN or policy routing rules.
specify Set outgoing interface manually.
name FortiClient Enterprise Management Server (EMS) string Not

name. Specified
out-of-sync- Outdated resource threshold in seconds. integer Minimum 180

threshold value: 10
Maximum
value: 3600
preserve-ssl- Enable/disable preservation of EMS SSL session option - disable

session connection. Warning, most users should not touch
this setting.
Option Description
enable Allow preservation of EMS SSL session connection.
disable Don't allow preservation of EMS SSL session connection.
pull-avatars Enable/disable pulling avatars from EMS. option - enable
Option Description
enable Enable pulling FortiClient user avatars from EMS.
disable Disable pulling FortiClient user avatars from EMS.

Fortinet Inc.
pull-malware- Enable/disable pulling FortiClient malware hash from option - enable

hash EMS.
Option Description
enable Enable pulling FortiClient malware hash from EMS.
disable Disable pulling FortiClient malware hash from EMS.
pull-sysinfo Enable/disable pulling SysInfo from EMS. option - enable
Option Description
enable Enable pulling FortiClient user SysInfo from EMS.
disable Disable pulling FortiClient user SysInfo from EMS.
pull-tags Enable/disable pulling FortiClient user tags from option - enable

EMS.
Option Description
enable Enable pulling FortiClient user tags from EMS.
disable Disable pulling FortiClient user tags from EMS.
pull- Enable/disable pulling vulnerabilities from EMS. option - enable

vulnerabilities
Option Description
enable Enable pulling client vulnerabilities from EMS.
disable Disable pulling client vulnerabilities from EMS.
serial-number EMS Serial Number. string Not

Specified
server FortiClient EMS FQDN or IPv4 address. string Not

Specified
source-ip REST API call source IP. ipv4- Not 0.0.0.0

address- Specified
any
status Enable or disable this EMS configuration. option - disable
Option Description
enable Enable EMS configuration and operation.
disable Disable EMS configuration and operation.

Fortinet Inc.
websocket- Enable/disable override behavior for how this option - disable

override FortiGate unit connects to EMS using a WebSocket
connection.
Option Description
disable Do not override the WebSocket connection. Connect to WebSocket of this

EMS server if it is capable (default).
enable Override the WebSocket connection. Do not connect to WebSocket even if

EMS is capable of a WebSocket connection.

Fortinet Inc.
extender

l config extender extender-info on page 141
l config extender lte-carrier-by-mcc-mnc on page 141
l config extender lte-carrier-list on page 142
l config extender modem-status on page 142
l config extender session-info on page 142
l config extender sys-info on page 142
config extender extender-info
Display FortiExtender struct information.

Description: Display FortiExtender struct information.
set <sn> {string}
end
<sn> FortiExtender serial number. string Not

Specified
config extender lte-carrier-by-mcc-mnc
Display FortiExtender modem carrier based on MCC and MNC.

Description: Display FortiExtender modem carrier based on MCC and MNC.
set <sn> {string}
end

Specified

Fortinet Inc.
config extender lte-carrier-list
Display FortiExtender modem carrier list.

Description: Display FortiExtender modem carrier list.
set <sn> {string}
end

Specified
config extender modem-status
Display detailed FortiExtender modem status.

Description: Display detailed FortiExtender modem status.
set <sn> {string}
end

Specified
config extender session-info
Display FortiExtender session information.

config extender session-info
Description: Display FortiExtender session information.
end
config extender sys-info
Display detailed FortiExtender system information.

Description: Display detailed FortiExtender system information.
set <sn> {string}
end

Fortinet Inc.

Specified

Fortinet Inc.
extender-controller

l config extender-controller dataplan on page 144
l config extender-controller extender-profile on page 147
l config extender-controller extender on page 158
config extender-controller dataplan
FortiExtender dataplan configuration.

Description: FortiExtender dataplan configuration.
edit <name>
set apn {string}
set auth-type [none|pap|...]
set billing-date {integer}
set capacity {integer}
set carrier {string}
set iccid {string}
set modem-id [modem1|modem2|...]
set monthly-fee {integer}
set name {string}
set overage [disable|enable]
set pdn [ipv4-only|ipv6-only|...]
set preferred-subnet {integer}
set private-network [disable|enable]
set signal-period {integer}
set signal-threshold {integer}
set slot [sim1|sim2]
set type [carrier|slot|...]
next
end
apn APN configuration. string Not Specified
auth-type Authentication type. option - none

Fortinet Inc.
Option Description
none No authentication.
pap PAP.
chap CHAP.
billing-date Billing day of the month. integer Minimum 1

value: 1
Maximum
value: 31
capacity Capacity in MB. integer Minimum 0

value: 0
Maximum
value:
102400000
carrier Carrier configuration. string Not Specified
iccid ICCID configuration. string Not Specified
modem-id Dataplan's modem specifics, if any. option - all
Option Description
modem1 Modem one.
modem2 Modem two.
all All modems.
monthly-fee Monthly fee of dataplan. integer Minimum 0

value: 0
Maximum
value:
1000000
name FortiExtender data plan name. string Not Specified
overage Enable/disable dataplan overage detection. option - disable
Option Description
disable Disable dataplan overage detection.
enable Enable dataplan overage detection.
password Password. password Not Specified
pdn PDN type. option - ipv4-only

Fortinet Inc.
Option Description
ipv4-only IPv4 only PDN activation.
ipv6-only IPv6 only PDN activation.
ipv4-ipv6 Both IPv4 and IPv6 PDN activations.
preferred- Preferred subnet mask. integer Minimum 0

subnet value: 0
Maximum
value: 32
private- Enable/disable dataplan private network support. option - disable

network
Option Description
disable Disable dataplan private network support.
enable Enable dataplan private network support.
signal-period Signal period (600 to 18000 seconds). integer Minimum 3600

value: 600
Maximum
value: 18000
signal- Signal threshold. Specify the range between 50 - 100, integer Minimum 100
threshold where 50/100 means -50/-100 dBm. value: 50
Maximum
value: 100
slot SIM slot configuration. option -
Option Description
sim1 Sim slot one.
sim2 Sim slot two.
type Type preferences configuration. option - generic
Option Description
carrier Assign by SIM carrier.
slot Assign to SIM slot 1 or 2.
iccid Assign to a specific SIM by ICCID.
generic Compatible with any SIM. Assigned if no other dataplan matches the chosen
SIM.
username Username. string Not Specified

Fortinet Inc.
config extender-controller extender-profile
FortiExtender extender profile configuration.

Description: FortiExtender extender profile configuration.
edit <name>
set allowaccess {option1}, {option2}, ...
set bandwidth-limit {integer}
config cellular
Description: FortiExtender cellular configuration.
set dataplan <name1>, <name2>, ...
config controller-report
Description: FortiExtender controller report configuration.
set interval {integer}
set signal-threshold {integer}
end
config sms-notification
Description: FortiExtender cellular SMS notification configuration.
config alert
Description: SMS alert list.
set system-reboot {string}
set data-exhausted {string}
set session-disconnect {string}
set low-signal-strength {string}
set os-image-fallback {string}
set mode-switch {string}
set fgt-backup-mode-switch {string}
end
config receiver
Description: SMS notification receiver list.
edit <name>
set name {string}
set phone-number {string}
set alert {option1}, {option2}, ...
next
end
end
config modem1
Description: Configuration options for modem 1.
set redundant-mode [disable|enable]
set redundant-intf {string}
set conn-status {integer}
set default-sim [sim1|sim2|...]
set gps [disable|enable]
set sim1-pin [disable|enable]
set sim1-pin-code {password}
set preferred-carrier {string}
config auto-switch
Description: FortiExtender auto switch configuration.
set disconnect [disable|enable]

Fortinet Inc.
set disconnect-threshold {integer}
set disconnect-period {integer}
set signal [disable|enable]
set dataplan [disable|enable]
set switch-back {option1}, {option2}, ...
set switch-back-time {string}
set switch-back-timer {integer}
end
end
config modem2
Description: Configuration options for modem 2.
set redundant-mode [disable|enable]
set redundant-intf {string}
set conn-status {integer}
set default-sim [sim1|sim2|...]
set gps [disable|enable]
set preferred-carrier {string}
config auto-switch
Description: FortiExtender auto switch configuration.
set disconnect [disable|enable]
set disconnect-period {integer}
set signal [disable|enable]
set dataplan [disable|enable]
set switch-back {option1}, {option2}, ...
set switch-back-time {string}
set switch-back-timer {integer}
end
end
end
set enforce-bandwidth [enable|disable]
set extension [wan-extension|lan-extension]
set id {integer}
config lan-extension
Description: FortiExtender lan extension configuration.
set link-loadbalance [activebackup|loadbalance]
set ipsec-tunnel {string}
set backhaul-interface {string}
set backhaul-ip {string}
config backhaul
Description: LAN extension backhaul tunnel configuration.
edit <name>
set name {string}
set port [wan|lte1|...]
set role [primary|secondary]
next
end
end
set login-password {password}
set login-password-change [yes|default|...]
set model [FX201E|FX211E|...]

Fortinet Inc.
set name {string}
next
end
allowaccess Control management access to the managed option -

extender. Separate entries with a space.
Option Description
ping PING access.
telnet TELNET access.
http HTTP access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
bandwidth- FortiExtender LAN extension bandwidth limit (Mbps). integer Minimum 1024
limit value: 1
Maximum
value:
16776000
enforce- Enable/disable enforcement of bandwidth on LAN option - disable

bandwidth extension interface.
Option Description
enable Enable to enforce bandwidth limit on LAN extension interface.
disable Disable to enforce bandwidth limit on LAN extension interface.
extension Extension option. option - wan-

extension
Option Description
wan-extension WAN extension.
lan-extension LAN extension.

value: 0
Maximum
value:
102400000

Fortinet Inc.
login- Set the managed extender's administrator password. password Not Specified
password
login- Change or reset the administrator password of a option - no

password- managed extender.
change
Option Description
yes Change the managed extender's administrator password. Use the login-
password option to set the password.
default Keep the managed extender's administrator password set to the factory
default.
no Do not change the managed extender's administrator password.
model Model. option - FX201E
Option Description
FX201E FEX-201E model.
FX211E FEX-211E model.
FX200F FEX-200F model.
FXA11F FEX-101F-AM model.
FXE11F FEX-101F-EA model.
FVG21F FEV-211F model.
FVA21F FEV-211F-AM model.
FVG22F FEV-212F model.
FVA22F FEV-212F-AM model.
FX04DA FX40D-AMEU model.

Fortinet Inc.
Option Description
FX04DN FX40D-NAM model,
FX04DI FX40D-INTL model,
name FortiExtender profile name. string Not Specified
config cellular
dataplan Dataplan names. string Maximum

<name> Dataplan name. length: 79
config controller-report
status FortiExtender controller report status. option - disable
Option Description
disable Controller is configured to not provide service to this FortiExtender.
enable Controller is configured to provide service to this FortiExtender.
interval Controller report interval. integer Minimum 300

value: 0
Maximum
value:
4294967295
signal- Controller report signal threshold. integer Minimum 10

threshold value: 10
Maximum
value: 50
config sms-notification
status FortiExtender SMS notification status. option - disable
Option Description
disable SMS notification is configured to not provide service to this FortiExtender.
enable SMS notification is configured to provide service to this FortiExtender.

Fortinet Inc.
config alert
system- Display string when system rebooted. string Not system will
reboot Specified reboot
data- Display string when data exhausted. string Not data plan is
exhausted Specified exhausted
session- Display string when session disconnected. string Not LTE data
disconnect Specified session is
disconnected
low-signal- Display string when signal strength is low. string Not LTE signal
strength Specified strength is too
low
os-image- Display string when falling back to a previous OS string Not system start to
fallback image. Specified fallback OS
image
mode-switch Display string when mode is switched. string Not system

Specified networking
mode switched
fgt-backup- Display string when FortiGate backup mode string Not FortiGate
mode-switch switched. Specified backup work
mode switched
config receiver
name FortiExtender SMS notification receiver name. string Not

Specified
status SMS notification receiver status. option - disable
Option Description
disable Disable SMS notification receiver.
enable Enable SMS notification receiver.
phone- Receiver phone number. Format: [+][country code][area string Not

number code][local phone number]. For example, Specified
+16501234567.
alert Alert multi-options. option -
Option Description
system-reboot System will reboot.

Fortinet Inc.
Option Description
data-exhausted Data plan is exhausted.
session- LTE data session is disconnected.

disconnect
low-signal- LTE signal strength is too low.

strength
mode-switch System is starting to use fallback OS image.
os-image- System networking mode switched.

fallback
fgt-backup- FortiGate backup work mode switched.

mode-switch
config modem1
redundant- FortiExtender mode. option - disable

mode
Option Description
disable Disable interface redundancy.
enable Enable interface redundancy.
redundant-intf Redundant interface. string Not Specified
conn-status Connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295
default-sim Default SIM selection. option - sim1
Option Description
sim1 Use SIM #1 by default.
carrier Assign default SIM based on carrier.
cost Assign default SIM based on cost.
gps FortiExtender GPS enable/disable. option - enable

Fortinet Inc.
Option Description
disable Disable GPS.
enable Enable GPS.
sim1-pin SIM #1 PIN status. option - disable
Option Description
disable Disable SIM #1 PIN.
enable Enable SIM #1 PIN.
Option Description
sim1-pin-code SIM #1 PIN password. password Not Specified
preferred- Preferred carrier. string Not Specified

carrier
config auto-switch
disconnect Auto switch by disconnect. option - disable
Option Description
disable Disable switching of SIM card based on cellular disconnections.
enable Enable switching of SIM card based on cellular disconnections.
disconnect- Automatically switch based on disconnect threshold. integer Minimum 3

threshold value: 1
Maximum
value: 100
disconnect- Automatically switch based on disconnect period. integer Minimum 600

period value: 600
Maximum
value: 18000
signal Automatically switch based on signal strength. option - disable

Fortinet Inc.
Option Description
disable Disable switching of SIM card based on cellular signal quality.
enable Enable switching of SIM card based on cellular signal quality.
dataplan Automatically switch based on data usage. option - disable
Option Description
disable Disable switching of SIM card based on cellular data usage.
enable Enable switching of SIM card based on cellular data usage.
switch-back Auto switch with switch back multi-options. option -
Option Description
time Switch back based on specific time in UTC (HH:MM).
timer Switch back based on an interval.
switch-back- Automatically switch over to preferred SIM/carrier at a string Not Specified 00:01
time specified time in UTC (HH:MM).
switch-back- Automatically switch over to preferred SIM/carrier integer Minimum 86400

timer after the given time. value: 3600
Maximum
value:
2147483647
config modem2
redundant- FortiExtender mode. option - disable

mode
Option Description
disable Disable interface redundancy.
enable Enable interface redundancy.
redundant-intf Redundant interface. string Not Specified
conn-status Connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
default-sim Default SIM selection. option - sim1
Option Description
carrier Assign default SIM based on carrier.
cost Assign default SIM based on cost.
gps FortiExtender GPS enable/disable. option - enable
Option Description
disable Disable GPS.
enable Enable GPS.
Option Description
Option Description
preferred- Preferred carrier. string Not Specified

carrier
config auto-switch
disconnect Auto switch by disconnect. option - disable
disconnect- Automatically switch based on disconnect threshold. integer Minimum 3

threshold value: 1
Maximum
value: 100

Fortinet Inc.
disconnect- Automatically switch based on disconnect period. integer Minimum 600

period value: 600
Maximum
value: 18000
signal Automatically switch based on signal strength. option - disable
dataplan Automatically switch based on data usage. option - disable
switch-back Auto switch with switch back multi-options. option -
switch-back- Automatically switch over to preferred SIM/carrier at a string Not Specified 00:01
time specified time in UTC (HH:MM).
switch-back- Automatically switch over to preferred SIM/carrier integer Minimum 86400

timer after the given time. value: 3600
Maximum
value:
2147483647
config lan-extension
link- LAN extension link load balance strategy. option - activebackup

loadbalance
Option Description
activebackup FortiExtender LAN extension active-backup.
loadbalance FortiExtender LAN extension load-balance.
ipsec-tunnel IPsec tunnel name. string Not

Specified
backhaul- IPsec phase1 interface. string Not

interface Specified
backhaul-ip IPsec phase1 IPv4/FQDN. Used to specify the string Not

external IP/FQDN when the FortiGate unit is behind Specified
a NAT device.
config backhaul
name FortiExtender LAN extension backhaul name. string Not

Specified
port FortiExtender uplink port. option - wan

Fortinet Inc.
Option Description
wan FortiExtender WAN port.
lte1 FortiExtender LTE1 port.
lte2 FortiExtender LTE2 port.
port1 FortiExtender port1 port.
sfp FortiExtender SFP port.
role FortiExtender uplink port. option - primary
Option Description
primary FortiExtender LAN extension primary role.
secondary FortiExtender LAN extension secondary role.
weight WRR weight parameter. integer Minimum 1

value: 1
Maximum
value: 256
config extender-controller extender
Extender controller configuration.

Description: Extender controller configuration.
edit <name>
set authorized [disable|enable]
set bandwidth-limit {integer}
set description {string}
set device-id {integer}
set enforce-bandwidth [enable|disable]
set ext-name {string}
set extension-type [wan-extension|lan-extension]
set id {string}
set login-password {password}
set login-password-change [yes|default|...]
set name {string}
set override-allowaccess [enable|disable]
set override-enforce-bandwidth [enable|disable]

Fortinet Inc.
set override-login-password-change [enable|disable]
set profile {string}
set vdom {integer}
config wan-extension
Description: FortiExtender wan extension configuration.
set modem1-extension {string}
set modem2-extension {string}
end
next
end
allowaccess Control management access to the managed option -

extender. Separate entries with a space.
Option Description
ping PING access.
http HTTP access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
authorized FortiExtender Administration (enable or disable). option - disable
Option Description
disable Controller is configured to not provide service to this FortiExtender.
enable Controller is configured to provide service to this FortiExtender.
bandwidth- FortiExtender LAN extension bandwidth limit (Mbps). integer Minimum 1024
limit value: 1
Maximum
value:
16776000
description Description. string Not Specified
device-id Device ID. integer Minimum 1024

value: 0
Maximum
value:
4294967295

Fortinet Inc.
enforce- Enable/disable enforcement of bandwidth on LAN option - disable

bandwidth extension interface.
Option Description
enable Enable to enforce bandwidth limit on LAN extension interface.
disable Disable to enforce bandwidth limit on LAN extension interface.
ext-name FortiExtender name. string Not Specified
extension-type Extension type for this FortiExtender. option -
Option Description
wan-extension FortiExtender wan-extension.
lan-extension FortiExtender lan-extension.
id FortiExtender serial number. string Not Specified
login- Set the managed extender's administrator password. password Not Specified
password
login- Change or reset the administrator password of a option - no

password- managed extender.
change
Option Description
yes Change the managed extender's administrator password. Use the login-
password option to set the password.
default Keep the managed extender's administrator password set to the factory
default.
no Do not change the managed extender's administrator password.
name FortiExtender entry name. string Not Specified
override- Enable to override the extender profile management option - disable

allowaccess access configuration.
Option Description
enable Override the extender profile management access configuration.
disable Use the extender profile management access configuration.
override- Enable to override the extender profile enforce- option - disable

enforce- bandwidth setting.
bandwidth

Fortinet Inc.
Option Description
enable Enable override of FortiExtender profile bandwidth setting.
disable Disable override of FortiExtender profile bandwidth setting.
override-login- Enable to override the extender profile login- option - disable

password- password (administrator password) setting.
change
Option Description
enable Override the WTP profile login-password (administrator password) setting.
disable Use the the WTP profile login-password (administrator password) setting.
profile FortiExtender profile configuration. string Not Specified
vdom VDOM. integer Minimum 0

value: 0
Maximum
value:
4294967295
config wan-extension
modem1- FortiExtender interface name. string Not

extension Specified
modem2- FortiExtender interface name. string Not

extension Specified

Fortinet Inc.
file-filter

l config file-filter profile on page 162
config file-filter profile
Configure file-filter profiles.

Description: Configure file-filter profiles.
edit <name>
set extended-log [disable|enable]
set name {string}
config rules
Description: File filter rules.
edit <name>
set name {string}
set protocol {option1}, {option2}, ...
set action [log-only|block]
set direction [incoming|outgoing|...]
set password-protected [yes|any]
set file-type <name1>, <name2>, ...
next
end
set scan-archive-contents [disable|enable]
next
end

Specified
extended-log Enable/disable file-filter extended logging. option - disable
Option Description
disable Disable extended logging.
enable Enable extended logging.

Fortinet Inc.
Option Description
log Enable/disable file-filter logging. option - enable
Option Description

Specified

group Specified
scan-archive- Enable/disable archive contents scan. option - enable

contents
Option Description
disable Disable scanning archive contents.
enable Enable scanning archive contents.
config rules
name File-filter rule name. string Not

Specified

Specified
protocol Protocols to apply rule to. option - http ftp

smtp imap
pop3 mapi
cifs ssh
Option Description
http Filter on HTTP.
ftp Filter on FTP.

Fortinet Inc.
Option Description
smtp Filter on SMTP.
imap Filter on IMAP.
pop3 Filter on POP3.
mapi Filter on MAPI. (Proxy mode only.)
cifs Filter on CIFS.
ssh Filter on SFTP and SCP. (Proxy mode only.)
action Action taken for matched file. option - log-only
Option Description
log-only Allow the content and write a log message.
block Block the content and write a log message.
direction Traffic direction (HTTP, FTP, SSH, CIFS only). option - any
Option Description
incoming Match files transmitted in the session's reply direction.
outgoing Match files transmitted in the session's originating direction.
any Match files transmitted in the session's originating and reply directions.
password- Match password-protected files. option - any

protected
Option Description
yes Match only password-protected files.
any Match any file.
file-type Select file type. string Maximum

<name> File type name. length: 39

Fortinet Inc.
firewall

l config firewall DoS-policy on page 167
l config firewall DoS-policy6 on page 169
l config firewall access-proxy-ssh-client-cert on page 172
l config firewall access-proxy-virtual-host on page 174
l config firewall access-proxy on page 175
l config firewall access-proxy6 on page 196
l config firewall acl on page 217
l config firewall acl6 on page 219
l config firewall address on page 220
l config firewall address6-template on page 225
l config firewall address6 on page 227
l config firewall addrgrp on page 230
l config firewall addrgrp6 on page 232
l config firewall auth-portal on page 234
l config firewall central-snat-map on page 234
l config firewall city on page 237
l config firewall country on page 237
l config firewall decrypted-traffic-mirror on page 238
l config firewall dnstranslation on page 239
l config firewall identity-based-route on page 240
l config firewall interface-policy on page 241
l config firewall interface-policy6 on page 244
l config firewall internet-service-addition on page 247
l config firewall internet-service-append on page 248
l config firewall internet-service-botnet on page 249
l config firewall internet-service-custom-group on page 249
l config firewall internet-service-custom on page 250
l config firewall internet-service-definition on page 251
l config firewall internet-service-extension on page 253
l config firewall internet-service-group on page 256
l config firewall internet-service-ipbl-reason on page 257
l config firewall internet-service-ipbl-vendor on page 257
l config firewall internet-service-list on page 258
l config firewall internet-service-name on page 258
l config firewall internet-service-owner on page 259
l config firewall internet-service-reputation on page 260
l config firewall internet-service-sld on page 260

Fortinet Inc.
l config firewall internet-service on page 261
l config firewall ip-translation on page 263
l config firewall ipmacbinding setting on page 263
l config firewall ipmacbinding table on page 264
l config firewall ippool on page 265
l config firewall ippool6 on page 269
l config firewall iprope appctrl list on page 270
l config firewall iprope appctrl status on page 271
l config firewall iprope list on page 271
l config firewall ipv6-eh-filter on page 271
l config firewall ldb-monitor on page 273
l config firewall local-in-policy on page 275
l config firewall local-in-policy6 on page 277
l config firewall multicast-address on page 279
l config firewall multicast-address6 on page 280
l config firewall multicast-policy on page 281
l config firewall multicast-policy6 on page 284
l config firewall policy on page 286
l config firewall profile-group on page 304
l config firewall profile-protocol-options on page 306
l config firewall proute on page 330
l config firewall proute6 on page 331
l config firewall proxy-address on page 331
l config firewall proxy-addrgrp on page 334
l config firewall proxy-policy on page 336
l config firewall region on page 343
l config firewall schedule group on page 344
l config firewall schedule onetime on page 345
l config firewall schedule recurring on page 346
l config firewall security-policy on page 347
l config firewall service category on page 354
l config firewall service custom on page 355
l config firewall service group on page 359
l config firewall shaper per-ip-shaper on page 360
l config firewall shaper per-ip on page 362
l config firewall shaper traffic-shaper on page 362
l config firewall shaper traffic on page 364
l config firewall shaping-policy on page 365
l config firewall shaping-profile on page 369
l config firewall sniffer on page 371
l config firewall ssh host-key on page 377
l config firewall ssh local-ca on page 379
l config firewall ssh local-key on page 380

Fortinet Inc.
l config firewall ssh setting on page 380
l config firewall ssl-server on page 381
l config firewall ssl-ssh-profile on page 384
l config firewall ssl setting on page 412
l config firewall traffic-class on page 414
l config firewall ttl-policy on page 415
l config firewall vendor-mac-summary on page 416
l config firewall vendor-mac on page 416
l config firewall vip on page 417
l config firewall vip6 on page 447
l config firewall vipgrp on page 477
l config firewall vipgrp6 on page 478
l config firewall wildcard-fqdn custom on page 479
l config firewall wildcard-fqdn group on page 480
config firewall DoS-policy
Configure IPv4 DoS policies.

Description: Configure IPv4 DoS policies.
edit <policyid>
config anomaly
Description: Anomaly name.
edit <name>
set name {string}
set action [pass|block]
set threshold {integer}
set threshold(default) {integer}
next
end
set name {string}
set policyid {integer}
set service <name1>, <name2>, ...
next
end

Fortinet Inc.

Specified
dstaddr Destination address name from available addresses. string Maximum

interface Incoming interface name from available interfaces. string Not

Specified
name Policy name. string Not

Specified
policyid Policy ID. integer Minimum 0

value: 0
Maximum
value: 9999
**
service Service object from available options. string Maximum

<name> Service name. length: 79
srcaddr Source address name from available addresses. string Maximum

status Enable/disable this policy. option - enable
Option Description
enable Enable this policy.
disable Disable this policy.
config anomaly
name Anomaly name. string Not Specified
status Enable/disable this anomaly. option - disable
Option Description
disable Disable this status.
enable Enable this status.
log Enable/disable anomaly logging. option - disable

Fortinet Inc.
Option Description
enable Enable anomaly logging.
disable Disable anomaly logging.
action Action taken when the threshold is reached. option - pass
Option Description
pass Allow traffic but record a log message if logging is enabled.
block Block traffic if this anomaly is found.
Option Description

expiry attacker.

log
Option Description
threshold Anomaly threshold. Number of detected instances integer Minimum 0

(packets per second or concurrent session number) value: 1
that triggers the anomaly action. Maximum
value:
2147483647
threshold Number of detected instances. Note that each integer Minimum 0

(default) anomaly has a different threshold value assigned to value: 0
it. Maximum
value:
4294967295
config firewall DoS-policy6
Configure IPv6 DoS policies.

Fortinet Inc.
Description: Configure IPv6 DoS policies.
edit <policyid>
config anomaly
Description: Anomaly name.
edit <name>
set name {string}
next
end
set name {string}
next
end

Specified
dstaddr Destination address name from available addresses. string Maximum

interface Incoming interface name from available interfaces. string Not

Specified

Specified

value: 0
Maximum
value: 9999
**


Fortinet Inc.
srcaddr Source address name from available addresses. string Maximum

Option Description
config anomaly
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.

expiry attacker.

log
Option Description

value:
2147483647

it. Maximum
value:
4294967295
config firewall access-proxy-ssh-client-cert
Configure Access Proxy SSH client certificate.

Description: Configure Access Proxy SSH client certificate.
edit <name>
set auth-ca {string}
config cert-extension
Description: Configure certificate extension for user certificate.
edit <name>
set name {string}
set critical [no|yes]
set type [fixed|user]
set data {string}
next
end
set name {string}
set permit-agent-forwarding [enable|disable]
set permit-port-forwarding [enable|disable]
set permit-pty [enable|disable]
set permit-user-rc [enable|disable]
set permit-x11-forwarding [enable|disable]
set source-address [enable|disable]
next
end

Fortinet Inc.
auth-ca Name of the SSH server public key authentication CA. string Not
Specified
name SSH client certificate name. string Not

Specified
permit-agent- Enable/disable appending permit-agent-forwarding option - enable

forwarding certificate extension.
Option Description
permit-port- Enable/disable appending permit-port-forwarding option - enable

Option Description
permit-pty Enable/disable appending permit-pty certificate option - enable

extension.
Option Description
permit-user-rc Enable/disable appending permit-user-rc certificate option - enable

extension.
Option Description
permit-x11- Enable/disable appending permit-x11-forwarding option - enable

Option Description

Fortinet Inc.
source- Enable/disable appending source-address certificate option - disable

address critical option. This option ensure certificate only
accepted from FortiGate source address.
Option Description
config cert-extension
name Name of certificate extension. string Not

Specified
critical Critical option. option - no
Option Description
no Certificate extension, server ignores the unsupported certificate extension.
yes Critical option, server refuses to authorize if it cannnot recognize the critical
option.
type Type of certificate extension. option - fixed
Option Description
fixed Fixed certificate extension entry.
user Certificate extension entry filled with authenticated username.
data Data of certificate extension. string Not

Specified
config firewall access-proxy-virtual-host
Configure Access Proxy virtual hosts.

Description: Configure Access Proxy virtual hosts.
edit <name>
set host {string}
set host-type [sub-string|wildcard]
set name {string}
set ssl-certificate {string}
next
end

Fortinet Inc.
host The host name. string Not

Specified
host-type Type of host pattern. option - sub-string
Option Description
sub-string Match the pattern if a string contains the sub-string.
wildcard Match the pattern with wildcards.
name Virtual host name. string Not

Specified
replacemsg- Access-proxy-virtual-host replacement message string Not

group override group. Specified
ssl-certificate SSL certificate for this host. string Not

Specified
config firewall access-proxy
Configure IPv4 access proxy.

Description: Configure IPv4 access proxy.
edit <name>
config api-gateway
Description: Set IPv4 API Gateway.
edit <id>
set id {integer}
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
config realservers
Description: Select the real servers that this Access Proxy will
distribute traffic to.
edit <id>
set id {integer}
set addr-type [ip|fqdn]
set address {string}
set ip {ipv4-address-any}
set domain {string}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set type [tcp-forwarding|ssh]

Fortinet Inc.
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
set holddown-interval [enable|disable]
set ssh-client-cert {string}
set ssh-host-key-validation [disable|enable]
set ssh-host-key <name1>, <name2>, ...
next
end
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-redirect [disable|enable]
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by
priority.
edit <priority>
set priority {integer}
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-vpn-web-portal {string}
next
end
config api-gateway6
edit <id>
set id {integer}
config realservers
edit <id>
set id {integer}
set ip {ipv6-address}
set domain {string}
set port {integer}

Fortinet Inc.
next
end
priority.
edit <priority>
next
end
next
end
set auth-portal [disable|enable]
set auth-virtual-host {string}
set client-cert [disable|enable]
set decrypted-traffic-mirror {string}
set empty-cert-action [accept|block]
set log-blocked-traffic [enable|disable]
set name {string}
set vip {string}
next
end
auth-portal Enable/disable authentication portal. option - disable

Fortinet Inc.
Option Description
disable Disable authentication portal.
enable Enable authentication portal.
auth-virtual- Virtual host for authentication portal. string Not

host Specified
client-cert Enable/disable to request client certificate. option - disable
Option Description
disable Disable client certificate request.
enable Enable client certificate request.
decrypted- Decrypted traffic mirror. string Not

traffic-mirror Specified
empty-cert- Action of an empty client certificate. option - block

action
Option Description
accept Accept the SSL handshake if the client certificate is empty.
block Block the SSL handshake if the client certificate is empty.
log-blocked- Enable/disable logging of blocked traffic. option - disable

traffic
Option Description
enable Log all traffic denied by this access proxy.
disable Do not log all traffic denied by this access proxy.
name Access Proxy name. string Not

Specified
vip Virtual IP name. string Not

Specified

Fortinet Inc.
config api-gateway
id API Gateway ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
url-map URL pattern to match. string Not Specified /
service Service. option - https
Option Description
http HTTP
https HTTPS
tcp-forwarding TCP-FORWARDING
samlsp SAML-SP
web-portal VPN-SSL-WEB-PORTAL
ldb-method Method used to distribute sessions to real servers. option - static
Option Description
static Distribute to server based on source IP.
round-robin Distribute to server based round robin order.
weighted Distribute to server based on weight.
first-alive Distribute to the first server that is alive.
http-host Distribute to server based on host field in HTTP header.
virtual-host Virtual host. string Not Specified
url-map-type Type of url-map. option - sub-string
Option Description
regex Match the pattern with a regular expression.
persistence Configure how to make sure that clients connect to option - none
the same server every time they make a request that
is part of the same session.

Fortinet Inc.
Option Description
none None.
http-cookie HTTP cookie.
http-cookie- Enable/disable use of HTTP cookie domain from host option - disable
domain-from- field in HTTP.
host
Option Description
disable Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-
domain setting).
enable Enable use of HTTP cookie domain from host field in HTTP.
http-cookie- Domain that HTTP cookie persistence should apply string Not Specified
domain to.
http-cookie- Limit HTTP cookie persistence to the specified path. string Not Specified
path
http-cookie- Generation of HTTP cookie to be accepted. Changing integer Minimum 0

generation invalidates all existing cookies. value: 0
Maximum
value:
4294967295
http-cookie- Time in minutes that client web browsers should keep integer Minimum 60
age a cookie. Default is 60 minutes. 0 = no time limit. value: 0
Maximum
value: 525600
http-cookie- Control sharing of cookies across API Gateway. Use option - same-ip
share of same-ip means a cookie from one virtual server
can be used by another. Disable stops cookie
sharing.
Option Description
disable Only allow HTTP cookie to match this API Gateway.
same-ip Allow HTTP cookie to match any API Gateway with same IP.
https-cookie- Enable/disable verification that inserted HTTPS option - disable

secure cookies are secure.

Fortinet Inc.
Option Description
disable Do not mark cookie as secure, allow sharing between an HTTP and HTTPS
connection.
enable Mark inserted cookie as secure, cookie can only be used for HTTPS a
connection.
saml-server SAML service provider configuration for VIP string Not Specified
authentication.
saml-redirect Enable/disable SAML redirection after successful option - disable

authentication.
Option Description
disable Do not support redirection after successful SAML authentication.
enable Support redirection after successful SAML authentication.
ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange option - 2048

for RSA encryption of SSL sessions.
Option Description
768 768-bit Diffie-Hellman prime.
ssl-algorithm Permitted encryption algorithms for the server side of option - high
SSL full mode sessions according to encryption
strength.
Option Description
high High encryption. Allow only AES and ChaCha.
medium Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
ssl-min- Lowest SSL/TLS version acceptable from a server. option - tls-1.1

version

Fortinet Inc.
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-max- Highest SSL/TLS version acceptable from a server. option - tls-1.3

version
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-vpn-web- SSL-VPN web portal. string Not Specified

portal
config realservers
id Real server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
addr-type Type of address. option - ip
Option Description
ip Standard IPv4 address.
fqdn Non-wildcard FQDN address object.
address Address or address group of the real server. string Not Specified
ip IPv6 address of the real server. ipv6- Not Specified ::

address
domain Wildcard domain name of the real server. string Not Specified

Fortinet Inc.
port Port for communicating with the real server. integer Minimum 443
value: 1
Maximum
value: 65535
mappedport Port for communicating with the real server. user Not Specified
status Set the status of the real server to active so that it option - active
can accept traffic, or on standby or disabled so no
traffic is sent.
Option Description
active Server status active.
standby Server status standby.
disable Server status disable.
type TCP forwarding server type. option - tcp-

forwarding
Option Description
tcp-forwarding TCP forwarding.
ssh SSH.
weight Weight of the real server. If weighted load balancing integer Minimum 1
is enabled, the server with the highest weight gets value: 1
more connections. Maximum
value: 255
http-host HTTP server domain name in HTTP header. string Not Specified
health-check Enable to check the responsiveness of the real option - disable

server before forwarding traffic.
Option Description
disable Disable per server health check.
enable Enable per server health check.
health-check- Protocol of the health check monitor to use when option - ping
proto polling to determine server's connectivity status.
Option Description
ping Use PING to test the link with the server.
http Use HTTP-GET to test the link with the server.
tcp-connect Use a full TCP connection to test the link with the server.

Fortinet Inc.
holddown- Enable/disable holddown timer. Server will be option - enable

interval considered active and reachable once the holddown
period has expired (30 seconds).
Option Description
enable Enable per server holddown.
disable Disable per server holddown.
ssh-client-cert Set access-proxy SSH client certificate profile. string Not Specified
ssh-host-key- Enable/disable SSH real server host key validation. option - disable
validation
Option Description
disable Disable SSH real server host key validation.
enable Enable SSH real server host key validation.
ssh-host-key One or more server host key. string Maximum

<name> Server host key name. length: 79
priority SSL/TLS cipher suites priority. integer Minimum 0

value: 0
Maximum
value:
4294967295
cipher Cipher suite name. option -
Option Description
TLS-AES-128- Cipher suite TLS-AES-128-GCM-SHA256.

GCM-SHA256

GCM-SHA384
TLS- Cipher suite TLS-CHACHA20-POLY1305-SHA256.

CHACHA20-
POLY1305-
SHA256

Fortinet Inc.
Option Description
TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

RSA-WITH-
CHACHA20-
POLY1305-
SHA256
TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

WITH-
CHACHA20-
POLY1305-
SHA256
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

WITH-AES-128-
CBC-SHA

Fortinet Inc.
Option Description

WITH-AES-256-
CBC-SHA
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

WITH-AES-128-
CBC-SHA256
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384
TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

RSA-WITH-AES-
128-CBC-SHA
TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

RSA-WITH-AES-
128-CBC-
SHA256
TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

RSA-WITH-AES-
128-GCM-
SHA256

RSA-WITH-AES-
256-CBC-SHA

RSA-WITH-AES-
256-CBC-
SHA384

RSA-WITH-AES-
256-GCM-
SHA384

Fortinet Inc.
Option Description
TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

ECDSA-WITH-
AES-128-CBC-
SHA
TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

ECDSA-WITH-
AES-128-CBC-
SHA256
TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

ECDSA-WITH-
AES-128-GCM-
SHA256

ECDSA-WITH-
AES-256-CBC-
SHA

ECDSA-WITH-
AES-256-CBC-
SHA384

ECDSA-WITH-
AES-256-GCM-
SHA384
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

AES-128-CBC-
SHA

AES-256-CBC-
SHA
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

AES-128-CBC-
SHA256
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

AES-128-GCM-
SHA256

Fortinet Inc.
Option Description

AES-256-CBC-
SHA256

AES-256-GCM-
SHA384
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

CAMELLIA-128-
CBC-SHA

CAMELLIA-256-
CBC-SHA
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

CAMELLIA-128-
CBC-SHA256

CAMELLIA-256-
CBC-SHA256
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA
TLS-DHE-DSS- Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

WITH-
CAMELLIA-256-
CBC-SHA

Fortinet Inc.
Option Description
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

WITH-SEED-
CBC-SHA
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

SEED-CBC-SHA

Fortinet Inc.
Option Description
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

ARIA-128-CBC-
SHA256

ARIA-256-CBC-
SHA384
TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

RSA-WITH-
ARIA-128-CBC-
SHA256

RSA-WITH-
ARIA-256-CBC-
SHA384
TLS-ECDHE- Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

ECDSA-WITH-
ARIA-128-CBC-
SHA256

ECDSA-WITH-
ARIA-256-CBC-
SHA384
TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

RSA-WITH-RC4-
128-SHA
TLS-ECDHE- Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

RSA-WITH-
3DES-EDE-
CBC-SHA
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

WITH-3DES-
EDE-CBC-SHA
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

3DES-EDE-
CBC-SHA
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-MD5.

RC4-128-MD5

Fortinet Inc.
Option Description
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-RC4-128-SHA.

RC4-128-SHA
TLS-DHE-RSA- Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA
TLS-DHE-DSS- Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

WITH-DES-
CBC-SHA
TLS-RSA-WITH- Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

DES-CBC-SHA
versions SSL/TLS versions that the cipher suite can be used option - tls-1.0 tls-
with. 1.1 tls-1.2
tls-1.3
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
config api-gateway6

value: 0
Maximum
value:
4294967295
Option Description
http HTTP
https HTTPS

Fortinet Inc.
Option Description
samlsp SAML-SP
Option Description
Option Description
Option Description
none None.
host
Option Description
domain setting).
domain to.

Fortinet Inc.
path

Maximum
value:
4294967295
Maximum
value: 525600
sharing.
Option Description

Option Description
connection.
connection.
authentication.

authentication.
Option Description


Fortinet Inc.
Option Description
strength.
Option Description

version
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

version
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

portal

Fortinet Inc.
config realservers

value: 0
Maximum
value:
4294967295

address
value: 1
Maximum
value: 65535
traffic is sent.

forwarding
value: 255


validation


Fortinet Inc.

value: 0
Maximum
value:
4294967295
with. 1.1 tls-1.2
tls-1.3
config firewall access-proxy6
Configure IPv6 access proxy.

Description: Configure IPv6 access proxy.
edit <name>
config api-gateway
edit <id>
set id {integer}
config realservers
edit <id>
set id {integer}
set domain {string}
set port {integer}
next

Fortinet Inc.
end
priority.
edit <priority>
next
end
next
end
config api-gateway6
edit <id>
set id {integer}
config realservers
edit <id>
set id {integer}
set domain {string}
set port {integer}

Fortinet Inc.
next
end
priority.
edit <priority>
next
end
next
end
set auth-portal [disable|enable]
set auth-virtual-host {string}
set client-cert [disable|enable]
set empty-cert-action [accept|block]
set log-blocked-traffic [enable|disable]
set name {string}
set vip {string}
next
end
auth-portal Enable/disable authentication portal. option - disable
Option Description
disable Disable authentication portal.
enable Enable authentication portal.
auth-virtual- Virtual host for authentication portal. string Not

host Specified

Fortinet Inc.
client-cert Enable/disable to request client certificate. option - disable
Option Description
disable Disable client certificate request.
enable Enable client certificate request.
decrypted- Decrypted traffic mirror. string Not

traffic-mirror Specified
empty-cert- Action of an empty client certificate. option - block

action
Option Description
accept Accept the SSL handshake if the client certificate is empty.
block Block the SSL handshake if the client certificate is empty.
log-blocked- Enable/disable logging of blocked traffic. option - disable

traffic
Option Description
enable Log all traffic denied by this access proxy.
disable Do not log all traffic denied by this access proxy.
name Access Proxy name. string Not

Specified
vip Virtual IP name. string Not

Specified
config api-gateway

value: 0
Maximum
value:
4294967295
Option Description
http HTTP

Fortinet Inc.
Option Description
https HTTPS
samlsp SAML-SP
Option Description
Option Description
Option Description
none None.
host

Fortinet Inc.
Option Description
domain setting).
domain to.
path

Maximum
value:
4294967295
Maximum
value: 525600
sharing.
Option Description

Option Description
connection.
connection.
authentication.

authentication.

Fortinet Inc.
Option Description

Option Description
strength.
Option Description

version
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

version

Fortinet Inc.
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

portal
config realservers

value: 0
Maximum
value:
4294967295
Option Description
fqdn Non-wildcard FQDN address object.

address
value: 1
Maximum
value: 65535
traffic is sent.
Option Description

Fortinet Inc.
Option Description

forwarding
Option Description
tcp-forwarding TCP forwarding.
ssh SSH.
value: 255

Option Description
Option Description

Option Description
enable Enable per server holddown.
disable Disable per server holddown.

Fortinet Inc.
validation
Option Description
disable Disable SSH real server host key validation.
enable Enable SSH real server host key validation.


value: 0
Maximum
value:
4294967295
Option Description

GCM-SHA256

GCM-SHA384

CHACHA20-
POLY1305-
SHA256

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

Fortinet Inc.
Option Description

WITH-
CHACHA20-
POLY1305-
SHA256

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

Fortinet Inc.
Option Description

WITH-AES-256-
GCM-SHA384

RSA-WITH-AES-
128-CBC-SHA

RSA-WITH-AES-
128-CBC-
SHA256

RSA-WITH-AES-
128-GCM-
SHA256

RSA-WITH-AES-
256-CBC-SHA

RSA-WITH-AES-
256-CBC-
SHA384

RSA-WITH-AES-
256-GCM-
SHA384

ECDSA-WITH-
AES-128-CBC-
SHA

ECDSA-WITH-
AES-128-CBC-
SHA256

ECDSA-WITH-
AES-128-GCM-
SHA256

Fortinet Inc.
Option Description

ECDSA-WITH-
AES-256-CBC-
SHA

ECDSA-WITH-
AES-256-CBC-
SHA384

ECDSA-WITH-
AES-256-GCM-
SHA384

AES-128-CBC-
SHA

AES-256-CBC-
SHA

AES-128-CBC-
SHA256

AES-128-GCM-
SHA256

AES-256-CBC-
SHA256

AES-256-GCM-
SHA384

CAMELLIA-128-
CBC-SHA

CAMELLIA-256-
CBC-SHA

Fortinet Inc.
Option Description

CAMELLIA-128-
CBC-SHA256

CAMELLIA-256-
CBC-SHA256

WITH-3DES-
EDE-CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

Fortinet Inc.
Option Description

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-SEED-
CBC-SHA

WITH-SEED-
CBC-SHA

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

SEED-CBC-SHA

ARIA-128-CBC-
SHA256

ARIA-256-CBC-
SHA384

RSA-WITH-
ARIA-128-CBC-
SHA256

RSA-WITH-
ARIA-256-CBC-
SHA384

Fortinet Inc.
Option Description

ECDSA-WITH-
ARIA-128-CBC-
SHA256

ECDSA-WITH-
ARIA-256-CBC-
SHA384

RSA-WITH-RC4-
128-SHA

RSA-WITH-
3DES-EDE-
CBC-SHA

WITH-3DES-
EDE-CBC-SHA

3DES-EDE-
CBC-SHA

RC4-128-MD5

RC4-128-SHA

WITH-DES-
CBC-SHA

WITH-DES-
CBC-SHA

DES-CBC-SHA
with. 1.1 tls-1.2
tls-1.3

Fortinet Inc.
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
config api-gateway6

value: 0
Maximum
value:
4294967295
Option Description
http HTTP
https HTTPS
samlsp SAML-SP
Option Description

Fortinet Inc.
Option Description
Option Description
none None.
host
Option Description
domain setting).
domain to.
path

Maximum
value:
4294967295
Maximum
value: 525600
sharing.

Fortinet Inc.
Option Description

Option Description
connection.
connection.
authentication.

authentication.
Option Description

Option Description
strength.

Fortinet Inc.
Option Description

version
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

version
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

portal
config realservers

value: 0
Maximum
value:
4294967295

address

Fortinet Inc.
value: 1
Maximum
value: 65535
traffic is sent.

forwarding
value: 255


validation


value: 0
Maximum
value:
4294967295

Fortinet Inc.
with. 1.1 tls-1.2
tls-1.3
config firewall acl
This command is available for model(s): FortiGate 100EF, FortiGate 100E, FortiGate 100F,
FortiGate 1801F, FortiGate 2000E, FortiGate 200F, FortiGate 201F, FortiGate 2200E,
FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D,
FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E,
FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F,
FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 4200F,
FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E,
FortiGate 600E, FortiGate 601E.
It is not available for: FortiGate 1000D, FortiGate 200E, FortiGate 201E, FortiGate 40F 3G4G,
FortiGate 40F, FortiGate 5001E1, FortiGate 5001E, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE,
FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F,
FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G,
Configure IPv4 access control list.

config firewall acl
Description: Configure IPv4 access control list.
edit <policyid>
set name {string}
next
end

Fortinet Inc.
config firewall acl

Specified
dstaddr Destination address name. string Maximum

interface Interface name. string Not

Specified

Specified

value: 0
Maximum
value: 9999
service Service name. string Maximum

srcaddr Source address name. string Maximum

status Enable/disable access control list status. option - enable
Option Description
enable Enable access control list status.
disable Disable access control list status.

Fortinet Inc.
config firewall acl6
FortiGate 1801F, FortiGate 2000E, FortiGate 200F, FortiGate 201F, FortiGate 2200E,
FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D,
FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F,
FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 4200F,
FortiGate 600E, FortiGate 601E.
It is not available for: FortiGate 1000D, FortiGate 200E, FortiGate 201E, FortiGate 40F 3G4G,
FortiGate 40F, FortiGate 5001E1, FortiGate 5001E, FortiGate 60E DSLJ, FortiGate 60E DSL,
FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate
Configure IPv6 access control list.

Description: Configure IPv6 access control list.
edit <policyid>
set name {string}
next
end

Specified


Fortinet Inc.

Specified

Specified

value: 0
Maximum
value: 9999
service Service name. string Maximum


status Enable/disable access control list status. option - enable
Option Description
enable Enable access control list status.
disable Disable access control list status.
config firewall address
Configure IPv4 addresses.

Description: Configure IPv4 addresses.
edit <name>
set allow-routing [enable|disable]
set associated-interface {string}
set cache-ttl {integer}
set clearpass-spt [unknown|healthy|...]
set color {integer}
set country {string}
set end-ip {ipv4-address-any}
set epg-name {string}
set fabric-object [enable|disable]
set filter {var-string}
set fqdn {string}
set fsso-group <name1>, <name2>, ...
config list
Description: IP address list.
edit <ip>
set ip {string}
next
end
set macaddr <macaddr1>, <macaddr2>, ...

Fortinet Inc.
set name {string}
set node-ip-only [enable|disable]
set obj-id {var-string}
set obj-tag {string}
set obj-type [ip|mac]
set organization {string}
set policy-group {string}
set sdn {string}
set sdn-addr-type [private|public|...]
set sdn-tag {string}
set start-ip {ipv4-address-any}
set sub-type [sdn|clearpass-spt|...]
set subnet {ipv4-classnet-any}
set subnet-name {string}
set tag-detection-level {string}
set tag-type {string}
config tagging
Description: Config object tagging.
edit <name>
set name {string}
set category {string}
set tags <name1>, <name2>, ...
next
end
set tenant {string}
set type [ipmask|iprange|...]
set uuid {uuid}
set wildcard {ipv4-classnet-any}
set wildcard-fqdn {string}
next
end
allow-routing Enable/disable use of this address in the static option - disable

route configuration.
Option Description
enable Enable use of this address in the static route configuration.
disable Disable use of this address in the static route configuration.
associated- Network interface associated with address. string Not

interface Specified
cache-ttl Defines the minimal TTL of individual IP integer Minimum 0

addresses in FQDN cache measured in seconds. value: 0
Maximum
value:
86400
clearpass-spt SPT (System Posture Token) value. option - unknown

Fortinet Inc.
Option Description
unknown UNKNOWN.
healthy HEALTHY.
quarantine QUARANTINE.
checkup CHECKUP.
transient TRANSIENT.
infected INFECTED.
color Color of icon on the GUI. integer Minimum 0

value: 0
Maximum
value: 32

Specified
country IP addresses associated to a specific country. string Not

Specified
end-ip Final IP address (inclusive) in the range for the ipv4- Not 0.0.0.0
address. address- Specified
any
epg-name Endpoint group name. string Not

Specified
fabric-object Security Fabric global object setting. option - disable
Option Description
enable Object is set as a security fabric-wide global object.
disable Object is local to this security fabric member.
filter Match criteria filter. var-string Not

Specified
fqdn Fully Qualified Domain Name address. string Not

Specified
fsso-group FSSO group(s). string Maximum

<name> FSSO group name. length: 511
interface Name of interface whose IP address is to be string Not

used. Specified
macaddr Multiple MAC address ranges. string Maximum

<macaddr> length: 127

Fortinet Inc.
MAC address ranges <start>[-<end>] separated

by space.
name Address name. string Not

Specified
node-ip-only Enable/disable collection of node addresses only option - disable

in Kubernetes.
Option Description
enable Enable collection of node addresses only in Kubernetes.
disable Disable collection of node addresses only in Kubernetes.
obj-id Object ID for NSX. var-string Not

Specified
obj-tag Tag of dynamic address object. string Not

Specified
obj-type Object type. option - ip
Option Description
ip IP address.
mac MAC address
organization Organization domain name (Syntax: string Not

organization/domain). Specified
policy-group Policy group name. string Not

Specified
sdn SDN. string Not

Specified
sdn-addr-type Type of addresses to collect. option - private
Option Description
private Collect private addresses only.
public Collect public addresses only.
all Collect both public and private addresses.
sdn-tag SDN Tag. string Not

Specified
start-ip First IP address (inclusive) in the range for the ipv4- Not 0.0.0.0
any

Fortinet Inc.
sub-type Sub-type of address. option - sdn
Option Description
sdn SDN address.
clearpass-spt ClearPass SPT (System Posture Token) address.
fsso FSSO address.
ems-tag FortiClient EMS tag.
fortivoice-tag FortiVoice tag.
fortinac-tag FortiNAC tag.
swc-tag Switch Controller NAC policy tag.
subnet IP address and subnet mask of address. ipv4- Not 0.0.0.0 0.0.0.0
classnet- Specified
any
subnet-name Subnet name. string Not

Specified
tag-detection- Tag detection level of dynamic address object. string Not

level Specified
tag-type Tag type of dynamic address object. string Not

Specified
tenant Tenant. string Not

Specified
type Type of address. option - ipmask
Option Description
ipmask Standard IPv4 address with subnet mask.
iprange Range of IPv4 addresses between two specified addresses (inclusive).
fqdn Fully Qualified Domain Name address.
geography IP addresses from a specified country.
wildcard Standard IPv4 using a wildcard subnet mask.
dynamic Dynamic address object.
interface-subnet IP and subnet of interface.
mac Range of MAC addresses.

Fortinet Inc.
uuid Universally Unique Identifier (UUID; automatically uuid Not 00000000-0000-

assigned but can be manually reset). Specified 0000-0000-
000000000000
wildcard IP address and wildcard netmask. ipv4- Not 0.0.0.0 0.0.0.0

classnet- Specified
any
wildcard-fqdn Fully Qualified Domain Name with wildcard string Not

characters. Specified
config list
ip IP. string Not

Specified
config tagging
name Tagging entry name. string Not

Specified
category Tag category. string Not

Specified
tags <name> Tags. string Maximum

Tag name. length: 79
config firewall address6-template
Configure IPv6 address templates.

Description: Configure IPv6 address templates.
edit <name>
set ip6 {ipv6-network}
set name {string}
config subnet-segment
Description: IPv6 subnet segments.
edit <id>
set id {integer}
set name {string}
set bits {integer}
set exclusive [enable|disable]
config values
Description: Subnet segment values.

Fortinet Inc.
edit <name>
set name {string}
set value {string}
next
end
next
end
set subnet-segment-count {integer}
next
end
Option Description
ip6 IPv6 address prefix. ipv6- Not ::/0

network Specified
name IPv6 address template name. string Not

Specified
subnet- Number of IPv6 subnet segments. integer Minimum 0

segment- value: 1
count Maximum
value: 6
id Subnet segment ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Subnet segment name. string Not Specified
bits Number of bits. integer Minimum 0

value: 1
Maximum
value: 16
exclusive Enable/disable exclusive value. option - disable

Fortinet Inc.
Option Description
enable Enable exclusive value.
disable Disable exclusive value.
config values
name Subnet segment value name. string Not

Specified
value Subnet segment value. string Not

Specified
config firewall address6
Configure IPv6 firewall addresses.

Description: Configure IPv6 firewall addresses.
edit <name>
set cache-ttl {integer}
set color {integer}
set end-ip {ipv6-address}
set fqdn {string}
set host {ipv6-address}
set host-type [any|specific]
config list
Description: IP address list.
edit <ip>
set ip {string}
next
end
set macaddr <macaddr1>, <macaddr2>, ...
set name {string}
set obj-id {var-string}
set sdn {string}
set start-ip {ipv6-address}
Description: IPv6 subnet segments.
edit <name>
set name {string}
set type [any|specific]
set value {string}
next

Fortinet Inc.
end
config tagging
edit <name>
set name {string}
next
end
set template {string}
set type [ipprefix|iprange|...]
set uuid {uuid}
next
end
cache-ttl Minimal TTL of individual IPv6 addresses in FQDN integer Minimum 0

cache. value: 0
Maximum
value:
86400
color Integer value to determine the color of the icon in integer Minimum 0
the GUI. value: 0
Maximum
value: 32

Specified
country IPv6 addresses associated to a specific country. string Not

Specified
end-ip Final IP address (inclusive) in the range for the ipv6- Not ::
address (format: address Specified
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).
Option Description
fqdn Fully qualified domain name. string Not

Specified
host Host Address. ipv6- Not ::

address Specified

Fortinet Inc.
host-type Host type. option - any
Option Description
any Wildcard.
specific Specific host address.
ip6 IPv6 address prefix (format: ipv6- Not ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx). network Specified
macaddr Multiple MAC address ranges. string Maximum

<macaddr> MAC address ranges <start>[-<end>] separated length: 127
by space.

Specified
obj-id Object ID for NSX. var-string Not

Specified
sdn SDN. string Not

Specified
start-ip First IP address (inclusive) in the range for the ipv6- Not ::
address (format: address Specified
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).
template IPv6 address template. string Not

Specified
type Type of IPv6 address object. option - ipprefix
Option Description
ipprefix Uses the IP prefix to define a range of IPv6 addresses.
iprange Range of IPv6 addresses between two specified addresses (inclusive).
geography IPv6 addresses from a specified country.
dynamic Dynamic address object for SDN.
template Template.
mac Range of MAC addresses.

000000000000

Fortinet Inc.
config list
ip IP. string Not

Specified

Specified
type Subnet segment type. option - any
Option Description
any Wildcard.
specific Specific subnet segment address.
value Subnet segment value. string Not

Specified
config tagging

Specified

Specified

config firewall addrgrp
Configure IPv4 address groups.

Description: Configure IPv4 address groups.
edit <name>
set allow-routing [enable|disable]
set category [default|ztna-ems-tag|...]
set color {integer}
set exclude [enable|disable]
set exclude-member <name1>, <name2>, ...

Fortinet Inc.
set member <name1>, <name2>, ...
set name {string}
config tagging
edit <name>
set name {string}
next
end
set type [default|folder]
set uuid {uuid}
next
end
allow-routing Enable/disable use of this group in the static route option - disable
configuration.
Option Description
enable Enable use of this group in the static route configuration.
disable Disable use of this group in the static route configuration.
category Address group category. option - default
Option Description
default Default address group category (cannot be used as ztna-ems-tag/ztna-geo-

tag in policy).
ztna-ems-tag Members must be ztna-ems-tag group or ems-tag address, can be used as

ztna-ems-tag in policy.
ztna-geo-tag Members must be ztna-geo-tag group or geographic address, can be used as

ztna-geo-tag in policy.

value: 0
Maximum
value: 32

Specified
exclude Enable/disable address exclusion. option - disable

Fortinet Inc.
Option Description
enable Enable address exclusion.
disable Disable address exclusion.
exclude- Address exclusion member. string Maximum

member Address name. length: 79
<name>
Option Description
member Address objects contained within the group. string Maximum

name Address group name. string Not

Specified
type Address group type. option - default
Option Description
default Default address group type (address may belong to multiple groups).
folder Address folder group (members may not belong to any other group).

000000000000
config tagging

Specified

Specified

config firewall addrgrp6
Configure IPv6 address groups.

Fortinet Inc.
Description: Configure IPv6 address groups.
edit <name>
set color {integer}
set name {string}
config tagging
edit <name>
set name {string}
next
end
set uuid {uuid}
next
end
the GUI. value: 0
Maximum
value: 32

Specified
Option Description
member Address objects contained within the group. string Maximum

<name> Address6/addrgrp6 name. length: 79
name IPv6 address group name. string Not

Specified

000000000000

Fortinet Inc.
config tagging

Specified

Specified

config firewall auth-portal
Configure firewall authentication portals.

Description: Configure firewall authentication portals.
set groups <name1>, <name2>, ...
set identity-based-route {string}
set portal-addr {string}
set portal-addr6 {string}
end
groups Firewall user groups permitted to authenticate through string Maximum

<name> this portal. Separate group names with spaces. length: 79
Group name.
identity- Name of the identity-based route that applies to this string Not
based-route portal. Specified
portal-addr Address (or FQDN) of the authentication portal. string Not

Specified
portal-addr6 IPv6 address (or FQDN) of authentication portal. string Not

Specified
config firewall central-snat-map
Configure IPv4 and IPv6 central SNAT policies.

Description: Configure IPv4 and IPv6 central SNAT policies.
edit <policyid>
set dst-addr <name1>, <name2>, ...

Fortinet Inc.
set dst-addr6 <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set nat [disable|enable]
set nat-ippool <name1>, <name2>, ...
set nat-ippool6 <name1>, <name2>, ...
set nat-port {user}
set nat46 [enable|disable]
set orig-addr <name1>, <name2>, ...
set orig-addr6 <name1>, <name2>, ...
set orig-port {user}
set protocol {integer}
set type [ipv4|ipv6]
set uuid {uuid}
next
end
comments Comment. var-string Not Specified
dst-addr IPv4 Destination address. string Maximum

dst-addr6 IPv6 Destination address. string Maximum

dstintf Destination interface name from available string Maximum

<name> interfaces. length: 79
Interface name.
nat Enable/disable source NAT. option - enable
Option Description
disable Disable source NAT.
enable Enable source NAT.
nat-ippool Name of the IP pools to be used to translate string Maximum

<name> addresses from available IP Pools. length: 79
IP pool name.
nat-ippool6 IPv6 pools to be used for source NAT. string Maximum

<name> IPv6 pool name. length: 79
nat-port Translated port or port range (1 to 65535, 0 user Not Specified

means any port).

Fortinet Inc.
nat46 Enable/disable NAT46. option - disable
Option Description
enable Enable NAT46.
disable Disable NAT46.
Option Description
orig-addr IPv4 Original address. string Maximum

orig-addr6 IPv6 Original address. string Maximum

orig-port Original TCP port (1 to 65535, 0 means any user Not Specified
port).

value: 0
Maximum
value:
4294967295
protocol Integer value for the protocol type. integer Minimum 0

value: 0
Maximum
value: 255
srcintf Source interface name from available interfaces. string Maximum

status Enable/disable the active status of this policy. option - enable
Option Description
type IPv4/IPv6 source NAT. option - ipv4
Option Description
ipv4 Perform IPv4 source NAT.

Fortinet Inc.
Option Description
ipv6 Perform IPv6 source NAT.
uuid Universally Unique Identifier (UUID; uuid Not Specified 00000000-0000-

automatically assigned but can be manually 0000-0000-
reset). 000000000000
config firewall city
Define city table.

Description: Define city table.
edit <id>
set id {integer}
set name {string}
next
end
id City ID. integer Minimum 0

value: 0
Maximum
value:
65535
name City name. string Not

Specified
config firewall country
Define country table.

Description: Define country table.
edit <id>
set id {integer}
set name {string}
set region <id1>, <id2>, ...
next
end

Fortinet Inc.
id Country ID. integer Minimum 0

value: 0
Maximum
value:
65535
name Country name. string Not

Specified
region <id> Region ID list. integer Minimum

Region ID. value: 0
Maximum
value:
65535
config firewall decrypted-traffic-mirror
Configure decrypted traffic mirror.

Description: Configure decrypted traffic mirror.
edit <name>
set dstmac {mac-address}
set interface <name1>, <name2>, ...
set name {string}
set traffic-source [client|server|...]
set traffic-type {option1}, {option2}, ...
next
end
dstmac Set destination MAC address for mirrored traffic. mac- Not ff:ff:ff:ff:ff:ff
address Specified
interface Decrypted traffic mirror interface. string Maximum

<name> Decrypted traffic mirror interface. length: 79

Specified
traffic-source Source of decrypted traffic to be mirrored. option - client

Fortinet Inc.
Option Description
client Mirror client side decrypted traffic.
server Mirror server side decrypted traffic.
both Mirror both client and server side decrypted traffic.
traffic-type Types of decrypted traffic to be mirrored. option - ssl
Option Description
ssl Mirror decrypted SSL traffic.
ssh Mirror decrypted SSH traffic.
config firewall dnstranslation
Configure DNS translation.

Description: Configure DNS translation.
edit <id>
set dst {ipv4-address}
set id {integer}
set src {ipv4-address}
next
end
dst IPv4 address or subnet on the external ipv4- Not Specified 0.0.0.0
mapped IP addresses in src.

value: 0
Maximum
value:
4294967295

Fortinet Inc.
netmask If src and dst are subnets rather than single IP ipv4- Not Specified 255.255.255.255
addresses, enter the netmask for both src and netmask
dst.
src IPv4 address or subnet on the internal ipv4- Not Specified 0.0.0.0
with dst.
config firewall identity-based-route
Configure identity based routing.

Description: Configure identity based routing.
edit <name>
set name {string}
config rule
Description: Rule.
edit <id>
set id {integer}
set gateway {ipv4-address}
set device {string}
next
end
next
end
comments Comments. string Not

Specified

Specified

Fortinet Inc.
config rule

value: 0
Maximum
value:
4294967295
gateway IPv4 address of the gateway (Format: xxx.xxx.xxx.xxx ipv4- Not Specified 0.0.0.0
, Default: 0.0.0.0). address
device Outgoing interface for the rule. string Not Specified
groups Select one or more group(s) from available groups string Maximum
<name> that are allowed to use this route. Separate group length: 79
names with a space.
Group name.
config firewall interface-policy
Configure IPv4 interface policies.

Description: Configure IPv4 interface policies.
edit <policyid>
set application-list {string}
set application-list-status [enable|disable]
set av-profile {string}
set av-profile-status [enable|disable]
set dlp-sensor {string}
set dlp-sensor-status [enable|disable]
set dsri [enable|disable]
set emailfilter-profile {string}
set emailfilter-profile-status [enable|disable]
set ips-sensor {string}
set ips-sensor-status [enable|disable]
set logtraffic [all|utm|...]
set webfilter-profile {string}
set webfilter-profile-status [enable|disable]
next
end

Fortinet Inc.
application- Application list name. string Not Specified

list
application- Enable/disable application control. option - disable

list-status
Option Description
enable Enable application control
disable Disable application control
av-profile Antivirus profile. string Not Specified
av-profile- Enable/disable antivirus. option - disable

status
Option Description
enable Enable antivirus
disable Disable antivirus
comments Comments. var-string Not Specified
dlp-sensor DLP sensor name. string Not Specified
dlp-sensor- Enable/disable DLP. option - disable

status
Option Description
dsri Enable/disable DSRI. option - disable
Option Description
enable Enable DSRI.
disable Disable DSRI.
dstaddr Address object to limit traffic monitoring to network string Maximum

<name> traffic sent to the specified address or range. length: 79
Address name.
emailfilter- Email filter profile. string Not Specified

profile
emailfilter- Enable/disable email filter. option - disable

profile-status

Fortinet Inc.
Option Description
enable Enable Email filter.
disable Disable Email filter.
interface Monitored interface name from available interfaces. string Not Specified
ips-sensor IPS sensor name. string Not Specified
ips-sensor- Enable/disable IPS. option - disable

status
Option Description
enable Enable IPS.
disable Disable IPS.
logtraffic Logging type to be used in this policy (Options: all | option - utm
utm | disable, Default: utm).
Option Description
all Log all sessions accepted or denied by this policy.
utm Log traffic that has a security profile applied to it.
disable Disable all logging for this policy.

value: 0
Maximum
value:
4294967295

srcaddr Address object to limit traffic monitoring to network string Maximum

<name> traffic sent from the specified address or range. length: 79
Address name.
Option Description
webfilter- Web filter profile. string Not Specified

profile

Fortinet Inc.
webfilter- Enable/disable web filtering. option - disable

profile-status
Option Description
enable Enable web filtering.
disable Disable web filtering.
config firewall interface-policy6
Configure IPv6 interface policies.

Description: Configure IPv6 interface policies.
edit <policyid>
set service6 <name1>, <name2>, ...
next
end
application- Application list name. string Not Specified

list
application- Enable/disable application control. option - disable

list-status

Fortinet Inc.
Option Description
enable Enable application control
disable Disable application control
av-profile Antivirus profile. string Not Specified
av-profile- Enable/disable antivirus. option - disable

status
Option Description
enable Enable antivirus
disable Disable antivirus
comments Comments. var-string Not Specified
dlp-sensor DLP sensor name. string Not Specified
dlp-sensor- Enable/disable DLP. option - disable

status
Option Description
Option Description
enable Enable DSRI.
dstaddr6 IPv6 address object to limit traffic monitoring to string Maximum

<name> network traffic sent to the specified address or range. length: 79
Address name.
emailfilter- Email filter profile. string Not Specified

profile
emailfilter- Enable/disable email filter. option - disable

profile-status
Option Description
enable Enable Email filter.
disable Disable Email filter.

Fortinet Inc.
interface Monitored interface name from available interfaces. string Not Specified
ips-sensor- Enable/disable IPS. option - disable

status
Option Description
enable Enable IPS.
disable Disable IPS.
logtraffic Logging type to be used in this policy (Options: all | option - utm
utm | disable, Default: utm).
Option Description

value: 0
Maximum
value:
4294967295
service6 Service name. string Maximum

srcaddr6 IPv6 address object to limit traffic monitoring to string Maximum

<name> network traffic sent from the specified address or length: 79
range.
Address name.
Option Description
webfilter- Web filter profile. string Not Specified

profile
webfilter- Enable/disable web filtering. option - disable

profile-status

Fortinet Inc.
Option Description
enable Enable web filtering.
disable Disable web filtering.
config firewall internet-service-addition
Configure Internet Services Addition.

Description: Configure Internet Services Addition.
edit <id>
config entry
Description: Entries added to the Internet Service addition database.
edit <id>
set id {integer}
config port-range
Description: Port ranges in the custom entry.
edit <id>
set id {integer}
set start-port {integer}
set end-port {integer}
next
end
next
end
set id {integer}
next
end
id Internet Service ID in the Internet Service database. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
config entry

value: 0
Maximum
value: 255
protocol Integer value for the protocol type as defined by IANA. integer Minimum 0
value: 0
Maximum
value: 255
config port-range
id Custom entry port range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
start-port Integer value for starting TCP/UDP/SCTP destination integer Minimum 1

port in range (0 to 65535). value: 0
Maximum
value: 65535
end-port Integer value for ending TCP/UDP/SCTP destination integer Minimum 65535
Maximum
value: 65535
config firewall internet-service-append
Configure additional port mappings for Internet Services.

Description: Configure additional port mappings for Internet Services.
set append-port {integer}
set match-port {integer}
end

Fortinet Inc.
append-port Appending TCP/UDP/SCTP destination port (1 to integer Minimum 0

65535). value: 1
Maximum
value:
65535
match-port Matching TCP/UDP/SCTP destination port (0 to 65535, integer Minimum 0

0 means any port). value: 0
Maximum
value:
65535
config firewall internet-service-botnet
Show Internet Service botnet.

Description: Show Internet Service botnet.
edit <id>
set id {integer}
set name {string}
next
end
id Internet Service Botnet ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Internet Service Botnet name. string Not Specified
config firewall internet-service-custom-group
Configure custom Internet Service group.

Description: Configure custom Internet Service group.
edit <name>
set name {string}

Fortinet Inc.
next
end

Specified
member Custom Internet Service group members. string Maximum

<name> Group member name. length: 79
name Custom Internet Service group name. string Not

Specified
config firewall internet-service-custom
Configure custom Internet Services.

Description: Configure custom Internet Services.
edit <name>
config entry
Description: Entries added to the Internet Service database and custom database.
edit <id>
set id {integer}
config port-range
edit <id>
set id {integer}
next
end
set dst <name1>, <name2>, ...
next
end
set name {string}
set reputation {integer}
next
end
name Internet Service name. string Not Specified

Fortinet Inc.
reputation Reputation level of the custom Internet Service. integer Minimum 3

value: 0
Maximum
value:
4294967295
config entry

value: 0
Maximum
value: 255
value: 0
Maximum
value: 255
dst <name> Destination address or address group name. string Maximum

Select the destination address or address group object length: 79
from available options.
config port-range

value: 0
Maximum
value:
4294967295

Maximum
value: 65535
Maximum
value: 65535
config firewall internet-service-definition
Configure Internet Service definition.

Fortinet Inc.
Description: Configure Internet Service definition.
edit <id>
config entry
Description: Protocol and port information in an Internet Service entry.
edit <seq-num>
set seq-num {integer}
set category-id {integer}
set name {string}
config port-range
Description: Port ranges in the definition entry.
edit <id>
set id {integer}
next
end
next
end
set id {integer}
next
end
id Internet Service application list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config entry
seq-num Entry sequence number. integer Minimum 7 **

value: 0
Maximum
value:
4294967295
category-id Internet Service category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
value: 0
Maximum
value: 255
config port-range

value: 0
Maximum
value:
4294967295
start-port Starting TCP/UDP/SCTP destination port (1 to integer Minimum 1

65535). value: 1
Maximum
value: 65535
end-port Ending TCP/UDP/SCTP destination port (1 to 65535). integer Minimum 65535

value: 1
Maximum
value: 65535
config firewall internet-service-extension
Configure Internet Services Extension.

Description: Configure Internet Services Extension.
edit <id>
config disable-entry
Description: Disable entries in the Internet Service database.
edit <id>
set id {integer}
config port-range
Description: Port ranges in the disable entry.
edit <id>
set id {integer}
next
end
config ip-range
Description: IP ranges in the disable entry.

Fortinet Inc.
edit <id>
set id {integer}
next
end
next
end
config entry
Description: Entries added to the Internet Service extension database.
edit <id>
set id {integer}
config port-range
edit <id>
set id {integer}
next
end
next
end
set id {integer}
next
end
id Internet Service ID in the Internet Service database. integer Minimum 0

value: 0
Maximum
value:
4294967295
config disable-entry
id Disable entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
value: 0
Maximum
value: 255
config port-range

value: 0
Maximum
value:
4294967295

Maximum
value: 65535
Maximum
value: 65535
config ip-range
id Disable entry range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
start-ip Start IP address. ipv4- Not Specified 0.0.0.0

address-
any
end-ip End IP address. ipv4- Not Specified 0.0.0.0

address-
any

Fortinet Inc.
config entry

value: 0
Maximum
value: 255
value: 0
Maximum
value: 255
dst <name> Destination address or address group name. string Maximum

Select the destination address or address group object length: 79
from available options.
config port-range

value: 0
Maximum
value:
4294967295

Maximum
value: 65535
Maximum
value: 65535
config firewall internet-service-group
Configure group of Internet Service.

Description: Configure group of Internet Service.
edit <name>
set direction [source|destination|...]
set name {string}
next
end

Fortinet Inc.

Specified
direction How this service may be used (source, destination or option - both
both).
Option Description
source As source when applied.
destination As destination when applied.
both Both directions when applied.
member Internet Service group member. string Maximum

<name> Internet Service name. length: 79
name Internet Service group name. string Not

Specified
config firewall internet-service-ipbl-reason
IP block list reason.

Description: IP block list reason.
edit <id>
set id {integer}
set name {string}
next
end
id IP block list reason ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name IP block list reason name. string Not Specified
config firewall internet-service-ipbl-vendor
IP block list vendor.

Fortinet Inc.
Description: IP block list vendor.
edit <id>
set id {integer}
set name {string}
next
end
id IP block list vendor ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name IP block list vendor name. string Not Specified
config firewall internet-service-list
Internet Service list.

Description: Internet Service list.
edit <id>
set id {integer}
set name {string}
next
end
id Internet Service category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Internet Service category name. string Not Specified
config firewall internet-service-name
Define internet service names.

Description: Define internet service names.

Fortinet Inc.
edit <name>
set city-id {integer}
set country-id {integer}
set internet-service-id {integer}
set name {string}
set region-id {integer}
set type [default|location]
next
end
city-id City ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
country-id Country or Area ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
internet- Internet Service ID. integer Minimum 0

service-id value: 0
Maximum
value:
4294967295
region-id Region ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
type Internet Service name type. option - default
Option Description
default Automatically generated Internet Service.
location Geography location based Internet Service.
config firewall internet-service-owner
Internet Service owner.

Fortinet Inc.
Description: Internet Service owner.
edit <id>
set id {integer}
set name {string}
next
end
id Internet Service owner ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Internet Service owner name. string Not Specified
config firewall internet-service-reputation
Show Internet Service reputation.

Description: Show Internet Service reputation.
edit <id>
set id {integer}
next
end
id Internet Service Reputation ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config firewall internet-service-sld
Internet Service Second Level Domain.

Description: Internet Service Second Level Domain.

Fortinet Inc.
edit <id>
set id {integer}
set name {string}
next
end
id Second Level Domain ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Second Level Domain name. string Not Specified
config firewall internet-service
Show Internet Service application.

Description: Show Internet Service application.
edit <id>
set database [isdb|irdb]
set direction [src|dst|...]
set extra-ip-range-number {integer}
set icon-id {integer}
set id {integer}
set ip-number {integer}
set ip-range-number {integer}
set name {string}
set obsolete {integer}
set singularity {integer}
next
end
database Database name this Internet Service belongs to. option - isdb
Option Description
isdb Internet Service Database.
irdb Internet RRR Database.

Fortinet Inc.
direction How this service may be used in a firewall policy option - both
(source, destination or both).
Option Description
src As source in the firewall policy.
dst As destination in the firewall policy.
both Both directions in the firewall policy.
extra-ip- Extra number of IP ranges. integer Minimum 0

range-number value: 0
Maximum
value:
4294967295
icon-id Icon ID of Internet Service. integer Minimum 0

value: 0
Maximum
value:
4294967295
id Internet Service ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip-number Total number of IP addresses. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip-range- Number of IP ranges. integer Minimum 0

number value: 0
Maximum
value:
4294967295
obsolete Indicates whether the Internet Service can be used. integer Minimum 0
value: 0
Maximum
value: 255
singularity Singular level of the Internet Service. integer Minimum 0

value: 0
Maximum
value: 65535

Fortinet Inc.
config firewall ip-translation
Configure firewall IP-translation.

Description: Configure firewall IP-translation.
edit <transid>
set endip {ipv4-address-any}
set map-startip {ipv4-address-any}
set startip {ipv4-address-any}
set transid {integer}
set type {option}
next
end
endip Final IPv4 address. ipv4- Not Specified 0.0.0.0

address-
any
map-startip Address to be used as the starting point for translation ipv4- Not Specified 0.0.0.0
in the range. address-
any
startip First IPv4 address. ipv4- Not Specified 0.0.0.0

address-
any
transid IP translation ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
type IP translation type (option: SCTP). option - SCTP
Option Description
SCTP SCTP
config firewall ipmacbinding setting
Configure IP to MAC binding settings.

Description: Configure IP to MAC binding settings.
set bindthroughfw [enable|disable]
set bindtofw [enable|disable]

Fortinet Inc.
set undefinedhost [allow|block]
end
bindthroughfw Enable/disable use of IP/MAC binding to filter packets option - disable

that would normally go through the firewall.
Option Description
enable Enable IP/MAC binding for packets that would normally go through the
firewall.
disable Disable IP/MAC binding for packets that would normally go through the
firewall.
bindtofw Enable/disable use of IP/MAC binding to filter packets option - disable

that would normally go to the firewall.
Option Description
enable Enable IP/MAC binding for packets that would normally go to the firewall.
disable Disable IP/MAC binding for packets that would normally go to the firewall.
undefinedhost Select action to take on packets with IP/MAC option - block

addresses not in the binding list.
Option Description
allow Allow packets from MAC addresses not in the IP/MAC list.
block Block packets from MAC addresses not in the IP/MAC list.
config firewall ipmacbinding table
Configure IP to MAC address pairs in the IP/MAC binding table.

Description: Configure IP to MAC address pairs in the IP/MAC binding table.
edit <seq-num>
set mac {mac-address}
set name {string}
next
end

Fortinet Inc.
ip IPv4 address portion of the pair (format: ipv4- Not Specified 0.0.0.0
xxx.xxx.xxx.xxx). address
mac MAC address portion of the pair (format = mac- Not Specified 00:00:00:00:00:00
xx:xx:xx:xx:xx:xx in hexadecimal). address
name Name of the pair. string Not Specified noname
seq-num Entry number. integer Minimum 0

value: 0
Maximum
value:
4294967295
status Enable/disable this IP-mac binding pair. option - disable
Option Description
enable Enable this IP-mac binding pair.
disable Disable this IP-mac binding pair.
config firewall ippool
Configure IPv4 IP pools.

Description: Configure IPv4 IP pools.
edit <name>
set add-nat64-route [disable|enable]
set arp-intf {string}
set arp-reply [disable|enable]
set block-size {integer}
set cgn-block-size {integer}
set cgn-client-endip {var-string}
set cgn-client-ipv6shift {integer}
set cgn-client-startip {var-string}
set cgn-fixedalloc [disable|enable]
set cgn-overload [disable|enable]
set cgn-port-end {integer}
set cgn-port-start {integer}
set cgn-spa [disable|enable]
set endip {ipv4-address-any}
set endport {integer}
set name {string}
set nat64 [disable|enable]
set num-blocks-per-user {integer}
set pba-timeout {integer}

Fortinet Inc.
set permit-any-host [disable|enable]
set port-per-user {integer}
set source-endip {ipv4-address-any}
set source-startip {ipv4-address-any}
set startip {ipv4-address-any}
set startport {integer}
set subnet-broadcast-in-ippool [disable|enable]
set type [overload|one-to-one|...]
set utilization-alarm-clear {integer}
set utilization-alarm-raise {integer}
next
end
add-nat64- Enable/disable adding NAT64 route. option - enable

route
Option Description
disable Disable adding NAT64 route.
enable Enable adding NAT64 route.
arp-intf Select an interface from available options that will reply string Not
to ARP requests. (If blank, any is selected). Specified
arp-reply Enable/disable replying to ARP requests when an IP option - enable

Pool is added to a policy.
Option Description
disable Disable ARP reply.
enable Enable ARP reply.
associated- Associated interface name. string Not

interface Specified
block-size Number of addresses in a block. integer Minimum 128

value: 64
Maximum
value: 4096
cgn-block- Number of ports in a block. integer Minimum 128

size * value: 64
Maximum
value: 4096
cgn-client- Final client IPv4 address (inclusive) (format var-string Not

endip * xxx.xxx.xxx.xxx, Default: 0.0.0.0). Specified

Fortinet Inc.
cgn-client- IPv6 shift for fixed-allocation. integer Minimum 0

ipv6shift * value: 0
Maximum
value: 127
cgn-client- First client IPv4 address (inclusive) (format var-string Not

startip * xxx.xxx.xxx.xxx, Default: 0.0.0.0). Specified
cgn-fixedalloc Enable/disable fixed-allocation mode. option - disable

*
Option Description
disable Disable fixed-allocation mode.
enable Enable fixed-allocation mode.
cgn-overload Enable/disable overload mode. option - disable

*
Option Description
disable Disable overload mode.
enable Enable overload mode.
cgn-port-end * Ending public port can be allocated. integer Minimum 65530

value: 1024
Maximum
value:
65535
cgn-port-start Starting public port can be allocated. integer Minimum 5117

* value: 1024
Maximum
value:
65535
cgn-spa * Enable/disable single port allocation mode. option - disable
Option Description
disable Disable SPA mode.
enable Enable SPA mode.

Specified
endip Final IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0). address- Specified
any

Fortinet Inc.
endport Final port number (inclusive) in the range for the integer Minimum 65533
address pool (Default: 65533). value: 5117
Maximum
value:
65533
name IP pool name. string Not

Specified
Option Description
disable Disable DNAT64.
enable Enable DNAT64.
num-blocks- Number of addresses blocks that can be used by a user. integer Minimum 8
per-user value: 1
Maximum
value: 128
pba-timeout Port block allocation timeout (seconds). integer Minimum 30

value: 3
Maximum
value: 300
permit-any- Enable/disable full cone NAT. option - disable

host
Option Description
disable Disable full cone NAT.
enable Enable full cone NAT.
port-per-user Number of port for each user. integer Minimum 0

value: 32
Maximum
value:
60416
source-endip Final IPv4 address (inclusive) in the range of the source ipv4- Not 0.0.0.0
addresses to be translated (format xxx.xxx.xxx.xxx, address- Specified
Default: 0.0.0.0). any
source-startip First IPv4 address. ipv4- Not 0.0.0.0

address- Specified
any

Fortinet Inc.
startip First IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
address pool (format xxx.xxx.xxx.xxx, Default: 0.0.0.0). address- Specified
any
startport First port number (inclusive) in the range for the address integer Minimum 5117
pool (Default: 5117). value: 5117
Maximum
value:
65533
subnet- Enable/disable inclusion of the subnetwork address and option - enable

broadcast-in- broadcast IP address in the NAT64 IP pool.
ippool
Option Description
disable Do not include the subnetwork address and broadcast IP address in the
NAT64 IP pool.
enable Include the subnetwork address and broadcast IP address in the NAT64 IP
pool.
type IP pool type (overload, one-to-one, fixed port range, or option - overload
port block allocation).
Option Description
overload IP addresses in the IP pool can be shared by clients.
one-to-one One to one mapping.
fixed-port-range Fixed port range.
port-block- Port block allocation.

allocation
utilization- Pool utilization alarm clear threshold. integer Minimum 80

alarm-clear * value: 40
Maximum
value: 100
utilization- Pool utilization alarm raise threshold. integer Minimum 100

alarm-raise * value: 50
Maximum
value: 100
config firewall ippool6
Configure IPv6 IP pools.

Fortinet Inc.
Description: Configure IPv6 IP pools.
edit <name>
set endip {ipv6-address}
set name {string}
set startip {ipv6-address}
next
end
add-nat46-route Enable/disable adding NAT46 route. option - enable
Option Description

Specified
endip Final IPv6 address. ipv6- Not ::

address Specified
name IPv6 IP pool name. string Not

Specified
Option Description
startip First IPv6 address. ipv6- Not ::

address Specified
config firewall iprope appctrl list
List application control policies.

config firewall iprope appctrl list
Description: List application control policies.
end

Fortinet Inc.
config firewall iprope appctrl status
Application control policy status.

config firewall iprope appctrl status
Description: Application control policy status.
end
config firewall iprope list
List.
Description: List.
set <group_number> {string}
end
<group_number> Number, hexadecimal. string Not

Specified
config firewall ipv6-eh-filter
Configure IPv6 extension header filter.

Description: Configure IPv6 extension header filter.
set auth [enable|disable]
set dest-opt [enable|disable]
set fragment [enable|disable]
set hdopt-type {integer}
set hop-opt [enable|disable]
set no-next [enable|disable]
set routing [enable|disable]
set routing-type {integer}
end
auth Enable/disable blocking packets with the Authentication option - disable

header.

Fortinet Inc.
Option Description
enable Block packets with the Authentication header.
disable Allow packets with the Authentication header.
dest-opt Enable/disable blocking packets with Destination option - disable

Options headers.
Option Description
enable Enable blocking packets with Destination Options headers.
disable Disable blocking packets with Destination Options headers.
fragment Enable/disable blocking packets with the Fragment option - disable

header.
Option Description
enable Block packets with the Fragment header.
disable Allow packets with the Fragment header.
hdopt-type Block specific Hop-by-Hop and/or Destination Option integer Minimum

types (max. 7 types, each between 0 and 255). value: 0
Maximum
value: 255
hop-opt Enable/disable blocking packets with the Hop-by-Hop option - disable

Options header.
Option Description
enable Enable blocking packets with the Hop-by-Hop Options header.
disable Disable blocking packets with the Hop-by-Hop Options header.
no-next Enable/disable blocking packets with the No Next option - disable

header.
Option Description
enable Block packets with the No Next header.
disable Allow packets with the No Next header.
routing Enable/disable blocking packets with Routing headers. option - enable
Option Description
enable Block packets with Routing headers.

Fortinet Inc.
Option Description
disable Allow packets with Routing headers.
routing-type Block specific Routing header types. integer Minimum 0

value: 0
Maximum
value: 255
config firewall ldb-monitor
Configure server load balancing health monitors.

Description: Configure server load balancing health monitors.
edit <name>
set dns-match-ip {ipv4-address}
set dns-protocol [udp|tcp]
set dns-request-domain {string}
set http-get {string}
set http-match {string}
set http-max-redirects {integer}
set name {string}
set port {integer}
set retry {integer}
set src-ip {ipv4-address}
set timeout {integer}
set type [ping|tcp|...]
next
end
dns-match-ip Response IP expected from DNS server. ipv4- Not 0.0.0.0

address Specified
dns-protocol Select the protocol used by the DNS health check option - udp
monitor to check the health of the server (UDP | TCP).
Option Description
udp UDP.
tcp TCP.

Fortinet Inc.
dns-request- Fully qualified domain name to resolve for the DNS string Not
domain probe. Specified
http-get URL used to send a GET request to check the health of string Not
an HTTP server. Specified
http-match String to match the value expected in response to an string Not

HTTP-GET request. Specified
http-max- The maximum number of HTTP redirects to be allowed. integer Minimum 0

redirects value: 0
Maximum
value: 5
interval Time between health checks. integer Minimum 10

value: 5
Maximum
value:
65535
name Monitor name. string Not

Specified
port Service port used to perform the health check. If 0, integer Minimum 0
health check monitor inherits port configured for the value: 0
server. Maximum
value:
65535
retry Number health check attempts before the server is integer Minimum 3
considered down. value: 1
Maximum
value: 255
src-ip Source IP for ldb-monitor. ipv4- Not 0.0.0.0

address Specified
timeout Time to wait to receive response to a health check from integer Minimum 2
a server. Reaching the timeout means the health check value: 1
failed. Maximum
value: 255
type Select the Monitor type used by the health check option -
monitor to check the health of the server (PING | TCP |
HTTP | HTTPS | DNS).
Option Description
ping PING health monitor.
tcp TCP-connect health monitor.

Fortinet Inc.
Option Description
http HTTP-GET health monitor.
https HTTP-GET health monitor with SSL.
dns DNS health monitor.
config firewall local-in-policy
Configure user defined IPv4 local-in policies.

Description: Configure user defined IPv4 local-in policies.
edit <policyid>
set action [accept|deny]
set dstaddr-negate [enable|disable]
set ha-mgmt-intf-only [enable|disable]
set intf {string}
set schedule {string}
set service-negate [enable|disable]
set srcaddr-negate [enable|disable]
set uuid {uuid}
next
end
action Action performed on traffic matching the policy. option - deny
Option Description
accept Allow traffic matching this policy.
deny Deny or block traffic matching this policy.
dstaddr Destination address object from available string Maximum

<name> options. length: 79
Address name.

Fortinet Inc.
dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.
Option Description
enable Enable destination address negate.
disable Disable destination address negate.
ha-mgmt-intf- Enable/disable dedicating the HA management option - disable

only interface only for local-in policy.
Option Description
enable Enable dedicating HA management interface only for local-in policy.
disable Disable dedicating HA management interface only for local-in policy.
intf Incoming interface name from available options. string Not Specified
policyid User defined local in policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
schedule Schedule object from available options. string Not Specified

service- When enabled service specifies what the service option - disable
negate must NOT be.
Option Description
enable Enable negated service match.
disable Disable negated service match.
srcaddr Source address object from available options. string Maximum

srcaddr- When enabled srcaddr specifies what the source option - disable
negate address must NOT be.
Option Description
enable Enable source address negate.
disable Disable source address negate.
status Enable/disable this local-in policy. option - enable

Fortinet Inc.
Option Description
enable Enable this local-in policy.
disable Disable this local-in policy.

reset). 000000000000
config firewall local-in-policy6
Configure user defined IPv6 local-in policies.

Description: Configure user defined IPv6 local-in policies.
edit <policyid>
set intf {string}
set uuid {uuid}
next
end
action Action performed on traffic matching the policy. option - deny
Option Description
accept Allow local-in traffic matching this policy.
deny Deny or block local-in traffic matching this policy.
dstaddr Destination address object from available string Maximum

<name> options. length: 79
Address name.

Fortinet Inc.
dstaddr- When enabled dstaddr specifies what the option - disable

negate destination address must NOT be.
Option Description
intf Incoming interface name from available options. string Not Specified
policyid User defined local in policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
service Service object from available options. Separate string Maximum

<name> names with a space. length: 79
Service name.
service- When enabled service specifies what the service option - disable
negate must NOT be.
Option Description
srcaddr Source address object from available options. string Maximum

srcaddr- When enabled srcaddr specifies what the source option - disable
negate address must NOT be.
Option Description
status Enable/disable this local-in policy. option - enable
Option Description
enable Enable this local-in policy.
disable Disable this local-in policy.

Fortinet Inc.

reset). 000000000000
config firewall multicast-address
Configure multicast addresses.

Description: Configure multicast addresses.
edit <name>
set color {integer}
set name {string}
config tagging
edit <name>
set name {string}
next
end
set type [multicastrange|broadcastmask]
next
end
associated- Interface associated with the address object. When string Not
interface setting up a policy, only addresses associated with Specified
this interface are available.
the GUI. value: 0
Maximum
value: 32

Specified
end-ip Final IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
any

Fortinet Inc.
name Multicast address name. string Not

Specified
start-ip First IPv4 address (inclusive) in the range for the ipv4- Not 0.0.0.0
any
subnet Broadcast address and subnet. ipv4- Not 0.0.0.0 0.0.0.0

classnet- Specified
any
type Type of address object: multicast IP address range option - multicastrange

or broadcast IP/mask to be treated as a multicast
address.
Option Description
multicastrange Multicast range.
broadcastmask Broadcast IP/mask.
config tagging

Specified

Specified

config firewall multicast-address6
Configure IPv6 multicast address.

Description: Configure IPv6 multicast address.
edit <name>
set color {integer}
set name {string}
config tagging
edit <name>
set name {string}

Fortinet Inc.
next
end
next
end

value: 0
Maximum
value: 32

Specified
ip6 IPv6 address prefix (format: ipv6- Not ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx). network Specified
name IPv6 multicast address name. string Not

Specified
config tagging

Specified

Specified

config firewall multicast-policy
Configure multicast NAT policies.

Description: Configure multicast NAT policies.
edit <id>
set auto-asic-offload [enable|disable]
set dnat {ipv4-address-any}
set dstintf {string}
set id {integer}
set logtraffic [enable|disable]

Fortinet Inc.
set name {string}
set snat [enable|disable]
set snat-ip {ipv4-address}
set srcintf {string}
set uuid {uuid}
next
end
action Accept or deny traffic matching the policy. option - accept
Option Description
accept Accept traffic matching the policy.
deny Deny or block traffic matching the policy.
auto-asic- Enable/disable offloading policy traffic for option - enable

offload * hardware acceleration.
Option Description
enable Enable hardware acceleration offloading.
disable Disable offloading for hardware acceleration.
dnat IPv4 DNAT address used for multicast ipv4- Not Specified 0.0.0.0
destination addresses. address-
any
dstaddr Destination address objects. string Maximum

<name> Destination address objects. length: 79
dstintf Destination interface name. string Not Specified
end-port Integer value for ending TCP/UDP/SCTP integer Minimum 65535

destination port in range. value: 0
Maximum
value: 65535
id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294

Fortinet Inc.
logtraffic Enable/disable logging traffic accepted by this option - disable

policy.
Option Description
enable Enable logging traffic accepted by this policy.
disable Disable logging traffic accepted by this policy.
name Policy name. string Not Specified
protocol Integer value for the protocol type as defined by integer Minimum 0
IANA. value: 0
Maximum
value: 255
snat Enable/disable substitution of the outgoing option - disable

interface IP address for the original source IP
address (called source NAT or SNAT).
Option Description
enable Enable source NAT.
disable Disable source NAT.
snat-ip IPv4 address to be used as the source address ipv4- Not Specified 0.0.0.0
for NATed traffic. address
srcaddr Source address objects. string Maximum

<name> Source address objects. length: 79
srcintf Source interface name. string Not Specified
start-port Integer value for starting TCP/UDP/SCTP integer Minimum 1

Maximum
value: 65535
Option Description

reset). 000000000000

Fortinet Inc.
config firewall multicast-policy6
Configure IPv6 multicast NAT policies.

Description: Configure IPv6 multicast NAT policies.
edit <id>
set id {integer}
set logtraffic [enable|disable]
set name {string}
set uuid {uuid}
next
end
action Accept or deny traffic matching the policy. option - accept
Option Description
accept Accept.
deny Deny.
auto-asic- Enable/disable offloading policy traffic for option - enable

offload * hardware acceleration.
Option Description
enable Enable offloading policy traffic for hardware acceleration.
disable Disable offloading policy traffic for hardware acceleration.
dstaddr IPv6 destination address name. string Maximum

dstintf IPv6 destination interface name. string Not Specified

Fortinet Inc.
end-port Integer value for ending TCP/UDP/SCTP integer Minimum 65535

Maximum
value: 65535
id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967294
logtraffic Enable/disable logging traffic accepted by this option - disable

policy.
Option Description
enable Enable logging traffic accepted by this policy.
disable Disable logging traffic accepted by this policy.
protocol Integer value for the protocol type as defined by integer Minimum 0
IANA. value: 0
Maximum
value: 255
srcaddr IPv6 source address name. string Maximum

srcintf IPv6 source interface name. string Not Specified
start-port Integer value for starting TCP/UDP/SCTP integer Minimum 1

Maximum
value: 65535
Option Description

reset). 000000000000

Fortinet Inc.
config firewall policy
Configure IPv4/IPv6 policies.

Description: Configure IPv4/IPv6 policies.
edit <policyid>
set action [accept|deny|...]
set anti-replay [enable|disable]
set auth-cert {string}
set auth-path [enable|disable]
set auth-redirect-addr {string}
set block-notification [enable|disable]
set captive-portal-exempt [enable|disable]
set capture-packet [enable|disable]
set cifs-profile {string}
set custom-log-fields <field-id1>, <field-id2>, ...
set delay-tcp-npu-session [enable|disable]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set disclaimer [enable|disable]
set dnsfilter-profile {string}
set dynamic-shaping [enable|disable]
set email-collect [enable|disable]
set fec [enable|disable]
set file-filter-profile {string}
set firewall-session-dirty [check-all|check-new]
set fixedport [enable|disable]
set fsso-agent-for-ntlm {string}
set fsso-groups <name1>, <name2>, ...
set geoip-anycast [enable|disable]
set geoip-match [physical-location|registered-location]
set http-policy-redirect [enable|disable]
set icap-profile {string}
set identity-based-route {string}
set inbound [enable|disable]
set inspection-mode [proxy|flow]
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...

Fortinet Inc.
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-negate [enable|disable]
set ippool [enable|disable]
set logtraffic-start [enable|disable]
set match-vip [enable|disable]
set match-vip-only [enable|disable]
set name {string}
set nat [enable|disable]
set natinbound [enable|disable]
set natip {ipv4-classnet}
set natoutbound [enable|disable]
set np-acceleration [enable|disable]
set ntlm [enable|disable]
set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
set ntlm-guest [enable|disable]
set outbound [enable|disable]
set passive-wan-health-measurement [enable|disable]
set permit-any-host [enable|disable]
set permit-stun-host [enable|disable]
set poolname <name1>, <name2>, ...
set poolname6 <name1>, <name2>, ...
set profile-group {string}
set profile-protocol-options {string}
set profile-type [single|group]
set radius-mac-auth-bypass [enable|disable]
set redirect-url {var-string}
set replacemsg-override-group {string}
set reputation-direction [source|destination]
set reputation-minimum {integer}
set rtp-addr <name1>, <name2>, ...
set rtp-nat [disable|enable]
set schedule-timeout [enable|disable]
set sctp-filter-profile {string}
set send-deny-packet [disable|enable]
set session-ttl {user}
set sgt <id1>, <id2>, ...
set sgt-check [enable|disable]
set src-vendor-mac <id1>, <id2>, ...

Fortinet Inc.
set ssh-filter-profile {string}
set ssh-policy-redirect [enable|disable]
set ssl-ssh-profile {string}
set tcp-mss-receiver {integer}
set tcp-mss-sender {integer}
set tcp-session-without-syn [all|data-only|...]
set timeout-send-rst [enable|disable]
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set users <name1>, <name2>, ...
set utm-status [enable|disable]
set uuid {uuid}
set videofilter-profile {string}
set vlan-cos-fwd {integer}
set vlan-cos-rev {integer}
set vlan-filter {user}
set voip-profile {string}
set vpntunnel {string}
set waf-profile {string}
set wanopt [enable|disable]
set wanopt-detection [active|passive|...]
set wanopt-passive-opt [default|transparent|...]
set wanopt-peer {string}
set wanopt-profile {string}
set wccp [enable|disable]
set webcache [enable|disable]
set webcache-https [disable|enable]
set webproxy-forward-server {string}
set webproxy-profile {string}
set ztna-ems-tag <name1>, <name2>, ...
set ztna-geo-tag <name1>, <name2>, ...
set ztna-status [enable|disable]
next
end
action Policy action (accept/deny/ipsec). option - deny
Option Description
accept Allows session that match the firewall policy.
deny Blocks sessions that match the firewall policy.
ipsec Firewall policy becomes a policy-based IPsec VPN policy.

Fortinet Inc.
anti-replay Enable/disable anti-replay check. option - enable
Option Description
enable Enable anti-replay check.
disable Disable anti-replay check.
application-list Name of an existing Application list. string Not Specified
auth-cert HTTPS server certificate for policy string Not Specified

authentication.
auth-path Enable/disable authentication-based routing. option - disable
Option Description
enable Enable authentication-based routing.
disable Disable authentication-based routing.
auth-redirect- HTTP-to-HTTPS redirect address for firewall string Not Specified

addr authentication.
auto-asic- Enable/disable policy traffic ASIC offloading. option - enable

offload *
Option Description
enable Enable auto ASIC offloading.
disable Disable ASIC offloading.
av-profile Name of an existing Antivirus profile. string Not Specified
block- Enable/disable block notification. option - disable

notification
Option Description
captive-portal- Enable to exempt some users from the captive option - disable
exempt portal.
Option Description
enable Enable exemption of captive portal.
disable Disable exemption of captive portal.
capture-packet * Enable/disable capture packets. option - disable

Fortinet Inc.
Option Description
enable Enable capture packets.
disable Disable capture packets.
cifs-profile Name of an existing CIFS profile. string Not Specified
custom-log- Custom fields to append to log messages for string Maximum

fields <field- this policy. length: 35
id> Custom log field.
decrypted- Decrypted traffic mirror. string Not Specified

traffic-mirror
delay-tcp-npu- Enable TCP NPU session delay to guarantee option - disable

session packet order of 3-way handshake.
Option Description
enable Enable TCP NPU session delay in order to guarantee packet order of 3-way
handshake.
disable Disable TCP NPU session delay in order to guarantee packet order of 3-way
handshake.
diffserv-forward Enable to change packet's DiffServ values to option - disable

the specified diffservcode-forward value.
Option Description
enable Enable setting forward (original) traffic Diffserv.
disable Disable setting forward (original) traffic Diffserv.
diffserv-reverse Enable to change packet's reverse (reply) option - disable

DiffServ values to the specified diffservcode-
rev value.
Option Description
enable Enable setting reverse (reply) traffic DiffServ.
disable Disable setting reverse (reply) traffic DiffServ.
diffservcode- Change packet's DiffServ to this value. user Not Specified

forward
diffservcode-rev Change packet's reverse (reply) DiffServ to user Not Specified

this value.

Fortinet Inc.
disclaimer Enable/disable user authentication disclaimer. option - disable
Option Description
enable Enable user authentication disclaimer.
disable Disable user authentication disclaimer.
dlp-sensor Name of an existing DLP sensor. string Not Specified
dnsfilter-profile Name of an existing DNS filter profile. string Not Specified
dsri Enable DSRI to ignore HTTP server option - disable

responses.
Option Description
enable Enable DSRI.
dstaddr <name> Destination IPv4 address and address group string Maximum
names. length: 79
Address name.
dstaddr-negate When enabled dstaddr/dstaddr6 specifies option - disable

what the destination address must NOT be.
Option Description
dstaddr6 Destination IPv6 address name and address string Maximum

<name> group names. length: 79
Address name.
dstintf <name> Outgoing (egress) interface. string Maximum

Interface name. length: 79
dynamic- Enable/disable dynamic RADIUS defined option - disable

shaping traffic shaping.
Option Description
enable Enable dynamic RADIUS defined traffic shaping.
disable Disable dynamic RADIUS defined traffic shaping.
email-collect Enable/disable email collection. option - disable

Fortinet Inc.
Option Description
enable Enable email collection.
disable Disable email collection.
emailfilter- Name of an existing email filter profile. string Not Specified

profile
fec Enable/disable Forward Error Correction on option - disable

traffic matching this policy on a FEC device.
Option Description
enable Enable Forward Error Correction.
disable Disable Forward Error Correction.
file-filter-profile Name of an existing file-filter profile. string Not Specified
firewall-session- How to handle sessions if the configuration of option - check-all

dirty this firewall policy changes.
Option Description
check-all Flush all current sessions accepted by this policy. These sessions must be
started and re-matched with policies.
check-new Continue to allow sessions already accepted by this policy.
fixedport Enable to prevent source NAT from changing option - disable

a session's source port.
Option Description
fsso-agent-for- FSSO agent to use for NTLM authentication. string Not Specified
ntlm
fsso-groups Names of FSSO groups. string Maximum

<name> Names of FSSO groups. length: 511
geoip-anycast Enable/disable recognition of anycast IP option - disable

addresses using the geography IP database.
Option Description
enable Enable recognition of anycast IP addresses using the geography IP

database.

Fortinet Inc.
Option Description
disable Disable recognition of anycast IP addresses using the geography IP

database.
geoip-match Match geography address based either on its option - physical-location

physical location or registered location.
Option Description
physical-location Match geography address to its physical location using the geography IP
database.
registered- Match geography address to its registered location using the geography IP
location database.
groups <name> Names of user groups that can authenticate string Maximum
with this policy. length: 79
Group name.
http-policy- Redirect HTTP(S) traffic to matching option - disable

redirect transparent web proxy policy.
Option Description
enable Enable HTTP(S) policy redirect.
disable Disable HTTP(S) policy redirect.
icap-profile Name of an existing ICAP profile. string Not Specified
identity-based- Name of identity-based routing rule. string Not Specified

route
inbound Policy-based IPsec VPN: only traffic from the option - disable
remote network can initiate a VPN.
Option Description
inspection- Policy inspection mode (Flow/proxy). Default option - flow

mode is Flow mode.
Option Description
proxy Proxy based inspection.
flow Flow based inspection.

Fortinet Inc.
internet-service Enable/disable use of Internet Services for this option - disable

policy. If enabled, destination address and
service are not used.
Option Description
enable Enable use of Internet Services in policy.
disable Disable use of Internet Services in policy.
internet-service- Custom Internet Service name. string Maximum

custom <name> Custom Internet Service name. length: 79
internet-service- Custom Internet Service group name. string Maximum

custom-group Custom Internet Service group name. length: 79
<name>
internet-service- Internet Service group name. string Maximum

group <name> Internet Service group name. length: 79
internet-service- Internet Service name. string Maximum

name <name> Internet Service name. length: 79
internet-service- When enabled internet-service specifies what option - disable

negate the service must NOT be.
Option Description
enable Enable negated Internet Service match.
disable Disable negated Internet Service match.
internet-service- Enable/disable use of Internet Services in option - disable

src source for this policy. If enabled, source
address is not used.
Option Description
enable Enable use of Internet Services source in policy.
disable Disable use of Internet Services source in policy.
internet-service- Custom Internet Service source name. string Maximum

src-custom Custom Internet Service name. length: 79
<name>
internet-service- Custom Internet Service source group name. string Maximum

src-custom- Custom Internet Service group name. length: 79
group <name>
internet-service- Internet Service source group name. string Maximum

src-group Internet Service group name. length: 79
<name>

Fortinet Inc.
internet-service- Internet Service source name. string Maximum

src-name Internet Service name. length: 79
<name>
internet-service- When enabled internet-service-src specifies option - disable

src-negate what the service must NOT be.
Option Description
enable Enable negated Internet Service source match.
disable Disable negated Internet Service source match.
ippool Enable to use IP Pools for source NAT. option - disable
Option Description
ips-sensor Name of an existing IPS sensor. string Not Specified
logtraffic Enable or disable logging. Log all sessions or option - utm

security profile sessions.
Option Description
logtraffic-start Record logs when a session starts. option - disable
Option Description
match-vip Enable to match packets that have had their option - disable
destination addresses changed by a VIP.
Option Description
enable Match DNATed packet.
disable Do not match DNATed packet.

Fortinet Inc.
match-vip-only Enable/disable matching of only those packets option - disable

that have had their destination addresses
changed by a VIP.
Option Description
enable Enable matching of only those packets that have had their destination
addresses changed by a VIP.
disable Disable matching of only those packets that have had their destination
addresses changed by a VIP.
nat Enable/disable source NAT. option - disable
Option Description
Option Description
Option Description
natinbound Policy-based IPsec VPN: apply destination option - disable

NAT to inbound traffic.
Option Description
natip Policy-based IPsec VPN: source NAT IP ipv4- Not Specified 0.0.0.0 0.0.0.0
address for outgoing traffic. classnet
natoutbound Policy-based IPsec VPN: apply source NAT to option - disable

outbound traffic.

Fortinet Inc.
Option Description
np-acceleration Enable/disable UTM Network Processor option - enable

* acceleration.
Option Description
enable Enable UTM Network Processor acceleration.
disable Disable UTM Network Processor acceleration.
ntlm Enable/disable NTLM authentication. option - disable
Option Description
ntlm-enabled- HTTP-User-Agent value of supported string Maximum

browsers browsers. length: 79
<user-agent- User agent string.
string>
ntlm-guest Enable/disable NTLM guest user access. option - disable
Option Description
outbound Policy-based IPsec VPN: only traffic from the option - enable
internal network can initiate a VPN.
Option Description
passive-wan- Enable/disable passive WAN health option - disable

health- measurement. When enabled, auto-asic-
measurement offload is disabled.
Option Description
enable Enable Passive WAN health measurement.

Fortinet Inc.
Option Description
disable Disable Passive WAN health measurement.
per-ip-shaper Per-IP traffic shaper. string Not Specified
permit-any-host Accept UDP packets from any host. option - disable
Option Description
permit-stun-host Accept UDP packets from any Session option - disable

Traversal Utilities for NAT (STUN) host.
Option Description

value: 0
Maximum
value:
4294967294
poolname IP Pool names. string Maximum

<name> IP pool name. length: 79
poolname6 IPv6 pool names. string Maximum

<name> IPv6 pool name. length: 79
profile-group Name of profile group. string Not Specified
profile-protocol- Name of an existing Protocol options profile. string Not Specified default
options
profile-type Determine whether the firewall policy allows option - single

security profile groups or single profiles only.
Option Description
single Do not allow security profile groups.
group Allow security profile groups.
radius-mac- Enable MAC authentication bypass. The option - disable

auth-bypass bypassed MAC address must be received
from RADIUS server.

Fortinet Inc.
Option Description
enable Enable MAC authentication bypass.
disable Disable MAC authentication bypass.
redirect-url URL users are directed to after seeing and var-string Not Specified
accepting the disclaimer or authenticating.
replacemsg- Override the default replacement message string Not Specified

override-group group for this policy.
reputation- Direction of the initial traffic for reputation to option - destination

direction take effect.
Option Description
source Check reputation for source address.
destination Check reputation for destination address.
reputation- Minimum Reputation to take action. integer Minimum 0

minimum value: 0
Maximum
value:
4294967295
rtp-addr Address names if this is an RTP NAT policy. string Maximum

rtp-nat Enable Real Time Protocol (RTP) NAT. option - disable
Option Description
schedule Schedule name. string Not Specified
schedule- Enable to force current sessions to end when option - disable

timeout the schedule object times out. Disable allows
them to end from inactivity.
Option Description
enable Enable schedule timeout.
disable Disable schedule timeout.
sctp-filter-profile Name of an existing SCTP filter profile. string Not Specified

Fortinet Inc.
send-deny- Enable to send a reply when a session is option - disable

packet denied or blocked by a firewall policy.
Option Description
disable Disable deny-packet sending.
enable Enable deny-packet sending.
service <name> Service and service group names. string Maximum

Service and service group names. length: 79
service-negate When enabled service specifies what the option - disable

service must NOT be.
Option Description
session-ttl TTL in seconds for sessions accepted by this user Not Specified
policy.
sgt <id> Security group tags. integer Minimum

Security group tag (1 - 65535). value: 1
Maximum
value: 65535
sgt-check Enable/disable security group tags (SGT) option - disable

check.
Option Description
enable Enable SGT check.
disable Disable SGT check.
src-vendor-mac Vendor MAC source ID. integer Minimum

<id> Vendor MAC ID. value: 0
Maximum
value:
4294967295
srcaddr <name> Source IPv4 address and address group string Maximum
names. length: 79
Address name.
srcaddr-negate When enabled srcaddr/srcaddr6 specifies option - disable

what the source address must NOT be.

Fortinet Inc.
Option Description
srcaddr6 Source IPv6 address name and address group string Maximum
<name> names. length: 79
Address name.
srcintf <name> Incoming (ingress) interface. string Maximum

ssh-filter-profile Name of an existing SSH filter profile. string Not Specified
ssh-policy- Redirect SSH traffic to matching transparent option - disable

redirect proxy policy.
Option Description
enable Enable SSH policy redirect.
disable Disable SSH policy redirect.
ssl-ssh-profile Name of an existing SSL SSH profile. string Not Specified no-inspection
status Enable or disable this policy. option - enable
Option Description
tcp-mss- Receiver TCP maximum segment size (MSS). integer Minimum 0

receiver value: 0
Maximum
value: 65535
tcp-mss-sender Sender TCP maximum segment size (MSS). integer Minimum 0

value: 0
Maximum
value: 65535
tcp-session- Enable/disable creation of TCP session option - disable

without-syn without SYN flag.
Option Description
all Enable TCP session without SYN.
data-only Enable TCP session data only.

Fortinet Inc.
Option Description
disable Disable TCP session without SYN.
timeout-send-rst Enable/disable sending RST packets when option - disable

TCP sessions expire.
Option Description
enable Enable sending of RST packet upon TCP session expiration.
disable Disable sending of RST packet upon TCP session expiration.
tos ToS (Type of Service) value used for user Not Specified
comparison.
tos-mask Non-zero bit positions are used for comparison user Not Specified
while zero bit positions are ignored.
tos-negate Enable negated TOS match. option - disable
Option Description
enable Enable TOS match negate.
disable Disable TOS match negate.
traffic-shaper Traffic shaper. string Not Specified
traffic-shaper- Reverse traffic shaper. string Not Specified

reverse
users <name> Names of individual users that can string Maximum

authenticate with this policy. length: 79
Names of individual users that can
authenticate with this policy.
utm-status Enable to add one or more security profiles option - disable

(AV, IPS, etc.) to the firewall policy.
Option Description

reset). 000000000000
videofilter- Name of an existing VideoFilter profile. string Not Specified

profile

Fortinet Inc.
vlan-cos-fwd VLAN forward direction user priority: 255 integer Minimum 255
passthrough, 0 lowest, 7 highest. value: 0
Maximum
value: 7
vlan-cos-rev VLAN reverse direction user priority: 255 integer Minimum 255
passthrough, 0 lowest, 7 highest. value: 0
Maximum
value: 7
vlan-filter Set VLAN filters. user Not Specified
voip-profile Name of an existing VoIP profile. string Not Specified
vpntunnel Policy-based IPsec VPN: name of the IPsec string Not Specified
VPN Phase 1.
waf-profile Name of an existing Web application firewall string Not Specified

profile.
wanopt * Enable/disable WAN optimization. option - disable
Option Description
wanopt- WAN optimization auto-detection mode. option - active

detection *
Option Description
active Active WAN optimization peer auto-detection.
passive Passive WAN optimization peer auto-detection.
off Turn off WAN optimization peer auto-detection.
wanopt- WAN optimization passive mode options. This option - default

passive-opt * option decides what IP address will be used to
connect server.
Option Description
default Allow client side WAN opt peer to decide.
transparent Use address of client to connect to server.
non-transparent Use local FortiGate address to connect to server.
wanopt-peer * WAN optimization peer. string Not Specified
wanopt-profile * WAN optimization profile. string Not Specified

Fortinet Inc.
wccp Enable/disable forwarding traffic matching this option - disable

policy to a configured WCCP server.
Option Description
enable Enable WCCP setting.
disable Disable WCCP setting.
webcache * Enable/disable web cache. option - disable
Option Description
webcache-https Enable/disable web cache for HTTPS. option - disable

*
Option Description
disable Disable web cache for HTTPS.
enable Enable web cache for HTTPS.
webfilter-profile Name of an existing Web filter profile. string Not Specified
webproxy- Webproxy forward server name. string Not Specified

forward-server
webproxy- Webproxy profile name. string Not Specified

profile
ztna-ems-tag Source ztna-ems-tag names. string Maximum

ztna-geo-tag Source ztna-geo-tag names. string Maximum

ztna-status Enable/disable zero trust access. option - disable
Option Description
enable Enable zero trust network access.
disable Disable zero trust network access.
config firewall profile-group
Configure profile groups.

Fortinet Inc.
Description: Configure profile groups.
edit <name>
set name {string}
next
end
application- Name of an existing Application list. string Not

list Specified
av-profile Name of an existing Antivirus profile. string Not

Specified
cifs-profile Name of an existing CIFS profile. string Not

Specified
dlp-sensor Name of an existing DLP sensor. string Not

Specified
dnsfilter- Name of an existing DNS filter profile. string Not

profile Specified
emailfilter- Name of an existing email filter profile. string Not

profile Specified
file-filter- Name of an existing file-filter profile. string Not

profile Specified
icap-profile Name of an existing ICAP profile. string Not

Specified
ips-sensor Name of an existing IPS sensor. string Not

Specified

Fortinet Inc.
name Profile group name. string Not

Specified
profile- Name of an existing Protocol options profile. string Not default

protocol- Specified
options
sctp-filter- Name of an existing SCTP filter profile. string Not

profile Specified
ssh-filter- Name of an existing SSH filter profile. string Not

profile Specified
ssl-ssh-profile Name of an existing SSL SSH profile. string Not certificate-

Specified inspection
videofilter- Name of an existing VideoFilter profile. string Not

profile Specified
voip-profile Name of an existing VoIP profile. string Not

Specified
waf-profile Name of an existing Web application firewall profile. string Not

Specified
webfilter- Name of an existing Web filter profile. string Not

profile Specified
config firewall profile-protocol-options
Configure protocol options.

Description: Configure protocol options.
edit <name>
config cifs
Description: Configure CIFS protocol options.
set ports {integer}
set oversize-limit {integer}
set uncompressed-oversize-limit {integer}
set uncompressed-nest-limit {integer}
set scan-bzip2 [enable|disable]
set tcp-window-type [auto-tuning|system|...]
set tcp-window-minimum {integer}
set tcp-window-maximum {integer}
set tcp-window-size {integer}
set server-credential-type [none|credential-replication|...]
config server-keytab
Description: Server keytab.
edit <principal>

Fortinet Inc.
set principal {string}
set keytab {string}
next
end
end
config dns
Description: Configure DNS protocol options.
set ports {integer}
end
config ftp
Description: Configure FTP protocol options.
set ports {integer}
set inspect-all [enable|disable]
set comfort-interval {integer}
set comfort-amount {integer}
set stream-based-uncompressed-limit {integer}
set ssl-offloaded [no|yes]
set explicit-ftp-tls [enable|disable]
end
config http
Description: Configure HTTP protocol options.
set ports {integer}
set proxy-after-tcp-handshake [enable|disable]
set range-block [disable|enable]
set strip-x-forwarded-for [disable|enable]
set post-lang {option1}, {option2}, ...
set streaming-content-bypass [enable|disable]
set switching-protocols [bypass|block]
set unknown-http-version [reject|tunnel|...]
set tunnel-non-http [enable|disable]
set block-page-status-code {integer}
set retry-count {integer}

Fortinet Inc.
set address-ip-rating [enable|disable]
end
config imap
Description: Configure IMAP protocol options.
set ports {integer}
end
config mail-signature
Description: Configure Mail signature.
set signature {string}
end
config mapi
Description: Configure MAPI protocol options.
set ports {integer}
end
set name {string}
config nntp
Description: Configure NNTP protocol options.
set ports {integer}
end
set oversize-log [disable|enable]
config pop3
Description: Configure POP3 protocol options.
set ports {integer}

Fortinet Inc.
end
set rpc-over-http [enable|disable]
config smtp
Description: Configure SMTP protocol options.
set ports {integer}
set server-busy [enable|disable]
end
config ssh
Description: Configure SFTP and SCP protocol options.
end
set switching-protocols-log [disable|enable]
next
end
comment Optional comments. var-string Not

Specified

Specified
oversize-log Enable/disable logging for antivirus oversize file option - disable

blocking.

Fortinet Inc.
Option Description
disable Disable logging for antivirus oversize file blocking.
enable Enable logging for antivirus oversize file blocking.
replacemsg- Name of the replacement message group to be used. string Not

group Specified
rpc-over-http Enable/disable inspection of RPC over HTTP. option - disable
Option Description
enable Enable inspection of RPC over HTTP.
disable Disable inspection of RPC over HTTP.
switching- Enable/disable logging for HTTP/HTTPS switching option - disable

protocols-log protocols.
Option Description
disable Disable logging for HTTP/HTTPS switching protocols.
enable Enable logging for HTTP/HTTPS switching protocols.
config cifs
ports Ports to scan for content. integer Minimum

value: 1
Maximum
value:
65535
status Enable/disable the active status of scanning for this option - enable
protocol.
Option Description
options One or more options that can be applied to the option -

session.
Option Description
oversize Block oversized file.

Fortinet Inc.
oversize-limit Maximum in-memory file size that can be scanned. integer Minimum 10
value: 1
Maximum
value: 1606
**
uncompressed- Maximum in-memory uncompressed file size that integer Minimum 10

oversize-limit can be scanned. value: 1
Maximum
value: 1606
**
uncompressed- Maximum nested levels of compression that can be integer Minimum 12

nest-limit uncompressed and scanned. value: 2
Maximum
value: 100
scan-bzip2 Enable/disable scanning of BZip2 compressed files. option - enable
Option Description
tcp-window-type TCP window type to use for this protocol. option - auto-tuning
Option Description
auto-tuning Allow system to auto-tune TCP window size (default).
system Use system default TCP window size for this protocol.
static Manually specify TCP window size.
dynamic Vary TCP window size based on available memory and within limits of tcp-
window-minimum and tcp-window-maximum.
tcp-window- Minimum dynamic TCP window size. integer Minimum 131072

minimum value:
65536
Maximum
value:
1048576
tcp-window- Maximum dynamic TCP window size. integer Minimum 8388608

maximum value:
1048576
Maximum
value:
33554432

Fortinet Inc.
tcp-window-size Set TCP static window size. integer Minimum 262144

value:
65536
Maximum
value:
33554432
server-credential- CIFS server credential type. option - none

type
Option Description
none Credential derivation not set.
credential- Credential derived using Replication account on Domain Controller.

replication
credential- Credential derived using server keytab.

keytab
domain-controller Domain for which to decrypt CIFS traffic. string Not

Specified
config server-keytab
principal Service principal. For example, string Not

host/cifsserver.example.com@example.com. Specified
keytab Base64 encoded keytab file containing credential of the string Not
server. Specified
config dns

value: 1
Maximum
value:
65535
protocol.

Fortinet Inc.
Option Description
config ftp

value: 1
Maximum
value: 65535
status Enable/disable the active status of scanning for option - enable

this protocol.
Option Description
inspect-all Enable/disable the inspection of all ports for the option - disable
protocol.
Option Description

session.
Option Description
clientcomfort Prevent client timeout.
splice Enable splice mode.
bypass-rest- Bypass REST command.

command
bypass-mode- Bypass MODE command.

command

Fortinet Inc.
comfort-interval Period of time between start, or last transmission, integer Minimum 10

and the next client comfort transmission of data. value: 1
Maximum
value: 900
comfort-amount Amount of data to send in a transmission for client integer Minimum 1

comforting. value: 1
Maximum
value: 65535
oversize-limit Maximum in-memory file size that can be integer Minimum 10

scanned. value: 1
Maximum
value: 1606 **

Maximum
value: 1606 **
uncompressed- Maximum nested levels of compression that can integer Minimum 12

nest-limit be uncompressed and scanned. value: 2
Maximum
value: 100
stream-based- Maximum stream-based uncompressed data size integer Minimum 0

uncompressed- that will be scanned in megabytes. Stream-based value: 0
limit uncompression used only under certain Maximum
conditions. value:
4294967295
scan-bzip2 Enable/disable scanning of BZip2 compressed option - enable

files.
Option Description
Option Description

Fortinet Inc.

minimum value: 65536
Maximum
value:
1048576

maximum value:
1048576
Maximum
value:
33554432

value: 65536
Maximum
value:
33554432
ssl-offloaded SSL decryption and encryption performed by an option - no

external device.
Option Description
no SSL decryption and encryption performed by FortiGate when deep-

inspection is enabled.
yes SSL decryption and encryption performed by an external device.
explicit-ftp-tls Enable/disable FTP redirection for explicit FTPS. option - disable
Option Description
config http

value: 1
Maximum
value: 65535
status Enable/disable the active status of scanning for option - enable

this protocol.

Fortinet Inc.
Option Description
protocol.
Option Description
proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has option - disable
handshake been established (not before).
Option Description

session.
Option Description
servercomfort Prevent server timeout.
chunkedbypass Bypass chunked transfer encoded sites.

Maximum
value: 900

Maximum
value: 65535
range-block Enable/disable blocking of partial downloads. option - disable
Option Description
disable Disable range header blocking (allow partial file downloads)

Fortinet Inc.
Option Description
enable Enable range header blocking (treat all partial file downloads as full file
download)
strip-x-forwarded- Enable/disable stripping of HTTP X-Forwarded- option - disable

for For header.
Option Description
disable Disable changing of HTTP X-Forwarded-For header.
enable Enable replacement of X-Forwarded-For value with 1.1.1.1.
post-lang ID codes for character sets to be used to convert option -

to UTF-8 for banned words and DLP on HTTP
posts (maximum of 5 character sets).
Option Description
jisx0201 Japanese Industrial Standard 0201.
gb2312 Guojia Biaozhun 2312 (simplified Chinese).
ksc5601-ex Wansung Korean standard 5601.
euc-jp Extended Unicode Japanese.
sjis Shift Japanese Industrial Standard.
iso2022-jp ISO 2022 Japanese.
iso2022-jp-1 ISO 2022-1 Japanese.
euc-cn Extended Unicode Chinese.
ces-gbk Extended GB2312 (simplified Chinese).
hz Hanzi simplified Chinese.
ces-big5 Big-5 traditional Chinese.
euc-kr Extended Unicode Korean.
iso8859-1 ISO 8859 Part 1 (Western European).
tis620 Thai Industrial Standard 620.

Fortinet Inc.
Option Description
cp874 Code Page 874 (Thai).
cp1252 Code Page 1252 (Western European Latin).
cp1251 Code Page 1251 (Cyrillic).
streaming- Enable/disable bypassing of streaming content option - enable

content-bypass from buffering.
Option Description
switching- Bypass from scanning, or block a connection that option - bypass

protocols attempts to switch protocol.
Option Description
bypass Bypass connections when switching protocols.
block Block connections when switching protocols.
unknown-http- How to handle HTTP sessions that do not comply option - reject
version with HTTP 0.9, 1.0, or 1.1.
Option Description
reject Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
tunnel Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying
HTTP protocol optimization, byte-caching, or web caching. TCP protocol
optimization is applied.
best-effort Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session
uses a different HTTP version, it may not parse correctly and the
connection may be lost.
tunnel-non-http Configure how to process non-HTTP traffic when option - enable

a profile configured for HTTP traffic accepts a
non-HTTP session. Can occur if an application
sends non-HTTP traffic using an HTTP
destination port.

Fortinet Inc.
Option Description
enable Pass non-HTTP sessions through the tunnel without applying protocol
optimization, byte-caching, or web caching. TCP protocol optimization is
applied.
disable Drop or tear down non-HTTP sessions accepted by the profile.

scanned. value: 1
Maximum
value: 1606 **

Maximum
value: 1606 **

Maximum
value: 100

conditions. value:
4294967295

files.
Option Description
block-page- Code number returned for blocked HTTP pages. integer Minimum 403
status-code value: 100
Maximum
value: 599
retry-count Number of attempts to retry HTTP connection. integer Minimum 0

value: 0
Maximum
value: 100

Fortinet Inc.
Option Description

Maximum
value:
1048576

maximum value:
1048576
Maximum
value:
33554432

value: 65536
Maximum
value:
33554432

external device.
Option Description

address-ip-rating Enable/disable IP based URL rating. option - enable
Option Description

Fortinet Inc.
config imap

value: 1
Maximum
value:
65535
protocol.
Option Description
protocol.
Option Description
Option Description

session.
Option Description
fragmail Pass fragmented email.
oversize Block oversized email.
value: 1
Maximum
value: 1606
**

Fortinet Inc.

Maximum
value: 1606
**

Maximum
value: 100
Option Description

external device.
Option Description

config mail-signature
status Enable/disable adding an email signature to SMTP option - disable

email messages as they pass through the FortiGate.
Option Description
disable Disable mail signature.
enable Enable mail signature.
signature Email signature to be added to outgoing email (if the string Not
signature contains spaces, enclose with quotation Specified
marks).

Fortinet Inc.
config mapi

value: 1
Maximum
value:
65535
protocol.
Option Description

session.
Option Description
value: 1
Maximum
value: 1606
**

Maximum
value: 1606
**

Maximum
value: 100
Option Description

Fortinet Inc.
config nntp

value: 1
Maximum
value:
65535
protocol.
Option Description
protocol.
Option Description
Option Description

session.
Option Description
value: 1
Maximum
value: 1606
**

Fortinet Inc.

Maximum
value: 1606
**

Maximum
value: 100
Option Description
config pop3

value: 1
Maximum
value:
65535
protocol.
Option Description
protocol.
Option Description

Fortinet Inc.
Option Description

session.
Option Description
value: 1
Maximum
value: 1606
**

Maximum
value: 1606
**

Maximum
value: 100
Option Description

external device.
Option Description


Fortinet Inc.
config smtp

value: 1
Maximum
value:
65535
protocol.
Option Description
protocol.
Option Description
Option Description

session.
Option Description
value: 1
Maximum
value: 1606
**

Fortinet Inc.

Maximum
value: 1606
**

Maximum
value: 100
Option Description
server-busy Enable/disable SMTP server busy when server not option - disable
available.
Option Description

external device.
Option Description

config ssh

session.
Option Description

Fortinet Inc.
Option Description
servercomfort Prevent server timeout.

Maximum
value: 900

Maximum
value: 65535

scanned. value: 1
Maximum
value: 1606 **

Maximum
value: 1606 **

Maximum
value: 100

conditions. value:
4294967295

files.
Option Description
Option Description

Fortinet Inc.
Option Description

Maximum
value:
1048576

maximum value:
1048576
Maximum
value:
33554432

value: 65536
Maximum
value:
33554432

external device.
Option Description

config firewall proute
List policy routing.

Description: List policy routing.
set <policy route id> {string}
end

Fortinet Inc.
<policy route id> Number. string Not

Specified
config firewall proute6
List IPv6 policy routing.

config firewall proute6
Description: List IPv6 policy routing.
end
config firewall proxy-address
Configure web proxy address.

Description: Configure web proxy address.
edit <name>
set case-sensitivity [disable|enable]
set color {integer}
set header {string}
config header-group
Description: HTTP header group.
edit <id>
set id {integer}
set header-name {string}
set header {string}
next
end
set host {string}
set host-regex {string}
set method {option1}, {option2}, ...
set name {string}
set path {string}
set query {string}
set referrer [enable|disable]
config tagging
edit <name>
set name {string}
next
end

Fortinet Inc.
set type [host-regex|url|...]
set ua {option1}, {option2}, ...
set uuid {uuid}
next
end
case- Enable to make the pattern case sensitive. option - disable

sensitivity
Option Description
disable Case insensitive in pattern.
enable Case sensitive in pattern.
category FortiGuard category ID. integer Minimum

<id> FortiGuard category ID. value: 0
Maximum
value:
4294967295
the GUI. value: 0
Maximum
value: 32
header HTTP header name as a regular expression. string Not Specified
header-name Name of HTTP header. string Not Specified
host Address object for the host. string Not Specified
host-regex Host name as a regular expression. string Not Specified
method HTTP request methods to be used. option -
Option Description
get GET method.
post POST method.
put PUT method.
head HEAD method.
connect CONNECT method.
trace TRACE method.

Fortinet Inc.
Option Description
options OPTIONS method.
delete DELETE method.
name Address name. string Not Specified
path URL path as a regular expression. string Not Specified
query Match the query part of the URL as a regular string Not Specified
expression.
referrer Enable/disable use of referrer field in the HTTP option - disable

header to match the address.
Option Description
type Proxy address type. option - url
Option Description
host-regex Host regular expression.
url HTTP URL.
category FortiGuard URL catgegory.
method HTTP request method.
ua HTTP request user agent.
header HTTP request header.
src-advanced HTTP advanced source criteria.
dst-advanced HTTP advanced destination criteria.
ua Names of browsers to be used as user agent. option -
Option Description
chrome Google Chrome.
ms Microsoft Internet Explorer or EDGE.
firefox Mozilla Firefox.
safari Apple Safari.
other Other browsers.

Fortinet Inc.

reset). 000000000000
config header-group

value: 0
Maximum
value:
4294967295
header-name HTTP header. string Not Specified
header HTTP header regular expression. string Not Specified
case- Case sensitivity in pattern. option - disable

sensitivity
Option Description
config tagging

Specified

Specified

config firewall proxy-addrgrp
Configure web proxy address group.

Description: Configure web proxy address group.
edit <name>
set color {integer}

Fortinet Inc.
set name {string}
config tagging
edit <name>
set name {string}
next
end
set type [src|dst]
set uuid {uuid}
next
end
the GUI. value: 0
Maximum
value: 32

Specified
member Members of address group. string Maximum


Specified
type Source or destination address group type. option - src
Option Description
src Source group.
dst Destination group.

000000000000
config tagging

Specified

Specified

Fortinet Inc.

config firewall proxy-policy
Configure proxy policies.

Description: Configure proxy policies.
edit <policyid>
set access-proxy <name1>, <name2>, ...
set access-proxy6 <name1>, <name2>, ...
set action [accept|deny|...]
set block-notification [enable|disable]
set device-ownership [enable|disable]
set disclaimer [disable|domain|...]
set http-tunnel-auth [enable|disable]
set logtraffic-start [enable|disable]
set name {string}
set poolname <name1>, <name2>, ...
set proxy [explicit-web|transparent-web|...]
set redirect-url {var-string}
set session-ttl {integer}

Fortinet Inc.
set ssh-policy-redirect [enable|disable]
set transparent [enable|disable]
set uuid {uuid}
set webcache [enable|disable]
set webcache-https [disable|enable]
set webproxy-forward-server {string}
set ztna-ems-tag <name1>, <name2>, ...
set ztna-tags-match-logic [or|and]
next
end
access-proxy IPv4 access proxy. string Maximum

<name> Access Proxy name. length: 79
access-proxy6 IPv6 access proxy. string Maximum

<name> Access proxy name. length: 79
action Accept or deny traffic matching the policy option - deny

parameters.
Option Description
accept Action accept.
deny Action deny.
redirect Action redirect.
application-list Name of an existing Application list. string Not Specified
block- Enable/disable block notification. option - disable

notification

Fortinet Inc.
Option Description
comments Optional comments. var-string Not Specified
decrypted- Decrypted traffic mirror. string Not Specified

traffic-mirror
device- When enabled, the ownership enforcement will option - disable

ownership be done at policy level.
Option Description
enable Enable device ownership.
disable Disable device ownership.
disclaimer Web proxy disclaimer setting: by domain, option - disable

policy, or user.
Option Description
disable Disable disclaimer.
domain Display disclaimer for domain
policy Display disclaimer for policy
user Display disclaimer for current user

dstaddr- When enabled, destination addresses match option - disable

negate against any address EXCEPT the specified
destination addresses.
Option Description
dstaddr6 IPv6 destination address objects. string Maximum

dstintf <name> Destination interface names. string Maximum


Fortinet Inc.

profile
file-filter-profile Name of an existing file-filter profile. string Not Specified
groups Names of group objects. string Maximum

<name> Group name. length: 79
http-tunnel- Enable/disable HTTP tunnel authentication. option - disable

auth
Option Description
internet- Enable/disable use of Internet Services for this option - disable

service policy. If enabled, destination address and
Option Description
internet- Custom Internet Service name. string Maximum

service- Custom Internet Service name. length: 79
custom
<name>
internet- Custom Internet Service group name. string Maximum

service- Custom Internet Service group name. length: 79
custom-group
<name>
internet- Internet Service group name. string Maximum

service-group Internet Service group name. length: 79
<name>
internet- Internet Service name. string Maximum

service-name Internet Service name. length: 79
<name>
internet- When enabled, Internet Services match against option - disable

service-negate any internet service EXCEPT the selected
Internet Service.

Fortinet Inc.
Option Description
logtraffic Enable/disable logging traffic through the option - utm

policy.
Option Description
all Log all sessions.
utm UTM event and matched application traffic log.
disable Disable traffic and application log.
logtraffic-start Enable/disable policy log traffic start. option - disable
Option Description

value: 0
Maximum
value:
4294967295
poolname Name of IP pool object. string Maximum

<name> IP pool name. length: 79
profile- Name of an existing Protocol options profile. string Not Specified default
protocol-
options

Option Description
proxy Type of explicit proxy. option -

Fortinet Inc.
Option Description
explicit-web Explicit Web Proxy
transparent-web Transparent Web Proxy
ftp Explicit FTP Proxy
ssh SSH Proxy
ssh-tunnel SSH Tunnel
access-proxy Access Proxy
wanopt WANopt Tunnel
redirect-url Redirect URL for further explicit web proxy var-string Not Specified
processing.
replacemsg- Authentication replacement message override string Not Specified

override-group group.
schedule Name of schedule object. string Not Specified
service Name of service objects. string Maximum

service-negate When enabled, services match against any option - disable

service EXCEPT the specified destination
services.
Option Description
session-ttl TTL in seconds for sessions accepted by this integer Minimum 0

policy. value: 300
Maximum
value:
2764800

srcaddr- When enabled, source addresses match option - disable

negate against any address EXCEPT the specified
source addresses.
Option Description

Fortinet Inc.
Option Description
srcaddr6 IPv6 source address objects. string Maximum

srcintf <name> Source interface names. string Maximum

ssh-filter- Name of an existing SSH filter profile. string Not Specified

profile
ssh-policy- Redirect SSH traffic to matching transparent option - disable

redirect proxy policy.
Option Description
enable Enable SSH policy redirect.
disable Disable SSH policy redirect.
status Enable/disable the active status of the policy. option - enable
Option Description
transparent Enable to use the IP address of the client to option - disable

connect to the server.
Option Description
enable Enable use of IP address of client to connect to server.
disable Disable use of IP address of client to connect to server.
users <name> Names of user objects. string Maximum

Group name. length: 79
utm-status Enable the use of UTM profiles/sensors/lists. option - disable
Option Description

Fortinet Inc.

reset). 000000000000

profile
waf-profile Name of an existing Web application firewall string Not Specified

profile.
webcache * Enable/disable web caching. option - disable
Option Description
webcache- Enable/disable web caching for HTTPS option - disable

https * (Requires deep-inspection enabled in ssl-ssh-
profile).
Option Description
disable Disable web cache for HTTPS.
enable Enable web cache for HTTPS.
webfilter- Name of an existing Web filter profile. string Not Specified

profile
webproxy- Web proxy forward server name. string Not Specified

forward-server
webproxy- Name of web proxy profile. string Not Specified

profile
ztna-ems-tag ZTNA EMS Tag names. string Maximum

<name> EMS Tag name. length: 79
ztna-tags- ZTNA tag matching logic. option - or

match-logic
Option Description
or Match ZTNA tags using a logical OR operator.
and Match ZTNA tags using a logical AND operator.
config firewall region
Define region table.

Fortinet Inc.
Description: Define region table.
edit <id>
set city <id1>, <id2>, ...
set id {integer}
set name {string}
next
end
city <id> City ID list. integer Minimum

City ID. value: 0
Maximum
value:
65535
id Region ID. integer Minimum 0

value: 0
Maximum
value:
65535
name Region name. string Not

Specified
config firewall schedule group
Schedule group configuration.

Description: Schedule group configuration.
edit <name>
set color {integer}
set name {string}
next
end

value: 0
Maximum
value: 32

Fortinet Inc.
Option Description
member Schedules added to the schedule group. string Maximum

<name> Schedule name. length: 79
name Schedule group name. string Not

Specified
config firewall schedule onetime
Onetime schedule configuration.

Description: Onetime schedule configuration.
edit <name>
set color {integer}
set end {user}
set expiration-days {integer}
set name {string}
set start {user}
next
end

value: 0
Maximum
value: 32
end Schedule end date and time, format hh:mm user Not
yyyy/mm/dd. Specified
expiration- Write an event log message this many days before the integer Minimum 3
days schedule expires. value: 0
Maximum
value: 100

Fortinet Inc.
Option Description
name Onetime schedule name. string Not

Specified
start Schedule start date and time, format hh:mm user Not
yyyy/mm/dd. Specified
config firewall schedule recurring
Recurring schedule configuration.

Description: Recurring schedule configuration.
edit <name>
set color {integer}
set day {option1}, {option2}, ...
set end {user}
set name {string}
set start {user}
next
end

value: 0
Maximum
value: 32
day One or more days of the week on which the schedule is option - none
valid. Separate the names of the days with a space.
Option Description
sunday Sunday.
monday Monday.
tuesday Tuesday.
wednesday Wednesday.

Fortinet Inc.
Option Description
thursday Thursday.
friday Friday.
saturday Saturday.
none None.
end Time of day to end the schedule, format hh:mm. user Not
Specified
Option Description
name Recurring schedule name. string Not

Specified
start Time of day to start the schedule, format hh:mm. user Not
Specified
config firewall security-policy
Configure NGFW IPv4/IPv6 application policies.

Description: Configure NGFW IPv4/IPv6 application policies.
edit <policyid>
set app-category <id1>, <id2>, ...
set app-group <name1>, <name2>, ...
set enforce-default-app-port [enable|disable]
set fsso-groups <name1>, <name2>, ...

Fortinet Inc.
set internet-service-src-negate [enable|disable]
set learning-mode [enable|disable]
set name {string}
set send-deny-packet [disable|enable]
set url-category <id1>, <id2>, ...
set uuid {uuid}
next
end
action Policy action (accept/deny). option - deny
Option Description
accept Allows session that match the firewall policy.
deny Blocks sessions that match the firewall policy.

Fortinet Inc.
app-category Application category ID list. integer Minimum

<id> Category IDs. value: 0
Maximum
value:
4294967295
app-group Application group names. string Maximum

<name> Application group names. length: 79
application Application ID list. integer Minimum

Maximum
value:
4294967295
application- Name of an existing Application list. string Not Specified

list
cifs-profile Name of an existing CIFS profile. string Not Specified
dnsfilter- Name of an existing DNS filter profile. string Not Specified

profile
dstaddr Destination IPv4 address name and address string Maximum

Address name.
dstaddr- When enabled dstaddr/dstaddr6 specifies what option - disable

negate the destination address must NOT be.
Option Description
dstaddr6 Destination IPv6 address name and address string Maximum

Address name.
dstintf Outgoing (egress) interface. string Maximum


profile

Fortinet Inc.
enforce- Enable/disable default application port option - enable

default-app- enforcement for allowed applications.
port
Option Description
file-filter- Name of an existing file-filter profile. string Not Specified

profile
fsso-groups Names of FSSO groups. string Maximum

<name> Names of FSSO groups. length: 511
groups Names of user groups that can authenticate with string Maximum
<name> this policy. length: 79
User group name.
internet- Enable/disable use of Internet Services for this option - disable

service policy. If enabled, destination address and
Option Description

service- Custom Internet Service name. length: 79
custom
<name>

custom-group
<name>

<name>
internet- Internet Service name. string Maximum

<name>
internet- When enabled internet-service specifies what option - disable

service- the service must NOT be.
negate

Fortinet Inc.
Option Description
internet- Enable/disable use of Internet Services in option - disable

service-src source for this policy. If enabled, source address
is not used.
Option Description
enable Enable use of Internet Services source in policy.
disable Disable use of Internet Services source in policy.
internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>
internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>
internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group
<name>
internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name
<name>
internet- When enabled internet-service-src specifies option - disable

service-src- what the service must NOT be.
negate
Option Description
enable Enable negated Internet Service source match.
disable Disable negated Internet Service source match.
learning- Enable to allow everything, but log all of the option - disable
mode meaningful data for security information
gathering. A learning report will be generated.

Fortinet Inc.
Option Description
enable Enable learning mode.
disable Disable learning mode.
logtraffic Enable or disable logging. Log all sessions or option - utm

security profile sessions.
Option Description
Option Description
Option Description

value: 0
Maximum
value:
4294967294
profile- Name of an existing Protocol options profile. string Not Specified default
protocol-
options


Fortinet Inc.
Option Description
sctp-filter- Name of an existing SCTP filter profile. string Not Specified

profile
send-deny- Enable to send a reply when a session is denied option - disable

packet or blocked by a firewall policy.
Option Description
disable Disable deny-packet sending.
enable Enable deny-packet sending.
service Service and service group names. string Maximum

service- When enabled service specifies what the option - disable

negate service must NOT be.
Option Description
srcaddr Source IPv4 address name and address group string Maximum
Address name.
srcaddr- When enabled srcaddr/srcaddr6 specifies what option - disable

negate the source address must NOT be.
Option Description
srcaddr6 Source IPv6 address name and address group string Maximum
Address name.
srcintf Incoming (ingress) interface. string Maximum


Fortinet Inc.
ssh-filter- Name of an existing SSH filter profile. string Not Specified

profile
status Enable or disable this policy. option - enable
Option Description
url-category URL category ID list. integer Minimum

<id> URL category ID. value: 0
Maximum
value:
4294967295
users <name> Names of individual users that can authenticate string Maximum
with this policy. length: 79
User name.

reset). 000000000000

profile
voip-profile Name of an existing VoIP profile. string Not Specified
webfilter- Name of an existing Web filter profile. string Not Specified

profile
config firewall service category
Configure service categories.

Description: Configure service categories.
edit <name>
set name {string}
next
end

Fortinet Inc.

Specified
Option Description
name Service category name. string Not

Specified
config firewall service custom
Configure custom services.

Description: Configure custom services.
edit <name>
set app-service-type [disable|app-id|...]
set check-reset-range [disable|strict|...]
set color {integer}
set fqdn {string}
set helper [auto|disable|...]
set icmpcode {integer}
set icmptype {integer}
set iprange {user}
set name {string}
set protocol [TCP/UDP/SCTP|ICMP|...]
set protocol-number {integer}
set proxy [enable|disable]
set sctp-portrange {user}
set session-ttl {user}
set tcp-halfclose-timer {integer}
set tcp-halfopen-timer {integer}
set tcp-portrange {user}
set tcp-rst-timer {integer}
set tcp-timewait-timer {integer}
set udp-idle-timer {integer}
set udp-portrange {user}
set visibility [enable|disable]
next
end

Fortinet Inc.
app-category Application category ID. integer Minimum

<id> Application category id. value: 0
Maximum
value:
4294967295
app-service- Application service type. option - disable

type
Option Description
disable Disable application type.
app-id Application ID.
app-category Applicatin category.
application Application ID. integer Minimum

<id> Application id. value: 0
Maximum
value:
4294967295
category Service category. string Not Specified
check-reset- Configure the type of ICMP error message option - default

range verification.
Option Description
disable Disable RST range check.
strict Check RST range strictly.
default Using system default setting.

value: 0
Maximum
value: 32
Option Description

Fortinet Inc.
fqdn Fully qualified domain name. string Not Specified
helper Helper name. option - auto
Option Description
auto Automatically select helper based on protocol and port.
disable Disable helper.
ftp FTP.
tftp TFTP.
ras RAS.
h323 H323.
tns TNS.
mms MMS.
sip SIP.
pptp PPTP.
rtsp RTSP.
dns-udp DNS UDP.
dns-tcp DNS TCP.
pmap PMAP.
rsh RSH.
dcerpc DCERPC.
mgcp MGCP.
icmpcode ICMP code. integer Minimum

value: 0
Maximum
value: 255
icmptype ICMP type. integer Minimum

value: 0
Maximum
value:
4294967295
iprange Start and end of the IP range associated with user Not Specified
service.
name Custom service name. string Not Specified
protocol Protocol type based on IANA numbers. option - TCP/UDP/SCTP

Fortinet Inc.
Option Description
TCP/UDP/SCTP TCP, UDP and SCTP.
ICMP ICMP.
ICMP6 ICMP6.
IP IP.
HTTP HTTP - for web proxy.
FTP FTP - for web proxy.
CONNECT Connect - for web proxy.
SOCKS-TCP Socks TCP - for web proxy.
SOCKS-UDP Socks UDP - for web proxy.
ALL All - for web proxy.
protocol- IP protocol number. integer Minimum 0

number value: 0
Maximum
value: 254
proxy Enable/disable web proxy service. option - disable
Option Description
sctp- Multiple SCTP port ranges. user Not Specified

portrange
session-ttl Session TTL. user Not Specified
tcp-halfclose- Wait time to close a TCP session waiting for an integer Minimum 0
timer unanswered FIN packet. value: 0
Maximum
value: 86400
tcp-halfopen- Wait time to close a TCP session waiting for an integer Minimum 0
timer unanswered open session packet. value: 0
Maximum
value: 86400
tcp-portrange Multiple TCP port ranges. user Not Specified

Fortinet Inc.
tcp-rst-timer Set the length of the TCP CLOSE state in integer Minimum 0
seconds. value: 5
Maximum
value: 300
tcp-timewait- Set the length of the TCP TIME-WAIT state in integer Minimum 0
timer seconds. value: 0
Maximum
value: 300
udp-idle-timer UDP half close timeout. integer Minimum 0

value: 0
Maximum
value: 86400
udp-portrange Multiple UDP port ranges. user Not Specified
visibility Enable/disable the visibility of the service on option - enable

the GUI.
Option Description
enable Show in service selection.
disable Hide from service selection.
config firewall service group
Configure service groups.

Description: Configure service groups.
edit <name>
set color {integer}
set name {string}
set proxy [enable|disable]
next
end

Fortinet Inc.

value: 0
Maximum
value: 32

Specified
Option Description
member Service objects contained within the group. string Maximum


Specified
proxy Enable/disable web proxy service group. option - disable
Option Description
config firewall shaper per-ip-shaper
Configure per-IP traffic shaper.

Description: Configure per-IP traffic shaper.
edit <name>
set bandwidth-unit [kbps|mbps|...]
set max-bandwidth {integer}
set max-concurrent-session {integer}
set max-concurrent-tcp-session {integer}
set max-concurrent-udp-session {integer}
set name {string}
next
end

Fortinet Inc.
bandwidth-unit Unit of measurement for maximum bandwidth for this option - kbps
shaper (Kbps, Mbps or Gbps).
Option Description
kbps Kilobits per second.
mbps Megabits per second.
gbps Gigabits per second.
diffserv- Enable/disable changing the Forward (original) option - disable

forward DiffServ setting applied to traffic accepted by this
shaper.
Option Description
enable Enable setting forward (original) traffic DiffServ.
disable Disable setting forward (original) traffic DiffServ.
diffserv- Enable/disable changing the Reverse (reply) DiffServ option - disable

reverse setting applied to traffic accepted by this shaper.
Option Description
diffservcode- Forward (original) DiffServ setting to be applied to user Not

forward traffic accepted by this shaper. Specified
diffservcode- Reverse (reply) DiffServ setting to be applied to traffic user Not

rev accepted by this shaper. Specified
max-bandwidth Upper bandwidth limit enforced by this shaper. 0 integer Minimum 0

means no limit. Units depend on the bandwidth-unit value: 0
setting. Maximum
value:
80000000 **
max- Maximum number of concurrent sessions allowed by integer Minimum 0

concurrent- this shaper. 0 means no limit. value: 0
session Maximum
value:
2097000

Fortinet Inc.
max- Maximum number of concurrent TCP sessions allowed integer Minimum 0

concurrent-tcp- by this shaper. 0 means no limit. value: 0
session Maximum
value:
2097000
max- Maximum number of concurrent UDP sessions integer Minimum 0

concurrent- allowed by this shaper. 0 means no limit. value: 0
udp-session Maximum
value:
2097000
name Traffic shaper name. string Not

Specified
config firewall shaper per-ip
Per-IP traffic shapers.

config firewall shaper per-ip
Description: Per-IP traffic shapers.
end
config firewall shaper traffic-shaper
Configure shared traffic shaper.

Description: Configure shared traffic shaper.
edit <name>
set bandwidth-unit [kbps|mbps|...]
set diffserv [enable|disable]
set diffservcode {user}
set dscp-marking-method [multi-stage|static]
set exceed-bandwidth {integer}
set exceed-class-id {integer}
set exceed-dscp {user}
set guaranteed-bandwidth {integer}
set maximum-bandwidth {integer}
set maximum-dscp {user}
set name {string}
set overhead {integer}
set per-policy [disable|enable]
set priority [low|medium|...]
next
end

Fortinet Inc.
bandwidth-unit Unit of measurement for guaranteed and maximum option - kbps

bandwidth for this shaper (Kbps, Mbps or Gbps).
Option Description
kbps Kilobits per second.
mbps Megabits per second.
gbps Gigabits per second.
diffserv Enable/disable changing the DiffServ setting applied option - disable

to traffic accepted by this shaper.
Option Description
enable Enable setting traffic DiffServ.
disable Disable setting traffic DiffServ.
diffservcode DiffServ setting to be applied to traffic accepted by user Not Specified

this shaper.
dscp-marking- Select DSCP marking method. option - static

method
Option Description
multi-stage Multistage marking.
static Static marking.
exceed- Exceed bandwidth used for DSCP multi-stage integer Minimum 0

bandwidth marking. Units depend on the bandwidth-unit setting. value: 0
Maximum
value:
80000000 **
exceed-class- Class ID for traffic in guaranteed-bandwidth and integer Minimum 0

id maximum-bandwidth. value: 0
Maximum
value:
4294967295
exceed-dscp DSCP mark for traffic in guaranteed-bandwidth and user Not Specified
exceed-bandwidth.

Fortinet Inc.
guaranteed- Amount of bandwidth guaranteed for this shaper. integer Minimum 0

bandwidth Units depend on the bandwidth-unit setting. value: 0
Maximum
value:
80000000 **
maximum- Upper bandwidth limit enforced by this shaper. 0 integer Minimum 0

bandwidth means no limit. Units depend on the bandwidth-unit value: 0
setting. Maximum
value:
80000000 **
maximum- DSCP mark for traffic in exceed-bandwidth and user Not Specified
dscp maximum-bandwidth.
name Traffic shaper name. string Not Specified
overhead Per-packet size overhead used in rate computations. integer Minimum 0

value: 0
Maximum
value: 100
per-policy Enable/disable applying a separate shaper for each option - disable

policy. For example, if enabled the guaranteed
bandwidth is applied separately for each policy.
Option Description
disable All referring policies share one traffic shaper.
enable Each referring policy has its own traffic shaper.
priority Higher priority traffic is more likely to be forwarded option - high

without delays and without compromising the
guaranteed bandwidth.
Option Description
low Low priority.
medium Medium priority.
high High priority.
config firewall shaper traffic
Shared traffic shapers.

Fortinet Inc.
config firewall shaper traffic
Description: Shared traffic shapers.
end
config firewall shaping-policy
Configure shaping policies.

Description: Configure shaping policies.
edit <id>
set app-group <name1>, <name2>, ...
set class-id {integer}
set id {integer}
set ip-version [4|6]
set name {string}
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set url-category <id1>, <id2>, ...
next
end

Fortinet Inc.
app-category IDs of one or more application categories that this integer Minimum
<id> shaper applies application control traffic shaping to. value: 0
Category IDs. Maximum
value:
4294967295
app-group One or more application group names. string Maximum

<name> Application group name. length: 79
application IDs of one or more applications that this shaper integer Minimum
<id> applies application control traffic shaping to. value: 0
Application IDs. Maximum
value:
4294967295
class-id Traffic class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
diffserv- Enable to change packet's DiffServ values to the option - disable

forward specified diffservcode-forward value.
Option Description
enable Enable setting forward (original) traffic DiffServ.
disable Disable setting forward (original) traffic DiffServ.
diffserv- Enable to change packet's reverse (reply) DiffServ option - disable

reverse values to the specified diffservcode-rev value.
Option Description
diffservcode- Change packet's DiffServ to this value. user Not Specified

forward
diffservcode- Change packet's reverse (reply) DiffServ to this user Not Specified
rev value.
dstaddr IPv4 destination address and address group names. string Maximum

Fortinet Inc.
dstaddr6 IPv6 destination address and address group names. string Maximum
dstintf <name> One or more outgoing (egress) interfaces. string Maximum

groups Apply this traffic shaping policy to user groups that string Maximum
<name> have authenticated with the FortiGate. length: 79
Group name.
id Shaping policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
internet-service Enable/disable use of Internet Services for this option - disable

policy. If enabled, destination address and service
are not used.
Option Description
enable Enable use of Internet Service in shaping-policy.
disable Disable use of Internet Service in shaping-policy.

service-custom Custom Internet Service name. length: 79
<name>

custom-group
<name>

<name>
internet- Internet Service ID. string Maximum

<name>
internet- Enable/disable use of Internet Services in source for option - disable

service-src this policy. If enabled, source address is not used.
Option Description
enable Enable use of Internet Service source in shaping-policy.
disable Disable use of Internet Service source in shaping-policy.

Fortinet Inc.
internet- Custom Internet Service source name. string Maximum

service-src- Custom Internet Service name. length: 79
custom
<name>
internet- Custom Internet Service source group name. string Maximum

service-src- Custom Internet Service group name. length: 79
custom-group
<name>
internet- Internet Service source group name. string Maximum

service-src- Internet Service group name. length: 79
group <name>
internet- Internet Service source name. string Maximum

service-src- Internet Service name. length: 79
name <name>
ip-version Apply this traffic shaping policy to IPv4 or IPv6 traffic. option - 4
Option Description
4 Use IPv4 addressing for Configuration Method.
6 Use IPv6 addressing for Configuration Method.
name Shaping policy name. string Not Specified
per-ip-shaper Per-IP traffic shaper to apply with this policy. string Not Specified
service Service and service group names. string Maximum

srcaddr IPv4 source address and address group names. string Maximum
srcaddr6 IPv6 source address and address group names. string Maximum
srcintf <name> One or more incoming (ingress) interfaces. string Maximum

status Enable/disable this traffic shaping policy. option - enable
Option Description
enable Enable traffic shaping policy.
disable Disable traffic shaping policy.
tos ToS (Type of Service) value used for comparison. user Not Specified

Fortinet Inc.
tos-mask Non-zero bit positions are used for comparison while user Not Specified
zero bit positions are ignored.
tos-negate Enable negated TOS match. option - disable
Option Description
enable Enable TOS match negate.
disable Disable TOS match negate.
traffic-shaper Traffic shaper to apply to traffic forwarded by the string Not Specified
firewall policy.
traffic-shaper- Traffic shaper to apply to response traffic received string Not Specified
reverse by the firewall policy.
url-category IDs of one or more FortiGuard Web Filtering integer Minimum

<id> categories that this shaper applies traffic shaping to. value: 0
URL category ID. Maximum
value:
4294967295
users <name> Apply this traffic shaping policy to individual users string Maximum
that have authenticated with the FortiGate. length: 79
User name.
config firewall shaping-profile
Configure shaping profiles.

Description: Configure shaping profiles.
edit <profile-name>
set default-class-id {integer}
set profile-name {string}
config shaping-entries
Description: Define shaping entries of this shaping profile.
edit <id>
set id {integer}
set priority [top|critical|...]
set guaranteed-bandwidth-percentage {integer}
set maximum-bandwidth-percentage {integer}
set limit {integer}
set burst-in-msec {integer}
set cburst-in-msec {integer}
set red-probability {integer}
set min {integer}
set max {integer}
next

Fortinet Inc.
end
set type [policing|queuing]
next
end
default-class- Default class ID to handle unclassified packets integer Minimum 0

id (including all local traffic). value: 0
Maximum
value:
4294967295
profile-name Shaping profile name. string Not Specified
type Select shaping profile type: policing / queuing. option - policing
Option Description
policing Enable policing mode.
queuing Enable queuing mode.
config shaping-entries

value: 0
Maximum
value:
4294967295
class-id Class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
priority Priority. option - high
Option Description
top Top priority.
critical Critical priority.
high High priority.

Fortinet Inc.
Option Description
low Low priority.
guaranteed- Guaranteed bandwidth in percentage. integer Minimum 0

bandwidth- value: 0
percentage Maximum
value: 100
maximum- Maximum bandwidth in percentage. integer Minimum 1

bandwidth- value: 1
percentage Maximum
value: 100
limit Hard limit on the real queue size in packets. integer Minimum 1000
value: 5
Maximum
value: 10000
burst-in-msec Number of bytes that can be burst at maximum- integer Minimum 0

bandwidth speed. Formula: burst = maximum- value: 0
bandwidth*burst-in-msec. Maximum
value: 2000
cburst-in- Number of bytes that can be burst as fast as the integer Minimum 0
msec interface can transmit. Formula: cburst = maximum- value: 0
bandwidth*cburst-in-msec. Maximum
value: 2000
red-probability Maximum probability (in percentage) for RED integer Minimum 0

marking. value: 0
Maximum
value: 20
min Average queue size in packets at which RED drop integer Minimum 83
becomes a possibility. value: 3
Maximum
value: 3000
max Average queue size in packets at which RED drop integer Minimum 250
probability is maximal. value: 3
Maximum
value: 3000
config firewall sniffer
Configure sniffer.

Fortinet Inc.
Description: Configure sniffer.
edit <id>
config anomaly
Description: Configuration method to edit Denial of Service (DoS) anomaly
settings.
edit <name>
set name {string}
next
end
set file-filter-profile-status [enable|disable]
set host {string}
set id {integer}
set ip-threatfeed <name1>, <name2>, ...
set ip-threatfeed-status [enable|disable]
set ips-dos-status [enable|disable]
set ipv6 [enable|disable]
set max-packet-count {integer}
set non-ip [enable|disable]
set port {string}
set protocol {string}
set vlan {string}
next
end

Fortinet Inc.
application- Name of an existing application list. string Not

list Specified
application- Enable/disable application control profile. option - disable

list-status
Option Description
av-profile Name of an existing antivirus profile. string Not

Specified
av-profile- Enable/disable antivirus profile. option - disable

status
Option Description
dlp-sensor Name of an existing DLP sensor. string Not

Specified
dlp-sensor- Enable/disable DLP sensor. option - disable

status
Option Description
Option Description
enable Enable DSRI.
emailfilter- Name of an existing email filter profile. string Not

profile Specified
emailfilter- Enable/disable emailfilter. option - disable

profile-status

Fortinet Inc.
Option Description
file-filter- Name of an existing file-filter profile. string Not

profile Specified
file-filter- Enable/disable file filter. option - disable

profile-status
Option Description
host Hosts to filter for in sniffer traffic. string Not

Specified
id Sniffer ID. integer Minimum 0

value: 0
Maximum
value: 9999
interface Interface name that traffic sniffing will take place on. string Not
Specified
ip-threatfeed Name of an existing IP threat feed. string Maximum

<name> Threat feed name. length: 79
ip-threatfeed- Enable/disable IP threat feed. option - disable

status
Option Description
ips-dos-status Enable/disable IPS DoS anomaly detection. option - disable
Option Description
ips-sensor Name of an existing IPS sensor. string Not

Specified

Fortinet Inc.
ips-sensor- Enable/disable IPS sensor. option - disable

status
Option Description
ipv6 Enable/disable sniffing IPv6 packets. option - disable
Option Description
enable Enable sniffer for IPv6 packets.
disable Disable sniffer for IPv6 packets.
logtraffic Either log all sessions, only sessions that have a option - utm
security profile applied, or disable all logging for this
policy.
Option Description
max-packet- Maximum packet count. integer Minimum 4000

count value: 1
Maximum
value:
1000000 **
non-ip Enable/disable sniffing non-IP packets. option - disable
Option Description
enable Enable sniffer for non-IP packets.
disable Disable sniffer for non-IP packets.
port Ports to sniff. string Not

Specified
protocol Integer value for the protocol type as defined by IANA. string Not
Specified
status Enable/disable the active status of the sniffer. option - enable

Fortinet Inc.
Option Description
enable Enable sniffer status.
disable Disable sniffer status.
vlan List of VLANs to sniff. string Not

Specified
webfilter- Name of an existing web filter profile. string Not

profile Specified
webfilter- Enable/disable web filter profile. option - disable

profile-status
Option Description
config anomaly
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description

expiry attacker.

log
Option Description

value:
2147483647

it. Maximum
value:
4294967295
config firewall ssh host-key
SSH proxy host public keys.

Description: SSH proxy host public keys.
edit <name>
set hostname {string}
set name {string}
set nid [256|384|...]
set port {integer}
set public-key {var-string}
set status [trusted|revoked]
set type [RSA|DSA|...]
set usage [transparent-proxy|access-proxy]
next
end

Fortinet Inc.
hostname Hostname of the SSH server to match SSH string Not Specified
certificate principals.
ip IP address of the SSH server. ipv4- Not Specified 0.0.0.0

address-
any
name SSH public key name. string Not Specified
nid Set the nid of the ECDSA key. option - 256
Option Description
256 The NID is ecdsa-sha2-nistp256.
port Port of the SSH server. integer Minimum 22

value: 0
Maximum
value:
4294967295
public-key SSH public key. var-string Not Specified
status Set the trust status of the public key. option - trusted
Option Description
trusted The public key is trusted.
revoked The public key is revoked.
type Set the type of the public key. option - RSA
Option Description
RSA The type of the public key is RSA.
DSA The type of the public key is DSA.
ECDSA The type of the public key is ECDSA.
ED25519 The type of the public key is ED25519.
RSA-CA The type of the public key is from RSA CA.
DSA-CA The type of the public key is from DSA CA.
ECDSA-CA The type of the public key is from ECDSA CA.
ED25519-CA The type of the public key is from ED25519 CA.

Fortinet Inc.
usage Usage for this public key. option - transparent-

proxy
Option Description
transparent- Transparent proxy uses this public key to validate server.

proxy
access-proxy Access proxy uses this public key to validate server.
config firewall ssh local-ca
SSH proxy local CA.

Description: SSH proxy local CA.
edit <name>
set name {string}
set public-key {user}
set source [built-in|user]
next
end
name SSH proxy local CA name. string Not

Specified
password Password for SSH private key. password Not

Specified
private-key SSH proxy private key, encrypted with a password. user Not
Specified
public-key SSH proxy public key. user Not

Specified
source SSH proxy local CA source type. option - user
Option Description
built-in Built-in SSH proxy local keys.
user User imported SSH proxy local keys.

Fortinet Inc.
config firewall ssh local-key
SSH proxy local keys.

Description: SSH proxy local keys.
edit <name>
set name {string}
set public-key {user}
set source [built-in|user]
next
end
name SSH proxy local key name. string Not

Specified
password Password for SSH private key. password Not

Specified
private-key SSH proxy private key, encrypted with a password. user Not
Specified
public-key SSH proxy public key. user Not

Specified
source SSH proxy local key source type. option - user
Option Description
built-in Built-in SSH proxy local keys.
user User imported SSH proxy local keys.
config firewall ssh setting
SSH proxy settings.

Description: SSH proxy settings.
set caname {string}
set host-trusted-checking [enable|disable]
set hostkey-dsa1024 {string}
set hostkey-ecdsa256 {string}
set hostkey-ed25519 {string}
set hostkey-rsa2048 {string}

Fortinet Inc.
set untrusted-caname {string}
end
caname CA certificate used by SSH Inspection. string Not

Specified
host-trusted- Enable/disable host trusted checking. option - enable

checking
Option Description
enable Enable host key trusted checking.
disable Disable host key trusted checking.
hostkey- DSA certificate used by SSH proxy. string Not

dsa1024 Specified
hostkey- ECDSA nid256 certificate used by SSH proxy. string Not

ecdsa256 Specified

ecdsa384 Specified

ecdsa521 Specified
hostkey- ED25519 hostkey used by SSH proxy. string Not

ed25519 Specified
hostkey- RSA certificate used by SSH proxy. string Not

rsa2048 Specified
untrusted- Untrusted CA certificate used by SSH Inspection. string Not

caname Specified
config firewall ssl-server
Configure SSL servers.

Description: Configure SSL servers.
edit <name>
set add-header-x-forwarded-proto [enable|disable]
set mapped-port {integer}
set name {string}
set port {integer}
set ssl-cert {string}

Fortinet Inc.
set ssl-client-renegotiation [allow|deny|...]
set ssl-mode [half|full]
set ssl-send-empty-frags [enable|disable]
set url-rewrite [enable|disable]
next
end
add-header-x- Enable/disable adding an X-Forwarded-Proto header option - enable

forwarded- to forwarded requests.
proto
Option Description
enable Add X-Forwarded-Proto header.
disable Do not add X-Forwarded-Proto header.
ip IPv4 address of the SSL server. ipv4- Not 0.0.0.0

address- Specified
any
mapped-port Mapped server service port. integer Minimum 80

value: 1
Maximum
value:
65535
name Server name. string Not

Specified
port Server service port. integer Minimum 443

value: 1
Maximum
value:
65535
ssl-algorithm Relative strength of encryption algorithms accepted in option - high

negotiation.
Option Description
high High encryption. Allow only AES and ChaCha

Fortinet Inc.
ssl-cert Name of certificate for SSL connections to this server. string Not Fortinet_
Specified CA_SSL
ssl-client- Allow or block client renegotiation by server. option - allow

renegotiation
Option Description
allow Allow a SSL client to renegotiate.
deny Abort any SSL connection that attempts to renegotiate.
secure Reject any SSL connection that does not offer a RFC 5746 Secure
Renegotiation Indication.
ssl-dh-bits Bit-size of Diffie-Hellman. option - 2048
Option Description
ssl-max- Highest SSL/TLS version to negotiate. option - tls-1.3

version
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-min-version Lowest SSL/TLS version to negotiate. option - tls-1.1
Option Description
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-mode SSL/TLS mode for encryption and decryption of traffic. option - full

Fortinet Inc.
Option Description
half Client to FortiGate SSL.
full Client to FortiGate and FortiGate to Server SSL.
ssl-send- Enable/disable sending empty fragments to avoid option - enable

empty-frags attack on CBC IV.
Option Description
enable Send empty fragments.
disable Do not send empty fragments.
url-rewrite Enable/disable rewriting the URL. option - disable
Option Description
config firewall ssl-ssh-profile
Configure SSL/SSH protocol options.

Description: Configure SSL/SSH protocol options.
edit <name>
set allowlist [enable|disable]
set block-blocklisted-certificates [disable|enable]
set caname {string}
config dot
Description: Configure DNS over TLS options.
set status [disable|deep-inspection]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-version [allow|block]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ftps
Description: Configure FTPS options.
set ports {integer}

Fortinet Inc.
set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
end
config https
Description: Configure HTTPS options.
set ports {integer}
set status [disable|certificate-inspection|...]
set cert-probe-failure [allow|block]
end
config imaps
Description: Configure IMAPS options.
set ports {integer}
end
set mapi-over-https [enable|disable]
set name {string}
config pop3s
Description: Configure POP3S options.
set ports {integer}

Fortinet Inc.
end
set rpc-over-https [enable|disable]
set server-cert <name1>, <name2>, ...
set server-cert-mode [re-sign|replace]
config smtps
Description: Configure SMTPS options.
set ports {integer}
end
config ssh
Description: Configure SSH options.
set ports {integer}
set inspect-all [disable|deep-inspection]
set unsupported-version [bypass|block]
set ssh-tun-policy-check [disable|enable]
set ssh-algorithm [compatible|high-encryption]
end
config ssl
Description: Configure SSL options.
set inspect-all [disable|certificate-inspection|...]
set cert-probe-failure [allow|block]
end
set ssl-anomaly-log [disable|enable]
config ssl-exempt
Description: Servers to exempt from SSL inspection.

Fortinet Inc.
edit <id>
set id {integer}
set type [fortiguard-category|address|...]
set fortiguard-category {integer}
set address6 {string}
set regex {string}
next
end
set ssl-exemption-ip-rating [enable|disable]
set ssl-exemption-log [disable|enable]
set ssl-handshake-log [disable|enable]
set ssl-negotiation-log [disable|enable]
config ssl-server
Description: SSL server settings used for client certificate request.
edit <id>
set id {integer}
set https-client-certificate [bypass|inspect|...]
set smtps-client-certificate [bypass|inspect|...]
set pop3s-client-certificate [bypass|inspect|...]
set imaps-client-certificate [bypass|inspect|...]
set ftps-client-certificate [bypass|inspect|...]
set ssl-other-client-certificate [bypass|inspect|...]
next
end
set ssl-server-cert-log [disable|enable]
set supported-alpn [http1-1|http2|...]
set untrusted-caname {string}
set use-ssl-server [disable|enable]
next
end
allowlist Enable/disable exempting servers by FortiGuard option - disable

allowlist.
Option Description
block- Enable/disable blocking SSL-based botnet option - enable

blocklisted- communication by FortiGuard certificate blocklist.
certificates
Option Description
disable Disable FortiGuard certificate blocklist.

