FortiGate® CLI Reference
Version 3.0 MR7

Visit http://support.fortinet.com to register your FortiGate® CLI product. By registering you can receive product updates, technical support, and FortiGuard services.

www.fortinet.com

FortiGate® CLI Reference Version 3.0 MR7
12 January 2009
01-30007-0015-20090112

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Fortinet, FortiGate and FortiGuard are Registered Trademarks and ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

What's new ..... 15

Introduction ..... 21
  About the FortiGate Unified Threat Management System ..... 21
  About this document ..... 21
  FortiGate documentation ..... 22
  Related documentation ..... 23
    FortiManager documentation ..... 23
    FortiClient documentation ..... 24
    FortiMail documentation ..... 24
    FortiAnalyzer documentation ..... 24
    Fortinet Tools and Documentation CD ..... 24
    Fortinet Knowledge Center ..... 25
    Comments on Fortinet technical documentation ..... 25
  Customer service and technical support ..... 25
  Register your Fortinet product ..... 25

Using the CLI ..................................................................................... 27
  CLI command syntax ..... 27
  Administrator access ..... 28
  Connecting to the CLI ..... 30
    Connecting to the FortiGate console ..... 30
    Setting administrative access on an interface ..... 31
    Connecting to the FortiGate CLI using SSH ..... 31
    Connecting to the FortiGate CLI using Telnet ..... 32
    Connecting to the FortiGate CLI using the web-based manager ..... 32
  CLI objects ..... 33
  CLI command branches ..... 33
    config branch ..... 34
    get branch ..... 36
    show branch ..... 38
    execute branch ..... 39
    diagnose branch ..... 39
    Example command sequences ..... 39

FortiGate® CLI Version 3.0 MR7 Reference 01-30007-0015-20090112


  CLI basics ..... 43
    Command help ..... 43
    Command completion ..... 43
    Recalling commands ..... 44
    Editing commands ..... 44
    Line continuation ..... 44
    Command abbreviation ..... 44
    Environment variables ..... 44
    Encrypted password support ..... 45
    Entering spaces in strings ..... 45
    Entering quotation marks in strings ..... 45
    Entering a question mark (?) in a string ..... 45
    International characters ..... 46
    Special characters ..... 46
    IP address formats ..... 46
    Editing the configuration file ..... 47
    Setting screen paging ..... 47
    Changing the baud rate ..... 47
    Using Perl regular expressions ..... 48

Working with virtual domains.......................................................... 51
  Enabling virtual domain configuration ..... 51
  Accessing commands in virtual domain configuration ..... 51
  Creating and configuring VDOMs ..... 52
    Creating a VDOM ..... 52
    Assigning interfaces to a VDOM ..... 52
    Setting VDOM operating mode ..... 52
    Changing back to NAT/Route mode ..... 53
  Configuring inter-VDOM routing ..... 53
  Changing the management VDOM ..... 54
  Creating VDOM administrators ..... 55
  Troubleshooting ARP traffic on VDOMs ..... 55
    Duplicate ARP packets ..... 55
    Multiple VDOMs solution ..... 55
    Forward-domain solution ..... 55
  global ..... 57
  vdom ..... 60

alertemail ........................................................................................... 63
  setting ..... 64

antivirus ............................................................................................. 69
  filepattern ..... 70
  grayware ..... 72
  heuristic ..... 74
  notification (FortiOS Carrier) ..... 75
  quarantine ..... 76
  quarfilepattern ..... 79
  service ..... 80

firewall................................................................................................ 83
  address, address6 ..... 84
  addrgrp, addrgrp6 ..... 86
  carrier-endpoint-bwl (FortiOS Carrier) ..... 87
  carrier-endpoint-ip-filter (FortiOS Carrier) ..... 89
  dnstranslation ..... 90
  gtp (FortiOS Carrier) ..... 92
  ipmacbinding setting ..... 100
  ipmacbinding table ..... 102
  ippool ..... 104
  ldb-monitor ..... 105
  mms-profile (FortiOS Carrier) ..... 107
    config dupe {mm1 | mm4} ..... 112
    config flood {mm1 | mm4} ..... 114
    config log ..... 115
    config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7} ..... 116
    config notif-msisdn ..... 119
  multicast-policy ..... 120
  policy, policy6 ..... 122
  profile ..... 133
    config log (FortiOS Carrier) ..... 154
    config sccp ..... 155
    config simple ..... 155
    config sip ..... 156
  schedule onetime ..... 163
  schedule recurring ..... 164
  service custom ..... 166
  service group ..... 168
  vip ..... 169
  vipgrp ..... 180

gui..................................................................................................... 181
  console ..... 182
  topology ..... 183

imp2p ............................................................................................... 185
  aim-user ..... 186
  icq-user ..... 187
  msn-user ..... 188
  old-version ..... 189
  policy ..... 190
  yahoo-user ..... 191

ips..................................................................................................... 193
  DoS ..... 194
    config limit ..... 194
  custom ..... 197
  decoder ..... 198
  global ..... 199
  rule ..... 201
  sensor ..... 202

log..................................................................................................... 207
  custom-field ..... 208
  {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter ..... 209
  disk setting ..... 214
  fortianalyzer setting ..... 218
  fortiguard setting ..... 219
  memory setting ..... 220
  memory global setting ..... 221
  syslogd setting ..... 222
  webtrends setting ..... 224
  trafficfilter ..... 225

notification (FortiOS Carrier) ......................................................... 227
  notification ..... 228

router................................................................................................ 229
  access-list ..... 230
  aspath-list ..... 233
  auth-path ..... 235
  bgp ..... 237
    config router bgp ..... 239
    config admin-distance ..... 242
    config aggregate-address ..... 243
    config neighbor ..... 243
    config network ..... 247
    config redistribute ..... 248
  community-list ..... 250
  key-chain ..... 252
  multicast ..... 254
    Sparse mode ..... 254
    Dense mode ..... 255
    Syntax ..... 255
    config router multicast ..... 256
    config interface ..... 258
    config pim-sm-global ..... 260
  ospf ..... 264
    Syntax ..... 264
    config router ospf ..... 266
    config area ..... 268
    config distribute-list ..... 272
    config neighbor ..... 273
    config network ..... 273
    config ospf-interface ..... 274
    config redistribute ..... 276
    config summary-address ..... 277
  policy ..... 279
  prefix-list ..... 283
  rip ..... 286
    config router rip ..... 287
    config distance ..... 288
    config distribute-list ..... 289
    config interface ..... 290
    config neighbor ..... 291
    config network ..... 292
    config offset-list ..... 292
    config redistribute ..... 293
  route-map ..... 295
    Using route maps with BGP ..... 297
  static ..... 301
  static6 ..... 304


spamfilter......................................................................................... 305
  bword ..... 306
  emailbwl ..... 309
  fortishield ..... 311
  ipbwl ..... 313
  iptrust ..... 315
  mheader ..... 316
  options ..... 318
  DNSBL ..... 319

system.............................................................................................. 321
  accprofile ..... 322
  admin ..... 325
  alertemail ..... 330
  amc ..... 332
  arp-table ..... 333
  auto-install ..... 334
  autoupdate clientoverride ..... 335
  autoupdate override ..... 336
  autoupdate push-update ..... 337
  autoupdate schedule ..... 339
  autoupdate tunneling ..... 341
  aux ..... 343
  bug-report ..... 344
  carrier-endpoint-translation (FortiOS Carrier) ..... 345
  console ..... 348
  dhcp reserved-address ..... 349
  dhcp server ..... 350
  dns ..... 353
  dynamic-profile (FortiOS Carrier) ..... 354
  fips-cc ..... 359
  fortianalyzer, fortianalyzer2, fortianalyzer3 ..... 360
  fortiguard ..... 362
  fortiguard-log ..... 367
  fortimanager ..... 368
  gi-gk (FortiOS Carrier) ..... 370
  global ..... 371
  gre-tunnel ..... 380
  ha ..... 382
  interface ..... 395
  ipv6-tunnel ..... 413
  mac-address-table ..... 414
  management-tunnel ..... 415
  modem ..... 417
  npu ..... 421
  ntp ..... 422
  proxy-arp ..... 423
  replacemsg admin ..... 424
  replacemsg alertmail ..... 425
  replacemsg auth ..... 427
  replacemsg fortiguard-wf ..... 430
  replacemsg ftp ..... 431
  replacemsg http ..... 433
  replacemsg im ..... 435
  replacemsg mail ..... 437
  replacemsg mm1 (FortiOS Carrier) ..... 439
  replacemsg mm3 (FortiOS Carrier) ..... 442
  replacemsg mm4 (FortiOS Carrier) ..... 444
  replacemsg mm7 (FortiOS Carrier) ..... 446
  replacemsg nntp ..... 449
  replacemsg spam ..... 451
  replacemsg sslvpn ..... 453
  replacemsg-group (FortiOS Carrier) ..... 454
  replacemsg-image (FortiOS Carrier) ..... 457
  session-helper ..... 458
  session-sync ..... 459
    Notes and limitations ..... 460
    Configuring session synchronization ..... 460
    Configuring the session synchronization link ..... 461
  session-ttl ..... 465
  settings ..... 466
  sit-tunnel ..... 470
  snmp community ..... 471
  snmp sysinfo ..... 475
  switch-interface ..... 477
  tos-based-priority ..... 479
  vdom-link ..... 480
  wireless mac-filter ..... 482
  wireless settings ..... 483
  zone ..... 486

user .................................................................................................. 487
  Configuring users for authentication ..... 488
    Configuring users for password authentication ..... 488
    Configuring peers for certificate authentication ..... 488
  adgrp ..... 489
  fsae ..... 490
  group ..... 492
  ldap ..... 497
  local ..... 500
  peer ..... 502
  peergrp ..... 504
  radius ..... 505
  settings ..... 507
  tacacs+ ..... 508

vpn.................................................................................................... 509
certificate ca .......................................... 510
certificate crl ......................................... 511
certificate local ....................................... 513
certificate ocsp ........................................ 514
certificate remote ...................................... 515
ipsec concentrator ...................................... 516
ipsec forticlient ....................................... 517
ipsec manualkey ......................................... 518
ipsec manualkey-interface ............................... 521
ipsec phase1 ............................................ 524
ipsec phase1-interface .................................. 532
ipsec phase2 ............................................ 541
ipsec phase2-interface .................................. 548
l2tp .................................................... 554
pptp .................................................... 556
FortiGate® CLI Version 3.0 MR7 Reference 01-30007-0015-20090112


ssl monitor ............................................. 558
ssl settings ............................................ 559
ssl web bookmarks ....................................... 562
ssl web bookmarks-group ................................. 564
ssl web favorite ........................................ 565

webfilter ........................................................................................... 567
bword ................................................... 568
exmword ................................................. 570
fortiguard .............................................. 572
    FortiGuard-Web category blocking .................... 572
ftgd-local-cat .......................................... 575
ftgd-local-rating ....................................... 576
ftgd-ovrd ............................................... 577
ftgd-ovrd-user .......................................... 579
urlfilter ............................................... 581

execute............................................................................................. 583
backup .................................................. 584
batch ................................................... 587
central-mgmt ............................................ 588
cfg reload .............................................. 589
cfg save ................................................ 590
clear system arp table .................................. 591
cli status-msg-only ..................................... 592
cli check-template-status ............................... 593
date .................................................... 594
dhcp lease-clear ........................................ 595
dhcp lease-list ......................................... 596
disconnect-admin-session ................................ 597
enter ................................................... 598
factoryreset ............................................ 599
formatlogdisk ........................................... 600
fortiguard-log update ................................... 601
fsae refresh ............................................ 602
ha disconnect ........................................... 603
ha manage ............................................... 604
ha synchronize .......................................... 606
interface dhcpclient-renew .............................. 608
interface pppoe-reconnect ............................... 609
log delete-all .......................................... 610
log delete-filtered ..................................... 611
log delete-rolled ....................................... 612
log display ............................................. 613
log filter .............................................. 614
log fortianalyzer test-connectivity ..................... 616
log list ................................................ 617
log roll ................................................ 618
modem dial .............................................. 619
modem hangup ............................................ 620
mrouter clear ........................................... 621
ping .................................................... 622
ping-options ............................................ 623
ping6 ................................................... 625
reboot .................................................. 626
restore ................................................. 627
router clear bgp ........................................ 630
router clear bfd ........................................ 631
router clear ospf process ............................... 632
router restart .......................................... 633
send-fds-statistics ..................................... 634
set-next-reboot ......................................... 635
sfpmode-sgmii ........................................... 636
shutdown ................................................ 637
ssh ..................................................... 638
telnet .................................................. 639
time .................................................... 640
traceroute .............................................. 641
update-av ............................................... 642
update-ips .............................................. 643
update-now .............................................. 644
upd-vd-license .......................................... 645
usb-disk ................................................ 646
vpn certificate ca ...................................... 647


vpn certificate crl ..................................... 649
vpn certificate local ................................... 650
vpn certificate remote .................................. 653
vpn sslvpn del-tunnel ................................... 654
vpn sslvpn del-web ...................................... 655

get..................................................................................................... 657
firewall service predefined ............................. 658
gui console status ...................................... 659
gui topology status ..................................... 660
hardware status ......................................... 661
ips decoder ............................................. 662
ips rule ................................................ 663
ipsec tunnel list ....................................... 664
router info bgp ......................................... 665
router info bfd ......................................... 667
router info multicast ................................... 668
router info ospf ........................................ 670
router info protocols ................................... 672
router info rip ......................................... 673
router info routing-table ............................... 674
system admin list ....................................... 675
system admin status ..................................... 676
system arp .............................................. 677
system central-mgmt status .............................. 678
system checksum ......................................... 679
system cmdb status ...................................... 680
system dashboard ........................................ 681
system fortianalyzer-connectivity ....................... 682
system fortiguard-log-service status .................... 683
system fortiguard-service status ........................ 684
system ha status ........................................ 685
    About the HA cluster index and the execute ha manage command .... 687
system info admin ssh ................................... 691
system info admin status ................................ 692
system performance status ............................... 693
system session list ..................................... 695


system session status ................................... 696
system status ........................................... 697

Index................................................................................................. 699


What's new

The tables below list commands which have changed since the previous release. Each entry gives the command (nested levels separated by " / ") followed by the change.

• config antivirus heuristic / set mode: Default value is now disable.
• config antivirus notification (FortiOS Carrier): New for FortiOS Carrier MR5, MR6.
• config antivirus service http / set block-page-status-code: New keyword. Sets return code for HTTP replacement pages.
• config firewall address, address6 / edit <name_str> / set type wildcard: New option for type. You can define an address with a wildcard netmask.
• config firewall policy, policy6 / edit <name_str>
• config firewall profile / edit <profile_str> / set https allow-ssl-unknown-sess-id, set https block-ssl-unknown-sess-id: allow-ssl-unknown-sess-id was renamed to block-ssl-unknown-sess-id. Blocking of unknown session ID is now disabled by default.
• config firewall profile / edit <profile_str> / set imap-spamaction, set imap-spamtagmsg, set imap-spamtagtype: Keywords removed.
• config firewall profile / edit <profile_str> / config sip / set reg-diff-port: New keyword for the config sip subcommand. Enable reg-diff-port to accept a SIP register response from a SIP server even if the source port of the register response is different from the destination port of the register request.
• config firewall profile / edit <profile_str> / set spamhdrcheck: Keyword removed.
• config firewall vip / edit <name_str> / set comment: New keyword. You can add a descriptive comment.
• config firewall vip / edit <name_str> / set id: New keyword. You can enter a unique identification number for the configured virtual IP.
• config firewall vip / edit <name_str> / set ssl-max-version tls-1.1: Removed option tls-1.1. Only TLS 1.0 and 3.0 are supported.
• config firewall vip / edit <name_str> / set ssl-min-version tls-1.1: Removed option tls-1.1. Only TLS 1.0 and 3.0 are supported.
• config global / config gui console: Moved from config vdom command.
• config ips sensor / edit <sensor_str> / get: The get command now returns the count of total enabled signatures, both enabled and disabled, and counts signatures with pass, block, and reset actions.
• config ips sensor / edit <sensor_str> / config filter / edit <filter_str> / get: The get command now returns the count of the total number of signatures in this filter.
• config log disk setting / set cpu-memory-usage: New keyword. Enables logging of CPU usage at five-minute intervals.
• config log disk setting / set ldb-monitor: New keyword. Enables logging of VIP realserver health monitoring messages.
• config log fortianalyzer setting / set multi-report: Keyword removed.
• config log trafficfilter / config rule: Subcommand removed.
• config router bgp / config neighbor / set password: New keyword. Sets password used in MD5 authentication.
• config router bgp / config neighbor / set holdtime-timer: Default time changed to 240 seconds from 180.
• config router policy / edit <policy_integer> / set tos <hex_mask>: New keyword. Sets the type of service (TOS) to match after applying the tos-mask.
• config router policy / edit <policy_integer> / set tos-mask <hex_mask>: New keyword. Determines which bits in the IP header's TOS field are significant.
• config router rip / config distance / set access-list: New keyword. Sets the name of the access list in which distances will be modified.
• config system admin / edit <name_str> / set radius-accprofile-override: New keyword. Enables RADIUS authentication override for the access profile of the administrator.
• config system admin / edit <name_str> / set radius-vdom-override: New keyword. Enables RADIUS authentication override for the (wildcard only) administrator.
• config system alertemail / set port: New keyword. Change the TCP port number that the FortiGate unit uses to connect to the SMTP server.
• config system amc: New command. Configures AMC ports on your FortiGate unit.
• config system console / set output: Default changed to more from standard.
• config system dhcp reserved-address: Maximum number of reserved addresses increased to 200 for all models.
• config system dns / set dns-cache-ttl: New keyword. Sets the duration, in seconds, that the DNS cache retains information.
• config system fortiguard / set load-balance-servers: New keyword. Enables use of load balance servers.
• config system fortimanager / set central-mgmt-schedule-script-restore: New keyword. Enables a scheduled restoration of a FortiGate unit's script from the FortiManager system.
• config system global / set allow-interface-subnet-overlap: Keyword removed. Replaced by allow-subnet-overlap in config system settings.
• config system global / set fortiswitch-heartbeat: New keyword. Enables sending of heartbeat packets from FortiGate unit backplane fabric interfaces. This keyword is available for FortiGate-5001A and FortiGate-5005FA2 boards.
• config system global / set language: New option, portuguese.
• config system global / set tcp-timewait-timer: New keyword, available in Patch 1. Sets the number of seconds the TCP TTL timer waits before timing out, ending the session.
• config system ha / set group-name: The maximum length of the group-name increased from 7 to 32 characters.
• config system interface / set dns-server-override: Default is now enable.
• config system interface / set outbandwidth: New keyword. Sets the KB/sec limit for outgoing (egress) traffic for this interface.
• config system interface / config ipv6 / set autoconf: New keyword. Enables automatic configuration of the interface IPv6 address.
• config system interface / config ipv6 / set ip6-allowaccess any: New option any allows all forms of administrative access.
• config system modem / set ppp-echo-request1, set ppp-echo-request2, set ppp-echo-request3: New keywords. Enables PPP echo request to detect low level link down for modems 1, 2, and 3.
• config system ntp: New command. Configures NTP servers.
• config system session-sync / config filter: Keywords dstaddr, dstintf, service, srcaddr, and srcintf are now available.
• config system settings / set allow-subnet-overlap: New keyword. Replaces allow-interface-subnet-overlap in config system global. Enables limited support for interface and VLAN subinterface IP address overlap for this VDOM.
• config system settings / set asymroute6: New keyword. Enables IPv6 asymmetric routing in this VDOM.
• config system settings / set strict-src-check: New keyword. Enables refusal of packets from a source IP range if there is a specific route in the routing table for this network (RFC 3704).
• config system sit-tunnel: Renamed from config system ipv6-tunnel.
• config system snmp community / edit <index_number> / set events: New trap event keywords added: av-bypass, av-conserve, av-oversize-blocked, av-oversize-pass, ips-pkg-update, power-supply-failure. Removed events temperature-high and voltage-alert.
• config system switch-interface / edit <group_name> / set span: New keyword. Enables port spanning.
• config system switch-interface / edit <group_name> / set span-dest-port: New keyword. Sets destination port.
• config system switch-interface / edit <group_name> / set span-direction: New keyword. Sets spanning direction.
• config system switch-interface / edit <group_name> / set span-source-port: New keyword. Sets source ports.
• config system switch-interface / edit <group_name> / set type: New keyword. Sets type: hub or switch.
• config system switch-interface / edit <group_name> / set vdom: New keyword. Specifies the VDOM to which the switch belongs.
• config user fsae: Active Directory is now referred to as Directory Service.
• config user group / edit <group_name>: Active Directory is now referred to as Directory Service.
• config user group / edit <group_name> / set sslvpn-os-check: New keyword. Enables SSL VPN OS patch level check.
• config user group / edit <group_name> / set sslvpn-ssh: New keyword. Enables access to the SSH web application.
• config user group / edit <group_name> / set sslvpn-virtual-desktop: New keyword. Enables the Virtual Desktop SSL VPN client application.
• config user group / edit <group_name> / config sslvpn-os-check-list: Specifies OS for patch level check.
• config user group / edit <group_name> / config sslvpn-os-check-list / set action: New keyword. Specifies how to perform the patch level check.
• config user group / edit <group_name> / config sslvpn-os-check-list / set latest-patch-level: New keyword. Specifies the latest allowed OS patch level.
• config user group / edit <group_name> / config sslvpn-os-check-list / set tolerance: New keyword. Specifies acceptable number of patches below the latest-patch-level.
• config user ldap / set cnid: Maximum length is now 20 characters.
• config user ldap / set dn: Maximum length is now 512 characters.
• config vdom / config gui console: Moved into config global command.
• config vdom / config system ipv6-tunnel: Moved into config global command.
• config vdom / config system sit-tunnel: Moved into config global command.
• config vpn ssl settings / set url-obscuration: New keyword. If url-obscuration is enabled, bookmark details are not visible.
• config vpn ssl web bookmarks / edit <bookmark_name> / set apptype: New option ssh. Enables access to the SSH web application.
• config vpn ssl web favorite / edit <bookmark_name> / set apptype: New option ssh. Enables access to the SSH web application.
• config webfilter ftgd-ovrd-user: New command. Configures FortiGuard-Web filter user overrides.
• execute deploy: Command removed.
• execute enter <vdom>: New command. Enables execution of VDOM commands in the specified VDOM while logged in to config global shell.
• execute log delete-rolled <category> <start> <end>: Added options for <category>: attack, content, im, spam, voip.
• execute log list <category>: Added options for <category>: attack, content, im, spam, voip.

enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. administration. The unique ASIC-based architecture analyzes content and behavior in real-time. such as host-based antivirus protection. FortiGate units improve network security.0 MR7 Reference 01-30007-0015-20090112 21 . About this document This document describes how to use the FortiGate Command Line Interface (CLI). The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology. security. alertemail is an alphabetic reference to the commands used to configure alertemail. and content analysis. and enables new applications and services while greatly lowering costs for equipment.Introduction About the FortiGate Unified Threat Management System Introduction This chapter introduces you to the FortiGate Unified Threat Management System and the following topics: • • • • • • About the FortiGate Unified Threat Management System About this document FortiGate documentation Related documentation Customer service and technical support Register your Fortinet product About the FortiGate Unified Threat Management System The FortiGate Unified Threat Management System supports network-based deployment of application-level services. and maintenance. network-level services such as firewall. The FortiGate series complements existing solutions. and traffic shaping. Working with virtual domains describes how to create and administer multiple VDOMs. which leverages breakthroughs in chip design. • FortiGate® CLI Version 3. intrusion detection. This document contains the following chapters: • • Using the CLI describes how to connect to and use the FortiGate CLI. and help you use communications resources more efficiently without compromising the performance of your network. It also explains how enabling vdom-admin changes the way you work with the CLI. 
The FortiGate unit is a dedicated easily managed security device that delivers a full suite of capabilities that include: • • application-level services such as virus protection and content filtering. including virus protection and full-scan content filtering. reduce network misuse and abuse. networking. VPN.

get is an alphabetic reference to commands that retrieve status information about the FortiGate unit. FortiGate Installation Guide Describes how to install a FortiGate unit. user is an alphabetic reference to the commands used to configure authorized user accounts and groups. default configuration information. notification (FortiOS Carrier) is an alphabetic reference to the commands used to configure FortiOS Carrier event notification. and they are not covered in this document.0 MR7 Reference 01-30007-0015-20090112 . ips is an alphabetic reference to the commands used to configure intrusion detection and prevention features. spamfilter is an alphabetic reference to the commands used to configure spam filtering features. Includes a hardware reference. Diagnose commands are intended for advanced users only. router is an alphabetic reference to the commands used to configure routing. system is an alphabetic reference to the commands used to configure the FortiGate system settings. webfilter is an alphabetic reference to the commands used to configure web content filtering. and some commands used for maintenance tasks. and basic configuration procedures. FortiGate documentation Information about FortiGate products is available from the following guides: • • FortiGate QuickStart Guide Provides basic information about connecting and installing a FortiGate unit. imp2p is an alphabetic reference to the commands used to configure user access to Instant Messaging and Person-to-Person applications. Contact Fortinet technical support before using these commands. execute is an alphabetic reference to the execute commands. firewall is an alphabetic reference to the commands used to configure firewall policies and settings. connection procedures. vpn is an alphabetic reference to the commands used to configure FortiGate VPNs. These commands are used to display system information and for debugging. log is an alphabetic reference to the commands used to configure logging. 
gui is an alphabetic reference to the commands used to set preferences for the web-based manager CLI console and topology viewer. Choose the guide for your product model number. which provide some useful utilities such as ping and traceroute.FortiGate documentation Introduction • • • • • • • • • • • • • • antivirus is an alphabetic reference to the commands used to configure antivirus features. • Note: Diagnose commands are also available from the FortiGate CLI. 22 FortiGate® CLI Version 3. installation procedures.

antivirus protection. how to apply intrusion prevention. installing signed certificates. • FortiGate SSL VPN User Guide Compares FortiGate IPSec VPN and FortiGate SSL VPN technology. Includes detailed examples. including how to define FortiGate protection profiles and firewall policies. • FortiGate VLANs and VDOMs User Guide Describes how to configure VLANs and VDOMS in both NAT/Route and Transparent mode. importing CA root certificates and certificate revocation lists. • • FortiGate PPTP VPN User Guide Explains how to configure a PPTP VPN using the web-based manager. FortiGate Certificate Management User Guide Contains procedures for managing digital certificates including generating certificate requests. FortiGate® CLI Version 3.Introduction Related documentation • FortiGate Administration Guide Provides basic information about how to configure a FortiGate unit. Related documentation Additional information about Fortinet products is available from the following related documentation. and describes how to configure web-only mode and tunnel-mode SSL VPN access for remote users through the web-based manager. • FortiGate High Availability User Guide Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol. set up the FortiManager Server. and backing up and restoring installed certificates and private keys. • FortiGate online help Provides a context-sensitive and searchable version of the Administration Guide in HTML format. FortiManager documentation • FortiManager QuickStart Guide Explains how to install the FortiManager Console. • FortiGate Log Message Reference Describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units. • FortiGate IPSec VPN User Guide Provides step-by-step instructions for configuring IPSec VPNs using the webbased manager. 
• FortiGate CLI Reference
  Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
  … and how to configure a VPN.
• FortiGate IPS User Guide
  Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
  … and configure basic settings.
  … web content filtering, and spam filtering. You can access online help from the web-based manager as you work.

Related documentation

FortiManager documentation
• FortiManager System Administration Guide
  Describes how to use the FortiManager System to manage FortiGate devices. It also describes how to view FortiGate and FortiMail log files.
• FortiManager System online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the FortiManager Console as you work.

FortiClient documentation
• FortiClient Host Security User Guide
  Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.
• FortiClient Host Security online help
  Provides information and procedures for using and configuring the FortiClient software.

FortiMail documentation
• FortiMail Administration Guide
  Describes how to install, configure, and manage a FortiMail unit in gateway mode and server mode, including how to configure the unit, create profiles and policies, configure antispam and antivirus filters, create user accounts, and set up logging and reporting.
• FortiMail online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiMail Web Mail Online Help
  Describes how to use the FortiMail web-based email client, including how to send and receive email, how to add, import, and export addresses, and how to configure message display preferences.

FortiAnalyzer documentation
• FortiAnalyzer Administration Guide
  Describes how to install and configure a FortiAnalyzer unit to collect FortiGate and FortiMail log files, generate and view log reports, and use the FortiAnalyzer unit as a NAS server.
• FortiAnalyzer online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.

Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current for your product at shipping time. For the latest versions of all Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center
The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.forticare.com to learn about the technical support services that Fortinet provides.

Register your Fortinet product
Register your Fortinet product to receive Fortinet customer services such as product updates and technical support. You must also register your product for FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention updates and for FortiGuard Web Filtering and AntiSpam. Register your product by visiting http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased. You can register multiple Fortinet products in a single session without re-entering your contact information.


Using the CLI
This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.
This chapter describes:
• CLI command syntax
• Administrator access
• Connecting to the CLI
• CLI objects
• CLI command branches
• CLI basics

CLI command syntax
This guide uses the following conventions to describe command syntax.
• Angle brackets < > to indicate variables. For example:
  execute restore config <filename_str>
  You enter: execute restore config myfile.bak
  <xxx_ipv4> indicates a dotted decimal IPv4 address.
  <xxx_v4mask> indicates a dotted decimal IPv4 netmask.
  <xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask.
  <xxx_ipv6> indicates an IPv6 address.
  <xxx_v6mask> indicates an IPv6 netmask.
  <xxx_ipv6mask> indicates an IPv6 address followed by an IPv6 netmask.
• Vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords. For example:
  set opmode {nat | transparent}
  You can enter set opmode nat or set opmode transparent.
• Square brackets [ ] to indicate that a keyword or variable is optional. For example:
  show system interface [<name_str>]
  To show the settings for all interfaces, you can enter show system interface. To show the settings for the internal interface, you can enter show system interface internal.

• A space to separate options that can be entered in any combination and must be separated by spaces. For example:
  set allowaccess {ping https ssh snmp http telnet}
  You can enter any of the following:
  set allowaccess ping
  set allowaccess ping https ssh
  set allowaccess https ping ssh snmp
  In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.

Administrator access
The access profile you are assigned in your administrator account controls which CLI commands you can access. You need read access to view configurations and write access to make changes. Access control in access profiles is divided into groups, as follows:

Table 1: Access profile control of access to CLI commands
Access control group: Available CLI commands
Admin Users (admingrp): system admin, system accprofile
Antivirus Configuration (avgrp): antivirus
Auth Users (authgrp): user
Firewall Configuration (fwgrp): firewall
FortiProtect Update (updategrp): system autoupdate, execute update-av, execute update-ips, execute update-now
IM, P2P & VoIP Configuration (imp2pgrp): imp2p
IPS Configuration (ipsgrp): ips
Log & Report (loggrp): alertemail, log, system fortianalyzer, execute log
Maintenance (mntgrp): execute backup, execute batch, execute formatlogdisk, execute restore, execute usb-disk

Table 1 (continued): Access profile control of access to CLI commands
Network Configuration (netgrp): system arp-table, system dhcp, system interface, system zone, execute clear system arp table, execute dhcp lease-clear, execute dhcp lease-list, execute interface
Router Configuration (routegrp): router, execute mrouter, execute router
Spamfilter Configuration (spamgrp): spamfilter
System Configuration (sysgrp): system except accprofile, admin, arp-table, autoupdate, fortianalyzer, interface and zone; execute cfg, execute date, execute deploy, execute disconnect-admin-session, execute factoryreset, execute ha, execute ping, execute ping6, execute ping-options, execute reboot, execute set-next-reboot, execute shutdown, execute ssh, execute telnet, execute time, execute traceroute
VPN Configuration (vpngrp): vpn, execute vpn
Webfilter Configuration (webgrp): webfilter

Connecting to the CLI
You can use a direct console connection, SSH, Telnet or the web-based manager to connect to the FortiGate CLI.
• Connecting to the FortiGate console
• Setting administrative access on an interface
• Connecting to the FortiGate CLI using SSH
• Connecting to the FortiGate CLI using Telnet
• Connecting to the FortiGate CLI using the web-based manager

Connecting to the FortiGate console
Only the admin administrator or a regular administrator of the root domain can log in by connecting to the console interface.
You need:
• a computer with an available communications port
• a null modem cable, provided with your FortiGate unit, to connect the FortiGate console port and a communications port on your computer
• terminal emulation software such as HyperTerminal for Windows
Note: The following procedure describes how to connect to the FortiGate CLI using Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI
1 Connect the FortiGate console port to the available communications port on your computer.
2 Make sure the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the FortiGate console port.
5 Select OK.
6 Select the following port settings and select OK.
  Bits per second: 9600 (115200 for the FortiGate-300)
  Data bits: 8
  Parity: None
  Stop bits: 1
  Flow control: None
7 Press Enter to connect to the FortiGate CLI. A prompt similar to the following appears (shown for the FortiGate-300):
  FortiGate-300 login:
8 Type a valid administrator name and press Enter.
9 Type the password for this administrator and press Enter. The following prompt appears:
  Welcome!
  You have connected to the FortiGate CLI, and you can enter CLI commands.

Setting administrative access on an interface
To perform administrative functions through a FortiGate network interface, you must enable the required types of administrative access on the interface to which your management computer connects. Access to the CLI requires SSH or Telnet access. If you want to use the web-based manager, you need HTTPS or HTTP access.
To use the web-based manager to configure FortiGate interfaces for SSH or Telnet access, see the FortiGate Administration Guide.

To use the CLI to configure SSH or Telnet access
1 Connect and log into the CLI using the FortiGate console port and your terminal emulation software.
2 Use the following command to configure an interface to accept SSH connections:
  config system interface
  edit <interface_name>
  set allowaccess <access_types>
  end
  Where <interface_name> is the name of the FortiGate interface to be configured to allow administrative access and <access_types> is a whitespace-separated list of access types to enable. For example, to configure the internal interface to accept HTTPS (web-based manager), SSH and Telnet connections, enter:
  config system interface
  edit <name_str>
  set allowaccess https ssh telnet
  end
  Note: Remember to press Enter at the end of each line in the command example. Also, type end and press Enter to commit the changes to the FortiGate configuration.
3 To confirm that you have configured SSH or Telnet access correctly, enter the following command to view the access settings for the interface:
  get system interface <name_str>
  The CLI displays the settings, including allowaccess, for the named interface.

Other access methods
The procedure above shows how to allow access only for Telnet or only for SSH. If you want to allow both, or any of the other management access types, you must include all the options you want to apply. For example, to allow PING, HTTPS and SSH access to an interface, the set portion of the command is set allowaccess ping https ssh.

Connecting to the FortiGate CLI using SSH
Secure Shell (SSH) provides strong secure authentication and secure communications to the FortiGate CLI from your internal network or the internet. Once the FortiGate unit is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the FortiGate CLI.
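Because set allowaccess replaces the whole list rather than adding to it (the rule stated under "CLI command syntax" and again in "Other access methods"), the safe way to drop a protocol from an interface is to read the current list, remove only the unwanted types, and restate everything else. The following script is an added example, not Fortinet code: it parses the "keyword : value" lines that get system interface <name> prints, flags the cleartext management types (Telnet and HTTP; that policy list is the script's own assumption), and emits the complete replacement command block. The sample output is constructed to resemble the page's example.

```python
"""Audit an interface's allowaccess list and build the full replacement command.
Added example, not Fortinet code.  Input is the 'keyword : value' output of
'get system interface <name>' as shown in this chapter."""
import re

# Access types this auditor treats as cleartext and wants removed.
# Assumption: a local policy choice, not a FortiOS constant.
CLEARTEXT_ACCESS = {"telnet", "http"}

# Constructed sample: 'get system interface internal' on a unit that still
# allows Telnet and HTTP (layout follows the page's example output).
SAMPLE_GET_OUTPUT = """\
name            : internal
allowaccess     : ping https ssh telnet http
arpforword      : enable
cli_conn_status : 0
detectserver    : (null)
gwdetect        : disable
ip              : 192.168.20.200 255.255.255.0
"""


def parse_get_output(text):
    """Turn 'keyword : value' lines into a dict; lines without a colon are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_allowaccess(settings):
    """Return (enabled, insecure): the enabled access types in their printed
    order, and the subset that is cleartext."""
    enabled = settings.get("allowaccess", "").split()
    insecure = [t for t in enabled if t in CLEARTEXT_ACCESS]
    return enabled, insecure


def hardened_command(settings):
    """Build the 'config system interface' block that removes cleartext access.
    The remaining types are restated in full because 'set allowaccess' does
    not merge with the existing value.  Returns None when nothing must change."""
    enabled, insecure = audit_allowaccess(settings)
    if not insecure:
        return None
    keep = [t for t in enabled if t not in CLEARTEXT_ACCESS]
    lines = ["config system interface", f"edit {settings['name']}"]
    if keep:
        lines.append("set allowaccess " + " ".join(keep))
    else:
        # No management access left: unset restores the keyword's default
        # (see 'unset' under the config branch).
        lines.append("unset allowaccess")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    current = parse_get_output(SAMPLE_GET_OUTPUT)
    print("enabled:", audit_allowaccess(current)[0])
    print(hardened_command(current))
```

Run it against a pasted get transcript and paste the printed block back into the CLI; the order of the surviving types is preserved so the result is easy to diff against the previous setting.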

Note: A maximum of 5 SSH connections can be open at the same time.

To connect to the CLI using SSH
1 Install and start an SSH client.
2 Connect to a FortiGate interface that is configured for SSH connections. For information about how to do this, see the FortiGate Administration Guide.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
  The FortiGate model name followed by a # is displayed. You have connected to the FortiGate CLI, and you can enter CLI commands.

Connecting to the FortiGate CLI using Telnet
You can use Telnet to connect to the FortiGate CLI from your internal network or the Internet. Once the FortiGate unit is configured to accept Telnet connections, you can run a Telnet client on your management computer and use this client to connect to the FortiGate CLI.
Caution: Telnet is not a secure access method. SSH should be used to access the FortiGate CLI from the Internet or any other unprotected network.
Note: A maximum of 5 Telnet connections can be open at the same time.

To connect to the CLI using Telnet
1 Install and start a Telnet client.
2 Connect to a FortiGate interface that is configured for Telnet connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
  The following prompt appears:
  Welcome!
  You have connected to the FortiGate CLI, and you can enter CLI commands.

Connecting to the FortiGate CLI using the web-based manager
The web-based manager also provides a CLI console that can be detached as a separate window.

To connect to the CLI using the web-based manager
1 Connect to the web-based manager and log in.
2 Go to System > Status.
3 If you do not see the CLI Console display, select Add Content > CLI Console.
4 Click in the CLI Console display to connect.

CLI objects
The FortiGate CLI is based on configurable objects. The top-level objects are the basic components of FortiGate functionality. There is a chapter in this manual for each of these top-level objects. Each of these objects contains more specific lower level objects. For example, the firewall object contains objects for addresses, address groups, policies and protection profiles.

Table 2: CLI objects
alertemail: sends email to designated recipients when it detects log messages of a defined severity level
antivirus: scans services for viruses and grayware, optionally providing quarantine of infected files
firewall: controls connections between interfaces according to policies based on IP addresses and type of service, applies protection profiles
gui: controls preferences for the web-based manager CLI console and topology viewer
imp2p: controls user access to Internet Messaging and Person-to-Person applications
ips: intrusion prevention system
log: configures logging
notification: configures event notification in FortiOS Carrier
router: moves packets from one network segment to another towards a network destination, based on packet headers
spamfilter: filters email based on MIME headers, a banned word list, lists of banned email and ip addresses
system: configures options related to the overall operation of the FortiGate unit, such as interfaces, virtual domains, and administrators
user: authenticates users to use firewall policies or VPNs
vpn: provides Virtual Private Network access through the FortiGate unit
webfilter: blocks or passes web traffic based on a banned word list, filter URLs, and FortiGuard-Web category filtering

CLI command branches
The FortiGate CLI consists of the following command branches:
• config branch
• get branch
• show branch
• execute branch
• diagnose branch
Examples showing how to enter command sequences within each branch are provided in the following sections. See also "Example command sequences" on page 39.

config branch
The config commands configure CLI objects, such as the firewall, the router, antivirus protection, and so on. Top-level objects are containers for more specific lower level objects that are each in the form of a table. For example, the firewall object contains tables of addresses, address groups, policies and protection profiles. Table entries consist of keywords that you can set to particular values. For more information about CLI objects, see "CLI objects" on page 33.
To configure an object, you use the config command to navigate to the object's command "shell". For example, to configure administrators, you enter the command
config system admin
The command prompt changes to show that you are now in the admin shell.
(admin)#
This is a table shell. You can add, delete or edit the entries in the table. You can use any of the following commands:
delete: Remove an entry from the FortiGate configuration. For example, in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.
edit: Add an entry to the FortiGate configuration or edit an existing entry. For example, in the config system admin shell:
  • type edit admin and press Enter to edit the settings for the default admin administrator account.
  • type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.
end: Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You return to the root FortiGate CLI prompt. The end command is also used to save set command changes and leave the shell.
get: List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.
move: Change the position of an entry in an ordered table. For example, in the config firewall policy shell:
  • type move 3 after 1 and press Enter to move the policy in the third position in the table to the second position in the table.
  • type move 3 before 1 and press Enter to move the policy in the third position in the table to the first position in the table.
purge: Remove all entries configured in the current shell. For example, in the config user local shell:
  • type get to see the list of user names added to the FortiGate configuration.
  • type purge and then y to confirm that you want to purge all the user names.
  • type get again to confirm that no user names are displayed.
rename: Rename a table entry. For example, in the config system admin shell, you could rename "admin3" to "fwadmin" like this:
  rename admin3 to fwadmin
show: Show changes to the default configuration in the form of configuration commands.

If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:
edit admin_1
The FortiGate unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:
new entry 'admin_1' added
(admin_1)#
From this prompt, you can use any of the following commands:
abort: Exit an edit shell without saving the configuration.
config: In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add a secondary IP address to a network interface. See the example "To add two secondary IP addresses to the internal interface" on page 40.
end: Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. The end command is also used to save set command changes and leave the shell.
get: List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.
next: Save the changes you have made in the current shell and continue working in the shell. For example, if you want to add several new user accounts, enter the config user local shell.
  • Type edit User1 and press Enter.
  • Use the set commands to configure the values for the new user account.
  • Type next to save the configuration for User1 without leaving the config user local shell.
  • Continue using the edit, set, and next commands to continue adding user accounts.
  • Type end and press Enter to save the last configuration and leave the shell.
set: Assign values. For example, from the edit admin command shell, typing set passwd newpass changes the password of the admin administrator account to newpass.
  Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.
show: Show changes to the default configuration in the form of configuration commands.
unset: Reset values to defaults. For example, from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password.

The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell, you must leave the shell you are working in and enter the other shell.

get branch
Use get to display system status information, or you can use get with a full path to display the settings for a particular object. You can also use get within a config shell to display the settings for that shell. To use get from the root prompt, you must include a path to a shell. The root prompt is the FortiGate host name followed by a #. For information about these commands, see "get" on page 657.

Example
The command get hardware status provides information about various physical components of the FortiGate unit.
# get hardware status
Model name: Fortigate-300
ASIC version: CP
SRAM: 64M
CPU: Pentium III (Coppermine)
RAM: 250 MB
Compact Flash: 122 MB /dev/hda
Hard disk: 38154 MB /dev/hdc
Network Card chipset: Intel(R) 8255x-based Ethernet Adapter (rev.0x0009)

Note: Interface names vary for different FortiGate models. The following examples use the interface names for a FortiGate-300 unit.

Example
When you type get in the config system interface shell, information about all of the interfaces is displayed. At the (interface)# prompt, type:
get
The screen displays:
== [ internal ]
name: internal   mode: static   ip: 192.168.20.99 255.255.255.0   status: up   netbios-forward: disable   type: physical   ip6-address: ::/0   ip6-send-adv: disable
== [ external ]
name: external   mode: static   ip: 192.168.100.200 255.255.255.0   status: up   netbios-forward: disable   type: physical   ip6-address: ::/0   ip6-send-adv: disable
...

Example
When you type get in the internal interface shell, the configuration values for the internal interface are displayed. In the config system interface shell, type:
edit internal
At the (internal)# prompt, type:
get
The screen displays:
name            : internal
allowaccess     : ping https ssh
arpforword      : enable
cli_conn_status : 0
detectserver    : (null)
gwdetect        : disable
ip              : 192.168.20.200 255.255.255.0
and so on.

Example
You are working in the config system global shell and want to see information about the FortiGate interfaces. At the (global)# prompt, type:
get system interface
The screen displays:
== [ internal ]
name: internal   mode: static   ip: 192.168.20.99 255.255.255.0   status: up   netbios-forward: disable   type: physical   ip6-address: ::/0   ip6-send-adv: disable
== [ external ]
name: external   mode: static   ip: 192.168.100.200 255.255.255.0   status: up   netbios-forward: disable   type: physical   ip6-address: ::/0   ip6-send-adv: disable
...

Example
You want to confirm the IP address and netmask of the internal interface from the root prompt. At the # prompt, type:
get system interface internal

The screen displays:
name             : internal
allowaccess      : ping https ssh
arpforword       : enable
cli_conn_status  : 0
detectserver     : (null)
gwdetect         : disable
ip               : 192.168.20.200 255.255.255.0
ip6-address      : ::/0
ip6-default-life : 1800
...

show branch
Use show to display the FortiGate unit configuration. By default, only changes to the default configuration are displayed. Use show full-configuration to display the complete configuration. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified object. To display the configuration of all objects, you can use show from the root prompt. The root prompt is the FortiGate host or model name followed by a #.

Example
When you type show and press Enter within the internal interface shell, the changes to the default internal interface configuration are displayed. At the (internal)# prompt, type:
show
The screen displays:
config system interface
edit internal
set allowaccess ssh ping https
set ip 192.168.20.200 255.255.255.0
next
end

Example
You are working in the internal interface shell and want to see the system global configuration. At the (internal)# prompt, type:
show system global

The screen displays:
config system global
set admintimeout 5
set authtimeout 15
set failtime 5
set hostname 'Fortigate-300'
set interval 5
set lcdpin 123456
set ntpserver '132.246.168.148'
set syncinterval 60
set timezone 04
end

execute branch
Use execute to run static commands, to reset the FortiGate unit to factory defaults, or to back up or restore FortiGate configuration files. The execute commands are available only from the root prompt. The root prompt is the FortiGate host or model name followed by a #.

Example
At the root prompt, type:
execute reboot
and press Enter to restart the FortiGate unit.

diagnose branch
Commands in the diagnose branch are used for debugging the operation of the FortiGate unit and to set parameters for displaying different levels of diagnostic information. The diagnose commands are not documented in this CLI Reference Guide.
Caution: Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.

Example command sequences
Note: Interface names vary for different FortiGate models. The following examples use the interface names for a FortiGate-300 unit.

To configure the primary and secondary DNS server addresses
1 Starting at the root prompt, type:
  config system dns
  and press Enter. The prompt changes to (dns)#.
2 At the (dns)# prompt, type ?

  The following options are displayed.
  set
  unset
  get
  show
  abort
  end
3 Type set ?
  The following options are displayed.
  primary
  secondary
  domain
  dns-cache-limit
  cache-not-found-responses
4 To set the primary DNS server address to 172.16.100.100, type:
  set primary 172.16.100.100
  and press Enter.
5 To set the secondary DNS server address to 207.104.200.1, type:
  set secondary 207.104.200.1
  and press Enter.
6 To restore the primary DNS server address to the default address, type unset primary and press Enter.
7 To restore the secondary DNS server address to the default address, type unset secondary and press Enter.
8 If you want to leave the config system dns shell without saving your changes, type abort and press Enter.
9 To save your changes and exit the dns sub-shell, type end and press Enter.
10 To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.

To add two secondary IP addresses to the internal interface
1 Starting at the root prompt, type:
  config system interface
  and press Enter. The prompt changes to (interface)#.
2 At the (interface)# prompt, type ?
  The following options are displayed.
  edit
  delete
  purge
  rename
  get
  show
  end

3 At the (interface)# prompt, type:
  edit internal
  and press Enter. The prompt changes to (internal)#.
4 At the (internal)# prompt, type ?
  The following options are displayed.
  config
  set
  unset
  get
  show
  next
  abort
  end
5 At the (internal)# prompt, type:
  config secondaryip
  and press Enter. The prompt changes to (secondaryip)#.
6 At the (secondaryip)# prompt, type ?
  The following options are displayed.
  edit
  delete
  purge
  rename
  get
  show
  end
7 To add a secondary IP address with the ID number 0, type:
  edit 0
  and press Enter. The prompt changes to (0)#.
8 At the (0)# prompt, type ?
  The following options are displayed.
  set
  unset
  get
  show
  next
  abort
  end
9 Type set ?
  The following options are displayed.
  allowaccess
  detectserver
  gwdetect
  ip

10 To set the secondary IP address with the ID number 0 to 192.168.100.100 and the netmask to 255.255.255.0, type:
  set ip 192.168.100.100 255.255.255.0
  and press Enter.
11 To add another secondary IP address to the internal interface, type next and press Enter. The prompt changes to (secondaryip)#.
12 To add a secondary IP address with the ID number 1, at the (secondaryip)# prompt type:
  edit 1
  and press Enter. The prompt changes to (1)#.
13 To set the secondary IP address with the ID number 1 to 192.168.100.90 and the netmask to 255.255.255.0, type:
  set ip 192.168.100.90 255.255.255.0
  and press Enter.
14 To restore the secondary IP address with the ID number 1 to the default, type unset ip and press Enter.
15 If you want to leave the secondary IP address 1 shell without saving your changes, type abort and press Enter.
16 To save your changes and exit the secondary IP address 1 shell, type end and press Enter. The prompt changes to (internal)#.
17 To delete the secondary IP address with the ID number 1, type delete 1 and press Enter.
18 To save your changes and exit the internal interface shell, type end and press Enter.
19 To confirm your changes have taken effect after using the end command, type get system interface internal and press Enter.
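The config branch description and the secondary IP procedure above both rely on the same nesting: config opens a table, edit opens an entry, a second config opens a sub-table inside that entry, and next and end close them in reverse order. The show branch prints exactly that structure, so the same grammar lets you check a show transcript or a configuration backup offline. The parser below is an added example, not Fortinet code; its sample input is constructed in the format shown on this page, and the secondary_ips helper and the idea of reading sub-table entries in numeric ID order are the example's own assumptions.

```python
"""Parse FortiGate 'show' output (config / edit / set / next / end) into
nested dicts.  Added example, not Fortinet code.  The nesting mirrors the
shells walked through interactively: config -> edit -> nested config -> edit."""
import shlex

# Constructed sample in the layout 'show system interface' prints.  The
# secondaryip sub-table is the nested-config case from the procedure above.
SAMPLE_SHOW = """\
config system interface
    edit "internal"
        set allowaccess ping https ssh
        set ip 192.168.20.200 255.255.255.0
        config secondaryip
            edit 0
                set ip 192.168.100.100 255.255.255.0
            next
            edit 1
                set ip 192.168.100.90 255.255.255.0
            next
        end
    next
    edit "external"
        set allowaccess ping
        set ip 192.168.100.200 255.255.255.0
    next
end
"""


def parse_show(text):
    """Return {table: {entry: {keyword: value, sub_table: {...}}}}.
    A table without edit entries (such as 'config system global') maps
    its keywords directly.  Unbalanced next/end raises ValueError."""
    root = {}
    stack = [root]  # innermost dict that set/config/edit write into
    for raw in text.splitlines():
        words = shlex.split(raw)  # handles the "quoted name" form show prints
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"'{cmd}' without a matching edit/config")
            stack.pop()
        else:
            raise ValueError(f"unexpected command {cmd!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block (missing next/end)")
    return root


def secondary_ips(config, interface):
    """List 'addr mask' strings of an interface's secondary IPs in ID order.
    Assumption: secondaryip entry names are the integer IDs used above."""
    sub = config["system interface"][interface].get("secondaryip", {})
    return [sub[key]["ip"] for key in sorted(sub, key=int)]


if __name__ == "__main__":
    cfg = parse_show(SAMPLE_SHOW)
    for name in cfg["system interface"]:
        print(name, cfg["system interface"][name]["ip"], secondary_ips(cfg, name))
```

Because the parser enforces balanced next/end pairs, it doubles as a check that a hand-edited command script will not leave the CLI stranded in a sub-shell when pasted.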

CLI basics
This section includes:
• Command help
• Command completion
• Recalling commands
• Editing commands
• Line continuation
• Command abbreviation
• Environment variables
• Encrypted password support
• Entering spaces in strings
• Entering quotation marks in strings
• Entering a question mark (?) in a string
• International characters
• Special characters
• IP address formats
• Editing the configuration file
• Setting screen paging
• Changing the baud rate
• Using Perl regular expressions

Command help
You can press the question mark (?) key to display command help.
• Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
• Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.
• Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.

Command completion
You can use the tab key or the question mark (?) key to complete commands.
• You can press the tab key at any prompt to scroll through the options available for that prompt.
• You can type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.
• After completing the first word of a command, you can press the space bar and then the tab key to scroll through the options available at the current cursor position.

Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.

Editing commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can also use the Backspace and Delete keys and the control keys listed in Table 3 to edit the command.

Table 3: Control keys for editing commands
Function: Key combination
Beginning of line: CTRL+A
End of line: CTRL+E
Back one character: CTRL+B
Forward one character: CTRL+F
Delete current character: CTRL+D
Previous command: CTRL+P
Next command: CTRL+N
Abort the command: CTRL+C
If used at the root prompt, exit the CLI: CTRL+C

Line continuation
To break a long command over multiple lines, use a \ at the end of each line.

Command abbreviation
You can abbreviate commands and command options to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.

Environment variables
The FortiGate CLI supports the following environment variables. Variable names are case sensitive.
$USERFROM: The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator.
$USERNAME: The user account name of the logged in administrator.
$SerialNum: The serial number of the FortiGate unit.
In the following example, the unit hostname is set to the serial number.
config system global
set hostname $SerialNum
end

Encrypted password support

After you enter a clear text password using the CLI, the FortiGate unit encrypts the password and stores it in the configuration file with the prefix ENC. For example:

    show system admin user1

lists the user1 administrator password as follows:

    config system admin
        edit "user1"
            set accprofile "prof_admin"
            set password ENC XXNFKpSV3oIVk
        next
    end

It is also possible to enter an already encrypted password. For example, type:

    config system admin

and press Enter. Type:

    edit user1

and press Enter. Type:

    set password ENC XXNFKpSV3oIVk

and press Enter. Type:

    end

and press Enter.

Entering spaces in strings

When a string value contains a space, do one of the following:
• Enclose the string in quotation marks, for example, "Security Administrator".
• Enclose the string in single quotes, for example, 'Security Administrator'.
• Use a backslash ("\") preceding the space, for example, Security\ Administrator.

Entering quotation marks in strings

If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.

Entering a question mark (?) in a string

If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.

International characters

The CLI supports international characters in strings. The web-based manager dashboard CLI Console applet supports the appropriate character set for the current administration language. If you want to enter strings that contain Asian characters, configure the CLI Console to use the external command input box. International character support with external applications such as SSH clients depends on the capabilities and settings of the application.

Special characters

The characters <, >, (, ), #, ', and " are not permitted in most CLI fields. The exceptions are:
• passwords
• replacemsg buffer
• firewall policy comments
• ips custom signature
• antivirus filepattern
• antivirus exemptfilepattern
• webfilter bword
• spamfilter bword pattern
• system interface username (PPPoE mode)
• system modem phone numbers or account user names
• firewall profile comment
• spamfilter mheader fieldbody
• spamfilter emailbwl email_pattern
• router info bgp regular expressions
• router aspath-list rule regular expressions

IP address formats

You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example you can type either:

    set ip 192.168.1.1 255.255.255.0

or

    set ip 192.168.1.1/24

The IP address is displayed in the configuration file in dotted decimal format.

Editing the configuration file

You can change the FortiGate configuration by backing up the configuration file to a TFTP server. Then you can make changes to the file and restore it to the FortiGate unit.

1 Use the execute backup config command to back up the configuration file to a TFTP server.

2 Edit the configuration file using a text editor. Related commands are listed together in the configuration file. For instance, all the antivirus commands are grouped together, all the system commands are grouped together, and so on. You can edit the configuration by adding, changing or deleting the CLI commands in the configuration file. The first line of the configuration file contains information about the firmware version and FortiGate model. Do not edit this line. If you change this information the FortiGate unit will reject the configuration file when you attempt to restore it. You can add comments to the configuration file by starting the comment line with a # character.

3 Use the execute restore config command to copy the edited configuration file back to the FortiGate unit. The FortiGate unit receives the configuration file and checks to make sure the firmware version and model information is correct. If it is, the FortiGate unit loads the configuration file and checks each command for errors. If the FortiGate unit finds an error, an error message is displayed after the command and the command is rejected. Then the FortiGate unit restarts and loads the new configuration.

Setting screen paging

Using the config system console command, you can configure the display to pause when the screen is full. This is convenient for viewing the lengthy output of a command such as get system global. When the display pauses, the bottom line of the console displays --More--. You can then do one of the following:
• Press the spacebar to continue.
• Press Q to end the display. One more line of output is displayed, followed by the shell prompt.

To set paged output, enter the following command:

    config system console
        set output more
    end

Changing the baud rate

Using set baudrate in the config system console shell, you can change the default console connection baud rate.

Note: Changing the default baud rate is available for FortiGate units with BIOS 3.03 and higher and FortiOS version 2.50 and higher.

Using Perl regular expressions

Some FortiGate features, such as spam filtering and web content filtering, can use either wildcards or Perl regular expressions. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.

Some differences between regular expression and wildcard pattern matching

In Perl regular expressions, the '.' character refers to any single character. It is similar to the '?' character in wildcard pattern matching. As a result:
• fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on.

To match a special character such as '.' and '*', regular expressions use the '\' escape character. For example:
• To match fortinet.com, the regular expression should be fortinet\.com.

In Perl regular expressions, '*' means match 0 or more times of the character before it, not 0 or more times of any character. For example:
• forti*\.com matches fortiiii.com but does not match fortinet.com.

To match any character 0 or more times, use '.*' where '.' means any character and the '*' means 0 or more times. For example:
• the wildcard match pattern forti*.com is equivalent to the regular expression forti.*\.com.

Word boundary

In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression "test" not only matches the word "test" but also matches any word that contains the word "test" such as "atest", "mytest", "testimony", "atestb". The notation "\b" specifies the word boundary. To match exactly the word "test", the expression should be \btest\b.

Case sensitivity

Regular expression pattern matching is case sensitive in the Web and Spam filters. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of "bad language" regardless of case.

Table 4: Perl regular expression examples

Expression     Matches
abc            abc (that exact character sequence, but anywhere in the string)
^abc           abc at the beginning of the string
abc$           abc at the end of the string
a|b            either of a and b
^abc|abc$      the string abc at the beginning or at the end of the string
ab{2,4}c       an a followed by two, three or four b's followed by a c
ab{2,}c        an a followed by at least two b's followed by a c
ab*c           an a followed by any number (zero or more) of b's followed by a c
ab+c           an a followed by one or more b's followed by a c
ab?c           an a followed by an optional b followed by a c, that is, either abc or ac
a.c            an a followed by any single character (not newline) followed by a c
a\.c           a.c exactly
[abc]          any one of a, b and c
[Aa]bc         either of Abc and abc
[abc]+         any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[^abc]+        any (nonempty) string which does not contain any of a, b and c (such as defg)
\d\d           any two decimal digits, such as 42; same as \d{2}
/i             makes the pattern case insensitive. For example, /bad language/i blocks any instance of "bad language" regardless of case.
\w+            a "word": a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk       the strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b          abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B         perl when not followed by a word boundary (e.g. in perlert but not in perl stuff)
\x             tells the regular expression parser to ignore white space that is neither backslashed nor within a character class. You can use this to break up your regular expression into (slightly) more readable parts.
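The wildcard-versus-regex, word-boundary and /i rules above, checked against sample strings as an added example that is not part of the FortiGate reference. It uses Python's re module, whose syntax agrees with Perl for every construct used here (\. \b \w \s \d {m,n} and the i flag); the helper names and the wildcard-to-regex translation are this example's own.

```python
# Added example (not Fortinet's code): exercises the pattern rules described
# in the text using Python's re module. The sample strings are constructed.
import re
from typing import Tuple


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard pattern into the equivalent regular expression:
    '*' becomes '.*', '?' becomes '.', every other character (including
    the '.' in a domain name) is escaped, and the result is anchored so the
    whole string must match. forti*.com therefore becomes ^forti.*\\.com$."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def parse_slash_pattern(spec: str) -> Tuple[str, int]:
    """Parse the '/pattern/i' notation used in the text into a regex body and
    re flags. A spec without slashes is taken as-is and case sensitive,
    which is the Web and Spam filters' default. 'x' maps to re.VERBOSE."""
    m = re.fullmatch(r"/(.*)/([ix]*)", spec, re.DOTALL)
    if not m:
        return spec, 0
    body, modifiers = m.groups()
    flags = 0
    if "i" in modifiers:
        flags |= re.IGNORECASE
    if "x" in modifiers:
        flags |= re.VERBOSE
    return body, flags


def blocked(spec: str, text: str) -> bool:
    """True if the filter pattern matches anywhere in text (a pattern has no
    implicit anchors or word boundaries, as Table 4's first row notes)."""
    body, flags = parse_slash_pattern(spec)
    return re.search(body, text, flags) is not None


if __name__ == "__main__":
    # Constructed samples illustrating each rule from the text.
    checks = [
        ("fortinet.com", "fortinetacom"),              # unescaped '.' matches 'a'
        (r"fortinet\.com", "fortinetacom"),            # escaped '.' does not
        (r"forti*\.com", "fortiiii.com"),              # '*' repeats only 'i'
        (r"forti*\.com", "fortinet.com"),              # so this does not match
        (wildcard_to_regex("forti*.com"), "fortinet.com"),
        ("test", "testimony"),                         # no implicit boundary
        (r"\btest\b", "testimony"),                    # explicit boundary
        ("/bad language/i", "BAD Language here"),      # /i: case insensitive
        ("bad language", "BAD Language here"),         # default: case sensitive
    ]
    for spec, sample in checks:
        print(f"{spec!r:28} {sample!r:20} -> {blocked(spec, sample)}")
```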


Working with virtual domains

By default, the FortiGate unit has one virtual domain (root) and one administrator (admin) with unrestricted access to the system configuration. By default, there is no password for the default admin account. If you enable virtual domain configuration, the super admin account can also:
• Use the vdom command to create and configure additional virtual domains.
• Use the global command to configure features that apply to all virtual domains.
• Use the global command to create and assign administrators to each virtual domain.

This section contains the following topics:
Enabling virtual domain configuration
Accessing commands in virtual domain configuration
Creating and configuring VDOMs
Configuring inter-VDOM routing
Changing the management VDOM
Creating VDOM administrators
Troubleshooting ARP traffic on VDOMs
global
vdom

Enabling virtual domain configuration

The administrators with the super_admin profile can enable virtual domain configuration through either the web-based manager or the CLI. In the CLI, use the following command:

    config system global
        set vdom-admin enable
    end

Log off and then log on again with a super_admin admin account.

Accessing commands in virtual domain configuration

When you log in as admin with virtual domain configuration enabled, you have only four top-level commands:

config global
    Enter config global to access global commands. In the global shell, you can execute commands that affect all virtual domains, such as config system autoupdate. For a list of the global commands, see "global" on page 57.

config vdom
    Enter config vdom to access VDOM-specific commands. In the vdom shell, use the edit <vdom_name> command to create a new VDOM or to edit the configuration of an existing VDOM. In the <vdom_name> shell, you can execute commands to configure options that apply only within the VDOM, such as config firewall policy. For a list of VDOM-specific commands, see "vdom" on page 60. When you have finished, enter next to edit another vdom, or end.

exit
    Log off.

get system status
    System status.

Creating and configuring VDOMs

When virtual domain configuration is enabled, admin has full access to the global FortiGate unit configuration and to the configuration of each VDOM. All of the commands described in this Reference are available to admin, but they are accessed through a special top-level command shell. You can have up to 10 VDOMs on your FortiGate unit by default.

Creating a VDOM

You create a new VDOM using the config vdom command. For example, to create a new VDOM called vdomain2, you enter the following:

    config vdom
        edit vdomain2
    end

This creates a new VDOM operating in NAT/Route mode. For this VDOM to be useful, you need to assign interfaces or VLAN subinterfaces to it.

Assigning interfaces to a VDOM

By default, all interfaces belong to the root domain. Interfaces are part of the global configuration of the FortiGate unit, so only the admin account can configure interfaces. You can reassign an interface or VLAN subinterface to another VDOM if the interface is not already used in a VDOM-specific configuration such as a firewall policy. See "vdom-link" on page 480. When viewing a list of interfaces that are in different VDOMs and different operating modes, fields that are not available for some interfaces will display a "-".

For example, to assign port3 and port4 to vdomain2, log on as admin and enter the following commands:

    config global
        config system interface
            edit port3
                set vdom vdomain2
            next
            edit port4
                set vdom vdomain2
            end
    end

Setting VDOM operating mode

When you create a VDOM, its default operating mode is NAT/Route. You can change the operating mode of each VDOM independently.

Changing to Transparent mode

When you change the operating mode of a VDOM from NAT/Route to Transparent mode, you must specify the management IP address and the default gateway IP address. The following example shows how to change vdomain2 to Transparent mode. The management IP address is 192.168.10.100, and the default gateway is 192.168.10.1:

    config vdom
        edit vdomain3
            config system settings
                set opmode transparent
                set manageip 192.168.10.100 255.255.255.0
                set gateway 192.168.10.1
            end
    end

For more information, see "system settings" on page 466.

Changing back to NAT/Route mode

If you change a Transparent mode VDOM back to NAT/Route mode, you must specify which interface you will use for administrative access and the IP address for that interface. This ensures that administrative access is configured on the interface. You must also specify the default gateway IP address and the interface that connects to the gateway.

    config vdom
        edit vdomain3
            config system settings
                set opmode nat
            end
            config system interface
                edit port1
                    set ip 192.168.10.100 255.255.255.0
                end
    end

For more information, see "system settings" on page 466.

Configuring inter-VDOM routing

By default, VDOMs are independent of each other and to communicate they need to use physical interfaces that are externally connected. By using the vdom-link command that was added in FortiOS v3.0 MR3, this connection can be moved inside the FortiGate unit, freeing up the physical interfaces. This feature also allows you to determine the level of inter-VDOM routing you want: only 2 VDOMs inter-connected, or interconnect all VDOMs. As of FortiOS v3.0, BGP is supported over inter-VDOM links.

A packet can pass through an inter-VDOM link a maximum of three times. This is to prevent a loop. When traffic is encrypted or decrypted it changes the content of the packets and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels does not reset the counter. These internal interfaces have the added bonus of being faster than the physical interfaces unless the CPU load is very heavy.

The vdom-link command creates virtual interfaces, so you have access to all the security available to physical interface connections. VDOM-links can also be configured through the web-based management interface. For more information, see the FortiGate Administration Guide.

In this example you already have configured two VDOMs called v1 and v2. You want to set up a link between them. The following command creates the VDOM link called v12_link.

    config global
        config system vdom-link
            edit v12_link
        end

Once you have the link in place, you need to bind the two ends of the link to the VDOMs it will be connecting. Then you are free to apply firewall policies or other security measures.

        config system interface
            edit v12_link0
                set vdom v1
            next
            edit v12_link1
                set vdom v2
            next
        end

Note: When you are naming VDOM links you are limited to 8 characters for the base name. In the example below the link name v12_link that is used is correct, but a link name of v12_verylongname is too long.

To remove the vdom-link, delete the vdom-link. You will not be able to delete the ends of the vdom-link by themselves. To delete the above set up, enter:

    config global
        config system vdom-link
            delete v12_link
        end

Note: In an HA setup with virtual clusters, with multiple vclusters when you create the vdom-link in system vdom-link there is an option to set which vcluster the link will be in. In HA mode, inter-VDOM routing must be entirely within one cluster. You cannot create links between virtual clusters, and you cannot move a VDOM that is linked into another virtual cluster.

Before inter-VDOM routing, VDOMs were completely separate entities. Now, many new configurations are available such as a service provider configuration (a number of VDOMs that go through one main VDOM to access the internet) or a mesh configuration (where some or all VDOMs are connected to some or all other VDOMs). These configurations are discussed in-depth in the FortiGate VLANs and VDOMs Guide.

Changing the management VDOM

All management traffic leaves the FortiGate unit through the management VDOM. Management traffic includes all external logging, remote management, and other Fortinet services. By default the management VDOM is root. You can change this to another VDOM so that the traffic will leave your FortiGate unit over the new VDOM. You cannot change the management VDOM if any administrators are using RADIUS authentication.

If you want to change the management VDOM to vdomain2, you enter:

    config global
        config system global
            set management-vdom vdomain2
        end

Creating VDOM administrators

The super_admin admin accounts can create regular administrators and assign them to VDOMs. The system admin command, when accessed by admin, includes a VDOM assignment. For example, to create an administrator, admin2, for VDOM vdomain2 with the default profile prof_admin, you enter:

    config global
        config system admin
            edit admin2
                set accprofile prof_admin
                set password hardtoguess
                set vdom vdomain2
        end

The admin2 administrator account can only access the vdomain2 VDOM and can connect only through an interface that belongs to that VDOM. The VDOM administrator can access only VDOM-specific commands, not global commands.

Troubleshooting ARP traffic on VDOMs

Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.

Duplicate ARP packets

ARP traffic can cause problems, especially in Transparent mode where ARP packets arriving on one interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset, causing network traffic to slow down.

Multiple VDOMs solution

One solution is to configure multiple VDOMs on the FortiGate unit, one for each VLAN. This means one inbound and one outbound VLAN interface in each virtual domain. By default, physical interfaces are in the root domain. Do not configure any of your VLANs in the root domain. As a result of this VDOM configuration, ARP packets are not forwarded between VDOMs, the switches do not receive multiple ARP packets with the same source MAC but different VLAN IDs, and the instability does not occur.

Forward-domain solution

You may run into problems using the multiple VDOMs solution. It is possible that you have more VLANs than licensed VDOMs, not enough physical interfaces, or your configuration may work better by grouping some VLANs together. In these situations the separate VDOMs solution may not work for you.

In these cases, the solution is to use the forward-domain <collision_group_number> command. This command tags VLAN traffic as belonging to a particular forward-domain collision group, and only VLANs tagged as part of that collision group receive that traffic. By default ports and VLANs are part of forward-domain collision group 0. There are many benefits to this solution, from reduced administration and fewer physical interfaces to more flexible network solutions.

In the following example, forward-domain collision group 340 includes VLAN 340 traffic on Port1 and untagged traffic on Port2. Forward-domain collision group 341 includes VLAN 341 traffic on Port1 and untagged traffic on Port3. All other ports are part of forward-domain collision group 0 by default. These are the CLI commands to accomplish this setup.

    config system interface
        edit "port1"
        next
        edit "port2"
            set forward_domain 340
        next
        edit "port3"
            set forward_domain 341
        next
        edit "port1-340"
            set forward_domain 340
            set interface "port1"
            set vlanid 340
        next
        edit "port1-341"
            set forward_domain 341
            set interface "port1"
            set vlanid 341
        next
    end

There is a more detailed discussion of this issue in the Asymmetric Routing and Other FortiGate Layer2 Installation Issues technical note. For more information, see the FortiGate VLANs and VDOMs Guide.

global

From a super_admin profile account, use this command to configure features that apply to the complete FortiGate unit including all virtual domains. Virtual domain configuration (vdom-admin) must be enabled first. See "system global" on page 371.

Syntax

This command syntax shows how you access the commands within config global. For information on these commands, refer to the relevant sections in this Reference.

    config global
        config antivirus ...
        config firewall service
        config gui console
        config ips ...
        config log fortianalyzer setting
        config log fortiguard setting
        config log memory setting
        config log memory global setting
        config log syslogd setting
        config log webtrends setting
        config spamfilter ...
        config system accprofile
        config system admin
        config system alertemail
        config system auto-install
        config system autoupdate clientoverride
        config system autoupdate override
        config system autoupdate push-update
        config system autoupdate schedule
        config system autoupdate tunneling
        config system bug-report
        config system console
        config system dns
        config system fips-cc
        config system fortianalyzer, fortianalyzer2, fortianalyzer3
        config system fortiguard
        config system fortiguard-log
        config system fortimanager
        config system gi-gk (FortiOS Carrier)
        config system global
        config system ha
        config system interface
        config system management-tunnel
        config system ntp
        config system replacemsg admin
        config system replacemsg alertmail
        config system replacemsg auth
        config system replacemsg fortiguard-wf
        config system replacemsg ftp
        config system replacemsg http
        config system replacemsg im

        config system replacemsg mail
        config system replacemsg mm1 (FortiOS Carrier)
        config system replacemsg mm3 (FortiOS Carrier)
        config system replacemsg mm4 (FortiOS Carrier)
        config system replacemsg mm7 (FortiOS Carrier)
        config system replacemsg nntp
        config system replacemsg spam
        config system replacemsg sslvpn
        config system replacemsg-group (FortiOS Carrier)
        config system replacemsg-image (FortiOS Carrier)
        config system session-helper
        config system session-sync
        config system snmp community
        config system snmp sysinfo
        config system switch-interface
        config system tos-based-priority
        config system vdom-link
        config system dynamic-profile (FortiOS Carrier)
        config vpn certificate ca
        config vpn certificate crl
        config vpn certificate local
        config vpn certificate remote
        config webfilter fortiguard
        execute backup
        execute batch
        execute central-mgmt
        execute cfg reload
        execute cfg save
        execute cli check-template-status
        execute cli status-msg-only
        execute date
        execute disconnect-admin-session
        execute enter
        execute factoryreset
        execute formatlogdisk
        execute fortiguard-log update
        execute ha disconnect
        execute ha manage
        execute ha synchronize
        execute log delete-all
        execute log delete-filtered
        execute log delete-rolled
        execute log display
        execute log filter
        execute log list
        execute log roll
        execute reboot
        execute restore
        execute send-fds-statistics
        execute set-next-reboot
        execute shutdown
        execute time
        execute update-av
        execute update-ips

        execute update-now
        execute usb-disk
        execute vpn certificate ...
        get firewall vip ...
        ...
    end

History

FortiOS v3.0       New.
FortiOS v3.0 MR1   Added vdom-link.
FortiOS v3.0 MR5   Added config firewall service, gui console, system console, system fortiguard, system replacemsg admin/alertemail/auth/nntp, vpn certificate crl/local/remote, webfilter, execute backup, batch, central-mgmt, cfg, restore, update-ips, and execute update-now; expanded command to vpn certificate .... Removed vpn sslvpn, vpn, fsae refresh, dhcp leaselist, dhcp lease-client, telnet, and traceroute.
FortiOS v3.0 MR6   Added config system session-sync.

Related topics
• vdom

vdom

From the super admin account, use this command to add and configure virtual domains. The number of virtual domains you can add is dependent on the FortiGate model. Virtual domain configuration (vdom-admin) must be enabled. See "system global" on page 371.

Once you add a virtual domain you can configure it by adding zones, firewall policies, routing settings, and VPN settings. You can also move physical interfaces from the root virtual domain to other virtual domains and move VLAN subinterfaces from one virtual domain to another.

By default all physical interfaces are in the root virtual domain. You cannot remove an interface from a virtual domain if the interface is part of any of the following configurations:
• routing
• proxy arp
• DHCP server
• zone
• firewall policy
• IP pool
• redundant pair
• link aggregate (802.3ad) group

Delete these items or modify them to remove the interface first.

You cannot delete the default root virtual domain and you cannot delete a virtual domain that is used for system management.

Syntax

This command syntax shows how you access the commands within a VDOM. Refer to the relevant sections in this Reference for information on these commands.

    config vdom
        edit <vdom_name>
            config antivirus
            config firewall address, address6
            config firewall addrgrp, addrgrp6
            config firewall dnstranslation
            config firewall ipmacbinding setting
            config firewall ipmacbinding table
            config firewall ippool
            config firewall ldb-monitor
            config firewall multicast-policy
            config firewall policy, policy6
            config firewall profile
            config firewall schedule onetime
            config firewall schedule recurring
            config firewall service custom
            config firewall service group
            config firewall vip
            config firewall vipgrp
            config imp2p
            config ips
            config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
            config log fortianalyzer setting

            config log memory setting
            config log trafficfilter
            config router
            config spamfilter
            config system admin
            config system arp-table
            config system dhcp reserved-address
            config system dhcp server
            config system gre-tunnel
            config system interface
            config system proxy-arp
            config system session-ttl
            config system sit-tunnel
            config system settings
            config system zone
            config user adgrp
            config user fsae
            config user group
            config user ldap
            config user local
            config firewall carrier-endpoint-bwl (FortiOS Carrier)
            config firewall carrier-endpoint-ip-filter (FortiOS Carrier)
            config user peer
            config user peergrp
            config user radius
            config vpn ...
            config webfilter
            execute backup
            execute clear system arp table
            execute cli check-template-status
            execute cli status-msg-only
            execute dhcp lease-list
            execute fsae refresh
            execute ha disconnect
            execute ha manage
            execute ha synchronize
            execute log delete-all
            execute log delete-filtered
            execute log delete-rolled
            execute log display
            execute log filter
            execute log list
            execute log roll
            execute mrouter clear
            execute ping
            execute ping-options
            execute ping6
            execute reboot
            execute restore
            execute router clear bgp
            execute router clear ospf process
            execute router restart
            execute traceroute
            execute usb-disk

            execute vpn sslvpn del-tunnel
        next
        edit <another_vdom>
            config ...
            execute ...
        end
    end

Variable            Description                                                                  Default
edit <vdom_name>    Enter a new name to create a new VDOM. Enter an existing VDOM name to        No default.
                    configure that VDOM. The VDOM you enter becomes the current VDOM. A VDOM
                    name cannot exceed 11 characters in length. A VDOM cannot have the same
                    name as a VLAN.

Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If you attempt to name a new VDOM vsys_ha or vsys_fgfm it will generate an error.

Note: Use config system settings set opmode {nat | transparent} to set the operation mode for this VDOM to nat (NAT/Route) or transparent.

Example

This example shows how to add a virtual domain called Test1.

    config system vdom
        edit Test1
    end

History

FortiOS v3.0       New.
FortiOS v3.0 MR1   Added system admin, system arp-table, system proxy-arp, system sit-tunnel, interface, ipv6-tunnel commands, and execute batch. Added system setting multicast-forward and multicast-ttl-notchange.
FortiOS v3.0 MR5   Removed config alertemail, log fortianalyzer, log syslogd, log webtrends. Added config gui, all of system settings, router graceful-restart commands, batch, date, reboot, execute router clear ospf process commands.
FortiOS v3.0 MR7   Removed config gui and system ipv6-tunnel.

Related topics
• global

alertemail

Use alertemail commands to configure the FortiGate unit to monitor logs for log messages with certain severity levels, such as system failures or network attacks. If the message appears in the logs, the FortiGate unit sends an email to a predefined recipient(s) of the log message encountered. Alert emails provide immediate notification of issues occurring on the FortiGate unit.

By default, the alertemail commands do not appear if no SMTP server is configured. An SMTP server is configured using the system alertemail commands. See "system alertemail" on page 330 for more information.

When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server. See "dns" on page 353 for more information about configuring DNS servers.

This chapter contains the following section:
setting

setting

Use this command to configure the FortiGate unit to send an alert email to up to three recipients. This command can also be configured to send an alert email a certain number of days before the FDS license expires and/or when the disk usage exceeds a certain threshold amount. You need to configure an SMTP server before configuring alert email settings. See "system alertemail" on page 330 for more information.

Note: The FortiGate unit must be able to look up the SMTP server name on your DNS server because the FortiGate unit uses the SMTP server to connect to the mail server. See "system dns" on page 353 for more information.

Syntax

    config alertemail setting
        set username <user-name-str>
        set mailto1 <email-address-str>
        set mailto2 <email-address-str>
        set mailto3 <email-address-str>
        set filter-mode {category | threshold}
        set email-interval <minutes-integer>
        set severity {alert | critical | debug | emergency | error | information | notification | warning}
        set emergency-interval <minutes-integer>
        set alert-interval <minutes-integer>
        set critical-interval <minutes-integer>
        set error-interval <minutes-integer>
        set warning-interval <minutes-integer>
        set notification-interval <minutes-integer>
        set information-interval <minutes-integer>
        set debug-interval <minutes-integer>
        set IPS-logs {disable | enable}
        set firewall-authentication-failure-logs {disable | enable}
        set HA-logs {enable | disable}
        set IPsec-error-logs {disable | enable}
        set FDS-update-logs {disable | enable}
        set PPP-errors-logs {disable | enable}
        set sslvpn-authentication-errors-logs {disable | enable}
        set antivirus-logs {disable | enable}
        set webfilter-logs {disable | enable}
        set configuration-changes-logs {disable | enable}
        set violation-traffic-logs {disable | enable}
        set admin-login-logs {disable | enable}
        set local-disk-usage-warning {disable | enable}
        set FDS-license-expiring-warning {disable | enable}
        set FDS-license-expiring-days <integer>
        set local-disk-usage <percentage>
        set fortiguard-log-quota-warning
    end

Keywords and variables

username <user-name-str>
    Enter a valid email address in the format user@domain.com. This address appears in the From header of the alert email.
    Default: No default.

mailto1 <email-address-str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.

mailto2 <email-address-str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.

mailto3 <email-address-str>
    Enter an email address. This is one of the email addresses where the FortiGate unit sends an alert email.
    Default: No default.

filter-mode <category> <threshold>
    Enter to set the filter mode of the alert email. The following only displays when threshold is entered:
    • emergency-interval
    • alert-interval
    • critical-interval
    • error-interval
    • warning-interval
    • notification-interval
    • information-interval
    • debug-interval
    Default: category

email-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email. This is not available when filter-mode threshold is enabled.
    Default: 5

emergency-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for emergency level messages. Only available when filter-mode threshold is entered.
    Default: 1

alert-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for alert level messages. Only available when filter-mode threshold is entered.
    Default: 2

critical-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for critical level messages. Only available when filter-mode threshold is entered.
    Default: 3

error-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for error level messages. Only available when filter-mode threshold is entered.
    Default: 5

warning-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for warning level messages. Only available when filter-mode threshold is entered.
    Default: 10

notification-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for notification level messages. Only available when filter-mode threshold is entered.
    Default: 20

information-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for information level messages. Only available when filter-mode threshold is entered.
    Default: 30

debug-interval <minutes-integer>
    Enter the number of minutes the FortiGate unit should wait before sending out an alert email for debug level messages. Only available when filter-mode threshold is entered.
    Default: 60

severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select error, the unit logs error, critical, alert, and emergency level messages.
    • emergency – The system is unusable.
    • alert – Immediate action is required.
    • critical – Functionality is affected.
    • error – An erroneous condition exists and functionality is probably affected.
    • warning – Functionality might be affected.
    • notification – Information about normal events.
    • information – General information about system operations.
    • debug – Information used for diagnosing or debugging the FortiGate unit.
    This is only available when alert filter-mode threshold is entered.

IPS-logs {disable | enable}
    Enable or disable IPS logs.
    Default: disable

firewall-authentication-failure-logs {disable | enable}
    Enable or disable firewall authentication failure logs.
    Default: disable

HA-logs {enable | disable}
    Enable or disable high availability (HA) logs.
    Default: disable

IPsec-error-logs {disable | enable}
    Enable or disable IPSec error logs.
    Default: disable

FDS-update-logs {disable | enable}
    Enable or disable FDS update logs.
    Default: disable

PPP-errors-logs {disable | enable}
    Enable or disable PPP error logs.
    Default: disable

sslvpn-authentication-errors-logs {disable | enable}
    Enable or disable SSL VPN authentication error logs.
    Default: disable

antivirus-logs {disable | enable}
    Enable or disable antivirus logs.
    Default: disable

webfilter-logs {disable | enable}
    Enable or disable web filter logs.
    Default: disable

configuration-changes-logs {disable | enable}
    Enable or disable configuration changes logs.
    Default: disable

violation-traffic-logs {disable | enable}
    Enable or disable traffic violation logs.
    Default: disable

admin-login-logs {disable | enable}
    Enable or disable admin login logs.
    Default: disable

local-disk-usage-warning {disable | enable}
    Enable or disable local disk usage warning in percent.
    Default: disable

FDS-license-expiring-warning {disable | enable}
    Enable or disable to receive an email notification of the expire date of the FDS license.
    Default: disable

FDS-license-expiring-days <integer>
    Enter the number of days to be notified by email when the FDS license expires. For example, if you want notification five days in advance, enter 5.
    Default: 15

local-disk-usage <percentage>
    Enter a number for when the local disk's usage exceeds that number. The number cannot be 0 or 100. For example, enter the number 15 for a warning when the local disk usage is at 15 percent.
    Default: 75

fortiguard-log-quota-warning
    Enter to receive an alert email when the FortiGuard Log & Analysis server reaches its quota.
    Default: disable

Examples

This example shows how to configure the user name, add three email addresses for sending alerts to, and what type of emails will contain which log messages, such as HA and antivirus.

config alertemail setting
    set username fortigate@ourcompany.com
    set mailto1 admin1@ourcompany.com
    set mailto2 admin2@ourcompany.com
    set mailto3 admin3@ourcompany.com
    set filter-mode category
    set HA-logs enable
    set FDS-update-logs enable
    set antivirus-logs enable
    set webfilter-logs enable
    set admin-login-logs enable
    set violation-traffic-logs enable
end

History

FortiOS v2.80       Substantially revised and expanded.
FortiOS v3.0        Moved authentication, server and password to config system alertemail.
FortiOS v3.0 MR2    New keywords added for:
                    • IPS-logs
                    • firewall-authentication-failure-logs
                    • HA-logs
                    • IPSec-errors-logs
                    • FDS-update-logs
                    • PPP-errors-logs
                    • sslvpn-authentication-errors-logs
                    • antivirus-logs
                    • webfilter-logs
                    • configuration-changes-logs
                    • violation-traffic-logs
                    • admin-login-logs
                    • FDS-license-expiring-warning
                    • local-disk-usage-warning
                    • FDS-license-expiring-days
                    • local-disk-usage
FortiOS v3.0 MR4    Added fortiguard-log-quota-warning keyword.

Related topics
• system alertemail
• system dns
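The following added example (not Fortinet's code) models how the severity cut-off and the per-level intervals of filter-mode threshold interact: it parses a constructed config alertemail setting block and replays a constructed log stream, deciding which messages produce an email. The throttling semantics (one email per level, then hold that level for its interval) and all addresses are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Severity levels, most to least severe, in the order the "severity" keyword lists them
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]

# Default <level>-interval values in minutes from the keyword table
DEFAULT_INTERVALS = {"emergency": 1, "alert": 2, "critical": 3, "error": 5,
                     "warning": 10, "notification": 20, "information": 30, "debug": 60}


def parse_alertemail_setting(cli_text):
    """Turn the 'set <keyword> <value>' lines of a config block into a dict."""
    settings = {}
    for line in cli_text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*\S)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


@dataclass
class ThresholdAlertMailer:
    """Assumed model of filter-mode threshold: a message is eligible when its level
    is at or above 'severity', and after an email goes out for a level, further
    messages of that level are held until that level's interval has elapsed."""
    severity: str
    intervals: dict = field(default_factory=lambda: dict(DEFAULT_INTERVALS))
    last_sent: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)

    @classmethod
    def from_cli(cls, cli_text):
        s = parse_alertemail_setting(cli_text)
        if s.get("filter-mode") != "threshold":
            raise ValueError("this model only covers filter-mode threshold")
        mailer = cls(severity=s["severity"])
        for level in SEVERITIES:
            if f"{level}-interval" in s:
                mailer.intervals[level] = int(s[f"{level}-interval"])
        return mailer

    def qualifies(self, level):
        # "logs all messages at and above the logging severity level you select"
        return SEVERITIES.index(level) <= SEVERITIES.index(self.severity)

    def on_log(self, minute, level, message):
        """Return True if this log message causes an alert email at time 'minute'."""
        if not self.qualifies(level):
            return False
        last = self.last_sent.get(level)
        if last is not None and minute - last < self.intervals[level]:
            return False
        self.last_sent[level] = minute
        self.sent.append((minute, level, message))
        return True


# Constructed sample config; the addresses are placeholders
SAMPLE_CONFIG = """\
config alertemail setting
    set username fortigate@example.com
    set mailto1 secops@example.com
    set filter-mode threshold
    set severity error
    set error-interval 5
    set critical-interval 1
end
"""

# Constructed log stream as (minute, level, message) tuples
SAMPLE_LOGS = [
    (0, "error", "IPsec phase 1 negotiation failed"),
    (2, "error", "IPsec phase 1 negotiation failed"),   # 2 min < error-interval 5: held
    (3, "warning", "interface wan1 link flapping"),     # below severity error: ignored
    (4, "critical", "HA member lost"),
    (4, "critical", "HA member lost"),                  # 0 min < critical-interval 1: held
    (5, "error", "IPsec phase 1 negotiation failed"),   # 5 min elapsed: emailed again
    (6, "emergency", "disk failure"),                   # above severity: emailed
]


def run_sample():
    """Return the per-message email decisions and the mailer state."""
    mailer = ThresholdAlertMailer.from_cli(SAMPLE_CONFIG)
    return [mailer.on_log(*entry) for entry in SAMPLE_LOGS], mailer


if __name__ == "__main__":
    decisions, mailer = run_sample()
    for (minute, level, msg), emailed in zip(SAMPLE_LOGS, decisions):
        print(f"t={minute:>2}m {level:<12} {'EMAIL' if emailed else 'held/ignored'}: {msg}")
```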


antivirus

Use antivirus commands to configure antivirus scanning for services, quarantine options, and to enable or disable grayware and heuristic scanning.

This chapter contains the following sections:
filepattern
grayware
heuristic
notification (FortiOS Carrier)
quarantine
quarfilepattern
service

filepattern

Use this command to add, edit or delete the file patterns used for virus blocking and to set which protocols to check for files to block.

If you need to add configuration via CLI that requires ? as part of config, you need to input CTRL-V first. If you enter the question mark (?) without first using CTRL-V, the question mark has a different meaning in CLI: it will show available command options in that section.

For example, if you enter ? without CTRL-V:
    edit "*.xe
    token line: Unmatched double quote.

If you enter ? with CTRL-V:
    edit "*.xe?"
    new entry '*.xe?' added

Syntax

config antivirus filepattern
    edit <filepattern_list_integer>
        set name <filepattern_list>
        set comment <filepattern_list_comment>
        config entries
            edit <filepattern_string>
                set action <allow | block | intercept>
                set active {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
                set file-type {unknown | ignored | activemime | arj | aspack | base64 | bat | binhex | bzip | bzip2 | cab | jad | elf | exe | fsg | genscript | gzip | hlp | hta | html | javascript | lzh | class | msc | msoffice | mime | petite | rar | class | sis | tar | upx | uue | cod | zip} (FortiOS Carrier)
                set filter-type {pattern | type} (FortiOS Carrier)
            end
    end

Keywords and variables

<filepattern_list_integer>
    A unique number to identify the file pattern list.

<filepattern_list>
    The name of the file pattern header list.

<filepattern_list_comment>
    The comment attached to the file pattern header list.

<filepattern_string>
    The name of the file pattern being configured. This can be any character string.

action <allow | block | intercept>
    The action taken when a matching file is being transferred via a set active protocol.
    • Select allow to have the FortiGate unit allow matching files.
    • Select block to have the FortiGate unit block matching files.
    • Select intercept to allow matching files, with a copy sent to a quarantine. The intercept action is supported in FortiOS Carrier. Note that the store-intercepted command in config antivirus quarantine must also be configured to quarantine intercepted files.
    Default: block

active {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    The action specified will affect the file pattern in the selected protocols. MM1, MM3, MM4, and MM7 traffic types supported in FortiOS Carrier. NNTP support for this keyword will be added in the future.
    Default: Varies.

file-type {unknown | ignored | activemime | arj | aspack | base64 | bat | binhex | bzip | bzip2 | cab | jad | elf | exe | fsg | genscript | gzip | hlp | hta | html | javascript | lzh | class | msc | msoffice | mime | petite | rar | class | sis | tar | upx | uue | cod | zip} (FortiOS Carrier)
    This command is only available and valid when filter-type is set to type. Select the type of file the file filter will search for. Two of the available options are not file types:
    • Select unknown to configure a rule affecting every file format the file type filter unit does not recognize. Unknown includes every file format not available in the file-type command.
    • Select ignored to configure a rule affecting traffic the FortiGate unit typically does not scan. This includes primarily streaming audio and video.
    Note that unlike the file pattern filter, this file type filter will examine the file contents to determine what type of file it is. The file name and file extension is ignored. Because of the way the file type filter works, renaming files to make them appear to be of a different type will not allow them past the FortiGate unit without detection.
    Default: unknown

filter-type {pattern | type} (FortiOS Carrier)
    Select the file filter detection method.
    • Enter pattern to examine files only by their names.
    • Enter type to examine files only by their contents.
    For example, if filter-type is set to pattern, and the pattern is *.zip, all files ending in .zip will trigger this file filter. Even files ending in .zip that are not actually ZIP archives will trigger this filter. Using the above example, if filter-type is set to type, and the type is zip, all ZIP archives will trigger this file filter. Even files renamed with non-zip file extensions will trigger this filter.
    Default: pattern

History

FortiOS v2.80    Substantially revised.
FortiOS v3.0     Added IM. Added multiple-list capability for models 800 and above.

Related topics
• antivirus heuristic
• antivirus grayware
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service
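The contrast between filter-type pattern and filter-type type, as an added example that is not FortiGate code: a name-based match lets a renamed archive through and blocks a text file that merely ends in .zip, while a content-based match does the reverse. The magic-byte table, the first-match ordering and the sample transfers are constructed assumptions for the example, not the antivirus engine's logic.

```python
import fnmatch
from dataclasses import dataclass

# Leading bytes for some of the file-type values the reference lists. This table is
# an assumption for the example; it is not the FortiGate engine's detection logic.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"Rar!\x1a\x07", "rar"),
    (b"MSCF", "cab"),
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),
]

ALL_PROTOCOLS = frozenset({"ftp", "http", "im", "imap", "nntp", "pop3", "smtp"})


def sniff_type(data):
    """Classify a file by content only; 'unknown' is every format not in the table."""
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"


@dataclass
class FilePatternEntry:
    pattern: str                  # <filepattern_string>, e.g. "*.zip"
    action: str = "block"         # allow | block | intercept
    filter_type: str = "pattern"  # pattern: match the name; type: match the content
    file_type: str = "unknown"    # only used when filter_type == "type"
    active: frozenset = ALL_PROTOCOLS

    def matches(self, protocol, filename, data):
        if protocol not in self.active:   # entry only applies to its active protocols
            return False
        if self.filter_type == "pattern":
            return fnmatch.fnmatch(filename.lower(), self.pattern.lower())
        return sniff_type(data) == self.file_type


def decide(entries, protocol, filename, data):
    """First matching entry decides (assumed ordering); no match means allow."""
    for entry in entries:
        if entry.matches(protocol, filename, data):
            return entry.action
    return "allow"


# Constructed sample transfers: a real ZIP header renamed to .txt, plain text named
# .zip, and a PE executable header.
SAMPLE_FILES = {
    "quarterly.txt": b"PK\x03\x04" + b"\x00" * 26,
    "notes.zip": b"meeting notes, nothing archived",
    "tool.exe": b"MZ\x90\x00\x03\x00",
}

PATTERN_ENTRIES = [
    FilePatternEntry("*.zip", "block", "pattern"),
    FilePatternEntry("*.exe", "block", "pattern", active=frozenset({"http", "smtp"})),
]

TYPE_ENTRIES = [
    FilePatternEntry("zip-by-content", "block", "type", "zip"),
    FilePatternEntry("exe-by-content", "block", "type", "exe"),
]


def evaluate(entries, protocol="http"):
    """Return {filename: action} for the sample transfers under one entry list."""
    return {name: decide(entries, protocol, name, data)
            for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    print("filter-type pattern:", evaluate(PATTERN_ENTRIES))
    print("filter-type type:   ", evaluate(TYPE_ENTRIES))
    print("*.exe over ftp (not in active):", evaluate(PATTERN_ENTRIES, "ftp")["tool.exe"])
```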

grayware

Use this command to enable or disable grayware scanning for the specified category.

Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user's consent or knowledge. Grayware programs, especially advertising and dial software, are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious purposes. The FortiGate unit scans for known grayware executable programs in each category enabled. The category list and contents are added or updated whenever the FortiGate unit receives a virus update package. New categories may be added at any time and are loaded with virus updates. By default, all new categories are disabled.

Grayware scanning is enabled in a protection profile when Virus Scan is enabled.

Adware
    Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
BHO
    BHOs (Browser Helper Objects) are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4.x and higher. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information.
Dial
    Dialers allow others to use the PC modem to call premium numbers or make long distance calls.
Download
    Download components are usually run at Windows startup and are designed to install or download other software.
Game
    Games are usually joke or nuisance games that may be blocked from network users.
HackerTool
Hijacker
    Browser hijacking occurs when a 'spyware' type program changes web browser settings, including favorites or bookmarks, start pages, and menu options.
Joke
    Joke programs can include custom cursors and programs that appear to affect the system.
Keylog
    Keylogger programs can record every keystroke made on a keyboard including passwords, chat, and instant messages.
Misc
    The miscellaneous grayware category.
NMT
    Network management tools can be installed and used maliciously to change settings and disrupt network security.
P2P
    P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files, often illegally.
Plugin
    Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing preferences.
RAT
    Remote administration tools allow outside users to remotely change and monitor a computer on a network.
Spy
    Spyware is a tracking and analysis program that can report users' activities, such as web browsing habits, to the advertiser's web site where it may be recorded and analyzed. Spyware, like adware, is often included with freeware.
Toolbar
    While some toolbars are harmless, spyware developers can use these toolbars to monitor web habits and send information back to the developer.

Syntax

config antivirus grayware <category_name_str>
    set status {enable | disable}
end

Note: The FortiGate CLI is case sensitive and the first letter of all grayware category names is uppercase.

Keywords and variables

<category_name_str>
    The grayware category being configured.

status {enable | disable}
    Enable or disable grayware scanning for the specified category.
    Default: disable

Example

This example shows how to enable grayware scanning for Adware programs.

config antivirus grayware Adware
    set status enable
end

History

FortiOS v2.80    New.

Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service
• system autoupdate schedule
• execute update-av

heuristic

Use this command to configure heuristic scanning for viruses in binary files.

Syntax

config antivirus heuristic
    set mode {pass | block | disable}
end

Keywords and variables

mode {pass | block | disable}
    Enter pass to enable heuristics but pass detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
    Enter block to enable heuristics and block detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
    Enter disable to disable heuristics.
    Default: disable

Example

This example shows how to enable heuristic scanning.

config antivirus heuristic
    set mode pass
end

History

FortiOS v2.80       New.
FortiOS v3.0 MR7    The default value changes to "disable".

Related topics
• antivirus filepattern
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service

notification (FortiOS Carrier)

Use this command to configure which viruses will trigger notification messages. A notification list must be specified in an MMS profile to generate notification messages. You can also use this command to change the name of an existing notification list.

Syntax

config antivirus notification
    edit <list_id_int>
        set name <name_str>
        set comment <comment_str>
        config entries
            edit <virus_str>
                set prefix {enable | disable}
                set status {enable | disable}
            end
    end

Keywords and variables

<list_id_int>
    Enter the ID number of the list to edit. Each notification list has a unique ID number. Enter edit ? to view all the lists with their ID numbers.

name <name_str>
    Enter a name for the notification list. If the list is new, you must enter a name. You can also use this command to change the name of an existing notification list.

comment <comment_str>
    Enter an optional comment for the notification list.

<virus_str>
    Enter the virus pattern to edit an existing list entry, or enter a new virus pattern to create a new list entry.

prefix {enable | disable}
    Enable to match the virus pattern with the beginning of any virus name. Disable to match the virus pattern with all of any virus name. With the prefix setting enabled, a prefix match entry for BDoor will generate a notification message for any of the dozens of virus variants starting with BDoor. For example, a pattern of BDoor.ACJ!tr.bdr with the prefix setting disabled will have the FortiGate unit check for a virus with that exact name.
    Default: enable

status {enable | disable}
    If required, you can disable a notification entry without removing it from the list. The FortiGate unit will ignore the list entry. By default, all list entries are enabled as soon as you create them.
    Default: enable

History

FortiOS Carrier v3.0 MR5    New.

Related topics
• antivirus filepattern
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service

quarantine

Use this command to set file quarantine options.

FortiGate units with a local disk can quarantine blocked and infected files. The quarantined files are removed from the content stream and stored on the FortiGate local disk. Users receive a message informing them that the removed files have been quarantined.

View the file names and status information about the file in the quarantined file list. Submit specific files and add file patterns to the autoupload list so they are automatically uploaded to Fortinet for analysis.

FortiGate units that do not have a local disk can quarantine blocked and infected files to a FortiAnalyzer unit.

Syntax

config antivirus quarantine
    set agelimit <hours_integer>
    set drop-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set drop-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set drop-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
    set lowspace {drop-new | ovrw-old}
    set maxfilesize <MB_integer>
    set quar-to-fortianalyzer {enable | disable}
    set store-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
end

Keywords and variables

agelimit <hours_integer>
    Specify how long files are kept in quarantine to a maximum of 479 hours. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached the TTL column displays EXP and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely depending on low disk space action.
    Default: 0

drop-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine blocked files found in traffic for the specified protocols. The files are deleted. MM1, MM3, MM4, and MM7 traffic types supported in FortiOS Carrier. NNTP support for this keyword will be added in the future.

drop-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine files found by heuristic scanning in traffic for the specified protocols. MM1, MM3, MM4, and MM7 traffic types supported in FortiOS Carrier. NNTP support for this keyword will be added in the future.

drop-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Do not quarantine virus infected files found in traffic for the specified protocols. MM1, MM3, MM4, and MM7 traffic types supported in FortiOS Carrier. NNTP support for this keyword will be added in the future.

drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
    Do not quarantine intercepted files found in traffic for the specified protocols. The files are deleted.

lowspace {drop-new | ovrw-old}
    Select the method for handling additional files when the FortiGate hard disk is running out of space. Enter ovrw-old to drop the oldest file (lowest TTL), or drop-new to drop new quarantine files.
    Default: ovrw-old

maxfilesize <MB_integer>
    Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any existing quarantined files over the limit. The FortiGate unit does not quarantine any new files larger than this value. The file size range is 0-499 MB. Enter 0 for unlimited file size.
    Default: 0

quar-to-fortianalyzer {enable | disable}
    For FortiGate units that do not have a local disk, send infected files to a FortiAnalyzer unit.
    Default: disable

store-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine blocked files found in traffic for the specified protocols. MM1, MM3, MM4, and MM7 traffic types supported in FortiOS Carrier. NNTP support for this keyword will be added in the future.

store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine files found by heuristic scanning in traffic for the specified protocols. MM1, MM3, MM4, and MM7 traffic types supported in FortiOS Carrier. NNTP support for this keyword will be added in the future.

store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    Quarantine virus infected files found in traffic for the specified protocols. MM1, MM3, MM4, and MM7 traffic types supported in FortiOS Carrier. NNTP support for this keyword will be added in the future.

store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
    Quarantine intercepted files found in traffic for the specified protocols.

Example

This example shows how to set the quarantine age limit to 100 hours, not quarantine blocked files from SMTP and POP3 traffic, not quarantine heuristic tagged files from SMTP and POP3 traffic, set the quarantine to drop new files if the memory is full, set the maximum file size to quarantine at 2 MB, quarantine files from IMAP traffic with blocked status, and quarantine files with heuristic status in IMAP, HTTP, and FTP traffic.

config antivirus quarantine
    set agelimit 100
    set drop-blocked smtp pop3
    set drop-heuristic smtp pop3
    set lowspace drop-new
    set maxfilesize 2
    set store-blocked imap
    set store-heuristic imap http ftp
end

History

FortiOS v2.80        Substantially revised.
FortiOS v2.80 MR2    The enable_auto_upload keyword was changed to enable-auto-submit.
FortiOS v3.0         Removed set enable-auto-submit, set use-status, set sel-status, set use-fpat.
FortiOS v3.0 MR5     Added IM and NNTP options.

Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarfilepattern
• antivirus service

quarfilepattern

Use this command to configure the file patterns used by automatic file uploading.

Configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Add file patterns to be uploaded to the autoupload list using the * wildcard character. File patterns are applied for autoupload regardless of file blocking settings. Also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. For more information, see antivirus quarantine.

This command is only available on FortiGate units with a hard drive.

Syntax

config antivirus quarfilepattern
    edit pattern_str
        set status {enable | disable}
end

Keywords and variables

pattern_str
    The file pattern to be quarantined.

status {enable | disable}
    Enable or disable using a file pattern.
    Default: disable

Example

Use the following commands to enable automatic upload of *.bat files.

config antivirus quarfilepattern
    edit *.bat
        set status enable
end

History

FortiOS v2.80       New.
FortiOS v3.0 MR5    Entire command removed.

Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus service

service

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in HTTP, HTTPS, FTP, IMAP, POP3, SMTP, IM, and NNTP traffic and what ports the FortiGate unit scans for these services. For HTTPS, you can only configure the ports.

How file size limits work

The uncompsizelimit applies to the uncompressed size of the file. If other files are included within the file, the uncompressed size of each one is checked against the uncompsizelimit value. If any one of the uncompressed files is larger than the limit, the file is passed without scanning, but the total size of all uncompressed files within the original file can be greater than the uncompsizelimit.

Note: If the file in uncompnestlimit has more levels than the limit you set, or if the file in uncompsizelimit is larger than the limit you set, the file will pass through without being virus scanned.

Syntax

config antivirus service <service_str>
    set port <port_integer>
    set scan-bzip2 {enable | disable}
    set uncompnestlimit <depth_integer>
    set uncompsizelimit <MB_integer>
    set block-page-status-code <integer>
end

Keywords and variables

<service_str>
    The service being configured: HTTP, HTTPS, FTP, IMAP, NNTP, POP3, SMTP, IM.

port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for the service. Add up to 20 ports. Use ports from the range 1-65535. Enter "?" to display the range for your FortiGate unit.
    Default: HTTP: 80, HTTPS: 443, FTP: 21, IMAP: 143, NNTP: 119, POP3: 110, SMTP: 25

scan-bzip2 {enable | disable}
    Enable to allow the antivirus engine to scan the contents of bzip2 compressed files. Bzip2 scanning is extremely CPU intensive. Unless this feature is required, leave scan-bzip2 disabled. Bzip2 support is disabled by default. Requires antivirus engine 1.90 for full functionality.
    Default: disable

uncompnestlimit <depth_integer>
    Set the maximum number of archives in depth the AV engine will scan with nested archives. The limit is from 2 to 100.
    Default: 12

uncompsizelimit <MB_integer>
    Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a value in megabytes between 1 and the maximum oversize threshold. Enter 0 for no limit (not recommended). The supported compression formats are arj, bzip2, cab, gzip, lha, lzh, msc, rar, tar, and zip.
    Default: 10 (MB)

block-page-status-code <integer>
    Set a return code for HTTP replacement pages. This keyword is only for the HTTP service.
    Default: 200

Example

This example shows how to set the maximum uncompressed file size that can be buffered to memory for scanning at 15 MB, and how to enable antivirus scanning on ports 70, 80, and 443 for HTTP traffic.

config antivirus service http
    set uncompsizelimit 15
    set port 70
    set port 80
    set port 443
end

History

FortiOS v2.80        Substantially revised.
FortiOS v2.80 MR6    Added scan_bzip2.
FortiOS v2.80 MR7    Removed diskfilesizelimit keyword. Added uncompsizelimit keyword.
FortiOS v3.0         Combined all services into one section. Removed client comforting and file size limit commands.
FortiOS v3.0 MR3     Added IM.
FortiOS v3.0 MR7     Added support for HTTPS. But only ports can be configured. Added return code selection for HTTP replacement pages.

Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus quarfilepattern
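The "How file size limits work" rule and the uncompnestlimit note, as an added example that is not Fortinet's engine: each member's uncompressed size is checked on its own against uncompsizelimit (so three 600 KB members pass a 1 MB limit even though they total 1.8 MB), one oversized member or an archive nested deeper than uncompnestlimit makes the whole file pass unscanned. Only ZIP nesting is modelled; the archives are constructed in memory and the read cap on a lying size header is an addition of the example.

```python
import io
import zipfile

MB = 1024 * 1024


def make_zip(members):
    """Build an in-memory ZIP (constructed test data) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_archive(data, nest_limit=12, size_limit_mb=10, depth=1):
    """Decide whether an archive would be scanned under the two limits.

    Returns (decision, reason, total_uncompressed_bytes). decision is "scan" when
    every member at every level fits, and "pass-unscanned" as soon as one member
    exceeds uncompsizelimit or the nesting goes deeper than uncompnestlimit.
    A size limit of 0 means no limit, as on the unit."""
    if depth > nest_limit:
        return ("pass-unscanned",
                f"archive nested {depth} deep exceeds uncompnestlimit {nest_limit}", 0)
    limit = size_limit_mb * MB if size_limit_mb else None
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Declared size first (no inflation needed), then confirm while inflating
            # with a hard read cap so a lying header cannot force a huge allocation.
            if limit is not None and info.file_size > limit:
                return ("pass-unscanned",
                        f"{info.filename} ({info.file_size} B) exceeds uncompsizelimit", total)
            with zf.open(info) as member_file:
                member = member_file.read(limit + 1 if limit is not None else -1)
            if limit is not None and len(member) > limit:
                return ("pass-unscanned", f"{info.filename} inflates past uncompsizelimit", total)
            total += len(member)
            if member.startswith(b"PK\x03\x04"):   # member is itself a ZIP: go one level down
                decision, reason, inner = check_archive(member, nest_limit, size_limit_mb, depth + 1)
                total += inner
                if decision != "scan":
                    return (decision, reason, total)
    return ("scan", "every member within limits", total)


# Constructed archives: three 600 KB members (each under a 1 MB limit, 1.8 MB in
# total), one 1.5 MB member, and a ZIP nested three levels deep.
THREE_SMALL = make_zip({f"part{i}.bin": b"\x00" * (600 * 1024) for i in range(3)})
ONE_LARGE = make_zip({"big.bin": b"\x00" * (1536 * 1024)})
THREE_DEEP = make_zip({"level2.zip": make_zip({"level3.zip": make_zip({"f.txt": b"hi"})})})


def run_sample():
    """Run the four cases; keys name the scenario, values are check_archive results."""
    return {
        "three_small": check_archive(THREE_SMALL, size_limit_mb=1),
        "one_large": check_archive(ONE_LARGE, size_limit_mb=1),
        "deep_limit_2": check_archive(THREE_DEEP, nest_limit=2),
        "deep_limit_3": check_archive(THREE_DEEP, nest_limit=3),
    }


if __name__ == "__main__":
    for name, (decision, reason, total) in run_sample().items():
        print(f"{name:<13} {decision:<14} {total:>8} B  {reason}")
```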


firewall

Use firewall commands to configure firewall policies and the data they use, including protection profiles, schedules, addresses, services, IP addresses and virtual IP addresses. You can also configure DNS translation, IP/MAC binding, and multicast policies.

This chapter contains the following sections:
address, address6
addrgrp, addrgrp6
carrier-endpoint-bwl (FortiOS Carrier)
carrier-endpoint-ip-filter (FortiOS Carrier)
dnstranslation
gtp (FortiOS Carrier)
ipmacbinding setting
ipmacbinding table
ippool
ldb-monitor
mms-profile (FortiOS Carrier)
multicast-policy
policy, policy6
profile
schedule onetime
schedule recurring
service custom
service group
vip
vipgrp

address, address6

Use this command to configure firewall addresses used in firewall policies. An IPv4 firewall address is a set of one or more IP addresses, represented as a domain name, an IP address and a subnet mask, an IP address range, or an IP with a wildcard netmask. An IPv6 firewall address is an IPv6 6-to-4 address prefix.

Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. By default, FortiGate units have the firewall address All, which represents any IP address. If an address is selected in a policy, it cannot be deleted until it is deselected from the policy.

Syntax
config firewall address
    edit <name_str>
        set associated-interface <interface_str>
        set end-ip <address_ipv4>
        set fqdn <domainname_str>
        set start-ip <address_ipv4>
        set subnet <address_ipv4mask>
        set type {ipmask | iprange | fqdn | wildcard}
end
config firewall address6
    edit <name_str>
        set ip6 <address_ipv6prefix>
end

Keywords and variables
The following commands are for config firewall address.

<name_str>
    Enter the name of the address. No default.

associated-interface <interface_str>
    Enter the name of the associated interface. If not configured, the firewall address is bound to an interface during firewall policy configuration. No default.

end-ip <address_ipv4>
    If type is iprange, enter the last IP address in the range. Default: 0.0.0.0.

fqdn <domainname_str>
    If type is fqdn, enter the fully qualified domain name (FQDN). No default.

start-ip <address_ipv4>
    If type is iprange, enter the first IP address in the range. Default: 0.0.0.0.

subnet <address_ipv4mask>
    If type is ipmask, enter an IP address then its subnet mask, in dotted decimal format and separated by a space, or in CIDR format with no separation. For example, you could enter either:
    • 172.168.2.5/32
    • 172.168.2.5 255.255.255.255
    The IP address can be for a single computer or a subnetwork. The subnet mask corresponds to the class of the IP address being added.
    • A single computer's subnet mask is 255.255.255.255 or /32.
    • A class A subnet mask is 255.0.0.0 or /8.
    • A class B subnet mask is 255.255.0.0 or /16.
    • A class C subnet mask is 255.255.255.0 or /24.
    Default: 0.0.0.0 0.0.0.0.

type {ipmask | iprange | fqdn | wildcard}
    Select whether this firewall address is a subnet address, an address range, a fully qualified domain name, or an IP with a wildcard netmask. Default: ipmask.

The following command is for config firewall address6.

<name_str>
    Enter the name of the IPv6 address prefix. No default.

ip6 <address_ipv6prefix>
    If the IP address is IPv6, enter an IPv6 IP address prefix. Default: ::/0.
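As an added illustration (not part of the Fortinet reference), the following Python parses the two subnet notations accepted by set subnet and decides whether an IP falls inside an address object of each type. The wildcard semantics (only the mask bits set to 1 are compared), the resolved field standing in for the FQDN lookup, and the Example_Wildcard entry are assumptions made for this example.

```python
import ipaddress


def parse_subnet(value: str) -> ipaddress.IPv4Network:
    """Parse the value given to 'set subnet' in either accepted form:
    '172.168.2.5/32' (CIDR, no separation) or '172.168.2.5 255.255.255.255'
    (dotted-decimal mask separated by a space)."""
    parts = value.split()
    if len(parts) == 2:
        value = f"{parts[0]}/{parts[1]}"   # ipaddress accepts a dotted mask after '/'
    elif len(parts) != 1:
        raise ValueError(f"malformed subnet value: {value!r}")
    # strict=False lets a host address carry a shorter mask, as the CLI allows
    return ipaddress.ip_network(value, strict=False)


def address_matches(addr: dict, ip: str) -> bool:
    """Decide whether ip belongs to a firewall address object.

    addr mirrors the CLI keywords: 'type' plus 'subnet', 'start-ip'/'end-ip'
    or 'fqdn'. For type wildcard, 'subnet' holds 'ip mask' and only the mask
    bits set to 1 must match (assumption: a wildcard mask need not be contiguous).
    'resolved' is a constructed stand-in for the FQDN lookup so this runs offline.
    """
    host = ipaddress.IPv4Address(ip)
    kind = addr["type"]
    if kind == "ipmask":
        return host in parse_subnet(addr["subnet"])
    if kind == "iprange":
        first = ipaddress.IPv4Address(addr["start-ip"])
        last = ipaddress.IPv4Address(addr["end-ip"])
        return first <= host <= last
    if kind == "wildcard":
        base, mask = addr["subnet"].split()
        m = int(ipaddress.IPv4Address(mask))
        return (int(host) & m) == (int(ipaddress.IPv4Address(base)) & m)
    if kind == "fqdn":
        return host in {ipaddress.IPv4Address(a) for a in addr.get("resolved", ())}
    raise ValueError(f"unknown address type {kind!r}")


# Constructed address objects following the page's Example entries, plus a
# hypothetical wildcard entry that matches host .56 in any 192.168.x.0/24.
EXAMPLE_ADDRESSES = {
    "Example_Subnet": {"type": "ipmask", "subnet": "192.168.1.0 255.255.255.0"},
    "Example_Range": {"type": "iprange", "start-ip": "10.10.10.10", "end-ip": "10.10.10.30"},
    "Example_Domain": {"type": "fqdn", "fqdn": "www.example.com", "resolved": ["203.0.113.10"]},
    "Example_Wildcard": {"type": "wildcard", "subnet": "192.168.0.56 255.255.0.255"},
}


def matching_addresses(ip: str, addresses=EXAMPLE_ADDRESSES) -> list:
    """Names of all address objects that contain ip (what a policy lookup would consult)."""
    return [name for name, addr in addresses.items() if address_matches(addr, ip)]
```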

Example
This example shows how to add one IPv4 address of each type: ipmask, iprange, and fqdn. It also shows how to configure an IPv6 address prefix.
config firewall address
    edit Example_Subnet
        set type ipmask
        set subnet 192.168.1.0 255.255.255.0
    next
    edit Example_Range
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.30
    next
    edit Example_Domain
        set type fqdn
        set fqdn www.example.com
end
config firewall address6
    edit Example_ipv6_Prefix
        set ip6 2002:CF8E:83CA::/48
end

History
FortiOS v2.80 Revised.
FortiOS v3.0 