Fortinet Inc.
Option Description
enable Enable FortiGuard certificate blocklist.
caname CA certificate used by SSL Inspection. string Not Fortinet_

Specified CA_SSL

Specified
mapi-over- Enable/disable inspection of MAPI over HTTPS. option - disable

https
Option Description
enable Enable inspection of MAPI over HTTPS.
disable Disable inspection of MAPI over HTTPS.

Specified
rpc-over-https Enable/disable inspection of RPC over HTTPS. option - disable
Option Description
enable Enable inspection of RPC over HTTPS.
disable Disable inspection of RPC over HTTPS.
server-cert Certificate used by SSL Inspection to replace server string Maximum

<name> certificate. length: 35
Certificate list.
server-cert- Re-sign or replace the server's certificate. option - re-sign

mode
Option Description
re-sign Multiple clients connecting to multiple servers.
replace Protect an SSL server.
ssl-anomaly- Enable/disable logging of SSL anomalies. option - enable

log
Option Description
disable Disable logging of SSL anomalies.
enable Enable logging of SSL anomalies.

Fortinet Inc.
ssl- Enable/disable IP based URL rating. option - enable

exemption-ip-
rating
Option Description
enable Enable IP based URL rating.
disable Disable IP based URL rating.
ssl- Enable/disable logging SSL exemptions. option - disable

exemption-log
Option Description
disable Disable logging SSL exemptions.
enable Enable logging SSL exemptions.
ssl- Enable/disable logging of TLS handshakes. option - disable

handshake-
log
Option Description
disable Disable logging TLS handshakes.
enable Enable logging TLS handshakes.
ssl- Enable/disable logging SSL negotiation. option - disable

negotiation-
log
Option Description
disable Disable logging SSL negotiation.
enable Enable logging SSL negotiation.
ssl-server- Enable/disable logging of server certificate information. option - disable

cert-log
Option Description
disable Disable logging server certificate.
enable Enable logging server certificate.
supported- Configure ALPN option. option - all

alpn

Fortinet Inc.
Option Description
http1-1 Enable ALPN of HTTP1.1.
http2 Enable ALPN of HTTP2.
all Enable ALPN of HTTP1.1 and HTTP2.
none Do not use ALPN.
untrusted- Untrusted CA certificate used by SSL Inspection. string Not Fortinet_

caname Specified CA_
Untrusted
use-ssl-server Enable/disable the use of SSL server table for SSL option - disable
offloading.
Option Description
disable Don't use SSL server configuration.
enable Use SSL server configuration.
config dot
status Configure protocol inspection status. option - disable
Option Description
disable Disable.
deep-inspection Full SSL inspection.
proxy-after-tcp- Proxy traffic after the TCP 3-way handshake has been option - disable
handshake established (not before).
Option Description
client-certificate Action based on received client certificate. option - bypass
Option Description
bypass Bypass the session.
inspect Inspect the session.
block Block the session.

Fortinet Inc.
unsupported- Action based on the SSL version used being option - block
ssl-version unsupported.
Option Description
allow Bypass the session when the version is not supported.
block Block the session when the version is not supported.
unsupported- Action based on the SSL cipher used being option - allow
ssl-cipher unsupported.
Option Description
allow Bypass the session when the cipher is not supported.
block Block the session when the cipher is not supported.
unsupported- Action based on the SSL negotiation used being option - allow
ssl-negotiation unsupported.
Option Description
allow Bypass the session when the negotiation is not supported.
block Block the session when the negotiation is not supported.
expired-server- Action based on server certificate is expired. option - block

cert
Option Description
allow Allow the server certificate.
ignore Re-sign the server certificate as trusted.
revoked-server- Action based on server certificate is revoked. option - block

cert
Option Description
untrusted- Action based on server certificate is not issued by a option - allow

server-cert trusted CA.

Fortinet Inc.
Option Description
cert-validation- Action based on certificate validation timeout. option - allow

timeout
Option Description
cert-validation- Action based on certificate validation failure. option - block

failure
Option Description
sni-server-cert- Check the SNI in the client hello message with the CN option - enable
check or SAN fields in the returned server certificate.
Option Description
enable Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, use the CN in the server certificate
to do URL filtering.
strict Check the SNI in the client hello message with the CN or SAN fields in the
returned server certificate. If mismatched, close the connection.
disable Do not check the SNI in the client hello message with the CN or SAN fields in
the returned server certificate.

Fortinet Inc.
config ftps
ports Ports to use for scanning. integer Minimum

value: 1
Maximum
value:
65535
status Configure protocol inspection status. option - deep-

inspection
Option Description
disable Disable.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.

cert
Option Description

cert
Option Description

Option Description

timeout
Option Description

failure
Option Description

Fortinet Inc.
Option Description
min-allowed- Minimum SSL version to be allowed. option - tls-1.1

ssl-version
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
config https

value: 1
Maximum
value:
65535

inspection
Option Description
disable Disable.
certificate- Inspect SSL handshake only.

inspection

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description
Option Description

cert
Option Description

Fortinet Inc.
Option Description

cert
Option Description

Option Description

timeout
Option Description

failure
Option Description

Fortinet Inc.
Option Description
cert-probe- Action based on certificate probe failure. option - block

failure
Option Description
allow Bypass the session when unable to retrieve server's certificate for
inspection.
block Block the session when unable to retrieve server's certificate for inspection.

ssl-version
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
config imaps

value: 1
Maximum
value:
65535

inspection

Fortinet Inc.
Option Description
disable Disable.
Option Description
client-certificate Action based on received client certificate. option - inspect
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.

cert
Option Description

cert
Option Description

Option Description

timeout
Option Description

failure
Option Description

Fortinet Inc.
Option Description
config pop3s

value: 1
Maximum
value:
65535

inspection
Option Description
disable Disable.
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

cert
Option Description

cert
Option Description


Fortinet Inc.
Option Description

timeout
Option Description

failure
Option Description
Option Description

Fortinet Inc.
config smtps

value: 1
Maximum
value:
65535

inspection
Option Description
disable Disable.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description

cert
Option Description

cert
Option Description

Option Description

timeout
Option Description

failure

Fortinet Inc.
Option Description
Option Description
config ssh

value: 1
Maximum
value:
65535
status Configure protocol inspection status. option - disable
Option Description
disable Disable.
inspect-all Level of SSL inspection. option - disable
Option Description
disable Disable.

Fortinet Inc.
Option Description
unsupported- Action based on SSH version being unsupported. option - bypass

version
Option Description
ssh-tun-policy- Enable/disable SSH tunnel policy check. option - disable

check
Option Description
disable Disable SSH tunnel policy check.
enable Enable SSH tunnel policy check.
ssh-algorithm Relative strength of encryption algorithms accepted option - compatible

during negotiation.
Option Description
compatible Allow a broader set of encryption algorithms for best compatibility.
high-encryption Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.
config ssl
inspect-all Level of SSL inspection. option - disable
Option Description
disable Disable.
certificate- Inspect SSL handshake only.

inspection

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

cert
Option Description

cert
Option Description

Fortinet Inc.
Option Description

Option Description

timeout
Option Description

failure
Option Description
Option Description

Fortinet Inc.
cert-probe- Action based on certificate probe failure. option - block

failure
Option Description
allow Bypass the session when unable to retrieve server's certificate for
inspection.
block Block the session when unable to retrieve server's certificate for inspection.

ssl-version
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
config ssl-exempt

value: 0
Maximum
value: 512
type Type of address object (IPv4 or IPv6) or FortiGuard option - fortiguard-

category. category
Option Description
fortiguard- FortiGuard category.

category
address Firewall IPv4 address.
address6 Firewall IPv6 address.
wildcard-fqdn Fully Qualified Domain Name with wildcard characters.
regex Regular expression FQDN.

Fortinet Inc.
fortiguard- FortiGuard category ID. integer Minimum 0

category value: 0
Maximum
value: 255
address IPv4 address object. string Not

Specified
address6 IPv6 address object. string Not

Specified
wildcard-fqdn Exempt servers by wildcard FQDN. string Not

Specified
regex Exempt servers by regular expression. string Not

Specified
config ssl-server
id SSL server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip IPv4 address of the SSL server. ipv4- Not Specified 0.0.0.0

address-
any
https-client- Action based on received client certificate during the option - bypass
certificate HTTPS handshake.
Option Description
smtps-client- Action based on received client certificate during the option - bypass
certificate SMTPS handshake.
Option Description

Fortinet Inc.
pop3s-client- Action based on received client certificate during the option - bypass
certificate POP3S handshake.
Option Description
imaps-client- Action based on received client certificate during the option - bypass
certificate IMAPS handshake.
Option Description
ftps-client- Action based on received client certificate during the option - bypass
certificate FTPS handshake.
Option Description
ssl-other- Action based on received client certificate during an option - bypass

client- SSL protocol handshake.
certificate
Option Description
config firewall ssl setting
SSL proxy settings.

Description: SSL proxy settings.
set abbreviate-handshake [enable|disable]
set cert-cache-capacity {integer}
set cert-cache-timeout {integer}

Fortinet Inc.
set kxp-queue-threshold {integer}
set no-matching-cipher-action [bypass|drop]
set proxy-connect-timeout {integer}
set session-cache-capacity {integer}
set session-cache-timeout {integer}
set ssl-queue-threshold {integer}
end
abbreviate- Enable/disable use of SSL abbreviated handshake. option - enable

handshake
Option Description
enable Enable use of SSL abbreviated handshake.
disable Disable use of SSL abbreviated handshake.
cert-cache- Maximum capacity of the host certificate cache. integer Minimum 200
capacity value: 0
Maximum
value: 500
cert-cache- Time limit to keep certificate cache. integer Minimum 10

timeout value: 1
Maximum
value: 120
kxp-queue- Maximum length of the CP KXP queue. When the integer Minimum 16
threshold * queue becomes full, the proxy switches cipher functions value: 0
to the main CPU. Maximum
value: 512
no-matching- Bypass or drop the connection when no matching cipher option - bypass
cipher-action is found.
Option Description
bypass Bypass connection.
drop Drop connection.
proxy- Time limit to make an internal connection to the integer Minimum 30

connect- appropriate proxy process. value: 1
timeout Maximum
value: 60

Fortinet Inc.
session- Capacity of the SSL session cache. integer Minimum 500

cache- value: 0
capacity Maximum
value: 1000
session- Time limit to keep SSL session state. integer Minimum 20

cache-timeout value: 1
Maximum
value: 60
Option Description
ssl-queue- Maximum length of the CP SSL queue. When the queue integer Minimum 32
threshold * becomes full, the proxy switches cipher functions to the value: 0
main CPU. Maximum
value: 512
ssl-send- Enable/disable sending empty fragments to avoid attack option - enable

empty-frags on CBC IV (for SSL 3.0 and TLS 1.0 only).
Option Description
config firewall traffic-class
Configure names for shaping classes.

Description: Configure names for shaping classes.
edit <class-id>
set class-name {string}
next
end

Fortinet Inc.
class-id Class ID to be named. integer Minimum 0

value: 2
Maximum
value: 31
class-name Define the name for this class-id. string Not

Specified
config firewall ttl-policy
Configure TTL policies.

Description: Configure TTL policies.
edit <id>
set id {integer}
set ttl {user}
next
end
action Action to be performed on traffic matching this policy. option - deny
Option Description
accept Allow traffic matching this policy.
deny Deny or block traffic matching this policy.

value: 0
Maximum
value:
4294967295
service Service object(s) from available options. Separate string Maximum

<name> multiple names with a space. length: 79

Fortinet Inc.
Service name.
srcaddr Source address object(s) from available options. string Maximum

<name> Separate multiple names with a space. length: 79
Address name.
srcintf Source interface name from available interfaces. string Not Specified
status Enable/disable this TTL policy. option - enable
Option Description
enable Enable this TTL policy.
disable Disable this TTL policy.
ttl Value/range to match against the packet's Time to user Not Specified
Live value.
config firewall vendor-mac-summary
Vendor MAC database summary.

config firewall vendor-mac-summary
Description: Vendor MAC database summary.
end
config firewall vendor-mac
Show vendor and the MAC address they have.

Description: Show vendor and the MAC address they have.
edit <id>
set id {integer}
set mac-number {integer}
set name {string}
set obsolete {integer}
next
end

Fortinet Inc.
id Vendor ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
mac-number Total number of MAC addresses. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Vendor name. string Not Specified
obsolete Indicates whether the Vendor ID can be used. integer Minimum 0

value: 0
Maximum
value: 255
config firewall vip
Configure virtual IP for IPv4.

config firewall vip
Description: Configure virtual IP for IPv4.
edit <name>
set arp-reply [disable|enable]
set color {integer}
set dns-mapping-ttl {integer}
set extaddr <name1>, <name2>, ...
set extintf {string}
set extip {user}
set extport {user}
set gratuitous-arp-interval {integer}
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set http-multiplex [enable|disable]
set http-redirect [enable|disable]
set id {integer}
set ipv6-mappedip {user}

Fortinet Inc.
set ipv6-mappedport {user}
set mapped-addr {string}
set mappedip <range1>, <range2>, ...
set max-embryonic-connections {integer}
set monitor <name1>, <name2>, ...
set name {string}
set nat-source-vip [disable|enable]
set outlook-web-access [disable|enable]
set persistence [none|http-cookie|...]
set portforward [disable|enable]
set portmapping-type [1-to-1|m-to-n]
set protocol [tcp|udp|...]
config realservers
Description: Select the real servers that this server load balancing VIP will
edit <id>
set id {integer}
set type [ip|address]
set ip {user}
set port {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set max-connections {integer}
set client-ip {user}
next
end
set server-type [http|https|...]
set src-filter <range1>, <range2>, ...
set srcintf-filter <interface-name1>, <interface-name2>, ...
set ssl-accept-ffdhe-groups [enable|disable]
Description: SSL/TLS cipher suites acceptable from a client, ordered by
priority.
edit <priority>
next
end
set ssl-client-fallback [disable|enable]
set ssl-client-rekey-count {integer}
set ssl-client-session-state-max {integer}
set ssl-client-session-state-timeout {integer}

Fortinet Inc.
set ssl-client-session-state-type [disable|time|...]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-age {integer}
set ssl-hpkp-backup {string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hpkp-primary {string}
set ssl-hpkp-report-uri {var-string}
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-pfs [require|deny|...]
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
next
end
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-session-state-max {integer}
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-type [disable|time|...]
set type [static-nat|load-balance|...]
set uuid {uuid}
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
next
end
config firewall vip
add-nat46-route Enable/disable adding NAT46 route. option - enable
Option Description
arp-reply Enable to respond to ARP requests for this option - enable

virtual IP address. Enabled by default.

Fortinet Inc.
Option Description
disable Disable ARP reply.
enable Enable ARP reply.

value: 0
Maximum
value: 32
dns-mapping-ttl DNS mapping TTL. integer Minimum 0

value: 0
Maximum
value: 604800
extaddr <name> External FQDN address name. string Maximum

Address name. length: 79
extintf Interface connected to the source network string Not Specified

that receives the packets that will be
forwarded to the destination network.
extip IP address or address range on the external user Not Specified

interface that you want to map to an address
or address range on the destination network.
extport Incoming port number range that you want to user Not Specified
map to a port number range on the
destination network.
gratuitous-arp- Enable to have the VIP send gratuitous integer Minimum 0

interval ARPs. 0=disabled. Set from 5 up to 8640000 value: 5
seconds to enable. Maximum
value:
8640000
http-cookie-age Time in minutes that client web browsers integer Minimum 60

should keep a cookie. Default is 60 minutes. value: 0
0 = no time limit. Maximum
value: 525600
http-cookie- Domain that HTTP cookie persistence string Not Specified

domain should apply to.
http-cookie- Enable/disable use of HTTP cookie domain option - disable

domain-from- from host field in HTTP.
host

Fortinet Inc.
Option Description
disable Disable use of HTTP cookie domain from host field in HTTP (use http-
cooke-domain setting).
http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

generation Changing invalidates all existing cookies. value: 0
Maximum
value:
4294967295
http-cookie-path Limit HTTP cookie persistence to the string Not Specified

specified path.
http-cookie-share Control sharing of cookies across virtual option - same-ip

servers. Use of same-ip means a cookie from
one virtual server can be used by another.
Disable stops cookie sharing.
Option Description
disable Only allow HTTP cookie to match this virtual server.
same-ip Allow HTTP cookie to match any virtual server with same IP.
http-ip-header For HTTP multiplexing, enable to add the option - disable

original client IP address in the XForwarded-
For HTTP header.
Option Description
enable Enable adding HTTP header.
disable Disable adding HTTP header.
http-ip-header- For HTTP multiplexing, enter a custom string Not Specified

name HTTPS header name. The original client IP
address is added to this header. If empty, X-
Forwarded-For is used.
http-multiplex Enable/disable HTTP multiplexing. option - disable
Option Description
enable Enable HTTP session multiplexing.
disable Disable HTTP session multiplexing.
http-redirect Enable/disable redirection of HTTP to option - disable

HTTPS.

Fortinet Inc.
Option Description
enable Enable redirection of HTTP to HTTPS.
disable Disable redirection of HTTP to HTTPS.
https-cookie- Enable/disable verification that inserted option - disable

secure HTTPS cookies are secure.
Option Description
connection.
connection.
id Custom defined ID. integer Minimum 0

value: 0
Maximum
value: 65535
ipv6-mappedip Range of mapped IPv6 addresses. Specify user Not Specified

the start IPv6 address followed by a space
and the end IPv6 address.
ipv6-mappedport IPv6 port number range on the destination user Not Specified
network to which the external port number
range is mapped.
ldb-method Method used to distribute sessions to real option - static

servers.
Option Description
least-session Distribute to server with lowest session count.
least-rtt Distribute to server with lowest Round-Trip-Time.
mapped-addr Mapped FQDN address name. string Not Specified
mappedip IP address or address range on the string Maximum

<range> destination network to which the external IP length: 79
address is mapped.

Fortinet Inc.
Mapped IP range.
mappedport Port number range on the destination user Not Specified

network to which the external port number
range is mapped.
max-embryonic- Maximum number of incomplete integer Minimum 1000

connections connections. value: 0
Maximum
value: 100000
monitor <name> Name of the health check monitor to use string Maximum
when polling to determine a virtual server's length: 79
connectivity status.
Health monitor name.
name Virtual IP name. string Not Specified
nat-source-vip Enable/disable forcing the source NAT option - disable

mapped IP to the external IP for all traffic.
Option Description
disable Force only the source NAT mapped IP to the external IP for traffic
egressing the external interface of the VIP.
enable Force the source NAT mapped IP to the external IP for all traffic.
nat44 Enable/disable NAT44. option - enable
Option Description
Option Description
outlook-web- Enable to add the Front-End-Https header option - disable

access for Microsoft Outlook Web Access.
Option Description
disable Disable Outlook Web Access support.
enable Enable Outlook Web Access support.

Fortinet Inc.
persistence Configure how to make sure that clients option - none

connect to the same server every time they
make a request that is part of the same
session.
Option Description
none None.
ssl-session-id SSL session ID.
portforward Enable/disable port forwarding. option - disable
Option Description
disable Disable port forward.
enable Enable port forward.
portmapping- Port mapping type. option - 1-to-1

type
Option Description
1-to-1 One to one.
m-to-n Many to many.
protocol Protocol to use when forwarding packets. option - tcp
Option Description
tcp TCP.
udp UDP.
sctp SCTP.
icmp ICMP.
server-type Protocol to be load balanced by the virtual option -

server (also called the server load balance
virtual IP).
Option Description
http HTTP.
https HTTPS.
imaps IMAPS.

Fortinet Inc.
Option Description
pop3s POP3S.
smtps SMTPS.
ssl SSL.
tcp TCP.
udp UDP.
ip IP.
service <name> Service name. string Maximum

Service name. length: 79
src-filter Source address filter. Each address must be string Maximum

<range> either an IP/subnet (x.x.x.x/n) or a range length: 79
(x.x.x.x-y.y.y.y). Separate addresses with
spaces.
Source-filter range.
srcintf-filter Interfaces to which the VIP applies. Separate string Maximum

<interface- the names with spaces. length: 79
name> Interface name.
ssl-accept-ffdhe- Enable/disable FFDHE cipher suite for SSL option - enable

groups key exchange.
Option Description
enable Accept FFDHE groups.
disable Do not accept FFDHE groups.
ssl-algorithm Permitted encryption algorithms for SSL option - high

sessions according to encryption strength.
Option Description
custom Custom encryption. Use config ssl-cipher-suites to select the cipher suites
that are allowed.
ssl-certificate The name of the certificate to use for SSL string Not Specified
handshake.

Fortinet Inc.
ssl-client-fallback Enable/disable support for preventing option - enable

Downgrade Attacks on client connections
(RFC 7507).
Option Description
disable Disable.
enable Enable.
ssl-client-rekey- Maximum length of data in MB before integer Minimum 0

count triggering a client rekey (0 = disable). value: 200
Maximum
value:
1048576
ssl-client- Allow, deny, or require secure renegotiation option - secure

renegotiation of client sessions to comply with RFC 5746.
Option Description
deny Abort any client initiated SSL re-negotiation attempt.
secure Abort any client initiated SSL re-negotiation attempt that does not use RFC
5746 Secure Renegotiation.
ssl-client- Maximum number of client to FortiGate SSL integer Minimum 1000

session-state- session states to keep. value: 1
max Maximum
value: 10000
ssl-client- Number of minutes to keep client to integer Minimum 30

session-state- FortiGate SSL session state. value: 1
timeout Maximum
value: 14400
ssl-client- How to expire SSL sessions for the segment option - both
session-state- of the SSL connection between the client and
type the FortiGate.
Option Description
disable Do not keep session states.
time Expire session states after this many minutes.
count Expire session states when this maximum is reached.
both Expire session states based on time or count, whichever occurs first.

Fortinet Inc.
ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL
sessions.
Option Description
ssl-hpkp Enable/disable including HPKP header in option - disable

response.
Option Description
disable Do not add a HPKP header to each HTTP response.
enable Add a HPKP header to each a HTTP response.
report-only Add a HPKP Report-Only header to each HTTP response.
ssl-hpkp-age Number of seconds the client should honor integer Minimum 5184000
the HPKP setting. value: 60
Maximum
value:
157680000
ssl-hpkp-backup Certificate to generate backup HPKP pin string Not Specified

from.
ssl-hpkp-include- Indicate that HPKP header applies to all option - disable

subdomains subdomains.
Option Description
disable HPKP header does not apply to subdomains.
enable HPKP header applies to subdomains.
ssl-hpkp-primary Certificate to generate primary HPKP pin string Not Specified

from.
ssl-hpkp-report- URL to report HPKP violations to. var-string Not Specified

uri
ssl-hsts Enable/disable including HSTS header in option - disable

response.

Fortinet Inc.
Option Description
disable Do not add a HSTS header to each a HTTP response.
enable Add a HSTS header to each HTTP response.
ssl-hsts-age Number of seconds the client should honor integer Minimum 5184000
the HSTS setting. value: 60
Maximum
value:
157680000
ssl-hsts-include- Indicate that HSTS header applies to all option - disable

subdomains subdomains.
Option Description
disable HSTS header does not apply to subdomains.
enable HSTS header applies to subdomains.
ssl-http-location- Enable to replace HTTP with HTTPS in the option - disable

conversion reply's Location HTTP header field.
Option Description
enable Enable HTTP location conversion.
disable Disable HTTP location conversion.
ssl-http-match- Enable/disable HTTP host matching for option - enable

host location conversion.
Option Description
enable Match HTTP host in response header.
disable Do not match HTTP host.
ssl-max-version Highest SSL/TLS version acceptable from a option - tls-1.3

client.
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

Fortinet Inc.
ssl-min-version Lowest SSL/TLS version acceptable from a option - tls-1.1

client.
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-mode Apply SSL offloading between the client and option - half
the FortiGate (half) or from the client to the
FortiGate and from the FortiGate to the
server (full).
Option Description
ssl-pfs Select the cipher suites that can be used for option - require
SSL perfect forward secrecy (PFS). Applies
to both client and server sessions.
Option Description
require Allow only Diffie-Hellman cipher-suites, so PFS is applied.
deny Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
allow Allow use of any cipher suite so PFS may or may not be used depending on
the cipher suite selected.
ssl-send-empty- Enable/disable sending empty fragments to option - enable

frags avoid CBC IV attacks (SSL 3.0 & TLS 1.0
only). May need to be disabled for
compatibility with older systems.
Option Description
ssl-server- Permitted encryption algorithms for the option - client

algorithm server side of SSL full mode sessions
according to encryption strength.

Fortinet Inc.
Option Description
custom Custom encryption. Use ssl-server-cipher-suites to select the cipher suites

that are allowed.
client Use the same encryption algorithms for both client and server sessions.
ssl-server-max- Highest SSL/TLS version acceptable from a option - client

version server. Use the client setting by default.
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
client Use same value as client configuration.
ssl-server-min- Lowest SSL/TLS version acceptable from a option - client

Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-server- Maximum number of FortiGate to Server SSL integer Minimum 100

max Maximum
value: 10000

Fortinet Inc.
ssl-server- Number of minutes to keep FortiGate to integer Minimum 60

session-state- Server SSL session state. value: 1
timeout Maximum
value: 14400
ssl-server- How to expire SSL sessions for the segment option - both
session-state- of the SSL connection between the server
type and the FortiGate.
Option Description
status Enable/disable VIP. option - enable
Option Description
disable Disable the VIP.
enable Enable the VIP.
type Configure a static NAT, load balance, server option - static-nat

load balance, access proxy, DNS translation,
or FQDN VIP.
Option Description
static-nat Static NAT.
load-balance Load balance.
server-load- Server load balance.

balance
dns-translation DNS translation.
access-proxy Access proxy.

reset). 000000000000
weblogic-server Enable to add an HTTP header to indicate option - disable

SSL offloading for a WebLogic server.

Fortinet Inc.
Option Description
disable Do not add HTTP header indicating SSL offload for WebLogic server.
enable Add HTTP header indicating SSL offload for WebLogic server.
websphere- Enable to add an HTTP header to indicate option - disable

server SSL offloading for a WebSphere server.
Option Description
disable Do not add HTTP header indicating SSL offload for WebSphere server.
enable Add HTTP header indicating SSL offload for WebSphere server.
config realservers

value: 0
Maximum
value:
4294967295
type Type of address. option - ip
Option Description
address Dynamic address object.
address Dynamic address of the real server. string Not Specified
ip IP address of the real server. user Not Specified
port Port for communicating with the real server. Required integer Minimum 0
if port forwarding is enabled. value: 1
Maximum
value: 65535
status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic
is sent.
Option Description

Fortinet Inc.
value: 255
holddown- Time in seconds that the health check monitor integer Minimum 300
interval continues to monitor and unresponsive server that value: 30
should be active. Maximum
value: 65535
healthcheck Enable to check the responsiveness of the real option - vip

Option Description
vip Use health check defined in VIP.
max- Max number of active connections that can be integer Minimum 0

connections directed to the real server. When reached, sessions value: 0
are sent to other real servers. Maximum
value:
2147483647
monitor Name of the health check monitor to use when string Maximum
<name> polling to determine a virtual server's connectivity length: 79
status.
client-ip Only clients in this IP range can connect to this real user Not Specified
server.

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description

GCM-SHA256

GCM-SHA384

CHACHA20-
POLY1305-
SHA256

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

WITH-
CHACHA20-
POLY1305-
SHA256

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

Fortinet Inc.
Option Description

WITH-AES-256-
GCM-SHA384

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384

RSA-WITH-AES-
128-CBC-SHA

RSA-WITH-AES-
128-CBC-
SHA256

RSA-WITH-AES-
128-GCM-
SHA256

RSA-WITH-AES-
256-CBC-SHA

Fortinet Inc.
Option Description

RSA-WITH-AES-
256-CBC-
SHA384

RSA-WITH-AES-
256-GCM-
SHA384

ECDSA-WITH-
AES-128-CBC-
SHA

ECDSA-WITH-
AES-128-CBC-
SHA256

ECDSA-WITH-
AES-128-GCM-
SHA256

ECDSA-WITH-
AES-256-CBC-
SHA

ECDSA-WITH-
AES-256-CBC-
SHA384

ECDSA-WITH-
AES-256-GCM-
SHA384

AES-128-CBC-
SHA

AES-256-CBC-
SHA

Fortinet Inc.
Option Description

AES-128-CBC-
SHA256

AES-128-GCM-
SHA256

AES-256-CBC-
SHA256

AES-256-GCM-
SHA384

CAMELLIA-128-
CBC-SHA

CAMELLIA-256-
CBC-SHA

CAMELLIA-128-
CBC-SHA256

CAMELLIA-256-
CBC-SHA256

WITH-3DES-
EDE-CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

Fortinet Inc.
Option Description

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-SEED-
CBC-SHA

WITH-SEED-
CBC-SHA

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

Fortinet Inc.
Option Description

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

SEED-CBC-SHA

ARIA-128-CBC-
SHA256

ARIA-256-CBC-
SHA384

RSA-WITH-
ARIA-128-CBC-
SHA256

RSA-WITH-
ARIA-256-CBC-
SHA384

ECDSA-WITH-
ARIA-128-CBC-
SHA256

ECDSA-WITH-
ARIA-256-CBC-
SHA384

RSA-WITH-RC4-
128-SHA

RSA-WITH-
3DES-EDE-
CBC-SHA

Fortinet Inc.
Option Description

WITH-3DES-
EDE-CBC-SHA

3DES-EDE-
CBC-SHA

RC4-128-MD5

RC4-128-SHA

WITH-DES-
CBC-SHA

WITH-DES-
CBC-SHA

DES-CBC-SHA
versions SSL/TLS versions that the cipher suite can be used option - ssl-3.0 tls-
with. 1.0 tls-1.1
tls-1.2 tls-
1.3
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

Fortinet Inc.

value: 0
Maximum
value:
4294967295
Option Description

GCM-SHA256

GCM-SHA384

CHACHA20-
POLY1305-
SHA256

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

WITH-
CHACHA20-
POLY1305-
SHA256

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

Fortinet Inc.
Option Description

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384

RSA-WITH-AES-
128-CBC-SHA

RSA-WITH-AES-
128-CBC-
SHA256

RSA-WITH-AES-
128-GCM-
SHA256

Fortinet Inc.
Option Description

RSA-WITH-AES-
256-CBC-SHA

RSA-WITH-AES-
256-CBC-
SHA384

RSA-WITH-AES-
256-GCM-
SHA384

ECDSA-WITH-
AES-128-CBC-
SHA

ECDSA-WITH-
AES-128-CBC-
SHA256

ECDSA-WITH-
AES-128-GCM-
SHA256

ECDSA-WITH-
AES-256-CBC-
SHA

ECDSA-WITH-
AES-256-CBC-
SHA384

ECDSA-WITH-
AES-256-GCM-
SHA384

AES-128-CBC-
SHA

Fortinet Inc.
Option Description

AES-256-CBC-
SHA

AES-128-CBC-
SHA256

AES-128-GCM-
SHA256

AES-256-CBC-
SHA256

AES-256-GCM-
SHA384

CAMELLIA-128-
CBC-SHA

CAMELLIA-256-
CBC-SHA

CAMELLIA-128-
CBC-SHA256

CAMELLIA-256-
CBC-SHA256

WITH-3DES-
EDE-CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

Fortinet Inc.
Option Description

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-SEED-
CBC-SHA

WITH-SEED-
CBC-SHA

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

Fortinet Inc.
Option Description

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

SEED-CBC-SHA

ARIA-128-CBC-
SHA256

ARIA-256-CBC-
SHA384

RSA-WITH-
ARIA-128-CBC-
SHA256

RSA-WITH-
ARIA-256-CBC-
SHA384

ECDSA-WITH-
ARIA-128-CBC-
SHA256

ECDSA-WITH-
ARIA-256-CBC-
SHA384

RSA-WITH-RC4-
128-SHA

RSA-WITH-
3DES-EDE-
CBC-SHA

Fortinet Inc.
Option Description

WITH-3DES-
EDE-CBC-SHA

3DES-EDE-
CBC-SHA

RC4-128-MD5

RC4-128-SHA

WITH-DES-
CBC-SHA

WITH-DES-
CBC-SHA

DES-CBC-SHA
with. 1.0 tls-1.1
tls-1.2 tls-
1.3
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
config firewall vip6
Configure virtual IP for IPv6.

Description: Configure virtual IP for IPv6.
edit <name>
set color {integer}

Fortinet Inc.
set embedded-ipv4-address [disable|enable]
set extip {user}
set extport {user}
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set http-multiplex [enable|disable]
set http-redirect [enable|disable]
set id {integer}
set ipv4-mappedip {user}
set ipv4-mappedport {user}
set mappedip {user}
set max-embryonic-connections {integer}
set name {string}
set nat-source-vip [disable|enable]
set ndp-reply [disable|enable]
set outlook-web-access [disable|enable]
set persistence [none|http-cookie|...]
set portforward [disable|enable]
set protocol [tcp|udp|...]
config realservers
Description: Select the real servers that this server load balancing VIP will
edit <id>
set id {integer}
set ip {user}
set port {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set client-ip {user}
next
end
set server-type [http|https|...]
set src-filter <range1>, <range2>, ...
set ssl-accept-ffdhe-groups [enable|disable]
Description: SSL/TLS cipher suites acceptable from a client, ordered by

Fortinet Inc.
priority.
edit <priority>
next
end
set ssl-client-fallback [disable|enable]
set ssl-client-rekey-count {integer}
set ssl-client-session-state-max {integer}
set ssl-client-session-state-timeout {integer}
set ssl-client-session-state-type [disable|time|...]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-age {integer}
set ssl-hpkp-backup {string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hpkp-primary {string}
set ssl-hpkp-report-uri {var-string}
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-server-algorithm [high|medium|...]
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
next
end
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-session-state-max {integer}
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-type [disable|time|...]
set type [static-nat|server-load-balance|...]
set uuid {uuid}
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
next
end

Fortinet Inc.
add-nat64- Enable/disable adding NAT64 route. option - enable

route
Option Description

value: 0
Maximum
value: 32
embedded- Enable/disable use of the lower 32 bits of the option - disable

ipv4-address external IPv6 address as mapped IPv4
address.
Option Description
disable Disable use of the lower 32 bits of the external IPv6 address as mapped IPv4
address.
enable Enable use of the lower 32 bits of the external IPv6 address as mapped IPv4
address.
extip IPv6 address or address range on the external user Not Specified
interface that you want to map to an address or
address range on the destination network.
extport Incoming port number range that you want to user Not Specified
map to a port number range on the destination
network.
http-cookie-age Time in minutes that client web browsers integer Minimum 60

should keep a cookie. Default is 60 minutes. 0 value: 0
= no time limit. Maximum
value: 525600
http-cookie- Domain that HTTP cookie persistence should string Not Specified
domain apply to.
http-cookie- Enable/disable use of HTTP cookie domain option - disable

domain-from- from host field in HTTP.
host

Fortinet Inc.
Option Description
domain setting).
http-cookie- Generation of HTTP cookie to be accepted. integer Minimum 0

generation Changing invalidates all existing cookies. value: 0
Maximum
value:
4294967295
http-cookie- Limit HTTP cookie persistence to the specified string Not Specified
path path.
http-cookie- Control sharing of cookies across virtual option - same-ip

share servers. Use of same-ip means a cookie from
one virtual server can be used by another.
Disable stops cookie sharing.
Option Description
disable Only allow HTTP cookie to match this virtual server.
same-ip Allow HTTP cookie to match any virtual server with same IP.
http-ip-header For HTTP multiplexing, enable to add the option - disable

original client IP address in the XForwarded-
For HTTP header.
Option Description
enable Enable adding HTTP header.
disable Disable adding HTTP header.
http-ip-header- For HTTP multiplexing, enter a custom HTTPS string Not Specified
name header name. The original client IP address is
added to this header. If empty, X-Forwarded-
For is used.
http-multiplex Enable/disable HTTP multiplexing. option - disable
Option Description
enable Enable HTTP session multiplexing.
disable Disable HTTP session multiplexing.
http-redirect Enable/disable redirection of HTTP to HTTPS. option - disable

Fortinet Inc.
Option Description
enable Enable redirection of HTTP to HTTPS.
disable Disable redirection of HTTP to HTTPS.
https-cookie- Enable/disable verification that inserted option - disable

secure HTTPS cookies are secure.
Option Description
connection.
connection.
id Custom defined ID. integer Minimum 0

value: 0
Maximum
value: 65535
ipv4-mappedip Range of mapped IP addresses. Specify the user Not Specified

start IP address followed by a space and the
end IP address.
ipv4- IPv4 port number range on the destination user Not Specified
mappedport network to which the external port number
range is mapped.
ldb-method Method used to distribute sessions to real option - static

servers.
Option Description
static Distribute sessions based on source IP.
round-robin Distribute sessions based round robin order.
weighted Distribute sessions based on weight.
least-session Sends new sessions to the server with the lowest session count.
least-rtt Distribute new sessions to the server with lowest Round-Trip-Time.
first-alive Distribute sessions to the first server that is alive.
http-host Distribute sessions to servers based on host field in HTTP header.
mappedip Mapped IPv6 address range in the format user Not Specified
startIP-endIP.

Fortinet Inc.
mappedport Port number range on the destination network user Not Specified
to which the external port number range is
mapped.
max- Maximum number of incomplete connections. integer Minimum 1000

embryonic- value: 0
connections Maximum
value: 100000
<name> polling to determine a virtual server's length: 79
connectivity status.
name Virtual ip6 name. string Not Specified
nat-source-vip Enable to perform SNAT on traffic from option - disable

mappedip to the extip for all egress interfaces.
Option Description
disable Disable nat-source-vip.
enable Perform SNAT on traffic from mappedip to the extip for all egress interfaces.
nat64 Enable/disable DNAT64. option - disable
Option Description
nat66 Enable/disable DNAT66. option - enable
Option Description
ndp-reply Enable/disable this FortiGate unit's ability to option - enable

respond to NDP requests for this virtual IP
address.
Option Description
disable Disable this FortiGate unit's ability to respond to NDP requests for this virtual
IP address.
enable Enable this FortiGate unit's ability to respond to NDP requests for this virtual
IP address.

Fortinet Inc.
outlook-web- Enable to add the Front-End-Https header for option - disable

access Microsoft Outlook Web Access.
Option Description
disable Disable Outlook Web Access support.
enable Enable Outlook Web Access support.
persistence Configure how to make sure that clients option - none

connect to the same server every time they
make a request that is part of the same
session.
Option Description
none None.
ssl-session-id SSL session ID.
portforward Enable port forwarding. option - disable
Option Description
disable Disable port forward.
enable Enable/disable port forwarding.
protocol Protocol to use when forwarding packets. option - tcp
Option Description
tcp TCP.
udp UDP.
sctp SCTP.
server-type Protocol to be load balanced by the virtual option -

server (also called the server load balance
virtual IP).
Option Description
http HTTP.
https HTTPS.
imaps IMAPS.
pop3s POP3S.

Fortinet Inc.
Option Description
smtps SMTPS.
ssl SSL.
tcp TCP.
udp UDP.
ip IP.
src-filter Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate string Maximum

<range> addresses with spaces. length: 79
Source-filter range.
ssl-accept- Enable/disable FFDHE cipher suite for SSL option - enable

ffdhe-groups key exchange.
Option Description
enable Accept FFDHE groups.
disable Do not accept FFDHE groups.
ssl-algorithm Permitted encryption algorithms for SSL option - high

sessions according to encryption strength.
Option Description
high Use AES.
medium Use AES, 3DES, or RC4.
low Use AES, 3DES, RC4, or DES.
custom Use config ssl-cipher-suites to select the cipher suites that are allowed.
ssl-certificate The name of the certificate to use for SSL string Not Specified
handshake.
ssl-client- Enable/disable support for preventing option - enable

fallback Downgrade Attacks on client connections
(RFC 7507).
Option Description
disable Disable.
enable Enable.

Fortinet Inc.
ssl-client- Maximum length of data in MB before integer Minimum 0

rekey-count triggering a client rekey (0 = disable). value: 200
Maximum
value:
1048576
ssl-client- Allow, deny, or require secure renegotiation of option - secure

renegotiation client sessions to comply with RFC 5746.
Option Description
ssl-client- Maximum number of client to FortiGate SSL integer Minimum 1000

max Maximum
value: 10000
ssl-client- Number of minutes to keep client to FortiGate integer Minimum 30

session-state- SSL session state. value: 1
timeout Maximum
value: 14400
ssl-client- How to expire SSL sessions for the segment of option - both
session-state- the SSL connection between the client and the
type FortiGate.
Option Description
ssl-dh-bits Number of bits to use in the Diffie-Hellman option - 2048

exchange for RSA encryption of SSL sessions.
Option Description

Fortinet Inc.
Option Description
ssl-hpkp Enable/disable including HPKP header in option - disable

response.
Option Description
disable Do not add a HPKP header to each HTTP response.
enable Add a HPKP header to each a HTTP response.
report-only Add a HPKP Report-Only header to each HTTP response.
ssl-hpkp-age Number of minutes the web browser should integer Minimum 5184000
keep HPKP. value: 60
Maximum
value:
157680000
ssl-hpkp- Certificate to generate backup HPKP pin from. string Not Specified
backup
ssl-hpkp- Indicate that HPKP header applies to all option - disable

include- subdomains.
subdomains
Option Description
disable HPKP header does not apply to subdomains.
enable HPKP header applies to subdomains.
ssl-hpkp- Certificate to generate primary HPKP pin from. string Not Specified
primary
ssl-hpkp- URL to report HPKP violations to. var-string Not Specified

report-uri
ssl-hsts Enable/disable including HSTS header in option - disable

response.
Option Description
disable Do not add a HSTS header to each a HTTP response.
enable Add a HSTS header to each HTTP response.

Fortinet Inc.
ssl-hsts-age Number of seconds the client should honor the integer Minimum 5184000
HSTS setting. value: 60
Maximum
value:
157680000
ssl-hsts- Indicate that HSTS header applies to all option - disable

include- subdomains.
subdomains
Option Description
disable HSTS header does not apply to subdomains.
enable HSTS header applies to subdomains.
ssl-http- Enable to replace HTTP with HTTPS in the option - disable

location- reply's Location HTTP header field.
conversion
Option Description
enable Enable HTTP location conversion.
disable Disable HTTP location conversion.
ssl-http-match- Enable/disable HTTP host matching for option - enable

host location conversion.
Option Description
enable Match HTTP host in response header.
disable Do not match HTTP host.
ssl-max- Highest SSL/TLS version acceptable from a option - tls-1.3

version client.
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-min-version Lowest SSL/TLS version acceptable from a option - tls-1.1

client.

Fortinet Inc.
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-mode Apply SSL offloading between the client and option - half
the FortiGate (half) or from the client to the
FortiGate and from the FortiGate to the server
(full).
Option Description
ssl-pfs Select the cipher suites that can be used for option - require
SSL perfect forward secrecy (PFS). Applies to
both client and server sessions.
Option Description
require Allow only Diffie-Hellman cipher-suites, so PFS is applied.
deny Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
allow Allow use of any cipher suite so PFS may or may not be used depending on
the cipher suite selected.
ssl-send- Enable/disable sending empty fragments to option - enable

empty-frags avoid CBC IV attacks (SSL 3.0 & TLS 1.0
only). May need to be disabled for compatibility
with older systems.
Option Description
ssl-server- Permitted encryption algorithms for the server option - client

algorithm side of SSL full mode sessions according to
encryption strength.

Fortinet Inc.
Option Description
high Use AES.
medium Use AES, 3DES, or RC4.
low Use AES, 3DES, RC4, or DES.
custom Use config ssl-server-cipher-suites to select the cipher suites that are
allowed.
client Use the same encryption algorithms for client and server sessions.
ssl-server-max- Highest SSL/TLS version acceptable from a option - client

Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-server-min- Lowest SSL/TLS version acceptable from a option - client

Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-server- Maximum number of FortiGate to Server SSL integer Minimum 100

max Maximum
value: 10000

Fortinet Inc.
ssl-server- Number of minutes to keep FortiGate to Server integer Minimum 60

session-state- SSL session state. value: 1
timeout Maximum
value: 14400
ssl-server- How to expire SSL sessions for the segment of option - both
session-state- the SSL connection between the server and
type the FortiGate.
Option Description
type Configure a static NAT server load balance option - static-nat

VIP or access proxy.
Option Description
static-nat Static NAT.
server-load- Server load balance.

balance
access-proxy Access proxy.

reset). 000000000000
weblogic- Enable to add an HTTP header to indicate SSL option - disable

server offloading for a WebLogic server.
Option Description
disable Do not add HTTP header indicating SSL offload for WebLogic server.
enable Add HTTP header indicating SSL offload for WebLogic server.
websphere- Enable to add an HTTP header to indicate SSL option - disable

server offloading for a WebSphere server.
Option Description
disable Do not add HTTP header indicating SSL offload for WebSphere server.
enable Add HTTP header indicating SSL offload for WebSphere server.

Fortinet Inc.
config realservers

value: 0
Maximum
value:
4294967295
ip IP address of the real server. user Not Specified
port Port for communicating with the real server. Required integer Minimum 0
if port forwarding is enabled. value: 1
Maximum
value: 65535
status Set the status of the real server to active so that it can option - active
accept traffic, or on standby or disabled so no traffic
is sent.
Option Description
value: 255
holddown- Time in seconds that the health check monitor integer Minimum 300
interval continues to monitor an unresponsive server that value: 30
should be active. Maximum
value: 65535
healthcheck Enable to check the responsiveness of the real option - vip

Option Description
vip Use health check defined in VIP.

Fortinet Inc.
max- Max number of active connections that can directed integer Minimum 0
connections to the real server. When reached, sessions are sent value: 0
to other real servers. Maximum
value:
2147483647
<name> polling to determine a virtual server's connectivity length: 79
status.
client-ip Only clients in this IP range can connect to this real user Not Specified
server.

value: 0
Maximum
value:
4294967295
Option Description

GCM-SHA256

GCM-SHA384

CHACHA20-
POLY1305-
SHA256

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

Fortinet Inc.
Option Description

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

WITH-
CHACHA20-
POLY1305-
SHA256

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

Fortinet Inc.
Option Description

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384

RSA-WITH-AES-
128-CBC-SHA

RSA-WITH-AES-
128-CBC-
SHA256

RSA-WITH-AES-
128-GCM-
SHA256

RSA-WITH-AES-
256-CBC-SHA

RSA-WITH-AES-
256-CBC-
SHA384

RSA-WITH-AES-
256-GCM-
SHA384

ECDSA-WITH-
AES-128-CBC-
SHA

Fortinet Inc.
Option Description

ECDSA-WITH-
AES-128-CBC-
SHA256

ECDSA-WITH-
AES-128-GCM-
SHA256

ECDSA-WITH-
AES-256-CBC-
SHA

ECDSA-WITH-
AES-256-CBC-
SHA384

ECDSA-WITH-
AES-256-GCM-
SHA384

AES-128-CBC-
SHA

AES-256-CBC-
SHA

AES-128-CBC-
SHA256

AES-128-GCM-
SHA256

AES-256-CBC-
SHA256

AES-256-GCM-
SHA384

Fortinet Inc.
Option Description

CAMELLIA-128-
CBC-SHA

CAMELLIA-256-
CBC-SHA

CAMELLIA-128-
CBC-SHA256

CAMELLIA-256-
CBC-SHA256

WITH-3DES-
EDE-CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA256

Fortinet Inc.
Option Description

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-SEED-
CBC-SHA

WITH-SEED-
CBC-SHA

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

SEED-CBC-SHA

ARIA-128-CBC-
SHA256

ARIA-256-CBC-
SHA384

Fortinet Inc.
Option Description

RSA-WITH-
ARIA-128-CBC-
SHA256

RSA-WITH-
ARIA-256-CBC-
SHA384

ECDSA-WITH-
ARIA-128-CBC-
SHA256

ECDSA-WITH-
ARIA-256-CBC-
SHA384

RSA-WITH-RC4-
128-SHA

RSA-WITH-
3DES-EDE-
CBC-SHA

WITH-3DES-
EDE-CBC-SHA

3DES-EDE-
CBC-SHA

RC4-128-MD5

RC4-128-SHA

WITH-DES-
CBC-SHA

Fortinet Inc.
Option Description

WITH-DES-
CBC-SHA

DES-CBC-SHA
with. 1.0 tls-1.1
tls-1.2 tls-
1.3
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

value: 0
Maximum
value:
4294967295
Option Description

GCM-SHA256

GCM-SHA384

CHACHA20-
POLY1305-
SHA256

Fortinet Inc.
Option Description

RSA-WITH-
CHACHA20-
POLY1305-
SHA256

ECDSA-WITH-
CHACHA20-
POLY1305-
SHA256

WITH-
CHACHA20-
POLY1305-
SHA256

WITH-AES-128-
CBC-SHA

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384

WITH-AES-128-
CBC-SHA

Fortinet Inc.
Option Description

WITH-AES-256-
CBC-SHA

WITH-AES-128-
CBC-SHA256

WITH-AES-128-
GCM-SHA256

WITH-AES-256-
CBC-SHA256

WITH-AES-256-
GCM-SHA384

RSA-WITH-AES-
128-CBC-SHA

RSA-WITH-AES-
128-CBC-
SHA256

RSA-WITH-AES-
128-GCM-
SHA256

RSA-WITH-AES-
256-CBC-SHA

RSA-WITH-AES-
256-CBC-
SHA384

RSA-WITH-AES-
256-GCM-
SHA384

Fortinet Inc.
Option Description

ECDSA-WITH-
AES-128-CBC-
SHA

ECDSA-WITH-
AES-128-CBC-
SHA256

ECDSA-WITH-
AES-128-GCM-
SHA256

ECDSA-WITH-
AES-256-CBC-
SHA

ECDSA-WITH-
AES-256-CBC-
SHA384

ECDSA-WITH-
AES-256-GCM-
SHA384

AES-128-CBC-
SHA

AES-256-CBC-
SHA

AES-128-CBC-
SHA256

AES-128-GCM-
SHA256

Fortinet Inc.
Option Description

AES-256-CBC-
SHA256

AES-256-GCM-
SHA384

CAMELLIA-128-
CBC-SHA

CAMELLIA-256-
CBC-SHA

CAMELLIA-128-
CBC-SHA256

CAMELLIA-256-
CBC-SHA256

WITH-3DES-
EDE-CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-128-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA

WITH-
CAMELLIA-256-
CBC-SHA

Fortinet Inc.
Option Description

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-128-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-
CAMELLIA-256-
CBC-SHA256

WITH-SEED-
CBC-SHA

WITH-SEED-
CBC-SHA

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

WITH-ARIA-128-
CBC-SHA256

WITH-ARIA-256-
CBC-SHA384

SEED-CBC-SHA

Fortinet Inc.
Option Description

ARIA-128-CBC-
SHA256

ARIA-256-CBC-
SHA384

RSA-WITH-
ARIA-128-CBC-
SHA256

RSA-WITH-
ARIA-256-CBC-
SHA384

ECDSA-WITH-
ARIA-128-CBC-
SHA256

ECDSA-WITH-
ARIA-256-CBC-
SHA384

RSA-WITH-RC4-
128-SHA

RSA-WITH-
3DES-EDE-
CBC-SHA

WITH-3DES-
EDE-CBC-SHA

3DES-EDE-
CBC-SHA

RC4-128-MD5

Fortinet Inc.
Option Description

RC4-128-SHA

WITH-DES-
CBC-SHA

WITH-DES-
CBC-SHA

DES-CBC-SHA
with. 1.0 tls-1.1
tls-1.2 tls-
1.3
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
config firewall vipgrp
Configure IPv4 virtual IP groups.

Description: Configure IPv4 virtual IP groups.
edit <name>
set color {integer}
set name {string}
set uuid {uuid}
next
end

Fortinet Inc.
the GUI. value: 0
Maximum
value: 32

Specified
interface Interface. string Not

Specified
member Member VIP objects of the group (Separate string Maximum

<name> multiple objects with a space). length: 79
VIP name.
name VIP group name. string Not

Specified

000000000000
config firewall vipgrp6
Configure IPv6 virtual IP groups.

Description: Configure IPv6 virtual IP groups.
edit <name>
set color {integer}
set name {string}
set uuid {uuid}
next
end
the GUI. value: 0
Maximum
value: 32

Fortinet Inc.

Specified
member Member VIP objects of the group (Separate string Maximum

<name> multiple objects with a space). length: 79
IPv6 VIP name.
name IPv6 VIP group name. string Not

Specified

000000000000
config firewall wildcard-fqdn custom
Config global/VDOM Wildcard FQDN address.

Description: Config global/VDOM Wildcard FQDN address.
edit <name>
set color {integer}
set name {string}
set uuid {uuid}
next
end
color GUI icon color. integer Minimum 0

value: 0
Maximum
value: 32

Specified

Specified

000000000000
wildcard-fqdn Wildcard FQDN. string Not

Specified

Fortinet Inc.
config firewall wildcard-fqdn group
Config global Wildcard FQDN address groups.

Description: Config global Wildcard FQDN address groups.
edit <name>
set color {integer}
set name {string}
set uuid {uuid}
next
end
color GUI icon color. integer Minimum 0

value: 0
Maximum
value: 32

Specified
member Address group members. string Maximum


Specified

000000000000

Fortinet Inc.
ftp-proxy

l config ftp-proxy explicit on page 481
config ftp-proxy explicit
Configure explicit FTP proxy settings.

Description: Configure explicit FTP proxy settings.
set incoming-ip {ipv4-address-any}
set incoming-port {user}
set outgoing-ip {ipv4-address-any}
set sec-default-action [accept|deny]
set ssl [enable|disable]
end
incoming-ip Accept incoming FTP requests from this IP address. An ipv4- Not 0.0.0.0
interface must have this IP address. address- Specified
any
incoming-port Accept incoming FTP requests on one or more ports. user Not
Specified
outgoing-ip Outgoing FTP requests will leave from this IP address. ipv4- Not
An interface must have this IP address. address- Specified
any
sec-default- Accept or deny explicit FTP proxy sessions when no option - deny
action FTP proxy firewall policy exists.
Option Description
accept Accept requests. All explicit FTP proxy traffic is accepted whether there is an
explicit FTP proxy policy or not
deny Deny requests unless there is a matching explicit FTP proxy policy.
ssl Enable/disable the explicit FTPS proxy. option - disable

Fortinet Inc.
Option Description
enable Enable the explicit FTPS proxy.
disable Disable the explicit FTPS proxy.
ssl-algorithm Relative strength of encryption algorithms accepted in option - high

negotiation.
Option Description
high High encryption. Allow only AES and ChaCha
ssl-cert Name of certificate for SSL connections to this server. string Not Fortinet_
Specified CA_SSL
Option Description
status Enable/disable the explicit FTP proxy. option - disable
Option Description
enable Enable the explicit FTP proxy.
disable Disable the explicit FTP proxy.

Fortinet Inc.
hardware

l config hardware cpu on page 483
l config hardware memory on page 483
l config hardware nic on page 483
l config hardware npu np6 dce on page 484
l config hardware npu np6 ipsec-stats on page 485
l config hardware npu np6 port-list on page 486
l config hardware npu np6 session-stats on page 487
l config hardware npu np6 sse-stats on page 488
l config hardware npu np6 synproxy-stats on page 489
l config hardware status on page 489
config hardware cpu
Display detailed information for all installed CPU(s).

config hardware cpu
Description: Display detailed information for all installed CPU(s).
end
config hardware memory
Display system memory information.

config hardware memory
Description: Display system memory information.
end
config hardware nic
Display NIC information.

config hardware nic
Description: Display NIC information.
set <nic> {string}
end

Fortinet Inc.
config hardware nic
<nic> NIC name. string Not

Specified
config hardware npu np6 dce
This command is available for model(s): FortiGate 1000D, FortiGate 1100E, FortiGate 1101E,
FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 2000E, FortiGate 2200E,
FortiGate 2201E, FortiGate 2500E, FortiGate 3000D, FortiGate 300E, FortiGate 301E,
FortiGate 3100D, FortiGate 3200D, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E,
FortiGate 3401E, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D,
FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E,
FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 601E, FortiGate 800D, FortiGate 900D.
FortiGate 101F, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F,
FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2600F, FortiGate
2601F, FortiGate 3500F, FortiGate 3501F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate
4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 60E DSLJ, FortiGate
60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F,
FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate
80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 90E,
FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F,
FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F
2R-POE, FortiWiFi 81F 2R.
Show NP6 non-zero subengine drop counters.

Description: Show NP6 non-zero subengine drop counters.
set <dev_id> {string}
end
<dev_id> NP6 ID string Not

Specified

Fortinet Inc.
config hardware npu np6 ipsec-stats
Show NP6 IPsec offloading statistics.

config hardware npu np6 ipsec-stats
Description: Show NP6 IPsec offloading statistics.
end

Fortinet Inc.
config hardware npu np6 port-list
Show NP6 port list.

config hardware npu np6 port-list
Description: Show NP6 port list.
end

Fortinet Inc.
config hardware npu np6 session-stats
Show NP6 session offloading statistics counters.

Description: Show NP6 session offloading statistics counters.
end

Specified

Fortinet Inc.
config hardware npu np6 sse-stats
Show NP6 hardware session statistics counters.

Description: Show NP6 hardware session statistics counters.
end

Specified

Fortinet Inc.
config hardware npu np6 synproxy-stats
This command is available for model(s): FortiGate 1100E, FortiGate 1101E, FortiGate 1200D,
FortiGate 1500DT, FortiGate 1500D, FortiGate 2000E, FortiGate 2200E, FortiGate 2201E,
FortiGate 2500E, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 5001E1,
FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 601E.
FortiGate 101E, FortiGate 101F, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F,
FortiGate 1801F, FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate
2600F, FortiGate 2601F, FortiGate 3500F, FortiGate 3501F, FortiGate 40F 3G4G, FortiGate
40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 60E
DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass,
FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE,
FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F,
FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F
2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
Show NP6 synproxy statistics.

config hardware npu np6 synproxy-stats
Description: Show NP6 synproxy statistics.
end
config hardware status
Hardware status.
config hardware status
Description: Hardware status.
end

Fortinet Inc.
icap

l config icap profile on page 490
l config icap server on page 495
config icap profile
Configure ICAP profiles.

config icap profile
Description: Configure ICAP profiles.
edit <name>
set chunk-encap [disable|enable]
set extension-feature {option1}, {option2}, ...
set icap-block-log [disable|enable]
config icap-headers
Description: Configure ICAP forwarded request headers.
edit <id>
set id {integer}
set name {string}
set content {string}
set base64-encoding [disable|enable]
next
end
set methods {option1}, {option2}, ...
set name {string}
set preview [disable|enable]
set preview-data-length {integer}
set request [disable|enable]
set request-failure [error|bypass]
set request-path {string}
set request-server {string}
set respmod-default-action [forward|bypass]
config respmod-forward-rules
Description: ICAP response mode forward rules.
edit <name>
set name {string}
set host {string}
config header-group
Description: HTTP header group.
edit <id>
set id {integer}
set header {string}
next
end
set action [forward|bypass]

Fortinet Inc.
set http-resp-status-code <code1>, <code2>, ...
next
end
set response [disable|enable]
set response-failure [error|bypass]
set response-path {string}
set response-req-hdr [disable|enable]
set response-server {string}
set scan-progress-interval {integer}
set streaming-content-bypass [disable|enable]
next
end
config icap profile
chunk-encap Enable/disable chunked encapsulation. option - disable
Option Description
disable Do not encapsulate chunked data.
enable Encapsulate chunked data into a new chunk.
extension- Enable/disable ICAP extension features. option -

feature
Option Description
scan-progress Support X-Scan-Progress-Interval ICAP header.
icap-block-log Enable/disable UTM log when infection found. option - disable
Option Description
disable Disable UTM log when infection found.
enable Enable UTM log when infection found.
methods The allowed HTTP methods that will be sent to ICAP option - delete get
server for further processing. head
options
post put
trace other
Option Description
delete Forward HTTP request or response with DELETE method to ICAP server for
further processing.
get Forward HTTP request or response with GET method to ICAP server for
further processing.

Fortinet Inc.
Option Description
head Forward HTTP request or response with HEAD method to ICAP server for
further processing.
options Forward HTTP request or response with OPTIONS method to ICAP server for
further processing.
post Forward HTTP request or response with POST method to ICAP server for
further processing.
put Forward HTTP request or response with PUT method to ICAP server for
further processing.
trace Forward HTTP request or response with TRACE method to ICAP server for
further processing.
other Forward HTTP request or response with All other methods to ICAP server for
further processing.
name ICAP profile name. string Not

Specified
preview Enable/disable preview of data to ICAP server. option - disable
Option Description
disable Disable preview of data to ICAP server.
enable Enable preview of data to ICAP server.
preview-data- Preview data length to be sent to ICAP server. integer Minimum 0

length value: 0
Maximum
value: 4096

group Specified
request Enable/disable whether an HTTP request is passed to option - disable

an ICAP server.
Option Description
disable Disable HTTP request passing to ICAP server.
enable Enable HTTP request passing to ICAP server.
request-failure Action to take if the ICAP server cannot be contacted option - error
when processing an HTTP request.

Fortinet Inc.
Option Description
error Error.
bypass Bypass.
request-path Path component of the ICAP URI that identifies the string Not
HTTP request processing service. Specified
request-server ICAP server to use for an HTTP request. string Not

Specified
respmod- Default action to ICAP response modification option - forward

default-action (respmod) processing.
Option Description
forward Forward response to icap server unless a rule specifies not to.
bypass Don't forward request to icap server unless a rule specifies to forward the
request.
response Enable/disable whether an HTTP response is passed to option - disable

an ICAP server.
Option Description
disable Disable HTTP response passing to ICAP server.
enable Enable HTTP response passing to ICAP server.
response- Action to take if the ICAP server cannot be contacted option - error
failure when processing an HTTP response.
Option Description
error Error.
bypass Bypass.
response-path Path component of the ICAP URI that identifies the string Not
HTTP response processing service. Specified
response-req- Enable/disable addition of req-hdr for ICAP response option - enable

hdr modification (respmod) processing.
Option Description
disable Do not add req-hdr for response modification (respmod) processing.
enable Add req-hdr for response modification (respmod) processing.

Fortinet Inc.
response- ICAP server to use for an HTTP response. string Not

server Specified
scan- Scan progress interval value. integer Minimum 10

progress- value: 5
interval Maximum
value: 30
streaming- Enable/disable bypassing of ICAP server for streaming option - disable

content- content.
bypass
Option Description
disable Disable bypassing of ICAP server for streaming content.
enable Enable bypassing of ICAP server for streaming content.
config icap-headers
id HTTP forwarded header ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name HTTP forwarded header name. string Not Specified
content HTTP header content. string Not Specified
base64- Enable/disable use of base64 encoding of HTTP option - disable

encoding content.
Option Description
disable Disable use of base64 encoding of HTTP content.
enable Enable use of base64 encoding of HTTP content.
config respmod-forward-rules

Specified
host Address object for the host. string Not

Specified

Fortinet Inc.
action Action to be taken for ICAP server. option - forward
Option Description
forward Forward request to ICAP server when this rule is matched.
bypass Don't forward request to ICAP server when this rule is matched.
http-resp- HTTP response status code. integer Minimum 440275604 **

status-code HTTP response status code. value: 100
<code> Maximum
value: 599
config header-group

value: 0
Maximum
value:
4294967295
header-name HTTP header. string Not Specified
header HTTP header regular expression. string Not Specified
case- Enable/disable case sensitivity when matching option - disable

sensitivity header.
Option Description
disable Ignore case when matching header.
enable Do not ignore case when matching header.
config icap server
Configure ICAP servers.

config icap server
Description: Configure ICAP servers.
edit <name>
set ip-address {ipv4-address-any}
set ip6-address {ipv6-address}
set name {string}
set port {integer}
set secure [enable|disable]

Fortinet Inc.
next
end
config icap server
ip-address IPv4 address of the ICAP server. ipv4- Not 0.0.0.0

address- Specified
any
ip-version IP version. option - 4
Option Description
4 IPv4 ICAP address.
6 IPv6 ICAP address.
ip6-address IPv6 address of the ICAP server. ipv6- Not ::

address Specified
max- Maximum number of concurrent connections to ICAP integer Minimum 100

connections server. Must not be less than wad-worker-count. value: 1
Maximum
value:
65535

Specified
port ICAP server port. integer Minimum 1344

value: 1
Maximum
value:
65535
secure Enable/disable secure connection to ICAP server. option - disable
Option Description
enable Enable secure connection to ICAP server.
disable Disable secure connection to ICAP server.
ssl-cert CA certificate name. string Not

Specified

Fortinet Inc.
ips

l config ips custom on page 497
l config ips decoder on page 499
l config ips global on page 499
l config ips rule-settings on page 503
l config ips rule on page 503
l config ips sensor on page 506
l config ips session on page 510
l config ips settings on page 511
l config ips view-map on page 511
config ips custom
Configure IPS custom signature.

config ips custom
Description: Configure IPS custom signature.
edit <tag>
set application {user}
set location {user}
set os {user}
set protocol {user}
set rule-id {integer}
set severity {user}
set signature {var-string}
set tag {string}
next
end
config ips custom
action Default action (pass or block) for this signature. option - pass
Option Description

Fortinet Inc.
Option Description
application Applications to be protected. Blank for all user Not Specified

applications.
comment Comment. string Not Specified
location Protect client or server traffic. user Not Specified
log Enable/disable logging. option - enable
Option Description
Option Description
os Operating system(s) that the signature protects. user Not Specified

Blank for all operating systems.
protocol Protocol(s) that the signature scans. Blank for all user Not Specified
protocols.
rule-id Signature ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
severity Relative severity of the signature, from info to critical. user Not Specified
Log messages generated by the signature include the
severity.
signature Custom signature enclosed in single quotes. var-string Not Specified
status Enable/disable this signature. option - enable
Option Description
tag Signature tag. string Not Specified

Fortinet Inc.
config ips decoder
Configure IPS decoder.

config ips decoder
Description: Configure IPS decoder.
edit <name>
set name {string}
config parameter
Description: IPS group parameters.
edit <name>
set name {string}
set value {string}
next
end
next
end
config ips decoder
name Decoder name. string Not

Specified
config parameter
name Parameter name. string Not

Specified
value Parameter value. string Not

Specified
config ips global
Configure IPS global parameter.

config ips global
Description: Configure IPS global parameter.
set anomaly-mode [periodical|continuous]
set cp-accel-mode [none|basic|...]
set database [regular|extended]
set deep-app-insp-db-limit {integer}
set deep-app-insp-timeout {integer}
set engine-count {integer}
set exclude-signatures [none|industrial]
set fail-open [enable|disable]
set ips-reserve-cpu [disable|enable]
set ngfw-max-scan-range {integer}
set np-accel-mode [none|basic]

Fortinet Inc.
set packet-log-queue-depth {integer}
set session-limit-mode [accurate|heuristic]
set socket-size {integer}
set sync-session-ttl [enable|disable]
config tls-active-probe
Description: TLS active probe configuration.
set vdom {string}
set source-ip6 {ipv6-address}
end
set traffic-submit [enable|disable]
end
config ips global
anomaly- Global blocking mode for rate-based anomalies. option - continuous

mode
Option Description
periodical After an anomaly is detected, allow the number of packets per second
according to the anomaly configuration.
continuous Block packets once an anomaly is detected. Overrides individual anomaly

settings.
cp-accel- IPS Pattern matching acceleration/offloading to CPx option - advanced

mode * processors.
Option Description
none CPx acceleration/offloading disabled.
basic Offload basic pattern matching to CPx processors.
advanced Offload more types of pattern matching resulting in higher throughput than
basic mode. Requires two CP8s or one CP9.
database Regular or extended IPS database. Regular option - extended **

protects against the latest common and in-the-wild
attacks. Extended includes protection from legacy
attacks.
Option Description
regular IPS regular database package.
extended IPS extended database package.

Fortinet Inc.
deep-app- Limit on number of entries in deep application integer Minimum 0

insp-db-limit inspection database. value: 0
Maximum
value:
2147483647
deep-app- Timeout for Deep application inspection. integer Minimum 0

insp-timeout value: 0
Maximum
value:
2147483647
engine-count Number of IPS engines running. If set to the default integer Minimum 0
value of 0, FortiOS sets the number to optimize value: 0
performance depending on the number of CPU Maximum
cores. value: 255
exclude- Excluded signatures. option - industrial

signatures
Option Description
none No signatures excluded.
industrial Exclude industrial signatures.
fail-open Enable to allow traffic if the IPS buffer is full. Default option - disable
is disable and IPS traffic is blocked when the IPS
buffer is full.
Option Description
enable Enable IPS fail open.
disable Disable IPS fail open.
ips-reserve- Enable/disable IPS daemon's use of CPUs other option - disable

cpu * than CPU 0
Option Description
disable Disable IPS daemon's use of CPUs other than CPU 0 (all daemons run on all
CPUs).
enable Enable IPS daemon's use of CPUs other than CPU 0.
ngfw-max- NGFW policy-mode app detection threshold. integer Minimum 4096

scan-range value: 0
Maximum
value:
4294967295

Fortinet Inc.
np-accel- Acceleration mode for IPS processing by NPx option - basic

mode * processors.
Option Description
none NPx acceleration disabled.
basic NPx acceleration enabled.
packet-log- Packet/pcap log queue depth per IPS engine. integer Minimum 128
queue-depth value: 128
Maximum
value: 4096
session-limit- Method of counting concurrent sessions used by option - heuristic

mode session limit anomalies. Choose between greater
accuracy (accurate) or improved performance
(heuristics).
Option Description
accurate Accurately count concurrent sessions, demands more resources.
heuristic Use heuristics to estimate the number of concurrent sessions. Acceptable in

most cases.
socket-size IPS socket buffer size. Max and default value integer Minimum 128 **
depend on available memory. Can be changed to value: 0
tune performance. Maximum
value: 256 **
sync-session- Enable/disable use of kernel session TTL for IPS option - enable
ttl sessions.
Option Description
enable Enable use of kernel session TTL for IPS sessions.
disable Disable use of kernel session TTL for IPS sessions.
traffic-submit Enable/disable submitting attack data found by this option - disable

FortiGate to FortiGuard.
Option Description
enable Enable traffic submit.
disable Disable traffic submit.


Fortinet Inc.
config tls-active-probe
interface- Specify how to select outgoing interface to reach server. option - auto
select-method
Option Description

Specified
vdom Virtual domain name for TLS active probe. string Not
Specified
source-ip Source IP address used for TLS active probe. ipv4- Not 0.0.0.0
address Specified
source-ip6 Source IPv6 address used for TLS active probe. ipv6- Not ::
address Specified
config ips rule-settings
Configure IPS rule setting.

Description: Configure IPS rule setting.
edit <id>
set id {integer}
next
end

value: 0
Maximum
value:
4294967295
config ips rule
Configure IPS rules.

Fortinet Inc.
config ips rule
Description: Configure IPS rules.
edit <name>
set date {integer}
set group {string}
set location {user}
config metadata
Description: Meta data.
edit <id>
set id {integer}
set metaid {integer}
set valueid {integer}
next
end
set name {string}
set os {user}
set rev {integer}
set service {user}
set severity {user}
next
end
config ips rule
action Action. option - pass
Option Description
application Vulnerable applications. user Not Specified
date Date. integer Minimum 0

value: 0
Maximum
value:
4294967295
group Group. string Not Specified
location Vulnerable location. user Not Specified

Fortinet Inc.
Option Description
Option Description
name Rule name. string Not Specified
os Vulnerable operation systems. user Not Specified
rev Revision. integer Minimum 0

value: 0
Maximum
value:
4294967295
rule-id Rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
service Vulnerable service. user Not Specified
severity Severity. user Not Specified
Option Description
config metadata

value: 0
Maximum
value:
4294967295

Fortinet Inc.
metaid Meta ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
valueid Value ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config ips sensor
Configure IPS sensor.

config ips sensor
Description: Configure IPS sensor.
edit <name>
set block-malicious-url [disable|enable]
config entries
Description: IPS sensor filter.
edit <id>
set id {integer}
set rule <id1>, <id2>, ...
set location {user}
set severity {user}
set protocol {user}
set os {user}
set cve <cve-entry1>, <cve-entry2>, ...
set status [disable|enable|...]
set log-attack-context [disable|enable]
set action [pass|block|...]
set rate-count {integer}
set rate-duration {integer}
set rate-mode [periodical|continuous]
set rate-track [none|src-ip|...]
config exempt-ip
Description: Traffic from selected source or destination IP addresses is
exempt from this signature.
edit <id>
set id {integer}
set src-ip {ipv4-classnet}
set dst-ip {ipv4-classnet}
next
end

Fortinet Inc.
next
end
set name {string}
set scan-botnet-connections [disable|block|...]
next
end
config ips sensor
block- Enable/disable malicious URL blocking. option - disable

malicious-url
Option Description
disable Disable malicious URL blocking.
enable Enable malicious URL blocking.

Specified
Option Description
name Sensor name. string Not

Specified

group Specified
scan-botnet- Block or monitor connections to Botnet servers, or option - disable

connections disable Botnet scanning.
Option Description
disable Do not scan connections to botnet servers.
block Block connections to botnet servers.
monitor Log connections to botnet servers.

Fortinet Inc.
config entries
id Rule ID in IPS database. integer Minimum 0

value: 0
Maximum
value:
4294967295
rule <id> Identifies the predefined or custom IPS signatures integer Minimum
to add to the sensor. value: 0
Rule IPS. Maximum
value:
4294967295
location Protect client or server traffic. user Not Specified all
severity Relative severity of the signature, from info to user Not Specified all
critical. Log messages generated by the signature
include the severity.
protocol Protocols to be examined. Use all for every protocol user Not Specified all
and other for unlisted protocols.
os Operating systems to be protected. Use all for every user Not Specified all
operating system and other for unlisted operating
systems.
application Operating systems to be protected. Use all for every user Not Specified all
application and other for unlisted application.
cve <cve- List of CVE IDs of the signatures to add to the string Maximum
entry> sensor. length: 19
CVE IDs or CVE wildcards.
status Status of the signatures included in filter. Only those option - default
filters with a status to enable are used.
Option Description
disable Disable status of selected rules.
enable Enable status of selected rules.
default Default.
log Enable/disable logging of signatures included in option - enable

filter.
Option Description
disable Disable logging of selected rules.
enable Enable logging of selected rules.

Fortinet Inc.
log-packet Enable/disable packet logging. Enable to save the option - disable

packet that triggers the filter. You can download the
packets in pcap format for diagnostic use.
Option Description
disable Disable packet logging of selected rules.
enable Enable packet logging of selected rules.
log-attack- Enable/disable logging of attack context: URL option - disable

context buffer, header buffer, body buffer, packet buffer.
Option Description
disable Disable logging of detailed attack context.
enable Enable logging of detailed attack context.
action Action taken with traffic in which signatures are option - default
detected.
Option Description
default Pass or drop matching traffic, depending on the default action of the signature.
rate-count Count of the rate. integer Minimum 0

value: 0
Maximum
value: 65535
rate-duration Duration (sec) of the rate. integer Minimum 60

value: 1
Maximum
value: 65535
rate-mode Rate limit mode. option - continuous
Option Description
periodical Allow configured number of packets every rate-duration.
continuous Block packets once the rate is reached.
rate-track Track the packet protocol field. option - none

Fortinet Inc.
Option Description
none none
src-ip Source IP.
dhcp-client-mac DHCP client.
dns-domain DNS domain.
Option Description

expiry attacker.

log
Option Description
config exempt-ip
id Exempt IP ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
src-ip Source IP address and netmask (applies to packet ipv4- Not Specified 0.0.0.0
matching the signature). classnet 0.0.0.0
dst-ip Destination IP address and netmask (applies to ipv4- Not Specified 0.0.0.0
packet matching the signature). classnet 0.0.0.0
config ips session
Session status.

Fortinet Inc.
config ips session
Description: Session status.
end
config ips settings
Configure IPS VDOM parameter.

config ips settings
Description: Configure IPS VDOM parameter.
set ips-packet-quota {integer}
set packet-log-history {integer}
set packet-log-memory {integer}
set packet-log-post-attack {integer}
end
config ips settings
ips-packet- Maximum amount of disk space in MB for logged integer Minimum 0

quota packets when logging to disk. Range depends on disk value: 0
size. Maximum
value:
4294967295
packet-log- Number of packets to capture before and including integer Minimum 1

history the one in which the IPS signature is detected. value: 1
Maximum
value: 255
packet-log- Maximum memory can be used by packet log. integer Minimum 256
memory value: 64
Maximum
value: 8192
packet-log- Number of packets to log after the IPS signature is integer Minimum 0
post-attack detected. value: 0
Maximum
value: 255
config ips view-map
Configure IPS view-map.

config ips view-map
Description: Configure IPS view-map.
edit <id>
set id {integer}
set id-policy-id {integer}
set policy-id {integer}

Fortinet Inc.
set vdom-id {integer}
set which [firewall|interface|...]
next
end
config ips view-map
id View ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
id-policy-id ID-based policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
policy-id Policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
vdom-id VDOM ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
which Policy. option - firewall
Option Description
firewall Firewall policy.
interface Interface policy.
interface6 Interface policy6.
sniffer Sniffer policy.
sniffer6 Sniffer policy6.
explicit explicit proxy policy.

Fortinet Inc.
ipsec

l config ipsec tunnel on page 513
config ipsec tunnel
IPsec tunnel.
config ipsec tunnel
Description: IPsec tunnel.
end

Fortinet Inc.
log

l config log custom-field on page 515
l config log disk filter on page 516
l config log disk setting on page 519
l config log eventfilter on page 525
l config log fortianalyzer-cloud filter on page 527
l config log fortianalyzer-cloud override-filter on page 531
l config log fortianalyzer-cloud override-setting on page 534
l config log fortianalyzer-cloud setting on page 535
l config log fortianalyzer2 filter on page 538
l config log fortianalyzer2 override-filter on page 542
l config log fortianalyzer2 override-setting on page 545
l config log fortianalyzer2 setting on page 549
l config log fortianalyzer3 filter on page 553
l config log fortianalyzer3 override-filter on page 556
l config log fortianalyzer3 override-setting on page 560
l config log fortianalyzer3 setting on page 564
l config log fortianalyzer filter on page 568
l config log fortianalyzer override-filter on page 571
l config log fortianalyzer override-setting on page 574
l config log fortianalyzer setting on page 578
l config log fortiguard filter on page 582
l config log fortiguard override-filter on page 585
l config log fortiguard override-setting on page 589
l config log fortiguard setting on page 590
l config log gui-display on page 593
l config log memory filter on page 594
l config log memory global-setting on page 597
l config log memory setting on page 598
l config log null-device filter on page 598
l config log null-device setting on page 601
l config log setting on page 602
l config log syslogd2 filter on page 606
l config log syslogd2 override-filter on page 609
l config log syslogd2 override-setting on page 612
l config log syslogd2 setting on page 616

Fortinet Inc.
l config log syslogd filter on page 648
l config log syslogd override-filter on page 651
l config log syslogd override-setting on page 654
l config log syslogd setting on page 658
l config log tacacs+accounting2 filter on page 662
l config log tacacs+accounting2 setting on page 663
l config log tacacs+accounting3 filter on page 663
l config log tacacs+accounting3 setting on page 664
l config log tacacs+accounting filter on page 665
l config log tacacs+accounting setting on page 666
l config log threat-weight on page 666
l config log webtrends filter on page 677
l config log webtrends setting on page 680
config log custom-field
Configure custom log fields.

Description: Configure custom log fields.
edit <id>
set id {string}
set name {string}
set value {string}
next
end
id Field ID string. string Not

Specified
name Field name (max: 15 characters). string Not

Specified
value Field value (max: 15 characters). string Not

Specified

Fortinet Inc.
config log disk filter
Configure filters for local disk logging. Use these filters to determine the log messages to record according to severity
and type.
Description: Configure filters for local disk logging. Use these filters to determine
the log messages to record according to severity and type.
set anomaly [enable|disable]
set dlp-archive [enable|disable]
set forward-traffic [enable|disable]
config free-style
Description: Free style filters.
edit <id>
set id {integer}
set category [traffic|event|...]
set filter {string}
set filter-type [include|exclude]
next
end
set gtp [enable|disable]
set local-traffic [enable|disable]
set multicast-traffic [enable|disable]
set sniffer-traffic [enable|disable]
set voip [enable|disable]
set ztna-traffic [enable|disable]
end
anomaly Enable/disable anomaly logging. option - enable
Option Description
dlp-archive * Enable/disable DLP archive logging. option - enable
Option Description
enable Enable DLP archive logging.
disable Disable DLP archive logging.
forward-traffic Enable/disable forward traffic logging. option - enable

Fortinet Inc.
Option Description
enable Enable forward traffic logging.
disable Disable forward traffic logging.
gtp * Enable/disable GTP messages logging. option - enable
Option Description
enable Enable GTP messages logging.
disable Disable GTP messages logging.
local-traffic Enable/disable local in or out traffic logging. option - enable
Option Description
enable Enable local in or out traffic logging.
disable Disable local in or out traffic logging.
multicast- Enable/disable multicast traffic logging. option - enable

traffic
Option Description
enable Enable multicast traffic logging.
disable Disable multicast traffic logging.
severity Log to disk every message above and including this option - information
severity level.
Option Description
alert Alert level.
error Error level.
debug Debug level.
sniffer-traffic Enable/disable sniffer traffic logging. option - enable

Fortinet Inc.
Option Description
enable Enable sniffer traffic logging.
disable Disable sniffer traffic logging.
voip Enable/disable VoIP logging. option - enable
Option Description
enable Enable VoIP logging.
disable Disable VoIP logging.
ztna-traffic Enable/disable ztna traffic logging. option - enable
Option Description
enable Enable ztna traffic logging.
disable Disable ztna traffic logging.
config free-style

value: 0
Maximum
value:
4294967295
category Log category. option - traffic
Option Description
traffic Traffic log.
event Event log.
virus Antivirus log.
webfilter Web filter log.
attack Attack log.
spam Antispam log.
anomaly Anomaly log.
voip VoIP log.

Fortinet Inc.
Option Description
dlp DLP log.
app-ctrl Application control log.
waf Web application firewall log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
file-filter File filter log.
icap ICAP log.
filter Free style filter string. string Not Specified
filter-type Include/exclude logs that match the filter. option - include
Option Description
include Include logs that match the filter.
exclude Exclude logs that match the filter.
config log disk setting
Settings for local disk logging.

Description: Settings for local disk logging.
set diskfull [overwrite|nolog]
set dlp-archive-quota {integer}
set full-final-warning-threshold {integer}
set full-first-warning-threshold {integer}
set full-second-warning-threshold {integer}
set ips-archive [enable|disable]
set log-quota {integer}
set max-log-file-size {integer}
set max-policy-packet-capture-size {integer}
set maximum-log-age {integer}
set report-quota {integer}
set roll-day {option1}, {option2}, ...
set roll-schedule [daily|weekly]
set roll-time {user}
set upload [enable|disable]
set upload-delete-files [enable|disable]

Fortinet Inc.
set upload-destination {option}
set upload-ssl-conn [default|high|...]
set uploaddir {string}
set uploadip {ipv4-address}
set uploadpass {password}
set uploadport {integer}
set uploadsched [disable|enable]
set uploadtime {user}
set uploadtype {option1}, {option2}, ...
set uploaduser {string}
end
diskfull Action to take when disk is full. The system can option - overwrite
overwrite the oldest log messages or stop logging
when the disk is full.
Option Description
overwrite Overwrite the oldest logs when the log disk is full.
nolog Stop logging when the log disk is full.
dlp-archive- DLP archive quota (MB). integer Minimum 0

quota value: 0
Maximum
value:
4294967295
full-final- Log full final warning threshold as a percent. integer Minimum 95

warning- value: 3
threshold Maximum
value: 100
full-first- Log full first warning threshold as a percent. integer Minimum 75

warning- value: 1
threshold Maximum
value: 98
full-second- Log full second warning threshold as a percent. integer Minimum 90

warning- value: 2
threshold Maximum
value: 99
interface Specify outgoing interface to reach server. string Not Specified
interface- Specify how to select outgoing interface to reach option - auto

select-method server.

Fortinet Inc.
Option Description
ips-archive Enable/disable IPS packet archiving to the local option - enable

disk.
Option Description
enable Enable IPS packet archiving.
disable Disable IPS packet archiving.
log-quota Disk log quota (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295
max-log-file- Maximum log file size before rolling. integer Minimum 20

size value: 1
Maximum
value: 100
max-policy- Maximum size of policy sniffer in MB (0 means integer Minimum 100

packet- unlimited). value: 0
capture-size Maximum
value:
4294967295
maximum-log- Delete log files older than (days). integer Minimum 7

age value: 0
Maximum
value: 3650
report-quota * Report db quota (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295
roll-day Day of week on which to roll log file. option - sunday
Option Description
sunday Sunday

Fortinet Inc.
Option Description
monday Monday
tuesday Tuesday
wednesday Wednesday
thursday Thursday
friday Friday
saturday Saturday
roll-schedule Frequency to check log file for rolling. option - daily
Option Description
daily Check the log file once a day.
weekly Check the log file once a week.
roll-time Time of day to roll the log file (hh:mm). user Not Specified
source-ip Source IP address to use for uploading disk log ipv4- Not Specified 0.0.0.0
files. address
status Enable/disable local disk logging. option - disable **
Option Description
enable Log to local disk.
disable Do not log to local disk.
upload Enable/disable uploading log files when they are option - disable
rolled.
Option Description
enable Enable uploading log files when they are rolled.
disable Disable uploading log files when they are rolled.
upload-delete- Delete log files after uploading. option - enable

files
Option Description
enable Delete log files after uploading.
disable Do not delete log files after uploading.

Fortinet Inc.
upload- The type of server to upload log files to. Only FTP is option - ftp-server
destination currently supported.
Option Description
ftp-server Upload rolled log files to an FTP server.
upload-ssl- Enable/disable encrypted FTPS communication to option - default

conn upload log files.
Option Description
default FTPS with high and medium encryption algorithms.
high FTPS with high encryption algorithms.
low FTPS with low encryption algorithms.
disable Disable FTPS communication.
uploaddir The remote directory on the FTP server to upload string Not Specified
log files to.
uploadip IP address of the FTP server to upload log files to. ipv4- Not Specified 0.0.0.0
address
uploadpass Password required to log into the FTP server to password Not Specified
upload disk log files.
uploadport TCP port to use for communicating with the FTP integer Minimum 21
server. value: 0
Maximum
value: 65535
uploadsched Set the schedule for uploading log files to the FTP option - disable
server.
Option Description
disable Upload when rolling.
enable Scheduled upload.
uploadtime Time of day at which log files are uploaded if user Not Specified
uploadsched is enabled (hh:mm or hh).

Fortinet Inc.
uploadtype Types of log files to upload. Separate multiple option - traffic event
entries with a space. virus
webfilter
IPS
emailfilter
dlp-archive
anomaly
voip dlp
app-ctrl waf
dns ssh ssl
**
Option Description
traffic Upload traffic log.
event Upload event log.
virus Upload anti-virus log.
webfilter Upload web filter log.
IPS Upload IPS log.
emailfilter Upload spam filter log.
dlp-archive Upload DLP archive.
anomaly Upload anomaly log.
voip Upload VoIP log.
dlp Upload DLP log.
app-ctrl Upload application control log.
waf Upload web application firewall log.
dns Upload DNS log.
ssh Upload SSH log.
ssl Upload SSL log.
file-filter Upload file-filter log.
icap Upload ICAP log.
uploaduser Username required to log into the FTP server to string Not Specified
upload disk log files.


Fortinet Inc.
config log eventfilter
Configure log event filters.

Description: Configure log event filters.
set cifs [enable|disable]
set connector [enable|disable]
set endpoint [enable|disable]
set event [enable|disable]
set fortiextender [enable|disable]
set ha [enable|disable]
set rest-api [enable|disable]
set router [enable|disable]
set sdwan [enable|disable]
set security-rating [enable|disable]
set switch-controller [enable|disable]
set system [enable|disable]
set user [enable|disable]
set vpn [enable|disable]
set wan-opt [enable|disable]
set wireless-activity [enable|disable]
end
cifs Enable/disable CIFS logging. option - enable
Option Description
enable Enable CIFS logging.
disable Disable CIFS logging.
connector Enable/disable SDN connector logging. option - enable
Option Description
enable Enable SDN connector logging.
disable Disable SDN connector logging.
endpoint Enable/disable endpoint event logging. option - enable
Option Description
enable Enable endpoint event logging.
disable Disable endpoint event logging.
event Enable/disable event logging. option - enable

Fortinet Inc.
Option Description
enable Enable event logging.
disable Disable event logging.
fortiextender Enable/disable FortiExtender logging. option - enable
Option Description
enable Enable Forti-Extender logging.
disable Disable Forti-Extender logging.
ha Enable/disable ha event logging. option - enable
Option Description
enable Enable ha event logging.
disable Disable ha event logging.
rest-api Enable/disable REST API logging. option - enable
Option Description
enable Enable REST API logging.
disable Disable REST API logging.
router Enable/disable router event logging. option - enable
Option Description
enable Enable router event logging.
disable Disable router event logging.
sdwan Enable/disable SD-WAN logging. option - enable
Option Description
enable Enable SD-WAN logging.
disable Disable SD-WAN logging.
security-rating Enable/disable Security Rating result logging. option - enable
Option Description
enable Enable Security Fabric audit result logging.
disable Disable Security Fabric audit result logging.

Fortinet Inc.
switch- Enable/disable Switch-Controller logging. option - enable

controller
Option Description
enable Enable Switch-Controller logging.
disable Disable Switch-Controller logging.
system Enable/disable system event logging. option - enable
Option Description
enable Enable system event logging.
disable Disable system event logging.
user Enable/disable user authentication event logging. option - enable
Option Description
enable Enable user authentication event logging.
disable Disable user authentication event logging.
vpn Enable/disable VPN event logging. option - enable
Option Description
enable Enable VPN event logging.
disable Disable VPN event logging.
wan-opt Enable/disable WAN optimization event logging. option - enable
Option Description
enable Enable WAN optimization event logging.
disable Disable WAN optimization event logging.
wireless- Enable/disable wireless event logging. option - enable

activity
Option Description
enable Enable wireless event logging.
disable Disable wireless event logging.
config log fortianalyzer-cloud filter
Filters for FortiAnalyzer Cloud.

Fortinet Inc.
Description: Filters for FortiAnalyzer Cloud.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end
Option Description
dlp-archive Enable/disable DLP archive logging. option - disable
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description

traffic
Option Description
severity Lowest severity level to log. option - information
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description

Fortinet Inc.
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.

Fortinet Inc.
Option Description
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log fortianalyzer-cloud override-filter
Override filters for FortiAnalyzer Cloud.

Description: Override filters for FortiAnalyzer Cloud.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end

Fortinet Inc.
Option Description
dlp-archive Enable/disable DLP archive logging. option - disable
Option Description
Option Description
Option Description
Option Description

traffic
Option Description

Fortinet Inc.
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log fortianalyzer-cloud override-setting
Override FortiAnalyzer Cloud settings.

Description: Override FortiAnalyzer Cloud settings.
end

Fortinet Inc.
status Enable/disable logging to FortiAnalyzer. option - disable
Option Description
enable Enable logging to FortiAnalyzer.
disable Disable logging to FortiAnalyzer.
config log fortianalyzer-cloud setting
Global FortiAnalyzer Cloud settings.

Description: Global FortiAnalyzer Cloud settings.
set access-config [enable|disable]
set certificate {string}
set certificate-verification [enable|disable]
set conn-timeout {integer}
set enc-algorithm [high-medium|high|...]
set hmac-algorithm [sha256|sha1]
set max-log-rate {integer}
set monitor-failure-retry-period {integer}
set monitor-keepalive-period {integer}
set preshared-key {string}
set priority [default|low]
set serial <name1>, <name2>, ...
set source-ip {string}
set ssl-min-proto-version [default|SSLv3|...]
set upload-day {user}
set upload-interval [daily|weekly|...]
set upload-option [store-and-upload|realtime|...]
set upload-time {user}
end
access-config Enable/disable FortiAnalyzer access to configuration option - enable

and data.

Fortinet Inc.
Option Description
enable Enable FortiAnalyzer access to configuration and data.
disable Disable FortiAnalyzer access to configuration and data.
certificate Certificate used to communicate with FortiAnalyzer. string Not

Specified
certificate- Enable/disable identity verification of FortiAnalyzer by option - enable

verification use of certificate.
Option Description
enable Enable identity verification of FortiAnalyzer by use of certificate.
disable Disable identity verification of FortiAnalyzer by use of certificate.
conn-timeout FortiAnalyzer connection time-out in seconds (for status integer Minimum 10

and log buffer). value: 1
Maximum
value: 3600
enc-algorithm Configure the level of SSL protection for secure option - high
communication with FortiAnalyzer.
Option Description
high-medium Encrypt logs using high and medium encryption algorithms.
high Encrypt logs using high encryption algorithms.
low Encrypt logs using all encryption algorithms.
hmac- FortiAnalyzer IPsec tunnel HMAC algorithm. option - sha256

algorithm
Option Description
sha256 Use SHA256 as HMAC algorithm.
sha1 Step down to SHA1 as the HMAC algorithm.

Specified
select-method
Option Description

Fortinet Inc.
Option Description
ips-archive Enable/disable IPS packet archive logging. option - disable
Option Description
enable Enable IPS packet archive logging.
disable Disable IPS packet archive logging.
max-log-rate FortiAnalyzer maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000
monitor- Time between FortiAnalyzer connection retries in integer Minimum 5

failure-retry- seconds (for status and log buffer). value: 1
period Maximum
value:
86400
monitor- Time between OFTP keepalives in seconds (for status integer Minimum 5
keepalive- and log buffer). value: 1
period Maximum
value: 120
preshared- Preshared-key used for auto-authorization on string Not

key FortiAnalyzer. Specified
priority Set log transmission priority. option - default
Option Description
default Set FortiAnalyzer log transmission priority to default.
low Set FortiAnalyzer log transmission priority to low.
serial <name> Serial numbers of the FortiAnalyzer. string Maximum

Serial Number. length: 79
source-ip Source IPv4 or IPv6 address used to communicate with string Not
FortiAnalyzer. Specified
ssl-min-proto- Minimum supported protocol version for SSL/TLS option - default

version connections.

Fortinet Inc.
Option Description
default Follow system global setting.
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
Option Description
upload-day Day of week (month) to upload logs. user Not

Specified
upload- Frequency to upload log files to FortiAnalyzer. option - daily

interval
Option Description
daily Upload log files to FortiAnalyzer once a day.
weekly Upload log files to FortiAnalyzer once a week.
monthly Upload log files to FortiAnalyzer once a month.
upload-option Enable/disable logging to hard disk and then uploading option - 5-minute
to FortiAnalyzer.
Option Description
store-and-upload Log to hard disk and then upload to FortiAnalyzer.
realtime Log directly to FortiAnalyzer in real time.
1-minute Log directly to FortiAnalyzer at least every 1 minute.
5-minute Log directly to FortiAnalyzer at least every 5 minutes.
upload-time Time to upload logs (hh:mm). user Not

Specified
config log fortianalyzer2 filter
Filters for FortiAnalyzer.

Fortinet Inc.
Description: Filters for FortiAnalyzer.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end
Option Description
dlp-archive Enable/disable DLP archive logging. option - enable
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description

traffic
Option Description
severity Log every message above and including this severity option - information
level.
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description

Fortinet Inc.
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.

Fortinet Inc.
Option Description
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log fortianalyzer2 override-filter
Override filters for FortiAnalyzer.

Description: Override filters for FortiAnalyzer.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description
Option Description

traffic
Option Description
level.

Fortinet Inc.
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log fortianalyzer2 override-setting
Override FortiAnalyzer settings.

Description: Override FortiAnalyzer settings.

Fortinet Inc.
set reliable [enable|disable]
set server {string}
set use-management-vdom [enable|disable]
end

and data.
Option Description

Specified

Option Description
conn-timeout FortiAnalyzer connection time-out in seconds (for integer Minimum 10

status and log buffer). value: 1
Maximum
value: 3600

Fortinet Inc.
Option Description
hmac-algorithm FortiAnalyzer IPsec tunnel HMAC algorithm. option - sha256
Option Description

Specified

method server.
Option Description
ips-archive Enable/disable IPS packet archive logging. option - enable
Option Description
max-log-rate FortiAnalyzer maximum log rate in MBps (0 = integer Minimum 0

unlimited). value: 0
Maximum
value:
100000
monitor-failure- Time between FortiAnalyzer connection retries in integer Minimum 5

retry-period seconds (for status and log buffer). value: 1
Maximum
value:
86400

Fortinet Inc.
period Maximum
value: 120
preshared-key Preshared-key used for auto-authorization on string Not

Option Description
reliable Enable/disable reliable logging to FortiAnalyzer. option - disable
Option Description
enable Enable reliable logging to FortiAnalyzer.
disable Disable reliable logging to FortiAnalyzer.

server The remote FortiAnalyzer. string Not

Specified
source-ip Source IPv4 or IPv6 address used to communicate string Not

with FortiAnalyzer. Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
Option Description

Fortinet Inc.

Specified
upload-interval Frequency to upload log files to FortiAnalyzer. option - daily
Option Description
upload-option Enable/disable logging to hard disk and then option - 5-minute

uploading to FortiAnalyzer.
Option Description
store-and- Log to hard disk and then upload to FortiAnalyzer.

upload

Specified
use- Enable/disable use of management VDOM IP option - disable

management- address as source IP for logs sent to FortiAnalyzer.
vdom
Option Description
enable Enable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.
disable Disable use of management VDOM IP address as source IP for logs sent to
FortiAnalyzer.
config log fortianalyzer2 setting
Global FortiAnalyzer settings.

Description: Global FortiAnalyzer settings.

Fortinet Inc.
set server {string}
end

and data.
Option Description

Specified

Option Description

Maximum
value: 3600

Fortinet Inc.
Option Description

algorithm
Option Description

Specified
select-method
Option Description
Option Description

value: 0
Maximum
value:
100000

period Maximum
value:
86400

Fortinet Inc.
period Maximum
value: 120

Option Description
Option Description


Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
Option Description

Fortinet Inc.

Specified

interval
Option Description
to FortiAnalyzer.
Option Description

Specified

config free-style
edit <id>
set id {integer}
set filter {string}
next
end

Fortinet Inc.
end
Option Description
Option Description
Option Description
Option Description
Option Description

traffic
Option Description

Fortinet Inc.
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description

Fortinet Inc.
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description

Fortinet Inc.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description

traffic
Option Description
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description

Fortinet Inc.
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.

Fortinet Inc.
Option Description
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description

set server {string}
end

Fortinet Inc.

and data.
Option Description

Specified

Option Description

Maximum
value: 3600
Option Description
Option Description

Specified

method server.

Fortinet Inc.
Option Description
Option Description

Maximum
value:
100000

Maximum
value:
86400
period Maximum
value: 120

Option Description
Option Description

Fortinet Inc.


Specified


Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
Option Description

Specified
Option Description

Option Description

upload

Fortinet Inc.
Option Description

Specified

vdom
Option Description
FortiAnalyzer.
FortiAnalyzer.

set server {string}

Fortinet Inc.
end

and data.
Option Description

Specified

Option Description

Maximum
value: 3600
Option Description

algorithm
Option Description

Specified

Fortinet Inc.
select-method
Option Description
Option Description

value: 0
Maximum
value:
100000

period Maximum
value:
86400
period Maximum
value: 120

Option Description
Option Description

Fortinet Inc.
Option Description


Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
Option Description

Specified

interval
Option Description
to FortiAnalyzer.

Fortinet Inc.
Option Description

Specified
config log fortianalyzer filter

config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

traffic
Option Description
Option Description
alert Alert level.
error Error level.

Fortinet Inc.
Option Description
debug Debug level.
Option Description
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.

Fortinet Inc.
Option Description
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log fortianalyzer override-filter

config free-style
edit <id>
set id {integer}
set filter {string}

Fortinet Inc.
next
end
end
Option Description
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.

traffic
Option Description
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description

Fortinet Inc.
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log fortianalyzer override-setting

Fortinet Inc.
set server {string}
end

and data.
Option Description

Specified

Option Description

Fortinet Inc.

Maximum
value: 3600
Option Description
Option Description

Specified

method server.
Option Description
Option Description

Maximum
value:
100000

Fortinet Inc.

Maximum
value:
86400
period Maximum
value: 120

Option Description
Option Description


Specified


Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.

Fortinet Inc.
Option Description

Specified
Option Description

Option Description

upload

Specified

vdom
Option Description
FortiAnalyzer.
FortiAnalyzer.
config log fortianalyzer setting

Fortinet Inc.
set server {string}
end

and data.
Option Description

Specified

Option Description

Fortinet Inc.

Maximum
value: 3600
Option Description

algorithm
Option Description

Specified
select-method
Option Description
Option Description

value: 0
Maximum
value:
100000

Fortinet Inc.

period Maximum
value:
86400
period Maximum
value: 120

Option Description
Option Description


Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.

Fortinet Inc.
Option Description

Specified

interval
Option Description
to FortiAnalyzer.
Option Description

Specified
config log fortiguard filter
Filters for FortiCloud.

Description: Filters for FortiCloud.
config free-style
edit <id>
set id {integer}
set filter {string}
next

Fortinet Inc.
end
end
Option Description
Option Description
Option Description
Option Description

traffic
Option Description

Fortinet Inc.
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description

Fortinet Inc.
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log fortiguard override-filter
Override filters for FortiCloud.

Fortinet Inc.
Description: Override filters for FortiCloud.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description

traffic
Option Description
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description

Fortinet Inc.
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.

Fortinet Inc.
Option Description
config log fortiguard override-setting
Override global FortiCloud logging settings for this VDOM.

Description: Override global FortiCloud logging settings for this VDOM.
set override [enable|disable]
end
access-config Enable/disable FortiCloud access to configuration and option - enable

data.
Option Description
enable Enable FortiCloud access to configuration and data.
disable Disable FortiCloud access to configuration and data.
max-log-rate FortiCloud maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000
override Overriding FortiCloud settings for this VDOM or use option - disable
global settings.
Option Description
enable Override FortiCloud logging settings.
disable Use global FortiCloud logging settings.

Fortinet Inc.
Option Description
default Set FortiCloud log transmission priority to default.
low Set FortiCloud log transmission priority to low.
status Enable/disable logging to FortiCloud. option - disable
Option Description
enable Enable logging to FortiCloud.
disable Disable logging to FortiCloud.
upload-day Day of week to roll logs. user Not

Specified
upload- Frequency of uploading log files to FortiCloud. option - daily

interval
Option Description
daily Upload log files to FortiCloud once a day.
weekly Upload log files to FortiCloud once a week.
monthly Upload log files to FortiCloud once a month.
upload-option Configure how log messages are sent to FortiCloud. option - 5-minute
Option Description
store-and-upload Log to the hard disk and then upload logs to FortiCloud.
realtime Log directly to FortiCloud in real time.
1-minute Log directly to FortiCloud at 1-minute intervals.
upload-time Time of day to roll logs (hh:mm). user Not

Specified
config log fortiguard setting
Configure logging to FortiCloud.

Description: Configure logging to FortiCloud.

Fortinet Inc.
end
access-config Enable/disable FortiCloud access to configuration and option - enable

data.
Option Description
enable Enable FortiCloud access to configuration and data.
disable Disable FortiCloud access to configuration and data.
conn-timeout FortiGate Cloud connection timeout in seconds. integer Minimum 10

value: 1
Maximum
value: 3600
communication with FortiCloud.
Option Description
high-medium Encrypt logs using high and medium encryption.
high Encrypt logs using high encryption.
low Encrypt logs using low encryption.

Specified
select-method
Option Description

Fortinet Inc.
max-log-rate FortiCloud maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000
Option Description
default Set FortiCloud log transmission priority to default.
low Set FortiCloud log transmission priority to low.
source-ip Source IP address used to connect FortiCloud. ipv4- Not 0.0.0.0

address Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
status Enable/disable logging to FortiCloud. option - disable
Option Description
enable Enable logging to FortiCloud.
disable Disable logging to FortiCloud.
upload-day Day of week to roll logs. user Not

Specified
upload- Frequency of uploading log files to FortiCloud. option - daily

interval
Option Description
daily Upload log files to FortiCloud once a day.
weekly Upload log files to FortiCloud once a week.
monthly Upload log files to FortiCloud once a month.

Fortinet Inc.
upload-option Configure how log messages are sent to FortiCloud. option - 5-minute
Option Description
store-and-upload Log to the hard disk and then upload logs to FortiCloud.
realtime Log directly to FortiCloud in real time.
upload-time Time of day to roll logs (hh:mm). user Not

Specified
config log gui-display
Configure how log messages are displayed on the GUI.

Description: Configure how log messages are displayed on the GUI.
set fortiview-unscanned-apps [enable|disable]
set resolve-apps [enable|disable]
set resolve-hosts [enable|disable]
end
fortiview- Enable/disable showing unscanned traffic in FortiView option - disable

unscanned- application charts.
apps
Option Description
enable Enable showing unscanned traffic.
disable Disable showing unscanned traffic.
resolve-apps Resolve unknown applications on the GUI using option - enable

Fortinet's remote application database.
Option Description
enable Enable unknown applications on the GUI.
disable Disable unknown applications on the GUI.
resolve-hosts Enable/disable resolving IP addresses to hostname in option - enable

log messages on the GUI using reverse DNS lookup.

Fortinet Inc.
Option Description
enable Enable resolving IP addresses to hostnames.
disable Disable resolving IP addresses to hostnames.
config log memory filter
Filters for memory buffer.

Description: Filters for memory buffer.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end
Option Description
Option Description

Fortinet Inc.
Option Description
local-traffic Enable/disable local in or out traffic logging. option - enable **
Option Description

traffic
Option Description
level.
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description

Fortinet Inc.
Option Description
Option Description

config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.

Fortinet Inc.
Option Description
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log memory global-setting
Global settings for memory logging.

Description: Global settings for memory logging.
set full-final-warning-threshold {integer}
set full-first-warning-threshold {integer}
set full-second-warning-threshold {integer}
set max-size {integer}
end
full-final- Log full final warning threshold as a percent. integer Minimum 95

warning- value: 3
threshold Maximum
value: 100
full-first- Log full first warning threshold as a percent. integer Minimum 75

warning- value: 1
threshold Maximum
value: 98

Fortinet Inc.
full-second- Log full second warning threshold as a percent. integer Minimum 90

warning- value: 2
threshold Maximum
value: 99
max-size Maximum amount of memory that can be used for integer Minimum 168441200 **
memory logging in bytes. value: 0
Maximum
value:
4294967295
config log memory setting
Settings for memory buffer.

Description: Settings for memory buffer.
end
status Enable/disable logging to the FortiGate's memory. option - enable **
Option Description
enable Enable logging to memory.
disable Disable logging to memory.
config log null-device filter
Filters for null device logging.

Description: Filters for null device logging.
config free-style
edit <id>
set id {integer}

Fortinet Inc.
set filter {string}
next
end
end
Option Description
Option Description
Option Description
Option Description

traffic

Fortinet Inc.
Option Description
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description

Fortinet Inc.
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log null-device setting
Settings for null device logging.

Fortinet Inc.
Description: Settings for null device logging.
end
status Enable/disable statistics collection for when no external option - disable

logging destination, such as FortiAnalyzer, is present
(data is not saved).
Option Description
enable Enable statistics collection for when no external logging destination, such as
FortiAnalyzer, is present (data is not saved).
disable Disable statistics collection for when no external logging destination, such as
FortiAnalyzer, is present (data is not saved).
config log setting
Configure general log settings.

config log setting
Description: Configure general log settings.
set anonymization-hash {string}
set brief-traffic-format [enable|disable]
set custom-log-fields <field-id1>, <field-id2>, ...
set daemon-log [enable|disable]
set expolicy-implicit-log [enable|disable]
set faz-override [enable|disable]
set fortiview-weekly-data [enable|disable]
set fwpolicy-implicit-log [enable|disable]
set fwpolicy6-implicit-log [enable|disable]
set local-in-allow [enable|disable]
set local-in-deny-broadcast [enable|disable]
set local-in-deny-unicast [enable|disable]
set local-out [enable|disable]
set log-invalid-packet [enable|disable]
set log-policy-comment [enable|disable]
set log-user-in-upper [enable|disable]
set neighbor-event [enable|disable]
set resolve-ip [enable|disable]
set resolve-port [enable|disable]
set rest-api-get [enable|disable]
set rest-api-set [enable|disable]
set syslog-override [enable|disable]
set user-anonymize [enable|disable]
end

Fortinet Inc.
config log setting
anonymization- User name anonymization hash salt. string Not

hash Specified
brief-traffic-format Enable/disable brief format traffic logging. option - disable
Option Description
enable Enable brief format traffic logging.
disable Disable brief format traffic logging.
custom-log-fields Custom fields to append to all log messages. string Maximum

<field-id> Custom log field. length: 35
daemon-log Enable/disable daemon logging. option - disable
Option Description
enable Enable daemon logging.
disable Disable daemon logging.
expolicy-implicit- Enable/disable explicit proxy firewall implicit policy option - disable

log logging.
Option Description
enable Enable explicit proxy firewall implicit policy logging.
disable Disable explicit proxy firewall implicit policy logging.
faz-override Enable/disable override FortiAnalyzer settings. option - disable
Option Description
enable Enable override FortiAnalyzer settings.
disable Disable override FortiAnalyzer settings.
fortiview-weekly- Enable/disable FortiView weekly data. option - disable

data *
Option Description
enable Enable FortiView weekly data.
disable Disable FortiView weekly data.
fwpolicy-implicit- Enable/disable implicit firewall policy logging. option - disable

log

Fortinet Inc.
Option Description
enable Enable implicit firewall policy logging.
disable Disable implicit firewall policy logging.
fwpolicy6-implicit- Enable/disable implicit firewall policy6 logging. option - disable

log
Option Description
enable Enable implicit firewall policy6 logging.
disable Disable implicit firewall policy6 logging.
local-in-allow Enable/disable local-in-allow logging. option - disable
Option Description
enable Enable local-in-allow logging.
disable Disable local-in-allow logging.
local-in-deny- Enable/disable local-in-deny-broadcast logging. option - disable

broadcast
Option Description
enable Enable local-in-deny-broadcast logging.
disable Disable local-in-deny-broadcast logging.
local-in-deny- Enable/disable local-in-deny-unicast logging. option - disable

unicast
Option Description
enable Enable local-in-deny-unicast logging.
disable Disable local-in-deny-unicast logging.
local-out Enable/disable local-out logging. option - disable
Option Description
enable Enable local-out logging.
disable Disable local-out logging.
log-invalid-packet Enable/disable invalid packet traffic logging. option - disable

Fortinet Inc.
Option Description
enable Enable invalid packet traffic logging.
disable Disable invalid packet traffic logging.
log-policy- Enable/disable inserting policy comments into traffic option - disable

comment logs.
Option Description
enable Enable inserting policy comments into traffic logs.
disable Disable inserting policy comments into traffic logs.
log-user-in-upper Enable/disable logs with user-in-upper. option - disable
Option Description
enable Enable logs with user-in-upper.
disable Disable logs with user-in-upper.
neighbor-event Enable/disable neighbor event logging. option - disable
Option Description
enable Enable neighbor event logging.
disable Disable neighbor event logging.
resolve-ip Enable/disable adding resolved domain names to option - disable

traffic logs if possible.
Option Description
enable Enable adding resolved domain names to traffic logs.
disable Disable adding resolved domain names to traffic logs.
resolve-port Enable/disable adding resolved service names to option - enable

traffic logs.
Option Description
enable Enable adding resolved service names to traffic logs.
disable Disable adding resolved service names to traffic logs.
rest-api-get Enable/disable REST API GET request logging. option - disable

Fortinet Inc.
Option Description
enable Enable GET REST API logging.
disable Disable GET REST API logging.
rest-api-set Enable/disable REST API POST/PUT/DELETE option - disable

request logging.
Option Description
enable Enable POST/PUT/DELETE REST API logging.
disable Disable POST/PUT/DELETE REST API logging.
syslog-override Enable/disable override Syslog settings. option - disable
Option Description
enable Enable override Syslog settings.
disable Disable override Syslog settings.
user-anonymize Enable/disable anonymizing user names in log option - disable

messages.
Option Description
enable Enable anonymizing user names in log messages.
disable Disable anonymizing user names in log messages.
config log syslogd2 filter
Filters for remote system server.

Description: Filters for remote system server.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end

Fortinet Inc.
end
Option Description
Option Description
Option Description
Option Description

traffic
Option Description

Fortinet Inc.
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log syslogd2 override-filter
Override filters for remote system server.

Description: Override filters for remote system server.
config free-style
edit <id>

Fortinet Inc.
set id {integer}
set filter {string}
next
end
end
Option Description
Option Description
Option Description
Option Description

traffic

Fortinet Inc.
Option Description
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description

Fortinet Inc.
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log syslogd2 override-setting
Override settings for remote syslog server.

Fortinet Inc.
Description: Override settings for remote syslog server.
config custom-field-name
Description: Custom field name for CEF format logging.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set facility [kernel|user|...]
set format [default|csv|...]
set mode [udp|legacy-reliable|...]
set port {integer}
set server {string}
end
certificate Certificate used to communicate with Syslog server. string Not

Specified
enc-algorithm Enable/disable reliable syslogging with TLS encryption. option - disable
Option Description
high-medium SSL communication with high and medium encryption algorithms.
high SSL communication with high encryption algorithms.
low SSL communication with low encryption algorithms.
disable Disable SSL communication.
facility Remote syslog facility. option - local7
Option Description
kernel Kernel messages.
user Random user-level messages.
mail Mail system.

Fortinet Inc.
Option Description
daemon System daemons.
auth Security/authorization messages.
syslog Messages generated internally by syslog.
lpr Line printer subsystem.
news Network news subsystem.
uucp Network news subsystem.
cron Clock daemon.
authpriv Security/authorization messages (private).
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
local0 Reserved for local use.
format Log format. option - default
Option Description
default Syslog format.
csv CSV (Comma Separated Values) format.
cef CEF (Common Event Format) format.
rfc5424 Syslog RFC5424 format.

Specified

Fortinet Inc.
select-method
Option Description
max-log-rate Syslog maximum log rate in MBps (0 = unlimited). integer Minimum 0

value: 0
Maximum
value:
100000
mode Remote syslog logging over UDP/Reliable TCP. option - udp
Option Description
udp Enable syslogging over UDP.
legacy-reliable Enable legacy reliable syslogging by RFC3195 (Reliable Delivery for Syslog).
reliable Enable reliable syslogging by RFC6587 (Transmission of Syslog Messages

over TCP).
port Server listen port. integer Minimum 514

value: 0
Maximum
value:
65535
Option Description
default Set Syslog transmission priority to default.
low Set Syslog transmission priority to low.
server Address of remote syslog server. string Not

Specified
source-ip Source IP address of syslog. string Not

Specified


Fortinet Inc.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
status Enable/disable remote syslog logging. option - disable
Option Description
enable Log to remote syslog server.
disable Do not log to remote syslog server.

value: 0
Maximum
value: 255
name Field name. string Not

Specified
custom Field custom name. string Not

Specified
config log syslogd2 setting
Global settings for remote syslog server.

Description: Global settings for remote syslog server.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end

Fortinet Inc.
set port {integer}
set server {string}
end

Specified
Option Description
Option Description
mail Mail system.
cron Clock daemon.

Fortinet Inc.
Option Description
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
Option Description

Specified
select-method
Option Description

Fortinet Inc.

value: 0
Maximum
value:
100000
Option Description

over TCP).

value: 0
Maximum
value:
65535
Option Description

Specified

Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.

Fortinet Inc.
Option Description

value: 0
Maximum
value: 255

Specified

Specified

config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

traffic
Option Description
Option Description
alert Alert level.
error Error level.

Fortinet Inc.
Option Description
debug Debug level.
Option Description
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description

Fortinet Inc.
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description

config free-style
edit <id>
set id {integer}
set filter {string}

Fortinet Inc.
next
end
end
Option Description
Option Description
Option Description
Option Description

traffic
Option Description

Fortinet Inc.
Option Description
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description

Fortinet Inc.
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description

Fortinet Inc.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set port {integer}
set server {string}
end

Specified
Option Description
Option Description
mail Mail system.

Fortinet Inc.
Option Description
cron Clock daemon.
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
Option Description

Specified

Fortinet Inc.
select-method
Option Description

value: 0
Maximum
value:
100000
Option Description

over TCP).

value: 0
Maximum
value:
65535
Option Description

Specified

Specified


Fortinet Inc.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
Option Description

value: 0
Maximum
value: 255

Specified

Specified

edit <id>
set id {integer}
set name {string}
set custom {string}
next
end

Fortinet Inc.
set port {integer}
set server {string}
end

Specified
Option Description
Option Description
mail Mail system.
cron Clock daemon.

Fortinet Inc.
Option Description
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
Option Description

Specified
select-method
Option Description

Fortinet Inc.

value: 0
Maximum
value:
100000
Option Description

over TCP).

value: 0
Maximum
value:
65535
Option Description

Specified

Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.

Fortinet Inc.
Option Description

value: 0
Maximum
value: 255

Specified

Specified

config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

traffic
Option Description
Option Description
alert Alert level.
error Error level.

Fortinet Inc.
Option Description
debug Debug level.
Option Description
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description

Fortinet Inc.
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description

config free-style
edit <id>
set id {integer}
set filter {string}

Fortinet Inc.
next
end
end
Option Description
Option Description
Option Description
Option Description

traffic
Option Description

Fortinet Inc.
Option Description
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description

Fortinet Inc.
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description

Fortinet Inc.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set port {integer}
set server {string}
end

Specified
Option Description
Option Description
mail Mail system.

Fortinet Inc.
Option Description
cron Clock daemon.
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
Option Description

Specified

Fortinet Inc.
select-method
Option Description

value: 0
Maximum
value:
100000
Option Description

over TCP).

value: 0
Maximum
value:
65535
Option Description

Specified

Specified


Fortinet Inc.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
Option Description

value: 0
Maximum
value: 255

Specified

Specified

edit <id>
set id {integer}
set name {string}
set custom {string}
next
end

Fortinet Inc.
set port {integer}
set server {string}
end

Specified
Option Description
Option Description
mail Mail system.
cron Clock daemon.

Fortinet Inc.
Option Description
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
Option Description

Specified
select-method
Option Description

Fortinet Inc.

value: 0
Maximum
value:
100000
Option Description

over TCP).

value: 0
Maximum
value:
65535
Option Description

Specified

Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.

Fortinet Inc.
Option Description

value: 0
Maximum
value: 255

Specified

Specified
config log syslogd filter

config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

traffic
Option Description
Option Description
alert Alert level.
error Error level.

Fortinet Inc.
Option Description
debug Debug level.
Option Description
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description

Fortinet Inc.
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log syslogd override-filter

config free-style
edit <id>
set id {integer}
set filter {string}

Fortinet Inc.
next
end
end
Option Description
Option Description
Option Description
Option Description

traffic
Option Description

Fortinet Inc.
Option Description
Option Description
alert Alert level.
error Error level.
debug Debug level.
Option Description
Option Description
Option Description

Fortinet Inc.
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log syslogd override-setting

Fortinet Inc.
edit <id>
set id {integer}
set name {string}
set custom {string}
next
end
set port {integer}
set server {string}
end

Specified
Option Description
Option Description
mail Mail system.

Fortinet Inc.
Option Description
cron Clock daemon.
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
Option Description

Specified

Fortinet Inc.
select-method
Option Description

value: 0
Maximum
value:
100000
Option Description

over TCP).

value: 0
Maximum
value:
65535
Option Description

Specified

Specified


Fortinet Inc.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
Option Description

value: 0
Maximum
value: 255

Specified

Specified
config log syslogd setting

edit <id>
set id {integer}
set name {string}
set custom {string}
next
end

Fortinet Inc.
set port {integer}
set server {string}
end

Specified
Option Description
Option Description
mail Mail system.
cron Clock daemon.

Fortinet Inc.
Option Description
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.
Option Description

Specified
select-method
Option Description

Fortinet Inc.

value: 0
Maximum
value:
100000
Option Description

over TCP).

value: 0
Maximum
value:
65535
Option Description

Specified

Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.

Fortinet Inc.
Option Description

value: 0
Maximum
value: 255

Specified

Specified
config log tacacs+accounting2 filter
Settings for TACACS+ accounting events filter.

Description: Settings for TACACS+ accounting events filter.
set cli-cmd-audit [enable|disable]
set config-change-audit [enable|disable]
set login-audit [enable|disable]
end
cli-cmd-audit Enable/disable TACACS+ accounting for CLI option - enable

commands audit.
Option Description
enable Enable TACACS+ accounting for CLI commands audit.
disable Disable TACACS+ accounting for CLI commands audit.
config- Enable/disable TACACS+ accounting for configuration option - enable

change-audit change events audit.

Fortinet Inc.
Option Description
enable Enable TACACS+ accounting for configuration change events audit.
disable Disable TACACS+ accounting for configuration change events audit.
login-audit Enable/disable TACACS+ accounting for login events option - enable

audit.
Option Description
enable Enable TACACS+ accounting for login events audit.
disable Disable TACACS+ accounting for login events audit.
config log tacacs+accounting2 setting
Settings for TACACS+ accounting.

Description: Settings for TACACS+ accounting.
set server {string}
set server-key {password}
end
server Address of TACACS+ server. string Not

Specified
server-key Key to access the TACACS+ server. password Not

Specified
status Enable/disable TACACS+ accounting. option - disable
Option Description
enable Enable TACACS+ accounting.
disable Disable TACACS+ accounting.

Fortinet Inc.
end

commands audit.
Option Description

Option Description

audit.
Option Description

set server {string}
end

Fortinet Inc.

Specified

Specified
Option Description
config log tacacs+accounting filter

end

commands audit.
Option Description

Option Description

Fortinet Inc.

audit.
Option Description
config log tacacs+accounting setting

set server {string}
end

Specified

Specified
Option Description
config log threat-weight
Configure threat weight settings.

Description: Configure threat weight settings.
config application
Description: Application-control threat weight settings.
edit <id>
set id {integer}

Fortinet Inc.
set level [disable|low|...]
next
end
set blocked-connection [disable|low|...]
set botnet-connection-detected [disable|low|...]
set failed-connection [disable|low|...]
config geolocation
Description: Geolocation-based threat weight settings.
edit <id>
set id {integer}
next
end
config ips
Description: IPS threat weight settings.
set info-severity [disable|low|...]
set low-severity [disable|low|...]
set medium-severity [disable|low|...]
set high-severity [disable|low|...]
set critical-severity [disable|low|...]
end
config level
Description: Score mapping for threat weight levels.
set low {integer}
set medium {integer}
set high {integer}
set critical {integer}
end
config malware
Description: Anti-virus malware threat weight settings.
set virus-infected [disable|low|...]
set fortindr [disable|low|...]
set file-blocked [disable|low|...]
set command-blocked [disable|low|...]
set oversized [disable|low|...]
set virus-scan-error [disable|low|...]
set switch-proto [disable|low|...]
set mimefragmented [disable|low|...]
set virus-file-type-executable [disable|low|...]
set virus-outbreak-prevention [disable|low|...]
set content-disarm [disable|low|...]
set malware-list [disable|low|...]
set ems-threat-feed [disable|low|...]
set fsa-malicious [disable|low|...]
set fsa-high-risk [disable|low|...]
set fsa-medium-risk [disable|low|...]
end
set url-block-detected [disable|low|...]
config web
Description: Web filtering threat weight settings.
edit <id>
set id {integer}

Fortinet Inc.
next
end
end
blocked- Threat weight score for blocked connections. option - high

connection
Option Description
disable Disable threat weight scoring for blocked connections.
low Use the low level score for blocked connections.
medium Use the medium level score for blocked connections.
high Use the high level score for blocked connections.
critical Use the critical level score for blocked connections.
botnet- Threat weight score for detected botnet connections. option - critical
connection-
detected
Option Description
disable Disable threat weight scoring for detected botnet connections.
low Use the low level score for detected botnet connections.
medium Use the medium level score for detected botnet connections.
high Use the high level score for detected botnet connections.
critical Use the critical level score for detected botnet connections.
failed- Threat weight score for failed connections. option - low

connection
Option Description
disable Disable threat weight scoring for failed connections.
low Use the low level score for failed connections.
medium Use the medium level score for failed connections.
high Use the high level score for failed connections.
critical Use the critical level score for failed connections.
status Enable/disable the threat weight feature. option - enable

Fortinet Inc.
Option Description
enable Enable the threat weight feature.
disable Disable the threat weight feature.
url-block- Threat weight score for URL blocking. option - high

detected
Option Description
disable Disable threat weight scoring for URL blocking.
low Use the low level score for URL blocking.
medium Use the medium level score for URL blocking.
high Use the high level score for URL blocking.
critical Use the critical level score for URL blocking.
config application

value: 0
Maximum
value: 255
category Application category. integer Minimum 0

value: 0
Maximum
value:
65535
level Threat weight score for Application events. option - low
Option Description
disable Disable threat weight scoring for Application events.
low Use the low level score for Application events.
medium Use the medium level score for Application events.
high Use the high level score for Application events.
critical Use the critical level score for Application events.

Fortinet Inc.
config geolocation

value: 0
Maximum
value: 255
country Country code. string Not

Specified
level Threat weight score for Geolocation-based events. option - low
Option Description
disable Disable threat weight scoring for Geolocation-based events.
low Use the low level score for Geolocation-based events.
medium Use the medium level score for Geolocation-based events.
high Use the high level score for Geolocation-based events.
critical Use the critical level score for Geolocation-based events.
config ips
info-severity Threat weight score for IPS info severity events. option - disable
Option Description
disable Disable threat weight scoring for IPS info severity events.
low Use the low level score for IPS info severity events.
medium Use the medium level score for IPS info severity events.
high Use the high level score for IPS info severity events.
critical Use the critical level score for IPS info severity events.
low-severity Threat weight score for IPS low severity events. option - low
Option Description
disable Disable threat weight scoring for IPS low severity events.
low Use the low level score for IPS low severity events.
medium Use the medium level score for IPS low severity events.
high Use the high level score for IPS low severity events.
critical Use the critical level score for IPS low severity events.

Fortinet Inc.
medium- Threat weight score for IPS medium severity events. option - medium
severity
Option Description
disable Disable threat weight scoring for IPS medium severity events.
low Use the low level score for IPS medium severity events.
medium Use the medium level score for IPS medium severity events.
high Use the high level score for IPS medium severity events.
critical Use the critical level score for IPS medium severity events.
high-severity Threat weight score for IPS high severity events. option - high
Option Description
disable Disable threat weight scoring for IPS high severity events.
low Use the low level score for IPS high severity events.
medium Use the medium level score for IPS high severity events.
high Use the high level score for IPS high severity events.
critical Use the critical level score for IPS high severity events.
critical- Threat weight score for IPS critical severity events. option - critical
severity
Option Description
disable Disable threat weight scoring for IPS critical severity events.
low Use the low level score for IPS critical severity events.
medium Use the medium level score for IPS critical severity events.
high Use the high level score for IPS critical severity events.
critical Use the critical level score for IPS critical severity events.
config level
low Low level score value. integer Minimum 5

value: 1
Maximum
value: 100

Fortinet Inc.
medium Medium level score value. integer Minimum 10

value: 1
Maximum
value: 100
high High level score value. integer Minimum 30

value: 1
Maximum
value: 100
critical Critical level score value. integer Minimum 50

value: 1
Maximum
value: 100
config malware
virus-infected Threat weight score for virus (infected) detected. option - critical
Option Description
disable Disable threat weight scoring for virus (infected) detected.
low Use the low level score for virus (infected) detected.
medium Use the medium level score for virus (infected) detected.
high Use the high level score for virus (infected) detected.
critical Use the critical level score for virus (infected) detected.
fortindr Threat weight score for FortiNDR-detected virus. option - critical
Option Description
disable Disable threat weight scoring for virus detected by FortiNDR.
low Use the low level score for virus detected by FortiNDR.
medium Use the medium level score for virus detected by FortiNDR.
high Use the high level score for virus detected by FortiNDR.
critical Use the critical level score for virus detected by FortiNDR.
file-blocked Threat weight score for blocked file detected. option - low
Option Description
disable Disable threat weight scoring for blocked file detected.
low Use the low level score for blocked file detected.

Fortinet Inc.
Option Description
medium Use the medium level score for blocked file detected.
high Use the high level score for blocked file detected.
critical Use the critical level score for blocked file detected.
command-blocked Threat weight score for blocked command detected. option - disable
Option Description
disable Disable threat weight scoring for blocked command detected.
low Use the low level score for blocked command detected.
medium Use the medium level score for blocked command detected.
high Use the high level score for blocked command detected.
critical Use the critical level score for blocked command detected.
oversized Threat weight score for oversized file detected. option - disable
Option Description
disable Disable threat weight scoring for oversized file detected.
low Use the low level score for oversized file detected.
medium Use the medium level score for oversized file detected.
high Use the high level score for oversized file detected.
critical Use the critical level score for oversized file detected.
virus-scan-error Threat weight score for virus (scan error) detected. option - high
Option Description
disable Disable threat weight scoring for virus (scan error) detected.
low Use the low level score for virus (scan error) detected.
medium Use the medium level score for virus (scan error) detected.
high Use the high level score for virus (scan error) detected.
critical Use the critical level score for virus (scan error) detected.
switch-proto Threat weight score for switch proto detected. option - disable
Option Description
disable Disable threat weight scoring for switch proto detected.

Fortinet Inc.
Option Description
low Use the low level score for switch proto detected.
medium Use the medium level score for switch proto detected.
high Use the high level score for switch proto detected.
critical Use the critical level score for switch proto detected.
mimefragmented Threat weight score for mimefragmented detected. option - disable
Option Description
disable Disable threat weight scoring for mimefragmented detected.
low Use the low level score for mimefragmented detected.
medium Use the medium level score for mimefragmented detected.
high Use the high level score for mimefragmented detected.
critical Use the critical level score for mimefragmented detected.
virus-file-type- Threat weight score for virus (file type executable) option - medium
executable detected.
Option Description
disable Disable threat weight scoring for virus (filetype executable) detected.
low Use the low level score for virus (filetype executable) detected.
medium Use the medium level score for virus (filetype executable) detected.
high Use the high level score for virus (filetype executable) detected.
critical Use the critical level score for virus (filetype executable) detected.
virus-outbreak- Threat weight score for virus (outbreak prevention) option - critical
prevention event.
Option Description
disable Disable threat weight scoring for virus (outbreak prevention) event.
low Use the low level score for virus (outbreak prevention) event.
medium Use the medium level score for virus (outbreak prevention) event.
high Use the high level score for virus (outbreak prevention) event.
critical Use the critical level score for virus (outbreak prevention) event.
content-disarm Threat weight score for virus (content disarm) option - medium
detected.

Fortinet Inc.
Option Description
disable Disable threat weight scoring for virus (content disarm) detected.
low Use the low level score for virus (content disarm) detected.
medium Use the medium level score for virus (content disarm) detected.
high Use the high level score for virus (content disarm) detected.
critical Use the critical level score for virus (content disarm) detected.
malware-list Threat weight score for virus (malware list) detected. option - medium
Option Description
disable Disable threat weight scoring for virus (malware list) detected.
low Use the low level score for virus (malware list) detected.
medium Use the medium level score for virus (malware list) detected.
high Use the high level score for virus (malware list) detected.
critical Use the critical level score for virus (malware list) detected.
ems-threat-feed Threat weight score for virus (EMS threat feed) option - medium
detected.
Option Description
disable Disable threat weight scoring for virus (EMS threat feed) detected.
low Use the low level score for virus (EMS threat feed) detected.
medium Use the medium level score for virus (EMS threat feed) detected.
high Use the high level score for virus (EMS threat feed) detected.
critical Use the critical level score for virus (EMS threat feed) detected.
fsa-malicious Threat weight score for FortiSandbox malicious option - critical

malware detected.
Option Description
disable Disable threat weight scoring for FortiSandbox malicious malware

detected.
low Use the low level score for FortiSandbox malicious malware detected.
medium Use the medium level score for FortiSandbox malicious malware
detected.
high Use the high level score for FortiSandbox malicious malware detected.

Fortinet Inc.
Option Description
critical Use the critical level score for FortiSandbox malicious malware detected.
fsa-high-risk Threat weight score for FortiSandbox high risk option - high
malware detected.
Option Description
disable Disable threat weight scoring for FortiSandbox high risk malware
detected.
low Use the low level score for FortiSandbox high risk malware detected.
medium Use the medium level score for FortiSandbox high risk malware detected.
high Use the high level score for FortiSandbox high risk malware detected.
critical Use the critical level score for FortiSandbox high risk malware detected.
fsa-medium-risk Threat weight score for FortiSandbox medium risk option - medium
malware detected.
Option Description
disable Disable threat weight scoring for FortiSandbox medium risk malware
detected.
low Use the low level score for FortiSandbox medium risk malware detected.
medium Use the medium level score for FortiSandbox medium risk malware
detected.
high Use the high level score for FortiSandbox medium risk malware detected.
critical Use the critical level score for FortiSandbox medium risk malware
detected.
config web

value: 0
Maximum
value: 255
category Threat weight score for web category filtering matches. integer Minimum 0
value: 0
Maximum
value: 255
level Threat weight score for web category filtering matches. option - low

Fortinet Inc.
Option Description
disable Disable threat weight scoring for web category filtering matches.
low Use the low level score for web category filtering matches.
medium Use the medium level score for web category filtering matches.
high Use the high level score for web category filtering matches.
critical Use the critical level score for web category filtering matches.
config log webtrends filter
Filters for WebTrends.

Description: Filters for WebTrends.
config free-style
edit <id>
set id {integer}
set filter {string}
next
end
end
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

traffic
Option Description
severity Lowest severity level to log to WebTrends. option - information
Option Description
alert Alert level.
error Error level.
debug Debug level.

Fortinet Inc.
Option Description
Option Description
Option Description
config free-style

value: 0
Maximum
value:
4294967295
Option Description
event Event log.
attack Attack log.
spam Antispam log.
voip VoIP log.

Fortinet Inc.
Option Description
dlp DLP log.
dns DNS detail log.
ssh SSH log.
ssl SSL log.
icap ICAP log.
Option Description
config log webtrends setting
Settings for WebTrends.

Description: Settings for WebTrends.
set server {string}
end
server Address of the remote WebTrends server. string Not

Specified
status Enable/disable logging to WebTrends. option - disable
Option Description
enable Enable logging to WebTrends.
disable Disble logging to WebTrends.

Fortinet Inc.
mgmt-data

l config mgmt-data status on page 681
config mgmt-data status
Status for mgmt-data.

config mgmt-data status
Description: Status for mgmt-data.
end

Fortinet Inc.
monitoring

l config monitoring np6-ipsec-engine on page 682
l config monitoring npu-hpe on page 683
config monitoring np6-ipsec-engine
Configure NP6 IPsec engine status monitoring.

Description: Configure NP6 IPsec engine status monitoring.
set threshold {user}
end

Fortinet Inc.
interval IPsec engine status check interval. integer Minimum 1

value: 1
Maximum
value: 60
status Enable/disable NP6 IPsec engine status monitoring. option - disable
Option Description
threshold IPsec engine status check threshold. Example: Log is user Not
generated if IPsec engine 0 is busy each of every 15 Specified
consecutive interval checks.
config monitoring npu-hpe
FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F, FortiGate 1801F,
400E, FortiGate 401E, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 101F, FortiGate 140E-POE, FortiGate 140E, FortiGate 200E, FortiGate 200F,
FortiGate 201E, FortiGate 201F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 60E DSLJ,
FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E,
FortiGate 61F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-
FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiGateRugged 60F 3G4G,
Configure npu-hpe status monitoring.

Description: Configure npu-hpe status monitoring.
set multipliers {user}

Fortinet Inc.
end
interval HPE status check interval. integer Minimum 1

value: 1
Maximum
value: 60
multipliers HPE type interval multipliers. An event log is generated user Not
after every (interval * multiplier)seconds as configured Specified
for any HPE type when drops occur for that HPE type.
An attack log is generated after every (4 * multiplier)
number of continuous event logs.
status Enable/disable HPE status monitoring. option - disable
Option Description

Fortinet Inc.
nsxt

l config nsxt service-chain on page 685
l config nsxt setting on page 687
config nsxt service-chain

Configure NSX-T service chain.

Description: Configure NSX-T service chain.
edit <id>
set id {integer}
set name {string}
config service-index
Description: Configure service index.
edit <id>
set id {integer}
set reverse-index {integer}
set name {string}
set vd {string}
next
end

Fortinet Inc.
next
end
id Chain ID. integer Minimum 0

value: 0
Maximum
value: 1023
name Chain name. string Not

Specified
config service-index
id Service index. integer Minimum 0

value: 0
Maximum
value: 255
reverse-index Reverse service index. integer Minimum 1

value: 1
Maximum
value: 255
name Index name. string Not

Specified
vd VDOM name. string Not

Specified

Fortinet Inc.
config nsxt setting

Configure NSX-T setting.

config nsxt setting
Description: Configure NSX-T setting.
set liveness [enable|disable]
set service {string}
end
config nsxt setting
liveness Enable/disable liveness detection packet forwarding. option - disable
Option Description
enable Enable liveness detection packet forwarding.
disable Disable liveness detection packet forwarding.
service Service name. string Not

Specified

Fortinet Inc.
report

l config report layout on page 688
l config report setting on page 696
l config report sql status on page 698
config report layout
FortiGate 3700D, FortiGate 3800D, FortiGate 401E, FortiGate 4201F, FortiGate 4401F,
FortiGate 5001E1, FortiGate 501E, FortiGate 601E, FortiGate 61E, FortiGate 61F, FortiGate
800D, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate
900D, FortiGate 91E, FortiGate VM64, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 81F 2R 3G4G-
POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4400F, FortiGate 5001E,
FortiGate 500E, FortiGate 600E, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-
POE, FortiGate 60E, FortiGate 60F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F
Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 90E, FortiGateRugged 60F 3G4G,
FortiWiFi 60F, FortiWiFi 80F 2R.
Report layout configuration.

Description: Report layout configuration.
edit <name>
config body-item
Description: Configure report body item.
edit <id>
set id {integer}
set type [text|image|...]
set style {string}
set top-n {integer}
config parameters
Description: Parameters.
edit <id>

Fortinet Inc.
set id {integer}
set name {string}
set value {string}
next
end
set text-component [text|heading1|...]
set img-src {string}
set chart {string}
set chart-options {option1}, {option2}, ...
set misc-component [hline|page-break|...]
set title {string}
next
end
set cutoff-option [run-time|custom]
set cutoff-time {user}
set day [sunday|monday|...]
set email-recipients {string}
set email-send [enable|disable]
set format {option1}, {option2}, ...
set max-pdf-report {integer}
set name {string}
config page
Description: Configure report page.
set paper [a4|letter]
set column-break-before {option1}, {option2}, ...
set page-break-before {option1}, {option2}, ...
config header
Description: Configure report page header.
set style {string}
config header-item
Description: Configure report header item.
edit <id>
set id {integer}
set type [text|image]
set style {string}
next
end
end
config footer
Description: Configure report page footer.
set style {string}
config footer-item
Description: Configure report footer item.
edit <id>
set id {integer}
set type [text|image]
set style {string}

Fortinet Inc.
next
end
end
end
set schedule-type [demand|daily|...]
set style-theme {string}
set subtitle {string}
set time {user}
set title {string}
next
end
cutoff-option Cutoff-option is either run-time or custom. option - run-time
Option Description
run-time Run time.
custom Custom.
cutoff-time Custom cutoff time to generate report (format = user Not

hh:mm). Specified
day Schedule days of week to generate report. option - sunday
Option Description
sunday Sunday.
monday Monday.
tuesday Tuesday.
thursday Thursday.
friday Friday.
saturday Saturday.
description Description. string Not

Specified
email- Email recipients for generated reports. string Not

recipients Specified
email-send Enable/disable sending emails after reports are option - disable

generated.

Fortinet Inc.
Option Description
enable Enable sending emails after generating reports.
disable Disable sending emails after generating reports.
format Report format. option - pdf
Option Description
pdf PDF.
max-pdf- Maximum number of PDF reports to keep at one time integer Minimum 31
report (oldest report is overwritten). value: 1
Maximum
value: 365
name Report layout name. string Not

Specified
options Report layout options. option - include-table-

of-content
auto-
numbering-
heading view-
chart-as-
heading
Option Description
include-table-of- Include table of content in the report.

content
auto-numbering- Prepend heading with auto numbering.

heading
view-chart-as- Auto add heading for each chart.

heading
show-html- Show HTML navigation bar before each heading.

navbar-before-
heading
dummy-option Use this option if you need none of the above options.
schedule-type Report schedule type. option - daily
Option Description
demand Run on demand.

Fortinet Inc.
Option Description
daily Schedule daily.
weekly Schedule weekly.
style-theme Report style theme. string Not

Specified
subtitle Report subtitle. string Not

Specified
time Schedule time to generate report (format = hh:mm). user Not

Specified
title Report title. string Not

Specified
config body-item
id Report item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
type Report item type. option - text
Option Description
text Text.
image Image.
chart Chart.
misc Miscellaneous.
style Report item style. string Not Specified
top-n Value of top. integer Minimum 0

value: 0
Maximum
value:
4294967295
text- Report item text component. option - text

component

Fortinet Inc.
Option Description
text Normal text.
heading1 Heading 1.
heading2 Heading 2.
heading3 Heading 3.
content Report item text content. string Not Specified
img-src Report item image file name. string Not Specified
chart Report item chart name. string Not Specified
chart-options Report chart options. option - include-no-

data hide-
title show-
caption
Option Description
include-no-data Include chart with no data.
hide-title Hide chart title.
show-caption Show chart caption.
misc- Report item miscellaneous component. option - hline

component
Option Description
hline Horizontal line.
page-break Page break.
column-break Column break.
section-start Section start.
title Report section title. string Not Specified
config parameters

value: 0
Maximum
value:
4294967295

Fortinet Inc.
name Field name that match field of parameters defined in string Not Specified
dataset.
value Value to replace corresponding field of parameters string Not Specified

defined in dataset.
config page
paper Report page paper. option - a4
Option Description
a4 A4 paper.
letter Letter paper.
column- Report page auto column break before heading. option -

break-before
Option Description
heading1 Column break before heading 1.
page-break- Report page auto page break before heading. option -

before
Option Description
heading1 Page break before heading 1.
options Report page options. option -
Option Description
header-on-first- Show header on first page.

page
footer-on-first- Show footer on first page.

page

Fortinet Inc.
config header
style Report header style. string Not

Specified
config header-item

value: 0
Maximum
value:
4294967295
Option Description
text Text.
image Image.
config footer
style Report footer style. string Not

Specified
config footer-item

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
text Text.
image Image.
config report setting
Report setting configuration.

Description: Report setting configuration.
set fortiview [enable|disable]
set pdf-report [enable|disable]
set report-source {option1}, {option2}, ...
set top-n {integer}
set web-browsing-threshold {integer}
end

Fortinet Inc.
fortiview Enable/disable historical FortiView. option - enable **
Option Description
enable Enable historical FortiView.
disable Disable historical FortiView.
pdf-report Enable/disable PDF report. option - enable **
Option Description
enable Enable PDF report.
disable Disable PDF report.
report-source Report log source. option - forward-

traffic
Option Description
forward-traffic Report includes forward traffic logs.
sniffer-traffic Report includes sniffer traffic logs.
local-deny-traffic Report includes local deny traffic logs.
top-n Number of items to populate. integer Minimum 1000

value: 1000
Maximum
value:
20000
web- Web browsing time calculation threshold. integer Minimum 3

browsing- value: 3
threshold Maximum
value: 15

Fortinet Inc.
config report sql status
FortiGate 2601F, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3301E,
FortiGate 3401E, FortiGate 3501F, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D,
FortiGate 401E, FortiGate 4201F, FortiGate 4401F, FortiGate 5001E1, FortiGate 501E,
FortiGate 601E, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 81E, FortiGate 81F-
POE, FortiGate 81F, FortiGate 900D, FortiGate 91E, FortiGate VM64, FortiWiFi 61E,
FortiWiFi 61F, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
FortiGate 2200E, FortiGate 2600F, FortiGate 3000D, FortiGate 300E, FortiGate 3300E,
FortiGate 3400E, FortiGate 3500F, FortiGate 3600E, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate
4200F, FortiGate 4400F, FortiGate 5001E, FortiGate 500E, FortiGate 600E, FortiGate 60E
DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 80E-
POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate
81E-POE, FortiGate 90E, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F
3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 80F 2R.
Show report database status.

config report sql status
Description: Show report database status.
end

Fortinet Inc.
router

l config router access-list on page 699
l config router access-list6 on page 701
l config router aspath-list on page 702
l config router auth-path on page 703
l config router bfd on page 703
l config router bfd6 on page 705
l config router bgp on page 706
l config router community-list on page 748
l config router info on page 749
l config router info6 on page 749
l config router isis on page 749
l config router key-chain on page 763
l config router multicast-flow on page 764
l config router multicast on page 765
l config router multicast6 on page 774
l config router ospf on page 776
l config router ospf6 on page 792
l config router policy on page 807
l config router policy6 on page 810
l config router prefix-list on page 812
l config router prefix-list6 on page 813
l config router rip on page 814
l config router ripng on page 821
l config router route-map on page 827
l config router setting on page 833
l config router static on page 833
l config router static6 on page 836
config router access-list
Configure access lists.

Description: Configure access lists.
edit <name>
set name {string}
config rule

Fortinet Inc.
Description: Rule.
edit <id>
set id {integer}
set action [permit|deny]
set prefix {user}
set wildcard {user}
set exact-match [enable|disable]
next
end
next
end
comments Comment. string Not

Specified

Specified
config rule

value: 0
Maximum
value:
4294967295
action Permit or deny this IP address and netmask prefix. option - permit
Option Description
permit Permit or allow this IP address and netmask prefix.
deny Deny this IP address and netmask prefix.
prefix IPv4 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.
wildcard Wildcard to define Cisco-style wildcard filter criteria. user Not Specified
exact-match Enable/disable exact match. option - disable
Option Description
enable Enable exact match.
disable Disable exact match.

Fortinet Inc.
config router access-list6
Configure IPv6 access lists.

Description: Configure IPv6 access lists.
edit <name>
set name {string}
config rule
Description: Rule.
edit <id>
set id {integer}
set prefix6 {user}
set exact-match [enable|disable]
set flags {integer}
next
end
next
end

Specified

Specified
config rule

value: 0
Maximum
value:
4294967295
Option Description
permit Permit or allow this IP address and netmask prefix.
deny Deny this IP address and netmask prefix.
prefix6 IPv6 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.

Fortinet Inc.
exact-match Enable/disable exact prefix match. option - disable
Option Description
enable Enable exact match.
disable Disable exact match.
flags Flags. integer Minimum 0

value: 0
Maximum
value:
4294967295
config router aspath-list
Configure Autonomous System (AS) path lists.

Description: Configure Autonomous System (AS) path lists.
edit <name>
set name {string}
config rule
Description: AS path list rule.
edit <id>
set id {integer}
set action [deny|permit]
set regexp {string}
next
end
next
end
name AS path list name. string Not

Specified
config rule

value: 0
Maximum
value:
4294967295

Fortinet Inc.
action Permit or deny route-based operations, based on the option -

route's AS_PATH attribute.
Option Description
deny Deny route-based operations.
permit Permit route-based operations.
regexp Regular-expression to match the Border Gateway string Not Specified

Protocol (BGP) AS paths.
config router auth-path
Configure authentication based routing.

Description: Configure authentication based routing.
edit <name>
set device {string}
set name {string}
next
end
device Outgoing interface. string Not

Specified
gateway Gateway IP address. ipv4- Not 0.0.0.0

address Specified
name Name of the entry. string Not

Specified
config router bfd
Configure BFD.
config router bfd
Description: Configure BFD.
config multihop-template
Description: BFD multi-hop template table.
edit <id>
set id {integer}
set src {ipv4-classnet}

Fortinet Inc.
set dst {ipv4-classnet}
set bfd-desired-min-tx {integer}
set bfd-required-min-rx {integer}
set bfd-detect-mult {integer}
set auth-mode [none|md5]
set md5-key {password}
next
end
config neighbor
Description: Neighbor.
edit <ip>
next
end
end

value: 0
Maximum
value:
4294967295
src Source prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0
dst Destination prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0
bfd-desired- BFD desired minimal transmit interval (milliseconds). integer Minimum 250
min-tx value: 100
Maximum
value: 30000
bfd-required- BFD required minimal receive interval (milliseconds). integer Minimum 250
min-rx value: 100
Maximum
value: 30000
bfd-detect- BFD detection multiplier. integer Minimum 3

mult value: 3
Maximum
value: 50
auth-mode Authentication mode. option - none
Option Description
none None.
md5 Meticulous MD5 mode.

Fortinet Inc.
md5-key MD5 key of key ID 1. password Not Specified
config neighbor
ip IPv4 address of the BFD neighbor. ipv4- Not 0.0.0.0

address Specified

Specified
config router bfd6
Configure IPv6 BFD.

config router bfd6
Description: Configure IPv6 BFD.
Description: BFD IPv6 multi-hop template table.
edit <id>
set id {integer}
set src {ipv6-network}
set dst {ipv6-network}
set auth-mode [none|md5]
set md5-key {password}
next
end
config neighbor
Description: Configure neighbor of IPv6 BFD.
edit <ip6-address>
next
end
end

value: 0
Maximum
value:
4294967295

Fortinet Inc.
src Source prefix. ipv6- Not Specified ::/0

network
dst Destination prefix. ipv6- Not Specified ::/0

network
bfd-desired- BFD desired minimal transmit interval (milliseconds). integer Minimum 250
min-tx value: 100
Maximum
value: 30000
bfd-required- BFD required minimal receive interval (milliseconds). integer Minimum 250
min-rx value: 100
Maximum
value: 30000
bfd-detect- BFD detection multiplier. integer Minimum 3

mult value: 3
Maximum
value: 50
Option Description
none None.
md5 Meticulous MD5 mode.
md5-key MD5 key of key ID 1. password Not Specified
config neighbor
ip6-address IPv6 address of the BFD neighbor. ipv6- Not ::

address Specified
interface Interface to the BFD neighbor. string Not

Specified
config router bgp
Configure BGP.
config router bgp
Description: Configure BGP.
set additional-path [enable|disable]
set additional-path-select {integer}
set additional-path-select6 {integer}
set additional-path6 [enable|disable]
config admin-distance

Fortinet Inc.
Description: Administrative distance modifications.
edit <id>
set id {integer}
set neighbour-prefix {ipv4-classnet}
set route-list {string}
set distance {integer}
next
end
config aggregate-address
Description: BGP aggregate address table.
edit <id>
set id {integer}
set prefix {ipv4-classnet-any}
set as-set [enable|disable]
set summary-only [enable|disable]
next
end
config aggregate-address6
Description: BGP IPv6 aggregate address table.
edit <id>
set id {integer}
set prefix6 {ipv6-prefix}
set as-set [enable|disable]
set summary-only [enable|disable]
next
end
set always-compare-med [enable|disable]
set as {integer}
set bestpath-as-path-ignore [enable|disable]
set bestpath-cmp-confed-aspath [enable|disable]
set bestpath-cmp-routerid [enable|disable]
set bestpath-med-confed [enable|disable]
set bestpath-med-missing-as-worst [enable|disable]
set client-to-client-reflection [enable|disable]
set cluster-id {ipv4-address-any}
set confederation-identifier {integer}
set confederation-peers <peer1>, <peer2>, ...
set dampening [enable|disable]
set dampening-max-suppress-time {integer}
set dampening-reachability-half-life {integer}
set dampening-reuse {integer}
set dampening-route-map {string}
set dampening-suppress {integer}
set dampening-unreachability-half-life {integer}
set default-local-preference {integer}
set deterministic-med [enable|disable]
set distance-external {integer}
set distance-internal {integer}
set distance-local {integer}
set ebgp-multipath [enable|disable]
set enforce-first-as [enable|disable]
set fast-external-failover [enable|disable]
set graceful-end-on-timer [enable|disable]
set graceful-restart [enable|disable]
set graceful-restart-time {integer}
set graceful-stalepath-time {integer}

Fortinet Inc.
set graceful-update-delay {integer}
set holdtime-timer {integer}
set ibgp-multipath [enable|disable]
set ignore-optional-capability [enable|disable]
set keepalive-timer {integer}
set log-neighbour-changes [enable|disable]
set multipath-recursive-distance [enable|disable]
config neighbor
Description: BGP neighbor table.
edit <ip>
set ip {string}
set advertisement-interval {integer}
set allowas-in-enable [enable|disable]
set allowas-in-enable6 [enable|disable]
set allowas-in {integer}
set allowas-in6 {integer}
set attribute-unchanged {option1}, {option2}, ...
set attribute-unchanged6 {option1}, {option2}, ...
set activate [enable|disable]
set activate6 [enable|disable]
set bfd [enable|disable]
set capability-dynamic [enable|disable]
set capability-orf [none|receive|...]
set capability-orf6 [none|receive|...]
set capability-graceful-restart [enable|disable]
set capability-graceful-restart6 [enable|disable]
set capability-route-refresh [enable|disable]
set capability-default-originate [enable|disable]
set capability-default-originate6 [enable|disable]
set dont-capability-negotiate [enable|disable]
set ebgp-enforce-multihop [enable|disable]
set link-down-failover [enable|disable]
set stale-route [enable|disable]
set next-hop-self [enable|disable]
set next-hop-self6 [enable|disable]
set next-hop-self-rr [enable|disable]
set next-hop-self-rr6 [enable|disable]
set override-capability [enable|disable]
set passive [enable|disable]
set remove-private-as [enable|disable]
set remove-private-as6 [enable|disable]
set route-reflector-client [enable|disable]
set route-reflector-client6 [enable|disable]
set route-server-client [enable|disable]
set route-server-client6 [enable|disable]
set shutdown [enable|disable]
set soft-reconfiguration [enable|disable]
set soft-reconfiguration6 [enable|disable]
set as-override [enable|disable]
set as-override6 [enable|disable]
set strict-capability-match [enable|disable]
set default-originate-routemap {string}
set default-originate-routemap6 {string}
set distribute-list-in {string}
set distribute-list-in6 {string}

Fortinet Inc.
set distribute-list-out {string}
set distribute-list-out6 {string}
set ebgp-multihop-ttl {integer}
set filter-list-in {string}
set filter-list-in6 {string}
set filter-list-out {string}
set filter-list-out6 {string}
set maximum-prefix {integer}
set maximum-prefix6 {integer}
set maximum-prefix-threshold {integer}
set maximum-prefix-threshold6 {integer}
set maximum-prefix-warning-only [enable|disable]
set maximum-prefix-warning-only6 [enable|disable]
set prefix-list-in {string}
set prefix-list-in6 {string}
set prefix-list-out {string}
set prefix-list-out6 {string}
set remote-as {integer}
set local-as {integer}
set local-as-no-prepend [enable|disable]
set local-as-replace-as [enable|disable]
set retain-stale-time {integer}
set route-map-in {string}
set route-map-in6 {string}
set route-map-out {string}
set route-map-out-preferable {string}
set route-map-out6 {string}
set route-map-out6-preferable {string}
set send-community [standard|extended|...]
set send-community6 [standard|extended|...]
set keep-alive-timer {integer}
set connect-timer {integer}
set unsuppress-map {string}
set unsuppress-map6 {string}
set update-source {string}
set restart-time {integer}
set additional-path [send|receive|...]
set additional-path6 [send|receive|...]
set adv-additional-path {integer}
set adv-additional-path6 {integer}
config conditional-advertise
Description: Conditional advertisement.
edit <advertise-routemap>
set advertise-routemap {string}
set condition-routemap <name1>, <name2>, ...
set condition-type [exist|non-exist]
next
end
config conditional-advertise6
Description: IPv6 conditional advertisement.
edit <advertise-routemap>
set advertise-routemap {string}

Fortinet Inc.
set condition-routemap <name1>, <name2>, ...
set condition-type [exist|non-exist]
next
end
next
end
config neighbor-group
Description: BGP neighbor group table.
edit <name>
set name {string}
set advertisement-interval {integer}
set allowas-in-enable [enable|disable]
set allowas-in-enable6 [enable|disable]
set allowas-in {integer}
set allowas-in6 {integer}
set attribute-unchanged {option1}, {option2}, ...
set attribute-unchanged6 {option1}, {option2}, ...
set activate [enable|disable]
set activate6 [enable|disable]
set capability-dynamic [enable|disable]
set capability-orf [none|receive|...]
set capability-orf6 [none|receive|...]
set capability-graceful-restart [enable|disable]
set capability-graceful-restart6 [enable|disable]
set capability-route-refresh [enable|disable]
set capability-default-originate [enable|disable]
set capability-default-originate6 [enable|disable]
set dont-capability-negotiate [enable|disable]
set ebgp-enforce-multihop [enable|disable]
set link-down-failover [enable|disable]
set stale-route [enable|disable]
set next-hop-self [enable|disable]
set next-hop-self6 [enable|disable]
set next-hop-self-rr [enable|disable]
set next-hop-self-rr6 [enable|disable]
set override-capability [enable|disable]
set remove-private-as [enable|disable]
set remove-private-as6 [enable|disable]
set route-reflector-client [enable|disable]
set route-reflector-client6 [enable|disable]
set route-server-client [enable|disable]
set route-server-client6 [enable|disable]
set shutdown [enable|disable]
set soft-reconfiguration [enable|disable]
set soft-reconfiguration6 [enable|disable]
set as-override [enable|disable]
set as-override6 [enable|disable]
set strict-capability-match [enable|disable]
set default-originate-routemap {string}
set default-originate-routemap6 {string}
set distribute-list-in6 {string}
set distribute-list-out {string}

Fortinet Inc.
set distribute-list-out6 {string}
set ebgp-multihop-ttl {integer}
set filter-list-in {string}
set filter-list-in6 {string}
set filter-list-out {string}
set filter-list-out6 {string}
set maximum-prefix {integer}
set maximum-prefix6 {integer}
set maximum-prefix-threshold {integer}
set maximum-prefix-threshold6 {integer}
set maximum-prefix-warning-only [enable|disable]
set maximum-prefix-warning-only6 [enable|disable]
set prefix-list-in {string}
set prefix-list-in6 {string}
set prefix-list-out {string}
set prefix-list-out6 {string}
set remote-as {integer}
set local-as {integer}
set local-as-no-prepend [enable|disable]
set local-as-replace-as [enable|disable]
set retain-stale-time {integer}
set route-map-in {string}
set route-map-in6 {string}
set route-map-out {string}
set route-map-out-preferable {string}
set route-map-out6 {string}
set route-map-out6-preferable {string}
set send-community [standard|extended|...]
set send-community6 [standard|extended|...]
set keep-alive-timer {integer}
set connect-timer {integer}
set unsuppress-map {string}
set unsuppress-map6 {string}
set update-source {string}
set restart-time {integer}
set additional-path [send|receive|...]
set additional-path6 [send|receive|...]
set adv-additional-path {integer}
set adv-additional-path6 {integer}
next
end
config neighbor-range
Description: BGP neighbor range table.
edit <id>
set id {integer}
set prefix {ipv4-classnet}
set max-neighbor-num {integer}
set neighbor-group {string}
next
end
config neighbor-range6
Description: BGP IPv6 neighbor range table.
edit <id>

Fortinet Inc.
set id {integer}
set prefix6 {ipv6-network}
set max-neighbor-num {integer}
set neighbor-group {string}
next
end
config network
Description: BGP network table.
edit <id>
set id {integer}
set network-import-check [global|enable|...]
set backdoor [enable|disable]
set route-map {string}
next
end
set network-import-check [enable|disable]
config network6
Description: BGP IPv6 network table.
edit <id>
set id {integer}
set network-import-check [global|enable|...]
set backdoor [enable|disable]
next
end
set recursive-next-hop [enable|disable]
config redistribute
Description: BGP IPv4 redistribute table.
edit <name>
set name {string}
next
end
config redistribute6
Description: BGP IPv6 redistribute table.
edit <name>
set name {string}
next
end
set router-id {ipv4-address-any}
set scan-time {integer}
set synchronization [enable|disable]
set tag-resolve-mode [disable|preferred|...]
config vrf-leak
Description: BGP VRF leaking table.
edit <vrf>
set vrf {string}
config target
Description: Target VRF table.
edit <vrf>
set vrf {string}

Fortinet Inc.
next
end
next
end
config vrf-leak6
Description: BGP IPv6 VRF leaking table.
edit <vrf>
set vrf {string}
config target
Description: Target VRF table.
edit <vrf>
set vrf {string}
next
end
next
end
end
config router bgp
additional-path Enable/disable selection of BGP IPv4 additional option - disable

paths.
Option Description
additional-path- Number of additional paths to be selected for integer Minimum 2

select each IPv4 NLRI. value: 2
Maximum
value: 255
additional-path- Number of additional paths to be selected for integer Minimum 2

select6 each IPv6 NLRI. value: 2
Maximum
value: 255
additional-path6 Enable/disable selection of BGP IPv6 additional option - disable

paths.
Option Description

Fortinet Inc.
always-compare- Enable/disable always compare MED. option - disable

med
Option Description
as Router AS number, valid from 1 to 4294967295, 0 integer Minimum 0

to disable BGP. value: 0
Maximum
value:
4294967295
bestpath-as-path- Enable/disable ignore AS path. option - disable

ignore
Option Description
bestpath-cmp- Enable/disable compare federation AS path option - disable

confed-aspath length.
Option Description
bestpath-cmp- Enable/disable compare router ID for identical option - disable

routerid EBGP paths.
Option Description
bestpath-med- Enable/disable compare MED among option - disable

confed confederation paths.
Option Description
bestpath-med- Enable/disable treat missing MED as least option - disable

missing-as-worst preferred.

Fortinet Inc.
Option Description
client-to-client- Enable/disable client-to-client route reflection. option - enable

reflection
Option Description
cluster-id Route reflector cluster ID. ipv4- Not Specified 0.0.0.0

address-
any
confederation- Confederation identifier. integer Minimum 0

identifier value: 1
Maximum
value:
4294967295
confederation- Confederation peers. string Maximum

peers <peer> Peer ID. length: 79
dampening Enable/disable route-flap dampening. option - disable
Option Description
dampening-max- Maximum minutes a route can be suppressed. integer Minimum 60

suppress-time value: 1
Maximum
value: 255
dampening- Reachability half-life time for penalty (min). integer Minimum 15

reachability-half- value: 1
life Maximum
value: 45
dampening-reuse Threshold to reuse routes. integer Minimum 750

value: 1
Maximum
value: 20000

Fortinet Inc.
dampening-route- Criteria for dampening. string Not Specified

map
dampening- Threshold to suppress routes. integer Minimum 2000

suppress value: 1
Maximum
value: 20000
dampening- Unreachability half-life time for penalty (min). integer Minimum 15

unreachability- value: 1
half-life Maximum
value: 45
default-local- Default local preference. integer Minimum 100

preference value: 0
Maximum
value:
4294967295
deterministic-med Enable/disable enforce deterministic comparison option - disable

of MED.
Option Description
distance-external Distance for routes external to the AS. integer Minimum 20

value: 1
Maximum
value: 255
distance-internal Distance for routes internal to the AS. integer Minimum 200
value: 1
Maximum
value: 255
distance-local Distance for routes local to the AS. integer Minimum 200
value: 1
Maximum
value: 255
ebgp-multipath Enable/disable EBGP multi-path. option - disable
Option Description
enforce-first-as Enable/disable enforce first AS for EBGP routes. option - enable

Fortinet Inc.
Option Description
fast-external- Enable/disable reset peer BGP session if link option - enable

failover goes down.
Option Description
graceful-end-on- Enable/disable to exit graceful restart on timer option - disable

timer only.
Option Description
graceful-restart Enable/disable BGP graceful restart capabilities. option - disable
Option Description
graceful-restart- Time needed for neighbors to restart (sec). integer Minimum 120
time value: 1
Maximum
value: 3600
graceful- Time to hold stale paths of restarting neighbor integer Minimum 360
stalepath-time (sec). value: 1
Maximum
value: 3600
graceful-update- Route advertisement/selection delay after restart integer Minimum 120

delay (sec). value: 1
Maximum
value: 3600
holdtime-timer Number of seconds to mark peer as dead. integer Minimum 180

value: 3
Maximum
value: 65535

Fortinet Inc.
ibgp-multipath Enable/disable IBGP multi-path. option - disable
Option Description
ignore-optional- Do not send unknown optional capability option - enable

capability notification message.
Option Description
keepalive-timer Frequency to send keep alive requests. integer Minimum 60

value: 0
Maximum
value: 65535
log-neighbour- Log BGP neighbor changes. option - enable

changes
Option Description
multipath- Enable/disable use of recursive distance to select option - disable

recursive- multipath.
distance
Option Description
network-import- Enable/disable ensure BGP network route exists option - enable

check in IGP.
Option Description
recursive-next- Enable/disable recursive resolution of next-hop option - disable

hop using BGP route.

Fortinet Inc.
Option Description
router-id Router ID. ipv4- Not Specified

address-
any
scan-time Background scanner interval (sec), 0 to disable it. integer Minimum 60

value: 5
Maximum
value: 60
synchronization Enable/disable only advertise routes from iBGP if option - disable

routes present in an IGP.
Option Description
tag-resolve-mode Configure tag-match mode. Resolves BGP routes option - disable

with other routes containing the same tag.
Option Description
disable Disable tag-match mode.
preferred Use tag-match if a BGP route resolution with another route containing the
same tag is successful.
merge Merge tag-match with best-match if they are using different routes. The
result will exclude the next hops of tag-match whose interfaces have
appeared in best-match.
config admin-distance

value: 0
Maximum
value:
4294967295
neighbour- Neighbor address prefix. ipv4- Not Specified 0.0.0.0

prefix classnet 0.0.0.0
route-list Access list of routes to apply new distance to. string Not Specified

Fortinet Inc.
distance Administrative distance to apply. integer Minimum 0

value: 1
Maximum
value: 255

value: 0
Maximum
value:
4294967295
prefix Aggregate prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any
as-set Enable/disable generate AS set path information. option - disable
Option Description
summary-only Enable/disable filter more specific routes from option - disable

updates.
Option Description
config aggregate-address6

value: 0
Maximum
value:
4294967295
prefix6 Aggregate IPv6 prefix. ipv6-prefix Not Specified ::/0
as-set Enable/disable generate AS set path information. option - disable

Fortinet Inc.
Option Description
summary-only Enable/disable filter more specific routes from option - disable

updates.
Option Description
config neighbor
ip IP/IPv6 address of neighbor. string Not Specified
advertisement- Minimum interval (sec) between sending integer Minimum 30

interval updates. value: 0
Maximum
value: 600
allowas-in-enable Enable/disable IPv4 Enable to allow my AS in option - disable

AS path.
Option Description
allowas-in- Enable/disable IPv6 Enable to allow my AS in option - disable

enable6 AS path.
Option Description
allowas-in IPv4 The maximum number of occurrence of integer Minimum 3

my AS number allowed. value: 1
Maximum
value: 10

Fortinet Inc.
allowas-in6 IPv6 The maximum number of occurrence of integer Minimum 3

Maximum
value: 10
attribute- IPv4 List of attributes that should be option -

unchanged unchanged.
Option Description
as-path AS path.
med MED.
next-hop Next hop.

unchanged6 unchanged.
Option Description
as-path AS path.
med MED.
next-hop Next hop.
activate Enable/disable address family IPv4 for this option - enable

neighbor.
Option Description
activate6 Enable/disable address family IPv6 for this option - enable

neighbor.
Option Description
bfd Enable/disable BFD for this neighbor. option - disable
Option Description

Fortinet Inc.
capability-dynamic Enable/disable advertise dynamic capability option - disable

to this neighbor.
Option Description
capability-orf Accept/Send IPv4 ORF lists to/from this option - none

neighbor.
Option Description
none None.
receive Receive ORF lists.
send Send ORF list.
both Send and receive ORF lists.
capability-orf6 Accept/Send IPv6 ORF lists to/from this option - none

neighbor.
Option Description
none None.
send Send ORF list.
capability- Enable/disable advertise IPv4 graceful option - disable

graceful-restart restart capability to this neighbor.
Option Description
capability- Enable/disable advertise IPv6 graceful option - disable

graceful-restart6 restart capability to this neighbor.
Option Description
capability-route- Enable/disable advertise route refresh option - enable

refresh capability to this neighbor.

Fortinet Inc.
Option Description
capability-default- Enable/disable advertise default IPv4 route to option - disable

originate this neighbor.
Option Description

originate6 this neighbor.
Option Description
dont-capability- Do not negotiate capabilities with this option - disable

negotiate neighbor.
Option Description
ebgp-enforce- Enable/disable allow multi-hop EBGP option - disable

multihop neighbors.
Option Description
link-down-failover Enable/disable failover upon link down. option - disable
Option Description
stale-route Enable/disable stale route after neighbor option - disable

down.

Fortinet Inc.
Option Description
next-hop-self Enable/disable IPv4 next-hop calculation for option - disable

this neighbor.
Option Description
next-hop-self6 Enable/disable IPv6 next-hop calculation for option - disable

this neighbor.
Option Description
next-hop-self-rr Enable/disable setting nexthop's address to option - disable

interface's IPv4 address for route-reflector
routes.
Option Description
next-hop-self-rr6 Enable/disable setting nexthop's address to option - disable

routes.
Option Description
override-capability Enable/disable override result of capability option - disable

negotiation.
Option Description

Fortinet Inc.
passive Enable/disable sending of open messages to option - disable

this neighbor.
Option Description
remove-private-as Enable/disable remove private AS number option - disable

from IPv4 outbound updates.
Option Description
remove-private- Enable/disable remove private AS number option - disable

as6 from IPv6 outbound updates.
Option Description
route-reflector- Enable/disable IPv4 AS route reflector client. option - disable

client
Option Description

client6
Option Description
route-server-client Enable/disable IPv4 AS route server client. option - disable
Option Description

Fortinet Inc.
route-server- Enable/disable IPv6 AS route server client. option - disable

client6
Option Description
shutdown Enable/disable shutdown this neighbor. option - disable
Option Description
soft- Enable/disable allow IPv4 inbound soft option - disable

reconfiguration reconfiguration.
Option Description

reconfiguration6 reconfiguration.
Option Description
as-override Enable/disable replace peer AS with own AS option - disable

for IPv4.
Option Description
as-override6 Enable/disable replace peer AS with own AS option - disable

for IPv6.
Option Description

Fortinet Inc.
strict-capability- Enable/disable strict capability matching. option - disable

match
Option Description
default-originate- Route map to specify criteria to originate IPv4 string Not Specified
routemap default.
routemap6 default.
distribute-list-in Filter for IPv4 updates from this neighbor. string Not Specified
distribute-list-in6 Filter for IPv6 updates from this neighbor. string Not Specified
distribute-list-out Filter for IPv4 updates to this neighbor. string Not Specified
distribute-list-out6 Filter for IPv6 updates to this neighbor. string Not Specified
ebgp-multihop-ttl EBGP multihop TTL for this peer. integer Minimum 255
value: 1
Maximum
value: 255
filter-list-in BGP filter for IPv4 inbound routes. string Not Specified
filter-list-in6 BGP filter for IPv6 inbound routes. string Not Specified
filter-list-out BGP filter for IPv4 outbound routes. string Not Specified
filter-list-out6 BGP filter for IPv6 outbound routes. string Not Specified
interface Specify outgoing interface for peer string Not Specified

connection. For IPv6 peer, the interface
should have link-local address.
maximum-prefix Maximum number of IPv4 prefixes to accept integer Minimum 0

from this peer. value: 1
Maximum
value:
4294967295
maximum-prefix6 Maximum number of IPv6 prefixes to accept integer Minimum 0

Maximum
value:
4294967295

Fortinet Inc.
maximum-prefix- Maximum IPv4 prefix threshold value. integer Minimum 75

threshold value: 1
Maximum
value: 100

threshold6 value: 1
Maximum
value: 100
maximum-prefix- Enable/disable IPv4 Only give warning option - disable

warning-only message when limit is exceeded.
Option Description

warning-only6 message when limit is exceeded.
Option Description
prefix-list-in IPv4 Inbound filter for updates from this string Not Specified
neighbor.
prefix-list-in6 IPv6 Inbound filter for updates from this string Not Specified
neighbor.
prefix-list-out IPv4 Outbound filter for updates to this string Not Specified
neighbor.
prefix-list-out6 IPv6 Outbound filter for updates to this string Not Specified
neighbor.
remote-as AS number of neighbor. integer Minimum 0

value: 1
Maximum
value:
4294967295
local-as Local AS number of neighbor. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
local-as-no- Do not prepend local-as to incoming updates. option - disable

prepend
Option Description
local-as-replace- Replace real AS with local-as in outgoing option - disable

as updates.
Option Description
retain-stale-time Time to retain stale routes. integer Minimum 0

value: 0
Maximum
value: 65535
route-map-in IPv4 Inbound route map filter. string Not Specified
route-map-in6 IPv6 Inbound route map filter. string Not Specified
route-map-out IPv4 outbound route map filter. string Not Specified
route-map-out- IPv4 outbound route map filter if the peer is string Not Specified
preferable preferred.
route-map-out6 IPv6 Outbound route map filter. string Not Specified
route-map-out6- IPv6 outbound route map filter if the peer is string Not Specified
send-community IPv4 Send community attribute to neighbor. option - both
Option Description
standard Standard.
extended Extended.
both Both.
disable Disable
send-community6 IPv6 Send community attribute to neighbor. option - both
Option Description
standard Standard.

Fortinet Inc.
Option Description
extended Extended.
both Both.
disable Disable
keep-alive-timer Keep alive timer interval (sec). integer Minimum 4294967295

value: 0
Maximum
value: 65535
holdtime-timer Interval (sec) before peer considered dead. integer Minimum 4294967295
value: 3
Maximum
value: 65535
connect-timer Interval (sec) for connect timer. integer Minimum 4294967295

value: 0
Maximum
value: 65535
unsuppress-map IPv4 Route map to selectively unsuppress string Not Specified

suppressed routes.
unsuppress-map6 IPv6 Route map to selectively unsuppress string Not Specified

suppressed routes.
update-source Interface to use as source IP/IPv6 address of string Not Specified

TCP connections.
weight Neighbor weight. integer Minimum 4294967295

value: 0
Maximum
value: 65535
restart-time Graceful restart delay time. integer Minimum 0

value: 0
Maximum
value: 3600
additional-path Enable/disable IPv4 additional-path option - disable

capability.
Option Description
send Enable sending additional paths.
receive Enable receiving additional paths.
both Enable sending and receiving additional paths.

Fortinet Inc.
Option Description
disable Disable additional paths.
additional-path6 Enable/disable IPv6 additional-path option - disable

capability.
Option Description
adv-additional- Number of IPv4 additional paths that can be integer Minimum 2

path advertised to this neighbor. value: 2
Maximum
value: 255

path6 advertised to this neighbor. value: 2
Maximum
value: 255
password Password used in MD5 authentication. password Not Specified
config conditional-advertise
advertise- Name of advertising route map. string Not

routemap Specified
condition- List of conditional route maps. string Maximum

routemap route map length: 79
<name>
condition-type Type of condition. option - exist
Option Description
exist True if condition route map is matched.
non-exist True if condition route map is not matched.

Fortinet Inc.
config conditional-advertise6
advertise- Name of advertising route map. string Not

routemap Specified
condition- List of conditional route maps. string Maximum

routemap route map length: 79
<name>
condition-type Type of condition. option - exist
Option Description
exist True if condition route map is matched.
non-exist True if condition route map is not matched.
config neighbor-group
name Neighbor group name. string Not Specified
advertisement- Minimum interval (sec) between sending integer Minimum 30

interval updates. value: 0
Maximum
value: 600
allowas-in-enable Enable/disable IPv4 Enable to allow my AS in option - disable

AS path.
Option Description
allowas-in- Enable/disable IPv6 Enable to allow my AS in option - disable

enable6 AS path.
Option Description
allowas-in IPv4 The maximum number of occurrence of integer Minimum 3

Maximum
value: 10

Fortinet Inc.
allowas-in6 IPv6 The maximum number of occurrence of integer Minimum 3

Maximum
value: 10

unchanged unchanged.
Option Description
as-path AS path.
med MED.
next-hop Next hop.

unchanged6 unchanged.
Option Description
as-path AS path.
med MED.
next-hop Next hop.
activate Enable/disable address family IPv4 for this option - enable

neighbor.
Option Description
activate6 Enable/disable address family IPv6 for this option - enable

neighbor.
Option Description
bfd Enable/disable BFD for this neighbor. option - disable
Option Description

Fortinet Inc.
capability-dynamic Enable/disable advertise dynamic capability to option - disable

this neighbor.
Option Description
capability-orf Accept/Send IPv4 ORF lists to/from this option - none

neighbor.
Option Description
none None.
send Send ORF list.
capability-orf6 Accept/Send IPv6 ORF lists to/from this option - none

neighbor.
Option Description
none None.
send Send ORF list.
capability- Enable/disable advertise IPv4 graceful restart option - disable

graceful-restart capability to this neighbor.
Option Description
capability- Enable/disable advertise IPv6 graceful restart option - disable

graceful-restart6 capability to this neighbor.
Option Description
capability-route- Enable/disable advertise route refresh option - enable

refresh capability to this neighbor.

Fortinet Inc.
Option Description

originate this neighbor.
Option Description

originate6 this neighbor.
Option Description
dont-capability- Do not negotiate capabilities with this option - disable

negotiate neighbor.
Option Description
ebgp-enforce- Enable/disable allow multi-hop EBGP option - disable

multihop neighbors.
Option Description
link-down-failover Enable/disable failover upon link down. option - disable
Option Description
stale-route Enable/disable stale route after neighbor option - disable

down.

Fortinet Inc.
Option Description
next-hop-self Enable/disable IPv4 next-hop calculation for option - disable

this neighbor.
Option Description
next-hop-self6 Enable/disable IPv6 next-hop calculation for option - disable

this neighbor.
Option Description
next-hop-self-rr Enable/disable setting nexthop's address to option - disable

routes.
Option Description
next-hop-self-rr6 Enable/disable setting nexthop's address to option - disable

routes.
Option Description
override-capability Enable/disable override result of capability option - disable

negotiation.
Option Description

Fortinet Inc.
passive Enable/disable sending of open messages to option - disable

this neighbor.
Option Description
remove-private-as Enable/disable remove private AS number option - disable

from IPv4 outbound updates.
Option Description
remove-private- Enable/disable remove private AS number option - disable

as6 from IPv6 outbound updates.
Option Description

client
Option Description

client6
Option Description
route-server-client Enable/disable IPv4 AS route server client. option - disable
Option Description

Fortinet Inc.
route-server- Enable/disable IPv6 AS route server client. option - disable

client6
Option Description
shutdown Enable/disable shutdown this neighbor. option - disable
Option Description

reconfiguration reconfiguration.
Option Description

reconfiguration6 reconfiguration.
Option Description
as-override Enable/disable replace peer AS with own AS option - disable

for IPv4.
Option Description
as-override6 Enable/disable replace peer AS with own AS option - disable

for IPv6.
Option Description

Fortinet Inc.
strict-capability- Enable/disable strict capability matching. option - disable

match
Option Description
routemap default.
routemap6 default.
distribute-list-in Filter for IPv4 updates from this neighbor. string Not Specified
distribute-list-in6 Filter for IPv6 updates from this neighbor. string Not Specified
distribute-list-out Filter for IPv4 updates to this neighbor. string Not Specified
distribute-list-out6 Filter for IPv6 updates to this neighbor. string Not Specified
ebgp-multihop-ttl EBGP multihop TTL for this peer. integer Minimum 255
value: 1
Maximum
value: 255
filter-list-in BGP filter for IPv4 inbound routes. string Not Specified
filter-list-in6 BGP filter for IPv6 inbound routes. string Not Specified
filter-list-out BGP filter for IPv4 outbound routes. string Not Specified
filter-list-out6 BGP filter for IPv6 outbound routes. string Not Specified
interface Specify outgoing interface for peer connection. string Not Specified
For IPv6 peer, the interface should have link-
local address.
maximum-prefix Maximum number of IPv4 prefixes to accept integer Minimum 0

Maximum
value:
4294967295
maximum-prefix6 Maximum number of IPv6 prefixes to accept integer Minimum 0

Maximum
value:
4294967295

Fortinet Inc.

threshold value: 1
Maximum
value: 100

threshold6 value: 1
Maximum
value: 100

warning-only message when limit is exceeded.
Option Description

warning-only6 message when limit is exceeded.
Option Description
prefix-list-in IPv4 Inbound filter for updates from this string Not Specified
neighbor.
prefix-list-in6 IPv6 Inbound filter for updates from this string Not Specified
neighbor.
prefix-list-out IPv4 Outbound filter for updates to this string Not Specified
neighbor.
prefix-list-out6 IPv6 Outbound filter for updates to this string Not Specified
neighbor.
remote-as AS number of neighbor. integer Minimum 0

value: 1
Maximum
value:
4294967295
local-as Local AS number of neighbor. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
local-as-no- Do not prepend local-as to incoming updates. option - disable

prepend
Option Description
local-as-replace- Replace real AS with local-as in outgoing option - disable

as updates.
Option Description
retain-stale-time Time to retain stale routes. integer Minimum 0

value: 0
Maximum
value: 65535
route-map-in IPv4 Inbound route map filter. string Not Specified
route-map-in6 IPv6 Inbound route map filter. string Not Specified
route-map-out IPv4 outbound route map filter. string Not Specified
route-map-out- IPv4 outbound route map filter if the peer is string Not Specified
route-map-out6 IPv6 Outbound route map filter. string Not Specified
route-map-out6- IPv6 outbound route map filter if the peer is string Not Specified
send-community IPv4 Send community attribute to neighbor. option - both
Option Description
standard Standard.
extended Extended.
both Both.
disable Disable
send-community6 IPv6 Send community attribute to neighbor. option - both
Option Description
standard Standard.

Fortinet Inc.
Option Description
extended Extended.
both Both.
disable Disable
keep-alive-timer Keep alive timer interval (sec). integer Minimum 4294967295

value: 0
Maximum
value: 65535
holdtime-timer Interval (sec) before peer considered dead. integer Minimum 4294967295
value: 3
Maximum
value: 65535
connect-timer Interval (sec) for connect timer. integer Minimum 4294967295

value: 0
Maximum
value: 65535
unsuppress-map IPv4 Route map to selectively unsuppress string Not Specified

suppressed routes.
unsuppress-map6 IPv6 Route map to selectively unsuppress string Not Specified

suppressed routes.
update-source Interface to use as source IP/IPv6 address of string Not Specified

TCP connections.
weight Neighbor weight. integer Minimum 4294967295

value: 0
Maximum
value: 65535
restart-time Graceful restart delay time. integer Minimum 0

value: 0
Maximum
value: 3600
additional-path Enable/disable IPv4 additional-path capability. option - disable
Option Description

Fortinet Inc.
additional-path6 Enable/disable IPv6 additional-path capability. option - disable
Option Description

path advertised to this neighbor. value: 2
Maximum
value: 255

path6 advertised to this neighbor. value: 2
Maximum
value: 255
config neighbor-range
id Neighbor range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
prefix Neighbor range prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0
max- Maximum number of neighbors. integer Minimum 0

neighbor-num value: 1
Maximum
value: 1000
neighbor- Neighbor group name. string Not Specified

group

Fortinet Inc.
config neighbor-range6
id IPv6 neighbor range ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
prefix6 IPv6 prefix. ipv6- Not Specified ::/0

network
max- Maximum number of neighbors. integer Minimum 0

neighbor-num value: 1
Maximum
value: 1000
neighbor- Neighbor group name. string Not Specified

group
config network

value: 0
Maximum
value:
4294967295
prefix Network prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0
network- Configure insurance of BGP network route existence option - global

import-check in IGP.
Option Description
global Use global network sync value.
enable Enable network sync per prefix.
disable Disable network sync per prefix.
backdoor Enable/disable route as backdoor. option - disable
Option Description
route-map Route map to modify generated route. string Not Specified

Fortinet Inc.
config network6

value: 0
Maximum
value:
4294967295
prefix6 Network IPv6 prefix. ipv6- Not Specified ::/0

network
network- Configure insurance of BGP network route existence option - global

import-check in IGP.
Option Description
global Use global network sync value.
enable Enable network sync per prefix.
disable Disable network sync per prefix.
backdoor Enable/disable route as backdoor. option - disable
Option Description
route-map Route map to modify generated route. string Not Specified
config redistribute
name Distribute list entry name. string Not

Specified
status Status. option - disable
Option Description
route-map Route map name. string Not

Specified

Fortinet Inc.
name Distribute list entry name. string Not

Specified
Option Description
route-map Route map name. string Not

Specified
config vrf-leak
vrf Origin VRF ID. string Not

Specified
config target
vrf Target VRF ID. string Not

Specified
route-map Route map of VRF leaking. string Not

Specified
interface Interface which is used to leak routes to target VRF. string Not
Specified
config vrf-leak6
vrf Origin VRF ID. string Not

Specified
config target
vrf Target VRF ID. string Not

Specified

Fortinet Inc.
route-map Route map of VRF leaking. string Not

Specified
interface Interface which is used to leak routes to target VRF. string Not
Specified
config router community-list
Configure community lists.

Description: Configure community lists.
edit <name>
set name {string}
config rule
Description: Community list rule.
edit <id>
set id {integer}
set regexp {string}
set match {string}
next
end
set type [standard|expanded]
next
end
name Community list name. string Not

Specified
type Community list type (standard or expanded). option - standard
Option Description
standard Standard community list type.
expanded Expanded community list type.

Fortinet Inc.
config rule

value: 0
Maximum
value:
4294967295
action Permit or deny route-based operations, based on the option -

route's COMMUNITY attribute.
Option Description
deny Deny route-based operations.
permit Permit or allow route-based operations.
regexp Ordered list of COMMUNITY attributes as a regular string Not Specified

expression.
match Community specifications for matching a reserved string Not Specified

community.
config router info
Show routing information.

config router info
Description: Show routing information.
end
config router info6
Show IPv6 routing information.

config router info6
Description: Show IPv6 routing information.
end
config router isis
Configure IS-IS.
config router isis
Description: Configure IS-IS.
set adjacency-check [enable|disable]
set adjacency-check6 [enable|disable]
set adv-passive-only [enable|disable]
set adv-passive-only6 [enable|disable]
set auth-keychain-l1 {string}

Fortinet Inc.
set auth-mode-l1 [password|md5]
set auth-mode-l2 [password|md5]
set auth-password-l1 {password}
set auth-sendonly-l1 [enable|disable]
set auth-sendonly-l2 [enable|disable]
set default-originate [enable|disable]
set default-originate6 [enable|disable]
set dynamic-hostname [enable|disable]
set ignore-lsp-errors [enable|disable]
set is-type [level-1-2|level-1|...]
config isis-interface
Description: IS-IS interface configuration.
edit <name>
set name {string}
set status6 [enable|disable]
set network-type [broadcast|point-to-point|...]
set circuit-type [level-1-2|level-1|...]
set csnp-interval-l1 {integer}
set csnp-interval-l2 {integer}
set hello-interval-l1 {integer}
set hello-interval-l2 {integer}
set hello-multiplier-l1 {integer}
set hello-multiplier-l2 {integer}
set hello-padding [enable|disable]
set lsp-interval {integer}
set lsp-retransmit-interval {integer}
set metric-l1 {integer}
set metric-l2 {integer}
set wide-metric-l1 {integer}
set wide-metric-l2 {integer}
set auth-send-only-l1 [enable|disable]
set auth-send-only-l2 [enable|disable]
set auth-mode-l1 [md5|password]
set auth-mode-l2 [md5|password]
set priority-l1 {integer}
set priority-l2 {integer}
set mesh-group [enable|disable]
set mesh-group-id {integer}
next
end
config isis-net
Description: IS-IS net configuration.
edit <id>
set id {integer}
set net {user}
next
end
set lsp-gen-interval-l1 {integer}
set lsp-gen-interval-l2 {integer}

Fortinet Inc.
set lsp-refresh-interval {integer}
set max-lsp-lifetime {integer}
set metric-style [narrow|wide|...]
set overload-bit [enable|disable]
set overload-bit-on-startup {integer}
set overload-bit-suppress {option1}, {option2}, ...
config redistribute
Description: IS-IS redistribute protocols.
edit <protocol>
set metric {integer}
set metric-type [external|internal]
set level [level-1-2|level-1|...]
set routemap {string}
next
end
set redistribute-l1 [enable|disable]
set redistribute-l1-list {string}
set redistribute-l2 [enable|disable]
set redistribute-l2-list {string}
Description: IS-IS IPv6 redistribution for routing protocols.
edit <protocol>
set metric-type [external|internal]
next
end
set redistribute6-l1 [enable|disable]
set redistribute6-l1-list {string}
set redistribute6-l2 [enable|disable]
set redistribute6-l2-list {string}
set spf-interval-exp-l1 {user}
set spf-interval-exp-l2 {user}
config summary-address
Description: IS-IS summary addresses.
edit <id>
set id {integer}
next
end
config summary-address6
Description: IS-IS IPv6 summary address.
edit <id>
set id {integer}
next
end
end

Fortinet Inc.
config router isis
adjacency- Enable/disable adjacency check. option - disable

check
Option Description
enable Enable adjacency check.
disable Disable adjacency check.
adjacency- Enable/disable IPv6 adjacency check. option - disable

check6
Option Description
enable Enable IPv6 adjacency check.
disable Disable IPv6 adjacency check.
adv-passive- Enable/disable IS-IS advertisement of passive option - disable

only interfaces only.
Option Description
enable Advertise passive interfaces only.
disable Advertise all IS-IS enabled interfaces.
adv-passive- Enable/disable IPv6 IS-IS advertisement of passive option - disable

only6 interfaces only.
Option Description
enable Advertise passive interfaces only.
disable Advertise all IS-IS enabled interfaces.
auth-keychain- Authentication key-chain for level 1 PDUs. string Not

l1 Specified
auth-keychain- Authentication key-chain for level 2 PDUs. string Not

l2 Specified
auth-mode-l1 Level 1 authentication mode. option - password
Option Description
password Password.
md5 MD5.

Fortinet Inc.
Option Description
password Password.
md5 MD5.
auth-password- Authentication password for level 1 PDUs. password Not

l1 Specified
auth-password- Authentication password for level 2 PDUs. password Not

l2 Specified
auth-sendonly- Enable/disable level 1 authentication send-only. option - disable

l1
Option Description
enable Enable level 1 authentication send-only.
disable Disable level 1 authentication send-only.
auth-sendonly- Enable/disable level 2 authentication send-only. option - disable

l2
Option Description
enable Enable level 2 authentication send-only.
disable Disable level 2 authentication send-only.
default- Enable/disable distribution of default route option - disable

originate information.
Option Description
enable Enable distribution of default route information.
disable Disable distribution of default route information.
default- Enable/disable distribution of default IPv6 route option - disable

originate6 information.
Option Description
enable Enable distribution of default IPv6 route information.
disable Disable distribution of default IPv6 route information.
dynamic- Enable/disable dynamic hostname. option - disable

hostname

Fortinet Inc.
Option Description
enable Enable dynamic hostname.
disable Disable dynamic hostname.
ignore-lsp- Enable/disable ignoring of LSP errors with bad option - disable

errors checksums.
Option Description
enable Enable ignoring of LSP errors with bad checksums.
disable Disable ignoring of LSP errors with bad checksums.
is-type IS type. option - level-1-2
Option Description
level-1-2 Level 1 and 2.
level-1 Level 1 only.
level-2-only Level 2 only.
lsp-gen- Minimum interval for level 1 LSP regenerating. integer Minimum 30

interval-l1 value: 1
Maximum
value: 120
lsp-gen- Minimum interval for level 2 LSP regenerating. integer Minimum 30

interval-l2 value: 1
Maximum
value: 120
lsp-refresh- LSP refresh time in seconds. integer Minimum 900

interval value: 1
Maximum
value:
65535
max-lsp- Maximum LSP lifetime in seconds. integer Minimum 1200

lifetime value: 350
Maximum
value:
65535
metric-style Use old-style (ISO 10589) or new-style packet option - narrow

formats.

Fortinet Inc.
Option Description
narrow Use old style of TLVs with narrow metric.
wide Use new style of TLVs to carry wider metric.
transition Send and accept both styles of TLVs during transition.
narrow-transition Narrow and accept both styles of TLVs during transition.
narrow- Narrow-transition level-1 only.

transition-l1
narrow- Narrow-transition level-2 only.

transition-l2
wide-l1 Wide level-1 only.
wide-l2 Wide level-2 only.
wide-transition Wide and accept both styles of TLVs during transition.
wide-transition-l1 Wide-transition level-1 only.
wide-transition-l2 Wide-transition level-2 only.
transition-l1 Transition level-1 only.
transition-l2 Transition level-2 only.
overload-bit Enable/disable signal other routers not to use us in option - disable

SPF.
Option Description
enable Enable overload bit.
disable Disable overload bit.
overload-bit- Overload-bit only temporarily after reboot. integer Minimum 0

on-startup value: 5
Maximum
value:
86400
overload-bit- Suppress overload-bit for the specific prefixes. option -

suppress
Option Description
external External.
interlevel Inter-level.

Fortinet Inc.
redistribute-l1 Enable/disable redistribution of level 1 routes into option - disable

level 2.
Option Description
enable Enable redistribution of level 1 routes into level 2.
disable Disable redistribution of level 1 routes into level 2.
redistribute-l1- Access-list for route redistribution from l1 to l2. string Not

list Specified
redistribute-l2 Enable/disable redistribution of level 2 routes into option - disable

level 1.
Option Description
enable Enable redistribution of level 2 routes into level 1.
disable Disable redistribution of level 2 routes into level 1.
redistribute-l2- Access-list for route redistribution from l2 to l1. string Not

list Specified
redistribute6-l1 Enable/disable redistribution of level 1 IPv6 routes option - disable

into level 2.
Option Description
enable Enable redistribution of level 1 IPv6 routes into level 2.
disable Disable redistribution of level 1 IPv6 routes into level 2.
redistribute6-l1- Access-list for IPv6 route redistribution from l1 to l2. string Not
list Specified
redistribute6-l2 Enable/disable redistribution of level 2 IPv6 routes option - disable

into level 1.
Option Description
enable Enable redistribution of level 2 IPv6 routes into level 1.
disable Disable redistribution of level 2 IPv6 routes into level 1.
redistribute6-l2- Access-list for IPv6 route redistribution from l2 to l1. string Not
list Specified
spf-interval- Level 1 SPF calculation delay. user Not

exp-l1 Specified
spf-interval- Level 2 SPF calculation delay. user Not

exp-l2 Specified

Fortinet Inc.
config isis-interface
name IS-IS interface name. string Not Specified
status Enable/disable interface for IS-IS. option - disable
Option Description
enable Enable interface for IS-IS.
disable Disable interface for IS-IS.
status6 Enable/disable IPv6 interface for IS-IS. option - disable
Option Description
enable Enable IPv6 interface for IS-IS.
disable Disable IPv6 interface for IS-IS.
network-type IS-IS interface's network type. option -
Option Description
broadcast Broadcast.
point-to-point Point-to-point.
loopback Loopback.
circuit-type IS-IS interface's circuit type. option - level-1-2
Option Description
level-1 Level 1.
level-2 Level 2.
csnp-interval- Level 1 CSNP interval. integer Minimum 10

l1 value: 1
Maximum
value: 65535
csnp-interval- Level 2 CSNP interval. integer Minimum 10

l2 value: 1
Maximum
value: 65535
hello-interval- Level 1 hello interval. integer Minimum 10

l1 value: 0
Maximum
value: 65535

Fortinet Inc.
hello-interval- Level 2 hello interval. integer Minimum 10

l2 value: 0
Maximum
value: 65535
hello- Level 1 multiplier for Hello holding time. integer Minimum 3

multiplier-l1 value: 2
Maximum
value: 100
hello- Level 2 multiplier for Hello holding time. integer Minimum 3

multiplier-l2 value: 2
Maximum
value: 100
hello-padding Enable/disable padding to IS-IS hello packets. option - enable
Option Description
enable Enable padding to IS-IS hello packets.
disable Disable padding to IS-IS hello packets.
lsp-interval LSP transmission interval (milliseconds). integer Minimum 33

value: 1
Maximum
value:
4294967295
lsp- LSP retransmission interval (sec). integer Minimum 5

retransmit- value: 1
interval Maximum
value: 65535
metric-l1 Level 1 metric for interface. integer Minimum 10

value: 1
Maximum
value: 63
metric-l2 Level 2 metric for interface. integer Minimum 10

value: 1
Maximum
value: 63
wide-metric-l1 Level 1 wide metric for interface. integer Minimum 10

value: 1
Maximum
value:
16777214

Fortinet Inc.
wide-metric-l2 Level 2 wide metric for interface. integer Minimum 10

value: 1
Maximum
value:
16777214
auth- Authentication password for level 1 PDUs. password Not Specified

password-l1
auth- Authentication password for level 2 PDUs. password Not Specified

password-l2
auth- Authentication key-chain for level 1 PDUs. string Not Specified

keychain-l1
auth- Authentication key-chain for level 2 PDUs. string Not Specified

keychain-l2
auth-send- Enable/disable authentication send-only for level 1 option - disable

only-l1 PDUs.
Option Description
enable Enable authentication send-only for level 1 PDUs.
disable Disable authentication send-only for level 1 PDUs.
auth-send- Enable/disable authentication send-only for level 2 option - disable

only-l2 PDUs.
Option Description
enable Enable authentication send-only for level 2 PDUs.
disable Disable authentication send-only for level 2 PDUs.
Option Description
md5 MD5.
password Password.
Option Description
md5 MD5.
password Password.

Fortinet Inc.
priority-l1 Level 1 priority. integer Minimum 64

value: 0
Maximum
value: 127
priority-l2 Level 2 priority. integer Minimum 64

value: 0
Maximum
value: 127
mesh-group Enable/disable IS-IS mesh group. option - disable
Option Description
enable Enable IS-IS mesh group.
disable Disable IS-IS mesh group.
mesh-group- Mesh group ID <0-4294967295>, 0: mesh-group integer Minimum 0

id blocked. value: 0
Maximum
value:
4294967295
config isis-net
id ISIS network ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
net IS-IS networks (format = xx.xxxx. .xxxx.xx.). user Not Specified
config redistribute
protocol Protocol name. string Not Specified
Option Description
enable Enable.
disable Disable.

Fortinet Inc.
metric Metric. integer Minimum 0

value: 0
Maximum
value:
4261412864
metric-type Metric type. option - internal
Option Description
external External.
internal Internal.
level Level. option - level-2
Option Description
level-1 Level 1.
level-2 Level 2.
routemap Route map name. string Not Specified
protocol Protocol name. string Not Specified
status Enable/disable redistribution. option - disable
Option Description
enable Enable redistribution.
disable Disable redistribution.
metric Metric. integer Minimum 0

value: 0
Maximum
value:
4261412864
metric-type Metric type. option - internal
Option Description
external External metric type.
internal Internal metric type.

Fortinet Inc.
Option Description
level-1 Level 1.
level-2 Level 2.
id Summary address entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
prefix Prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any
Option Description
level-1 Level 1.
level-2 Level 2.
config summary-address6
id Prefix entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
prefix6 IPv6 prefix. ipv6-prefix Not Specified ::/0

Fortinet Inc.
Option Description
level-1 Level 1.
level-2 Level 2.
config router key-chain
Configure key-chain.
Description: Configure key-chain.
edit <name>
config key
Description: Configuration method to edit key settings.
edit <id>
set id {string}
set accept-lifetime {user}
set send-lifetime {user}
set key-string {password}
set algorithm [md5|hmac-sha1|...]
next
end
set name {string}
next
end
name Key-chain name. string Not

Specified
config key
id Key ID. string Not

Specified
accept- Lifetime of received authentication key (format: user Not

lifetime hh:mm:ss day month year). Specified
send-lifetime Lifetime of sent authentication key (format: hh:mm:ss user Not

day month year). Specified

Fortinet Inc.
key-string Password for the key (maximum = 64 characters). password Not

Specified
algorithm Cryptographic algorithm. option - md5
Option Description
md5 MD5.
hmac-sha1 HMAC-SHA1.
config router multicast-flow
Configure multicast-flow.
Description: Configure multicast-flow.
edit <name>
config flows
Description: Multicast-flow entries.
edit <id>
set id {integer}
set group-addr {ipv4-address-any}
set source-addr {ipv4-address-any}
next
end
set name {string}
next
end

Specified

Specified

Fortinet Inc.
config flows
id Flow ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
group-addr Multicast group IP address. ipv4- Not Specified 0.0.0.0

address-
any
source-addr Multicast source IP address. ipv4- Not Specified 0.0.0.0

address-
any
config router multicast
Configure router multicast.

Description: Configure router multicast.
config interface
Description: PIM interfaces.
edit <name>
set name {string}
set ttl-threshold {integer}
set pim-mode [sparse-mode|dense-mode]
set neighbour-filter {string}
set hello-interval {integer}
set hello-holdtime {integer}
set cisco-exclude-genid [enable|disable]
set dr-priority {integer}
set propagation-delay {integer}
set state-refresh-interval {integer}
set rp-candidate [enable|disable]
set rp-candidate-group {string}
set rp-candidate-priority {integer}
set rp-candidate-interval {integer}
set multicast-flow {string}
set static-group {string}
set rpf-nbr-fail-back [enable|disable]
set rpf-nbr-fail-back-filter {string}
config join-group
Description: Join multicast groups.
edit <address>
set address {ipv4-address-any}
next
end
config igmp

Fortinet Inc.
Description: IGMP configuration options.
set access-group {string}
set version [3|2|...]
set immediate-leave-group {string}
set last-member-query-interval {integer}
set last-member-query-count {integer}
set query-max-response-time {integer}
set query-interval {integer}
set query-timeout {integer}
set router-alert-check [enable|disable]
end
next
end
set multicast-routing [enable|disable]
config pim-sm-global
Description: PIM sparse-mode global settings.
set message-interval {integer}
set join-prune-holdtime {integer}
set accept-register-list {string}
set accept-source-list {string}
set bsr-candidate [enable|disable]
set bsr-interface {string}
set bsr-priority {integer}
set bsr-hash {integer}
set bsr-allow-quick-refresh [enable|disable]
set cisco-register-checksum [enable|disable]
set cisco-register-checksum-group {string}
set cisco-crp-prefix [enable|disable]
set cisco-ignore-rp-set-priority [enable|disable]
set register-rp-reachability [enable|disable]
set register-source [disable|interface|...]
set register-source-interface {string}
set register-source-ip {ipv4-address}
set register-supression {integer}
set null-register-retries {integer}
set rp-register-keepalive {integer}
set spt-threshold [enable|disable]
set spt-threshold-group {string}
set ssm [enable|disable]
set ssm-range {string}
set register-rate-limit {integer}
config rp-address
Description: Statically configure RP addresses.
edit <id>
set id {integer}
set ip-address {ipv4-address}
set group {string}
next
end
end
set route-limit {integer}
set route-threshold {integer}
end

Fortinet Inc.
multicast- Enable/disable IP multicast routing. option - disable

routing
Option Description
enable Enable IP multicast routing.
disable Disable IP multicast routing.
route-limit Maximum number of multicast routes. integer Minimum 2147483647

value: 1
Maximum
value:
2147483647
route- Generate warnings when the number of multicast integer Minimum

threshold routes exceeds this number, must not be greater value: 1
than route-limit. Maximum
value:
2147483647
config interface
name Interface name. string Not Specified
ttl-threshold Minimum TTL of multicast packets that will be integer Minimum 1

forwarded. value: 1
Maximum
value: 255
pim-mode PIM operation mode. option - sparse-

mode
Option Description
sparse-mode sparse-mode
dense-mode dense-mode
passive Enable/disable listening to IGMP but not participating option - disable

in PIM.
Option Description
enable Listen only.
disable Participate in PIM.

Fortinet Inc.
bfd Enable/disable Protocol Independent Multicast (PIM) option - disable

Bidirectional Forwarding Detection (BFD).
Option Description
enable Enable Protocol Independent Multicast (PIM) Bidirectional Forwarding

Detection (BFD).
disable Disable Protocol Independent Multicast (PIM) Bidirectional Forwarding

Detection (BFD).
neighbour-filter Routers acknowledged as neighbor routers. string Not Specified
hello-interval Interval between sending PIM hello messages. integer Minimum 30

value: 1
Maximum
value: 65535
hello-holdtime Time before old neighbor information expires. integer Minimum

value: 1
Maximum
value: 65535
cisco-exclude- Exclude GenID from hello packets (compatibility with option - disable
genid old Cisco IOS).
Option Description
enable Do not send GenID.
disable Send GenID according to standard.
dr-priority DR election priority. integer Minimum 1

value: 1
Maximum
value:
4294967295
propagation- Delay flooding packets on this interface. integer Minimum 500

delay value: 100
Maximum
value: 5000
state-refresh- Interval between sending state-refresh packets. integer Minimum 60

interval value: 1
Maximum
value: 100
rp-candidate Enable/disable compete to become RP in elections. option - disable

Fortinet Inc.
Option Description
enable Compete for RP elections.
disable Do not compete for RP elections.
rp-candidate- Multicast groups managed by this RP. string Not Specified

group
rp-candidate- Router's priority as RP. integer Minimum 192

priority value: 0
Maximum
value: 255
rp-candidate- RP candidate advertisement interval. integer Minimum 60

interval value: 1
Maximum
value: 16383
multicast-flow Acceptable source for multicast group. string Not Specified
static-group Statically set multicast groups to forward out. string Not Specified
rpf-nbr-fail- Enable/disable fail back for RPF neighbor query. option - disable
back
Option Description
enable Enable fail back for RPF neighbor query.
disable Disable fail back for RPF neighbor query.
rpf-nbr-fail- Filter for fail back RPF neighbors. string Not Specified
back-filter
config join-group
address Multicast group IP address. ipv4- Not 0.0.0.0

address- Specified
any
config igmp
access-group Groups IGMP hosts are allowed to join. string Not

Specified
version Maximum version of IGMP to support. option - 3

Fortinet Inc.
Option Description
3 Version 3 and lower.
2 Version 2 and lower.
1 Version 1.
immediate- Groups to drop membership for immediately after string Not

leave-group receiving IGMPv2 leave. Specified
last-member- Timeout between IGMPv2 leave and removing group. integer Minimum 1000
query-interval value: 1
Maximum
value:
65535
last-member- Number of group specific queries before removing integer Minimum 2

query-count group. value: 2
Maximum
value: 7
query-max- Maximum time to wait for a IGMP query response. integer Minimum 10
response- value: 1
time Maximum
value: 25
query-interval Interval between queries to IGMP hosts. integer Minimum 125

value: 1
Maximum
value:
65535
query-timeout Timeout between queries before becoming querying integer Minimum 255
unit for network. value: 60
Maximum
value: 900
router-alert- Enable/disable require IGMP packets contain router option - disable

check alert option.
Option Description
enable Require Router Alert option in IGMP packets.
disable don't require Router Alert option in IGMP packets

Fortinet Inc.
message- Period of time between sending periodic PIM join/prune integer Minimum 60
interval messages in seconds. value: 1
Maximum
value:
65535
join-prune- Join/prune holdtime. integer Minimum 210

holdtime value: 1
Maximum
value:
65535
accept- Sources allowed to register packets with this string Not

register-list Rendezvous Point (RP). Specified
accept- Sources allowed to send multicast traffic. string Not

source-list Specified
bsr-candidate Enable/disable allowing this router to become a option - disable

bootstrap router (BSR).
Option Description
enable Allow this router to function as a BSR.
disable Do not allow this router to function as a BSR.
bsr-interface Interface to advertise as candidate BSR. string Not

Specified
bsr-priority BSR priority. integer Minimum 0

value: 0
Maximum
value: 255
bsr-hash BSR hash length. integer Minimum 10

value: 0
Maximum
value: 32
bsr-allow- Enable/disable accept BSR quick refresh packets from option - disable
quick-refresh neighbors.
Option Description
enable Allow quick refresh packets.
disable Do not allow quick refresh packets.
cisco-register- Checksum entire register packet(for old Cisco IOS option - disable
checksum compatibility).

Fortinet Inc.
Option Description
enable register checksum entire packet.
disable Do not register checksum entire packet.
cisco-register- Cisco register checksum only these groups. string Not

checksum- Specified
group
cisco-crp- Enable/disable making candidate RP compatible with option - disable

prefix old Cisco IOS.
Option Description
enable Do not allow sending group prefix of zero.
disable Allow sending group prefix of zero.
cisco-ignore- Use only hash for RP selection (compatibility with old option - disable
rp-set-priority Cisco IOS).
Option Description
enable Ignore RP-SET priority value.
disable Do not ignore RP-SET priority value.
register-rp- Enable/disable check RP is reachable before registering option - enable

reachability packets.
Option Description
enable Check target RP is unicast reachable before registering.
disable Do not check RP unicast reachability.
register- Override source address in register packets. option - disable

source
Option Description
disable Use source address of RPF interface.
interface Use primary IP of an interface.
ip-address Use a local IP address.
register- Override with primary interface address. string Not

source- Specified
interface

Fortinet Inc.
register- Override with local IP address. ipv4- Not 0.0.0.0

source-ip address Specified
register- Period of time to honor register-stop message. integer Minimum 60

supression value: 1
Maximum
value:
65535
null-register- Maximum retries of null register. integer Minimum 1

retries value: 1
Maximum
value: 20
rp-register- Timeout for RP receiving data on. integer Minimum 185

keepalive value: 1
Maximum
value:
65535
spt-threshold Enable/disable switching to source specific trees. option - enable
Option Description
enable Switch to Source tree when available.
disable Do not switch to Source tree when available.
spt-threshold- Groups allowed to switch to source tree. string Not

group Specified
ssm Enable/disable source specific multicast. option - disable
Option Description
enable Allow source specific multicast.
disable Do not allow source specific multicast.
ssm-range Groups allowed to source specific multicast. string Not

Specified
register-rate- Limit of packets/sec per source registered through this integer Minimum 0
limit RP. value: 0
Maximum
value:
65535

Fortinet Inc.
config rp-address

value: 0
Maximum
value:
4294967295
ip-address RP router address. ipv4- Not Specified 0.0.0.0

address
group Groups to use this RP. string Not Specified
config router multicast6
Configure IPv6 multicast.

Description: Configure IPv6 multicast.
config interface
Description: Protocol Independent Multicast (PIM) interfaces.
edit <name>
set name {string}
set hello-holdtime {integer}
next
end
set multicast-pmtu [enable|disable]
set multicast-routing [enable|disable]
Description: PIM sparse-mode global settings.
set register-rate-limit {integer}
config rp-address
Description: Statically configured RP addresses.
edit <id>
set id {integer}
next
end
end
end
multicast-pmtu Enable/disable PMTU for IPv6 multicast. option - disable

Fortinet Inc.
Option Description
enable Enable PMTU for IPv6 multicast.
disable Disable PMTU for IPv6 multicast.
multicast-routing Enable/disable IPv6 multicast routing. option - disable
Option Description
enable Enable IPv6 multicast routing.
disable Disable IPv6 multicast routing.
config interface
name Interface name. string Not

Specified
hello-interval Interval between sending PIM hello messages in integer Minimum 30

seconds. value: 1
Maximum
value:
65535
hello-holdtime Time before old neighbor information expires in integer Minimum

seconds. value: 1
Maximum
value:
65535
register-rate- Limit of packets/sec per source registered through this integer Minimum 0
limit RP (0 means unlimited). value: 0
Maximum
value:
65535

Fortinet Inc.
config rp-address
id ID of the entry. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip6-address RP router IPv6 address. ipv6- Not Specified ::

address
config router ospf
Configure OSPF.
config router ospf
Description: Configure OSPF.
set abr-type [cisco|ibm|...]
config area
Description: OSPF area configuration.
edit <id>
set id {ipv4-address-any}
set shortcut [disable|enable|...]
set authentication [none|text|...]
set default-cost {integer}
set nssa-translator-role [candidate|never|...]
set stub-type [no-summary|summary]
set type [regular|nssa|...]
set nssa-default-information-originate [enable|always|...]
set nssa-default-information-originate-metric {integer}
set nssa-default-information-originate-metric-type [1|2]
set nssa-redistribution [enable|disable]
config range
Description: OSPF area range configuration.
edit <id>
set id {integer}
set advertise [disable|enable]
set substitute {ipv4-classnet-any}
set substitute-status [enable|disable]
next
end
config virtual-link
Description: OSPF virtual link configuration.
edit <name>
set name {string}
set authentication-key {password}
set keychain {string}
set dead-interval {integer}

Fortinet Inc.
set retransmit-interval {integer}
set transmit-delay {integer}
set peer {ipv4-address-any}
config md5-keys
Description: MD5 key.
edit <id>
set id {integer}
next
end
next
end
config filter-list
Description: OSPF area filter-list configuration.
edit <id>
set id {integer}
set list {string}
set direction [in|out]
next
end
next
end
set auto-cost-ref-bandwidth {integer}
set database-overflow [enable|disable]
set database-overflow-max-lsas {integer}
set database-overflow-time-to-recover {integer}
set default-information-metric {integer}
set default-information-metric-type [1|2]
set default-information-originate [enable|always|...]
set default-information-route-map {string}
set default-metric {integer}
set distance-external {integer}
set distance-inter-area {integer}
set distance-intra-area {integer}
config distribute-list
Description: Distribute list configuration.
edit <id>
set id {integer}
set access-list {string}
set protocol [connected|static|...]
next
end
set distribute-route-map-in {string}
config neighbor
Description: OSPF neighbor configuration are used when OSPF runs on non-broadcast
media.
edit <id>
set id {integer}
set poll-interval {integer}
set cost {integer}

Fortinet Inc.
next
end
config network
Description: OSPF network configuration.
edit <id>
set id {integer}
set area {ipv4-address-any}
next
end
config ospf-interface
Description: OSPF interface configuration.
edit <name>
set name {string}
set authentication-key {password}
set keychain {string}
set prefix-length {integer}
set cost {integer}
set hello-multiplier {integer}
set database-filter-out [enable|disable]
set mtu {integer}
set mtu-ignore [enable|disable]
set network-type [broadcast|non-broadcast|...]
set bfd [global|enable|...]
set resync-timeout {integer}
config md5-keys
Description: MD5 key.
edit <id>
set id {integer}
next
end
next
end
set passive-interface <name1>, <name2>, ...
config redistribute
Description: Redistribute configuration.
edit <name>
set name {string}
set metric-type [1|2]
set tag {integer}
next

Fortinet Inc.
end
set restart-mode [none|lls|...]
set restart-period {integer}
set rfc1583-compatible [enable|disable]
set spf-timers {user}
Description: IP address summary configuration.
edit <id>
set id {integer}
set tag {integer}
next
end
end
config router ospf
abr-type Area border router type. option - standard
Option Description
cisco Cisco.
ibm IBM.
shortcut Shortcut.
standard Standard.
auto-cost-ref- Reference bandwidth in terms of megabits per integer Minimum 1000

bandwidth second. value: 1
Maximum
value:
1000000
bfd Bidirectional Forwarding Detection (BFD). option - disable
Option Description
database- Enable/disable database overflow. option - disable

overflow
Option Description

Fortinet Inc.
database- Database overflow maximum LSAs. integer Minimum 10000

overflow-max- value: 0
lsas Maximum
value:
4294967295
database- Database overflow time to recover (sec). integer Minimum 300

overflow-time- value: 0
to-recover Maximum
value: 65535
default- Default information metric. integer Minimum 10

information- value: 1
metric Maximum
value:
16777214
default- Default information metric type. option - 2

information-
metric-type
Option Description
1 Type 1.
2 Type 2.
default- Enable/disable generation of default route. option - disable

information-
originate
Option Description
always Always advertise the default router.
default- Default information route map. string Not Specified

information-
route-map
default-metric Default metric of redistribute routes. integer Minimum 10

value: 1
Maximum
value:
16777214

Fortinet Inc.
distance Distance of the route. integer Minimum 110

value: 1
Maximum
value: 255
distance- Administrative external distance. integer Minimum 110

external value: 1
Maximum
value: 255
distance-inter- Administrative inter-area distance. integer Minimum 110

area value: 1
Maximum
value: 255
distance-intra- Administrative intra-area distance. integer Minimum 110

area value: 1
Maximum
value: 255
distribute-list- Filter incoming routes. string Not Specified

in
distribute- Filter incoming external routes by route-map. string Not Specified

route-map-in
log- Log of OSPF neighbor changes. option - enable

neighbour-
changes
Option Description
passive- Passive interface configuration. string Maximum

interface Passive interface name. length: 79
<name>
restart-mode OSPF restart mode (graceful or LLS). option - none
Option Description
none Hitless restart disabled.
lls LLS mode.
graceful-restart Graceful Restart Mode.

Fortinet Inc.
restart-period Graceful restart period. integer Minimum 120

value: 1
Maximum
value: 3600
rfc1583- Enable/disable RFC1583 compatibility. option - disable

compatible
Option Description
router-id Router ID. ipv4- Not Specified 0.0.0.0

address-
any
spf-timers SPF calculation frequency. user Not Specified
config area
id Area entry IP address. ipv4- Not Specified 0.0.0.0

address-
any
shortcut Enable/disable shortcut option. option - disable
Option Description
disable Disable shortcut option.
enable Enable shortcut option.
default Default shortcut option.
authentication Authentication type. option - none
Option Description
none None.
text Text.
message-digest Message digest.
default-cost Summary default cost of stub or NSSA area. integer Minimum 10

value: 0
Maximum
value:
4294967295

Fortinet Inc.
nssa-translator- NSSA translator role type. option - candidate

role
Option Description
candidate Candidate.
never Never.
always Always.
stub-type Stub summary setting. option - summary
Option Description
no-summary No summary.
summary Summary.
type Area type setting. option - regular
Option Description
regular Regular.
nssa NSSA.
stub Stub.
nssa-default- Redistribute, advertise, or do not originate Type-7 option - disable

information- default route into NSSA area.
originate
Option Description
enable Redistribute Type-7 default route from routing table.
always Advertise a self-originated Type-7 default route.
disable Do not advertise Type-7 default route.
nssa-default- OSPF default metric. integer Minimum 10

originate-metric Maximum
value:
16777214
nssa-default- OSPF metric type for default routes. option - 2

information-
originate-metric-
type

Fortinet Inc.
Option Description
1 Type 1.
2 Type 2.
nssa- Enable/disable redistribute into NSSA area. option - enable

redistribution
Option Description
enable Enable redistribute into NSSA area.
disable Disable redistribute into NSSA area.
config range
id Range entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

classnet- 0.0.0.0
any
advertise Enable/disable advertise status. option - enable
Option Description
disable Disable advertise status.
enable Enable advertise status.
substitute Substitute prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any
substitute- Enable/disable substitute status. option - disable

status
Option Description
enable Enable substitute status.
disable Disable substitute status.

Fortinet Inc.
config virtual-link
name Virtual link entry name. string Not

Specified
Option Description
none None.
text Text.
authentication- Authentication key. password Not

key Specified
keychain Message-digest key-chain name. string Not

Specified
dead-interval Dead interval. integer Minimum 40

value: 1
Maximum
value:
65535
hello-interval Hello interval. integer Minimum 10

value: 1
Maximum
value:
65535
retransmit- Retransmit interval. integer Minimum 5

interval value: 1
Maximum
value:
65535
transmit-delay Transmit delay. integer Minimum 1

value: 1
Maximum
value:
65535
peer Peer IP. ipv4- Not 0.0.0.0

address- Specified
any

Fortinet Inc.
config md5-keys
id Key ID. integer Minimum 0

value: 1
Maximum
value: 255
key-string Password for the key. password Not

Specified
config md5-keys

value: 1
Maximum
value: 255

Specified
config filter-list
id Filter list entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
list Access-list or prefix-list name. string Not Specified
direction Direction. option - out
Option Description
in In.
out Out.

Fortinet Inc.
id Distribute list entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
access-list Access list name. string Not Specified
protocol Protocol type. option - connected
Option Description
connected Connected type.
static Static type.
rip RIP type.
config neighbor
id Neighbor entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip Interface IP address of the neighbor. ipv4- Not Specified 0.0.0.0

address
poll-interval Poll interval time in seconds. integer Minimum 10

value: 1
Maximum
value: 65535
cost Cost of the interface, value range from 0 to 65535, 0 integer Minimum 0
means auto-cost. value: 0
Maximum
value: 65535
priority Priority. integer Minimum 1

value: 0
Maximum
value: 255

Fortinet Inc.
config network
id Network entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

classnet 0.0.0.0
area Attach the network to area. ipv4- Not Specified 0.0.0.0

address-
any
config ospf-interface
name Interface entry name. string Not

Specified

Specified
interface Configuration interface name. string Not

Specified
ip IP address. ipv4- Not 0.0.0.0

address Specified
Option Description
none None.
text Text.
authentication- Authentication key. password Not

key Specified
keychain Message-digest key-chain name. string Not

Specified
prefix-length Prefix length. integer Minimum 0

value: 0
Maximum
value: 32

Fortinet Inc.

interval value: 1
Maximum
value:
65535

value: 1
Maximum
value:
65535
Maximum
value:
65535

value: 0
Maximum
value: 255

value: 0
Maximum
value:
65535

value: 0
Maximum
value:
65535
hello-multiplier Number of hello packets within dead interval. integer Minimum 0

value: 3
Maximum
value: 10
database-filter- Enable/disable control of flooding out LSAs. option - disable

out
Option Description

Fortinet Inc.
mtu MTU for database description packets. integer Minimum 0

value: 576
Maximum
value:
65535
mtu-ignore Enable/disable ignore MTU. option - disable
Option Description
network-type Network type. option - broadcast
Option Description
broadcast Broadcast.
non-broadcast Non-broadcast.
point-to-point Point-to-point.
point-to- Point-to-multipoint.
multipoint
point-to- Point-to-multipoint and non-broadcast.

multipoint-non-
broadcast
bfd Bidirectional Forwarding Detection (BFD). option - global
Option Description
global Follow global configuration.
enable Enable BFD on this interface.
disable Disable BFD on this interface.
Option Description
resync-timeout Graceful restart neighbor resynchronization timeout. integer Minimum 40

value: 1
Maximum
value: 3600

Fortinet Inc.
config md5-keys

value: 1
Maximum
value: 255

Specified
config md5-keys

value: 1
Maximum
value: 255

Specified
config redistribute
name Redistribute name. string Not Specified
Option Description
metric Redistribute metric setting. integer Minimum 0

value: 0
Maximum
value:
16777214
metric-type Metric type. option - 2
Option Description
1 Type 1.
2 Type 2.

Fortinet Inc.
tag Tag value. integer Minimum 0

value: 0
Maximum
value:
4294967295

value: 0
Maximum
value:
4294967295

classnet 0.0.0.0

value: 0
Maximum
value:
4294967295
Option Description
disable Disable advertise status.
enable Enable advertise status.
config router ospf6
Configure IPv6 OSPF.

config router ospf6
Description: Configure IPv6 OSPF.
set abr-type [cisco|ibm|...]
config area
Description: OSPF6 area configuration.
edit <id>
set id {ipv4-address-any}
set default-cost {integer}
set nssa-translator-role [candidate|never|...]
set stub-type [no-summary|summary]
set type [regular|nssa|...]
set nssa-default-information-originate [enable|disable]
set nssa-default-information-originate-metric {integer}
set nssa-default-information-originate-metric-type [1|2]

Fortinet Inc.
set nssa-redistribution [enable|disable]
set authentication [none|ah|...]
set key-rollover-interval {integer}
set ipsec-auth-alg [md5|sha1|...]
set ipsec-enc-alg [null|des|...]
config ipsec-keys
Description: IPsec authentication and encryption keys.
edit <spi>
set spi {integer}
set auth-key {password}
set enc-key {password}
next
end
config range
Description: OSPF6 area range configuration.
edit <id>
set id {integer}
next
end
config virtual-link
Description: OSPF6 virtual link configuration.
edit <name>
set name {string}
set peer {ipv4-address-any}
config ipsec-keys
edit <spi>
set spi {integer}
next
end
next
end
next
end
set auto-cost-ref-bandwidth {integer}
set default-information-metric {integer}
set default-information-metric-type [1|2]
set default-information-originate [enable|always|...]
set default-information-route-map {string}
config ospf6-interface
Description: OSPF6 interface configuration.

Fortinet Inc.
edit <name>
set name {string}
set area-id {ipv4-address-any}
set cost {integer}
set network-type [broadcast|point-to-point|...]
set mtu {integer}
set mtu-ignore [enable|disable]
config ipsec-keys
edit <spi>
set spi {integer}
next
end
config neighbor
Description: OSPFv3 neighbors are used when OSPFv3 runs on non-broadcast
media.
edit <ip6>
set ip6 {ipv6-address}
set cost {integer}
next
end
next
end
config redistribute
edit <name>
set name {string}
set metric-type [1|2]
next
end
set spf-timers {user}
Description: IPv6 address summary configuration.
edit <id>
set id {integer}

Fortinet Inc.
set tag {integer}
next
end
end
config router ospf6
abr-type Area border router type. option - standard
Option Description
cisco Cisco.
ibm IBM.
standard Standard.
auto-cost-ref- Reference bandwidth in terms of megabits per second. integer Minimum 1000
bandwidth value: 1
Maximum
value:
1000000
bfd Enable/disable Bidirectional Forwarding Detection option - disable

(BFD).
Option Description
enable Enable Bidirectional Forwarding Detection (BFD).
disable Disable Bidirectional Forwarding Detection (BFD).
default- Default information metric. integer Minimum 10

metric Maximum
value:
16777214
default- Default information metric type. option - 2

information-
metric-type
Option Description
1 Type 1.
2 Type 2.

Fortinet Inc.

information-
originate
Option Description
always Always advertise the default router.
default- Default information route map. string Not

information- Specified
route-map
default-metric Default metric of redistribute routes. integer Minimum 10

value: 1
Maximum
value:
16777214
log- Log OSPFv3 neighbor changes. option - enable

neighbour-
changes
Option Description

<name>
router-id A.B.C.D, in IPv4 address format. ipv4- Not 0.0.0.0

address- Specified
any
spf-timers SPF calculation frequency. user Not

Specified
config area
id Area entry IP address. ipv4- Not 0.0.0.0

address- Specified
any

Fortinet Inc.
default-cost Summary default cost of stub or NSSA area. integer Minimum 10

value: 0
Maximum
value:
16777215
nssa-translator- NSSA translator role type. option - candidate

role
Option Description
candidate Candidate.
never Never.
always Always.
stub-type Stub summary setting. option - summary
Option Description
no-summary No summary.
summary Summary.
type Area type setting. option - regular
Option Description
regular Regular.
nssa NSSA.
stub Stub.
nssa-default- Enable/disable originate type 7 default into NSSA option - disable

information- area.
originate
Option Description
enable Enable originate type 7 default into NSSA area.
disable Disable originate type 7 default into NSSA area.
nssa-default- OSPFv3 default metric. integer Minimum 10

originate-metric Maximum
value:
16777214

Fortinet Inc.
nssa-default- OSPFv3 metric type for default routes. option - 2

information-
originate-metric-
type
Option Description
1 Type 1.
2 Type 2.
nssa- Enable/disable redistribute into NSSA area. option - enable

redistribution
Option Description
enable Enable redistribute into NSSA area.
disable Disable redistribute into NSSA area.
authentication Authentication mode. option - none
Option Description
none Disable authentication.
ah Authentication Header.
esp Encapsulating Security Payload.
key-rollover- Key roll-over interval. integer Minimum 300

interval value: 300
Maximum
value:
216000
ipsec-auth-alg Authentication algorithm. option - md5
Option Description
md5 MD5.
sha1 SHA1.
sha256 SHA256.
sha384 SHA384.
sha512 SHA512.
ipsec-enc-alg Encryption algorithm. option - null

Fortinet Inc.
Option Description
null No encryption.
des DES.
3des 3DES.
aes128 AES128.
aes192 AES192.
aes256 AES256.
config ipsec-keys
spi Security Parameters Index. integer Minimum 0

value: 256
Maximum
value:
4294967295
auth-key Authentication key. password Not Specified
enc-key Encryption key. password Not Specified
config ipsec-keys

value: 256
Maximum
value:
4294967295

Fortinet Inc.
config range
id Range entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

network
Option Description
disable disable
enable enable
config virtual-link
name Virtual link entry name. string Not

Specified

value: 1
Maximum
value:
65535

value: 1
Maximum
value:
65535

interval value: 1
Maximum
value:
65535

value: 1
Maximum
value:
65535

Fortinet Inc.
peer A.B.C.D, peer router ID. ipv4- Not 0.0.0.0

address- Specified
any
authentication Authentication mode. option - area
Option Description
area Use the routing area's authentication configuration.

interval value: 300
Maximum
value:
216000
Option Description
md5 MD5.
sha1 SHA1.
sha256 SHA256.
sha384 SHA384.
sha512 SHA512.
Option Description
null No encryption.
des DES.
3des 3DES.
aes128 AES128.
aes192 AES192.
aes256 AES256.

Fortinet Inc.
config ipsec-keys

value: 256
Maximum
value:
4294967295
config ipsec-keys

value: 256
Maximum
value:
4294967295
config ospf6-interface
name Interface entry name. string Not

Specified
area-id A.B.C.D, in IPv4 address format. ipv4- Not 0.0.0.0

address- Specified
any
interface Configuration interface name. string Not

Specified

interval value: 1
Maximum
value:
65535

Fortinet Inc.

value: 1
Maximum
value:
65535
Maximum
value:
65535

value: 0
Maximum
value: 255

value: 1
Maximum
value:
65535

value: 1
Maximum
value:
65535
status Enable/disable OSPF6 routing on this interface. option - enable
Option Description
disable Disable OSPF6 routing.
enable Enable OSPF6 routing.
network-type Network type. option - broadcast
Option Description
broadcast broadcast
point-to-point point-to-point
non-broadcast non-broadcast
point-to- point-to-multipoint
multipoint

Fortinet Inc.
Option Description
point-to- point-to-multipoint and non-broadcast.

multipoint-non-
broadcast
bfd Enable/disable Bidirectional Forwarding Detection option - global

(BFD).
Option Description
global Use global configuration of Bidirectional Forwarding Detection (BFD).
enable Enable Bidirectional Forwarding Detection (BFD) on this interface.
disable Disable Bidirectional Forwarding Detection (BFD) on this interface.
mtu MTU for OSPFv3 packets. integer Minimum 0

value: 576
Maximum
value:
65535
mtu-ignore Enable/disable ignoring MTU field in DBD packets. option - disable
Option Description
enable Ignore MTU field in DBD packets.
disable Do not ignore MTU field in DBD packets.
authentication Authentication mode. option - area
Option Description
area Use the routing area's authentication configuration.

interval value: 300
Maximum
value:
216000

Fortinet Inc.
Option Description
md5 MD5.
sha1 SHA1.
sha256 SHA256.
sha384 SHA384.
sha512 SHA512.
Option Description
null No encryption.
des DES.
3des 3DES.
aes128 AES128.
aes192 AES192.
aes256 AES256.
config ipsec-keys

value: 256
Maximum
value:
4294967295
config ipsec-keys

value: 256
Maximum
value:
4294967295

Fortinet Inc.
config neighbor
ip6 IPv6 link local address of the neighbor. ipv6- Not ::

address Specified
poll-interval Poll interval time in seconds. integer Minimum 10

value: 1
Maximum
value:
65535
Maximum
value:
65535

value: 0
Maximum
value: 255
config redistribute
name Redistribute name. string Not

Specified
Option Description

value: 0
Maximum
value:
16777214
routemap Route map name. string Not

Specified

Fortinet Inc.
metric-type Metric type. option - 2
Option Description
1 Type 1.
2 Type 2.

value: 0
Maximum
value:
4294967295

network
Option Description
disable disable
enable enable

value: 0
Maximum
value:
4294967295
config router policy
Configure IPv4 routing policies.

Description: Configure IPv4 routing policies.
edit <seq-num>
set dst <subnet1>, <subnet2>, ...
set dst-negate [enable|disable]
set end-source-port {integer}
set input-device <name1>, <name2>, ...

Fortinet Inc.
set input-device-negate [enable|disable]
set internet-service-id <id1>, <id2>, ...
set output-device {string}
set src <subnet1>, <subnet2>, ...
set src-negate [enable|disable]
set start-source-port {integer}
set tos {user}
set tos-mask {user}
next
end
action Action of the policy route. option - permit
Option Description
deny Do not search policy route table.
permit Use this policy route for forwarding.
comments Optional comments. var-string Not Specified
dst Destination IP and mask (x.x.x.x/x). string Maximum

<subnet> IP and mask. length: 79
dst-negate Enable/disable negating destination address match. option - disable
Option Description
enable Enable destination address negation.
disable Disable destination address negation.

<name> Address/group name. length: 79
end-port End destination port number. integer Minimum 65535

value: 0
Maximum
value: 65535
end-source- End source port number. integer Minimum 65535

port value: 0
Maximum
value: 65535

Fortinet Inc.
gateway IP address of the gateway. ipv4- Not Specified 0.0.0.0

address
input-device Incoming interface name. string Maximum

input-device- Enable/disable negation of input device match. option - disable

negate
Option Description
enable Enable negation of input device match.
disable Disable negation of input device match.
internet- Custom Destination Internet Service name. string Maximum

service- Custom Destination Internet Service name. length: 79
custom
<name>
internet- Destination Internet Service ID. integer Minimum

service-id Destination Internet Service ID. value: 0
<id> Maximum
value:
4294967295
output-device Outgoing interface name. string Not Specified
protocol Protocol number. integer Minimum 0

value: 0
Maximum
value: 255
seq-num Sequence number. integer Minimum 0

value: 1
Maximum
value: 65535
src Source IP and mask (x.x.x.x/x). string Maximum

<subnet> IP and mask. length: 79
src-negate Enable/disable negating source address match. option - disable
Option Description
enable Enable source address negation.
disable Disable source address negation.

<name> Address/group name. length: 79

Fortinet Inc.
start-port Start destination port number. integer Minimum 0

value: 0
Maximum
value: 65535
start-source- Start source port number. integer Minimum 0

port value: 0
Maximum
value: 65535
status Enable/disable this policy route. option - enable
Option Description
enable Enable this policy route.
disable Disable this policy route.
tos Type of service bit pattern. user Not Specified
tos-mask Type of service evaluated bits. user Not Specified
config router policy6
Configure IPv6 routing policies.

Description: Configure IPv6 routing policies.
edit <seq-num>
set output-device {string}
set src {ipv6-network}
set tos {user}
set tos-mask {user}
next
end

Fortinet Inc.
comments Optional comments. var-string Not

Specified
dst Destination IPv6 prefix. ipv6- Not ::/0

network Specified

value: 1
Maximum
value:
65535
gateway IPv6 address of the gateway. ipv6- Not ::

address Specified
input-device Incoming interface name. string Maximum

output-device Outgoing interface name. string Not

Specified

value: 0
Maximum
value: 255

value: 1
Maximum
value:
65535
src Source IPv6 prefix. ipv6- Not ::/0

network Specified

value: 1
Maximum
value:
65535
status Enable/disable this policy route. option - enable
Option Description
enable Enable this policy route.
disable Disable this policy route.

Fortinet Inc.
tos Type of service bit pattern. user Not

Specified
tos-mask Type of service evaluated bits. user Not

Specified
config router prefix-list
Configure IPv4 prefix lists.

Description: Configure IPv4 prefix lists.
edit <name>
set name {string}
config rule
Description: IPv4 prefix list rule.
edit <id>
set id {integer}
set prefix {user}
set ge {integer}
set le {integer}
next
end
next
end

Specified

Specified
config rule

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
permit Allow or permit packets that match this rule.
deny Deny packets that match this rule.
prefix IPv4 prefix to define regular filter criteria, such as user Not Specified 0.0.0.0
"any" or subnets. 0.0.0.0
ge Minimum prefix length to be matched. integer Minimum

value: 0
Maximum
value: 32
le Maximum prefix length to be matched. integer Minimum

value: 0
Maximum
value: 32
config router prefix-list6
Configure IPv6 prefix lists.

Description: Configure IPv6 prefix lists.
edit <name>
set name {string}
config rule
Description: IPv6 prefix list rule.
edit <id>
set id {integer}
set prefix6 {user}
set ge {integer}
set le {integer}
set flags {integer}
next
end
next
end

Specified

Specified

Fortinet Inc.
config rule

value: 0
Maximum
value:
4294967295
action Permit or deny packets that match this rule. option - permit
Option Description
permit Allow or permit packets that match this rule.
deny Deny packets that match this rule.
prefix6 IPv6 prefix to define regular filter criteria, such as user Not Specified
"any" or subnets.
ge Minimum prefix length to be matched. integer Minimum

value: 0
Maximum
value: 128
le Maximum prefix length to be matched. integer Minimum

value: 0
Maximum
value: 128

value: 0
Maximum
value:
4294967295
config router rip
Configure RIP.
config router rip
Description: Configure RIP.
set default-information-originate [enable|disable]
config distance
Description: Distance.
edit <id>
set id {integer}
next
end

Fortinet Inc.
Description: Distribute list.
edit <id>
set id {integer}
set listname {string}
next
end
set garbage-timer {integer}
config interface
Description: RIP interface configuration.
edit <name>
set name {string}
set auth-keychain {string}
set auth-mode [none|text|...]
set auth-string {password}
set receive-version {option1}, {option2}, ...
set send-version {option1}, {option2}, ...
set send-version2-broadcast [disable|enable]
set split-horizon-status [enable|disable]
set split-horizon [poisoned|regular]
set flags {integer}
next
end
set max-out-metric {integer}
config neighbor
edit <id>
set id {integer}
next
end
config network
Description: Network.
edit <id>
set id {integer}
next
end
config offset-list
Description: Offset list.
edit <id>
set id {integer}
set offset {integer}
next
end
config redistribute
edit <name>

Fortinet Inc.
set name {string}
next
end
set timeout-timer {integer}
set update-timer {integer}
set version [1|2]
end
config router rip

information-
originate
Option Description
default-metric Default metric. integer Minimum 1

value: 1
Maximum
value: 16
garbage-timer Garbage timer in seconds. integer Minimum 120

value: 5
Maximum
value:
2147483647
max-out- Maximum metric allowed to output(0 means 'not set'). integer Minimum 0
metric value: 0
Maximum
value: 15

<name>
timeout-timer Timeout timer in seconds. integer Minimum 180

value: 5
Maximum
value:
2147483647

Fortinet Inc.
update-timer Update timer in seconds. integer Minimum 30

value: 1
Maximum
value:
2147483647
version RIP version. option - 2
Option Description
1 Version 1.
2 Version 2.
config distance
id Distance ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
prefix Distance prefix. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
any
distance Distance. integer Minimum 0

value: 1
Maximum
value: 255
access-list Access list for route destination. string Not Specified
id Distribute list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
direction Distribute list direction. option - out
Option Description
in Filter incoming packets.
out Filter outgoing packets.
listname Distribute access/prefix list name. string Not Specified
interface Distribute list interface name. string Not Specified
config interface

Specified
auth-keychain Authentication key-chain name. string Not

Specified
Option Description
none None.
text Text.
md5 MD5.
auth-string Authentication string/password. password Not

Specified
receive- Receive version. option -

version
Option Description
1 Version 1.
2 Version 2.
send-version Send version. option -

Fortinet Inc.
Option Description
1 Version 1.
2 Version 2.
send- Enable/disable broadcast version 1 compatible packets. option - disable

version2-
broadcast
Option Description
disable Disable broadcasting.
enable Enable broadcasting.
split-horizon- Enable/disable split horizon. option - enable

status
Option Description
split-horizon Enable/disable split horizon. option - poisoned
Option Description
poisoned Poisoned.
regular Regular.

value: 0
Maximum
value: 255
config neighbor

value: 0
Maximum
value:
4294967295
ip IP address. ipv4- Not Specified 0.0.0.0

address

Fortinet Inc.
config network

value: 0
Maximum
value:
4294967295
prefix Network prefix. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0
config offset-list
id Offset-list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
status Status. option - enable
Option Description
direction Offset list direction. option - out
Option Description
access-list Access list name. string Not Specified
offset Offset. integer Minimum 0

value: 1
Maximum
value: 16
interface Interface name. string Not Specified

Fortinet Inc.
config redistribute

Specified
Option Description

value: 1
Maximum
value: 16

Specified
config router ripng
Configure RIPng.
config router ripng
Description: Configure RIPng.
Description: Aggregate address.
edit <id>
set id {integer}
next
end
set default-information-originate [enable|disable]
config distance
Description: Distance.
edit <id>
set id {integer}
set access-list6 {string}
next
end
Description: Distribute list.
edit <id>
set id {integer}
set listname {string}

Fortinet Inc.
next
end
set garbage-timer {integer}
config interface
Description: RIPng interface configuration.
edit <name>
set name {string}
set split-horizon-status [enable|disable]
set split-horizon [poisoned|regular]
set flags {integer}
next
end
set max-out-metric {integer}
config neighbor
edit <id>
set id {integer}
next
end
config network
Description: Network.
edit <id>
set id {integer}
set prefix {ipv6-prefix}
next
end
config offset-list
Description: Offset list.
edit <id>
set id {integer}
set access-list6 {string}
set offset {integer}
next
end
config redistribute
edit <name>
set name {string}
next
end
set timeout-timer {integer}
set update-timer {integer}
end

Fortinet Inc.
config router ripng

information-
originate
Option Description
default-metric Default metric. integer Minimum 1

value: 1
Maximum
value: 16
garbage-timer Garbage timer. integer Minimum 120

value: 5
Maximum
value:
2147483647
max-out- Maximum metric allowed to output(0 means 'not set'). integer Minimum 0
metric value: 0
Maximum
value: 15

<name>
timeout-timer Timeout timer. integer Minimum 180

value: 5
Maximum
value:
2147483647
update-timer Update timer. integer Minimum 30

value: 5
Maximum
value:
2147483647

Fortinet Inc.
id Aggregate address entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
prefix6 Aggregate address prefix. ipv6-prefix Not Specified ::/0
config distance
id Distance ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
distance Distance. integer Minimum 0

value: 1
Maximum
value: 255
prefix6 Distance prefix6. ipv6-prefix Not Specified ::/0
access-list6 Access list for route destination. string Not Specified
id Distribute list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
Option Description
direction Distribute list direction. option - out

Fortinet Inc.
Option Description
listname Distribute access/prefix list name. string Not Specified
interface Distribute list interface name. string Not Specified
config interface

Specified
split-horizon- Enable/disable split horizon. option - enable

status
Option Description
split-horizon Enable/disable split horizon. option - poisoned
Option Description
poisoned Poisoned.
regular Regular.

value: 0
Maximum
value: 255
config neighbor

value: 0
Maximum
value:
4294967295
ip6 IPv6 link-local address. ipv6- Not Specified ::

address

Fortinet Inc.
config network

value: 0
Maximum
value:
4294967295
prefix Network IPv6 link-local prefix. ipv6-prefix Not Specified ::/0
config offset-list
id Offset-list ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
status Status. option - enable
Option Description
direction Offset list direction. option - out
Option Description
access-list6 IPv6 access list name. string Not Specified
offset Offset. integer Minimum 0

value: 1
Maximum
value: 16
config redistribute

Specified

Fortinet Inc.
Option Description

value: 1
Maximum
value: 16

Specified
config router route-map
Configure route maps.

Description: Configure route maps.
edit <name>
set name {string}
config rule
Description: Rule.
edit <id>
set id {integer}
set match-as-path {string}
set match-community {string}
set match-community-exact [enable|disable]
set match-origin [none|egp|...]
set match-interface {string}
set match-ip-address {string}
set match-ip6-address {string}
set match-ip-nexthop {string}
set match-ip6-nexthop {string}
set match-metric {integer}
set match-route-type [external-type1|external-type2|...]
set match-tag {integer}
set match-vrf {integer}
set set-aggregator-as {integer}
set set-aggregator-ip {ipv4-address-any}
set set-aspath-action [prepend|replace]
set set-aspath <as1>, <as2>, ...
set set-atomic-aggregate [enable|disable]
set set-community-delete {string}
set set-community <community1>, <community2>, ...
set set-community-additive [enable|disable]
set set-dampening-reachability-half-life {integer}
set set-dampening-reuse {integer}

Fortinet Inc.
set set-dampening-suppress {integer}
set set-dampening-max-suppress {integer}
set set-dampening-unreachability-half-life {integer}
set set-extcommunity-rt <community1>, <community2>, ...
set set-extcommunity-soo <community1>, <community2>, ...
set set-ip-nexthop {ipv4-address}
set set-ip6-nexthop {ipv6-address}
set set-ip6-nexthop-local {ipv6-address}
set set-local-preference {integer}
set set-metric {integer}
set set-metric-type [external-type1|external-type2|...]
set set-originator-id {ipv4-address-any}
set set-origin [none|egp|...]
set set-tag {integer}
set set-weight {integer}
set set-route-tag {integer}
next
end
next
end
comments Optional comments. string Not

Specified

Specified
config rule

value: 0
Maximum
value:
4294967295
action Action. option - permit
Option Description
permit Permit.
deny Deny.
match-as-path Match BGP AS path list. string Not Specified
match- Match BGP community list. string Not Specified

community

Fortinet Inc.
match- Enable/disable exact matching of communities. option - disable

community-exact
Option Description
enable Enable exact matching of communities.
disable Disable exact matching of communities.
match-origin Match BGP origin code. option - none
Option Description
none None.
egp Remote EGP.
igp Local IGP.
incomplete Unknown heritage.
match-interface Match interface configuration. string Not Specified
match-ip-address Match IP address permitted by access-list or string Not Specified

prefix-list.
match-ip6- Match IPv6 address permitted by access-list6 or string Not Specified

address prefix-list6.
match-ip-nexthop Match next hop IP address passed by access-list string Not Specified
or prefix-list.
match-ip6- Match next hop IPv6 address passed by access- string Not Specified
nexthop list6 or prefix-list6.
match-metric Match metric for redistribute routes. integer Minimum

value: 0
Maximum
value:
4294967295
match-route-type Match route type. option -
Option Description
external-type1 External type 1.
none No type specified.

Fortinet Inc.
match-tag Match tag. integer Minimum

value: 0
Maximum
value:
4294967295
match-vrf Match VRF ID. integer Minimum

value: 0
Maximum
value: 31
set-aggregator- BGP aggregator AS. integer Minimum 0

as value: 0
Maximum
value:
4294967295
set-aggregator-ip BGP aggregator IP. ipv4- Not Specified 0.0.0.0

address-
any
set-aspath-action Specify preferred action of set-aspath. option - prepend
Option Description
prepend Prepend.
replace Replace.
set-aspath <as> Prepend BGP AS path attribute. string Maximum

AS number (0 - 4294967295). Use quotes for length: 79
repeating numbers, For example, "1 1 2".
set-atomic- Enable/disable BGP atomic aggregate attribute. option - disable

aggregate
Option Description
enable Enable BGP atomic aggregate attribute.
disable Disable BGP atomic aggregate attribute.
set-community- Delete communities matching community list. string Not Specified

delete
set-community BGP community attribute. string Maximum

<community> Attribute: AA|AA:NN|internet|local-AS|no- length: 79
advertise|no-export.
set-community- Enable/disable adding set-community to existing option - disable

additive community.

Fortinet Inc.
Option Description
enable Enable adding set-community to existing community.
disable Disable adding set-community to existing community.
set-dampening- Reachability half-life time for the penalty. integer Minimum 0

reachability-half- value: 0
life Maximum
value: 45
set-dampening- Value to start reusing a route. integer Minimum 0

reuse value: 0
Maximum
value: 20000
set-dampening- Value to start suppressing a route. integer Minimum 0

suppress value: 0
Maximum
value: 20000
set-dampening- Maximum duration to suppress a route. integer Minimum 0

max-suppress value: 0
Maximum
value: 255
set-dampening- Unreachability Half-life time for the penalty. integer Minimum 0

unreachability- value: 0
half-life Maximum
value: 45
set- Route Target extended community. string Maximum

extcommunity-rt AA:NN. length: 79
<community>
set- Site-of-Origin extended community. string Maximum

extcommunity- Community (format = AA:NN). length: 79
soo
<community>
set-ip-nexthop IP address of next hop. ipv4- Not Specified

address
set-ip6-nexthop IPv6 global address of next hop. ipv6- Not Specified

address
set-ip6-nexthop- IPv6 local address of next hop. ipv6- Not Specified

local address

Fortinet Inc.
set-local- BGP local preference path attribute. integer Minimum

preference value: 0
Maximum
value:
4294967295
set-metric Metric value. integer Minimum

value: 0
Maximum
value:
4294967295
set-metric-type Metric type. option -
Option Description
none No type specified.
set-originator-id BGP originator ID attribute. ipv4- Not Specified

address-
any
set-origin BGP origin code. option - none
Option Description
none None.
egp Remote EGP.
igp Local IGP.
incomplete Unknown heritage.
set-tag Tag value. integer Minimum

value: 0
Maximum
value:
4294967295
set-weight BGP weight for routing table. integer Minimum

value: 0
Maximum
value:
4294967295

Fortinet Inc.
set-route-tag Route tag for routing table. integer Minimum

value: 0
Maximum
value:
4294967295
config router setting
Configure router settings.

Description: Configure router settings.
set show-filter {string}
end
hostname Hostname for this virtual domain router. string Not

Specified
show-filter Prefix-list as filter for showing routes. string Not

Specified
config router static
Configure IPv4 static routing tables.

Description: Configure IPv4 static routing tables.
edit <seq-num>
set blackhole [enable|disable]
set device {string}
set dstaddr {string}
set dynamic-gateway [enable|disable]
set internet-service {integer}
set internet-service-custom {string}
set link-monitor-exempt [enable|disable]
set sdwan-zone <name1>, <name2>, ...
set src {ipv4-classnet}

Fortinet Inc.
set vrf {integer}
next
end

(BFD).
Option Description
blackhole Enable/disable black hole. option - disable
Option Description
enable Enable black hole.
disable Disable black hole.
device Gateway out interface or tunnel. string Not Specified
distance Administrative distance. integer Minimum 10

value: 1
Maximum
value: 255
dst Destination IP and mask for this route. ipv4- Not Specified 0.0.0.0
classnet 0.0.0.0
dstaddr Name of firewall address or address group. string Not Specified
dynamic- Enable use of dynamic gateway retrieved from a option - disable

gateway DHCP or PPP server.
Option Description
enable Enable dynamic gateway.
disable Disable dynamic gateway.
gateway Gateway IP for this route. ipv4- Not Specified 0.0.0.0

address

Fortinet Inc.
internet- Application ID in the Internet service database. integer Minimum 0

service value: 0
Maximum
value:
4294967295
internet- Application name in the Internet service custom string Not Specified
service- database.
custom
link-monitor- Enable/disable withdrawal of this static route when option - disable

exempt link monitor or health check is down.
Option Description
enable Keep this static route when link monitor or health check is down.
disable Withdraw this static route when link monitor or health check is down. (default)
priority Administrative priority. integer Minimum 1

value: 1
Maximum
value: 65535
sdwan-zone Choose SD-WAN Zone. string Maximum

<name> SD-WAN zone name. length: 79

value: 0
Maximum
value:
4294967295
src Source prefix for this route. ipv4- Not Specified 0.0.0.0
classnet 0.0.0.0
status Enable/disable this static route. option - enable
Option Description
enable Enable static route.
disable Disable static route.
vrf Virtual Routing Forwarding ID. integer Minimum 0

value: 0
Maximum
value: 31
weight Administrative weight. integer Minimum 0

value: 0
Maximum
value: 255

Fortinet Inc.
config router static6
Configure IPv6 static routing tables.

Description: Configure IPv6 static routing tables.
edit <seq-num>
set blackhole [enable|disable]
set device {string}
set devindex {integer}
set dynamic-gateway [enable|disable]
set link-monitor-exempt [enable|disable]
set sdwan-zone <name1>, <name2>, ...
set vrf {integer}
next
end

(BFD).
Option Description
blackhole Enable/disable black hole. option - disable
Option Description
enable Enable black hole.
disable Disable black hole.
device Gateway out interface or tunnel. string Not Specified
devindex Device index. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
distance Administrative distance. integer Minimum 10

value: 1
Maximum
value: 255
dst Destination IPv6 prefix. ipv6- Not Specified ::/0

network
dynamic- Enable use of dynamic gateway retrieved from Router option - disable
gateway Advertisement (RA).
Option Description
enable Enable dynamic gateway.
disable Disable dynamic gateway.
gateway IPv6 address of the gateway. ipv6- Not Specified ::

address
link-monitor- Enable/disable withdrawal of this static route when option - disable

exempt link monitor or health check is down.
Option Description
enable Keep this static route when link monitor or health check is down.
disable Withdraw this static route when link monitor or health check is down. (default)
priority Administrative priority. integer Minimum 1024

value: 1
Maximum
value: 65535
sdwan-zone Choose SD-WAN Zone. string Maximum

<name> SD-WAN zone name. length: 79

value: 0
Maximum
value:
4294967295
status Enable/disable this static route. option - enable
Option Description
enable Enable static route.
disable Disable static route.

Fortinet Inc.

value: 0
Maximum
value: 31

Fortinet Inc.
sctp-filter

l config sctp-filter profile on page 839
config sctp-filter profile
Configure SCTP filter profiles.

Description: Configure SCTP filter profiles.
edit <name>
set name {string}
config ppid-filters
Description: PPID filters list.
edit <id>
set id {integer}
set ppid {integer}
set action [pass|reset|...]
next
end
next
end

Specified

Specified
config ppid-filters

value: 0
Maximum
value:
4294967295

Fortinet Inc.
ppid Payload protocol identifier. integer Minimum

value: 0
Maximum
value:
4294967295
action Action taken when PPID is matched. option - reset
Option Description
pass Pass data chunk.
reset Reset SCTP session.
replace Replace data chunk.

Fortinet Inc.
ssh-filter

l config ssh-filter profile on page 841
config ssh-filter profile
Configure SSH filter profile.

Description: Configure SSH filter profile.
edit <name>
set block {option1}, {option2}, ...
set default-command-log [enable|disable]
set log {option1}, {option2}, ...
set name {string}
config shell-commands
Description: SSH command filter.
edit <id>
set id {integer}
set type [simple|regex]
set action [block|allow]
set alert [enable|disable]
set severity [low|medium|...]
next
end
next
end
block SSH blocking options. option -
Option Description
x11 X server forwarding.
shell SSH shell.
exec SSH execution.
port-forward Port forwarding.
tun-forward Tunnel forwarding.

Fortinet Inc.
Option Description
sftp SFTP.
scp SCP.
unknown Unknown channel.
default- Enable/disable logging unmatched shell commands. option - disable

command-log
Option Description
enable Enable log unmatched shell commands.
disable Disable log unmatched shell commands.
log SSH logging options. option -
Option Description
x11 X server forwarding.
shell SSH shell.
exec SSH execution.
port-forward Port forwarding.
tun-forward Tunnel forwarding.
sftp SFTP.
scp SCP.
unknown Unknown channel.
name SSH filter profile name. string Not

Specified
config shell-commands

value: 0
Maximum
value:
4294967295
type Matching type. option - simple

Fortinet Inc.
Option Description
simple Match single command.
regex Match command line using regular expression.
pattern SSH shell command pattern. string Not Specified
action Action to take for SSH shell command matches. option - block
Option Description
block Block the SSH shell command.
allow Allow the SSH shell command.
log Enable/disable logging. option - disable
Option Description
alert Enable/disable alert. option - disable
Option Description
enable Enable alert.
disable Disable alert.
severity Log severity. option - medium
Option Description
low Severity low.
medium Severity medium.
high Severity high.
critical Severity critical.

Fortinet Inc.
switch-controller

l config switch-controller 802-1X-settings on page 845
l config switch-controller auto-config custom on page 847
l config switch-controller auto-config default on page 848
l config switch-controller auto-config policy on page 849
l config switch-controller custom-command on page 851
l config switch-controller dsl link-time on page 852
l config switch-controller dsl pkt-count on page 853
l config switch-controller dsl pm-line-curr on page 854
l config switch-controller dsl policy on page 855
l config switch-controller dsl rate on page 857
l config switch-controller dsl status on page 858
l config switch-controller dsl summary on page 859
l config switch-controller dsl version on page 860
l config switch-controller dynamic-port-policy on page 861
l config switch-controller flow-tracking on page 864
l config switch-controller fortilink-settings on page 867
l config switch-controller global on page 869
l config switch-controller igmp-snooping on page 873
l config switch-controller initial-config template on page 874
l config switch-controller initial-config vlans on page 876
l config switch-controller lldp-profile on page 877
l config switch-controller lldp-settings on page 882
l config switch-controller location on page 883
l config switch-controller mac-policy on page 888
l config switch-controller managed-switch on page 890
l config switch-controller network-monitor-settings on page 925
l config switch-controller ptp policy on page 926
l config switch-controller ptp settings on page 927
l config switch-controller qos dot1p-map on page 928
l config switch-controller qos ip-dscp-map on page 932
l config switch-controller qos qos-policy on page 934
l config switch-controller qos queue-policy on page 936
l config switch-controller quarantine on page 939
l config switch-controller remote-log on page 940
l config switch-controller security-policy 802-1X on page 943
l config switch-controller security-policy local-access on page 946
l config switch-controller sflow on page 948

Fortinet Inc.
l config switch-controller snmp-community on page 949
l config switch-controller snmp-sysinfo on page 952
l config switch-controller snmp-trap-threshold on page 953
l config switch-controller snmp-user on page 954
l config switch-controller storm-control-policy on page 956
l config switch-controller storm-control on page 958
l config switch-controller stp-instance on page 960
l config switch-controller stp-settings on page 961
l config switch-controller switch-group on page 962
l config switch-controller switch-interface-tag on page 963
l config switch-controller switch-log on page 964
l config switch-controller switch-profile on page 966
l config switch-controller system on page 967
l config switch-controller traffic-policy on page 969
l config switch-controller traffic-sniffer on page 971
l config switch-controller virtual-port-pool on page 973
l config switch-controller vlan-policy on page 974
config switch-controller 802-1X-settings
This command is available for model(s): FortiGate 1000D, FortiGate 100EF, FortiGate 100E,
FortiGate 100F, FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E,
FortiGate 1200D, FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D,
FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 300E, FortiGate 301E,
FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E,
FortiGate 3700D, FortiGate 3800D, FortiGate 3960E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 400E, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate
4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E,
POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate
80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F,
It is not available for: FortiGate 5001E1, FortiGate 5001E.
Configure global 802.1X settings.

Description: Configure global 802.1X settings.
set link-down-auth [set-unauth|no-action]

Fortinet Inc.
set max-reauth-attempt {integer}
set reauth-period {integer}
set tx-period {integer}
end
link-down- Interface-reauthentication state to set if a link is down. option - set-unauth

auth
Option Description
set-unauth Interface set to unauth when down. Reauthentication is needed.
no-action Interface reauthentication is not needed.
max-reauth- Maximum number of authentication attempts. integer Minimum 3

attempt value: 0
Maximum
value: 15
reauth-period Period of time to allow for reauthentication. integer Minimum 60

value: 0
Maximum
value: 1440
tx-period 802.1X Tx period. integer Minimum 30

value: 4
Maximum
value: 60

Fortinet Inc.
config switch-controller auto-config custom
Policies which can override the 'default' for specific ISL/ICL/FortiLink interface.
Description: Policies which can override the 'default' for specific ISL/ICL/FortiLink
interface.
edit <name>
set name {string}
config switch-binding
Description: Switch binding list.
edit <switch-id>
set switch-id {string}
set policy {string}
next
end
next
end
name Auto-Config FortiLink or ISL/ICL interface name. string Not

Specified

Fortinet Inc.
config switch-binding
switch-id Switch name. string Not

Specified
policy Custom auto-config policy. string Not default

Specified
config switch-controller auto-config default
Policies which are applied automatically to all ISL/ICL/FortiLink interfaces.

Description: Policies which are applied automatically to all ISL/ICL/FortiLink
interfaces.
set fgt-policy {string}
set icl-policy {string}
set isl-policy {string}
end

Fortinet Inc.
fgt-policy Default FortiLink auto-config policy. string Not default

Specified
icl-policy Default ICL auto-config policy. string Not default-icl

Specified
isl-policy Default ISL auto-config policy. string Not default

Specified
config switch-controller auto-config policy
Policy definitions which can define the behavior on auto configured interfaces.
Description: Policy definitions which can define the behavior on auto configured
interfaces.
edit <name>
set igmp-flood-report [enable|disable]
set igmp-flood-traffic [enable|disable]
set name {string}
set poe-status [enable|disable]
set qos-policy {string}
set storm-control-policy {string}
next
end

Fortinet Inc.
igmp-flood-report Enable/disable IGMP flood report. option - disable
Option Description
enable Enable IGMP flood report.
disable Disable IGMP flood report.
igmp-flood-traffic Enable/disable IGMP flood traffic. option - disable
Option Description
enable Enable IGMP flood traffic.
disable Disable IGMP flood traffic.
name Auto-config policy name. string Not

Specified
poe-status Enable/disable PoE status. option - enable
Option Description
enable Enable PoE status.
disable Disable PoE status.
qos-policy Auto-Config QoS policy. string Not default

Specified
storm-control- Auto-Config storm control policy. string Not auto-

policy Specified config

Fortinet Inc.
config switch-controller custom-command
Configure the FortiGate switch controller to send custom commands to managed FortiSwitch devices.
Description: Configure the FortiGate switch controller to send custom commands to
managed FortiSwitch devices.
edit <command-name>
set command {var-string}
set command-name {string}
next
end
command String of commands to send to FortiSwitch devices (For var-string Not

example (%0a = return key): config switch trunk %0a Specified
edit myTrunk %0a set members port1 port2 %0a end
%0a).
command- Command name called by the FortiGate switch string Not

name controller in the execute command. Specified

Specified

Fortinet Inc.
config switch-controller dsl link-time
This command is available for model(s): FortiGate 40F 3G4G, FortiGate 60F, FortiGate 80F
Bypass, FortiGate 80F, FortiGate 81F, FortiGateRugged 60F 3G4G, FortiGateRugged 60F.
FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E,
POE, FortiGate 60E, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 80E-POE,
FortiGate 80E, FortiGate 80F-POE, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE,
FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiWiFi 40F 3G4G,
FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F,
FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
DSL module link time.

Description: DSL module link time.
set <switch> {string}
end
<switch> SWITCH. string Not

Specified

Fortinet Inc.
config switch-controller dsl pkt-count
DSL module packet count.

Description: DSL module packet count.
end

Specified

Fortinet Inc.
config switch-controller dsl pm-line-curr
DSL module pm-line-curr.

Description: DSL module pm-line-curr.
end

Specified

Fortinet Inc.
config switch-controller dsl policy
DSL policy.
Description: DSL policy.
edit <name>
set append_padding [disable|enable]
set cpe-aele [disable|enable]
set cpe-aele-mode [ELE_M0|ELE_DS|...]
set cs {option1}, {option2}, ...
set ds-bitswap [disable|enable]
set name {string}
set pause-frame [disable|enable]
set profile [auto-30a|auto-17a|...]
set type {option}
set us-bitswap [disable|enable]
next
end
append_ device pause frame configuration. option - enable

padding

Fortinet Inc.
Option Description
disable Disable.
enable Enable.
cpe-aele cpe AELE. option - enable
Option Description
disable Disable.
enable Enable.
cpe-aele-mode cpe AELE-Mode with given string. option - ELE_MIN
Option Description
ELE_M0 cpe AELE-Mode with given string.
ELE_DS cpe AELE-Mode with given string.
ELE_PB cpe AELE-Mode with given string.
ELE_MIN cpe AELE-Mode with given string.
cs CPE carrier set. option - A43 B43

A43C
Option Description
A43 CPE carrier set.
B43 CPE carrier set.
A43C CPE carrier set.
V43 CPE carrier set.
ds-bitswap Enable/disable bitswap. option - enable
Option Description
disable Disable.
enable Enable.

Specified
pause-frame device pause frame configuration. option - enable

Fortinet Inc.
Option Description
disable Disable.
enable Enable.
profile vdsl CPE profile. option - auto-30a
Option Description
auto-30a vdsl CPE profile.
auto-17a vdsl CPE profile.
auto-12ab vdsl CPE profile.
type Type. option - Proscend
Option Description
Proscend Proscend.
us-bitswap Enable/disable bitswap. option - enable
Option Description
disable Disable.
enable Enable.
config switch-controller dsl rate

Fortinet Inc.
DSL module rate.
Description: DSL module rate.
end

Specified
config switch-controller dsl status
DSL module status.

Description: DSL module status.
end

Fortinet Inc.

Specified
config switch-controller dsl summary
DSL module summary.

Description: DSL module summary.
end

Specified

Fortinet Inc.
config switch-controller dsl version
DSL module version.

Description: DSL module version.
end

Specified

Fortinet Inc.
config switch-controller dynamic-port-policy
Configure Dynamic port policy to be applied on the managed FortiSwitch ports through DPP device.
Description: Configure Dynamic port policy to be applied on the managed FortiSwitch
ports through DPP device.
edit <name>
set fortilink {string}
set name {string}
config policy
Description: Port policies with matching criteria and actions.
edit <name>
set name {string}
set category [device|interface-tag]
set interface-tags <tag-name1>, <tag-name2>, ...
set mac {string}
set hw-vendor {string}
set type {string}
set family {string}
set host {string}
set lldp-profile {string}
set 802-1x {string}
set vlan-policy {string}
set bounce-port-link [disable|enable]
next
end

Fortinet Inc.
next
end
description Description for the Dynamic port policy. string Not

Specified
fortilink FortiLink interface for which this Dynamic port policy string Not
belongs to. Specified
name Dynamic port policy name. string Not

Specified
config policy

Specified
description Description for the policy. string Not

Specified
status Enable/disable policy. option - enable
Option Description
enable Enable policy.
disable Disable policy.
category Category of Dynamic port policy. option - device
Option Description
device Device category.
interface-tag Interface Tag category.
interface-tags Match policy based on the FortiSwitch interface object string Maximum
<tag-name> tags. length: 63
FortiSwitch port tag name.
mac Match policy based on MAC address. string Not

Specified
hw-vendor Match policy based on hardware vendor. string Not

Specified
type Match policy based on type. string Not

Specified

Fortinet Inc.
family Match policy based on family. string Not

Specified
host Match policy based on host. string Not

Specified
lldp-profile LLDP profile to be applied when using this policy. string Not
Specified
qos-policy QoS policy to be applied when using this policy. string Not
Specified
802-1x 802.1x security policy to be applied when using this string Not
policy. Specified
vlan-policy VLAN policy to be applied when using this policy. string Not
Specified
bounce-port- Enable/disable bouncing (administratively bring the link option - enable

link down, up) of a switch port where this policy is applied.
Helps to clear and reassign VLAN from lldp-profile.
Option Description
disable Disable bouncing (administratively bring the link down, up) of a switch port
where this policy is applied.
enable Enable bouncing (administratively bring the link down, up) of a switch port
where this policy is applied.

Fortinet Inc.
config switch-controller flow-tracking
Configure FortiSwitch flow tracking and export via ipfix/netflow.

Description: Configure FortiSwitch flow tracking and export via ipfix/netflow.
config aggregates
Description: Configure aggregates in which all traffic sessions matching the IP
Address will be grouped into the same flow.
edit <id>
set id {integer}
set ip {ipv4-classnet}
next
end
set collector-ip {ipv4-address}
set collector-port {integer}
set format [netflow1|netflow5|...]
set level [vlan|ip|...]
set max-export-pkt-size {integer}
set sample-mode [local|perimeter|...]
set sample-rate {integer}
set timeout-general {integer}
set timeout-icmp {integer}
set timeout-max {integer}
set timeout-tcp {integer}
set timeout-tcp-fin {integer}
set timeout-tcp-rst {integer}
set timeout-udp {integer}
set transport [udp|tcp|...]
end

Fortinet Inc.
collector-ip Configure collector ip address. ipv4-address Not Specified 0.0.0.0
collector-port Configure collector port number. integer Minimum value: 0

0 Maximum
value: 65535
format Configure flow tracking protocol. option - netflow9
Option Description
netflow1 Netflow version 1 sampling.
ipfix Ipfix sampling.
level Configure flow tracking level. option - ip
Option Description
vlan Collects srcip/dstip/srcport/dstport/protocol/tos/vlan from the sample packet.
ip Collects srcip/dstip from the sample packet.
port Collects srcip/dstip/srcport/dstport/protocol from the sample packet.
proto Collects srcip/dstip/protocol from the sample packet.
mac Collects smac/dmac from the sample packet.
max-export- Configure flow max export packet size. integer Minimum value: 512
pkt-size 512 Maximum
value: 9216
sample-mode Configure sample mode for the flow tracking. option - perimeter
Option Description
local Set local mode which samples on the specific switch port.
perimeter Set perimeter mode which samples on all switch fabric ports and fortilink port
at the ingress.
device-ingress Set device -ingress mode which samples across all switch ports at the ingress.
sample-rate Configure sample rate for the perimeter and integer Minimum value: 512
device-ingress sampling. 0 Maximum
value: 99999

Fortinet Inc.
timeout- Configure flow session general timeout. integer Minimum value: 3600
general 60 Maximum
value: 604800
timeout-icmp Configure flow session ICMP timeout. integer Minimum value: 300
60 Maximum
value: 604800
timeout-max Configure flow session max timeout. integer Minimum value: 604800
60 Maximum
value: 604800
timeout-tcp Configure flow session TCP timeout. integer Minimum value: 3600
60 Maximum
value: 604800
timeout-tcp- Configure flow session TCP FIN timeout. integer Minimum value: 300
fin 60 Maximum
value: 604800
timeout-tcp- Configure flow session TCP RST timeout. integer Minimum value: 120
rst 60 Maximum
value: 604800
timeout-udp Configure flow session UDP timeout. integer Minimum value: 300
60 Maximum
value: 604800
transport Configure L4 transport protocol for exporting option - udp

packets.
Option Description
udp UDP protocol.
tcp TCP protocol.
sctp SCTP protocol.
config aggregates
id Aggregate id. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip IP address to group all matching traffic sessions to a ipv4- Not Specified 0.0.0.0
flow. classnet 0.0.0.0

Fortinet Inc.
config switch-controller fortilink-settings
Configure integrated FortiLink settings for FortiSwitch.

Description: Configure integrated FortiLink settings for FortiSwitch.
edit <name>
set inactive-timer {integer}
set link-down-flush [disable|enable]
config nac-ports
Description: NAC specific configuration.
set onboarding-vlan {string}
set lan-segment [enabled|disabled]
set nac-lan-interface {string}
set nac-segment-vlans <vlan-name1>, <vlan-name2>, ...
set parent-key {string}
set member-change {integer}
end
set name {string}
next
end
fortilink FortiLink interface to which this fortilink-setting belongs. string Not

Specified

Fortinet Inc.
inactive-timer Time interval(minutes) to be included in the inactive integer Minimum 15

devices expiry calculation (mac age-out + inactive-time value: 1
+ periodic scan interval). Maximum
value: 1440
link-down- Clear NAC and dynamic devices on switch ports on link option - enable
flush down event.
Option Description
disable Disable clearing NAC and dynamic devices on a switch port when link down
event happens.
enable Enable clearing NAC and dynamic devices on a switch port when link down
event happens.
name FortiLink settings name. string Not

Specified
config nac-ports
onboarding- Default NAC Onboarding VLAN when NAC devices are string Not
vlan discovered. Specified
lan-segment Enable/disable LAN segment feature on the FortiLink option - disabled

interface.
Option Description
enabled Enable lan-segment on this interface.
disabled Disable lan-segment on this interface.
nac-lan- Configure NAC LAN interface. string Not

interface Specified
nac-segment- Configure NAC segment VLANs. string Maximum

vlans <vlan- VLAN interface name. length: 79
name>
parent-key Parent key name. string Not

Specified
member- Member change flag. integer Minimum 0

change value: 0
Maximum
value: 255

Fortinet Inc.
config switch-controller global
Configure FortiSwitch global settings.

Description: Configure FortiSwitch global settings.
set bounce-quarantined-link [disable|enable]
config custom-command
Description: List of custom commands to be pushed to all FortiSwitches in the VDOM.
edit <command-entry>
set command-entry {string}
next
end
set default-virtual-switch-vlan {string}
set dhcp-server-access-list [enable|disable]
set disable-discovery <name1>, <name2>, ...
set fips-enforce [disable|enable]
set firmware-provision-on-authorization [enable|disable]
set https-image-push [enable|disable]
set log-mac-limit-violations [enable|disable]
set mac-aging-interval {integer}
set mac-event-logging [enable|disable]
set mac-retention-period {integer}
set mac-violation-timer {integer}
set quarantine-mode [by-vlan|by-redirect]
set sn-dns-resolution [enable|disable]
set update-user-device {option1}, {option2}, ...
set vlan-all-mode [all|defined]
set vlan-optimization [enable|disable]
end

Fortinet Inc.
bounce- Enable/disable bouncing (administratively bring the option - disable

quarantined- link down, up) of a switch port where a quarantined
link device was seen last. Helps to re-initiate the DHCP
process for a device.
Option Description
where a quarantined device was seen last.
where a quarantined device was seen last.
default-virtual- Default VLAN for ports when added to the virtual- string Not Specified
switch-vlan switch.
dhcp-server- Enable/disable DHCP snooping server access list. option - disable

access-list
Option Description
enable Enable DHCP server access list.
disable Disable DHCP server access list.
disable- Prevent this FortiSwitch from discovering. string Maximum

discovery Managed device ID. length: 79
<name>
fips-enforce Enable/disable enforcement of FIPS on managed option - enable

FortiSwitch devices.
Option Description
disable Disable enforcement of FIPS on managed FortiSwitch devices.
enable Enable enforcement of FIPS on managed FortiSwitch devices.
firmware- Enable/disable automatic provisioning of latest option - disable

provision-on- firmware on authorization.
authorization
Option Description
enable Enable firmware provision on authorization.
disable Disable firmware provision on authorization.
https-image- Enable/disable image push to FortiSwitch using option - enable

push HTTPS.

Fortinet Inc.
Option Description
enable Enable image push to FortiSwitch using HTTPS.
disable Disable image push to FortiSwitch using HTTPS.
log-mac-limit- Enable/disable logs for Learning Limit Violations. option - disable

violations
Option Description
enable Enable Learn Limit Violation.
disable Disable Learn Limit Violation.
mac-aging- Time after which an inactive MAC is aged out. integer Minimum 300
interval value: 10
Maximum
value:
1000000
mac-event- Enable/disable MAC address event logging. option - disable

logging
Option Description
enable Enable MAC address event logging.
disable Disable MAC address event logging.
mac-retention- Time in hours after which an inactive MAC is integer Minimum 24

period removed from client DB (0 = aged out based on value: 0
mac-aging-interval). Maximum
value: 168
mac-violation- Set timeout for Learning Limit Violations (0 = integer Minimum 0

timer disabled). value: 0
Maximum
value:
4294967295
quarantine- Quarantine mode. option - by-vlan

mode
Option Description
by-vlan Quarantined device traffic is sent to FortiGate on a separate quarantine

VLAN.
by-redirect Quarantined device traffic is redirected only to the FortiGate on the received
VLAN.

Fortinet Inc.
sn-dns- Enable/disable DNS resolution of the FortiSwitch option - enable

resolution unit's IP address by use of its serial number.
Option Description
enable Enable DNS resolution of the FortiSwitch unit's IP address by use of its serial
number.
disable Disable DNS resolution of the FortiSwitch unit's IP address by use of its serial
number.
update-user- Control which sources update the device user list. option - mac-cache
device lldp dhcp-
snooping l2-
db l3-db
Option Description
mac-cache Update MAC address from switch-controller mac-cache.
lldp Update from FortiSwitch LLDP neighbor database.
dhcp-snooping Update from FortiSwitch DHCP snooping client and server databases.
l2-db Update from FortiSwitch Network-monitor Layer 2 tracking database.
l3-db Update from FortiSwitch Network-monitor Layer 3 tracking database.
vlan-all-mode VLAN configuration mode, user-defined-vlans or all- option - defined

possible-vlans.
Option Description
all Include all possible VLANs (1-4093).
defined Include user defined VLANs.
vlan- FortiLink VLAN optimization. option - enable

optimization
Option Description
enable Enable VLAN optimization on FortiSwitch units for auto-generated trunks.
disable Disable VLAN optimization on FortiSwitch units for auto-generated trunks.
command- List of FortiSwitch commands. string Not

entry Specified

Fortinet Inc.
command- Name of custom command to push to all FortiSwitches string Not

name in VDOM. Specified
config switch-controller igmp-snooping
Configure FortiSwitch IGMP snooping global settings.

Description: Configure FortiSwitch IGMP snooping global settings.
set aging-time {integer}
set flood-unknown-multicast [enable|disable]
set query-interval {integer}
end
aging-time Maximum number of seconds to retain a multicast integer Minimum 300

snooping entry for which no packets have been seen. value: 15
Maximum
value: 3600

Fortinet Inc.
flood- Enable/disable unknown multicast flooding. option - disable

unknown-
multicast
Option Description
enable Enable unknown multicast flooding.
disable Disable unknown multicast flooding.
query-interval Maximum time after which IGMP query will be sent. integer Minimum 125
value: 10
Maximum
value: 1200
config switch-controller initial-config template
Configure template for auto-generated VLANs.

Description: Configure template for auto-generated VLANs.
edit <name>
set auto-ip [enable|disable]
set dhcp-server [enable|disable]
set ip {ipv4-classnet-host}
set name {string}

Fortinet Inc.
set vlanid {integer}
next
end
allowaccess Permitted types of management access to this option -

interface.
Option Description
ping PING access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
http HTTP access.
fgfm FortiManager access.
radius-acct RADIUS accounting access.
probe-response Probe access.
fabric Security Fabric access.
ftm FTM access.
auto-ip Automatically allocate interface address and subnet option - enable

block.
Option Description
enable Enable auto-ip status.
disable Disable auto-ip status.
dhcp-server Enable/disable a DHCP server on this interface. option - disable
Option Description
enable Enable DHCP server.
disable Disable DHCP server.
ip Interface IPv4 address and subnet mask. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
host

Fortinet Inc.
name Initial config template name. string Not

Specified
vlanid Unique VLAN ID. integer Minimum 0

value: 1
Maximum
value: 4094
config switch-controller initial-config vlans
Configure initial template for auto-generated VLAN interfaces.

Description: Configure initial template for auto-generated VLAN interfaces.
set default-vlan {string}
set nac {string}
set nac-segment {string}
set quarantine {string}
set rspan {string}
set video {string}
set voice {string}
end

Fortinet Inc.
default-vlan Default VLAN (native) assigned to all switch ports string Not _default
upon discovery. Specified
nac VLAN for NAC onboarding devices. string Not onboarding

Specified
nac-segment VLAN for NAC segment primary interface. string Not nac_segment
Specified
quarantine VLAN for quarantined traffic. string Not quarantine

Specified
rspan VLAN for RSPAN/ERSPAN mirrored traffic. string Not rspan

Specified
video VLAN dedicated for video devices. string Not video

Specified
voice VLAN dedicated for voice devices. string Not voice

Specified
config switch-controller lldp-profile
Configure FortiSwitch LLDP profiles.

Fortinet Inc.
Description: Configure FortiSwitch LLDP profiles.
edit <name>
set 802 1-tlvs {option1}, {option2}, ...
set 802 3-tlvs {option1}, {option2}, ...
set auto-isl [disable|enable]
set auto-isl-hello-timer {integer}
set auto-isl-port-group {integer}
set auto-isl-receive-timeout {integer}
set auto-mclag-icl [disable|enable]
config custom-tlvs
Description: Configuration method to edit custom TLV entries.
edit <name>
set name {string}
set oui {user}
set subtype {integer}
set information-string {user}
next
end
config med-location-service
Description: Configuration method to edit Media Endpoint Discovery (MED)
location service type-length-value (TLV) categories.
edit <name>
set name {string}
set sys-location-id {string}
next
end
config med-network-policy
Description: Configuration method to edit Media Endpoint Discovery (MED) network
policy type-length-value (TLV) categories.
edit <name>
set name {string}
set vlan-intf {string}
set assign-vlan [disable|enable]
set dscp {integer}
next
end
set med-tlvs {option1}, {option2}, ...
set name {string}
next
end
802 1-tlvs Transmitted IEEE 802.1 TLVs. option -
Option Description
port-vlan-id Port native VLAN TLV.

Fortinet Inc.
802 3-tlvs Transmitted IEEE 802.3 TLVs. option -
Option Description
max-frame-size Maximum frame size TLV.
power- PoE+ classification TLV.

negotiation
auto-isl Enable/disable auto inter-switch LAG. option - enable
Option Description
disable Disable automatic MCLAG inter chassis link.
enable Enable automatic MCLAG inter chassis link.
auto-isl-hello- Auto inter-switch LAG hello timer duration. integer Minimum 3

timer value: 1
Maximum
value: 30
auto-isl-port- Auto inter-switch LAG port group ID. integer Minimum 0

group value: 0
Maximum
value: 9
auto-isl- Auto inter-switch LAG timeout if no response is integer Minimum 60

receive- received. value: 0
timeout Maximum
value: 90
auto-mclag-icl Enable/disable MCLAG inter chassis link. option - disable
Option Description
disable Disable auto inter-switch-LAG.
enable Enable auto inter-switch-LAG.
med-tlvs Transmitted LLDP-MED TLVs (type-length-value option -

descriptions).
Option Description
inventory- Inventory management TLVs.

management
network-policy Network policy TLVs.
power- Power manangement TLVs.

management

Fortinet Inc.
Option Description
location- Location identificaion TLVs.

identification

Specified
config custom-tlvs
name TLV name (not sent). string Not

Specified
oui Organizationally unique identifier (OUI), a 3-byte user Not 000000

hexadecimal number, for this TLV. Specified
subtype Organizationally defined subtype. integer Minimum 0

value: 0
Maximum
value: 255
information- Organizationally defined information string. user Not

string Specified
config med-location-service
name Location service type name. string Not

Specified
status Enable or disable this TLV. option - disable
Option Description
disable Do not transmit this location service TLV.
enable Transmit this location service TLV.
sys-location-id Location service ID. string Not

Specified

Fortinet Inc.
config med-network-policy
name Policy type name. string Not

Specified
status Enable or disable this TLV. option - disable
Option Description
disable Do not transmit this network policy TLV.
enable Transmit this TLV if a VLAN has been addded to the port.
vlan-intf VLAN interface to advertise; if configured on port. string Not

Specified
assign-vlan Enable/disable VLAN assignment when this profile is option - disable

applied on managed FortiSwitch port.
Option Description
disable Disable VLAN assignment when this profile is applied on port.
enable Enable VLAN assignment when this profile is applied on port.
priority Advertised Layer 2 priority. integer Minimum 0

value: 0
Maximum
value: 7
dscp Advertised Differentiated Services Code Point (DSCP) integer Minimum 0

value, a packet header value indicating the level of value: 0
service requested for traffic, such as high priority or best Maximum
effort delivery. value: 63

Fortinet Inc.
config switch-controller lldp-settings
Configure FortiSwitch LLDP settings.

Description: Configure FortiSwitch LLDP settings.
set device-detection [disable|enable]
set fast-start-interval {integer}
set management-interface [internal|mgmt]
set tx-hold {integer}
set tx-interval {integer}
end
device-detection Enable/disable dynamic detection of LLDP neighbor option - enable

devices for VLAN assignment.
Option Description
disable Disable dynamic detection of LLDP neighbor devices.
enable Enable dynamic detection of LLDP neighbor devices.

Fortinet Inc.
fast-start- Frequency of LLDP PDU transmission from integer Minimum 2

interval FortiSwitch for the first 4 packets when the link is up. value: 0
Maximum
value: 255
management- Primary management interface to be advertised in option - internal

interface LLDP and CDP PDUs.
Option Description
internal Use internal interface.
mgmt Use management interface.
tx-hold Number of tx-intervals before local LLDP data expires. integer Minimum 4
Packet TTL is tx-hold * tx-interval. value: 1
Maximum
value: 16
tx-interval Frequency of LLDP PDU transmission from integer Minimum 30

FortiSwitch. Packet TTL is tx-hold * tx-interval. value: 5
Maximum
value: 4095
config switch-controller location
Configure FortiSwitch location services.

Fortinet Inc.
Description: Configure FortiSwitch location services.
edit <name>
config address-civic
Description: Configure location civic address.
set additional {string}
set additional-code {string}
set block {string}
set branch-road {string}
set building {string}
set city {string}
set city-division {string}
set country-subdivision {string}
set county {string}
set direction {string}
set floor {string}
set landmark {string}
set language {string}
set name {string}
set number {string}
set number-suffix {string}
set place-type {string}
set post-office-box {string}
set postal-community {string}
set primary-road {string}
set road-section {string}
set room {string}
set script {string}
set seat {string}
set street {string}
set street-name-post-mod {string}
set street-name-pre-mod {string}
set street-suffix {string}
set sub-branch-road {string}
set trailing-str-suffix {string}
set unit {string}
set zip {string}
end
config coordinates
Description: Configure location GPS coordinates.
set altitude {string}
set altitude-unit [m|f]
set datum [WGS84|NAD83|...]
set latitude {string}
set longitude {string}
end
config elin-number
Description: Configure location ELIN number.
set elin-num {string}
end
set name {string}
next

Fortinet Inc.
end
name Unique location item name. string Not

Specified
config address-civic
additional Location additional details. string Not

Specified
additional- Location additional code details. string Not

code Specified
block Location block details. string Not

Specified
branch-road Location branch road details. string Not

Specified
building Location building details. string Not

Specified
city Location city details. string Not

Specified
city-division Location city division details. string Not

Specified
country The two-letter ISO 3166 country code in capital ASCII string Not
letters eg. US, CA, DK, DE. Specified
country- National subdivisions (state, canton, region, province, or string Not

subdivision prefecture). Specified
county County, parish, gun (JP), or district (IN). string Not

Specified
direction Leading street direction. string Not

Specified
floor Floor. string Not

Specified
landmark Landmark or vanity address. string Not

Specified
language Language. string Not

Specified

Fortinet Inc.
name Name (residence and office occupant). string Not

Specified
number House number. string Not

Specified
number-suffix House number suffix. string Not

Specified
place-type Place type. string Not

Specified
post-office- Post office box. string Not

box Specified
postal- Postal community name. string Not

community Specified
primary-road Primary road name. string Not

Specified
road-section Road section. string Not

Specified
room Room number. string Not

Specified
script Script used to present the address information. string Not

Specified
seat Seat number. string Not

Specified
street Street. string Not

Specified
street-name- Street name post modifier. string Not

post-mod Specified
street-name- Street name pre modifier. string Not

pre-mod Specified
street-suffix Street suffix. string Not

Specified
sub-branch- Sub branch road name. string Not

road Specified
trailing-str- Trailing street suffix. string Not

suffix Specified
unit Unit (apartment, suite). string Not

Specified

Fortinet Inc.
zip Postal/zip code. string Not

Specified

Specified
config coordinates
altitude Plus or minus floating point number. For example, string Not
117.47. Specified
altitude-unit Configure the unit for which the altitude is to (m = option - m

meters, f = floors of a building).
Option Description
m set altitude unit meters
f set altitude unit floors
datum WGS84, NAD83, NAD83/MLLW. option - WGS84
Option Description
WGS84 set coordinates datum WGS84
NAD83 set coordinates datum NAD83
NAD83/MLLW set coordinates datum NAD83/MLLW
latitude Floating point starting with +/- or ending with (N or S). string Not
For example, +/-16.67 or 16.67N. Specified
longitude Floating point starting with +/- or ending with (N or S). string Not
For example, +/-26.789 or 26.789E. Specified

Specified
config elin-number
elin-num Configure ELIN callback number. string Not

Specified

Specified

Fortinet Inc.
config switch-controller mac-policy
Configure MAC policy to be applied on the managed FortiSwitch devices through NAC device.
Description: Configure MAC policy to be applied on the managed FortiSwitch devices
through NAC device.
edit <name>
set bounce-port-link [disable|enable]
set count [disable|enable]
set name {string}
set traffic-policy {string}
set vlan {string}
next
end
bounce-port- Enable/disable bouncing (administratively bring the link option - enable

link down, up) of a switch port where this mac-policy is
applied.

Fortinet Inc.
Option Description
where this mac-policy is applied.
where this mac-policy is applied.
count Enable/disable packet count on the NAC device. option - disable
Option Description
disable Enable packet count on the NAC device.
enable Disable packet count on the NAC device.
description Description for the MAC policy. string Not

Specified
fortilink FortiLink interface for which this MAC policy belongs to. string Not
Specified
name MAC policy name. string Not

Specified
traffic-policy Traffic policy to be applied when using this MAC policy. string Not
Specified
vlan Ingress traffic VLAN assignment for the MAC address string Not
matching this MAC policy. Specified

Fortinet Inc.
config switch-controller managed-switch
Configure FortiSwitch devices that are managed by this FortiGate.

Description: Configure FortiSwitch devices that are managed by this FortiGate.
edit <switch-id>
config 802-1X-settings
Description: Configuration method to edit FortiSwitch 802.1X global settings.
set local-override [enable|disable]
set link-down-auth [set-unauth|no-action]
set reauth-period {integer}
set max-reauth-attempt {integer}
set tx-period {integer}
end
set access-profile {string}
Description: Configuration method to edit FortiSwitch commands to be pushed to
this FortiSwitch device upon rebooting the FortiGate switch controller or the FortiSwitch.
edit <command-entry>
set command-entry {string}
next
end
set delayed-restart-trigger {integer}
set dhcp-server-access-list [global|enable|...]
set directly-connected {integer}
set dynamic-capability {user}
set dynamically-discovered {integer}
set firmware-provision [enable|disable]

Fortinet Inc.
set firmware-provision-latest [disable|once]
set firmware-provision-version {string}
set flow-identity {user}
set fsw-wan1-admin [discovered|disable|...]
set fsw-wan1-peer {string}
config igmp-snooping
Description: Configure FortiSwitch IGMP snooping global settings.
set aging-time {integer}
set flood-unknown-multicast [enable|disable]
config vlans
Description: Configure IGMP snooping VLAN.
edit <vlan-name>
set vlan-name {string}
set proxy [disable|enable|...]
set querier [disable|enable]
set querier-addr {ipv4-address}
set version {integer}
next
end
end
config ip-source-guard
Description: IP source guard.
edit <port>
set port {string}
config binding-entry
Description: IP and MAC address configuration.
edit <entry-name>
set entry-name {string}
next
end
next
end
set l3-discovered {integer}
set max-allowed-trunk-members {integer}
set mclag-igmp-snooping-aware [enable|disable]
config mirror
Description: Configuration method to edit FortiSwitch packet mirror.
edit <name>
set name {string}
set status [active|inactive]
set switching-packet [enable|disable]
set dst {string}
set src-ingress <name1>, <name2>, ...
set src-egress <name1>, <name2>, ...
next
end
set name {string}
set override-snmp-community [enable|disable]
set override-snmp-sysinfo [disable|enable]
set override-snmp-trap-threshold [enable|disable]
set override-snmp-user [enable|disable]
set owner-vdom {string}

Fortinet Inc.
set poe-detection-type {integer}
set poe-pre-standard-detection [enable|disable]
config ports
Description: Managed-switch port list.
edit <port-name>
set port-name {string}
set port-owner {string}
set speed [10half|10full|...]
set status [up|down]
set poe-status [enable|disable]
set ip-source-guard [disable|enable]
set ptp-policy {string}
set aggregator-mode [bandwidth|count]
set rpvst-port [disabled|enabled]
set poe-pre-standard-detection [enable|disable]
set port-number {integer}
set port-prefix-type {integer}
set fortilink-port {integer}
set poe-capable {integer}
set stacking-port {integer}
set p2p-port {integer}
set mclag-icl-port {integer}
set fiber-port {integer}
set media-type {string}
set poe-standard {string}
set poe-max-power {string}
set flags {integer}
set isl-local-trunk-name {string}
set isl-peer-port-name {string}
set isl-peer-device-name {string}
set fgt-peer-port-name {string}
set fgt-peer-device-name {string}
set vlan {string}
set allowed-vlans-all [enable|disable]
set allowed-vlans <vlan-name1>, <vlan-name2>, ...
set untagged-vlans <vlan-name1>, <vlan-name2>, ...
set type [physical|trunk]
set access-mode [dynamic|nac|...]
set matched-dpp-policy {string}
set matched-dpp-intf-tags {string}
set dhcp-snooping [untrusted|trusted]
set dhcp-snoop-option82-trust [enable|disable]
set arp-inspection-trust [untrusted|trusted]
set igmps-flood-reports [enable|disable]
set igmps-flood-traffic [enable|disable]
set stp-state [enabled|disabled]
set stp-root-guard [enabled|disabled]
set stp-bpdu-guard [enabled|disabled]
set stp-bpdu-guard-timeout {integer}
set edge-port [enable|disable]
set discard-mode [none|all-untagged|...]
set packet-sampler [enabled|disabled]
set packet-sample-rate {integer}
set sflow-counter-interval {integer}
set sample-direction [tx|rx|...]

Fortinet Inc.
set fec-capable {integer}
set fec-state [disabled|cl74|...]
set flow-control [disable|tx|...]
set pause-meter {integer}
set pause-meter-resume [75%|50%|...]
set loop-guard [enabled|disabled]
set loop-guard-timeout {integer}
set port-policy {string}
set storm-control-policy {string}
set port-security-policy {string}
set export-to-pool {string}
set interface-tags <tag-name1>, <tag-name2>, ...
set learning-limit {integer}
set sticky-mac [enable|disable]
set lldp-status [disable|rx-only|...]
set lldp-profile {string}
set export-to {string}
set mac-addr {mac-address}
set port-selection-criteria [src-mac|dst-mac|...]
set lacp-speed [slow|fast]
set mode [static|lacp-passive|...]
set bundle [enable|disable]
set member-withdrawal-behavior [forward|block]
set mclag [enable|disable]
set min-bundle {integer}
set max-bundle {integer}
set members <member-name1>, <member-name2>, ...
next
end
set pre-provisioned {integer}
set qos-drop-policy [taildrop|random-early-detection]
set qos-red-probability {integer}
config remote-log
Description: Configure logging by FortiSwitch device to a remote syslog server.
edit <name>
set name {string}
set server {string}
set port {integer}
set csv [enable|disable]
next
end
config snmp-community
Description: Configuration method to edit Simple Network Management Protocol
(SNMP) communities.
edit <id>
set id {integer}
set name {string}
config hosts
Description: Configure IPv4 SNMP managers (hosts).
edit <id>

Fortinet Inc.
set id {integer}
set ip {user}
next
end
set query-v1-status [disable|enable]
set query-v1-port {integer}
set query-v2c-status [disable|enable]
set query-v2c-port {integer}
set trap-v1-status [disable|enable]
set trap-v1-lport {integer}
set trap-v1-rport {integer}
set trap-v2c-status [disable|enable]
set trap-v2c-lport {integer}
set trap-v2c-rport {integer}
set events {option1}, {option2}, ...
next
end
config snmp-sysinfo
(SNMP) system info.
set engine-id {string}
set contact-info {string}
set location {string}
end
config snmp-trap-threshold
(SNMP) trap threshold values.
set trap-high-cpu-threshold {integer}
set trap-low-memory-threshold {integer}
set trap-log-full-threshold {integer}
end
config snmp-user
(SNMP) users.
edit <name>
set name {string}
set queries [disable|enable]
set query-port {integer}
set security-level [no-auth-no-priv|auth-no-priv|...]
set auth-proto [md5|sha1|...]
set auth-pwd {password}
set priv-proto [aes128|aes192|...]
set priv-pwd {password}
next
end
set staged-image-version {string}
config static-mac
Description: Configuration method to edit FortiSwitch Static and Sticky MAC.
edit <id>
set id {integer}
set type [static|sticky]
set vlan {string}

Fortinet Inc.
next
end
config storm-control
Description: Configuration method to edit FortiSwitch storm control for
measuring traffic activity using data rates to prevent traffic disruption.
set rate {integer}
set unknown-unicast [enable|disable]
set unknown-multicast [enable|disable]
set broadcast [enable|disable]
end
config stp-instance
Description: Configuration method to edit Spanning Tree Protocol (STP)
instances.
edit <id>
set id {string}
set priority [0|4096|...]
next
end
config stp-settings
Description: Configuration method to edit Spanning Tree Protocol (STP) settings
used to prevent bridge loops.
set name {string}
set revision {integer}
set hello-time {integer}
set forward-time {integer}
set max-age {integer}
set max-hops {integer}
set pending-timer {integer}
end
set switch-device-tag {string}
set switch-dhcp_opt43_key {string}
config switch-log
Description: Configuration method to edit FortiSwitch logging settings (logs are
transferred to and inserted into the FortiGate event log).
end
set switch-profile {string}
set tdr-supported {string}
set type [virtual|physical]
set version {integer}
next
end

Fortinet Inc.
access-profile FortiSwitch access string Not default

profile. Specified
delayed- Delayed restart integer Minimum 0

restart-trigger triggered for this value: 0
FortiSwitch. Maximum
value: 255

Specified
dhcp-server- DHCP snooping server option - global

access-list access list.
Option Description
global Use global setting for DHCP snooping server access list.
enable Override global setting and enable DHCP server access list.
disable Override global setting and disable DHCP server access list.
directly- Directly connected integer Minimum 0

connected FortiSwitch. value: 0
Maximum
value: 1
dynamic- List of features this user Not 0x00000000000000000000000000000000

capability FortiSwitch supports Specified
(not configurable) that is
sent to the FortiGate
device for subsequent
configuration initiated
by the FortiGate device.
dynamically- Dynamically discovered integer Minimum 0

discovered FortiSwitch. value: 0
Maximum
value: 1
firmware- Enable/disable option - disable

provision provisioning of firmware
to FortiSwitches on join
connection.
Option Description
enable Enable firmware-provision.
disable Disable firmware-provision.

Fortinet Inc.
firmware- Enable/disable one- option - disable

provision- time automatic
latest provisioning of the
latest firmware version.
Option Description
disable Do not automatically provision the latest available firmware.
once Automatically attempt a one-time upgrade to the latest available firmware

version.
firmware- Firmware version to string Not

provision- provision to this Specified
version FortiSwitch on bootup
(major.minor.build, i.e.
6.2.1234).
flow-identity Flow-tracking netflow user Not 00000000

ipfix switch identity in Specified
hex format.
fsw-wan1- FortiSwitch WAN1 option - discovered

admin admin status; enable to
authorize the
FortiSwitch as a
managed switch.
Option Description
discovered Link waiting to be authorized.
disable Link unauthorized.
enable Link authorized.
fsw-wan1-peer FortiSwitch WAN1 peer string Not

port. Specified
l3-discovered Layer 3 management integer Minimum 0

discovered. value: 0
Maximum
value: 1
max-allowed- FortiSwitch maximum integer Minimum 0

trunk- allowed trunk members. value: 0
members Maximum
value: 255

Fortinet Inc.
mclag-igmp- Enable/disable MCLAG option - enable

snooping- IGMP-snooping
aware awareness.
Option Description
enable Enable MCLAG IGMP-snooping awareness.
disable Disable MCLAG IGMP-snooping awareness.
name Managed-switch name. string Not

Specified
override- Enable/disable option - disable

snmp- overriding the global
community SNMP communities.
Option Description
enable Override the global SNMP communities.
disable Use the global SNMP communities.

snmp-sysinfo overriding the global
SNMP system
information.
Option Description
disable Use the global SNMP system information.
enable Override the global SNMP system information.

snmp-trap- overriding the global
threshold SNMP trap threshold
values.
Option Description
enable Override the global SNMP trap threshold values.
disable Use the global SNMP trap threshold values.

snmp-user overriding the global
SNMP users.

Fortinet Inc.
Option Description
enable Override the global SNMPv3 users.
disable Use the global SNMPv3 users.
owner-vdom VDOM which owner of string Not

port belongs to. Specified
poe-detection- PoE detection type for integer Minimum 0

type FortiSwitch. value: 0
Maximum
value: 255
poe-pre- Enable/disable PoE option - disable

standard- pre-standard detection.
detection
Option Description
enable Enable PoE pre-standard detection.
disable Disable PoE pre-standard detection.
pre- Pre-provisioned integer Minimum 0

provisioned managed switch. value: 0
Maximum
value: 255
qos-drop- Set QoS drop-policy. option - taildrop

policy
Option Description
taildrop Taildrop policy.
random-early- Random early detection drop policy.

detection
qos-red- Set QoS RED/WRED integer Minimum 12

probability drop probability. value: 0
Maximum
value: 100
staged-image- Staged image version string Not

version for FortiSwitch. Specified
switch-device- User definable string Not

tag label/tag. Specified
switch-dhcp_ DHCP option43 key. string Not

opt43_key Specified

Fortinet Inc.
switch-id Managed-switch id. string Not

Specified
switch-profile FortiSwitch profile. string Not default

Specified
tdr-supported TDR supported. string Not

Specified
type Indication of switch option - physical

type, physical or virtual.
Option Description
virtual Switch is of type virtual.
physical Switch is of type physical.
version FortiSwitch version. integer Minimum 0

value: 0
Maximum
value: 255
config 802-1X-settings
local-override Enable to override global 802.1X settings on individual option - disable

FortiSwitches.
Option Description
enable Override global 802.1X settings.
disable Use global 802.1X settings.
link-down- Authentication state to set if a link is down. option - set-unauth

auth
Option Description
set-unauth Interface set to unauth when down. Reauthentication is needed.
no-action Interface reauthentication is not needed.
reauth-period Reauthentication time interval. integer Minimum 60

value: 0
Maximum
value: 1440

Fortinet Inc.
max-reauth- Maximum number of authentication attempts. integer Minimum 3

attempt value: 0
Maximum
value: 15
tx-period 802.1X Tx period. integer Minimum 30

value: 4
Maximum
value: 60
command- List of FortiSwitch commands. string Not

entry Specified
command- Names of commands to be pushed to this FortiSwitch string Not

name device, as configured under config switch-controller Specified
custom-command.
config igmp-snooping
local-override Enable/disable overriding the global IGMP snooping option - disable

configuration.
Option Description
enable Override the global IGMP snooping configuration.
disable Use the global IGMP snooping configuration.
aging-time Maximum time to retain a multicast snooping entry for integer Minimum 300
which no packets have been seen. value: 15
Maximum
value: 3600
flood- Enable/disable unknown multicast flooding. option - disable

unknown-
multicast
Option Description
enable Enable unknown multicast flooding.
disable Disable unknown multicast flooding.

Fortinet Inc.
config vlans
vlan-name List of FortiSwitch VLANs. string Not default

Specified
proxy IGMP snooping proxy for the VLAN interface. option - global
Option Description
disable Disable IGMP snooping proxy on VLAN interface.
enable Enable IGMP snooping proxy on VLAN interface.
global Use global setting for IGMP snooping proxy on VLAN interface.
querier Enable/disable IGMP snooping querier for the VLAN option - disable
interface.
Option Description
disable Disable IGMP snooping querier on VLAN interface.
enable Enable IGMP snooping querier on VLAN interface.
querier-addr IGMP snooping querier address. ipv4- Not 0.0.0.0

address Specified
version IGMP snooping querying version. integer Minimum 2

value: 2
Maximum
value: 3
config ip-source-guard
port Ingress interface to which source guard is bound. string Not

Specified

Specified
config binding-entry
entry-name Configure binding pair. string Not

Specified

Fortinet Inc.
ip Source IP for this rule. ipv4- Not 0.0.0.0

address- Specified
any
mac MAC address for this rule. mac- Not 00:00:00:00:00:00

address Specified
config mirror
name Mirror name. string Not

Specified
status Active/inactive mirror configuration. option - inactive
Option Description
active Activate mirror configuration.
inactive Deactivate mirror configuration.
switching- Enable/disable switching functionality when mirroring. option - disable

packet
Option Description
enable Enable switching functionality when mirroring.
disable Disable switching functionality when mirroring.
dst Destination port. string Not

Specified
src-ingress Source ingress interfaces. string Maximum

src-egress Source egress interfaces. string Maximum

config ports
port-name Switch port name. string Not Specified
port-owner Switch port name. string Not Specified
switch-id Switch id. string Not Specified
speed Switch port speed; default and available option - auto

settings depend on hardware.

Fortinet Inc.
Option Description
10half 10M half-duplex.
10full 10M full-duplex.
1000auto Auto-negotiation (1G full-duplex only).
1000full-fiber 1G full-duplex (fiber SFPs only)
1000full 1G full-duplex
auto Auto-negotiation.
auto-module Auto Module.
100FX-half 100Mbps half-duplex.100Base-FX.
100FX-full 100Mbps full-duplex.100Base-FX.
100000full 100Gbps full-duplex.
2500auto Auto-Negotiation (2.5Gbps Only).
10000cr 10Gbps copper interface.
10000sr 10Gbps SFI interface.
100000sr4 100Gbps SFI interface.
100000cr4 100Gbps copper interface.
40000sr4 40Gbps SFI interface.
40000cr4 40Gbps copper interface.
5000auto 5Gbps full-duplex.
status Switch port admin status: up or down. option - up

Fortinet Inc.
Option Description
up Set admin status up.
down Set admin status down.
poe-status Enable/disable PoE status. option - enable
Option Description
ip-source- Enable/disable IP source guard. option - disable

guard
Option Description
disable Disable IP source guard.
enable Enable IP source guard.
ptp-policy PTP policy configuration. string Not Specified default
aggregator- LACP member select mode. option - bandwidth

mode
Option Description
bandwidth Member selection based on largest total bandwidth of links of similar speed.
count Member selection based on largest count of similar link speed.
rpvst-port Enable/disable inter-operability with rapid option - disabled

PVST on this interface.
Option Description
disabled Disable inter-operability with rapid PVST on this interface.
enabled Enable inter-operability with rapid PVST on this interface.
poe-pre- Enable/disable PoE pre-standard detection. option - disable

standard-
detection
Option Description
enable Enable PoE pre-standard detection.
disable Disable PoE pre-standard detection.

Fortinet Inc.
port-number Port number. integer Minimum 0

value: 1
Maximum
value: 64
port-prefix- Port prefix type. integer Minimum 0

type value: 0
Maximum
value: 1
fortilink-port FortiLink uplink port. integer Minimum 0

value: 0
Maximum
value: 1
poe-capable PoE capable. integer Minimum 0

value: 0
Maximum
value: 1
stacking-port Stacking port. integer Minimum 0

value: 0
Maximum
value: 1
p2p-port General peer to peer tunnel port. integer Minimum 0

value: 0
Maximum
value: 1
mclag-icl-port MCLAG-ICL port. integer Minimum 0

value: 0
Maximum
value: 1
fiber-port Fiber-port. integer Minimum 0

value: 0
Maximum
value: 1
media-type Media type. string Not Specified
poe-standard PoE standard supported. string Not Specified
poe-max- PoE maximum power. string Not Specified

power

Fortinet Inc.
flags Port properties flags. integer Minimum 0

value: 0
Maximum
value:
4294967295
isl-local-trunk- ISL local trunk name. string Not Specified

name
isl-peer-port- ISL peer port name. string Not Specified

name
isl-peer- ISL peer device name. string Not Specified

device-name
fgt-peer-port- FGT peer port name. string Not Specified

name
fgt-peer- FGT peer device name. string Not Specified

device-name
vlan Assign switch ports to a VLAN. string Not Specified
allowed- Enable/disable all defined vlans on this port. option - disable

vlans-all
Option Description
enable Enable all defined VLANs on this port.
disable Disable all defined VLANs on this port.
allowed-vlans Configure switch port tagged VLANs. string Maximum

<vlan- VLAN name. length: 79
name>
untagged- Configure switch port untagged VLANs. string Maximum

vlans <vlan- VLAN name. length: 79
name>
type Interface type: physical or trunk port. option - physical
Option Description
physical Physical port.
trunk Trunk port.
access-mode Access mode of the port. option - static

Fortinet Inc.
Option Description
dynamic Dynamic mode.
nac NAC mode.
static Static mode.
matched-dpp- Matched child policy in the dynamic port string Not Specified
policy policy.
matched-dpp- Matched interface tags in the dynamic port string Not Specified
intf-tags policy.
dhcp- Trusted or untrusted DHCP-snooping option - untrusted

snooping interface.
Option Description
untrusted Untrusted DHCP snooping interface.
trusted Trusted DHCP snooping interface.
dhcp-snoop- Enable/disable allowance of DHCP with option - disable

option82-trust option-82 on untrusted interface.
Option Description
enable Enable allowance of DHCP with option-82 on untrusted interface.
disable Disable allowance of DHCP with option-82 on untrusted interface.
arp- Trusted or untrusted dynamic ARP option - untrusted

trust
Option Description
untrusted Untrusted dynamic ARP inspection.
trusted Trusted dynamic ARP inspection.
igmps-flood- Enable/disable flooding of IGMP reports to option - disable

reports this interface when igmp-snooping enabled.
Option Description
enable Enable flooding of IGMP snooping reports to this interface.
disable Disable flooding of IGMP snooping reports to this interface.
igmps-flood- Enable/disable flooding of IGMP snooping option - disable

traffic traffic to this interface.

Fortinet Inc.
Option Description
enable Enable flooding of IGMP snooping traffic to this interface.
disable Disable flooding of IGMP snooping traffic to this interface.
stp-state Enable/disable Spanning Tree Protocol (STP) option - enabled

on this interface.
Option Description
enabled Enable STP on this interface.
disabled Disable STP on this interface.
stp-root-guard Enable/disable STP root guard on this option - disabled

interface.
Option Description
enabled Enable STP root-guard on this interface.
disabled Disable STP root-guard on this interface.
stp-bpdu- Enable/disable STP BPDU guard on this option - disabled

guard interface.
Option Description
enabled Enable STP BPDU guard on this interface.
disabled Disable STP BPDU guard on this interface.
stp-bpdu- BPDU Guard disabling protection. integer Minimum 5

guard-timeout value: 0
Maximum
value: 120
edge-port Enable/disable this interface as an edge port, option - enable

bridging connections between workstations
and/or computers.
Option Description
enable Enable this interface as an edge port.
disable Disable this interface as an edge port.
discard-mode Configure discard mode for port. option - none

Fortinet Inc.
Option Description
none Discard disabled.
all-untagged Discard all frames that are untagged.
all-tagged Discard all frames that are tagged.
packet- Enable/disable packet sampling on this option - disabled

sampler interface.
Option Description
enabled Enable packet sampling on this interface.
disabled Disable packet sampling on this interface.
packet- Packet sampling rate. integer Minimum 512

sample-rate value: 0
Maximum
value: 99999
sflow-counter- sFlow sampling counter polling interval in integer Minimum 0

interval seconds. value: 0
Maximum
value: 255
sample- Packet sampling direction. option - both

direction
Option Description
tx Monitor transmitted traffic.
rx Monitor received traffic.
both Monitor transmitted and received traffic.
fec-capable FEC capable. integer Minimum 0

value: 0
Maximum
value: 1
fec-state State of forward error correction. option - cl91
Option Description
disabled Disable forward error correction.
cl74 Enable Clause 74 FC-FEC, which only applies to 25Gbps.
cl91 Enable Clause 91 RS-FEC, which only applies to 100Gbps.

Fortinet Inc.
flow-control Flow control direction. option - disable
Option Description
disable Disable flow control.
tx Enable flow control for transmission pause control frames.
rx Enable flow control for receive pause control frames.
both Enable flow control for both transmission and receive pause control frames.
pause-meter Configure ingress pause metering rate, in integer Minimum 0

kbps. value: 128
Maximum
value:
2147483647
pause-meter- Resume threshold for resuming traffic on option - 50%

resume ingress port.
Option Description
75% Back pressure state won't be cleared until bucket count falls below 75% of
pause threshold.
pause threshold.
pause threshold.
loop-guard Enable/disable loop-guard on this interface, option - disabled

an STP optimization used to prevent network
loops.
Option Description
enabled Enable loop-guard on this interface.
disabled Disable loop-guard on this interface.
loop-guard- Loop-guard timeout. integer Minimum 45

timeout value: 0
Maximum
value: 120
port-policy Switch controller dynamic port policy from string Not Specified
available options.
qos-policy Switch controller QoS policy from available string Not Specified default
options.

Fortinet Inc.
storm-control- Switch controller storm control policy from string Not Specified default
policy available options.
port-security- Switch controller authentication policy to string Not Specified

policy apply to this managed switch from available
options.
export-to-pool Switch controller export port to pool-list. string Not Specified
interface-tags Tag(s) associated with the interface for string Maximum

<tag-name> various features including virtual port pool, length: 63
dynamic port policy.
FortiSwitch port tag name when exported to a
virtual port pool or matched to dynamic port
policy.
learning-limit Limit the number of dynamic MAC addresses integer Minimum 0

on this Port. value: 0
Maximum
value: 128
sticky-mac Enable or disable sticky-mac on the interface. option - disable
Option Description
enable Enable sticky mac on the interface.
disable Disable sticky mac on the interface.
lldp-status LLDP transmit and receive status. option - tx-rx
Option Description
disable Disable LLDP TX and RX.
rx-only Enable LLDP as RX only.
tx-only Enable LLDP as TX only.
tx-rx Enable LLDP TX and RX.
lldp-profile LLDP port TLV profile. string Not Specified default-auto-isl
export-to Export managed-switch port to a tenant string Not Specified

VDOM.
mac-addr Port/Trunk MAC. mac- Not Specified 00:00:00:00:00:00

address
port- Algorithm for aggregate port selection. option - src-dst-ip

selection-
criteria

Fortinet Inc.
Option Description
src-mac Source MAC address.
dst-mac Destination MAC address.
src-dst-mac Source and destination MAC address.
src-ip Source IP address.
dst-ip Destination IP address.
src-dst-ip Source and destination IP address.
description Description for port. string Not Specified
lacp-speed End Link Aggregation Control Protocol option - slow

(LACP) messages every 30 seconds (slow) or
every second (fast).
Option Description
slow Send LACP message every 30 seconds.
fast Send LACP message every second.
mode LACP mode: ignore and do not send control option - static
messages, or negotiate 802.3ad aggregation
passively or actively.
Option Description
static Static aggregation, do not send and ignore any control messages.
lacp-passive Passively use LACP to negotiate 802.3ad aggregation.
lacp-active Actively use LACP to negotiate 802.3ad aggregation.
bundle Enable/disable Link Aggregation Group option - disable

(LAG) bundling for non-FortiLink interfaces.
Option Description
enable Enable bundling.
disable Disable bundling.
member- Port behavior after it withdraws because of option - block

withdrawal- loss of control packets.
behavior
Option Description
forward Forward traffic.

Fortinet Inc.
Option Description
block Block traffic.
mclag Enable/disable multi-chassis link aggregation option - disable

(MCLAG).
Option Description
enable Enable MCLAG.
disable Disable MCLAG.
min-bundle Minimum size of LAG bundle. integer Minimum 1

value: 1
Maximum
value: 24
max-bundle Maximum size of LAG bundle. integer Minimum 24

value: 1
Maximum
value: 24
members Aggregated LAG bundle interfaces. string Maximum

<member- Interface name from available options. length: 79
name>
config remote-log
name Remote log name. string Not

Specified
status Enable/disable logging by FortiSwitch device to a option - disable

remote syslog server.
Option Description
enable Enable logging by FortiSwitch device to a remote syslog server.
disable Disable logging by FortiSwitch device to a remote syslog server.
server IPv4 address of the remote syslog server. string Not

Specified
port Remote syslog server listening port. integer Minimum 514

value: 0
Maximum
value:
65535

Fortinet Inc.
severity Severity of logs to be transferred to remote log server. option - information
Option Description
alert Alert level.
error Error level.
debug Debug level.
csv Enable/disable comma-separated value (CSV) strings. option - disable
Option Description
enable Enable comma-separated value (CSV) strings.
disable Disable comma-separated value (CSV) strings.
facility Facility to log to remote syslog server. option - local7
Option Description
mail Mail system.
syslog Messages generated internally by syslogd.
uucp UUCP server messages.
cron Clock daemon.
ftp FTP daemon.
ntp NTP daemon.

Fortinet Inc.
Option Description
audit Log audit.
alert Log alert.
clock Clock daemon.
config snmp-community
id SNMP community ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name SNMP community name. string Not Specified
status Enable/disable this SNMP community. option - enable
Option Description
disable Disable SNMP community.
enable Enable SNMP community.
query-v1- Enable/disable SNMP v1 queries. option - enable

status
Option Description
disable Disable SNMP v1 queries.
enable Enable SNMP v1 queries.

Fortinet Inc.
query-v1-port SNMP v1 query port. integer Minimum 161

value: 0
Maximum
value: 65535
query-v2c- Enable/disable SNMP v2c queries. option - enable

status
Option Description
disable Disable SNMP v2c queries.
enable Enable SNMP v2c queries.
query-v2c- SNMP v2c query port. integer Minimum 161

port value: 0
Maximum
value: 65535
trap-v1-status Enable/disable SNMP v1 traps. option - enable
Option Description
disable Disable SNMP v1 traps.
enable Enable SNMP v1 traps.
trap-v1-lport SNMP v2c trap local port. integer Minimum 162

value: 0
Maximum
value: 65535
trap-v1-rport SNMP v2c trap remote port. integer Minimum 162

value: 0
Maximum
value: 65535
trap-v2c- Enable/disable SNMP v2c traps. option - enable

status
Option Description
disable Disable SNMP v2c traps.
enable Enable SNMP v2c traps.
trap-v2c-lport SNMP v2c trap local port. integer Minimum 162

value: 0
Maximum
value: 65535

Fortinet Inc.
trap-v2c-rport SNMP v2c trap remote port. integer Minimum 162

value: 0
Maximum
value: 65535
events SNMP notifications (traps) to send. option - cpu-high

mem-low
log-full intf-
ip ent-conf-
change
Option Description
cpu-high Send a trap when CPU usage too high.
mem-low Send a trap when available memory is low.
log-full Send a trap when log disk space becomes low.
intf-ip Send a trap when an interface IP address is changed.
ent-conf-change Send a trap when an entity MIB change occurs (RFC4133).
config hosts
id Host entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip IPv4 address of the SNMP manager (host). user Not Specified
config snmp-sysinfo
status Enable/disable SNMP. option - disable
Option Description
disable Disable SNMP.
enable Enable SNMP.
engine-id Local SNMP engine ID string (max 24 char). string Not

Specified

Fortinet Inc.
description System description. string Not

Specified
contact-info Contact information. string Not

Specified
location System location. string Not

Specified
config snmp-trap-threshold
trap-high-cpu- CPU usage when trap is sent. integer Minimum 80

threshold value: 0
Maximum
value:
4294967295
trap-low- Memory usage when trap is sent. integer Minimum 80

memory- value: 0
threshold Maximum
value:
4294967295
trap-log-full- Log disk usage when trap is sent. integer Minimum 90

threshold value: 0
Maximum
value:
4294967295
config snmp-user
name SNMP user name. string Not

Specified
queries Enable/disable SNMP queries for this user. option - enable
Option Description
disable Disable SNMP queries for this user.
enable Enable SNMP queries for this user.
query-port SNMPv3 query port. integer Minimum 161

value: 0
Maximum
value:
65535

Fortinet Inc.
security-level Security level for message authentication and option - no-auth-no-

encryption. priv
Option Description
no-auth-no-priv Message with no authentication and no privacy (encryption).
auth-no-priv Message with authentication but no privacy (encryption).
auth-priv Message with authentication and privacy (encryption).
auth-proto Authentication protocol. option - sha256
Option Description
md5 HMAC-MD5-96 authentication protocol.
sha1 HMAC-SHA-1 authentication protocol.
auth-pwd Password for authentication protocol. password Not

Specified
priv-proto Privacy (encryption) protocol. option - aes128
Option Description
aes128 CFB128-AES-128 symmetric encryption protocol.
aes192c CFB128-AES-192-C symmetric encryption protocol.
des CBC-DES symmetric encryption protocol.
priv-pwd Password for privacy (encryption) protocol. password Not

Specified

Fortinet Inc.
config static-mac

value: 0
Maximum
value:
4294967295
type Type. option - static
Option Description
static Static MAC.
sticky Sticky MAC.
vlan Vlan. string Not Specified
mac MAC address. mac- Not Specified 00:00:00:00:00:00

address
config storm-control
local-override Enable to override global FortiSwitch storm control option - disable

settings for this FortiSwitch.
Option Description
enable Override global storm control settings.
disable Use global storm control settings.
rate Rate in packets per second at which storm traffic is integer Minimum 500
controlled. Storm control drops excess traffic data rates value: 1
beyond this threshold. Maximum
value:
10000000
unknown- Enable/disable storm control to drop unknown unicast option - disable

unicast traffic.
Option Description
enable Drop unknown unicast traffic.
disable Allow unknown unicast traffic.

Fortinet Inc.
unknown- Enable/disable storm control to drop unknown multicast option - disable

multicast traffic.
Option Description
enable Drop unknown multicast traffic.
disable Allow unknown multicast traffic.
broadcast Enable/disable storm control to drop broadcast traffic. option - disable
Option Description
enable Drop broadcast traffic.
disable Allow broadcast traffic.
config stp-instance
id Instance ID. string Not

Specified
priority Priority. option - 32768
Option Description
0 0.
4096 4096.
8192 8192.
12288 12288.
16384 16384.
20480 20480.
24576 24576.
28672 28672.
32768 32768.
36864 36864.
40960 40960.
45056 45056.
49152 49152.
53248 53248.

Fortinet Inc.
Option Description
57344 57344.
61440 61440.
config stp-settings
local-override Enable to configure local STP settings that override option - disable
global STP settings.
Option Description
enable Override global STP settings.
disable Use global STP settings.
name Name of local STP settings configuration. string Not

Specified
revision STP revision number. integer Minimum 0

value: 0
Maximum
value:
65535
hello-time Period of time between successive STP frame Bridge integer Minimum 2
Protocol Data Units. value: 1
Maximum
value: 10
forward-time Period of time a port is in listening and learning state. integer Minimum 15
value: 4
Maximum
value: 30
max-age Maximum time before a bridge port saves its integer Minimum 20
configuration BPDU information. value: 6
Maximum
value: 40
max-hops Maximum number of hops between the root bridge and integer Minimum 20
the furthest bridge. value: 1
Maximum
value: 40
pending-timer Pending time. integer Minimum 4

value: 1
Maximum
value: 15

Fortinet Inc.
config switch-log
local-override Enable to configure local logging settings that override option - disable
global logging settings.
Option Description
enable Override global logging settings.
disable Use global logging settings.
status Enable/disable adding FortiSwitch logs to the FortiGate option - enable

event log.
Option Description
enable Add FortiSwitch logs to the FortiGate event log.
disable Do not add FortiSwitch logs to the FortiGate event log.
severity Severity of FortiSwitch logs that are added to the option - notification
FortiGate event log.
Option Description
alert Alert level.
error Error level.
debug Debug level.

Fortinet Inc.
config switch-controller network-monitor-settings
Configure network monitor settings.

Description: Configure network monitor settings.
set network-monitoring [enable|disable]
end
network- Enable/disable passive gathering of information by option - disable

monitoring FortiSwitch units concerning other network devices.
Option Description
enable Enable network monitoring on FortiSwitch.
disable Disable network monitoring on FortiSwitch.

Fortinet Inc.
config switch-controller ptp policy
PTP policy configuration.

Description: PTP policy configuration.
edit <name>
set name {string}
next
end

Specified
status Enable/disable PTP policy. option - enable
Option Description
disable Disable PTP policy.
enable Enable PTP policy.

Fortinet Inc.
config switch-controller ptp settings
Global PTP settings.

Description: Global PTP settings.
set mode [disable|transparent-e2e|...]
end
mode Enable/disable PTP mode. option - disable
Option Description
disable Disable PTP function. Packets are forwarded with no action.
transparent-e2e Enable end-to-end transparent clock.
transparent-p2p Enable peer-to-peer transparent clock.

Fortinet Inc.
config switch-controller qos dot1p-map
Configure FortiSwitch QoS 802.1p.

Description: Configure FortiSwitch QoS 802.1p.
edit <name>
set egress-pri-tagging [disable|enable]
set name {string}
set priority-0 [queue-0|queue-1|...]
next
end
description Description of the 802.1p name. string Not

Specified

Fortinet Inc.
egress-pri- Enable/disable egress priority-tag frame. option - disable

tagging
Option Description
disable Disable egress priority tagging.
enable Enable egress priority tagging.
name Dot1p map name. string Not

Specified
priority-0 COS queue mapped to dot1p priority number. option - queue-0
Option Description
queue-0 COS queue 0 (lowest priority).
queue-1 COS queue 1.
queue-7 COS queue 7 (highest priority).
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
config switch-controller qos ip-dscp-map
Configure FortiSwitch QoS IP precedence/DSCP.

Description: Configure FortiSwitch QoS IP precedence/DSCP.
edit <name>
config map
Description: Maps between IP-DSCP value to COS queue.
edit <name>
set name {string}
set cos-queue {integer}
set diffserv {option1}, {option2}, ...
set ip-precedence {option1}, {option2}, ...
set value {user}
next
end
set name {string}
next
end
description Description of the ip-dscp map name. string Not

Specified

Fortinet Inc.
name Dscp map name. string Not

Specified
config map
name Dscp mapping entry name. string Not

Specified
cos-queue COS queue number. integer Minimum 0

value: 0
Maximum
value: 7
diffserv Differentiated service. option -
Option Description
CS0 DSCP CS0.
CS1 DSCP CS1.
AF11 DSCP AF11.
AF12 DSCP AF12.
AF13 DSCP AF13.
CS2 DSCP CS2.
AF21 DSCP AF21.
AF22 DSCP AF22.
AF23 DSCP AF23.
CS3 DSCP CS3.
AF31 DSCP AF31.
AF32 DSCP AF32.
AF33 DSCP AF33.
CS4 DSCP CS4.
AF41 DSCP AF41.
AF42 DSCP AF42.
AF43 DSCP AF43.
CS5 DSCP CS5.
EF DSCP EF.

Fortinet Inc.
Option Description
CS6 DSCP CS6.
CS7 DSCP CS7.
ip-precedence IP Precedence. option -
Option Description
network-control Network control.
internetwork- Internetwork control.

control
critic-ecp Critic ECP.
flashoverride Flash override.
flash Flash.
immediate Immediate.
priority Priority.
routine Routine.
value Raw values of DSCP. user Not

Specified
config switch-controller qos qos-policy

Fortinet Inc.
Configure FortiSwitch QoS policy.
Description: Configure FortiSwitch QoS policy.
edit <name>
set default-cos {integer}
set name {string}
set queue-policy {string}
set trust-dot1p-map {string}
set trust-ip-dscp-map {string}
next
end
default-cos Default cos queue for untagged packets. integer Minimum 0

value: 0
Maximum
value: 7
name QoS policy name. string Not

Specified
queue-policy QoS egress queue policy. string Not default

Specified
trust-dot1p- QoS trust 802.1p map. string Not

map Specified
trust-ip-dscp- QoS trust ip dscp map. string Not

map Specified

Fortinet Inc.
config switch-controller qos queue-policy
Configure FortiSwitch QoS egress queue policy.

Description: Configure FortiSwitch QoS egress queue policy.
edit <name>
config cos-queue
Description: COS queue configuration.
edit <name>
set name {string}
set min-rate {integer}
set max-rate {integer}
set min-rate-percent {integer}
set max-rate-percent {integer}
set drop-policy [taildrop|weighted-random-early-detection]
set ecn [disable|enable]
next
end
set name {string}
set rate-by [kbps|percent]
set schedule [strict|round-robin|...]
next
end

Fortinet Inc.
name QoS policy name. string Not

Specified
rate-by COS queue rate by kbps or percent. option - kbps
Option Description
kbps Rate by kbps.
percent Rate by percent.
schedule COS queue scheduling. option - round-robin
Option Description
strict Strict scheduling (queue7: highest priority, queue0: lowest priority).
round-robin Round robin scheduling.
weighted Weighted round robin scheduling.
config cos-queue
name Cos queue ID. string Not Specified
description Description of the COS queue. string Not Specified
min-rate Minimum rate. integer Minimum 0

value: 0
Maximum
value:
4294967295
max-rate Maximum rate. integer Minimum 0

value: 0
Maximum
value:
4294967295
min-rate- Minimum rate (% of link speed). integer Minimum 0

percent value: 0
Maximum
value:
4294967295

Fortinet Inc.
max-rate- Maximum rate (% of link speed). integer Minimum 0

percent value: 0
Maximum
value:
4294967295
drop-policy COS queue drop policy. option - taildrop
Option Description
taildrop Taildrop policy.
weighted- Weighted random early detection drop policy.

random-early-
detection
ecn Enable/disable ECN packet marking to drop eligible option - disable

packets.
Option Description
disable Disable ECN packet marking to drop eligible packets.
enable Enable ECN packet marking to drop eligible packets.
weight Weight of weighted round robin scheduling. integer Minimum 1

value: 0
Maximum
value:
4294967295

Fortinet Inc.
config switch-controller quarantine
Configure FortiSwitch quarantine support.

Description: Configure FortiSwitch quarantine support.
set quarantine [enable|disable]
config targets
Description: Quarantine MACs.
edit <mac>
set tag <tags1>, <tags2>, ...
next
end
end
quarantine Enable/disable quarantine. option - disable
Option Description
enable Enable quarantine.
disable Disable quarantine.

Fortinet Inc.
config targets
mac Quarantine MAC. mac- Not 00:00:00:00:00:00

address Specified
description Description for the quarantine MAC. string Not

Specified
tag <tags> Tags for the quarantine MAC. string Maximum

Tag string. For example, string1 string2 string3. length: 63
config switch-controller remote-log
Configure logging by FortiSwitch device to a remote syslog server.

Description: Configure logging by FortiSwitch device to a remote syslog server.
edit <name>
set csv [enable|disable]
set name {string}
set port {integer}
set server {string}
next
end

Fortinet Inc.
csv Enable/disable comma-separated value (CSV) strings. option - disable
Option Description
enable Enable comma-separated value (CSV) strings.
disable Disable comma-separated value (CSV) strings.
facility Facility to log to remote syslog server. option - local7
Option Description
mail Mail system.
syslog Messages generated internally by syslogd.
uucp UUCP server messages.
cron Clock daemon.
ftp FTP daemon.
ntp NTP daemon.
audit Log audit.
alert Log alert.
clock Clock daemon.

Fortinet Inc.
Option Description
name Remote log name. string Not

Specified
port Remote syslog server listening port. integer Minimum 514

value: 0
Maximum
value:
65535
server IPv4 address of the remote syslog server. string Not

Specified
severity Severity of logs to be transferred to remote log server. option - information
Option Description
alert Alert level.
error Error level.
debug Debug level.
status Enable/disable logging by FortiSwitch device to a option - disable

remote syslog server.
Option Description
enable Enable logging by FortiSwitch device to a remote syslog server.
disable Disable logging by FortiSwitch device to a remote syslog server.

Fortinet Inc.
config switch-controller security-policy 802-1X
Configure 802.1x MAC Authentication Bypass (MAB) policies.

Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
edit <name>
set auth-fail-vlan [disable|enable]
set auth-fail-vlan-id {string}
set authserver-timeout-period {integer}
set authserver-timeout-vlan [disable|enable]
set authserver-timeout-vlanid {string}
set eap-auto-untagged-vlans [disable|enable]
set eap-passthru [disable|enable]
set framevid-apply [disable|enable]
set guest-auth-delay {integer}
set guest-vlan [disable|enable]
set guest-vlan-id {string}
set mac-auth-bypass [disable|enable]
set name {string}
set open-auth [disable|enable]
set policy-type {option}
set radius-timeout-overwrite [disable|enable]
set security-mode [802.1X|802.1X-mac-based]
set user-group <name1>, <name2>, ...
next
end

Fortinet Inc.
auth-fail-vlan Enable to allow limited access to clients that cannot option - disable
authenticate.
Option Description
disable Disable authentication fail VLAN on this interface.
enable Enable authentication fail VLAN on this interface.
auth-fail-vlan- VLAN ID on which authentication failed. string Not

id Specified
authserver- Authentication server timeout period. integer Minimum 3

timeout- value: 3
period Maximum
value: 15
authserver- Enable/disable the authentication server timeout VLAN option - disable

timeout-vlan to allow limited access when RADIUS is unavailable.
Option Description
disable Disable authentication server timeout VLAN on this interface.
enable Enable authentication server timeout VLAN on this interface.
authserver- Authentication server timeout VLAN name. string Not

timeout-vlanid Specified
eap-auto- Enable/disable automatic inclusion of untagged VLANs. option - enable

untagged-
vlans
Option Description
disable Disable automatic inclusion of untagged VLANs.
enable Enable automatic inclusion of untagged VLANs.
eap-passthru Enable/disable EAP pass-through mode, allowing option - enable

protocols (such as LLDP) to pass through ports for more
flexible authentication.
Option Description
disable Disable EAP pass-through mode on this interface.
enable Enable EAP pass-through mode on this interface.
framevid- Enable/disable the capability to apply the EAP/MAB option - enable

apply frame VLAN to the port native VLAN.

Fortinet Inc.
Option Description
disable Disable the capability to apply the EAP/MAB frame VLAN to the port native
VLAN.
enable Enable the capability to apply the EAP/MAB frame VLAN to the port native
VLAN.
guest-auth- Guest authentication delay. integer Minimum 30

delay value: 1
Maximum
value: 900
guest-vlan Enable the guest VLAN feature to allow limited access option - disable
to non-802.1X-compliant clients.
Option Description
disable Disable guest VLAN on this interface.
enable Enable guest VLAN on this interface.
guest-vlan-id Guest VLAN name. string Not

Specified
mac-auth- Enable/disable MAB for this policy. option - disable

bypass
Option Description
disable Disable MAB.
enable Enable MAB.

Specified
open-auth Enable/disable open authentication for this policy. option - disable
Option Description
disable Disable open authentication.
enable Enable open authentication.
policy-type Policy type. option - 802.1X
Option Description
802.1X 802.1X security policy.

Fortinet Inc.
radius- Enable to override the global RADIUS session timeout. option - disable
timeout-
overwrite
Option Description
disable Override the global RADIUS session timeout.
enable Use the global RADIUS session timeout.
security-mode Port or MAC based 802.1X security mode. option - 802.1X
Option Description
802.1X 802.1X port based authentication.
802.1X-mac- 802.1X MAC based authentication.

based
user-group Name of user-group to assign to this MAC string Maximum

<name> Authentication Bypass (MAB) policy. length: 79
Group name.
config switch-controller security-policy local-access
Configure allowaccess list for mgmt and internal interfaces on managed FortiSwitch units.

Fortinet Inc.
Description: Configure allowaccess list for mgmt and internal interfaces on managed
FortiSwitch units.
edit <name>
set internal-allowaccess {option1}, {option2}, ...
set mgmt-allowaccess {option1}, {option2}, ...
set name {string}
next
end
internal- Allowed access on the switch internal interface. option - https ping
allowaccess ssh
Option Description
https HTTPS access.
ping PING access.
ssh SSH access.
snmp SNMP access.
http HTTP access.
mgmt- Allowed access on the switch management interface. option - https ping
allowaccess ssh
Option Description
https HTTPS access.
ping PING access.
ssh SSH access.
snmp SNMP access.
http HTTP access.

Specified

Fortinet Inc.
config switch-controller sflow
Configure FortiSwitch sFlow.

Description: Configure FortiSwitch sFlow.
end
collector-ip Collector IP. ipv4- Not 0.0.0.0

address Specified
collector-port SFlow collector port. integer Minimum 6343

value: 0
Maximum
value:
65535

Fortinet Inc.
config switch-controller snmp-community
Configure FortiSwitch SNMP v1/v2c communities globally.

Description: Configure FortiSwitch SNMP v1/v2c communities globally.
edit <id>
config hosts
edit <id>
set id {integer}
set ip {user}
next
end
set id {integer}
set name {string}
set query-v1-status [disable|enable]
set query-v2c-status [disable|enable]
set trap-v1-status [disable|enable]
set trap-v2c-status [disable|enable]
next
end

Fortinet Inc.
events SNMP notifications (traps) to send. option - cpu-high

mem-low
log-full intf-
ip ent-conf-
change
Option Description
cpu-high Send a trap when CPU usage too high.
id SNMP community ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name SNMP community name. string Not Specified

value: 0
Maximum
value: 65535

status
Option Description
disable Disable SNMP v1 queries.
enable Enable SNMP v1 queries.

port value: 0
Maximum
value: 65535

status
Option Description
disable Disable SNMP v2c queries.

Fortinet Inc.
Option Description
enable Enable SNMP v2c queries.
Option Description
disable Disable SNMP community.
enable Enable SNMP community.
trap-v1-lport SNMP v2c trap local port. integer Minimum 162

value: 0
Maximum
value: 65535
trap-v1-rport SNMP v2c trap remote port. integer Minimum 162

value: 0
Maximum
value: 65535
Option Description
disable Disable SNMP v1 traps.
enable Enable SNMP v1 traps.

value: 0
Maximum
value: 65535

value: 0
Maximum
value: 65535

status
Option Description
disable Disable SNMP v2c traps.
enable Enable SNMP v2c traps.

Fortinet Inc.
config hosts

value: 0
Maximum
value:
4294967295
config switch-controller snmp-sysinfo
Configure FortiSwitch SNMP system information globally.

Description: Configure FortiSwitch SNMP system information globally.
end

Fortinet Inc.
contact-info Contact information. string Not

Specified
description System description. string Not

Specified
engine-id Local SNMP engine ID string (max 24 char). string Not

Specified
location System location. string Not

Specified
Option Description
disable Disable SNMP.
enable Enable SNMP.
config switch-controller snmp-trap-threshold
Configure FortiSwitch SNMP trap threshold values globally.

Description: Configure FortiSwitch SNMP trap threshold values globally.

Fortinet Inc.
end

threshold value: 0
Maximum
value:
4294967295

threshold value: 0
Maximum
value:
4294967295

memory- value: 0
threshold Maximum
value:
4294967295
config switch-controller snmp-user

Fortinet Inc.
Configure FortiSwitch SNMP v3 users globally.
Description: Configure FortiSwitch SNMP v3 users globally.
edit <name>
set auth-proto [md5|sha1|...]
set name {string}
set priv-proto [aes128|aes192|...]
set queries [disable|enable]
next
end
auth-proto Authentication protocol. option - sha256
Option Description

Specified

Specified
priv-proto Privacy (encryption) protocol. option - aes128
Option Description

Fortinet Inc.

Specified
Option Description
disable Disable SNMP queries for this user.
enable Enable SNMP queries for this user.

value: 0
Maximum
value:
65535

encryption. priv
Option Description
config switch-controller storm-control-policy

Fortinet Inc.
Configure FortiSwitch storm control policy to be applied on managed-switch ports.
Description: Configure FortiSwitch storm control policy to be applied on managed-switch
ports.
edit <name>
set name {string}
set rate {integer}
set storm-control-mode [global|override|...]
next
end
broadcast Enable/disable storm control to drop/allow broadcast option - disable

traffic in override mode.
Option Description
enable Enable storm control for broadcast traffic to drop packets which exceed
configured rate limits.
disable Disable storm control for broadcast traffic to allow all packets.
description Description of the storm control policy. string Not

Specified
name Storm control policy name. string Not

Specified
rate Threshold rate in packets per second at which storm integer Minimum 500
traffic is controlled in override mode. value: 0
Maximum
value:
10000000
storm-control- Set Storm control mode. option - global

mode
Option Description
global Apply Global or switch level storm control configuration.
override Override global and switch level storm control to use port level configuration.
disabled Disable storm control on the port entirely overriding global and switch level
storm control.

Fortinet Inc.
unknown- Enable/disable storm control to drop/allow unknown option - disable

multicast multicast traffic in override mode.
Option Description
enable Enable storm control for unknown multicast traffic to drop packets which
exceed configured rate limits.
disable Disable storm control for unknown multicast traffic to allow all packets.
unknown- Enable/disable storm control to drop/allow unknown option - disable

unicast unicast traffic in override mode.
Option Description
enable Enable storm control for unknown unicast traffic to drop packets which exceed
configured rate limits.
disable Disable storm control for unknown unicast traffic to allow all packets.
config switch-controller storm-control
Configure FortiSwitch storm control.

Description: Configure FortiSwitch storm control.

Fortinet Inc.
set rate {integer}
end
broadcast Enable/disable storm control to drop broadcast traffic. option - disable
Option Description
enable Enable broadcast storm control.
disable Disable broadcast storm control.
rate Rate in packets per second at which storm traffic is integer Minimum 500
controlled. Storm control drops excess traffic data rates value: 1
beyond this threshold. Maximum
value:
10000000
unknown- Enable/disable storm control to drop unknown multicast option - disable

multicast traffic.
Option Description
enable Enable unknown multicast storm control.
disable Disable unknown multicast storm control.
unknown- Enable/disable storm control to drop unknown unicast option - disable

unicast traffic.
Option Description
enable Enable unknown unicast storm control.
disable Disable unknown unicast storm control.

Fortinet Inc.
config switch-controller stp-instance
Configure FortiSwitch multiple spanning tree protocol (MSTP) instances.

Description: Configure FortiSwitch multiple spanning tree protocol (MSTP) instances.
edit <id>
set id {string}
set vlan-range <vlan-name1>, <vlan-name2>, ...
next
end
id Instance ID. string Not

Specified
vlan-range Configure VLAN range for STP instance. string Maximum

<vlan- VLAN name. length: 79
name>

Fortinet Inc.
config switch-controller stp-settings
Configure FortiSwitch spanning tree protocol (STP).

Description: Configure FortiSwitch spanning tree protocol (STP).
set forward-time {integer}
set name {string}
set pending-timer {integer}
set revision {integer}
end
forward-time Period of time a port is in listening and learning state. integer Minimum 15
value: 4
Maximum
value: 30
hello-time Period of time between successive STP frame Bridge integer Minimum 2
Protocol Data Units. value: 1
Maximum
value: 10

Fortinet Inc.
max-age Maximum time before a bridge port expires its integer Minimum 20
configuration BPDU information. value: 6
Maximum
value: 40
max-hops Maximum number of hops between the root bridge and integer Minimum 20
the furthest bridge. value: 1
Maximum
value: 40
name Name of global STP settings configuration. string Not

Specified
pending-timer Pending time. integer Minimum 4

value: 1
Maximum
value: 15
revision STP revision number. integer Minimum 0

value: 0
Maximum
value:
65535
config switch-controller switch-group
Configure FortiSwitch switch groups.

Fortinet Inc.
Description: Configure FortiSwitch switch groups.
edit <name>
set members <switch-id1>, <switch-id2>, ...
set name {string}
next
end
description Optional switch group description. string Not

Specified
fortilink FortiLink interface to which switch group members string Not

belong. Specified
members FortiSwitch members belonging to this switch group. string Maximum

<switch- Managed device ID. length: 79
id>
name Switch group name. string Not

Specified
config switch-controller switch-interface-tag

Fortinet Inc.
Configure switch object tags.
Description: Configure switch object tags.
edit <name>
set name {string}
next
end
name Tag name. string Not

Specified
config switch-controller switch-log
Configure FortiSwitch logging (logs are transferred to and inserted into FortiGate event log).
Description: Configure FortiSwitch logging (logs are transferred to and inserted into
FortiGate event log).
end

Fortinet Inc.
severity Severity of FortiSwitch logs that are added to the option - notification
FortiGate event log.
Option Description
alert Alert level.
error Error level.
debug Debug level.
status Enable/disable adding FortiSwitch logs to FortiGate option - enable

event log.
Option Description
enable Add FortiSwitch logs to FortiGate event log.
disable Do not add FortiSwitch logs to FortiGate event log.

Fortinet Inc.
config switch-controller switch-profile
Configure FortiSwitch switch profile.

Description: Configure FortiSwitch switch profile.
edit <name>
set login-passwd {password}
set login-passwd-override [enable|disable]
set name {string}
next
end
login-passwd Login password of managed FortiSwitch. password Not

Specified
login-passwd- Enable/disable overriding the admin administrator option - disable

override password for a managed FortiSwitch with the FortiGate
admin administrator account password.
Option Description
enable Override a managed FortiSwitch's admin administrator password.
disable Use the managed FortiSwitch admin administrator account password.

Fortinet Inc.
name FortiSwitch Profile name. string Not

Specified
config switch-controller system
Configure system-wide switch controller settings.

Description: Configure system-wide switch controller settings.
set data-sync-interval {integer}
set dynamic-periodic-interval {integer}
set iot-holdoff {integer}
set iot-mac-idle {integer}
set iot-scan-interval {integer}
set iot-weight-threshold {integer}
set nac-periodic-interval {integer}
set parallel-process {integer}
set parallel-process-override [disable|enable]
set tunnel-mode [compatible|strict]
end

Fortinet Inc.
data-sync- Time interval between collection of switch data. integer Minimum 60

interval value: 30
Maximum
value: 1800
dynamic- Periodic time interval to run Dynamic port policy integer Minimum 15
periodic- engine. value: 5
interval Maximum
value: 60
iot-holdoff MAC entry's creation time. Time must be greater than integer Minimum 5
this value for an entry to be created. value: 0
Maximum
value:
10080
iot-mac-idle MAC entry's idle time. MAC entry is removed after this integer Minimum 1440
value. value: 0
Maximum
value:
10080
iot-scan- IoT scan interval. integer Minimum 60

interval value: 2
Maximum
value:
10080
iot-weight- MAC entry's confidence value. Value is re-queried integer Minimum 1

threshold when below this value. value: 0
Maximum
value: 255
nac-periodic- Periodic time interval to run NAC engine. integer Minimum 15

interval value: 5
Maximum
value: 60
parallel- Maximum number of parallel processes. integer Minimum 1

process value: 1
Maximum
value: 128
**
parallel- Enable/disable parallel process override. option - disable

process-
override

Fortinet Inc.
Option Description
disable Disable maximum parallel process override.
enable Enable maximum parallel process override.
tunnel-mode Compatible/strict tunnel mode. option - compatible
Option Description
compatible Allow for backward compatible ciphers.
strict Follow system.strong-crypto ciphers.
config switch-controller traffic-policy
Configure FortiSwitch traffic policy.

Description: Configure FortiSwitch traffic policy.
edit <name>
set cos-queue {integer}
set guaranteed-burst {integer}
set maximum-burst {integer}

Fortinet Inc.
set name {string}
set policer-status [enable|disable]
set type [ingress|egress]
next
end
cos-queue COS queue, or unset to disable. integer Minimum

value: 0
Maximum
value: 7
description Description of the traffic policy. string Not Specified
guaranteed- Guaranteed bandwidth in kbps (max value = integer Minimum 10000

bandwidth 524287000). value: 0
Maximum
value:
524287000
guaranteed- Guaranteed burst size in bytes (max value = integer Minimum 45000
burst 4294967295). value: 0
Maximum
value:
4294967295
maximum- Maximum burst size in bytes (max value = integer Minimum 67500
burst 4294967295). value: 0
Maximum
value:
4294967295
name Traffic policy name. string Not Specified
policer-status Enable/disable policer config on the traffic policy. option - enable
Option Description
enable Enable policer config on the traffic policy.
disable Disable policer config on the traffic policy.
type Configure type of policy(ingress/egress). option - ingress
Option Description
ingress Ingress policy.
egress Egress policy.

Fortinet Inc.
config switch-controller traffic-sniffer
Configure FortiSwitch RSPAN/ERSPAN traffic sniffing parameters.

Description: Configure FortiSwitch RSPAN/ERSPAN traffic sniffing parameters.
set erspan-ip {ipv4-address}
set mode [erspan-auto|rspan|...]
config target-ip
Description: Sniffer IPs to filter.
edit <ip>
next
end
config target-mac
Description: Sniffer MACs to filter.
edit <mac>
next
end
config target-port
Description: Sniffer ports to filter.
edit <switch-id>
set in-ports <name1>, <name2>, ...
set out-ports <name1>, <name2>, ...
next

Fortinet Inc.
end
end
erspan-ip Configure ERSPAN collector IP address. ipv4- Not 0.0.0.0

address Specified
mode Configure traffic sniffer mode. option - erspan-

auto
Option Description
erspan-auto Mirror traffic using a GRE tunnel.
rspan Mirror traffic on a layer2 VLAN.
none Disable traffic mirroring (sniffer).
config target-ip
ip Sniffer IP. ipv4- Not 0.0.0.0

address Specified
description Description for the sniffer IP. string Not

Specified
config target-mac
mac Sniffer MAC. mac- Not 00:00:00:00:00:00

address Specified
description Description for the sniffer MAC. string Not

Specified
config target-port
switch-id Managed-switch ID. string Not

Specified
description Description for the sniffer port entry. string Not

Specified

Fortinet Inc.
in-ports Configure source ingress port interfaces. string Maximum

out-ports Configure source egress port interfaces. string Maximum

config switch-controller virtual-port-pool
Configure virtual pool.

Description: Configure virtual pool.
edit <name>
set name {string}
next
end
description Virtual switch pool description. string Not

Specified

Fortinet Inc.
name Virtual switch pool name. string Not

Specified
config switch-controller vlan-policy
Configure VLAN policy to be applied on the managed FortiSwitch ports through dynamic-port-policy.
Description: Configure VLAN policy to be applied on the managed FortiSwitch ports
through dynamic-port-policy.
edit <name>
set allowed-vlans <vlan-name1>, <vlan-name2>, ...
set allowed-vlans-all [enable|disable]
set discard-mode [none|all-untagged|...]
set name {string}
set untagged-vlans <vlan-name1>, <vlan-name2>, ...
set vlan {string}
next
end

Fortinet Inc.
allowed-vlans Allowed VLANs to be applied when using this VLAN string Maximum
<vlan- policy. length: 79
name> VLAN name.
allowed- Enable/disable all defined VLANs when using this VLAN option - disable
vlans-all policy.
Option Description
enable Enable all defined VLANs.
disable Disable all defined VLANs.
description Description for the VLAN policy. string Not

Specified
discard-mode Discard mode to be applied when using this VLAN option - none
policy.
Option Description
none Discard disabled.
all-untagged Discard all frames that are untagged.
all-tagged Discard all frames that are tagged.
fortilink FortiLink interface for which this VLAN policy belongs to. string Not
Specified
name VLAN policy name. string Not

Specified
untagged- Untagged VLANs to be applied when using this VLAN string Maximum
vlans <vlan- policy. length: 79
name> VLAN name.
vlan Native VLAN to be applied when using this VLAN policy. string Not
Specified

Fortinet Inc.
system

l config system 3g-modem custom on page 980
l config system accprofile on page 981
l config system acme on page 991
l config system admin on page 992
l config system affinity-interrupt on page 999
l config system affinity-packet-redistribution on page 1000
l config system alarm on page 1001
l config system alias on page 1004
l config system api-user on page 1005
l config system arp-table on page 1006
l config system arp on page 1007
l config system auto-install on page 1007
l config system auto-script on page 1008
l config system auto-update status on page 1009
l config system auto-update versions on page 1009
l config system automation-action on page 1009
l config system automation-destination on page 1014
l config system automation-stitch on page 1015
l config system automation-trigger on page 1016
l config system autoupdate schedule on page 1020
l config system autoupdate tunneling on page 1021
l config system bypass on page 1022
l config system central-management on page 1024
l config system central-mgmt on page 1029
l config system checksum status on page 1029
l config system cluster-sync on page 1029
l config system cmdb on page 1032
l config system console on page 1032
l config system csf on page 1033
l config system custom-language on page 1038
l config system ddns on page 1038
l config system dedicated-mgmt on page 1041
l config system dhcp6 server on page 1042
l config system dhcp server on page 1046
l config system dnp3-proxy on page 1058
l config system dns-database on page 1060
l config system dns-server on page 1063

Fortinet Inc.
l config system dns on page 1064
l config system dns64 on page 1066
l config system dscp-based-priority on page 1067
l config system dsl status on page 1068
l config system elbc on page 1069
l config system email-server on page 1070
l config system external-resource on page 1072
l config system federated-upgrade on page 1074
l config system fips-cc on page 1077
l config system fortianalyzer-connectivity on page 1078
l config system fortiguard-log-service on page 1078
l config system fortiguard-service on page 1078
l config system fortiguard on page 1078
l config system fortindr on page 1086
l config system fortisandbox on page 1087
l config system fsso-polling on page 1089
l config system ftm-push on page 1089
l config system geneve on page 1090
l config system geoip-country on page 1091
l config system geoip-override on page 1092
l config system global on page 1093
l config system gre-tunnel on page 1144
l config system ha-monitor on page 1147
l config system ha-nonsync-csum on page 1147
l config system ha on page 1147
l config system ike on page 1160
l config system info admin ssh on page 1174
l config system info admin status on page 1174
l config system interface on page 1174
l config system ip-conflict status on page 1233
l config system ipam on page 1233
l config system ipip-tunnel on page 1234
l config system ips-urlfilter-dns on page 1235
l config system ips-urlfilter-dns6 on page 1236
l config system ips on page 1236
l config system ipsec-aggregate on page 1237
l config system ipv6-neighbor-cache on page 1238
l config system ipv6-tunnel on page 1238
l config system isf-queue-profile on page 1240
l config system link-monitor on page 1242
l config system lldp network-policy on page 1247
l config system lte-modem on page 1255
l config system mac-address-table on page 1260

Fortinet Inc.
l config system management-tunnel on page 1260
l config system mgmt-csum on page 1262
l config system mobile-tunnel on page 1262
l config system modem on page 1265
l config system nd-proxy on page 1272
l config system netflow on page 1272
l config system network-visibility on page 1274
l config system np6 on page 1275
l config system np6xlite on page 1288
l config system npu-setting prp on page 1300
l config system npu-vlink on page 1301
l config system npu on page 1302
l config system ntp on page 1357
l config system object-tagging on page 1360
l config system password-policy-guest-admin on page 1361
l config system password-policy on page 1363
l config system performance firewall packet-distribution on page 1365
l config system performance firewall statistics on page 1365
l config system performance status on page 1365
l config system performance top on page 1366
l config system physical-switch on page 1366
l config system pppoe-interface on page 1367
l config system probe-response on page 1369
l config system proxy-arp on page 1370
l config system ptp on page 1371
l config system replacemsg-group on page 1373
l config system replacemsg-image on page 1385
l config system replacemsg admin on page 1386
l config system replacemsg alertmail on page 1387
l config system replacemsg auth on page 1388
l config system replacemsg automation on page 1389
l config system replacemsg fortiguard-wf on page 1390
l config system replacemsg ftp on page 1390
l config system replacemsg http on page 1391
l config system replacemsg icap on page 1392
l config system replacemsg mail on page 1393
l config system replacemsg nac-quar on page 1394
l config system replacemsg spam on page 1395
l config system replacemsg sslvpn on page 1396
l config system replacemsg traffic-quota on page 1396
l config system replacemsg utm on page 1397
l config system replacemsg webproxy on page 1398
l config system resource-limits on page 1399

Fortinet Inc.
l config system saml on page 1402
l config system sdn-connector on page 1405
l config system sdwan on page 1414
l config system session-helper-info list on page 1434
l config system session-helper on page 1434
l config system session-info expectation on page 1435
l config system session-info full-stat on page 1436
l config system session-info list on page 1436
l config system session-info statistics on page 1436
l config system session-info ttl on page 1436
l config system session-ttl on page 1436
l config system session on page 1437
l config system session6 on page 1438
l config system settings on page 1438
l config system sflow on page 1459
l config system sit-tunnel on page 1460
l config system smc-ntp on page 1462
l config system sms-server on page 1463
l config system snmp community on page 1464
l config system snmp sysinfo on page 1471
l config system snmp user on page 1473
l config system source-ip status on page 1479
l config system speed-test-schedule on page 1479
l config system speed-test-server on page 1481
l config system sso-admin on page 1483
l config system sso-forticloud-admin on page 1483
l config system standalone-cluster on page 1484
l config system startup-error-log on page 1485
l config system status on page 1485
l config system storage on page 1485
l config system stp on page 1487
l config system switch-interface on page 1488
l config system tos-based-priority on page 1490
l config system vdom-dns on page 1491
l config system vdom-exception on page 1493
l config system vdom-link on page 1495
l config system vdom-netflow on page 1496
l config system vdom-property on page 1497
l config system vdom-radius-server on page 1498
l config system vdom-sflow on page 1499
l config system vdom on page 1500
l config system virtual-switch on page 1501
l config system virtual-wire-pair on page 1503

Fortinet Inc.
l config system vne-tunnel on page 1504
l config system vxlan on page 1505
l config system wccp on page 1506
l config system wireless ap-status on page 1510
l config system wireless detected-ap on page 1512
l config system wireless settings on page 1513
l config system zone on page 1516
config system 3g-modem custom
4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate
5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 601E, FortiGate 60E
FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGateRugged 60F 3G4G,
It is not available for: FortiGate VM64.
3G MODEM custom.
Description: 3G MODEM custom.
edit <id>
set class-id {user}
set id {integer}
set init-string {string}
set model {string}
set modeswitch-string {string}
set product-id {user}
set vendor {string}
set vendor-id {user}
next
end

Fortinet Inc.
class-id USB interface class in hexadecimal format (00-ff). user Not Specified

value: 0
Maximum
value:
4294967295
init-string Init string in hexadecimal format (even length). string Not Specified
model MODEM model name. string Not Specified
modeswitch- USB modeswitch arguments. e.g: '-v 1410 -p 9030 -V string Not Specified
string 1410 -P 9032 -u 3'
product-id USB product ID in hexadecimal format (0000-ffff). user Not Specified
vendor MODEM vendor name. string Not Specified
vendor-id USB vendor ID in hexadecimal format (0000-ffff). user Not Specified
config system accprofile
Configure access profiles for system administrators.

Description: Configure access profiles for system administrators.
edit <name>
set admintimeout {integer}
set admintimeout-override [enable|disable]
set authgrp [none|read|...]
set ftviewgrp [none|read|...]
set fwgrp [none|read|...]
config fwgrp-permission
Description: Custom firewall permission.
set policy [none|read|...]
set address [none|read|...]
set service [none|read|...]
set schedule [none|read|...]
set others [none|read|...]
end
set loggrp [none|read|...]
config loggrp-permission
Description: Custom Log & Report permission.
set config [none|read|...]
set data-access [none|read|...]
set report-access [none|read|...]
set threat-weight [none|read|...]
end
set name {string}

Fortinet Inc.
set netgrp [none|read|...]
config netgrp-permission
Description: Custom network permission.
set cfg [none|read|...]
set packet-capture [none|read|...]
set route-cfg [none|read|...]
end
set scope [vdom|global]
set secfabgrp [none|read|...]
set sysgrp [none|read|...]
config sysgrp-permission
Description: Custom system permission.
set admin [none|read|...]
set upd [none|read|...]
set cfg [none|read|...]
set mnt [none|read|...]
end
set system-diagnostics [enable|disable]
set utmgrp [none|read|...]
config utmgrp-permission
Description: Custom Security Profile permissions.
set antivirus [none|read|...]
set ips [none|read|...]
set webfilter [none|read|...]
set emailfilter [none|read|...]
set data-loss-prevention [none|read|...]
set file-filter [none|read|...]
set application-control [none|read|...]
set icap [none|read|...]
set voip [none|read|...]
set waf [none|read|...]
set dnsfilter [none|read|...]
set endpoint-control [none|read|...]
end
set vpngrp [none|read|...]
set wanoptgrp [none|read|...]
set wifi [none|read|...]
next
end
admintimeout Administrator timeout for this access profile. integer Minimum 10

value: 1
Maximum
value: 480
admintimeout- Enable/disable overriding the global administrator idle option - disable

override timeout.

Fortinet Inc.
Option Description
enable Enable overriding the global administrator idle timeout.
disable Disable overriding the global administrator idle timeout.
authgrp Administrator access to Users and Devices. option - none
Option Description
none No access.
read Read access.
read-write Read/write access.

Specified
ftviewgrp FortiView. option - none
Option Description
none No access.
read Read access.
fwgrp Administrator access to the Firewall configuration. option - none
Option Description
none No access.
read Read access.
custom Customized access.
loggrp Administrator access to Logging and Reporting option - none

including viewing log messages.
Option Description
none No access.
read Read access.

Fortinet Inc.

Specified
netgrp Network Configuration. option - none
Option Description
none No access.
read Read access.
scope Scope of admin access: global or specific VDOM(s). option - vdom
Option Description
vdom VDOM access.
global Global access.
secfabgrp Security Fabric. option - none
Option Description
none No access.
read Read access.
sysgrp System Configuration. option - none
Option Description
none No access.
read Read access.
system- Enable/disable permission to run system diagnostic option - enable

diagnostics commands.
Option Description
enable Enable permission to run system diagnostic commands.
disable Disable permission to run system diagnostic commands.
utmgrp Administrator access to Security Profiles. option - none

Fortinet Inc.
Option Description
none No access.
read Read access.
vpngrp Administrator access to IPsec, SSL, PPTP, and L2TP option - none
VPN.
Option Description
none No access.
read Read access.
wanoptgrp * Administrator access to WAN Opt & Cache. option - none
Option Description
none No access.
read Read access.
wifi Administrator access to the WiFi controller and Switch option - none
controller.
Option Description
none No access.
read Read access.
config fwgrp-permission
policy Policy Configuration. option - none
Option Description
none No access.

Fortinet Inc.
Option Description
read Read access.
address Address Configuration. option - none
Option Description
none No access.
read Read access.
service Service Configuration. option - none
Option Description
none No access.
read Read access.
schedule Schedule Configuration. option - none
Option Description
none No access.
read Read access.
others Other Firewall Configuration. option - none
Option Description
none No access.
read Read access.
config loggrp-permission
config Log & Report configuration. option - none

Fortinet Inc.
Option Description
none No access.
read Read access.
data-access Log & Report Data Access. option - none
Option Description
none No access.
read Read access.
report-access Log & Report Report Access. option - none
Option Description
none No access.
read Read access.
threat-weight Log & Report Threat Weight. option - none
Option Description
none No access.
read Read access.
config netgrp-permission
cfg Network Configuration. option - none
Option Description
none No access.
read Read access.
packet-capture Packet Capture Configuration. option - none

Fortinet Inc.
Option Description
none No access.
read Read access.
route-cfg Router Configuration. option - none
Option Description
none No access.
read Read access.
config sysgrp-permission
admin Administrator Users. option - none
Option Description
none No access.
read Read access.
upd FortiGuard Updates. option - none
Option Description
none No access.
read Read access.
cfg System Configuration. option - none
Option Description
none No access.
read Read access.
mnt Maintenance. option - none

Fortinet Inc.
Option Description
none No access.
read Read access.
config utmgrp-permission
antivirus Antivirus profiles and settings. option - none
Option Description
none No access.
read Read access.
ips IPS profiles and settings. option - none
Option Description
none No access.
read Read access.
webfilter Web Filter profiles and settings. option - none
Option Description
none No access.
read Read access.
emailfilter Email Filter and settings. option - none
Option Description
none No access.
read Read access.
data-loss- DLP profiles and settings. option - none

prevention

Fortinet Inc.
Option Description
none No access.
read Read access.
file-filter File-filter profiles and settings. option - none
Option Description
none No access.
read Read access.
application- Application Control profiles and settings. option - none

control
Option Description
none No access.
read Read access.
icap ICAP profiles and settings. option - none
Option Description
none No access.
read Read access.
voip VoIP profiles and settings. option - none
Option Description
none No access.
read Read access.
waf Web Application Firewall profiles and settings. option - none
Option Description
none No access.

Fortinet Inc.
Option Description
read Read access.
dnsfilter DNS Filter profiles and settings. option - none
Option Description
none No access.
read Read access.
endpoint- FortiClient Profiles. option - none

control
Option Description
none No access.
read Read access.
config system acme
Configure ACME client.

config system acme
Description: Configure ACME client.
config accounts
Description: ACME accounts list.
edit <id>
set id {string}
set status {string}
set url {string}
set ca_url {string}
set email {string}
set privatekey {string}
next
end
end

Fortinet Inc.
config system acme
interface Interface(s) on which the ACME client will listen for string Maximum
<interface- challenges. length: 79
name> Interface name.
source-ip Source IPv4 address used to connect to the ACME ipv4- Not 0.0.0.0
server. address Specified
source-ip6 Source IPv6 address used to connect to the ACME ipv6- Not ::
config accounts
id Account id. string Not

Specified
status Account status. string Not

Specified
url Account url. string Not

Specified
ca_url Account ca_url. string Not

Specified
email Account email. string Not

Specified
privatekey Account Private Key. string Not

Specified
config system admin
Configure admin users.

config system admin
Description: Configure admin users.
edit <name>
set accprofile {string}
set accprofile-override [enable|disable]
set allow-remove-admin-session [enable|disable]
set email-to {string}
set force-password-change [enable|disable]
set fortitoken {string}
set guest-auth [disable|enable]
set guest-lang {string}
set guest-usergroups <name1>, <name2>, ...

Fortinet Inc.
set ip6-trusthost1 {ipv6-prefix}
set name {string}
set password {password-2}
set password-expire {user}
set peer-auth [enable|disable]
set peer-group {string}
set radius-vdom-override [enable|disable]
set remote-auth [enable|disable]
set remote-group {string}
set sms-custom-server {string}
set sms-phone {string}
set sms-server [fortiguard|custom]
set ssh-certificate {string}
set ssh-public-key1 {user}
set trusthost1 {ipv4-classnet}
set two-factor [disable|fortitoken|...]
set two-factor-authentication [fortitoken|email|...]
set two-factor-notification [email|sms]
set vdom <name1>, <name2>, ...
set wildcard [enable|disable]
next
end
config system admin
accprofile Access profile for this administrator. Access profiles string Not
control administrator access to FortiGate features. Specified

Fortinet Inc.
accprofile- Enable to use the name of an access profile option - disable

override provided by the remote authentication server to
control the FortiGate features that this administrator
can access.
Option Description
enable Enable access profile override.
disable Disable access profile override.
allow-remove- Enable/disable allow admin session to be removed option - enable

admin-session by privileged admin users.
Option Description
enable Enable allow-remove option.
disable Disable allow-remove option.

Specified
email-to This administrator's email address. string Not

Specified
force-password- Enable/disable force password change on next option - disable

change login.
Option Description
enable Enable force password change on next login.
disable Disable force password change on next login.
fortitoken This administrator's FortiToken serial number. string Not

Specified
guest-auth Enable/disable guest authentication. option - disable
Option Description
disable Disable guest authentication.
enable Enable guest authentication.
guest-lang Guest management portal language. string Not

Specified
guest- Select guest user groups. string Maximum

usergroups Select guest user groups. length: 79
<name>

Fortinet Inc.
ip6-trusthost1 Any IPv6 address from which the administrator can ipv6-prefix Not ::/0
connect to the FortiGate unit. Default allows access Specified
from any IPv6 address.
name User name. string Not

Specified
password Admin user password. password-2 Not

Specified
password-expire Password expire time. user Not

Specified
peer-auth Set to enable peer certificate authentication (for option - disable

HTTPS admin access).

Fortinet Inc.
Option Description
enable Enable peer.
disable Disable peer.
peer-group Name of peer group defined under config user group string Not
which has PKI members. Used for peer certificate Specified
authentication (for HTTPS admin access).
radius-vdom- Enable to use the names of VDOMs provided by the option - disable
override remote authentication server to control the VDOMs
that this administrator can access.
Option Description
enable Enable VDOM override.
disable Disable VDOM override.
remote-auth Enable/disable authentication using a remote option - disable

RADIUS, LDAP, or TACACS+ server.
Option Description
enable Enable remote authentication.
disable Disable remote authentication.
remote-group User group name used for remote auth. string Not
Specified
schedule Firewall schedule used to restrict when the string Not

administrator can log in. No schedule means no Specified
restrictions.
sms-custom- Custom SMS server to send SMS messages to. string Not
server Specified
sms-phone Phone number on which the administrator receives string Not

SMS messages. Specified
sms-server Send SMS messages using the FortiGuard SMS option - fortiguard
server or a custom server.
Option Description
fortiguard Send SMS by FortiGuard.
custom Send SMS by custom server.
ssh-certificate Select the certificate to be used by the FortiGate for string Not
authentication with an SSH client. Specified

Fortinet Inc.
ssh-public-key1 Public key of an SSH client. The client is user Not

authenticated without being asked for credentials. Specified
Create the public-private key pair in the SSH client
application.

application.

application.
trusthost1 Any IPv4 address or subnet address and netmask ipv4- Not 0.0.0.0
from which the administrator can connect to the classnet Specified 0.0.0.0
FortiGate unit. Default allows access from any IPv4
address.
address.
address.
address.
address.
address.
address.

Fortinet Inc.
address.
address.
address.
two-factor Enable/disable two-factor authentication. option - disable
Option Description
disable Disable two-factor authentication.
fortitoken Use FortiToken or FortiToken mobile two-factor authentication.
fortitoken-cloud FortiToken Cloud Service.
email Send a two-factor authentication code to the configured email-to email

address.
sms Send a two-factor authentication code to the configured sms-server and

sms-phone.
two-factor- Authentication method by FortiToken Cloud. option -

authentication
Option Description
fortitoken FortiToken authentication.
email Email one time password.
sms SMS one time password.
two-factor- Notification method for user activation by FortiToken option -

notification Cloud.
Option Description
email Email notification for activation code.
sms SMS notification for activation code.
vdom <name> Virtual domain(s) that the administrator can access. string Maximum
Virtual domain name. length: 79

Fortinet Inc.
wildcard Enable/disable wildcard RADIUS authentication. option - disable
Option Description
enable Enable username wildcard.
disable Disable username wildcard.
config system affinity-interrupt

Configure interrupt affinity.

Description: Configure interrupt affinity.
edit <id>
set id {integer}
set interrupt {string}
set affinity-cpumask {string}
next
end

Fortinet Inc.
id ID of the interrupt affinity setting. integer Minimum 0

value: 0
Maximum
value:
4294967295
interrupt Interrupt name. string Not Specified
affinity- Affinity setting for VM throughput (64-bit hexadecimal string Not Specified
cpumask value in the format of 0xxxxxxxxxxxxxxxxx).
config system affinity-packet-redistribution

Configure packet redistribution.

Description: Configure packet redistribution.
edit <id>
set id {integer}
set rxqid {integer}
set affinity-cpumask {string}
next
end

Fortinet Inc.
id ID of the packet redistribution setting. integer Minimum 0

value: 0
Maximum
value:
4294967295
interface Physical interface name on which to perform packet string Not Specified
redistribution.
rxqid ID of the receive queue (when the interface has integer Minimum 0
multiple queues) on which to perform packet value: 0
redistribution. Maximum
value: 255
affinity- Affinity setting for VM throughput (64-bit hexadecimal string Not Specified
cpumask value in the format of 0xxxxxxxxxxxxxxxxx).
config system alarm
Configure alarm.
config system alarm
Description: Configure alarm.
set audible [enable|disable]
config groups
Description: Alarm groups.
edit <id>
set id {integer}
set period {integer}
set admin-auth-failure-threshold {integer}
set admin-auth-lockout-threshold {integer}
set user-auth-failure-threshold {integer}
set user-auth-lockout-threshold {integer}
set replay-attempt-threshold {integer}
set self-test-failure-threshold {integer}
set log-full-warning-threshold {integer}
set encryption-failure-threshold {integer}
set decryption-failure-threshold {integer}
config fw-policy-violations
Description: Firewall policy violations.
edit <id>
set id {integer}
set src-ip {ipv4-address}
set dst-ip {ipv4-address}
set src-port {integer}
set dst-port {integer}
next
end
set fw-policy-id {integer}

Fortinet Inc.
set fw-policy-id-threshold {integer}
next
end
end
config system alarm
audible Enable/disable audible alarm. option - disable
Option Description
enable Enable audible alarm.
disable Disable audible alarm.
status Enable/disable alarm. option - disable
Option Description
enable Enable alarm.
disable Disable alarm.
config groups
id Group ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
period Time period in seconds (0 = from start up). integer Minimum 0

value: 0
Maximum
value:
4294967295
admin-auth- Admin authentication failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1024
admin-auth- Admin authentication lockout threshold. integer Minimum 0

lockout- value: 0
threshold Maximum
value: 1024

Fortinet Inc.
user-auth- User authentication failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1024
user-auth- User authentication lockout threshold. integer Minimum 0

lockout- value: 0
threshold Maximum
value: 1024
replay- Replay attempt threshold. integer Minimum 0

attempt- value: 0
threshold Maximum
value: 1024
self-test- Self-test failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1
log-full- Log full warning threshold. integer Minimum 0

warning- value: 0
threshold Maximum
value: 1024
encryption- Encryption failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1024
decryption- Decryption failure threshold. integer Minimum 0

failure- value: 0
threshold Maximum
value: 1024
fw-policy-id Firewall policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
fw-policy-id- Firewall policy ID threshold. integer Minimum 0

threshold value: 0
Maximum
value: 1024

Fortinet Inc.
config fw-policy-violations
id Firewall policy violations ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
threshold Firewall policy violation threshold. integer Minimum 0

value: 0
Maximum
value: 1024
src-ip Source IP (0=all). ipv4- Not Specified 0.0.0.0

address
dst-ip Destination IP (0=all). ipv4- Not Specified 0.0.0.0

address
src-port Source port (0=all). integer Minimum 0

value: 0
Maximum
value: 65535
dst-port Destination port (0=all). integer Minimum 0

value: 0
Maximum
value: 65535
config system alias
Configure alias command.

config system alias
Description: Configure alias command.
edit <name>
set command {var-string}
set name {string}
next
end
config system alias
command Command list to execute. var-string Not

Specified
name Alias command name. string Not

Specified

Fortinet Inc.
config system api-user
Configure API users.

Description: Configure API users.
edit <name>
set api-key {password-2}
set cors-allow-origin {string}
set name {string}
set peer-auth [enable|disable]
set peer-group {string}
config trusthost
Description: Trusthost.
edit <id>
set id {integer}
set type [ipv4-trusthost|ipv6-trusthost]
set ipv4-trusthost {ipv4-classnet}
set ipv6-trusthost {ipv6-prefix}
next
end
next
end
accprofile Admin user access profile. string Not

Specified
api-key Admin user password. password-2 Not

Specified

Specified
cors-allow- Value for Access-Control-Allow-Origin on API string Not

origin responses. Avoid using '*' if possible. Specified
name User name. string Not

Specified
peer-auth Enable/disable peer authentication. option - disable
Option Description
enable Enable peer.
disable Disable peer.

Fortinet Inc.
peer-group Peer group name. string Not

Specified
schedule Schedule name. string Not

Specified
vdom <name> Virtual domains. string Maximum

config trusthost

value: 0
Maximum
value:
4294967295
type Trusthost type. option - ipv4-

trusthost
Option Description
ipv4-trusthost IPv4 trusthost.
ipv6-trusthost IPv6 trusthost.
ipv4-trusthost IPv4 trusted host address. ipv4- Not Specified 0.0.0.0

classnet 0.0.0.0
ipv6-trusthost IPv6 trusted host address. ipv6-prefix Not Specified ::/0
config system arp-table
Configure ARP table.

Description: Configure ARP table.
edit <id>
set id {integer}
next
end

Fortinet Inc.
id Unique integer ID of the entry. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip IP address. ipv4- Not Specified 0.0.0.0

address

address
config system arp
IPv4 ARP table.

config system arp
Description: IPv4 ARP table.
end
config system auto-install
Configure USB auto installation.

Description: Configure USB auto installation.
set auto-install-config [enable|disable]
set auto-install-image [enable|disable]
set default-config-file {string}
set default-image-file {string}
end
auto-install- Enable/disable auto install the config in USB disk. option - disable
config
Option Description
enable Enable config.
disable Disable config.

Fortinet Inc.
auto-install- Enable/disable auto install the image in USB disk. option - disable
image
Option Description
enable Enable config.
disable Disable config.
default- Default config file name in USB disk. string Not fgt_
config-file Specified system.conf
default- Default image file name in USB disk. string Not image.out
image-file Specified
config system auto-script
Configure auto script.

Description: Configure auto script.
edit <name>
set name {string}
set output-size {integer}
set repeat {integer}
set script {var-string}
set start [manual|auto]
next
end
interval Repeat interval in seconds. integer Minimum 0

value: 0
Maximum
value:
31557600
name Auto script name. string Not

Specified
output-size Number of megabytes to limit script output to. integer Minimum 10

value: 10
Maximum
value: 1024

Fortinet Inc.
repeat Number of times to repeat this script (0 = infinite). integer Minimum 1

value: 0
Maximum
value:
65535
script List of FortiOS CLI commands to repeat. var-string Not

Specified
start Script starting mode. option - manual
Option Description
manual Starting manually.
auto Starting automatically.
timeout Maximum running time for this script in seconds (0 = no integer Minimum 0
timeout). value: 0
Maximum
value: 300
config system auto-update status
Status of automatic updates.

config system auto-update status
Description: Status of automatic updates.
end
config system auto-update versions
Update object versions.

config system auto-update versions
Description: Update object versions.
end
config system automation-action
Action for automation stitches.

Description: Action for automation stitches.
edit <name>
set action-type [email|fortiexplorer-notification|...]
set alicloud-access-key-id {string}
set alicloud-access-key-secret {password}
set alicloud-function-authorization [anonymous|function]

Fortinet Inc.
set aws-api-key {password}
set azure-api-key {password}
set azure-function-authorization [anonymous|function|...]
set description {var-string}
set email-from {var-string}
set email-subject {var-string}
set email-to <name1>, <name2>, ...
set execute-security-fabric [enable|disable]
set http-body {var-string}
config http-headers
Description: Request headers.
edit <id>
set id {integer}
set key {var-string}
set value {var-string}
next
end
set message {string}
set message-type [text|json]
set method [post|put|...]
set minimum-interval {integer}
set name {string}
set port {integer}
set protocol [http|https]
set replacement-message [enable|disable]
set script {var-string}
set sdn-connector <name1>, <name2>, ...
set security-tag {string}
set tls-certificate {string}
set uri {var-string}
set verify-host-cert [enable|disable]
next
end
accprofile Access profile for CLI script action to access string Not
FortiGate features. Specified
action-type Action type. option - alert
Option Description
email Send notification email.
fortiexplorer- Send push notification to FortiExplorer.

notification
alert Generate FortiOS dashboard alert.
disable-ssid Disable interface.

Fortinet Inc.
Option Description
quarantine Quarantine host.
quarantine- Quarantine FortiClient by EMS.

forticlient
quarantine-nsx Quarantine NSX instance.
quarantine- Quarantine host by FortiNAC.

fortinac
ban-ip Ban IP address.
aws-lambda Send log data to integrated AWS service.
azure-function Send log data to an Azure function.
google-cloud- Send log data to a Google Cloud function.

function
alicloud-function Send log data to an AliCloud function.
webhook Send an HTTP request.
cli-script Run CLI script.
slack-notification Send a notification message to a Slack incoming webhook.
microsoft-teams- Send a notification message to a Microsoft Teams incoming webhook.

notification
alicloud- AliCloud AccessKey ID. string Not

access-key-id Specified
alicloud- AliCloud AccessKey secret. password Not

access-key- Specified
secret
alicloud- AliCloud function authorization type. option - anonymous

function-
authorization
Option Description
anonymous Anonymous authorization (No authorization required).
function Function authorization (Authorization required).
aws-api-key AWS API Gateway API key. password Not

Specified
azure-api-key Azure function API key. password Not

Specified

Fortinet Inc.
azure-function- Azure function authorization level. option - anonymous

authorization
Option Description
anonymous Anonymous authorization level (No authorization required).
function Function authorization level (Function or Host Key required).
admin Admin authorization level (Master Host Key required).
description Description. var-string Not

Specified
email-from Email sender name. var-string Not

Specified
email-subject Email subject. var-string Not

Specified
email-to Email addresses. string Maximum

<name> Email address. length: 255
execute- Enable/disable execution of CLI script on all or only option - disable

security-fabric one FortiGate unit in the Security Fabric.
Option Description
enable CLI script executes on all FortiGate units in the Security Fabric.
disable CLI script executes only on the FortiGate unit that the stitch is triggered.
http-body Request body (if necessary). Should be serialized var-string Not

json string. Specified
message Message content. string Not %%log%%

Specified
message-type Message type. option - text
Option Description
text Plaintext.
json Custom JSON.
method Request method (POST, PUT, GET, PATCH or option - post

DELETE).
Option Description
post POST.

Fortinet Inc.
Option Description
put PUT.
get GET.
patch PATCH.
delete DELETE.
minimum- Limit execution to no more than once in this interval integer Minimum 0
interval (in seconds). value: 0
Maximum
value:
2592000

Specified
port Protocol port. integer Minimum 0

value: 1
Maximum
value:
65535
protocol Request protocol. option - http
Option Description
http HTTP.
https HTTPS.
replacement- Enable/disable replacement message. option - disable

message
Option Description
enable Enable replacement message.
disable Disable replacement message.

group Specified
script CLI script. var-string Not

Specified
sdn-connector NSX SDN connector names. string Maximum

<name> SDN connector name. length: 79
security-tag NSX security tag. string Not

Specified

Fortinet Inc.
tls-certificate Custom TLS certificate for API request. string Not

Specified
uri Request API URI. var-string Not

Specified
verify-host-cert Enable/disable verification of the remote host option - enable

certificate.
Option Description
enable Enable verification of the remote host certificate.
disable Disable verification of the remote host certificate.
config http-headers

value: 0
Maximum
value:
4294967295
key Request header key. var-string Not Specified
value Request header value. var-string Not Specified
config system automation-destination
Automation destinations.
Description: Automation destinations.
edit <name>
set destination <name1>, <name2>, ...
set ha-group-id {integer}
set name {string}
set type [fortigate|ha-cluster]
next
end
destination Destinations. string Maximum

<name> Destination. length: 31

Fortinet Inc.
ha-group-id Cluster group ID set for this destination. integer Minimum 0

value: 0
Maximum
value: 255

Specified
type Destination type. option - fortigate
Option Description
fortigate FortiGate set as destination.
ha-cluster HA cluster set as destination.
config system automation-stitch
Automation stitches.
Description: Automation stitches.
edit <name>
config actions
Description: Configure stitch actions.
edit <id>
set id {integer}
set action {string}
set delay {integer}
set required [enable|disable]
next
end
set destination <name1>, <name2>, ...
set name {string}
set trigger {string}
next
end

Specified
destination Serial number/HA group-name of destination devices. string Maximum

<name> Destination name. length: 79

Fortinet Inc.

Specified
status Enable/disable this stitch. option - enable
Option Description
enable Enable stitch.
disable Disable stitch.
trigger Trigger name. string Not

Specified
config actions

value: 0
Maximum
value:
4294967295
action Action name. string Not Specified
delay Delay before execution (in seconds). integer Minimum 0

value: 0
Maximum
value: 3600
required Required in action chain. option - disable
Option Description
enable Required in action chain.
disable Not required in action chain.
config system automation-trigger
Trigger for automation stitches.

Description: Trigger for automation stitches.
edit <name>
set event-type [ioc|event-log|...]
set fabric-event-name {var-string}
set fabric-event-severity {var-string}
set faz-event-name {var-string}
set faz-event-severity {var-string}

Fortinet Inc.
set faz-event-tags {var-string}
config fields
Description: Customized trigger field settings.
edit <id>
set id {integer}
set name {string}
next
end
set license-type [forticare-support|fortiguard-webfilter|...]
set logid <id1>, <id2>, ...
set name {string}
set report-type [posture|coverage|...]
set serial {var-string}
set trigger-day {integer}
set trigger-frequency [hourly|daily|...]
set trigger-hour {integer}
set trigger-minute {integer}
set trigger-type [event-based|scheduled]
set trigger-weekday [sunday|monday|...]
next
end

Specified
event-type Event type. option - ioc
Option Description
ioc Indicator of compromise detected.
event-log Use log ID as trigger.
reboot Device reboot.
low-memory Conserve mode due to low memory.
high-cpu High CPU usage.
license-near- License near expiration date.

expiry
ha-failover HA failover.
config-change Configuration change.
security-rating- Security rating summary.

summary

Fortinet Inc.
Option Description
virus-ips-db- Virus and IPS database updated.

updated
faz-event FortiAnalyzer event.
incoming- Incoming webhook call.

webhook
fabric-event Fabric connector event.
fabric-event- Fabric connector event handler name. var-string Not

name Specified
fabric-event- Fabric connector event severity. var-string Not

severity Specified
faz-event- FortiAnalyzer event handler name. var-string Not

name Specified
faz-event- FortiAnalyzer event severity. var-string Not

severity Specified
faz-event- FortiAnalyzer event tags. var-string Not

tags Specified
license-type License type. option - forticare-

support
Option Description
forticare-support FortiCare support license.
fortiguard- FortiGuard web filter license.

webfilter
fortiguard- FortiGuard antispam license.

antispam
fortiguard- FortiGuard AntiVirus license.

antivirus
fortiguard-ips FortiGuard IPS license.
fortiguard- FortiGuard management service license.

management
forticloud FortiCloud license.
any Any license.

Fortinet Inc.
logid <id> Log IDs to trigger event. integer Minimum

Log ID. value: 1
Maximum
value:
65535

Specified
report-type Security Rating report. option - posture
Option Description
posture Posture report.
coverage Coverage report.
optimization Optimization report
any Any report.
serial Fabric connector serial number. var-string Not

Specified
trigger-day Day within a month to trigger. integer Minimum 1

value: 1
Maximum
value: 31
trigger- Scheduled trigger frequency. option - daily

frequency
Option Description
hourly Run hourly.
daily Run daily.
weekly Run weekly.
monthly Run monthly.
trigger-hour Hour of the day on which to trigger. integer Minimum 0

value: 0
Maximum
value: 23
trigger-minute Minute of the hour on which to trigger. integer Minimum 0

value: 0
Maximum
value: 59

Fortinet Inc.
trigger-type Trigger type. option - event-

based
Option Description
event-based Event based trigger.
scheduled Scheduled trigger.
trigger- Day of week for trigger. option -

weekday
Option Description
sunday Sunday.
monday Monday.
tuesday Tuesday.
thursday Thursday.
friday Friday.
saturday Saturday.
config fields

value: 0
Maximum
value:
4294967295
value Value. var-string Not Specified
config system autoupdate schedule
Configure update schedule.

Description: Configure update schedule.
set day [Sunday|Monday|...]
set frequency [every|daily|...]
set time {user}
end

Fortinet Inc.
day Update day. option - Monday
Option Description
Sunday Update every Sunday.
Monday Update every Monday.
Tuesday Update every Tuesday.
Wednesday Update every Wednesday.
Thursday Update every Thursday.
Friday Update every Friday.
Saturday Update every Saturday.
frequency Update frequency. option - automatic
Option Description
every Time interval.
daily Every day.
weekly Every week.
automatic Update automatically within every one hour period.
status Enable/disable scheduled updates. option - enable
Option Description
time Update time. user Not

Specified
config system autoupdate tunneling
Configure web proxy tunneling for the FDN.

Description: Configure web proxy tunneling for the FDN.
set port {integer}

Fortinet Inc.
end
address Web proxy IP address or FQDN. string Not

Specified
password Web proxy password. password Not

Specified
port Web proxy port. integer Minimum 0

value: 0
Maximum
value:
65535
status Enable/disable web proxy tunneling. option - disable
Option Description
username Web proxy username. string Not

Specified
config system bypass
This command is available for model(s): FortiGate 2500E, FortiGate 400E Bypass, FortiGate
800D, FortiGate 80F Bypass, FortiGateRugged 60F 3G4G, FortiGateRugged 60F.
FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2600F, FortiGate 2601F,
FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D,
FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3800D,
FortiGate 3960E, FortiGate 3980E, FortiGate 400E, FortiGate 401E, FortiGate 40F 3G4G,
FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F,
FortiGate 601E, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E,
FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 80E-POE, FortiGate 80E, FortiGate
80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate
81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate VM64, FortiWiFi 40F 3G4G,

Fortinet Inc.
Configure system bypass.
Description: Configure system bypass.
set auto-recover [enable|disable]
set bypass-timeout [2|4|...]
set bypass-watchdog [enable|disable]
set poweroff-bypass [enable|disable]
end
auto-recover * Automatically recover from bypass mode after system option - enable
reboot.
Option Description
enable Recover interfaces from bypass mode. The actual mode is determined by
poweron-bypass setting.
disable Keep interfaces in bypass mode if bypass was previously triggered.
bypass- timeout setting for bypass watchdog option - 10

timeout *
Option Description
2 2 second
4 4 second
6 6 second
8 8 second
10 10 second
12 12 second
14 14 second
bypass- watchdog to bypass interfaces in case of option - disable

watchdog software/hardware failure
Option Description
enable Enable watchdog for bypass interfaces.
disable Disable watchdog for bypass interfaces.
poweroff- set interface bypass state in power off option - disable

bypass *

Fortinet Inc.
Option Description
enable Enable bypass when power off.
disable Disable bypass when power off.
config system central-management
Configure central management.

Description: Configure central management.
set allow-monitor [enable|disable]
set allow-push-configuration [enable|disable]
set allow-push-firmware [enable|disable]
set allow-remote-firmware-upgrade [enable|disable]
set allow-remote-lte-firmware-upgrade [enable|disable]
set ca-cert {user}
set enc-algorithm [default|high|...]
set fmg {user}
set fmg-source-ip {ipv4-address}
set fmg-source-ip6 {ipv6-address}
set fmg-update-port [8890|443]
set include-default-servers [enable|disable]
set local-cert {string}
set ltefw-upgrade-frequency [everyHour|every12hour|...]
set ltefw-upgrade-time {string}
set mode [normal|backup]
set schedule-config-restore [enable|disable]
set schedule-script-restore [enable|disable]
set serial-number {user}
config server-list
Description: Additional severs that the FortiGate can use for updates (for AV, IPS,
updates) and ratings (for web filter and antispam ratings) servers.
edit <id>
set id {integer}
set server-type {option1}, {option2}, ...
set addr-type [ipv4|ipv6|...]
set server-address {ipv4-address}
set server-address6 {ipv6-address}
set fqdn {string}
next
end
set type [fortimanager|fortiguard|...]
set use-elbc-vdom [enable|disable]
set vdom {string}
end

Fortinet Inc.
allow-monitor Enable/disable allowing the central management option - enable

server to remotely monitor this FortiGate unit.
Option Description
enable Enable remote monitoring of device.
disable Disable remote monitoring of device.
allow-push- Enable/disable allowing the central management option - enable

configuration server to push configuration changes to this FortiGate.
Option Description
enable Enable push configuration.
disable Disable push configuration.
allow-push- Enable/disable allowing the central management option - enable

firmware server to push firmware updates to this FortiGate.
Option Description
enable Enable push firmware.
disable Disable push firmware.
allow-remote- Enable/disable remotely upgrading the firmware on this option - enable

firmware- FortiGate from the central management server.
upgrade
Option Description
enable Enable remote firmware upgrade.
disable Disable remote firmware upgrade.
allow-remote- Enable/disable remotely upgrading the lte firmware on option - enable

lte-firmware- this FortiGate from the central management server.
upgrade *
Option Description
enable Enable remote lte firmware upgrade.
disable Disable remote lte firmware upgrade.
ca-cert CA certificate to be used by FGFM protocol. user Not

Specified
enc-algorithm Encryption strength for communications between the option - high

FortiGate and central management.

Fortinet Inc.
Option Description
default High strength algorithms and medium-strength 128-bit key length algorithms.
high 128-bit and larger key length algorithms.
low 64-bit or 56-bit key length algorithms without export restrictions.
fmg IP address or FQDN of the FortiManager. user Not

Specified
fmg-source-ip IPv4 source address that this FortiGate uses when ipv4- Not 0.0.0.0
communicating with FortiManager. address Specified
fmg-source-ip6 IPv6 source address that this FortiGate uses when ipv6- Not ::
communicating with FortiManager. address Specified
fmg-update- Port used to communicate with FortiManager that is option - 8890

port acting as a FortiGuard update server.
Option Description
8890 Use port 8890 to communicate with FortiManager that is acting as a

FortiGuard update server.
443 Use port 443 to communicate with FortiManager that is acting as a

FortiGuard update server.
include-default- Enable/disable inclusion of public FortiGuard servers in option - enable

servers the override server list.
Option Description
enable Enable inclusion of public FortiGuard servers in the override server list.
disable Disable inclusion of public FortiGuard servers in the override server list.

Specified

Option Description
local-cert Certificate to be used by FGFM protocol. string Not

Specified

Fortinet Inc.
ltefw-upgrade- Set LTE firmware auto pushdown frequency. option -

frequency *
Option Description
everyHour Auto check and pushdown LTE firmware every hour
every12hour Auto check and pushdown LTE firmware every 12 hours
everyDay Auto check and pushdown LTE firmware every day
everyWeek Auto check and pushdown LTE firmware every week
ltefw-upgrade- Schedule next LTE firmware upgrade time (Local string Not
time * Time). Format: YYYY-MM-DD HH:MM:SS Specified
mode Central management mode. option - normal
Option Description
normal Manage and configure this FortiGate from FortiManager.
backup Manage and configure this FortiGate locally and back up its configuration to
FortiManager.
schedule- Enable/disable allowing the central management option - enable

config-restore server to restore the configuration of this FortiGate.
Option Description
enable Enable scheduled configuration restore.
disable Disable scheduled configuration restore.
schedule- Enable/disable allowing the central management option - enable

script-restore server to restore the scripts stored on this FortiGate.
Option Description
enable Enable scheduled script restore.
disable Disable scheduled script restore.
serial-number Serial number. user Not

Specified
type Central management type. option - none
Option Description
fortimanager FortiManager.
fortiguard Central management of this FortiGate using FortiCloud.
none No central management.

Fortinet Inc.
use-elbc-vdom Enable/disable use of special ELBC config sync VDOM option - disable
* to connect to FortiManager.
Option Description
enable enable
disable disable
vdom Virtual domain (VDOM) name to use when string Not root
communicating with FortiManager. Specified
config server-list

value: 0
Maximum
value:
4294967295
server-type FortiGuard service type. option -
Option Description
update AV, IPS, and AV-query update server.
rating Web filter and anti-spam rating server.
addr-type Indicate whether the FortiGate communicates with option - ipv4

the override server using an IPv4 address, an IPv6
address or a FQDN.
Option Description
ipv4 IPv4 address.
ipv6 IPv6 address.
fqdn FQDN.
server- IPv4 address of override server. ipv4- Not Specified 0.0.0.0

address address
server- IPv6 address of override server. ipv6- Not Specified ::

address6 address
fqdn FQDN address of override server. string Not Specified

Fortinet Inc.
config system central-mgmt
Configuration of Central Management Service.

config system central-mgmt
Description: Configuration of Central Management Service.
end
config system checksum status
System checksum.
config system checksum status
Description: System checksum.
end
config system cluster-sync
Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

Description: Configure FortiGate Session Life Support Protocol (FGSP) session
synchronization.
edit <sync-id>
set down-intfs-before-sess-sync <name1>, <name2>, ...
set hb-interval {integer}
set hb-lost-threshold {integer}
set ipsec-tunnel-sync [enable|disable]
set peerip {ipv4-address}
set peervd {string}
set secondary-add-ipsec-routes [enable|disable]
config session-sync-filter
Description: Add one or more filters if you only want to synchronize some
sessions. Use the filter to configure the types of sessions to synchronize.
set srcaddr {ipv4-classnet-any}
set dstaddr {ipv4-classnet-any}
set srcaddr6 {ipv6-network}
set dstaddr6 {ipv6-network}
config custom-service
Description: Only sessions using these custom services are synchronized. Use
source and destination port ranges to define these custom services.
edit <id>
set id {integer}
set src-port-range {user}
set dst-port-range {user}
next
end
end
set sync-id {integer}
set syncvd <name1>, <name2>, ...

Fortinet Inc.
next
end
down-intfs- List of interfaces to be turned down before session string Maximum

before-sess- synchronization is complete. length: 79
sync <name> Interface name.
hb-interval Heartbeat interval. Increase to reduce false positives. integer Minimum 2

value: 1
Maximum
value: 20
hb-lost- Lost heartbeat threshold. Increase to reduce false integer Minimum 10

threshold positives. value: 1
Maximum
value: 60
ipsec-tunnel- Enable/disable IPsec tunnel synchronization. option - enable

sync
Option Description
enable Enable IPsec tunnel synchronization.
disable Disable IPsec tunnel synchronization.
peerip IP address of the interface on the peer unit that is ipv4- Not Specified 0.0.0.0
used for the session synchronization link. address
peervd VDOM that contains the session synchronization link string Not Specified root
interface on the peer unit. Usually both peers would
have the same peervd.
secondary- Enable/disable IKE route announcement on the option - enable

add-ipsec- backup unit.
routes
Option Description
enable Add IKE routes to the backup unit.
disable Do not add IKE routes to the backup unit.
sync-id Sync ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
syncvd Sessions from these VDOMs are synchronized using string Maximum
<name> this session synchronization configuration. length: 79
VDOM name.
config session-sync-filter
srcintf Only sessions from this interface are synchronized. You string Not
can only enter one interface name. To synchronize Specified
sessions for multiple source interfaces, add multiple
filters.
dstintf Only sessions to this interface are synchronized. You string Not
can only enter one interface name. To synchronize Specified
sessions to multiple destination interfaces, add multiple
filters.
srcaddr Only sessions from this IPv4 address are synchronized. ipv4- Not 0.0.0.0
You can only enter one address. To synchronize classnet- Specified 0.0.0.0
sessions from multiple source addresses, add multiple any
filters.
dstaddr Only sessions to this IPv4 address are synchronized. ipv4- Not 0.0.0.0
You can only enter one address. To synchronize classnet- Specified 0.0.0.0
sessions for multiple destination addresses, add any
multiple filters.
srcaddr6 Only sessions from this IPv6 address are synchronized. ipv6- Not ::/0
You can only enter one address. To synchronize network Specified
sessions from multiple source addresses, add multiple
filters.
dstaddr6 Only sessions to this IPv6 address are synchronized. ipv6- Not ::/0
You can only enter one address. To synchronize network Specified
sessions for multiple destination addresses, add
multiple filters.
config custom-service
id Custom service ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
src-port-range Custom service source port range. user Not Specified 0-0
dst-port-range Custom service destination port range. user Not Specified 0-0

Fortinet Inc.
config system cmdb
System CMDB information.

config system cmdb
Description: System CMDB information.
end
config system console
Configure console.
Description: Configure console.
set baudrate [9600|19200|...]
set fortiexplorer [enable|disable]
set login [enable|disable]
set mode [batch|line]
set output [standard|more]
end
baudrate Console baud rate. option - 9600
Option Description
9600 9600
19200 19200
38400 38400
57600 57600
115200 115200
fortiexplorer * Enable/disable access for FortiExplorer. option - enable
Option Description
enable Enable FortiExplorer access.
disable Disable FortiExplorer access.
login Enable/disable serial console and FortiExplorer. option - enable
Option Description
enable Console login enable.
disable Console login disable.

Fortinet Inc.
mode Console mode. option - line
Option Description
batch Batch mode.
line Line mode.
output Console output mode. option - more
Option Description
standard Standard output.
more More page output.
config system csf
Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.
config system csf
Description: Add this FortiGate to a Security Fabric or set up a new Security Fabric on
this FortiGate.
set accept-auth-by-cert [disable|enable]
set authorization-request-type [serial|certificate]
set configuration-sync [default|local]
set downstream-access [enable|disable]
set downstream-accprofile {string}
config fabric-connector
Description: Fabric connector configuration.
edit <serial>
set serial {string}
set configuration-write-access [enable|disable]
next
end
config fabric-device
Description: Fabric device configuration.
edit <name>
set name {string}
set device-ip {ipv4-address}
set https-port {integer}
set access-token {varlen_password}
next
end
set fabric-object-unification [default|local]
set fabric-workers {integer}
set forticloud-account-enforcement [enable|disable]
set group-name {string}
set group-password {password}

Fortinet Inc.
set log-unification [disable|enable]
set saml-configuration-sync [default|local]
config trusted-list
Description: Pre-authorized and blocked security fabric nodes.
edit <name>
set name {string}
set authorization-type [serial|certificate]
set serial {string}
set certificate {var-string}
set ha-members {string}
set downstream-authorization [enable|disable]
next
end
set upstream {string}
set upstream-port {integer}
end
config system csf
accept-auth-by- Accept connections with unknown certificates and ask option - enable
cert admin for approval.
Option Description
disable Do not accept SSL connections with unknown certificates.
enable Accept SSL connections without automatic certificate verification.
authorization- Authorization request type. option - serial

request-type
Option Description
serial Request verification by serial number.
certificate Request verification by certificate.
certificate Certificate. string Not

Specified
configuration- Configuration sync mode. option - default

sync
Option Description
default Synchronize configuration for IPAM, FortiAnalyzer, FortiSandbox, and

Central Management to root node.
local Do not synchronize configuration with root node.

Fortinet Inc.
downstream- Enable/disable downstream device access to this option - disable

access device's configuration and data.
Option Description
enable Enable downstream device access to this device's configuration and data.
disable Disable downstream device access to this device's configuration and data.
downstream- Default access profile for requests from downstream string Not
accprofile devices. Specified
fabric-object- Fabric CMDB Object Unification. option - default

unification
Option Description
default Global CMDB objects will be synchronized in Security Fabric.
local Global CMDB objects will not be synchronized to and from this device.
fabric-workers Number of worker processes for Security Fabric integer Minimum 2

daemon. value: 1
Maximum
value: 4
forticloud- Fabric FortiCloud account unification. option - enable

account-
enforcement
Option Description
enable Enable FortiCloud account ID matching for Security Fabric.
disable Disable FortiCloud accound ID matching for Security Fabric.
group-name Security Fabric group name. All FortiGates in a string Not

Security Fabric must have the same group name. Specified
group-password Security Fabric group password. All FortiGates in a password Not

Security Fabric must have the same group password. Specified
log-unification Enable/disable broadcast of discovery messages for option - enable

log unification.
Option Description
disable Disable broadcast of discovery messages for log unification.
enable Enable broadcast of discovery messages for log unification.

Fortinet Inc.
saml- SAML setting configuration synchronization. option - default

configuration-
sync
Option Description
default SAML setting for fabric members is created by fabric root.
local Do not apply SAML configuration generated by root.
status Enable/disable Security Fabric. option - disable
Option Description
enable Enable Security Fabric.
disable Disable Security Fabric.
upstream IP/FQDN of the FortiGate upstream from this string Not

FortiGate in the Security Fabric. Specified
upstream-port The port number to use to communicate with the integer Minimum 8013
FortiGate upstream from this FortiGate in the Security value: 1
Fabric. Maximum
value:
65535
config fabric-connector
serial Serial. string Not

Specified
accprofile Override access profile. string Not

Specified
configuration- Enable/disable downstream device write access to option - disable

write-access configuration.
Option Description
enable Enable downstream device write access to configuration.
disable Disable downstream device write access to configuration.

Fortinet Inc.
config fabric-device
name Device name. string Not

Specified
device-ip Device IP. ipv4- Not 0.0.0.0

address Specified
https-port HTTPS port for fabric device. integer Minimum 443

value: 1
Maximum
value:
65535
access-token Device access token. varlen_ Not

password Specified
config trusted-list

Specified
authorization- Authorization type. option - serial

type
Option Description
serial Verify downstream by serial number.
certificate Verify downstream by certificate.
serial Serial. string Not

Specified
certificate Certificate. var-string Not

Specified
action Security fabric authorization action. option - accept
Option Description
accept Accept authorization request.
deny Deny authorization request.
ha-members HA members. string Not

Specified
downstream- Trust authorizations by this node's administrator. option - disable

authorization

Fortinet Inc.
Option Description
enable Enable downstream authorization.
disable Disable downstream authorization.
config system custom-language
Configure custom languages.

Description: Configure custom languages.
edit <name>
set filename {string}
set name {string}
next
end

Specified
filename Custom language file path. string Not

Specified

Specified
config system ddns
Configure DDNS.
config system ddns
Description: Configure DDNS.
edit <ddnsid>
set bound-ip {string}
set clear-text [disable|enable]
set ddns-auth [disable|tsig]
set ddns-domain {string}
set ddns-key {password_aes256}
set ddns-keyname {string}
set ddns-password {password}
set ddns-server [dyndns.org|dyns.net|...]
set ddns-server-addr <addr1>, <addr2>, ...

Fortinet Inc.
set ddns-sn {string}
set ddns-ttl {integer}
set ddns-username {string}
set ddns-zone {string}
set ddnsid {integer}
set monitor-interface <interface-name1>, <interface-name2>, ...
set server-type [ipv4|ipv6]
set use-public-ip [disable|enable]
next
end
config system ddns
addr-type Address type of interface address in DDNS option - ipv4

update.
Option Description
ipv4 Use IPv4 address of the interface.
ipv6 Use IPv6 address of the interface.
bound-ip Bound IP address. string Not Specified
clear-text Enable/disable use of clear text connections. option - disable
Option Description
disable Disable use of clear text connections.
enable Enable use of clear text connections.
ddns-auth Enable/disable TSIG authentication for your option - disable

DDNS server.
Option Description
disable Disable DDNS authentication.
tsig Enable TSIG authentication based on RFC2845.
ddns-domain Your fully qualified domain name. For string Not Specified
example, yourname.ddns.com.
ddns-key DDNS update key (base 64 encoding). password_ Not Specified

aes256
ddns-keyname DDNS update key name. string Not Specified
ddns-password DDNS password. password Not Specified

Fortinet Inc.
ddns-server Select a DDNS service provider. option -
Option Description
dyndns.org members.dyndns.org and dnsalias.com
dyns.net www.dyns.net
tzo.com rh.tzo.com
vavic.com Peanut Hull
dipdns.net dipdnsserver.dipdns.com
now.net.cn ip.todayisp.com
dhs.org members.dhs.org
easydns.com members.easydns.com
genericDDNS Generic DDNS based on RFC2136.
FortiGuardDDNS FortiGuard DDNS service.
noip.com dynupdate.no-ip.com
ddns-server-addr Generic DDNS server IP/FQDN list. string Maximum

<addr> IP address or FQDN of the server. length: 256
ddns-sn DDNS Serial Number. string Not Specified
ddns-ttl Time-to-live for DDNS packets. integer Minimum 300

value: 60
Maximum
value: 86400
ddns-username DDNS user name. string Not Specified
ddns-zone Zone of your domain name (for example, string Not Specified
DDNS.com).
ddnsid DDNS ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
monitor-interface Monitored interface. string Maximum

<interface- Interface name. length: 79
name>
server-type Address type of the DDNS server. option - ipv4

Fortinet Inc.
Option Description
ipv4 Use IPv4 addressing.
ipv6 Use IPv6 addressing.
ssl-certificate Name of local certificate for SSL connections. string Not Specified Fortinet_
Factory
update-interval DDNS update interval. integer Minimum 0

value: 60
Maximum
value:
2592000
use-public-ip Enable/disable use of public IP address. option - disable
Option Description
disable Disable use of public IP address.
enable Enable use of public IP address.
config system dedicated-mgmt
Configure dedicated management.

Description: Configure dedicated management.
set default-gateway {ipv4-address}
set dhcp-end-ip {ipv4-address}
set dhcp-netmask {ipv4-netmask}
set dhcp-server [enable|disable]
set dhcp-start-ip {ipv4-address}
end
default- Default gateway for dedicated management interface. ipv4- Not 0.0.0.0
gateway address Specified
dhcp-end-ip DHCP end IP for dedicated management. ipv4- Not 0.0.0.0

address Specified
dhcp-netmask DHCP netmask. ipv4- Not 0.0.0.0

netmask Specified

Fortinet Inc.
dhcp-server Enable/disable DHCP server on management interface. option - disable
Option Description
enable Enable DHCP server on management port.
disable Disable DHCP server on management port.
dhcp-start-ip DHCP start IP for dedicated management. ipv4- Not 0.0.0.0

address Specified
interface Dedicated management interface. string Not

Specified
status Enable/disable dedicated management. option - disable
Option Description
config system dhcp6 server
Configure DHCPv6 servers.

Description: Configure DHCPv6 servers.
edit <id>
set delegated-prefix-iaid {integer}
set dns-search-list [delegated|specify]
set dns-server1 {ipv6-address}
set dns-service [delegated|default|...]
set domain {string}
set id {integer}
set ip-mode [range|delegated]
config ip-range
Description: DHCP IP range configuration.
edit <id>
set id {integer}
next
end
set lease-time {integer}
set option1 {user}
set option2 {user}
set option3 {user}
set prefix-mode [dhcp6|ra]

Fortinet Inc.
config prefix-range
Description: DHCP prefix configuration.
edit <id>
set id {integer}
set start-prefix {ipv6-address}
set end-prefix {ipv6-address}
set prefix-length {integer}
next
end
set rapid-commit [disable|enable]
set subnet {ipv6-prefix}
set upstream-interface {string}
next
end
delegated- IAID of obtained delegated-prefix from the upstream integer Minimum 0

prefix-iaid interface. value: 0
Maximum
value:
4294967295
dns-search- DNS search list options. option - specify

list
Option Description
delegated Delegated the DNS search list.
specify Specify the DNS search list.
dns-server1 DNS server 1. ipv6- Not Specified ::

address

address

address

address
dns-service Options for assigning DNS servers to DHCPv6 clients. option - specify
Option Description
delegated Delegated DNS settings.
default Clients are assigned the FortiGate's configured DNS servers.

Fortinet Inc.
Option Description
specify Specify up to 3 DNS servers in the DHCPv6 server configuration.
domain Domain name suffix for the IP addresses that the string Not Specified
DHCP server assigns to clients.

value: 0
Maximum
value:
4294967295
interface DHCP server can assign IP configurations to clients string Not Specified
connected to this interface.
ip-mode Method used to assign client IP. option - range
Option Description
range Use range defined by start IP/end IP to assign client IP.
delegated Use delegated prefix method to assign client IP.
lease-time Lease time in seconds, 0 means unlimited. integer Minimum 604800

value: 300
Maximum
value:
8640000
option1 Option 1. user Not Specified
prefix-mode Assigning a prefix from a DHCPv6 client or RA. option - dhcp6
Option Description
dhcp6 Use delegated prefix from a DHCPv6 client.
ra Use prefix from RA.
rapid-commit Enable/disable allow/disallow rapid commit. option - disable
Option Description
disable Do not allow rapid commit.
enable Allow rapid commit.
status Enable/disable this DHCPv6 configuration. option - enable

Fortinet Inc.
Option Description
disable Enable this DHCPv6 server configuration.
enable Disable this DHCPv6 server configuration.
subnet Subnet or subnet-id if the IP mode is delegated. ipv6-prefix Not Specified ::/0
upstream- Interface name from where delegated information is string Not Specified
interface provided.
config ip-range

value: 0
Maximum
value:
4294967295
start-ip Start of IP range. ipv6- Not Specified ::

address
end-ip End of IP range. ipv6- Not Specified ::

address
config prefix-range

value: 0
Maximum
value:
4294967295
start-prefix Start of prefix range. ipv6- Not Specified ::

address
end-prefix End of prefix range. ipv6- Not Specified ::

address
prefix-length Prefix length. integer Minimum 0

value: 1
Maximum
value: 128

Fortinet Inc.
config system dhcp server
Configure DHCP servers.

Description: Configure DHCP servers.
edit <id>
set auto-configuration [disable|enable]
set auto-managed-status [disable|enable]
set conflicted-ip-timeout {integer}
set ddns-auth [disable|tsig]
set ddns-key {password_aes256}
set ddns-keyname {string}
set ddns-server-ip {ipv4-address}
set ddns-ttl {integer}
set ddns-update [disable|enable]
set ddns-update-override [disable|enable]
set ddns-zone {string}
set default-gateway {ipv4-address}
set dhcp-settings-from-fortiipam [disable|enable]
set dns-service [local|default|...]
set domain {string}
config exclude-range
Description: Exclude one or more ranges of IP addresses from being assigned to
clients.
edit <id>
set id {integer}
next
end
set forticlient-on-net-status [disable|enable]
set id {integer}
set ip-mode [range|usrgrp]
config ip-range
Description: DHCP IP range configuration.
edit <id>
set id {integer}
next
end
set ipsec-lease-hold {integer}
set lease-time {integer}
set mac-acl-default-action [assign|block]
set next-server {ipv4-address}
set ntp-server1 {ipv4-address}

Fortinet Inc.
set ntp-service [local|default|...]
config options
Description: DHCP options.
edit <id>
set id {integer}
set code {integer}
set type [hex|string|...]
set value {string}
set ip {user}
next
end
config reserved-address
Description: Options for the DHCP server to assign IP settings to specific MAC
addresses.
edit <id>
set id {integer}
set type [mac|option82]
set action [assign|block|...]
set circuit-id-type [hex|string]
set circuit-id {string}
set remote-id-type [hex|string]
set remote-id {string}
next
end
set server-type [regular|ipsec]
set tftp-server <tftp-server1>, <tftp-server2>, ...
set timezone [01|02|...]
set timezone-option [disable|default|...]
set vci-match [disable|enable]
set vci-string <vci-string1>, <vci-string2>, ...
set wifi-ac-service [specify|local]
set wifi-ac1 {ipv4-address}
set wins-server1 {ipv4-address}
next
end
auto- Enable/disable auto configuration. option - enable

configuration
Option Description
disable Disable auto configuration.

Fortinet Inc.
Option Description
enable Enable auto configuration.
auto-managed- Enable/disable use of this DHCP server once this option - enable
status interface has been assigned an IP address from
FortiIPAM.
Option Description
disable Disable use of this DHCP server once this interface has been assigned an IP
address from FortiIPAM.
enable Enable use of this DHCP server once this interface has been assigned an IP
address from FortiIPAM.
conflicted-ip- Time in seconds to wait after a conflicted IP integer Minimum 1800

timeout address is removed from the DHCP range before it value: 60
can be reused. Maximum
value:
8640000
ddns-auth DDNS authentication mode. option - disable
Option Description
disable Disable DDNS authentication.
tsig TSIG based on RFC2845.
ddns-key DDNS update key (base 64 encoding). password_ Not Specified

aes256
ddns-keyname DDNS update key name. string Not Specified
ddns-server-ip DDNS server IP. ipv4-address Not Specified 0.0.0.0
ddns-ttl TTL. integer Minimum 300

value: 60
Maximum
value: 86400
ddns-update Enable/disable DDNS update for DHCP. option - disable
Option Description
disable Disable DDNS update for DHCP.
enable Enable DDNS update for DHCP.
ddns-update- Enable/disable DDNS update override for DHCP. option - disable

override

Fortinet Inc.
Option Description
disable Disable DDNS update override for DHCP.
enable Enable DDNS update override for DHCP.
ddns-zone Zone of your domain name (ex. DDNS.com). string Not Specified
default- Default gateway IP address assigned by the DHCP ipv4-address Not Specified 0.0.0.0
gateway server.
dhcp-settings- Enable/disable populating of DHCP server settings option - disable

from-fortiipam from FortiIPAM.
Option Description
disable Disable populating of DHCP server settings from FortiIPAM.
enable Enable populating of DHCP server settings from FortiIPAM.
dns-server1 DNS server 1. ipv4-address Not Specified 0.0.0.0
dns-service Options for assigning DNS servers to DHCP option - specify

clients.
Option Description
local IP address of the interface the DHCP server is added to becomes the client's
DNS server IP address.
default Clients are assigned the FortiGate's configured DNS servers.
specify Specify up to 3 DNS servers in the DHCP server configuration.
domain Domain name suffix for the IP addresses that the string Not Specified
DHCP server assigns to clients.
filename Name of the boot file on the TFTP server. string Not Specified
forticlient-on- Enable/disable FortiClient-On-Net service for this option - enable

net-status DHCP server.
Option Description
disable Disable FortiClient On-Net Status.
enable Enable FortiClient On-Net Status.

Fortinet Inc.

value: 0
Maximum
value:
4294967295
interface DHCP server can assign IP configurations to string Not Specified

clients connected to this interface.
ip-mode Method used to assign client IP. option - range
Option Description
range Use range defined by start-ip/end-ip to assign client IP.
usrgrp Use user-group defined method to assign client IP.
ipsec-lease- DHCP over IPsec leases expire this many seconds integer Minimum 60
hold after tunnel down (0 to disable forced-expiry). value: 0
Maximum
value:
8640000
lease-time Lease time in seconds, 0 means unlimited. integer Minimum 604800

value: 300
Maximum
value:
8640000
mac-acl- MAC access control default action (allow or block option - assign
default-action assigning IP settings).
Option Description
assign Allow the DHCP server to assign IP settings to clients on the MAC access
control list.
block Block the DHCP server from assigning IP settings to clients on the MAC
access control list.
netmask Netmask assigned by the DHCP server. ipv4-netmask Not Specified 0.0.0.0
next-server IP address of a server (for example, a TFTP sever) ipv4-address Not Specified 0.0.0.0
that DHCP clients can download a boot file from.
ntp-server1 NTP server 1. ipv4-address Not Specified 0.0.0.0
ntp-service Options for assigning Network Time Protocol option - specify

(NTP) servers to DHCP clients.

Fortinet Inc.
Option Description
NTP server IP address.
default Clients are assigned the FortiGate's configured NTP servers.
specify Specify up to 3 NTP servers in the DHCP server configuration.
server-type DHCP server can be a normal DHCP server or an option - regular

IPsec DHCP server.
Option Description
regular Regular DHCP service.
ipsec DHCP over IPsec service.
status Enable/disable this DHCP configuration. option - enable
Option Description
disable Do not use this DHCP server configuration.
enable Use this DHCP server configuration.
tftp-server One or more hostnames or IP addresses of the string Maximum

<tftp- TFTP servers in quotes separated by spaces. length: 63
server> TFTP server.
timezone Select the time zone to be assigned to DHCP option - 00

clients.
Option Description
01 (GMT-11:00) Midway Island, Samoa
02 (GMT-10:00) Hawaii
03 (GMT-9:00) Alaska
04 (GMT-8:00) Pacific Time (US & Canada)
05 (GMT-7:00) Arizona
81 (GMT-7:00) Baja California Sur, Chihuahua
06 (GMT-7:00) Mountain Time (US & Canada)
07 (GMT-6:00) Central America
08 (GMT-6:00) Central Time (US & Canada)
09 (GMT-6:00) Mexico City

Fortinet Inc.
Option Description
10 (GMT-6:00) Saskatchewan
11 (GMT-5:00) Bogota, Lima,Quito
12 (GMT-5:00) Eastern Time (US & Canada)
13 (GMT-5:00) Indiana (East)
74 (GMT-4:00) Caracas
14 (GMT-4:00) Atlantic Time (Canada)
77 (GMT-4:00) Georgetown
15 (GMT-4:00) La Paz
87 (GMT-4:00) Paraguay
16 (GMT-3:00) Santiago
17 (GMT-3:30) Newfoundland
18 (GMT-3:00) Brasilia
19 (GMT-3:00) Buenos Aires
20 (GMT-3:00) Nuuk (Greenland)
75 (GMT-3:00) Uruguay
21 (GMT-2:00) Mid-Atlantic
22 (GMT-1:00) Azores
23 (GMT-1:00) Cape Verde Is.
24 (GMT) Monrovia
80 (GMT) Greenwich Mean Time
79 (GMT) Casablanca
25 (GMT) Dublin, Edinburgh, Lisbon, London, Canary Is.
26 (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
27 (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
28 (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
78 (GMT+1:00) Namibia
29 (GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb
30 (GMT+1:00) West Central Africa
31 (GMT+2:00) Athens, Sofia, Vilnius

Fortinet Inc.
Option Description
32 (GMT+2:00) Bucharest
33 (GMT+2:00) Cairo
34 (GMT+2:00) Harare, Pretoria
35 (GMT+2:00) Helsinki, Riga, Tallinn
36 (GMT+2:00) Jerusalem
37 (GMT+3:00) Baghdad
38 (GMT+3:00) Kuwait, Riyadh
83 (GMT+3:00) Moscow
84 (GMT+3:00) Minsk
40 (GMT+3:00) Nairobi
85 (GMT+3:00) Istanbul
41 (GMT+3:30) Tehran
42 (GMT+4:00) Abu Dhabi, Muscat
43 (GMT+4:00) Baku
39 (GMT+3:00) St. Petersburg, Volgograd
44 (GMT+4:30) Kabul
46 (GMT+5:00) Islamabad, Karachi, Tashkent
47 (GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi
51 (GMT+5:30) Sri Jayawardenepara
48 (GMT+5:45) Kathmandu
45 (GMT+5:00) Ekaterinburg
49 (GMT+6:00) Almaty, Novosibirsk
50 (GMT+6:00) Astana, Dhaka
52 (GMT+6:30) Rangoon
53 (GMT+7:00) Bangkok, Hanoi, Jakarta
54 (GMT+7:00) Krasnoyarsk
55 (GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk
56 (GMT+8:00) Ulaan Bataar
57 (GMT+8:00) Kuala Lumpur, Singapore

Fortinet Inc.
Option Description
58 (GMT+8:00) Perth
59 (GMT+8:00) Taipei
60 (GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
62 (GMT+9:30) Adelaide
63 (GMT+9:30) Darwin
61 (GMT+9:00) Yakutsk
64 (GMT+10:00) Brisbane
65 (GMT+10:00) Canberra, Melbourne, Sydney
66 (GMT+10:00) Guam, Port Moresby
67 (GMT+10:00) Hobart
68 (GMT+10:00) Vladivostok
69 (GMT+10:00) Magadan
70 (GMT+11:00) Solomon Is., New Caledonia
71 (GMT+12:00) Auckland, Wellington
72 (GMT+12:00) Fiji, Kamchatka, Marshall Is.
00 (GMT+12:00) Eniwetok, Kwajalein
82 (GMT+12:45) Chatham Islands
73 (GMT+13:00) Nuku'alofa
86 (GMT+13:00) Samoa
76 (GMT+14:00) Kiritimati
timezone- Options for the DHCP server to set the client's time option - disable
option zone.
Option Description
disable Do not set the client's time zone.
default Clients are assigned the FortiGate's configured time zone.
specify Specify the time zone to be assigned to DHCP clients.
vci-match Enable/disable vendor class identifier (VCI) option - disable

matching. When enabled only DHCP requests with
a matching VCI are served.

Fortinet Inc.
Option Description
disable Disable VCI matching.
enable Enable VCI matching.
vci-string One or more VCI strings in quotes separated by string Maximum

<vci- spaces. length: 255
string> VCI strings.
wifi-ac-service Options for assigning WiFi access controllers to option - specify

DHCP clients.
Option Description
specify Specify up to 3 WiFi Access Controllers in the DHCP server configuration.
WiFi Access Controller IP address.
wifi-ac1 WiFi Access Controller 1 IP address (DHCP option ipv4-address Not Specified 0.0.0.0
138, RFC 5417).
138, RFC 5417).
138, RFC 5417).
wins-server1 WINS server 1. ipv4-address Not Specified 0.0.0.0
wins-server2 WINS server 2. ipv4-address Not Specified 0.0.0.0
config exclude-range

value: 0
Maximum
value:
4294967295
start-ip Start of IP range. ipv4- Not Specified 0.0.0.0

address
end-ip End of IP range. ipv4- Not Specified 0.0.0.0

address

Fortinet Inc.
config ip-range

value: 0
Maximum
value:
4294967295
start-ip Start of IP range. ipv4- Not Specified 0.0.0.0

address
end-ip End of IP range. ipv4- Not Specified 0.0.0.0

address
config options

value: 0
Maximum
value:
4294967295
code DHCP option code. integer Minimum 0

value: 0
Maximum
value: 255
type DHCP option type. option - hex
Option Description
hex DHCP option in hex.
string DHCP option in string.
ip DHCP option in IP.
fqdn DHCP option in domain search option format.
value DHCP option value. string Not Specified
ip DHCP option IPs. user Not Specified

Fortinet Inc.
config reserved-address

value: 0
Maximum
value:
4294967295
type DHCP reserved-address type. option - mac
Option Description
mac Match with MAC address.
option82 Match with DHCP option 82.
ip IP address to be reserved for the MAC ipv4- Not Specified 0.0.0.0

address. address
mac MAC address of the client that will get the mac- Not Specified 00:00:00:00:00:00
reserved IP address. address
action Options for the DHCP server to configure option - reserved

the client with the reserved MAC address.
Option Description
assign Configure the client with this MAC address like any other client.
block Block the DHCP server from assigning IP settings to the client with this MAC
address.
reserved Assign the reserved IP address to the client with this MAC address.
circuit-id-type DHCP option type. option - string
Option Description
circuit-id Option 82 circuit-ID of the client that will get string Not Specified
the reserved IP address.
remote-id- DHCP option type. option - string

type
Option Description

Fortinet Inc.
remote-id Option 82 remote-ID of the client that will get string Not Specified
the reserved IP address.
description Description. var-string Not Specified
config system dnp3-proxy
This command is available for model(s): FortiGateRugged 60F 3G4G, FortiGateRugged 60F.
Configure dnpproxy settings.

Description: Configure dnpproxy settings.
set port {integer}
set term-baudrate [19200|38400|...]
set term-databits {integer}
set term-flowcontrol [none|xon_xoff|...]
set term-parity [none|odd|...]
set term-stopbits {integer}
end

Fortinet Inc.
port DNP3 TCPServer Port. integer Minimum 20000

value: 1
Maximum
value:
65535
status Enable/disable DNP daemon. option - disable
Option Description
enable Enable DNP daemon.
disable Disable DNP daemon.
term-baudrate Term Baudrate. option - 19200
Option Description
19200 set DNP baudrate to 19200
term-databits Term Data Bits. integer Minimum 8

value: 0
Maximum
value:
65535
term- Term Flow Control option - none

flowcontrol
Option Description
none No flow control.
xon_xoff Enable software flow control on both input and output.
hardware Enable hardware flow control.
term-parity Term Parity option - none
Option Description
none No parity check.
odd Odd parity check.
even Even parity check.

Fortinet Inc.
term-stopbits Term Stop Bits. integer Minimum 1

value: 0
Maximum
value:
65535
config system dns-database
Configure DNS databases.

Description: Configure DNS databases.
edit <name>
set allow-transfer {user}
set authoritative [enable|disable]
set contact {string}
config dns-entry
Description: DNS entry.
edit <id>
set id {integer}
set type [A|NS|...]
set ttl {integer}
set preference {integer}
set ipv6 {ipv6-address}
set canonical-name {string}
next
end
set domain {string}
set forwarder {user}
set ip-primary {ipv4-address-any}
set name {string}
set primary-name {string}
set rr-max {integer}
set ttl {integer}
set type [primary|secondary]
set view [shadow|public]
next
end
allow-transfer DNS zone transfer IP address list. user Not Specified

Fortinet Inc.
authoritative Enable/disable authoritative zone. option - enable
Option Description
enable Enable authoritative zone.
disable Disable authoritative zone.
contact Email address of the administrator for this zone. You string Not Specified host
can specify only the username, such as admin or the
full email address, such as admin@test.com When
using only a username, the domain of the email will
be this zone.
domain Domain name. string Not Specified
forwarder DNS zone forwarder IP address list. user Not Specified
ip-primary IP address of primary DNS server. Entries in this ipv4- Not Specified 0.0.0.0
primary DNS server and imported into the DNS address-
zone. any
name Zone name. string Not Specified
primary-name Domain name of the default DNS server for this string Not Specified dns
zone.
rr-max Maximum number of resource records. integer Minimum 16384

value: 10
Maximum
value: 65536
source-ip Source IP for forwarding to DNS server. ipv4- Not Specified 0.0.0.0
address
status Enable/disable this DNS zone. option - enable
Option Description
ttl Default time-to-live value for the entries of this DNS integer Minimum 86400
zone. value: 0
Maximum
value:
2147483647
type Zone type (primary to manage entries directly, option - primary

secondary to import entries from other zones).

Fortinet Inc.
Option Description
primary Primary DNS zone, to manage entries directly.
secondary Secondary DNS zone, to import entries from other DNS zones.
view Zone view (public to serve public clients, shadow to option - shadow
serve internal clients).
Option Description
shadow Shadow DNS zone to serve internal clients.
public Public DNS zone to serve public clients.
config dns-entry
id DNS entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
status Enable/disable resource record status. option - enable
Option Description
enable Enable resource record status.
disable Disable resource record status.
type Resource record type. option - A
Option Description
A Host type.
NS Name server type.
CNAME Canonical name type.
MX Mail exchange type.
AAAA IPv6 host type.
PTR Pointer type.
PTR_V6 IPv6 pointer type.

Fortinet Inc.
ttl Time-to-live for this entry. integer Minimum 0

value: 0
Maximum
value:
2147483647
preference DNS entry preference. integer Minimum 10

value: 0
Maximum
value: 65535
ip IPv4 address of the host. ipv4- Not Specified 0.0.0.0

address-
any
ipv6 IPv6 address of the host. ipv6- Not Specified ::

address
hostname Name of the host. string Not Specified
canonical- Canonical name of the host. string Not Specified

name
config system dns-server
Configure DNS servers.

Description: Configure DNS servers.
edit <name>
set doh [enable|disable]
set mode [recursive|non-recursive|...]
set name {string}
next
end
dnsfilter-profile DNS filter profile. string Not

Specified
doh DNS over HTTPS/443. option - disable
Option Description
enable Enable DNS over HTTPS.
disable Disable DNS over HTTPS.

Fortinet Inc.
mode DNS server mode. option - recursive
Option Description
recursive Shadow DNS database and forward.
non-recursive Public DNS database only.
forward-only Forward only.
name DNS server name. string Not

Specified
config system dns
Configure DNS.
config system dns
Description: Configure DNS.
set alt-primary {ipv4-address}
set alt-secondary {ipv4-address}
set cache-notfound-responses [disable|enable]
set dns-cache-limit {integer}
set dns-cache-ttl {integer}
set domain <domain1>, <domain2>, ...
set ip6-primary {ipv6-address}
set ip6-secondary {ipv6-address}
set log [disable|error|...]
set primary {ipv4-address}
set retry {integer}
set secondary {ipv4-address}
set server-hostname <hostname1>, <hostname2>, ...
set server-select-method [least-rtt|failover]
end
config system dns
alt-primary Alternate primary DNS server. This is not used as a ipv4- Not Specified 0.0.0.0
failover DNS server. address
alt-secondary Alternate secondary DNS server. This is not used ipv4- Not Specified 0.0.0.0
as a failover DNS server. address

Fortinet Inc.
cache- Enable/disable response from the DNS server when option - disable
notfound- a record is not in cache.
responses
Option Description
disable Disable cache NOTFOUND responses from DNS server.
enable Enable cache NOTFOUND responses from DNS server.
dns-cache-limit Maximum number of records in the DNS cache. integer Minimum 5000
value: 0
Maximum
value:
4294967295
dns-cache-ttl Duration in seconds that the DNS cache retains integer Minimum 1800
information. value: 60
Maximum
value: 86400
domain Search suffix list for hostname lookup. string Maximum

<domain> DNS search domain list separated by space length: 127
(maximum 8 domains).

method server.
Option Description
ip6-primary Primary DNS server IPv6 address. ipv6- Not Specified ::

address
ip6-secondary Secondary DNS server IPv6 address. ipv6- Not Specified ::

address
log Local DNS log setting. option - disable
Option Description
disable Disable.
error Enable local DNS error log.
all Enable local DNS log.

Fortinet Inc.
primary Primary DNS server IP address. ipv4- Not Specified 0.0.0.0

address
protocol DNS transport protocols. option - cleartext
Option Description
cleartext DNS over UDP/53, DNS over TCP/53.
dot DNS over TLS/853.
doh DNS over HTTPS/443.
retry Number of times to retry. integer Minimum 2

value: 0
Maximum
value: 5
secondary Secondary DNS server IP address. ipv4- Not Specified 0.0.0.0

address
server- DNS server host name list. string Maximum

hostname DNS server host name list separated by space length: 127
<hostname> (maximum 4 domains).
server-select- Specify how configured servers are prioritized. option - least-rtt

method
Option Description
least-rtt Select servers based on least round trip time.
failover Select servers based on the order they are configured.
source-ip IP address used by the DNS server as its source IP. ipv4- Not Specified 0.0.0.0
address
ssl-certificate Name of local certificate for SSL connections. string Not Specified Fortinet_
Factory
timeout DNS query timeout interval in seconds. integer Minimum 5

value: 1
Maximum
value: 10
config system dns64
Configure DNS64.
config system dns64
Description: Configure DNS64.
set always-synthesize-aaaa-record [enable|disable]
set dns64-prefix {ipv6-prefix}

Fortinet Inc.
end
config system dns64
always- Enable/disable AAAA record synthesis. option - enable

synthesize-
aaaa-record
Option Description
enable Enable AAAA record synthesis.
disable Disable AAAA record synthesis.
dns64-prefix DNS64 prefix must be ::/96. ipv6-prefix Not 64:ff9b::/96

Specified
status Enable/disable DNS64. option - disable
Option Description
enable Enable DNS64.
disable Disable DNS64.
config system dscp-based-priority
Configure DSCP based priority table.

Description: Configure DSCP based priority table.
edit <id>
set ds {integer}
set id {integer}
next
end
ds DSCP. integer Minimum 0

value: 0
Maximum
value: 63

Fortinet Inc.
id Item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
priority DSCP based priority level. option - high
Option Description
low Low priority.
high High priority.
config system dsl status
This command is available for model(s): FortiGate 40F 3G4G, FortiGate 60E DSLJ, FortiGate
60E DSL, FortiGate 60F, FortiGate 80F Bypass, FortiGate 80F, FortiGate 81F,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 60E DSL.
FortiGate 600E, FortiGate 601E, FortiGate 60E-POE, FortiGate 60E, FortiGate 61E, FortiGate
61F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F-POE, FortiGate 81E-
POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 900D, FortiGate 90E, FortiGate 91E,
FortiGate VM64, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi
61E, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE,
FortiWiFi 81F 2R.
status of DSL
config system dsl status
Description: status of DSL
end

Fortinet Inc.
config system elbc
This command is available for model(s): FortiGate 5001E1, FortiGate 5001E.

4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E, FortiGate 600E,
FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 80E-POE, FortiGate
80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE,
FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate
91E, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F
3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E,
FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE,
FortiWiFi 81F 2R.
Configure enhanced load balance cluster.

config system elbc
Description: Configure enhanced load balance cluster.
set graceful-upgrade [enable|disable]
set hb-device <name1>, <name2>, ...
set inter-chassis-support [enable|disable]
set mode [none|forticontroller|...]
end
config system elbc
graceful- enable/disable graceful upgrade option - enable

upgrade
Option Description
hb-device ELBC heartbeat device. string Maximum

<name> set interface name length: 79

Fortinet Inc.
inter-chassis- Enable/disable content-cluster across multiple chassis. option - disable

support
Option Description
enable Enable content-cluster across multiple chassis.
disable Disable content-cluster across multiple chassis.
mode ELBC mode. option - none
Option Description
none ELBC mode disabled.
forticontroller FortiController.
dual- Dual-FortiController.
forticontroller
config system email-server
Configure the email server used by the FortiGate various things. For example, for sending email messages to users to
support user authentication features.
Description: Configure the email server used by the FortiGate various things. For
example, for sending email messages to users to support user authentication features.
set authenticate [enable|disable]
set port {integer}
set reply-to {string}
set security [none|starttls|...]
set server {string}
set type {option}
set validate-server [enable|disable]
end
authenticate Enable/disable authentication. option - disable

Fortinet Inc.
Option Description
enable Enable authentication.
disable Disable authentication.

Specified

Option Description
password SMTP server user password for authentication. password Not

Specified
port SMTP server port. integer Minimum 25

value: 1
Maximum
value:
65535
reply-to Reply-To email address. string Not

Specified
security Connection security used by the email server. option - none
Option Description
none None.
starttls STARTTLS.
smtps SSL/TLS.
server SMTP server IP address or hostname. string Not

Specified
source-ip SMTP server IPv4 source IP. ipv4- Not 0.0.0.0

address Specified
source-ip6 SMTP server IPv6 source IP. ipv6- Not ::

address Specified


Fortinet Inc.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
type Use FortiGuard Message service or custom email option - custom

server.
Option Description
custom Use custom email server.
username SMTP server user name for authentication. string Not

Specified
validate-server Enable/disable validation of server certificate. option - disable
Option Description
enable Enable validation of server certificate.
disable Disable validation of server certificate.
config system external-resource
Configure external resource.

Description: Configure external resource.
edit <name>
set name {string}
set refresh-rate {integer}
set resource {string}
set server-identity-check [none|basic|...]
set type [category|address|...]
set user-agent {var-string}
set uuid {uuid}

Fortinet Inc.
next
end
category User resource category. integer Minimum 0

value: 192
Maximum
value: 221

Specified

Specified

Option Description
name External resource name. string Not

Specified
password HTTP basic authentication password. password Not

Specified
refresh-rate Time interval to refresh external resource. integer Minimum 5

value: 1
Maximum
value:
43200
resource URI of external resource. string Not

Specified
server- Certificate verification option. option - none

identity-check
Option Description
none No certificate verification.
basic Check server certifcate only.
full Check server certificate and verify the domain matches in the server
certificate.

Fortinet Inc.
source-ip Source IPv4 address used to communicate with ipv4- Not 0.0.0.0
status Enable/disable user resource. option - enable
Option Description
enable Enable user resource.
disable Disable user resource.
type User resource type. option - category
Option Description
category FortiGuard category.
address Firewall IP address.
domain Domain Name.
malware Malware hash.
user-agent HTTP User-Agent header. var-string Not

Specified
username HTTP basic authentication user name. string Not

Specified

000000000000
config system federated-upgrade
Coordinate federated upgrades within the Security Fabric.

Description: Coordinate federated upgrades within the Security Fabric.
set failure-device {string}
set failure-reason [none|internal|...]
set next-path-index {integer}
config node-list
Description: Nodes which will be included in the upgrade.
edit <serial>
set serial {string}
set timing [immediate|scheduled]
set time {user}
set setup-time {user}
set upgrade-path {user}
set device-type [fortigate|fortiswitch|...]
set coordinating-fortigate {string}
next
end

Fortinet Inc.
set status [disabled|initialized|...]
set upgrade-id {integer}
end
failure-device Serial number of the node to include. string Not Specified
failure-reason Reason for upgrade failure. option - none
Option Description
none No failure.
internal An internal error occurred.
timeout The upgrade timed out.
device-type- The device type was not supported by the FortiGate.

unsupported
download-failed The image could not be downloaded.
device-missing The device was disconnected from the FortiGate.
version- An image matching the device and version could not be found.
unavailable
staging-failed The image could not be pushed to the device.
reboot-failed The device could not be rebooted.
device-not- The device did not reconnect after rebooting.

reconnected
node-not-ready A device in the CSF tree was not ready.
no-final- The coordinating FortiGate did not confirm the upgrade.

confirmation
no-confirmation- A downstream FortiGate did not initiate final confirmation.

query
next-path- The index of the next image to upgrade to. integer Minimum 0
index value: 0
Maximum
value: 10
status Current status of the upgrade. option - disabled
Option Description
disabled No federated upgrade has been configured.

Fortinet Inc.
Option Description
initialized The upgrade has been configured.
downloading The image is downloading in preparation for the upgrade.
device- The image downloads are complete, but one or more devices have
disconnected disconnected.
ready The image download finished and the upgrade is pending.
staging The upgrade is confirmed and images are being staged.
final-check The upgrade is ready and final checks are in progress.
upgrade-devices The upgrade is ready and devices are being rebooted.
cancelled The upgrade was cancelled due to the tree not being ready.
confirmed The upgrade was confirmed and reboots are running.
done The upgrade completed successfully.
failed The upgrade failed due to a local issue.
upgrade-id Unique identifier for this upgrade. integer Minimum 0

value: 0
Maximum
value:
4294967295
config node-list
serial Serial number of the node to include. string Not

Specified
timing Whether the upgrade should be run immediately, or at option - immediate

a scheduled time.
Option Description
immediate Begin the upgrade immediately.
scheduled Begin the upgrade at a configured time.
time Scheduled time for the upgrade. Format hh:mm user Not
yyyy/mm/dd UTC. Specified
setup-time When the upgrade was configured. Format hh:mm user Not
yyyy/mm/dd UTC. Specified

Fortinet Inc.
upgrade-path Image IDs to upgrade through. user Not

Specified
device-type What type of device this node represents. option - fortigate
Option Description
fortigate This device is a FortiGate.
fortiswitch This device is a FortiSwitch.
fortiap This device is a FortiAP.
coordinating- Serial number of the FortiGate unit that controls this string Not
fortigate device. Specified
config system fips-cc
Configure FIPS-CC mode.

Description: Configure FIPS-CC mode.
set entropy-token [enable|disable|...]
set key-generation-self-test [enable|disable]
set self-test-period {integer}
end
entropy-token Enable/disable/dynamic entropy token. option - enable
Option Description
enable Enable entropy token to be present during boot process.
disable Disable entropy token to be present during boot process.
dynamic Dynamic detect entropy token to be present during boot process.
key- Enable/disable self tests after key generation. option - disable

generation-
self-test
Option Description
enable Enable self tests after key generation.
disable Disable self tests after key generation.

Fortinet Inc.
self-test- Self test period. integer Minimum 1440

period value: 1
Maximum
value: 1440
status Enable/disable ciphers for FIPS mode of operation. option - disable
Option Description
enable Enable FIPS-CC mode.
disable Disable FIPS-CC mode.
config system fortianalyzer-connectivity
FortiAnalyzer Connectivity.
config system fortianalyzer-connectivity
Description: FortiAnalyzer Connectivity.
end
config system fortiguard-log-service
Configuration of FortiCloud log service.

config system fortiguard-log-service
Description: Configuration of FortiCloud log service.
end
config system fortiguard-service
Configuration of FortiGuard services.

config system fortiguard-service
Description: Configuration of FortiGuard services.
end
config system fortiguard
Configure FortiGuard services.

Description: Configure FortiGuard services.
set antispam-cache [enable|disable]
set antispam-cache-mpercent {integer}
set antispam-cache-ttl {integer}
set antispam-expiration {integer}
set antispam-force-off [enable|disable]

Fortinet Inc.
set antispam-license {integer}
set antispam-timeout {integer}
set anycast-sdns-server-ip {ipv4-address}
set anycast-sdns-server-port {integer}
set auto-join-forticloud [enable|disable]
set ddns-server-ip {ipv4-address}
set ddns-server-ip6 {ipv6-address}
set ddns-server-port {integer}
set fortiguard-anycast [enable|disable]
set fortiguard-anycast-source [fortinet|aws|...]
set load-balance-servers {integer}
set outbreak-prevention-cache [enable|disable]
set outbreak-prevention-cache-mpercent {integer}
set outbreak-prevention-cache-ttl {integer}
set outbreak-prevention-expiration {integer}
set outbreak-prevention-force-off [enable|disable]
set outbreak-prevention-license {integer}
set outbreak-prevention-timeout {integer}
set persistent-connection [enable|disable]
set port [8888|53|...]
set protocol [udp|http|...]
set proxy-password {password}
set proxy-server-ip {ipv4-address}
set proxy-server-port {integer}
set proxy-username {string}
set sandbox-region {string}
set sdns-options {option1}, {option2}, ...
set sdns-server-ip {user}
set sdns-server-port {integer}
set update-build-proxy [enable|disable]
set update-extdb [enable|disable]
set update-ffdb [enable|disable]
set update-server-location [automatic|usa|...]
set update-uwdb [enable|disable]
set videofilter-expiration {integer}
set videofilter-license {integer}
set webfilter-cache [enable|disable]
set webfilter-cache-ttl {integer}
set webfilter-expiration {integer}
set webfilter-force-off [enable|disable]
set webfilter-license {integer}
set webfilter-timeout {integer}
end

Fortinet Inc.
antispam- Enable/disable FortiGuard antispam request option - enable

cache caching. Uses a small amount of memory but
improves performance.
Option Description
enable Enable FortiGuard antispam request caching.
disable Disable FortiGuard antispam request caching.
antispam- Maximum percentage of FortiGate memory the integer Minimum 2

cache- antispam cache is allowed to use. value: 1
mpercent Maximum
value: 15
antispam- Time-to-live for antispam cache entries in integer Minimum 1800

cache-ttl seconds. Lower times reduce the cache size. value: 300
Higher times may improve performance since the Maximum
cache will have more entries. value: 86400
antispam- Expiration date of the FortiGuard antispam integer Minimum 0

expiration contract. value: 0
Maximum
value:
4294967295
antispam- Enable/disable turning off the FortiGuard option - disable

force-off antispam service.
Option Description
enable Turn off the FortiGuard antispam service.
disable Allow the FortiGuard antispam service.
antispam- Interval of time between license checks for the integer Minimum 4294967295
license FortiGuard antispam contract. value: 0
Maximum
value:
4294967295
antispam- Antispam query time out. integer Minimum 7

timeout value: 1
Maximum
value: 30
anycast-sdns- IP address of the FortiGuard anycast DNS rating ipv4- Not Specified 0.0.0.0
server-ip server. address

Fortinet Inc.
anycast-sdns- Port to connect to on the FortiGuard anycast DNS integer Minimum 853
server-port rating server. value: 1
Maximum
value: 65535
auto-join- Automatically connect to and login to FortiCloud. option - enable

forticloud *
Option Description
enable Enable automatic connection and login to FortiCloud.
disable Disable automatic connection and login to FortiCloud.
ddns-server- IP address of the FortiDDNS server. ipv4- Not Specified 0.0.0.0

ip address
ddns-server- IPv6 address of the FortiDDNS server. ipv6- Not Specified ::

ip6 address
ddns-server- Port used to communicate with FortiDDNS integer Minimum 443

port servers. value: 1
Maximum
value: 65535
fortiguard- Enable/disable use of FortiGuard's Anycast option - enable

anycast network.
Option Description
enable Enable use of FortiGuard's Anycast network.
disable Disable use of FortiGuard's Anycast network.
fortiguard- Configure which of Fortinet's servers to provide option - fortinet

anycast- FortiGuard services in FortiGuard's anycast
source network. Default is Fortinet.
Option Description
fortinet Use Fortinet's servers to provide FortiGuard services in FortiGuard's anycast

network.
aws Use Fortinet's AWS servers to provide FortiGuard services in FortiGuard's

anycast network.
debug Use Fortinet's internal test servers to provide FortiGuard services in

FortiGuard's anycast network.


Fortinet Inc.
Option Description
load-balance- Number of servers to alternate between as first integer Minimum 1

servers FortiGuard option. value: 1
Maximum
value: 266
outbreak- Enable/disable FortiGuard Virus Outbreak option - enable

prevention- Prevention cache.
cache
Option Description
enable Enable FortiGuard antivirus caching.
disable Disable FortiGuard antivirus caching.
outbreak- Maximum percent of memory FortiGuard Virus integer Minimum 2

prevention- Outbreak Prevention cache can use. value: 1
cache- Maximum
mpercent value: 15
outbreak- Time-to-live for FortiGuard Virus Outbreak integer Minimum 300

prevention- Prevention cache entries. value: 300
cache-ttl Maximum
value: 86400
outbreak- Expiration date of FortiGuard Virus Outbreak integer Minimum 0

prevention- Prevention contract. value: 0
expiration Maximum
value:
4294967295
outbreak- Turn off FortiGuard Virus Outbreak Prevention option - disable

prevention- service.
force-off
Option Description
enable Turn off FortiGuard antivirus service.
disable Allow the FortiGuard antivirus service.

Fortinet Inc.
outbreak- Interval of time between license checks for integer Minimum 4294967295
prevention- FortiGuard Virus Outbreak Prevention contract. value: 0
license Maximum
value:
4294967295
outbreak- FortiGuard Virus Outbreak Prevention time out. integer Minimum 7

prevention- value: 1
timeout Maximum
value: 30
persistent- Enable/disable use of persistent connection to option - disable

connection receive update notification from FortiGuard.
Option Description
enable Enable persistent connection to receive update notification from FortiGuard.
disable Disable persistent connection to receive update notification from FortiGuard.
port Port used to communicate with the FortiGuard option - 443

servers.
Option Description
8888 port 8888 for server communication.
protocol Protocol used to communicate with the FortiGuard option - https

servers.
Option Description
udp UDP for server communication (for use by FortiGuard or FortiManager).
http HTTP for server communication (for use only by FortiManager).
https HTTPS for server communication (for use by FortiGuard or FortiManager).
proxy- Proxy user password. password Not Specified

password
proxy-server- IP address of the proxy server. ipv4- Not Specified 0.0.0.0

ip address

Fortinet Inc.
proxy-server- Port used to communicate with the proxy server. integer Minimum 0
port value: 0
Maximum
value: 65535
proxy- Proxy user name. string Not Specified

username
sandbox- Cloud sandbox region. string Not Specified

region
sdns-options Customization options for the FortiGuard DNS option -

service.
Option Description
include-question- Include DNS question section in the FortiGuard DNS setup message.
section
sdns-server- IP address of the FortiGuard DNS rating server. user Not Specified
ip
sdns-server- Port to connect to on the FortiGuard DNS rating integer Minimum 53

port server. value: 1
Maximum
value: 65535
source-ip Source IPv4 address used to communicate with ipv4- Not Specified 0.0.0.0
FortiGuard. address
source-ip6 Source IPv6 address used to communicate with ipv6- Not Specified ::
FortiGuard. address
update-build- Enable/disable proxy dictionary rebuild. option - enable

proxy
Option Description
enable Enable proxy dictionary rebuild.
disable Disable proxy dictionary rebuild.
update-extdb Enable/disable external resource update. option - enable
Option Description
enable Enable external resource update.
disable Disable external resource update.
update-ffdb Enable/disable Internet Service Database update. option - enable

Fortinet Inc.
Option Description
enable Enable Internet Service Database update.
disable Disable Internet Service Database update.
update- Location from which to receive FortiGuard option - automatic

server- updates.
location
Option Description
automatic FortiGuard servers chosen based on closest proximity to FortiGate unit.
usa FortiGuard servers in United States.
eu FortiGuard servers in the European Union.
update-uwdb Enable/disable allowlist update. option - enable
Option Description
enable Enable allowlist update.
disable Disable allowlist update.
videofilter- Expiration date of the FortiGuard video filter integer Minimum 0

Maximum
value:
4294967295
videofilter- Interval of time between license checks for the integer Minimum 4294967295
license FortiGuard video filter contract. value: 0
Maximum
value:
4294967295
webfilter- Enable/disable FortiGuard web filter caching. option - enable

cache
Option Description
enable Enable FortiGuard web filter caching.
disable Disable FortiGuard web filter caching.
webfilter- Time-to-live for web filter cache entries in integer Minimum 3600
cache-ttl seconds. value: 300
Maximum
value: 86400

Fortinet Inc.
webfilter- Expiration date of the FortiGuard web filter integer Minimum 0

Maximum
value:
4294967295
webfilter- Enable/disable turning off the FortiGuard web option - disable

force-off filtering service.
Option Description
enable Turn off the FortiGuard web filtering service.
disable Allow the FortiGuard web filtering service to operate.
webfilter- Interval of time between license checks for the integer Minimum 4294967295
license FortiGuard web filter contract. value: 0
Maximum
value:
4294967295
webfilter- Web filter query time out. integer Minimum 15

timeout value: 1
Maximum
value: 30
config system fortindr
Configure FortiNDR.
Description: Configure FortiNDR.
end

Specified
select-method

Fortinet Inc.
Option Description
source-ip Source IP address for communications to FortiNDR. string Not

Specified
status Enable/disable FortiNDR. option - disable
Option Description
disable Disable FortiNDR.
enable Enable FortiNDR.
config system fortisandbox
Configure FortiSandbox.
Description: Configure FortiSandbox.
set email {string}
set enc-algorithm [default|high|...]
set forticloud [enable|disable]
set server {string}
end
email Notifier email address. string Not

Specified
enc-algorithm Configure the level of SSL protection for secure option - default
communication with FortiSandbox.
Option Description
default SSL communication with high and medium encryption algorithms.

Fortinet Inc.
Option Description
forticloud Enable/disable FortiSandbox Cloud. option - disable
Option Description
enable Enable FortiSandbox Cloud.
disable Disable FortiSandbox Cloud.

Specified
select-method
Option Description
server Server address of the remote FortiSandbox. string Not

Specified
source-ip Source IP address for communications to FortiSandbox. string Not

Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
status Enable/disable FortiSandbox. option - disable
Option Description
enable Enable FortiSandbox.
disable Disable FortiSandbox.

Fortinet Inc.
config system fsso-polling
Configure Fortinet Single Sign On (FSSO) server.

Description: Configure Fortinet Single Sign On (FSSO) server.
set auth-password {password}
set authentication [enable|disable]
set listening-port {integer}
end
auth-password Password to connect to FSSO Agent. password Not

Specified
authentication Enable/disable FSSO Agent Authentication. option - disable
Option Description
enable Enable FSSO Agent Authentication.
disable Disable FSSO Agent Authentication.
listening-port Listening port to accept clients. integer Minimum 8000

value: 1
Maximum
value:
65535
status Enable/disable FSSO Polling Mode. option - enable
Option Description
enable Enable FSSO Polling Mode.
disable Disable FSSO Polling Mode.
config system ftm-push
Configure FortiToken Mobile push services.

Description: Configure FortiToken Mobile push services.
set server {string}
set server-cert {string}
set server-ip {ipv4-address}
set server-port {integer}
end

Fortinet Inc.
server IPv4 address or domain name of FortiToken Mobile string Not

push services server. Specified
server-cert Name of the server certificate to be used for SSL. string Not Fortinet_
Specified Factory
server-ip IPv4 address of FortiToken Mobile push services server ipv4- Not 0.0.0.0
(format: xxx.xxx.xxx.xxx). address Specified
server-port Port to communicate with FortiToken Mobile push integer Minimum 4433
services server. value: 1
Maximum
value:
65535
status Enable/disable the use of FortiToken Mobile push option - disable

services.
Option Description
enable Enable FortiToken Mobile push services.
disable Disable FortiToken Mobile push services.
config system geneve
Configure GENEVE devices.

Description: Configure GENEVE devices.
edit <name>
set dstport {integer}
set ip-version [ipv4-unicast|ipv6-unicast]
set name {string}
set remote-ip {ipv4-address}
set remote-ip6 {ipv6-address}
set type [ethernet|ppp]
set vni {integer}
next
end

Fortinet Inc.
dstport GENEVE destination port. integer Minimum 6081

value: 1
Maximum
value:
65535
interface Outgoing interface for GENEVE encapsulated traffic. string Not

Specified
ip-version IP version to use for the GENEVE interface and so for option - ipv4-unicast
communication over the GENEVE. IPv4 or IPv6
unicast.
Option Description
ipv4-unicast Use IPv4 unicast addressing over the GENEVE.
ipv6-unicast Use IPv6 unicast addressing over the GENEVE.
name GENEVE device or interface name. Must be an unique string Not

interface name. Specified
remote-ip IPv4 address of the GENEVE interface on the device at ipv4- Not 0.0.0.0
the remote end of the GENEVE. address Specified
remote-ip6 IPv6 IP address of the GENEVE interface on the device ipv6- Not ::
at the remote end of the GENEVE. address Specified
type GENEVE type. option - ethernet
Option Description
ethernet Internal packet includes Ethernet header.
ppp Internal packet does not include Ethernet header.
vni GENEVE network ID. integer Minimum 0

value: 0
Maximum
value:
16777215
config system geoip-country
Define geoip country name-ID table.

Description: Define geoip country name-ID table.
edit <id>
set id {string}

Fortinet Inc.
set name {string}
next
end
id Country ID. string Not

Specified
name Country name. string Not

Specified
config system geoip-override
Configure geographical location mapping for IP address(es) to override mappings from FortiGuard.
Description: Configure geographical location mapping for IP address(es) to override
mappings from FortiGuard.
edit <name>
set country-id {string}
config ip-range
Description: Table of IP ranges assigned to country.
edit <id>
set id {integer}
next
end
config ip6-range
Description: Table of IPv6 ranges assigned to country.
edit <id>
set id {integer}
next
end
set name {string}
next
end
country-id Two character Country ID code. string Not

Specified

Fortinet Inc.

Specified
name Location name. string Not

Specified
config ip-range
id ID of individual entry in the IP range table. integer Minimum 0

value: 0
Maximum
value:
65535
start-ip Starting IP address, inclusive, of the address range ipv4- Not 0.0.0.0
end-ip Ending IP address, inclusive, of the address range ipv4- Not 0.0.0.0
config ip6-range
id ID of individual entry in the IPv6 range table. integer Minimum 0

value: 0
Maximum
value:
65535
start-ip Starting IP address, inclusive, of the address range ipv6- Not ::

(format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx). address Specified
end-ip Ending IP address, inclusive, of the address range ipv6- Not ::

(format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx). address Specified
config system global
Configure global attributes.

Description: Configure global attributes.
set admin-concurrent [enable|disable]
set admin-console-timeout {integer}
set admin-forticloud-sso-login [enable|disable]
set admin-host {string}
set admin-hsts-max-age {integer}
set admin-https-pki-required [enable|disable]

Fortinet Inc.
set admin-https-redirect [enable|disable]
set admin-https-ssl-banned-ciphers {option1}, {option2}, ...
set admin-https-ssl-ciphersuites {option1}, {option2}, ...
set admin-https-ssl-versions {option1}, {option2}, ...
set admin-lockout-duration {integer}
set admin-lockout-threshold {integer}
set admin-login-max {integer}
set admin-maintainer [enable|disable]
set admin-port {integer}
set admin-reset-button [enable|disable]
set admin-restrict-local [enable|disable]
set admin-scp [enable|disable]
set admin-server-cert {string}
set admin-sport {integer}
set admin-ssh-grace-time {integer}
set admin-ssh-password [enable|disable]
set admin-ssh-port {integer}
set admin-ssh-v1 [enable|disable]
set admin-telnet [enable|disable]
set admin-telnet-port {integer}
set admintimeout {integer}
set alias {string}
set allow-traffic-redirect [enable|disable]
set anti-replay [disable|loose|...]
set arp-max-entry {integer}
set auth-http-port {integer}
set auth-https-port {integer}
set auth-keepalive [enable|disable]
set auth-session-limit [block-new|logout-inactive]
set auto-auth-extension-device [enable|disable]
set autorun-log-fsck [enable|disable]
set av-affinity {string}
set av-failopen [pass|off|...]
set av-failopen-session [enable|disable]
set batch-cmdb [enable|disable]
set block-session-timer {integer}
set br-fdb-max-entry {integer}
set cert-chain-max {integer}
set cfg-revert-timeout {integer}
set cfg-save [automatic|manual|...]
set check-protocol-header [loose|strict]
set check-reset-range [strict|disable]
set cli-audit-log [enable|disable]
set cloud-communication [enable|disable]
set clt-cert-req [enable|disable]
set cmdbsvr-affinity {string}
set cpu-use-threshold {integer}
set csr-ca-attribute [enable|disable]
set daily-restart [enable|disable]
set default-service-source-port {user}
set device-idle-timeout {integer}
set dh-params [1024|1536|...]
set dnsproxy-worker-count {integer}
set dst [enable|disable]
set early-tcp-npu-session [enable|disable]

Fortinet Inc.
set edit-vdom-prompt [enable|disable]
set extender-controller-reserved-network {ipv4-classnet-host}
set failtime {integer}
set faz-disk-buffer-size {integer}
set fds-statistics [enable|disable]
set fds-statistics-period {integer}
set fgd-alert-subscription {option1}, {option2}, ...
set forticontroller-proxy [enable|disable]
set forticontroller-proxy-port {integer}
set fortiextender [disable|enable]
set fortiextender-data-port {integer}
set fortiextender-discovery-lockdown [disable|enable]
set fortiextender-vlan-mode [enable|disable]
set fortiservice-port {integer}
set fortitoken-cloud [enable|disable]
set gui-allow-default-hostname [enable|disable]
set gui-cdn-usage [enable|disable]
set gui-certificates [enable|disable]
set gui-custom-language [enable|disable]
set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]
set gui-date-time-source [system|browser]
set gui-device-latitude {string}
set gui-device-longitude {string}
set gui-display-hostname [enable|disable]
set gui-firmware-upgrade-warning [enable|disable]
set gui-forticare-registration-setup-warning [enable|disable]
set gui-fortigate-cloud-sandbox [enable|disable]
set gui-fortiguard-resource-fetch [enable|disable]
set gui-ipv6 [enable|disable]
set gui-local-out [enable|disable]
set gui-replacement-message-groups [enable|disable]
set gui-rest-api-cache [enable|disable]
set gui-theme [jade|neutrino|...]
set gui-wireless-opensecurity [enable|disable]
set ha-affinity {string}
set honor-df [enable|disable]
set hyper-scale-vdom-num {integer}
set igmp-state-limit {integer}
set internal-switch-speed {option1}, {option2}, ...
set internet-service-database [mini|standard|...]
set ip-fragment-mem-thresholds {integer}
set ip-src-port-range {user}
set ips-affinity {string}
set ipsec-asic-offload [enable|disable]
set ipsec-ha-seqjump-rate {integer}
set ipsec-hmac-offload [enable|disable]
set ipsec-round-robin [enable|disable]
set ipsec-soft-dec-async [enable|disable]
set ipv6-accept-dad {integer}
set ipv6-allow-anycast-probe [enable|disable]
set ipv6-allow-local-in-slient-drop [enable|disable]
set ipv6-allow-multicast-probe [enable|disable]
set ipv6-allow-traffic-redirect [enable|disable]
set irq-time-accounting [auto|force]

Fortinet Inc.
set language [english|french|...]
set ldapconntimeout {integer}
set legacy-poe-device-support [enable|disable]
set lldp-reception [enable|disable]
set lldp-transmission [enable|disable]
set log-ssl-connection [enable|disable]
set log-uuid-address [enable|disable]
set login-timestamp [enable|disable]
set long-vdom-name [enable|disable]
set management-ip {string}
set management-port {integer}
set management-port-use-admin-sport [enable|disable]
set management-vdom {string}
set max-route-cache-size {integer}
set memory-use-threshold-extreme {integer}
set memory-use-threshold-green {integer}
set memory-use-threshold-red {integer}
set miglog-affinity {string}
set miglogd-children {integer}
set multi-factor-authentication [optional|mandatory]
set ndp-max-entry {integer}
set per-user-bal [enable|disable]
set pmtu-discovery [enable|disable]
set policy-auth-concurrent {integer}
set post-login-banner [disable|enable]
set pre-login-banner [enable|disable]
set private-data-encryption [disable|enable]
set proxy-auth-lifetime [enable|disable]
set proxy-auth-lifetime-timeout {integer}
set proxy-auth-timeout {integer}
set proxy-cert-use-mgmt-vdom [enable|disable]
set proxy-hardware-acceleration [disable|enable]
set proxy-re-authentication-mode [session|traffic|...]
set proxy-resource-mode [enable|disable]
set proxy-worker-count {integer}
set radius-port {integer}
set reboot-upon-config-restore [enable|disable]
set refresh {integer}
set remoteauthtimeout {integer}
set reset-sessionless-tcp [enable|disable]
set restart-time {user}
set revision-backup-on-logout [enable|disable]
set revision-image-auto-backup [enable|disable]
set scanunit-count {integer}
set security-rating-result-submission [enable|disable]
set security-rating-run-on-schedule [enable|disable]
set send-pmtu-icmp [enable|disable]
set show-backplane-intf [enable|disable]
set snat-route-change [enable|disable]
set special-file-23-support [disable|enable]
set speedtest-server [enable|disable]
set split-port {string}
set ssd-trim-date {integer}
set ssd-trim-freq [never|hourly|...]
set ssd-trim-hour {integer}
set ssd-trim-min {integer}

Fortinet Inc.
set ssd-trim-weekday [sunday|monday|...]
set ssh-enc-algo {option1}, {option2}, ...
set ssh-kex-algo {option1}, {option2}, ...
set ssh-mac-algo {option1}, {option2}, ...
set ssl-min-proto-version [SSLv3|TLSv1|...]
set ssl-static-key-ciphers [enable|disable]
set sslvpn-cipher-hardware-acceleration [enable|disable]
set sslvpn-ems-sn-check [enable|disable]
set sslvpn-kxp-hardware-acceleration [enable|disable]
set sslvpn-max-worker-count {integer}
set sslvpn-plugin-version-check [enable|disable]
set strict-dirty-session-check [enable|disable]
set strong-crypto [enable|disable]
set switch-controller [disable|enable]
set switch-controller-reserved-network {ipv4-classnet-host}
set sys-perf-log-interval {integer}
set tcp-halfclose-timer {integer}
set tcp-halfopen-timer {integer}
set tcp-option [enable|disable]
set tcp-rst-timer {integer}
set tcp-timewait-timer {integer}
set tftp [enable|disable]
set timezone [01|02|...]
set traffic-priority [tos|dscp]
set traffic-priority-level [low|medium|...]
set two-factor-email-expiry {integer}
set two-factor-fac-expiry {integer}
set two-factor-ftk-expiry {integer}
set two-factor-ftm-expiry {integer}
set two-factor-sms-expiry {integer}
set udp-idle-timer {integer}
set url-filter-affinity {string}
set url-filter-count {integer}
set user-device-store-max-devices {integer}
set user-device-store-max-unified-mem {integer}
set user-device-store-max-users {integer}
set user-server-cert {string}
set vdom-mode [no-vdom|split-vdom|...]
set vip-arp-range [unlimited|restricted]
set virtual-switch-vlan [enable|disable]
set wad-affinity {string}
set wad-csvc-cs-count {integer}
set wad-csvc-db-count {integer}
set wad-memory-change-granularity {integer}
set wad-source-affinity [disable|enable]
set wad-worker-count {integer}
set wifi-ca-certificate {string}
set wifi-certificate {string}
set wimax-4g-usb [enable|disable]
set wireless-controller [enable|disable]
set wireless-controller-port {integer}
set wireless-mode [ac|client|...]
end

Fortinet Inc.
admin-concurrent Enable/disable option - enable

concurrent administrator
logins. Use policy-auth-
concurrent for firewall
authenticated users.
Option Description
enable Enable admin concurrent login.
disable Disable admin concurrent login.
admin-console- Console login timeout integer Minimum value: 0

timeout that overrides the admin 15 Maximum
timeout value. value: 300
admin-forticloud-sso- Enable/disable option - disable

login FortiCloud admin login
via SSO.
Option Description
enable Enable FortiCloud admin login via SSO.
disable Disable FortiCloud admin login via SSO.
admin-host Administrative host for string Not Specified

HTTP and HTTPS.
When set, will be used in
lieu of the client's Host
header for any
redirection.
admin-hsts-max-age HTTPS Strict-Transport- integer Minimum value: 15552000

Security header max- 0 Maximum
age in seconds. A value value:
of 0 will reset any HSTS 2147483647
records in the
browser.When admin-
https-redirect is disabled
the header max-age will
be 0.

Fortinet Inc.
admin-https-pki- Enable/disable admin option - disable

required login method. Enable to
force administrators to
provide a valid certificate
to log in if PKI is enabled.
Disable to allow
administrators to log in
with a certificate or
password.
Option Description
enable Admin users must provide a valid certificate when PKI is enabled for
HTTPS admin access.
disable Admin users can login by providing a valid certificate or password.
admin-https-redirect Enable/disable option - enable

redirection of HTTP
administration access to
HTTPS.
Option Description
enable Enable redirecting HTTP administration access to HTTPS.
disable Disable redirecting HTTP administration access to HTTPS.
admin-https-ssl- Select one or more option -

banned-ciphers cipher technologies that
cannot be used in GUI
HTTPS negotiations.
Only applies to TLS 1.2
and below.
Option Description
RSA Ban the use of cipher suites using RSA key.
DHE Ban the use of cipher suites using authenticated ephemeral DH key
agreement.
ECDHE Ban the use of cipher suites using authenticated ephemeral ECDH key
agreement.
DSS Ban the use of cipher suites using DSS authentication.
ECDSA Ban the use of cipher suites using ECDSA authentication.
AES Ban the use of cipher suites using either 128 or 256 bit AES.

Fortinet Inc.
Option Description
AESGCM Ban the use of cipher suites using AES in Galois Counter Mode (GCM).
CAMELLIA Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES Ban the use of cipher suites using triple DES.
SHA1 Ban the use of cipher suites using HMAC-SHA1.
STATIC Ban the use of cipher suites using static keys.
CHACHA20 Ban the use of cipher suites using ChaCha20.
ARIA Ban the use of cipher suites using ARIA.
AESCCM Ban the use of cipher suites using AESCCM.
admin-https-ssl- Select one or more TLS option - TLS-AES-128-GCM-

ciphersuites 1.3 ciphersuites to SHA256 TLS-AES-256-
enable. Does not affect GCM-SHA384 TLS-
ciphers in TLS 1.2 and CHACHA20-POLY1305-
below. At least one must SHA256
be enabled. To disable
all, remove TLS1.3 from
admin-https-ssl-
versions.
Option Description
TLS-AES-128- Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.

GCM-SHA256

GCM-SHA384
TLS- Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

CHACHA20-
POLY1305-
SHA256
TLS-AES-128- Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

CCM-SHA256
TLS-AES-128- Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

CCM-8-
SHA256

Fortinet Inc.
admin-https-ssl- Allowed TLS versions for option - tlsv1-2 tlsv1-3

versions web administration.
Option Description
tlsv1-1 TLS 1.1.
tlsv1-2 TLS 1.2.
tlsv1-3 TLS 1.3.
admin-lockout- Amount of time in integer Minimum value: 60

duration seconds that an 1 Maximum
administrator account is value:
locked out after reaching 2147483647
the admin-lockout-
threshold for repeated
failed login attempts.
admin-lockout- Number of failed login integer Minimum value: 3

threshold attempts before an 1 Maximum
administrator account is value: 10
locked out for the admin-
lockout-duration.
admin-login-max Maximum number of integer Minimum value: 100

administrators who can 1 Maximum
be logged in at the same value: 100
time.
admin-maintainer Enable/disable option - enable

maintainer administrator
login. When enabled, the
maintainer account can
be used to log in from the
console after a hard
reboot. The password is
"bcpb" followed by the
FortiGate unit serial
number. You have
limited time to complete
this login.
Option Description
enable Enable login for special user (maintainer).
disable Disable login for special user (maintainer).

Fortinet Inc.
admin-port Administrative access integer Minimum value: 80

port for HTTP.. 1 Maximum
value: 65535
admin-reset-button * press the reset button option - enable

can reset to factory
default
Option Description
enable press the reset button can reset to factory default
disable press the reset button cannot reset to factory default
admin-restrict-local Enable/disable local option - disable

admin authentication
restriction when remote
authenticator is up and
running.
Option Description
enable Enable local admin authentication restriction.
disable Disable local admin authentication restriction.
admin-scp Enable/disable using option - disable

SCP to download the
system configuration.
You can use SCP as an
alternative method for
backing up the
configuration.
Option Description
enable Enable allow system configuration download by SCP.
disable Disable allow system configuration download by SCP.
admin-server-cert Server certificate that the string Not Specified self-sign

FortiGate uses for
HTTPS administrative
connections.
admin-sport Administrative access integer Minimum value: 443

port for HTTPS.. 1 Maximum
value: 65535

Fortinet Inc.
admin-ssh-grace- Maximum time in integer Minimum value: 120

time seconds permitted 10 Maximum
between making an SSH value: 3600
connection to the
FortiGate unit and
authenticating.
admin-ssh-password Enable/disable option - enable

password authentication
for SSH admin access.
Option Description
enable Enable password authentication for SSH admin access.
disable Disable password authentication for SSH admin access.
admin-ssh-port Administrative access integer Minimum value: 22

port for SSH.. 1 Maximum
value: 65535
admin-ssh-v1 Enable/disable SSH v1 option - disable

compatibility.
Option Description
enable Enable SSH v1 compatibility.
disable Disable SSH v1 compatibility.
admin-telnet Enable/disable TELNET option - enable

service.
Option Description
enable Enable TELNET service.
disable Disable TELNET service.
admin-telnet-port Administrative access integer Minimum value: 23

port for TELNET.. 1 Maximum
value: 65535
admintimeout Number of minutes integer Minimum value: 5

before an idle 1 Maximum
administrator session value: 480
times out. A shorter idle
timeout is more secure.
alias Alias for your FortiGate string Not Specified

unit.

Fortinet Inc.
allow-traffic-redirect Disable to prevent traffic option - enable

with same local ingress
and egress interface
from being forwarded
without policy check.
Option Description
enable Enable allow traffic redirect.
disable Disable allow traffic redirect.
anti-replay Level of checking for option - strict

packet replay and TCP
sequence checking.
Option Description
disable Disable anti-replay check.
loose Loose anti-replay check.
strict Strict anti-replay check.
arp-max-entry Maximum number of integer Minimum value: 131072

dynamically learned 131072
MAC addresses that can Maximum value:
be added to the ARP 2147483647
table.
auth-cert Server certificate that the string Not Specified Fortinet_Factory

FortiGate uses for
HTTPS firewall
authentication
connections.
auth-http-port User authentication integer Minimum value: 1000

HTTP port.. 1 Maximum
value: 65535
auth-https-port User authentication integer Minimum value: 1003

HTTPS port.. 1 Maximum
value: 65535
auth-keepalive Enable to prevent user option - disable

authentication sessions
from timing out when
idle.

Fortinet Inc.
Option Description
enable Enable use of keep alive to extend authentication.
disable Disable use of keep alive to extend authentication.
auth-session-limit Action to take when the option - block-new

number of allowed user
authenticated sessions
is reached.
Option Description
block-new Block new user authentication attempts.
logout-inactive Logout the most inactive user authenticated sessions.
auto-auth-extension- Enable/disable option - enable

device automatic authorization
of dedicated Fortinet
extension devices.
Option Description
enable Enable automatic authorization of dedicated Fortinet extension device

globally.
disable Disable automatic authorization of dedicated Fortinet extension device

globally.
autorun-log-fsck Enable/disable option - disable

automatic log partition
check after ungraceful
shutdown.
Option Description
enable Enable automatic log partition check after ungraceful shutdown.
disable Disable automatic log partition check after ungraceful shutdown.
av-affinity * Affinity setting for AV string Not Specified 0

scanning (hexadecimal
value up to 256 bits in
the format of
xxxxxxxxxxxxxxxx).

Fortinet Inc.
av-failopen Set the action to take if option - pass

the FortiGate is running
low on memory or the
proxy connection limit
has been reached.
Option Description
pass Bypass the antivirus system when memory is low. Antivirus scanning
resumes when the low memory condition is resolved.
off Stop accepting new AV sessions when entering conserve mode, but
continue to process current active sessions.
one-shot Bypass the antivirus system when memory is low.
av-failopen-session When enabled and a option - disable

proxy for a protocol runs
out of room in its session
table, that protocol goes
into failopen mode and
enacts the action
specified by av-failopen.
Option Description
enable Enable AV fail open session option.
disable Disable AV fail open session option.
batch-cmdb Enable/disable batch option - enable

mode, allowing you to
enter a series of CLI
commands that will
execute as a group once
they are loaded.
Option Description
enable Enable batch mode to execute in CMDB server.
disable Disable batch mode to execute in CMDB server.
block-session-timer Duration in seconds for integer Minimum value: 30

blocked sessions. 1 Maximum
value: 300
br-fdb-max-entry Maximum number of integer Minimum value: 8192

bridge forwarding 8192 Maximum
database (FDB) entries. value:
2147483647

Fortinet Inc.
cert-chain-max Maximum number of integer Minimum value: 8

certificates that can be 1 Maximum
traversed in a certificate value:
chain. 2147483647
cfg-revert-timeout Time-out for reverting to integer Minimum value: 600

the last saved 10 Maximum
configuration.. value:
4294967295
cfg-save Configuration file save option - automatic

mode for CLI changes.
Option Description
automatic Automatically save config.
manual Manually save config.
revert Manually save config and revert the config when timeout.
check-protocol- Level of checking option - loose

header performed on protocol
headers. Strict checking
is more thorough but
may affect performance.
Loose checking is OK in
most cases.
Option Description
loose Check protocol header loosely.
strict Check protocol header strictly.
check-reset-range Configure ICMP error option - disable

message verification.
You can either apply
strict RST range
checking or disable it.
Option Description
strict Check RST range strictly.
disable Disable RST range check.
cli-audit-log Enable/disable CLI audit option - disable

log.

Fortinet Inc.
Option Description
enable Enable CLI audit log.
disable Disable CLI audit log.
cloud-communication Enable/disable all cloud option - enable

communication.
Option Description
enable Allow cloud communication.
disable Disable all cloud-related settings.
clt-cert-req Enable/disable requiring option - disable

administrators to have a
client certificate to log
into the GUI using
HTTPS.
Option Description
enable Enable require client certificate for GUI login.
disable Disable require client certificate for GUI login.
cmdbsvr-affinity Affinity setting for string Not Specified 0

cmdbsvr (hexadecimal
the format of
xxxxxxxxxxxxxxxx).
cpu-use-threshold Threshold at which CPU integer Minimum value: 90

usage is reported. 50 Maximum
value: 99
csr-ca-attribute Enable/disable the CA option - enable

attribute in certificates.
Some CA servers reject
CSRs that have the CA
attribute.
Option Description
enable Enable CA attribute in CSR.
disable Disable CA attribute in CSR.

Fortinet Inc.
daily-restart Enable/disable daily option - disable

restart of FortiGate unit.
Use the restart-time
option to set the time of
day for the restart.
Option Description
enable Enable daily reboot of the FortiGate.
disable Disable daily reboot of the FortiGate.
default-service- Default service source user Not Specified

source-port port range.
device-idle-timeout Time in seconds that a integer Minimum value: 300

device must be idle to 30 Maximum
automatically log the value:
device user out.. 31536000
dh-params Number of bits to use in option - 2048

the Diffie-Hellman
exchange for
HTTPS/SSH protocols.
Option Description
1024 1024 bits.
1536 1536 bits.
2048 2048 bits.
3072 3072 bits.
4096 4096 bits.
6144 6144 bits.
8192 8192 bits.
dnsproxy-worker- DNS proxy worker count. integer Minimum value: 1

count For a FortiGate with 1 Maximum
multiple logical CPUs, value: 8 **
you can set the DNS
process number from 1
to the number of logical
CPUs.
dst Enable/disable daylight option - enable

saving time.

Fortinet Inc.
Option Description
enable Enable daylight saving time.
disable Disable daylight saving time.
early-tcp-npu- Enable/disable early option - disable

session TCP NPU session.
Option Description
enable Enable early TCP NPU session in order to guarantee packet order of 3-
way handshake.
disable Disable early TCP NPU session in order to guarantee packet order of 3-
way handshake.
edit-vdom-prompt * Enable/disable edit new option - disable

VDOM prompt.
Option Description
enable Enable edit new VDOM prompt.
disable Disable edit new VDOM prompt.
extender-controller- Configure reserved ipv4-classnet- Not Specified 10.252.0.1 255.255.0.0

reserved-network network subnet for host
managed LAN extension
FortiExtender units. This
is available when the
FortiExtender daemon is
running.
failtime Fail-time for server lost. integer Minimum value: 5

0 Maximum
value:
4294967295
faz-disk-buffer-size Maximum disk buffer integer Minimum value: 0

size to temporarily store 0 Maximum
logs destined for value:
FortiAnalyzer. To be 214748364
used in the event that
FortiAnalyzer is
unavailable.

Fortinet Inc.
fds-statistics Enable/disable sending option - enable

IPS, Application Control,
and AntiVirus data to
FortiGuard. This data is
used to improve
FortiGuard services and
is not shared with
external parties and is
protected by Fortinet's
privacy policy.
Option Description
enable Enable FortiGuard statistics.
disable Disable FortiGuard statistics.
fds-statistics-period FortiGuard statistics integer Minimum value: 60

collection period in 1 Maximum
minutes.. value: 1440
fgd-alert-subscription Type of alert to retrieve option -

from FortiGuard.
Option Description
advisory Retrieve FortiGuard advisories, report and news alerts.
latest-threat Retrieve latest FortiGuard threats alerts.
latest-virus Retrieve latest FortiGuard virus alerts.
latest-attack Retrieve latest FortiGuard attack alerts.
new-antivirus- Retrieve FortiGuard AV database release alerts.

db
new-attack-db Retrieve FortiGuard IPS database release alerts.
forticontroller-proxy * Enable/disable option - enable

FortiController proxy.
Option Description
forticontroller-proxy- FortiController proxy integer Minimum value: 11133

port * port. 1024 Maximum
value: 49150

Fortinet Inc.
fortiextender Enable/disable option - disable **

FortiExtender.
Option Description
disable Disable FortiExtender controller.
enable Enable FortiExtender controller.
fortiextender-data- FortiExtender data port. integer Minimum value: 25246

port 1024 Maximum
value: 49150
fortiextender- Enable/disable option - disable

discovery-lockdown FortiExtender CAPWAP
lockdown.
Option Description
disable Unlock down new FortiExtender device discovery.
enable Lock down new FortiExtender device discovery.
fortiextender-vlan- Enable/disable option - disable

mode FortiExtender VLAN
mode.
Option Description
enable Enable FortiExtender VLAN mode.
disable Disable FortiExtender VLAN mode.
fortiservice-port FortiService port. Used integer Minimum value: 8013

by FortiClient endpoint 1 Maximum
compliance. Older value: 65535
versions of FortiClient
used a different port.
fortitoken-cloud Enable/disable option - enable

FortiToken Cloud
service.
Option Description
enable Enable FortiToken Cloud service.
disable Disable FortiToken Cloud service.

Fortinet Inc.
gui-allow-default- Enable/disable the option - disable

hostname factory default hostname
warning on the GUI
setup wizard.
Option Description
enable Display the feature in GUI.
disable Do not display the feature in GUI.
gui-cdn-usage Enable/disable Load GUI option - enable

static files from a CDN.
Option Description
gui-certificates Enable/disable the option - enable **

System > Certificate GUI
page, allowing you to
add and configure
certificates from the GUI.
Option Description
gui-custom-language Enable/disable custom option - disable

languages in GUI.
Option Description
gui-date-format Default date format used option - yyyy/MM/dd

throughout GUI.
Option Description
yyyy/MM/dd Year/Month/Day.
dd/MM/yyyy Day/Month/Year.
MM/dd/yyyy Month/Day/Year.

Fortinet Inc.
Option Description
yyyy-MM-dd Year-Month-Day.
dd-MM-yyyy Day-Month-Year.
MM-dd-yyyy Month-Day-Year.
gui-date-time-source Source from which the option - system

FortiGate GUI uses to
display date and time
entries.
Option Description
system Use this FortiGate unit's configured timezone.
browser Use the web browser's timezone.
gui-device-latitude Add the latitude of the string Not Specified

location of this FortiGate
to position it on the
Threat Map.
gui-device-longitude Add the longitude of the string Not Specified

location of this FortiGate
to position it on the
Threat Map.
gui-display- Enable/disable option - disable

hostname displaying the
FortiGate's hostname on
the GUI login page.
Option Description
gui-firmware- Enable/disable the option - enable

upgrade-warning firmware upgrade
warning on the GUI.
Option Description

Fortinet Inc.
gui-forticare- Enable/disable the option - enable

registration-setup- FortiCare registration
warning setup warning on the
GUI.
Option Description
gui-fortigate-cloud- Enable/disable option - disable

sandbox displaying FortiGate
Cloud Sandbox on the
GUI.
Option Description
gui-fortiguard- Enable/disable retrieving option - enable

resource-fetch static GUI resources
from FortiGuard.
Disabling it will improve
GUI load time for air-
gapped environments.
Option Description
enable Enable retrieving static GUI resources from FortiGuard.
disable Disable retrieving static GUI resources from FortiGuard.
gui-ipv6 Enable/disable IPv6 option - disable

settings on the GUI.
Option Description
gui-local-out Enable/disable Local-out option - disable

traffic on the GUI.
Option Description

Fortinet Inc.
gui-replacement- Enable/disable option - disable

message-groups replacement message
groups on the GUI.
Option Description
gui-rest-api-cache Enable/disable REST option - enable **

API result caching on
FortiGate.
Option Description
enable Enable REST API result caching on FortiGate.
disable Disable REST API result caching on FortiGate.
gui-theme Color scheme for the option - jade

administration GUI.
Option Description
jade Jade theme.
neutrino Neutrino theme.
mariner Mariner theme.
graphite Graphite theme.
melongene Melongene theme.
retro FortiOS v3 Retro theme.
dark-matter Dark Matter theme.
onyx Onyx theme.
eclipse Eclipse theme.
gui-wireless- Enable/disable wireless option - disable

opensecurity open security option on
the GUI.
Option Description

Fortinet Inc.
ha-affinity Affinity setting for HA string Not Specified 0

daemons (hexadecimal
the format of
xxxxxxxxxxxxxxxx).
honor-df Enable/disable honoring option - enable

of Don't-Fragment (DF)
flag.
Option Description
enable Enable honoring of Don't-Fragment flag.
disable Disable honoring of Don't-Fragment flag.
hostname FortiGate unit's string Not Specified

hostname. Most models
will truncate names
longer than 24
characters. Some
models support
hostnames up to 35
characters.
hyper-scale-vdom- Number of VDOMs for integer Minimum value: 250

num * hyper scale license. 1 Maximum
value: 250
igmp-state-limit Maximum number of integer Minimum value: 3200

IGMP memberships. 96 Maximum
value: 128000
internal-switch-speed Internal port speed. option -

*
Option Description
auto auto
1000full 1000M Full
100full 100M full.
100half 100M half.
10full 10M full.
10half 10M half.

Fortinet Inc.
internet-service- Configure which Internet option - full **

database Service database size to
download from
FortiGuard and use.
Option Description
mini Small sized Internet Service database with very limited IP addresses.
standard Medium sized Internet Service database with most IP addresses.
full Full sized Internet Service database with all IP addresses.
interval Dead gateway detection integer Minimum value: 5

interval. 0 Maximum
value:
4294967295
ip-fragment-mem- Maximum memory (MB) integer Minimum value: 32

thresholds used to reassemble 32 Maximum
IPv4/IPv6 fragments. value: 2047
ip-src-port-range IP source port range user Not Specified 1024-25000

used for traffic
originating from the
FortiGate unit.
ips-affinity * Affinity setting for IPS string Not Specified 0

(hexadecimal value up to
256 bits in the format of
xxxxxxxxxxxxxxxx;
allowed CPUs must be
less than total number of
IPS engine daemons).
ipsec-asic-offload * Enable/disable ASIC option - enable

offloading (hardware
acceleration) for IPsec
VPN traffic. Hardware
acceleration can offload
IPsec VPN sessions and
accelerate encryption
and decryption.
Option Description
enable Enable ASIC offload for IPsec VPN.
disable Disable ASIC offload for IPsec VPN.

Fortinet Inc.
ipsec-ha-seqjump- ESP jump ahead rate integer Minimum value: 10

rate (1G - 10G pps 1 Maximum
equivalent). value: 10
ipsec-hmac-offload * Enable/disable option - enable

offloading (hardware
acceleration) of HMAC
processing for IPsec
VPN.
Option Description
enable Enable offload IPsec HMAC processing to hardware if possible.
disable Disable offload IPsec HMAC processing to hardware.
ipsec-round-robin * Enable/disable round- option - disable

robin redistribution to
multiple CPUs for IPsec
VPN traffic.
Option Description
enable Enable round-robin redistribution for IPsec VPN.
disable Disable round-robin redistribution for IPsec VPN.
ipsec-soft-dec-async Enable/disable software option - disable

decryption
asynchronization (using
multiple CPUs to do
decryption) for IPsec
VPN traffic.
Option Description
enable Enable software decryption asynchronization for IPsec VPN.
disable Disable software decryption asynchronization for IPsec VPN.
ipv6-accept-dad Enable/disable integer Minimum value: 1

acceptance of IPv6 0 Maximum
Duplicate Address value: 2
Detection (DAD).
ipv6-allow-anycast- Enable/disable IPv6 option - disable

probe address probe through
Anycast.

Fortinet Inc.
Option Description
enable Enable probing of IPv6 address space through Anycast
disable Disable probing of IPv6 address space through Anycast
ipv6-allow-local-in- Enable/disable silent option - enable

slient-drop drop of IPv6 local-in
traffic.
Option Description
enable Enable slient drop of IPv6 local-in traffic.
disable Disable slient drop of IPv6 local-in traffic.
ipv6-allow-multicast- Enable/disable IPv6 option - disable

probe address probe through
Multicast.
Option Description
enable Enable probing of IPv6 address space through Multicast.
disable Disable probing of IPv6 address space through Multicast.
ipv6-allow-traffic- Disable to prevent IPv6 option - enable

redirect traffic with same local
ingress and egress
interface from being
forwarded without policy
check.
Option Description
enable Enable allow traffic IPv6 redirect.
disable Disable allow traffic IPv6 redirect.
irq-time-accounting Configure CPU IRQ time option - auto

accounting mode.
Option Description
auto Automatically switch CPU accounting mode.
force Force the use of CPU IRQ time accounting mode.
language GUI display language. option - english

Fortinet Inc.
Option Description
english English.
french French.
spanish Spanish.
portuguese Portuguese.
japanese Japanese.
korean Korean.
ldapconntimeout Global timeout for integer Minimum value: 500

connections with remote 1 Maximum
LDAP servers in value: 300000
milliseconds.
legacy-poe-device- Enable/disable legacy option - disable

support * POE device support.
Option Description
enable Enable legacy POE device support.
disable Disable legacy POE device support.
lldp-reception Enable/disable Link option - disable

Layer Discovery Protocol
(LLDP) reception.
Option Description
enable Enable reception of Link Layer Discovery Protocol (LLDP).
disable Disable reception of Link Layer Discovery Protocol (LLDP).
lldp-transmission Enable/disable Link option - disable

Layer Discovery Protocol
(LLDP) transmission.
Option Description
enable Enable transmission of Link Layer Discovery Protocol (LLDP).
disable Disable transmission of Link Layer Discovery Protocol (LLDP).

Fortinet Inc.
log-ssl-connection Enable/disable logging option - disable

of SSL connection
events.
Option Description
enable Enable logging of SSL connection events.
disable Disable logging of SSL connection events.
log-uuid-address Enable/disable insertion option - disable

of address UUIDs to
traffic logs.
Option Description
enable Enable insertion of address UUID to traffic logs.
disable Disable insertion of address UUID to traffic logs.
login-timestamp Enable/disable login time option - disable

recording.
Option Description
enable Enable login time recording.
disable Disable login time recording.
long-vdom-name * Enable/disable long option - disable

VDOM name support.
Option Description
enable Enable long VDOM name support.
disable Disable long VDOM name support.
management-ip Management IP address string Not Specified

of this FortiGate. Used to
log into this FortiGate
from another FortiGate in
the Security Fabric.
management-port Overriding port for integer Minimum value: 443

management connection 1 Maximum
(Overrides admin port). value: 65535

Fortinet Inc.
management-port- Enable/disable use of option - enable

use-admin-sport the admin-sport setting
for the management
port. If disabled,
FortiGate will allow user
to specify management-
port.
Option Description
enable Enable use of the admin-sport setting for the management port.
disable Disable use of the admin-sport setting for the management port.
management-vdom Management virtual string Not Specified root

domain name.
max-route-cache- Maximum number of IP integer Minimum value: 0

size route cache entries. 0 Maximum
value:
2147483647
memory-use- Threshold at which integer Minimum value: 95

threshold-extreme memory usage is 70 Maximum
considered extreme. value: 97

threshold-green memory usage forces 70 Maximum
the FortiGate to exit value: 97
conserve mode.

threshold-red memory usage forces 70 Maximum
the FortiGate to enter value: 97
conserve mode.
miglog-affinity * Affinity setting for logging string Not Specified 0

(64-bit hexadecimal
value in the format of
xxxxxxxxxxxxxxxx).
miglogd-children Number of logging integer Minimum value: 0

(miglogd) processes to 0 Maximum
be allowed to run. Higher value: 15
number can reduce
performance; lower
number can slow log
processing time. No logs
will be dropped or lost if
the number is changed.

Fortinet Inc.
multi-factor- Enforce all login option - optional

authentication methods to require an
additional authentication
factor.
Option Description
optional Do not enforce all login methods to require an additional authentication

factor (controlled by user settings).
mandatory Enforce all login methods to require an additional authentication factor.
ndp-max-entry Maximum number of integer Minimum value: 0

NDP table entries (set to 65536
65,536 or higher; if set to Maximum value:
0, kernel holds 65,536 2147483647
entries).
per-user-bal * Enable/disable per-user option - disable

block/allow list filter.
Option Description
enable Enable per-user block/allow list filter.
disable Disable per-user block/allow list filter.
pmtu-discovery Enable/disable path option - disable

MTU discovery.
Option Description
enable Enable path MTU discovery.
disable Disable path MTU discovery.
policy-auth- Number of concurrent integer Minimum value: 0

concurrent firewall use logins from 0 Maximum
the same user. value: 100
post-login-banner Enable/disable option - disable

displaying the
administrator access
disclaimer message after
an administrator
successfully logs in.
Option Description
disable Disable post-login banner.
enable Enable post-login banner.

Fortinet Inc.
pre-login-banner Enable/disable option - disable

displaying the
administrator access
disclaimer message on
the login page before an
administrator logs in.
Option Description
enable Enable pre-login banner.
disable Disable pre-login banner.
private-data- Enable/disable private option - disable

encryption data encryption using an
AES 128-bit key or
passpharse.
Option Description
disable Disable private data encryption using an AES 128-bit key.
enable Enable private data encryption using an AES 128-bit key.
proxy-auth-lifetime Enable/disable option - disable

authenticated users
lifetime control. This is a
cap on the total time a
proxy user can be
authenticated for after
which re-authentication
will take place.
Option Description
enable Enable authenticated users lifetime control.
disable Disable authenticated users lifetime control.
proxy-auth-lifetime- Lifetime timeout in integer Minimum value: 480

timeout minutes for 5 Maximum
authenticated users. value: 65535
proxy-auth-timeout Authentication timeout in integer Minimum value: 10

minutes for 1 Maximum
authenticated users. value: 300
proxy-cert-use- Enable/disable using option - disable

mgmt-vdom management VDOM to
send requests.

Fortinet Inc.
Option Description
proxy-hardware- Enable/disable email option - enable

acceleration * proxy hardware
acceleration.
Option Description
disable Disable email proxy hardware acceleration.
enable Enable email proxy hardware acceleration.
proxy-re- Control if users must re- option - session

authentication-mode authenticate after a
session is closed, traffic
has been idle, or from
the point at which the
user was first created.
Option Description
session Proxy re-authentication timeout begins at the closure of the session.
traffic Proxy re-authentication timeout begins after traffic has not been
received.
absolute Proxy re-authentication timeout begins when the user was first created.
proxy-resource- Enable/disable use of option - disable

mode the maximum memory
usage on the FortiGate
unit's proxy processing
of resources, such as
block lists, allow lists,
and external resources.
Option Description
enable Enable use of the maximum memory usage.
disable Disable use of the maximum memory usage.
proxy-worker-count Proxy worker count. integer Minimum value: 0

1 Maximum
value: 8 **

Fortinet Inc.
radius-port RADIUS service port integer Minimum value: 1812

number. 1 Maximum
value: 65535
reboot-upon-config- Enable/disable reboot of option - enable

restore system upon restoring
configuration.
Option Description
enable Enable reboot of system upon restoring configuration.
disable Disable reboot of system upon restoring configuration.
refresh Statistics refresh interval integer Minimum value: 0

second(s) in GUI. 0 Maximum
value:
4294967295
remoteauthtimeout Number of seconds that integer Minimum value: 5

the FortiGate waits for 1 Maximum
responses from remote value: 300
RADIUS, LDAP, or
TACACS+
authentication servers..
reset-sessionless-tcp Action to perform if the option - disable

FortiGate receives a
TCP packet but cannot
find a corresponding
session in its session
table. NAT/Route mode
only.
Option Description
enable Enable reset session-less TCP.
disable Disable reset session-less TCP.
restart-time Daily restart time user Not Specified

(hh:mm).
revision-backup-on- Enable/disable back-up option - disable

logout of the latest configuration
revision when an
administrator logs out of
the CLI or GUI.

Fortinet Inc.
Option Description
enable Enable revision config backup automatically when logout.
disable Disable revision config backup automatically when logout.
revision-image-auto- Enable/disable back-up option - disable

backup of the latest image
revision after the
firmware is upgraded.
Option Description
enable Enable revision image backup automatically when upgrading image.
disable Disable revision image backup automatically when upgrading image.
scanunit-count Number of scanunits. integer Minimum value: 0

The range and the 2 Maximum
default depend on the value: 8 **
number of CPUs. Only
available on FortiGate
units with multiple CPUs.
security-rating-result- Enable/disable the option - enable

submission submission of Security
Rating results to
FortiGuard.
Option Description
enable Enable submission of Security Rating results to FortiGuard.
disable Disable submission of Security Rating results to FortiGuard.
security-rating-run- Enable/disable option - enable

on-schedule scheduled runs of
Security Rating.
Option Description
enable Enable scheduled runs of Security Rating.
disable Disable scheduled runs of Security Rating.

Fortinet Inc.
send-pmtu-icmp Enable/disable sending option - enable

of path maximum
transmission unit
(PMTU) - ICMP
destination unreachable
packet and to support
PMTUD protocol on your
network to reduce
fragmentation of
packets.
Option Description
enable Enable sending of PMTU ICMP destination unreachable packet.
disable Disable sending of PMTU ICMP destination unreachable packet.
show-backplane-intf show/hide backplane option - disable

* interfaces
Option Description
enable show backplane interfaces
disable hide backplane interfaces
snat-route-change Enable/disable the ability option - disable

to change the static NAT
route.
Option Description
enable Enable SNAT route change.
disable Disable SNAT route change.
special-file-23- Enable/disable detection option - disable

support of those special format
files when using Data
Leak Protection.
Option Description
disable Disable detection of those special format files when using Data Leak
Protection.
enable Enable detection of those special format files when using Data Leak
Protection.
speedtest-server Enable/disable speed option - disable

test server.

Fortinet Inc.
Option Description
enable Enable speed test server service.
disable Disable speed test server service.
split-port * Split port(s) to multiple string Not Specified

10Gbps ports.
ssd-trim-date * Date within a month to integer Minimum value: 1

run ssd trim. 1 Maximum
value: 31
ssd-trim-freq * How often to run SSD option - weekly

Trim. SSD Trim prevents
SSD drive data loss by
finding and isolating
errors.
Option Description
never Never Run SSD Trim.
hourly Run SSD Trim Hourly.
daily Run SSD Trim Daily.
weekly Run SSD Trim Weekly.
monthly Run SSD Trim Monthly.
ssd-trim-hour * Hour of the day on which integer Minimum value: 1

to run SSD Trim. 0 Maximum
value: 23
ssd-trim-min * Minute of the hour on integer Minimum value: 60

which to run SSD Trim. 0 Maximum
value: 60
ssd-trim-weekday * Day of week to run SSD option - sunday

Trim.
Option Description
sunday Sunday
monday Monday
tuesday Tuesday
wednesday Wednesday
thursday Thursday

Fortinet Inc.
Option Description
friday Friday
saturday Saturday
ssh-enc-algo Select one or more SSH option - chacha20-

ciphers. poly1305@openssh.com
aes256-ctr aes256-
gcm@openssh.com
Option Description
chacha20- chacha20-poly1305@openssh.com
poly1305@openssh.com
aes128-ctr aes128-ctr
arcfour256 arcfour256
arcfour128 arcfour128
aes128-cbc aes128-cbc
3des-cbc 3des-cbc
blowfish-cbc blowfish-cbc
cast128-cbc cast128-cbc
arcfour arcfour
rijndael-cbc@lysator.liu.se rijndael-cbc@lysator.liu.se
aes128- aes128-gcm@openssh.com
gcm@openssh.com
aes256- aes256-gcm@openssh.com
gcm@openssh.com
ssh-kex-algo Select one or more SSH option - diffie-hellman-group-

kex algorithms. exchange-sha256
curve25519-
sha256@libssh.org ecdh-
sha2-nistp256 ecdh-sha2-
nistp384 ecdh-sha2-
nistp521

Fortinet Inc.
Option Description
diffie-hellman- diffie-hellman-group1-sha1
group1-sha1
diffie-hellman- diffie-hellman-group14-sha1
group14-sha1
diffie-hellman-group- diffie-hellman-group-exchange-sha1
exchange-sha1
diffie-hellman-group- diffie-hellman-group-exchange-sha256
exchange-sha256
curve25519- curve25519-sha256@libssh.org
sha256@libssh.org
ecdh-sha2-nistp256 ecdh-sha2-nistp256
ssh-mac-algo Select one or more SSH option - hmac-sha2-256 hmac-

MAC algorithms. sha2-256-
etm@openssh.com hmac-
sha2-512 hmac-sha2-512-
etm@openssh.com
Option Description
hmac-md5 hmac-md5
hmac-md5- hmac-md5-etm@openssh.com
etm@openssh.com
hmac-md5-96 hmac-md5-96
hmac-md5-96- hmac-md5-96-etm@openssh.com
etm@openssh.com
hmac-sha1 hmac-sha1
hmac-sha1- hmac-sha1-etm@openssh.com
etm@openssh.com
hmac-sha2-256 hmac-sha2-256
hmac-sha2-256- hmac-sha2-256-etm@openssh.com
etm@openssh.com
hmac-sha2-512 hmac-sha2-512

Fortinet Inc.
Option Description
hmac-sha2-512- hmac-sha2-512-etm@openssh.com
etm@openssh.com
hmac-ripemd160 hmac-ripemd160
hmac- hmac-ripemd160@openssh.com
ripemd160@openssh.com
hmac-ripemd160- hmac-ripemd160-etm@openssh.com
etm@openssh.com
umac-64@openssh.com umac-64@openssh.com
umac-128@openssh.com umac-128@openssh.com
umac-64- umac-64-etm@openssh.com
etm@openssh.com
umac-128- umac-128-etm@openssh.com
etm@openssh.com
ssl-min-proto-version Minimum supported option - TLSv1-2

protocol version for
SSL/TLS connections.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
TLSv1-3 TLSv1.3.
ssl-static-key-ciphers Enable/disable static key option - enable

ciphers in SSL/TLS
connections (e.g.
AES128-SHA, AES256-
SHA, AES128-SHA256,
AES256-SHA256).
Option Description
enable Enable static key ciphers in SSL/TLS connections.
disable Disable static key ciphers in SSL/TLS connections.

Fortinet Inc.
sslvpn-cipher- Enable/disable SSL- option - disable **

hardware- VPN hardware
acceleration * acceleration.
Option Description
enable Enable SSL-VPN cipher hardware acceleration.
disable Disable SSL-VPN cipher hardware acceleration.
sslvpn-ems-sn-check Enable/disable option - disable

verification of EMS serial
number in SSL-VPN
connection.
Option Description
enable Enable verification of EMS serial number in SSL-VPN connection.
disable Disable verification of EMS serial number in SSL-VPN connection.
sslvpn-kxp- Enable/disable SSL- option - disable **

hardware- VPN KXP hardware
acceleration * acceleration.
Option Description
enable Enable KXP SSL-VPN hardware acceleration.
disable Disable KXP SSL-VPN hardware acceleration.
sslvpn-max-worker- Maximum number of integer Minimum value: 0

count SSL-VPN processes. 0 Maximum
Upper limit for this value value: 8 **
is the number of CPUs
and depends on the
model. Default value of
zero means the SSLVPN
daemon decides the
number of worker
processes.
sslvpn-plugin- Enable/disable checking option - enable

version-check browser's plugin version
by SSL-VPN.
Option Description
enable Enable SSL-VPN automatic checking of browser plug-in version.
disable Disable SSL-VPN automatic checking of browser plug-in version.

Fortinet Inc.
strict-dirty-session- Enable to check the option - enable

check session against the
original policy when
revalidating. This can
prevent dropping of
redirected sessions
when web-filtering and
authentication are
enabled together. If this
option is enabled, the
FortiGate unit deletes a
session if a routing or
policy change causes
the session to no longer
match the policy that
originally allowed the
session.
Option Description
enable Enable strict dirty-session check.
disable Disable strict dirty-session check.
strong-crypto Enable to use strong option - enable

encryption and only
allow strong ciphers and
digest for
HTTPS/SSH/TLS/SSL
functions.
Option Description
enable Enable strong crypto for HTTPS/SSH/TLS/SSL.
disable Disable strong crypto for HTTPS/SSH/TLS/SSL.
switch-controller * Enable/disable switch option - disable

controller feature. Switch
controller allows you to
manage FortiSwitch from
the FortiGate itself.
Option Description
disable Disable switch controller feature.
enable Enable switch controller feature.

Fortinet Inc.
switch-controller- Configure reserved ipv4-classnet- Not Specified 10.255.0.0 255.255.0.0

reserved-network * network subnet for host
managed switches. This
is available when the
switch controller is
enabled.
sys-perf-log-interval Time in minutes between integer Minimum value: 5

updates of performance 0 Maximum
statistics logging.. value: 15
tcp-halfclose-timer Number of seconds the integer Minimum value: 120

FortiGate unit should 1 Maximum
wait to close a session value: 86400
after one peer has sent a
FIN packet but the other
has not responded.
tcp-halfopen-timer Number of seconds the integer Minimum value: 10

FortiGate unit should 1 Maximum
wait to close a session value: 86400
after one peer has sent
an open session packet
but the other has not
responded.
tcp-option Enable SACK, option - enable

timestamp and MSS
TCP options.
Option Description
enable Enable TCP option.
disable Disable TCP option.
tcp-rst-timer Length of the TCP integer Minimum value: 5

CLOSE state in seconds. 5 Maximum
value: 300
tcp-timewait-timer Length of the TCP TIME- integer Minimum value: 1

WAIT state in seconds. 0 Maximum
value: 300
tftp Enable/disable TFTP. option - enable
Option Description
enable Enable TFTP.
disable Disable TFTP.

Fortinet Inc.
timezone Number corresponding option - 00

to your time zone from
00 to 86. Enter set
timezone ? to view the
list of time zones and the
numbers that represent
them.
Option Description
01 (GMT-11:00) Midway Island, Samoa
02 (GMT-10:00) Hawaii
03 (GMT-9:00) Alaska
04 (GMT-8:00) Pacific Time (US & Canada)
05 (GMT-7:00) Arizona
81 (GMT-7:00) Baja California Sur, Chihuahua
06 (GMT-7:00) Mountain Time (US & Canada)
07 (GMT-6:00) Central America
08 (GMT-6:00) Central Time (US & Canada)
09 (GMT-6:00) Mexico City
10 (GMT-6:00) Saskatchewan
11 (GMT-5:00) Bogota, Lima,Quito
12 (GMT-5:00) Eastern Time (US & Canada)
13 (GMT-5:00) Indiana (East)
74 (GMT-4:00) Caracas
14 (GMT-4:00) Atlantic Time (Canada)
77 (GMT-4:00) Georgetown
15 (GMT-4:00) La Paz
87 (GMT-4:00) Paraguay
16 (GMT-3:00) Santiago
17 (GMT-3:30) Newfoundland
18 (GMT-3:00) Brasilia
19 (GMT-3:00) Buenos Aires
20 (GMT-3:00) Nuuk (Greenland)

Fortinet Inc.
Option Description
75 (GMT-3:00) Uruguay
21 (GMT-2:00) Mid-Atlantic
22 (GMT-1:00) Azores
23 (GMT-1:00) Cape Verde Is.
24 (GMT) Monrovia
80 (GMT) Greenwich Mean Time
79 (GMT) Casablanca
25 (GMT) Dublin, Edinburgh, Lisbon, London, Canary Is.
26 (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
27 (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
28 (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
78 (GMT+1:00) Namibia
29 (GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb
30 (GMT+1:00) West Central Africa
31 (GMT+2:00) Athens, Sofia, Vilnius
32 (GMT+2:00) Bucharest
33 (GMT+2:00) Cairo
34 (GMT+2:00) Harare, Pretoria
35 (GMT+2:00) Helsinki, Riga, Tallinn
36 (GMT+2:00) Jerusalem
37 (GMT+3:00) Baghdad
38 (GMT+3:00) Kuwait, Riyadh
83 (GMT+3:00) Moscow
84 (GMT+3:00) Minsk
40 (GMT+3:00) Nairobi
85 (GMT+3:00) Istanbul
41 (GMT+3:30) Tehran
42 (GMT+4:00) Abu Dhabi, Muscat
43 (GMT+4:00) Baku

Fortinet Inc.
Option Description
39 (GMT+3:00) St. Petersburg, Volgograd
44 (GMT+4:30) Kabul
46 (GMT+5:00) Islamabad, Karachi, Tashkent
47 (GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi
51 (GMT+5:30) Sri Jayawardenepara
48 (GMT+5:45) Kathmandu
45 (GMT+5:00) Ekaterinburg
49 (GMT+6:00) Almaty, Novosibirsk
50 (GMT+6:00) Astana, Dhaka
52 (GMT+6:30) Rangoon
53 (GMT+7:00) Bangkok, Hanoi, Jakarta
54 (GMT+7:00) Krasnoyarsk
55 (GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk
56 (GMT+8:00) Ulaan Bataar
57 (GMT+8:00) Kuala Lumpur, Singapore
58 (GMT+8:00) Perth
59 (GMT+8:00) Taipei
60 (GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
62 (GMT+9:30) Adelaide
63 (GMT+9:30) Darwin
61 (GMT+9:00) Yakutsk
64 (GMT+10:00) Brisbane
65 (GMT+10:00) Canberra, Melbourne, Sydney
66 (GMT+10:00) Guam, Port Moresby
67 (GMT+10:00) Hobart
68 (GMT+10:00) Vladivostok
69 (GMT+10:00) Magadan
70 (GMT+11:00) Solomon Is., New Caledonia
71 (GMT+12:00) Auckland, Wellington

Fortinet Inc.
Option Description
72 (GMT+12:00) Fiji, Kamchatka, Marshall Is.
00 (GMT+12:00) Eniwetok, Kwajalein
82 (GMT+12:45) Chatham Islands
73 (GMT+13:00) Nuku'alofa
86 (GMT+13:00) Samoa
76 (GMT+14:00) Kiritimati
traffic-priority Choose Type of Service option - tos

(ToS) or Differentiated
Services Code Point
(DSCP) for traffic
prioritization in traffic
shaping.
Option Description
tos IP TOS.
dscp DSCP (DiffServ) DS.
traffic-priority-level Default system-wide option - medium

level of priority for traffic
prioritization.
Option Description
low Low priority.
high High priority.
two-factor-email- Email-based two-factor integer Minimum value: 60

expiry authentication session 30 Maximum
timeout. value: 300
two-factor-fac-expiry FortiAuthenticator token integer Minimum value: 60

authentication session 10 Maximum
timeout. value: 3600
two-factor-ftk-expiry FortiToken integer Minimum value: 60

authentication session 60 Maximum
timeout. value: 600

Fortinet Inc.
two-factor-ftm-expiry FortiToken Mobile integer Minimum value: 72

session timeout. 1 Maximum
value: 168
two-factor-sms- SMS-based two-factor integer Minimum value: 60

expiry authentication session 30 Maximum
timeout. value: 300
udp-idle-timer UDP connection session integer Minimum value: 180

timeout. This command 1 Maximum
can be useful in value: 86400
managing CPU and
memory resources.
url-filter-affinity * URL filter CPU affinity. string Not Specified 0
url-filter-count URL filter daemon count. integer Minimum value: 1

1 Maximum
value: 1 **
user-device-store- Maximum number of integer Minimum value: 168441 **

max-devices devices allowed in user 84220
device store. Maximum value:
240630 **
user-device-store- Maximum unified integer Minimum value: 842206003 **

max-unified-mem memory allowed in user 168441200
1684412006 **
user-device-store- Maximum number of integer Minimum value: 168441 **

max-users users allowed in user 84220
240630 **
user-server-cert Certificate to use for string Not Specified Fortinet_Factory

https user
authentication.
vdom-mode * Enable/disable support option - no-vdom

for split/multiple virtual
domains (VDOMs).
Option Description
no-vdom Disable split/multiple VDOMs mode.
split-vdom Enable split VDOMs mode.
multi-vdom Enable multiple VDOMs mode.

Fortinet Inc.
vip-arp-range Controls the number of option - restricted

ARPs that the FortiGate
sends for a Virtual IP
(VIP) address range.
Option Description
unlimited Send ARPs for all addresses in VIP range.
restricted Send ARPs for the first 8192 addresses in VIP range.
virtual-switch-vlan * Enable/disable virtual option - disable

switch VLAN.
Option Description
enable Enable virtual switch VLAN.
disable Disable virtual switch VLAN.
wad-affinity * Affinity setting for wad string Not Specified 0

(hexadecimal value up to
256 bits in the format of
xxxxxxxxxxxxxxxx).
wad-csvc-cs-count Number of concurrent integer Minimum value: 1

WAD-cache-service 1 Maximum
object-cache processes. value: 1
wad-csvc-db-count Number of concurrent integer Minimum value: 0

WAD-cache-service 0 Maximum
byte-cache processes. value: 8 **
wad-memory- Minimum percentage integer Minimum value: 10

change-granularity change in system 5 Maximum
memory usage detected value: 25
by the wad daemon prior
to adjusting TCP window
size for any active
connection.
wad-source-affinity Enable/disable option - enable

dispatching traffic to
WAD workers based on
source affinity.
Option Description
disable Disable dispatching traffic to WAD workers based on source affinity.
enable Enable dispatching traffic to WAD workers based on source affinity.

Fortinet Inc.
wad-worker-count Number of explicit proxy integer Minimum value: 0

WAN optimization 0 Maximum
daemon (WAD) value: 8 **
processes. By default
WAN optimization,
explicit proxy, and web
caching is handled by all
of the CPU cores in a
FortiGate unit.
wifi-ca-certificate CA certificate that string Not Specified Fortinet_Wifi_CA

verifies the WiFi
certificate.
wifi-certificate Certificate to use for WiFi string Not Specified Fortinet_Wifi

authentication.
wimax-4g-usb Enable/disable option - disable

comparability with
WiMAX 4G USB
devices.
Option Description
enable Enable WiMax 4G.
disable Disable WiMax 4G.
wireless-controller Enable/disable the option - enable

wireless controller
feature to use the
FortiGate unit to manage
FortiAPs.
Option Description
enable Enable wireless controller.
disable Disable wireless controller.
wireless-controller- Port used for the control integer Minimum value: 5246
port channel in wireless 1024 Maximum
controller mode. value: 49150
wireless-mode * Wireless mode setting. option - ac
Option Description
ac Wireless controller with local wireless.
client Wireless client mode.
fwfap Obsolete wireless AP mode.

Fortinet Inc.
config system gre-tunnel
Configure GRE tunnel.

Description: Configure GRE tunnel.
edit <name>
set checksum-reception [disable|enable]
set checksum-transmission [disable|enable]
set dscp-copying [disable|enable]
set keepalive-failtimes {integer}
set keepalive-interval {integer}
set key-inbound {integer}
set key-outbound {integer}
set local-gw {ipv4-address-any}
set local-gw6 {ipv6-address}
set name {string}
set remote-gw {ipv4-address}
set remote-gw6 {ipv6-address}
set sequence-number-reception [disable|enable]
set sequence-number-transmission [disable|enable]
set use-sdwan [disable|enable]
next
end
auto-asic- Enable/disable automatic ASIC offloading. option - enable

offload *
Option Description
enable Enable automatic ASIC offloading.
disable Disable automatic ASIC offloading.
checksum- Enable/disable validating checksums in received option - disable

reception * GRE packets.
Option Description
disable Do not validate checksums in received GRE packets.

Fortinet Inc.
Option Description
enable Validate checksums in received GRE packets.
checksum- Enable/disable including checksums in transmitted option - disable

transmission * GRE packets.
Option Description
disable Do not include checksums in transmitted GRE packets.
enable Include checksums in transmitted GRE packets.
diffservcode DiffServ setting to be applied to GRE tunnel outer IP user Not Specified
header.
dscp-copying Enable/disable DSCP copying. option - disable
Option Description
disable Disable DSCP copying.
enable Enable DSCP copying.
ip-version IP version to use for VPN interface. option - 4
Option Description
4 Use IPv4 addressing for gateways.
keepalive- Number of consecutive unreturned keepalive integer Minimum 10

failtimes messages before a GRE connection is considered value: 1
down. Maximum
value: 255
keepalive- Keepalive message interval. integer Minimum 0

interval value: 0
Maximum
value: 32767
key-inbound * Require received GRE packets contain this key. integer Minimum 0
value: 0
Maximum
value:
4294967295

Fortinet Inc.
key-outbound * Include this key in transmitted GRE packets. integer Minimum 0

value: 0
Maximum
value:
4294967295
local-gw IP address of the local gateway. ipv4- Not Specified 0.0.0.0

address-
any
local-gw6 IPv6 address of the local gateway. ipv6- Not Specified ::

address
name Tunnel name. string Not Specified
remote-gw IP address of the remote gateway. ipv4- Not Specified 0.0.0.0

address
remote-gw6 IPv6 address of the remote gateway. ipv6- Not Specified ::

address
sequence- Enable/disable validating sequence numbers in option - disable

number- received GRE packets.
reception *
Option Description
disable Do not validate sequence number in received GRE packets.
enable Validate sequence numbers in received GRE packets.
sequence- Enable/disable including of sequence numbers in option - disable

number- transmitted GRE packets.
transmission *
Option Description
disable Include sequence numbers in transmitted GRE packets.
enable Do not include sequence numbers in transmitted GRE packets.
use-sdwan Enable/disable use of SD-WAN to reach remote option - disable

gateway.
Option Description
disable Disable use of SD-WAN to reach remote gateway.
enable Enable use of SD-WAN to reach remote gateway.

Fortinet Inc.
config system ha-monitor
Configure HA monitor.
Description: Configure HA monitor.
set monitor-vlan [enable|disable]
set vlan-hb-interval {integer}
set vlan-hb-lost-threshold {integer}
end
monitor-vlan Enable/disable monitor VLAN interfaces. option - disable
Option Description
enable Enable monitor VLAN interfaces.
disable Disable monitor VLAN interfaces.
vlan-hb- Configure heartbeat interval (seconds). integer Minimum 5

interval value: 1
Maximum
value: 30
vlan-hb-lost- VLAN lost heartbeat threshold. integer Minimum 3

threshold value: 1
Maximum
value: 60
config system ha-nonsync-csum
System checksum for FortiManager use only.

config system ha-nonsync-csum
Description: System checksum for FortiManager use only.
end
config system ha
Configure HA.
config system ha
Description: Configure HA.
set arps {integer}
set arps-interval {integer}
set cpu-threshold {user}

Fortinet Inc.
set encryption [enable|disable]
set failover-hold-time {integer}
set ftp-proxy-threshold {user}
set gratuitous-arps [enable|disable]
set group-id {integer}
set ha-direct [enable|disable]
set ha-eth-type {string}
config ha-mgmt-interfaces
Description: Reserve interfaces to manage individual cluster units.
edit <id>
set id {integer}
set gateway6 {ipv6-address}
next
end
set ha-mgmt-status [enable|disable]
set ha-uptime-diff-margin {integer}
set hb-interval {integer}
set hb-interval-in-milliseconds [100ms|10ms]
set hb-lost-threshold {integer}
set hbdev {user}
set hc-eth-type {string}
set hello-holddown {integer}
set http-proxy-threshold {user}
set imap-proxy-threshold {user}
set key {password}
set l2ep-eth-type {string}
set link-failed-signal [enable|disable]
set load-balance-all [enable|disable]
set logical-sn [enable|disable]
set memory-based-failover [enable|disable]
set memory-compatible-mode [enable|disable]
set memory-failover-flip-timeout {integer}
set memory-failover-monitor-period {integer}
set memory-failover-sample-rate {integer}
set memory-failover-threshold {integer}
set memory-threshold {user}
set mode [standalone|a-a|...]
set monitor {user}
set multicast-ttl {integer}
set nntp-proxy-threshold {user}
set override-wait-time {integer}
set pingserver-failover-threshold {integer}
set pingserver-flip-timeout {integer}
set pingserver-monitor-interface {user}
set pingserver-secondary-force-reset [enable|disable]
set pop3-proxy-threshold {user}
set route-hold {integer}
set route-ttl {integer}
set route-wait {integer}

Fortinet Inc.
set schedule [none|hub|...]
config secondary-vcluster
Description: Configure virtual cluster 2.
set vcluster-id {integer}
set override-wait-time {integer}
set monitor {user}
set pingserver-monitor-interface {user}
set pingserver-failover-threshold {integer}
set pingserver-secondary-force-reset [enable|disable]
set vdom {user}
end
set session-pickup [enable|disable]
set session-pickup-connectionless [enable|disable]
set session-pickup-delay [enable|disable]
set session-pickup-expectation [enable|disable]
set session-pickup-nat [enable|disable]
set session-sync-dev {user}
set smtp-proxy-threshold {user}
set ssd-failover [enable|disable]
set standalone-config-sync [enable|disable]
set standalone-mgmt-vdom [enable|disable]
set sync-config [enable|disable]
set sync-packet-balance [enable|disable]
set unicast-gateway {ipv4-address}
set unicast-hb [enable|disable]
set unicast-hb-netmask {ipv4-netmask}
set unicast-hb-peerip {ipv4-address}
config unicast-peers
Description: Number of unicast peers.
edit <id>
set id {integer}
set peer-ip {ipv4-address}
next
end
set unicast-status [enable|disable]
set uninterruptible-primary-wait {integer}
set uninterruptible-upgrade [enable|disable]
set vcluster2 [enable|disable]
set vdom {user}
set weight {user}
end
config system ha
arps Number of gratuitous ARPs. Lower to reduce integer Minimum 5

traffic. Higher to reduce failover time. value: 1
Maximum
value: 60

Fortinet Inc.
arps-interval Time between gratuitous ARPs . Lower to integer Minimum 8

reduce failover time. Higher to reduce traffic. value: 1
Maximum
value: 20
authentication Enable/disable heartbeat message option - disable

authentication.
Option Description
enable Enable heartbeat message authentication.
disable Disable heartbeat message authentication.
cpu-threshold Dynamic weighted load balancing CPU usage user Not Specified
weight and high and low thresholds.
encryption Enable/disable heartbeat message encryption. option - disable
Option Description
enable Enable heartbeat message encryption.
disable Disable heartbeat message encryption.
failover-hold-time Time to wait before failover , to avoid flip. integer Minimum 0

value: 0
Maximum
value: 300
ftp-proxy- Dynamic weighted load balancing weight and user Not Specified
threshold high and low number of FTP proxy sessions.
gratuitous-arps Enable/disable gratuitous ARPs. Disable if link- option - enable

failed-signal enabled.
Option Description
enable Enable gratuitous ARPs.
disable Disable gratuitous ARPs.
group-id HA group ID . Must be the same for all integer Minimum 0

members. value: 0
Maximum
value: 1023
group-name Cluster group name. Must be the same for all string Not Specified
members.

Fortinet Inc.
ha-direct Enable/disable using ha-mgmt interface for option - disable

syslog, SNMP, remote authentication
(RADIUS), FortiAnalyzer, FortiSandbox, sFlow,
and Netflow.
Option Description
enable Enable using ha-mgmt interface for syslog, SNMP, remote authentication
(RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.
disable Disable using ha-mgmt interface for syslog, SNMP, remote authentication
(RADIUS), FortiAnalyzer, FortiSandbox, sFlow, and Netflow.
ha-eth-type HA heartbeat packet Ethertype (4-digit hex). string Not Specified 8890
ha-mgmt-status Enable to reserve interfaces to manage option - disable

individual cluster units.
Option Description
ha-uptime-diff- Normally you would only reduce this value for integer Minimum 300
margin failover testing. value: 1
Maximum
value: 65535
hb-interval Time between sending heartbeat packets. integer Minimum 2

Increase to reduce false positives. value: 1
Maximum
value: 20
hb-interval-in- Number of milliseconds for each heartbeat option - 100ms

milliseconds interval: 100ms or 10ms.
Option Description
100ms Each heartbeat interval is 100ms.
10ms Each heartbeat interval is 10ms.
hb-lost-threshold Number of lost heartbeats to signal a failure. integer Minimum 6 **

Increase to reduce false positives. value: 1
Maximum
value: 60
hbdev Heartbeat interfaces. Must be the same for all user Not Specified
members. Enter <interface> <priority> pairs to
specify the priority of each heartbeat interface.
Higher priority takes precedence.

Fortinet Inc.
hc-eth-type Transparent mode HA heartbeat packet string Not Specified 8891

Ethertype (4-digit hex).
hello-holddown Time to wait before changing from hello to work integer Minimum 20
state. value: 5
Maximum
value: 300
http-proxy- Dynamic weighted load balancing weight and user Not Specified
threshold high and low number of HTTP proxy sessions.
imap-proxy- Dynamic weighted load balancing weight and user Not Specified
threshold high and low number of IMAP proxy sessions.
key Key. password Not Specified
l2ep-eth-type Telnet session HA heartbeat packet Ethertype string Not Specified 8893
(4-digit hex).
link-failed-signal Enable to shut down all interfaces for 1 sec after option - disable
a failover. Use if gratuitous ARPs do not update
network.
Option Description
load-balance-all Enable to load balance TCP sessions. Disable option - disable

to load balance proxy sessions only.
Option Description
enable Enable load balance.
disable Disable load balance.
logical-sn Enable/disable usage of the logical serial option - disable

number.
Option Description
enable Enable usage of the logical serial number.
disable Disable usage of the logical serial number.
memory-based- Enable/disable memory based failover. option - disable

failover

Fortinet Inc.
Option Description
memory- Enable/disable memory compatible mode. option - disable

compatible-mode
Option Description
memory-failover- Time to wait between subsequent memory integer Minimum 6

flip-timeout based failovers in minutes. value: 6
Maximum
value:
2147483647
memory-failover- Duration of high memory usage before memory integer Minimum 60

monitor-period based failover is triggered in seconds. value: 1
Maximum
value: 300
memory-failover- Rate at which memory usage is sampled in integer Minimum 1

sample-rate order to measure memory usage in seconds. value: 1
Maximum
value: 60
memory-failover- Memory usage threshold to trigger memory integer Minimum 0

threshold based failover (0 means using conserve mode value: 0
threshold in system.global). Maximum
value: 95
memory- Dynamic weighted load balancing memory user Not Specified

threshold usage weight and high and low thresholds.
mode HA mode. Must be the same for all members. option - standalone
FGSP requires standalone.
Option Description
standalone Standalone mode.
a-a Active-active mode.
a-p Active-passive mode.
monitor Interfaces to check for port monitoring (or link user Not Specified
failure).

Fortinet Inc.
multicast-ttl HA multicast TTL on primary. integer Minimum 600

value: 5
Maximum
value: 3600
nntp-proxy- Dynamic weighted load balancing weight and user Not Specified
threshold high and low number of NNTP proxy sessions.
override Enable and increase the priority of the unit that option - disable
should always be primary.
Option Description
override-wait- Delay negotiating if override is enabled. integer Minimum 0

time Reduces how often the cluster negotiates. value: 0
Maximum
value: 3600
password Cluster password. Must be the same for all password Not Specified
members.
pingserver- Remote IP monitoring failover threshold. integer Minimum 0

failover-threshold value: 0
Maximum
value: 50
pingserver-flip- Time to wait in minutes before renegotiating integer Minimum 60

timeout after a remote IP monitoring failover. value: 6
Maximum
value:
2147483647
pingserver- Interfaces to check for remote IP monitoring. user Not Specified

monitor-interface
pingserver- Enable to force the cluster to negotiate after a option - enable

secondary-force- remote IP monitoring failover.
reset
Option Description
enable Enable force reset of secondary after PING server failure.
disable Disable force reset of secondary after PING server failure.
pop3-proxy- Dynamic weighted load balancing weight and user Not Specified
threshold high and low number of POP3 proxy sessions.

Fortinet Inc.
priority Increase the priority to select the primary unit. integer Minimum 128
value: 0
Maximum
value: 255
route-hold Time to wait between routing table updates to integer Minimum 10

the cluster. value: 0
Maximum
value: 3600
route-ttl TTL for primary unit routes. Increase to maintain integer Minimum 10
active routes during failover. value: 5
Maximum
value: 3600
route-wait Time to wait before sending new routes to the integer Minimum 0
cluster. value: 0
Maximum
value: 3600
schedule Type of A-A load balancing. Use none if you option - round-robin
have external load balancers.
Option Description
none None.
hub Hub.
leastconnection Least connection.
round-robin Round robin.
weight-round-robin Weight round robin.
random Random.
ip IP.
ipport IP port.
session-pickup Enable/disable session pickup. Enabling it can option - disable

reduce session down time when fail over
happens.
Option Description
enable Enable session pickup.
disable Disable session pickup.
session-pickup- Enable/disable UDP and ICMP session sync. option - disable

connectionless

Fortinet Inc.
Option Description
session-pickup- Enable to sync sessions longer than 30 sec. option - disable

delay Only longer lived sessions need to be synced.
Option Description
session-pickup- Enable/disable session helper expectation option - disable

expectation session sync for FGSP.
Option Description
session-pickup- Enable/disable NAT session sync for FGSP. option - disable

nat
Option Description
session-sync-dev Offload session-sync process to kernel and user Not Specified

sync sessions using connected interface(s)
directly.
smtp-proxy- Dynamic weighted load balancing weight and user Not Specified
threshold high and low number of SMTP proxy sessions.
ssd-failover * Enable/disable automatic HA failover on SSD option - disable

disk failure.
Option Description
standalone- Enable/disable FGSP configuration option - disable

config-sync synchronization.

Fortinet Inc.
Option Description
standalone- Enable/disable standalone management option - disable

mgmt-vdom VDOM.
Option Description
sync-config Enable/disable configuration synchronization. option - enable
Option Description
enable Enable configuration synchronization.
disable Disable configuration synchronization.
sync-packet- Enable/disable HA packet distribution to option - disable

balance multiple CPUs.
Option Description
enable Enable HA packet distribution to multiple CPUs.
disable Disable HA packet distribution to multiple CPUs.
unicast-gateway Default route gateway for unicast interface. ipv4- Not Specified 0.0.0.0
* address
unicast-hb * Enable/disable unicast heartbeat. option - disable
Option Description
unicast-hb- Unicast heartbeat netmask. ipv4- Not Specified 0.0.0.0

netmask * netmask
unicast-hb-peerip Unicast heartbeat peer IP. ipv4- Not Specified 0.0.0.0

* address
unicast-status * Enable/disable unicast connection. option - disable

Fortinet Inc.
Option Description
uninterruptible- Number of minutes the primary HA unit waits integer Minimum 30

primary-wait before the secondary HA unit is considered value: 15
upgraded and the system is started before Maximum
starting its own upgrade. value: 300
uninterruptible- Enable to upgrade a cluster without blocking option - enable

upgrade network traffic.
Option Description
vcluster-id Cluster ID. integer Minimum 0

value: 0
Maximum
value: 255
vcluster2 Enable/disable virtual cluster 2 for virtual option - disable

clustering.
Option Description
vdom VDOMs in virtual cluster 1. user Not Specified
weight Weighted round robin weight for each cluster user Not Specified 0 40
unit. Syntax <priority> <weight>.

config ha-mgmt-interfaces
id Table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
interface Interface to reserve for HA management. string Not Specified
dst Default route destination for reserved HA ipv4- Not Specified 0.0.0.0
management interface. classnet 0.0.0.0
gateway Default route gateway for reserved HA management ipv4- Not Specified 0.0.0.0
interface. address
gateway6 Default IPv6 gateway for reserved HA management ipv6- Not Specified ::
interface. address
config secondary-vcluster
vcluster-id Cluster ID. integer Minimum 1

value: 0
Maximum
value: 255
override Enable and increase the priority of the unit that should option - enable
always be primary.
Option Description
priority Increase the priority to select the primary unit. integer Minimum 128
value: 0
Maximum
value: 255
override-wait- Delay negotiating if override is enabled. Reduces how integer Minimum 0

time often the cluster negotiates. value: 0
Maximum
value: 3600
monitor Interfaces to check for port monitoring (or link failure). user Not
Specified
pingserver- Interfaces to check for remote IP monitoring. user Not

monitor- Specified
interface
pingserver- Remote IP monitoring failover threshold. integer Minimum 0

failover- value: 0
threshold Maximum
value: 50

Fortinet Inc.
pingserver- Enable to force the cluster to negotiate after a remote IP option - enable
secondary- monitoring failover.
force-reset
Option Description
enable Enable force reset of secondary after PING server failure.
disable Disable force reset of secondary after PING server failure.
vdom VDOMs in virtual cluster 2. user Not

Specified
config unicast-peers
id Table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
peer-ip Unicast peer IP. ipv4- Not Specified 0.0.0.0

address
config system ike
Configure IKE global attributes.

config system ike
Description: Configure IKE global attributes.
config dh-group-1
Description: Diffie-Hellman group 1 (MODP-768).
set mode [software|hardware|...]
set keypair-cache [global|custom]
set keypair-count {integer}
end
config dh-group-14
end
config dh-group-15
end
config dh-group-16

Fortinet Inc.
end
config dh-group-17
end
config dh-group-18
end
config dh-group-19
Description: Diffie-Hellman group 19 (EC-P256).
end
config dh-group-2
end
config dh-group-20
end
config dh-group-21
end
config dh-group-27
Description: Diffie-Hellman group 27 (EC-P224BP).
end
config dh-group-28
end
config dh-group-29

Fortinet Inc.
end
config dh-group-30
end
config dh-group-31
Description: Diffie-Hellman group 31 (EC-X25519).
end
config dh-group-32
Description: Diffie-Hellman group 32 (EC-X448).
end
config dh-group-5
end
set dh-keypair-cache [enable|disable]
set dh-keypair-count {integer}
set dh-keypair-throttle [enable|disable]
set dh-mode [software|hardware]
set dh-multiprocess [enable|disable]
set dh-worker-count {integer}
set embryonic-limit {integer}
end
config system ike
dh-keypair- Enable/disable Diffie-Hellman key pair cache. option - enable

cache
Option Description
enable Enable Diffie-Hellman key pair cache.
disable Disable Diffie-Hellman key pair cache.

Fortinet Inc.
dh-keypair- Number of key pairs to pre-generate for each Diffie- integer Minimum 100 **
count Hellman group (per-worker). value: 0
Maximum
value:
50000
dh-keypair- Enable/disable Diffie-Hellman key pair cache CPU option - enable

throttle throttling.
Option Description
enable Enable Diffie-Hellman key pair cache CPU throttling.
disable Disable Diffie-Hellman key pair cache CPU throttling.
dh-mode Use software (CPU) or hardware (CPX) to perform option - hardware **

Diffie-Hellman calculations.
Option Description
software Prefer CPU to perform Diffie-Hellman calculations.
hardware Prefer CPX to perform Diffie-Hellman calculations.
dh- Enable/disable multiprocess Diffie-Hellman daemon for option - enable

multiprocess IKE.
Option Description
enable Enable multiprocess Diffie-Hellman for IKE.
disable Disable multiprocess Diffie-Hellman for IKE.
dh-worker- Number of Diffie-Hellman workers to start. integer Minimum 0

count value: 1
Maximum
value: 8 **
embryonic-limit Maximum number of IPsec tunnels to negotiate integer Minimum 5000 **

simultaneously. value: 50
Maximum
value:
20000

Fortinet Inc.
config dh-group-1
mode Use software (CPU) or hardware (CPX) to perform option - global

calculations for this Diffie-Hellman group.
Option Description
global Use global dh-mode setting.
keypair-cache Configure custom key pair cache size for this Diffie- option - global
Hellman group.
Option Description
global Use global Diffie-Hellman key pair cache setting.
custom Use custom Diffie-Hellman key pair cache setting.
keypair-count Number of key pairs to pre-generate for this Diffie- integer Minimum 0
Hellman group (per-worker). value: 0
Maximum
value:
50000
config dh-group-14

Option Description
Hellman group.
Option Description

Fortinet Inc.
Maximum
value:
50000
config dh-group-15

Option Description
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-16

Option Description

Fortinet Inc.
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-17

Option Description
Hellman group.
Option Description
Maximum
value:
50000

Fortinet Inc.
config dh-group-18

Option Description
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-19

Option Description
Hellman group.
Option Description

Fortinet Inc.
Maximum
value:
50000
config dh-group-2

Option Description
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-20

Option Description

Fortinet Inc.
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-21

Option Description
Hellman group.
Option Description
Maximum
value:
50000

Fortinet Inc.
config dh-group-27

Option Description
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-28

Option Description
Hellman group.
Option Description

Fortinet Inc.
Maximum
value:
50000
config dh-group-29

Option Description
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-30

Option Description

Fortinet Inc.
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-31

Option Description
Hellman group.
Option Description
Maximum
value:
50000

Fortinet Inc.
config dh-group-32

Option Description
Hellman group.
Option Description
Maximum
value:
50000
config dh-group-5

Option Description
Hellman group.
Option Description

Fortinet Inc.
Maximum
value:
50000
config system info admin ssh
Show SSH status.

config system info admin ssh
Description: Show SSH status.
end
config system info admin status
Show logged in administrators.

config system info admin status
Description: Show logged in administrators.
end
config system interface
Configure interfaces.
Description: Configure interfaces.
edit <name>
set ac-name {string}
set aggregate {string}
set algorithm [L2|L3|...]
set alias {string}
set ap-discover [enable|disable]
set arpforward [enable|disable]
set atm-protocol [none|ipoa]
set auth-portal-addr {string}
set auth-type [auto|pap|...]
set auto-auth-extension-device [enable|disable]
set bandwidth-measure-time {integer}
set broadcast-forward [enable|disable]
set cli-conn-status {integer}
config client-options

Fortinet Inc.
Description: DHCP client options.
edit <id>
set id {integer}
set code {integer}
set type [hex|string|...]
set value {string}
set ip {user}
next
end
set color {integer}
set dedicated-to [none|management]
set defaultgw [enable|disable]
set detected-peer-mtu {integer}
set detectprotocol {option1}, {option2}, ...
set detectserver {user}
set device-identification [enable|disable]
set device-user-identification [enable|disable]
set devindex {integer}
set dhcp-classless-route-addition [enable|disable]
set dhcp-client-identifier {string}
set dhcp-relay-agent-option [enable|disable]
set dhcp-relay-interface {string}
set dhcp-relay-interface-select-method [auto|sdwan|...]
set dhcp-relay-ip {user}
set dhcp-relay-link-selection {ipv4-address}
set dhcp-relay-request-all-server [disable|enable]
set dhcp-relay-service [disable|enable]
set dhcp-relay-type [regular|ipsec]
set dhcp-renew-time {integer}
config dhcp-snooping-server-list
Description: Configure DHCP server access list.
edit <name>
set name {string}
next
end
set disc-retry-timeout {integer}
set dns-server-override [enable|disable]
set dns-server-protocol {option1}, {option2}, ...
set drop-fragment [enable|disable]
set drop-overlapped-fragment [enable|disable]
set egress-cos [disable|cos0|...]
config egress-queues
Description: Configure queues of NP port on egress path.
set cos0 {string}
set cos1 {string}
set cos2 {string}
set cos3 {string}
set cos4 {string}
set cos5 {string}
set cos6 {string}
set cos7 {string}
end

Fortinet Inc.
set egress-shaping-profile {string}
set estimated-downstream-bandwidth {integer}
set estimated-upstream-bandwidth {integer}
set explicit-ftp-proxy [enable|disable]
set explicit-web-proxy [enable|disable]
set fail-action-on-extender [soft-restart|hard-restart|...]
set fail-alert-interfaces <name1>, <name2>, ...
set fail-alert-method [link-failed-signal|link-down]
set fail-detect [enable|disable]
set fail-detect-option {option1}, {option2}, ...
set fortilink [enable|disable]
set fortilink-backup-link {integer}
set fortilink-neighbor-detect [lldp|fortilink]
set fortilink-split-interface [enable|disable]
set forward-domain {integer}
set forward-error-correction [none|disable|...]
set gateway-address {ipv4-address}
set gwaddr {ipv4-address}
set gwdetect [enable|disable]
set ha-priority {integer}
set icmp-accept-redirect [enable|disable]
set icmp-send-redirect [enable|disable]
set ident-accept [enable|disable]
set idle-timeout {integer}
set inbandwidth {integer}
set ingress-cos [disable|cos0|...]
set ingress-shaping-profile {string}
set ingress-spillover-threshold {integer}
set internal {integer}
set ip-managed-by-fortiipam [enable|disable]
set ipmac [enable|disable]
set ips-sniffer-mode [enable|disable]
set ipunnumbered {ipv4-address}
config ipv6
Description: IPv6 of interface.
set ip6-mode [static|dhcp|...]
set nd-mode [basic|SEND-compatible]
set nd-cert {string}
set nd-security-level {integer}
set nd-timestamp-delta {integer}
set nd-timestamp-fuzz {integer}
set nd-cga-modifier {user}
set ip6-dns-server-override [enable|disable]
set ip6-address {ipv6-prefix}
config ip6-extra-addr
Description: Extra IPv6 address prefixes of interface.
edit <prefix>
set prefix {ipv6-prefix}
next
end
set ip6-allowaccess {option1}, {option2}, ...
set ip6-send-adv [enable|disable]
set icmp6-send-redirect [enable|disable]

Fortinet Inc.
set ip6-manage-flag [enable|disable]
set ip6-other-flag [enable|disable]
set ip6-max-interval {integer}
set ip6-min-interval {integer}
set ip6-link-mtu {integer}
set ra-send-mtu [enable|disable]
set ip6-reachable-time {integer}
set ip6-retrans-time {integer}
set ip6-default-life {integer}
set ip6-hop-limit {integer}
set autoconf [enable|disable]
set unique-autoconf-addr [enable|disable]
set interface-identifier {ipv6-address}
set ip6-prefix-mode [dhcp6|ra]
set ip6-upstream-interface {string}
set ip6-delegated-prefix-iaid {integer}
set ip6-subnet {ipv6-prefix}
config ip6-prefix-list
Description: Advertised prefix list.
edit <prefix>
set prefix {ipv6-network}
set autonomous-flag [enable|disable]
set onlink-flag [enable|disable]
set valid-life-time {integer}
set preferred-life-time {integer}
set rdnss {user}
set dnssl <domain1>, <domain2>, ...
next
end
config ip6-delegated-prefix-list
Description: Advertised IPv6 delegated prefix list.
edit <prefix-id>
set prefix-id {integer}
set upstream-interface {string}
set delegated-prefix-iaid {integer}
set autonomous-flag [enable|disable]
set onlink-flag [enable|disable]
set subnet {ipv6-network}
set rdnss-service [delegated|default|...]
set rdnss {user}
next
end
set dhcp6-relay-service [disable|enable]
set dhcp6-relay-type {option}
set dhcp6-relay-ip {user}
set dhcp6-client-options {option1}, {option2}, ...
set dhcp6-prefix-delegation [enable|disable]
set dhcp6-information-request [enable|disable]
config dhcp6-iapd-list
Description: DHCPv6 IA-PD list.
edit <iaid>
set iaid {integer}
set prefix-hint {ipv6-network}
set prefix-hint-plt {integer}
set prefix-hint-vlt {integer}
next

Fortinet Inc.
end
set cli-conn6-status {integer}
set vrrp-virtual-mac6 [enable|disable]
set vrip6_link_local {ipv6-address}
config vrrp6
Description: IPv6 VRRP configuration.
edit <vrid>
set vrid {integer}
set vrgrp {integer}
set vrip6 {ipv6-address}
set adv-interval {integer}
set start-time {integer}
set preempt [enable|disable]
set accept-mode [enable|disable]
set vrdst6 {ipv6-address}
next
end
end
set l2forward [enable|disable]
set l2tp-client [enable|disable]
config l2tp-client-settings
Description: L2TP client settings.
set user {string}
set peer-host {string}
set peer-mask {ipv4-netmask}
set peer-port {integer}
set mtu {integer}
set defaultgw [enable|disable]
end
set lacp-ha-slave [enable|disable]
set lacp-mode [static|passive|...]
set lacp-speed [slow|fast]
set lcp-echo-interval {integer}
set lcp-max-echo-fails {integer}
set link-up-delay {integer}
set lldp-network-policy {string}
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set macaddr {mac-address}
set managed-subnetwork-size [32|64|...]
set management-ip {ipv4-classnet-host}
set measured-downstream-bandwidth {integer}
set measured-upstream-bandwidth {integer}
set mediatype [serdes-sfp|sgmii-sfp|...]
set member <interface-name1>, <interface-name2>, ...
set min-links {integer}
set min-links-down [operational|administrative]
set mode [static|dhcp|...]

Fortinet Inc.
set monitor-bandwidth [enable|disable]
set mtu {integer}
set mtu-override [enable|disable]
set mux-type [llc-encaps|vc-encaps]
set name {string}
set ndiscforward [enable|disable]
set netbios-forward [disable|enable]
set netflow-sampler [disable|tx|...]
set np-qos-profile {integer}
set outbandwidth {integer}
set padt-retry-timeout {integer}
set phy-mode {option}
set ping-serv-status {integer}
set poe [enable|disable]
set polling-interval {integer}
set pppoe-unnumbered-negotiate [enable|disable]
set pptp-auth-type [auto|pap|...]
set pptp-client [enable|disable]
set pptp-password {password}
set pptp-server-ip {ipv4-address}
set pptp-timeout {integer}
set pptp-user {string}
set preserve-session-route [enable|disable]
set priority-override [enable|disable]
set proxy-captive-portal [enable|disable]
set pvc-atm-qos [cbr|rt-vbr|...]
set pvc-chan {integer}
set pvc-crc {integer}
set pvc-pcr {integer}
set pvc-scr {integer}
set pvc-vlan-id {integer}
set pvc-vlan-rx-id {integer}
set pvc-vlan-rx-op [pass-through|replace|...]
set pvc-vlan-tx-id {integer}
set pvc-vlan-tx-op [pass-through|replace|...]
set reachable-time {integer}
set redundant-interface {string}
set remote-ip {ipv4-classnet-host}
set retransmission [disable|enable]
set ring-rx {integer}
set ring-tx {integer}
set role [lan|wan|...]
set sample-direction [tx|rx|...]
set sample-rate {integer}
set secondary-IP [enable|disable]
config secondaryip
Description: Second IP address of interface.
edit <id>
set id {integer}
set gwdetect [enable|disable]
set ping-serv-status {integer}

Fortinet Inc.
set detectserver {user}
set detectprotocol {option1}, {option2}, ...
next
end
set security-8021x-dynamic-vlan-id {integer}
set security-8021x-master {string}
set security-8021x-mode [default|dynamic-vlan|...]
set security-exempt-list {string}
set security-external-logout {string}
set security-external-web {var-string}
set security-groups <name1>, <name2>, ...
set security-mac-auth-bypass [mac-auth-only|enable|...]
set security-mode [none|captive-portal|...]
set security-redirect-url {var-string}
set service-name {string}
set sflow-sampler [enable|disable]
set sfp-dsl [disable|enable]
set sfp-dsl-adsl-fallback [disable|enable]
set sfp-dsl-autodetect [disable|enable]
set sfp-dsl-mac {mac-address}
set snmp-index {integer}
set speed [auto|10full|...]
set spillover-threshold {integer}
set src-check [enable|disable]
set status [up|down]
set stp [disable|enable]
set stp-ha-secondary [disable|enable|...]
set stpforward [enable|disable]
set stpforward-mode [rpl-all-ext-id|rpl-bridge-ext-id|...]
set subst [enable|disable]
set substitute-dst-mac {mac-address}
set sw-algorithm [l2|l3|...]
set swc-first-create {integer}
set swc-vlan {integer}
set switch {string}
set switch-controller-access-vlan [enable|disable]
set switch-controller-arp-inspection [enable|disable]
set switch-controller-dhcp-snooping [enable|disable]
set switch-controller-dhcp-snooping-option82 [enable|disable]
set switch-controller-dhcp-snooping-verify-mac [enable|disable]
set switch-controller-dynamic {string}
set switch-controller-feature [none|default-vlan|...]
set switch-controller-igmp-snooping [enable|disable]
set switch-controller-igmp-snooping-fast-leave [enable|disable]
set switch-controller-igmp-snooping-proxy [enable|disable]
set switch-controller-iot-scanning [enable|disable]
set switch-controller-learning-limit {integer}
set switch-controller-mgmt-vlan {integer}
set switch-controller-nac {string}
set switch-controller-rspan-mode [disable|enable]
set switch-controller-source-ip [outbound|fixed]
set switch-controller-traffic-policy {string}
set system-id {mac-address}
set system-id-type [auto|user]
config tagging

Fortinet Inc.
edit <name>
set name {string}
next
end
set tc-mode {option}
set tcp-mss {integer}
set trunk [enable|disable]
set trust-ip-1 {ipv4-classnet-any}
set trust-ip6-1 {ipv6-prefix}
set type [physical|vlan|...]
set vci {integer}
set vdom {string}
set vectoring [disable|enable]
set vindex {integer}
set vlan-protocol [8021q|8021ad]
set vlanforward [enable|disable]
set vpi {integer}
set vrf {integer}
config vrrp
Description: VRRP configuration.
edit <vrid>
set vrid {integer}
set version [2|3]
set vrgrp {integer}
set vrip {ipv4-address-any}
set adv-interval {integer}
set start-time {integer}
set preempt [enable|disable]
set accept-mode [enable|disable]
set vrdst {ipv4-address-any}
set vrdst-priority {integer}
set ignore-default-route [enable|disable]
config proxy-arp
Description: VRRP Proxy ARP configuration.
edit <id>
set id {integer}
set ip {user}
next
end
next
end
set vrrp-virtual-mac [enable|disable]
set wccp [enable|disable]
set wifi-5g-threshold {string}

Fortinet Inc.
set wifi-acl [allow|deny]
set wifi-ap-band [any|5g-preferred|...]
set wifi-auth [PSK|radius|...]
set wifi-auto-connect [enable|disable]
set wifi-auto-save [enable|disable]
set wifi-broadcast-ssid [enable|disable]
set wifi-encrypt [TKIP|AES]
set wifi-fragment-threshold {integer}
set wifi-key {password}
set wifi-keyindex {integer}
set wifi-mac-filter [enable|disable]
config wifi-mac-list
Description: MAC filter list.
edit <id>
set id {integer}
next
end
config wifi-networks
Description: WiFi network table.
edit <id>
set id {integer}
set wifi-ssid {string}
set wifi-security [open|wep64|...]
set wifi-encrypt [TKIP|AES]
set wifi-keyindex {integer}
set wifi-key {password}
set wifi-passphrase {password}
next
end
set wifi-passphrase {password}
set wifi-radius-server {string}
set wifi-rts-threshold {integer}
set wifi-security [open|wep64|...]
set wifi-ssid {string}
set wifi-usergroup {string}
set wins-ip {ipv4-address}
next
end
ac-name PPPoE server name. string Not Specified
aggregate Aggregate interface. string Not Specified
algorithm Frame distribution algorithm. option - L4
Option Description
L2 Use layer 2 address for distribution.

Fortinet Inc.
Option Description
L4 Use layer 4 information for distribution.
alias Alias will be displayed with the interface string Not Specified
name to make it easier to distinguish.
allowaccess Permitted types of management access option -

to this interface.
Option Description
ping PING access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
http HTTP access.
ftm FTM access.
speed-test Speed test access.
ap-discover Enable/disable automatic registration of option - enable

unknown FortiAP devices.
Option Description
enable Enable automatic registration of unknown FortiAP devices.
disable Disable automatic registration of unknown FortiAP devices.
arpforward Enable/disable ARP forwarding. option - enable
Option Description
enable Enable ARP forwarding.
disable Disable ARP forwarding.
atm-protocol * ATM protocol. option - none

Fortinet Inc.
Option Description
none Not over ATM.
ipoa IPoA RFC2684.
auth-cert HTTPS server certificate. string Not Specified
auth-portal-addr Address of captive portal. string Not Specified
auth-type PPP authentication type to use. option - auto
Option Description
auto Automatically choose authentication.
pap PAP authentication.
chap CHAP authentication.
mschapv1 MS-CHAPv1 authentication.
auto-auth- Enable/disable automatic authorization option - disable

extension-device of dedicated Fortinet extension device
on this interface.
Option Description
enable Enable automatic authorization of dedicated Fortinet extension device on

this interface.
disable Disable automatic authorization of dedicated Fortinet extension device on

this interface.
bandwidth- Bandwidth measure time. integer Minimum 0

measure-time value: 0
Maximum
value:
4294967295
bfd Bidirectional Forwarding Detection option - global

(BFD) settings.
Option Description
global BFD behavior of this interface will be based on global configuration.
enable Enable BFD on this interface and ignore global configuration.
disable Disable BFD on this interface and ignore global configuration.

Fortinet Inc.
bfd-desired-min- BFD desired minimal transmit interval. integer Minimum 250

tx value: 1
Maximum
value: 100000
bfd-detect-mult BFD detection multiplier. integer Minimum 3

value: 1
Maximum
value: 50
bfd-required-min- BFD required minimal receive interval. integer Minimum 250

rx value: 1
Maximum
value: 100000
broadcast- Enable/disable broadcast forwarding. option - disable

forward
Option Description
enable Enable broadcast forwarding.
disable Disable broadcast forwarding.
cli-conn-status CLI connection status. integer Minimum 0

value: 0
Maximum
value:
4294967295

value: 0
Maximum
value: 32
dedicated-to Configure interface for single purpose. option - none
Option Description
none Interface not dedicated for any purpose.
management Dedicate this interface for management purposes only.
defaultgw Enable to get the gateway IP from the option - enable

DHCP or PPPoE server.
Option Description
enable Enable default gateway.
disable Disable default gateway.

Fortinet Inc.
detected-peer- MTU of detected peer. integer Minimum 0

mtu value: 0
Maximum
value:
4294967295
detectprotocol Protocols used to detect the server. option - ping
Option Description
ping PING.
tcp-echo TCP echo.
udp-echo UDP echo.
detectserver Gateway's ping server for this IP. user Not Specified
device- Enable/disable passively gathering of option - disable

identification device identity information about the
devices on the network connected to this
interface.
Option Description
enable Enable passive gathering of identity information about hosts.
disable Disable passive gathering of identity information about hosts.
device-user- Enable/disable passive gathering of user option - enable

identification identity information about users on this
interface.
Option Description
enable Enable passive gathering of user identity information about users.
disable Disable passive gathering of user identity information about users.
devindex Device Index. integer Minimum 0

value: 0
Maximum
value:
4294967295
dhcp-classless- Enable/disable addition of classless option - disable **

route-addition static routes retrieved from DHCP
server.

Fortinet Inc.
Option Description
enable Enable addition of classless static routes retrieved from DHCP server.
disable Disable addition of classless static routes retrieved from DHCP server.
dhcp-client- DHCP client identifier. string Not Specified

identifier
dhcp-relay- Enable/disable DHCP relay agent option. option - enable

agent-option
Option Description
enable Enable DHCP relay agent option.
disable Disable DHCP relay agent option.
dhcp-relay- Specify outgoing interface to reach string Not Specified

interface server.
dhcp-relay- Specify how to select outgoing interface option - auto

interface-select- to reach server.
method
Option Description
dhcp-relay-ip DHCP relay IP address. user Not Specified
dhcp-relay-link- DHCP relay link selection. ipv4- Not Specified 0.0.0.0

selection address
dhcp-relay- Enable/disable sending of DHCP option - disable

request-all- requests to all servers.
server
Option Description
disable Send DHCP requests only to a matching server.
enable Send DHCP requests to all servers.
dhcp-relay- Enable/disable allowing this interface to option - disable

service act as a DHCP relay.

Fortinet Inc.
Option Description
disable None.
enable DHCP relay agent.
dhcp-relay-type DHCP relay type (regular or IPsec). option - regular
Option Description
regular Regular DHCP relay.
ipsec DHCP relay for IPsec.
dhcp-renew-time DHCP renew time in seconds , 0 means integer Minimum 0

use the renew time provided by the value: 300
server. Maximum
value: 604800
disc-retry-timeout Time in seconds to wait before retrying to integer Minimum 1

start a PPPoE discovery, 0 means no value: 0
timeout. Maximum
value:
4294967295
disconnect- Time in milliseconds to wait before integer Minimum 0

threshold sending a notification that this interface is value: 0
down or disconnected. Maximum
value: 10000
distance Distance for routes learned through integer Minimum 5

PPPoE or DHCP, lower distance value: 1
indicates preferred route. Maximum
value: 255
dns-server- Enable/disable use DNS acquired by option - enable

override DHCP or PPPoE.
Option Description
enable Use DNS acquired by DHCP or PPPoE.
disable No not use DNS acquired by DHCP or PPPoE.
dns-server- DNS transport protocols. option - cleartext

protocol
Option Description

Fortinet Inc.
Option Description
drop-fragment Enable/disable drop fragment packets. option - disable
Option Description
enable Enable/disable drop fragment packets.
disable Do not drop fragment packets.
drop-overlapped- Enable/disable drop overlapped option - disable

fragment fragment packets.
Option Description
enable Enable drop of overlapped fragment packets.
disable Disable drop of overlapped fragment packets.
egress-cos * Override outgoing CoS in user VLAN tag. option - disable
Option Description
disable Disable.
cos0 CoS 0.
cos1 CoS 1.
cos2 CoS 2.
cos3 CoS 3.
cos4 CoS 4.
cos5 CoS 5.
cos6 CoS 6.
cos7 CoS 7.
egress-shaping- Outgoing traffic shaping profile. string Not Specified

profile
estimated- Estimated maximum downstream integer Minimum 0

downstream- bandwidth (kbps). Used to estimate link value: 0
bandwidth utilization. Maximum
value:
4294967295

Fortinet Inc.
estimated- Estimated maximum upstream integer Minimum 0

upstream- bandwidth (kbps). Used to estimate link value: 0
bandwidth utilization. Maximum
value:
4294967295
explicit-ftp-proxy Enable/disable the explicit FTP proxy on option - disable

this interface.
Option Description
enable Enable explicit FTP proxy on this interface.
disable Disable explicit FTP proxy on this interface.
explicit-web- Enable/disable the explicit web proxy on option - disable

proxy this interface.
Option Description
enable Enable explicit Web proxy on this interface.
disable Disable explicit Web proxy on this interface.
external Enable/disable identifying the interface option - disable

as an external interface (which usually
means it's connected to the Internet).
Option Description
enable Enable identifying the interface as an external interface.
disable Disable identifying the interface as an external interface.
fail-action-on- Action on FortiExtender when interface option - soft-restart

extender fail.
Option Description
soft-restart Soft-restart-on-extender.
hard-restart Hard-restart-on-extender.
reboot Reboot-on-extender.
fail-alert- Names of the FortiGate interfaces to string Maximum

interfaces which the link failure alert is sent. length: 79
<name> Names of the non-virtual interface.
fail-alert-method Select link-failed-signal or link-down option - link-down

method to alert about a failed link.

Fortinet Inc.
Option Description
link-failed-signal Link-failed-signal.
link-down Link-down.
fail-detect Enable/disable fail detection features for option - disable

this interface.
Option Description
enable Enable interface failed option status.
disable Disable interface failed option status.
fail-detect-option Options for detecting that this interface option - link-down

has failed.
Option Description
detectserver Use a ping server to determine if the interface has failed.
link-down Use port detection to determine if the interface has failed.
fortilink * Enable FortiLink to dedicate this option - disable

interface to manage other Fortinet
devices.
Option Description
enable Enable FortiLink to dedicated interface for managing FortiSwitch devices.
disable Disable FortiLink to dedicated interface for managing FortiSwitch devices.
fortilink-backup- FortiLink split interface backup link. integer Minimum 0

link value: 0
Maximum
value: 255
fortilink-neighbor- Protocol for FortiGate neighbor option - fortilink

detect discovery.
Option Description
lldp Detect FortiLink neighbors using LLDP protocol.
fortilink Detect FortiLink neighbors using FortiLink protocol.
fortilink-split- Enable/disable FortiLink split interface to option - enable

interface connect member link to different
FortiSwitch in stack for uplink
redundancy.

Fortinet Inc.
Option Description
enable Enable FortiLink split interface to connect member link to different

FortiSwitch in stack for uplink redundancy.
disable Disable FortiLink split interface.
forward-domain Transparent mode forward domain. integer Minimum 0

value: 0
Maximum
value:
2147483647
forward-error- Configure forward error correction option - none

correction * (FEC).
Option Description
none none
disable Disable forward error correction (FEC).
cl91-rs-fec Reed-Solomon (FEC CL91).
cl74-fc-fec Fire-Code (FEC CL74).
gateway-address Gateway address ipv4- Not Specified 0.0.0.0

* address
gwaddr * Gateway address ipv4- Not Specified 0.0.0.0

address
gwdetect Enable/disable detect gateway alive for option - disable

first.
Option Description
enable Enable detect gateway alive for first.
disable Disable detect gateway alive for first.
ha-priority HA election priority for the PING server. integer Minimum 1

value: 1
Maximum
value: 50
icmp-accept- Enable/disable ICMP accept redirect. option - enable

redirect
Option Description
enable Enable ICMP accept redirect.

Fortinet Inc.
Option Description
disable Disable ICMP accept redirect.
icmp-send- Enable/disable sending of ICMP option - enable

redirect redirects.
Option Description
enable Enable sending of ICMP redirects.
disable Disable sending of ICMP redirects.
ident-accept Enable/disable authentication for this option - disable

interface.
Option Description
enable Enable determining a user's identity from packet identification.
disable Disable determining a user's identity from packet identification.
idle-timeout PPPoE auto disconnect after idle timeout integer Minimum 0

seconds, 0 means no timeout. value: 0
Maximum
value: 32767
inbandwidth Bandwidth limit for incoming traffic , 0 integer Minimum 0

means unlimited. value: 0
Maximum
value:
80000000 **
ingress-cos * Override incoming CoS in user VLAN tag option - disable

on VLAN interface or assign a priority
VLAN tag on physical interface.
Option Description
disable Disable.
cos0 CoS 0.
cos1 CoS 1.
cos2 CoS 2.
cos3 CoS 3.
cos4 CoS 4.
cos5 CoS 5.

Fortinet Inc.
Option Description
cos6 CoS 6.
cos7 CoS 7.
ingress-shaping- Incoming traffic shaping profile. string Not Specified

profile
ingress-spillover- Ingress Spillover threshold , 0 means integer Minimum 0

threshold unlimited. value: 0
Maximum
value:
16776000
internal Implicitly created. integer Minimum 0

value: 0
Maximum
value: 255
ip Interface IPv4 address and subnet mask, ipv4- Not Specified 0.0.0.0 0.0.0.0
syntax: X.X.X.X/24. classnet-
host
ip-managed-by- Enable/disable automatic IP address option - disable

fortiipam assignment of this interface by
FortiIPAM.
Option Description
enable Enable automatic IP address assignment of this interface by FortiIPAM.
disable Disable automatic IP address assignment of this interface by FortiIPAM.
ipmac Enable/disable IP/MAC binding. option - disable
Option Description
enable Enable IP/MAC binding.
disable Disable IP/MAC binding.
ips-sniffer-mode Enable/disable the use of this interface option - disable

as a one-armed sniffer.
Option Description
enable Enable IPS sniffer mode.
disable Disable IPS sniffer mode.

Fortinet Inc.
ipunnumbered Unnumbered IP used for PPPoE ipv4- Not Specified 0.0.0.0

interfaces for which no unique local address
address is provided.
l2forward Enable/disable l2 forwarding. option - disable
Option Description
enable Enable L2 forwarding.
disable Disable L2 forwarding.
l2tp-client * Enable/disable this interface as a Layer 2 option - disable

Tunnelling Protocol (L2TP) client.
Option Description
enable Enable L2TP client.
disable Disable L2TP client.
lacp-ha-slave LACP HA slave. option - enable
Option Description
enable Allow HA slave to send/receive LACP messages.
disable Block HA slave from sending/receiving LACP messages.
lacp-mode LACP mode. option - active
Option Description
static Use static aggregation, do not send and ignore any LACP messages.
passive Passively use LACP to negotiate 802.3ad aggregation.
active Actively use LACP to negotiate 802.3ad aggregation.
lacp-speed How often the interface sends LACP option - slow

messages.
Option Description
slow Send LACP message every 30 seconds.
fast Send LACP message every second.
lcp-echo-interval Time in seconds between PPPoE Link integer Minimum 5

Control Protocol (LCP) echo requests. value: 0
Maximum
value: 32767

Fortinet Inc.
lcp-max-echo- Maximum missed LCP echo messages integer Minimum 3

fails before disconnect. value: 0
Maximum
value: 32767
link-up-delay Number of milliseconds to wait before integer Minimum 50

considering a link is up. value: 50
Maximum
value:
3600000
lldp-network- LLDP-MED network policy profile. string Not Specified

policy
lldp-reception Enable/disable Link Layer Discovery option - vdom

Protocol (LLDP) reception.
Option Description
enable Enable reception of Link Layer Discovery Protocol (LLDP).
disable Disable reception of Link Layer Discovery Protocol (LLDP).
vdom Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration
setting.
lldp-transmission Enable/disable Link Layer Discovery option - vdom

Protocol (LLDP) transmission.
Option Description
enable Enable transmission of Link Layer Discovery Protocol (LLDP).
disable Disable transmission of Link Layer Discovery Protocol (LLDP).
vdom Use VDOM Link Layer Discovery Protocol (LLDP) transmission

configuration setting.
macaddr Change the interface's MAC address. mac- Not Specified 00:00:00:00:00:00 **
address
managed- Number of IP addresses to be allocated option - 256

subnetwork-size by FortiIPAM and used by this FortiGate
unit's DHCP server settings.
Option Description
32 Allocate a subnet with 32 IP addresses.

Fortinet Inc.
Option Description
management-ip High Availability in-band management IP ipv4- Not Specified 0.0.0.0 0.0.0.0
address of this interface. classnet-
host
measured- Measured downstream bandwidth integer Minimum 0

downstream- (kbps). value: 0
bandwidth Maximum
value:
4294967295
measured- Measured upstream bandwidth (kbps). integer Minimum 0

upstream- value: 0
bandwidth Maximum
value:
4294967295
mediatype * Select SFP media interface type option - serdes-sfp
Option Description
serdes-sfp SFP using SerDes Media Interface
sgmii-sfp SFP using SGMII Media Interface
serdes-copper- Copper SFP using SerDes media Interface.

sfp
member Physical interfaces that belong to the string Maximum

<interface- aggregate or redundant interface. length: 79
name> Physical interface name.

Fortinet Inc.
min-links Minimum number of aggregated ports integer Minimum 1

that must be up. value: 1
Maximum
value: 32
min-links-down Action to take when less than the option - operational

configured minimum number of links are
active.
Option Description
operational Set the aggregate operationally down.
administrative Set the aggregate administratively down.
mode Addressing mode (static, DHCP, option - static

PPPoE).
Option Description
static Static setting.
dhcp External DHCP client mode.
pppoe External PPPoE mode.
monitor- Enable monitoring bandwidth on this option - disable

bandwidth interface.
Option Description
enable Enable monitoring bandwidth on this interface.
disable Disable monitoring bandwidth on this interface.
mtu MTU value for this interface. integer Minimum 1500

value: 0
Maximum
value:
4294967295
mtu-override Enable to set a custom MTU for this option - disable

interface.
Option Description
enable Override default MTU.
disable Use default MTU.
mux-type * Multiplexer type option - llc-encaps

Fortinet Inc.
Option Description
llc-encaps LLC encapsulation.
vc-encaps VC encapsulation.
ndiscforward Enable/disable NDISC forwarding. option - enable
Option Description
enable Enable NDISC forwarding.
disable Disable NDISC forwarding.
netbios-forward Enable/disable NETBIOS forwarding. option - disable
Option Description
disable Disable NETBIOS forwarding.
enable Enable NETBIOS forwarding.
netflow-sampler Enable/disable NetFlow on this interface option - disable

and set the data that NetFlow collects
(rx, tx, or both).
Option Description
disable Disable NetFlow protocol on this interface.
tx Monitor transmitted traffic on this interface.
rx Monitor received traffic on this interface.
both Monitor transmitted/received traffic on this interface.
np-qos-profile * NP QoS profile ID. integer Minimum 0

value: 0
Maximum
value: 15
outbandwidth Bandwidth limit for outgoing traffic. integer Minimum 0

value: 0
Maximum
value:
80000000 **

Fortinet Inc.
padt-retry- PPPoE Active Discovery Terminate integer Minimum 1

timeout (PADT) used to terminate sessions after value: 0
an idle time. Maximum
value:
4294967295
password PPPoE account's password. password Not Specified
phy-mode * DSL physical mode. option - vdsl
Option Description
vdsl VDSL.
ping-serv-status PING server status. integer Minimum 0

value: 0
Maximum
value: 255
poe * Enable/disable PoE status. option - enable
Option Description
polling-interval sFlow polling interval in seconds. integer Minimum 20

value: 1
Maximum
value: 255
pppoe- Enable/disable PPPoE unnumbered option - enable

unnumbered- negotiation.
negotiate
Option Description
enable Enable IP address negotiating for unnumbered.
disable Disable IP address negotiating for unnumbered.
pptp-auth-type PPTP authentication type. option - auto
Option Description

Fortinet Inc.
Option Description
pptp-client Enable/disable PPTP client. option - disable
Option Description
enable Enable PPTP client.
disable Disable PPTP client.
pptp-password PPTP password. password Not Specified
pptp-server-ip PPTP server IP address. ipv4- Not Specified 0.0.0.0

address
pptp-timeout Idle timer in minutes (0 for disabled). integer Minimum 0

value: 0
Maximum
value: 65535
pptp-user PPTP user name. string Not Specified
preserve- Enable/disable preservation of session option - disable

session-route route when dirty.
Option Description
enable Enable preservation of session route when dirty.
disable Disable preservation of session route when dirty.
priority Priority of learned routes. integer Minimum 1

value: 1
Maximum
value: 65535
priority-override Enable/disable fail back to higher priority option - enable

port once recovered.
Option Description
enable Enable fail back to higher priority port once recovered.
disable Disable fail back to higher priority port once recovered.
proxy-captive- Enable/disable proxy captive portal on option - disable

portal this interface.

Fortinet Inc.
Option Description
enable Enable proxy captive portal on this interface.
disable Disable proxy captive portal on this interface.
pvc-atm-qos * SFP-DSL ADSL Fallback PVC ATM option - cbr

QoS.
Option Description
cbr ATM QoS CBR.
rt-vbr ATM QoS rt-VBR.
nrt-vbr ATM QoS nrt-VBR.
cbr ATM QoS CCBR.
pvc-chan * SFP-DSL ADSL Fallback PVC Channel. integer Minimum 0

value: 0
Maximum
value: 7
pvc-crc * SFP-DSL ADSL Fallback PVC CRC integer Minimum 2

Option: bit0: sar LLC preserve, bit1: value: 0
ream LLC preserve, bit2: ream VC-MUX Maximum
has crc. value: 7
pvc-pcr * SFP-DSL ADSL Fallback PVC Packet integer Minimum 0

Cell Rate in cells. value: 0
Maximum
value: 5500
pvc-scr * SFP-DSL ADSL Fallback PVC integer Minimum 0

Sustainable Cell Rate in cells. value: 0
Maximum
value: 5500
pvc-vlan-id * SFP-DSL ADSL Fallback PVC VLAN ID. integer Minimum 7

value: 1
Maximum
value: 4094
pvc-vlan-rx-id * SFP-DSL ADSL Fallback PVC VLANID integer Minimum 7

RX. value: 1
Maximum
value: 4094
pvc-vlan-rx-op * SFP-DSL ADSL Fallback PVC VLAN RX option - pass-through

op.

Fortinet Inc.
Option Description
pass-through PVC VLAN Tag Passthrough.
replace PVC VLAN Tag Replace.
remove PVC VLAN Tag Remove.
pvc-vlan-tx-id * SFP-DSL ADSL Fallback PVC VLAN ID integer Minimum 7

TX. value: 1
Maximum
value: 4094
pvc-vlan-tx-op * SFP-DSL ADSL Fallback PVC VLAN TX option - remove

op.
Option Description
pass-through PVC VLAN Tag Passthrough.
replace PVC VLAN Tag Replace.
remove PVC VLAN Tag Remove.
reachable-time IPv4 reachable time in milliseconds. integer Minimum 30000

value: 30000
Maximum
value:
3600000
redundant- Redundant interface. string Not Specified

interface
remote-ip Remote IP address of tunnel. ipv4- Not Specified 0.0.0.0 0.0.0.0

classnet-
host
replacemsg- Replacement message override group. string Not Specified

override-group
retransmission * Enable/disable DSL retransmission. option - enable
Option Description
disable Disable retransmission.
enable Enable retransmission.
ring-rx * RX ring size. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
ring-tx * TX ring size. integer Minimum 0

value: 0
Maximum
value:
4294967295
role Interface role. option - undefined
Option Description
lan Connected to local network of endpoints.
wan Connected to Internet.
dmz Connected to server zone.
undefined Interface has no specific role.
sample-direction Data that NetFlow collects (rx, tx, or option - both

both).
Option Description
tx Monitor transmitted traffic on this interface.
rx Monitor received traffic on this interface.
both Monitor transmitted/received traffic on this interface.
sample-rate sFlow sample rate. integer Minimum 2000

value: 10
Maximum
value: 99999
secondary-IP Enable/disable adding a secondary IP to option - disable

this interface.
Option Description
enable Enable secondary IP.
disable Disable secondary IP.
security-8021x- VLAN ID for virtual switch. integer Minimum 0

dynamic-vlan-id * value: 0
Maximum
value: 4094
security-8021x- 802.1X master virtual-switch. string Not Specified

master *
security-8021x- 802.1X mode. option - default

mode *

Fortinet Inc.
Option Description
default 802.1X default mode.
dynamic-vlan 802.1X dynamic VLAN (master) mode.
fallback 802.1X fallback (master) mode.
slave 802.1X slave mode.
security-exempt- Name of security-exempt-list. string Not Specified

list
security-external- URL of external authentication logout string Not Specified

logout server.
security-external- URL of external authentication web var-string Not Specified

web server.
security-groups User groups that can authenticate with string Maximum

<name> the captive portal. length: 79
Names of user groups that can
authenticate with the captive portal.
security-mac- Enable/disable MAC authentication option - disable

auth-bypass bypass.
Option Description
mac-auth-only Enable MAC authentication bypass without EAP.
security-mode Turn on captive portal authentication for option - none

this interface.
Option Description
none No security option.
captive-portal Captive portal authentication.
802.1X 802.1X port-based authentication.
security-redirect- URL redirection after var-string Not Specified

url disclaimer/authentication.
service-name PPPoE service name. string Not Specified
sflow-sampler Enable/disable sFlow on this interface. option - disable

Fortinet Inc.
Option Description
enable Enable sFlow protocol on this interface.
disable Disable sFlow protocol on this interface.
sfp-dsl * Enable/disable SFP DSL. option - disable
Option Description
disable Disable SFP DSL.
enable Enable SFP DSL.
sfp-dsl-adsl- Enable/disable SFP DSL ADSL fallback. option - disable

fallback *
Option Description
disable Disable SFP DSL ADSL fallback.
enable Enable SFP DSL ADSL fallback.
sfp-dsl- Enable/disable SFP DSL MAC address option - enable

autodetect * autodetect.
Option Description
disable Disable SFP DSL MAC address autodetect.
enable Enable SFP DSL MAC address autodetect.
sfp-dsl-mac * SFP DSL MAC address. mac- Not Specified 00:00:00:00:00:00

address
snmp-index Permanent SNMP Index of the interface. integer Minimum 0

value: 1
Maximum
value:
2147483647
speed Interface speed. The default setting and option - auto

the options available depend on the
interface hardware.
Option Description
auto Automatically adjust speed.

Fortinet Inc.
Option Description
1000auto 1000M auto adjust.
10000full 10G full-duplex.
10000auto 10G auto.
spillover- Egress Spillover threshold , 0 means integer Minimum 0

threshold unlimited. value: 0
Maximum
value:
16776000
src-check Enable/disable source IP check. option - enable
Option Description
enable Enable source IP check.
disable Disable source IP check.
status Bring the interface up or shut the option - up

interface down.
Option Description
up Bring the interface up.
down Shut the interface down.
stp * Enable/disable STP. option - disable
Option Description
disable Disable STP.
enable Enable STP.
stp-ha-secondary Control STP behaviour on HA option - priority-adjust

* secondary.
Option Description
disable Disable STP negotiation on HA secondary.
enable Enable STP negotiation on HA secondary.

Fortinet Inc.
Option Description
priority-adjust Enable STP negotiation on HA secondary and make priority lower than HA
primary.
stpforward Enable/disable STP forwarding. option - disable
Option Description
enable Enable STP forwarding.
disable Disable STP forwarding.
stpforward-mode Configure STP forwarding mode. option - rpl-all-ext-id
Option Description
rpl-all-ext-id Replace all extension IDs (root, bridge).
rpl-bridge-ext-id Replace the bridge extension ID only.
rpl-nothing Replace nothing.
subst Enable to always send packets from this option - disable

interface to a destination MAC address.
Option Description
enable Send packets from this interface.
disable Do not send packets from this interface.
substitute-dst- Destination MAC address that all mac- Not Specified 00:00:00:00:00:00
mac packets are sent to from this interface. address
sw-algorithm * Frame distribution algorithm for switch. option - eh
Option Description
l2 Use layer 2 address for distribution.
l3 Use layer 3 address for distribution.
eh Use enhanced hashing for distribution.
swc-first-create * Initial create for switch-controller VLANs. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
swc-vlan * Creation status for switch-controller integer Minimum 0

VLANs. value: 0
Maximum
value:
4294967295
switch Contained in switch. string Not Specified
switch-controller- Block FortiSwitch port-to-port traffic. option - disable

access-vlan *
Option Description
enable Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to
and from the FortiGate.
disable Allow normal VLAN traffic.
switch-controller- Enable/disable FortiSwitch ARP option - disable

arp-inspection * inspection.
Option Description
enable Enable ARP inspection for FortiSwitch devices.
disable Disable ARP inspection for FortiSwitch devices.
switch-controller- Switch controller DHCP snooping. option - disable

dhcp-snooping *
Option Description
enable Enable DHCP snooping for FortiSwitch devices.
disable Disable DHCP snooping for FortiSwitch devices.
switch-controller- Switch controller DHCP snooping option - disable

dhcp-snooping- option82.
option82 *
Option Description
enable Enable DHCP snooping insert option82 for FortiSwitch devices.
disable Disable DHCP snooping insert option82 for FortiSwitch devices.
switch-controller- Switch controller DHCP snooping verify option - disable

dhcp-snooping- MAC.
verify-mac *

Fortinet Inc.
Option Description
enable Enable DHCP snooping verify source MAC for FortiSwitch devices.
disable Disable DHCP snooping verify source MAC for FortiSwitch devices.
switch-controller- Integrated FortiLink settings for string Not Specified

dynamic * managed FortiSwitch.
switch-controller- Interface's purpose when assigning option - none

feature * traffic (read only).
Option Description
none VLAN for generic purpose.
default-vlan Default VLAN (native) assigned to all switch ports upon discovery.
quarantine VLAN for quarantined traffic.
rspan VLAN for RSPAN/ERSPAN mirrored traffic.
voice VLAN dedicated for voice devices.
video VLAN dedicated for camera devices.
nac VLAN dedicated for NAC onboarding devices.
nac-segment VLAN dedicated for NAC segment devices.
switch-controller- Switch controller IGMP snooping. option - disable

igmp-snooping *
Option Description
enable Enable IGMP snooping.
disable Disable IGMP snooping.
switch-controller- Switch controller IGMP snooping fast- option - disable

igmp-snooping- leave.
fast-leave *
Option Description
enable Enable IGMP snooping fast-leave.
disable Disable IGMP snooping fast-leave.
switch-controller- Switch controller IGMP snooping proxy. option - disable

igmp-snooping-
proxy *

Fortinet Inc.
Option Description
enable Enable IGMP snooping proxy.
disable Disable IGMP snooping proxy.
switch-controller- Enable/disable managed FortiSwitch IoT option - disable

iot-scanning * scanning.
Option Description
enable Enable IoT scanning for managed FortiSwitch devices.
disable Disable IoT scanning for managed FortiSwitch devices.
switch-controller- Limit the number of dynamic MAC integer Minimum 0

learning-limit * addresses on this VLAN. value: 0
Maximum
value: 128
switch-controller- VLAN to use for FortiLink management integer Minimum 4094

mgmt-vlan * purposes. value: 1
Maximum
value: 4094
switch-controller- Integrated FortiLink settings for string Not Specified

nac * managed FortiSwitch.
switch-controller- Stop Layer2 MAC learning and option - disable

rspan-mode * interception of BPDUs and other packets
on this interface.
Option Description
disable Disable RSPAN passthrough mode on this VLAN interface.
enable Enable RSPAN passthrough mode on this VLAN interface.
switch-controller- Source IP address used in FortiLink over option - outbound

source-ip * L3 connections.
Option Description
outbound Source IP address is that of the outbound interface.
fixed Source IP address is that of the FortiLink interface.
switch-controller- Switch controller traffic policy for the string Not Specified
traffic-policy * VLAN.
system-id Define a system ID for the aggregate mac- Not Specified 00:00:00:00:00:00
interface. address

Fortinet Inc.
system-id-type Method in which system ID is generated. option - auto
Option Description
auto Use the MAC address of the first member.
user User-defined system ID.
tc-mode * DSL transfer mode. option - ptm
Option Description
ptm Packet transfer mode.
tcp-mss TCP maximum segment size. 0 means integer Minimum 0

do not change segment size. value: 48
Maximum
value: 65535
trunk * Enable/disable VLAN trunk. option - disable
Option Description
enable Enable VLAN trunk on this interface.
disable Disable VLAN trunk on this interface.
trust-ip-1 Trusted host for dedicated management ipv4- Not Specified 0.0.0.0 0.0.0.0
traffic (0.0.0.0/24 for all hosts). classnet-
any
any
any
trust-ip6-1 Trusted IPv6 host for dedicated ipv6-prefix Not Specified ::/0
management traffic (::/0 for all hosts).
type Interface type. option - vlan

Fortinet Inc.
Option Description
physical Physical interface.
vlan VLAN interface.
aggregate Aggregate interface.
redundant Redundant interface.
tunnel Tunnel interface.
vdom-link VDOM link interface.
loopback Loopback interface.
switch Software switch interface.
vap-switch VAP interface.
wl-mesh WLAN mesh interface.
fext-wan FortiExtender interface.
vxlan VXLAN interface.
geneve GENEVE interface.
hdlc T1/E1 interface.
switch-vlan Switch VLAN interface.
emac-vlan EMAC VLAN interface.
ssl SSL VPN client interface.
lan-extension LAN extension interface.
username Username of the PPPoE account, string Not Specified

provided by your ISP.
vci * Virtual Channel ID integer Minimum 35

value: 0
Maximum
value: 65535
vdom Interface is in this virtual domain string Not Specified

(VDOM).
vectoring * Enable/disable DSL vectoring. option - enable
Option Description
disable Disable vectoring.
enable Enable vectoring.

Fortinet Inc.
vindex * Switch control interface VLAN ID. integer Minimum 0

value: 0
Maximum
value: 65535
vlan-protocol Ethernet protocol of VLAN. option - 8021q
Option Description
8021q IEEE 802.1Q.
8021ad IEEE 802.1AD.
vlanforward Enable/disable traffic forwarding option - disable

between VLANs on this interface.
Option Description
enable Enable traffic forwarding.
disable Disable traffic forwarding.
vlanid VLAN ID. integer Minimum 0

value: 1
Maximum
value: 4094
vpi * Virtual Path ID. integer Minimum 0

value: 0
Maximum
value: 255

value: 0
Maximum
value: 31
vrrp-virtual-mac Enable/disable use of virtual MAC for option - disable

VRRP.
Option Description
enable Enable use of virtual MAC for VRRP.
disable Disable use of virtual MAC for VRRP.
wccp Enable/disable WCCP on this interface. option - disable

Used for encapsulated WCCP
communication between WCCP clients
and servers.

Fortinet Inc.
Option Description
enable Enable WCCP protocol on this interface.
disable Disable WCCP protocol on this interface.
weight Default weight for static routes (if route integer Minimum 0
has no weight configured). value: 0
Maximum
value: 255
wifi-5g-threshold Minimal signal strength to be considered string Not Specified -78

* as a good 5G AP.
wifi-acl * Access control for MAC addresses in the option - deny

MAC list.
Option Description
allow Allow.
deny Deny.
wifi-ap-band * How to select the AP to connect. option - any
Option Description
any Connect to the best 2G or 5G AP.
5g-preferred Connect to the 5G AP if a good 5G AP exists.
5g-only Only connect to the 5G AP.
wifi-auth * WiFi authentication. option - PSK
Option Description
PSK PSK.
radius RADIUS.
usergroup User group.
wifi-auto-connect Enable/disable WiFi network auto option - enable

* connect.
Option Description
enable Enable WiFi network auto connect.
disable Disable WiFi network auto connect.

Fortinet Inc.
wifi-auto-save * Enable/disable WiFi network automatic option - disable

save.
Option Description
enable Enable WiFi network automatic save.
disable Disable WiFi network automatic save.
wifi-broadcast- Enable/disable SSID broadcast in the option - enable

ssid * beacon.
Option Description
enable Enable SSID broadcast in the beacon.
disable Disable SSID broadcast in the beacon.
wifi-encrypt * Data encryption. option - AES
Option Description
TKIP TKIP.
AES AES.
wifi-fragment- WiFi fragment threshold. integer Minimum 2346

threshold * value: 800
Maximum
value: 2346
wifi-key * WiFi WEP Key. password Not Specified
wifi-keyindex * WEP key index. integer Minimum 1

value: 1
Maximum
value: 4
wifi-mac-filter * Enable/disable MAC filter status. option - disable
Option Description
enable Enable MAC filter.
disable Disable MAC filter.
wifi-passphrase * WiFi pre-shared key for WPA. password Not Specified
wifi-radius-server WiFi RADIUS server for WPA. string Not Specified

*

Fortinet Inc.
wifi-rts-threshold WiFi RTS threshold. integer Minimum 2346

* value: 256
Maximum
value: 2346
wifi-security * Wireless access security of SSID. option - wpa-personal
Option Description
open Open.
wep64 WEP64.
wep128 WEP128.
wpa-personal WPA personal.
wpa-enterprise WPA enterprise.
wpa-only- WPA personal only.

personal
wpa-only- WPA enterprise only.

enterprise
wpa2-only- WPA2 personal only.

personal
wpa2-only- WPA2 enterprise only.

enterprise
wifi-ssid * IEEE 802.11 Service Set Identifier. string Not Specified fortinet
wifi-usergroup * WiFi user group for WPA. string Not Specified
wins-ip WINS server IP. ipv4- Not Specified 0.0.0.0

address

config client-options

value: 0
Maximum
value:
4294967295

Fortinet Inc.
code DHCP client option code. integer Minimum 0

value: 0
Maximum
value: 255
type DHCP client option type. option - hex
Option Description
ip DHCP option in IP.
fqdn DHCP option in domain search option format.
value DHCP client option value. string Not Specified
ip DHCP option IPs. user Not Specified
config dhcp-snooping-server-list
name DHCP server name. string Not default

Specified
server-ip IP address for DHCP server. ipv4- Not 0.0.0.0

address Specified
config egress-queues
cos0 CoS profile name for CoS 0. string Not

Specified

Specified

Specified

Specified

Specified

Specified

Fortinet Inc.

Specified

Specified
config ipv6
ip6-mode Addressing mode (static, DHCP, delegated). option - static
Option Description
static Static setting.
dhcp DHCPv6 client mode.
pppoe IPv6 over PPPoE mode.
delegated IPv6 address with delegated prefix.
nd-mode Neighbor discovery mode. option - basic
Option Description
basic Do not support SEND.
SEND- Support SEND.

compatible
nd-cert Neighbor discovery certificate. string Not Specified
nd-security- Neighbor discovery security level. integer Minimum 0

level value: 0
Maximum
value: 7
nd-timestamp- Neighbor discovery timestamp delta value. integer Minimum 300

delta value: 1
Maximum
value: 3600
nd-timestamp- Neighbor discovery timestamp fuzz factor. integer Minimum 1

fuzz value: 1
Maximum
value: 60
nd-cga- Neighbor discovery CGA modifier. user Not Specified

modifier

Fortinet Inc.
ip6-dns- Enable/disable using the DNS server acquired by option - enable

server- DHCP.
override
Option Description
enable Enable using the DNS server acquired by DHCP.
disable Disable using the DNS server acquired by DHCP.
ip6-address Primary IPv6 address prefix. Syntax: ipv6-prefix Not Specified ::/0
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.
ip6- Allow management access to the interface. option -

allowaccess
Option Description
ping PING access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
http HTTP access.
fabric Fabric access.
ip6-send-adv Enable/disable sending advertisements about the option - disable

interface.
Option Description
enable Enable sending advertisements about this interface.
disable Disable sending advertisements about this interface.
icmp6-send- Enable/disable sending of ICMPv6 redirects. option - enable

redirect
Option Description
enable Enable sending of ICMPv6 redirects.
disable Disable sending of ICMPv6 redirects.
ip6-manage- Enable/disable the managed flag. option - disable

flag

Fortinet Inc.
Option Description
enable Enable the managed IPv6 flag.
disable Disable the managed IPv6 flag.
ip6-other-flag Enable/disable the other IPv6 flag. option - disable
Option Description
enable Enable the other IPv6 flag.
disable Disable the other IPv6 flag.
ip6-max- IPv6 maximum interval (4 to 1800 sec). integer Minimum 600

interval value: 4
Maximum
value: 1800
ip6-min- IPv6 minimum interval (3 to 1350 sec). integer Minimum 198

interval value: 3
Maximum
value: 1350
ip6-link-mtu IPv6 link MTU. integer Minimum 0

value: 1280
Maximum
value: 16000
ra-send-mtu Enable/disable sending link MTU in RA packet. option - enable
Option Description
enable Enable sending link MTU in RA packet.
disable Disable sending link MTU in RA packet.
ip6-reachable- IPv6 reachable time (milliseconds; 0 means integer Minimum 0

time unspecified). value: 0
Maximum
value:
3600000
ip6-retrans- IPv6 retransmit time (milliseconds; 0 means integer Minimum 0

time unspecified). value: 0
Maximum
value:
4294967295

Fortinet Inc.
ip6-default-life Default life (sec). integer Minimum 1800

value: 0
Maximum
value: 9000
ip6-hop-limit Hop limit (0 means unspecified). integer Minimum 0

value: 0
Maximum
value: 255
autoconf Enable/disable address auto config. option - disable
Option Description
enable Enable auto-configuration.
disable Disable auto-configuration.
unique- Enable/disable unique auto config address. option - disable

autoconf-addr
Option Description
enable Enable unique auto-configuration address.
disable Disable unique auto-configuration address.
interface- IPv6 interface identifier. ipv6- Not Specified ::

identifier address
ip6-prefix- Assigning a prefix from DHCP or RA. option - dhcp6

mode
Option Description
dhcp6 Use delegated prefix from a DHCPv6 client to form a delegated IPv6 address.
ra Use prefix from RA to form a delegated IPv6 address.
ip6-upstream- Interface name providing delegated information. string Not Specified

interface
ip6-delegated- IAID of obtained delegated-prefix from the upstream integer Minimum 0

Maximum
value:
4294967295
ip6-subnet Subnet to routing prefix. Syntax: ipv6-prefix Not Specified ::/0

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx.
dhcp6-relay- Enable/disable DHCPv6 relay. option - disable

service

Fortinet Inc.
Option Description
disable Disable DHCPv6 relay
enable Enable DHCPv6 relay.
dhcp6-relay- DHCPv6 relay type. option - regular

type
Option Description
regular Regular DHCP relay.
dhcp6-relay-ip DHCPv6 relay IP address. user Not Specified
dhcp6-client- DHCPv6 client options. option -

options
Option Description
rapid Send rapid commit option.
iapd Send including IA-PD option.
iana Send including IA-NA option.
dhcp6-prefix- Enable/disable DHCPv6 prefix delegation. option - disable

delegation
Option Description
enable Enable DHCPv6 prefix delegation.
disable Disable DHCPv6 prefix delegation.
dhcp6- Enable/disable DHCPv6 information request. option - disable

information-
request
Option Description
enable Enable DHCPv6 information request.
disable Disable DHCPv6 information request.
cli-conn6- CLI IPv6 connection status. integer Minimum 0

status value: 0
Maximum
value:
4294967295
vrrp-virtual- Enable/disable virtual MAC for VRRP. option - disable

mac6

Fortinet Inc.
Option Description
enable Enable virtual MAC for VRRP.
disable Disable virtual MAC for VRRP.
vrip6_link_ Link-local IPv6 address of virtual router. ipv6- Not Specified ::

local address
config ip6-extra-addr
prefix IPv6 address prefix. ipv6-prefix Not ::/0

Specified
config ip6-prefix-list
prefix IPv6 prefix. ipv6- Not Specified ::/0

network
autonomous- Enable/disable the autonomous flag. option - enable

flag
Option Description
enable Enable the autonomous flag.
disable Disable the autonomous flag.
onlink-flag Enable/disable the onlink flag. option - enable
Option Description
enable Enable the onlink flag.
disable Disable the onlink flag.
valid-life-time Valid life time (sec). integer Minimum 2592000

value: 0
Maximum
value:
4294967295
preferred-life- Preferred life time (sec). integer Minimum 604800

time value: 0
Maximum
value:
4294967295

Fortinet Inc.
rdnss Recursive DNS server option. user Not Specified
dnssl DNS search list option. string Maximum

<domain> Domain name. length: 79
config ip6-delegated-prefix-list
prefix-id Prefix ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
upstream- Name of the interface that provides delegated string Not Specified
interface information.
delegated- IAID of obtained delegated-prefix from the upstream integer Minimum 0

Maximum
value:
4294967295
autonomous- Enable/disable the autonomous flag. option - enable

flag
Option Description
enable Enable the autonomous flag.
disable Disable the autonomous flag.
onlink-flag Enable/disable the onlink flag. option - enable
Option Description
enable Enable the onlink flag.
disable Disable the onlink flag.
subnet Add subnet ID to routing prefix. ipv6- Not Specified ::/0

network
rdnss-service Recursive DNS service option. option - specify
Option Description
delegated Delegated RDNSS settings.
default System RDNSS settings.
specify Specify recursive DNS servers.

Fortinet Inc.
rdnss Recursive DNS server option. user Not Specified
config dhcp6-iapd-list
iaid Identity association identifier. integer Minimum 0

value: 0
Maximum
value:
4294967295
prefix-hint DHCPv6 prefix that will be used as a hint to the ipv6- Not Specified ::/0
upstream DHCPv6 server. network
prefix-hint-plt DHCPv6 prefix hint preferred life time (sec), 0 means integer Minimum 604800
unlimited lease time. value: 0
Maximum
value:
4294967295
prefix-hint-vlt DHCPv6 prefix hint valid life time (sec). integer Minimum 2592000
value: 0
Maximum
value:
4294967295
config vrrp6
vrid Virtual router identifier. integer Minimum 0

value: 1
Maximum
value: 255
vrgrp VRRP group ID. integer Minimum 0

value: 1
Maximum
value:
65535
vrip6 IPv6 address of the virtual router. ipv6- Not ::

address Specified
priority Priority of the virtual router. integer Minimum 100

value: 1
Maximum
value: 255

Fortinet Inc.
adv-interval Advertisement interval. integer Minimum 1

value: 1
Maximum
value: 255
start-time Startup time. integer Minimum 3

value: 1
Maximum
value: 255
preempt Enable/disable preempt mode. option - enable
Option Description
enable Enable preempt mode.
disable Disable preempt mode.
accept-mode Enable/disable accept mode. option - enable
Option Description
enable Enable accept mode.
disable Disable accept mode.
vrdst6 Monitor the route to this destination. ipv6- Not

address Specified
status Enable/disable VRRP. option - enable
Option Description
enable Enable VRRP.
disable Disable VRRP.
config l2tp-client-settings
user L2TP user name. string Not

Specified
password L2TP password. password Not

Specified
peer-host L2TP peer host address. string Not

Specified
peer-mask L2TP peer mask. ipv4- Not 255.255.255.255

netmask Specified

Fortinet Inc.
peer-port L2TP peer port number. integer Minimum 1701

value: 1
Maximum
value:
65535
auth-type L2TP authentication type. option - auto
Option Description
mtu L2TP MTU. integer Minimum 1460

value: 40
Maximum
value:
65535
distance Distance of learned routes. integer Minimum 2

value: 1
Maximum
value: 255

value: 1
Maximum
value:
65535
defaultgw Enable/disable default gateway. option - disable
Option Description
enable Enable default gateway.
disable Disable default gateway.
ip IP. ipv4- Not 0.0.0.0 0.0.0.0

classnet- Specified
host
hello-interval L2TP hello message interval in seconds. integer Minimum 60

value: 0
Maximum
value: 3600

Fortinet Inc.
config secondaryip

value: 0
Maximum
value:
4294967295
ip Secondary IP address of the interface. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
host
allowaccess Management access settings for the secondary IP option -

address.
Option Description
ping PING access.
https HTTPS access.
ssh SSH access.
snmp SNMP access.
http HTTP access.
ftm FTM access.
speed-test Speed test access.
gwdetect Enable/disable detect gateway alive for first. option - disable
Option Description
enable Enable detect gateway alive for first.
disable Disable detect gateway alive for first.
ping-serv-status PING server status. integer Minimum 0

value: 0
Maximum
value: 255
detectserver Gateway's ping server for this IP. user Not Specified
detectprotocol Protocols used to detect the server. option - ping

Fortinet Inc.
Option Description
ping PING.
tcp-echo TCP echo.
udp-echo UDP echo.
ha-priority HA election priority for the PING server. integer Minimum 1

value: 1
Maximum
value: 50
config tagging

Specified

Specified

config vrrp
vrid Virtual router identifier. integer Minimum 0

value: 1
Maximum
value: 255
version VRRP version. option - 2
Option Description
2 VRRP version 2.
3 VRRP version 3.
vrgrp VRRP group ID. integer Minimum 0

value: 1
Maximum
value:
65535

Fortinet Inc.
vrip IP address of the virtual router. ipv4- Not 0.0.0.0

address- Specified
any
priority Priority of the virtual router. integer Minimum 100

value: 1
Maximum
value: 255
adv-interval Advertisement interval. integer Minimum 1

value: 1
Maximum
value: 255
start-time Startup time. integer Minimum 3

value: 1
Maximum
value: 255
preempt Enable/disable preempt mode. option - enable
Option Description
enable Enable preempt mode.
disable Disable preempt mode.
accept-mode Enable/disable accept mode. option - enable
Option Description
enable Enable accept mode.
disable Disable accept mode.
vrdst Monitor the route to this destination. ipv4- Not

address- Specified
any
vrdst-priority Priority of the virtual router when the virtual router integer Minimum 0
destination becomes unreachable. value: 0
Maximum
value: 254
ignore- Enable/disable ignoring of default route when checking option - disable

default-route destination.
Option Description
enable Enable ignoring of default route when checking destination.
disable Disable ignoring of default route when checking destination.

Fortinet Inc.
status Enable/disable this VRRP configuration. option - enable
Option Description
enable Enable this VRRP configuration.
disable Disable this VRRP configuration.
config proxy-arp

value: 0
Maximum
value:
4294967295
ip Set IP addresses of proxy ARP. user Not Specified
config wifi-mac-list

value: 0
Maximum
value:
4294967295

address
config wifi-networks

value: 0
Maximum
value:
4294967295
wifi-ssid IEEE 802.11 Service Set Identifier. string Not Specified fortinet
wifi-security Wireless access security of SSID. option - wpa-

personal

Fortinet Inc.
Option Description
open Open.
wep64 WEP64.
wep128 WEP128.
wpa-personal WPA personal.
wpa-only- WPA personal only.

personal
wpa2-only- WPA2 personal only.

personal
wifi-encrypt Data encryption. option - AES
Option Description
TKIP TKIP.
AES AES.
wifi-keyindex WEP key index. integer Minimum 1

value: 1
Maximum
value: 4
wifi-key WiFi WEP Key. password Not Specified
wifi- WiFi pre-shared key for WPA. password Not Specified

passphrase
config system ip-conflict status
List interface names and IP addresses in conflict.

config system ip-conflict status
Description: List interface names and IP addresses in conflict.
end
config system ipam
Configure IP address management services.

config system ipam
Description: Configure IP address management services.
set pool-subnet {ipv4-classnet}
set server-type [cloud|fabric-root]
end

Fortinet Inc.
config system ipam
pool-subnet Configure IPAM pool subnet, Class A - Class B ipv4- Not 172.31.0.0
subnet. classnet Specified 255.255.0.0
server-type Configure the type of IPAM server to use. option - fabric-root
Option Description
cloud Use the FortiIPAM cloud server.
fabric-root Use the IPAM server running on the Security Fabric root.
status Enable/disable IP address management services. option - disable
Option Description
enable Enable integration with IP address management services.
disable Disable integration with IP address management services.
config system ipip-tunnel
Configure IP in IP Tunneling.
Description: Configure IP in IP Tunneling.
edit <name>
set name {string}
next
end
auto-asic- Enable/disable tunnel ASIC offloading. option - enable

offload *
Option Description

Fortinet Inc.
interface Interface name that is associated with the incoming string Not
traffic from available options. Specified
local-gw IPv4 address for the local gateway. ipv4- Not 0.0.0.0
address- Specified
any
name IPIP Tunnel name. string Not

Specified
remote-gw IPv4 address for the remote gateway. ipv4- Not 0.0.0.0
address Specified

gateway.
Option Description
config system ips-urlfilter-dns
Configure IPS URL filter DNS servers.

Description: Configure IPS URL filter DNS servers.
edit <address>
set address {ipv4-address}
set ipv6-capability [enable|disable]
next
end
address DNS server IP address. ipv4- Not 0.0.0.0

address Specified
ipv6- Enable/disable this server for IPv6 queries. option - disable

capability

Fortinet Inc.
Option Description
status Enable/disable using this DNS server for IPS URL filter option - enable
DNS queries.
Option Description
enable Enable this DNS server for IPS URL filter DNS queries.
disable Disable this DNS server for IPS URL filter DNS queries.
config system ips-urlfilter-dns6
Configure IPS URL filter IPv6 DNS servers.

Description: Configure IPS URL filter IPv6 DNS servers.
edit <address6>
set address6 {ipv6-address}
next
end
address6 IPv6 address of DNS server. ipv6- Not ::

address Specified
status Enable/disable this server for IPv6 DNS queries. option - enable
Option Description
config system ips
Configure IPS system settings.

config system ips
Description: Configure IPS system settings.
set override-signature-hold-by-id [enable|disable]

Fortinet Inc.
set signature-hold-time {user}
end
config system ips
override- Enable/disable override of hold of triggering signatures option - enable

signature- that are specified by IDs regardless of hold.
hold-by-id
Option Description
enable Allow the signatures specified by IDs to be triggered even if they are on hold.
disable Do not trigger the signatures that are on hold.
signature- Time to hold and monitor IPS signatures. Format user Not 0h
hold-time <#d##h>. Specified
config system ipsec-aggregate
Configure an aggregate of IPsec tunnels.

Description: Configure an aggregate of IPsec tunnels.
edit <name>
set algorithm [L3|L4|...]
set member <tunnel-name1>, <tunnel-name2>, ...
set name {string}
next
end
algorithm Frame distribution algorithm. option - round-robin
Option Description
L4 Use layer 4 information for distribution.
round-robin Per-packet round-robin distribution.
redundant Use first tunnel that is up for all traffic.
weighted-round- Weighted round-robin distribution.

robin

Fortinet Inc.
member Member tunnels of the aggregate. string Maximum

<tunnel- Tunnel name. length: 79
name>
name IPsec aggregate name. string Not

Specified
config system ipv6-neighbor-cache
Configure IPv6 neighbor cache table.

Description: Configure IPv6 neighbor cache table.
edit <id>
set id {integer}
set ipv6 {ipv6-address}
next
end

value: 0
Maximum
value:
4294967295
interface Select the associated interface name from string Not Specified
available options.
ipv6 IPv6 address (format: ipv6- Not Specified ::

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx). address
mac MAC address (format: xx:xx:xx:xx:xx:xx). mac- Not Specified 00:00:00:00:00:00

address
config system ipv6-tunnel
Configure IPv6/IPv4 in IPv6 tunnel.

Description: Configure IPv6/IPv4 in IPv6 tunnel.
edit <name>
set destination {ipv6-address}

Fortinet Inc.
set name {string}
set source {ipv6-address}
next
end

offload *
Option Description
destination Remote IPv6 address of the tunnel. ipv6- Not ::

address Specified

Specified
name IPv6 tunnel name. string Not

Specified
source Local IPv6 address of the tunnel. ipv6- Not ::

address Specified

gateway.
Option Description

Fortinet Inc.
config system isf-queue-profile
This command is available for model(s): FortiGate 1200D, FortiGate 1500DT, FortiGate
1500D, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate
3200D, FortiGate 3700D, FortiGate 400E, FortiGate 401E, FortiGate 800D.
FortiGate 101E, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 140E-POE,
FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E,
FortiGate 3601E, FortiGate 3800D, FortiGate 3960E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate
4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate
501E, FortiGate 600E, FortiGate 601E, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate
60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 80E-POE,
FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-
POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E,
Create a queue profile of switch.

Description: Create a queue profile of switch.
edit <name>
set bandwidth-unit [kbps|pps]
set burst-bps-granularity [disable|512-bytes|...]
set burst-pps-granularity [disable|half-packet|...]
set maximum-bandwidth {integer}
set name {string}
next
end
bandwidth-unit Unit of measurement for guaranteed and maximum option - kbps

bandwidth.
Option Description
kbps kilobits per second.
pps packets per second.

Fortinet Inc.
burst-bps- Burst granularity based on bytes per second. option - disable

granularity
Option Description
disable Disable burst control.
512-bytes 512 bytes.
1k-bytes 1K bytes.
2k-bytes 2K bytes.
4k-bytes 4K bytes.
8k-bytes 8K bytes.
16k-bytes 16K bytes.
32k-bytes 32K bytes.
burst-pps- Burst granularity based on packets per second. option - disable

granularity
Option Description
disable Disable burst control.
half-packet One burst unit equals two time slots in which one packet is sent.
1-packet 1 packet.
2-packets 2 packets.
guaranteed- Guaranteed bandwidth. integer Minimum 0

bandwidth value: 0
Maximum
value:
100000000
maximum- Upper bandwidth limit enforced. integer Minimum 0

bandwidth value: 0
Maximum
value:
100000000

Fortinet Inc.
config system link-monitor
Configure Link Health Monitor.

Description: Configure Link Health Monitor.
edit <name>
set addr-mode [ipv4|ipv6]
set fail-weight {integer}
set gateway-ip {ipv4-address-any}
set gateway-ip6 {ipv6-address}
set http-agent {string}
set name {string}
set packet-size {integer}
set port {integer}
set probe-count {integer}
set probe-timeout {integer}
set recoverytime {integer}
set route <subnet1>, <subnet2>, ...
set security-mode [none|authentication]
set server <address1>, <address2>, ...
set server-config [default|individual]
config server-list
Description: Servers for link-monitor to monitor.
edit <id>
set id {integer}
set dst {string}
set port {integer}
next
end
set service-detection [enable|disable]
set source-ip {ipv4-address-any}
set update-cascade-interface [enable|disable]
set update-policy-route [enable|disable]
set update-static-route [enable|disable]
next
end

Fortinet Inc.
addr-mode Address mode (IPv4 or IPv6). option - ipv4
Option Description
ipv4 IPv4 mode.
ipv6 IPv6 mode.
class-id Traffic class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
diffservcode Differentiated services code point (DSCP) in the IP user Not Specified
header of the probe packet.
fail-weight Threshold weight to trigger link failure alert. integer Minimum 0

value: 0
Maximum
value: 255
failtime Number of retry attempts before the server is integer Minimum 5

considered down. value: 1
Maximum
value: 3600
gateway-ip Gateway IP address used to probe the server. ipv4- Not Specified 0.0.0.0
address-
any
gateway-ip6 Gateway IPv6 address used to probe the server. ipv6- Not Specified ::
address
ha-priority HA election priority. integer Minimum 1

value: 1
Maximum
value: 50
http-agent String in the http-agent field in the HTTP header. string Not Specified Chrome/
Safari/
http-get If you are monitoring an HTML server you can send string Not Specified /
an HTTP-GET request with a custom string. Use this
option to define the string.
http-match String that you expect to see in the HTTP-GET string Not Specified
requests of the traffic to be monitored.

Fortinet Inc.
interval Detection interval in milliseconds. integer Minimum 500

value: 500
Maximum
value:
3600000
name Link monitor name. string Not Specified
packet-size Packet size of a TWAMP test session. integer Minimum 64

value: 64
Maximum
value: 1024
password TWAMP controller password in authentication password Not Specified

mode.
port Port number of the traffic to be used to monitor the integer Minimum 0
server. value: 1
Maximum
value: 65535
probe-count Number of most recent probes that should be used integer Minimum 30
to calculate latency and jitter. value: 5
Maximum
value: 30
probe-timeout Time to wait before a probe packet is considered integer Minimum 500
lost. value: 500
Maximum
value: 5000
protocol Protocols used to monitor the server. option - ping
Option Description
ping PING link monitor.
tcp-echo TCP echo link monitor.
udp-echo UDP echo link monitor.
http HTTP-GET link monitor.
twamp TWAMP link monitor.
recoverytime Number of successful responses received before integer Minimum 5

server is considered recovered. value: 1
Maximum
value: 3600
route Subnet to monitor. string Maximum

<subnet> IP and netmask (x.x.x.x/y). length: 79

Fortinet Inc.
security-mode Twamp controller security mode. option - none
Option Description
none Unauthenticated mode.
authentication Authenticated mode.
server IP address of the server(s) to be monitored. string Maximum

<address> Server address. length: 79
server-config Mode of server configuration. option - default
Option Description
default All servers share the same attributes.
individual Some attributes can be specified for individual servers.
service- Only use monitor to read quality values. If enabled, option - disable
detection static routes and cascade interfaces will not be
updated.
Option Description
enable Only use monitor for service-detection.
disable Monitor will update routes/interfaces on link failure.
source-ip Source IP address used in packet to the server. ipv4- Not Specified 0.0.0.0
address-
any
source-ip6 Source IPv6 address used in packet to the server. ipv6- Not Specified ::
address
srcintf Interface that receives the traffic to be monitored. string Not Specified
status Enable/disable this link monitor. option - enable
Option Description
enable Enable this link monitor.
disable Disable this link monitor.
update- Enable/disable update cascade interface. option - enable

cascade-
interface

Fortinet Inc.
Option Description
enable Enable update cascade interface.
disable Disable update cascade interface.
update-policy- Enable/disable updating the policy route. option - enable

route
Option Description
enable Enable updating the policy route.
disable Disable updating the policy route.
update-static- Enable/disable updating the static route. option - enable

route
Option Description
enable Enable updating the static route.
disable Disable updating the static route.
config server-list
id Server ID. integer Minimum 0

value: 1
Maximum
value: 32
dst IP address of the server to be monitored. string Not

Specified
protocol Protocols used to monitor the server. option - ping
Option Description
ping PING link monitor.
tcp-echo TCP echo link monitor.
udp-echo UDP echo link monitor.
http HTTP-GET link monitor.
twamp TWAMP link monitor.

Fortinet Inc.
port Port number of the traffic to be used to monitor the integer Minimum 0
server. value: 1
Maximum
value:
65535
weight Weight of the monitor to this dst. integer Minimum 0

value: 0
Maximum
value: 255
config system lldp network-policy
Configure LLDP network policy.

Description: Configure LLDP network policy.
edit <name>
config guest
Description: Guest.
set tag [none|dot1q|...]
set vlan {integer}
set dscp {integer}
end
config guest-voice-signaling
Description: Guest Voice Signaling.
set vlan {integer}
set dscp {integer}
end
set name {string}
config softphone
Description: Softphone.
set vlan {integer}
set dscp {integer}
end
config streaming-video
Description: Streaming Video.
set vlan {integer}
set dscp {integer}
end

Fortinet Inc.
config video-conferencing
Description: Video Conferencing.
set vlan {integer}
set dscp {integer}
end
config video-signaling
Description: Video Signaling.
set vlan {integer}
set dscp {integer}
end
config voice
Description: Voice.
set vlan {integer}
set dscp {integer}
end
config voice-signaling
Description: Voice signaling.
set vlan {integer}
set dscp {integer}
end
next
end

Specified
name LLDP network policy name. string Not

Specified
config guest
status Enable/disable advertising this policy. option - disable

Fortinet Inc.
Option Description
disable Disable advertising this LLDP network policy.
enable Enable advertising this LLDP network policy.
tag Advertise tagged or untagged traffic. option - none
Option Description
none Advertise that untagged frames should be used.
dot1q Advertise that 802.1Q (VLAN) tagging should be used.
dot1p Advertise that 802.1P priority tagging (VLAN 0) should be used.
vlan 802.1Q VLAN ID to advertise. integer Minimum 0

value: 1
Maximum
value: 4094
priority 802.1P CoS/PCP to advertise. integer Minimum 5

value: 0
Maximum
value: 7
dscp Differentiated Services Code Point (DSCP) value to integer Minimum 46

advertise. value: 0
Maximum
value: 63
config guest-voice-signaling
Option Description
Option Description

Fortinet Inc.

value: 1
Maximum
value: 4094

value: 0
Maximum
value: 7

advertise. value: 0
Maximum
value: 63
config softphone
Option Description
Option Description

value: 1
Maximum
value: 4094

value: 0
Maximum
value: 7

advertise. value: 0
Maximum
value: 63

Fortinet Inc.
config streaming-video
Option Description
Option Description

value: 1
Maximum
value: 4094

value: 0
Maximum
value: 7

advertise. value: 0
Maximum
value: 63
config video-conferencing
Option Description

Fortinet Inc.
Option Description

value: 1
Maximum
value: 4094

value: 0
Maximum
value: 7

advertise. value: 0
Maximum
value: 63
config video-signaling
Option Description
Option Description

value: 1
Maximum
value: 4094

Fortinet Inc.

value: 0
Maximum
value: 7

advertise. value: 0
Maximum
value: 63
config voice
Option Description
Option Description

value: 1
Maximum
value: 4094

value: 0
Maximum
value: 7

advertise. value: 0
Maximum
value: 63

Fortinet Inc.
config voice-signaling
Option Description
Option Description

value: 1
Maximum
value: 4094

value: 0
Maximum
value: 7

advertise. value: 0
Maximum
value: 63

Fortinet Inc.
config system lte-modem
Configure USB LTE/WIMAX devices.

Description: Configure USB LTE/WIMAX devices.
set allow-modify-mtu-size [enable|disable]
set allow-modify-wireless-profile-table [enable|disable]
set apn {string}
set authtype [none|pap|...]
set auto-connect [enable|disable]
set band-restrictions {string}
set billing-date {integer}
set connection-hot-swap [5-minutes|10-minutes|...]
set data-limit {integer}
set data-usage-tracking [enable|disable]
set extra-init {string}
set force-wireless-profile {integer}
set gps-port {integer}
set gps-service [enable|disable]
set holddown-timer {integer}
set image-preference [generic|att|...]
set manual-handover [enable|disable]
set mode [standalone|redundant]
set modem-port {integer}
set network-type [auto|umts-3g|...]
set override-gateway [enable|disable]
set passwd {password}
set sim-hot-swap [enable|disable]
set sim-slot {integer}

Fortinet Inc.
set sim1-pin {password}
set sim2-pin {password}
end
allow-modify- Allow FortiGate to modify the wireless WAN interface option - enable
mtu-size * MTU size.
Option Description
enable Allow LTE daemon to modify wireless profile table.
disable Do not allow LTE daemon to modify wireless profile table.
allow-modify- Allow FortiGate to modify the wireless profile table if option - enable
wireless- the internal LTE modem is running the GENERIC
profile-table * modem firmware.
Option Description
enable Allow LTE daemon to modify wireless profile table.
disable Do not allow LTE daemon to modify wireless profile table.
apn Login APN string for PDP-IP packet data calls. string Not
Specified
authtype Authentication type for PDP-IP packet data calls. option - none
Option Description
none Username and password not required.
pap Use PAP authentication.
chap Use CHAP authentication.
auto-connect Enable/disable modem auto connect. option - disable

*
Option Description
enable Enable modem auto connect.
disable Disable modem auto connect.
band- Bitmaps for the allowed 3G and LTE bands.Ex: string Not
restrictions * 0000000000000000-0000000000001008 (3G Mask- Specified
LTE Mask)

Fortinet Inc.
billing-date * LTE Modem billing date. integer Minimum 1

value: 1
Maximum
value: 31
connection- Set connection-based SIM card hot swap time option - 5-minutes
hot-swap * interval.
Option Description
5-minutes Perform SIM card hot swap if current card is not able to connect for 5 minutes.
10-minutes Perform SIM card hot swap if current card is not able to connect for 10
minutes.
never SIM card hot swap based on card presence only.
data-limit * LTE Modem data limit mega bytes, 0 for unlimited integer Minimum 0
data. value: 0
Maximum
value:
100000
data-usage- Enable/disable data usage tracking. option - disable

tracking *
Option Description
enable Enable data usage tracking.
disable Disable data usage tracking.
extra-init Extra initialization string for USB LTE/WIMAX devices. string Not
Specified
force- Force to use wireless profile index , 0 if don't force. integer Minimum 0
wireless- value: 0
profile * Maximum
value: 16
gps-port * Modem GPS port index. integer Minimum 255

value: 0
Maximum
value: 20
gps-service * Enable/disable GPS daemon. option - disable
Option Description
enable Enable GPS daemon.
disable Disable GPS daemon.

Fortinet Inc.
holddown- Hold down timer. integer Minimum 30

timer value: 10
Maximum
value: 60
image- Modem Image Preference. option - auto-sim

preference *
Option Description
generic Generic Firmware.
att AT&T Firmware.
verizon Verizon Firmware.
telus Telus Firmware.
docomo DOCOMO Firmware.
softbank Softbank Firmware.
sprint Sprint Firmware.
auto-sim Auto Select Firmware.
no-change Do not change.
interface The interface that the modem is acting as a redundant string Not
interface for. Specified
manual- Enable/Disable manual handover from 3G to LTE option - disable

handover * network.
Option Description
enable Enable 3G to LTE manual handover.
disable Disable 3G to LTE manual handover.
mode Modem operation mode. option - standalone
Option Description
standalone Standalone modem operation mode.
redundant Redundant modem operation mode where the modem is used as a backup
interface.
modem-port Modem port index. integer Minimum 255

value: 0
Maximum
value: 20

Fortinet Inc.
network-type Wireless network type. option - auto

*
Option Description
auto Automatic detection
umts-3g UMTS 3G -- For networks use GSM technology
lte LTE
cdma-hrpd CDMA and HRPD -- For networks use CDMA technology
override- Enable/disable LTE gateway override. option - disable

gateway *
Option Description
enable Override gateway to 0.0.0.0
disable Use gateway as assigned by ISP DHCP server.
passwd Authentication password for PDP-IP packet data calls. password Not
Specified
sim-hot-swap Enable/disable SIM card auto detection and hot swap. option - enable
*
Option Description
enable Enable SIM card auto detection.
disable Disable SIM card auto detection.
sim-slot * SIM card slot. 1: right slot. 2: left slot. integer Minimum 1
value: 1
Maximum
value: 2
sim1-pin * PIN code for SIM #1 (if applicable). password Not

Specified
sim2-pin * PIN code for SIM #2 (if applicable). password Not

Specified
status Enable/disable USB LTE/WIMAX device. option - disable **
Option Description
enable Enable USB LTE/WIMA device.
disable Disable USB LTE/WIMA device.
username Authentication username for PDP-IP packet data string Not

calls. Specified

Fortinet Inc.
config system mac-address-table
Configure MAC address tables.

Description: Configure MAC address tables.
edit <mac>
set reply-substitute {mac-address}
next
end

Specified
mac MAC address. mac- Not 00:00:00:00:00:00

address Specified
reply- New MAC for reply traffic. mac- Not 00:00:00:00:00:00

substitute address Specified
config system management-tunnel
Management tunnel configuration.

Description: Management tunnel configuration.
set allow-collect-statistics [enable|disable]
set allow-config-restore [enable|disable]
set allow-push-configuration [enable|disable]
set allow-push-firmware [enable|disable]
set authorized-manager-only [enable|disable]
set serial-number {user}
end

Fortinet Inc.
allow-collect- Enable/disable collection of run time statistics. option - enable

statistics
Option Description
enable Enable collection of run time statistics.
disable Disable collection of run time statistics.
allow-config- Enable/disable allow config restore. option - enable

restore
Option Description
enable Enable allow config restore.
disable Disable allow config restore.
allow-push- Enable/disable push configuration. option - enable

configuration
Option Description
enable Enable push configuration.
disable Disable push configuration.
allow-push- Enable/disable push firmware. option - enable

firmware
Option Description
enable Enable push firmware.
disable Disable push firmware.
authorized- Enable/disable restriction of authorized manager only. option - enable

manager-only
Option Description
enable Enable restriction of authorized manager only.
disable Disable restriction of authorized manager only.
serial-number Serial number. user Not

Specified
status Enable/disable FGFM tunnel. option - enable

Fortinet Inc.
Option Description
enable Enable management tunnel.
disable Disable management tunnel.
config system mgmt-csum
System checksum for FortiManager use only.

config system mgmt-csum
Description: System checksum for FortiManager use only.
end
config system mobile-tunnel
Configure Mobile tunnels, an implementation of Network Mobility (NEMO) extensions for Mobile IPv4 RFC5177.
Description: Configure Mobile tunnels, an implementation of Network Mobility (NEMO)
extensions for Mobile IPv4 RFC5177.
edit <name>
set hash-algorithm {option}
set home-address {ipv4-address}
set home-agent {ipv4-address}
set lifetime {integer}
set n-mhae-key {password_aes256}
set n-mhae-key-type [ascii|base64]
set n-mhae-spi {integer}
set name {string}
config network
Description: NEMO network configuration.
edit <id>
set id {integer}
next
end
set reg-interval {integer}
set reg-retry {integer}
set renew-interval {integer}
set roaming-interface {string}
set tunnel-mode {option}
next
end

Fortinet Inc.
hash- Hash Algorithm (Keyed MD5). option - hmac-md5

algorithm
Option Description
hmac-md5 Keyed MD5.
home- Home IP address (Format: xxx.xxx.xxx.xxx). ipv4-address Not Specified 0.0.0.0

address
home-agent IPv4 address of the NEMO HA (Format: ipv4-address Not Specified 0.0.0.0
xxx.xxx.xxx.xxx).
lifetime NMMO HA registration request lifetime. integer Minimum 65535

value: 180
Maximum
value: 65535
n-mhae-key NEMO authentication key. password_ Not Specified

aes256
n-mhae-key- NEMO authentication key type (ASCII or base64). option - ascii

type
Option Description
ascii The authentication key is an ASCII string.
base64 The authentication key is Base64 encoded.
n-mhae-spi NEMO authentication SPI. integer Minimum 256

value: 0
Maximum
value:
4294967295
name Tunnel name. string Not Specified
reg-interval NMMO HA registration interval. integer Minimum 5

value: 5
Maximum
value: 300
reg-retry Maximum number of NMMO HA registration retries. integer Minimum 3

value: 1
Maximum
value: 30

Fortinet Inc.
renew-interval Time before lifetime expiration to send NMMO HA integer Minimum 60

re-registration. value: 5
Maximum
value: 60
roaming- Select the associated interface name from available string Not Specified
interface options.
status Enable/disable this mobile tunnel. option - enable
Option Description
disable Disable this mobile tunnel.
enable Enable this mobile tunnel.
tunnel-mode NEMO tunnel mode (GRE tunnel). option - gre
Option Description
gre GRE tunnel.
config network

value: 0
Maximum
value:
4294967295
interface Select the associated interface name from available string Not Specified
options.
prefix Class IP and Netmask with correction ipv4- Not Specified 0.0.0.0
(Format:xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx or classnet 0.0.0.0
xxx.xxx.xxx.xxx/x).

Fortinet Inc.
config system modem
Configure MODEM.
config system modem
Description: Configure MODEM.
set action [dial|stop|...]
set altmode [enable|disable]
set authtype1 {option1}, {option2}, ...
set auto-dial [enable|disable]
set connect-timeout {integer}
set dial-cmd1 {string}
set dial-on-demand [enable|disable]
set dont-send-CR1 [enable|disable]
set extra-init1 {string}
set holddown-timer {integer}
set idle-timer {integer}
set lockdown-lac {string}
set mode [standalone|redundant]
set network-init {string}
set passwd1 {password}

Fortinet Inc.
set peer-modem1 [generic|actiontec|...]
set phone1 {string}
set phone2 {string}
set phone3 {string}
set pin-init {string}
set ppp-echo-request1 [enable|disable]
set redial [none|1|...]
set reset {integer}
set traffic-check [enable|disable]
set username1 {string}
set wireless-port {integer}
end
config system modem
action Dial up/stop MODEM. option - stop
Option Description
dial Dial up number.
stop Stop dialup.
none No action.
altmode Enable/disable altmode for installations using PPP option - enable

in China.
Option Description
authtype1 Allowed authentication types for ISP 1. option - pap chap

mschap
mschapv2
Option Description
pap PAP

Fortinet Inc.
Option Description
chap CHAP
mschap MSCHAP
mschapv2 MSCHAPv2

mschap
mschapv2
Option Description
pap PAP
chap CHAP
mschap MSCHAP
mschapv2 MSCHAPv2

mschap
mschapv2
Option Description
pap PAP
chap CHAP
mschap MSCHAP
mschapv2 MSCHAPv2
auto-dial Enable/disable auto-dial after a reboot or option - disable

disconnection.
Option Description
connect- Connection completion timeout. integer Minimum 90

timeout value: 30
Maximum
value: 255
dial-cmd1 Dial command (this is often an ATD or ATDT string Not Specified
command).

Fortinet Inc.
command).
command).
dial-on- Enable/disable to dial the modem when packets are option - disable
demand routed to the modem interface.
Option Description
distance Distance of learned routes. integer Minimum 1

value: 1
Maximum
value: 255
dont-send- Do not send CR when connected (ISP1). option - disable

CR1
Option Description

CR2
Option Description

CR3
Option Description
extra-init1 Extra initialization string to ISP 1. string Not Specified

Fortinet Inc.
holddown- Hold down timer in seconds. integer Minimum 60

timer value: 1
Maximum
value: 60
idle-timer MODEM connection idle time. integer Minimum 5

value: 1
Maximum
value: 9999
interface Name of redundant interface. string Not Specified
lockdown-lac Allow connection only to the specified Location string Not Specified
Area Code (LAC).
mode Set MODEM operation mode to redundant or option - standalone

standalone.
Option Description
standalone Standalone.
redundant Redundant for an interface.
network-init AT command to set the Network name/type string Not Specified

(AT+COPS=<mode>,[<format>,<oper>[,<AcT>]]).
passwd1 Password to access the specified dialup account. password Not Specified
peer-modem1 Specify peer MODEM type for phone1. option - generic
Option Description
generic All other modem type.
actiontec ActionTec modem.
ascend_TNT Ascend TNT modem.
Option Description

Fortinet Inc.
Option Description
phone1 Phone number to connect to the dialup account string Not Specified
(must not contain spaces, and should include
standard special characters).
pin-init AT command to set the PIN (AT+PIN=<pin>). string Not Specified
ppp-echo- Enable/disable PPP echo-request to ISP 1. option - enable

request1
Option Description

request2
Option Description

request3
Option Description

Fortinet Inc.

value: 0
Maximum
value:
4294967295
redial Redial limit. option - none
Option Description
none Forever.
1 One attempt.
2 Two attempts.
3 Three attempts.
4 Four attempts.
5 Five attempts.
6 Six attempts.
7 Seven attempts.
8 Eight attempts.
9 Nine attempts.
10 Ten attempts.
reset Number of dial attempts before resetting modem (0 integer Minimum 0

= never reset). value: 0
Maximum
value: 10
status Enable/disable Modem support (equivalent to option - disable

bringing an interface up or down).
Option Description
traffic-check Enable/disable traffic-check. option - disable
Option Description
username1 User name to access the specified dialup account. string Not Specified

Fortinet Inc.
wireless-port Enter wireless port number, 0 for default, 1 for first integer Minimum 0
port, ... value: 0
Maximum
value:
4294967295
config system nd-proxy
Configure IPv6 neighbor discovery proxy (RFC4389).

Description: Configure IPv6 neighbor discovery proxy (RFC4389).
end
member Interfaces using the neighbor discovery proxy. string Maximum

name>
status Enable/disable neighbor discovery proxy. option - disable
Option Description
enable Enable neighbor discovery proxy.
disable Disable neighbor discovery proxy.
config system netflow
Configure NetFlow.
Description: Configure NetFlow.
set active-flow-timeout {integer}
set inactive-flow-timeout {integer}

Fortinet Inc.
set template-tx-counter {integer}
set template-tx-timeout {integer}
end
active-flow- Timeout to report active flows. integer Minimum 1800

timeout value: 60
Maximum
value: 3600
collector-ip Collector IP. ipv4- Not 0.0.0.0

address Specified
collector-port NetFlow collector port number. integer Minimum 2055

value: 0
Maximum
value:
65535
inactive-flow- Timeout for periodic report of finished flows. integer Minimum 15

timeout value: 10
Maximum
value: 600

Specified
select-method
Option Description
source-ip Source IP address for communication with the NetFlow ipv4- Not 0.0.0.0
agent. address Specified
template-tx- Counter of flowset records before resending a template integer Minimum 20

counter flowset record. value: 10
Maximum
value: 6000
template-tx- Timeout for periodic template flowset transmission. integer Minimum 1800
timeout value: 60
Maximum
value:
86400

Fortinet Inc.
config system network-visibility
Configure network visibility settings.

Description: Configure network visibility settings.
set destination-hostname-visibility [disable|enable]
set destination-location [disable|enable]
set destination-visibility [disable|enable]
set hostname-limit {integer}
set hostname-ttl {integer}
set source-location [disable|enable]
end
destination- Enable/disable logging of destination hostname option - enable

hostname- visibility.
visibility
Option Description
disable Disable logging of destination hostname visibility.
enable Enable logging of destination hostname visibility.
destination- Enable/disable logging of destination geographical option - enable

location location visibility.
Option Description
disable Disable logging of destination geographical location visibility.
enable Enable logging of destination geographical location visibility.
destination- Enable/disable logging of destination visibility. option - enable

visibility
Option Description
disable Disable logging of destination visibility.
enable Enable logging of destination visibility.
hostname- Limit of the number of hostname table entries. integer Minimum 5000
limit value: 0
Maximum
value:
50000

Fortinet Inc.
hostname-ttl TTL of hostname table entries. integer Minimum 86400

value: 60
Maximum
value:
86400
source- Enable/disable logging of source geographical location option - enable

location visibility.
Option Description
disable Disable logging of source geographical location visibility.
enable Enable logging of source geographical location visibility.
config system np6
Configure NP6 attributes.

config system np6
Description: Configure NP6 attributes.
edit <name>
set fastpath [disable|enable]
config fp-anomaly
Description: NP6 IPv4 anomaly protection. trap-to-host forwards anomaly sessions
to the CPU.
set tcp-syn-fin [allow|drop|...]

Fortinet Inc.
set tcp-fin-noack [allow|drop|...]
set tcp-fin-only [allow|drop|...]
set tcp-no-flag [allow|drop|...]
set tcp-syn-data [allow|drop|...]
set tcp-winnuke [allow|drop|...]
set tcp-land [allow|drop|...]
set udp-land [allow|drop|...]
set icmp-land [allow|drop|...]
set icmp-frag [allow|drop|...]
set ipv4-land [allow|drop|...]
set ipv4-proto-err [allow|drop|...]
set ipv4-unknopt [allow|drop|...]
set ipv4-optrr [allow|drop|...]
set ipv4-optssrr [allow|drop|...]
set ipv4-optlsrr [allow|drop|...]
set ipv4-optstream [allow|drop|...]
set ipv4-optsecurity [allow|drop|...]
set ipv4-opttimestamp [allow|drop|...]
set ipv4-csum-err [drop|trap-to-host]
set tcp-csum-err [drop|trap-to-host]
set udp-csum-err [drop|trap-to-host]
set icmp-csum-err [drop|trap-to-host]
set ipv6-saddr-err [allow|drop|...]
set ipv6-daddr-err [allow|drop|...]
set ipv6-optralert [allow|drop|...]
set ipv6-optjumbo [allow|drop|...]
set ipv6-opttunnel [allow|drop|...]
set ipv6-opthomeaddr [allow|drop|...]
set ipv6-optnsap [allow|drop|...]
set ipv6-optendpid [allow|drop|...]
set ipv6-optinvld [allow|drop|...]
end
set garbage-session-collector [disable|enable]
config hpe
Description: HPE configuration.
set tcpsyn-max {integer}
set tcpsyn-ack-max {integer}
set tcpfin-rst-max {integer}
set tcp-max {integer}
set udp-max {integer}
set icmp-max {integer}
set sctp-max {integer}
set esp-max {integer}
set ip-frag-max {integer}
set ip-others-max {integer}
set arp-max {integer}
set l2-others-max {integer}
set pri-type-max {integer}
set enable-shaper [disable|enable]
end
set ipsec-ob-hash-function [switch-group-hash|global-hash|...]
set ipsec-outbound-hash [disable|enable]
set low-latency-mode [disable|enable]

Fortinet Inc.
set name {string}
set session-collector-interval {integer}
set session-timeout-fixed [disable|enable]
set session-timeout-interval {integer}
set session-timeout-random-range {integer}
next
end
config system np6
fastpath Enable/disable NP4 or NP6 offloading (also called fast option - enable
path).
Option Description
disable Disable NP4 or NP6 offloading (fast path).
enable Enable NP4 or NP6 offloading (fast path).
garbage- Enable/disable garbage session collector. option - disable

session-
collector
Option Description
disable Disable garbage session collector.
enable Enable garbage session collector.
ipsec-ob- Set hash function for IPSec outbound. option - switch-

hash-function group-hash
*
Option Description
switch-group- Hash outbound SA traffic within NPs connected to same switch.

hash
global-hash Hash outbound SA traffic among all NPs.
global-hash- Hash outbound SA traffic among all NPs with more weights on NPs connected
weighted to switch 0. It's applicable to the case that ingress traffic is from switch 1.
round-robin- Round-robin outbound SA traffic within NPs connected to same switch.

switch-group
round-robin- Round-robin outbound SA traffic among all NPs.

global

Fortinet Inc.
ipsec- Enable/disable hash function for IPsec outbound traffic. option - disable
outbound-
hash *
Option Description
disable Disable hash function for IPsec outbound traffic.
enable Enable hash function for IPsec outbound traffic.
low-latency- Enable/disable low latency mode. option - disable

mode
Option Description
disable Disable low latency mode.
enable Enable low latency mode.
name Device Name. string Not

Specified

accounting only
Option Description
traffic-log-only Per-session accounting only for sessions with traffic logging enabled in firewall
policy.
enable Per-session accounting for all sessions.
session- Set garbage session collection cleanup interval. integer Minimum 64

collector- value: 1
interval Maximum
value: 100
session- {disable | enable} Toggle between using fixed or random option - disable
timeout-fixed timeouts for refreshing NP6 sessions.
Option Description
disable Disable Refresh NP6 sessions at the configured fixed interval.
enable Enable Refresh NP6 sessions randomly where the time between refreshes is
within the random range.

Fortinet Inc.
session- Set the fixed timeout for refreshing NP6 sessions. integer Minimum 40
timeout- value: 0
interval Maximum
value: 1000
session- Set the random timeout range for refreshing NP6 integer Minimum 8
timeout- sessions. value: 0
random-range Maximum
value: 1000
config fp-anomaly
tcp-syn-fin TCP SYN flood SYN/FIN flag set anomalies. option - allow
Option Description
allow Allow TCP packets with syn_fin flag set to pass.
drop Drop TCP packets with syn_fin flag set.
trap-to-host Forward TCP packets with syn_fin flag set to FortiOS.
tcp-fin-noack TCP SYN flood with FIN flag set without ACK setting option - trap-to-host
anomalies.
Option Description
allow Allow TCP packets with FIN flag set without ack setting to pass.
drop Drop TCP packets with FIN flag set without ack setting.
trap-to-host Forward TCP packets with FIN flag set without ack setting to FortiOS.
tcp-fin-only TCP SYN flood with only FIN flag set anomalies. option - trap-to-host
Option Description
allow Allow TCP packets with FIN flag set only to pass.
drop Drop TCP packets with FIN flag set only.
trap-to-host Forward TCP packets with FIN flag set only to FortiOS.
tcp-no-flag TCP SYN flood with no flag set anomalies. option - allow
Option Description
allow Allow TCP packets without flag set to pass.

Fortinet Inc.
Option Description
drop Drop TCP packets without flag set.
trap-to-host Forward TCP packets without flag set to FortiOS.
tcp-syn-data TCP SYN flood packets with data anomalies. option - allow
Option Description
allow Allow TCP syn packets with data to pass.
drop Drop TCP syn packets with data.
trap-to-host Forward TCP syn packets with data to FortiOS.
tcp-winnuke TCP WinNuke anomalies. option - trap-to-host
Option Description
allow Allow TCP packets winnuke attack to pass.
drop Drop TCP packets winnuke attack.
trap-to-host Forward TCP packets winnuke attack to FortiOS.
tcp-land TCP land anomalies. option - trap-to-host
Option Description
allow Allow TCP land attack to pass.
drop Drop TCP land attack.
trap-to-host Forward TCP land attack to FortiOS.
udp-land UDP land anomalies. option - trap-to-host
Option Description
allow Allow UDP land attack to pass.
drop Drop UDP land attack.
trap-to-host Forward UDP land attack to FortiOS.
icmp-land ICMP land anomalies. option - trap-to-host
Option Description
allow Allow ICMP land attack to pass.
drop Drop ICMP land attack.
trap-to-host Forward ICMP land attack to FortiOS.

Fortinet Inc.
icmp-frag Layer 3 fragmented packets that could be part of layer option - allow
4 ICMP anomalies.
Option Description
allow Allow L3 fragment packet with L4 protocol as ICMP attack to pass.
drop Drop L3 fragment packet with L4 protocol as ICMP attack.
trap-to-host Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.
ipv4-land Land anomalies. option - trap-to-host
Option Description
allow Allow IPv4 land attack to pass.
drop Drop IPv4 land attack.
trap-to-host Forward IPv4 land attack to FortiOS.
ipv4-proto-err Invalid layer 4 protocol anomalies. option - trap-to-host
Option Description
allow Allow IPv4 invalid L4 protocol to pass.
drop Drop IPv4 invalid L4 protocol.
trap-to-host Forward IPv4 invalid L4 protocol to FortiOS.
ipv4-unknopt Unknown option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with unknown options to pass.
drop Drop IPv4 with unknown options.
trap-to-host Forward IPv4 with unknown options to FortiOS.
ipv4-optrr Record route option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with record route option to pass.
drop Drop IPv4 with record route option.
trap-to-host Forward IPv4 with record route option to FortiOS.
ipv4-optssrr Strict source record route option anomalies. option - trap-to-host

Fortinet Inc.
Option Description
allow Allow IPv4 with strict source record route option to pass.
drop Drop IPv4 with strict source record route option.
trap-to-host Forward IPv4 with strict source record route option to FortiOS.
ipv4-optlsrr Loose source record route option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with loose source record route option to pass.
drop Drop IPv4 with loose source record route option.
trap-to-host Forward IPv4 with loose source record route option to FortiOS.
ipv4-optstream Stream option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with stream option to pass.
drop Drop IPv4 with stream option.
trap-to-host Forward IPv4 with stream option to FortiOS.
ipv4-optsecurity Security option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with security option to pass.
drop Drop IPv4 with security option.
trap-to-host Forward IPv4 with security option to FortiOS.
ipv4- Timestamp option anomalies. option - trap-to-host

opttimestamp
Option Description
allow Allow IPv4 with timestamp option to pass.
drop Drop IPv4 with timestamp option.
trap-to-host Forward IPv4 with timestamp option to FortiOS.
ipv4-csum-err Invalid IPv4 IP checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid IP checksum.

Fortinet Inc.
Option Description
trap-to-host Forward IPv4 invalid IP checksum to main CPU for processing.
tcp-csum-err Invalid IPv4 TCP checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid TCP checksum.
trap-to-host Forward IPv4 invalid TCP checksum to main CPU for processing.
udp-csum-err Invalid IPv4 UDP checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid UDP checksum.
trap-to-host Forward IPv4 invalid UDP checksum to main CPU for processing.
icmp-csum-err Invalid IPv4 ICMP checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid ICMP checksum.
trap-to-host Forward IPv4 invalid ICMP checksum to main CPU for processing.
Option Description
ipv6-proto-err Layer 4 invalid protocol anomalies. option - trap-to-host
Option Description
allow Allow IPv6 L4 invalid protocol to pass.
drop Drop IPv6 L4 invalid protocol.
trap-to-host Forward IPv6 L4 invalid protocol to FortiOS.
Option Description

Fortinet Inc.
Option Description
ipv6-saddr-err Source address as multicast anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with source address as multicast to pass.
drop Drop IPv6 with source address as multicast.
trap-to-host Forward IPv6 with source address as multicast to FortiOS.
ipv6-daddr-err Destination address as unspecified or loopback option - trap-to-host

address anomalies.
Option Description
allow Allow IPv6 with destination address as unspecified or loopback address to

pass.
drop Drop IPv6 with destination address as unspecified or loopback address.
trap-to-host Forward IPv6 with destination address as unspecified or loopback address

to FortiOS.
ipv6-optralert Router alert option anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with router alert option to pass.
drop Drop IPv6 with router alert option.
trap-to-host Forward IPv6 with router alert option to FortiOS.
ipv6-optjumbo Jumbo options anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with jumbo option to pass.
drop Drop IPv6 with jumbo option.
trap-to-host Forward IPv6 with jumbo option to FortiOS.
ipv6-opttunnel Tunnel encapsulation limit option anomalies. option - trap-to-host

Fortinet Inc.
Option Description
allow Allow IPv6 with tunnel encapsulation limit to pass.
drop Drop IPv6 with tunnel encapsulation limit.
trap-to-host Forward IPv6 with tunnel encapsulation limit to FortiOS.
ipv6- Home address option anomalies. option - trap-to-host

opthomeaddr
Option Description
allow Allow IPv6 with home address option to pass.
drop Drop IPv6 with home address option.
trap-to-host Forward IPv6 with home address option to FortiOS.
ipv6-optnsap Network service access point address option option - trap-to-host

anomalies.
Option Description
allow Allow IPv6 with network service access point address option to pass.
drop Drop IPv6 with network service access point address option.
trap-to-host Forward IPv6 with network service access point address option to FortiOS.
ipv6-optendpid End point identification anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with end point identification option to pass.
drop Drop IPv6 with end point identification option.
trap-to-host Forward IPv6 with end point identification option to FortiOS.
ipv6-optinvld Invalid option anomalies.Invalid option anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with invalid option to pass.
drop Drop IPv6 with invalid option.
trap-to-host Forward IPv6 with invalid option to FortiOS.

Fortinet Inc.
config hpe
tcpsyn-max Maximum TCP SYN packet rate. integer Minimum 600000

value: 1000
Maximum
value:
1000000000
tcpsyn-ack- Maximum TCP carries SYN and ACK flags packet integer Minimum 600000
max rate. value: 1000
Maximum
value:
1000000000
tcpfin-rst-max Maximum TCP carries FIN or RST flags packet rate. integer Minimum 600000
value: 1000
Maximum
value:
1000000000
tcp-max Maximum TCP packet rate. integer Minimum 600000

value: 1000
Maximum
value:
1000000000
udp-max Maximum UDP packet rate. integer Minimum 600000

value: 1000
Maximum
value:
1000000000
icmp-max Maximum ICMP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000
sctp-max Maximum SCTP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000
esp-max Maximum ESP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000

Fortinet Inc.
ip-frag-max Maximum fragmented IP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000
ip-others-max Maximum IP packet rate for other packets. integer Minimum 200000
value: 1000
Maximum
value:
1000000000
arp-max Maximum ARP packet rate. integer Minimum 200000

value: 1000
Maximum
value:
1000000000
l2-others-max Maximum L2 packet rate for L2 packets that are not integer Minimum 200000
ARP packets. value: 1000
Maximum
value:
1000000000
pri-type-max Maximum overflow rate of priority type traffic. integer Minimum 200000
Includes L2: HA, 802.3ad LACP, heartbeats. L3: value: 1000
OSPF. L4_TCP: BGP. L4_UDP: IKE, SLBC, BFD. Maximum
value:
1000000000
enable- Enable/Disable NPU Host Protection Engine(HPE) option - disable

shaper for packet type shaper.
Option Description
disable Disable NPU HPE shaping based on packet type.
enable Enable NPU HPE shaping based on packet type.

Fortinet Inc.
config system np6xlite
This command is available for model(s): FortiGate 100F, FortiGate 101F, FortiGate 200F,
FortiGate 201F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 60F, FortiGate 61F, FortiGate
80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81F-POE, FortiGate 81F,
FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi 40F,
FortiWiFi 60F, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F
It is not available for: FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 101E,
FortiGate 1100E, FortiGate 1101E, FortiGate 1200D, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E,
FortiGate 200E, FortiGate 201E, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E,
Bypass, FortiGate 400E, FortiGate 401E, FortiGate 4200F, FortiGate 4201F, FortiGate
4400F, FortiGate 4401F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate
501E, FortiGate 600E, FortiGate 601E, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate
60E-POE, FortiGate 60E, FortiGate 61E, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E,
FortiGate 81E-POE, FortiGate 81E, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate
VM64, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 61E.
Configure NP6XLITE attributes.

Description: Configure NP6XLITE attributes.
edit <name>
config fp-anomaly
Description: NP6XLITE IPv4 anomaly protection. trap-to-host forwards anomaly
sessions to the CPU.
set tcp-syn-fin [allow|drop|...]
set tcp-fin-noack [allow|drop|...]
set tcp-fin-only [allow|drop|...]
set tcp-no-flag [allow|drop|...]
set tcp-syn-data [allow|drop|...]
set tcp-winnuke [allow|drop|...]
set tcp-land [allow|drop|...]
set udp-land [allow|drop|...]
set icmp-land [allow|drop|...]
set icmp-frag [allow|drop|...]
set ipv4-optrr [allow|drop|...]
set ipv4-optssrr [allow|drop|...]
set ipv4-optlsrr [allow|drop|...]
set ipv4-optstream [allow|drop|...]
set ipv4-optsecurity [allow|drop|...]
set ipv4-opttimestamp [allow|drop|...]

Fortinet Inc.
set ipv6-saddr-err [allow|drop|...]
set ipv6-daddr-err [allow|drop|...]
set ipv6-optralert [allow|drop|...]
set ipv6-optjumbo [allow|drop|...]
set ipv6-opttunnel [allow|drop|...]
set ipv6-opthomeaddr [allow|drop|...]
set ipv6-optnsap [allow|drop|...]
set ipv6-optendpid [allow|drop|...]
set ipv6-optinvld [allow|drop|...]
end
set garbage-session-collector [disable|enable]
config hpe
Description: HPE configuration.
end
set ipsec-STS-timeout [1|2|...]
set ipsec-inner-fragment [disable|enable]
set ipsec-throughput-msg-frequency [disable|32KB|...]
set name {string}
set session-collector-interval {integer}
set session-timeout-fixed [disable|enable]
set session-timeout-interval {integer}
set session-timeout-random-range {integer}
next
end
fastpath Enable/disable NP4 or NP6XLITE offloading (also option - enable

called fast path).
Option Description
disable Disable NP4 or NP6XLITE offloading (fast path).

Fortinet Inc.
Option Description
enable Enable NP4 or NP6XLITE offloading (fast path).
garbage- Enable/disable garbage session collector. option - disable

session-
collector
Option Description
disable Disable garbage session collector.
enable Enable garbage session collector.
ipsec-STS- Set NP6XLite IPsec STS msg timeout. option - 5

timeout
Option Description
1 Set NP6Xlite STS message timeout to 1 sec (recommended for IPSec

throughput GUI).
2 Set NP6Xlite STS message timeout to 2 sec.
5 Set NP6Xlite STS message timeout to 5 sec (default).
ipsec-inner- Enable/disable NP6XLite IPsec fragmentation type: option - disable

fragment inner.
Option Description
disable NP6XLite ipsec fragmentation type: outer.
enable Enable NP6XLite ipsec fragmentation type: inner.
ipsec- Set NP6XLite IPsec throughput msg frequency: 0-- option - disable
throughput- disable 1--32KB 3--64KB ... 0x3fff--256MB 0x7fff--
msg- 512MB 0xffff--1GB.
frequency

Fortinet Inc.
Option Description
disable Disable NP6Xlite throughput update message.
32KB Set NP6Xlite throughput update message frequency to 32KB.
1MB Set NP6Xlite throughput update message frequency to 1MB.
1GB Set NP6Xlite throughput update message frequency to 1GB.
name Device Name. string Not

Specified

accounting only
Option Description
traffic-log-only Per-session accounting only for sessions with traffic logging enabled in firewall
policy.
session- Set garbage session collection cleanup interval. integer Minimum 64

collector- value: 1
interval Maximum
value: 100

Fortinet Inc.
session- Enable/disable fixed timeout interval mode. option - disable

timeout-fixed
Option Description
disable Disable NPU session timeout at fixed interval.
enable Enable NPU session timeout at fixed interval.
session- Set session timeout interval. integer Minimum 40

timeout- value: 0
interval Maximum
value: 1000
session- Set the randomization range. integer Minimum 8

timeout- value: 0
random-range Maximum
value: 1000
config fp-anomaly
tcp-syn-fin TCP SYN flood SYN/FIN flag set anomalies. option - allow
Option Description
allow Allow TCP packets with syn_fin flag set to pass.
drop Drop TCP packets with syn_fin flag set.
trap-to-host Forward TCP packets with syn_fin flag set to FortiOS.
tcp-fin-noack TCP SYN flood with FIN flag set without ACK setting option - trap-to-host
anomalies.
Option Description
allow Allow TCP packets with FIN flag set without ack setting to pass.
drop Drop TCP packets with FIN flag set without ack setting.
trap-to-host Forward TCP packets with FIN flag set without ack setting to FortiOS.
tcp-fin-only TCP SYN flood with only FIN flag set anomalies. option - trap-to-host
Option Description
allow Allow TCP packets with FIN flag set only to pass.
drop Drop TCP packets with FIN flag set only.
trap-to-host Forward TCP packets with FIN flag set only to FortiOS.

Fortinet Inc.
tcp-no-flag TCP SYN flood with no flag set anomalies. option - allow
Option Description
allow Allow TCP packets without flag set to pass.
drop Drop TCP packets without flag set.
trap-to-host Forward TCP packets without flag set to FortiOS.
tcp-syn-data TCP SYN flood packets with data anomalies. option - allow
Option Description
allow Allow TCP syn packets with data to pass.
drop Drop TCP syn packets with data.
trap-to-host Forward TCP syn packets with data to FortiOS.
tcp-winnuke TCP WinNuke anomalies. option - trap-to-host
Option Description
allow Allow TCP packets winnuke attack to pass.
drop Drop TCP packets winnuke attack.
trap-to-host Forward TCP packets winnuke attack to FortiOS.
tcp-land TCP land anomalies. option - trap-to-host
Option Description
allow Allow TCP land attack to pass.
drop Drop TCP land attack.
trap-to-host Forward TCP land attack to FortiOS.
udp-land UDP land anomalies. option - trap-to-host
Option Description
allow Allow UDP land attack to pass.
drop Drop UDP land attack.
trap-to-host Forward UDP land attack to FortiOS.
icmp-land ICMP land anomalies. option - trap-to-host

Fortinet Inc.
Option Description
allow Allow ICMP land attack to pass.
drop Drop ICMP land attack.
trap-to-host Forward ICMP land attack to FortiOS.
icmp-frag Layer 3 fragmented packets that could be part of layer option - allow
4 ICMP anomalies.
Option Description
allow Allow L3 fragment packet with L4 protocol as ICMP attack to pass.
drop Drop L3 fragment packet with L4 protocol as ICMP attack.
trap-to-host Forward L3 fragment packet with L4 protocol as ICMP attack to FortiOS.
Option Description
ipv4-proto-err Invalid layer 4 protocol anomalies. option - trap-to-host
Option Description
allow Allow IPv4 invalid L4 protocol to pass.
drop Drop IPv4 invalid L4 protocol.
trap-to-host Forward IPv4 invalid L4 protocol to FortiOS.
Option Description
ipv4-optrr Record route option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with record route option to pass.

Fortinet Inc.
Option Description
drop Drop IPv4 with record route option.
trap-to-host Forward IPv4 with record route option to FortiOS.
ipv4-optssrr Strict source record route option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with strict source record route option to pass.
drop Drop IPv4 with strict source record route option.
trap-to-host Forward IPv4 with strict source record route option to FortiOS.
ipv4-optlsrr Loose source record route option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with loose source record route option to pass.
drop Drop IPv4 with loose source record route option.
trap-to-host Forward IPv4 with loose source record route option to FortiOS.
ipv4-optstream Stream option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with stream option to pass.
drop Drop IPv4 with stream option.
trap-to-host Forward IPv4 with stream option to FortiOS.
ipv4-optsecurity Security option anomalies. option - trap-to-host
Option Description
allow Allow IPv4 with security option to pass.
drop Drop IPv4 with security option.
trap-to-host Forward IPv4 with security option to FortiOS.
ipv4- Timestamp option anomalies. option - trap-to-host

opttimestamp
Option Description
allow Allow IPv4 with timestamp option to pass.
drop Drop IPv4 with timestamp option.

Fortinet Inc.
Option Description
trap-to-host Forward IPv4 with timestamp option to FortiOS.
ipv4-csum-err Invalid IPv4 IP checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid IP checksum.
trap-to-host Forward IPv4 invalid IP checksum to main CPU for processing.
tcp-csum-err Invalid IPv4 TCP checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid TCP checksum.
trap-to-host Forward IPv4 invalid TCP checksum to main CPU for processing.
udp-csum-err Invalid IPv4 UDP checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid UDP checksum.
trap-to-host Forward IPv4 invalid UDP checksum to main CPU for processing.
icmp-csum-err Invalid IPv4 ICMP checksum anomalies. option - drop
Option Description
Option Description
ipv6-proto-err Layer 4 invalid protocol anomalies. option - trap-to-host
Option Description
allow Allow IPv6 L4 invalid protocol to pass.
drop Drop IPv6 L4 invalid protocol.
trap-to-host Forward IPv6 L4 invalid protocol to FortiOS.

Fortinet Inc.
Option Description
ipv6-saddr-err Source address as multicast anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with source address as multicast to pass.
drop Drop IPv6 with source address as multicast.
trap-to-host Forward IPv6 with source address as multicast to FortiOS.
ipv6-daddr-err Destination address as unspecified or loopback option - trap-to-host

address anomalies.
Option Description
allow Allow IPv6 with destination address as unspecified or loopback address to

pass.
drop Drop IPv6 with destination address as unspecified or loopback address.
trap-to-host Forward IPv6 with destination address as unspecified or loopback address

to FortiOS.
ipv6-optralert Router alert option anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with router alert option to pass.
drop Drop IPv6 with router alert option.
trap-to-host Forward IPv6 with router alert option to FortiOS.
ipv6-optjumbo Jumbo options anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with jumbo option to pass.
drop Drop IPv6 with jumbo option.
trap-to-host Forward IPv6 with jumbo option to FortiOS.
ipv6-opttunnel Tunnel encapsulation limit option anomalies. option - trap-to-host

Fortinet Inc.
Option Description
allow Allow IPv6 with tunnel encapsulation limit to pass.
drop Drop IPv6 with tunnel encapsulation limit.
trap-to-host Forward IPv6 with tunnel encapsulation limit to FortiOS.
ipv6- Home address option anomalies. option - trap-to-host

opthomeaddr
Option Description
allow Allow IPv6 with home address option to pass.
drop Drop IPv6 with home address option.
trap-to-host Forward IPv6 with home address option to FortiOS.
ipv6-optnsap Network service access point address option option - trap-to-host

anomalies.
Option Description
allow Allow IPv6 with network service access point address option to pass.
drop Drop IPv6 with network service access point address option.
trap-to-host Forward IPv6 with network service access point address option to FortiOS.
ipv6-optendpid End point identification anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with end point identification option to pass.
drop Drop IPv6 with end point identification option.
trap-to-host Forward IPv6 with end point identification option to FortiOS.
ipv6-optinvld Invalid option anomalies.Invalid option anomalies. option - trap-to-host
Option Description
allow Allow IPv6 with invalid option to pass.
drop Drop IPv6 with invalid option.
trap-to-host Forward IPv6 with invalid option to FortiOS.

Fortinet Inc.
config hpe

value: 10000
Maximum
value:
4000000000

value: 10000
Maximum
value:
4000000000

value: 10000
Maximum
value:
4000000000

value: 10000
Maximum
value:
4000000000

value: 10000
Maximum
value:
4000000000

value: 10000
Maximum
value:
4000000000

value: 10000
Maximum
value:
4000000000
value: 10000
Maximum
value:
4000000000

Fortinet Inc.

value: 10000
Maximum
value:
4000000000
Maximum
value:
4000000000
enable- Enable/Disable NPU host protection engine (HPE) option - disable

shaper shaper.
Option Description
config system npu-setting prp
FortiGate 61F, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 60F, FortiWiFi
61F.
It is not available for: FortiGate 1000D, FortiGate 100EF, FortiGate 100E, FortiGate 101E,
FortiGate 1100E, FortiGate 1101E, FortiGate 1200D, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1500DT, FortiGate 1500D, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E,
FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate
2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate
300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E, FortiGate 3301E,
FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E,
FortiGate 3601E, FortiGate 3700D, FortiGate 3800D, FortiGate 3960E, FortiGate 3980E,
FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 40F 3G4G, FortiGate 40F,
FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 5001E1,
FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 601E, FortiGate
60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 61E, FortiGate
FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 61E, FortiWiFi 80F 2R, FortiWiFi
81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
Configure NPU PRP attributes.

Description: Configure NPU PRP attributes.

Fortinet Inc.
set prp-port-in <interface-name1>, <interface-name2>, ...
set prp-port-out <interface-name1>, <interface-name2>, ...
end
prp-port-in Ingress port configured to allow the PRP trailer not string Maximum
<interface- be stripped off when the PRP packets come in. All of length: 35
name> the traffic originating from these ports will always be
sent to the host.
Physical interface name.
prp-port-out Egress port configured to allow the PRP trailer not be string Maximum
<interface- stripped off when the PRP packets go out. length: 35
config system npu-vlink
FortiGate 4400F, FortiGate 4401F.
FortiGate 140E-POE, FortiGate 140E, FortiGate 1500DT, FortiGate 1500D, FortiGate 2000E,
FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate
2201E, FortiGate 2500E, FortiGate 3000D, FortiGate 300E, FortiGate 301E, FortiGate 3100D,
FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 401E, FortiGate 40F
3G4G, FortiGate 40F, FortiGate 5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E,
Configure NPU VDOM link.

Description: Configure NPU VDOM link.
edit <name>
set name {string}
next
end

Fortinet Inc.
name NPU VDOM link name (maximum = 14 characters). string Not

Specified
config system npu
FortiGate 81F, FortiGate 900D, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi
40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E,
FortiWiFi 81F 2R.
It is not available for: FortiGate 90E, FortiGate 91E, FortiGate VM64.
Configure NPU attributes.

config system npu
Description: Configure NPU attributes.
set capwap-offload [enable|disable]
set dedicated-management-affinity {string}
set dedicated-management-cpu [enable|disable]
set default-qos-type [policing|shaping]
config dos-options
Description: NPU DoS configurations.
set npu-dos-meter-mode [global|local]
set npu-dos-tpe-mode [enable|disable]
end
set double-level-mcast-offload [enable|disable]
config dsw-dts-profile
Description: Configure NPU DSW DTS profile.
edit <profile-id>
set profile-id {integer}
set min-limit {integer}
set step {integer}

Fortinet Inc.
set action [wait|drop|...]
next
end
config dsw-queue-dts-profile
Description: Configure NPU DSW Queue DTS profile.
edit <name>
set name {string}
set iport [EIF0|EIF1|...]
set oport [EIF0|EIF1|...]
set profile-id {integer}
set queue-select {integer}
next
end
config fp-anomaly
Description: NP6Lite anomaly protection (packet drop or send trap to host).
set ipv4-ver-err [drop|trap-to-host]
set ipv4-ihl-err [drop|trap-to-host]
set ipv4-len-err [drop|trap-to-host]
set ipv4-ttlzero-err [drop|trap-to-host]
set ipv4-opt-err [drop|trap-to-host]
set tcp-hlen-err [drop|trap-to-host]
set tcp-plen-err [drop|trap-to-host]
set udp-plen-err [drop|trap-to-host]
set udp-hlen-err [drop|trap-to-host]
set udp-len-err [drop|trap-to-host]
set udplite-cover-err [drop|trap-to-host]
set udplite-csum-err [drop|trap-to-host]
set icmp-minlen-err [drop|trap-to-host]
set esp-minlen-err [drop|trap-to-host]
set unknproto-minlen-err [drop|trap-to-host]
set ipv6-ver-err [drop|trap-to-host]
set ipv6-ihl-err [drop|trap-to-host]
set ipv6-plen-zero [drop|trap-to-host]
set ipv6-exthdr-order-err [drop|trap-to-host]
set ipv6-exthdr-len-err [drop|trap-to-host]
end
set gtp-enhanced-cpu-range [0|1|...]
set gtp-enhanced-mode [enable|disable]
set gtp-support [enable|disable]
set hash-tbl-spread [enable|disable]
set host-shortcut-mode [bi-directional|host-shortcut]
config hpe
Description: Host protection engine configuration.
set all-protocol {integer}
set tcpsyn-ack-max {integer}
set tcpfin-rst-max {integer}

Fortinet Inc.
set high-priority {integer}
end
set htab-dedi-queue-nr {integer}
set htab-msg-queue [data|idle|...]
set htx-gtse-quota [100Mbps|200Mbps|...]
set htx-icmp-csum-chk [drop|pass]
set inbound-dscp-copy-port <interface1>, <interface2>, ...
set intf-shaping-offload [enable|disable]
set ip-fragment-offload [disable|enable]
config ip-reassembly
Description: IP reassebmly engine configuration.
set min-timeout {integer}
set max-timeout {integer}
end
set iph-rsvd-re-cksum [enable|disable]
set ipsec-dec-subengine-mask {user}
set ipsec-enc-subengine-mask {user}
set ipsec-inbound-cache [enable|disable]
set ipsec-mtu-override [disable|enable]
set ipsec-ob-np-sel [rr|Packet|...]
set ipsec-over-vlink [enable|disable]
config isf-np-queues
Description: Configure queues of switch port connected to NP6 XAUI on ingress path.
set cos0 {string}
set cos1 {string}
set cos2 {string}
set cos3 {string}
set cos4 {string}
set cos5 {string}
set cos6 {string}
set cos7 {string}
end
set lag-out-port-select [disable|enable]
set max-session-timeout {integer}
set mcast-session-accounting [tpe-based|session-based|...]
set napi-break-interval {integer}
config np-queues
Description: Configure queue assignment on NP7.
config profile
Description: Configure a NP7 class profile.
edit <id>
set id {integer}
set type [cos|dscp]
set cos0 [queue0|queue1|...]

Fortinet Inc.
set dscp0 [queue0|queue1|...]

Fortinet Inc.
next
end
config ethernet-type
Description: Configure a NP7 QoS Ethernet Type.
edit <name>
set name {string}
set type {ether-type}
set queue {integer}
next
end
config ip-protocol
Description: Configure a NP7 QoS IP Protocol.
edit <name>
set name {string}
set queue {integer}
next
end
config ip-service
Description: Configure a NP7 QoS IP Service.
edit <name>
set name {string}
set sport {integer}
set dport {integer}
set queue {integer}
next
end
config scheduler
Description: Configure a NP7 QoS Scheduler.
edit <name>
set name {string}
set mode [none|priority|...]
next
end
end
set np6-cps-optimization-mode [enable|disable]
set per-policy-accounting [disable|enable]
set policy-offload-level [disable|dos-offload]
config port-cpu-map
Description: Configure NPU interface to CPU core mapping.

Fortinet Inc.
edit <interface>
set cpu-core {string}
next
end
config port-npu-map
Description: Configure port to NPU group mapping.
edit <interface>
set npu-group-index {integer}
next
end
config port-path-option
Description: Configure port using NPU or Intel-NIC.
set ports-using-npu <interface-name1>, <interface-name2>, ...
end
config priority-protocol
Description: Configure NPU priority protocol.
set bgp [enable|disable]
set slbc [enable|disable]
end
set qos-mode [disable|priority|...]
set qtm-buf-mode [6ch|4ch]
set rdp-offload [enable|disable]
set recover-np6-link [enable|disable]
set session-acct-interval {integer}
set session-denied-offload [disable|enable]
set sse-backpressure [enable|disable]
set strip-clear-text-padding [enable|disable]
set strip-esp-padding [enable|disable]
config sw-eh-hash
Description: Configure switch enhanced hashing.
set computation [xor16|xor8|...]
set ip-protocol [include|exclude]
set source-ip-upper-16 [include|exclude]
set source-ip-lower-16 [include|exclude]
set destination-ip-upper-16 [include|exclude]
set destination-ip-lower-16 [include|exclude]
set source-port [include|exclude]
set destination-port [include|exclude]
set netmask-length {integer}
end
set sw-np-bandwidth [0G|2G|...]
set switch-np-hash [src-ip|dst-ip|...]
set uesp-offload [enable|disable]
set vlan-lookup-cache [enable|disable]
end

Fortinet Inc.
config system npu
capwap-offload * Enable/disable offloading managed FortiAP and option - enable

FortiLink CAPWAP sessions.
Option Description
enable Enable CAPWAP offload.
disable Disable CAPWAP offload.
dedicated- Affinity setting for management deamons string Not 1

management- (hexadecimal value up to 256 bits in the format of Specified
affinity * xxxxxxxxxxxxxxxx).
dedicated- Enable to dedicate one CPU for GUI and CLI option - disable
management- connections when NPs are busy.
cpu *
Option Description
enable Enable dedication of CPU #0 for management tasks.
disable Disable dedication of CPU #0 for management tasks.
default-qos-type Set default QoS type. option - shaping

*
Option Description
policing QoS type policing.
shaping QoS type shaping.
double-level- Enable double level mcast offload. option - disable

mcast-offload *
Option Description
enable Enable double level mcast offload.
disable Disable double level mcast offload.
fastpath * Enable/disable NP6 offloading (also called fast option - enable

path).
Option Description
disable Disable NP6 offloading (fast path).
enable Enable NP6 offloading (fast path).
gtp-enhanced- GTP enhanced CPU range option. option - 0

cpu-range *

Fortinet Inc.
Option Description
0 Inspect GTPU packets by all CPUs.
1 Inspect GTPU packets by Master CPUs.
2 Inspect GTPU packets by Slave CPUs.
gtp-enhanced- Enable/disable GTP enhanced mode. option - disable

mode *
Option Description
enable Enable GTP enhanced mode.
disable Disable GTP enhanced mode.
gtp-support * Enable/Disable NP7 GTP support option - disable
Option Description
enable Enable NP7 GTP support
disable Disable NP7 GTP support
hash-tbl-spread * Enable/disable hash table entry spread. option - enable
Option Description
enable Enable hash table entry spread.
disable Disable hash table entry spread.
host-shortcut- Set NP6 host shortcut mode. option - bi-directional

mode *
Option Description
bi-directional Offload TCP and IP Tunnel sessions in both directions between 10G and
1G interfaces (normal operation).
host-shortcut Only offload TCP and IP Tunnel sessions received by 1G interfaces. Select
if packets are dropped for offloaded traffic between 10G to 1G interfaces.
htab-dedi-queue- Set the number of dedicate queue for hash table integer Minimum 1
nr * messages. value: 1
Maximum
value: 2
htab-msg-queue Set hash table message queue mode. option - data

*

Fortinet Inc.
Option Description
data Use data queue.
idle Use idle queue.
dedicated Use dedicated queue.
htx-gtse-quota * Configure HTX GTSE quota. option - 1Gbps
Option Description
100Mbps 100Mbps.
200Mbps 200Mbps.
300Mbps 300Mbps.
400Mbps 400Mbps.
500Mbps 500Mbps.
600Mbps 600Mbps.
700Mbps 700Mbps.
800Mbps 800Mbps.
900Mbps 900Mbps.
1Gbps 1Gbps.
2Gbps 2Gbps.
4Gbps 4Gbps.
8Gbps 8Gbps.
10Gbps 10Gbps.
htx-icmp-csum- Set HTX icmp csum checking mode. option - drop

chk *
Option Description
drop Drop bad icmp csum.
pass Pass bad icmp csum.
inbound-dscp- Physical interfaces that support inbound-dscp-copy. string Maximum

copy-port Physical interface name. length: 15
<interface> *
intf-shaping- Enable/disable NPU offload when doing interface- option - disable

offload * based traffic shaping according to the egress-
shaping-profile.

Fortinet Inc.
Option Description
enable Enable NPU offload when doing interface-based traffic shaping according
to the egress-shaping-profile.
disable Disable NPU offload when doing interface-based traffic shaping according
to the egress-shaping-profile.
ip-fragment- Enable/disable NP7 NPU IP fragment offload. option - enable

offload *
Option Description
disable Disable IP fragment offload.
enable Enable IP fragment offload.
iph-rsvd-re- Enable/disable IP checksum re-calculation for option - disable

cksum * packets with iph.reserved bit set.
Option Description
enable Enable IP checksum re-calculation for packets with iph.reserved bit set.
disable Disable IP checksum re-calculation for packets with iph.reserved bit set.
ipsec-dec- IPsec decryption subengine mask. user Not

subengine-mask Specified
*
ipsec-enc- IPsec encryption subengine mask. user Not

subengine-mask Specified
*
ipsec-inbound- Enable/disable IPsec inbound cache for anti-replay. option - enable

cache *
Option Description
enable Enable inbound cache always.
disable Disable inbound cache when IPsec anti-replay is on.
ipsec-mtu- Enable/disable NP6 IPsec MTU override. option - disable

override *
Option Description
disable Disable NP6 IPsec MTU override.
enable Enable NP6 IPsec MTU override.
ipsec-ob-np-sel * IPsec NP selection for OB SA offloading. option - rr

Fortinet Inc.
Option Description
rr Round Robin.
Packet NPU of the first packet.
Hash Hash.
ipsec-over-vlink * Enable/disable IPsec over vlink. option - disable
Option Description
enable Enable IPSEC over vlink.
disable Disable IPSEC over vlink.
lag-out-port- Enable/disable LAG outgoing port selection based option - disable

select * on incoming traffic port.
Option Description
disable Disable LAG outgoing trunk in switch.
enable Enable LAG outgoing trunk in switch.
max-session- Maximum time interval for refreshing NPU-offloaded integer Minimum 40

timeout * sessions. value: 10
Maximum
value: 1000
mcast-session- Enable/disable traffic accounting for each multicast option - tpe-based

accounting * session through TAE counter.
Option Description
tpe-based Enable TPE-based multicast session accounting.
session-based Enable session-based multicast session accounting.
disable Disable multicast session accounting.
napi-break- NAPI break interval. integer Minimum 0

interval * value: 0
Maximum
value:
65535
np6-cps- Enable/disable NP6 connection per second (CPS) option - disable

optimization- optimization mode.
mode *

Fortinet Inc.
Option Description
enable Enable NP6 connection per second (CPS) optimization mode.
disable Disable NP6 connection per second (CPS) optimization mode.
per-policy- Set per-policy accounting. option - disable

accounting *
Option Description
disable Disable per-policy hit count.
enable Enable per-policy hit count

accounting * only
Option Description
traffic-log-only Per-session accounting only for sessions with traffic logging enabled in
firewall policy.
policy-offload- Configure firewall policy offload level. option - disable

level *
Option Description
disable Disable policy offloading
dos-offload Only enable DoS policy offloading
qos-mode * QoS mode on switch and NP. option - disable
Option Description
disable Disable QoS on switch and NP.
priority Priority based.
round-robin Round robin scheduler.
qtm-buf-mode * QTM channel configuration for packet buffer. option - 6ch
Option Description
6ch 6 DRAM channels for packet buffer.
4ch 4 DRAM channels for packet buffer.

Fortinet Inc.
rdp-offload * Enable/disable RDP offload. option - enable
Option Description
enable Enable reliable datagram protocol traffic offload.
disable Disable reliable datagram protocol traffic offload.
recover-np6-link Enable/disable internal link failure check and option - disable

* recovery after boot up.
Option Description
enable Enable internal link failure check and recovery after boot up.
disable Disable internal link failure check and recovery after boot up.
session-acct- Session accounting update interval. integer Minimum 5

interval * value: 1
Maximum
value: 10
session-denied- Enable/disable offloading of denied sessions. option - disable

offload * Requires ses-denied-traffic to be set.
Option Description
disable Disable offloading of denied sessions.
enable Enable offloading of denied sessions.
sse- Enable/disable SSE backpressure. option - disable

backpressure *
Option Description
enable Enable SSE backpressureg.
disable Disable SSE backpressureg.
strip-clear-text- Enable/disable stripping clear text padding. option - disable

padding *
Option Description
enable Enable stripping clear text padding.
disable Disable stripping clear text padding.
strip-esp-padding Enable/disable stripping ESP padding. option - disable

*

Fortinet Inc.
Option Description
enable Enable stripping ESP padding.
disable Disable stripping ESP padding.
sw-np-bandwidth Bandwidth from switch to NP. option - 0G

*
Option Description
0G Default value. No bandwidth control.
2G 2Gbps.
4G 4Gbps.
5G 5Gbps.
6G 6Gbps.
switch-np-hash * Switch-NP trunk port selection Criteria. option - src-dst-ip
Option Description
src-ip Source IP address.
dst-ip Destination IP address.
src-dst-ip Source+dest IP address.
uesp-offload * Enable/disable UDP-encapsulated ESP offload. option - disable
Option Description
enable Enable UDP-encapsulated ESP traffic offload.
disable Disable UDP-encapsulated ESP traffic offload.
vlan-lookup- Enable/disable vlan lookup cache. option - enable

cache *
Option Description
enable Enable VLAN lookup cache.
disable Disable VLAN lookup cache.

Fortinet Inc.
config dos-options
npu-dos- Set DoS meter NPU offloading mode. option - global

meter-mode
Option Description
global Install DoS meter to all NPs.
local Install DoS meter only to the NP assigned to the traffic.
npu-dos-tpe- Enable/disable insertion of DoS meter ID to session option - enable

mode table.
Option Description
enable Enable insertion of DoS meter ID to session table.
disable Disable insertion of DoS meter ID to session table.
config dsw-dts-profile
profile-id Set NPU DSW DTS profile profile id. integer Minimum 0
value: 1
Maximum
value: 32
min-limit Set NPU DSW DTS profile min-limt. integer Minimum 0

value: 32
Maximum
value: 2048
step Set NPU DSW DTS profile step. integer Minimum 0

value: 0
Maximum
value: 64
action Set NPU DSW DTS profile action. option - wait
Option Description
wait DSW DTS profile WAIT indefinitely.
drop DSW DTS profile DROP immediately.
drop_tmr_0 DSW DTS profile DROP after interval #0 time-out.
drop_tmr_1 DSW DTS profile DROP after interval #1 time-out.
enque DSW DTS profile ENQUE immediately.

Fortinet Inc.
Option Description
enque_0 DSW DTS profile ENQUE after interval #0 time-out.
enque_1 DSW DTS profile ENQUE after interval #1 time-out.
config dsw-queue-dts-profile

Specified
iport Set NPU DSW DTS in port. option - EIF0
Option Description
EIF0 DSW IPORT EIF0.
HTX0 DSW IPORT HTX0.
HTX1 DSW IPORT HTX1.
SSE0 DSW IPORT SSE0.
RLT DSW IPORT RLT.
DFR DSW IPORT DFR.
IPSECI DSW IPORT IPSECI.
IPSECO DSW IPORT IPSECO.
IPTI DSW IPORT IPTI.
IPTO DSW IPORT IPTO.

Fortinet Inc.
Option Description
VEP0 DSW IPORT VEP0.
IVS DSW IPORT IVS.
L2TI1 DSW IPORT L2TI1.
L2TO DSW IPORT L2TO.
L2TI0 DSW IPORT L2TI0.
PLE DSW IPORT PLE.
SPATH DSW IPORT SPATH.
QTM DSW IPORT QTM.
oport Set NPU DSW DTS out port. option - EIF0
Option Description
EIF0 DSW OPORT EIF0.
HRX DSW OPORT HRX.
SSE0 DSW OPORT SSE0.
RLT DSW OPORT RLT.
DFR DSW OPORT DFR.

Fortinet Inc.
Option Description
IPSECI DSW OPORT IPSECI.
IPSECO DSW OPORT IPSECO.
IPTI DSW OPORT IPTI.
IPTO DSW OPORT IPTO.
VEP0 DSW OPORT VEP0.
IVS DSW OPORT IVS.
L2TI1 DSW OPORT L2TI1.
L2TO DSW OPORT L2TO.
L2TI0 DSW OPORT L2TI0.
PLE DSW OPORT PLE.
SYNK DSW OPORT SYNK.
NSS DSW OPORT NSS.
TSK DSW OPORT TSK.
QTM DSW OPORT QTM.
profile-id Set NPU DSW DTS profile ID. integer Minimum 0

value: 1
Maximum
value: 32
queue-select Set NPU DSW DTS queue ID select. integer Minimum 0

value: 0
Maximum
value: 4095
config fp-anomaly
ipv4-ver-err * Invalid IPv4 header version anomalies. option - drop
Option Description
drop Drop IPv4 invalid header version.

Fortinet Inc.
Option Description
trap-to-host Forward IPv4 invalid header version to main CPU for processing.
ipv4-ihl-err * Invalid IPv4 header length anomalies. option - drop
Option Description
drop Drop IPv4 invalid header length.
trap-to-host Forward IPv4 invalid header length to main CPU for processing.
ipv4-len-err * Invalid IPv4 packet length anomalies. option - drop
Option Description
drop Drop IPv4 invalid packet length.
trap-to-host Forward IPv4 invalid packet length to main CPU for processing.
ipv4-ttlzero- Invalid IPv4 TTL field zero anomalies. option - drop

err *
Option Description
drop Drop IPv4 invalid TTL field zero.
trap-to-host Forward IPv4 invalid TTL field zero to main CPU for processing.
ipv4-csum-err Invalid IPv4 packet checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid L3 checksum.
trap-to-host Forward IPv4 invalid L3 checksum to main CPU for processing.
ipv4-opt-err * Invalid IPv4 option parsing anomalies. option - drop
Option Description
drop Drop IPv4 invalid option parsing.
trap-to-host Forward IPv4 invalid option parsing to main CPU for processing.
tcp-hlen-err * Invalid IPv4 TCP header length anomalies. option - drop
Option Description
drop Drop IPv4 invalid TCP packet header length.
trap-to-host Forward IPv4 invalid TCP packet header length to main CPU for processing.

Fortinet Inc.
tcp-plen-err * Invalid IPv4 TCP packet length anomalies. option - drop
Option Description
drop Drop IPv4 invalid TCP packet length.
trap-to-host Forward IPv4 invalid TCP packet length to main CPU for processing.
tcp-csum-err Invalid IPv4 TCP packet checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid TCP packet checksum.
trap-to-host Forward IPv4 invalid TCP packet checksum to main CPU for processing.
udp-plen-err * Invalid IPv4 UDP packet minimum length anomalies. option - drop
Option Description
drop Drop IPv4 invalid UDP packet minimum length.
trap-to-host Forward IPv4 invalid UDP packet minimum length to main CPU for
processing.
udp-hlen-err * Invalid IPv4 UDP packet header length anomalies. option - drop
Option Description
drop Drop IPv4 invalid UDP header length.
trap-to-host Forward IPv4 invalid UDP header length to main CPU for processing.
udp-csum-err Invalid IPv4 UDP packet checksum anomalies. option - drop
Option Description
drop Drop IPv4 invalid UDP packet checksum.
trap-to-host Forward IPv4 invalid UDP packet checksum to main CPU for processing.
udp-len-err * Invalid IPv4 UDP packet length anomalies. option - drop
Option Description
drop Drop IPv4 invalid UDP packet length.
trap-to-host Forward IPv4 invalid UDP packet length to main CPU for processing.
udplite-cover- Invalid IPv4 UDP-Lite packet coverage anomalies. option - drop

err *

Fortinet Inc.
Option Description
drop Drop IPv4 invalid UDP-Lite packet coverage.
trap-to-host Forward IPv4 invalid UDP-Lite packet coverage to main CPU for processing.
udplite-csum- Invalid IPv4 UDP-Lite packet checksum anomalies. option - drop

err *
Option Description
drop Drop IPv4 invalid UDP-Lite packet checksum.
trap-to-host Forward IPv4 invalid UDP-Lite packet checksum to main CPU for processing.
icmp-minlen- Invalid IPv4 ICMP short packet anomalies. option - drop

err *
Option Description
drop Drop IPv4 invalid ICMP short packet.
trap-to-host Forward IPv4 invalid ICMP short packet to main CPU for processing.
icmp-csum- Invalid IPv4 ICMP packet checksum anomalies. option - drop

err
Option Description
esp-minlen- Invalid IPv4 ESP short packet anomalies. option - drop

err *
Option Description
drop Drop IPv4 invalid ESP short packet.
trap-to-host Forward IPv4 invalid ESP short packet to main CPU for processing.
unknproto- Invalid IPv4 L4 unknown protocol short packet option - drop

minlen-err * anomalies.
Option Description
drop Drop IPv4 invalid L4 unknown protocol short packet.
trap-to-host Forward IPv4 invalid L4 unknown protocol short packet to main CPU for
processing.
ipv6-ver-err * Invalid IPv6 packet version anomalies. option - drop

Fortinet Inc.
Option Description
drop Drop IPv6 with invalid packet version.
trap-to-host Forward IPv6 with invalid packet version to FortiOS.
ipv6-ihl-err * Invalid IPv6 packet length anomalies. option - drop
Option Description
drop Drop IPv6 with invalid packet length.
trap-to-host Forward IPv6 with invalid packet length to FortiOS.
ipv6-plen- Invalid IPv6 packet payload length zero anomalies. option - drop
zero *
Option Description
drop Drop IPv6 with invalid packet payload length zero.
trap-to-host Forward IPv6 with invalid packet payload length zero to FortiOS.
ipv6-exthdr- Invalid IPv6 packet extension header ordering option - drop

order-err * anomalies.
Option Description
drop Drop IPv6 with invalid packet extension header ordering.
trap-to-host Forward IPv6 with invalid packet extension header ordering to FortiOS.
ipv6-exthdr- Invalid IPv6 packet chain extension header total length option - drop
len-err * anomalies.
Option Description
drop Drop IPv6 with invalid packet chain extension header total length.
trap-to-host Forward IPv6 with invalid packet chain extension header total length to
FortiOS.
config hpe
all-protocol Maximum packet rate of each host queue except high integer Minimum 400000
priority traffic, set 0 to disable. value: 0
Maximum
value:
32000000

Fortinet Inc.

value: 1000
Maximum
value:
32000000
tcpsyn-ack- Maximum TCP carries SYN and ACK flags packet rate. integer Minimum 40000
max value: 1000
Maximum
value:
32000000
tcpfin-rst-max Maximum TCP carries FIN or RST flags packet rate. integer Minimum 40000
value: 1000
Maximum
value:
32000000

value: 1000
Maximum
value:
32000000

value: 1000
Maximum
value:
32000000

value: 1000
Maximum
value:
32000000

value: 1000
Maximum
value:
32000000

value: 1000
Maximum
value:
32000000

Fortinet Inc.

value: 1000
Maximum
value:
32000000
value: 1000
Maximum
value:
32000000

value: 1000
Maximum
value:
32000000
Maximum
value:
32000000
high-priority Maximum packet rate for high priority traffic packets. integer Minimum 400000
value: 1000
Maximum
value:
32000000
enable- Enable/Disable NPU Host Protection Engine (HPE) for option - disable
shaper packet type shaper.
Option Description
config ip-reassembly
min-timeout Minimum timeout value for IP reassembly (5 us - integer Minimum 64

600,000,000 us). value: 5
Maximum
value:
600000000

Fortinet Inc.
max-timeout Maximum timeout value for IP reassembly (5 us - integer Minimum 200000

600,000,000 us). value: 5
Maximum
value:
600000000
status Set IP reassembly processing status. option - disable
Option Description
disable Disable IP reassembly.
enable Enable IP reassembly.
config isf-np-queues

Specified

Specified

Specified

Specified

Specified

Specified

Specified

Specified
config profile
id Profile ID. integer Minimum 0

value: 0
Maximum
value: 255

Fortinet Inc.
type Profile type. option - cos
Option Description
cos VLAN priority.
dscp IP differentiated services code point.
weight Class weight. integer Minimum 6

value: 0
Maximum
value: 15
cos0 Queue number of CoS 0. option - queue0
Option Description
queue0 Queue number 0.
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
dscp0 Queue number of DSCP 0. option - queue0
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description
Option Description

Fortinet Inc.
Option Description
Option Description
Option Description

Fortinet Inc.
config ethernet-type
name Ethernet Type Name. string Not

Specified
type Ethernet Type. ether-type Not 0

Specified
queue Queue Number. integer Minimum 0

value: 0
Maximum
value: 11
weight Class Weight. integer Minimum 15

value: 0
Maximum
value: 15
config ip-protocol
name IP Protocol Name. string Not

Specified
protocol IP Protocol. integer Minimum 0

value: 0
Maximum
value: 255
queue Queue Number. integer Minimum 0

value: 0
Maximum
value: 11
weight Class Weight. integer Minimum 14

value: 0
Maximum
value: 15
config ip-service
name IP service name. string Not

Specified

Fortinet Inc.
protocol IP protocol. integer Minimum 0

value: 0
Maximum
value: 255
sport Source port. integer Minimum 0

value: 0
Maximum
value:
65535
dport Destination port. integer Minimum 0

value: 0
Maximum
value:
65535
queue Queue number. integer Minimum 0

value: 0
Maximum
value: 11
weight Class weight. integer Minimum 13

value: 0
Maximum
value: 15
config scheduler
name Scheduler name. string Not

Specified
mode Scheduler mode. option - none
Option Description
none Disable QoS on NP7.
priority Priority Based.
round-robin Round Robin Scheduler.
config port-cpu-map
interface The interface to map to a CPU core. string Not

Specified

Fortinet Inc.
cpu-core The CPU core to map to an interface. string Not all

Specified
config port-npu-map
interface Set NPU interface port for NPU group mapping. string Not Specified
npu-group- Mapping NPU group index. integer Minimum 0

index value: 0
Maximum
value:
4294967295
config port-path-option
ports-using-npu Set ha/aux ports to handle traffic with NPU (otherise string Maximum
<interface- traffic goes to Intel-NIC and then CPU). length: 15
name> Available interfaces for NPU path.
config priority-protocol
bgp Enable/disable NPU BGP priority protocol. option - enable
Option Description
enable Enable NPU BGP priority protocol.
disable Disable NPU BGP priority protocol.
slbc Enable/disable NPU SLBC priority protocol. option - enable
Option Description
enable Enable NPU SLBC priority protocol.
disable Disable NPU SLBC priority protocol.
bfd Enable/disable NPU BFD priority protocol. option - enable
Option Description
enable Enable NPU BFD priority protocol.
disable Disable NPU BFD priority protocol.

Fortinet Inc.
config sw-eh-hash
computation Set hashing computation. option - xor16
Option Description
xor16 Use XOR operator to make 16 bits hash.
crc16 Use CRC-16-CCITT polynomial to make 16 bits hash.
ip-protocol Include/exclude IP protocol. option - include
Option Description
include Include IP protocol.
exclude Exclude IP protocol.
source-ip- Include/exclude source IP address upper 16 bits. option - include

upper-16
Option Description
include Include source IP address upper 16 bits.
exclude Exclude source IP address upper 16 bits.
source-ip- Include/exclude source IP address lower 16 bits. option - include

lower-16
Option Description
include Include source IP address lower 16 bits.
exclude Exclude source IP address lower 16 bits.
destination-ip- Include/exclude destination IP address upper 16 bits. option - include

upper-16
Option Description
include Include destination IP address upper 16 bits.
exclude Exclude destination IP address upper 16 bits.
destination-ip- Include/exclude destination IP address lower 16 bits. option - include

lower-16

Fortinet Inc.
Option Description
include Include destination IP address lower 16 bits.
exclude Exclude destination IP address lower 16 bits.
source-port Include/exclude source port if TCP/UDP. option - include
Option Description
include Include source port if TCP/UDP.
exclude Exclude source port if TCP/UDP.
destination- Include/exclude destination port if TCP/UDP. option - include

port
Option Description
include Include destination port if TCP/UDP.
exclude Exclude destination port if TCP/UDP.
netmask- Network mask length. integer Minimum 32

length value: 17
Maximum
value: 32
config system ntp
Configure system NTP information.

config system ntp
Description: Configure system NTP information.
set key {password}
set key-id {integer}
set key-type [MD5|SHA1]
config ntpserver
Description: Configure the FortiGate to connect to any available third-party NTP
server.
edit <id>
set id {integer}
set server {string}
set ntpv3 [enable|disable]
set key {password}
set key-id {integer}
next
end

Fortinet Inc.
set ntpsync [enable|disable]
set server-mode [enable|disable]
set syncinterval {integer}
set type [fortiguard|custom]
end
config system ntp
authentication Enable/disable authentication. option - disable
Option Description
enable Enable authentication.
disable Disable authentication.
interface FortiGate interface(s) with NTP server mode string Maximum

<interface- enabled. Devices on your network can contact length: 79
name> these interfaces for NTP services.
Interface name.
key Key for authentication. password Not Specified
key-id Key ID for authentication. integer Minimum 0

value: 0
Maximum
value:
4294967295
key-type Key type for authentication (MD5, SHA1). option - MD5
Option Description
MD5 Use MD5 to authenticate the message.
SHA1 Use SHA1 to authenticate the message.
ntpsync Enable/disable setting the FortiGate system time option - disable

by synchronizing with an NTP Server.
Option Description
enable Enable synchronization with NTP Server.
disable Disable synchronization with NTP Server.
server-mode Enable/disable FortiGate NTP Server Mode. option - disable

Your FortiGate becomes an NTP server for other
devices on your network. The FortiGate relays
NTP requests to its configured NTP server.

Fortinet Inc.
Option Description
enable Enable FortiGate NTP Server Mode.
disable Disable FortiGate NTP Server Mode.
source-ip Source IP address for communication to the NTP ipv4- Not Specified 0.0.0.0
server. address
source-ip6 Source IPv6 address for communication to the ipv6- Not Specified ::
NTP server. address
syncinterval NTP synchronization interval. integer Minimum 60

value: 1
Maximum
value: 1440
type Use the FortiGuard NTP server or any other option - fortiguard
available NTP Server.
Option Description
fortiguard Use the FortiGuard NTP server.
custom Use any other available NTP server.
config ntpserver
id NTP server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
server IP address or hostname of the NTP Server. string Not Specified
ntpv3 Enable to use NTPv3 instead of NTPv4. option - disable
Option Description
enable Enable NTPv3.
disable Disable NTPv3 (use NTPv4).
authentication Enable/disable MD5(NTPv3)/SHA1(NTPv4) option - disable

authentication.

Fortinet Inc.
Option Description
enable Enable MD5(NTPv3)/SHA1(NTPv4) authentication.
disable Disable MD5(NTPv3)/SHA1(NTPv4) authentication.
key Key for MD5(NTPv3)/SHA1(NTPv4) authentication. password Not Specified
key-id Key ID for authentication. integer Minimum 0

value: 0
Maximum
value:
4294967295

method server.
Option Description
config system object-tagging
Configure object tagging.

Description: Configure object tagging.
edit <category>
set address [disable|mandatory|...]
set color {integer}
set device [disable|mandatory|...]
set interface [disable|mandatory|...]
set multiple [enable|disable]
next
end
address Address. option - optional

Fortinet Inc.
Option Description
disable Disable.
mandatory Mandatory.
optional Optional.
category Tag Category. string Not

Specified

value: 0
Maximum
value: 32
device Device. option - optional
Option Description
disable Disable.
optional Optional.
interface Interface. option - optional
Option Description
disable Disable.
optional Optional.
multiple Allow multiple tag selection. option - enable
Option Description
enable Enable multi-tagging.
disable Disable multi-tagging.

config system password-policy-guest-admin
Configure the password policy for guest administrators.

Description: Configure the password policy for guest administrators.
set apply-to {option1}, {option2}, ...

Fortinet Inc.
set expire-day {integer}
set expire-status [enable|disable]
set min-change-characters {integer}
set min-lower-case-letter {integer}
set min-non-alphanumeric {integer}
set min-number {integer}
set min-upper-case-letter {integer}
set minimum-length {integer}
set reuse-password [enable|disable]
end
apply-to Guest administrator to which this password policy option - guest-

applies. admin-
password
Option Description
guest-admin- Apply to guest administrator password.

password
expire-day Number of days after which passwords expire. integer Minimum 90

value: 1
Maximum
value: 999
expire-status Enable/disable password expiration. option - disable
Option Description
enable Passwords expire after expire-day days.
disable Passwords do not expire.
min-change- Minimum number of unique characters in new integer Minimum 0

characters password which do not exist in old password. value: 0
Maximum
value: 128
min-lower-case- Minimum number of lowercase characters in integer Minimum 0

letter password. value: 0
Maximum
value: 128
min-non- Minimum number of non-alphanumeric characters in integer Minimum 0

alphanumeric password. value: 0
Maximum
value: 128

Fortinet Inc.
min-number Minimum number of numeric characters in password. integer Minimum 0

value: 0
Maximum
value: 128
min-upper- Minimum number of uppercase characters in integer Minimum 0

case-letter password. value: 0
Maximum
value: 128
minimum-length Minimum password length. integer Minimum 8

value: 8
Maximum
value: 128
reuse-password Enable/disable reuse of password. If both reuse- option - enable

password and min-change-characters are enabled,
min-change-characters overrides.
Option Description
enable Administrators are allowed to reuse the same password.
disable Administrators must create a new password.
status Enable/disable setting a password policy for locally option - disable

defined administrator passwords and IPsec VPN pre-
shared keys.
Option Description
enable Enable password policy.
disable Disable password policy.
config system password-policy
Configure password policy for locally defined administrator passwords and IPsec VPN pre-shared keys.
Description: Configure password policy for locally defined administrator passwords and
IPsec VPN pre-shared keys.
set apply-to {option1}, {option2}, ...
set expire-day {integer}
set expire-status [enable|disable]
set min-change-characters {integer}
set min-lower-case-letter {integer}
set min-non-alphanumeric {integer}
set min-number {integer}
set min-upper-case-letter {integer}
set minimum-length {integer}
set reuse-password [enable|disable]

Fortinet Inc.
end
apply-to Apply password policy to administrator passwords or option - admin-

IPsec pre-shared keys or both. Separate entries with password
a space.
Option Description
admin-password Apply to administrator passwords.
ipsec-preshared- Apply to IPsec pre-shared keys.

key
expire-day Number of days after which passwords expire. integer Minimum 90

value: 1
Maximum
value: 999
expire-status Enable/disable password expiration. option - disable
Option Description
enable Passwords expire after expire-day days.
disable Passwords do not expire.
min-change- Minimum number of unique characters in new integer Minimum 0

characters password which do not exist in old password. value: 0
Maximum
value: 128
min-lower-case- Minimum number of lowercase characters in integer Minimum 0

letter password. value: 0
Maximum
value: 128
min-non- Minimum number of non-alphanumeric characters in integer Minimum 0

alphanumeric password. value: 0
Maximum
value: 128
min-number Minimum number of numeric characters in password. integer Minimum 0

value: 0
Maximum
value: 128

Fortinet Inc.
min-upper- Minimum number of uppercase characters in integer Minimum 0

case-letter password. value: 0
Maximum
value: 128
minimum-length Minimum password length. integer Minimum 8

value: 8
Maximum
value: 128
reuse-password Enable/disable reuse of password. If both reuse- option - enable

password and min-change-characters are enabled,
min-change-characters overrides.
Option Description
enable Administrators are allowed to reuse the same password.
disable Administrators must create a new password.
status Enable/disable setting a password policy for locally option - disable

defined administrator passwords and IPsec VPN pre-
shared keys.
Option Description
enable Enable password policy.
disable Disable password policy.
config system performance firewall packet-distribution
Show distribution statistics.

config system performance firewall packet-distribution
Description: Show distribution statistics.
end
config system performance firewall statistics
Show traffic stats.

config system performance firewall statistics
Description: Show traffic stats.
end
config system performance status
System performance status.

Fortinet Inc.
config system performance status
Description: System performance status.
end
config system performance top
Display information about the top CPU processes.

Description: Display information about the top CPU processes.
set <delay> {string}
end
<delay> Delay in seconds. string Not

Specified
config system physical-switch
FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 200F, FortiGate 201F,
FortiGate 3501F, FortiGate 3800D, FortiGate 400E, FortiGate 401E, FortiGate 40F 3G4G,
FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F,
FortiGate 61E, FortiGate 61F, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass,
FortiGate 81F, FortiGate 90E, FortiGate 91E, FortiGateRugged 60F 3G4G, FortiGateRugged
60F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F,
It is not available for: FortiGate 1000D, FortiGate 1200D, FortiGate 1500DT, FortiGate 1500D,
FortiGate 2500E, FortiGate 3000D, FortiGate 3100D, FortiGate 3200D, FortiGate 3300E,
5001E1, FortiGate 5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 601E,
FortiGate 800D, FortiGate 900D, FortiGate VM64.
Configure physical switches.

Description: Configure physical switches.
edit <name>

Fortinet Inc.
set age-enable [enable|disable]
set age-val {integer}
set name {string}
next
end
age-enable Enable/disable layer 2 age timer. option - disable
Option Description
enable Enable layer 2 ageing timer.
disable Disable layer 2 ageing timer.
age-val Layer 2 table age timer value. integer Minimum 3158067

value: 0
Maximum
value:
4294967295
config system pppoe-interface
Configure the PPPoE interfaces.

Description: Configure the PPPoE interfaces.
edit <name>
set ac-name {string}
set device {string}
set dial-on-demand [enable|disable]
set disc-retry-timeout {integer}
set ipunnumbered {ipv4-address}
set ipv6 [enable|disable]
set name {string}
set padt-retry-timeout {integer}
set pppoe-unnumbered-negotiate [enable|disable]
set service-name {string}
next
end

Fortinet Inc.
ac-name PPPoE AC name. string Not Specified
auth-type PPP authentication type to use. option - auto
Option Description
auto Automatically choose the authentication method.
device Name for the physical interface. string Not Specified
dial-on-demand Enable/disable dial on demand to dial the PPPoE option - disable

interface when packets are routed to the PPPoE
interface.
Option Description
enable Enable dial on demand.
disable Disable dial on demand.
disc-retry- PPPoE discovery init timeout value in. integer Minimum 1

timeout value: 0
Maximum
value:
4294967295
idle-timeout PPPoE auto disconnect after idle timeout. integer Minimum 0

value: 0
Maximum
value:
4294967295
ipunnumbered PPPoE unnumbered IP. ipv4- Not Specified 0.0.0.0

address
ipv6 Enable/disable IPv6 Control Protocol (IPv6CP). option - disable
Option Description
enable Enable IPv6CP.
disable Disable IPv6CP.

Fortinet Inc.
lcp-echo-interval Time in seconds between PPPoE Link Control integer Minimum 5

Protocol (LCP) echo requests. value: 0
Maximum
value: 32767
lcp-max-echo- Maximum missed LCP echo messages before integer Minimum 3

fails disconnect. value: 0
Maximum
value: 32767
name Name of the PPPoE interface. string Not Specified
padt-retry- PPPoE terminate timeout value in. integer Minimum 1

timeout value: 0
Maximum
value:
4294967295
password Enter the password. password Not Specified
pppoe- Enable/disable PPPoE unnumbered negotiation. option - enable

unnumbered-
negotiate
Option Description
enable Enable PPPoE unnumbered negotiation.
disable Disable PPPoE unnumbered negotiation.
service-name PPPoE service name. string Not Specified
username User name. string Not Specified
config system probe-response
Configure system probe response.

Description: Configure system probe response.
set http-probe-value {string}
set mode [none|http-probe|...]
set port {integer}
set ttl-mode [reinit|decrease|...]
end

Fortinet Inc.
http-probe- Value to respond to the monitoring server. string Not OK

value Specified
mode SLA response mode. option - none
Option Description
none Disable probe.
http-probe HTTP probe.
twamp Two way active measurement protocol.
password TWAMP responder password in authentication mode. password Not

Specified
port Port number to response. integer Minimum 8008

value: 1
Maximum
value:
65535
security-mode TWAMP responder security mode. option - none
Option Description
timeout An inactivity timer for a twamp test session. integer Minimum 300
value: 10
Maximum
value: 3600
ttl-mode Mode for TWAMP packet TTL modification. option - retain
Option Description
reinit Reinitialize TTL.
decrease Decrease TTL.
retain Retain TTL.
config system proxy-arp
Configure proxy-ARP.
Description: Configure proxy-ARP.

Fortinet Inc.
edit <id>
set id {integer}
next
end
end-ip End IP of IP range to be proxied. ipv4- Not Specified 0.0.0.0

address

value: 0
Maximum
value:
4294967295
interface Interface acting proxy-ARP. string Not Specified
ip IP address or start IP to be proxied. ipv4- Not Specified 0.0.0.0

address
config system ptp
Configure system PTP information.

config system ptp
Description: Configure system PTP information.
set delay-mechanism [E2E|P2P]
set mode [multicast|hybrid]
set request-interval {integer}
config server-interface
Description: FortiGate interface(s) with PTP server mode enabled. Devices on your
network can contact these interfaces for PTP services.
edit <id>
set id {integer}
set server-interface-name {string}
set delay-mechanism [E2E|P2P]
next
end
set server-mode [enable|disable]
end

Fortinet Inc.
config system ptp
delay- End to end delay detection or peer to peer delay option - E2E
mechanism detection.
Option Description
E2E End to end delay detection.
P2P Peer to peer delay detection.
interface PTP client will reply through this interface. string Not
Specified
mode Multicast transmission or hybrid transmission. option - multicast
Option Description
multicast Send PTP packets with multicast.
hybrid Send PTP packets with unicast and multicast.
request- The delay request value is the logarithmic mean interval integer Minimum 1
interval in seconds between the delay request messages sent value: 1
by the slave to the master. Maximum
value: 6
server-mode Enable/disable FortiGate PTP server mode. Your option - disable

FortiGate becomes an PTP server for other devices on
your network.
Option Description
enable Enable FortiGate PTP server mode.
disable Disable FortiGate PTP server mode.
status Enable/disable setting the FortiGate system time by option - disable

synchronizing with an PTP Server.
Option Description
enable Enable synchronization with PTP Server.
disable Disable synchronization with PTP Server.

Fortinet Inc.
config server-interface

value: 0
Maximum
value:
4294967295
server- Interface name. string Not Specified

interface-
name
delay- End to end delay detection or peer to peer delay option - E2E
mechanism detection.
Option Description
E2E End to end delay detection.
P2P Peer to peer delay detection.
config system replacemsg-group
Configure replacement message groups.

Description: Configure replacement message groups.
edit <name>
config admin
Description: Replacement message table entries.
edit <msg-type>
set msg-type {string}
set buffer {var-string}
set header [none|http|...]
set format [none|text|...]
next
end
config alertmail
edit <msg-type>
next
end
config auth
edit <msg-type>

Fortinet Inc.
next
end
config automation
edit <msg-type>
next
end
config custom-message
edit <msg-type>
next
end
config fortiguard-wf
edit <msg-type>
next
end
config ftp
edit <msg-type>
next
end
set group-type [default|utm|...]
config http
edit <msg-type>
next
end
config icap
edit <msg-type>

Fortinet Inc.
next
end
config mail
edit <msg-type>
next
end
config nac-quar
edit <msg-type>
next
end
set name {string}
config spam
edit <msg-type>
next
end
config sslvpn
edit <msg-type>
next
end
config traffic-quota
edit <msg-type>
next
end
config utm
edit <msg-type>

Fortinet Inc.
next
end
config webproxy
edit <msg-type>
next
end
next
end

Specified
group-type Group type. option - default
Option Description
default Per-vdom replacement messages.
utm For use with UTM settings in firewall policies.
auth For use with authentication pages in firewall policies.
name Group name. string Not

Specified
config admin
msg-type Message type. string Not

Specified
buffer Message string. var-string Not

Specified
header Header flag. option - none
Option Description
none No header type.
http HTTP
8bit 8 bit.

Fortinet Inc.
format Format flag. option - none
Option Description
none No format type.
text Text format.
html HTML format.
config alertmail

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config auth

Specified

Specified

Fortinet Inc.
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config automation

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.

Fortinet Inc.
config custom-message

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config fortiguard-wf

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description

Fortinet Inc.
Option Description
text Text format.
html HTML format.
config ftp

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config http

Specified

Specified
Option Description

Fortinet Inc.
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config icap

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config mail

Specified

Fortinet Inc.

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config nac-quar

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.

Fortinet Inc.
config spam

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config sslvpn

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description

Fortinet Inc.
Option Description
text Text format.
html HTML format.
config traffic-quota

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config utm

Specified

Specified
Option Description

Fortinet Inc.
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config webproxy

Specified

Specified
Option Description
http HTTP
8bit 8 bit.
Option Description
text Text format.
html HTML format.
config system replacemsg-image
Configure replacement message images.

Description: Configure replacement message images.
edit <name>

Fortinet Inc.
set image-base64 {var-string}
set image-type [gif|jpg|...]
set name {string}
next
end
image-base64 Image data. var-string Not

Specified
image-type Image type. option - png
Option Description
gif GIF image.
jpg JPEG image.
tiff TIFF image.
png PNG image.
name Image name. string Not

Specified
config system replacemsg admin
Replacement messages.
Description: Replacement messages.
edit <msg-type>
next
end

Specified
format Format flag. option -

Fortinet Inc.
Option Description
text Text format.
html HTML format.
header Header flag. option -
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg alertmail
edit <msg-type>
next
end

Specified
Option Description
text Text format.
html HTML format.

Fortinet Inc.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg auth
edit <msg-type>
next
end

Specified
Option Description
text Text format.
html HTML format.
Option Description

Fortinet Inc.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg automation
edit <msg-type>
next
end

Specified
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified

Fortinet Inc.
config system replacemsg fortiguard-wf
edit <msg-type>
next
end

Specified
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg ftp
edit <msg-type>

Fortinet Inc.
next
end

Specified
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg http
edit <msg-type>
next
end

Fortinet Inc.

Specified
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg icap
edit <msg-type>
next
end

Specified

Fortinet Inc.
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg mail
edit <msg-type>
next
end

Specified
Option Description
text Text format.
html HTML format.

Fortinet Inc.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg nac-quar
edit <msg-type>
next
end

Specified
Option Description
text Text format.
html HTML format.
Option Description

Fortinet Inc.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg spam
edit <msg-type>
next
end

Specified
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified

Fortinet Inc.
config system replacemsg sslvpn
edit <msg-type>
next
end

Specified
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg traffic-quota
edit <msg-type>

Fortinet Inc.
next
end

Specified
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg utm
edit <msg-type>
next
end

Fortinet Inc.

Specified
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified
config system replacemsg webproxy
edit <msg-type>
next
end

Specified

Fortinet Inc.
Option Description
text Text format.
html HTML format.
Option Description
http HTTP
8bit 8 bit.

Specified
config system resource-limits
Configure resource limits.

Description: Configure resource limits.
set custom-service {integer}
set dialup-tunnel {integer}
set firewall-address {integer}
set firewall-addrgrp {integer}
set firewall-policy {integer}
set ipsec-phase1 {integer}
set ipsec-phase1-interface {integer}
set ipsec-phase2 {integer}
set ipsec-phase2-interface {integer}
set log-disk-quota {integer}
set onetime-schedule {integer}
set proxy {integer}
set recurring-schedule {integer}
set service-group {integer}
set session {integer}
set sslvpn {integer}
set user {integer}
set user-group {integer}
end

Fortinet Inc.
custom- Maximum number of firewall custom services. integer Minimum

service value: 0
Maximum
value:
4294967295
dialup-tunnel Maximum number of dial-up tunnels. integer Minimum

value: 0
Maximum
value:
4294967295
firewall- Maximum number of firewall addresses (IPv4, IPv6, integer Minimum

address multicast). value: 0
Maximum
value:
4294967295
firewall- Maximum number of firewall address groups (IPv4, integer Minimum

addrgrp IPv6). value: 0
Maximum
value:
4294967295
firewall-policy Maximum number of firewall policies (policy, DoS- integer Minimum

policy4, DoS-policy6, multicast). value: 0
Maximum
value:
4294967295
ipsec-phase1 Maximum number of VPN IPsec phase1 tunnels. integer Minimum

value: 0
Maximum
value:
4294967295
ipsec-phase1- Maximum number of VPN IPsec phase1 interface integer Minimum

interface tunnels. value: 0
Maximum
value:
4294967295
ipsec-phase2 Maximum number of VPN IPsec phase2 tunnels. integer Minimum

value: 0
Maximum
value:
4294967295

Fortinet Inc.
ipsec-phase2- Maximum number of VPN IPsec phase2 interface integer Minimum

interface tunnels. value: 0
Maximum
value:
4294967295
log-disk-quota Log disk quota in megabytes (MB). integer Minimum 0

value: 0
Maximum
value:
4294967295 **
onetime- Maximum number of firewall one-time schedules. integer Minimum

schedule value: 0
Maximum
value:
4294967295
proxy Maximum number of concurrent proxy users. integer Minimum

value: 0
Maximum
value:
4294967295
recurring- Maximum number of firewall recurring schedules. integer Minimum

schedule value: 0
Maximum
value:
4294967295
service-group Maximum number of firewall service groups. integer Minimum

value: 0
Maximum
value:
4294967295
session Maximum number of sessions. integer Minimum

value: 0
Maximum
value:
4294967295
sslvpn Maximum number of SSL-VPN. integer Minimum

value: 0
Maximum
value:
4294967295

Fortinet Inc.
user Maximum number of local users. integer Minimum

value: 0
Maximum
value:
4294967295
user-group Maximum number of user groups. integer Minimum

value: 0
Maximum
value:
4294967295
config system saml
Global settings for SAML authentication.

config system saml
Description: Global settings for SAML authentication.
set binding-protocol [post|redirect]
set cert {string}
set default-login-page [normal|sso]
set default-profile {string}
set entity-id {string}
set idp-cert {string}
set idp-entity-id {string}
set idp-single-logout-url {string}
set idp-single-sign-on-url {string}
set life {integer}
set portal-url {string}
set role [identity-provider|service-provider]
set server-address {string}
config service-providers
Description: Authorized service providers.
edit <name>
set name {string}
set prefix {string}
set sp-binding-protocol [post|redirect]
set sp-cert {string}
set sp-entity-id {string}
set sp-single-sign-on-url {string}
set sp-single-logout-url {string}
set sp-portal-url {string}
config assertion-attributes
Description: Customized SAML attributes to send along with assertion.
edit <name>
set name {string}
set type [username|email|...]

Fortinet Inc.
next
end
next
end
set single-logout-url {string}
set single-sign-on-url {string}
set tolerance {integer}
end
config system saml
binding- IdP Binding protocol. option - redirect

protocol
Option Description
post HTTP POST binding.
redirect HTTP Redirect binding.
cert Certificate to sign SAML messages. string Not Specified
default-login- Choose default login page. option - normal

page
Option Description
normal Use local login page as default.
sso Use IdP's Single Sign-On page as default.
default-profile Default profile for new SSO admin. string Not Specified
entity-id SP entity ID. string Not Specified
idp-cert IDP certificate name. string Not Specified
idp-entity-id IDP entity ID. string Not Specified
idp-single- IDP single logout URL. string Not Specified

logout-url
idp-single- IDP single sign-on URL. string Not Specified

sign-on-url
life Length of the range of time when the assertion is valid integer Minimum 30
(in minutes). value: 0
Maximum
value:
4294967295
portal-url SP portal URL. string Not Specified

Fortinet Inc.
role SAML role. option - service-

provider
Option Description
identity-provider Identity Provider.
service-provider Service Provider.
server- Server address. string Not Specified

address
single-logout- SP single logout URL. string Not Specified

url
single-sign- SP single sign-on URL. string Not Specified

on-url
status Enable/disable SAML authentication. option - disable
Option Description
enable Enable SAML authentication.
disable Disable SAML authentication.
tolerance Tolerance to the range of time when the assertion is integer Minimum 5
valid (in minutes). value: 0
Maximum
value:
4294967295
config service-providers

Specified
prefix Prefix. string Not

Specified
sp-binding-protocol SP binding protocol. option - post
Option Description
post HTTP POST binding.
redirect HTTP Redirect binding.
sp-cert SP certificate name. string Not

Specified

Fortinet Inc.
sp-entity-id SP entity ID. string Not

Specified
sp-single-sign-on-url SP single sign-on URL. string Not

Specified
sp-single-logout-url SP single logout URL. string Not

Specified
sp-portal-url SP portal URL. string Not

Specified
idp-entity-id IDP entity ID. string Not

Specified
idp-single-sign-on- IDP single sign-on URL. string Not

url Specified
idp-single-logout-url IDP single logout URL. string Not

Specified
config assertion-attributes

Specified
type Type. option - username
Option Description
username User Name.
email Email Address.
profile-name Profile Name.
config system sdn-connector
Configure connection to SDN Connector.

Description: Configure connection to SDN Connector.
edit <name>
set access-key {string}
set api-key {password}
set azure-region [global|china|...]
set client-id {string}
set client-secret {password}
set compartment-id {string}
set compute-generation {integer}
set domain {string}

Fortinet Inc.
config external-account-list
Description: Configure AWS external account list.
edit <role-arn>
set role-arn {string}
set external-id {string}
set region-list <region1>, <region2>, ...
next
end
config external-ip
Description: Configure GCP external IP.
edit <name>
set name {string}
next
end
config forwarding-rule
Description: Configure GCP forwarding rule.
edit <rule-name>
set rule-name {string}
set target {string}
next
end
config gcp-project-list
Description: Configure GCP project list.
edit <id>
set id {string}
set gcp-zone-list <name1>, <name2>, ...
next
end
set ha-status [disable|enable]
set ibm-region [dallas|washington-dc|...]
set login-endpoint {string}
set name {string}
config nic
Description: Configure Azure network interface.
edit <name>
set name {string}
config ip
Description: Configure IP configuration.
edit <name>
set name {string}
set public-ip {string}
set resource-group {string}
next
end
next
end
set oci-cert {string}
set oci-fingerprint {string}
set oci-region {string}
set oci-region-type [commercial|government]
set password {password_aes256}
set region {string}
set resource-url {string}

Fortinet Inc.
config route
Description: Configure GCP route.
edit <name>
set name {string}
next
end
config route-table
Description: Configure Azure route table.
edit <name>
set name {string}
set subscription-id {string}
config route
Description: Configure Azure route.
edit <name>
set name {string}
set next-hop {string}
next
end
next
end
set secret-key {password}
set secret-token {user}
set server {string}
set server-list <ip1>, <ip2>, ...
set service-account {string}
set subscription-id {string}
set tenant-id {string}
set type [aci|alicloud|...]
set use-metadata-iam [disable|enable]
set user-id {string}
set vcenter-password {password_aes256}
set vcenter-server {string}
set vcenter-username {string}
set verify-certificate [disable|enable]
set vpc-id {string}
next
end
access-key AWS / ACS access key ID. string Not

Specified
api-key IBM cloud API key or service ID API key. password Not
Specified
azure-region Azure server region. option - global

Fortinet Inc.
Option Description
global Global Azure Server.
china China Azure Server.
germany Germany Azure Server.
usgov US Government Azure Server.
local Azure Stack Local Server.
client-id Azure client ID (application ID). string Not

Specified
client-secret Azure client secret (application key). password Not

Specified
compartment-id Compartment ID. string Not

Specified
compute- Compute generation for IBM cloud infrastructure. integer Minimum 2

generation value: 1
Maximum
value: 2
domain Domain name. string Not

Specified
group-name Group name of computers. string Not

Specified
ha-status Enable/disable use for FortiGate HA service. option - disable
Option Description
disable Disable use for FortiGate HA service.
enable Enable use for FortiGate HA service.
ibm-region IBM cloud region name. option - dallas
Option Description
dallas US South (Dallas) Public Endpoint.
washington-dc US East (Washington DC) Public Endpoint.
london United Kingdom (London) Public Endpoint.
frankfurt Germany (Frankfurt) Public Endpoint.
sydney Australia (Sydney) Public Endpoint.

Fortinet Inc.
Option Description
tokyo Japan (Tokyo) Public Endpoint.
osaka Japan (Osaka) Public Endpoint.
toronto Canada (Toronto) Public Endpoint.
sao-paulo Brazil (Sao Paulo) Public Endpoint.
login-endpoint Azure Stack login endpoint. string Not

Specified
name SDN connector name. string Not

Specified
oci-cert OCI certificate. string Not

Specified
oci-fingerprint OCI pubkey fingerprint. string Not

Specified
oci-region OCI server region. string Not

Specified
oci-region-type OCI region type. option - commercial
Option Description
commercial Commercial region.
government Government region.
password Password of the remote SDN connector as login password_ Not

credentials. aes256 Specified
private-key Private key of GCP service account. user Not

Specified
region AWS / ACS region name. string Not

Specified
resource-group Azure resource group. string Not

Specified
resource-url Azure Stack resource URL. string Not

Specified
secret-key AWS / ACS secret access key. password Not

Specified
secret-token Secret token of Kubernetes service account. user Not

Specified

Fortinet Inc.
server Server address of the remote SDN connector. string Not

Specified
server-list <ip> Server address list of the remote SDN connector. string Maximum
IPv4 address. length: 15
server-port Port number of the remote SDN connector. integer Minimum 0

value: 0
Maximum
value:
65535
service-account GCP service account email. string Not

Specified
status Enable/disable connection to the remote SDN option - enable

connector.
Option Description
disable Disable connection to this SDN Connector.
enable Enable connection to this SDN Connector.
subscription-id Azure subscription ID. string Not

Specified
tenant-id Tenant ID (directory ID). string Not

Specified
type Type of SDN connector. option - aws
Option Description
aci Application Centric Infrastructure (ACI).
alicloud AliCloud Service (ACS).
aws Amazon Web Services (AWS).
azure Microsoft Azure.
gcp Google Cloud Platform (GCP).
nsx VMware NSX.
nuage Nuage VSP.
oci Oracle Cloud Infrastructure.
openstack OpenStack.
kubernetes Kubernetes.

Fortinet Inc.
Option Description
vmware VMware vSphere (vCenter & ESXi).
sepm Symantec Endpoint Protection Manager.
aci-direct Application Centric Infrastructure (ACI Direct Connection).
ibm IBM Cloud Infrastructure.
nutanix Nutanix Prism Central.
update-interval Dynamic object update interval. integer Minimum 60

value: 0
Maximum
value: 3600
use-metadata- Enable/disable use of IAM role from metadata to option - disable

iam call API.
Option Description
disable Disable using IAM role to call API.
enable Enable using IAM role to call API.
user-id User ID. string Not

Specified
username Username of the remote SDN connector as login string Not

credentials. Specified
vcenter- vCenter server password for NSX quarantine. password_ Not

password aes256 Specified
vcenter-server vCenter server address for NSX quarantine. string Not

Specified
vcenter- vCenter server username for NSX quarantine. string Not

username Specified
verify-certificate Enable/disable server certificate verification. option - enable
Option Description
disable Disable server certificate verification.
enable Enable server certificate verification.
vpc-id AWS VPC ID. string Not

Specified

Fortinet Inc.
config external-account-list
role-arn AWS role ARN to assume. string Not

Specified
external-id AWS external ID. string Not

Specified
region-list AWS region name list. string Maximum

<region> AWS region name. length: 31
config external-ip
name External IP name. string Not

Specified
config forwarding-rule
rule-name Forwarding rule name. string Not

Specified
target Target instance name. string Not

Specified
config gcp-project-list
id GCP project ID. string Not

Specified
gcp-zone-list Configure GCP zone list. string Maximum

<name> GCP zone name. length: 127
config nic
name Network interface name. string Not

Specified

Fortinet Inc.
config ip
name IP configuration name. string Not

Specified
public-ip Public IP name. string Not

Specified
resource-group Resource group of Azure public IP. string Not

Specified
config route
name Route name. string Not

Specified
config route

Specified
next-hop Next hop address. string Not

Specified
config route-table
name Route table name. string Not

Specified
subscription-id Subscription ID of Azure route table. string Not

Specified
resource-group Resource group of Azure route table. string Not

Specified
config route

Specified

Fortinet Inc.
config route

Specified
next-hop Next hop address. string Not

Specified
config system sdwan
Configure redundant Internet connections with multiple outbound links and health-check profiles.
config system sdwan
Description: Configure redundant Internet connections with multiple outbound links and
health-check profiles.
config duplication
Description: Create SD-WAN duplication rule.
edit <id>
set id {integer}
set service-id <id1>, <id2>, ...
set packet-duplication [disable|force|...]
set packet-de-duplication [enable|disable]
next
end
set duplication-max-num {integer}
set fail-alert-interfaces <name1>, <name2>, ...
set fail-detect [enable|disable]
config health-check
Description: SD-WAN status checking or health checking. Identify a server on the
Internet and determine how SD-WAN verifies that the FortiGate can communicate with it.
edit <name>
set name {string}
set probe-packets [disable|enable]
set system-dns [disable|enable]
set server {string}
set detect-mode [active|passive|...]
set protocol [ping|tcp-echo|...]
set port {integer}
set quality-measured-method [half-open|half-close]
set user {string}
set packet-size {integer}

Fortinet Inc.
set ftp-mode [passive|port]
set ftp-file {string}
set http-agent {string}
set dns-request-domain {string}
set dns-match-ip {ipv4-address}
set probe-timeout {integer}
set recoverytime {integer}
set probe-count {integer}
set update-cascade-interface [enable|disable]
set update-static-route [enable|disable]
set sla-fail-log-period {integer}
set sla-pass-log-period {integer}
set threshold-warning-packetloss {integer}
set threshold-alert-packetloss {integer}
set threshold-warning-latency {integer}
set threshold-alert-latency {integer}
set threshold-warning-jitter {integer}
set threshold-alert-jitter {integer}
set members <seq-num1>, <seq-num2>, ...
config sla
Description: Service level agreement (SLA).
edit <id>
set id {integer}
set link-cost-factor {option1}, {option2}, ...
set latency-threshold {integer}
set jitter-threshold {integer}
set packetloss-threshold {integer}
next
end
next
end
set load-balance-mode [source-ip-based|weight-based|...]
config members
Description: FortiGate interfaces added to the SD-WAN.
edit <seq-num>
set zone {string}
set source6 {ipv6-address}
set cost {integer}
set priority6 {integer}
set spillover-threshold {integer}
set ingress-spillover-threshold {integer}
set volume-ratio {integer}

Fortinet Inc.
next
end
config neighbor
Description: Create SD-WAN neighbor from BGP neighbor table to control route
advertisements according to SLA status.
edit <ip>
set ip {string}
set member {integer}
set mode [sla|speedtest]
set role [standalone|primary|...]
set health-check {string}
set sla-id {integer}
next
end
set neighbor-hold-boot-time {integer}
set neighbor-hold-down [enable|disable]
set neighbor-hold-down-time {integer}
config service
Description: Create SD-WAN rules (also called services) to control how sessions are
distributed to interfaces in the SD-WAN.
edit <id>
set id {integer}
set name {string}
set input-device-negate [enable|disable]
set mode [auto|manual|...]
set minimum-sla-meet-members {integer}
set hash-mode [round-robin|source-ip-based|...]
set role [standalone|primary|...]
set standalone-action [enable|disable]
set quality-link {integer}
set tos {user}
set tos-mask {user}
set route-tag {integer}
set dst-negate [enable|disable]
set src <name1>, <name2>, ...
set dst6 <name1>, <name2>, ...
set src6 <name1>, <name2>, ...
set src-negate [enable|disable]
set internet-service-app-ctrl <id1>, <id2>, ...
set internet-service-app-ctrl-group <name1>, <name2>, ...
set health-check <name1>, <name2>, ...
set link-cost-factor [latency|jitter|...]
set packet-loss-weight {integer}

Fortinet Inc.
set latency-weight {integer}
set jitter-weight {integer}
set bandwidth-weight {integer}
set link-cost-threshold {integer}
set hold-down-time {integer}
set dscp-forward [enable|disable]
set dscp-reverse [enable|disable]
set dscp-forward-tag {user}
set dscp-reverse-tag {user}
config sla
Description: Service level agreement (SLA).
edit <health-check>
set health-check {string}
set id {integer}
next
end
set priority-members <seq-num1>, <seq-num2>, ...
set priority-zone <name1>, <name2>, ...
set gateway [enable|disable]
set default [enable|disable]
set sla-compare-method [order|number]
set tie-break [zone|cfg-order|...]
set use-shortcut-sla [enable|disable]
set passive-measurement [enable|disable]
next
end
set speedtest-bypass-routing [disable|enable]
config zone
Description: Configure SD-WAN zones.
edit <name>
set name {string}
set service-sla-tie-break [cfg-order|fib-best-match]
next
end
end
config system sdwan
duplication- Maximum number of interface members a packet is integer Minimum 2

max-num duplicated in the SD-WAN zone. value: 2
Maximum
value: 4
fail-alert- Physical interfaces that will be alerted. string Maximum

interfaces Physical interface name. length: 79
<name>
fail-detect Enable/disable SD-WAN Internet connection status option - disable

checking (failure detection).

Fortinet Inc.
Option Description
enable Enable status checking.
disable Disable status checking.
load-balance- Algorithm or mode to use for load balancing Internet option - source-ip-
mode traffic to SD-WAN members. based
Option Description
source-ip-based Source IP load balancing. All traffic from a source IP is sent to the same
interface.
weight-based Weight-based load balancing. Interfaces with higher weights have higher
priority and get more traffic.
usage-based Usage-based load balancing. All traffic is sent to the first interface on the list.
When the bandwidth on that interface exceeds the spill-over limit new traffic is
sent to the next interface.
source-dest-ip- Source and destination IP load balancing. All traffic from a source IP to a
based destination IP is sent to the same interface.
measured- Volume-based load balancing. Traffic is load balanced based on traffic volume
volume-based (in bytes). More traffic is sent to interfaces with higher volume ratios.
neighbor- Waiting period in seconds when switching from the integer Minimum 0
hold-boot- primary neighbor to the secondary neighbor from the value: 0
time neighbor start.. Maximum
value:
10000000
neighbor- Enable/disable hold switching from the secondary option - disable

hold-down neighbor to the primary neighbor.
Option Description
enable Enable hold switching from the secondary neighbor to the primary neighbor.
disable Disable hold switching from the secondary neighbor to the primary neighbor.
neighbor- Waiting period in seconds when switching from the integer Minimum 0
hold-down- secondary neighbor to the primary neighbor when hold- value: 0
time down is disabled.. Maximum
value:
10000000
speedtest- Enable/disable bypass routing when speedtest on a option - disable

bypass- SD-WAN member.
routing

Fortinet Inc.
Option Description
disable Disable SD-WAN.
enable Enable SD-WAN.
status Enable/disable SD-WAN. option - disable
Option Description
disable Disable SD-WAN.
enable Enable SD-WAN.
config duplication
id Duplication rule ID. integer Minimum 0

value: 1
Maximum
value: 255
service-id SD-WAN service rule ID list. integer Minimum

<id> SD-WAN service rule ID. value: 0
Maximum
value:
4294967295
srcaddr Source address or address group names. string Maximum

<name> Address or address group name. length: 79
dstaddr Destination address or address group names. string Maximum

<name> Address or address group name. length: 79
srcaddr6 Source address6 or address6 group names. string Maximum

<name> Address6 or address6 group name. length: 79
dstaddr6 Destination address6 or address6 group names. string Maximum

<name> Address6 or address6 group name. length: 79
srcintf Incoming (ingress) interfaces or zones. string Maximum

<name> Interface, zone or SDWAN zone name. length: 79
dstintf Outgoing (egress) interfaces or zones. string Maximum

<name> Interface, zone or SDWAN zone name. length: 79
service Service and service group name. string Maximum

<name> Service and service group name. length: 79

Fortinet Inc.
packet- Configure packet duplication method. option - disable

duplication
Option Description
disable Disable packet duplication.
force Duplicate packets across all interface members of the SD-WAN zone.
on-demand Duplicate packets across all interface members of the SD-WAN zone based
on the link quality.
packet-de- Enable/disable discarding of packets that have been option - disable

duplication duplicated.
Option Description
enable Enable discarding of packets that have been duplicated.
disable Disable discarding of packets that have been duplicated.
config health-check
name Status check or health check name. string Not Specified
probe-packets Enable/disable transmission of probe option - enable

packets.
Option Description
disable Disable transmission of probe packets.
enable Enable transmission of probe packets.
Option Description
ipv4 IPv4 mode.
ipv6 IPv6 mode.
system-dns Enable/disable system DNS as the probe option - disable

server.
Option Description
disable Disable system DNS as the probe server.
enable Enable system DNS as the probe server.

Fortinet Inc.
server IP address or FQDN name of the server. string Not Specified
detect-mode The mode determining how to detect the option - active

server.
Option Description
active The probes are sent actively.
passive The traffic measures health without probes.
prefer-passive The probes are sent in case of no new traffic.
protocol Protocol used to determine if the option - ping

FortiGate can communicate with the
server.
Option Description
tcp-echo Use TCP echo to test the link with the server.
udp-echo Use UDP echo to test the link with the server.
twamp Use TWAMP to test the link with the server.
dns Use DNS query to test the link with the server.
ftp Use FTP to test the link with the server.
port Port number used to communicate with integer Minimum 0

the server over the selected protocol. value: 0
Maximum
value: 65535
quality- Method to measure the quality of tcp- option - half-open

measured- connect.
method
Option Description
half-open Measure the round trip between syn and ack.
half-close Measure the round trip between fin and ack.
security-mode Twamp controller security mode. option - none

Fortinet Inc.
Option Description
user The user name to access probe server. string Not Specified
password TWAMP controller password in password Not Specified

authentication mode.
packet-size Packet size of a TWAMP test session. integer Minimum 64

value: 64
Maximum
value: 1024
ha-priority HA election priority. integer Minimum 1

value: 1
Maximum
value: 50
ftp-mode FTP mode. option - passive
Option Description
passive The FTP health-check initiates and establishes the data connection.
port The FTP server initiates and establishes the data connection.
ftp-file Full path and file name on the FTP server string Not Specified
to download for FTP health-check to
probe.
http-get URL used to communicate with the server string Not Specified /
if the protocol if the protocol is HTTP.
http-agent String in the http-agent field in the HTTP string Not Specified Chrome/ Safari/
header.
http-match Response string expected from the server string Not Specified
if the protocol is HTTP.
dns-request- Fully qualified domain name to resolve for string Not Specified www.example.com
domain the DNS probe.
dns-match-ip Response IP expected from DNS server if ipv4- Not Specified 0.0.0.0
the protocol is DNS. address
interval Status check interval in milliseconds, or integer Minimum 500

the time between attempting to connect to value: 500
the server. Maximum
value:
3600000

Fortinet Inc.
probe-timeout Time to wait before a probe packet is integer Minimum 500

considered lost. value: 500
Maximum
value:
3600000
failtime Number of failures before server is integer Minimum 5

considered lost. value: 1
Maximum
value: 3600
recoverytime Number of successful responses received integer Minimum 5

before server is considered recovered. value: 1
Maximum
value: 3600
probe-count Number of most recent probes that should integer Minimum 30

be used to calculate latency and jitter. value: 5
Maximum
value: 30
diffservcode Differentiated services code point (DSCP) user Not Specified

in the IP header of the probe packet.
update- Enable/disable update cascade interface. option - enable

cascade-
interface
Option Description
enable Enable update cascade interface.
disable Disable update cascade interface.
update-static- Enable/disable updating the static route. option - enable

route
Option Description
enable Enable updating the static route.
disable Disable updating the static route.
sla-fail-log- Time interval in seconds that SLA fail log integer Minimum 0
period messages will be generated. value: 0
Maximum
value: 3600

Fortinet Inc.
sla-pass-log- Time interval in seconds that SLA pass integer Minimum 0

period log messages will be generated. value: 0
Maximum
value: 3600
threshold- Warning threshold for packet loss. integer Minimum 0

warning- value: 0
packetloss Maximum
value: 100
threshold-alert- Alert threshold for packet loss. integer Minimum 0

packetloss value: 0
Maximum
value: 100
threshold- Warning threshold for latency. integer Minimum 0

warning- value: 0
latency Maximum
value:
4294967295
threshold-alert- Alert threshold for latency. integer Minimum 0

latency value: 0
Maximum
value:
4294967295
threshold- Warning threshold for jitter. integer Minimum 0

warning-jitter value: 0
Maximum
value:
4294967295
threshold-alert- Alert threshold for jitter. integer Minimum 0

jitter value: 0
Maximum
value:
4294967295
members Member sequence number list. integer Minimum

<seq-num> Member sequence number. value: 0
Maximum
value:
4294967295
config sla
health-check SD-WAN health-check. string Not Specified

Fortinet Inc.
id SLA ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config members

value: 0
Maximum
value: 512
zone Zone name. string Not Specified virtual-wan-

link
gateway The default gateway for this interface. Usually the ipv4- Not Specified 0.0.0.0
default gateway of the Internet service provider that address
this interface is connected to.
source Source IP address used in the health-check packet to ipv4- Not Specified 0.0.0.0
the server. address
gateway6 IPv6 gateway. ipv6- Not Specified ::

address
source6 Source IPv6 address used in the health-check packet ipv6- Not Specified ::
to the server. address
cost Cost of this interface for services in SLA mode. integer Minimum 0
value: 0
Maximum
value:
4294967295
weight Weight of this interface for weighted load balancing. integer Minimum 1
More traffic is directed to interfaces with higher value: 1
weights. Maximum
value: 255
priority Priority of the interface for IPv4. Used for SD-WAN integer Minimum 1
rules or priority rules. value: 1
Maximum
value: 65535

Fortinet Inc.
priority6 Priority of the interface for IPv6. Used for SD-WAN integer Minimum 1024
rules or priority rules. value: 1
Maximum
value: 65535
spillover- Egress spillover threshold for this interface. When integer Minimum 0
threshold this traffic volume threshold is reached, new sessions value: 0
spill over to other interfaces in the SD-WAN. Maximum
value:
16776000
ingress- Ingress spillover threshold for this interface. When integer Minimum 0
spillover- this traffic volume threshold is reached, new sessions value: 0
threshold spill over to other interfaces in the SD-WAN. Maximum
value:
16776000
volume-ratio Measured volume ratio. integer Minimum 1

value: 1
Maximum
value: 255
status Enable/disable this interface in the SD-WAN. option - enable
Option Description
disable Disable this interface in the SD-WAN.
enable Enable this interface in the SD-WAN.
config neighbor
ip IP/IPv6 address of neighbor. string Not Specified
member Member sequence number. integer Minimum 0

value: 0
Maximum
value:
4294967295
mode What metric to select the neighbor. option - sla
Option Description
sla Select neighbor based on SLA link quality.
speedtest Select neighbor based on the speedtest status.

Fortinet Inc.
role Role of neighbor. option - standalone
Option Description
standalone Standalone neighbor.
primary Primary neighbor.
secondary Secondary neighbor.
health-check SD-WAN health-check name. string Not Specified
sla-id SLA ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config service
id SD-WAN rule ID. integer Minimum 0

value: 1
Maximum
value: 4000
name SD-WAN rule name. string Not Specified
Option Description
ipv4 IPv4 mode.
ipv6 IPv6 mode.
input-device Source interface name. string Maximum

input-device- Enable/disable negation of input device match. option - disable

negate
Option Description
enable Enable negation of input device match.
disable Disable negation of input device match.
mode Control how the SD-WAN rule sets the priority of option - manual
interfaces in the SD-WAN.

Fortinet Inc.
Option Description
auto Assign interfaces a priority based on quality.
manual Assign interfaces a priority manually.
priority Assign interfaces a priority based on the link-cost-factor quality of the

interface.
sla Assign interfaces a priority based on selected SLA settings.
load-balance Distribute traffic among all available links based on round robin. ADVPN
feature is not supported in the mode.
minimum-sla- Minimum number of members which meet SLA. integer Minimum 0

meet-members value: 0
Maximum
value: 255
hash-mode Hash algorithm for selected priority members for option - round-robin
load balance mode.
Option Description
round-robin All traffic are distributed to selected interfaces in equal portions and circular
order.
source-ip-based All traffic from a source IP is sent to the same interface.
source-dest-ip- All traffic from a source IP to a destination IP is sent to the same interface.
based
inbandwidth All traffic are distributed to a selected interface with most available
bandwidth for incoming traffic.
outbandwidth All traffic are distributed to a selected interface with most available
bandwidth for outgoing traffic.
bibandwidth All traffic are distributed to a selected interface with most available
bandwidth for both incoming and outgoing traffic.
role Service role to work with neighbor. option - standalone
Option Description
standalone Standalone service.
primary Primary service for primary neighbor.
secondary Secondary service for secondary neighbor.

Fortinet Inc.
standalone- Enable/disable service when selected neighbor option - disable

action role is standalone while service role is not
standalone.
Option Description
enable Enable service when selected neighbor role is standalone.
disable Disable service when selected neighbor role is standalone.
quality-link Quality grade. integer Minimum 0

value: 0
Maximum
value: 255
tos Type of service bit pattern. user Not Specified
tos-mask Type of service evaluated bits. user Not Specified

value: 0
Maximum
value: 255

value: 0
Maximum
value: 65535

value: 0
Maximum
value: 65535
route-tag IPv4 route map route-tag. integer Minimum 0

value: 0
Maximum
value:
4294967295
dst <name> Destination address name. string Maximum

Address or address group name. length: 79
dst-negate Enable/disable negation of destination address option - disable

match.
Option Description
enable Enable destination address negation.
disable Disable destination address negation.

Fortinet Inc.
src <name> Source address name. string Maximum

Address or address group name. length: 79
dst6 <name> Destination address6 name. string Maximum

Address6 or address6 group name. length: 79
src6 <name> Source address6 name. string Maximum

Address6 or address6 group name. length: 79
src-negate Enable/disable negation of source address match. option - disable
Option Description
enable Enable source address negation.
disable Disable source address negation.
users <name> User name. string Maximum

User name. length: 79
groups <name> User groups. string Maximum

Group name. length: 79
internet-service Enable/disable use of Internet service for option - disable

application-based load balancing.
Option Description
enable Enable cloud service to support application-based load balancing.
disable Disable cloud service to support application-based load balancing.
internet-service- Custom Internet service name list. string Maximum

custom <name> Custom Internet service name. length: 79
internet-service- Custom Internet Service group list. string Maximum

custom-group Custom Internet Service group name. length: 79
<name>
internet-service- Internet service name list. string Maximum

name <name> Internet service name. length: 79
internet-service- Internet Service group list. string Maximum

group <name> Internet Service group name. length: 79
internet-service- Application control based Internet Service ID list. integer Minimum

app-ctrl <id> Application control based Internet Service ID. value: 0
Maximum
value:
4294967295

Fortinet Inc.
internet-service- Application control based Internet Service group string Maximum

app-ctrl-group list. length: 79
<name> Application control based Internet Service group
name.
health-check Health check list. string Maximum

<name> Health check name. length: 79
link-cost-factor Link cost factor. option - latency
Option Description
latency Select link based on latency.
jitter Select link based on jitter.
packet-loss Select link based on packet loss.
inbandwidth Select link based on available bandwidth of incoming traffic.
outbandwidth Select link based on available bandwidth of outgoing traffic.
bibandwidth Select link based on available bandwidth of bidirectional traffic.
custom-profile-1 Select link based on customized profile.
packet-loss- Coefficient of packet-loss in the formula of integer Minimum 0

weight custom-profile-1. value: 0
Maximum
value:
10000000
latency-weight Coefficient of latency in the formula of custom- integer Minimum 0

profile-1. value: 0
Maximum
value:
10000000
jitter-weight Coefficient of jitter in the formula of custom-profile- integer Minimum 0

1. value: 0
Maximum
value:
10000000
bandwidth- Coefficient of reciprocal of available bidirectional integer Minimum 0

weight bandwidth in the formula of custom-profile-1. value: 0
Maximum
value:
10000000

Fortinet Inc.
link-cost- Percentage threshold change of link cost values integer Minimum 10

threshold that will result in policy route regeneration. value: 0
Maximum
value:
10000000
hold-down-time Waiting period in seconds when switching from integer Minimum 0

the back-up member to the primary member. value: 0
Maximum
value:
10000000
dscp-forward Enable/disable forward traffic DSCP tag. option - disable
Option Description
enable Enable use of forward DSCP tag.
disable Disable use of forward DSCP tag.
dscp-reverse Enable/disable reverse traffic DSCP tag. option - disable
Option Description
enable Enable use of reverse DSCP tag.
disable Disable use of reverse DSCP tag.
dscp-forward- Forward traffic DSCP tag. user Not Specified

tag
dscp-reverse- Reverse traffic DSCP tag. user Not Specified

tag
priority- Member sequence number list. integer Minimum

members Member sequence number. value: 0
<seq-num> Maximum
value:
4294967295
priority-zone Priority zone name list. string Maximum

<name> Priority zone name. length: 79
status Enable/disable SD-WAN service. option - enable
Option Description
enable Enable SD-WAN service.
disable Disable SD-WAN service.
gateway Enable/disable SD-WAN service gateway. option - disable

Fortinet Inc.
Option Description
enable Enable SD-WAN service gateway.
disable Disable SD-WAN service gateway.
default Enable/disable use of SD-WAN as default service. option - disable
Option Description
enable Enable use of SD-WAN as default service.
disable Disable use of SD-WAN as default service.
sla-compare- Method to compare SLA value for SLA mode. option - order
method
Option Description
order Compare SLA value based on the order of health-check.
number Compare SLA value based on the number of satisfied health-check. Limits
health-checks to only configured member interfaces.
tie-break Method of selecting member if more than one option - zone

meets the SLA.
Option Description
zone Use the setting that is configured for the members' zone.
cfg-order Members that meet the SLA are selected in the order they are configured.
fib-best-match Members that meet the SLA are selected that match the longest prefix in the
routing table.
use-shortcut-sla Enable/disable use of ADVPN shortcut for quality option - enable

comparison.
Option Description
enable Enable use of ADVPN shortcut for quality comparison.
disable Disable use of ADVPN shortcut for quality comparison.
passive- Enable/disable passive measurement based on option - disable

measurement the service criteria.
Option Description
enable Enable passive measurement of user traffic.
disable Disable passive measurement of user traffic.

Fortinet Inc.
config sla
health-check SD-WAN health-check. string Not Specified
id SLA ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config zone
name Zone name. string Not

Specified
service-sla- Method of selecting member if more than one meets the option - cfg-order
tie-break SLA.
Option Description
cfg-order Members that meet the SLA are selected in the order they are configured.
fib-best-match Members that meet the SLA are selected that match the longest prefix in the
routing table.
config system session-helper-info list
List session helper.

config system session-helper-info list
Description: List session helper.
end
config system session-helper
Configure session helper.

Description: Configure session helper.
edit <id>
set id {integer}
set name [ftp|tftp|...]
set port {integer}
next
end

Fortinet Inc.
id Session helper ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Helper name. option -
Option Description
ftp FTP.
tftp TFTP.
ras RAS.
h323 H323.
tns TNS.
mms MMS.
sip SIP.
pptp PPTP.
rtsp RTSP.
dns-udp DNS UDP.
dns-tcp DNS TCP.
pmap PMAP.
rsh RSH.
dcerpc DCERPC.
mgcp MGCP.
port Protocol port. integer Minimum 0

value: 1
Maximum
value: 65535

value: 0
Maximum
value: 255
config system session-info expectation
List expectation session.

Fortinet Inc.
config system session-info expectation
Description: List expectation session.
end
config system session-info full-stat
Fully stat session.

config system session-info full-stat
Description: Fully stat session.
end
config system session-info list
List session.
config system session-info list
Description: List session.
end
config system session-info statistics
Session statistics.
config system session-info statistics
Description: Session statistics.
end
config system session-info ttl
TTL session.
config system session-info ttl
Description: TTL session.
end
config system session-ttl
Configure global session TTL timers for this FortiGate.

Description: Configure global session TTL timers for this FortiGate.
set default {user}
config port
Description: Session TTL port.
edit <id>
set id {integer}

Fortinet Inc.
set timeout {user}
next
end
end
default Default timeout. user Not

Specified
config port
id Table entry ID. integer Minimum 0

value: 0
Maximum
value:
65535
protocol Protocol. integer Minimum 0

value: 0
Maximum
value: 255
start-port Start port number. integer Minimum 0

value: 0
Maximum
value:
65535
end-port End port number. integer Minimum 0

value: 0
Maximum
value:
65535
timeout Session timeout (TTL). user Not

Specified
config system session
System IPv4 session.

config system session
Description: System IPv4 session.
end

Fortinet Inc.
config system session6
System IPv6 session.

config system session6
Description: System IPv6 session.
end
config system settings
Configure VDOM settings.

Description: Configure VDOM settings.
set allow-linkdown-path [enable|disable]
set allow-subnet-overlap [enable|disable]
set application-bandwidth-tracking [disable|enable]
set asymroute [enable|disable]
set asymroute-icmp [enable|disable]
set asymroute6 [enable|disable]
set asymroute6-icmp [enable|disable]
set auxiliary-session [enable|disable]
set bfd-dont-enforce-src-port [enable|disable]
set block-land-attack [disable|enable]
set central-nat [enable|disable]
set default-voip-alg-mode [proxy-based|kernel-helper-based]
set deny-tcp-with-icmp [enable|disable]
set device {string}
set dhcp-proxy [enable|disable]
set dhcp-proxy-interface {string}
set dhcp-proxy-interface-select-method [auto|sdwan|...]
set dhcp-server-ip {user}
set dhcp6-server-ip {user}
set discovered-device-timeout {integer}
set ecmp-max-paths {integer}
set email-portal-check-dns [disable|enable]
set firewall-session-dirty [check-all|check-new|...]
set fw-session-hairpin [enable|disable]
set gui-advanced-policy [enable|disable]
set gui-allow-unnamed-policy [enable|disable]
set gui-antivirus [enable|disable]
set gui-ap-profile [enable|disable]
set gui-application-control [enable|disable]
set gui-default-policy-columns <name1>, <name2>, ...
set gui-dhcp-advanced [enable|disable]
set gui-dns-database [enable|disable]
set gui-dnsfilter [enable|disable]
set gui-dos-policy [enable|disable]

Fortinet Inc.
set gui-dynamic-routing [enable|disable]
set gui-email-collection [enable|disable]
set gui-endpoint-control [enable|disable]
set gui-endpoint-control-advanced [enable|disable]
set gui-explicit-proxy [enable|disable]
set gui-file-filter [enable|disable]
set gui-fortiap-split-tunneling [enable|disable]
set gui-fortiextender-controller [enable|disable]
set gui-icap [enable|disable]
set gui-implicit-policy [enable|disable]
set gui-ips [enable|disable]
set gui-load-balance [enable|disable]
set gui-local-in-policy [enable|disable]
set gui-local-reports [enable|disable]
set gui-multicast-policy [enable|disable]
set gui-multiple-interface-policy [enable|disable]
set gui-object-colors [enable|disable]
set gui-policy-based-ipsec [enable|disable]
set gui-policy-disclaimer [enable|disable]
set gui-security-profile-group [enable|disable]
set gui-spamfilter [enable|disable]
set gui-sslvpn-personal-bookmarks [enable|disable]
set gui-sslvpn-realms [enable|disable]
set gui-switch-controller [enable|disable]
set gui-threat-weight [enable|disable]
set gui-traffic-shaping [enable|disable]
set gui-videofilter [enable|disable]
set gui-voip-profile [enable|disable]
set gui-vpn [enable|disable]
set gui-waf-profile [enable|disable]
set gui-wan-load-balancing [enable|disable]
set gui-wanopt-cache [enable|disable]
set gui-webfilter [enable|disable]
set gui-webfilter-advanced [enable|disable]
set gui-wireless-controller [enable|disable]
set gui-ztna [enable|disable]
set h323-direct-model [disable|enable]
set http-external-dest [fortiweb|forticache]
set ike-dn-format [with-space|no-space]
set ike-policy-route [enable|disable]
set ike-port {integer}
set ike-quick-crash-detect [enable|disable]
set ike-session-resume [enable|disable]
set ip6 {ipv6-prefix}
set link-down-access [enable|disable]
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set location-id {ipv4-address}
set mac-ttl {integer}
set manageip {user}
set manageip6 {ipv6-prefix}
set multicast-forward [enable|disable]
set multicast-skip-policy [enable|disable]
set multicast-ttl-notchange [enable|disable]
set nat46-force-ipv4-packet-forwarding [enable|disable]

Fortinet Inc.
set nat46-generate-ipv6-fragment-header [enable|disable]
set nat64-force-ipv6-packet-forwarding [enable|disable]
set ngfw-mode [profile-based|policy-based]
set opmode [nat|transparent]
set policy-offload-level [disable|dos-offload]
set prp-trailer-action [enable|disable]
set sccp-port {integer}
set sctp-session-without-init [enable|disable]
set ses-denied-traffic [enable|disable]
set sip-expectation [enable|disable]
set sip-nat-trace [enable|disable]
set sip-ssl-port {integer}
set sip-tcp-port {integer}
set sip-udp-port {integer}
set snat-hairpin-traffic [enable|disable]
set strict-src-check [enable|disable]
set tcp-session-without-syn [enable|disable]
set utf8-spam-tagging [enable|disable]
set v4-ecmp-mode [source-ip-based|weight-based|...]
set vpn-stats-log {option1}, {option2}, ...
set vpn-stats-period {integer}
set wccp-cache-engine [enable|disable]
end
allow-linkdown- Enable/disable link down path. option - disable

path
Option Description
enable Allow link down path.
disable Do not allow link down path.
allow-subnet- Enable/disable allowing interface subnets to use option - disable

overlap overlapping IP addresses.
Option Description
enable Enable overlapping subnets.
disable Disable overlapping subnets.
application- Enable/disable application bandwidth tracking. option - disable

bandwidth-
tracking

Fortinet Inc.
Option Description
disable Disable application bandwidth tracking.
enable Enable application bandwidth tracking.
asymroute Enable/disable IPv4 asymmetric routing. option - disable
Option Description
enable Enable IPv4 asymmetric routing.
disable Disable IPv4 asymmetric routing.
asymroute- Enable/disable ICMP asymmetric routing. option - disable

icmp
Option Description
enable Enable ICMP asymmetric routing.
disable Disable ICMP asymmetric routing.
asymroute6 Enable/disable asymmetric IPv6 routing. option - disable
Option Description
enable Enable asymmetric IPv6 routing.
disable Disable asymmetric IPv6 routing.
asymroute6- Enable/disable asymmetric ICMPv6 routing. option - disable

icmp
Option Description
enable Enable asymmetric ICMPv6 routing.
disable Disable asymmetric ICMPv6 routing.
auxiliary- Enable/disable auxiliary session. option - disable

session *
Option Description
enable Enable auxiliary session for this VDOM.
disable Disable auxiliary session for this VDOM.
bfd Enable/disable Bi-directional Forwarding Detection option - disable

(BFD) on all interfaces.

Fortinet Inc.
Option Description
enable Enable Bi-directional Forwarding Detection (BFD) on all interfaces.
disable Disable Bi-directional Forwarding Detection (BFD) on all interfaces.
bfd-desired- BFD desired minimal transmit interval. integer Minimum 250

min-tx value: 1
Maximum
value: 100000
bfd-detect-mult BFD detection multiplier. integer Minimum 3

value: 1
Maximum
value: 50
bfd-dont- Enable to not enforce verifying the source port of option - disable
enforce-src- BFD Packets.
port
Option Description
enable Enable verifying the source port of BFD Packets.
disable Disable verifying the source port of BFD Packets.
bfd-required- BFD required minimal receive interval. integer Minimum 250

min-rx value: 1
Maximum
value: 100000
block-land- Enable/disable blocking of land attacks. option - disable

attack
Option Description
disable Do not block land attack.
enable Block land attack.
central-nat Enable/disable central NAT. option - disable
Option Description
enable Enable central NAT.
disable Disable central NAT.
comments VDOM comments. var-string Not Specified

Fortinet Inc.
default-voip- Configure how the FortiGate handles VoIP traffic option - proxy-
alg-mode when a policy that accepts the traffic doesn't include based
a VoIP profile.
Option Description
proxy-based Use a default proxy-based VoIP ALG.
kernel-helper- Use the SIP session helper.

based
deny-tcp-with- Enable/disable denying TCP by sending an ICMP option - disable

icmp communication prohibited packet.
Option Description
enable Deny TCP with ICMP.
disable Disable denying TCP with ICMP.
device Interface to use for management access for NAT string Not Specified
mode.
dhcp-proxy Enable/disable the DHCP Proxy. option - disable
Option Description
enable Enable the DHCP proxy.
disable Disable the DHCP proxy.
dhcp-proxy- Specify outgoing interface to reach server. string Not Specified

interface
dhcp-proxy- Specify how to select outgoing interface to reach option - auto

interface- server.
select-method
Option Description
dhcp-server-ip DHCP Server IPv4 address. user Not Specified
dhcp6-server-ip DHCPv6 server IPv6 address. user Not Specified

Fortinet Inc.
discovered- Timeout for discovered devices. integer Minimum 28

device-timeout value: 1
Maximum
value: 365
ecmp-max- Maximum number of Equal Cost Multi-Path. integer Minimum 255

paths value: 1
Maximum
value: 255
email-portal- Enable/disable using DNS to validate email option - enable

check-dns addresses collected by a captive portal.
Option Description
disable Disable email address checking with DNS.
enable Enable email address checking with DNS.
firewall- Select how to manage sessions affected by firewall option - check-all

session-dirty policy configuration changes.
Option Description
check-all All sessions affected by a firewall policy change are flushed from the session
table. When new packets are recived they are re-evaluated by stateful
inspection and re-added to the session table.
check-new Estabished sessions for changed firewall policies continue without being
affected by the policy configuration change. New sessions are evaluated
according to the new firewall policy configuration.
check-policy- Sessions are managed individually depending on the firewall policy. Some
option sessions may restart. Some may continue.
fw-session- Enable/disable checking for a matching policy each option - disable

hairpin time hairpin traffic goes through the FortiGate.
Option Description
enable Perform a policy check every time.
disable Perform a policy check only the first time the session is received.
gateway Transparent mode IPv4 default gateway IP ipv4- Not Specified 0.0.0.0
address. address
gateway6 Transparent mode IPv4 default gateway IP ipv6- Not Specified ::

address. address
gui-advanced- Enable/disable advanced policy configuration on option - disable

policy the GUI.

Fortinet Inc.
Option Description
enable Enable advanced policy configuration on the GUI.
disable Disable advanced policy configuration on the GUI.
gui-allow- Enable/disable the requirement for policy naming option - disable

unnamed- on the GUI.
policy
Option Description
enable Enable the requirement for policy naming on the GUI.
disable Disable the requirement for policy naming on the GUI.
gui-antivirus Enable/disable AntiVirus on the GUI. option - enable
Option Description
enable Enable AntiVirus on the GUI.
disable Disable AntiVirus on the GUI.
gui-ap-profile Enable/disable FortiAP profiles on the GUI. option - enable
Option Description
enable Enable FortiAP profiles on the GUI.
disable Disable FortiAP profiles on the GUI.
gui-application- Enable/disable application control on the GUI. option - enable

control
Option Description
enable Enable application control on the GUI.
disable Disable application control on the GUI.
gui-default- Default columns to display for policy lists on GUI. string Maximum
policy-columns Select column name. length: 79
<name>
gui-dhcp- Enable/disable advanced DHCP options on the option - enable

advanced GUI.
Option Description
enable Enable advanced DHCP options on the GUI.
disable Disable advanced DHCP options on the GUI.

Fortinet Inc.
gui-dns- Enable/disable DNS database settings on the GUI. option - disable

database
Option Description
enable Enable DNS database settings on the GUI.
disable Disable DNS database settings on the GUI.
gui-dnsfilter Enable/disable DNS Filtering on the GUI. option - enable **
Option Description
enable Enable DNS Filtering on the GUI.
disable Disable DNS Filtering on the GUI.
gui-dos-policy Enable/disable DoS policies on the GUI. option - enable **
Option Description
enable Enable DoS policies on the GUI.
disable Disable DoS policies on the GUI.
gui-dynamic- Enable/disable dynamic routing on the GUI. option - enable **

routing
Option Description
enable Enable dynamic routing on the GUI.
disable Disable dynamic routing on the GUI.
gui-email- Enable/disable email collection on the GUI. option - disable

collection
Option Description
enable Enable email collection on the GUI.
disable Disable email collection on the GUI.
gui-endpoint- Enable/disable endpoint control on the GUI. option - enable

control
Option Description
enable Enable endpoint control on the GUI.
disable Disable endpoint control on the GUI.

Fortinet Inc.
gui-endpoint- Enable/disable advanced endpoint control options option - disable

control- on the GUI.
advanced
Option Description
enable Enable advanced endpoint control options on the GUI.
disable Disable advanced endpoint control options on the GUI.
gui-explicit- Enable/disable the explicit proxy on the GUI. option - disable

proxy
Option Description
enable Enable the explicit proxy on the GUI.
disable Disable the explicit proxy on the GUI.
gui-file-filter Enable/disable File-filter on the GUI. option - enable **
Option Description
enable Enable File-filter on the GUI.
disable Disable File-filter on the GUI.
gui-fortiap-split- Enable/disable FortiAP split tunneling on the GUI. option - disable

tunneling
Option Description
enable Enable FortiAP split tunneling on the GUI.
disable Disable FortiAP split tunneling on the GUI.
gui- Enable/disable FortiExtender on the GUI. option - disable **

fortiextender-
controller
Option Description
enable Enable FortiExtender on the GUI.
disable Disable FortiExtender on the GUI.
gui-icap Enable/disable ICAP on the GUI. option - disable
Option Description
enable Enable ICAP on the GUI.
disable Disable ICAP on the GUI.

Fortinet Inc.
gui-implicit- Enable/disable implicit firewall policies on the GUI. option - enable

policy
Option Description
enable Enable implicit firewall policies on the GUI.
disable Disable implicit firewall policies on the GUI.
gui-ips Enable/disable IPS on the GUI. option - enable **
Option Description
enable Enable IPS on the GUI.
disable Disable IPS on the GUI.
gui-load- Enable/disable server load balancing on the GUI. option - disable

balance
Option Description
enable Enable server load balancing on the GUI.
disable Disable server load balancing on the GUI.
gui-local-in- Enable/disable Local-In policies on the GUI. option - disable

policy
Option Description
enable Enable Local-In policies on the GUI.
disable Disable Local-In policies on the GUI.
gui-local- Enable/disable local reports on the GUI. option - disable

reports *
Option Description
enable Enable local reports on the GUI.
disable Disable local reports on the GUI.
gui-multicast- Enable/disable multicast firewall policies on the option - disable

policy GUI.
Option Description
enable Enable multicast firewall policies on the GUI.
disable Disable multicast firewall policies on the GUI.

Fortinet Inc.
gui-multiple- Enable/disable adding multiple interfaces to a policy option - disable

interface-policy on the GUI.
Option Description
enable Enable adding multiple interfaces to a policy on the GUI.
disable Disable adding multiple interfaces to a policy on the GUI.
gui-object- Enable/disable object colors on the GUI. option - enable

colors
Option Description
enable Enable object colors on the GUI.
disable Disable object colors on the GUI.
gui-policy- Enable/disable policy-based IPsec VPN on the GUI. option - disable

based-ipsec
Option Description
enable Enable policy-based IPsec VPN on the GUI.
disable Disable policy-based IPsec VPN on the GUI.
gui-policy- Enable/disable policy disclaimer on the GUI. option - disable

disclaimer
Option Description
enable Enable policy disclaimer on the GUI.
disable Disable policy disclaimer on the GUI.
gui-security- Enable/disable Security Profile Groups on the GUI. option - disable

profile-group
Option Description
enable Enable Security Profile Groups on the GUI.
disable Disable Security Profile Groups on the GUI.
gui-spamfilter Enable/disable Antispam on the GUI. option - disable
Option Description
enable Enable Antispam on the GUI.
disable Disable Antispam on the GUI.

Fortinet Inc.
gui-sslvpn- Enable/disable SSL-VPN personal bookmark option - disable

personal- management on the GUI.
bookmarks
Option Description
enable Enable SSL-VPN personal bookmark management on the GUI.
disable Disable SSL-VPN personal bookmark management on the GUI.
gui-sslvpn- Enable/disable SSL-VPN realms on the GUI. option - disable

realms
Option Description
enable Enable SSL-VPN realms on the GUI.
disable Disable SSL-VPN realms on the GUI.
gui-switch- Enable/disable the switch controller on the GUI. option - enable

controller *
Option Description
enable Enable the switch controller on the GUI.
disable Disable the switch controller on the GUI.
gui-threat- Enable/disable threat weight on the GUI. option - enable

weight
Option Description
enable Enable threat weight on the GUI.
disable Disable threat weight on the GUI.
gui-traffic- Enable/disable traffic shaping on the GUI. option - enable

shaping
Option Description
enable Enable traffic shaping on the GUI.
disable Disable traffic shaping on the GUI.
gui-videofilter Enable/disable Video filtering on the GUI. option - enable **
Option Description
enable Enable Video filtering on the GUI.
disable Disable Video filtering on the GUI.

Fortinet Inc.
gui-voip-profile Enable/disable VoIP profiles on the GUI. option - disable
Option Description
enable Enable VoIP profiles on the GUI.
disable Disable VoIP profiles on the GUI.
gui-vpn Enable/disable VPN tunnels on the GUI. option - enable
Option Description
enable Enable VPN tunnels on the GUI.
disable Disable VPN tunnels on the GUI.
gui-waf-profile Enable/disable Web Application Firewall on the option - disable

GUI.
Option Description
enable Enable Web Application Firewall on the GUI.
disable Disable Web Application Firewall on the GUI.
gui-wan-load- Enable/disable SD-WAN on the GUI. option - enable

balancing
Option Description
enable Enable SD-WAN on the GUI.
disable Disable SD-WAN on the GUI.
gui-wanopt- Enable/disable WAN Optimization and Web option - disable

cache * Caching on the GUI.
Option Description
enable Enable WAN Optimization and Web Caching on the GUI.
disable Disable WAN Optimization and Web Caching on the GUI.
gui-webfilter Enable/disable Web filtering on the GUI. option - enable **
Option Description
enable Enable Web filtering on the GUI.
disable Disable Web filtering on the GUI.
gui-webfilter- Enable/disable advanced web filtering on the GUI. option - disable

advanced

Fortinet Inc.
Option Description
enable Enable advanced web filtering on the GUI.
disable Disable advanced web filtering on the GUI.
gui-wireless- Enable/disable the wireless controller on the GUI. option - enable

controller
Option Description
enable Enable the wireless controller on the GUI.
disable Disable the wireless controller on the GUI.
gui-ztna Enable/disable Zero Trust Network Access features option - enable **

on the GUI.
Option Description
enable Enable Zero Trust Network Access features on the GUI.
disable Disable Zero Trust Network Access features on the GUI.
h323-direct- Enable/disable H323 direct model. option - disable

model
Option Description
disable Disable H323 direct model.
enable Enable H323 direct model.
http-external- Offload HTTP traffic to FortiWeb or FortiCache. option - fortiweb

dest
Option Description
fortiweb Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.
forticache Offload HTTP traffic to FortiCache for external web caching and WAN
optimization.
ike-dn-format Configure IKE ASN.1 Distinguished Name format option - with-space

conventions.
Option Description
with-space Format IKE ASN.1 Distinguished Names with spaces between attribute
names and values.
no-space Format IKE ASN.1 Distinguished Names without spaces between attribute
names and values.

Fortinet Inc.
ike-policy-route Enable/disable IKE Policy Based Routing (PBR). option - disable
Option Description
enable Enable IKE Policy Based Routing (PBR).
disable Disable IKE Policy Based Routing (PBR).
ike-port UDP port for IKE/IPsec traffic. integer Minimum 500

value: 1024
Maximum
value: 65535
ike-quick- Enable/disable IKE quick crash detection (RFC option - disable

crash-detect 6290).
Option Description
enable Enable IKE quick crash detection (RFC 6290).
disable Disable IKE quick crash detection (RFC 6290).
ike-session- Enable/disable IKEv2 session resumption (RFC option - disable

resume 5723).
Option Description
enable Enable IKEv2 session resumption (RFC 5723).
disable Disable IKEv2 session resumption (RFC 5723).
ip IP address and netmask. ipv4- Not Specified 0.0.0.0

classnet- 0.0.0.0
host
ip6 IPv6 address prefix for NAT mode. ipv6-prefix Not Specified ::/0
link-down- Enable/disable link down access traffic. option - enable

access
Option Description
enable Allow link down access traffic.
disable Block link down access traffic.
lldp-reception Enable/disable Link Layer Discovery Protocol option - global

(LLDP) reception for this VDOM or apply global
settings to this VDOM.

Fortinet Inc.
Option Description
enable Enable LLDP reception for this VDOM.
disable Disable LLDP reception for this VDOM.
global Use the global LLDP reception configuration for this VDOM.
lldp- Enable/disable Link Layer Discovery Protocol option - global

transmission (LLDP) transmission for this VDOM or apply global
settings to this VDOM.
Option Description
enable Enable LLDP transmission for this VDOM.
disable Disable LLDP transmission for this VDOM.
global Use the global LLDP transmission configuration for this VDOM.
location-id Local location ID in the form of an IPv4 address. ipv4- Not Specified 0.0.0.0
address
mac-ttl Duration of MAC addresses in Transparent mode. integer Minimum 300

value: 300
Maximum
value:
8640000
manageip Transparent mode IPv4 management IP address user Not Specified

and netmask.
manageip6 Transparent mode IPv6 management IP address ipv6-prefix Not Specified ::/0
and netmask.
multicast- Enable/disable multicast forwarding. option - enable

forward
Option Description
enable Enable multicast forwarding.
disable Disable multicast forwarding.
multicast-skip- Enable/disable allowing multicast traffic through the option - disable

policy FortiGate without a policy check.
Option Description
enable Allowing multicast traffic through the FortiGate without creating a multicast
firewall policy.

Fortinet Inc.
Option Description
disable Require a multicast policy to allow multicast traffic to pass through the
FortiGate.
multicast-ttl- Enable/disable preventing the FortiGate from option - disable

notchange changing the TTL for forwarded multicast packets.
Option Description
enable The multicast TTL is not changed.
disable The multicast TTL may be changed.
nat46-force- Enable/disable mandatory IPv4 packet forwarding option - disable

ipv4-packet- in NAT46.
forwarding
Option Description
enable Enable mandatory IPv4 packet forwarding when IPv4 DF is set to 1.
disable Disable mandatory IPv4 packet forwarding when IPv4 DF is set to 1.
nat46- Enable/disable NAT46 IPv6 fragment header option - disable

generate-ipv6- generation.
fragment-
header
Option Description
enable Enable NAT46 IPv6 fragment header generation.
disable Disable NAT46 IPv6 fragment header generation.
nat64-force- Enable/disable mandatory IPv6 packet forwarding option - enable

ipv6-packet- in NAT64.
forwarding
Option Description
enable Enable mandatory IPv6 packet forwarding
disable Disable mandatory IPv6 packet forwarding
ngfw-mode Next Generation Firewall (NGFW) mode. option - profile-

based

Fortinet Inc.
Option Description
profile-based Application and web-filtering are configured using profiles applied to policy
entries.
policy-based Application and web-filtering are configured as policy match conditions.
opmode Firewall operation mode (NAT or Transparent). option - nat
Option Description
nat Change to NAT mode.
transparent Change to transparent mode.
policy-offload- Configure firewall policy offload level. option - disable

level *
Option Description
disable Disable policy offloading.
dos-offload Only enable DoS policy offloading.
prp-trailer- Enable/disable action to take on PRP trailer. option - disable

action
Option Description
enable Try to keep PRP trailer.
disable Trim PRP trailer.
sccp-port TCP port the SCCP proxy monitors for SCCP traffic. integer Minimum 2000
value: 0
Maximum
value: 65535
sctp-session- Enable/disable SCTP session creation without option - disable

without-init SCTP INIT.
Option Description
enable Enable SCTP session creation without SCTP INIT.
disable Disable SCTP session creation without SCTP INIT.
ses-denied- Enable/disable including denied session in the option - disable

traffic session table.

Fortinet Inc.
Option Description
enable Include denied sessions in the session table.
disable Do not add denied sessions to the session table.
sip-expectation Enable/disable the SIP kernel session helper to option - disable

create an expectation for port 5060.
Option Description
enable Allow SIP session helper to create an expectation for port 5060.
disable Prevent SIP session helper from creating an expectation for port 5060.
sip-nat-trace Enable/disable recording the original SIP source IP option - enable

address when NAT is used.
Option Description
enable Record the original SIP source IP address when NAT is used.
disable Do not record the original SIP source IP address when NAT is used.
sip-ssl-port * TCP port the SIP proxy monitors for SIP SSL/TLS integer Minimum 5061
traffic. value: 0
Maximum
value: 65535
sip-tcp-port TCP port the SIP proxy monitors for SIP traffic. integer Minimum 5060
value: 1
Maximum
value: 65535
sip-udp-port UDP port the SIP proxy monitors for SIP traffic. integer Minimum 5060
value: 1
Maximum
value: 65535
snat-hairpin- Enable/disable source NAT (SNAT) for hairpin option - enable

traffic traffic.
Option Description
enable Enable SNAT for hairpin traffic.
disable Disable SNAT for hairpin traffic.
status Enable/disable this VDOM. option - enable

Fortinet Inc.
Option Description
enable Enable this VDOM.
disable Disable this VDOM.
strict-src-check Enable/disable strict source verification. option - disable
Option Description
enable Enable strict source verification.
disable Disable strict source verification.
tcp-session- Enable/disable allowing TCP session without SYN option - disable

without-syn flags.
Option Description
enable Allow TCP session without SYN flags.
disable Do not allow TCP session without SYN flags.
utf8-spam- Enable/disable converting antispam tags to UTF-8 option - enable

tagging for better non-ASCII character support.
Option Description
enable Convert antispam tags to UTF-8.
disable Do not convert antispam tags.
v4-ecmp-mode IPv4 Equal-cost multi-path (ECMP) routing and load option - source-ip-
balancing mode. based
Option Description
source-ip-based Select next hop based on source IP.
weight-based Select next hop based on weight.
usage-based Select next hop based on usage.
source-dest-ip- Select next hop based on both source and destination IPs.
based
vpn-stats-log Enable/disable periodic VPN log statistics for one or option - ipsec pptp
more types of VPN. Separate names with a space. l2tp ssl
Option Description
ipsec IPsec.

Fortinet Inc.
Option Description
pptp PPTP.
l2tp L2TP.
ssl SSL.
vpn-stats- Period to send VPN log statistics. integer Minimum 600

period value: 0
Maximum
value:
4294967295
wccp-cache- Enable/disable WCCP cache engine. option - disable

engine
Option Description
enable Enable WCCP cache engine.
disable Disable WCCP cache engine.

config system sflow
Configure sFlow.
config system sflow
Description: Configure sFlow.
end
config system sflow
collector-ip IP address of the sFlow collector that sFlow agents ipv4- Not 0.0.0.0
added to interfaces in this VDOM send sFlow address Specified
datagrams to.

Fortinet Inc.
collector-port UDP port number used for sending sFlow datagrams. integer Minimum 6343
value: 0
Maximum
value:
65535

Specified
select-method
Option Description
source-ip Source IP address for sFlow agent. ipv4- Not 0.0.0.0

address Specified
config system sit-tunnel
Configure IPv6 tunnel over IPv4.

Description: Configure IPv6 tunnel over IPv4.
edit <name>
set destination {ipv4-address}
set ip6 {ipv6-prefix}
set name {string}
next
end

offload *

Fortinet Inc.
Option Description
destination Destination IP address of the tunnel. ipv4- Not 0.0.0.0

address Specified

Specified
ip6 IPv6 address of the tunnel. ipv6-prefix Not ::/0

Specified
name Tunnel name. string Not

Specified
source Source IP address of the tunnel. ipv4- Not 0.0.0.0

address Specified

gateway.
Option Description

Fortinet Inc.
config system smc-ntp
This command is available for model(s): FortiGate 1100E, FortiGate 1101E, FortiGate 1800F,
FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3980E, FortiGate 400E
Bypass, FortiGate 400E, FortiGate 401E, FortiGate 4200F, FortiGate 4201F, FortiGate
4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 601E.
FortiGate 101E, FortiGate 101F, FortiGate 1200D, FortiGate 140E-POE, FortiGate 140E,
FortiGate 1500DT, FortiGate 1500D, FortiGate 2000E, FortiGate 200E, FortiGate 200F,
FortiGate 3000D, FortiGate 3100D, FortiGate 3200D, FortiGate 3700D, FortiGate 3800D,
FortiGate 3960E, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 5001E1, FortiGate 5001E,
FortiGate 61E, FortiGate 61F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate
80F Bypass, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E,
FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 90E, FortiGate 91E, FortiGate
VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi 40F 3G4G, FortiWiFi
40F, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi
Configure SMC NTP information.

Description: Configure SMC NTP information.
set channel {integer}
config ntpserver
Description: Configure the FortiGate SMC to connect to an NTP server.
edit <id>
set id {integer}
set server {ipv4-address}
next
end
set ntpsync [enable|disable]
set syncinterval {integer}
end
channel SMC NTP client will send NTP packets through this integer Minimum 5
channel. value: 1
Maximum
value:
65535

Fortinet Inc.
ntpsync Enable/disable setting the FortiGate SMC system time option - disable
by synchronizing with an NTP server.
Option Description
enable Enable synchronization with NTP server in SMC.
disable Disable synchronization with NTP server in SMC.
syncinterval SMC NTP synchronization interval. integer Minimum 60

value: 1
Maximum
value:
65535
config ntpserver
id NTP server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
server IP address of the NTP server. ipv4- Not Specified 0.0.0.0

address
config system sms-server
Configure SMS server for sending SMS messages to support user authentication.
Description: Configure SMS server for sending SMS messages to support user
authentication.
edit <name>
set mail-server {string}
set name {string}
next
end
mail-server Email-to-SMS server domain name. string Not

Specified

Fortinet Inc.
name Name of SMS server. string Not

Specified
config system snmp community
SNMP community configuration.

Description: SNMP community configuration.
edit <id>
config hosts
edit <id>
set id {integer}
set ip {user}
set host-type [any|query|...]
next
end
config hosts6
Description: Configure IPv6 SNMP managers.
edit <id>
set id {integer}
set source-ipv6 {ipv6-address}
set ipv6 {ipv6-prefix}
set host-type [any|query|...]
next
end
set id {integer}
set name {string}
set query-v1-status [enable|disable]
set query-v2c-status [enable|disable]
set trap-v1-status [enable|disable]
set trap-v2c-status [enable|disable]
next
end

Fortinet Inc.

Fortinet Inc.
events SNMP trap events. option - cpu-high mem-

low log-full intf-
ip vpn-tun-up
vpn-tun-down
ha-switch ha-
hb-failure ips-
signature ips-
anomaly av-
virus av-
oversize av-
pattern av-
fragmented fm-
if-change bgp-
established
bgp-backward-
transition ha-
member-up ha-
member-down
ent-conf-
change av-
conserve av-
bypass av-
oversize-
passed av-
oversize-
blocked ips-
pkg-update ips-
fail-open
temperature-
high voltage-
alert power-
supply-failure
faz-disconnect
fan-failure wc-
ap-up wc-ap-
down fswctl-
session-up
fswctl-session-
down load-
balance-real-
server-down
per-cpu-high
dhcp pool-
usage ospf-
nbr-state-
change ospf-
virtnbr-state-
change **

Fortinet Inc.
Option Description
cpu-high Send a trap when CPU usage is high.
vpn-tun-up Send a trap when a VPN tunnel comes up.
vpn-tun-down Send a trap when a VPN tunnel goes down.
ha-switch Send a trap after an HA failover when the backup unit has taken over.
ha-hb-failure Send a trap when HA heartbeats are not received.
ips-signature Send a trap when IPS detects an attack.
ips-anomaly Send a trap when IPS finds an anomaly.
av-virus Send a trap when AntiVirus finds a virus.
av-oversize Send a trap when AntiVirus finds an oversized file.
av-pattern Send a trap when AntiVirus finds file matching pattern.
av-fragmented Send a trap when AntiVirus finds a fragmented file.
fm-if-change Send a trap when FortiManager interface changes. Send a FortiManager trap.
fm-conf-change Send a trap when a configuration change is made by a FortiGate administrator

and the FortiGate is managed by FortiManager.
bgp-established Send a trap when a BGP FSM transitions to the established state.
bgp-backward- Send a trap when a BGP FSM goes from a high numbered state to a lower
transition numbered state.
ha-member-up Send a trap when an HA cluster member goes up.
ha-member- Send a trap when an HA cluster member goes down.

down
av-conserve Send a trap when the FortiGate enters conserve mode.
av-bypass Send a trap when the FortiGate enters bypass mode.
av-oversize- Send a trap when AntiVirus passes an oversized file.

passed
av-oversize- Send a trap when AntiVirus blocks an oversized file.

blocked

Fortinet Inc.
Option Description
ips-pkg-update Send a trap when the IPS signature database or engine is updated.
ips-fail-open Send a trap when the IPS network buffer is full.
temperature-high Send a trap when a temperature sensor registers a temperature that is too
high.
voltage-alert Send a trap when a voltage sensor registers a voltage that is outside of the
normal range.
power-supply- Send a trap when a power supply fails.

failure
faz-disconnect Send a trap when a FortiAnalyzer disconnects from the FortiGate.
fan-failure Send a trap when a fan fails.
wc-ap-up Send a trap when a managed FortiAP comes up.
wc-ap-down Send a trap when a managed FortiAP goes down.
fswctl-session-up Send a trap when a FortiSwitch controller session comes up.
fswctl-session- Send a trap when a FortiSwitch controller session goes down.

down
load-balance- Send a trap when a server load balance real server goes down.
real-server-down
device-new Send a trap when a new device is found.
per-cpu-high Send a trap when per-CPU usage is high.
dhcp Send a trap when the DHCP server exhausts the IP pool, an IP address
already is in use, or a DHCP client interface received a DHCP-NAK.
pool-usage Send a trap about ippool usage.
ospf-nbr-state- Send a trap when there has been a change in the state of a non-virtual OSPF
change neighbor.
ospf-virtnbr- Send a trap when there has been a change in the state of an OSPF virtual
state-change neighbor.
id Community ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Community name. string Not Specified

Fortinet Inc.

value: 1
Maximum
value: 65535

status
Option Description

port value: 0
Maximum
value: 65535

status
Option Description
Option Description
trap-v1-lport SNMP v1 trap local port. integer Minimum 162

value: 1
Maximum
value: 65535
trap-v1-rport SNMP v1 trap remote port. integer Minimum 162

value: 1
Maximum
value: 65535
Option Description

Fortinet Inc.

value: 1
Maximum
value: 65535

value: 1
Maximum
value: 65535

status
Option Description
config hosts

value: 0
Maximum
value:
4294967295
source-ip Source IPv4 address for SNMP traps. ipv4- Not Specified 0.0.0.0
address
ha-direct Enable/disable direct management of HA cluster option - disable

members.
Option Description
host-type Control whether the SNMP manager sends SNMP option - any
queries, receives SNMP traps, or both. No traps will
be sent when IP type is subnet.
Option Description
any Accept queries from and send traps to this SNMP manager.

Fortinet Inc.
Option Description
query Accept queries from this SNMP manager but do not send traps.
trap Send traps to this SNMP manager but do not accept SNMP queries from this
SNMP manager.
config hosts6
id Host6 entry ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
source-ipv6 Source IPv6 address for SNMP traps. ipv6- Not Specified ::
address
ipv6 SNMP manager IPv6 address prefix. ipv6-prefix Not Specified ::/0

members.
Option Description
host-type Control whether the SNMP manager sends SNMP option - any
queries, receives SNMP traps, or both.
Option Description
any Accept queries from and send traps to this SNMP manager.
query Accept queries from this SNMP manager but do not send traps.
trap Send traps to this SNMP manager but do not accept SNMP queries from this
SNMP manager.
config system snmp sysinfo
SNMP system info configuration.

Description: SNMP system info configuration.
set contact-info {var-string}

Fortinet Inc.
set engine-id-type [text|hex|...]
set location {var-string}
end
contact-info Contact information. var-string Not

Specified
description System description. var-string Not

Specified
engine-id Local SNMP engineID string (maximum 27 characters). string Not

Specified
engine-id- Local SNMP engineID type (text/hex/mac). option - text

type
Option Description
text Text format.
hex Octets format.
mac MAC address format.
location System location. var-string Not

Specified
Option Description

threshold value: 1
Maximum
value: 100

threshold value: 1
Maximum
value: 100

Fortinet Inc.

memory- value: 1
threshold Maximum
value: 100
config system snmp user
SNMP user configuration.

Description: SNMP user configuration.
edit <name>
set auth-proto [md5|sha|...]
set name {string}
set notify-hosts {ipv4-address}
set notify-hosts6 {ipv6-address}
set priv-proto [aes|des|...]
set queries [enable|disable]
set source-ipv6 {ipv6-address}
set trap-lport {integer}
set trap-rport {integer}
set trap-status [enable|disable]
next
end
auth-proto Authentication protocol. option - sha
Option Description
sha HMAC-SHA-96 authentication protocol.
sha224 HMAC-SHA224 authentication protocol.

Fortinet Inc.
Option Description

Specified

Fortinet Inc.
events SNMP notifications (traps) to send. option - cpu-high mem-

low log-full intf-
ip vpn-tun-up
vpn-tun-down
ha-switch ha-
hb-failure ips-
signature ips-
anomaly av-
virus av-
oversize av-
pattern av-
fragmented fm-
if-change bgp-
established
bgp-backward-
transition ha-
member-up ha-
member-down
ent-conf-
change av-
conserve av-
bypass av-
oversize-
passed av-
oversize-
blocked ips-
pkg-update ips-
fail-open
temperature-
high voltage-
alert power-
supply-failure
faz-disconnect
fan-failure wc-
ap-up wc-ap-
down fswctl-
session-up
fswctl-session-
down load-
balance-real-
server-down
per-cpu-high
dhcp pool-
usage ospf-
nbr-state-
change ospf-
virtnbr-state-
change **

Fortinet Inc.
Option Description
cpu-high Send a trap when CPU usage is high.
vpn-tun-up Send a trap when a VPN tunnel comes up.
vpn-tun-down Send a trap when a VPN tunnel goes down.
ha-switch Send a trap after an HA failover when the backup unit has taken over.
ha-hb-failure Send a trap when HA heartbeats are not received.
ips-signature Send a trap when IPS detects an attack.
ips-anomaly Send a trap when IPS finds an anomaly.
av-virus Send a trap when AntiVirus finds a virus.
av-oversize Send a trap when AntiVirus finds an oversized file.
av-pattern Send a trap when AntiVirus finds file matching pattern.
av-fragmented Send a trap when AntiVirus finds a fragmented file.
fm-if-change Send a trap when FortiManager interface changes. Send a FortiManager trap.
fm-conf-change Send a trap when a configuration change is made by a FortiGate administrator

and the FortiGate is managed by FortiManager.
bgp-established Send a trap when a BGP FSM transitions to the established state.
bgp-backward- Send a trap when a BGP FSM goes from a high numbered state to a lower
transition numbered state.
ha-member-up Send a trap when an HA cluster member goes up.
ha-member- Send a trap when an HA cluster member goes down.

down
av-conserve Send a trap when the FortiGate enters conserve mode.
av-bypass Send a trap when the FortiGate enters bypass mode.
av-oversize- Send a trap when AntiVirus passes an oversized file.

passed
av-oversize- Send a trap when AntiVirus blocks an oversized file.

blocked

Fortinet Inc.
Option Description
ips-pkg-update Send a trap when the IPS signature database or engine is updated.
ips-fail-open Send a trap when the IPS network buffer is full.
temperature-high Send a trap when a temperature sensor registers a temperature that is too
high.
voltage-alert Send a trap when a voltage sensor registers a voltage that is outside of the
normal range.
power-supply- Send a trap when a power supply fails.

failure
faz-disconnect Send a trap when a FortiAnalyzer disconnects from the FortiGate.
fan-failure Send a trap when a fan fails.
wc-ap-up Send a trap when a managed FortiAP comes up.
wc-ap-down Send a trap when a managed FortiAP goes down.
fswctl-session-up Send a trap when a FortiSwitch controller session comes up.
fswctl-session- Send a trap when a FortiSwitch controller session goes down.

down
load-balance- Send a trap when a server load balance real server goes down.
real-server-down
device-new Send a trap when a new device is found.
per-cpu-high Send a trap when per-CPU usage is high.
dhcp Send a trap when the DHCP server exhausts the IP pool, an IP address
already is in use, or a DHCP client interface received a DHCP-NAK.
pool-usage Send a trap about ippool usage.
ospf-nbr-state- Send a trap when there has been a change in the state of a non-virtual OSPF
change neighbor.
ospf-virtnbr- Send a trap when there has been a change in the state of an OSPF virtual
state-change neighbor.

members.
Option Description

Fortinet Inc.

Specified
notify-hosts SNMP managers to send notifications (traps) to. ipv4- Not

address Specified
notify-hosts6 IPv6 SNMP managers to send notifications (traps) ipv6- Not

to. address Specified
priv-proto Privacy (encryption) protocol. option - aes
Option Description
aes CFB128-AES-128 symmetric encryption protocol.
aes256cisco CFB128-AES-256 symmetric encryption protocol compatible with CISCO.

Specified
Option Description

value: 0
Maximum
value:
65535
security-level Security level for message authentication and option - no-auth-no-priv

encryption.
Option Description
source-ip Source IP for SNMP trap. ipv4- Not 0.0.0.0

address Specified
source-ipv6 Source IPv6 for SNMP trap. ipv6- Not ::

address Specified

Fortinet Inc.
status Enable/disable this SNMP user. option - enable
Option Description
trap-lport SNMPv3 local trap port. integer Minimum 162

value: 0
Maximum
value:
65535
trap-rport SNMPv3 trap remote port. integer Minimum 162

value: 0
Maximum
value:
65535
trap-status Enable/disable traps for this SNMP user. option - enable
Option Description
config system source-ip status
Show configured service source-IP.

config system source-ip status
Description: Show configured service source-IP.
end
config system speed-test-schedule
Speed test schedule for each interface.

Description: Speed test schedule for each interface.
edit <interface>
set diffserv {user}
set dynamic-server [disable|enable]
set schedules <name1>, <name2>, ...
set server-name {string}

Fortinet Inc.
set update-inbandwidth [disable|enable]
set update-inbandwidth-maximum {integer}
set update-inbandwidth-minimum {integer}
set update-outbandwidth [disable|enable]
set update-outbandwidth-maximum {integer}
set update-outbandwidth-minimum {integer}
next
end
diffserv DSCP used for speed test. user Not

Specified
dynamic-server Enable/disable dynamic server option. option - disable
Option Description
disable Disable dynamic server.
enable Enable dynamic server.The speed test server will be found automatically.

Specified
schedules Schedules for the interface. string Maximum

<name> Name of a firewall recurring schedule. length: 31
server-name Speed test server name. string Not

Specified
status Enable/disable scheduled speed test. option - enable
Option Description
disable Disable scheduled speed test.
enable Enable scheduled speed test.
update- Enable/disable bypassing interface's inbound option - disable

inbandwidth bandwidth setting.
Option Description
disable Honor interface's inbandwidth shaping.
enable Ignore interface's inbandwidth shaping.

Fortinet Inc.
update- Maximum downloading bandwidth (kbps) to be used integer Minimum 0

inbandwidth- in a speed test. value: 0
maximum Maximum
value:
16776000
update- Minimum downloading bandwidth (kbps) to be integer Minimum 0

inbandwidth- considered effective. value: 0
minimum Maximum
value:
16776000
update- Enable/disable bypassing interface's outbound option - disable

outbandwidth bandwidth setting.
Option Description
disable Honor interface's outbandwidth shaping.
enable Ignore updating interface's outbandwidth shaping.
update- Maximum uploading bandwidth (kbps) to be used in a integer Minimum 0

outbandwidth- speed test. value: 0
maximum Maximum
value:
16776000
update- Minimum uploading bandwidth (kbps) to be integer Minimum 0

outbandwidth- considered effective. value: 0
minimum Maximum
value:
16776000
config system speed-test-server
The config system speed-test-server command is read-only. Administrators cannot

configure custom servers.
Configure speed test server list.

Description: Configure speed test server list.
edit <name>
config host
Description: Hosts of the server.
edit <id>
set id {integer}
set port {integer}

Fortinet Inc.
set user {string}
set longitude {string}
set latitude {string}
next
end
set name {string}
set timestamp {integer}
next
end
name Speed test server name. string Not Specified
timestamp Speed test server timestamp. integer Minimum 0

value: 0
Maximum
value:
4294967295
config host
id Server host ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ip Server host IPv4 address. ipv4- Not Specified 0.0.0.0

address
port Server host port number to communicate with client. integer Minimum 5204
value: 1
Maximum
value: 65535
user Speed test host user name. string Not Specified
password Speed test host password. password Not Specified
longitude Speed test host longitude. string Not Specified
latitude Speed test host latitude. string Not Specified

Fortinet Inc.
distance Speed test host distance. integer Minimum 0

value: 0
Maximum
value:
4294967295
config system sso-admin
Configure SSO admin users.

Description: Configure SSO admin users.
edit <name>
set name {string}
next
end
accprofile SSO admin user access profile. string Not

Specified
name SSO admin name. string Not

Specified
config system sso-forticloud-admin
Configure FortiCloud SSO admin users.

Description: Configure FortiCloud SSO admin users.
edit <name>
set name {string}
next
end

Fortinet Inc.
name FortiCloud SSO admin name. string Not

Specified
config system standalone-cluster
Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.

Description: Configure FortiGate Session Life Support Protocol (FGSP) cluster
attributes.
set encryption [enable|disable]
set group-member-id {integer}
set layer2-connection [available|unavailable]
set psksecret {password-3}
set session-sync-dev {user}
set standalone-group-id {integer}
end
encryption Enable/disable encryption when synchronizing option - disable

sessions.
Option Description
enable Enable encryption when synchronizing sessions.
disable Disable encryption when synchronizing sessions.
group- Cluster member ID. integer Minimum 0

member-id value: 0
Maximum
value: 15
layer2- Indicate whether layer 2 connections are present option - unavailable

connection among FGSP members.
Option Description
available There exist layer 2 connections among FGSP members.
unavailable There does not exist layer 2 connection among FGSP members.

Fortinet Inc.
psksecret Pre-shared secret for session synchronization (ASCII password-3 Not

string or hexadecimal encoded with a leading 0x). Specified
session-sync- Offload session-sync process to kernel and sync user Not

dev sessions using connected interface(s) directly. Specified
standalone- Cluster group ID. Must be the same for all members. integer Minimum 0
group-id value: 0
Maximum
value: 255
config system startup-error-log
Display startup config error on console.

config system startup-error-log
Description: Display startup config error on console.
end
config system status
System status.
config system status
Description: System status.
end
config system storage
Configure logical storage.

Description: Configure logical storage.
edit <name>
set device {string}
set media-status [enable|disable|...]
set name {string}
set order {integer}
set partition {string}
set size {integer}
set usage [log|wanopt]
set wanopt-mode [mix|wanopt|...]
next
end

Fortinet Inc.
device Partition device. string Not Specified ?
media-status The physical status of current media. option - disable
Option Description
enable Storage is enabled.
disable Storage is disabled.
fail Storage have some fail sector.
name Storage name. string Not Specified default_n
order Set storage order. integer Minimum 0

value: 0
Maximum
value: 255
partition Label of underlying partition. string Not Specified <unknown>
size Partition size. integer Minimum 0

value: 0
Maximum
value:
4294967295
status Enable/disable storage. option - enable
Option Description
usage Use hard disk for logging or WAN Optimization. option - log
Option Description
log Use hard disk for logging.
wanopt Use hard disk for WAN Optimization.
wanopt-mode WAN Optimization mode. option - mix

*
Option Description
mix Use hard disk for WAN Optimization mix mode.
wanopt Use hard disk for WAN Optimization wanopt mode.
webcache Use hard disk for WAN Optimization webcache mode.

Fortinet Inc.
config system stp
Configure Spanning Tree Protocol (STP).

config system stp
Description: Configure Spanning Tree Protocol (STP).
set forward-delay {integer}
set switch-priority [0|4096|...]
end
config system stp
forward-delay Forward delay. integer Minimum 15

value: 4
Maximum
value: 30

Fortinet Inc.
hello-time Hello time. integer Minimum 2

value: 1
Maximum
value: 10
max-age Maximum packet age. integer Minimum 20

value: 6
Maximum
value: 40
max-hops Maximum number of hops. integer Minimum 20

value: 1
Maximum
value: 40
switch-priority STP switch priority; the lower the number the higher the option - 32768
priority (select from 0, 4096, 8192, 12288, 16384,
20480, 24576, 28672, 32768, 36864, 40960, 45056,
49152, 53248, and 57344).
Option Description
0 0
4096 4096
8192 8192
12288 12288
16384 16384
20480 20480
24576 24576
28672 28672
32768 32768
36864 36864
40960 40960
45056 45056
49152 49152
53248 53248
57344 57344
config system switch-interface
Configure software switch interfaces by grouping physical and WiFi interfaces.

Fortinet Inc.
Description: Configure software switch interfaces by grouping physical and WiFi
interfaces.
edit <name>
set intra-switch-policy [implicit|explicit]
set mac-ttl {integer}
set name {string}
set span [disable|enable]
set span-dest-port {string}
set span-direction [rx|tx|...]
set span-source-port <interface-name1>, <interface-name2>, ...
set type [switch|hub]
set vdom {string}
next
end
intra-switch- Allow any traffic between switch interfaces or require option - implicit
policy firewall policies to allow traffic between switch
interfaces.
Option Description
implicit Traffic between switch members is implicitly allowed.
explicit Traffic between switch members must match firewall policies.
mac-ttl Duration for which MAC addresses are held in the integer Minimum 300
ARP table. value: 300
Maximum
value:
8640000
member Names of the interfaces that belong to the virtual string Maximum
<interface- switch. length: 79
name Interface name (name cannot be in use by any other string Not
interfaces, VLANs, or inter-VDOM links). Specified
span Enable/disable port spanning. Port spanning echoes option - disable

traffic received by the software switch to the span
destination port.
Option Description
disable Disable port spanning.
enable Enable port spanning.

Fortinet Inc.
span-dest-port SPAN destination port name. All traffic on the SPAN string Not
source ports is echoed to the SPAN destination port. Specified
span-direction The direction in which the SPAN port operates, option - both
either: rx, tx, or both.
Option Description
rx Copies only received packets from source SPAN ports to the destination
SPAN port.
tx Copies only transmitted packets from source SPAN ports to the destination
SPAN port.
both Copies both received and transmitted packets from source SPAN ports to
the destination SPAN port.
span-source-port Physical interface name. Port spanning echoes all string Maximum
<interface- traffic on the SPAN source ports to the SPAN length: 79
name> destination port.
Physical interface name.
type Type of switch based on functionality: switch for option - switch

normal functionality, or hub to duplicate packets to all
port members.
Option Description
switch Switch for normal switch functionality (available in NAT mode only).
hub Hub to duplicate packets to all member ports.
vdom VDOM that the software switch belongs to. string Not
Specified
config system tos-based-priority
Configure Type of Service (ToS) based priority table to set network traffic priorities.
Description: Configure Type of Service (ToS) based priority table to set network traffic
priorities.
edit <id>
set id {integer}
set tos {integer}
next
end

Fortinet Inc.
id Item ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
priority ToS based priority level to low, medium or high. option - high
Option Description
low Low priority.
high High priority.
tos Value of the ToS byte in the IP datagram header. integer Minimum 0
value: 0
Maximum
value: 15
config system vdom-dns
Configure DNS servers for a non-management VDOM.

Description: Configure DNS servers for a non-management VDOM.
set alt-primary {ipv4-address}
set alt-secondary {ipv4-address}
set ip6-primary {ipv6-address}
set ip6-secondary {ipv6-address}
set primary {ipv4-address}
set secondary {ipv4-address}
set server-hostname <hostname1>, <hostname2>, ...
set server-select-method [least-rtt|failover]
set vdom-dns [enable|disable]
end

Fortinet Inc.
alt-primary Alternate primary DNS server. This is not used as a ipv4- Not 0.0.0.0
failover DNS server. address Specified
alt-secondary Alternate secondary DNS server. This is not used as a ipv4- Not 0.0.0.0
failover DNS server. address Specified

Specified

method server.
Option Description
ip6-primary Primary IPv6 DNS server IP address for the VDOM. ipv6- Not ::
address Specified
ip6-secondary Secondary IPv6 DNS server IP address for the VDOM. ipv6- Not ::
address Specified
primary Primary DNS server IP address for the VDOM. ipv4- Not 0.0.0.0
address Specified
protocol DNS transport protocols. option - cleartext
Option Description
secondary Secondary DNS server IP address for the VDOM. ipv4- Not 0.0.0.0
address Specified
server- DNS server host name list. string Maximum

hostname DNS server host name list separated by space length: 127
<hostname> (maximum 4 domains).
server-select- Specify how configured servers are prioritized. option - least-rtt

method

Fortinet Inc.
Option Description
least-rtt Select servers based on least round trip time.
failover Select servers based on the order they are configured.
source-ip Source IP for communications with the DNS server. ipv4- Not 0.0.0.0
address Specified
ssl-certificate Name of local certificate for SSL connections. string Not Fortinet_
Specified Factory
vdom-dns Enable/disable configuring DNS servers for the current option - disable
VDOM.
Option Description
enable Enable configuring DNS servers for the current VDOM.
disable Disable configuring DNS servers for the current VDOM.
config system vdom-exception
Global configuration objects that can be configured independently across different ha peers for all VDOMs or for the
defined VDOM scope.
Description: Global configuration objects that can be configured independently across
different ha peers for all VDOMs or for the defined VDOM scope.
edit <id>
set id {integer}
set object [log.fortianalyzer.setting|log.fortianalyzer.override-setting|...]
set scope [all|inclusive|...]
next
end
id Index. integer Minimum value: 0

1 Maximum
value: 4096
object Name of the configuration object that can option -

be configured independently for all
VDOMs.

Fortinet Inc.
Option Description
log.fortianalyzer.setting log.fortianalyzer.setting
log.fortianalyzer.override- log.fortianalyzer.override-setting
setting
log.fortianalyzer2.setting log.fortianalyzer2.setting
log.fortianalyzer2.override- log.fortianalyzer2.override-setting
setting
log.fortianalyzer3.setting log.fortianalyzer3.setting
log.fortianalyzer3.override- log.fortianalyzer3.override-setting
setting
log.fortianalyzer- log.fortianalyzer-cloud.setting
cloud.setting
log.fortianalyzer- log.fortianalyzer-cloud.override-setting
cloud.override-setting
log.syslogd.setting log.syslogd.setting
log.syslogd.override-setting log.syslogd.override-setting
log.syslogd2.setting log.syslogd2.setting
log.syslogd2.override-setting log.syslogd2.override-setting
system.gre-tunnel system.gre-tunnel
system.central-management system.central-management
system.csf system.csf
user.radius user.radius
scope Determine whether the configuration option - all

object can be configured separately for all
VDOMs or if some VDOMs share the same
configuration.
Option Description
all Object configuration independent for all VDOMs.

Fortinet Inc.
Option Description
inclusive Object configuration independent for the listed VDOMs. Other VDOMs use the
global configuration.
exclusive Use the global object configuration for the listed VDOMs. Other VDOMs can
be configured independently.
vdom <name> Names of the VDOMs. string Maximum

VDOM name. length: 79
config system vdom-link
Configure VDOM links.

Description: Configure VDOM links.
edit <name>
set name {string}
set type [ppp|ethernet|...]
set vcluster [vcluster1|vcluster2]
next
end
name VDOM link name (maximum = 11 characters). string Not

Specified
type VDOM link type: PPP or Ethernet. option - ppp
Option Description
ppp PPP VDOM link.
ethernet Ethernet VDOM link.
npupair NPU VDOM link.
vcluster Virtual cluster. option - vcluster1
Option Description
vcluster1 Virtual cluster 1.
vcluster2 Virtual cluster 2.

Fortinet Inc.
config system vdom-netflow
Configure NetFlow per VDOM.

Description: Configure NetFlow per VDOM.
set vdom-netflow [enable|disable]
end
collector-ip NetFlow collector IP address. ipv4- Not 0.0.0.0

address Specified
collector-port NetFlow collector port number. integer Minimum 2055

value: 0
Maximum
value:
65535

Specified
select-method
Option Description
source-ip Source IP address for communication with the NetFlow ipv4- Not 0.0.0.0
vdom-netflow Enable/disable NetFlow per VDOM. option - disable
Option Description
enable Enable NetFlow per VDOM.
disable Disable NetFlow per VDOM.

Fortinet Inc.
config system vdom-property
Configure VDOM property.

Description: Configure VDOM property.
edit <name>
set custom-service {user}
set dialup-tunnel {user}
set firewall-address {user}
set firewall-addrgrp {user}
set firewall-policy {user}
set ipsec-phase1 {user}
set ipsec-phase1-interface {user}
set ipsec-phase2 {user}
set ipsec-phase2-interface {user}
set log-disk-quota {user}
set name {string}
set onetime-schedule {user}
set proxy {user}
set recurring-schedule {user}
set service-group {user}
set session {user}
set snmp-index {integer}
set sslvpn {user}
set user {user}
set user-group {user}
next
end
custom- Maximum guaranteed number of firewall custom user Not Specified

service services.
dialup-tunnel Maximum guaranteed number of dial-up tunnels. user Not Specified
firewall- Maximum guaranteed number of firewall addresses user Not Specified

address (IPv4, IPv6, multicast).
firewall- Maximum guaranteed number of firewall address user Not Specified

addrgrp groups (IPv4, IPv6).
firewall-policy Maximum guaranteed number of firewall policies user Not Specified

(policy, DoS-policy4, DoS-policy6, multicast).
ipsec-phase1 Maximum guaranteed number of VPN IPsec phase 1 user Not Specified
tunnels.

Fortinet Inc.
ipsec-phase1- Maximum guaranteed number of VPN IPsec phase1 user Not Specified
interface interface tunnels.
ipsec-phase2 Maximum guaranteed number of VPN IPsec phase 2 user Not Specified
tunnels.
ipsec-phase2- Maximum guaranteed number of VPN IPsec phase2 user Not Specified
interface interface tunnels.
log-disk-quota Log disk quota in megabytes (MB). Range depends user Not Specified
on how much disk space is available.
name VDOM name. string Not Specified
onetime- Maximum guaranteed number of firewall one-time user Not Specified

schedule schedules.
proxy Maximum guaranteed number of concurrent proxy user Not Specified

users.
recurring- Maximum guaranteed number of firewall recurring user Not Specified

schedule schedules.
service-group Maximum guaranteed number of firewall service user Not Specified

groups.
session Maximum guaranteed number of sessions. user Not Specified
snmp-index Permanent SNMP Index of the virtual domain. integer Minimum 0

value: 1
Maximum
value:
2147483647
sslvpn Maximum guaranteed number of SSL-VPNs. user Not Specified
user Maximum guaranteed number of local users. user Not Specified
user-group Maximum guaranteed number of user groups. user Not Specified
config system vdom-radius-server
Configure a RADIUS server to use as a RADIUS Single Sign On (RSSO) server for this VDOM.
Description: Configure a RADIUS server to use as a RADIUS Single Sign On (RSSO) server
for this VDOM.
edit <name>
set name {string}
set radius-server-vdom {string}
next
end

Fortinet Inc.
name Name of the VDOM that you are adding the RADIUS string Not
server to. Specified
radius-server- Use this option to select another VDOM containing a string Not
vdom VDOM RSSO RADIUS server to use for the current Specified
VDOM.
status Enable/disable the RSSO RADIUS server for this option - disable
VDOM.
Option Description
enable Enable the RSSO RADIUS server for this VDOM.
disable Disable the RSSO RADIUS server for this VDOM.
config system vdom-sflow
Configure sFlow per VDOM to add or change the IP address and UDP port that FortiGate sFlow agents in this VDOM
use to send sFlow datagrams to an sFlow collector.
Description: Configure sFlow per VDOM to add or change the IP address and UDP port that
FortiGate sFlow agents in this VDOM use to send sFlow datagrams to an sFlow collector.
set vdom-sflow [enable|disable]
end
collector-ip IP address of the sFlow collector that sFlow agents ipv4- Not 0.0.0.0
added to interfaces in this VDOM send sFlow address Specified
datagrams to.
collector-port UDP port number used for sending sFlow datagrams. integer Minimum 6343
value: 0
Maximum
value:
65535

Fortinet Inc.

Specified
select-method
Option Description
source-ip Source IP address for sFlow agent. ipv4- Not 0.0.0.0

address Specified
vdom-sflow Enable/disable the sFlow configuration for the current option - disable
VDOM.
Option Description
enable Enable sFlow for this VDOM.
disable Disable sFlow for this VDOM.
config system vdom
Configure virtual domain.

config system vdom
Description: Configure virtual domain.
edit <name>
set flag {integer}
set name {string}
set short-name {string}
next
end
config system vdom
flag Flag. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
name VDOM name. string Not Specified
short-name VDOM short name. string Not Specified
vcluster-id Virtual cluster ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config system virtual-switch
Configure virtual hardware switch interfaces.

Description: Configure virtual hardware switch interfaces.
edit <name>
set name {string}
set physical-switch {string}
config port
Description: Configure member ports.
edit <name>
set name {string}
set alias {string}
next
end
set span [disable|enable]
set span-dest-port {string}

Fortinet Inc.
set span-direction [rx|tx|...]
set span-source-port {string}
set vlan {integer}
next
end
name Name of the virtual switch. string Not Specified
physical- Physical switch parent. string Not Specified

switch
span * Enable/disable SPAN. option - disable
Option Description
disable Disable SPAN.
enable Enable SPAN.
span-dest- SPAN destination port. string Not Specified

port *
span-direction SPAN direction. option - both

*
Option Description
rx SPAN receive direction only.
tx SPAN transmit direction only.
both SPAN both directions.
span-source- SPAN source port. string Not Specified

port *
vlan * VLAN. integer Minimum 0

value: 0
Maximum
value:
4294967295
config port
name Physical interface name. string Not

Specified

Fortinet Inc.
alias Alias. string Not

Specified
config system virtual-wire-pair
Configure virtual wire pairs.

Description: Configure virtual wire pairs.
edit <name>
set name {string}
set poweroff-bypass [enable|disable]
set poweron-bypass [enable|disable]
set vlan-filter {user}
set wildcard-vlan [enable|disable]
next
end
member Interfaces belong to the virtual-wire-pair. string Maximum

name>
name Virtual-wire-pair name. Must be a unique interface string Not

name. Specified
poweroff-bypass Enable/disable interface bypass state when power option - disable

* off.
Option Description
enable Enable bypass when power off.
disable Disable bypass when power off.
poweron-bypass Enable/disable interface bypass state when power option - disable

* on.
Option Description
enable Enable bypass when power on.
disable Disable bypass when power on.
vlan-filter Set VLAN filters. user Not

Specified

Fortinet Inc.
wildcard-vlan Enable/disable wildcard VLAN. option - disable
Option Description
enable Enable wildcard VLAN.
disable Disable wildcard VLAN.
config system vne-tunnel
Configure virtual network enabler tunnel.

Description: Configure virtual network enabler tunnel.
set bmr-hostname {password}
set br {ipv6-address}
set ipv4-address {ipv4-classnet-host}
set mode [map-e|fixed-ip]
set update-url {string}
end

offload *
Option Description
bmr- BMR hostname. password Not

hostname Specified
br Border relay IPv6 address. ipv6- Not ::

address Specified

Specified

Fortinet Inc.
ipv4-address Tunnel IPv4 address and netmask. ipv4- Not 0.0.0.0

classnet- Specified 0.0.0.0
host
mode VNE tunnel mode. option - map-e
Option Description
map-e Map-e mode.
fixed-ip Fixed-ip mode.
ssl-certificate Name of local certificate for SSL connections. string Not Fortinet_
Specified Factory
status Enable/disable VNE tunnel. option - disable
Option Description
enable Enable VNE tunnel.
disable Disable VNE tunnel.
update-url URL of provisioning server. string Not

Specified
config system vxlan
Configure VXLAN devices.

config system vxlan
Description: Configure VXLAN devices.
edit <name>
set ip-version [ipv4-unicast|ipv6-unicast|...]
set multicast-ttl {integer}
set name {string}
set remote-ip <ip1>, <ip2>, ...
set remote-ip6 <ip61>, <ip62>, ...
set vni {integer}
next
end

Fortinet Inc.
config system vxlan
dstport VXLAN destination port. integer Minimum 4789

value: 1
Maximum
value:
65535
interface Outgoing interface for VXLAN encapsulated traffic. string Not

Specified
ip-version IP version to use for the VXLAN interface and so for option - ipv4-unicast
communication over the VXLAN. IPv4 or IPv6 unicast or
multicast.
Option Description
ipv4-unicast Use IPv4 unicast addressing over the VXLAN.
ipv6-unicast Use IPv6 unicast addressing over the VXLAN.
ipv4-multicast Use IPv4 multicast addressing over the VXLAN.
ipv6-multicast Use IPv6 multicast addressing over the VXLAN.
multicast-ttl VXLAN multicast TTL. integer Minimum 0

value: 1
Maximum
value: 255
name VXLAN device or interface name. Must be a unique string Not

interface name. Specified
remote-ip IPv4 address of the VXLAN interface on the device at string Maximum
<ip> the remote end of the VXLAN. length: 15
IPv4 address.
remote-ip6 IPv6 IP address of the VXLAN interface on the device at string Maximum
<ip6> the remote end of the VXLAN. length: 45
IPv6 address.
vni VXLAN network ID. integer Minimum 0

value: 1
Maximum
value:
16777215
config system wccp
Configure WCCP.

Fortinet Inc.
config system wccp
Description: Configure WCCP.
edit <service-id>
set assignment-bucket-format [wccp-v2|cisco-implementation]
set assignment-dstaddr-mask {ipv4-netmask-any}
set assignment-method [HASH|MASK|...]
set assignment-srcaddr-mask {ipv4-netmask-any}
set assignment-weight {integer}
set cache-engine-method [GRE|L2]
set cache-id {ipv4-address}
set forward-method [GRE|L2|...]
set group-address {ipv4-address-multicast}
set ports {user}
set ports-defined [source|destination]
set primary-hash {option1}, {option2}, ...
set return-method [GRE|L2|...]
set router-id {ipv4-address}
set router-list {user}
set server-list {user}
set server-type [forward|proxy]
set service-id {string}
set service-type [auto|standard|...]
next
end
config system wccp
assignment- Assignment bucket format for the WCCP cache option - cisco-
bucket-format engine. implementation
Option Description
wccp-v2 WCCP-v2 bucket format.
cisco-implementation Cisco bucket format.
assignment- Assignment destination address mask. ipv4- Not 0.0.0.0

dstaddr-mask netmask- Specified
any
assignment- Hash key assignment preference. option - HASH

method
Option Description
HASH HASH assignment method.

Fortinet Inc.
Option Description
MASK MASK assignment method.
any HASH or MASK.
assignment- Assignment source address mask. ipv4- Not 0.0.23.65

srcaddr-mask netmask- Specified
any
assignment- Assignment of hash weight/ratio for the WCCP integer Minimum 0

weight cache engine. value: 0
Maximum
value: 255
authentication Enable/disable MD5 authentication. option - disable
Option Description
enable Enable MD5 authentication.
disable Disable MD5 authentication.
cache-engine- Method used to forward traffic to the routers or option - GRE

method to return to the cache engine.
Option Description
GRE GRE encapsulation.
L2 L2 rewrite.
cache-id IP address known to all routers. If the ipv4- Not 0.0.0.0

addresses are the same, use the default address Specified
0.0.0.0.
forward-method Method used to forward traffic to the cache option - GRE

servers.
Option Description
L2 L2 rewrite.
any GRE or L2.
group-address IP multicast address used by the cache routers. ipv4- Not 0.0.0.0
For the FortiGate to ignore multicast WCCP address- Specified
traffic, use the default 0.0.0.0. multicast
password Password for MD5 authentication. password Not

Specified

Fortinet Inc.
ports Service ports. user Not

Specified
ports-defined Match method. option -
Option Description
source Source port match.
destination Destination port match.
primary-hash Hash method. option - dst-ip
Option Description
src-ip Source IP hash.
dst-ip Destination IP hash.
src-port Source port hash.
dst-port Destination port hash.
priority Service priority. integer Minimum 0

value: 0
Maximum
value: 255
protocol Service protocol. integer Minimum 0

value: 0
Maximum
value: 255
return-method Method used to decline a redirected packet and option - GRE

return it to the FortiGate unit.
Option Description
L2 L2 rewrite.
any GRE or L2.
router-id IP address known to all cache engines. If all ipv4- Not 0.0.0.0
cache engines connect to the same FortiGate address Specified
interface, use the default 0.0.0.0.
router-list IP addresses of one or more WCCP routers. user Not

Specified
server-list IP addresses and netmasks for up to four cache user Not

servers. Specified
server-type Cache server type. option - forward

Fortinet Inc.
Option Description
forward Forward server.
proxy Proxy server.
service-id Service ID. string Not

Specified
service-type WCCP service type used by the cache server option - auto
for logical interception and redirection of traffic.
Option Description
auto auto
standard Standard service.
dynamic Dynamic service.
config system wireless ap-status
This command is available for model(s): FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E
DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F.
FortiGateRugged 60F, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-
POE, FortiWiFi 81F 2R.
Configure accepted wireless AP.

Description: Configure accepted wireless AP.
edit <id>
set bssid {mac-address}

Fortinet Inc.
set id {integer}
set ssid {string}
set status [rogue|accepted|...]
next
end
bssid AP's BSSID. mac- Not Specified 00:00:00:00:00:00

address
id AP ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ssid AP's ssid string Not Specified
status AP status. option - rogue
Option Description
rogue Rogue.
accepted Accepted.
suppressed Suppressed.

Fortinet Inc.
config system wireless detected-ap
Rogue AP scanning result.

config system wireless detected-ap
Description: Rogue AP scanning result.
end

Fortinet Inc.
config system wireless settings
Wireless radio configuration.

Description: Wireless radio configuration.
set band [802.11a|802.11b|...]
set beacon-interval {integer}
set bgscan [disable|enable]
set bgscan-idle {integer}
set bgscan-interval {integer}
set channel {integer}
set channel-bonding [enable|disable]
set geography [World|Americas|...]
set mode [CLIENT|AP|...]
set power-level {integer}
set rogue-scan [enable|disable]
set rogue-scan-mac-adjacency {integer}
set short-guard-interval [enable|disable]
end
band Band. option - 802.11g

Fortinet Inc.
Option Description
802.11a 802.11a.
802.11b 802.11b.
802.11g 802.11g.
802.11g-only 802.11g only.
802.11n 802.11n at 2.4G band.
802.11ng-only 802.11ng only at 2.4G band.
802.11n-only 802.11n only at 2.4G band.
802.11n-5G 802.11n at 5G band.
802.11n-5G-only 802.11n only at 5G band.
802.11ac 802.11ac at 5G band.
802.11acn-only 802.11acn only at 5G band.
802.11ac-only 802.11ac only at 5G band.
beacon- Beacon level. integer Minimum 100

interval value: 25
Maximum
value: 1000
bgscan Enable/disable background rogue AP scan. option - disable
Option Description
disable Disable background rogue AP scan.
enable Enable background rogue AP scan.
bgscan-idle Interval between scanning channels. integer Minimum 250

value: 100
Maximum
value: 1000
bgscan- Interval between two rounds of scanning. integer Minimum 120

interval value: 15
Maximum
value: 3600
channel Channel. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
channel- Supported channel width. option - disable

bonding
Option Description
enable 20/40 MHz.
disable 20 MHz.
geography Geography. option - Americas
Option Description
World World.
Americas Americas.
EMEA EMEA.
Israel Israel.
Japan Japan.
mode Mode. option - AP
Option Description
CLIENT Client.
AP Access point.
SCAN Scan.
power-level Power level. integer Minimum 17

value: 0
Maximum
value: 17
rogue-scan Enable/disable rogue scan. option - disable
Option Description
enable Enable rogue scan.
disable Disable rogue scan.
rogue-scan- MAC adjacency. integer Minimum 7

mac- value: 0
adjacency Maximum
value: 31
short-guard- Enable/disable short guard interval. option - disable

interval

Fortinet Inc.
Option Description
enable 400 ns long guard interval.
disable 800 ns short guard interval.
config system zone
Configure zones to group two or more interfaces. When a zone is created you can configure policies for the zone instead
of individual interfaces in the zone.
config system zone
Description: Configure zones to group two or more interfaces. When a zone is created you
can configure policies for the zone instead of individual interfaces in the zone.
edit <name>
set intrazone [allow|deny]
set name {string}
config tagging
edit <name>
set name {string}
next
end
next
end
config system zone

Specified
interface Add interfaces to this zone. Interfaces must not be string Maximum
<interface- assigned to another zone or have firewall policies length: 79
name> defined.
Select interfaces to add to the zone.
intrazone Allow or deny traffic routing between different option - deny

interfaces in the same zone.
Option Description
allow Allow traffic between interfaces in the zone.
deny Deny traffic between interfaces in the zone.

Fortinet Inc.
name Zone name. string Not

Specified
config tagging

Specified

Specified


Fortinet Inc.
test

l config test acd on page 1520
l config test acsd on page 1520
l config test autod on page 1520
l config test awsd on page 1521
l config test azd on page 1521
l config test bfd on page 1521
l config test chlbd on page 1522
l config test confsyncd on page 1523
l config test confsynchbd on page 1524
l config test csfd on page 1524
l config test ddnscd on page 1525
l config test dhcp6c on page 1525
l config test dhcp6r on page 1525
l config test dhcprelay on page 1526
l config test dlpfingerprint on page 1526
l config test dlpfpcache on page 1527
l config test dnsproxy on page 1528
l config test dsd on page 1528
l config test fas on page 1528
l config test fcnacd on page 1529
l config test fds_notify on page 1529
l config test fnbamd on page 1529
l config test forticldd on page 1530
l config test forticron on page 1530
l config test fsd on page 1530
l config test fsvrd on page 1531
l config test gcpd on page 1531
l config test harelay on page 1531
l config test hasync on page 1532
l config test hatalk on page 1532
l config test ibmd on page 1532
l config test imap on page 1533
l config test init on page 1533
l config test iotd on page 1533
l config test ipamd on page 1534
l config test ipamsd on page 1534
l config test ipldbd on page 1534

Fortinet Inc.
l config test ipmc_sensord on page 1535
l config test ipsengine on page 1535
l config test ipsmonitor on page 1536
l config test ipsufd on page 1536
l config test kubed on page 1536
l config test l2tpcd on page 1537
l config test lnkmtd on page 1537
l config test lted on page 1538
l config test miglogd on page 1538
l config test mrd on page 1539
l config test netxd on page 1539
l config test nntp on page 1539
l config test ocid on page 1540
l config test openstackd on page 1540
l config test ovrd on page 1540
l config test pop3 on page 1541
l config test pptpcd on page 1541
l config test quarantined on page 1541
l config test radius-das on page 1542
l config test radiusd on page 1542
l config test radvd on page 1542
l config test reportd on page 1543
l config test sdncd on page 1543
l config test sdnd on page 1544
l config test sepmd on page 1544
l config test sessionsync on page 1544
l config test sflowd on page 1545
l config test sfupgraded on page 1545
l config test smtp on page 1545
l config test snmpd on page 1546
l config test syslogd on page 1546
l config test updated on page 1546
l config test uploadd on page 1547
l config test urlfilter on page 1547
l config test vned on page 1547
l config test wad on page 1548
l config test wccpd on page 1548
l config test wf_monitor on page 1548
l config test wiredapd on page 1549
l config test zebos_launcher on page 1549

Fortinet Inc.
config test acd
Aggregate Controller.
config test acd
Description: Aggregate Controller.
set <Integer> {string}
end
config test acd
<Integer> Test level. string Not

Specified
config test acsd
Ali Cloud Service daemon.

config test acsd
Description: Ali Cloud Service daemon.
end
config test acsd

Specified
config test autod
Automation daemon.
config test autod
Description: Automation daemon.
end
config test autod

Specified

Fortinet Inc.
config test awsd
Amazon Web Services (AWS) daemon.

config test awsd
Description: Amazon Web Services (AWS) daemon.
end
config test awsd

Specified
config test azd
Microsoft Azure daemon.

config test azd
Description: Microsoft Azure daemon.
end
config test azd

Specified
config test bfd
BFD daemon.
config test bfd
Description: BFD daemon.
end
config test bfd

Specified

Fortinet Inc.
config test chlbd

FortiWiFi 81F 2R.
Chassis loadbalance daemon.

config test chlbd
Description: Chassis loadbalance daemon.
end
config test chlbd

Specified

Fortinet Inc.
config test confsyncd

FortiWiFi 81F 2R.
Configuration-sync daemon.
Description: Configuration-sync daemon.
end

Specified

Fortinet Inc.
config test confsynchbd

FortiWiFi 81F 2R.
Configuration-sync heartbeat daemon.

Description: Configuration-sync heartbeat daemon.
end

Specified
config test csfd
Security Fabric daemon.

config test csfd
Description: Security Fabric daemon.
end

Fortinet Inc.
config test csfd

Specified
config test ddnscd
DDNS client daemon.

config test ddnscd
Description: DDNS client daemon.
end
config test ddnscd

Specified
config test dhcp6c
DHCP6 client daemon.

config test dhcp6c
Description: DHCP6 client daemon.
end
config test dhcp6c

Specified
config test dhcp6r
DHCP6 relay daemon.

config test dhcp6r
Description: DHCP6 relay daemon.
end

Fortinet Inc.
config test dhcp6r

Specified
config test dhcprelay
DHCP relay daemon.

Description: DHCP relay daemon.
end

Specified
config test dlpfingerprint
FortiWiFi 60E.
DLP fingerprint daemon.

Fortinet Inc.
Description: DLP fingerprint daemon.
end

Specified
config test dlpfpcache
FortiWiFi 60E.
DLP fingerprint cache daemon.

Description: DLP fingerprint cache daemon.
end

Specified

Fortinet Inc.
config test dnsproxy
DNS proxy.
Description: DNS proxy.
end

Specified
config test dsd
DLP Statistics daemon.

config test dsd
Description: DLP Statistics daemon.
end
config test dsd

Specified
config test fas
FortiToken Cloud daemon.

config test fas
Description: FortiToken Cloud daemon.
end
config test fas

Specified

Fortinet Inc.
config test fcnacd
FortiClient NAC daemon.

config test fcnacd
Description: FortiClient NAC daemon.
end
config test fcnacd

Specified
config test fds_notify
Update Notification daemon.

Description: Update Notification daemon.
end

Specified
config test fnbamd
FortiGate non-blocking auth daemon.

config test fnbamd
Description: FortiGate non-blocking auth daemon.
end
config test fnbamd

Specified

Fortinet Inc.
config test forticldd
FortiCloud daemon.
Description: FortiCloud daemon.
end

Specified
config test forticron
Forticron daemon.
Description: Forticron daemon.
end

Specified
config test fsd
FortiExplorer daemon.
config test fsd
Description: FortiExplorer daemon.
end
config test fsd

Specified

Fortinet Inc.
config test fsvrd
FortiService daemon.
config test fsvrd
Description: FortiService daemon.
end
config test fsvrd

Specified
config test gcpd
Google Cloud Platform (GCP) daemon.

config test gcpd
Description: Google Cloud Platform (GCP) daemon.
end
config test gcpd

Specified
config test harelay
HA relay daemon.
config test harelay
Description: HA relay daemon.
end
config test harelay

Specified

Fortinet Inc.
config test hasync
HA sync daemon.
config test hasync
Description: HA sync daemon.
end
config test hasync

Specified
config test hatalk
HA talk daemon.
config test hatalk
Description: HA talk daemon.
end
config test hatalk

Specified
config test ibmd
IBM Cloud Infrastructure daemon.

config test ibmd
Description: IBM Cloud Infrastructure daemon.
end
config test ibmd

Specified

Fortinet Inc.
config test imap
IMAP proxy.
config test imap
Description: IMAP proxy.
end
config test imap

Specified
config test init
init process.
config test init
Description: init process.
end
config test init

Specified
config test iotd
IoT device info daemon.

config test iotd
Description: IoT device info daemon.
end
config test iotd

Specified

Fortinet Inc.
config test ipamd
IP Address Management daemon.

config test ipamd
Description: IP Address Management daemon.
end
config test ipamd

Specified
config test ipamsd
IPAM server daemon.

config test ipamsd
Description: IPAM server daemon.
end
config test ipamsd

Specified
config test ipldbd
IP load balancing daemon.

config test ipldbd
Description: IP load balancing daemon.
end
config test ipldbd

Specified

Fortinet Inc.
config test ipmc_sensord
5001E, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 601E, FortiGate 60F,
FortiGate 61F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80F Bypass, FortiGate 80F-
POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D,
FortiGate 90E, FortiGate 91E, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiWiFi
40F 3G4G, FortiWiFi 40F, FortiWiFi 60F, FortiWiFi 61F, FortiWiFi 80F 2R, FortiWiFi 81F 2R
3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
It is not available for: FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate
60E, FortiGate 61E, FortiGate 80E, FortiGate 81E, FortiGate VM64, FortiWiFi 60E DSL,
FortiWiFi 60E, FortiWiFi 61E.
Ipmc sensor daemon.

Description: Ipmc sensor daemon.
end

Specified
config test ipsengine
IPS sensor.
Description: IPS sensor.
end

Fortinet Inc.

Specified
config test ipsmonitor
IPS monitor.
Description: IPS monitor.
end

Specified
config test ipsufd
IPS urlfilter daemon.

config test ipsufd
Description: IPS urlfilter daemon.
end
config test ipsufd

Specified
config test kubed
Kubernetes daemon.
config test kubed
Description: Kubernetes daemon.
end

Fortinet Inc.
config test kubed

Specified
config test l2tpcd
L2TP client daemon.

config test l2tpcd
Description: L2TP client daemon.
end
config test l2tpcd

Specified
config test lnkmtd
Link monitor daemon.

config test lnkmtd
Description: Link monitor daemon.
end
config test lnkmtd

Specified

Fortinet Inc.
config test lted
USB LTE daemon.

config test lted
Description: USB LTE daemon.
end
config test lted

Specified
config test miglogd
Miglog logging daemon.

config test miglogd
Description: Miglog logging daemon.
end

Fortinet Inc.
config test miglogd

Specified
config test mrd
Mobile router daemon.

config test mrd
Description: Mobile router daemon.
end
config test mrd

Specified
config test netxd
VMWare NetX service manager daemon.

config test netxd
Description: VMWare NetX service manager daemon.
end
config test netxd

Specified
config test nntp
NNTP proxy.
config test nntp
Description: NNTP proxy.
end

Fortinet Inc.
config test nntp

Specified
config test ocid
Oracle Cloud Infrastructure.

config test ocid
Description: Oracle Cloud Infrastructure.
end
config test ocid

Specified
config test openstackd
OpenStack SDN connector daemon.

Description: OpenStack SDN connector daemon.
end

Specified
config test ovrd
Override daemon.
config test ovrd
Description: Override daemon.
end

Fortinet Inc.
config test ovrd

Specified
config test pop3
POP3 proxy.
config test pop3
Description: POP3 proxy.
end
config test pop3

Specified
config test pptpcd
PPTP client.
config test pptpcd
Description: PPTP client.
end
config test pptpcd

Specified
config test quarantined
Quarantine daemon.
Description: Quarantine daemon.
end

Fortinet Inc.

Specified
config test radius-das
Radius-das daemon.
Description: Radius-das daemon.
end

Specified
config test radiusd
RADIUS daemon.
config test radiusd
Description: RADIUS daemon.
end
config test radiusd

Specified
config test radvd
radvd daemon.
config test radvd
Description: radvd daemon.
end

Fortinet Inc.
config test radvd

Specified
config test reportd
Report daemon.
config test reportd
Description: Report daemon.
end
config test reportd

Specified
config test sdncd
SDN Connector daemon.

Fortinet Inc.
config test sdncd
Description: SDN Connector daemon.
end
config test sdncd

Specified
config test sdnd
SDN connector daemon.

config test sdnd
Description: SDN connector daemon.
end
config test sdnd

Specified
config test sepmd
Symantec Endpoint Protection Manager daemon.

config test sepmd
Description: Symantec Endpoint Protection Manager daemon.
end
config test sepmd

Specified
config test sessionsync
Session sync daemon.

Fortinet Inc.
Description: Session sync daemon.
end

Specified
config test sflowd
sFlow daemon.
config test sflowd
Description: sFlow daemon.
end
config test sflowd

Specified
config test sfupgraded
Security Fabric Upgrade daemon.

Description: Security Fabric Upgrade daemon.
end

Specified
config test smtp
SMTP proxy.

Fortinet Inc.
config test smtp
Description: SMTP proxy.
end
config test smtp

Specified
config test snmpd
SNMP daemon.
config test snmpd
Description: SNMP daemon.
end
config test snmpd

Specified
config test syslogd
Syslog daemon.
config test syslogd
Description: Syslog daemon.
end
config test syslogd

Specified
config test updated
Update daemon.

Fortinet Inc.
config test updated
Description: Update daemon.
end
config test updated

Specified
config test uploadd
Upload daemon.
config test uploadd
Description: Upload daemon.
end
config test uploadd

Specified
config test urlfilter
URL filter daemon.

Description: URL filter daemon.
end

Specified
config test vned
Virtual network enabler daemon.

Fortinet Inc.
config test vned
Description: Virtual network enabler daemon.
end
config test vned

Specified
config test wad
WAD related processes.

config test wad
Description: WAD related processes.
end
config test wad

Specified
config test wccpd
WCCP daemon.
config test wccpd
Description: WCCP daemon.
end
config test wccpd

Specified
config test wf_monitor
WF monitor.

Fortinet Inc.
Description: WF monitor.
end

Specified
config test wiredapd
Wiredapd daemon.
Description: Wiredapd daemon.
end

Specified
config test zebos_launcher
ZEBOS Launcher daemon.

Description: ZEBOS Launcher daemon.
end

Specified

Fortinet Inc.
user

l config user adgrp on page 1550
l config user certificate on page 1551
l config user domain-controller on page 1552
l config user exchange on page 1555
l config user fortitoken on page 1557
l config user fsso-polling on page 1558
l config user fsso on page 1560
l config user group on page 1564
l config user krb-keytab on page 1569
l config user ldap on page 1570
l config user local on page 1576
l config user nac-policy on page 1579
l config user password-policy on page 1581
l config user peer on page 1582
l config user peergrp on page 1584
l config user pop3 on page 1584
l config user quarantine on page 1585
l config user radius on page 1587
l config user saml on page 1598
l config user security-exempt-list on page 1602
l config user setting on page 1603
l config user tacacs+ on page 1607
config user adgrp
Configure FSSO groups.

config user adgrp
Description: Configure FSSO groups.
edit <name>
set connector-source {string}
set id {integer}
set name {string}
next
end

Fortinet Inc.
config user adgrp
connector- FSSO connector source. string Not Specified

source

value: 0
Maximum
value:
4294967295
server-name FSSO agent name. string Not Specified
config user certificate
Configure certificate users.

Description: Configure certificate users.
edit <name>
set common-name {string}
set id {integer}
set issuer {string}
set name {string}
set type [single-certificate|trusted-issuer]
next
end
common- Certificate common name. string Not Specified

name
id User ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
issuer CA certificate used for client certificate verification. string Not Specified
name User name. string Not Specified
status Enable/disable allowing the certificate user to option - enable

authenticate with the FortiGate unit.

Fortinet Inc.
Option Description
enable Enable user.
disable Disable user.
type Type of certificate authentication method. option - single-

certificate
Option Description
single-certificate Single certificate.
trusted-issuer Trusted CA issuer.
config user domain-controller
Configure domain controller entries.

Description: Configure domain controller entries.
edit <name>
set ad-mode [none|ds|...]
set adlds-dn {string}
set adlds-ip-address {ipv4-address}
set adlds-ip6 {ipv6-address}
set adlds-port {integer}
set dns-srv-lookup [enable|disable]
set domain-name {string}
config extra-server
Description: Extra servers.
edit <id>
set id {integer}
set port {integer}
set source-ip-address {ipv4-address}
set source-port {integer}
next
end
set ldap-server <name1>, <name2>, ...
set name {string}
set port {integer}
set replication-port {integer}
set source-ip-address {ipv4-address}

Fortinet Inc.
next
end
ad-mode Set Active Directory mode. option - none
Option Description
none The server is not configured as an Active Directory Domain Server (AD DS).
ds The server is configured as an Active Directory Domain Server (AD DS).
lds The server is an Active Directory Lightweight Domain Server (AD LDS).
adlds-dn AD LDS distinguished name. string Not

Specified
adlds-ip- AD LDS IPv4 address. ipv4- Not 0.0.0.0

address address Specified
adlds-ip6 AD LDS IPv6 address. ipv6- Not ::

address Specified
adlds-port Port number of AD LDS service. integer Minimum 389

value: 0
Maximum
value:
65535
dns-srv- Enable/disable DNS service lookup. option - disable

lookup
Option Description
enable Enable DNS service lookup.
disable Disable DNS service lookup.
domain-name Domain DNS name. string Not

Specified
hostname Hostname of the server to connect to. string Not

Specified

Specified
select-method

Fortinet Inc.
Option Description
ip-address Domain controller IPv4 address. ipv4- Not 0.0.0.0

address Specified
ip6 Domain controller IPv6 address. ipv6- Not ::

address Specified
ldap-server LDAP server name(s). string Maximum

<name> LDAP server name. length: 79
name Domain controller entry name. string Not

Specified
password Password for specified username. password Not

Specified
port Port to be used for communication with the domain integer Minimum 445
controller. value: 0
Maximum
value:
65535
replication- Port to be used for communication with the domain integer Minimum 0
port controller for replication service. Port number 0 value: 0
indicates automatic discovery. Maximum
value:
65535
source-ip- FortiGate IPv4 address to be used for communication ipv4- Not 0.0.0.0
address with the domain controller. address Specified
source-ip6 FortiGate IPv6 address to be used for communication ipv6- Not ::

with the domain controller. address Specified
source-port Source port to be used for communication with the integer Minimum 0
domain controller. value: 0
Maximum
value:
65535
username User name to sign in with. Must have proper string Not
permissions for service. Specified

Fortinet Inc.
config extra-server
id Server ID. integer Minimum 0

value: 1
Maximum
value: 100
ip-address Domain controller IP address. ipv4- Not 0.0.0.0

address Specified
port Port to be used for communication with the domain integer Minimum 445
controller. value: 0
Maximum
value:
65535
source-ip- FortiGate IPv4 address to be used for communication ipv4- Not 0.0.0.0
address with the domain controller. address Specified
source-port Source port to be used for communication with the integer Minimum 0
domain controller. value: 0
Maximum
value:
65535
config user exchange
Configure MS Exchange server entries.

Description: Configure MS Exchange server entries.
edit <name>
set auth-level [connect|call|...]
set auth-type [spnego|ntlm|...]
set auto-discover-kdc [enable|disable]
set connect-protocol [rpc-over-tcp|rpc-over-http|...]
set http-auth-type [basic|ntlm]
set kdc-ip <ipv41>, <ipv42>, ...
set name {string}
next
end

Fortinet Inc.
auth-level Authentication security level used for the RPC protocol option - privacy
layer.
Option Description
connect RPC authentication level 'connect'.
call RPC authentication level 'call'.
packet RPC authentication level 'packet'.
integrity RPC authentication level 'integrity'.
privacy RPC authentication level 'privacy'.
auth-type Authentication security type used for the RPC protocol option - kerberos
layer.
Option Description
spnego Negotiate authentication.
ntlm NTLM authentication.
kerberos Kerberos authentication.
auto- Enable/disable automatic discovery of KDC IP option - enable

discover-kdc addresses.
Option Description
enable Enable automatic discovery of KDC IP addresses.
disable Disable automatic discovery of KDC IP addresses.
connect- Connection protocol used to connect to MS Exchange option - rpc-over-

protocol service. https
Option Description
rpc-over-tcp Connect using RPC-over-TCP. Use for MS Exchange 2010 and earlier
versions. Supported in MS Exchange 2013.
rpc-over-http Connect using RPC-over-HTTP. Use for MS Exchange 2016 and later
rpc-over-https Connect using RPC-over-HTTPS. Use for MS Exchange 2016 and later
domain-name MS Exchange server fully qualified domain name. string Not

Specified

Fortinet Inc.
http-auth-type Authentication security type used for the HTTP option - ntlm
transport.
Option Description
basic Basic HTTP authentication.
ntlm NTLM HTTP authentication.
ip Server IPv4 address. ipv4- Not 0.0.0.0

address- Specified
any
kdc-ip KDC IPv4 addresses for Kerberos authentication. string Maximum

<ipv4> KDC IPv4 addresses for Kerberos authentication. length: 79
name MS Exchange server entry name. string Not

Specified
password Password for the specified username. password Not

Specified
server-name MS Exchange server hostname. string Not

Specified
ssl-min-proto- Minimum SSL/TLS protocol version for HTTPS option - default

version transport.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
username User name used to sign in to the server. Must have string Not
proper permissions for service. Specified
config user fortitoken
Configure FortiToken.
Description: Configure FortiToken.
edit <serial-number>
set activation-code {string}
set activation-expire {integer}
set license {string}

Fortinet Inc.
set os-ver {string}
set reg-id {string}
set serial-number {string}
set status [active|lock]
next
end
activation- Mobile token user activation-code. string Not Specified

code
activation- Mobile token user activation-code expire time. integer Minimum 0

expire value: 0
Maximum
value:
4294967295
license Mobile token license. string Not Specified
os-ver Device Mobile Version. string Not Specified
reg-id Device Reg ID. string Not Specified
serial-number Serial number. string Not Specified
status Status. option - active
Option Description
active Activate FortiToken.
lock Lock FortiToken.
config user fsso-polling
Configure FSSO active directory servers for polling mode.

Description: Configure FSSO active directory servers for polling mode.
edit <id>
config adgrp
Description: LDAP Group Info.
edit <name>
set name {string}
next
end
set default-domain {string}
set id {integer}
set logon-history {integer}

Fortinet Inc.
set polling-frequency {integer}
set port {integer}
set server {string}
set smb-ntlmv1-auth [enable|disable]
set smbv1 [enable|disable]
set user {string}
next
end
default- Default domain managed by this Active Directory string Not Specified
domain server.
id Active Directory server ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ldap-server LDAP server name used in LDAP connection strings. string Not Specified
logon-history Number of hours of logon history to keep, 0 means integer Minimum 8

keep all history. value: 0
Maximum
value: 48
password Password required to log into this Active Directory password Not Specified
server.
polling- Polling frequency (every 1 to 30 seconds). integer Minimum 10

frequency value: 1
Maximum
value: 30
port Port to communicate with this Active Directory server. integer Minimum 0
value: 0
Maximum
value: 65535
server Host name or IP address of the Active Directory string Not Specified
server.
smb-ntlmv1- Enable/disable support of NTLMv1 for Samba option - disable

auth authentication.
Option Description
enable Enable support of NTLMv1 for Samba authentication.

Fortinet Inc.
Option Description
disable Disable support of NTLMv1 for Samba authentication.
smbv1 Enable/disable support of SMBv1 for Samba. option - disable
Option Description
enable Enable support of SMBv1 for Samba.
disable Disable support of SMBv1 for Samba.
status Enable/disable polling for the status of this Active option - enable
Directory server.
Option Description
user User name required to log into this Active Directory string Not Specified
server.
config adgrp

Specified
config user fsso
Configure Fortinet Single Sign On (FSSO) agents.

config user fsso
Description: Configure Fortinet Single Sign On (FSSO) agents.
edit <name>
set group-poll-interval {integer}
set ldap-poll [enable|disable]
set ldap-poll-filter {string}
set ldap-poll-interval {integer}
set logon-timeout {integer}
set name {string}
set password2 {password}

Fortinet Inc.
set port {integer}
set port2 {integer}
set port3 {integer}
set port4 {integer}
set port5 {integer}
set server {string}
set server2 {string}
set ssl-server-host-ip-check [enable|disable]
set ssl-trusted-cert {string}
set type [default|fortinac]
set user-info-server {string}
next
end
config user fsso
group-poll- Interval in minutes within to fetch groups integer Minimum 0

interval from FSSO server, or unset to disable. value: 1
Maximum
value: 2880
interface Specify outgoing interface to reach string Not

server. Specified
interface- Specify how to select outgoing interface option - auto

select-method to reach server.
Option Description
ldap-poll Enable/disable automatic fetching of option - disable

groups from LDAP server.
Option Description
enable Enable automatic fetching of groups from LDAP server.
disable Disable automatic fetching of groups from LDAP server.

Fortinet Inc.
ldap-poll-filter Filter used to fetch groups. string Not (objectCategory=group)

Specified
ldap-poll- Interval in minutes within to fetch groups integer Minimum 180

interval from LDAP server. value: 1
Maximum
value: 2880
ldap-server LDAP server to get group information. string Not

Specified
logon-timeout Interval in minutes to keep logons after integer Minimum 5

FSSO server down. value: 1
Maximum
value: 2880

Specified
password Password of the first FSSO collector password Not

agent. Specified
password2 Password of the second FSSO collector password Not

agent. Specified
password3 Password of the third FSSO collector password Not

agent. Specified
password4 Password of the fourth FSSO collector password Not

agent. Specified
password5 Password of the fifth FSSO collector password Not

agent. Specified
port Port of the first FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535
port2 Port of the second FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535
port3 Port of the third FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535

Fortinet Inc.
port4 Port of the fourth FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535
port5 Port of the fifth FSSO collector agent. integer Minimum 8000
value: 1
Maximum
value:
65535
server Domain name or IP address of the first string Not

FSSO collector agent. Specified
server2 Domain name or IP address of the string Not

second FSSO collector agent. Specified
server3 Domain name or IP address of the third string Not

server4 Domain name or IP address of the fourth string Not

server5 Domain name or IP address of the fifth string Not

source-ip Source IP for communications to FSSO ipv4- Not 0.0.0.0

source-ip6 IPv6 source for communications to FSSO ipv6- Not ::

ssl Enable/disable use of SSL. option - disable
Option Description
enable Enable use of SSL.
disable Disable use of SSL.
ssl-server- Enable/disable server host/IP option - disable

host-ip-check verification.
Option Description
enable Enable server host/IP verification.
disable Disable server host/IP verification.
ssl-trusted- Trusted server certificate or CA string Not

cert certificate. Specified

Fortinet Inc.
type Server type. option - default
Option Description
default All other unspecified types of servers.
fortinac FortiNAC server.
user-info- LDAP server to get user information. string Not

server Specified
config user group
Configure user groups.

config user group
Description: Configure user groups.
edit <name>
set auth-concurrent-override [enable|disable]
set auth-concurrent-value {integer}
set authtimeout {integer}
set company [optional|mandatory|...]
set email [disable|enable]
set expire {integer}
set expire-type [immediately|first-successful-login]
set group-type [firewall|fsso-service|...]
config guest
Description: Guest User.
edit <id>
set id {integer}
set user-id {string}
set name {string}
set mobile-phone {string}
set sponsor {string}
set company {string}
set email {string}
set expiration {user}
next
end
set http-digest-realm {string}
set id {integer}
config match
Description: Group matches.
edit <id>
set id {integer}
next
end
set max-accounts {integer}

Fortinet Inc.
set mobile-phone [disable|enable]
set multiple-guest-add [disable|enable]
set name {string}
set password [auto-generate|specify|...]
set sponsor [optional|mandatory|...]
set sso-attribute-value {string}
set user-id [email|auto-generate|...]
set user-name [disable|enable]
next
end
config user group
auth- Enable/disable overriding the global number of option - disable

concurrent- concurrent authentication sessions for this user
override group.
Option Description
enable Enable auth-concurrent-override.
disable Disable auth-concurrent-override.
auth- Maximum number of concurrent authenticated integer Minimum 0

concurrent- connections per user. value: 0
value Maximum
value: 100
authtimeout Authentication timeout in minutes for this user integer Minimum 0

group. 0 to use the global user setting auth- value: 0
timeout. Maximum
value: 43200
company Set the action for the company guest user field. option - optional
Option Description
optional Optional.
disabled Disabled.
email Enable/disable the guest user email address field. option - enable
Option Description
disable Enable setting.
enable Disable setting.

Fortinet Inc.
expire Time in seconds before guest user accounts integer Minimum 14400
expire. value: 1
Maximum
value:
31536000
expire-type Determine when the expiration countdown begins. option - immediately
Option Description
immediately Immediately.
first-successful- First successful login.

login
group-type Set the group to be for firewall authentication, option - firewall

FSSO, RSSO, or guest users.
Option Description
firewall Firewall.
fsso-service Fortinet Single Sign-On Service.
rsso RADIUS based Single Sign-On Service.
guest Guest.
http-digest- Realm attribute for MD5-digest authentication. string Not Specified

realm

value: 0
Maximum
value:
4294967295
max-accounts Maximum number of guest accounts that can be integer Minimum 0

created for this group (0 means unlimited). value: 0
Maximum
value: 1024 **
member Names of users, peers, LDAP severs, or RADIUS string Maximum

<name> servers to add to the user group. length: 511
Group member name.
mobile-phone Enable/disable the guest user mobile phone option - disable

number field.

Fortinet Inc.
Option Description
multiple- Enable/disable addition of multiple guests. option - disable

guest-add
Option Description
name Group name. string Not Specified
password Guest user password type. option - auto-generate
Option Description
auto-generate Automatically generate.
specify Specify.
disable Disable.
sms-custom- SMS server. string Not Specified

server
sms-server Send SMS through FortiGuard or other external option - fortiguard

server.
Option Description
sponsor Set the action for the sponsor guest user field. option - optional
Option Description
optional Optional.
disabled Disabled.
sso-attribute- Name of the RADIUS user group that this local string Not Specified
value user group represents.
user-id Guest user ID type. option - email

Fortinet Inc.
Option Description
email Email address.
auto-generate Automatically generate.
specify Specify.
user-name Enable/disable the guest user name entry. option - disable
Option Description
config guest
id Guest ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
user-id Guest ID. string Not Specified
name Guest name. string Not Specified
password Guest password. password Not Specified
mobile-phone Mobile phone. string Not Specified
sponsor Set the action for the sponsor guest user field. string Not Specified
company Set the action for the company guest user field. string Not Specified
email Email. string Not Specified
expiration Expire time. user Not Specified

Fortinet Inc.
config match

value: 0
Maximum
value:
4294967295
server-name Name of remote auth server. string Not Specified
group-name Name of matching user or group on remote string Not Specified

authentication server.
config user krb-keytab
Configure Kerberos keytab entries.

Description: Configure Kerberos keytab entries.
edit <name>
set keytab {string}
set ldap-server <name1>, <name2>, ...
set name {string}
set pac-data [enable|disable]
set principal {string}
next
end
keytab Base64 coded keytab file containing a pre-shared key. string Not
Specified
ldap-server LDAP server name(s). string Maximum

<name> LDAP server name. length: 79
name Kerberos keytab entry name. string Not

Specified
pac-data Enable/disable parsing PAC data in the ticket. option - enable
Option Description
enable Enable parsing PAC data in the ticket.
disable Disable parsing PAC data in the ticket.
principal Kerberos service principal. For example, string Not

HTTP/myfgt.example.com@example.com. Specified

Fortinet Inc.
config user ldap
Configure LDAP server entries.

config user ldap
Description: Configure LDAP server entries.
edit <name>
set account-key-filter {string}
set account-key-processing [same|strip]
set antiphish [enable|disable]
set ca-cert {string}
set cnid {string}
set dn {string}
set group-filter {string}
set group-member-check [user-attr|group-object|...]
set group-object-filter {string}
set group-search-base {string}
set member-attr {string}
set name {string}
set obtain-user-info [enable|disable]
set password-attr {string}
set password-expiry-warning [enable|disable]
set password-renewal [enable|disable]
set port {integer}
set search-type {option1}, {option2}, ...
set secondary-server {string}
set secure [disable|starttls|...]
set server {string}
set server-identity-check [enable|disable]
set tertiary-server {string}
set two-factor [disable|fortitoken-cloud]
set type [simple|anonymous|...]
set user-info-exchange-server {string}
next
end
config user ldap
account-key- Account key string Not (&(userPrincipalName=%s)(!

filter filter, using the Specified (UserAccountControl:1.2.840.113556.1.4.803:=
UPN as the 2)))
search filter.

Fortinet Inc.
account-key- Account key option - same

processing processing
operation, either
keep or strip
domain string of
UPN in the
token.
Option Description
same Same as UPN.
strip Strip domain string from UPN.
antiphish Enable/disable option - disable

AntiPhishing
credential
backend.
Option Description
enable Enable AntiPhishing credential backend.
disable Disable AntiPhishing credential backend.
ca-cert CA certificate string Not

name. Specified
cnid Common name string Not cn

identifier for the Specified
LDAP server.
The common
name identifier
for most LDAP
servers is "cn".
dn Distinguished string Not

name used to Specified
look up entries
on the LDAP
server.
group-filter Filter used for string Not

group matching. Specified
group-member- Group member option - user-attr

check checking
methods.

Fortinet Inc.
Option Description
user-attr User attribute checking.
group-object Group object checking.
posix-group- POSIX group object checking.

object
group-object- Filter used for string Not (&(objectcategory=group)(member=*))

filter group searching. Specified
group-search- Search base string Not

base used for group Specified
searching.
interface Specify outgoing string Not

interface to Specified
reach server.
interface- Specify how to option - auto

select-method select outgoing
interface to
reach server.
Option Description
member-attr Name of string Not memberOf

attribute from Specified
which to get
group
membership.
name LDAP server string Not

entry name. Specified
obtain-user-info Enable/disable option - enable

obtaining of user
information.
Option Description
enable Enable obtaining of user information.
disable Disable obtaining of user information.

Fortinet Inc.
password Password for password Not

initial binding. Specified
password-attr Name of string Not userPassword

attribute to get Specified
password hash.
password- Enable/disable option - disable

expiry-warning password expiry
warnings.
Option Description
enable Enable password expiry warnings.
disable Disable password expiry warnings.
password- Enable/disable option - disable

renewal online password
renewal.
Option Description
enable Enable online password renewal.
disable Disable online password renewal.
port Port to be used integer Minimum 389

for value: 1
communication Maximum
with the LDAP value:
server. 65535
search-type Search type. option -
Option Description
recursive Recursively retrieve the user-group chain information of a user in a particular

Microsoft AD domain.
secondary- Secondary string Not

server LDAP server CN Specified
domain name or
IP.
secure Port to be used option - disable

for
authentication.

Fortinet Inc.
Option Description
disable No SSL.
starttls Use StartTLS.
ldaps Use LDAPS.
server LDAP server CN string Not

domain name or Specified
IP.
server-identity- Enable/disable option - enable

check LDAP server
identity check
(verify server
domain name/IP
address against
the server
certificate).
Option Description
enable Enable server identity check.
disable Disable server identity check.
source-ip FortiGate IP string Not

address to be Specified
used for
communication
with the LDAP
server.
source-port Source port to integer Minimum 0

be used for value: 0
communication Maximum
with the LDAP value:
server. 65535
ssl-min-proto- Minimum option - default

version supported
protocol version
for SSL/TLS
connections.
Option Description

Fortinet Inc.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
tertiary-server Tertiary LDAP string Not

server CN Specified
domain name or
IP.
two-factor Enable/disable option - disable

two-factor
authentication.
Option Description
disable disable two-factor authentication.
two-factor- Authentication option -

authentication method by
FortiToken
Cloud.
Option Description
two-factor- Notification option -

notification method for user
activation by
FortiToken
Cloud.
Option Description

Fortinet Inc.
type Authentication option - simple

type for LDAP
searches.
Option Description
simple Simple password authentication without search.
anonymous Bind using anonymous user search.
regular Bind using username/password and then search.
user-info- MS Exchange string Not

exchange- server from Specified
server which to fetch
user information.
username Username (full string Not

DN) for initial Specified
binding.
config user local
Configure local users.

config user local
Description: Configure local users.
edit <name>
set auth-concurrent-override [enable|disable]
set auth-concurrent-value {integer}
set authtimeout {integer}
set email-to {string}
set fortitoken {string}
set id {integer}
set name {string}
set passwd-policy {string}
set passwd-time {user}
set ppk-identity {string}
set ppk-secret {password-3}
set radius-server {string}
set sms-phone {string}
set tacacs+-server {string}
set two-factor [disable|fortitoken|...]
set type [password|radius|...]
set username-sensitivity [disable|enable]

Fortinet Inc.
set workstation {string}
next
end
config user local
auth-concurrent- Enable/disable overriding the policy-auth- option - disable

override concurrent under config system global.
Option Description
enable Enable auth-concurrent-override.
disable Disable auth-concurrent-override.
auth-concurrent- Maximum number of concurrent logins permitted integer Minimum 0

value from the same user. value: 0
Maximum
value: 100
authtimeout Time in minutes before the authentication timeout integer Minimum 0

for a user is reached. value: 0
Maximum
value: 1440
email-to Two-factor recipient's email address. string Not Specified
fortitoken Two-factor recipient's FortiToken serial number. string Not Specified
id User ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ldap-server Name of LDAP server with which the user must string Not Specified
authenticate.
name User name. string Not Specified
passwd User's password. password Not Specified
passwd-policy Password policy to apply to this user, as defined string Not Specified
in config user password-policy.
passwd-time Time of the last password update. user Not Specified
ppk-identity IKEv2 Postquantum Preshared Key Identity. string Not Specified
ppk-secret IKEv2 Postquantum Preshared Key (ASCII string password-3 Not Specified
or hexadecimal encoded with a leading 0x).

Fortinet Inc.
radius-server Name of RADIUS server with which the user must string Not Specified
authenticate.
sms-custom- Two-factor recipient's SMS server. string Not Specified

server
sms-phone Two-factor recipient's mobile phone number. string Not Specified
sms-server Send SMS through FortiGuard or other external option - fortiguard

server.
Option Description
status Enable/disable allowing the local user to option - enable

authenticate with the FortiGate unit.
Option Description
enable Enable user.
disable Disable user.
tacacs+-server Name of TACACS+ server with which the user string Not Specified
must authenticate.
two-factor Enable/disable two-factor authentication. option - disable
Option Description
disable disable
fortitoken FortiToken
email Email authentication code.
sms SMS authentication code.
two-factor- Authentication method by FortiToken Cloud. option -

authentication
Option Description

Fortinet Inc.
two-factor- Notification method for user activation by option -

notification FortiToken Cloud.
Option Description
type Authentication method. option - password
Option Description
password Password authentication.
radius RADIUS server authentication.
tacacs+ TACACS+ server authentication.
ldap LDAP server authentication.
username- Enable/disable case and accent sensitivity when option - enable

sensitivity performing username matching (accents are
stripped and case is ignored when disabled).
Option Description
disable Ignore case and accents. Username at prompt not required to match case or
accents.
enable Do not ignore case and accents. Username at prompt must be an exact
match.
workstation Name of the remote user workstation, if you want string Not Specified
to limit the user to authenticate only from a
particular workstation.
config user nac-policy
Configure NAC policy matching pattern to identify matching NAC devices.

Description: Configure NAC policy matching pattern to identify matching NAC devices.
edit <name>
set category [device|firewall-user|...]
set ems-tag {string}
set family {string}
set firewall-address {string}
set host {string}
set hw-vendor {string}
set hw-version {string}
set mac {string}

Fortinet Inc.
set name {string}
set os {string}
set src {string}
set ssid-policy {string}
set sw-version {string}
set switch-fortilink {string}
set switch-group <name1>, <name2>, ...
set switch-mac-policy {string}
set type {string}
set user {string}
set user-group {string}
next
end
category Category of NAC policy. option - device
Option Description
device Device category.
firewall-user Firewall user category.
ems-tag EMS Tag category.
description Description for the NAC policy matching pattern. string Not
Specified
ems-tag NAC policy matching EMS tag. string Not

Specified
family NAC policy matching family. string Not

Specified
firewall- Dynamic firewall address to associate MAC which string Not

address * match this policy. Specified
host NAC policy matching host. string Not

Specified
hw-vendor NAC policy matching hardware vendor. string Not

Specified
hw-version NAC policy matching hardware version. string Not

Specified
mac NAC policy matching MAC address. string Not

Specified
name NAC policy name. string Not

Specified

Fortinet Inc.
os NAC policy matching operating system. string Not

Specified
src NAC policy matching source. string Not

Specified
ssid-policy SSID policy to be applied on the matched NAC policy. string Not
Specified
status Enable/disable NAC policy. option - enable
Option Description
enable Enable NAC policy.
disable Disable NAC policy.
sw-version NAC policy matching software version. string Not

Specified
switch-fortilink FortiLink interface for which this NAC policy belongs to. string Not
* Specified
switch-group List of managed FortiSwitch groups on which NAC string Maximum

<name> * policy can be applied. length: 79
Managed FortiSwitch group name from available
options.
switch-mac- Switch MAC policy action to be applied on the matched string Not
policy * NAC policy. Specified
type NAC policy matching type. string Not

Specified
user NAC policy matching user. string Not

Specified
user-group NAC policy matching user group. string Not

Specified
config user password-policy
Configure user password policy.

Description: Configure user password policy.
edit <name>
set expire-days {integer}
set expired-password-renewal [enable|disable]
set name {string}
set warn-days {integer}

Fortinet Inc.
next
end
expire-days Time in days before the user's password expires. integer Minimum 180
value: 0
Maximum
value: 999
expired- Enable/disable renewal of a password that already is option - disable

password- expired.
renewal
Option Description
enable Enable renewal of a password that already is expired.
disable Disable renewal of a password that already is expired.
name Password policy name. string Not

Specified
warn-days Time in days before a password expiration warning integer Minimum 15

message is displayed to the user upon login. value: 0
Maximum
value: 30
config user peer
Configure peer users.

config user peer
Description: Configure peer users.
edit <name>
set ca {string}
set cn {string}
set cn-type [string|email|...]
set ldap-mode [password|principal-name]
set mandatory-ca-verify [enable|disable]
set name {string}
set ocsp-override-server {string}
set subject {string}
set two-factor [enable|disable]
next
end

Fortinet Inc.
config user peer
ca Name of the CA certificate. string Not

Specified
cn Peer certificate common name. string Not

Specified
cn-type Peer certificate common name type. option - string
Option Description
string Normal string.
email Email address.
FQDN Fully Qualified Domain Name.
ipv4 IPv4 address.
ipv6 IPv6 address.
ldap-mode Mode for LDAP peer authentication. option - password
Option Description
password Username/password.
principal-name Principal name.
ldap- Password for LDAP server bind. password Not

password Specified
ldap-server Name of an LDAP server defined under the user ldap string Not
command. Performs client access rights check. Specified
ldap- Username for LDAP server bind. string Not

username Specified
mandatory- Determine what happens to the peer if the CA certificate option - enable
ca-verify is not installed. Disable to automatically consider the
peer certificate as valid.
Option Description
name Peer name. string Not

Specified

Fortinet Inc.
ocsp- Online Certificate Status Protocol (OCSP) server for string Not
override- certificate retrieval. Specified
server
passwd Peer's password used for two-factor authentication. password Not

Specified
subject Peer certificate name constraints. string Not

Specified
two-factor Enable/disable two-factor authentication, applying option - disable

certificate and password-based authentication.
Option Description
enable Enable 2-factor authentication.
disable Disable 2-factor authentication.
config user peergrp
Configure peer groups.

config user peergrp
Description: Configure peer groups.
edit <name>
set name {string}
next
end
config user peergrp
member <name> Peer group members. string Maximum

Peer group member name. length: 35
name Peer group name. string Not

Specified
config user pop3
POP3 server entry configuration.

config user pop3
Description: POP3 server entry configuration.
edit <name>
set name {string}

Fortinet Inc.
set port {integer}
set secure [none|starttls|...]
set server {string}
next
end
config user pop3
name POP3 server entry name. string Not

Specified
port POP3 service port number. integer Minimum 0

value: 0
Maximum
value:
65535
secure SSL connection. option - starttls
Option Description
none None.
starttls Use StartTLS.
pop3s Use POP3 over SSL.
server Server domain name or IP address. string Not

Specified

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
config user quarantine
Configure quarantine support.

Description: Configure quarantine support.
set firewall-groups {string}

Fortinet Inc.
config targets
Description: Quarantine entry to hold multiple MACs.
edit <entry>
set entry {string}
config macs
Description: Quarantine MACs.
edit <mac>
set drop [disable|enable]
set parent {string}
next
end
next
end
set traffic-policy {string}
end
firewall- Firewall address group which includes all quarantine string Not
groups MAC address. Specified
quarantine Enable/disable quarantine. option - enable
Option Description
enable Enable quarantine.
disable Disable quarantine.
traffic-policy * Traffic policy for quarantined MACs. string Not

Specified
config targets
entry Quarantine entry name. string Not

Specified
description Description for the quarantine entry. string Not

Specified

Fortinet Inc.
config macs
mac Quarantine MAC. mac- Not 00:00:00:00:00:00

address Specified
description Description for the quarantine MAC. string Not

Specified
drop Enable/disable dropping of quarantined device option - disable

traffic.
Option Description
disable Sends quarantined device traffic to FortiGate.
enable Blocks quarantined device traffic to FortiGate.
parent Parent entry name. string Not

Specified
config user radius
Configure RADIUS server entries.

config user radius
Description: Configure RADIUS server entries.
edit <name>
config accounting-server
Description: Additional accounting servers.
edit <id>
set id {integer}
set server {string}
set secret {password}
set port {integer}
next
end
set acct-all-servers [enable|disable]
set acct-interim-interval {integer}
set all-usergroup [disable|enable]
set auth-type [auto|ms_chap_v2|...]
set class <name1>, <name2>, ...
set group-override-attr-type [filter-Id|class]
set h3c-compatibility [enable|disable]
set name {string}
set nas-ip {ipv4-address}
set password-encoding [auto|ISO-8859-1]
set password-renewal [enable|disable]

Fortinet Inc.
set radius-coa [enable|disable]
set rsso [enable|disable]
set rsso-context-timeout {integer}
set rsso-endpoint-attribute [User-Name|NAS-IP-Address|...]
set rsso-endpoint-block-attribute [User-Name|NAS-IP-Address|...]
set rsso-ep-one-ip-only [enable|disable]
set rsso-flush-ip-session [enable|disable]
set rsso-log-flags {option1}, {option2}, ...
set rsso-log-period {integer}
set rsso-radius-response [enable|disable]
set rsso-radius-server-port {integer}
set rsso-secret {password}
set rsso-validate-request-secret [enable|disable]
set secondary-secret {password}
set secret {password}
set server {string}
set sso-attribute [User-Name|NAS-IP-Address|...]
set sso-attribute-key {string}
set sso-attribute-value-override [enable|disable]
set switch-controller-acct-fast-framedip-detect {integer}
set switch-controller-service-type {option1}, {option2}, ...
set tertiary-secret {password}
set username-case-sensitive [enable|disable]
next
end
config user radius
acct-all-servers Enable/disable sending of accounting messages option - disable

to all configured servers.
Option Description
enable Send accounting messages to all configured servers.
disable Send accounting message only to servers that are confirmed to be

reachable.
acct-interim- Time in seconds between each accounting integer Minimum 0

interval interim update message. value: 60
Maximum
value: 86400
all-usergroup Enable/disable automatically including this option - disable

RADIUS server in all user groups.

Fortinet Inc.
Option Description
disable Do not automatically include this server in a user group.
enable Include this RADIUS server in every user group.
auth-type Authentication methods/protocols permitted for option - auto

this RADIUS server.
Option Description
auto Use PAP, MSCHAP_v2, and CHAP (in that order).
ms_chap_v2 Microsoft Challenge Handshake Authentication Protocol version 2.
ms_chap Microsoft Challenge Handshake Authentication Protocol.
chap Challenge Handshake Authentication Protocol.
pap Password Authentication Protocol.
class <name> Class attribute name(s). string Maximum

Class name. length: 79
group-override- RADIUS attribute type to override user group option -

attr-type information.
Option Description
filter-Id Filter-Id
class Class
h3c- Enable/disable compatibility with the H3C, a option - disable

compatibility mechanism that performs security checking for
authentication.
Option Description
enable Enable H3C compatibility.
disable Disable H3C compatibility.

method server.
Option Description

Fortinet Inc.
Option Description
name RADIUS server entry name. string Not Specified
nas-ip IP address used to communicate with the ipv4- Not Specified 0.0.0.0
RADIUS server and used as NAS-IP-Address address
and Called-Station-ID attributes.
password- Password encoding. option - auto

encoding
Option Description
auto Use original password encoding.
ISO-8859-1 Use ISO-8859-1 password encoding.
password- Enable/disable password renewal. option - enable

renewal
Option Description
enable Enable password renewal.
disable Disable password renewal.
radius-coa Enable to allow a mechanism to change the option - disable

attributes of an authentication, authorization,
and accounting session after it is authenticated.
Option Description
enable Enable RADIUS CoA.
disable Disable RADIUS CoA.
radius-port RADIUS service port number. integer Minimum 0

value: 0
Maximum
value: 65535
rsso Enable/disable RADIUS based single sign on option - disable

feature.
Option Description
enable Enable RADIUS based single sign on feature.
disable Disable RADIUS based single sign on feature.

Fortinet Inc.
rsso-context- Time in seconds before the logged out user is integer Minimum 28800
timeout removed from the "user context list" of logged on value: 0
users. Maximum
value:
4294967295
rsso-endpoint- RADIUS attributes used to extract the user end option - Calling-
attribute point identifier from the RADIUS Start record. Station-Id
Option Description
User-Name Use this attribute.
NAS-IP-Address Use this attribute.
Framed-IP- Use this attribute.

Address

Netmask
Filter-Id Use this attribute.
Login-IP-Host Use this attribute.
Reply-Message Use this attribute.
Callback- Use this attribute.

Number
Callback-Id Use this attribute.
Framed-Route Use this attribute.
Framed-IPX- Use this attribute.

Network
Class Use this attribute.
Called-Station-Id Use this attribute.
Calling-Station- Use this attribute.

Id
NAS-Identifier Use this attribute.
Proxy-State Use this attribute.
Login-LAT- Use this attribute.

Service
Login-LAT-Node Use this attribute.

Group

Fortinet Inc.
Option Description
Framed- Use this attribute.

AppleTalk-Zone
Acct-Session-Id Use this attribute.
Acct-Multi- Use this attribute.

Session-Id
rsso-endpoint- RADIUS attributes used to block a user. option -

block-attribute
Option Description

Address

Netmask

Number

Network

Id

Service

Fortinet Inc.
Option Description

Group

AppleTalk-Zone

Session-Id
rsso-ep-one-ip- Enable/disable the replacement of old IP option - disable

only addresses with new ones for the same endpoint
on RADIUS accounting Start messages.
Option Description
enable Enable replacement of old IP address with new IP address for the same
endpoint on RADIUS accounting start.
disable Disable replacement of old IP address with new IP address for the same
endpoint on RADIUS accounting start.
rsso-flush-ip- Enable/disable flushing user IP sessions on option - disable

session RADIUS accounting Stop messages.
Option Description
enable Enable flush user IP sessions on RADIUS accounting stop.
disable Disable flush user IP sessions on RADIUS accounting stop.
rsso-log-flags Events to log. option - protocol-error

profile-
missing
accounting-
stop-missed
accounting-
event
endpoint-
block radiusd-
other
Option Description
protocol-error Enable this log type.

Fortinet Inc.
Option Description
profile-missing Enable this log type.
accounting-stop- Enable this log type.

missed
accounting- Enable this log type.

event
endpoint-block Enable this log type.
radiusd-other Enable this log type.
none Disable all logging.
rsso-log-period Time interval in seconds that group event log integer Minimum 0
messages will be generated for dynamic profile value: 0
events. Maximum
value:
4294967295
rsso-radius- Enable/disable sending RADIUS response option - disable

response packets after receiving Start and Stop records.
Option Description
enable Enable sending RADIUS response packets.
disable Disable sending RADIUS response packets.
rsso-radius- UDP port to listen on for RADIUS Start and Stop integer Minimum 1813
server-port records. value: 0
Maximum
value: 65535
rsso-secret RADIUS secret used by the RADIUS accounting password Not Specified
server.
rsso-validate- Enable/disable validating the RADIUS request option - disable

request-secret shared secret in the Start or End record.
Option Description
enable Enable validating RADIUS request shared secret.
disable Disable validating RADIUS request shared secret.
secondary- Secret key to access the secondary server. password Not Specified
secret
secondary- Secondary RADIUS CN domain name or IP string Not Specified

server address.

Fortinet Inc.
secret Pre-shared secret key used to access the password Not Specified
primary RADIUS server.
server Primary RADIUS server CN domain name or IP string Not Specified

address.
source-ip Source IP address for communications to the string Not Specified

RADIUS server.
sso-attribute RADIUS attribute that contains the profile group option - Class
name to be extracted from the RADIUS Start
record.
Option Description

Address

Netmask

Number

Network

Id

Service

Fortinet Inc.
Option Description

Group

AppleTalk-Zone

Session-Id
sso-attribute- Key prefix for SSO group value in the SSO string Not Specified
key attribute.
sso-attribute- Enable/disable override old attribute value with option - enable

value-override new value for the same endpoint.
Option Description
enable Enable override old attribute value with new value for the same endpoint.
disable Disable override old attribute value with new value for the same endpoint.
switch- Switch controller accounting message Framed- integer Minimum 2

controller-acct- IP detection from DHCP snooping. value: 2
fast-framedip- Maximum
detect value: 600
switch- RADIUS service type. option -

controller-
service-type
Option Description
login User should be connected to a host.
framed User use Framed Protocol.
callback-login User disconnected and called back.
callback-framed User disconnected and called back, then a Framed Protocol.
outbound User granted access to outgoing devices.
administrative User granted access to the administrative unsigned interface.
nas-prompt User provided a command prompt on the NAS.

Fortinet Inc.
Option Description
authenticate- Authentication requested, and no auth info needs to be returned.

only
callback-nas- User disconnected and called back, then provided a command prompt.
prompt
call-check Used by the NAS in an Access-Request packet, Access-Accept to answer

the call.
callback- User disconnected and called back, granted access to the admin unsigned
administrative interface.
tertiary-secret Secret key to access the tertiary server. password Not Specified
tertiary-server Tertiary RADIUS CN domain name or IP string Not Specified

address.
timeout Time in seconds between re-sending integer Minimum 5

authentication requests. value: 1
Maximum
value: 300
use- Enable/disable using management VDOM to option - disable

management- send requests.
vdom
Option Description
enable Send requests using the management VDOM.
disable Send requests using the current VDOM.
username-case- Enable/disable case sensitive user names. option - disable

sensitive
Option Description
enable Enable username case-sensitive.
disable Disable username case-sensitive.
config accounting-server

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
server Server CN domain name or IP address. string Not Specified
secret Secret key. password Not Specified
port RADIUS accounting port number. integer Minimum 0

value: 0
Maximum
value: 65535
source-ip Source IP address for communications to the string Not Specified

RADIUS server.

Option Description
config user saml
SAML server entry configuration.

config user saml
Description: SAML server entry configuration.
edit <name>
set adfs-claim [enable|disable]
set cert {string}
set clock-tolerance {integer}
set digest-method [sha1|sha256]
set entity-id {string}
set group-claim-type [email|given-name|...]
set idp-cert {string}
set limit-relaystate [enable|disable]
set name {string}
set single-logout-url {string}

Fortinet Inc.
set single-sign-on-url {string}
set user-claim-type [email|given-name|...]
set user-name {string}
next
end
config user saml
adfs-claim Enable/disable ADFS Claim for user/group attribute in option - disable

assertion statement.
Option Description
enable Enable ADFS Claim for user/group attribute in assertion statement.
disable Disable ADFS Claim for user/group attribute in assertion statement.
cert Certificate to sign SAML messages. string Not

Specified
clock- Clock skew tolerance in seconds. integer Minimum 15

tolerance value: 0
Maximum
value: 300
digest- Digest method algorithm. option - sha1

method
Option Description
sha1 Digest Method Algorithm is SHA1.
sha256 Digest Method Algorithm is SHA256.
entity-id SP entity ID. string Not

Specified
group-claim- Group claim in assertion statement. option - group

type
Option Description
email E-mail address of the user.
given-name Given name of the user.
name Unique name of the user.
upn User principal name (UPN) of the user.
common-name Common name of the user.
email-adfs-1x E-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0.

Fortinet Inc.
Option Description
group Group that the user is a member of.
upn-adfs-1x User principal name (UPN) of the user.
role Role that the user has.
sur-name Surname of the user
ppid Private identifier of the user.
name-identifier SAML name identifier of the user.
authentication- Method used to authenticate the user.

method
deny-only-group- Deny-only group SID of the user.

sid
deny-only- Deny-only primary SID of the user.

primary-sid
deny-only- Deny-only primary group SID of the user.

primary-group-
sid
group-sid Group SID of the user.
primary-group- Primary group SID of the user.

sid
primary-sid Primary SID of the user.
windows- Domain account name of the user in the form of <domain>\<user>.

account-name
group-name Group name in assertion statement. string Not

Specified
idp-cert IDP Certificate name. string Not

Specified
idp-entity-id IDP entity ID. string Not

Specified
idp-single- IDP single logout url. string Not

logout-url Specified
idp-single- IDP single sign-on URL. string Not

sign-on-url Specified
limit- Enable/disable limiting of relay-state parameter when it option - disable

relaystate exceeds SAML 2.0 specification limits (80 bytes).

Fortinet Inc.
Option Description
enable Enable limiting of relay-state parameter when it exceeds SAML 2.0

specification limits (80 bytes).
disable Disable limiting of relay-state parameter when it exceeds SAML 2.0

specification limits (80 bytes).
name SAML server entry name. string Not

Specified
single-logout- SP single logout URL. string Not

url Specified
single-sign- SP single sign-on URL. string Not

on-url Specified
user-claim- User name claim in assertion statement. option - upn

type
Option Description
email E-mail address of the user.
given-name Given name of the user.
name Unique name of the user.
upn User principal name (UPN) of the user.
common-name Common name of the user.
email-adfs-1x E-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0.
group Group that the user is a member of.
upn-adfs-1x User principal name (UPN) of the user.
role Role that the user has.
sur-name Surname of the user
ppid Private identifier of the user.
name-identifier SAML name identifier of the user.
authentication- Method used to authenticate the user.

method
deny-only-group- Deny-only group SID of the user.

sid
deny-only- Deny-only primary SID of the user.

primary-sid

Fortinet Inc.
Option Description
deny-only- Deny-only primary group SID of the user.

primary-group-
sid
group-sid Group SID of the user.
primary-group- Primary group SID of the user.

sid
primary-sid Primary SID of the user.
windows- Domain account name of the user in the form of <domain>\<user>.

account-name
user-name User name in assertion statement. string Not

Specified
config user security-exempt-list
Configure security exemption list.

Description: Configure security exemption list.
edit <name>
set name {string}
config rule
Description: Configure rules for exempting users from captive portal
authentication.
edit <id>
set id {integer}
next
end
next
end

Specified
name Name of the exempt list. string Not

Specified

Fortinet Inc.
config rule

value: 0
Maximum
value:
4294967295
srcaddr Source addresses or address groups. string Maximum

<name> Address or group name. length: 79
dstaddr Destination addresses or address groups. string Maximum

<name> Address or group name. length: 79
service Destination services. string Maximum

config user setting
Configure user authentication setting.

config user setting
Description: Configure user authentication setting.
set auth-blackout-time {integer}
set auth-ca-cert {string}
set auth-http-basic [enable|disable]
set auth-invalid-max {integer}
set auth-lockout-duration {integer}
set auth-lockout-threshold {integer}
set auth-on-demand [always|implicitly]
set auth-portal-timeout {integer}
config auth-ports
Description: Set up non-standard ports for authentication with HTTP, HTTPS, FTP, and
TELNET.
edit <id>
set id {integer}
set type [http|https|...]
set port {integer}
next
end
set auth-secure-http [enable|disable]
set auth-src-mac [enable|disable]
set auth-ssl-allow-renegotiation [enable|disable]
set auth-ssl-max-proto-version [sslv3|tlsv1|...]
set auth-ssl-min-proto-version [default|SSLv3|...]
set auth-ssl-sigalgs [no-rsa-pss|all]
set auth-timeout {integer}
set auth-timeout-type [idle-timeout|hard-timeout|...]
set auth-type {option1}, {option2}, ...
set per-policy-disclaimer [enable|disable]

Fortinet Inc.
set radius-ses-timeout-act [hard-timeout|ignore-timeout]
end
config user setting
auth-blackout- Time in seconds an IP address is denied access integer Minimum 0

time after failing to authenticate five times within one value: 0
minute. Maximum
value: 3600
auth-ca-cert HTTPS CA certificate for policy authentication. string Not Specified
auth-cert HTTPS server certificate for policy authentication. string Not Specified
auth-http-basic Enable/disable use of HTTP basic authentication for option - disable

identity-based firewall policies.
Option Description
auth-invalid- Maximum number of failed authentication attempts integer Minimum 5

max before the user is blocked. value: 1
Maximum
value: 100
auth-lockout- Lockout period in seconds after too many login integer Minimum 0
duration failures. value: 0
Maximum
value:
4294967295
auth-lockout- Maximum number of failed login attempts before integer Minimum 3

threshold login lockout is triggered. value: 1
Maximum
value: 10
auth-on- Always/implicitly trigger firewall authentication on option - implicitly

demand demand.
Option Description
always Always trigger firewall authentication on demand.
implicitly Implicitly trigger firewall authentication on demand.
auth-portal- Time in minutes before captive portal user have to integer Minimum 3
timeout re-authenticate. value: 1
Maximum
value: 30

Fortinet Inc.
auth-secure- Enable/disable redirecting HTTP user authentication option - disable

http to more secure HTTPS.
Option Description
auth-src-mac Enable/disable source MAC for user identity. option - enable
Option Description
enable Enable source MAC for user identity.
disable Disable source MAC for user identity.
auth-ssl-allow- Allow/forbid SSL re-negotiation for HTTPS option - disable

renegotiation authentication.
Option Description
enable Allow SSL re-negotiation.
disable Forbid SSL re-negotiation.
auth-ssl-max- Maximum supported protocol version for SSL/TLS option -

proto-version connections.
Option Description
sslv3 SSLv3.
tlsv1 TLSv1.
tlsv1-1 TLSv1.1.
tlsv1-2 TLSv1.2.
tlsv1-3 TLSv1.3.
auth-ssl-min- Minimum supported protocol version for SSL/TLS option - default

proto-version connections.
Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.

Fortinet Inc.
auth-ssl- Set signature algorithms related to HTTPS option - all

sigalgs authentication.
Option Description
no-rsa-pss Disable RSA-PSS signature algorithms for HTTPS authentication.
all Enable all supported signature algorithms for HTTPS authentication.
auth-timeout Time in minutes before the firewall user integer Minimum 5

authentication timeout requires the user to re- value: 1
authenticate. Maximum
value: 1440
auth-timeout- Control if authenticated users have to login again option - idle-

type after a hard timeout, after an idle timeout, or after a timeout
session timeout.
Option Description
idle-timeout Idle timeout.
hard-timeout Hard timeout.
new-session New session timeout.
auth-type Supported firewall policy authentication option - http https

protocols/methods. ftp telnet
Option Description
http Allow HTTP authentication.
https Allow HTTPS authentication.
ftp Allow FTP authentication.
telnet Allow TELNET authentication.
per-policy- Enable/disable per policy disclaimer. option - disable

disclaimer
Option Description
enable Enable per policy disclaimer.
disable Disable per policy disclaimer.
radius-ses- Set the RADIUS session timeout to a hard timeout or option - hard-
timeout-act to ignore RADIUS server session timeouts. timeout

Fortinet Inc.
Option Description
hard-timeout Use session timeout from RADIUS as hard-timeout.
ignore-timeout Ignore session timeout from RADIUS.
config auth-ports

value: 0
Maximum
value:
4294967295
type Service type. option - http
Option Description
http HTTP service.
https HTTPS service.
ftp FTP service.
telnet TELNET service.
port Non-standard port for firewall user authentication. integer Minimum 1024
value: 1
Maximum
value: 65535
config user tacacs+
Configure TACACS+ server entries.

config user tacacs+
Description: Configure TACACS+ server entries.
edit <name>
set authen-type [mschap|chap|...]
set authorization [enable|disable]
set key {password}
set name {string}
set port {integer}
set secondary-key {password}
set server {string}

Fortinet Inc.
set tertiary-key {password}
next
end
config user tacacs+
authen-type Allowed authentication protocols/methods. option - auto
Option Description
mschap MSCHAP.
chap CHAP.
pap PAP.
ascii ASCII.
auto Use PAP, MSCHAP, and CHAP (in that order).
authorization Enable/disable TACACS+ authorization. option - disable
Option Description
enable Enable TACACS+ authorization.
disable Disable TACACS+ authorization.

Specified

Option Description
key Key to access the primary server. password Not

Specified
name TACACS+ server entry name. string Not

Specified

Fortinet Inc.
port Port number of the TACACS+ server. integer Minimum 49

value: 1
Maximum
value:
65535
secondary-key Key to access the secondary server. password Not

Specified
secondary- Secondary TACACS+ server CN domain name or IP string Not

server address. Specified
server Primary TACACS+ server CN domain name or IP string Not

address. Specified
source-ip Source IP address for communications to TACACS+ string Not

server. Specified
tertiary-key Key to access the tertiary server. password Not

Specified
tertiary-server Tertiary TACACS+ server CN domain name or IP string Not

address. Specified

Fortinet Inc.
videofilter

l config videofilter profile on page 1610
l config videofilter youtube-channel-filter on page 1612
l config videofilter youtube-key on page 1614
config videofilter profile
Configure VideoFilter profile.

Description: Configure VideoFilter profile.
edit <name>
set dailymotion [enable|disable]
config fortiguard-category
Description: Configure FortiGuard categories.
config filters
Description: Configure VideoFilter FortiGuard category.
edit <id>
set id {integer}
set action [allow|monitor|...]
set category-id {integer}
next
end
end
set name {string}
set vimeo [enable|disable]
set youtube [enable|disable]
set youtube-channel-filter {integer}
next
end
dailymotion Enable/disable Dailymotion video source. option - enable

Fortinet Inc.
Option Description
enable Enable Dailymotion source.
disable Disable Dailymotion source.
replacemsg- Replacement message group. string Not Specified

group
vimeo Enable/disable Vimeo video source. option - enable
Option Description
enable Enable Vimeo source.
disable Disable Vimeo source.
youtube Enable/disable YouTube video source. option - enable
Option Description
enable Enable YouTube source.
disable Disable YouTube source.
youtube- Set YouTube channel filter. integer Minimum 0

channel-filter value: 0
Maximum
value:
4294967295
config filters

value: 0
Maximum
value:
4294967295
action VideoFilter action. option - monitor
Option Description
allow Allow videos to be accessed.
monitor Monitor videos.
block Block videos.

Fortinet Inc.
category-id Category ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
Option Description
config videofilter youtube-channel-filter
Configure YouTube channel filter.

Description: Configure YouTube channel filter.
edit <id>
set default-action [allow|monitor|...]
config entries
Description: YouTube filter entries.
edit <id>
set id {integer}
set action [allow|monitor|...]
set channel-id {string}
next
end
set id {integer}
set name {string}
set override-category [enable|disable]
next
end
default-action YouTube channel filter default action. option - monitor

Fortinet Inc.
Option Description
block Block videos.

value: 0
Maximum
value:
4294967295
Option Description
override- Enable/disable overriding category filtering result. option - disable

category
Option Description
enable Enable overriding category filtering result.
disable Disable overriding category filtering result.
config entries

value: 0
Maximum
value:
4294967295
action YouTube channel filter action. option - monitor
Option Description

Fortinet Inc.
Option Description
block Block videos.
channel-id Channel ID. string Not Specified
config videofilter youtube-key
Configure YouTube API keys.

Description: Configure YouTube API keys.
edit <id>
set id {integer}
set key {string}
next
end

value: 0
Maximum
value:
4294967295
key Key. string Not Specified

Fortinet Inc.
voip

l config voip profile on page 1615
config voip profile
Configure VoIP profiles.

config voip profile
Description: Configure VoIP profiles.
edit <name>
config msrp
Description: MSRP.
set log-violations [disable|enable]
set max-msg-size {integer}
set max-msg-size-action [pass|block|...]
end
set name {string}
config sccp
Description: SCCP.
set block-mcast [disable|enable]
set verify-header [disable|enable]
set log-call-summary [disable|enable]
set max-calls {integer}
end
config sip
Description: SIP.
set rtp [disable|enable]
set nat-port-range {user}
set open-register-pinhole [disable|enable]
set open-contact-pinhole [disable|enable]
set strict-register [disable|enable]
set register-rate {integer}
set register-rate-track [none|src-ip|...]
set invite-rate {integer}
set invite-rate-track [none|src-ip|...]
set max-dialogs {integer}
set max-line-length {integer}
set block-long-lines [disable|enable]
set block-unknown [disable|enable]
set call-keepalive {integer}
set block-ack [disable|enable]
set block-bye [disable|enable]

Fortinet Inc.
set block-cancel [disable|enable]
set block-info [disable|enable]
set block-invite [disable|enable]
set block-message [disable|enable]
set block-notify [disable|enable]
set block-options [disable|enable]
set block-prack [disable|enable]
set block-publish [disable|enable]
set block-refer [disable|enable]
set block-register [disable|enable]
set block-subscribe [disable|enable]
set block-update [disable|enable]
set register-contact-trace [disable|enable]
set open-via-pinhole [disable|enable]
set open-record-route-pinhole [disable|enable]
set rfc2543-branch [disable|enable]
set log-call-summary [disable|enable]
set nat-trace [disable|enable]
set subscribe-rate {integer}
set subscribe-rate-track [none|src-ip|...]
set message-rate {integer}
set message-rate-track [none|src-ip|...]
set notify-rate {integer}
set notify-rate-track [none|src-ip|...]
set refer-rate {integer}
set refer-rate-track [none|src-ip|...]
set update-rate {integer}
set update-rate-track [none|src-ip|...]
set options-rate {integer}
set options-rate-track [none|src-ip|...]
set ack-rate {integer}
set ack-rate-track [none|src-ip|...]
set prack-rate {integer}
set prack-rate-track [none|src-ip|...]
set info-rate {integer}
set info-rate-track [none|src-ip|...]
set publish-rate {integer}
set publish-rate-track [none|src-ip|...]
set bye-rate {integer}
set bye-rate-track [none|src-ip|...]
set cancel-rate {integer}
set cancel-rate-track [none|src-ip|...]
set preserve-override [disable|enable]
set no-sdp-fixup [disable|enable]
set contact-fixup [disable|enable]
set max-idle-dialogs {integer}
set block-geo-red-options [disable|enable]
set hosted-nat-traversal [disable|enable]
set hnt-restrict-source-ip [disable|enable]
set max-body-length {integer}
set unknown-header [discard|pass|...]
set malformed-request-line [discard|pass|...]
set malformed-header-via [discard|pass|...]
set malformed-header-from [discard|pass|...]
set malformed-header-to [discard|pass|...]

Fortinet Inc.
set malformed-header-call-id [discard|pass|...]
set malformed-header-cseq [discard|pass|...]
set malformed-header-rack [discard|pass|...]
set malformed-header-rseq [discard|pass|...]
set malformed-header-contact [discard|pass|...]
set malformed-header-record-route [discard|pass|...]
set malformed-header-route [discard|pass|...]
set malformed-header-expires [discard|pass|...]
set malformed-header-content-type [discard|pass|...]
set malformed-header-content-length [discard|pass|...]
set malformed-header-max-forwards [discard|pass|...]
set malformed-header-allow [discard|pass|...]
set malformed-header-p-asserted-identity [discard|pass|...]
set malformed-header-no-require [discard|pass|...]
set malformed-header-no-proxy-require [discard|pass|...]
set malformed-header-sdp-v [discard|pass|...]
set malformed-header-sdp-o [discard|pass|...]
set malformed-header-sdp-s [discard|pass|...]
set malformed-header-sdp-i [discard|pass|...]
set malformed-header-sdp-c [discard|pass|...]
set malformed-header-sdp-b [discard|pass|...]
set malformed-header-sdp-z [discard|pass|...]
set malformed-header-sdp-k [discard|pass|...]
set malformed-header-sdp-a [discard|pass|...]
set malformed-header-sdp-t [discard|pass|...]
set malformed-header-sdp-r [discard|pass|...]
set malformed-header-sdp-m [discard|pass|...]
set provisional-invite-expiry-time {integer}
set ips-rtp [disable|enable]
set ssl-mode [off|full]
set ssl-client-certificate {string}
set ssl-server-certificate {string}
set ssl-auth-client {string}
set ssl-auth-server {string}
end
next
end
config voip profile

Specified
feature-set Flow or proxy inspection feature set. option - proxy

Fortinet Inc.
Option Description

Specified
config msrp
status Enable/disable MSRP. option - enable
Option Description
log-violations Enable/disable logging of MSRP violations. option - enable
Option Description
max-msg-size Maximum allowable MSRP message size. integer Minimum 0

value: 0
Maximum
value:
65535
max-msg- Action for violation of max-msg-size. option - pass

size-action
Option Description
monitor Pass and log matching traffic.

Fortinet Inc.
config sccp
status Enable/disable SCCP. option - enable
Option Description
block-mcast Enable/disable block multicast RTP connections. option - disable
Option Description
verify-header Enable/disable verify SCCP header content. option - disable
Option Description
log-call- Enable/disable log summary of SCCP calls. option - disable

summary
Option Description
log-violations Enable/disable logging of SCCP violations. option - disable
Option Description
max-calls Maximum calls per minute per SCCP client (max integer Minimum 0
65535). value: 0
Maximum
value:
65535

Fortinet Inc.
config sip
status Enable/disable SIP. option - enable
Option Description
rtp Enable/disable create pinholes for RTP traffic to option - enable

traverse firewall.
Option Description
nat-port-range RTP NAT port range. user Not Specified 5117-

65533
open-register- Enable/disable open pinhole for REGISTER Contact option - enable

pinhole port.
Option Description
open-contact- Enable/disable open pinhole for non-REGISTER option - enable

pinhole Contact port.
Option Description
strict-register Enable/disable only allow the registrar to connect. option - enable
Option Description
register-rate REGISTER request rate limit (per second, per integer Minimum 0
policy). value: 0
Maximum
value:
4294967295

Fortinet Inc.
register-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.
invite-rate INVITE request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
invite-rate-track Track the packet protocol field. option - none
Option Description
none None.
src-ip Source IP.
max-dialogs Maximum number of concurrent calls/dialogs (per integer Minimum 0

policy). value: 0
Maximum
value:
4294967295
max-line-length Maximum SIP header line length. integer Minimum 998

value: 78
Maximum
value: 4096
block-long- Enable/disable block requests with headers option - enable

lines exceeding max-line-length.
Option Description
block-unknown Block unrecognized SIP requests. option - enable
Option Description

Fortinet Inc.
Option Description
call-keepalive Continue tracking calls with no RTP for this many integer Minimum 0
minutes. value: 0
Maximum
value: 10080
block-ack Enable/disable block ACK requests. option - disable
Option Description
block-bye Enable/disable block BYE requests. option - disable
Option Description
block-cancel Enable/disable block CANCEL requests. option - disable
Option Description
block-info Enable/disable block INFO requests. option - disable
Option Description
block-invite Enable/disable block INVITE requests. option - disable
Option Description
block-message Enable/disable block MESSAGE requests. option - disable

Fortinet Inc.
Option Description
block-notify Enable/disable block NOTIFY requests. option - disable
Option Description
block-options Enable/disable block OPTIONS requests and no option - disable

OPTIONS as notifying message for redundancy
either.
Option Description
block-prack Enable/disable block prack requests. option - disable
Option Description
block-publish Enable/disable block PUBLISH requests. option - disable
Option Description
block-refer Enable/disable block REFER requests. option - disable
Option Description
block-register Enable/disable block REGISTER requests. option - disable

Fortinet Inc.
Option Description
block- Enable/disable block SUBSCRIBE requests. option - disable

subscribe
Option Description
block-update Enable/disable block UPDATE requests. option - disable
Option Description
register- Enable/disable trace original IP/port within the option - disable

contact-trace contact header of REGISTER requests.
Option Description
open-via- Enable/disable open pinhole for Via port. option - disable

pinhole
Option Description
open-record- Enable/disable open pinhole for Record-Route port. option - enable

route-pinhole
Option Description
rfc2543-branch Enable/disable support via branch compliant with option - disable

RFC 2543.

Fortinet Inc.
Option Description
log-violations Enable/disable logging of SIP violations. option - disable
Option Description
log-call- Enable/disable logging of SIP call summary. option - enable

summary
Option Description
nat-trace Enable/disable preservation of original IP in SDP i option - enable

line.
Option Description
subscribe-rate SUBSCRIBE request rate limit (per second, per integer Minimum 0
policy). value: 0
Maximum
value:
4294967295
subscribe-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.

Fortinet Inc.
message-rate MESSAGE request rate limit (per second, per integer Minimum 0
policy). value: 0
Maximum
value:
4294967295
message-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.
notify-rate NOTIFY request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
notify-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.
refer-rate REFER request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
refer-rate-track Track the packet protocol field. option - none
Option Description
none None.
src-ip Source IP.

Fortinet Inc.
update-rate UPDATE request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
update-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.
options-rate OPTIONS request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
options-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.
ack-rate ACK request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
ack-rate-track Track the packet protocol field. option - none
Option Description
none None.
src-ip Source IP.

Fortinet Inc.
prack-rate PRACK request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
prack-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.
info-rate INFO request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
info-rate-track Track the packet protocol field. option - none
Option Description
none None.
src-ip Source IP.
publish-rate PUBLISH request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
publish-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.

Fortinet Inc.
bye-rate BYE request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
bye-rate-track Track the packet protocol field. option - none
Option Description
none None.
src-ip Source IP.
cancel-rate CANCEL request rate limit (per second, per policy). integer Minimum 0
value: 0
Maximum
value:
4294967295
cancel-rate- Track the packet protocol field. option - none

track
Option Description
none None.
src-ip Source IP.
preserve- Override i line to preserve original IPS. option - disable

override
Option Description
no-sdp-fixup Enable/disable no SDP fix-up. option - disable
Option Description
contact-fixup Fixup contact anyway even if contact's IP:port option - enable

doesn't match session's IP:port.

Fortinet Inc.
Option Description
max-idle- Maximum number established but idle dialogs to integer Minimum 0

dialogs retain (per policy). value: 0
Maximum
value:
4294967295
block-geo-red- Enable/disable block OPTIONS requests, but option - disable

options OPTIONS requests still notify for redundancy.
Option Description
hosted-nat- Hosted NAT Traversal (HNT). option - disable

traversal
Option Description
hnt-restrict- Enable/disable restrict RTP source IP to be the option - disable

source-ip same as SIP source IP when HNT is enabled.
Option Description
max-body- Maximum SIP message body length (0 meaning no integer Minimum 0

length limit). value: 0
Maximum
value:
4294967295
unknown- Action for unknown SIP header. option - pass

header
Option Description
discard Discard malformed messages.

Fortinet Inc.
Option Description
pass Bypass malformed messages.
respond Respond with error code.
malformed- Action for malformed request line. option - pass

request-line
Option Description
malformed- Action for malformed VIA header. option - pass

header-via
Option Description
malformed- Action for malformed From header. option - pass

header-from
Option Description
malformed- Action for malformed To header. option - pass

header-to
Option Description
malformed- Action for malformed Call-ID header. option - pass

header-call-id

Fortinet Inc.
Option Description
malformed- Action for malformed CSeq header. option - pass

header-cseq
Option Description
malformed- Action for malformed RAck header. option - pass

header-rack
Option Description
malformed- Action for malformed RSeq header. option - pass

header-rseq
Option Description
malformed- Action for malformed Contact header. option - pass

header-contact
Option Description
malformed- Action for malformed Record-Route header. option - pass

header-record-
route

Fortinet Inc.
Option Description
malformed- Action for malformed Route header. option - pass

header-route
Option Description
malformed- Action for malformed Expires header. option - pass

header-expires
Option Description
malformed- Action for malformed Content-Type header. option - pass

header-
content-type
Option Description
malformed- Action for malformed Content-Length header. option - pass

header-
content-length
Option Description

Fortinet Inc.
malformed- Action for malformed Max-Forwards header. option - pass

header-max-
forwards
Option Description
malformed- Action for malformed Allow header. option - pass

header-allow
Option Description
malformed- Action for malformed P-Asserted-Identity header. option - pass

header-p-
asserted-
identity
Option Description
malformed- Action for malformed SIP messages without Require option - pass
header-no- header.
require
Option Description
malformed- Action for malformed SIP messages without Proxy- option - pass
header-no- Require header.
proxy-require

Fortinet Inc.
Option Description
malformed- Action for malformed SDP v line. option - pass

header-sdp-v
Option Description
malformed- Action for malformed SDP o line. option - pass

header-sdp-o
Option Description
malformed- Action for malformed SDP s line. option - pass

header-sdp-s
Option Description
malformed- Action for malformed SDP i line. option - pass

header-sdp-i
Option Description
malformed- Action for malformed SDP c line. option - pass

header-sdp-c

Fortinet Inc.
Option Description
malformed- Action for malformed SDP b line. option - pass

header-sdp-b
Option Description
malformed- Action for malformed SDP z line. option - pass

header-sdp-z
Option Description
malformed- Action for malformed SDP k line. option - pass

header-sdp-k
Option Description
malformed- Action for malformed SDP a line. option - pass

header-sdp-a
Option Description
malformed- Action for malformed SDP t line. option - pass

header-sdp-t

Fortinet Inc.
Option Description
malformed- Action for malformed SDP r line. option - pass

header-sdp-r
Option Description
malformed- Action for malformed SDP m line. option - pass

header-sdp-m
Option Description
provisional- Expiry time for provisional INVITE. integer Minimum 210

invite-expiry- value: 10
time Maximum
value: 3600
ips-rtp Enable/disable allow IPS on RTP. option - enable
Option Description
ssl-mode * SSL/TLS mode for encryption & decryption of traffic. option - off
Option Description
off No SSL.
ssl-send- Send empty fragments to avoid attack on CBC IV option - enable

empty-frags * (SSL 3.0 & TLS 1.0 only).

Fortinet Inc.
Option Description
ssl-client- Allow/block client renegotiation by server. option - allow

renegotiation *
Option Description
ssl-algorithm * Relative strength of encryption algorithms accepted option - high

in negotiation.
Option Description
ssl-pfs * SSL Perfect Forward Secrecy. option - allow
Option Description
require PFS mandatory.
deny PFS rejected.
allow PFS allowed.
ssl-min-version Lowest SSL/TLS version to negotiate. option - tls-1.1

*
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.

Fortinet Inc.
ssl-max- Highest SSL/TLS version to negotiate. option - tls-1.3

version *
Option Description
ssl-3.0 SSL 3.0.
tls-1.0 TLS 1.0.
tls-1.1 TLS 1.1.
tls-1.2 TLS 1.2.
tls-1.3 TLS 1.3.
ssl-client- Name of Certificate to offer to server if requested. string Not Specified

certificate *
ssl-server- Name of Certificate return to the client in every SSL string Not Specified
certificate * connection.
ssl-auth-client * Require a client certificate and authenticate it with string Not Specified
the peer/peergrp.
ssl-auth-server Authenticate the server's certificate with the string Not Specified
* peer/peergrp.

Fortinet Inc.
vpn

l config vpn certificate ca on page 1641
l config vpn certificate crl on page 1642
l config vpn certificate local on page 1643
l config vpn certificate ocsp-server on page 1647
l config vpn certificate remote on page 1648
l config vpn certificate setting on page 1648
l config vpn ike gateway on page 1653
l config vpn ipsec concentrator on page 1654
l config vpn ipsec fec on page 1654
l config vpn ipsec forticlient on page 1656
l config vpn ipsec manualkey-interface on page 1657
l config vpn ipsec manualkey on page 1659
l config vpn ipsec phase1-interface on page 1661
l config vpn ipsec phase1 on page 1685
l config vpn ipsec phase2-interface on page 1705
l config vpn ipsec phase2 on page 1714
l config vpn ipsec stats crypto on page 1723
l config vpn ipsec stats tunnel on page 1723
l config vpn ipsec tunnel details on page 1724
l config vpn ipsec tunnel name on page 1724
l config vpn ipsec tunnel summary on page 1724
l config vpn l2tp on page 1724
l config vpn ocvpn on page 1725
l config vpn pptp on page 1730
l config vpn ssl client on page 1730
l config vpn ssl monitor on page 1732
l config vpn ssl settings on page 1732
l config vpn ssl web host-check-software on page 1745
l config vpn ssl web portal on page 1747
l config vpn ssl web realm on page 1766
l config vpn ssl web user-bookmark on page 1767
l config vpn ssl web user-group-bookmark on page 1773
l config vpn status l2tp on page 1779
l config vpn status pptp on page 1780
l config vpn status ssl hw-acceleration-status on page 1780
l config vpn status ssl list on page 1780

Fortinet Inc.
config vpn certificate ca
CA certificate.
Description: CA certificate.
edit <name>
set auto-update-days {integer}
set auto-update-days-warning {integer}
set ca {user}
set name {string}
set ssl-inspection-trusted [enable|disable]
next
end
auto-update- Number of days to wait before requesting an updated integer Minimum 0

days CA certificate. value: 0
Maximum
value:
4294967295
auto-update- Number of days before an expiry-warning message is integer Minimum 0

days-warning generated. value: 0
Maximum
value:
4294967295
ca CA certificate as a PEM file. user Not Specified
ca-identifier CA identifier of the SCEP server. string Not Specified
range Either global or VDOM IP address range for the CA option - vdom
certificate.
Option Description
scep-url URL of the SCEP server. string Not Specified
source CA certificate source type. option - user

Fortinet Inc.
Option Description
source-ip Source IP address for communications to the SCEP ipv4- Not Specified 0.0.0.0
server. address
ssl- Enable/disable this CA as a trusted CA for SSL option - enable

trusted
Option Description
enable Trusted CA for SSL inspection.
disable Untrusted CA for SSL inspection.
config vpn certificate crl
Certificate Revocation List as a PEM file.

Description: Certificate Revocation List as a PEM file.
edit <name>
set crl {user}
set http-url {string}
set name {string}
set scep-cert {string}
set update-vdom {string}
next
end
crl Certificate Revocation List as a PEM file. user Not Specified

Fortinet Inc.
http-url HTTP server URL for CRL auto-update. string Not Specified
ldap- LDAP server user password. password Not Specified

password
ldap-server LDAP server name for CRL auto-update. string Not Specified
ldap- LDAP server user name. string Not Specified

username
range Either global or VDOM IP address range for the option - vdom
certificate.
Option Description
scep-cert Local certificate for SCEP communication for CRL string Not Specified Fortinet_
auto-update. CA_SSL
scep-url SCEP server URL for CRL auto-update. string Not Specified
Option Description
source-ip Source IP address for communications to a HTTP or ipv4- Not Specified 0.0.0.0
SCEP CA server. address
update- Time in seconds before the FortiGate checks for an integer Minimum 0
interval updated CRL. Set to 0 to update only when it expires. value: 0
Maximum
value:
4294967295
update-vdom VDOM for CRL update. string Not Specified root
config vpn certificate local
Local keys and certificates.

Description: Local keys and certificates.
edit <name>
set acme-ca-url {string}

Fortinet Inc.
set acme-domain {string}
set acme-email {string}
set acme-renew-window {integer}
set acme-rsa-key-size {integer}
set auto-regenerate-days {integer}
set auto-regenerate-days-warning {integer}
set certificate {user}
set cmp-path {string}
set cmp-regeneration-method [keyupate|renewal]
set cmp-server {string}
set cmp-server-cert {string}
set csr {user}
set enroll-protocol [none|scep|...]
set ike-localid {string}
set ike-localid-type [asn1dn|fqdn]
set name {string}
set name-encoding [printable|utf8]
set scep-password {password}
set state {user}
next
end
acme-ca-url The URL for the ACME CA string Not Specified https://acme-
server. v02.api.letsencrypt.org/directory
acme-domain A valid domain that resolves string Not Specified

to this FortiGate unit.
acme-email Contact email address that string Not Specified

is required by some CAs like
LetsEncrypt.
acme-renew- Beginning of the renewal integer Minimum 30

window window. value: 1
Maximum
value: 60
acme-rsa-key- Length of the RSA private integer Minimum 2048

size key of the generated cert value: 2048
(Minimum 2048 bits). Maximum
value: 4096

Fortinet Inc.

regenerate- before expiry of an updated value: 0
days local certificate is requested Maximum
(0 = disabled). value:
4294967295

regenerate- before an expiry warning value: 0
days-warning message is generated (0 = Maximum
disabled). value:
4294967295
ca-identifier CA identifier of the CA string Not Specified

server for signing via SCEP.
certificate PEM format certificate. user Not Specified
cmp-path Path location inside CMP string Not Specified

server.
cmp- CMP auto-regeneration option - keyupate

regeneration- method.
method
Option Description
keyupate Key Update.
renewal Renewal.
cmp-server Address and port for CMP string Not Specified

server (format =
address:port).
cmp-server-cert CMP server certificate. string Not Specified
comments Comment. string Not Specified
csr Certificate Signing Request. user Not Specified
enroll-protocol Certificate enrollment option - none

protocol.
Option Description
none None (default).
scep Simple Certificate Enrollment Protocol.
cmpv2 Certificate Management Protocol Version 2.
acme2 Automated Certificate Management Environment Version 2.

Fortinet Inc.
ike-localid Local ID the FortiGate uses string Not Specified

for authentication as a VPN
client.
ike-localid-type IKE local ID type. option - asn1dn
Option Description
asn1dn ASN.1 distinguished name.
name-encoding Name encoding method for option - printable

auto-regeneration.
Option Description
printable Printable encoding (default).
utf8 UTF-8 encoding.
password Password as a PEM file. password Not Specified
private-key PEM format key encrypted user Not Specified

with a password.
range Either a global or VDOM IP option - vdom

address range for the
certificate.
Option Description
scep-password SCEP server challenge password Not Specified

password for auto-
regeneration.
scep-url SCEP server URL. string Not Specified
Option Description

Fortinet Inc.
source-ip Source IP address for ipv4- Not Specified 0.0.0.0

communications to the address
SCEP server.
state Certificate Signing Request user Not Specified

State.
config vpn certificate ocsp-server
OCSP server configuration.

Description: OCSP server configuration.
edit <name>
set cert {string}
set name {string}
set secondary-cert {string}
set secondary-url {string}
set unavail-action [revoke|ignore]
set url {string}
next
end
cert OCSP server certificate. string Not

Specified
name OCSP server entry name. string Not

Specified
secondary- Secondary OCSP server certificate. string Not

cert Specified
secondary-url Secondary OCSP server URL. string Not

Specified
source-ip Source IP address for communications to the OCSP ipv4- Not 0.0.0.0
unavail-action Action when server is unavailable (revoke the certificate option - revoke
or ignore the result of the check).
Option Description
revoke Revoke certificate if server is unavailable.
ignore Ignore OCSP check if server is unavailable.

Fortinet Inc.
url OCSP server URL. string Not

Specified
config vpn certificate remote
Remote certificate as a PEM file.

Description: Remote certificate as a PEM file.
edit <name>
set name {string}
set remote {user}
next
end

Specified
range Either the global or VDOM IP address range for the option - vdom
remote certificate.
Option Description
remote Remote certificate. user Not

Specified
source Remote certificate source type. option - user
Option Description
config vpn certificate setting
VPN certificate setting.

Fortinet Inc.
Description: VPN certificate setting.
set certname-dsa1024 {string}
set certname-dsa2048 {string}
set certname-ecdsa256 {string}
set certname-ed25519 {string}
set certname-ed448 {string}
set certname-rsa1024 {string}
set check-ca-cert [enable|disable]
set check-ca-chain [enable|disable]
set cmp-key-usage-checking [enable|disable]
set cmp-save-extra-certs [enable|disable]
set cn-allow-multi [disable|enable]
set cn-match [substring|value]
config crl-verification
Description: CRL verification options.
set expiry [ignore|revoke]
set leaf-crl-absence [ignore|revoke]
set chain-crl-absence [ignore|revoke]
end
set ocsp-default-server {string}
set ocsp-option [certificate|server]
set ocsp-status [enable|disable]
set ssl-ocsp-source-ip {ipv4-address}
set strict-ocsp-check [enable|disable]
set subject-match [substring|value]
set subject-set [subset|superset]
end
certname- 1024 bit DSA key certificate for re-signing server string Not Fortinet_
dsa1024 certificates for SSL inspection. Specified SSL_
DSA1024
certname- 2048 bit DSA key certificate for re-signing server string Not Fortinet_
dsa2048 certificates for SSL inspection. Specified SSL_
DSA2048
certname- 256 bit ECDSA key certificate for re-signing server string Not Fortinet_
ecdsa256 certificates for SSL inspection. Specified SSL_
ECDSA256

Fortinet Inc.
ECDSA384
ECDSA521
certname- 253 bit EdDSA key certificate for re-signing server string Not Fortinet_
ed25519 certificates for SSL inspection. Specified SSL_
ED25519
certname- 456 bit EdDSA key certificate for re-signing server string Not Fortinet_
ed448 certificates for SSL inspection. Specified SSL_ED448
certname- 1024 bit RSA key certificate for re-signing server string Not Fortinet_
rsa1024 certificates for SSL inspection. Specified SSL_
RSA1024
RSA2048
RSA4096
check-ca-cert Enable/disable verification of the user certificate and option - enable

pass authentication if any CA in the chain is trusted.
Option Description
enable Enable verification of the user certificate.
disable Disable verification of the user certificate.
check-ca- Enable/disable verification of the entire certificate option - disable

chain chain and pass authentication only if the chain is
complete and all of the CAs in the chain are trusted.
Option Description
enable Enable verification of the entire certificate chain.
disable Disable verification of the entire certificate chain.
cmp-key- Enable/disable server certificate key usage checking option - enable

usage- in CMP mode.
checking

Fortinet Inc.
Option Description
enable Enable server certificate key usage checking in CMP mode.
disable Disable server certificate key usage checking in CMP mode.
cmp-save- Enable/disable saving extra certificates in CMP mode. option - disable

extra-certs
Option Description
enable Enable saving extra certificates in CMP mode.
disable Disable saving extra certificates in CMP mode.
cn-allow-multi When searching for a matching certificate, allow option - enable

multiple CN fields in certificate subject name.
Option Description
disable Does not allow multiple CN entries in certificate matching.
enable Allow multiple CN entries in certificate matching.
cn-match When searching for a matching certificate, control how option - substring
to do CN value matching with certificate subject name.
Option Description
substring Find a match if the name being searched for is a part or the same as a
certificate CN.
value Find a match if the name being searched for is same as a certificate CN.

Specified

Option Description
ocsp-default- Default OCSP server. string Not

server Specified
ocsp-option Specify whether the OCSP URL is from certificate or option - server
configured OCSP server.

Fortinet Inc.
Option Description
certificate Use URL from certificate.
server Use URL from configured OCSP server.
ocsp-status Enable/disable receiving certificates using the OCSP. option - disable
Option Description

Option Description
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
ssl-ocsp- Source IP address to use to communicate with the ipv4- Not 0.0.0.0
source-ip OCSP server. address Specified
strict-ocsp- Enable/disable strict mode OCSP checking. option - disable

check
Option Description
enable Enable strict mode OCSP checking.
disable Disable strict mode OCSP checking.
subject-match When searching for a matching certificate, control how option - substring
to do RDN value matching with certificate subject
name.
Option Description
substring Find a match if the name being searched for is a part or the same as a
certificate subject RDN.
value Find a match if the name being searched for is same as a certificate subject
RDN.

Fortinet Inc.
subject-set When searching for a matching certificate, control how option - subset
to do RDN set matching with certificate subject name.
Option Description
subset Find a match if the name being searched for is a subset of a certificate subject.
superset Find a match if the name being searched for is a superset of a certificate
subject.
config crl-verification
expiry CRL verification option when CRL is expired. option - ignore
Option Description
ignore Certificate status will be verified even if CRL is expired.
revoke Certificate will be revoked if CRL is expired.
leaf-crl- CRL verification option when leaf CRL is absent. option - ignore
absence
Option Description
ignore CRL verification against leaf certificate is ignored if CRL is absent.
revoke Certificate will be revoked if CRL of leaf certificate is absent.
chain-crl- CRL verification option when CRL of any certificate in option - ignore
absence chain is absent.
Option Description
ignore CRL verification is ignored if CRL of any certificate in chain is absent.
revoke Certificate will be revoked if CRL of any certificate in chain is absent.
config vpn ike gateway
List gateways.
Description: List gateways.
set <name> {string}
end

Fortinet Inc.
<name> Name of IKE gateway to list. string Not

Specified
config vpn ipsec concentrator
Concentrator configuration.
Description: Concentrator configuration.
edit <id>
set id {integer}
set name {string}
set src-check [disable|enable]
next
end
id Concentrator ID. integer Minimum 0

value: 1
Maximum
value:
65535
member Names of up to 3 VPN tunnels to add to the string Maximum

<name> concentrator. length: 79
Member name.
name Concentrator name. string Not

Specified
src-check Enable to check source address of phase 2 selector. option - disable

Disable to check only the destination selector.
Option Description
disable Ignore source selector when choosing tunnel.
enable Use source selector to choose tunnel.
config vpn ipsec fec
Configure Forward Error Correction (FEC) mapping profiles.

Fortinet Inc.
Description: Configure Forward Error Correction (FEC) mapping profiles.
edit <name>
config mappings
Description: FEC redundancy mapping table.
edit <seqno>
set seqno {integer}
set base {integer}
set redundant {integer}
set packet-loss-threshold {integer}
set latency-threshold {integer}
set bandwidth-up-threshold {integer}
set bandwidth-down-threshold {integer}
set bandwidth-bi-threshold {integer}
next
end
set name {string}
next
end

Specified
config mappings
seqno Sequence number. integer Minimum 0

value: 0
Maximum
value: 64
base Number of base FEC packets. integer Minimum 0

value: 1
Maximum
value: 20
redundant Number of redundant FEC packets. integer Minimum 0

value: 1
Maximum
value: 5
packet-loss- Apply FEC parameters when packet loss is >= integer Minimum 0
threshold threshold. value: 0
Maximum
value: 100

Fortinet Inc.
latency- Apply FEC parameters when latency is <= threshold integer Minimum 0
threshold (0 means no threshold). value: 0
Maximum
value:
4294967295
bandwidth- Apply FEC parameters when available up bandwidth integer Minimum 0

up-threshold is >= threshold (kbps, 0 means no threshold). value: 0
Maximum
value:
4294967295
bandwidth- Apply FEC parameters when available down integer Minimum 0

down- bandwidth is >= threshold (kbps, 0 means no value: 0
threshold threshold). Maximum
value:
4294967295
bandwidth-bi- Apply FEC parameters when available bi-bandwidth integer Minimum 0

threshold is >= threshold (kbps, 0 means no threshold). value: 0
Maximum
value:
4294967295
config vpn ipsec forticlient
Configure FortiClient policy realm.

Description: Configure FortiClient policy realm.
edit <realm>
set phase2name {string}
set realm {string}
set usergroupname {string}
next
end
phase2name Phase 2 tunnel name that you defined in the string Not
FortiClient dialup configuration. Specified
realm FortiClient realm name. string Not

Specified
status Enable/disable this FortiClient configuration. option - enable

Fortinet Inc.
Option Description
usergroupname User group name for FortiClient users. string Not

Specified
config vpn ipsec manualkey-interface
Configure IPsec manual keys.

Description: Configure IPsec manual keys.
edit <name>
set addr-type [4|6]
set auth-alg [null|md5|...]
set auth-key {user}
set enc-alg [null|des|...]
set enc-key {user}
set local-spi {user}
set name {string}
set npu-offload [enable|disable]
set remote-spi {user}
next
end
addr-type IP version to use for IP packets. option - 4
Option Description
4 Use IPv4 addressing for IP packets.
6 Use IPv6 addressing for IP packets.
auth-alg Authentication algorithm. Must be the same for both option - null
ends of the tunnel.

Fortinet Inc.
Option Description
null null
md5 md5
sha1 sha1
sha256 sha256
sha384 sha384
sha512 sha512
auth-key Hexadecimal authentication key in 16-digit (8-byte) user Not

segments separated by hyphens. Specified
enc-alg Encryption algorithm. Must be the same for both ends of option - null
the tunnel.
Option Description
null null
des des
3des 3des
aes128 aes128
aes192 aes192
aes256 aes256
aria128 aria128
aria192 aria192
aria256 aria256
seed seed
enc-key Hexadecimal encryption key in 16-digit (8-byte) user Not

interface Name of the physical, aggregate, or VLAN interface. string Not

Specified
Option Description

Fortinet Inc.
local-gw IPv4 address of the local gateway's external interface. ipv4- Not 0.0.0.0
address- Specified
any
local-gw6 Local IPv6 address of VPN gateway. ipv6- Not ::

address Specified
local-spi Local SPI, a hexadecimal 8-digit (4-byte) tag. Discerns user Not
between two traffic streams with different encryption Specified
rules.
name IPsec tunnel name. string Not

Specified
npu-offload * Enable/disable offloading IPsec VPN manual key option - enable

sessions to NPUs.
Option Description
enable Enable NPU offloading.
disable Disable NPU offloading.
remote-gw IPv4 address of the remote gateway's external interface. ipv4- Not 0.0.0.0
address Specified
remote-gw6 Remote IPv6 address of VPN gateway. ipv6- Not ::

address Specified
remote-spi Remote SPI, a hexadecimal 8-digit (4-byte) tag. user Not

Discerns between two traffic streams with different Specified
encryption rules.
config vpn ipsec manualkey
Configure IPsec manual keys.

Description: Configure IPsec manual keys.
edit <name>
set authentication [null|md5|...]
set authkey {user}
set enckey {user}
set encryption [null|des|...]
set localspi {user}
set name {string}
set remotespi {user}

Fortinet Inc.
next
end
authentication Authentication algorithm. Must be the same for both option - null
ends of the tunnel.
Option Description
null Null.
md5 MD5.
sha1 SHA1.
sha256 SHA256.
sha384 SHA384.
sha512 SHA512.
authkey Hexadecimal authentication key in 16-digit (8-byte) user Not

enckey Hexadecimal encryption key in 16-digit (8-byte) user Not

encryption Encryption algorithm. Must be the same for both ends option - null
of the tunnel.
Option Description
null Null.
des DES.
3des 3DES.
aes128 AES128.
aes192 AES192.
aes256 AES256.
aria128 ARIA128.
aria192 ARIA192.
aria256 ARIA256.
seed Seed.
interface Name of the physical, aggregate, or VLAN interface. string Not

Specified

Fortinet Inc.
local-gw Local gateway. ipv4- Not 0.0.0.0

address- Specified
any
localspi Local SPI, a hexadecimal 8-digit (4-byte) tag. Discerns user Not
between two traffic streams with different encryption Specified
rules.
name IPsec tunnel name. string Not

Specified
npu-offload * Enable/disable NPU offloading. option - enable
Option Description
remote-gw Peer gateway. ipv4- Not 0.0.0.0

address Specified
remotespi Remote SPI, a hexadecimal 8-digit (4-byte) tag. user Not

Discerns between two traffic streams with different Specified
encryption rules.
config vpn ipsec phase1-interface
Configure VPN remote gateway.

Description: Configure VPN remote gateway.
edit <name>
set acct-verify [enable|disable]
set add-gw-route [enable|disable]
set add-route [disable|enable]
set aggregate-member [enable|disable]
set aggregate-weight {integer}
set assign-ip [disable|enable]
set assign-ip-from [range|usrgrp|...]
set authmethod [psk|signature]
set authmethod-remote [psk|signature]
set authpasswd {password}
set authusr {string}
set authusrgrp {string}
set auto-discovery-forwarder [enable|disable]
set auto-discovery-psk [enable|disable]
set auto-discovery-receiver [enable|disable]
set auto-discovery-sender [enable|disable]
set auto-discovery-shortcuts [independent|dependent]
set auto-negotiate [enable|disable]

Fortinet Inc.
set backup-gateway <address1>, <address2>, ...
set banner {var-string}
set cert-id-validation [enable|disable]
set certificate <name1>, <name2>, ...
set childless-ike [enable|disable]
set client-auto-negotiate [disable|enable]
set client-keep-alive [disable|enable]
set default-gw {ipv4-address}
set default-gw-priority {integer}
set dhcp-ra-giaddr {ipv4-address}
set dhcp6-ra-linkaddr {ipv6-address}
set dhgrp {option1}, {option2}, ...
set digital-signature-auth [enable|disable]
set dns-mode [manual|auto]
set domain {string}
set dpd [disable|on-idle|...]
set dpd-retrycount {integer}
set dpd-retryinterval {user}
set eap [enable|disable]
set eap-exclude-peergrp {string}
set eap-identity [use-id-payload|send-request]
set encap-local-gw4 {ipv4-address}
set encap-local-gw6 {ipv6-address}
set encap-remote-gw4 {ipv4-address}
set encap-remote-gw6 {ipv6-address}
set encapsulation [none|gre|...]
set encapsulation-address [ike|ipv4|...]
set enforce-unique-id [disable|keep-new|...]
set esn [require|allow|...]
set exchange-interface-ip [enable|disable]
set exchange-ip-addr4 {ipv4-address}
set exchange-ip-addr6 {ipv6-address}
set fec-base {integer}
set fec-codec [rs|xor]
set fec-egress [enable|disable]
set fec-health-check {string}
set fec-ingress [enable|disable]
set fec-mapping-profile {string}
set fec-receive-timeout {integer}
set fec-redundant {integer}
set fec-send-timeout {integer}
set fgsp-sync [enable|disable]
set forticlient-enforcement [enable|disable]
set fragmentation [enable|disable]
set fragmentation-mtu {integer}
set group-authentication [enable|disable]
set group-authentication-secret {password-3}
set ha-sync-esp-seqno [enable|disable]
set idle-timeout [enable|disable]
set idle-timeoutinterval {integer}
set ike-version [1|2]
set inbound-dscp-copy [enable|disable]
set include-local-lan [disable|enable]

Fortinet Inc.
set ip-delay-interval {integer}
set ip-fragmentation [pre-encapsulation|post-encapsulation]
set ipv4-dns-server1 {ipv4-address}
set ipv4-end-ip {ipv4-address}
config ipv4-exclude-range
Description: Configuration Method IPv4 exclude ranges.
edit <id>
set id {integer}
next
end
set ipv4-name {string}
set ipv4-netmask {ipv4-netmask}
set ipv4-split-exclude {string}
set ipv4-split-include {string}
set ipv4-start-ip {ipv4-address}
set ipv4-wins-server1 {ipv4-address}
Description: Configuration method IPv6 exclude ranges.
edit <id>
set id {integer}
next
end
set ipv6-prefix {integer}
set keepalive {integer}
set keylife {integer}
set local-gw {ipv4-address}
set localid {string}
set localid-type [auto|fqdn|...]
set loopback-asymroute [enable|disable]
set mesh-selector-type [disable|subnet|...]
set mode [aggressive|main]
set mode-cfg [disable|enable]
set monitor {string}
set monitor-hold-down-delay {integer}
set monitor-hold-down-time {user}
set monitor-hold-down-type [immediate|delay|...]
set monitor-hold-down-weekday [everyday|sunday|...]
set name {string}
set nattraversal [enable|disable|...]

Fortinet Inc.
set negotiate-timeout {integer}
set net-device [enable|disable]
set network-id {integer}
set network-overlay [disable|enable]
set passive-mode [enable|disable]
set peer {string}
set peergrp {string}
set peerid {string}
set peertype [any|one|...]
set ppk [disable|allow|...]
set proposal {option1}, {option2}, ...
set psksecret-remote {password-3}
set reauth [disable|enable]
set rekey [enable|disable]
set remotegw-ddns {string}
set rsa-signature-format [pkcs1|pss]
set save-password [disable|enable]
set send-cert-chain [enable|disable]
set signature-hash-alg {option1}, {option2}, ...
set split-include-service {string}
set suite-b [disable|suite-b-gcm-128|...]
set type [static|dynamic|...]
set unity-support [disable|enable]
set usrgrp {string}
set vni {integer}
set wizard-type [custom|dialup-forticlient|...]
set xauthtype [disable|client|...]
next
end
acct-verify Enable/disable verification of RADIUS option - disable

accounting record.
Option Description
enable Enable verification of RADIUS accounting record.
disable Disable verification of RADIUS accounting record.
add-gw-route Enable/disable automatically add a route option - disable

to the remote gateway.

Fortinet Inc.
Option Description
enable Automatically add a route to the remote gateway.
disable Do not automatically add a route to the remote gateway.
add-route Enable/disable control addition of a route option - enable

to peer destination selector.
Option Description
disable Do not add a route to destination of peer selector.
enable Add route to destination of peer selector.
aggregate- Enable/disable use as an aggregate option - disable

member member.
Option Description
enable Enable use as an aggregate member.
disable Disable use as an aggregate member.
aggregate- Link weight for aggregate. integer Minimum 1

weight value: 1
Maximum
value: 100
assign-ip Enable/disable assignment of IP to IPsec option - enable

interface via configuration method.
Option Description
disable Do not assign an IP address to the IPsec interface.
enable Assign an IP address to the IPsec interface.
assign-ip-from Method by which the IP address will be option - range

assigned.
Option Description
range Assign IP address from locally defined range.
usrgrp Assign IP address via user group.
dhcp Assign IP address via DHCP.
name Assign IP address from firewall address or group.
authmethod Authentication method. option - psk

Fortinet Inc.
Option Description
psk PSK authentication method.
signature Signature authentication method.
authmethod- Authentication method (remote side). option -

remote
Option Description
authpasswd XAuth password (max 35 characters). password Not Specified
authusr XAuth user name. string Not Specified
authusrgrp Authentication user group. string Not Specified
auto-discovery- Enable/disable forwarding auto-discovery option - disable

forwarder short-cut messages.
Option Description
enable Enable forwarding auto-discovery short-cut messages.
disable Disable forwarding auto-discovery short-cut messages.
auto-discovery- Enable/disable use of pre-shared secrets option - disable

psk for authentication of auto-discovery
tunnels.
Option Description
enable Enable use of pre-shared-secret authentication for auto-discovery tunnels.
disable Disable use of authentication defined by 'authmethod' for auto-discovery

tunnels.
auto-discovery- Enable/disable accepting auto-discovery option - disable

receiver short-cut messages.
Option Description
enable Enable receiving auto-discovery short-cut messages.
disable Disable receiving auto-discovery short-cut messages.
auto-discovery- Enable/disable sending auto-discovery option - disable

sender short-cut messages.

Fortinet Inc.
Option Description
enable Enable sending auto-discovery short-cut messages.
disable Disable sending auto-discovery short-cut messages.
auto-discovery- Control deletion of child short-cut tunnels option - independent

shortcuts when the parent tunnel goes down.
Option Description
independent Short-cut tunnels remain up if the parent tunnel goes down.
dependent Short-cut tunnels are brought down if the parent tunnel goes down.
auto-negotiate Enable/disable automatic initiation of IKE option - enable

SA negotiation.
Option Description
enable Enable automatic initiation of IKE SA negotiation.
disable Disable automatic initiation of IKE SA negotiation.
backup-gateway Instruct unity clients about the backup string Maximum

<address> gateway address(es). length: 79
Address of backup gateway.
banner Message that unity client should display var-string Not Specified
after connecting.
cert-id-validation Enable/disable cross validation of peer ID option - enable

and the identity in the peer's certificate as
specified in RFC 4945.
Option Description
enable Enable cross validation of peer ID and the identity in the peer's certificate as
disable Disable cross validation of peer ID and the identity in the peer's certificate
as specified in RFC 4945.
certificate The names of up to 4 signed personal string Maximum

<name> certificates. length: 79
Certificate name.
childless-ike Enable/disable childless IKEv2 initiation option - disable

(RFC 6023).

Fortinet Inc.
Option Description
enable Enable childless IKEv2 initiation (RFC 6023).
disable Disable childless IKEv2 initiation (RFC 6023).
client-auto- Enable/disable allowing the VPN client to option - disable

negotiate bring up the tunnel when there is no
traffic.
Option Description
disable Disable allowing the VPN client to bring up the tunnel when there is no
traffic.
enable Enable allowing the VPN client to bring up the tunnel when there is no
traffic.
client-keep-alive Enable/disable allowing the VPN client to option - disable

keep the tunnel up when there is no
traffic.
Option Description
disable Disable allowing the VPN client to keep the tunnel up when there is no
traffic.
enable Enable allowing the VPN client to keep the tunnel up when there is no
traffic.
default-gw IPv4 address of default route gateway to ipv4-address Not Specified 0.0.0.0
use for traffic exiting the interface.
default-gw- Priority for default gateway route. A integer Minimum 0

priority higher priority number signifies a less value: 0
preferred route. Maximum
value:
4294967295
dhcp-ra-giaddr Relay agent gateway IP address to use in ipv4-address Not Specified 0.0.0.0
the giaddr field of DHCP requests.
dhcp6-ra- Relay agent IPv6 link address to use in ipv6-address Not Specified ::
linkaddr DHCP6 requests.
dhgrp DH group. option - 14

Fortinet Inc.
Option Description
1 DH Group 1.
2 DH Group 2.
5 DH Group 5.
14 DH Group 14.
15 DH Group 15.
16 DH Group 16.
17 DH Group 17.
18 DH Group 18.
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
27 DH Group 27.
28 DH Group 28.
29 DH Group 29.
30 DH Group 30.
31 DH Group 31.
32 DH Group 32.
digital-signature- Enable/disable IKEv2 Digital Signature option - disable

auth Authentication (RFC 7427).
Option Description
enable Enable IKEv2 Digital Signature Authentication (RFC 7427).
disable Disable IKEv2 Digital Signature Authentication (RFC 7427).
distance Distance for routes added by IKE. integer Minimum 15

value: 1
Maximum
value: 255
dns-mode DNS server mode. option - manual
Option Description
manual Manually configure DNS servers.
auto Use default DNS servers.

Fortinet Inc.
domain Instruct unity clients about the single string Not Specified
default DNS domain.
dpd Dead Peer Detection mode. option - on-demand
Option Description
disable Disable Dead Peer Detection.
on-idle Trigger Dead Peer Detection when IPsec is idle.
on-demand Trigger Dead Peer Detection when IPsec traffic is sent but no reply is
received from the peer.
dpd-retrycount Number of DPD retry attempts. integer Minimum 3

value: 0
Maximum
value: 10
dpd-retryinterval DPD retry interval. user Not Specified
eap Enable/disable IKEv2 EAP option - disable

authentication.
Option Description
enable Enable IKEv2 EAP authentication.
disable Disable IKEv2 EAP authentication.
eap-exclude- Peer group excluded from EAP string Not Specified

peergrp authentication.
eap-identity IKEv2 EAP peer identity type. option - use-id-payload
Option Description
use-id-payload Use IKEv2 IDi payload to resolve peer identity.
send-request Use EAP identity request to resolve peer identity.
encap-local-gw4 Local IPv4 address of GRE/VXLAN ipv4-address Not Specified 0.0.0.0

tunnel.
encap-local-gw6 Local IPv6 address of GRE/VXLAN ipv6-address Not Specified ::

tunnel.
encap-remote- Remote IPv4 address of GRE/VXLAN ipv4-address Not Specified 0.0.0.0

gw4 tunnel.
encap-remote- Remote IPv6 address of GRE/VXLAN ipv6-address Not Specified ::

gw6 tunnel.
encapsulation Enable/disable GRE/VXLAN option - none

encapsulation.

Fortinet Inc.
Option Description
none No additional encapsulation.
gre GRE encapsulation.
vxlan VXLAN encapsulation.
encapsulation- Source for GRE/VXLAN tunnel address. option - ike

address
Option Description
ike Use IKE/IPsec gateway addresses.
ipv4 Specify separate GRE/VXLAN tunnel address.
ipv6 Specify separate GRE/VXLAN tunnel address.
enforce-unique- Enable/disable peer ID uniqueness option - disable

id check.
Option Description
disable Disable peer ID uniqueness enforcement.
keep-new Enforce peer ID uniqueness, keep new connection if collision found.
keep-old Enforce peer ID uniqueness, keep old connection if collision found.
esn * Extended sequence number (ESN) option - disable

negotiation.
Option Description
require Require extended sequence number.
allow Allow extended sequence number.
disable Disable extended sequence number.
exchange- Enable/disable exchange of IPsec option - disable

interface-ip interface IP address.
Option Description
enable Enable exchange of IPsec interface IP address.
disable Disable exchange of IPsec interface IP address.
exchange-ip- IPv4 address to exchange with peers. ipv4-address Not Specified 0.0.0.0
addr4
exchange-ip- IPv6 address to exchange with peers. ipv6-address Not Specified ::

addr6

Fortinet Inc.
fec-base Number of base Forward Error Correction integer Minimum 10

packets. value: 1
Maximum
value: 20
fec-codec Forward Error Correction option - rs

encoding/decoding algorithm.
Option Description
rs Reed-Solomon FEC algorithm.
xor XOR FEC algorithm.
fec-egress Enable/disable Forward Error Correction option - disable

for egress IPsec traffic.
Option Description
enable Enable Forward Error Correction for egress IPsec traffic.
disable Disable Forward Error Correction for egress IPsec traffic.
fec-health-check SD-WAN health check. string Not Specified
fec-ingress Enable/disable Forward Error Correction option - disable

for ingress IPsec traffic.
Option Description
enable Enable Forward Error Correction for ingress IPsec traffic.
disable Disable Forward Error Correction for ingress IPsec traffic.
fec-mapping- Forward Error Correction (FEC) mapping string Not Specified

profile profile.
fec-receive- Timeout in milliseconds before dropping integer Minimum 50

timeout Forward Error Correction packets. value: 1
Maximum
value: 1000
fec-redundant Number of redundant Forward Error integer Minimum 1

Correction packets. value: 1
Maximum
value: 5
fec-send-timeout Timeout in milliseconds before sending integer Minimum 5

Forward Error Correction packets. value: 1
Maximum
value: 1000

Fortinet Inc.
fgsp-sync Enable/disable IPsec syncing of tunnels option - disable

for FGSP IPsec.
Option Description
enable Enable IPsec syncing of tunnels to other cluster members.
disable Disable IPsec syncing of tunnels to other cluster members.
forticlient- Enable/disable FortiClient enforcement. option - disable

enforcement
Option Description
enable Enable FortiClient enforcement.
disable Disable FortiClient enforcement.
fragmentation Enable/disable fragment IKE message on option - enable

re-transmission.
Option Description
enable Enable intra-IKE fragmentation support on re-transmission.
disable Disable intra-IKE fragmentation support.
fragmentation- IKE fragmentation MTU. integer Minimum 1200

mtu value: 500
Maximum
value: 16000
group- Enable/disable IKEv2 IDi group option - disable

authentication authentication.
Option Description
enable Enable IKEv2 IDi group authentication.
disable Disable IKEv2 IDi group authentication.
group- Password for IKEv2 ID group password-3 Not Specified

authentication- authentication. ASCII string or
secret hexadecimal indicated by a leading 0x.
ha-sync-esp- Enable/disable sequence number jump option - enable

seqno ahead for IPsec HA.
Option Description
enable Enable HA syncing of ESP sequence numbers.
disable Disable HA syncing of ESP sequence numbers.

Fortinet Inc.
idle-timeout Enable/disable IPsec tunnel idle timeout. option - disable
Option Description
enable Enable IPsec tunnel idle timeout.
disable Disable IPsec tunnel idle timeout.
idle- IPsec tunnel idle timeout in minutes. integer Minimum 15

timeoutinterval value: 5
Maximum
value: 43200
ike-version IKE protocol version. option - 1
Option Description
1 Use IKEv1 protocol.
inbound-dscp- Enable/disable copy the dscp in the ESP option - disable

copy header to the inner IP Header.
Option Description
enable Enable copy the dscp in the ESP header to the inner IP Header.
disable Disable copy the dscp in the ESP header to the inner IP Header.
include-local-lan Enable/disable allow local LAN access on option - disable

unity clients.
Option Description
disable Disable local LAN access on Unity clients.
enable Enable local LAN access on Unity clients.
interface Local physical, aggregate, or VLAN string Not Specified

outgoing interface.
ip-delay-interval IP address reuse delay interval in integer Minimum 0

seconds. value: 0
Maximum
value: 28800
ip-fragmentation Determine whether IP packets are option - post-encapsulation

fragmented before or after IPsec
encapsulation.

Fortinet Inc.
Option Description
pre- Fragment before IPsec encapsulation.

encapsulation
post- Fragment after IPsec encapsulation (RFC compliant).

encapsulation
Option Description
ipv4-dns-server1 IPv4 DNS server 1. ipv4-address Not Specified 0.0.0.0
ipv4-end-ip End of IPv4 range. ipv4-address Not Specified 0.0.0.0
ipv4-name IPv4 address name. string Not Specified
ipv4-netmask IPv4 Netmask. ipv4- Not Specified 255.255.255.255

netmask
ipv4-split- IPv4 subnets that should not be sent over string Not Specified
exclude the IPsec tunnel.
ipv4-split-include IPv4 split-include subnets. string Not Specified
ipv4-start-ip Start of IPv4 range. ipv4-address Not Specified 0.0.0.0
ipv4-wins- WINS server 1. ipv4-address Not Specified 0.0.0.0

server1
ipv4-wins- WINS server 2. ipv4-address Not Specified 0.0.0.0

server2
ipv6-dns-server1 IPv6 DNS server 1. ipv6-address Not Specified ::
ipv6-end-ip End of IPv6 range. ipv6-address Not Specified ::
ipv6-name IPv6 address name. string Not Specified
ipv6-prefix IPv6 prefix. integer Minimum 128

value: 1
Maximum
value: 128

Fortinet Inc.
ipv6-split- IPv6 subnets that should not be sent over string Not Specified
exclude the IPsec tunnel.
ipv6-split-include IPv6 split-include subnets. string Not Specified
ipv6-start-ip Start of IPv6 range. ipv6-address Not Specified ::
keepalive NAT-T keep alive interval. integer Minimum 10

value: 10
Maximum
value: 900
keylife Time to wait in seconds before phase 1 integer Minimum 86400

encryption key expires. value: 120
Maximum
value: 172800
local-gw IPv4 address of the local gateway's ipv4-address Not Specified 0.0.0.0
external interface.
local-gw6 IPv6 address of the local gateway's ipv6-address Not Specified ::

external interface.
localid Local ID. string Not Specified
localid-type Local ID type. option - auto
Option Description
auto Select ID type automatically.
fqdn Use fully qualified domain name.
user-fqdn Use user fully qualified domain name.
keyid Use key-id string.
address Use local IP address.
asn1dn Use ASN.1 distinguished name.
loopback- Enable/disable asymmetric routing for option - enable

asymroute IKE traffic on loopback interface.
Option Description
enable Allow ingress/egress IKE traffic to be routed over different interfaces.
disable Ingress/egress IKE traffic must be routed over the same interface.
mesh-selector- Add selectors containing subsets of the option - disable

type configuration depending on traffic.

Fortinet Inc.
Option Description
disable Disable.
subnet Enable addition of matching subnet selector.
host Enable addition of host to host selector.
mode The ID protection mode used to establish option - main

a secure channel.
Option Description
aggressive Aggressive mode.
main Main mode.
mode-cfg Enable/disable configuration method. option - disable
Option Description
disable Disable Configuration Method.
enable Enable Configuration Method.
monitor IPsec interface as backup for primary string Not Specified

interface.
monitor-hold- Time to wait in seconds before recovery integer Minimum 0

down-delay once primary re-establishes. value: 0
Maximum
value:
31536000
monitor-hold- Time of day at which to fail back to user Not Specified

down-time primary after it re-establishes.
monitor-hold- Recovery time method when primary option - immediate

down-type interface re-establishes.
Option Description
immediate Fail back immediately after primary recovers.
delay Number of seconds to delay fail back after primary recovers.
time Specify a time at which to fail back after primary recovers.
monitor-hold- Day of the week to recover once primary option - sunday

down-weekday re-establishes.

Fortinet Inc.
Option Description
everyday Every Day.
sunday Sunday.
monday Monday.
tuesday Tuesday.
thursday Thursday.
friday Friday.
saturday Saturday.
name IPsec remote gateway name. string Not Specified
nattraversal Enable/disable NAT traversal. option - enable
Option Description
enable Enable IPsec NAT traversal.
disable Disable IPsec NAT traversal.
forced Force IPsec NAT traversal on.
negotiate- IKE SA negotiation timeout in seconds. integer Minimum 30

timeout value: 1
Maximum
value: 300
net-device Enable/disable kernel device creation. option - disable
Option Description
enable Create a kernel device for every tunnel.
disable Do not create a kernel device for tunnels.
network-id VPN gateway network ID. integer Minimum 0

value: 0
Maximum
value: 255
network-overlay Enable/disable network overlays. option - disable
Option Description
disable Disable network overlays.
enable Enable network overlays.

Fortinet Inc.
npu-offload * Enable/disable offloading NPU. option - enable
Option Description
passive-mode Enable/disable IPsec passive mode for option - disable

static tunnels.
Option Description
enable Enable IPsec passive mode.
disable Disable IPsec passive mode.
peer Accept this peer certificate. string Not Specified
peergrp Accept this peer certificate group. string Not Specified
peerid Accept this peer identity. string Not Specified
peertype Accept this peer type. option - peer
Option Description
any Accept any peer ID.
one Accept this peer ID.
dialup Accept peer ID in dialup group.
peer Accept this peer certificate.
peergrp Accept this peer certificate group.
ppk Enable/disable IKEv2 Postquantum option - disable

Preshared Key (PPK).
Option Description
disable Disable use of IKEv2 Postquantum Preshared Key (PPK).
allow Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
require Require use of IKEv2 Postquantum Preshared Key (PPK).
ppk-identity IKEv2 Postquantum Preshared Key string Not Specified

Identity.
ppk-secret IKEv2 Postquantum Preshared Key password-3 Not Specified

(ASCII string or hexadecimal encoded
with a leading 0x).

Fortinet Inc.
priority Priority for routes added by IKE. integer Minimum 1

value: 1
Maximum
value: 65535
proposal Phase1 proposal. option -
Option Description
des-md5 des-md5
des-sha1 des-sha1
des-sha256 des-sha256
3des-md5 3des-md5
3des-sha1 3des-sha1
3des-sha256 3des-sha256
aes128-md5 aes128-md5
aes128-sha1 aes128-sha1
aes128gcm-prfsha1 aes128gcm-prfsha1

Fortinet Inc.
Option Description
chacha20poly1305-prfsha1 chacha20poly1305-prfsha1
aria128-md5 aria128-md5
aria128-sha1 aria128-sha1
seed-md5 seed-md5
seed-sha1 seed-sha1

Fortinet Inc.
Option Description
seed-sha256 seed-sha256
psksecret Pre-shared secret for PSK authentication password-3 Not Specified

(ASCII string or hexadecimal encoded
with a leading 0x).
psksecret- Pre-shared secret for remote side PSK password-3 Not Specified
remote authentication (ASCII string or
hexadecimal encoded with a leading 0x).
reauth Enable/disable re-authentication upon option - disable

IKE SA lifetime expiration.
Option Description
disable Disable IKE SA re-authentication.
enable Enable IKE SA re-authentication.
rekey Enable/disable phase1 rekey. option - enable
Option Description
enable Enable phase1 rekey.
disable Disable phase1 rekey.
remote-gw IPv4 address of the remote gateway's ipv4-address Not Specified 0.0.0.0
external interface.
remote-gw6 IPv6 address of the remote gateway's ipv6-address Not Specified ::

external interface.
remotegw-ddns Domain name of remote gateway. For string Not Specified

example, name.ddns.com.
rsa-signature- Digital Signature Authentication RSA option - pkcs1

format signature format.
Option Description
pkcs1 RSASSA PKCS#1 v1.5.
pss RSASSA Probabilistic Signature Scheme (PSS).
save-password Enable/disable saving XAuth username option - disable

and password on VPN clients.

Fortinet Inc.
Option Description
disable Disable saving XAuth username and password on VPN clients.
enable Enable saving XAuth username and password on VPN clients.
send-cert-chain Enable/disable sending certificate chain. option - enable
Option Description
enable Enable sending certificate chain.
disable Disable sending certificate chain.
signature-hash- Digital Signature Authentication hash option - sha2-512

alg algorithms.
Option Description
sha1 SHA1.
sha2-256 SHA2-256.
sha2-384 SHA2-384.
sha2-512 SHA2-512.
split-include- Split-include services. string Not Specified

service
suite-b Use Suite-B. option - disable
Option Description
disable Do not use UI suite.
suite-b-gcm-128 Use Suite-B-GCM-128.
type Remote gateway type. option - static
Option Description
static Remote VPN gateway has fixed IP address.
dynamic Remote VPN gateway has dynamic IP address.
ddns Remote VPN gateway has dynamic IP address and is a dynamic DNS
client.
unity-support Enable/disable support for Cisco UNITY option - enable

Configuration Method extensions.

Fortinet Inc.
Option Description
disable Disable Cisco Unity Configuration Method Extensions.
enable Enable Cisco Unity Configuration Method Extensions.
usrgrp User group name for dialup peers. string Not Specified
vni VNI of VXLAN tunnel. integer Minimum 0

value: 1
Maximum
value:
16777215
wizard-type GUI VPN Wizard Type. option - custom
Option Description
custom Custom VPN configuration.
dialup-forticlient Dial Up - FortiClient Windows, Mac and Android.
dialup-ios Dial Up - iPhone / iPad Native IPsec Client.
dialup-android Dial Up - Android Native IPsec Client.
dialup-windows Dial Up - Windows Native IPsec Client.
dialup-cisco Dial Up - Cisco IPsec Client.
static-fortigate Site to Site - FortiGate.
dialup-fortigate Dial Up - FortiGate.
static-cisco Site to Site - Cisco.
dialup-cisco-fw Dialup Up - Cisco Firewall.
simplified-static- Site to Site - FortiGate (SD-WAN).

fortigate
hub-fortigate- Hub role in a Hub-and-Spoke auto-discovery VPN.

auto-discovery
spoke-fortigate- Spoke role in a Hub-and-Spoke auto-discovery VPN.

auto-discovery
xauthtype XAuth type. option - disable
Option Description
disable Disable.
client Enable as client.

Fortinet Inc.
Option Description
pap Enable as server PAP.
chap Enable as server CHAP.
auto Enable as server auto.

value: 0
Maximum
value:
4294967295
start-ip Start of IPv4 exclusive range. ipv4- Not Specified 0.0.0.0

address
end-ip End of IPv4 exclusive range. ipv4- Not Specified 0.0.0.0

address

value: 0
Maximum
value:
4294967295
start-ip Start of IPv6 exclusive range. ipv6- Not Specified ::

address
end-ip End of IPv6 exclusive range. ipv6- Not Specified ::

address
config vpn ipsec phase1
Configure VPN remote gateway.

Description: Configure VPN remote gateway.
edit <name>
set acct-verify [enable|disable]

Fortinet Inc.
set add-gw-route [enable|disable]
set add-route [disable|enable]
set assign-ip [disable|enable]
set assign-ip-from [range|usrgrp|...]
set authmethod [psk|signature]
set authmethod-remote [psk|signature]
set authpasswd {password}
set authusr {string}
set authusrgrp {string}
set backup-gateway <address1>, <address2>, ...
set banner {var-string}
set cert-id-validation [enable|disable]
set certificate <name1>, <name2>, ...
set childless-ike [enable|disable]
set client-auto-negotiate [disable|enable]
set client-keep-alive [disable|enable]
set dhcp-ra-giaddr {ipv4-address}
set dhcp6-ra-linkaddr {ipv6-address}
set digital-signature-auth [enable|disable]
set dns-mode [manual|auto]
set domain {string}
set dpd [disable|on-idle|...]
set dpd-retrycount {integer}
set dpd-retryinterval {user}
set eap-exclude-peergrp {string}
set eap-identity [use-id-payload|send-request]
set enforce-unique-id [disable|keep-new|...]
set esn [require|allow|...]
set fec-base {integer}
set fec-codec [rs|xor]
set fec-egress [enable|disable]
set fec-health-check {string}
set fec-ingress [enable|disable]
set fec-mapping-profile {string}
set fec-receive-timeout {integer}
set fec-redundant {integer}
set fec-send-timeout {integer}
set fgsp-sync [enable|disable]
set forticlient-enforcement [enable|disable]
set fragmentation [enable|disable]
set fragmentation-mtu {integer}
set group-authentication [enable|disable]
set group-authentication-secret {password-3}
set ha-sync-esp-seqno [enable|disable]
set idle-timeout [enable|disable]
set idle-timeoutinterval {integer}
set ike-version [1|2]
set inbound-dscp-copy [enable|disable]
set include-local-lan [disable|enable]
set ip-delay-interval {integer}

Fortinet Inc.
Description: Configuration Method IPv4 exclude ranges.
edit <id>
set id {integer}
next
end
set ipv4-netmask {ipv4-netmask}
Description: Configuration method IPv6 exclude ranges.
edit <id>
set id {integer}
next
end
set ipv6-prefix {integer}
set keepalive {integer}
set keylife {integer}
set local-gw {ipv4-address}
set localid {string}
set localid-type [auto|fqdn|...]
set mesh-selector-type [disable|subnet|...]
set mode [aggressive|main]
set mode-cfg [disable|enable]
set name {string}
set nattraversal [enable|disable|...]
set negotiate-timeout {integer}
set peer {string}
set peergrp {string}
set peerid {string}
set peertype [any|one|...]
set ppk [disable|allow|...]

Fortinet Inc.
set psksecret-remote {password-3}
set reauth [disable|enable]
set rekey [enable|disable]
set remotegw-ddns {string}
set rsa-signature-format [pkcs1|pss]
set save-password [disable|enable]
set send-cert-chain [enable|disable]
set signature-hash-alg {option1}, {option2}, ...
set split-include-service {string}
set suite-b [disable|suite-b-gcm-128|...]
set type [static|dynamic|...]
set unity-support [disable|enable]
set usrgrp {string}
set wizard-type [custom|dialup-forticlient|...]
set xauthtype [disable|client|...]
next
end
acct-verify Enable/disable verification of RADIUS option - disable

accounting record.
Option Description
enable Enable verification of RADIUS accounting record.
disable Disable verification of RADIUS accounting record.
add-gw-route Enable/disable automatically add a route to option - disable

the remote gateway.
Option Description
enable Automatically add a route to the remote gateway.
disable Do not automatically add a route to the remote gateway.
add-route Enable/disable control addition of a route to option - disable

peer destination selector.
Option Description
disable Do not add a route to destination of peer selector.
enable Add route to destination of peer selector.
assign-ip Enable/disable assignment of IP to IPsec option - enable

interface via configuration method.

Fortinet Inc.
Option Description
disable Do not assign an IP address to the IPsec interface.
enable Assign an IP address to the IPsec interface.
assign-ip-from Method by which the IP address will be option - range

assigned.
Option Description
range Assign IP address from locally defined range.
usrgrp Assign IP address via user group.
dhcp Assign IP address via DHCP.
name Assign IP address from firewall address or group.
authmethod Authentication method. option - psk
Option Description
authmethod- Authentication method (remote side). option -

remote
Option Description
authpasswd XAuth password (max 35 characters). password Not

Specified
authusr XAuth user name. string Not

Specified
authusrgrp Authentication user group. string Not

Specified
auto-negotiate Enable/disable automatic initiation of IKE option - enable

SA negotiation.
Option Description
enable Enable automatic initiation of IKE SA negotiation.
disable Disable automatic initiation of IKE SA negotiation.

Fortinet Inc.
backup-gateway Instruct unity clients about the backup string Maximum

<address> gateway address(es). length: 79
Address of backup gateway.
banner Message that unity client should display var-string Not

after connecting. Specified
cert-id-validation Enable/disable cross validation of peer ID option - enable

and the identity in the peer's certificate as
Option Description
enable Enable cross validation of peer ID and the identity in the peer's certificate as
disable Disable cross validation of peer ID and the identity in the peer's certificate
as specified in RFC 4945.
certificate Names of up to 4 signed personal string Maximum

<name> certificates. length: 79
Certificate name.
childless-ike Enable/disable childless IKEv2 initiation option - disable

(RFC 6023).
Option Description
enable Enable childless IKEv2 initiation (RFC 6023).
disable Disable childless IKEv2 initiation (RFC 6023).
client-auto- Enable/disable allowing the VPN client to option - disable

negotiate bring up the tunnel when there is no traffic.
Option Description
disable Disable allowing the VPN client to bring up the tunnel when there is no
traffic.
enable Enable allowing the VPN client to bring up the tunnel when there is no
traffic.
client-keep-alive Enable/disable allowing the VPN client to option - disable

keep the tunnel up when there is no traffic.
Option Description
disable Disable allowing the VPN client to keep the tunnel up when there is no
traffic.

Fortinet Inc.
Option Description
enable Enable allowing the VPN client to keep the tunnel up when there is no
traffic.

Specified
dhcp-ra-giaddr Relay agent gateway IP address to use in ipv4-address Not 0.0.0.0

the giaddr field of DHCP requests. Specified
dhcp6-ra- Relay agent IPv6 link address to use in ipv6-address Not ::

linkaddr DHCP6 requests. Specified
dhgrp DH group. option - 14
Option Description
1 DH Group 1.
2 DH Group 2.
5 DH Group 5.
14 DH Group 14.
15 DH Group 15.
16 DH Group 16.
17 DH Group 17.
18 DH Group 18.
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
27 DH Group 27.
28 DH Group 28.
29 DH Group 29.
30 DH Group 30.
31 DH Group 31.
32 DH Group 32.
digital-signature- Enable/disable IKEv2 Digital Signature option - disable

auth Authentication (RFC 7427).

Fortinet Inc.
Option Description
enable Enable IKEv2 Digital Signature Authentication (RFC 7427).
disable Disable IKEv2 Digital Signature Authentication (RFC 7427).
distance Distance for routes added by IKE. integer Minimum 15

value: 1
Maximum
value: 255
dns-mode DNS server mode. option - manual
Option Description
manual Manually configure DNS servers.
auto Use default DNS servers.
domain Instruct unity clients about the single default string Not
DNS domain. Specified
dpd Dead Peer Detection mode. option - on-demand
Option Description
disable Disable Dead Peer Detection.
on-idle Trigger Dead Peer Detection when IPsec is idle.
on-demand Trigger Dead Peer Detection when IPsec traffic is sent but no reply is
received from the peer.
dpd-retrycount Number of DPD retry attempts. integer Minimum 3

value: 0
Maximum
value: 10
dpd-retryinterval DPD retry interval. user Not

Specified
eap Enable/disable IKEv2 EAP authentication. option - disable
Option Description
enable Enable IKEv2 EAP authentication.
disable Disable IKEv2 EAP authentication.
eap-exclude- Peer group excluded from EAP string Not

peergrp authentication. Specified
eap-identity IKEv2 EAP peer identity type. option - use-id-payload

Fortinet Inc.
Option Description
use-id-payload Use IKEv2 IDi payload to resolve peer identity.
send-request Use EAP identity request to resolve peer identity.
enforce-unique- Enable/disable peer ID uniqueness check. option - disable

id
Option Description
disable Disable peer ID uniqueness enforcement.
keep-new Enforce peer ID uniqueness, keep new connection if collision found.
keep-old Enforce peer ID uniqueness, keep old connection if collision found.
esn * Extended sequence number (ESN) option - disable

negotiation.
Option Description
require Require extended sequence number.
allow Allow extended sequence number.
disable Disable extended sequence number.
fec-base Number of base Forward Error Correction integer Minimum 10

packets. value: 1
Maximum
value: 20
fec-codec Forward Error Correction option - rs

encoding/decoding algorithm.
Option Description
rs Reed-Solomon FEC algorithm.
xor XOR FEC algorithm.
fec-egress Enable/disable Forward Error Correction for option - disable

egress IPsec traffic.
Option Description
enable Enable Forward Error Correction for egress IPsec traffic.
disable Disable Forward Error Correction for egress IPsec traffic.
fec-health-check SD-WAN health check. string Not

Specified

Fortinet Inc.
fec-ingress Enable/disable Forward Error Correction for option - disable

ingress IPsec traffic.
Option Description
enable Enable Forward Error Correction for ingress IPsec traffic.
disable Disable Forward Error Correction for ingress IPsec traffic.
fec-mapping- Forward Error Correction (FEC) mapping string Not

profile profile. Specified
fec-receive- Timeout in milliseconds before dropping integer Minimum 50

timeout Forward Error Correction packets. value: 1
Maximum
value: 1000
fec-redundant Number of redundant Forward Error integer Minimum 1

Correction packets. value: 1
Maximum
value: 5
fec-send-timeout Timeout in milliseconds before sending integer Minimum 5

Forward Error Correction packets. value: 1
Maximum
value: 1000
fgsp-sync Enable/disable IPsec syncing of tunnels for option - disable

FGSP IPsec.
Option Description
enable Enable IPsec syncing of tunnels to other cluster members.
disable Disable IPsec syncing of tunnels to other cluster members.
forticlient- Enable/disable FortiClient enforcement. option - disable

enforcement
Option Description
enable Enable FortiClient enforcement.
disable Disable FortiClient enforcement.
fragmentation Enable/disable fragment IKE message on option - enable

re-transmission.
Option Description
enable Enable intra-IKE fragmentation support on re-transmission.
disable Disable intra-IKE fragmentation support.

Fortinet Inc.
fragmentation- IKE fragmentation MTU. integer Minimum 1200

mtu value: 500
Maximum
value: 16000
group- Enable/disable IKEv2 IDi group option - disable

authentication authentication.
Option Description
enable Enable IKEv2 IDi group authentication.
disable Disable IKEv2 IDi group authentication.
group- Password for IKEv2 ID group password-3 Not

authentication- authentication. ASCII string or hexadecimal Specified
secret indicated by a leading 0x.
ha-sync-esp- Enable/disable sequence number jump option - enable

seqno ahead for IPsec HA.
Option Description
enable Enable HA syncing of ESP sequence numbers.
disable Disable HA syncing of ESP sequence numbers.
idle-timeout Enable/disable IPsec tunnel idle timeout. option - disable
Option Description
enable Enable IPsec tunnel idle timeout.
disable Disable IPsec tunnel idle timeout.
idle- IPsec tunnel idle timeout in minutes. integer Minimum 15

timeoutinterval value: 5
Maximum
value: 43200
ike-version IKE protocol version. option - 1
Option Description
inbound-dscp- Enable/disable copy the dscp in the ESP option - disable

copy header to the inner IP Header.

Fortinet Inc.
Option Description
include-local-lan Enable/disable allow local LAN access on option - disable

unity clients.
Option Description
disable Disable local LAN access on Unity clients.
enable Enable local LAN access on Unity clients.
interface Local physical, aggregate, or VLAN string Not

outgoing interface. Specified
ip-delay-interval IP address reuse delay interval in seconds. integer Minimum 0

value: 0
Maximum
value: 28800
ipv4-dns-server1 IPv4 DNS server 1. ipv4-address Not 0.0.0.0

Specified

Specified

Specified
ipv4-end-ip End of IPv4 range. ipv4-address Not 0.0.0.0

Specified
ipv4-name IPv4 address name. string Not

Specified
ipv4-netmask IPv4 Netmask. ipv4- Not 255.255.255.255

netmask Specified
ipv4-split- IPv4 subnets that should not be sent over string Not
exclude the IPsec tunnel. Specified
ipv4-split-include IPv4 split-include subnets. string Not

Specified
ipv4-start-ip Start of IPv4 range. ipv4-address Not 0.0.0.0

Specified
ipv4-wins- WINS server 1. ipv4-address Not 0.0.0.0

server1 Specified

Fortinet Inc.
ipv4-wins- WINS server 2. ipv4-address Not 0.0.0.0

server2 Specified
ipv6-dns-server1 IPv6 DNS server 1. ipv6-address Not ::

Specified

Specified

Specified
ipv6-end-ip End of IPv6 range. ipv6-address Not ::

Specified
ipv6-name IPv6 address name. string Not

Specified
ipv6-prefix IPv6 prefix. integer Minimum 128

value: 1
Maximum
value: 128
ipv6-split- IPv6 subnets that should not be sent over string Not
exclude the IPsec tunnel. Specified
ipv6-split-include IPv6 split-include subnets. string Not

Specified
ipv6-start-ip Start of IPv6 range. ipv6-address Not ::

Specified
keepalive NAT-T keep alive interval. integer Minimum 10

value: 10
Maximum
value: 900
keylife Time to wait in seconds before phase 1 integer Minimum 86400

encryption key expires. value: 120
Maximum
value:
172800
local-gw Local VPN gateway. ipv4-address Not 0.0.0.0

Specified
localid Local ID. string Not

Specified
localid-type Local ID type. option - auto

Fortinet Inc.
Option Description
auto Select ID type automatically.
fqdn Use fully qualified domain name.
user-fqdn Use user fully qualified domain name.
keyid Use key-id string.
address Use local IP address.
asn1dn Use ASN.1 distinguished name.
mesh-selector- Add selectors containing subsets of the option - disable

type configuration depending on traffic.
Option Description
disable Disable.
subnet Enable addition of matching subnet selector.
host Enable addition of host to host selector.
mode ID protection mode used to establish a option - main

secure channel.
Option Description
aggressive Aggressive mode.
main Main mode.
mode-cfg Enable/disable configuration method. option - disable
Option Description
disable Disable Configuration Method.
enable Enable Configuration Method.
name IPsec remote gateway name. string Not

Specified
nattraversal Enable/disable NAT traversal. option - enable
Option Description
enable Enable IPsec NAT traversal.
disable Disable IPsec NAT traversal.
forced Force IPsec NAT traversal on.

Fortinet Inc.
negotiate- IKE SA negotiation timeout in seconds. integer Minimum 30

timeout value: 1
Maximum
value: 300
npu-offload * Enable/disable offloading NPU. option - enable
Option Description
peer Accept this peer certificate. string Not

Specified
peergrp Accept this peer certificate group. string Not

Specified
peerid Accept this peer identity. string Not

Specified
peertype Accept this peer type. option - peer
Option Description
any Accept any peer ID.
one Accept this peer ID.
dialup Accept peer ID in dialup group.
peer Accept this peer certificate.
peergrp Accept this peer certificate group.
ppk Enable/disable IKEv2 Postquantum option - disable

Preshared Key (PPK).
Option Description
disable Disable use of IKEv2 Postquantum Preshared Key (PPK).
allow Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
require Require use of IKEv2 Postquantum Preshared Key (PPK).
ppk-identity IKEv2 Postquantum Preshared Key string Not

Identity. Specified
ppk-secret IKEv2 Postquantum Preshared Key (ASCII password-3 Not

string or hexadecimal encoded with a Specified
leading 0x).

Fortinet Inc.
priority Priority for routes added by IKE. integer Minimum 1

value: 1
Maximum
value: 65535
Option Description
des-md5 des-md5
des-sha1 des-sha1
3des-md5 3des-md5
3des-sha1 3des-sha1

Fortinet Inc.
Option Description
seed-md5 seed-md5
seed-sha1 seed-sha1

Fortinet Inc.
Option Description
psksecret Pre-shared secret for PSK authentication password-3 Not

(ASCII string or hexadecimal encoded with Specified
a leading 0x).
psksecret- Pre-shared secret for remote side PSK password-3 Not

remote authentication (ASCII string or hexadecimal Specified
encoded with a leading 0x).
reauth Enable/disable re-authentication upon IKE option - disable

SA lifetime expiration.
Option Description
disable Disable IKE SA re-authentication.
enable Enable IKE SA re-authentication.
rekey Enable/disable phase1 rekey. option - enable
Option Description
enable Enable phase1 rekey.
disable Disable phase1 rekey.
remote-gw Remote VPN gateway. ipv4-address Not 0.0.0.0

Specified
remotegw-ddns Domain name of remote gateway. For string Not

example, name.ddns.com. Specified
rsa-signature- Digital Signature Authentication RSA option - pkcs1

format signature format.
Option Description
pkcs1 RSASSA PKCS#1 v1.5.
pss RSASSA Probabilistic Signature Scheme (PSS).
save-password Enable/disable saving XAuth username option - disable

and password on VPN clients.

Fortinet Inc.
Option Description
disable Disable saving XAuth username and password on VPN clients.
enable Enable saving XAuth username and password on VPN clients.
send-cert-chain Enable/disable sending certificate chain. option - enable
Option Description
enable Enable sending certificate chain.
disable Disable sending certificate chain.
signature-hash- Digital Signature Authentication hash option - sha2-512

alg algorithms.
Option Description
sha1 SHA1.
sha2-256 SHA2-256.
sha2-384 SHA2-384.
sha2-512 SHA2-512.
split-include- Split-include services. string Not

service Specified
suite-b Use Suite-B. option - disable
Option Description
disable Do not use UI suite.
type Remote gateway type. option - static
Option Description
static Remote VPN gateway has fixed IP address.
dynamic Remote VPN gateway has dynamic IP address.
ddns Remote VPN gateway has dynamic IP address and is a dynamic DNS
client.
unity-support Enable/disable support for Cisco UNITY option - enable

Configuration Method extensions.

Fortinet Inc.
Option Description
disable Disable Cisco Unity Configuration Method Extensions.
enable Enable Cisco Unity Configuration Method Extensions.
usrgrp User group name for dialup peers. string Not

Specified
wizard-type GUI VPN Wizard Type. option - custom
Option Description
custom Custom VPN configuration.
dialup-forticlient Dial Up - FortiClient Windows, Mac and Android.
dialup-ios Dial Up - iPhone / iPad Native IPsec Client.
dialup-android Dial Up - Android Native IPsec Client.
dialup-windows Dial Up - Windows Native IPsec Client.
dialup-cisco Dial Up - Cisco IPsec Client.
static-fortigate Site to Site - FortiGate.
dialup-fortigate Dial Up - FortiGate.
static-cisco Site to Site - Cisco.
dialup-cisco-fw Dialup Up - Cisco Firewall.
simplified-static- Site to Site - FortiGate (SD-WAN).

fortigate
hub-fortigate- Hub role in a Hub-and-Spoke auto-discovery VPN.

auto-discovery
spoke-fortigate- Spoke role in a Hub-and-Spoke auto-discovery VPN.

auto-discovery
xauthtype XAuth type. option - disable
Option Description
disable Disable.
client Enable as client.
pap Enable as server PAP.
chap Enable as server CHAP.
auto Enable as server auto.

Fortinet Inc.

value: 0
Maximum
value:
4294967295
start-ip Start of IPv4 exclusive range. ipv4- Not Specified 0.0.0.0

address
end-ip End of IPv4 exclusive range. ipv4- Not Specified 0.0.0.0

address

value: 0
Maximum
value:
4294967295
start-ip Start of IPv6 exclusive range. ipv6- Not Specified ::

address
end-ip End of IPv6 exclusive range. ipv6- Not Specified ::

address
Configure VPN autokey tunnel.

Description: Configure VPN autokey tunnel.
edit <name>
set add-route [phase1|enable|...]
set auto-discovery-forwarder [phase1|enable|...]
set auto-discovery-sender [phase1|enable|...]
set dhcp-ipsec [enable|disable]
set dst-addr-type [subnet|range|...]
set dst-end-ip {ipv4-address-any}
set dst-end-ip6 {ipv6-address}
set dst-name {string}
set dst-name6 {string}

Fortinet Inc.
set dst-start-ip {ipv4-address-any}
set dst-start-ip6 {ipv6-address}
set dst-subnet {ipv4-classnet-any}
set dst-subnet6 {ipv6-prefix}
set encapsulation [tunnel-mode|transport-mode]
set inbound-dscp-copy [phase1|enable|...]
set initiator-ts-narrow [enable|disable]
set ipv4-df [enable|disable]
set keepalive [enable|disable]
set keylife-type [seconds|kbs|...]
set keylifekbs {integer}
set keylifeseconds {integer}
set l2tp [enable|disable]
set name {string}
set pfs [enable|disable]
set replay [enable|disable]
set route-overlap [use-old|use-new|...]
set single-source [enable|disable]
set src-addr-type [subnet|range|...]
set src-end-ip {ipv4-address-any}
set src-end-ip6 {ipv6-address}
set src-name {string}
set src-name6 {string}
set src-start-ip {ipv4-address-any}
set src-start-ip6 {ipv6-address}
set src-subnet {ipv4-classnet-any}
set src-subnet6 {ipv6-prefix}
next
end
add-route Enable/disable automatic route addition. option - phase1
Option Description
phase1 Add route according to phase1 add-route setting.
enable Add route for remote proxy ID.
disable Do not add route for remote proxy ID.
auto-discovery- Enable/disable forwarding short-cut messages. option - phase1

forwarder

Fortinet Inc.
Option Description
phase1 Forward short-cut messages according to the phase1 auto-discovery-

forwarder setting.
enable Enable forwarding auto-discovery short-cut messages.
disable Disable forwarding auto-discovery short-cut messages.
auto-discovery- Enable/disable sending short-cut messages. option - phase1

sender
Option Description
phase1 Send short-cut messages according to the phase1 auto-discovery-sender

setting.
enable Enable sending auto-discovery short-cut messages.
disable Disable sending auto-discovery short-cut messages.
auto-negotiate Enable/disable IPsec SA auto-negotiation. option - disable
Option Description
dhcp-ipsec Enable/disable DHCP-IPsec. option - disable
Option Description
dhgrp Phase2 DH group. option - 14
Option Description
1 DH Group 1.
2 DH Group 2.
5 DH Group 5.
14 DH Group 14.
15 DH Group 15.
16 DH Group 16.

Fortinet Inc.
Option Description
17 DH Group 17.
18 DH Group 18.
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
27 DH Group 27.
28 DH Group 28.
29 DH Group 29.
30 DH Group 30.
31 DH Group 31.
32 DH Group 32.
diffserv Enable/disable applying DSCP value to the option - disable

IPsec tunnel outer IP header.
Option Description
diffservcode DSCP value to be applied to the IPsec tunnel user Not Specified
outer IP header.
dst-addr-type Remote proxy ID type. option - subnet
Option Description
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 IP.
name IPv4 firewall address or group name.
subnet6 IPv6 subnet.
range6 IPv6 range.
ip6 IPv6 IP.
name6 IPv6 firewall address or group name.

Fortinet Inc.
dst-end-ip Remote proxy ID IPv4 end. ipv4- Not Specified 0.0.0.0

address-any
dst-end-ip6 Remote proxy ID IPv6 end. ipv6- Not Specified ::

address
dst-name Remote proxy ID name. string Not Specified
dst-name6 Remote proxy ID name. string Not Specified
dst-port Quick mode destination port. integer Minimum 0

value: 0
Maximum
value: 65535
dst-start-ip Remote proxy ID IPv4 start. ipv4- Not Specified 0.0.0.0

address-any
dst-start-ip6 Remote proxy ID IPv6 start. ipv6- Not Specified ::

address
dst-subnet Remote proxy ID IPv4 subnet. ipv4- Not Specified 0.0.0.0

classnet-any 0.0.0.0
dst-subnet6 Remote proxy ID IPv6 subnet. ipv6-prefix Not Specified ::/0
encapsulation ESP encapsulation mode. option - tunnel-mode
Option Description
tunnel-mode Use tunnel mode encapsulation.
transport-mode Use transport mode encapsulation.
inbound-dscp- Enable/disable copy the dscp in the ESP header option - phase1
copy to the inner IP Header.
Option Description
phase1 copy the dscp in the ESP header to the inner IP Header according to the
phase1 inbound_dscp_copy setting.
initiator-ts- Enable/disable traffic selector narrowing for option - disable

narrow IKEv2 initiator.
Option Description

Fortinet Inc.
ipv4-df Enable/disable setting and resetting of IPv4 option - disable

'Don't Fragment' bit.
Option Description
enable Set IPv4 DF the same as original packet.
disable Reset IPv4 DF.
keepalive Enable/disable keep alive. option - disable
Option Description
keylife-type Keylife type. option - seconds
Option Description
seconds Key life in seconds.
kbs Key life in kilobytes.
both Key life both.
keylifekbs Phase2 key life in number of kilobytes of traffic. integer Minimum 5120
value: 5120
Maximum
value:
4294967295
keylifeseconds Phase2 key life in time in seconds. integer Minimum 43200

value: 120
Maximum
value: 172800
l2tp Enable/disable L2TP over IPsec. option - disable
Option Description
enable Enable L2TP over IPsec.
disable Disable L2TP over IPsec.
name IPsec tunnel name. string Not Specified
pfs Enable/disable PFS feature. option - enable

Fortinet Inc.
Option Description
phase1name Phase 1 determines the options required for string Not Specified
phase 2.
Option Description
null-md5 null-md5
null-sha1 null-sha1
null-sha256 null-sha256
des-null des-null
des-md5 des-md5
des-sha1 des-sha1
3des-null 3des-null
3des-md5 3des-md5
3des-sha1 3des-sha1
aes128-null aes128-null

Fortinet Inc.
Option Description
aes128gcm aes128gcm
aes256gcm aes256gcm
chacha20poly1305 chacha20poly1305
aria128-null aria128-null

Fortinet Inc.
Option Description
seed-null seed-null
seed-md5 seed-md5
seed-sha1 seed-sha1
protocol Quick mode protocol selector. integer Minimum 0

value: 0
Maximum
value: 255
replay Enable/disable replay detection. option - enable
Option Description
route-overlap Action for overlapping routes. option - use-new
Option Description
use-old Use the old route and do not add the new route.
use-new Delete the old route and add the new route.
allow Allow overlapping routes.
single-source Enable/disable single source IP restriction. option - disable
Option Description
enable Only single source IP will be accepted.
disable Source IP range will be accepted.
src-addr-type Local proxy ID type. option - subnet

Fortinet Inc.
Option Description
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 IP.
subnet6 IPv6 subnet.
range6 IPv6 range.
ip6 IPv6 IP.
name6 IPv6 firewall address or group name.
src-end-ip Local proxy ID end. ipv4- Not Specified 0.0.0.0

address-any
src-end-ip6 Local proxy ID IPv6 end. ipv6- Not Specified ::

address
src-name Local proxy ID name. string Not Specified
src-name6 Local proxy ID name. string Not Specified
src-port Quick mode source port. integer Minimum 0

value: 0
Maximum
value: 65535
src-start-ip Local proxy ID start. ipv4- Not Specified 0.0.0.0

address-any
src-start-ip6 Local proxy ID IPv6 start. ipv6- Not Specified ::

address
src-subnet Local proxy ID subnet. ipv4- Not Specified 0.0.0.0

src-subnet6 Local proxy ID IPv6 subnet. ipv6-prefix Not Specified ::/0
Configure VPN autokey tunnel.

Description: Configure VPN autokey tunnel.
edit <name>
set add-route [phase1|enable|...]
set dhcp-ipsec [enable|disable]

Fortinet Inc.
set dst-addr-type [subnet|range|...]
set dst-end-ip {ipv4-address-any}
set dst-end-ip6 {ipv6-address}
set dst-name {string}
set dst-name6 {string}
set dst-start-ip {ipv4-address-any}
set dst-start-ip6 {ipv6-address}
set dst-subnet {ipv4-classnet-any}
set dst-subnet6 {ipv6-prefix}
set encapsulation [tunnel-mode|transport-mode]
set inbound-dscp-copy [phase1|enable|...]
set initiator-ts-narrow [enable|disable]
set ipv4-df [enable|disable]
set keepalive [enable|disable]
set keylife-type [seconds|kbs|...]
set keylifekbs {integer}
set keylifeseconds {integer}
set l2tp [enable|disable]
set name {string}
set pfs [enable|disable]
set replay [enable|disable]
set route-overlap [use-old|use-new|...]
set selector-match [exact|subset|...]
set single-source [enable|disable]
set src-addr-type [subnet|range|...]
set src-end-ip {ipv4-address-any}
set src-end-ip6 {ipv6-address}
set src-name {string}
set src-name6 {string}
set src-start-ip {ipv4-address-any}
set src-start-ip6 {ipv6-address}
set src-subnet {ipv4-classnet-any}
set src-subnet6 {ipv6-prefix}
set use-natip [enable|disable]
next
end
add-route Enable/disable automatic route addition. option - phase1

Fortinet Inc.
Option Description
phase1 Add route according to phase1 add-route setting.
enable Add route for remote proxy ID.
disable Do not add route for remote proxy ID.
auto-negotiate Enable/disable IPsec SA auto-negotiation. option - disable
Option Description
dhcp-ipsec Enable/disable DHCP-IPsec. option - disable
Option Description
dhgrp Phase2 DH group. option - 14
Option Description
1 DH Group 1.
2 DH Group 2.
5 DH Group 5.
14 DH Group 14.
15 DH Group 15.
16 DH Group 16.
17 DH Group 17.
18 DH Group 18.
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
27 DH Group 27.
28 DH Group 28.

Fortinet Inc.
Option Description
29 DH Group 29.
30 DH Group 30.
31 DH Group 31.
32 DH Group 32.
diffserv Enable/disable applying DSCP value to the option - disable

IPsec tunnel outer IP header.
Option Description
diffservcode DSCP value to be applied to the IPsec tunnel user Not Specified
outer IP header.
dst-addr-type Remote proxy ID type. option - subnet
Option Description
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 IP.
dst-end-ip Remote proxy ID IPv4 end. ipv4- Not Specified 0.0.0.0

address-any
dst-end-ip6 Remote proxy ID IPv6 end. ipv6- Not Specified ::

address
dst-name Remote proxy ID name. string Not Specified
dst-name6 Remote proxy ID name. string Not Specified
dst-port Quick mode destination port. integer Minimum 0

value: 0
Maximum
value: 65535
dst-start-ip Remote proxy ID IPv4 start. ipv4- Not Specified 0.0.0.0

address-any
dst-start-ip6 Remote proxy ID IPv6 start. ipv6- Not Specified ::

address

Fortinet Inc.
dst-subnet Remote proxy ID IPv4 subnet. ipv4- Not Specified 0.0.0.0

dst-subnet6 Remote proxy ID IPv6 subnet. ipv6-prefix Not Specified ::/0
encapsulation ESP encapsulation mode. option - tunnel-mode
Option Description
tunnel-mode Use tunnel mode encapsulation.
transport-mode Use transport mode encapsulation.
inbound-dscp- Enable/disable copy the dscp in the ESP header option - phase1
copy to the inner IP Header.
Option Description
phase1 copy the dscp in the ESP header to the inner IP Header according to the
phase1 inbound_dscp_copy setting.
initiator-ts- Enable/disable traffic selector narrowing for option - disable

narrow IKEv2 initiator.
Option Description
ipv4-df Enable/disable setting and resetting of IPv4 option - disable

'Don't Fragment' bit.
Option Description
enable Set IPv4 DF the same as original packet.
disable Reset IPv4 DF.
keepalive Enable/disable keep alive. option - disable
Option Description
keylife-type Keylife type. option - seconds

Fortinet Inc.
Option Description
seconds Key life in seconds.
kbs Key life in kilobytes.
both Key life both.
keylifekbs Phase2 key life in number of kilobytes of traffic. integer Minimum 5120
value: 5120
Maximum
value:
4294967295
keylifeseconds Phase2 key life in time in seconds. integer Minimum 43200

value: 120
Maximum
value: 172800
l2tp Enable/disable L2TP over IPsec. option - disable
Option Description
enable Enable L2TP over IPsec.
disable Disable L2TP over IPsec.
name IPsec tunnel name. string Not Specified
pfs Enable/disable PFS feature. option - enable
Option Description
phase1name Phase 1 determines the options required for string Not Specified
phase 2.
Option Description
null-md5 null-md5
null-sha1 null-sha1

Fortinet Inc.
Option Description
des-null des-null
des-md5 des-md5
des-sha1 des-sha1
3des-null 3des-null
3des-md5 3des-md5
3des-sha1 3des-sha1
aes128gcm aes128gcm

Fortinet Inc.
Option Description
aes256gcm aes256gcm
chacha20poly1305 chacha20poly1305
seed-null seed-null
seed-md5 seed-md5
seed-sha1 seed-sha1

Fortinet Inc.
protocol Quick mode protocol selector. integer Minimum 0

value: 0
Maximum
value: 255
replay Enable/disable replay detection. option - enable
Option Description
route-overlap Action for overlapping routes. option - use-new
Option Description
use-old Use the old route and do not add the new route.
use-new Delete the old route and add the new route.
allow Allow overlapping routes.
selector-match Match type to use when comparing selectors. option - auto
Option Description
exact Match selectors exactly.
subset Match selectors by subset.
auto Use subset or exact match depending on selector address type.
single-source Enable/disable single source IP restriction. option - disable
Option Description
enable Only single source IP will be accepted.
disable Source IP range will be accepted.
src-addr-type Local proxy ID type. option - subnet
Option Description
subnet IPv4 subnet.
range IPv4 range.
ip IPv4 IP.

Fortinet Inc.
src-end-ip Local proxy ID end. ipv4- Not Specified 0.0.0.0

address-any
src-end-ip6 Local proxy ID IPv6 end. ipv6- Not Specified ::

address
src-name Local proxy ID name. string Not Specified
src-name6 Local proxy ID name. string Not Specified
src-port Quick mode source port. integer Minimum 0

value: 0
Maximum
value: 65535
src-start-ip Local proxy ID start. ipv4- Not Specified 0.0.0.0

address-any
src-start-ip6 Local proxy ID IPv6 start. ipv6- Not Specified ::

address
src-subnet Local proxy ID subnet. ipv4- Not Specified 0.0.0.0

src-subnet6 Local proxy ID IPv6 subnet. ipv6-prefix Not Specified ::/0
use-natip Enable to use the FortiGate public IP as the option - enable

source selector when outbound NAT is used.
Option Description
enable Replace source selector with interface IP when using outbound NAT.
disable Do not modify source selector when using outbound NAT.
config vpn ipsec stats crypto
IPsec crypto statistics.

config vpn ipsec stats crypto
Description: IPsec crypto statistics.
end
config vpn ipsec stats tunnel
IPsec tunnel statistics.

config vpn ipsec stats tunnel
Description: IPsec tunnel statistics.
end

Fortinet Inc.
config vpn ipsec tunnel details
List all IPsec tunnels in details.

config vpn ipsec tunnel details
Description: List all IPsec tunnels in details.
end
config vpn ipsec tunnel name
List IPsec tunnel by name.

config vpn ipsec tunnel name
Description: List IPsec tunnel by name.
end
config vpn ipsec tunnel summary
List all IPsec tunnels in summary.

config vpn ipsec tunnel summary
Description: List all IPsec tunnels in summary.
end
config vpn l2tp
Configure L2TP.
config vpn l2tp
Description: Configure L2TP.
set compress [enable|disable]
set eip {ipv4-address}
set enforce-ipsec [enable|disable]
set sip {ipv4-address}
set usrgrp {string}
end
config vpn l2tp
compress Enable/disable data compression. option - disable

Fortinet Inc.
Option Description
enable Enable compress
disable Disable compress
eip End IP. ipv4- Not 0.0.0.0

address Specified
enforce-ipsec Enable/disable IPsec enforcement. option - disable
Option Description
enable Enable enforce-ipsec
disable Disable enforce-ipsec
hello-interval L2TP hello message interval in seconds. integer Minimum 60

value: 0
Maximum
value: 3600
lcp-echo- Time in seconds between PPPoE Link Control Protocol integer Minimum 5
interval (LCP) echo requests. value: 0
Maximum
value:
32767
lcp-max- Maximum number of missed LCP echo messages integer Minimum 3

echo-fails before disconnect. value: 0
Maximum
value:
32767
sip Start IP. ipv4- Not 0.0.0.0

address Specified
status Enable/disable FortiGate as a L2TP gateway. option - disable
Option Description
usrgrp User group. string Not

Specified
config vpn ocvpn
Configure Overlay Controller VPN settings.

Fortinet Inc.
config vpn ocvpn
Description: Configure Overlay Controller VPN settings.
set auto-discovery [enable|disable]
set auto-discovery-shortcut-mode [independent|dependent]
set eap-users {string}
config forticlient-access
Description: Configure FortiClient settings.
config auth-groups
Description: FortiClient user authentication groups.
edit <name>
set name {string}
set auth-group {string}
set overlays <overlay-name1>, <overlay-name2>, ...
next
end
end
set ip-allocation-block {ipv4-classnet-any}
set multipath [enable|disable]
set nat [enable|disable]
config overlays
Description: Network overlays to register with Overlay Controller VPN service.
edit <overlay-name>
set overlay-name {string}
set inter-overlay [allow|deny]
config subnets
Description: Internal subnets to register with OCVPN service.
edit <id>
set id {integer}
set type [subnet|interface]
next
end
next
end
set role [spoke|primary-hub|...]
set sdwan [enable|disable]
set sdwan-zone {string}
set wan-interface <name1>, <name2>, ...
end
config vpn ocvpn
auto- Enable/disable auto-discovery shortcuts. option - enable

discovery

Fortinet Inc.
Option Description
enable Enable ADVPN auto-discovery shortcuts.
disable Disable ADVPN auto-discovery shortcuts.
auto- Control deletion of child short-cut tunnels when the option - independent
discovery- parent tunnel goes down.
shortcut-
mode
Option Description
independent Short-cut tunnels remain up if the parent tunnel goes down.
dependent Short-cut tunnels are brought down if the parent tunnel goes down.
eap Enable/disable EAP client authentication. option - disable
Option Description
enable Enable EAP client authentication.
disable Disable EAP client authentication.
eap-users EAP authentication user group. string Not

Specified
ip-allocation- Class B subnet reserved for private IP address ipv4- Not 10.254.0.0
block assignment. classnet- Specified 255.255.0.0
any
multipath Enable/disable multipath redundancy. option - enable
Option Description
enable Enable multipath redundancy.
disable Disable multipath redundancy.
nat Enable/disable NAT support. option - enable
Option Description
enable Enable NAT support.
disable Disable NAT support.
poll-interval Overlay Controller VPN polling interval. integer Minimum 30

value: 30
Maximum
value: 120

Fortinet Inc.
role Set device role. option - spoke
Option Description
spoke Register device as static spoke.
primary-hub Register device as primary hub.
secondary-hub Register device as secondary hub.
sdwan Enable/disable adding OCVPN tunnels to SD-WAN. option - disable
Option Description
enable Enable adding OCVPN tunnels to SD-WAN.
disable Disable adding OCVPN tunnels to SD-WAN.
sdwan-zone Set SD-WAN zone. string Not virtual-wan-

Specified link
status Enable/disable Overlay Controller cloud assisted option - disable

VPN.
Option Description
enable Enable Overlay Controller VPN.
disable Disable Overlay Controller VPN.
wan-interface FortiGate WAN interfaces to use with OCVPN. string Maximum

config forticlient-access
status Enable/disable FortiClient to access OCVPN networks. option - disable
Option Description
enable Enable FortiClient access to OCVPN overlays.
disable Disable FortiClient access to OCVPN overlays.
psksecret Pre-shared secret for FortiClient PSK authentication password-3 Not

(ASCII string or hexadecimal encoded with a leading Specified
0x).

Fortinet Inc.
config auth-groups

Specified
auth-group Authentication user group for FortiClient access. string Not

Specified
overlays OCVPN overlays to allow access to. string Maximum

<overlay- Overlay name. length: 79
name>
config overlays
overlay-name Overlay name. string Not

Specified
inter-overlay Allow or deny traffic from other overlays. option - deny
Option Description
allow Allow traffic from other overlays.
deny Deny traffic from other overlays.
config subnets

value: 0
Maximum
value:
4294967295
type Subnet type. option - subnet
Option Description
subnet Configure participating subnet IP and mask.
interface Configure participating LAN interface.
subnet IPv4 address and subnet mask. ipv4- Not Specified 0.0.0.0
classnet- 0.0.0.0
any
interface LAN interface. string Not Specified

Fortinet Inc.
config vpn pptp
Configure PPTP.
config vpn pptp
Description: Configure PPTP.
set eip {ipv4-address}
set ip-mode [range|usrgrp]
set local-ip {ipv4-address}
set sip {ipv4-address}
set usrgrp {string}
end
config vpn pptp
eip End IP. ipv4- Not 0.0.0.0

address Specified
ip-mode IP assignment mode for PPTP client. option - range
Option Description
range PPTP client IP from manual config (range from sip to eip).
usrgrp PPTP client IP from user-group defined server.
local-ip Local IP to be used for peer's remote IP. ipv4- Not 0.0.0.0
address Specified
sip Start IP. ipv4- Not 0.0.0.0

address Specified
status Enable/disable FortiGate as a PPTP gateway. option - disable
Option Description
usrgrp User group. string Not

Specified
config vpn ssl client
Client.
Description: Client.
edit <name>

Fortinet Inc.
set name {string}
set peer {string}
set port {integer}
set psk {password-3}
set realm {string}
set server {string}
set user {string}
next
end
certificate Certificate to offer to SSL-VPN server if it requests one. string Not

Specified

Specified
distance Distance for routes added by SSL-VPN. integer Minimum 10

value: 1
Maximum
value: 255
interface SSL interface to send/receive traffic over. string Not

Specified
name SSL-VPN tunnel name. string Not

Specified
peer Authenticate peer's certificate with the peer/peergrp. string Not

Specified
port SSL-VPN server port. integer Minimum 443

value: 1
Maximum
value:
65535
priority Priority for routes added by SSL-VPN. integer Minimum 1

value: 1
Maximum
value:
65535

Fortinet Inc.
psk Pre-shared secret to authenticate with the server password-3 Not

(ASCII string or hexadecimal encoded with a leading Specified
0x).
realm Realm name configured on SSL-VPN server. string Not

Specified
server IPv4, IPv6 or DNS address of the SSL-VPN server. string Not
Specified
source-ip IPv4 or IPv6 address to use as a source for the SSL- string Not
VPN connection to the server. Specified
status Enable/disable this SSL-VPN client configuration. option - enable
Option Description
enable Enable the SSL-VPN configuration.
disable Disable the SSL-VPN configuration.
user Username to offer to the peer to authenticate the client. string Not
Specified
config vpn ssl monitor
SSL-VPN session.
config vpn ssl monitor
Description: SSL-VPN session.
end
config vpn ssl settings
Configure SSL-VPN.
Description: Configure SSL-VPN.
set algorithm [high|medium|...]
set auth-session-check-source-ip [enable|disable]
config authentication-rule
Description: Authentication rule for SSL-VPN.
edit <id>
set id {integer}
set source-interface <name1>, <name2>, ...
set source-address <name1>, <name2>, ...
set source-address-negate [enable|disable]
set source-address6 <name1>, <name2>, ...
set source-address6-negate [enable|disable]

Fortinet Inc.
set portal {string}
set realm {string}
set client-cert [enable|disable]
set user-peer {string}
set cipher [any|high|...]
set auth [any|local|...]
next
end
set auto-tunnel-static-route [enable|disable]
set banned-cipher {option1}, {option2}, ...
set check-referer [enable|disable]
set ciphersuite {option1}, {option2}, ...
set client-sigalgs [no-rsa-pss|all]
set default-portal {string}
set deflate-compression-level {integer}
set deflate-min-data-size {integer}
set dns-suffix {var-string}
set dtls-hello-timeout {integer}
set dtls-max-proto-ver [dtls1-0|dtls1-2]
set dtls-min-proto-ver [dtls1-0|dtls1-2]
set dtls-tunnel [enable|disable]
set dual-stack-mode [enable|disable]
set encode-2f-sequence [enable|disable]
set encrypt-and-store-password [enable|disable]
set force-two-factor-auth [enable|disable]
set header-x-forwarded-for [pass|add|...]
set hsts-include-subdomains [enable|disable]
set http-compression [enable|disable]
set http-only-cookie [enable|disable]
set http-request-body-timeout {integer}
set http-request-header-timeout {integer}
set https-redirect [enable|disable]
set login-attempt-limit {integer}
set login-block-time {integer}
set login-timeout {integer}
set port {integer}
set port-precedence [enable|disable]
set reqclientcert [enable|disable]
set saml-redirect-port {integer}
set servercert {string}
set source-address <name1>, <name2>, ...
set source-address-negate [enable|disable]
set source-address6 <name1>, <name2>, ...
set source-address6-negate [enable|disable]
set source-interface <name1>, <name2>, ...
set ssl-client-renegotiation [disable|enable]
set ssl-insert-empty-fragment [enable|disable]
set ssl-max-proto-ver [tls1-0|tls1-1|...]
set ssl-min-proto-ver [tls1-0|tls1-1|...]

Fortinet Inc.
set transform-backward-slashes [enable|disable]
set tunnel-addr-assigned-method [first-available|round-robin]
set tunnel-connect-without-reauth [enable|disable]
set tunnel-ip-pools <name1>, <name2>, ...
set tunnel-ipv6-pools <name1>, <name2>, ...
set tunnel-user-session-timeout {integer}
set unsafe-legacy-renegotiation [enable|disable]
set url-obscuration [enable|disable]
set user-peer {string}
set web-mode-snat [enable|disable]
set x-content-type-options [enable|disable]
end
algorithm Force the SSL-VPN security level. High allows option - high
only high. Medium allows medium and high. Low
allows any.
Option Description
high High algorithms.
medium High and medium algorithms.
default default
low All algorithms.
auth-session- Enable/disable checking of source IP for option - enable

check-source-ip authentication session.
Option Description
enable Enable checking of source IP for authentication session.
disable Disable checking of source IP for authentication session.
auth-timeout SSL-VPN authentication timeout. integer Minimum 28800

value: 0
Maximum
value: 259200
auto-tunnel- Enable/disable to auto-create static routes for option - enable

static-route the SSL-VPN tunnel IP addresses.

Fortinet Inc.
Option Description
banned-cipher Select one or more cipher technologies that option -

cannot be used in SSL-VPN negotiations. Only
applies to TLS 1.2 and below.
Option Description
RSA Ban the use of cipher suites using RSA key.
DHE Ban the use of cipher suites using authenticated ephemeral DH key
agreement.
ECDHE Ban the use of cipher suites using authenticated ephemeral ECDH key
agreement.
DSS Ban the use of cipher suites using DSS authentication.
ECDSA Ban the use of cipher suites using ECDSA authentication.
AES Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES Ban the use of cipher suites using triple DES
STATIC Ban the use of cipher suites using static keys.
CHACHA20 Ban the use of cipher suites using ChaCha20.
ARIA Ban the use of cipher suites using ARIA.
AESCCM Ban the use of cipher suites using AESCCM.
check-referer Enable/disable verification of referer field in option - disable

HTTP request header.
Option Description
enable Enable verification of referer field in HTTP request header.
disable Disable verification of referer field in HTTP request header.

Fortinet Inc.
ciphersuite Select one or more TLS 1.3 ciphersuites to option - TLS-AES-128-

enable. Does not affect ciphers in TLS 1.2 and GCM-SHA256
below. At least one must be enabled. To disable TLS-AES-256-
all, set ssl-max-proto-ver to tls1-2 or below. GCM-SHA384
TLS-
CHACHA20-
POLY1305-
SHA256
Option Description

GCM-SHA256

GCM-SHA384
TLS- Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

CHACHA20-
POLY1305-
SHA256
TLS-AES-128- Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

CCM-SHA256
TLS-AES-128- Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

CCM-8-SHA256
client-sigalgs Set signature algorithms related to client option - all

authentication. Affects TLS version <= 1.2 only.
Option Description
no-rsa-pss Disable RSA-PSS signature algorithms for client authentication.
all Enable all supported signature algorithms for client authentication.
default-portal Default SSL-VPN portal. string Not Specified
deflate- Compression level (0~9). integer Minimum 6

compression- value: 0
level Maximum
value: 9
deflate-min- Minimum amount of data that triggers integer Minimum 300

data-size compression. value: 200
Maximum
value: 65535
dns-server1 DNS server 1. ipv4- Not Specified 0.0.0.0

address

Fortinet Inc.

address
dns-suffix DNS suffix used for SSL-VPN clients. var-string Not Specified
dtls-hello- SSLVPN maximum DTLS hello timeout. integer Minimum 10

timeout value: 10
Maximum
value: 60
dtls-max-proto- DTLS maximum protocol version. option - dtls1-2

ver
Option Description
dtls1-0 DTLS version 1.0.
dtls-min-proto- DTLS minimum protocol version. option - dtls1-0

ver
Option Description
dtls-tunnel Enable/disable DTLS to prevent eavesdropping, option - enable

tampering, or message forgery.
Option Description
dual-stack- Tunnel mode: enable parallel IPv4 and IPv6 option - disable
mode tunnel. Web mode: support IPv4 and IPv6
bookmarks in the portal.
Option Description
encode-2f- Encode \2F sequence to forward slash in URLs. option - disable

sequence

Fortinet Inc.
Option Description
encrypt-and- Encrypt and store user passwords for SSL-VPN option - disable
store-password web sessions.
Option Description
force-two- Enable/disable only PKI users with two-factor option - disable

factor-auth authentication for SSL-VPNs.
Option Description
header-x- Forward the same, add, or remove HTTP option - add

forwarded-for header.
Option Description
pass Forward the same HTTP header.
add Add the HTTP header.
remove Remove the HTTP header.
hsts-include- Add HSTS includeSubDomains response option - disable

subdomains header.
Option Description
http- Enable/disable to allow HTTP compression over option - disable

compression SSL-VPN tunnels.
Option Description

Fortinet Inc.
http-only-cookie Enable/disable SSL-VPN support for HttpOnly option - enable

cookies.
Option Description
http-request- SSL-VPN session is disconnected if an HTTP integer Minimum 30

body-timeout request body is not received within this time. value: 0
Maximum
value:
4294967295
http-request- SSL-VPN session is disconnected if an HTTP integer Minimum 20

header-timeout request header is not received within this time. value: 0
Maximum
value:
4294967295
https-redirect Enable/disable redirect of port 80 to SSL-VPN option - disable

port.
Option Description
idle-timeout SSL-VPN disconnects if idle for specified time in integer Minimum 300
seconds. value: 0
Maximum
value: 259200
ipv6-dns- IPv6 DNS server 1. ipv6- Not Specified ::

server1 address

server2 address
ipv6-wins- IPv6 WINS server 1. ipv6- Not Specified ::

server1 address
ipv6-wins- IPv6 WINS server 2. ipv6- Not Specified ::

server2 address
login-attempt- SSL-VPN maximum login attempt times before integer Minimum 2

limit block. value: 0
Maximum
value:
4294967295

Fortinet Inc.
login-block-time Time for which a user is blocked from logging in integer Minimum 60
after too many failed login attempts. value: 0
Maximum
value:
4294967295
login-timeout SSLVPN maximum login timeout. integer Minimum 30

value: 10
Maximum
value: 180
port SSL-VPN access port. integer Minimum 10443

value: 1
Maximum
value: 65535
port- Enable/disable, Enable means that if SSL-VPN option - enable

precedence connections are allowed on an interface admin
GUI connections are blocked on that interface.
Option Description
reqclientcert Enable/disable to require client certificates for all option - disable

SSL-VPN users.
Option Description
saml-redirect- SAML local redirect port in the machine running integer Minimum 8020
port FortiClient. 0 is to disable redirection on FGT value: 0
side. Maximum
value: 65535
servercert Name of the server certificate to be used for string Not Specified
SSL-VPNs.
source-address Source address of incoming traffic. string Maximum

source- Enable/disable negated source address match. option - disable

address-negate

Fortinet Inc.
Option Description
source- IPv6 source address of incoming traffic. string Maximum

address6 IPv6 address name. length: 79
<name>
source- Enable/disable negated source IPv6 address option - disable

address6- match.
negate
Option Description
source- SSL-VPN source interface of incoming traffic. string Maximum

interface Interface name. length: 35
<name>
ssl-client- Enable/disable to allow client renegotiation by option - disable

renegotiation the server if the tunnel goes down.
Option Description
disable Abort any SSL connection that attempts to renegotiate.
enable Allow a SSL client to renegotiate.
ssl-insert- Enable/disable insertion of empty fragment. option - enable

empty-fragment
Option Description
ssl-max-proto- SSL maximum protocol version. option - tls1-3

ver
Option Description
tls1-0 TLS version 1.0.

Fortinet Inc.
ssl-min-proto- SSL minimum protocol version. option - tls1-2

ver
Option Description
status Enable/disable SSL-VPN. option - enable
Option Description
enable Enable SSL-VPN.
disable Disable SSL-VPN.
transform- Transform backward slashes to forward slashes option - disable

backward- in URLs.
slashes
Option Description
tunnel-addr- Method used for assigning address for tunnel. option - first-available
assigned-
method
Option Description
first-available Assign the first available address from the pools.
round-robin Assign the available address from the pool with a round robin fashion.
tunnel-connect- Enable/disable tunnel connection without re- option - disable

without-reauth authorization if previous connection dropped.
Option Description
enable Enable tunnel connection without re-authorization.
disable Disable tunnel connection without re-authorization.
tunnel-ip-pools Names of the IPv4 IP Pool firewall objects that string Maximum
<name> define the IP addresses reserved for remote length: 79
clients.

Fortinet Inc.
Address name.
tunnel-ipv6- Names of the IPv6 IP Pool firewall objects that string Maximum
pools <name> define the IP addresses reserved for remote length: 79
clients.
Address name.
tunnel-user- Time out value to clean up user session after integer Minimum 30
session-timeout tunnel connection is dropped. value: 1
Maximum
value: 255
unsafe-legacy- Enable/disable unsafe legacy re-negotiation. option - disable

renegotiation
Option Description
url-obscuration Enable/disable to obscure the host name of the option - disable

URL of the web browser display.
Option Description
user-peer Name of user peer. string Not Specified
web-mode-snat Enable/disable use of IP pools defined in firewall option - disable

policy while using web-mode.
Option Description
enable Enable use of IP pools defined in firewall policy while using web-mode.
disable Disable use of IP pools defined in firewall policy while using web-mode.
wins-server1 WINS server 1. ipv4- Not Specified 0.0.0.0

address
wins-server2 WINS server 2. ipv4- Not Specified 0.0.0.0

address
x-content-type- Add HTTP X-Content-Type-Options header. option - enable

options

Fortinet Inc.
Option Description
config authentication-rule

value: 0
Maximum
value:
4294967295
source- SSL-VPN source interface of incoming traffic. string Maximum

interface Interface name. length: 35
<name>
source- Source address of incoming traffic. string Maximum

address Address name. length: 79
<name>
source- Enable/disable negated source address match. option - disable

address-
negate
Option Description
source- IPv6 source address of incoming traffic. string Maximum

address6 IPv6 address name. length: 79
<name>
source- Enable/disable negated source IPv6 address match. option - disable

address6-
negate
Option Description
users <name> User name. string Maximum

User name. length: 79

Fortinet Inc.
groups User groups. string Maximum

<name> Group name. length: 79
portal SSL-VPN portal. string Not Specified
realm SSL-VPN realm. string Not Specified
client-cert Enable/disable SSL-VPN client certificate restrictive. option - disable
Option Description
user-peer Name of user peer. string Not Specified
cipher SSL-VPN cipher strength. option - high
Option Description
any Any cipher strength.
high High cipher strength (>= 168 bits).
medium Medium cipher strength (>= 128 bits).
auth SSL-VPN authentication method restriction. option - any
Option Description
any Any
local Local
radius RADIUS
tacacs+ TACACS+
ldap LDAP
peer PEER
config vpn ssl web host-check-software
SSL-VPN host check software.

Description: SSL-VPN host check software.
edit <name>
config check-item-list
Description: Check item list.
edit <id>
set id {integer}
set action [require|deny]

Fortinet Inc.
set type [file|registry|...]
set target {string}
set version {string}
set md5s <id1>, <id2>, ...
next
end
set guid {user}
set name {string}
set os-type [windows|macos]
set type [av|fw]
set version {string}
next
end
guid Globally unique ID. user Not

Specified

Specified
os-type OS type. option - windows
Option Description
windows Microsoft Windows operating system.
macos Apple MacOS operating system.
type Type. option - av
Option Description
av AntiVirus.
fw Firewall.
version Version. string Not

Specified
config check-item-list

value: 0
Maximum
value:
65535

Fortinet Inc.
action Action. option - require
Option Description
require Require.
deny Deny.
type Type. option - file
Option Description
file File.
registry Registry.
process Process.
target Target. string Not

Specified
version Version. string Not

Specified
md5s <id> MD5 checksum. string Maximum

Hex string of MD5 checksum. length: 32
config vpn ssl web portal
Portal.
Description: Portal.
edit <name>
set allow-user-access {option1}, {option2}, ...
set auto-connect [enable|disable]
config bookmark-group
Description: Portal bookmark group.
edit <name>
set name {string}
config bookmarks
Description: Bookmark table.
edit <name>
set name {string}
set apptype [ftp|rdp|...]
set url {var-string}
set host {var-string}
set folder {var-string}
set domain {var-string}
set additional-params {var-string}
set keyboard-layout [ar-101|ar-102|...]
set security [any|rdp|...]

Fortinet Inc.
set send-preconnection-id [enable|disable]
set preconnection-id {integer}
set preconnection-blob {var-string}
set load-balancing-info {var-string}
set restricted-admin [enable|disable]
set port {integer}
set logon-user {var-string}
set logon-password {password}
set color-depth [32|16|...]
set sso [disable|static|...]
config form-data
Description: Form data.
edit <name>
set name {string}
next
end
set sso-credential [sslvpn-login|alternative]
set sso-username {var-string}
set sso-password {password}
set sso-credential-sent-once [enable|disable]
set width {integer}
set height {integer}
next
end
next
end
set clipboard [enable|disable]
set custom-lang {string}
set customize-forticlient-download-url [enable|disable]
set default-window-height {integer}
set default-window-width {integer}
set dhcp-ip-overlap [use-new|use-old]
set display-bookmark [enable|disable]
set display-connection-tools [enable|disable]
set display-history [enable|disable]
set display-status [enable|disable]
set dns-suffix {var-string}
set exclusive-routing [enable|disable]
set forticlient-download [enable|disable]
set forticlient-download-method [direct|ssl-vpn]
set heading {string}
set hide-sso-credential [enable|disable]
set host-check [none|av|...]
set host-check-interval {integer}
set host-check-policy <name1>, <name2>, ...
set ip-mode [range|user-group|...]
set ip-pools <name1>, <name2>, ...
set ipv6-exclusive-routing [enable|disable]
set ipv6-pools <name1>, <name2>, ...
set ipv6-service-restriction [enable|disable]
set ipv6-split-tunneling [enable|disable]

Fortinet Inc.
set ipv6-split-tunneling-routing-address <name1>, <name2>, ...
set ipv6-split-tunneling-routing-negate [enable|disable]
set ipv6-tunnel-mode [enable|disable]
set keep-alive [enable|disable]
set limit-user-logins [enable|disable]
set mac-addr-action [allow|deny]
set mac-addr-check [enable|disable]
config mac-addr-check-rule
Description: Client MAC address check rule.
edit <name>
set name {string}
set mac-addr-mask {integer}
set mac-addr-list <addr1>, <addr2>, ...
next
end
set macos-forticlient-download-url {var-string}
set name {string}
set os-check [enable|disable]
config os-check-list
Description: SSL-VPN OS checks.
edit <name>
set name {string}
set action [deny|allow|...]
set tolerance {integer}
set latest-patch-level {user}
next
end
set prefer-ipv6-dns [enable|disable]
set redir-url {var-string}
set rewrite-ip-uri-ui [enable|disable]
set save-password [enable|disable]
set service-restriction [enable|disable]
set skip-check-for-browser [enable|disable]
set skip-check-for-unsupported-os [enable|disable]
set smb-max-version [smbv1|smbv2|...]
set smb-min-version [smbv1|smbv2|...]
set smb-ntlmv1-auth [enable|disable]
set smbv1 [enable|disable]
config split-dns
Description: Split DNS for SSL-VPN.
edit <id>
set id {integer}
set domains {var-string}
next
end
set split-tunneling [enable|disable]
set split-tunneling-routing-address <name1>, <name2>, ...
set split-tunneling-routing-negate [enable|disable]
set theme [jade|neutrino|...]
set tunnel-mode [enable|disable]

Fortinet Inc.
set use-sdwan [enable|disable]
set user-bookmark [enable|disable]
set user-group-bookmark [enable|disable]
set web-mode [enable|disable]
set windows-forticlient-download-url {var-string}
next
end
allow-user- Allow user access to SSL-VPN applications. option - web ftp

access smb sftp
telnet ssh
vnc rdp
ping
Option Description
web HTTP/HTTPS access.
ftp FTP access.
smb SMB/CIFS access.
sftp SFTP access.
ssh SSH access.
vnc VNC access.
rdp RDP access.
ping PING access.
auto-connect Enable/disable automatic connect by client when option - disable

system is up.
Option Description
clipboard Enable to support RDP/VPC clipboard functionality. option - enable
Option Description
enable Enable support of RDP/VNC clipboard.
disable Disable support of RDP/VNC clipboard.

Fortinet Inc.
custom-lang Change the web portal display language. Overrides string Not
config system global set language. You can use config Specified
system custom-language and execute system custom-
language to add custom language files.
customize- Enable support of customized download URL for option - disable

forticlient- FortiClient.
download-url
Option Description
default-window- Screen height. integer Minimum 768

height value: 0
Maximum
value:
65535
default-window- Screen width. integer Minimum 1024

width value: 0
Maximum
value:
65535
dhcp-ip-overlap Configure overlapping DHCP IP allocation option - use-new

assignment.
Option Description
use-new Assign DHCP lease to new client and remove old client lease.
use-old Preserve previous client IP allocation and disconnect new client.
display- Enable to display the web portal bookmark widget. option - enable
bookmark
Option Description
display- Enable to display the web portal connection tools option - enable
connection- widget.
tools

Fortinet Inc.
Option Description
display-history Enable to display the web portal user login history option - enable
widget.
Option Description
display-status Enable to display the web portal status widget. option - enable
Option Description
dns-server1 IPv4 DNS server 1. ipv4- Not 0.0.0.0

address Specified
dns-server2 IPv4 DNS server 2. ipv4- Not 0.0.0.0

address Specified
dns-suffix DNS suffix. var-string Not

Specified
exclusive- Enable/disable all traffic go through tunnel only. option - disable

routing
Option Description
forticlient- Enable/disable download option for FortiClient. option - enable

download
Option Description
forticlient- FortiClient download method. option - direct

download-
method

Fortinet Inc.
Option Description
direct Download via direct link.
ssl-vpn Download via SSL-VPN.
heading Web portal heading message. string Not SSL-VPN

Specified Portal
hide-sso- Enable to prevent SSO credential being sent to client. option - enable
credential
Option Description
host-check Type of host checking performed on endpoints. option - none
Option Description
none No host checking.
av AntiVirus software recognized by the Windows Security Center.
fw Firewall software recognized by the Windows Security Center.
av-fw AntiVirus and firewall software recognized by the Windows Security Center.
custom Custom.
host-check- Periodic host check interval. Value of 0 means integer Minimum 0

interval disabled and host checking only happens when the value: 120
endpoint connects. Maximum
value:
259200
host-check- One or more policies to require the endpoint to have string Maximum
policy <name> specific security software. length: 79
Host check software list name.
ip-mode Method by which users of this SSL-VPN tunnel obtain option - range
IP addresses.
Option Description
range Use the IP addresses available for all SSL-VPN users as defined by the SSL
settings command.
user-group Use the IP addresses associated with individual users or user groups
(usually from external auth servers).
dhcp Use IP addresses obtained from external DHCP server.

Fortinet Inc.
ip-pools IPv4 firewall source address objects reserved for SSL- string Maximum
<name> VPN tunnel mode clients. length: 79
Address name.
ipv6-dns- IPv6 DNS server 1. ipv6- Not ::

server1 address Specified
ipv6-dns- IPv6 DNS server 2. ipv6- Not ::

ipv6-exclusive- Enable/disable all IPv6 traffic go through tunnel only. option - disable
routing
Option Description
ipv6-pools IPv6 firewall source address objects reserved for SSL- string Maximum
<name> VPN tunnel mode clients. length: 79
Address name.
ipv6-service- Enable/disable IPv6 tunnel service restriction. option - disable

restriction
Option Description
ipv6-split- Enable/disable IPv6 split tunneling. option - enable

tunneling
Option Description
ipv6-split- IPv6 SSL-VPN tunnel mode firewall address objects string Maximum
tunneling- that override firewall policy destination addresses to length: 79
routing-address control split-tunneling access.
<name> Address name.
ipv6-split- Enable to negate IPv6 split tunneling routing address. option - disable
tunneling-
routing-negate

Fortinet Inc.
Option Description
ipv6-tunnel- Enable/disable IPv6 SSL-VPN tunnel mode. option - disable

mode
Option Description
ipv6-wins- IPv6 WINS server 1. ipv6- Not ::

ipv6-wins- IPv6 WINS server 2. ipv6- Not ::

keep-alive Enable/disable automatic reconnect for FortiClient option - disable

connections.
Option Description
limit-user-logins Enable to limit each user to one SSL-VPN session at a option - disable
time.
Option Description
mac-addr- Client MAC address action. option - allow

action
Option Description
allow Allow connection when client MAC address is matched.
deny Deny connection when client MAC address is matched.
mac-addr- Enable/disable MAC address host checking. option - disable

check

Fortinet Inc.
Option Description
macos- Download URL for Mac FortiClient. var-string Not

forticlient- Specified
download-url
name Portal name. string Not

Specified
os-check Enable to let the FortiGate decide action based on option - disable
client OS.
Option Description
prefer-ipv6-dns Prefer to query IPv6 DNS server first if enabled. option - disable
Option Description
redir-url Client login redirect URL. var-string Not

Specified
rewrite-ip-uri-ui Rewrite contents for URI contains IP and /ui/. option - disable
Option Description
enable Enable contents rewrite for URI contains "IP-address/ui/".
disable Disable contents rewrite for URI contains "IP-address/ui/".
save-password Enable/disable FortiClient saving the user's password. option - disable
Option Description
service- Enable/disable tunnel service restriction. option - disable

restriction

Fortinet Inc.
Option Description
skip-check-for- Enable to skip host check for browser support. option - enable
browser
Option Description
skip-check-for- Enable to skip host check if client OS does not support option - enable
unsupported-os it.
Option Description
smb-max- SMB maximum client protocol version. option - smbv3

version
Option Description
smbv1 SMB version 1.
smb-min- SMB minimum client protocol version. option - smbv2

version
Option Description
smb-ntlmv1- Enable support of NTLMv1 for Samba authentication. option - disable

auth
Option Description

Fortinet Inc.
smbv1 SMB version 1. option - disable
Option Description
enable enable
disable disable
split-tunneling Enable/disable IPv4 split tunneling. option - enable
Option Description
split-tunneling- IPv4 SSL-VPN tunnel mode firewall address objects string Maximum
routing-address that override firewall policy destination addresses to length: 79
<name> control split-tunneling access.
Address name.
split-tunneling- Enable to negate split tunneling routing address. option - disable

routing-negate
Option Description
theme Web portal color scheme. option - neutrino
Option Description
jade Jade theme.
neutrino Neutrino theme.
mariner Mariner theme.
graphite Graphite theme.
melongene Melongene theme.
dark-matter Dark Matter theme.
onyx Onyx theme.
eclipse Eclipse theme.
tunnel-mode Enable/disable IPv4 SSL-VPN tunnel mode. option - disable

Fortinet Inc.
Option Description
use-sdwan Use SD-WAN rules to get output interface. option - disable
Option Description
user-bookmark Enable to allow web portal users to create their own option - enable
bookmarks.
Option Description
user-group- Enable to allow web portal users to create bookmarks option - enable
bookmark for all users in the same user group.
Option Description
web-mode Enable/disable SSL-VPN web mode. option - disable
Option Description
windows- Download URL for Windows FortiClient. var-string Not

forticlient- Specified
download-url
wins-server1 IPv4 WINS server 1. ipv4- Not 0.0.0.0

address Specified
wins-server2 IPv4 WINS server 1. ipv4- Not 0.0.0.0

address Specified

Fortinet Inc.
config bookmark-group
name Bookmark group name. string Not

Specified
config bookmarks
name Bookmark name. string Not Specified
apptype Application type. option - web
Option Description
ftp FTP.
rdp RDP.
sftp SFTP.
smb SMB/CIFS.
ssh SSH.
telnet Telnet.
vnc VNC.
web HTTP/HTTPS.
url URL parameter. var-string Not Specified
host Host name/IP parameter. var-string Not Specified
folder Network shared file folder parameter. var-string Not Specified
domain Login domain. var-string Not Specified
additional- Additional parameters. var-string Not Specified

params
keyboard-layout Keyboard layout. option - en-us
Option Description
ar-101 Arabic (101).
ar-102-azerty Arabic (102) AZERTY.
can-mul Canadian Multilingual Standard.

Fortinet Inc.
Option Description
cz Czech.
cz-qwerty Czech (QWERTY).
cz-pr Czech Programmers.
da Danish.
nl Dutch.
de German.
de-ch German, Switzerland.
de-ibm German (IBM).
en-uk English, United Kingdom.
en-uk-ext English, United Kingdom Extended.
en-us English, United States.
en-us-dvorak English, United States-Dvorak.
es Spanish.
es-var Spanish Variation.
fi Finish.
fi-sami Finnish with Sami.
fr French.
fr-apple French, Apple.
fr-ca French, Canada.
fr-ch French, Switzerland.
fr-be French, Belgium.
hr Croatian.
hu Hungarian.
hu-101 Hungarian 101-Key.
it Italian.
it-142 Italian (142).
ja Japanese.
ko Korean.
lt Lithuanian.

Fortinet Inc.
Option Description
lt-ibm Lithuanian IBM.
lt-std Lithuanian Standard.
lav-std Latvian (Standard).
lav-leg Latvian (Legacy).
mk Macedonian (FYROM).
mk-std Macedonia (FYROM) - Standard.
no Norwegian.
no-sami Norwegian with Sami.
pol-214 Polish (214).
pol-pr Polish (Programmers).
pt Portuguese.
pt-br Portuguese (Brazilian ABNT).
pt-br-abnt2 Portuguese (Brazilian ABNT2).
ru Russian.
ru-mne Russian - Mnemonic.
ru-t Russian (Typewriter).
sl Slovenian.
sv Swedish.
sv-sami Swedish with Sami.
tuk Turkmen.
tur-f Turkish F.
tur-q Turkish Q.
zh-sym-sg-us Chinese (Simplified, Singapore) - US keyboard.
zh-sym-us Chinese (Simplified) - US Keyboard.
zh-tr-hk Chinese (Traditional, Hong Kong S.A.R.).
zh-tr-mo Chinese (Traditional Macao S.A.R.) - US Keyboard.
zh-tr-us Chinese (Traditional) - US keyboard.
security Security mode for RDP connection. option - rdp

Fortinet Inc.
Option Description
any Allow the server to choose the type of security.
rdp Standard RDP encryption.
nla Network Level Authentication.
tls TLS encryption.
send- Enable/disable sending of preconnection ID. option - disable

preconnection-id
Option Description
enable Enable sending of preconnection ID.
disable Disable sending of preconnection ID.
preconnection-id The numeric ID of the RDP source. integer Minimum 0

value: 0
Maximum
value:
4294967295
preconnection- An arbitrary string which identifies the RDP var-string Not Specified
blob source.
load-balancing- The load balancing information or cookie which var-string Not Specified
info should be provided to the connection broker.
restricted-admin Enable/disable restricted admin mode for RDP. option - disable
Option Description
enable Enable restricted admin mode for RDP.
disable Disable restricted admin mode for RDP.
port Remote port. integer Minimum 0

value: 0
Maximum
value: 65535
logon-user Logon user. var-string Not Specified
logon-password Logon password. password Not Specified
color-depth Color depth per pixel. option - 16
Option Description
32 32bits per pixel.

Fortinet Inc.
Option Description
8 8bits per pixel.
sso Single Sign-On. option - disable
Option Description
disable Disable SSO.
static Static SSO.
auto Auto SSO.
sso-credential Single sign-on credentials. option - sslvpn-

login
Option Description
sslvpn-login SSL-VPN login.
alternative Alternative.
sso-username SSO user name. var-string Not Specified
sso-password SSO password. password Not Specified
sso-credential- Single sign-on credentials are only sent once to option - disable
sent-once remote server.
Option Description
enable Single sign-on credentials are only sent once to remote server.
disable Single sign-on credentials are sent to remote server for every HTTP
request.
width Screen width. integer Minimum 0

value: 0
Maximum
value: 65535
height Screen height. integer Minimum 0

value: 0
Maximum
value: 65535

Fortinet Inc.
config form-data

Specified
value Value. var-string Not

Specified
config mac-addr-check-rule
name Client MAC address check rule name. string Not

Specified
mac-addr- Client MAC address mask. integer Minimum 48

mask value: 1
Maximum
value: 48
mac-addr-list Client MAC address list. mac- Not

<addr> Client MAC address. address Specified
config os-check-list

Specified
action OS check options. option - allow
Option Description
deny Deny all OS versions.
allow Allow any OS version.
check-up-to-date Verify OS is up-to-date.
tolerance OS patch level tolerance. integer Minimum 0

value: 0
Maximum
value:
65535
latest-patch- Latest OS patch level. user Not 0

level Specified

Fortinet Inc.
config split-dns

value: 0
Maximum
value:
4294967294
domains Split DNS domains used for SSL-VPN clients var-string Not Specified
separated by comma.

address

address

server1 address

server2 address
config vpn ssl web realm
Realm.
Description: Realm.
edit <url-path>
set login-page {var-string}
set max-concurrent-user {integer}
set nas-ip {ipv4-address}
set url-path {string}
set virtual-host {var-string}
set virtual-host-only [enable|disable]
set virtual-host-server-cert {string}
next
end
login-page Replacement HTML for SSL-VPN login page. var-string Not

Specified

Fortinet Inc.
max- Maximum concurrent users. integer Minimum 0

concurrent- value: 0
user Maximum
value:
65535
nas-ip IP address used as a NAS-IP to communicate with the ipv4- Not 0.0.0.0
RADIUS server. address Specified
radius-port RADIUS service port number. integer Minimum 0

value: 0
Maximum
value:
65535
radius-server RADIUS server associated with realm. string Not

Specified
url-path URL path to access SSL-VPN login page. string Not

Specified
virtual-host Virtual host name for realm. var-string Not

Specified
virtual-host- Enable/disable enforcement of virtual host method for option - disable

only SSL-VPN client access.
Option Description
virtual-host- Name of the server certificate to used for this realm. string Not
server-cert Specified
config vpn ssl web user-bookmark
Configure SSL-VPN user bookmark.

Description: Configure SSL-VPN user bookmark.
edit <name>
config bookmarks
edit <name>
set name {string}

Fortinet Inc.
set port {integer}
config form-data
edit <name>
set name {string}
next
end
set width {integer}
next
end
set custom-lang {string}
set name {string}
next
end
custom-lang Personal language. string Not

Specified
name User and group name. string Not

Specified
config bookmarks

Fortinet Inc.
Option Description
ftp FTP.
rdp RDP.
sftp SFTP.
smb SMB/CIFS.
ssh SSH.
telnet Telnet.
vnc VNC.
web HTTP/HTTPS.

params
Option Description
cz Czech.
da Danish.
nl Dutch.
de German.

Fortinet Inc.
Option Description
es Spanish.
fi Finish.
fr French.
hr Croatian.
hu Hungarian.
it Italian.
ja Japanese.
ko Korean.
lt Lithuanian.
no Norwegian.

Fortinet Inc.
Option Description
pt Portuguese.
ru Russian.
sl Slovenian.
sv Swedish.
tuk Turkmen.
tur-f Turkish F.
tur-q Turkish Q.
Option Description
tls TLS encryption.

preconnection-id

Fortinet Inc.
Option Description

value: 0
Maximum
value:
4294967295
blob source.
Option Description

value: 0
Maximum
value: 65535
Option Description
8 8bits per pixel.
Option Description
static Static SSO.
auto Auto SSO.

Fortinet Inc.

login
Option Description
Option Description
request.

value: 0
Maximum
value: 65535

value: 0
Maximum
value: 65535
config form-data

Specified

Specified
config vpn ssl web user-group-bookmark
Configure SSL-VPN user group bookmark.

Description: Configure SSL-VPN user group bookmark.
edit <name>
config bookmarks

Fortinet Inc.
edit <name>
set name {string}
set port {integer}
config form-data
edit <name>
set name {string}
next
end
set width {integer}
next
end
set name {string}
next
end

Specified
config bookmarks

Fortinet Inc.
Option Description
ftp FTP.
rdp RDP.
sftp SFTP.
smb SMB/CIFS.
ssh SSH.
telnet Telnet.
vnc VNC.
web HTTP/HTTPS.

params
Option Description
cz Czech.
da Danish.
nl Dutch.
de German.

Fortinet Inc.
Option Description
es Spanish.
fi Finish.
fr French.
hr Croatian.
hu Hungarian.
it Italian.
ja Japanese.
ko Korean.
lt Lithuanian.

Fortinet Inc.
Option Description
no Norwegian.
pt Portuguese.
ru Russian.
sl Slovenian.
sv Swedish.
tuk Turkmen.
tur-f Turkish F.
tur-q Turkish Q.
Option Description
tls TLS encryption.

preconnection-id

Fortinet Inc.
Option Description

value: 0
Maximum
value:
4294967295
blob source.
Option Description

value: 0
Maximum
value: 65535
Option Description
8 8bits per pixel.
Option Description
static Static SSO.
auto Auto SSO.

Fortinet Inc.

login
Option Description
Option Description
request.

value: 0
Maximum
value: 65535

value: 0
Maximum
value: 65535
config form-data

Specified

Specified
config vpn status l2tp
Display L2TP status.

config vpn status l2tp
Description: Display L2TP status.
end

Fortinet Inc.
config vpn status pptp
Display PPTP status.

config vpn status pptp
Description: Display PPTP status.
end
config vpn status ssl hw-acceleration-status
SSL hardware acceleration status.

config vpn status ssl hw-acceleration-status
Description: SSL hardware acceleration status.
end
config vpn status ssl list
List current connections.

config vpn status ssl list
Description: List current connections.
end

Fortinet Inc.
waf

l config waf main-class on page 1781
l config waf profile on page 1781
l config waf signature on page 1806
l config waf sub-class on page 1807
config waf main-class
Hidden table for datasource.

Description: Hidden table for datasource.
edit <id>
set id {integer}
set name {string}
next
end
id Main signature class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Main signature class name. string Not Specified
config waf profile
Configure Web application firewall configuration.

config waf profile
Description: Configure Web application firewall configuration.
edit <name>
config address-list
Description: Address block and allow lists.
set blocked-log [enable|disable]
set severity [high|medium|...]
set trusted-address <name1>, <name2>, ...
set blocked-address <name1>, <name2>, ...

Fortinet Inc.
end
config constraint
Description: WAF HTTP protocol restrictions.
config header-length
Description: HTTP header length in request.
set length {integer}
set action [allow|block]
end
config content-length
Description: HTTP content length in request.
end
config param-length
Description: Maximum length of parameter in URL, HTTP POST request or HTTP
body.
end
config line-length
Description: HTTP line length in request.
end
config url-param-length
Description: Maximum length of parameter in URL.
end
config version
Description: Enable/disable HTTP version check.
end
config method
Description: Enable/disable HTTP method check.

Fortinet Inc.
end
config hostname
Description: Enable/disable hostname check.
end
config malformed
Description: Enable/disable malformed HTTP request check.
end
config max-cookie
Description: Maximum number of cookies in HTTP request.
set max-cookie {integer}
end
config max-header-line
Description: Maximum number of HTTP header line.
set max-header-line {integer}
end
config max-url-param
Description: Maximum number of parameters in URL.
set max-url-param {integer}
end
config max-range-segment
Description: Maximum number of range segments in HTTP range line.
set max-range-segment {integer}
end
config exception
Description: HTTP constraint exception.
edit <id>
set id {integer}
set regex [enable|disable]

Fortinet Inc.
set header-length [enable|disable]
set content-length [enable|disable]
set param-length [enable|disable]
set line-length [enable|disable]
set url-param-length [enable|disable]
set version [enable|disable]
set method [enable|disable]
set hostname [enable|disable]
set malformed [enable|disable]
set max-cookie [enable|disable]
set max-header-line [enable|disable]
set max-url-param [enable|disable]
set max-range-segment [enable|disable]
next
end
end
set external [disable|enable]
config method
Description: Method restriction.
set default-allowed-methods {option1}, {option2}, ...
config method-policy
Description: HTTP method policy.
edit <id>
set id {integer}
set allowed-methods {option1}, {option2}, ...
next
end
end
set name {string}
config signature
Description: WAF signatures.
config main-class
Description: Main signature class.
edit <id>
set id {integer}
set action [allow|block|...]
next
end
set disabled-sub-class <id1>, <id2>, ...
set disabled-signature <id1>, <id2>, ...
set credit-card-detection-threshold {integer}
config custom-signature
Description: Custom signature.
edit <name>
set name {string}

Fortinet Inc.
set action [allow|block|...]
set direction [request|response]
set target {option1}, {option2}, ...
next
end
end
config url-access
Description: URL access list.
edit <id>
set id {integer}
set action [bypass|permit|...]
config access-pattern
Description: URL access pattern.
edit <id>
set id {integer}
set srcaddr {string}
set negate [enable|disable]
next
end
next
end
next
end
config waf profile

Specified
Option Description
external Disable/Enable external HTTP Inspection. option - disable
Option Description
disable Disable external inspection.
enable Enable external inspection.

Fortinet Inc.
name WAF Profile name. string Not

Specified
config address-list
Option Description
blocked-log Enable/disable logging on blocked addresses. option - disable
Option Description
severity Severity. option - medium
Option Description
high High severity.
medium Medium severity.
low Low severity.
trusted- Trusted address. string Maximum

<name>
blocked- Blocked address. string Maximum

<name>
config header-length
status Enable/disable the constraint. option - disable
Option Description

Fortinet Inc.
length Length of HTTP header in bytes (0 to 2147483647). integer Minimum 8192

value: 0
Maximum
value:
2147483647
action Action. option - allow
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.
config content-length
Option Description
length Length of HTTP content in bytes (0 to 2147483647). integer Minimum 67108864

value: 0
Maximum
value:
2147483647

Fortinet Inc.
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.
config param-length
Option Description
length Maximum length of parameter in URL, HTTP POST integer Minimum 8192
request or HTTP body in bytes (0 to 2147483647). value: 0
Maximum
value:
2147483647
Option Description
allow Allow.
block Block.

Fortinet Inc.
Option Description
Option Description
high High severity.
low Low severity.
config line-length
Option Description
length Length of HTTP line in bytes (0 to 2147483647). integer Minimum 1024

value: 0
Maximum
value:
2147483647
Option Description
allow Allow.
block Block.
Option Description

Fortinet Inc.
Option Description
high High severity.
low Low severity.
config url-param-length
Option Description
length Maximum length of URL parameter in bytes (0 to integer Minimum 8192

2147483647). value: 0
Maximum
value:
2147483647
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.

Fortinet Inc.
config version
Option Description
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.
config method
Option Description

Fortinet Inc.
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.
config method
Option Description
Option Description
Option Description
high High severity
medium medium severity
low low severity

Fortinet Inc.
default-allowed- Methods. option -

methods
Option Description
get HTTP GET method.
post HTTP POST method.
put HTTP PUT method.
head HTTP HEAD method.
connect HTTP CONNECT method.
trace HTTP TRACE method.
options HTTP OPTIONS method.
delete HTTP DELETE method.
others Other HTTP methods.
config hostname
Option Description
Option Description
allow Allow.
block Block.
Option Description

Fortinet Inc.
Option Description
high High severity.
low Low severity.
config malformed
Option Description
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.
config max-cookie

Fortinet Inc.
Option Description
max-cookie Maximum number of cookies in HTTP request (0 to integer Minimum 16

2147483647). value: 0
Maximum
value:
2147483647
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.
config max-header-line
Option Description

Fortinet Inc.
max-header- Maximum number HTTP header lines (0 to integer Minimum 32

line 2147483647). value: 0
Maximum
value:
2147483647
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.
config max-url-param
Option Description
max-url- Maximum number of parameters in URL (0 to integer Minimum 16

param 2147483647). value: 0
Maximum
value:
2147483647

Fortinet Inc.
Option Description
allow Allow.
block Block.
Option Description
Option Description
high High severity.
low Low severity.
config max-range-segment
Option Description
max-range- Maximum number of range segments in HTTP range integer Minimum 5

segment line (0 to 2147483647). value: 0
Maximum
value:
2147483647
Option Description
allow Allow.
block Block.

Fortinet Inc.
Option Description
Option Description
high High severity.
low Low severity.
config exception
id Exception ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
pattern URL pattern. string Not Specified
regex Enable/disable regular expression based pattern option - disable

match.
Option Description
address Host address. string Not Specified
header-length HTTP header length in request. option - disable
Option Description
content- HTTP content length in request. option - disable

length

Fortinet Inc.
Option Description
param-length Maximum length of parameter in URL, HTTP POST option - disable

request or HTTP body.
Option Description
line-length HTTP line length in request. option - disable
Option Description
url-param- Maximum length of parameter in URL. option - disable

length
Option Description
version Enable/disable HTTP version check. option - disable
Option Description
method Enable/disable HTTP method check. option - disable
Option Description
hostname Enable/disable hostname check. option - disable

Fortinet Inc.
Option Description
malformed Enable/disable malformed HTTP request check. option - disable
Option Description
max-cookie Maximum number of cookies in HTTP request. option - disable
Option Description
max-header- Maximum number of HTTP header line. option - disable

line
Option Description
max-url- Maximum number of parameters in URL. option - disable

param
Option Description
max-range- Maximum number of range segments in HTTP range option - disable

segment line.
Option Description

Fortinet Inc.
config method
config method
default-allowed- Methods. option -

methods
config method-policy
id HTTP method policy ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

match.
Option Description
allowed- Allowed Methods. option -

methods
Option Description
get HTTP GET method.

Fortinet Inc.
Option Description
post HTTP POST method.
put HTTP PUT method.
head HTTP HEAD method.
connect HTTP CONNECT method.
trace HTTP TRACE method.
options HTTP OPTIONS method.
delete HTTP DELETE method.
others Other HTTP methods.
config signature
disabled-sub- Disabled signature subclasses. integer Minimum

class <id> Signature subclass ID. value: 0
Maximum
value:
4294967295
disabled- Disabled signatures. integer Minimum

signature Signature ID. value: 0
<id> Maximum
value:
4294967295
credit-card- The minimum number of Credit cards to detect integer Minimum 3

detection- violation. value: 0
threshold Maximum
value: 128
config main-class
id Main signature class ID. integer Minimum 0

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
Option Description
allow Allow.
block Block.
erase Erase credit card numbers.
Option Description
Option Description
high High severity.
low Low severity.
config custom-signature
name Signature name. string Not

Specified
Option Description

Fortinet Inc.
Option Description
allow Allow.
block Block.
erase Erase credit card numbers.
Option Description
Option Description
high High severity.
low Low severity.
direction Traffic direction. option - request
Option Description
request Match HTTP request.
response Match HTTP response.
case-sensitivity Case sensitivity in pattern. option - disable
Option Description
pattern Match pattern. string Not

Specified
target Match HTTP target. option -
Option Description
arg HTTP arguments.
arg-name Names of HTTP arguments.
req-body HTTP request body.

Fortinet Inc.
Option Description
req-cookie HTTP request cookies.
req-cookie-name HTTP request cookie names.
req-filename HTTP request file name.
req-header HTTP request headers.
req-header- HTTP request header names.

name
req-raw-uri Raw URI of HTTP request.
req-uri URI of HTTP request.
resp-body HTTP response body.
resp-hdr HTTP response headers.
resp-status HTTP response status.
config url-access
id URL access ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
action Action. option - permit
Option Description
bypass Allow the HTTP request, also bypass further WAF scanning.
permit Allow the HTTP request, and continue further WAF scanning.
block Block HTTP request.
Option Description

Fortinet Inc.
Option Description
high High severity.
low Low severity.
config access-pattern
id URL access pattern ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
srcaddr Source address. string Not Specified

match.
Option Description
negate Enable/disable match negation. option - disable
Option Description
config waf signature

edit <id>
set desc {string}
set id {integer}
next
end

Fortinet Inc.
desc Signature description. string Not Specified
id Signature ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
config waf sub-class

edit <id>
set id {integer}
set name {string}
next
end
id Signature subclass ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Signature subclass name. string Not Specified

Fortinet Inc.
wanopt

l config wanopt auth-group on page 1808
l config wanopt cache-service on page 1810
l config wanopt content-delivery-network-rule on page 1813
l config wanopt peer on page 1818
l config wanopt profile on page 1819
l config wanopt remote-storage on page 1828
l config wanopt settings on page 1829
l config wanopt webcache on page 1831
config wanopt auth-group
Configure WAN optimization authentication groups.

Description: Configure WAN optimization authentication groups.
edit <name>
set auth-method [cert|psk]
set cert {string}
set name {string}
set peer {string}

Fortinet Inc.
set peer-accept [any|defined|...]
set psk {password}
next
end
auth-method Select certificate or pre-shared key authentication for option - cert

this authentication group.
Option Description
cert Certificate authentication.
psk Pre-shared secret key authentication.
cert Name of certificate to identify this peer. string Not

Specified
name Auth-group name. string Not

Specified
peer If peer-accept is set to one, select the name of one peer string Not
to add to this authentication group. The peer must have Specified
added with the wanopt peer command.
peer-accept Determine if this auth group accepts, any peer, a list of option - any
defined peers, or just one peer.
Option Description
any Accept any peer that can authenticate with this auth group.
defined Accept only the peers added with the wanopt peer command.
one Accept the peer added to this auth group using the peer option.
psk Pre-shared key used by the peers in this authentication password Not
group. Specified

Fortinet Inc.
config wanopt cache-service
Designate cache-service for wan-optimization and webcache.

Description: Designate cache-service for wan-optimization and webcache.
set acceptable-connections [any|peers]
set collaboration [enable|disable]
set device-id {string}
config dst-peer
Description: Modify cache-service destination peer list.
edit <device-id>
set auth-type {integer}
set encode-type {integer}
next
end
set prefer-scenario [balance|prefer-speed|...]
config src-peer
Description: Modify cache-service source peer list.
edit <device-id>
set auth-type {integer}
set encode-type {integer}
next
end
end

Fortinet Inc.
acceptable- Set strategy when accepting cache collaboration option - any

connections connection.
Option Description
any We can accept any cache-collaboration connection.
peers We can only accept connections that are already in src-peers.
collaboration Enable/disable cache-collaboration between cache- option - disable

service clusters.
Option Description
enable Enable cache cache-collaboration.
disable Disable cache cache-collaboration.
device-id Set identifier for this cache device. string Not default_
Specified dev_id
prefer-scenario Set the preferred cache behavior towards the balance option - balance
between latency and hit-ratio.
Option Description
balance Balance between speed and cache hit ratio.
prefer-speed Prefer response speed at the expense of increased cache bypasses.
prefer-cache Prefer improving hit-ratio through increasing latency tolerance.
config dst-peer
device-id Device ID of this peer. string Not

Specified
auth-type Set authentication type for this peer. integer Minimum 0

value: 0
Maximum
value: 255
encode-type Set encode type for this peer. integer Minimum 0

value: 0
Maximum
value: 255

Fortinet Inc.
priority Set priority for this peer. integer Minimum 1

value: 0
Maximum
value: 255
ip Set cluster IP address of this peer. ipv4- Not 0.0.0.0

address- Specified
any
config src-peer
device-id Device ID of this peer. string Not

Specified
auth-type Set authentication type for this peer. integer Minimum 0

value: 0
Maximum
value: 255
encode-type Set encode type for this peer. integer Minimum 0

value: 0
Maximum
value: 255
priority Set priority for this peer. integer Minimum 1

value: 0
Maximum
value: 255
ip Set cluster IP address of this peer. ipv4- Not 0.0.0.0

address- Specified
any

Fortinet Inc.
config wanopt content-delivery-network-rule
Configure WAN optimization content delivery network rules.

Description: Configure WAN optimization content delivery network rules.
edit <name>
set category [vcache|youtube]
set host-domain-name-suffix <name1>, <name2>, ...
set name {string}
set request-cache-control [enable|disable]
set response-cache-control [enable|disable]
set response-expires [enable|disable]
config rules
Description: WAN optimization content delivery network rule entries.
edit <name>
set name {string}
set match-mode [all|any]
set skip-rule-mode [all|any]
config match-entries
Description: List of entries to match.
edit <id>
set id {integer}
set target [path|parameter|...]
set pattern <string1>, <string2>, ...
next
end
config skip-entries
Description: List of entries to skip.
edit <id>

Fortinet Inc.
set id {integer}
set pattern <string1>, <string2>, ...
next
end
config content-id
Description: Content ID settings.
set start-str {string}
set start-skip {integer}
set start-direction [forward|backward]
set end-str {string}
set end-skip {integer}
set end-direction [forward|backward]
set range-str {string}
end
next
end
set updateserver [enable|disable]
next
end
category Content delivery network rule category. option - vcache
Option Description
vcache Vcache content delivery network.
youtube Youtube content delivery network.
comment Comment about this CDN-rule. var-string Not

Specified
host-domain- Suffix portion of the fully qualified domain name. For string Maximum
name-suffix example, fortinet.com in "www.fortinet.com". length: 79
<name> Suffix portion of the fully qualified domain name.
name Name of table. string Not

Specified
request-cache- Enable/disable HTTP request cache control. option - disable

control
Option Description

Fortinet Inc.
response- Enable/disable HTTP response cache control. option - disable

cache-control
Option Description
response- Enable/disable HTTP response cache expires. option - disable

expires
Option Description
status Enable/disable WAN optimization content delivery option - enable

network rules.
Option Description
updateserver Enable/disable update server. option - disable
Option Description
config rules
name WAN optimization content delivery network rule name. string Not
Specified
match-mode Match criteria for collecting content ID. option - all
Option Description
all Must match all of the match entries.
any Must match any of the match entries.
skip-rule- Skip mode when evaluating skip-rules. option - all

mode

Fortinet Inc.
Option Description
all Must match all skip entries.
any Must match any skip entries.
config match-entries

value: 0
Maximum
value:
4294967295
target Option in HTTP header or URL parameter to match. option - path
Option Description
path Match with the URL path.
parameter Match with the URL parameters.
referrer Match with the Referrer option in HTTP header.
youtube-map Match Youtube content-id collection.
youtube-id Match Youtube content-id.
youku-id Match Youku content-id.
pattern Pattern string for matching target (Referrer or URL string Maximum
<string> pattern). For example, a, a*c, *a*, a*c*e, and *. length: 79
Pattern strings.
config skip-entries

value: 0
Maximum
value:
4294967295

Fortinet Inc.
Option Description
pattern Pattern string for matching target (Referrer or URL string Maximum
<string> pattern). For example, a, a*c, *a*, a*c*e, and *. length: 79
Pattern strings.
config content-id
Option Description
hls-manifest Match with HLS manifest.
dash-manifest Match with DASH manifest.
hls-fragment Match HLS stream fragment.
dash-fragment Match DASH stream fragment.
start-str String from which to start search. string Not Specified
start-skip Number of characters in URL to skip after start-str has integer Minimum 0
been matched. value: 0
Maximum
value:
4294967295
start-direction Search direction from start-str match. option - forward

Fortinet Inc.
Option Description
forward Forward direction.
backward Backward direction.
end-str String from which to end search. string Not Specified
end-skip Number of characters in URL to skip after end-str has integer Minimum 0
been matched. value: 0
Maximum
value:
4294967295
end-direction Search direction from end-str match. option - forward
Option Description
forward Forward direction.
backward Backward direction.
range-str Name of content ID within the start string and end string Not Specified
string.
config wanopt peer
Configure WAN optimization peers.

Fortinet Inc.
config wanopt peer
Description: Configure WAN optimization peers.
edit <peer-host-id>
set peer-host-id {string}
next
end
config wanopt peer
ip Peer IP address. ipv4- Not 0.0.0.0

address- Specified
any
peer-host-id Peer host ID. string Not

Specified
config wanopt profile
Configure WAN optimization profiles.

Description: Configure WAN optimization profiles.
edit <name>
set auth-group {string}
config cifs

Fortinet Inc.
Description: Enable/disable CIFS (Windows sharing) WAN Optimization and
configure CIFS WAN Optimization features.
set secure-tunnel [enable|disable]
set byte-caching [enable|disable]
set prefer-chunking [dynamic|fix]
set protocol-opt [protocol|tcp]
set tunnel-sharing [shared|express-shared|...]
set log-traffic [enable|disable]
end
config ftp
Description: Enable/disable FTP WAN Optimization and configure FTP WAN
Optimization features.
end
config http
Description: Enable/disable HTTP WAN Optimization and configure HTTP WAN
end
config mapi
Description: Enable/disable MAPI email WAN Optimization and configure MAPI WAN
end
set name {string}
config tcp
Description: Enable/disable TCP WAN Optimization and configure TCP WAN
set byte-caching-opt [mem-only|mem-disk]
set port {user}

Fortinet Inc.
set ssl-port {user}
end
set transparent [enable|disable]
next
end
auth-group Optionally add an authentication group to restrict string Not

access to the WAN Optimization tunnel to peers in the Specified
authentication group.

Specified

Specified
transparent Enable/disable transparent mode. option - enable
Option Description
enable Determine if WAN Optimization changes client packet source addresses.

Affects the routing configuration on the server network.
disable Disable transparent mode. Client packets source addresses are changed to
the source address of the FortiGate internal interface. Similar to source NAT.
config cifs
status Enable/disable WAN Optimization. option - disable
Option Description
enable Enable WAN Optimization.
disable Disable WAN Optimization.
secure-tunnel Enable/disable securing the WAN Opt tunnel using option - disable
SSL. Secure and non-secure tunnels use the same TCP
port (7810).
Option Description
enable Enable SSL-secured tunnelling.
disable Disable SSL-secured tunnelling.

Fortinet Inc.
byte-caching Enable/disable byte-caching. Byte caching reduces the option - enable

amount of traffic by caching file data sent across the
WAN and in future serving if from the cache.
Option Description
enable Enable byte-caching.
disable Disable byte-caching.
prefer- Select dynamic or fixed-size data chunking for WAN option - fix
chunking Optimization.
Option Description
dynamic Select dynamic data chunking to help to detect persistent data chunks in a
changed file or in an embedded unknown protocol.
fix Select fixed data chunking.
protocol-opt Select protocol specific optimization or generic TCP option - protocol

optimization.
Option Description
protocol Using protocol-specific optimization.
tcp Using generic TCP optimization.
tunnel- Tunnel sharing mode for aggressive/non-aggressive option - private

sharing and/or interactive/non-interactive protocols.
Option Description
shared For profiles that accept nonaggressive and non-interactive protocols.
express-shared For profiles that accept interactive protocols such as Telnet.
private For profiles that accept aggressive protocols such as HTTP and FTP so that
these aggressive protocols do not share tunnels with less-aggressive
protocols.
log-traffic Enable/disable logging. option - enable
Option Description

Fortinet Inc.
config ftp
Option Description
port (7810).
Option Description

Option Description
ssl Enable/disable SSL/TLS offloading (hardware option - disable

acceleration) for traffic in this tunnel.
Option Description
enable Enable SSL/TLS offloading.
disable Disable SSL/TLS offloading.
Option Description

optimization.

Fortinet Inc.
Option Description

Option Description
protocols.
Option Description
config http
Option Description
port (7810).
Option Description


Fortinet Inc.
Option Description

Option Description
Option Description

optimization.
Option Description

Option Description
protocols.
Option Description

Fortinet Inc.
config mapi
Option Description
port (7810).
Option Description

Option Description

Option Description
protocols.
Option Description

Fortinet Inc.
config tcp
Option Description
port (7810).
Option Description
byte-caching Enable/disable byte-caching. Byte caching reduces the option - disable

Option Description
byte-caching- Select whether TCP byte-caching uses system memory option - mem-only
opt only or both memory and disk space.
Option Description
mem-only Byte caching with memory only.
mem-disk Byte caching with memory and disk.

Option Description
protocols.

Fortinet Inc.
Option Description
port Port numbers or port number ranges for TCP. Only user Not
packets with a destination port number that matches this Specified
port number or range are accepted by this profile.

Option Description
ssl-port Port numbers or port number ranges on which to expect user Not
HTTPS traffic for SSL/TLS offloading. Specified
config wanopt remote-storage
Configure a remote cache device as Web cache storage.

Description: Configure a remote cache device as Web cache storage.

Fortinet Inc.
set local-cache-id {string}
set remote-cache-id {string}
set remote-cache-ip {ipv4-address-any}
end
local-cache-id ID that this device uses to connect to the remote device. string Not
Specified
remote- ID of the remote device to which the device connects. string Not
cache-id Specified
remote- IP address of the remote device to which the device ipv4- Not 0.0.0.0
cache-ip connects. address- Specified
any
status Enable/disable using remote device as Web cache option - disable

storage.
Option Description
disable Use local disks as Web cache storage.
enable Use a remote device as Web cache storage.
config wanopt settings

Fortinet Inc.
Configure WAN optimization settings.
Description: Configure WAN optimization settings.
set auto-detect-algorithm [simple|diff-req-resp]
set host-id {string}
set tunnel-optimization [memory-usage|balanced|...]
set tunnel-ssl-algorithm [high|medium|...]
end
auto-detect- Auto detection algorithms used in tunnel negotiations. option - simple

algorithm
Option Description
simple Use the same TCP option value in SYN/SYNACK packets. Backward
compatible.
diff-req-resp Use different TCP option values in SYN/SYNACK packets to avoid false
positive detection.
host-id Local host ID (must also be entered in the remote string Not default-id
FortiGate's peer list). Specified
tunnel- WANOpt tunnel optimization option. option - balanced **

optimization
Option Description
memory-usage Optimize tunnel for low system memory usage.
balanced Optimize tunnel to balance between system memory usage and throughput.
throughput Optimize tunnel for throughput.
tunnel-ssl- Relative strength of encryption algorithms accepted option - high

algorithm during tunnel negotiation.
Option Description

Fortinet Inc.
config wanopt webcache
Configure global Web cache settings.

Description: Configure global Web cache settings.
set always-revalidate [enable|disable]
set cache-by-default [enable|disable]
set cache-cookie [enable|disable]
set cache-expired [enable|disable]
set default-ttl {integer}
set fresh-factor {integer}
set host-validate [enable|disable]
set ignore-conditional [enable|disable]
set ignore-ie-reload [enable|disable]
set ignore-ims [enable|disable]
set ignore-pnc [enable|disable]
set max-object-size {integer}
set max-ttl {integer}
set min-ttl {integer}
set neg-resp-time {integer}
set reval-pnc [enable|disable]
end

Fortinet Inc.
always- Enable/disable revalidation of requested cached option - disable

revalidate objects, which have content on the server, before
serving it to the client.
Option Description
enable Enable revalidation of requested cached objects.
disable Disable revalidation of requested cached objects.
cache-by- Enable/disable caching content that lacks explicit option - disable

default caching policies from the server.
Option Description
enable Enable caching content that lacks explicit caching policies.
disable Disable caching content that lacks explicit caching policies.
cache-cookie Enable/disable caching cookies. Since cookies option - disable

contain information for or about individual users, they
not usually cached.
Option Description
enable Cache cookies.
disable Do not cache cookies.
cache-expired Enable/disable caching type-1 objects that are option - disable

already expired on arrival.
Option Description
default-ttl Default object expiry time. This only applies to those integer Minimum 1440
objects that do not have an expiry time set by the web value: 1
server. Maximum
value:
5256000
external Enable/disable external Web caching. option - disable
Option Description
enable Enable external Web caching.
disable Disable external Web caching.

Fortinet Inc.
fresh-factor Frequency that the server is checked to see if any integer Minimum 100
objects have expired. The higher the fresh factor, the value: 1
less often the checks occur. Maximum
value: 100
host-validate Enable/disable validating "Host:" with original server option - disable

IP.
Option Description
enable Enable validating "Host:" with original server IP.
disable Disable validating "Host:" with original server IP.
ignore- Enable/disable controlling the behavior of cache- option - disable

conditional control HTTP 1.1 header values.
Option Description
enable Enable ignoring cache-control HTTP 1.1 header values.
disable Disable ignoring cache-control HTTP 1.1 header values.
ignore-ie- Enable/disable ignoring the PNC-interpretation of option - enable

reload Internet Explorer's Accept: / header.
Option Description
enable Enable Enable/disable ignoring the PNC-interpretation of Internet Explorer's

Accept: / header.
disable Disable Enable/disable ignoring the PNC-interpretation of Internet Explorer's

Accept: / header.
ignore-ims Enable/disable ignoring the if-modified-since (IMS) option - disable

header.
Option Description
enable Enable ignoring the if-modified-since (IMS) header.
disable Disable ignoring the if-modified-since (IMS) header.
ignore-pnc Enable/disable ignoring the pragma no-cache (PNC) option - disable

header.
Option Description
enable Enable ignoring the pragma no-cache (PNC) header.
disable Disable ignoring the pragma no-cache (PNC) header.

Fortinet Inc.
max-object- Maximum cacheable object size in kB. All objects that integer Minimum 512000
size exceed this are delivered to the client but not stored in value: 1
the web cache. Maximum
value:
2147483
max-ttl Maximum time an object can stay in the web cache integer Minimum 7200
without checking to see if it has expired on the server. value: 1
Maximum
value:
5256000
min-ttl Minimum time an object can stay in the web cache integer Minimum 5
without checking to see if it has expired on the server. value: 1
Maximum
value:
5256000
neg-resp-time Time in minutes to cache negative responses or integer Minimum 0

errors. value: 0
Maximum
value:
4294967295
reval-pnc Enable/disable revalidation of pragma-no-cache option - disable

(PNC) to address bandwidth concerns.
Option Description
enable Enable revalidation of pragma-no-cache (PNC).
disable Disable revalidation of pragma-no-cache (PNC).

Fortinet Inc.
web-proxy

l config web-proxy debug-url on page 1835
l config web-proxy explicit on page 1836
l config web-proxy forward-server-group on page 1841
l config web-proxy forward-server on page 1842
l config web-proxy global on page 1844
l config web-proxy profile on page 1846
l config web-proxy url-match on page 1850
l config web-proxy wisp on page 1851
config web-proxy debug-url
Configure debug URL addresses.

Description: Configure debug URL addresses.
edit <name>
set exact [enable|disable]
set name {string}
set url-pattern {string}
next
end
exact Enable/disable matching the exact path. option - enable
Option Description
enable Enable matching the exact path.
disable Disable matching the exact path.
name Debug URL name. string Not

Specified
status Enable/disable this URL exemption. option - enable

Fortinet Inc.
Option Description
enable Enable this URL exemption.
disable Disable this URL exemption.
url-pattern URL exemption pattern. string Not

Specified
config web-proxy explicit
Configure explicit Web proxy settings.

Description: Configure explicit Web proxy settings.
set ftp-incoming-port {user}
set ftp-over-http [enable|disable]
set http-incoming-port {user}
set https-incoming-port {user}
set https-replacement-message [enable|disable]
set incoming-ip {ipv4-address-any}
set incoming-ip6 {ipv6-address}
set ipv6-status [enable|disable]
set message-upon-server-error [enable|disable]
set outgoing-ip6 {ipv6-address}
set pac-file-data {user}
set pac-file-name {string}
set pac-file-server-port {user}
set pac-file-server-status [enable|disable]
set pac-file-url {user}
config pac-policy
Description: PAC policies.
edit <policyid>
set pac-file-name {string}
set pac-file-data {user}
next
end
set pref-dns-result [ipv4|ipv6]
set realm {string}
set sec-default-action [accept|deny]
set socks [enable|disable]
set socks-incoming-port {user}
set strict-guest [enable|disable]

Fortinet Inc.
set trace-auth-no-rsp [enable|disable]
set unknown-http-version [reject|best-effort]
end
ftp-incoming- Accept incoming FTP-over-HTTP requests on one or user Not

port more ports. Specified
ftp-over-http Enable to proxy FTP-over-HTTP sessions sent from a option - disable

web browser.
Option Description
enable Enable FTP-over-HTTP sessions.
disable Disable FTP-over-HTTP sessions.
http-incoming- Accept incoming HTTP requests on one or more ports. user Not
port Specified
https-incoming- Accept incoming HTTPS requests on one or more user Not

port ports. Specified
https- Enable/disable sending the client a replacement option - enable

replacement- message for HTTPS requests.
message
Option Description
enable Display a replacement message for HTTPS requests.
disable Do not display a replacement message for HTTPS requests.
incoming-ip Restrict the explicit HTTP proxy to only accept ipv4- Not 0.0.0.0
sessions from this IP address. An interface must have address- Specified
this IP address. any
incoming-ip6 Restrict the explicit web proxy to only accept sessions ipv6- Not ::
from this IPv6 address. An interface must have this address Specified
IPv6 address.
ipv6-status Enable/disable allowing an IPv6 web proxy destination option - disable

in policies and all IPv6 related entries in this command.
Option Description
enable Enable allowing an IPv6 web proxy destination.
disable Disable allowing an IPv6 web proxy destination.

Fortinet Inc.
message-upon- Enable/disable displaying a replacement message option - enable

server-error when a server error is detected.
Option Description
enable Display a replacement message when a server error is detected.
disable Do not display a replacement message when a server error is detected.
outgoing-ip Outgoing HTTP requests will have this IP address as ipv4- Not
their source address. An interface must have this IP address- Specified
address. any
outgoing-ip6 Outgoing HTTP requests will leave this IPv6. Multiple ipv6- Not
interfaces can be specified. Interfaces must have address Specified
these IPv6 addresses.
pac-file-data PAC file contents enclosed in quotes (maximum of user Not

256K bytes). Specified
pac-file-name Pac file name. string Not proxy.pac

Specified
pac-file-server- Port number that PAC traffic from client web browsers user Not
port uses to connect to the explicit web proxy. Specified
pac-file-server- Enable/disable Proxy Auto-Configuration (PAC) for option - disable

status users of this explicit proxy profile.
Option Description
enable Enable Proxy Auto-Configuration (PAC).
disable Disable Proxy Auto-Configuration (PAC).
pac-file-url PAC file access URL. user Not

Specified
pref-dns-result Prefer resolving addresses using the configured IPv4 option - ipv4
or IPv6 DNS server.
Option Description
ipv4 Prefer the IPv4 DNS server.
ipv6 Prefer the IPv6 DNS server.
realm Authentication realm used to identify the explicit web string Not default
proxy (maximum of 63 characters). Specified
sec-default- Accept or deny explicit web proxy sessions when no option - deny
action web proxy firewall policy exists.

Fortinet Inc.
Option Description
accept Accept requests. All explicit web proxy traffic is accepted whether there is an
explicit web proxy policy or not.
deny Deny requests unless there is a matching explicit web proxy policy.
socks Enable/disable the SOCKS proxy. option - disable
Option Description
enable Enable the SOCKS proxy.
disable Disable the SOCKS proxy.
socks- Accept incoming SOCKS proxy requests on one or user Not

incoming-port more ports. Specified
ssl-algorithm Relative strength of encryption algorithms accepted in option - low

HTTPS deep scan: high, medium, or low.
Option Description
high High encrption. Allow only AES and ChaCha.
status Enable/disable the explicit Web proxy for HTTP and option - disable
HTTPS session.
Option Description
enable Enable the explicit web proxy.
disable Disable the explicit web proxy.
strict-guest Enable/disable strict guest user checking by the option - disable

explicit web proxy.
Option Description
enable Enable strict guest user checking.
disable Disable strict guest user checking.
trace-auth-no- Enable/disable logging timed-out authentication option - disable

rsp requests.

Fortinet Inc.
Option Description
enable Enable logging timed-out authentication requests.
disable Disable logging timed-out authentication requests.
unknown-http- How to handle HTTP sessions that do not comply with option - reject
version HTTP 0.9, 1.0, or 1.1.
Option Description
reject Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
best-effort Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session
uses a different HTTP version, it may not parse correctly and the connection
may be lost.
config pac-policy

value: 1
Maximum
value: 100
status Enable/disable policy. option - enable
Option Description
enable Enable policy.
disable Disable policy.

srcaddr6 Source address6 objects. string Maximum


pac-file-name Pac file name. string Not proxy.pac

Specified
pac-file-data PAC file contents enclosed in quotes (maximum of user Not

256K bytes). Specified
comments Optional comments. var-string Not

Specified

Fortinet Inc.
config web-proxy forward-server-group
Configure a forward server group consisting or multiple forward servers. Supports failover and load balancing.
Description: Configure a forward server group consisting or multiple forward servers.
Supports failover and load balancing.
edit <name>
set affinity [enable|disable]
set group-down-option [block|pass]
set ldb-method [weighted|least-session|...]
set name {string}
config server-list
Description: Add web forward servers to a list to form a server group.
Optionally assign weights to each server.
edit <name>
set name {string}
next
end
next
end
affinity Enable/disable affinity, attaching a source-ip's traffic to option - enable

the assigned forwarding server until the forward-server-
affinity-timeout is reached (under web-proxy global).
Option Description
enable Enable affinity.
disable Disable affinity.
group-down- Action to take when all of the servers in the forward option - block
option server group are down: block sessions until at least one
server is back up or pass sessions to their destination.
Option Description
block Block sessions until at least one server in the group is back up.
pass Pass sessions to their destination bypassing servers in the forward server
group.
ldb-method Load balance method: weighted or least-session. option - weighted

Fortinet Inc.
Option Description
weighted Load balance traffic to forward servers based on assigned weights. Weights
are ratios of total number of sessions.
least-session Send new sessions to the server with lowest session count.
active-passive Send new sessions to the next active server in the list. Servers are selected
with highest weight first and then in order as they are configured. Traffic
switches back to the first server upon failure recovery.
name Configure a forward server group consisting one or string Not

multiple forward servers. Supports failover and load Specified
balancing.
config server-list
name Forward server name. string Not

Specified
weight Optionally assign a weight of the forwarding server for integer Minimum 10
weighted load balancing. value: 1
Maximum
value: 100
config web-proxy forward-server
Configure forward-server addresses.

Description: Configure forward-server addresses.
edit <name>
set fqdn {string}
set healthcheck [disable|enable]
set monitor {string}
set name {string}
set port {integer}
set server-down-option [block|pass]
next
end

Fortinet Inc.
addr-type Address type of the forwarding proxy option - ip

server: IP or FQDN.
Option Description
ip Use an IP address for the forwarding proxy server.
fqdn Use the FQDN for the forwarding proxy server.
comment Comment. string Not

Specified
fqdn Forward server Fully Qualified Domain string Not

Name (FQDN). Specified
healthcheck Enable/disable forward server health option - disable

checking. Attempts to connect through
the remote forwarding server to a
destination to verify that the forwarding
server is operating normally.
Option Description
disable Disable health checking.
enable Enable health checking.
ip Forward proxy server IP address. ipv4- Not 0.0.0.0

address- Specified
any
monitor URL for forward server health check string Not http://www.google.com
monitoring. Specified

Specified
password HTTP authentication password. password Not

Specified
port Port number that the forwarding server integer Minimum 3128
expects to receive HTTP sessions on. value: 1
Maximum
value:
65535
server-down- Action to take when the forward server is option - block

option found to be down: block sessions until the
server is back up or pass sessions to their
destination.

Fortinet Inc.
Option Description
block Block sessions until the server is back up.
pass Pass sessions to their destination bypassing the forward server.
username HTTP authentication user name. string Not

Specified
config web-proxy global
Configure Web proxy global settings.

Description: Configure Web proxy global settings.
set fast-policy-match [enable|disable]
set forward-proxy-auth [enable|disable]
set forward-server-affinity-timeout {integer}
set ldap-user-cache [enable|disable]
set learn-client-ip [enable|disable]
set learn-client-ip-from-header {option1}, {option2}, ...
set learn-client-ip-srcaddr <name1>, <name2>, ...
set learn-client-ip-srcaddr6 <name1>, <name2>, ...
set max-message-length {integer}
set max-request-length {integer}
set max-waf-body-cache-length {integer}
set proxy-fqdn {string}
set src-affinity-exempt-addr {ipv4-address-any}
set src-affinity-exempt-addr6 {ipv6-address}
set ssl-ca-cert {string}
set strict-web-check [enable|disable]
end
fast-policy- Enable/disable fast matching algorithm for explicit and option - enable
match transparent proxy policy.
Option Description
forward- Enable/disable forwarding proxy authentication option - disable

proxy-auth headers.

Fortinet Inc.
Option Description
enable Enable forwarding proxy authentication headers.
disable Disable forwarding proxy authentication headers.
forward- Period of time before the source IP's traffic is no integer Minimum 30
server- longer assigned to the forwarding server. value: 6
affinity- Maximum
timeout value: 60
ldap-user- Enable/disable LDAP user cache for explicit and option - disable
cache transparent proxy user.
Option Description
learn-client-ip Enable/disable learning the client's IP address from option - disable

headers.
Option Description
enable Enable learning the client's IP address from headers.
disable Disable learning the client's IP address from headers.
learn-client- Learn client IP address from the specified headers. option -

ip-from-
header
Option Description
true-client-ip Learn the client IP address from the True-Client-IP header.
x-real-ip Learn the client IP address from the X-Real-IP header.
x-forwarded-for Learn the client IP address from the X-Forwarded-For header.
learn-client- Source address name (srcaddr or srcaddr6 must be string Maximum

ip-srcaddr set). length: 79
learn-client- IPv6 Source address name (srcaddr or srcaddr6 must string Maximum
ip-srcaddr6 be set). length: 79
max- Maximum length of HTTP message, not including integer Minimum 32

message- body. value: 16
length Maximum
value: 256

Fortinet Inc.
max-request- Maximum length of HTTP request line. integer Minimum 8

length value: 2
Maximum
value: 64
max-waf- Maximum length of HTTP messages processed by integer Minimum 32

body-cache- Web Application Firewall. value: 10
length Maximum
value: 1024
proxy-fqdn Fully Qualified Domain Name to connect to the explicit string Not default.fqdn
web proxy. Specified
src-affinity- IPv4 source addresses to exempt proxy affinity. ipv4- Not

exempt-addr address- Specified
any
src-affinity- IPv6 source addresses to exempt proxy affinity. ipv6- Not

exempt-addr6 address Specified
ssl-ca-cert SSL CA certificate for SSL interception. string Not Fortinet_CA_

Specified SSL
ssl-cert SSL certificate for SSL interception. string Not Fortinet_

Specified Factory
strict-web- Enable/disable strict web checking to block web sites option - disable
check that send incorrect headers that don't conform to
HTTP 1.1.
Option Description
enable Enable strict web checking.
disable Disable strict web checking.
webproxy- Name of the web proxy profile to apply when explicit string Not
profile proxy traffic is allowed by default and traffic is Specified
accepted that does not match an explicit proxy policy.
config web-proxy profile
Configure web proxy profiles.

Description: Configure web proxy profiles.
edit <name>
set header-client-ip [pass|add|...]
set header-front-end-https [pass|add|...]
set header-via-request [pass|add|...]
set header-via-response [pass|add|...]
set header-x-authenticated-groups [pass|add|...]
set header-x-authenticated-user [pass|add|...]

Fortinet Inc.
set header-x-forwarded-client-cert [pass|add|...]
set header-x-forwarded-for [pass|add|...]
config headers
Description: Configure HTTP forwarded requests headers.
edit <id>
set id {integer}
set name {string}
set action [add-to-request|add-to-response|...]
set base64-encoding [disable|enable]
set add-option [append|new-on-not-found|...]
next
end
set log-header-change [enable|disable]
set name {string}
set strip-encoding [enable|disable]
next
end
header-client-ip Action to take on the HTTP client-IP header in option - pass

forwarded requests: forwards (pass), adds, or
removes the HTTP header.
Option Description
header-front- Action to take on the HTTP front-end-HTTPS header option - pass

end-https in forwarded requests: forwards (pass), adds, or
Option Description
header-via- Action to take on the HTTP via header in forwarded option - pass
request requests: forwards (pass), adds, or removes the
HTTP header.

Fortinet Inc.
Option Description
header-via- Action to take on the HTTP via header in forwarded option - pass
response responses: forwards (pass), adds, or removes the
HTTP header.
Option Description
header-x- Action to take on the HTTP x-authenticated-groups option - pass

authenticated- header in forwarded requests: forwards (pass), adds,
groups or removes the HTTP header.
Option Description
header-x- Action to take on the HTTP x-authenticated-user option - pass

authenticated- header in forwarded requests: forwards (pass), adds,
user or removes the HTTP header.
Option Description
header-x- Action to take on the HTTP x-forwarded-client-cert option - pass

forwarded-client- header in forwarded requests: forwards (pass), adds,
cert or removes the HTTP header.
Option Description

Fortinet Inc.
Option Description
header-x- Action to take on the HTTP x-forwarded-for header in option - pass

forwarded-for forwarded requests: forwards (pass), adds, or
Option Description
log-header- Enable/disable logging HTTP header changes. option - disable

change
Option Description
enable Enable Enable/disable logging HTTP header changes.
disable Disable Enable/disable logging HTTP header changes.

Specified
strip-encoding Enable/disable stripping unsupported encoding from option - disable

the request header.
Option Description
enable Enable stripping of unsupported encoding from the request header.
disable Disable stripping of unsupported encoding from the request header.
config headers
id HTTP forwarded header id. integer Minimum 0

value: 0
Maximum
value:
4294967295
name HTTP forwarded header name. string Not Specified
dstaddr Destination address and address group names. string Maximum


Fortinet Inc.
dstaddr6 Destination address and address group names (IPv6). string Maximum
action Action when the HTTP header is forwarded. option - add-to-

request
Option Description
add-to-request Add the HTTP header to request.
add-to-response Add the HTTP header to response.
remove-from- Remove the HTTP header from request.

request
remove-from- Remove the HTTP header from response.

response
content HTTP header content. string Not Specified
base64- Enable/disable use of base64 encoding of HTTP option - disable

encoding content.
Option Description
disable Disable use of base64 encoding of HTTP content.
enable Enable use of base64 encoding of HTTP content.
add-option Configure options to append content to existing HTTP option - new

header or add new HTTP header.
Option Description
append Append content to existing HTTP header or create new header if HTTP
header is not found.
new-on-not- Create new header only if existing HTTP header is not found.
found
new Create new header regardless if existing HTTP header is found or not.
protocol Configure protocol(s) to take add-option action on option - https http

(HTTP, HTTPS, or both).
Option Description
https Perform add-option action on HTTPS.
http Perform add-option action on HTTP.
config web-proxy url-match
Exempt URLs from web proxy forwarding and caching.

Fortinet Inc.
Description: Exempt URLs from web proxy forwarding and caching.
edit <name>
set cache-exemption [enable|disable]
set forward-server {string}
set name {string}
set url-pattern {string}
next
end
cache- Enable/disable exempting this URL pattern from option - disable

exemption caching.
Option Description
enable Enable exempting this URL pattern from caching.
disable Disable exempting this URL pattern from caching.

Specified
forward- Forward server name. string Not

server Specified
name Configure a name for the URL to be exempted. string Not

Specified
status Enable/disable exempting the URLs matching the URL option - enable
pattern from web proxy forwarding and caching.
Option Description
enable Enable exempting the matching URLs.
disable Disable exempting the matching URLs.
url-pattern URL pattern to be exempted from web proxy forwarding string Not
and caching. Specified
config web-proxy wisp
Configure Websense Integrated Services Protocol (WISP) servers.

Description: Configure Websense Integrated Services Protocol (WISP) servers.
edit <name>

Fortinet Inc.
set name {string}
set server-ip {ipv4-address-any}
next
end

Specified
max- Maximum number of web proxy WISP connections. integer Minimum 64

connections value: 4
Maximum
value: 4096

Specified
outgoing-ip WISP outgoing IP address. ipv4- Not 0.0.0.0

address- Specified
any
server-ip WISP server IP address. ipv4- Not 0.0.0.0

address- Specified
any
server-port WISP server port. integer Minimum 15868

value: 1
Maximum
value:
65535
timeout Period of time before WISP requests time out. integer Minimum 5
value: 1
Maximum
value: 15

Fortinet Inc.
webfilter

l config webfilter categories on page 1853
l config webfilter content-header on page 1853
l config webfilter content on page 1854
l config webfilter fortiguard on page 1856
l config webfilter ftgd-local-cat on page 1858
l config webfilter ftgd-local-rating on page 1859
l config webfilter ftgd-statistics on page 1860
l config webfilter ips-urlfilter-cache-setting on page 1860
l config webfilter ips-urlfilter-setting on page 1860
l config webfilter ips-urlfilter-setting6 on page 1861
l config webfilter override-usr on page 1862
l config webfilter override on page 1862
l config webfilter profile on page 1863
l config webfilter search-engine on page 1880
l config webfilter status on page 1881
l config webfilter urlfilter on page 1881
config webfilter categories
List the FortiGuard Web Filter category descriptions.

config webfilter categories
Description: List the FortiGuard Web Filter category descriptions.
end
config webfilter content-header
Configure content types used by Web filter.

Description: Configure content types used by Web filter.
edit <id>
config entries
Description: Configure content types used by web filter.
edit <pattern>
set action [block|allow|...]
set category {user}
next
end

Fortinet Inc.
set id {integer}
set name {string}
next
end

value: 0
Maximum
value:
4294967295
config entries
pattern Content type (regular expression). string Not

Specified
action Action to take for this content type. option - allow
Option Description
block Block content type.
allow Allow content type.
exempt Exempt content type.
category Categories that this content type applies to. user Not all
Specified
config webfilter content
Configure Web filter banned word table.

Description: Configure Web filter banned word table.
edit <id>
config entries
Description: Configure banned word entries.
edit <name>
set name {string}

Fortinet Inc.
set lang [western|simch|...]
set score {integer}
set action [block|exempt]
next
end
set id {integer}
set name {string}
next
end

value: 0
Maximum
value:
4294967295
config entries
name Banned word. string Not Specified
pattern-type Banned word pattern type: wildcard pattern or Perl option - wildcard
regular expression.
Option Description
status Enable/disable banned word. option - disable
Option Description
lang Language of banned word. option - western
Option Description
western Western.

Fortinet Inc.
Option Description
japanese Japanese.
korean Korean.
french French.
thai Thai.
spanish Spanish.
cyrillic Cyrillic.
score Score, to be applied every time the word appears on a integer Minimum 10
web page. value: 0
Maximum
value:
4294967295
action Block or exempt word when a match is found. option - block
Option Description
block Block matches.
exempt Exempt matches.
config webfilter fortiguard
Configure FortiGuard Web Filter service.

Description: Configure FortiGuard Web Filter service.
set cache-mem-percent {integer}
set cache-mode [ttl|db-ver]
set cache-prefix-match [enable|disable]
set close-ports [enable|disable]
set ovrd-auth-https [enable|disable]
set ovrd-auth-port-http {integer}
set ovrd-auth-port-https {integer}
set ovrd-auth-port-https-flow {integer}
set ovrd-auth-port-warning {integer}
set request-packet-size-limit {integer}
set warn-auth-https [enable|disable]
end

Fortinet Inc.
cache-mem- Maximum percentage of available memory allocated to integer Minimum 2 **

percent caching. value: 1
Maximum
value: 15
cache-mode Cache entry expiration mode. option - ttl
Option Description
ttl Expire cache items by time-to-live.
db-ver Expire cache items when the server DB version changes.
cache-prefix- Enable/disable prefix matching in the cache. option - enable

match
Option Description
close-ports Close ports used for HTTP/HTTPS override option - disable

authentication and disable user overrides.
Option Description
ovrd-auth- Enable/disable use of HTTPS for override option - enable

https authentication.
Option Description
ovrd-auth- Port to use for FortiGuard Web Filter HTTP override integer Minimum 8008
port-http authentication. value: 0
Maximum
value:
65535

Fortinet Inc.
ovrd-auth- Port to use for FortiGuard Web Filter HTTPS override integer Minimum 8010
port-https authentication in proxy mode. value: 0
Maximum
value:
65535
ovrd-auth- Port to use for FortiGuard Web Filter HTTPS override integer Minimum 8015
port-https- authentication in flow mode. value: 0
flow Maximum
value:
65535
ovrd-auth- Port to use for FortiGuard Web Filter Warning override integer Minimum 8020
port-warning authentication. value: 0
Maximum
value:
65535
request- Limit size of URL request packets sent to FortiGuard integer Minimum 0
packet-size- server. value: 576
limit Maximum
value:
10000
warn-auth- Enable/disable use of HTTPS for warning and option - enable

https authentication.
Option Description
config webfilter ftgd-local-cat
Configure FortiGuard Web Filter local categories.

Description: Configure FortiGuard Web Filter local categories.
edit <desc>
set desc {string}
set id {integer}
next
end

Fortinet Inc.
desc Local category description. string Not

Specified
id Local category ID. integer Minimum 0

value: 140
Maximum
value: 191
status Enable/disable the local category. option - enable
Option Description
enable Enable the local category.
disable Disable the local category.
config webfilter ftgd-local-rating
Configure local FortiGuard Web Filter local ratings.

Description: Configure local FortiGuard Web Filter local ratings.
edit <url>
set rating {user}
set url {string}
next
end

Specified
rating Local rating. user Not

Specified
status Enable/disable local rating. option - enable
Option Description
enable Enable local rating.
disable Disable local rating.

Fortinet Inc.
url URL to rate locally. string Not

Specified
config webfilter ftgd-statistics
Display rating cache and daemon statistics.

config webfilter ftgd-statistics
Description: Display rating cache and daemon statistics.
end
config webfilter ips-urlfilter-cache-setting
Configure IPS URL filter cache settings.

Description: Configure IPS URL filter cache settings.
set dns-retry-interval {integer}
set extended-ttl {integer}
end
dns-retry- Retry interval. Refresh DNS faster than TTL to capture integer Minimum 0
interval multiple IPs for hosts. 0 means use DNS server's TTL value: 0
only. Maximum
value:
2147483
extended-ttl Extend time to live beyond reported by DNS. Use of 0 integer Minimum 0
means use DNS server's TTL. value: 0
Maximum
value:
2147483
config webfilter ips-urlfilter-setting
Configure IPS URL filter settings.

Description: Configure IPS URL filter settings.
set device {string}

Fortinet Inc.
set geo-filter {var-string}
end
device Interface for this route. string Not

Specified
distance Administrative distance for this route. integer Minimum 1

value: 1
Maximum
value: 255
gateway Gateway IP address for this route. ipv4- Not 0.0.0.0

address Specified
geo-filter Filter based on geographical location. Route will NOT var-string Not
be installed if the resolved IP address belongs to the Specified
country in the filter.
config webfilter ips-urlfilter-setting6
Configure IPS URL filter settings for IPv6.

Description: Configure IPS URL filter settings for IPv6.
set device {string}
set geo-filter {var-string}
end
device Interface for this route. string Not

Specified
distance Administrative distance for this route. integer Minimum 1

value: 1
Maximum
value: 255
gateway6 Gateway IPv6 address for this route. ipv6- Not ::

address Specified
geo-filter Filter based on geographical location. Route will NOT var-string Not
be installed if the resolved IPv6 address belongs to the Specified
country in the filter.

Fortinet Inc.
config webfilter override-usr
Display list of user overrides.

config webfilter override-usr
Description: Display list of user overrides.
end
config webfilter override
Configure FortiGuard Web Filter administrative overrides.

Description: Configure FortiGuard Web Filter administrative overrides.
edit <id>
set expires {user}
set id {integer}
set initiator {string}
set new-profile {string}
set old-profile {string}
set scope [user|user-group|...]
set user {string}
set user-group {string}
next
end
expires Override expiration date and time, from 5 minutes to user Not Specified 1969/12/31
365 from now (format: yyyy/mm/dd hh:mm:ss). 16:00:00 **
id Override rule ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
initiator Initiating user of override (read-only setting). string Not Specified
ip IPv4 address which the override applies. ipv4- Not Specified 0.0.0.0
address
ip6 IPv6 address which the override applies. ipv6- Not Specified ::
address
new-profile Name of the new web filter profile used by the string Not Specified
override.

Fortinet Inc.
old-profile Name of the web filter profile which the override string Not Specified
applies.
scope Override either the specific user, user group, IPv4 option - user
address, or IPv6 address.
Option Description
user Override the specified user.
user-group Override the specified user group.
ip Override the specified IP address.
ip6 Override the specified IPv6 address.
status Enable/disable override rule. option - disable
Option Description
enable Enable override rule.
disable Disable override rule.
user Name of the user which the override applies. string Not Specified
user-group Specify the user group for which the override string Not Specified
applies.
config webfilter profile
Configure Web filter profiles.

Description: Configure Web filter profiles.
edit <name>
config antiphish
Description: AntiPhishing profile.
set default-action [exempt|log|...]
set check-uri [enable|disable]
set check-basic-auth [enable|disable]
set check-username-only [enable|disable]
set max-body-len {integer}
config inspection-entries
Description: AntiPhishing entries.
edit <name>
set name {string}
set fortiguard-category {user}
set action [exempt|log|...]
next
end

Fortinet Inc.
config custom-patterns
Description: Custom username and password regex patterns.
edit <pattern>
set category [username|password]
set type [regex|literal]
next
end
set authentication [domain-controller|ldap]
set ldap {string}
end
config ftgd-wf
Description: FortiGuard Web Filter settings.
set exempt-quota {user}
set ovrd {user}
config filters
Description: FortiGuard filters.
edit <id>
set id {integer}
set action [block|authenticate|...]
set warn-duration {user}
set auth-usr-grp <name1>, <name2>, ...
set override-replacemsg {string}
set warning-prompt [per-domain|per-category]
set warning-duration-type [session|timeout]
next
end
config quota
Description: FortiGuard traffic quota settings.
edit <id>
set id {integer}
set category {user}
set type [time|traffic]
set unit [B|KB|...]
set value {integer}
set duration {user}
set override-replacemsg {string}
next
end
set max-quota-timeout {integer}
set rate-javascript-urls [disable|enable]
set rate-css-urls [disable|enable]
set rate-crl-urls [disable|enable]
end
set https-replacemsg [enable|disable]
set log-all-url [enable|disable]
set name {string}
config override

Fortinet Inc.
Description: Web Filter override settings.
set ovrd-cookie [allow|deny]
set ovrd-scope [user|user-group|...]
set profile-type [list|radius]
set ovrd-dur-mode [constant|ask]
set ovrd-dur {user}
set profile-attribute [User-Name|NAS-IP-Address|...]
set ovrd-user-group <name1>, <name2>, ...
set profile <name1>, <name2>, ...
end
set ovrd-perm {option1}, {option2}, ...
set post-action [normal|block]
config web
Description: Web content filtering settings.
set bword-threshold {integer}
set bword-table {integer}
set urlfilter-table {integer}
set content-header-list {integer}
set blocklist [enable|disable]
set allowlist {option1}, {option2}, ...
set safe-search {option1}, {option2}, ...
set youtube-restrict [none|strict|...]
set vimeo-restrict {string}
set log-search [enable|disable]
set keyword-match <pattern1>, <pattern2>, ...
end
set web-antiphishing-log [enable|disable]
set web-content-log [enable|disable]
set web-extended-all-action-log [enable|disable]
set web-filter-activex-log [enable|disable]
set web-filter-applet-log [enable|disable]
set web-filter-command-block-log [enable|disable]
set web-filter-cookie-log [enable|disable]
set web-filter-cookie-removal-log [enable|disable]
set web-filter-js-log [enable|disable]
set web-filter-jscript-log [enable|disable]
set web-filter-referer-log [enable|disable]
set web-filter-unknown-log [enable|disable]
set web-filter-vbs-log [enable|disable]
set web-ftgd-err-log [enable|disable]
set web-ftgd-quota-usage [enable|disable]
set web-invalid-domain-log [enable|disable]
set web-url-log [enable|disable]
set wisp [enable|disable]
set wisp-algorithm [primary-secondary|round-robin|...]
set wisp-servers <name1>, <name2>, ...
next
end

Fortinet Inc.

Specified
extended-log Enable/disable extended logging for web filtering. option - disable
Option Description
Option Description
https- Enable replacement messages for HTTPS. option - enable

replacemsg
Option Description
log-all-url Enable/disable logging all URLs visited. option - disable
Option Description

Specified
options Options. option -
Option Description
activexfilter ActiveX filter.
cookiefilter Cookie filter.
javafilter Java applet filter.
block-invalid-url Block sessions contained an invalid domain name.
jscript Javascript block.

Fortinet Inc.
Option Description
js JS block.
vbs VB script block.
unknown Unknown script block.
intrinsic Intrinsic script block.
wf-referer Referring block.
wf-cookie Cookie block.
per-user-bal Per-user block/allow list filter
ovrd-perm Permitted override types. option -
Option Description
bannedword- Banned word override.

override
urlfilter-override URL filter override.
fortiguard-wf- FortiGuard Web Filter override.

override
contenttype- Content-type header override.

check-override
post-action Action taken for HTTP POST traffic. option - normal
Option Description
normal Normal, POST requests are allowed.
block POST requests are blocked.

group Specified
web- Enable/disable logging of AntiPhishing checks. option - enable

antiphishing-
log
Option Description
web-content- Enable/disable logging logging blocked web content. option - enable

log

Fortinet Inc.
Option Description
web-extended- Enable/disable extended any filter action logging for option - disable
all-action-log web filtering.
Option Description
web-filter- Enable/disable logging ActiveX. option - enable

activex-log
Option Description
web-filter- Enable/disable logging Java applets. option - enable

applet-log
Option Description
web-filter- Enable/disable logging blocked commands. option - enable

command-
block-log
Option Description
web-filter- Enable/disable logging cookie filtering. option - enable

cookie-log
Option Description

Fortinet Inc.
web-filter- Enable/disable logging blocked cookies. option - enable

cookie-
removal-log
Option Description
web-filter-js-log Enable/disable logging Java scripts. option - enable
Option Description
web-filter- Enable/disable logging JScripts. option - enable

jscript-log
Option Description
web-filter- Enable/disable logging referrers. option - enable

referer-log
Option Description
web-filter- Enable/disable logging unknown scripts. option - enable

unknown-log
Option Description
web-filter-vbs- Enable/disable logging VBS scripts. option - enable

log
Option Description

Fortinet Inc.
web-ftgd-err- Enable/disable logging rating errors. option - enable

log
Option Description
web-ftgd- Enable/disable logging daily quota usage. option - enable

quota-usage
Option Description
web-invalid- Enable/disable logging invalid domain names. option - enable

domain-log
Option Description
web-url-log Enable/disable logging URL filtering. option - enable
Option Description
wisp Enable/disable web proxy WISP. option - disable
Option Description
enable Enable web proxy WISP.
disable Disable web proxy WISP.
wisp-algorithm WISP server selection algorithm. option - auto-

learning
Option Description
primary- Select the first healthy server in order.

secondary
round-robin Select the next healthy server.
auto-learning Select the lightest loading healthy server.

Fortinet Inc.
wisp-servers WISP servers. string Maximum

<name> Server name. length: 79
config antiphish
status Toggle AntiPhishing functionality. option - disable
Option Description
enable Enable AntiPhishing functionality.
disable Disable AntiPhishing functionality.
default-action Action to be taken when there is no matching rule. option - exempt
Option Description
exempt Exempt requests from matching.
log Log all matched requests.
block Block all matched requests.
check-uri Enable/disable checking of GET URI parameters option - disable

for known credentials.
Option Description
enable Enable checking of GET URI for username and password fields.
disable Disable checking of GET URI for username and password fields.
check-basic- Enable/disable checking of HTTP Basic Auth field option - disable

auth for known credentials.
Option Description
enable Enable checking of HTTP Basic Auth field for known credentials.
disable Disable checking of HTTP Basic Auth field for known credentials.
check- Enable/disable username only matching of option - disable

username-only credentials. Action will be taken for valid
usernames regardless of password validity.
Option Description
enable Enable username only credential matches.
disable Disable username only credential matches.

Fortinet Inc.
max-body-len Maximum size of a POST body to check for integer Minimum 65536
credentials. value: 0
Maximum
value:
4294967295
authentication Authentication methods. option - domain-

controller
Option Description
domain- Domain Controller to verify user credential.

controller
ldap LDAP to verify user credential.
domain- Domain for which to verify received credentials string Not Specified
controller against.
ldap LDAP server for which to verify received string Not Specified
credentials against.
config inspection-entries
name Inspection target name. string Not

Specified
fortiguard- FortiGuard category to match. user Not 0

category Specified
action Action to be taken upon an AntiPhishing match. option - exempt
Option Description
exempt Exempt requests from matching.
log Log all matched requests.
block Block all matched requests.
config custom-patterns
pattern Target pattern. string Not

Specified
category Category that the pattern matches. option - username

Fortinet Inc.
Option Description
username Pattern matches username fields.
password Pattern matches password fields.
type Pattern will be treated either as a regex pattern or literal option - regex
string.
Option Description
regex Pattern will be treated as a regex pattern.
literal Pattern will be treated as a literal string.
config ftgd-wf
options Options for FortiGuard Web Filter. option - ftgd-disable
Option Description
error-allow Allow web pages with a rating error to pass through.
rate-server-ip Rate the server IP in addition to the domain name.
connect-request- Bypass connection which has CONNECT request.

bypass
ftgd-disable Disable FortiGuard scanning.
exempt-quota Do not stop quota for these categories. user Not 17

Specified
ovrd Allow web filter profile overrides. user Not

Specified
max-quota- Maximum FortiGuard quota used by single page view in integer Minimum 300
timeout seconds (excludes streams). value: 1
Maximum
value:
86400
rate- Enable/disable rating JavaScript by URL. option - enable

javascript-urls
Option Description
disable Disable rating JavaScript by URL.
enable Enable rating JavaScript by URL.

Fortinet Inc.
rate-css-urls Enable/disable rating CSS by URL. option - enable
Option Description
disable Disable rating CSS by URL.
enable Enable rating CSS by URL.
rate-crl-urls Enable/disable rating CRL by URL. option - enable
Option Description
disable Disable rating CRL by URL.
enable Enable rating CRL by URL.
config filters

value: 0
Maximum
value: 255
category Categories and groups the filter examines. integer Minimum 0

value: 0
Maximum
value: 255
action Action to take for matches. option - monitor
Option Description
block Block access.
authenticate Authenticate user before allowing access.
monitor Allow access while logging the action.
warning Allow access after warning the user.
warn-duration Duration of warnings. user Not 5m

Specified
auth-usr-grp Groups with permission to authenticate. string Maximum

<name> User group name. length: 79

Fortinet Inc.
Option Description
override- Override replacement message. string Not

replacemsg Specified
warning- Warning prompts in each category or each domain. option - per-

prompt category
Option Description
per-domain Per-domain warnings.
per-category Per-category warnings.
warning- Re-display warning after closing browser or after a option - timeout

duration-type timeout.
Option Description
session After session ends.
timeout After timeout occurs.
config quota

value: 0
Maximum
value:
4294967295
category FortiGuard categories to apply quota to (category user Not Specified

action must be set to monitor).
type Quota type. option - time
Option Description
time Use a time-based quota.
traffic Use a traffic-based quota.
unit Traffic quota unit of measurement. option - MB

Fortinet Inc.
Option Description
B Quota in bytes.
KB Quota in kilobytes.
MB Quota in megabytes.
GB Quota in gigabytes.
value Traffic quota value. integer Minimum 1024

value: 1
Maximum
value:
4294967295
duration Duration of quota. user Not Specified 5m
override- Override replacement message. string Not Specified

replacemsg
config override
ovrd-cookie Allow/deny browser-based (cookie) overrides. option - deny
Option Description
allow Allow browser-based (cookie) override.
deny Deny browser-based (cookie) override.
ovrd-scope Override scope. option - user
Option Description
user Override for the user.
user-group Override for the user's group.
ip Override for the initiating IP.
browser Create browser-based (cookie) override.
ask Prompt for scope when initiating an override.
profile-type Override profile type. option - list
Option Description
list Profile chosen from list.
radius Profile determined by RADIUS server.

Fortinet Inc.
ovrd-dur- Override duration mode. option - constant

mode
Option Description
constant Constant mode.
ask Prompt for duration when initiating an override.
ovrd-dur Override duration. user Not 15m

Specified
profile- Profile attribute to retrieve from the RADIUS server. option - Login-LAT-
attribute Service
Option Description

Address

Netmask

Number

Network
Calling-Station-Id Use this attribute.

Service

Fortinet Inc.
Option Description

Group

AppleTalk-Zone

Session-Id
ovrd-user- User groups with permission to use the override. string Maximum
group User group name. length: 79
<name>
profile Web filter profile with permission to create overrides. string Maximum
<name> Web profile. length: 79
config web
bword- Banned word score threshold. integer Minimum 10

threshold value: 0
Maximum
value:
2147483647
bword-table Banned word table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
urlfilter-table URL filter table ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
content- Content header list. integer Minimum 0

header-list value: 0
Maximum
value:
4294967295
blocklist Enable/disable automatic addition of URLs detected option - disable

by FortiSandbox to blocklist.

Fortinet Inc.
Option Description
allowlist FortiGuard allowlist settings. option -
Option Description
exempt-av Exempt antivirus.
exempt- Exempt web content.

webcontent
exempt-activex- Exempt ActiveX-JAVA-Cookie.

java-cookie
exempt-dlp Exempt DLP.
exempt- Exempt RangeBlock.

rangeblock
extended-log- Support extended log.

others
safe-search Safe search type. option -
Option Description
url Insert safe search string into URL.
header Insert safe search header.
youtube- YouTube EDU filter level. option - none

restrict
Option Description
none Full access for YouTube.
strict Strict access for YouTube.
moderate Moderate access for YouTube.
vimeo-restrict Set Vimeo-restrict ("7" = don't show mature content, string Not Specified
"134" = don't show unrated and mature content). A
value of cookie "content_rating".
log-search Enable/disable logging all search phrases. option - disable
Option Description

Fortinet Inc.
Option Description
keyword- Search keywords to log when match is found. string Maximum **

match Pattern/keyword to search for. length: 79
<pattern>
config webfilter search-engine
Configure web filter search engines.

Description: Configure web filter search engines.
edit <name>
set charset [utf-8|gb2312]
set name {string}
set query {string}
set safesearch [disable|url|...]
set safesearch-str {string}
set url {string}
next
end
charset Search engine charset. option - utf-8
Option Description
utf-8 UTF-8 encoding.
gb2312 GB2312 encoding.
hostname Hostname (regular expression). string Not

Specified
name Search engine name. string Not

Specified
query Code used to prefix a query (must end with an equals string Not
character). Specified
safesearch Safe search method. You can disable safe search, add option - disable
the safe search string to URLs, or insert a safe search
header.

Fortinet Inc.
Option Description
disable Site does not support safe search.
url Safe search selected with a parameter in the URL.
header Safe search selected by search header (i.e. youtube.edu).
translate Perform URL FortiGuard check on HTTP requests parameter.
yt-pattern Pattern to match YouTube channel ID.
yt-scan Perform IPS scan.
yt-video Pattern to match YouTube video name.
yt-channel Pattern to match YouTube channel name.
safesearch-str Safe search parameter used in the URL. string Not

Specified
url URL (regular expression). string Not

Specified
config webfilter status
Display rating info.

Description: Display rating info.
set <refresh-rate> {string}
end
<refresh-rate> Frequency to refresh the server list (sec). string Not

Specified
config webfilter urlfilter
Configure URL filter lists.

Description: Configure URL filter lists.
edit <id>
config entries
Description: URL filter entries.
edit <id>

Fortinet Inc.
set id {integer}
set url {string}
set type [simple|regex|...]
set action [exempt|block|...]
set antiphish-action [block|log]
set exempt {option1}, {option2}, ...
set web-proxy-profile {string}
set referrer-host {string}
set dns-address-family [ipv4|ipv6|...]
next
end
set id {integer}
set ip-addr-block [enable|disable]
set name {string}
set one-arm-ips-urlfilter [enable|disable]
next
end

value: 0
Maximum
value:
4294967295
ip-addr-block Enable/disable blocking URLs when the hostname option - disable

appears as an IP address.
Option Description
enable Enable blocking URLs when the hostname appears as an IP address.
disable Disable blocking URLs when the hostname appears as an IP address.
name Name of URL filter list. string Not Specified
one-arm-ips- Enable/disable DNS resolver for one-arm IPS URL option - disable
urlfilter filter operation.
Option Description
enable Enable DNS resolver for one-arm IPS URL filter operation.
disable Disable DNS resolver for one-arm IPS URL filter operation.

Fortinet Inc.
config entries

value: 0
Maximum
value:
4294967295
url URL to be filtered. string Not Specified
type Filter type (simple, regex, or wildcard). option - simple
Option Description
simple Simple URL string.
regex Regular expression URL string.
wildcard Wildcard URL string.
action Action to take for URL filter matches. option - exempt
Option Description
exempt Exempt matches.
allow Allow matches (no log).
monitor Allow matches (with log).
antiphish- Action to take for AntiPhishing matches. option - block

action
Option Description
log Allow matches with log.
status Enable/disable this URL filter. option - enable
Option Description
enable Enable this URL filter.
disable Disable this URL filter.

Fortinet Inc.
exempt If action is set to exempt, select the security profile option - av web-
operations that exempt URLs skip. Separate multiple content
options with a space. activex-
java-cookie
dlp
fortiguard
range-block
antiphish all
Option Description
av AntiVirus scanning.
web-content Web filter content matching.
activex-java- ActiveX, Java, and cookie filtering.

cookie
dlp DLP scanning.
fortiguard FortiGuard web filtering.
range-block Range block feature.
pass Pass single connection from all.
antiphish AntiPhish credential checking.
all Exempt from all security profiles.
web-proxy- Web proxy profile. string Not Specified

profile
referrer-host Referrer host name. string Not Specified
dns-address- Resolve IPv4 address, IPv6 address, or both from option - ipv4
family DNS server.
Option Description
ipv4 Resolve IPv4 address from DNS server.
ipv6 Resolve IPv6 address from DNS server.
both Resolve both IPv4 and IPv6 addresses from DNS server.

Fortinet Inc.
wireless-controller

l config wireless-controller access-control-list on page 1886
l config wireless-controller address on page 1889
l config wireless-controller addrgrp on page 1889
l config wireless-controller ap-status on page 1890
l config wireless-controller apcfg-profile on page 1891
l config wireless-controller arrp-profile on page 1893
l config wireless-controller ble-profile on page 1896
l config wireless-controller bonjour-profile on page 1898
l config wireless-controller client-info on page 1899
l config wireless-controller global on page 1899
l config wireless-controller hotspot20 anqp-3gpp-cellular on page 1903
l config wireless-controller hotspot20 anqp-ip-address-type on page 1904
l config wireless-controller hotspot20 anqp-nai-realm on page 1905
l config wireless-controller hotspot20 anqp-network-auth-type on page 1909
l config wireless-controller hotspot20 anqp-roaming-consortium on page 1909
l config wireless-controller hotspot20 anqp-venue-name on page 1910
l config wireless-controller hotspot20 anqp-venue-url on page 1911
l config wireless-controller hotspot20 h2qp-advice-of-charge on page 1912
l config wireless-controller hotspot20 h2qp-conn-capability on page 1913
l config wireless-controller hotspot20 h2qp-operator-name on page 1916
l config wireless-controller hotspot20 h2qp-osu-provider-nai on page 1917
l config wireless-controller hotspot20 h2qp-osu-provider on page 1918
l config wireless-controller hotspot20 h2qp-terms-and-conditions on page 1919
l config wireless-controller hotspot20 h2qp-wan-metric on page 1920
l config wireless-controller hotspot20 hs-profile on page 1921
l config wireless-controller hotspot20 icon on page 1929
l config wireless-controller hotspot20 qos-map on page 1930
l config wireless-controller inter-controller on page 1932
l config wireless-controller log on page 1934
l config wireless-controller mpsk-profile on page 1938
l config wireless-controller nac-profile on page 1940
l config wireless-controller qos-profile on page 1941
l config wireless-controller region on page 1944
l config wireless-controller rf-analysis on page 1945
l config wireless-controller scan on page 1945
l config wireless-controller setting on page 1946
l config wireless-controller snmp on page 1955

Fortinet Inc.
l config wireless-controller spectral-info on page 1959
l config wireless-controller ssid-policy on page 1959
l config wireless-controller status on page 1960
l config wireless-controller syslog-profile on page 1960
l config wireless-controller timers on page 1962
l config wireless-controller utm-profile on page 1964
l config wireless-controller vap-group on page 1965
l config wireless-controller vap-status on page 1965
l config wireless-controller vap on page 1966
l config wireless-controller wag-profile on page 1998
l config wireless-controller wids-profile on page 1999
l config wireless-controller wlchanlistlic on page 2007
l config wireless-controller wtp-group on page 2007
l config wireless-controller wtp-profile on page 2010
l config wireless-controller wtp-status on page 2082
l config wireless-controller wtp on page 2082
config wireless-controller access-control-list
Configure WiFi bridge access control list.

Description: Configure WiFi bridge access control list.
edit <name>
config layer3-ipv4-rules
Description: AP ACL layer3 ipv4 rule list.
edit <rule-id>
set srcaddr {user}
set srcport {integer}
set dstaddr {user}
set action [allow|deny]
next
end
Description: AP ACL layer3 ipv6 rule list.
edit <rule-id>
set srcaddr {user}
set srcport {integer}
set dstaddr {user}
set action [allow|deny]
next

Fortinet Inc.
end
set name {string}
next
end
comment Description. string Not

Specified
name AP access control list name. string Not

Specified

value: 1
Maximum
value:
65535

Specified
srcaddr Source IP address. user Not

Specified
srcport Source port. integer Minimum 0

value: 0
Maximum
value:
65535
dstaddr Destination IP address. user Not

Specified
dstport Destination port. integer Minimum 0

value: 0
Maximum
value:
65535
protocol Protocol type as defined by IANA. integer Minimum 255

value: 0
Maximum
value: 255
action Policy action (allow | deny). option -

Fortinet Inc.
Option Description
allow Allows traffic matching the policy.
deny Blocks traffic matching the policy.

value: 1
Maximum
value:
65535

Specified
srcaddr Source IPv6 address (any | local-LAN | IPv6 address user Not
[/prefix length]), default = any. Specified
srcport Source port. integer Minimum 0

value: 0
Maximum
value:
65535
dstaddr Destination IPv6 address (any | local-LAN | IPv6 user Not

address[/prefix length]), default = any. Specified
dstport Destination port. integer Minimum 0

value: 0
Maximum
value:
65535
protocol Protocol type as defined by IANA. integer Minimum 255

value: 0
Maximum
value: 255
action Policy action (allow | deny). option -
Option Description
allow Allows traffic matching the policy.
deny Blocks traffic matching the policy.

Fortinet Inc.
config wireless-controller address
Configure the client with its MAC address.

Description: Configure the client with its MAC address.
edit <id>
set id {string}
set policy [allow|deny]
next
end
id ID. string Not

Specified

address Specified
policy Allow or block the client with this MAC address. option - deny
Option Description
allow Allow the client with this MAC address.
deny Block the client with this MAC address.
config wireless-controller addrgrp
Configure the MAC address group.

Description: Configure the MAC address group.
edit <id>
set addresses <id1>, <id2>, ...
set default-policy [allow|deny]
set id {string}
next
end
addresses Manually selected group of addresses. string Maximum

<id> Address ID. length: 35

Fortinet Inc.
default-policy Allow or block the clients with MAC addresses that are option - allow
not in the group.
Option Description
allow Allow the clients with MAC addresses that are not in the group.
deny Block the clients with MAC addresses that are not in the group.
id ID. string Not

Specified
config wireless-controller ap-status
Configure access point status (rogue | accepted | suppressed).

Description: Configure access point status (rogue | accepted | suppressed).
edit <id>
set bssid {mac-address}
set id {integer}
set ssid {string}
set status [rogue|accepted|...]
next
end
bssid Access Point's (AP's) BSSID. mac- Not Specified 00:00:00:00:00:00

address
id AP ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
ssid Access Point's (AP's) SSID. string Not Specified
status Access Point's (AP's) status: rogue, option - rogue

accepted, or supressed.
Option Description
rogue Rogue AP.
accepted Accepted AP.
suppressed Suppressed AP.

Fortinet Inc.
config wireless-controller apcfg-profile
Configure AP local configuration profiles.

Description: Configure AP local configuration profiles.
edit <name>
set ac-ip {ipv4-address}
set ac-port {integer}
set ac-timer {integer}
set ac-type [default|specify|...]
set ap-family [fap|fap-u|...]
config command-list
Description: AP local configuration command list.
edit <id>
set id {integer}
set type [non-password|password]
set name {string}
set value {string}
set passwd-value {password}
next
end
set name {string}
next
end
ac-ip IP address of the validation controller that AP must be ipv4- Not 0.0.0.0
able to join after applying AP local configuration. address Specified
ac-port Port of the validation controller that AP must be able to integer Minimum 0
join after applying AP local configuration. value: 1024
Maximum
value:
49150
ac-timer Maximum waiting time for the AP to join the validation integer Minimum 10
controller after applying AP local configuration. value: 3
Maximum
value: 30
ac-type Validation controller type. option - default
Option Description
default This controller is the one and only controller that the AP could join after
applying AP local configuration.

Fortinet Inc.
Option Description
specify Specified controller is the one and only controller that the AP could join after
applying AP local configuration.
apcfg Any controller defined by AP local configuration after applying AP local

configuration.
ap-family FortiAP family type. option - fap
Option Description
fap FortiAP Family.
fap-u FortiAP-U Family.
fap-c FortiAP-C Family.

Specified
name AP local configuration profile name. string Not

Specified
config command-list
id Command ID. integer Minimum 0

value: 1
Maximum
value: 255
type The command type. option - non-

password
Option Description
non-password Non-password command.
password Password command.
name AP local configuration command name. string Not

Specified
value AP local configuration command value. string Not

Specified
passwd-value AP local configuration command password value. password Not

Specified

Fortinet Inc.
config wireless-controller arrp-profile
Configure WiFi Automatic Radio Resource Provisioning (ARRP) profiles.

Description: Configure WiFi Automatic Radio Resource Provisioning (ARRP) profiles.
edit <name>
set darrp-optimize {integer}
set darrp-optimize-schedules <name1>, <name2>, ...
set include-dfs-channel [enable|disable]
set include-weather-channel [enable|disable]
set monitor-period {integer}
set name {string}
set override-darrp-optimize [enable|disable]
set selection-period {integer}
set threshold-ap {integer}
set threshold-channel-load {integer}
set threshold-noise-floor {string}
set threshold-rx-errors {integer}
set threshold-spectral-rssi {string}
set threshold-tx-retries {integer}
set weight-channel-load {integer}
set weight-dfs-channel {integer}
set weight-managed-ap {integer}
set weight-noise-floor {integer}
set weight-rogue-ap {integer}
set weight-spectral-rssi {integer}
set weight-weather-channel {integer}
next
end

Specified
darrp- Time for running Dynamic Automatic Radio Resource integer Minimum 86400
optimize Provisioning. value: 0
Maximum
value:
86400
darrp- Firewall schedules for DARRP running time. DARRP string Maximum
optimize- will run periodically based on darrp-optimize within the length: 35
schedules schedules. Separate multiple schedule names with a
<name> space.
Schedule name.
include-dfs- Enable/disable use of DFS channel in DARRP channel option - disable

channel selection phase 1.

Fortinet Inc.
Option Description
enable Include DFS channel in darrp channel selection phase 1.
disable Exclude DFS channel in darrp channel selection phase 1.
include- Enable/disable use of weather channel in DARRP option - disable

weather- channel selection phase 1.
channel
Option Description
enable Include weather channel in darrp channel selection phase 1.
disable Exclude weather channel in darrp channel selection phase 1.
monitor- Period in seconds to measure average transmit retries integer Minimum 300
period and receive errors. value: 0
Maximum
value:
65535
name WiFi ARRP profile name. string Not

Specified
override- Enable to override setting darrp-optimize and darrp- option - disable

darrp- optimize-schedules.
optimize
Option Description
enable Override setting darrp-optimize and darrp-optimize-schedules.
disable Use setting darrp-optimize and darrp-optimize-schedules.
selection- Period in seconds to measure average channel load, integer Minimum 3600
period noise floor, spectral RSSI. value: 0
Maximum
value:
65535
threshold-ap Threshold to reject channel in DARRP channel integer Minimum 250

selection phase 1 due to surrounding APs. value: 0
Maximum
value: 500
threshold- Threshold in percentage to reject channel in DARRP integer Minimum 60

channel-load channel selection phase 1 due to channel load. value: 0
Maximum
value: 100

Fortinet Inc.
threshold- Threshold in dBm to reject channel in DARRP channel string Not -85
noise-floor selection phase 1 due to noise floor. Specified
threshold-rx- Threshold in percentage for receive errors to trigger integer Minimum 50

errors channel reselection in DARRP monitor stage. value: 0
Maximum
value: 100
threshold- Threshold in dBm to reject channel in DARRP channel string Not -65
spectral-rssi selection phase 1 due to spectral RSSI. Specified
threshold-tx- Threshold in percentage for transmit retries to trigger integer Minimum 300
retries channel reselection in DARRP monitor stage. value: 0
Maximum
value: 1000
weight- Weight in DARRP channel score calculation for channel integer Minimum 20
channel-load load. value: 0
Maximum
value: 2000
weight-dfs- Weight in DARRP channel score calculation for DFS integer Minimum 500
channel channel. value: 0
Maximum
value: 2000
weight- Weight in DARRP channel score calculation for integer Minimum 50

managed-ap managed APs. value: 0
Maximum
value: 2000
weight-noise- Weight in DARRP channel score calculation for noise integer Minimum 40
floor floor. value: 0
Maximum
value: 2000
weight-rogue- Weight in DARRP channel score calculation for rogue integer Minimum 10
ap APs. value: 0
Maximum
value: 2000
weight- Weight in DARRP channel score calculation for spectral integer Minimum 40
spectral-rssi RSSI. value: 0
Maximum
value: 2000
weight- Weight in DARRP channel score calculation for weather integer Minimum 1000
weather- channel. value: 0
channel Maximum
value: 2000

Fortinet Inc.
config wireless-controller ble-profile
Configure Bluetooth Low Energy profile.

Description: Configure Bluetooth Low Energy profile.
edit <name>
set advertising {option1}, {option2}, ...
set beacon-interval {integer}
set ble-scanning [enable|disable]
set eddystone-instance {string}
set eddystone-namespace {string}
set eddystone-url {string}
set ibeacon-uuid {string}
set major-id {integer}
set minor-id {integer}
set name {string}
set txpower [0|1|...]
next
end
advertising Advertising type. option -
Option Description
ibeacon iBeacon advertising.
eddystone-uid Eddystone UID advertising.
eddystone-url Eddystone URL advertising.
beacon- Beacon interval. integer Minimum 100

interval value: 40
Maximum
value: 3500
ble-scanning Enable/disable Bluetooth Low Energy option - disable

(BLE) scanning.
Option Description
enable Enable BLE scanning.
disable Disable BLE scanning.

Specified

Fortinet Inc.
eddystone- Eddystone instance ID. string Not abcdef

instance Specified
eddystone- Eddystone namespace ID. string Not 0102030405

namespace Specified
eddystone-url Eddystone URL. string Not http://www.fortinet.com

Specified
ibeacon-uuid Universally Unique Identifier (UUID; string Not 005ea414-cbd1-11e5-

automatically assigned but can be manually Specified 9956-625662870761
reset).
major-id Major ID. integer Minimum 1000

value: 0
Maximum
value:
65535
minor-id Minor ID. integer Minimum 2000

value: 0
Maximum
value:
65535
name Bluetooth Low Energy profile name. string Not

Specified
txpower Transmit power level. option - 0
Option Description
0 Transmit power level 0 (-21 dBm)
7 Transmit power level 7 (0 dBm)

Fortinet Inc.
config wireless-controller bonjour-profile
Configure Bonjour profiles. Bonjour is Apple's zero configuration networking protocol. Bonjour profiles allow APs and
FortiAPs to connnect to networks using Bonjour.
Description: Configure Bonjour profiles. Bonjour is Apple's zero configuration
networking protocol. Bonjour profiles allow APs and FortiAPs to connnect to networks using
Bonjour.
edit <name>
set name {string}
config policy-list
Description: Bonjour policy list.
edit <policy-id>
set policy-id {integer}
set from-vlan {string}
set to-vlan {string}
set services {option1}, {option2}, ...
next
end
next
end

Specified
name Bonjour profile name. string Not

Specified
config policy-list
policy-id Policy ID. integer Minimum 0

value: 1
Maximum
value:
65535

Specified
from-vlan VLAN ID from which the Bonjour service is advertised. string Not 0
Specified

Fortinet Inc.
to-vlan VLAN ID to which the Bonjour service is made available. string Not all
Specified
services Bonjour services for the VLAN connecting to the option - all
Bonjour network.
Option Description
all All services.
airplay AirPlay.
afp AFP (Apple File Sharing).
bit-torrent BitTorrent.
ftp FTP.
ichat iChat.
itunes iTunes.
printers Printers.
samba Samba.
scanners Scanners.
ssh SSH.
chromecast ChromeCast.
config wireless-controller client-info
Wireless controller client-info.

Description: Wireless controller client-info.
set <vfid> {string}
end
<vfid> VFID. string Not

Specified
config wireless-controller global
Configure wireless controller global settings.

Fortinet Inc.
Description: Configure wireless controller global settings.
set ap-log-server [enable|disable]
set ap-log-server-ip {ipv4-address}
set ap-log-server-port {integer}
set control-message-offload {option1}, {option2}, ...
set data-ethernet-II [enable|disable]
set discovery-mc-addr {ipv4-address-multicast}
set fiapp-eth-type {integer}
set image-download [enable|disable]
set ipsec-base-ip {ipv4-address}
set link-aggregation [enable|disable]
set local-radio-vdom {string}
set max-clients {integer}
set max-retransmit {integer}
set mesh-eth-type {integer}
set nac-interval {integer}
set name {string}
set rogue-scan-mac-adjacency {integer}
set tunnel-mode [compatible|strict]
set wtp-share [enable|disable]
end
ap-log-server Enable/disable configuring FortiGate to redirect option - disable

wireless event log messages or FortiAPs to send
UTM log messages to a syslog server.
Option Description
enable Enable AP log server.
disable Disable AP log server.
ap-log-server- IP address that FortiGate or FortiAPs send log ipv4- Not Specified 0.0.0.0
ip messages to. address
ap-log-server- Port that FortiGate or FortiAPs send log messages integer Minimum 0
port to. value: 0
Maximum
value: 65535

Fortinet Inc.
control- Configure CAPWAP control message data option - ebp-frame

message- channel offload. aeroscout-tag
offload ap-list sta-list
sta-cap-list
stats
aeroscout-mu
sta-health
spectral-
analysis
Option Description
ebp-frame Ekahau blink protocol (EBP) frames.
aeroscout-tag AeroScout tag.
ap-list Rogue AP list.
sta-list Rogue STA list.
sta-cap-list STA capability list.
stats WTP, radio, VAP, and STA statistics.
aeroscout-mu AeroScout Mobile Unit (MU) report.
sta-health STA health log.
spectral-analysis Spectral analysis report.
data-ethernet- Configure the wireless controller to use Ethernet II option - enable

II or 802.3 frames with 802.3 data tunnel mode.
Option Description
enable Use Ethernet II frames with 802.3 data tunnel mode.
disable Use 802.3 Ethernet frames with 802.3 data tunnel mode.
discovery-mc- Multicast IP address for AP discovery. ipv4- Not Specified 224.0.1.140

addr address-
multicast
fiapp-eth-type Ethernet type for Fortinet Inter-Access Point integer Minimum 5252
Protocol. value: 0
Maximum
value: 65535
image- Enable/disable WTP image download at join time. option - enable

download

Fortinet Inc.
Option Description
enable Enable WTP image download at join time.
disable Disable WTP image download at join time.
ipsec-base-ip Base IP address for IPsec VPN tunnels between ipv4- Not Specified 169.254.0.1
the access points and the wireless controller. address
link- Enable/disable calculating the CAPWAP transmit option - disable

aggregation hash to load balance sessions to link aggregation
nodes.
Option Description
enable Enable calculating the CAPWAP transmit hash.
disable Disable calculating the CAPWAP transmit hash.
local-radio- Assign local radio's virtual domain. string Not Specified root
vdom *
location Description of the location of the wireless string Not Specified

controller.
max-clients Maximum number of clients that can connect integer Minimum 0

simultaneously. value: 0
Maximum
value:
4294967295
max- Maximum number of tunnel packet integer Minimum 3

retransmit retransmissions. value: 0
Maximum
value: 64
mesh-eth-type Mesh Ethernet identifier included in backhaul integer Minimum 8755

packets. value: 0
Maximum
value: 65535
nac-interval Interval in seconds between two WiFi network integer Minimum 120
access control. value: 10
Maximum
value: 600
name Name of the wireless controller. string Not Specified
rogue-scan- Maximum numerical difference between an AP's integer Minimum 7

mac- Ethernet and wireless MAC values to match for value: 0
adjacency rogue detection. Maximum
value: 31

Fortinet Inc.
tunnel-mode Compatible/strict tunnel mode. option - compatible
Option Description
compatible Allow for backward compatible ciphers(3DES+SHA1+Strong list).
strict Follow system level strong-crypto ciphers.
wtp-share Enable/disable sharing of WTPs between option - disable

VDOMs.
Option Description
enable WTP can be shared between all VDOMs.
disable WTP can be used only in its own VDOM.
config wireless-controller hotspot20 anqp-3gpp-cellular
Configure 3GPP public land mobile network (PLMN).

Description: Configure 3GPP public land mobile network (PLMN).
edit <name>
config mcc-mnc-list
Description: Mobile Country Code and Mobile Network Code configuration.
edit <id>
set id {integer}
set mcc {string}
set mnc {string}
next
end
set name {string}
next
end
name 3GPP PLMN name. string Not

Specified

Fortinet Inc.
config mcc-mnc-list

value: 1
Maximum
value: 6
mcc Mobile country code. string Not

Specified
mnc Mobile network code. string Not

Specified
config wireless-controller hotspot20 anqp-ip-address-type
Configure IP address type availability.

Description: Configure IP address type availability.
edit <name>
set ipv4-address-type [not-available|public|...]
set ipv6-address-type [not-available|available|...]
set name {string}
next
end
ipv4-address- IPv4 address type. option - not-

type available
Option Description
not-available Address type not available.
public Public IPv4 address available.
port-restricted Port-restricted IPv4 address available.
single-NATed- Single NATed private IPv4 address available.

private
double-NATed- Double NATed private IPv4 address available.

private

Fortinet Inc.
Option Description
port-restricted- Port-restricted IPv4 address and single NATed IPv4 address available.
and-single-
NATed
port-restricted- Port-restricted IPv4 address and double NATed IPv4 address available.
and-double-
NATed
not-known Availability of the address type is not known.
ipv6-address- IPv6 address type. option - not-

type available
Option Description
not-available Address type not available.
available Address type available.
not-known Availability of the address type not known.
name IP type name. string Not

Specified
config wireless-controller hotspot20 anqp-nai-realm
Configure network access identifier (NAI) realm.

Description: Configure network access identifier (NAI) realm.
edit <name>
config nai-list
Description: NAI list.
edit <name>
set name {string}
set encoding [disable|enable]
set nai-realm {string}
config eap-method
Description: EAP Methods.
edit <index>
set index {integer}
set method [eap-identity|eap-md5|...]
config auth-param
Description: EAP auth param.
edit <index>
set index {integer}
set id [non-eap-inner-auth|inner-auth-eap|...]
set val [eap-identity|eap-md5|...]
next
end
next

Fortinet Inc.
end
next
end
set name {string}
next
end
name NAI realm list name. string Not

Specified
config nai-list
name NAI realm name. string Not

Specified
encoding Enable/disable format in accordance with IETF RFC option - enable

4282.
Option Description
disable Disable format in accordance with IETF RFC 4282.
enable Enable format in accordance with IETF RFC 4282.
nai-realm Configure NAI realms (delimited by a semi-colon string Not

character). Specified
config eap-method
index EAP method index. integer Minimum 0

value: 1
Maximum
value: 5
method EAP method type. option - eap-identity
Option Description
eap-identity Identity.
eap-md5 MD5.
eap-tls TLS.

Fortinet Inc.
Option Description
eap-ttls TTLS.
eap-peap PEAP.
eap-sim SIM.
eap-aka AKA.
eap-aka-prime AKA'.
config auth-param
index Param index. integer Minimum 0

value: 1
Maximum
value: 4
id ID of authentication parameter. option - inner-auth-

eap
Option Description
non-eap-inner- Non-EAP inner authentication type.

auth
inner-auth-eap Inner authentication EAP method type.
credential Credential type.
tunneled- Tunneled EAP method credential type.

credential
val Value of authentication parameter. option - eap-identity
Option Description
eap-identity EAP Identity.
eap-md5 EAP MD5.
eap-tls EAP TLS.
eap-ttls EAP TTLS.
eap-peap EAP PEAP.
eap-sim EAP SIM.
eap-aka EAP AKA.

Fortinet Inc.
Option Description
eap-aka-prime EAP AKA'.
non-eap-pap Non EAP PAP.
non-eap-chap Non EAP CHAP.
non-eap-mschap Non EAP MSCHAP.
non-eap- Non EAP MSCHAPV2.

mschapv2
cred-sim Credential SIM.
cred-usim Credential USIM.
cred-nfc Credential NFC secure element.
cred-hardware- Credential hardware token.

token
cred-softoken Credential softoken.
cred-certificate Credential certificate.
cred-user-pwd Credential username password.
cred-none Credential none.
cred-vendor- Credential vendor specific.

specific
tun-cred-sim Tunneled credential SIM.
tun-cred-usim Tunneled credential USIM.
tun-cred-nfc Tunneled credential NFC secure element.
tun-cred- Tunneled credential hardware token.

hardware-token
tun-cred- Tunneled credential softoken.

softoken
tun-cred- Tunneled credential certificate.

certificate
tun-cred-user- Tunneled credential username password.

pwd
tun-cred- Tunneled credential anonymous.

anonymous
tun-cred-vendor- Tunneled credential vendor specific.

specific

Fortinet Inc.
config wireless-controller hotspot20 anqp-network-auth-type
Configure network authentication type.

Description: Configure network authentication type.
edit <name>
set auth-type [acceptance-of-terms|online-enrollment|...]
set name {string}
set url {string}
next
end
auth-type Network authentication type. option - acceptance-

of-terms
Option Description
acceptance-of- Acceptance of terms and conditions.

terms
online-enrollment Online enrollment supported.
http-redirection HTTP and HTTPS redirection.
dns-redirection DNS redirection.
name Authentication type name. string Not

Specified
url Redirect URL. string Not

Specified
config wireless-controller hotspot20 anqp-roaming-consortium
Configure roaming consortium.

Description: Configure roaming consortium.
edit <name>
set name {string}
config oi-list
Description: Organization identifier list.
edit <index>
set index {integer}
set oi {string}
next
end

Fortinet Inc.
next
end
name Roaming consortium name. string Not

Specified
config oi-list
index OI index. integer Minimum 0

value: 1
Maximum
value: 10
oi Organization identifier. string Not

Specified

Specified
config wireless-controller hotspot20 anqp-venue-name
Configure venue name duple.

Description: Configure venue name duple.
edit <name>
set name {string}
config value-list
Description: Name list.
edit <index>
set index {integer}
set lang {string}
set value {string}
next
end
next
end
name Name of venue name duple. string Not

Specified

Fortinet Inc.
config value-list
index Value index. integer Minimum 0

value: 1
Maximum
value: 10
lang Language code. string Not eng

Specified
value Venue name value. string Not

Specified
config wireless-controller hotspot20 anqp-venue-url
Configure venue URL.

Description: Configure venue URL.
edit <name>
set name {string}
config value-list
Description: URL list.
edit <index>
set index {integer}
set number {integer}
set value {string}
next
end
next
end
name Name of venue url. string Not

Specified
config value-list
index URL index. integer Minimum 0

value: 1
Maximum
value: 10

Fortinet Inc.
number Venue number. integer Minimum 0

value: 0
Maximum
value: 255
value Venue URL value. string Not

Specified
config wireless-controller hotspot20 h2qp-advice-of-charge
Configure advice of charge.

Description: Configure advice of charge.
edit <name>
config aoc-list
Description: AOC list.
edit <name>
set name {string}
set type [time-based|volume-based|...]
set nai-realm-encoding {string}
config plan-info
Description: Plan info.
edit <name>
set name {string}
set lang {string}
set currency {string}
set info-file {string}
next
end
next
end
set name {string}
next
end
name Plan name. string Not

Specified

Fortinet Inc.
config aoc-list
name Advice of charge ID. string Not

Specified
type Usage charge type. option - time-

based
Option Description
time-based Time based usage charge.
volume-based Volume based usage charge.
time-and- Time and volume based usage charge.

volume-based
unlimited Unlimited usage.
nai-realm- NAI realm encoding. string Not

encoding Specified
nai-realm NAI realm list name. string Not

Specified
config plan-info
name Plan name. string Not

Specified
lang Language code. string Not

Specified
currency Currency code. string Not

Specified
info-file Info file. string Not

Specified
config wireless-controller hotspot20 h2qp-conn-capability
Configure connection capability.

Description: Configure connection capability.
edit <name>
set esp-port [closed|open|...]
set ftp-port [closed|open|...]
set http-port [closed|open|...]
set icmp-port [closed|open|...]

Fortinet Inc.
set ikev2-port [closed|open|...]
set ikev2-xx-port [closed|open|...]
set name {string}
set pptp-vpn-port [closed|open|...]
set ssh-port [closed|open|...]
set tls-port [closed|open|...]
set voip-tcp-port [closed|open|...]
set voip-udp-port [closed|open|...]
next
end
esp-port Set ESP port service (used by IPsec VPNs) status. option - unknown
Option Description
closed The port is not open for communication.
open The port is open for communication.
unknown The port may or may not be open for communication.
ftp-port Set FTP port service status. option - unknown
Option Description
http-port Set HTTP port service status. option - unknown
Option Description
icmp-port Set ICMP port service status. option - unknown
Option Description
ikev2-port Set IKEv2 port service for IPsec VPN status. option - unknown

Fortinet Inc.
Option Description
ikev2-xx-port Set UDP port 4500 (which may be used by IKEv2 for option - unknown
IPsec VPN) service status.
Option Description
name Connection capability name. string Not

Specified
pptp-vpn-port Set Point to Point Tunneling Protocol (PPTP) VPN port option - unknown
service status.
Option Description
ssh-port Set SSH port service status. option - unknown
Option Description
tls-port Set TLS VPN (HTTPS) port service status. option - unknown
Option Description
voip-tcp-port Set VoIP TCP port service status. option - unknown

Fortinet Inc.
Option Description
voip-udp-port Set VoIP UDP port service status. option - unknown
Option Description
config wireless-controller hotspot20 h2qp-operator-name
Configure operator friendly name.

Description: Configure operator friendly name.
edit <name>
set name {string}
config value-list
Description: Name list.
edit <index>
set index {integer}
set lang {string}
set value {string}
next
end
next
end
name Friendly name ID. string Not

Specified

Fortinet Inc.
config value-list
index Value index. integer Minimum 0

value: 1
Maximum
value: 10

Specified
value Friendly name value. string Not

Specified
config wireless-controller hotspot20 h2qp-osu-provider-nai
Configure online sign up (OSU) provider NAI list.

Description: Configure online sign up (OSU) provider NAI list.
edit <name>
config nai-list
Description: OSU NAI list.
edit <name>
set name {string}
set osu-nai {string}
next
end
set name {string}
next
end
name OSU provider NAI ID. string Not

Specified
config nai-list
name OSU NAI ID. string Not

Specified
osu-nai OSU NAI. string Not

Specified

Fortinet Inc.
config wireless-controller hotspot20 h2qp-osu-provider
Configure online sign up (OSU) provider list.

Description: Configure online sign up (OSU) provider list.
edit <name>
config friendly-name
Description: OSU provider friendly name.
edit <index>
set index {integer}
set lang {string}
set friendly-name {string}
next
end
set icon {string}
set name {string}
set osu-method {option1}, {option2}, ...
set osu-nai {string}
set server-uri {string}
config service-description
Description: OSU service name.
edit <service-id>
set service-id {integer}
set lang {string}
set service-description {string}
next
end
next
end
icon OSU provider icon. string Not

Specified
name OSU provider ID. string Not

Specified
osu-method OSU method list. option -
Option Description
oma-dm OMA DM.
soap-xml-spp SOAP XML SPP.
reserved Reserved.
osu-nai OSU NAI. string Not

Specified
server-uri Server URI. string Not

Specified

Fortinet Inc.
config friendly-name
index OSU provider friendly name index. integer Minimum 0

value: 1
Maximum
value: 10

Specified
friendly-name OSU provider friendly name. string Not

Specified
config service-description
service-id OSU service ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
lang Language code. string Not Specified eng
service- Service description. string Not Specified

description
config wireless-controller hotspot20 h2qp-terms-and-conditions
Configure terms and conditions.

Description: Configure terms and conditions.
edit <name>
set name {string}
set timestamp {integer}
set url {string}
next
end
filename Filename. string Not Specified
name Terms and Conditions ID. string Not Specified

Fortinet Inc.
timestamp Timestamp. integer Minimum 0

value: 0
Maximum
value:
4294967295
url URL. string Not Specified
config wireless-controller hotspot20 h2qp-wan-metric
Configure WAN metrics.

Description: Configure WAN metrics.
edit <name>
set downlink-load {integer}
set downlink-speed {integer}
set link-at-capacity [enable|disable]
set link-status [up|down|...]
set load-measurement-duration {integer}
set name {string}
set symmetric-wan-link [symmetric|asymmetric]
set uplink-load {integer}
set uplink-speed {integer}
next
end
downlink-load Downlink load. integer Minimum 0

value: 0
Maximum
value: 255
downlink-speed Downlink speed (in kilobits/s). integer Minimum 2400

value: 0
Maximum
value:
4294967295
link-at-capacity Link at capacity. option - disable
Option Description
enable Link at capacity (not allow additional mobile devices to associate).
disable Link not at capacity (allow additional mobile devices to associate).

Fortinet Inc.
link-status Link status. option - up
Option Description
up Link up.
down Link down.
in-test Link in test state.
load- Load measurement duration (in tenths of a integer Minimum 0

measurement- second). value: 0
duration Maximum
value: 65535
name WAN metric name. string Not Specified
symmetric-wan- WAN link symmetry. option - asymmetric

link
Option Description
symmetric Symmetric WAN link (uplink and downlink speeds are the same).
asymmetric Asymmetric WAN link (uplink and downlink speeds are not the same).
uplink-load Uplink load. integer Minimum 0

value: 0
Maximum
value: 255
uplink-speed Uplink speed (in kilobits/s). integer Minimum 2400

value: 0
Maximum
value:
4294967295
config wireless-controller hotspot20 hs-profile
Configure hotspot profile.

Description: Configure hotspot profile.
edit <name>
set 3gpp-plmn {string}
set access-network-asra [enable|disable]
set access-network-esr [enable|disable]
set access-network-internet [enable|disable]
set access-network-type [private-network|private-network-with-guest-access|...]
set access-network-uesa [enable|disable]
set advice-of-charge {string}
set anqp-domain-id {integer}
set bss-transition [enable|disable]

Fortinet Inc.
set conn-cap {string}
set deauth-request-timeout {integer}
set dgaf [enable|disable]
set gas-comeback-delay {integer}
set gas-fragmentation-limit {integer}
set hessid {mac-address}
set ip-addr-type {string}
set l2tif [enable|disable]
set name {string}
set network-auth {string}
set oper-friendly-name {string}
set oper-icon {string}
set osu-provider <name1>, <name2>, ...
set osu-provider-nai {string}
set osu-ssid {string}
set pame-bi [disable|enable]
set proxy-arp [enable|disable]
set qos-map {string}
set release {integer}
set roaming-consortium {string}
set terms-and-conditions {string}
set venue-group [unspecified|assembly|...]
set venue-name {string}
set venue-type [unspecified|arena|...]
set venue-url {string}
set wan-metrics {string}
set wnm-sleep-mode [enable|disable]
next
end
3gpp-plmn 3GPP PLMN name. string Not

Specified
access-network- Enable/disable additional step required for option - disable

asra access (ASRA).
Option Description
enable Enable additional step required for access (ASRA).
disable Disable additional step required for access (ASRA).
access-network- Enable/disable emergency services option - disable

esr reachable (ESR).

Fortinet Inc.
Option Description
enable Enable emergency services reachable (ESR).
disable Disable emergency services reachable (ESR).
access-network- Enable/disable connectivity to the Internet. option - disable

internet
Option Description
enable Enable connectivity to the Internet.
disable Disable connectivity to the Internet.
access-network- Access network type. option - private-network

type
Option Description
private-network Private network.
private-network- Private network with guest access.

with-guest-
access
chargeable- Chargeable public network.

public-network
free-public- Free public network.

network
personal-device- Personal devices network.

network
emergency- Emergency services only network.

services-only-
network
test-or- Test or experimental.

experimental
wildcard Wildcard.
access-network- Enable/disable unauthenticated emergency option - disable

uesa service accessible (UESA).
Option Description
enable Enable unauthenticated emergency service accessible (UESA).
disable Disable unauthenticated emergency service accessible (UESA).

Fortinet Inc.
advice-of-charge Advice of charge. string Not

Specified
anqp-domain-id ANQP Domain ID. integer Minimum 0

value: 0
Maximum
value:
65535
bss-transition Enable/disable basic service set (BSS) option - disable

transition Support.
Option Description
enable Enable basic service set (BSS) transition support.
disable Disable basic service set (BSS) transition support.
conn-cap Connection capability name. string Not

Specified
deauth-request- Deauthentication request timeout (in integer Minimum 60

timeout seconds). value: 30
Maximum
value: 120
dgaf Enable/disable downstream group- option - disable

addressed forwarding (DGAF).
Option Description
enable Enable downstream group-addressed forwarding (DGAF).
disable Disable downstream group-addressed forwarding (DGAF).
domain-name Domain name. string Not

Specified
gas-comeback- GAS comeback delay. integer Minimum 500

delay value: 100
Maximum
value:
10000
gas- GAS fragmentation limit. integer Minimum 1024

fragmentation- value: 512
limit Maximum
value: 4096
hessid Homogeneous extended service set identifier mac- Not 00:00:00:00:00:00

(HESSID). address Specified

Fortinet Inc.
ip-addr-type IP address type name. string Not

Specified
l2tif Enable/disable Layer 2 traffic inspection and option - disable

filtering.
Option Description
enable Enable Layer 2 traffic inspection and filtering.
disable Disable Layer 2 traffic inspection and filtering.
nai-realm NAI realm list name. string Not

Specified
name Hotspot profile name. string Not

Specified
network-auth Network authentication name. string Not

Specified
oper-friendly- Operator friendly name. string Not

name Specified
oper-icon Operator icon. string Not

Specified
osu-provider Manually selected list of OSU provider(s). string Maximum

<name> OSU provider name. length: 35
osu-provider-nai OSU Provider NAI. string Not

Specified
osu-ssid Online sign up (OSU) SSID. string Not

Specified
pame-bi Enable/disable Pre-Association Message option - enable

Exchange BSSID Independent (PAME-BI).
Option Description
disable Disable Pre-Association Message Exchange BSSID Independent (PAME-

BI).
enable Enable Pre-Association Message Exchange BSSID Independent (PAME-

BI).
proxy-arp Enable/disable Proxy ARP. option - enable
Option Description
enable Enable Proxy ARP.
disable Disable Proxy ARP.

Fortinet Inc.
qos-map QoS MAP set ID. string Not

Specified
release Hotspot 2.0 Release number. integer Minimum 2

value: 1
Maximum
value: 3
roaming- Roaming consortium list name. string Not

consortium Specified
terms-and- Terms and conditions. string Not

conditions Specified
venue-group Venue group. option - unspecified
Option Description
unspecified Unspecified.
assembly Assembly.
business Business.
educational Educational.
factory Factory and industrial.
institutional Institutional.
mercantile Mercantile.
residential Residential.
storage Storage.
utility Utility and miscellaneous.
vehicular Vehicular.
outdoor Outdoor.
venue-name Venue name. string Not

Specified
venue-type Venue type. option - unspecified
Option Description
unspecified Unspecified.
arena Arena.
stadium Stadium.

Fortinet Inc.
Option Description
passenger- Passenger terminal.

terminal
amphitheater Amphitheater.
amusement- Amusement park.

park
place-of-worship Place of worship.
convention- Convention center.

center
library Library.
museum Museum.
restaurant Restaurant.
theater Theater.
bar Bar.
coffee-shop Coffee shop.
zoo-or-aquarium Zoo or aquarium.
emergency- Emergency coordination center.

center
doctor-office Doctor or dentist office.
bank Bank.
fire-station Fire station.
police-station Police station.
post-office Post office.
professional- Professional office.

office
research-facility Research and development facility.
attorney-office Attorney office.
primary-school Primary school.
secondary- Secondary school.

school
university-or- University or college.

college

Fortinet Inc.
Option Description
factory Factory.
hospital Hospital.
long-term-care- Long term care facility.

facility
rehab-center Alcohol and drug rehabilitation center.
group-home Group home.
prison-or-jail Prison or jail.
retail-store Retail store.
grocery-market Grocery market.
auto-service- Auto service station.

station
shopping-mall Shopping mall.
gas-station Gas station.
private Private residence.
hotel-or-motel Hotel or motel.
dormitory Dormitory.
boarding-house Boarding house.
automobile Automobile or truck.
airplane Airplane.
bus Bus.
ferry Ferry.
ship-or-boat Ship or boat.
train Train.
motor-bike Motor bike.
muni-mesh- Muni mesh network.

network
city-park City park.
rest-area Rest area.
traffic-control Traffic control.
bus-stop Bus stop.

Fortinet Inc.
Option Description
kiosk Kiosk.
venue-url Venue name. string Not

Specified
wan-metrics WAN metric name. string Not

Specified
wnm-sleep- Enable/disable wireless network option - disable

mode management (WNM) sleep mode.
Option Description
enable Enable wireless network management (WNM) sleep mode.
disable Disable wireless network management (WNM) sleep mode.
config wireless-controller hotspot20 icon
Configure OSU provider icon.

Description: Configure OSU provider icon.
edit <name>
config icon-list
Description: Icon list.
edit <name>
set name {string}
set lang {string}
set file {string}
set type [bmp|gif|...]
set width {integer}
next
end
set name {string}
next
end
name Icon list ID. string Not

Specified

Fortinet Inc.
config icon-list
name Icon name. string Not

Specified

Specified
file Icon file. string Not

Specified
type Icon type. option - png
Option Description
bmp BMP image.
gif GIF image.
jpeg JPEG image.
png PNG image.
tiff TIFF image.
width Icon width. integer Minimum 0

value: 1
Maximum
value:
65535
height Icon height. integer Minimum 0

value: 1
Maximum
value:
65535
config wireless-controller hotspot20 qos-map
Configure QoS map set.

Description: Configure QoS map set.
edit <name>
config dscp-except
Description: Differentiated Services Code Point (DSCP) exceptions.
edit <index>
set index {integer}
set dscp {integer}
set up {integer}
next
end
config dscp-range

Fortinet Inc.
Description: Differentiated Services Code Point (DSCP) ranges.
edit <index>
set index {integer}
set up {integer}
set low {integer}
set high {integer}
next
end
set name {string}
next
end
name QOS-MAP name. string Not

Specified
config dscp-except
index DSCP exception index. integer Minimum 0

value: 1
Maximum
value: 21
dscp DSCP value. integer Minimum 0

value: 0
Maximum
value: 63
up User priority. integer Minimum 0

value: 0
Maximum
value: 7
config dscp-range
index DSCP range index. integer Minimum 0

value: 1
Maximum
value: 8

Fortinet Inc.
up User priority. integer Minimum 0

value: 0
Maximum
value: 7
low DSCP low value. integer Minimum 255

value: 0
Maximum
value: 63
high DSCP high value. integer Minimum 255

value: 0
Maximum
value: 63
config wireless-controller inter-controller
Configure inter wireless controller operation.

Description: Configure inter wireless controller operation.
set fast-failover-max {integer}
set fast-failover-wait {integer}
set inter-controller-key {password}
set inter-controller-mode [disable|l2-roaming|...]
config inter-controller-peer
Description: Fast failover peer wireless controller list.
edit <id>
set id {integer}
set peer-ip {ipv4-address}
set peer-port {integer}
set peer-priority [primary|secondary]
next
end
set inter-controller-pri [primary|secondary]
end
fast-failover- Maximum number of retransmissions for fast failover integer Minimum 10

max HA messages between peer wireless controllers. value: 3
Maximum
value: 64

Fortinet Inc.
fast-failover- Minimum wait time before an AP transitions from integer Minimum 10

wait secondary controller to primary controller. value: 10
Maximum
value:
86400
inter- Secret key for inter-controller communications. password Not

controller-key Specified
inter- Configure inter-controller mode. option - disable

controller-
mode
Option Description
disable Disable inter-controller mode.
l2-roaming Enable layer 2 roaming support between inter-controllers.
1+1 Enable 1+1 fast failover mode.
inter- Configure inter-controller's priority. option - primary

controller-pri
Option Description
primary Primary fast failover mode.
secondary Secondary fast failover mode.
config inter-controller-peer

value: 0
Maximum
value:
4294967295
peer-ip Peer wireless controller's IP address. ipv4- Not Specified 0.0.0.0

address
peer-port Port used by the wireless controller's for inter- integer Minimum 5246
controller communications. value: 1024
Maximum
value: 49150
peer-priority Peer wireless controller's priority. option - primary

Fortinet Inc.
Option Description
primary Primary fast failover mode.
secondary Secondary fast failover mode.
config wireless-controller log
Configure wireless controller event log filters.

Description: Configure wireless controller event log filters.
set addrgrp-log [emergency|alert|...]
set ble-log [emergency|alert|...]
set clb-log [emergency|alert|...]
set dhcp-starv-log [emergency|alert|...]
set led-sched-log [emergency|alert|...]
set radio-event-log [emergency|alert|...]
set rogue-event-log [emergency|alert|...]
set sta-event-log [emergency|alert|...]
set sta-locate-log [emergency|alert|...]
set wids-log [emergency|alert|...]
set wtp-event-log [emergency|alert|...]
end
addrgrp-log Lowest severity level to log address group message. option - notification
Option Description
alert Alert level.
error Error level.
debug Debug level.
ble-log Lowest severity level to log BLE detection message. option - notification

Fortinet Inc.
Option Description
alert Alert level.
error Error level.
debug Debug level.
clb-log Lowest severity level to log client load balancing option - notification
message.
Option Description
alert Alert level.
error Error level.
debug Debug level.
dhcp-starv- Lowest severity level to log DHCP starvation event option - notification
log message.
Option Description
alert Alert level.
error Error level.

Fortinet Inc.
Option Description
debug Debug level.
led-sched-log Lowest severity level to log LED schedule event option - notification
message.
Option Description
alert Alert level.
error Error level.
debug Debug level.
radio-event- Lowest severity level to log radio event message. option - notification
log
Option Description
alert Alert level.
error Error level.
debug Debug level.
rogue-event- Lowest severity level to log rogue AP event message. option - notification
log
Option Description

Fortinet Inc.
Option Description
alert Alert level.
error Error level.
debug Debug level.
sta-event-log Lowest severity level to log station event message. option - notification
Option Description
alert Alert level.
error Error level.
debug Debug level.
sta-locate-log Lowest severity level to log station locate message. option - notification
Option Description
alert Alert level.
error Error level.
debug Debug level.
status Enable/disable wireless event logging. option - enable

Fortinet Inc.
Option Description
enable Enable wireless event logging.
disable Disable wireless event logging.
wids-log Lowest severity level to log WIDS message. option - notification
Option Description
alert Alert level.
error Error level.
debug Debug level.
wtp-event-log Lowest severity level to log WTP event message. option - notification
Option Description
alert Alert level.
error Error level.
debug Debug level.
config wireless-controller mpsk-profile
Configure MPSK profile.

Description: Configure MPSK profile.
edit <name>
set mpsk-concurrent-clients {integer}
config mpsk-group
Description: List of multiple PSK groups.

Fortinet Inc.
edit <name>
set name {string}
set vlan-type [no-vlan|fixed-vlan]
set vlan-id {integer}
config mpsk-key
Description: List of multiple PSK entries.
edit <name>
set name {string}
set passphrase {password}
set concurrent-client-limit-type [default|unlimited|...]
set concurrent-clients {integer}
set mpsk-schedules <name1>, <name2>, ...
next
end
next
end
set name {string}
next
end
mpsk- Maximum number of concurrent clients that connect integer Minimum 0

concurrent- using the same passphrase in multiple PSK value: 0
clients authentication. Maximum
value:
65535
name MPSK profile name. string Not

Specified
config mpsk-group
name MPSK group name. string Not

Specified
vlan-type MPSK group VLAN options. option - no-vlan
Option Description
no-vlan No VLAN.
fixed-vlan Fixed VLAN ID.
vlan-id Optional VLAN ID. integer Minimum 0

value: 1
Maximum
value: 4094

Fortinet Inc.
config mpsk-key
name Pre-shared key name. string Not

Specified

address Specified
passphrase WPA Pre-shared key. password Not

Specified
concurrent- MPSK client limit type options. option - default

client-limit-
type
Option Description
default Using the value in profile configuration.
unlimited Unlimited.
specified Specified value.
concurrent- Number of clients that can connect using this integer Minimum 256
clients pre-shared key. value: 1
Maximum
value:
65535

Specified
mpsk- Firewall schedule for MPSK passphrase. The string Maximum

schedules passphrase will be effective only when at least length: 35
<name> one schedule is valid.
Schedule name.
config wireless-controller nac-profile
Configure WiFi network access control (NAC) profiles.

Description: Configure WiFi network access control (NAC) profiles.
edit <name>
set name {string}
set onboarding-vlan {string}
next
end

Fortinet Inc.

Specified

Specified
onboarding-vlan VLAN interface name. string Not

Specified
config wireless-controller qos-profile
Configure WiFi quality of service (QoS) profiles.

Description: Configure WiFi quality of service (QoS) profiles.
edit <name>
set bandwidth-admission-control [enable|disable]
set bandwidth-capacity {integer}
set burst [enable|disable]
set call-admission-control [enable|disable]
set call-capacity {integer}
set downlink {integer}
set downlink-sta {integer}
set dscp-wmm-be <id1>, <id2>, ...
set dscp-wmm-bk <id1>, <id2>, ...
set dscp-wmm-mapping [enable|disable]
set dscp-wmm-vi <id1>, <id2>, ...
set dscp-wmm-vo <id1>, <id2>, ...
set name {string}
set uplink {integer}
set uplink-sta {integer}
set wmm [enable|disable]
set wmm-be-dscp {integer}
set wmm-bk-dscp {integer}
set wmm-dscp-marking [enable|disable]
set wmm-uapsd [enable|disable]
set wmm-vi-dscp {integer}
set wmm-vo-dscp {integer}
next
end

Fortinet Inc.
bandwidth- Enable/disable WMM bandwidth admission control. option - disable

admission-
control
Option Description
enable Enable WMM bandwidth admission control.
disable Disable WMM bandwidth admission control.
bandwidth- Maximum bandwidth capacity allowed. integer Minimum 2000

capacity value: 1
Maximum
value:
600000
burst Enable/disable client rate burst. option - disable
Option Description
enable Enable client rate burst.
disable Disable client rate burst.
call- Enable/disable WMM call admission control. option - disable

admission-
control
Option Description
enable Enable WMM call admission control.
disable Disable WMM call admission control.
call-capacity Maximum number of Voice over WLAN. integer Minimum 10

value: 0
Maximum
value: 60

Specified
downlink Maximum downlink bandwidth for Virtual Access Points. integer Minimum 0
value: 0
Maximum
value:
2097152

Fortinet Inc.
downlink-sta Maximum downlink bandwidth for clients. integer Minimum 0

value: 0
Maximum
value:
2097152
dscp-wmm-be DSCP mapping for best effort access (default = 0 24). integer Minimum
<id> DSCP WMM mapping numbers (0 - 63). value: 0
Maximum
value: 63
dscp-wmm-bk DSCP mapping for background access (default = 8 16). integer Minimum
Maximum
value: 63
dscp-wmm- Enable/disable Differentiated Services Code Point option - disable

mapping (DSCP) mapping.
Option Description
enable Enable Differentiated Services Code Point (DSCP) mapping.
disable Disable Differentiated Services Code Point (DSCP) mapping.
dscp-wmm-vi DSCP mapping for video access (default = 32 40). integer Minimum
Maximum
value: 63
dscp-wmm-vo DSCP mapping for voice access (default = 48 56). integer Minimum
Maximum
value: 63
name WiFi QoS profile name. string Not

Specified
uplink Maximum uplink bandwidth for Virtual Access Points. integer Minimum 0
value: 0
Maximum
value:
2097152
uplink-sta Maximum uplink bandwidth for clients. integer Minimum 0

value: 0
Maximum
value:
2097152
wmm Enable/disable WiFi multi-media (WMM) control. option - enable

Fortinet Inc.
Option Description
enable Enable WiFi multi-media (WMM) control.
disable Disable WiFi multi-media (WMM) control.
wmm-be-dscp DSCP marking for best effort access. integer Minimum 0

value: 0
Maximum
value: 63
wmm-bk-dscp DSCP marking for background access. integer Minimum 8

value: 0
Maximum
value: 63
wmm-dscp- Enable/disable WMM Differentiated Services Code option - disable

marking Point (DSCP) marking.
Option Description
enable Enable WMM Differentiated Services Code Point (DSCP) marking.
disable Disable WMM Differentiated Services Code Point (DSCP) marking.
wmm-uapsd Enable/disable WMM Unscheduled Automatic Power option - enable

Save Delivery (U-APSD) power save mode.
Option Description
enable Enable WMM Unscheduled Automatic Power Save Delivery (U-APSD) power
save mode.
disable Disable WMM Unscheduled Automatic Power Save Delivery (U-APSD) power
save mode.
wmm-vi-dscp DSCP marking for video access. integer Minimum 32

value: 0
Maximum
value: 63
wmm-vo-dscp DSCP marking for voice access. integer Minimum 48

value: 0
Maximum
value: 63
config wireless-controller region
Configure FortiAP regions (for floor plans and maps).

Description: Configure FortiAP regions (for floor plans and maps).

Fortinet Inc.
edit <name>
set grayscale [enable|disable]
set name {string}
set opacity {integer}
next
end
comments Comments. string Not

Specified
grayscale Region image grayscale. option - disable
Option Description
enable Enable region image grayscale.
disable Disable region image grayscale.
name FortiAP region name. string Not

Specified
opacity Region image opacity. integer Minimum 100

value: 0
Maximum
value: 100
config wireless-controller rf-analysis
Wireless controller rf-analysis.

Description: Wireless controller rf-analysis.
set <wtp-id> {string}
end
<wtp-id> WTP ID. string Not

Specified
config wireless-controller scan
Wireless controller scan result.

Fortinet Inc.
config wireless-controller scan
Description: Wireless controller scan result.
end
config wireless-controller setting
VDOM wireless controller configuration.

Description: VDOM wireless controller configuration.
set account-id {string}
set country [--|AF|...]
set darrp-optimize {integer}
set darrp-optimize-schedules <name1>, <name2>, ...
set device-holdoff {integer}
set device-idle {integer}
set device-weight {integer}
set duplicate-ssid [enable|disable]
set fake-ssid-action {option1}, {option2}, ...
set fapc-compatibility [enable|disable]
set firmware-provision-on-authorization [enable|disable]
config offending-ssid
Description: Configure offending SSID.
edit <id>
set id {integer}
set ssid-pattern {string}
set action {option1}, {option2}, ...
next
end
set phishing-ssid-detect [enable|disable]
set wfa-compatibility [enable|disable]
end
account-id FortiCloud customer account ID. string Not

Specified
country Country or region in which the FortiGate is located. option - US

The country determines the 802.11 bands and
channels that are available.
Option Description
-- NO_COUNTRY_SET
AF AFGHANISTAN
AL ALBANIA

Fortinet Inc.
Option Description
DZ ALGERIA
AS AMERICAN SAMOA
AO ANGOLA
AR ARGENTINA
AM ARMENIA
AU AUSTRALIA
AT AUSTRIA
AZ AZERBAIJAN
BS BAHAMAS
BH BAHRAIN
BD BANGLADESH
BB BARBADOS
BY BELARUS
BE BELGIUM
BZ BELIZE
BJ BENIN
BM BERMUDA
BT BHUTAN
BO BOLIVIA
BA BOSNIA AND HERZEGOVINA
BW BOTSWANA
BR BRAZIL
BN BRUNEI DARUSSALAM
BG BULGARIA
BF BURKINA-FASO
KH CAMBODIA
CM CAMEROON
KY CAYMAN ISLANDS
CF CENTRAL AFRICA REPUBLIC

Fortinet Inc.
Option Description
TD CHAD
CL CHILE
CN CHINA
CX CHRISTMAS ISLAND
CO COLOMBIA
CG CONGO REPUBLIC
CD DEMOCRATIC REPUBLIC OF CONGO
CR COSTA RICA
HR CROATIA
CY CYPRUS
CZ CZECH REPUBLIC
DK DENMARK
DM DOMINICA
DO DOMINICAN REPUBLIC
EC ECUADOR
EG EGYPT
SV EL SALVADOR
ET ETHIOPIA
EE ESTONIA
GF FRENCH GUIANA
PF FRENCH POLYNESIA
FO FAEROE ISLANDS
FJ FIJI
FI FINLAND
FR FRANCE
GE GEORGIA
DE GERMANY
GH GHANA
GI GIBRALTAR

Fortinet Inc.
Option Description
GR GREECE
GL GREENLAND
GD GRENADA
GP GUADELOUPE
GU GUAM
GT GUATEMALA
GY GUYANA
HT HAITI
HN HONDURAS
HK HONG KONG
HU HUNGARY
IS ICELAND
IN INDIA
ID INDONESIA
IQ IRAQ
IE IRELAND
IM ISLE OF MAN
IL ISRAEL
IT ITALY
CI COTE_D_IVOIRE
JM JAMAICA
JO JORDAN
KZ KAZAKHSTAN
KE KENYA
KR KOREA REPUBLIC
KW KUWAIT
LA LAOS
LV LATVIA
LB LEBANON

Fortinet Inc.
Option Description
LS LESOTHO
LY LIBYA
LI LIECHTENSTEIN
LT LITHUANIA
LU LUXEMBOURG
MO MACAU SAR
MK MACEDONIA, FYRO
MG MADAGASCAR
MW MALAWI
MY MALAYSIA
MV MALDIVES
ML MALI
MT MALTA
MH MARSHALL ISLANDS
MQ MARTINIQUE
MR MAURITANIA
MU MAURITIUS
YT MAYOTTE
MX MEXICO
FM MICRONESIA
MD REPUBLIC OF MOLDOVA
MC MONACO
MN MONGOLIA
MA MOROCCO
MZ MOZAMBIQUE
MM MYANMAR
NA NAMIBIA
NP NEPAL
NL NETHERLANDS

Fortinet Inc.
Option Description
AN NETHERLANDS ANTILLES
AW ARUBA
NZ NEW ZEALAND
NI NICARAGUA
NE NIGER
NO NORWAY
MP NORTHERN MARIANA ISLANDS
OM OMAN
PK PAKISTAN
PW PALAU
PA PANAMA
PG PAPUA NEW GUINEA
PY PARAGUAY
PE PERU
PH PHILIPPINES
PL POLAND
PT PORTUGAL
PR PUERTO RICO
QA QATAR
RE REUNION
RO ROMANIA
RU RUSSIA
RW RWANDA
BL SAINT BARTHELEMY
KN SAINT KITTS AND NEVIS
LC SAINT LUCIA
MF SAINT MARTIN
PM SAINT PIERRE AND MIQUELON
VC SAINT VINCENT AND GRENADIENS

Fortinet Inc.
Option Description
SA SAUDI ARABIA
SN SENEGAL
RS REPUBLIC OF SERBIA
ME MONTENEGRO
SL SIERRA LEONE
SG SINGAPORE
SK SLOVAKIA
SI SLOVENIA
ZA SOUTH AFRICA
ES SPAIN
LK SRI LANKA
SE SWEDEN
SR SURINAME
CH SWITZERLAND
TW TAIWAN
TZ TANZANIA
TH THAILAND
TG TOGO
TT TRINIDAD AND TOBAGO
TN TUNISIA
TR TURKEY
TM TURKMENISTAN
AE UNITED ARAB EMIRATES
TC TURKS AND CAICOS
UG UGANDA
UA UKRAINE
GB UNITED KINGDOM
US UNITED STATES2
PS UNITED STATES (PUBLIC SAFETY)

Fortinet Inc.
Option Description
UY URUGUAY
UZ UZBEKISTAN
VU VANUATU
VE VENEZUELA
VN VIET NAM
VI VIRGIN ISLANDS
WF WALLIS AND FUTUNA
YE YEMEN
ZM ZAMBIA
ZW ZIMBABWE
JP JAPAN14
CA CANADA2
darrp-optimize Time for running Dynamic Automatic Radio Resource integer Minimum 86400
Provisioning. value: 0
Maximum
value:
86400
darrp-optimize- Firewall schedules for DARRP running time. DARRP string Maximum
schedules will run periodically based on darrp-optimize within the length: 35
<name> schedules. Separate multiple schedule names with a
space.
Schedule name.
device-holdoff Lower limit of creation time of device for identification integer Minimum 5
in minutes. value: 0
Maximum
value: 60
device-idle Upper limit of idle time of device for identification in integer Minimum 1440
minutes. value: 0
Maximum
value:
14400
device-weight Upper limit of confidence of device for identification. integer Minimum 1

value: 0
Maximum
value: 255

Fortinet Inc.
duplicate-ssid Enable/disable allowing Virtual Access Points (VAPs) option - disable

to use the same SSID name in the same VDOM.
Option Description
enable Allow VAPs to use the same SSID name in the same VDOM.
disable Do not allow VAPs to use the same SSID name in the same VDOM.
fake-ssid- Actions taken for detected fake SSID. option - log

action
Option Description
log Write logs for detected fake SSID.
suppress Suppress detected fake SSID.
fapc- Enable/disable FAP-C series compatibility. option - disable

compatibility
Option Description
enable Enable FAP-C series compatibility.
disable Disable FAP-C series compatibility.
firmware- Enable/disable automatic provisioning of latest option - disable

provision-on- firmware on authorization.
authorization
Option Description
enable Enable firmware provision on authorization.
disable Disable firmware provision on authorization.
phishing-ssid- Enable/disable phishing SSID detection. option - enable

detect
Option Description
enable Enable phishing SSID detection.
disable Disable phishing SSID detection.
wfa- Enable/disable WFA compatibility. option - disable

compatibility
Option Description
enable Enable Wi-Fi Alliance Certification compatibility.
disable Disable Wi-Fi Alliance Certification compatibility.

Fortinet Inc.
config offending-ssid

value: 0
Maximum
value:
65535
ssid-pattern Define offending SSID pattern (case insensitive). For string Not
example, word, word*, *word, wo*rd. Specified
action Actions taken for detected offending SSID. option - log
Option Description
log Generate logs for detected offending SSID.
suppress Suppress detected offending SSID.
config wireless-controller snmp
Configure SNMP.
Description: Configure SNMP.
config community
Description: SNMP Community Configuration.
edit <id>
set id {integer}
set name {string}
set query-v1-status [enable|disable]
set query-v2c-status [enable|disable]
set trap-v1-status [enable|disable]
set trap-v2c-status [enable|disable]
config hosts
edit <id>
set id {integer}
set ip {user}
next
end
next
end
set trap-high-mem-threshold {integer}
config user
Description: SNMP User Configuration.
edit <name>
set name {string}

Fortinet Inc.
set queries [enable|disable]
set trap-status [enable|disable]
set auth-proto [md5|sha]
set priv-proto [aes|des|...]
set notify-hosts {ipv4-address}
next
end
end
contact-info Contact Information. string Not

Specified
engine-id AC SNMP engineID string (maximum 24 characters). string Not

Specified

threshold value: 10
Maximum
value: 100
trap-high- Memory usage when trap is sent. integer Minimum 80

mem- value: 10
threshold Maximum
value: 100
config community
id Community ID. integer Minimum 0

value: 0
Maximum
value:
4294967295
name Community name. string Not Specified
Option Description

Fortinet Inc.

status
Option Description

status
Option Description
Option Description

status
Option Description
config hosts

value: 0
Maximum
value:
4294967295

Fortinet Inc.
config user
name SNMP user name. string Not test

Specified
status SNMP user enable. option - enable
Option Description
Option Description
trap-status Enable/disable traps for this SNMP user. option - disable
Option Description

encryption. priv
Option Description
auth-proto Authentication protocol. option - sha
Option Description
sha HMAC-SHA-96 authentication protocol.

Specified
priv-proto Privacy (encryption) protocol. option - aes

Fortinet Inc.
Option Description
aes CFB128-AES-128 symmetric encryption protocol.
aes256cisco CFB128-AES-256 symmetric encryption protocol compatible with CISCO.

Specified
notify-hosts Configure SNMP User Notify Hosts. ipv4- Not

address Specified
config wireless-controller spectral-info
Wireless controller spectrum analysis.

Description: Wireless controller spectrum analysis.
set [wtp-id] {string}
end
[wtp-id] WTP ID. string Not

Specified
config wireless-controller ssid-policy
Configure WiFi SSID policies.

Description: Configure WiFi SSID policies.
edit <name>
set name {string}
set vlan {string}
next
end

Fortinet Inc.

Specified

Specified
vlan VLAN interface name. string Not

Specified
config wireless-controller status
Wireless controller status.

Description: Wireless controller status.
set [1|2] {string}
end
[1|2] Verbose. string Not

Specified
config wireless-controller syslog-profile
Configure Wireless Termination Points (WTP) system log server profile.

Description: Configure Wireless Termination Points (WTP) system log server profile.
edit <name>
set log-level [emergency|alert|...]
set name {string}
set server-addr-type [fqdn|ip]
set server-fqdn {string}
set server-status [enable|disable]
next
end

Fortinet Inc.

Specified
log-level Lowest level of log messages that FortiAP units send option - information
to this server.
Option Description
emergency Level 0
alert Level 1
critical Level 2
error Level 3
warning Level 4
notification Level 5
information Level 6
debugging Level 7
name WTP system log server profile name. string Not

Specified
server-addr- Syslog server address type. option - ip

type
Option Description
fqdn Fully Qualified Domain Name address.
ip IPv4 address.
server-fqdn FQDN of syslog server that FortiAP units send log string Not
messages to. Specified
server-ip IP address of syslog server that FortiAP units send log ipv4- Not 0.0.0.0
messages to. address Specified
server-port Port number of syslog server that FortiAP units send integer Minimum 514
log messages to. value: 0
Maximum
value:
65535
server-status Enable/disable FortiAP units to send log messages to option - enable

a syslog server.

Fortinet Inc.
Option Description
enable Enable syslog server.
disable Disable syslog server.
config wireless-controller timers
Configure CAPWAP timers.

Description: Configure CAPWAP timers.
set ble-scan-report-intv {integer}
set client-idle-timeout {integer}
set discovery-interval {integer}
set drma-interval {integer}
set echo-interval {integer}
set fake-ap-log {integer}
set ipsec-intf-cleanup {integer}
set radio-stats-interval {integer}
set rogue-ap-cleanup {integer}
set rogue-ap-log {integer}
set sta-capability-interval {integer}
set sta-locate-timer {integer}
set sta-stats-interval {integer}
set vap-stats-interval {integer}
end
auth-timeout Time after which a client is considered failed in integer Minimum 5

RADIUS authentication and times out. value: 5
Maximum
value: 30
ble-scan- Time between running Bluetooth Low Energy. integer Minimum 30

report-intv value: 10
Maximum
value: 3600
client-idle- Time after which a client is considered idle and times integer Minimum 300
timeout out. value: 20
Maximum
value: 3600

Fortinet Inc.
discovery- Time between discovery requests. integer Minimum 5

interval value: 2
Maximum
value: 180
drma-interval Dynamic radio mode assignment. integer Minimum 60

value: 1
Maximum
value: 1440
echo-interval Time between echo requests sent by the managed integer Minimum 30
WTP, AP, or FortiAP. value: 1
Maximum
value: 255
fake-ap-log Time between recording logs about fake APs if integer Minimum 1
periodic fake AP logging is configured. value: 1
Maximum
value: 1440
ipsec-intf- Time period to keep IPsec VPN interfaces up after integer Minimum 120
cleanup WTP sessions are disconnected. value: 30
Maximum
value: 3600
radio-stats- Time between running radio reports. integer Minimum 15

interval value: 1
Maximum
value: 255
rogue-ap- Time period in minutes to keep rogue AP after it is integer Minimum 0

cleanup gone. value: 0
Maximum
value:
4294967295
rogue-ap-log Time between logging rogue AP messages if periodic integer Minimum 0

rogue AP logging is configured. value: 0
Maximum
value: 1440
sta-capability- Time between running station capability reports. integer Minimum 30

interval value: 1
Maximum
value: 255
sta-locate- Time between running client presence flushes to integer Minimum 1800
timer remove clients that are listed but no longer present. value: 0
Maximum
value: 86400

Fortinet Inc.
sta-stats- Time between running client. integer Minimum 1

interval value: 1
Maximum
value: 255
vap-stats- Time between running Virtual Access Point. integer Minimum 15

interval value: 1
Maximum
value: 255
config wireless-controller utm-profile
Configure UTM (Unified Threat Management) profile.

Description: Configure UTM (Unified Threat Management) profile.
edit <name>
set antivirus-profile {string}
set name {string}
set scan-botnet-connections [disable|monitor|...]
set utm-log [enable|disable]
next
end
antivirus- AntiVirus profile name. string Not

profile Specified
application-list Application control list name. string Not

Specified

Specified
ips-sensor IPS sensor name. string Not

Specified
name UTM profile name. string Not

Specified
scan-botnet- Block or monitor connections to Botnet servers or option - monitor

connections disable Botnet scanning.

Fortinet Inc.
Option Description
utm-log Enable/disable UTM logging. option - enable
Option Description
enable Enable UTM logging.
disable Disable UTM logging.
webfilter- WebFilter profile name. string Not

profile Specified
config wireless-controller vap-group
Configure virtual Access Point (VAP) groups.

Description: Configure virtual Access Point (VAP) groups.
edit <name>
set name {string}
set vaps <name1>, <name2>, ...
next
end

Specified
name Group Name. string Not

Specified
vaps <name> List of SSIDs to be included in the VAP group. string Maximum
VAP name. length: 35
config wireless-controller vap-status
Wireless controller VAP-status.

Fortinet Inc.
Description: Wireless controller VAP-status.
set [1] {string}
end
[1] Verbose. string Not

Specified
config wireless-controller vap
Configure Virtual Access Points (VAPs).

Description: Configure Virtual Access Points (VAPs).
edit <name>
set access-control-list {string}
set additional-akms {option1}, {option2}, ...
set address-group {string}
set antivirus-profile {string}
set atf-weight {integer}
set auth [psk|radius|...]
set auth-portal-addr {string}
set beacon-advertising {option1}, {option2}, ...
set broadcast-ssid [enable|disable]
set broadcast-suppression {option1}, {option2}, ...
set bss-color-partial [enable|disable]
set bstm-disassociation-imminent [enable|disable]
set bstm-load-balancing-disassoc-timer {integer}
set bstm-rssi-disassoc-timer {integer}
set captive-portal-ac-name {string}
set captive-portal-auth-timeout {integer}
set dhcp-address-enforcement [enable|disable]
set dhcp-lease-time {integer}
set dhcp-option43-insertion [enable|disable]
set dhcp-option82-circuit-id-insertion [style-1|style-2|...]
set dhcp-option82-insertion [enable|disable]
set dhcp-option82-remote-id-insertion [style-1|disable]
set dynamic-vlan [enable|disable]
set eap-reauth [enable|disable]
set eap-reauth-intv {integer}
set eapol-key-retries [disable|enable]
set encrypt [TKIP|AES|...]
set external-fast-roaming [enable|disable]
set external-logout {string}
set external-web {var-string}
set external-web-format [auto-detect|no-query-string|...]
set fast-bss-transition [disable|enable]

Fortinet Inc.
set fast-roaming [enable|disable]
set ft-mobility-domain {integer}
set ft-over-ds [disable|enable]
set ft-r0-key-lifetime {integer}
set gas-comeback-delay {integer}
set gas-fragmentation-limit {integer}
set gtk-rekey [enable|disable]
set gtk-rekey-intv {integer}
set high-efficiency [enable|disable]
set hotspot20-profile {string}
set igmp-snooping [enable|disable]
set intra-vap-privacy [enable|disable]
set ipv6-rules {option1}, {option2}, ...
set key {password}
set keyindex {integer}
set ldpc [disable|rx|...]
set local-authentication [enable|disable]
set local-bridging [enable|disable]
set local-lan [allow|deny]
set local-standalone [enable|disable]
set local-standalone-dns [enable|disable]
set local-standalone-dns-ip {ipv4-address}
set local-standalone-nat [enable|disable]
set mac-auth-bypass [enable|disable]
set mac-called-station-delimiter [hyphen|single-hyphen|...]
set mac-calling-station-delimiter [hyphen|single-hyphen|...]
set mac-case [uppercase|lowercase]
set mac-filter [enable|disable]
config mac-filter-list
Description: Create a list of MAC addresses for MAC address filtering.
edit <id>
set id {integer}
set mac-filter-policy [allow|deny]
next
end
set mac-filter-policy-other [allow|deny]
set mac-password-delimiter [hyphen|single-hyphen|...]
set mac-username-delimiter [hyphen|single-hyphen|...]
set max-clients {integer}
set max-clients-ap {integer}
set mbo [disable|enable]
set mbo-cell-data-conn-pref [excluded|prefer-not|...]
set me-disable-thresh {integer}
set mesh-backhaul [enable|disable]
set mpsk-profile {string}
set mu-mimo [enable|disable]
set multicast-enhance [enable|disable]
set multicast-rate [0|6000|...]
set nac [enable|disable]
set nac-profile {string}
set name {string}
set neighbor-report-dual-band [disable|enable]
set okc [disable|enable]

Fortinet Inc.
set osen [enable|disable]
set owe-groups {option1}, {option2}, ...
set owe-transition [disable|enable]
set owe-transition-ssid {string}
set passphrase {password}
set pmf [disable|enable|...]
set pmf-assoc-comeback-timeout {integer}
set pmf-sa-query-retry-timeout {integer}
set port-macauth [disable|radius|...]
set port-macauth-reauth-timeout {integer}
set port-macauth-timeout {integer}
set portal-message-override-group {string}
config portal-message-overrides
Description: Individual message overrides.
set auth-disclaimer-page {string}
set auth-reject-page {string}
set auth-login-page {string}
set auth-login-failed-page {string}
end
set portal-type [auth|auth+disclaimer|...]
set primary-wag-profile {string}
set probe-resp-suppression [enable|disable]
set probe-resp-threshold {string}
set ptk-rekey [enable|disable]
set ptk-rekey-intv {integer}
set qos-profile {string}
set radio-2g-threshold {string}
set radio-5g-threshold {string}
set radio-sensitivity [enable|disable]
set radius-mac-auth [enable|disable]
set radius-mac-auth-server {string}
set radius-mac-auth-usergroups <name1>, <name2>, ...
set radius-mac-mpsk-auth [enable|disable]
set radius-mac-mpsk-timeout {integer}
set rates-11a {option1}, {option2}, ...
set rates-11ac-ss12 {option1}, {option2}, ...
set rates-11ac-ss34 {option1}, {option2}, ...
set rates-11ax-ss12 {option1}, {option2}, ...
set rates-11ax-ss34 {option1}, {option2}, ...
set rates-11bg {option1}, {option2}, ...
set rates-11n-ss12 {option1}, {option2}, ...
set rates-11n-ss34 {option1}, {option2}, ...
set sae-groups {option1}, {option2}, ...
set sae-h2e-only [enable|disable]
set sae-password {password}
set sae-pk [enable|disable]
set sae-private-key {string}
set scan-botnet-connections [disable|monitor|...]
set schedule <name1>, <name2>, ...
set secondary-wag-profile {string}
set security [open|captive-portal|...]
set security-exempt-list {string}
set security-redirect-url {var-string}
set selected-usergroups <name1>, <name2>, ...

Fortinet Inc.
set split-tunneling [enable|disable]
set ssid {string}
set sticky-client-remove [enable|disable]
set sticky-client-threshold-2g {string}
set target-wake-time [enable|disable]
set tkip-counter-measure [enable|disable]
set tunnel-echo-interval {integer}
set tunnel-fallback-interval {integer}
set usergroup <name1>, <name2>, ...
set utm-log [enable|disable]
set utm-profile {string}
set vlan-auto [enable|disable]
config vlan-name
Description: Table for mapping VLAN name to VLAN ID.
edit <name>
set name {string}
set vlan-id {integer}
next
end
config vlan-pool
Description: VLAN pool.
edit <id>
set id {integer}
set wtp-group {string}
next
end
set vlan-pooling [wtp-group|round-robin|...]
set voice-enterprise [disable|enable]
next
end
access-control- Profile name for access-control-list. string Not Specified

list
additional-akms Additional AKMs. option -
Option Description
akm6 Use AKM suite employing PSK_SHA256.
address-group Address group ID. string Not Specified
antivirus-profile AntiVirus profile name. string Not Specified
application-list Application control list name. string Not Specified

Fortinet Inc.
atf-weight Airtime weight in percentage. integer Minimum 20

value: 0
Maximum
value: 100
auth Authentication protocol. option - psk
Option Description
psk Use a single Pre-shard Key (PSK) to authenticate all users.
radius Use a RADIUS server to authenticate clients.
usergroup Use a firewall usergroup to authenticate clients.
auth-cert HTTPS server certificate. string Not Specified
auth-portal-addr Address of captive portal. string Not Specified
beacon- Fortinet beacon advertising IE data . option -

advertising
Option Description
name AP name.
model AP model abbreviation.
serial-number AP serial number.
broadcast-ssid Enable/disable broadcasting the SSID. option - enable
Option Description
enable Enable broadcasting the SSID.
disable Disable broadcasting the SSID.
broadcast- Optional suppression of broadcast messages. option - dhcp-up

suppression For example, you can keep DHCP messages, dhcp-ucast
ARP broadcasts, and so on off of the wireless arp-known
network.
Option Description
dhcp-up Suppress broadcast uplink DHCP messages.
dhcp-down Suppress broadcast downlink DHCP messages.
dhcp-starvation Suppress broadcast DHCP starvation req messages.
dhcp-ucast Convert downlink broadcast DHCP messages to unicast messages.
arp-known Suppress broadcast ARP for known wireless clients.

Fortinet Inc.
Option Description
arp-unknown Suppress broadcast ARP for unknown wireless clients.
arp-reply Suppress broadcast ARP reply from wireless clients.
arp-poison Suppress ARP poison messages from wireless clients.
arp-proxy Reply ARP requests for wireless clients as a proxy.
netbios-ns Suppress NetBIOS name services packets with UDP port 137.
netbios-ds Suppress NetBIOS datagram services packets with UDP port 138.
ipv6 Suppress IPv6 packets.
all-other-mc Suppress all other multicast messages.
all-other-bc Suppress all other broadcast messages.
bss-color-partial Enable/disable 802.11ax partial BSS color. option - enable
Option Description
enable Enable 802.11ax partial BSS color.
disable Disable 802.11ax partial BSS color.
bstm- Enable/disable forcing of disassociation after option - enable

disassociation- the BSTM request timer has been reached.
imminent
Option Description
enable Enable BSTM disassociation imminent.
disable Disable BSTM disassociation imminent.
bstm-load- Time interval for client to voluntarily leave AP integer Minimum 10

balancing- before forcing a disassociation due to AP load- value: 1
disassoc-timer balancing. Maximum
value: 30
bstm-rssi- Time interval for client to voluntarily leave AP integer Minimum 200
disassoc-timer before forcing a disassociation due to low value: 1
RSSI. Maximum
value: 2000
captive-portal-ac- Local-bridging captive portal ac-name. string Not Specified

name
captive-portal- Hard timeout - AP will always clear the session integer Minimum 0
auth-timeout after timeout regardless of traffic. value: 0
Maximum
value: 864000

Fortinet Inc.
dhcp-address- Enable/disable DHCP address enforcement. option - disable

enforcement
Option Description
enable Enable DHCP enforcement, data from clients that have not completed the
DHCP process will be blocked.
disable Disable DHCP enforcement, clients can access the network without DHCP
process.
dhcp-lease-time DHCP lease time in seconds for NAT IP integer Minimum 2400
address. value: 300
Maximum
value:
8640000
dhcp-option43- Enable/disable insertion of DHCP option 43. option - enable

insertion
Option Description
enable Enable insertion of DHCP option 43.
disable Disable insertion of DHCP option 43.
dhcp-option82- Enable/disable DHCP option 82 circuit-id option - disable

circuit-id- insert.
insertion
Option Description
style-1 ASCII string composed of AP-MAC;SSID;SSID-TYPE. For example,

"xx:xx:xx:xx:xx:xx;wifi;s".
style-2 ASCII string composed of AP-MAC. For example, "xx:xx:xx:xx:xx:xx".
style-3 ASCII string composed of NETWORK-TYPE:WTPPROF-

NAME:VLAN:SSID:AP-MODEL:AP-HOSTNAME:AP-MAC. For
example,"WLAN:FAPS221E-default:100:wifi:PS221E:FortiAP-
S221E:xx:xx:xx:xx:xx:xx".
disable Disable DHCP option 82 circuit-id insert.
dhcp-option82- Enable/disable DHCP option 82 insert. option - disable

insertion
Option Description
enable Enable DHCP option 82 insert.
disable Disable DHCP option 82 insert.

Fortinet Inc.
dhcp-option82- Enable/disable DHCP option 82 remote-id option - disable

remote-id- insert.
insertion
Option Description
style-1 ASCII string in the format "xx:xx:xx:xx:xx:xx" containing MAC address of

client device.
disable Disable DHCP option 82 remote-id insert.
dynamic-vlan Enable/disable dynamic VLAN assignment. option - disable
Option Description
enable Enable dynamic VLAN assignment.
disable Disable dynamic VLAN assignment.
eap-reauth Enable/disable EAP re-authentication for WPA- option - disable

Enterprise security.
Option Description
enable Enable EAP re-authentication for WPA-Enterprise security.
disable Disable EAP re-authentication for WPA-Enterprise security.
eap-reauth-intv EAP re-authentication interval. integer Minimum 86400

value: 1800
Maximum
value: 864000
eapol-key-retries Enable/disable retransmission of EAPOL-Key option - enable

frames.
Option Description
disable Disable retransmission of EAPOL-Key frames (message 3/4 and group

message 1/2).
enable Enable retransmission of EAPOL-Key frames (message 3/4 and group

message 1/2).
encrypt Encryption protocol to use (only available when option - AES

security is set to a WPA type).
Option Description
TKIP Use TKIP encryption.
AES Use AES encryption.

Fortinet Inc.
Option Description
TKIP-AES Use TKIP and AES encryption.
external-fast- Enable/disable fast roaming or pre- option - disable

roaming authentication with external APs not managed
by the FortiGate.
Option Description
enable Enable fast roaming or pre-authentication with external APs.
disable Disable fast roaming or pre-authentication with external APs.
external-logout URL of external authentication logout server. string Not Specified
external-web URL of external authentication web server. var-string Not Specified
external-web- URL query parameter detection. option - auto-detect

format
Option Description
auto-detect Automatically detect if "external-web" URL has any query parameter.
no-query-string "external-web" URL does not have any query parameter.
partial-query- "external-web" URL has some query parameters.

string
fast-bss- Enable/disable 802.11r Fast BSS Transition. option - disable

transition
Option Description
disable Disable 802.11r Fast BSS Transition (FT).
enable Enable 802.11r Fast BSS Transition (FT).
fast-roaming Enable/disable fast-roaming, or pre- option - enable

authentication, where supported by clients.
Option Description
enable Enable fast-roaming, or pre-authentication.
disable Disable fast-roaming, or pre-authentication.
ft-mobility- Mobility domain identifier in FT. integer Minimum 1000

domain value: 1
Maximum
value: 65535

Fortinet Inc.
ft-over-ds Enable/disable FT over the Distribution System option - disable

(DS).
Option Description
disable Disable FT over the Distribution System (DS).
enable Enable FT over the Distribution System (DS).
ft-r0-key-lifetime Lifetime of the PMK-R0 key in FT, 1-65535 integer Minimum 480
minutes. value: 1
Maximum
value: 65535
gas-comeback- GAS comeback delay. integer Minimum 500

delay value: 100
Maximum
value: 10000
gas- GAS fragmentation limit. integer Minimum 1024

fragmentation- value: 512
limit Maximum
value: 4096
gtk-rekey Enable/disable GTK rekey for WPA security. option - disable
Option Description
enable Enable GTK rekey for WPA security.
disable Disable GTK rekey for WPA security.
gtk-rekey-intv GTK rekey interval. integer Minimum 86400

value: 1800
Maximum
value: 864000
high-efficiency Enable/disable 802.11ax high efficiency. option - enable
Option Description
enable Enable 802.11ax high efficiency.
disable Disable 802.11ax high efficiency.
hotspot20-profile Hotspot 2.0 profile name. string Not Specified
igmp-snooping Enable/disable IGMP snooping. option - disable
Option Description
enable Enable IGMP snooping.

Fortinet Inc.
Option Description
disable Disable IGMP snooping.
intra-vap-privacy Enable/disable blocking communication option - disable

between clients on the same SSID.
Option Description
enable Enable intra-SSID privacy.
disable Disable intra-SSID privacy.
ip IP address and subnet mask for the local ipv4- Not Specified 0.0.0.0
standalone NAT subnet. classnet-host 0.0.0.0
ipv6-rules Optional rules of IPv6 packets. For example, option - drop-icmp6ra

you can keep RA, RS and so on off of the drop-icmp6rs
wireless network. drop-llmnr6
drop-
icmp6mld2
drop-dhcp6s
drop-dhcp6c
ndp-proxy
drop-ns-dad
Option Description
drop-icmp6ra Drop ICMP6 Router Advertisement (RA) packets that originate from
wireless clients.
drop-icmp6rs Drop ICMP6 Router Solicitation (RS) packets to be sent to wireless clients.
drop-llmnr6 Drop Link-Local Multicast Name Resolution (LLMNR) packets
drop-icmp6mld2 Drop ICMP6 Multicast Listener Report V2 (MLD2) packets
drop-dhcp6s Drop DHCP6 server generated packets that originate from wireless clients.
drop-dhcp6c Drop DHCP6 client generated packets to be sent to wireless clients.
ndp-proxy Enable IPv6 ndp proxy - send back na on behalf of the client and drop the
ns.
drop-ns-dad Drop ICMP6 NS-DAD when target address is not found in ndp proxy cache.
drop-ns-nondad Drop ICMP6 NS-NonDAD when target address is not found in ndp proxy
cache.
key WEP Key. password Not Specified

Fortinet Inc.
keyindex WEP key index. integer Minimum 1

value: 1
Maximum
value: 4
ldpc VAP low-density parity-check (LDPC) coding option - rxtx

configuration.
Option Description
disable Disable LDPC.
rx Enable LDPC when receiving traffic.
tx Enable LDPC when transmitting traffic.
rxtx Enable LDPC when both receiving and transmitting traffic.
local- Enable/disable AP local authentication. option - disable

authentication
Option Description
enable Enable AP local authentication.
disable Disable AP local authentication.
local-bridging Enable/disable bridging of wireless and option - disable

Ethernet interfaces on the FortiAP.
Option Description
enable Enable AP local VAP to Ethernet bridging.
disable Disable AP local VAP to Ethernet bridging.
local-lan Allow/deny traffic destined for a Class A, B, or option - allow

C private IP address.
Option Description
allow Allow traffic destined for a Class A, B, or C private IP address.
deny Deny traffic destined for a Class A, B, or C private IP address.
local-standalone Enable/disable AP local standalone. option - disable
Option Description
enable Enable AP local standalone.
disable Disable AP local standalone.

Fortinet Inc.
local-standalone- Enable/disable AP local standalone DNS. option - disable

dns
Option Description
enable Enable AP local standalone DNS.
disable Disable AP local standalone DNS.
local-standalone- IPv4 addresses for the local standalone DNS. ipv4-address Not Specified
dns-ip
local-standalone- Enable/disable AP local standalone NAT option - disable

nat mode.
Option Description
enable Enable AP local standalone NAT mode.
disable Disable AP local standalone NAT mode.
mac-auth-bypass Enable/disable MAC authentication bypass. option - disable
Option Description
mac-called- MAC called station delimiter. option - hyphen

station-delimiter
Option Description
hyphen Use hyphen as delimiter for called station.
single-hyphen Use single hyphen as delimiter for called station.
colon Use colon as delimiter for called station.
none No delimiter for called station.
mac-calling- MAC calling station delimiter. option - hyphen

station-delimiter
Option Description
hyphen Use hyphen as delimiter for calling station.
single-hyphen Use single hyphen as delimiter for calling station.
colon Use colon as delimiter for calling station.
none No delimiter for calling station.

Fortinet Inc.
mac-case MAC case. option - uppercase
Option Description
uppercase Use uppercase MAC.
lowercase Use lowercase MAC.
mac-filter Enable/disable MAC filtering to block wireless option - disable

clients by mac address.
Option Description
enable Enable MAC filtering.
disable Disable MAC filtering.
mac-filter-policy- Allow or block clients with MAC addresses that option - allow
other are not in the filter list.
Option Description
allow Allow clients with MAC addresses that are not in the filter list.
deny Block clients with MAC addresses that are not in the filter list.
mac-password- MAC authentication password delimiter. option - hyphen

delimiter
Option Description
hyphen Use hyphen as delimiter for MAC auth password.
single-hyphen Use single hyphen as delimiter for MAC auth password.
colon Use colon as delimiter for MAC auth password.
none No delimiter for MAC auth password.
mac-username- MAC authentication username delimiter. option - hyphen

delimiter
Option Description
hyphen Use hyphen as delimiter for MAC auth username.
single-hyphen Use single hyphen as delimiter for MAC auth username.
colon Use colon as delimiter for MAC auth username.
none No delimiter for MAC auth username.

Fortinet Inc.
max-clients Maximum number of clients that can connect integer Minimum 0

simultaneously to the VAP. value: 0
Maximum
value:
4294967295
max-clients-ap Maximum number of clients that can connect integer Minimum 0

simultaneously to the VAP per AP radio. value: 0
Maximum
value:
4294967295
mbo Enable/disable Multiband Operation. option - disable
Option Description
disable Disable Multiband Operation (MBO).
enable Enable Multiband Operation (MBO).
mbo-cell-data- MBO cell data connection preference. option - prefer-not

conn-pref
Option Description
excluded Wi-Fi Agile Multiband AP does not want the Wi-Fi Agile Multiband STA to
use the cellular data connection.
prefer-not Wi-Fi Agile Multiband AP prefers the Wi-Fi Agile Multiband STA should not
use cellular data connection.
prefer-use Wi-Fi Agile Multiband AP prefers the Wi-Fi Agile Multiband STA should use
cellular data connection.
me-disable- Disable multicast enhancement when this integer Minimum 32

thresh many clients are receiving multicast traffic. value: 2
Maximum
value: 256
mesh-backhaul Enable/disable using this VAP as a WiFi mesh option - disable

backhaul. This entry is only available when
security is set to a WPA type or open.
Option Description
enable Enable mesh backhaul.
disable Disable mesh backhaul.
mpsk-profile MPSK profile name. string Not Specified
mu-mimo Enable/disable Multi-user MIMO. option - enable

Fortinet Inc.
Option Description
enable Enable Multi-user MIMO.
disable Disable Multi-user MIMO.
multicast- Enable/disable converting multicast to unicast option - disable

enhance to improve performance.
Option Description
enable Enable multicast enhancement.
disable Disable multicast enhancement.
multicast-rate Multicast rate. option - 0
Option Description
0 Use the default multicast rate.
6000 6 Mbps.
12000 12 Mbps.
24000 24 Mbps.
nac Enable/disable network access control. option - disable
Option Description
enable Enable network access control.
disable Disable network access control.
nac-profile NAC profile name. string Not Specified
name Virtual AP name. string Not Specified
neighbor-report- Enable/disable dual-band neighbor report. option - disable

dual-band
Option Description
disable Disable dual-band neighbor report.
enable Enable dual-band neighbor report.
okc Enable/disable Opportunistic Key Caching. option - enable
Option Description
disable Disable Opportunistic Key Caching (OKC).
enable Enable Opportunistic Key Caching (OKC).

Fortinet Inc.
osen Enable/disable OSEN as part of key option - disable

management.
Option Description
enable Enable OSEN auth.
disable Disable OSEN auth.
owe-groups OWE-Groups. option -
Option Description
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
owe-transition Enable/disable OWE transition mode support. option - disable
Option Description
disable Disable OWE transition mode support.
enable Enable OWE transition mode support.
owe-transition- OWE transition mode peer SSID. string Not Specified

ssid
passphrase WPA pre-shared key (PSK) to be used to password Not Specified

authenticate WiFi users.
pmf Protected Management Frames. option - disable
Option Description
disable Disable PMF completely.
enable Enable PMF but deny clients without PMF.
optional Enable PMF and allow clients without PMF.
pmf-assoc- Protected Management Frames. integer Minimum 1

comeback- value: 1
timeout Maximum
value: 20
pmf-sa-query- Protected Management Frames. integer Minimum 2

retry-timeout value: 1
Maximum
value: 5
port-macauth Enable/disable LAN port MAC authentication. option - disable

Fortinet Inc.
Option Description
disable Disable LAN port MAC authentication.
radius Enable LAN port RADIUS-based MAC authentication.
address-group Enable LAN port address-group based MAC authentication.
port-macauth- LAN port MAC authentication re-authentication integer Minimum 7200

reauth-timeout timeout value. value: 120
Maximum
value: 65535
port-macauth- LAN port MAC authentication idle timeout integer Minimum 600
timeout value. value: 60
Maximum
value: 65535
portal-message- Replacement message group for this VAP string Not Specified
override-group (only available when security is set to a captive
portal type).
portal-type Captive portal functionality. Configure how the option - auth

captive portal authenticates users and whether
it includes a disclaimer.
Option Description
auth Portal for authentication.
auth+disclaimer Portal for authentication and disclaimer.
disclaimer Portal for disclaimer.
email-collect Portal for email collection.
cmcc Portal for CMCC.
cmcc-macauth Portal for CMCC and MAC authentication.
auth-mac Portal for authentication and MAC authentication.
external-auth Portal for external portal authentication.
external-macauth Portal for external portal MAC authentication.
primary-wag- Primary wireless access gateway profile name. string Not Specified
profile
probe-resp- Enable/disable probe response suppression. option - disable

suppression

Fortinet Inc.
Option Description
enable Enable probe response suppression.
disable Disable probe response suppression.
probe-resp- Minimum signal level/threshold in dBm string Not Specified -80

threshold required for the AP response to probe
requests.
ptk-rekey Enable/disable PTK rekey for WPA-Enterprise option - disable

security.
Option Description
enable Enable PTK rekey for WPA-Enterprise security.
disable Disable PTK rekey for WPA-Enterprise security.
ptk-rekey-intv PTK rekey interval. integer Minimum 86400

value: 1800
Maximum
value: 864000
qos-profile Quality of service profile name. string Not Specified
quarantine Enable/disable station quarantine. option - enable
Option Description
enable Enable station quarantine.
disable Disable station quarantine.
radio-2g- Minimum signal level/threshold in dBm string Not Specified -79

threshold required for the AP response to receive a
packet in 2.4G band.
radio-5g- Minimum signal level/threshold in dBm string Not Specified -76

threshold required for the AP response to receive a
packet in 5G band.
radio-sensitivity Enable/disable software radio sensitivity. option - disable
Option Description
enable Enable software radio sensitivity.
disable Disable software radio sensitivity.
radius-mac-auth Enable/disable RADIUS-based MAC option - disable

authentication of clients.

Fortinet Inc.
Option Description
enable Enable RADIUS-based MAC authentication.
disable Disable RADIUS-based MAC authentication.
radius-mac-auth- RADIUS-based MAC authentication server. string Not Specified

server
radius-mac-auth- Selective user groups that are permitted for string Maximum
usergroups RADIUS mac authentication. length: 79
<name> User group name.
radius-mac- Enable/disable RADIUS-based MAC option - disable

mpsk-auth authentication of clients for MPSK
authentication.
Option Description
enable Enable RADIUS-based MAC authentication for MPSK authentication.
disable Disable RADIUS-based MAC authentication for MPSK authentication.
radius-mac- RADIUS MAC MPSK cache timeout interval. integer Minimum 86400
mpsk-timeout value: 300
Maximum
value: 864000
radius-server RADIUS server to be used to authenticate WiFi string Not Specified

users.
rates-11a Allowed data rates for 802.11a. option -
Option Description
1 1 Mbps supported rate.
1-basic 1 Mbps BSS basic rate.
5.5 5.5 Mbps supported rate.
5.5-basic 5.5 Mbps BSS basic rate.

Fortinet Inc.
Option Description
rates-11ac-ss12 Allowed data rates for 802.11ac with 1 or 2 option -

spatial streams.
Option Description
mcs0/1 Data rate for MCS index 0 with 1 spatial stream.

Fortinet Inc.
Option Description
mcs0/2 Data rate for MCS index 0 with 2 spatial streams.
rates-11ac-ss34 Allowed data rates for 802.11ac with 3 or 4 option -

spatial streams.
Option Description

Fortinet Inc.
Option Description
rates-11ax-ss12 Allowed data rates for 802.11ax with 1 or 2 option -

spatial streams.
Option Description

Fortinet Inc.
Option Description
rates-11ax-ss34 Allowed data rates for 802.11ax with 3 or 4 option -

spatial streams.
Option Description

Fortinet Inc.
Option Description
rates-11bg Allowed data rates for 802.11b/g. option -
Option Description
5.5 5.5 Mbps supported rate.
5.5-basic 5.5 Mbps BSS basic rate.

Fortinet Inc.
Option Description
rates-11n-ss12 Allowed data rates for 802.11n with 1 or 2 option -

spatial streams.
Option Description
rates-11n-ss34 Allowed data rates for 802.11n with 3 or 4 option -

spatial streams.

Fortinet Inc.
Option Description
sae-groups SAE-Groups. option -
Option Description
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
sae-h2e-only Use hash-to-element-only mechanism for PWE option - disable

derivation.
Option Description
enable Enable WAP3 SAE-H2E-only.
disable Disable WPA3 SAE-H2E-only.
sae-password WPA3 SAE password to be used to password Not Specified

authenticate WiFi users.
sae-pk Enable/disable WPA3 SAE-PK. option - disable

Fortinet Inc.
Option Description
enable Enable WAP3 SAE-PK.
disable Disable WPA3 SAE-PK.
sae-private-key Private key used for WPA3 SAE-PK string Not Specified
authentication.
scan-botnet- Block or monitor connections to Botnet servers option - monitor

connections or disable Botnet scanning.
Option Description
schedule Firewall schedules for enabling this VAP on the string Maximum
<name> FortiAP. This VAP will be enabled when at least length: 35
one of the schedules is valid. Separate multiple
schedule names with a space.
Schedule name.
secondary-wag- Secondary wireless access gateway profile string Not Specified

profile name.
security Security mode for the wireless interface. option - wpa2-only-

personal
Option Description
open Open.
captive-portal Captive portal.
wep64 WEP 64-bit.
wep128 WEP 128-bit.
wpa-personal WPA/WPA2 personal.
wpa- WPA/WPA2 personal with captive portal.

personal+captive-
portal
wpa-enterprise WPA/WPA2 enterprise.
wpa-only-personal WPA personal.

Fortinet Inc.
Option Description
wpa-only- WPA personal with captive portal.

personal+captive-
portal
wpa-only-enterprise WPA enterprise.
wpa2-only-personal WPA2 personal.
wpa2-only- WPA2 personal with captive portal.

personal+captive-
portal
wpa2-only- WPA2 enterprise.

enterprise
wpa3-enterprise WPA3 enterprise with 192-bit encryption and PMF mandatory.
wpa3-only- WPA3 enterprise with PMF mandatory.

enterprise
wpa3-enterprise- WPA3 enterprise with PMF optional.

transition
wpa3-sae WPA3 SAE.
wpa3-sae-transition WPA3 SAE transition.
owe Opportunistic wireless encryption.
osen OSEN.
security-exempt- Optional security exempt list for captive portal string Not Specified
list authentication.
security-redirect- Optional URL for redirecting users after they var-string Not Specified
url pass captive portal authentication.
selected- Selective user groups that are permitted to string Maximum

usergroups authenticate. length: 79
<name> User group name.
split-tunneling Enable/disable split tunneling. option - disable
Option Description
enable Enable split tunneling.
disable Disable split tunneling.

Fortinet Inc.
ssid IEEE 802.11 service set identifier (SSID) for string Not Specified fortinet
the wireless interface. Users who wish to use
the wireless network must configure their
computers to access this SSID name.
sticky-client- Enable/disable sticky client remove to maintain option - disable

remove good signal level clients in SSID.
Option Description
enable Enable sticky client remove.
disable Disable sticky client remove.
sticky-client- Minimum signal level/threshold in dBm string Not Specified -79

threshold-2g required for the 2G client to be serviced by the
AP.

AP.

AP.
target-wake-time Enable/disable 802.11ax target wake time. option - enable
Option Description
enable Enable 802.11ax target wake time.
disable Disable 802.11ax target wake time.
tkip-counter- Enable/disable TKIP counter measure. option - enable

measure
Option Description
enable Enable TKIP counter measure.
disable Disable TKIP counter measure.
tunnel-echo- The time interval to send echo to both primary integer Minimum 300
interval and secondary tunnel peers. value: 1
Maximum
value: 65535
tunnel-fallback- The time interval for secondary tunnel to fall integer Minimum 7200
interval back to primary tunnel. value: 0
Maximum
value: 65535

Fortinet Inc.
usergroup Firewall user group to be used to authenticate string Maximum

<name> WiFi users. length: 79
User group name.
utm-log Enable/disable UTM logging. option - enable
Option Description
enable Enable UTM logging.
disable Disable UTM logging.
utm-profile UTM profile name. string Not Specified
utm-status Enable to add one or more security profiles option - disable

(AV, IPS, etc.) to the VAP.
Option Description
vlan-auto Enable/disable automatic management of option - disable

SSID VLAN interface.
Option Description
enable Enable automatic management of SSID VLAN interface.
disable Disable automatic management of SSID VLAN interface.
vlan-pooling Enable/disable VLAN pooling, to allow option - disable

grouping of multiple wireless controller VLANs
into VLAN pools. When set to wtp-group, VLAN
pooling occurs with VLAN assignment by wtp-
group.
Option Description
wtp-group Enable VLAN pooling with VLAN assignment by wtp-group.
round-robin Enable VLAN pooling with round-robin VLAN assignment.
hash Enable VLAN pooling with hash-based VLAN assignment.
disable Disable VLAN pooling.
vlanid Optional VLAN ID. integer Minimum 0

value: 0
Maximum
value: 4094

Fortinet Inc.
voice-enterprise Enable/disable 802.11k and 802.11v assisted option - disable

Voice-Enterprise roaming.
Option Description
disable Disable 802.11k and 802.11v assisted Voice-Enterprise roaming.
enable Enable 802.11k and 802.11v assisted Voice-Enterprise roaming.
webfilter-profile WebFilter profile name. string Not Specified
config mac-filter-list

value: 0
Maximum
value:
4294967295

address
mac-filter- Deny or allow the client with this MAC option - deny
policy address.
Option Description
allow Allow the client with this MAC address.
deny Block the client with this MAC address.
config portal-message-overrides
auth- Override auth-disclaimer-page message with message string Not

disclaimer- from portal-message-overrides group. Specified
page
auth-reject- Override auth-reject-page message with message from string Not

page portal-message-overrides group. Specified
auth-login- Override auth-login-page message with message from string Not

page portal-message-overrides group. Specified
auth-login- Override auth-login-failed-page message with message string Not

failed-page from portal-message-overrides group. Specified

Fortinet Inc.
config vlan-name
name VLAN name. string Not

Specified
vlan-id VLAN ID. integer Minimum 0

value: 0
Maximum
value: 4094
config vlan-pool

value: 0
Maximum
value: 4094
wtp-group WTP group name. string Not

Specified
config wireless-controller wag-profile
Configure wireless access gateway (WAG) profiles used for tunnels on AP.
Description: Configure wireless access gateway (WAG) profiles used for tunnels on AP.
edit <name>
set dhcp-ip-addr {ipv4-address}
set name {string}
set ping-interval {integer}
set ping-number {integer}
set return-packet-timeout {integer}
set tunnel-type [l2tpv3|gre]
set wag-ip {ipv4-address}
set wag-port {integer}
next
end

Specified

Fortinet Inc.
dhcp-ip-addr IP address of the monitoring DHCP request packet sent ipv4- Not 0.0.0.0
through the tunnel. address Specified
name Tunnel profile name. string Not

Specified
ping-interval Interval between two tunnel monitoring echo packets. integer Minimum 1
value: 1
Maximum
value:
65535
ping-number Number of the tunnel monitoring echo packets. integer Minimum 5

value: 1
Maximum
value:
65535
return-packet- Window of time for the return packets from the tunnel's integer Minimum 160
timeout remote end. value: 1
Maximum
value:
65535
tunnel-type Tunnel type. option - l2tpv3
Option Description
l2tpv3 L2TPV3 Ethernet Pseudowire.
gre GRE Ethernet tunnel.
wag-ip IP Address of the wireless access gateway. ipv4- Not 0.0.0.0

address Specified
wag-port UDP port of the wireless access gateway. integer Minimum 1701
value: 0
Maximum
value:
65535
config wireless-controller wids-profile
Configure wireless intrusion detection system (WIDS) profiles.

Description: Configure wireless intrusion detection system (WIDS) profiles.
edit <name>
set ap-auto-suppress [enable|disable]
set ap-bgscan-disable-schedules <name1>, <name2>, ...
set ap-bgscan-duration {integer}
set ap-bgscan-idle {integer}

Fortinet Inc.
set ap-bgscan-intv {integer}
set ap-bgscan-period {integer}
set ap-bgscan-report-intv {integer}
set ap-fgscan-report-intv {integer}
set ap-scan [disable|enable]
set ap-scan-passive [enable|disable]
set ap-scan-threshold {string}
set asleap-attack [enable|disable]
set assoc-flood-thresh {integer}
set assoc-flood-time {integer}
set assoc-frame-flood [enable|disable]
set auth-flood-thresh {integer}
set auth-flood-time {integer}
set auth-frame-flood [enable|disable]
set deauth-broadcast [enable|disable]
set deauth-unknown-src-thresh {integer}
set eapol-fail-flood [enable|disable]
set eapol-fail-intv {integer}
set eapol-fail-thresh {integer}
set eapol-logoff-flood [enable|disable]
set eapol-logoff-intv {integer}
set eapol-logoff-thresh {integer}
set eapol-pre-fail-flood [enable|disable]
set eapol-pre-fail-intv {integer}
set eapol-pre-fail-thresh {integer}
set eapol-pre-succ-flood [enable|disable]
set eapol-pre-succ-intv {integer}
set eapol-pre-succ-thresh {integer}
set eapol-start-flood [enable|disable]
set eapol-start-intv {integer}
set eapol-start-thresh {integer}
set eapol-succ-flood [enable|disable]
set eapol-succ-intv {integer}
set eapol-succ-thresh {integer}
set invalid-mac-oui [enable|disable]
set long-duration-attack [enable|disable]
set long-duration-thresh {integer}
set name {string}
set null-ssid-probe-resp [enable|disable]
set sensor-mode [disable|foreign|...]
set spoofed-deauth [enable|disable]
set weak-wep-iv [enable|disable]
set wireless-bridge [enable|disable]
next
end
ap-auto- Enable/disable on-wire rogue AP auto-suppression. option - disable

suppress

Fortinet Inc.
Option Description
enable Enable on-wire rogue AP auto-suppression.
disable Disable on-wire rogue AP auto-suppression.
ap-bgscan- Firewall schedules for turning off FortiAP radio string Maximum
disable- background scan. Background scan will be disabled length: 35
schedules when at least one of the schedules is valid. Separate
<name> multiple schedule names with a space.
Schedule name.
ap-bgscan- Listen time on scanning a channel. integer Minimum 30

duration value: 10
Maximum
value: 1000
ap-bgscan- Wait time for channel inactivity before scanning this integer Minimum 20
idle channel. value: 0
Maximum
value: 1000
ap-bgscan- Period between successive channel scans. integer Minimum 3

intv value: 1
Maximum
value: 600
ap-bgscan- Period between background scans. integer Minimum 600

period value: 10
Maximum
value: 3600
ap-bgscan- Period between background scan reports. integer Minimum 30

Maximum
value: 600
ap-fgscan- Period between foreground scan reports. integer Minimum 15

Maximum
value: 600
ap-scan Enable/disable rogue AP detection. option - disable
Option Description
disable Disable rogue AP detection.
enable Enable rogue AP detection.

Fortinet Inc.
ap-scan- Enable/disable passive scanning. Enable means do not option - disable

passive send probe request on any channels.
Option Description
enable Passive scanning on all channels.
disable Passive scanning only on DFS channels.
ap-scan- Minimum signal level/threshold in dBm required for the string Not -90
threshold AP to report detected rogue AP. Specified
asleap-attack Enable/disable asleap attack detection. option - disable
Option Description
enable Enable asleap attack detection.
disable Disable asleap attack detection.
assoc-flood- The threshold value for association frame flooding. integer Minimum 30
thresh value: 1
Maximum
value: 100
assoc-flood- Number of seconds after which a station is considered integer Minimum 10

time not connected. value: 5
Maximum
value: 120
assoc-frame- Enable/disable association frame flooding detection. option - disable

flood
Option Description
enable Enable association frame flooding detection.
disable Disable association frame flooding detection.
auth-flood- The threshold value for authentication frame flooding. integer Minimum 30
thresh value: 1
Maximum
value: 100
auth-flood- Number of seconds after which a station is considered integer Minimum 10

time not connected. value: 5
Maximum
value: 120
auth-frame- Enable/disable authentication frame flooding detection. option - disable

flood

Fortinet Inc.
Option Description
enable Enable authentication frame flooding detection.
disable Disable authentication frame flooding detection.

Specified
deauth- Enable/disable broadcasting de-authentication option - disable

broadcast detection.
Option Description
enable Enable broadcast de-authentication detection.
disable Disable broadcast de-authentication detection.
deauth- Threshold value per second to deauth unknown src for integer Minimum 10
unknown-src- DoS attack (0: no limit). value: 0
thresh Maximum
value:
65535
eapol-fail- Enable/disable EAPOL-Failure flooding. option - disable

flood
Option Description
enable Enable EAPOL-Failure flooding detection.
disable Disable EAPOL-Failure flooding detection.
eapol-fail-intv The detection interval for EAPOL-Failure flooding. integer Minimum 1

value: 1
Maximum
value: 3600
eapol-fail- The threshold value for EAPOL-Failure flooding in integer Minimum 10

thresh specified interval. value: 2
Maximum
value: 100
eapol-logoff- Enable/disable EAPOL-Logoff flooding. option - disable

flood
Option Description
enable Enable EAPOL-Logoff flooding detection.
disable Disable EAPOL-Logoff flooding detection.

Fortinet Inc.
eapol-logoff- The detection interval for EAPOL-Logoff flooding. integer Minimum 1

intv value: 1
Maximum
value: 3600
eapol-logoff- The threshold value for EAPOL-Logoff flooding in integer Minimum 10

Maximum
value: 100
eapol-pre-fail- Enable/disable premature EAPOL-Failure flooding. option - disable

flood
Option Description
enable Enable premature EAPOL-Failure flooding detection.
disable Disable premature EAPOL-Failure flooding detection.
eapol-pre-fail- The detection interval for premature EAPOL-Failure integer Minimum 1

intv flooding. value: 1
Maximum
value: 3600
eapol-pre-fail- The threshold value for premature EAPOL-Failure integer Minimum 10

thresh flooding in specified interval. value: 2
Maximum
value: 100
eapol-pre- Enable/disable premature EAPOL-Success flooding. option - disable

succ-flood
Option Description
enable Enable premature EAPOL-Success flooding detection.
disable Disable premature EAPOL-Success flooding detection.
eapol-pre- The detection interval for premature EAPOL-Success integer Minimum 1

succ-intv flooding. value: 1
Maximum
value: 3600
eapol-pre- The threshold value for premature EAPOL-Success integer Minimum 10

succ-thresh flooding in specified interval. value: 2
Maximum
value: 100
eapol-start- Enable/disable EAPOL-Start flooding. option - disable

flood

Fortinet Inc.
Option Description
enable Enable EAPOL-Start flooding detection.
disable Disable EAPOL-Start flooding detection.
eapol-start- The detection interval for EAPOL-Start flooding. integer Minimum 1

intv value: 1
Maximum
value: 3600
eapol-start- The threshold value for EAPOL-Start flooding in integer Minimum 10

Maximum
value: 100
eapol-succ- Enable/disable EAPOL-Success flooding. option - disable

flood
Option Description
enable Enable EAPOL-Success flooding detection.
disable Disable EAPOL-Success flooding detection.
eapol-succ- The detection interval for EAPOL-Success flooding. integer Minimum 1

intv value: 1
Maximum
value: 3600
eapol-succ- The threshold value for EAPOL-Success flooding in integer Minimum 10

Maximum
value: 100
invalid-mac- Enable/disable invalid MAC OUI detection. option - disable

oui
Option Description
enable Enable invalid MAC OUI detection.
disable Disable invalid MAC OUI detection.
long-duration- Enable/disable long duration attack detection based on option - disable

attack user configured threshold.
Option Description
enable Enable long duration attack detection.
disable Disable long duration attack detection.

Fortinet Inc.
long-duration- Threshold value for long duration attack detection. integer Minimum 8200
thresh value: 1000
Maximum
value:
32767
name WIDS profile name. string Not

Specified
null-ssid- Enable/disable null SSID probe response detection. option - disable

probe-resp
Option Description
enable Enable null SSID probe resp detection.
disable Disable null SSID probe resp detection.
sensor-mode Scan nearby WiFi stations. option - disable
Option Description
disable Disable the scan.
foreign Enable the scan and monitor foreign channels. Foreign channels are all other
available channels than the current operating channel.
both Enable the scan and monitor both foreign and home channels. Select this
option to monitor all WiFi channels.
spoofed- Enable/disable spoofed de-authentication attack option - disable

deauth detection.
Option Description
enable Enable spoofed de-authentication attack detection.
disable Disable spoofed de-authentication attack detection.
weak-wep-iv Enable/disable weak WEP IV. option - disable
Option Description
enable Enable weak WEP IV detection.
disable Disable weak WEP IV detection.
wireless- Enable/disable wireless bridge detection. option - disable

bridge

Fortinet Inc.
Option Description
enable Enable wireless bridge detection.
disable Disable wireless bridge detection.
config wireless-controller wlchanlistlic
Get channel list according to the region code.

config wireless-controller wlchanlistlic
Description: Get channel list according to the region code.
end
config wireless-controller wtp-group
Configure WTP groups.

Description: Configure WTP groups.
edit <name>
set name {string}
set platform-type [AP-11N|220B|...]
set wtps <wtp-id1>, <wtp-id2>, ...
next
end
name WTP group name. string Not

Specified
platform-type FortiAP models to define the WTP group platform type. option -
Option Description
AP-11N Default 11n AP.
220B FAP220B/221B.
210B FAP210B.
222B FAP222B.

FortiOS 7.0.9 CLI Reference

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiOS 7.0.9 CLI Reference

Uploaded by

Copyright:

Available Formats

CLI Reference

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

December 06, 2022

FortiOS 7.0.9 CLI Reference 3

FortiOS 7.0.9 CLI Reference 4

FortiOS 7.0.9 CLI Reference 5

FortiOS 7.0.9 CLI Reference 6

FortiOS 7.0.9 CLI Reference 7

FortiOS 7.0.9 CLI Reference 8

FortiOS 7.0.9 CLI Reference 9

FortiOS 7.0.9 CLI Reference 10

FortiOS 7.0.9 CLI Reference 11

FortiOS 7.0.9 CLI Reference 12

FortiOS 7.0.9 CLI Reference 13

FortiOS 7.0.9 CLI Reference 14

FortiOS 7.0.9 CLI Reference 15

FortiOS 7.0.9 CLI Reference 16

FortiOS 7.0.9 CLI Reference 17

FortiOS 7.0.9 CLI Reference 18

Date Change Description

2022-11-22 First automated release of the FortiOS 7.0.9 CLI Reference.

2022-12-06 Updated to include more reference models.

FortiOS 7.0.9 CLI Reference 19

Availability of commands and options

FortiOS Carrier, FortiGate 5K/6K/7K, FortiGate with LTE, etc.

FortiOS 7.0.9 CLI Reference 20

l To view all available diagnose commands, enter tree diagnose.

FortiOS 7.0.9 CLI Reference 21

FortiOS 7.0.9 CLI Reference 22

This section includes syntax for the following commands:

config alertemail setting

Configure alert email settings.

FortiOS 7.0.9 CLI Reference 23

Parameter Description Type Size Default

FDS-license- Number of days to send alert email prior to integer Minimum 15

FDS-license- Enable/disable FortiGuard license expiration option - disable

enable Enable FortiGuard license expiration warnings in alert email.

disable Disable FortiGuard license expiration warnings in alert email.

FDS-update-logs Enable/disable FortiGuard update logs in alert email. option - disable

enable Enable FortiGuard update logs in alert email.

disable Disable FortiGuard update logs in alert email.

FSSO- Enable/disable logging of FSSO collector agent option - disable

enable Enable logging of FSSO collector agent disconnect.

disable Disable logging of FSSO collector agent disconnect.

HA-logs Enable/disable HA logs in alert email. option - disable

enable Enable HA logs in alert email.

disable Disable HA logs in alert email.

IPS-logs Enable/disable IPS logs in alert email. option - disable

FortiOS 7.0.9 CLI Reference 24

enable Enable IPS logs in alert email.

disable Disable IPS logs in alert email.

IPsec-errors-logs Enable/disable IPsec error logs in alert email. option - disable

enable Enable IPsec error logs in alert email.

disable Disable IPsec error logs in alert email.

PPP-errors-logs Enable/disable PPP error logs in alert email. option - disable

enable Enable PPP error logs in alert email.

disable Disable PPP error logs in alert email.

admin-login-logs Enable/disable administrator login/logout logs in alert option - disable

enable Enable administrator login/logout logs in alert email.

disable Disable administrator login/logout logs in alert email.

alert-interval Alert alert interval in minutes. integer Minimum 2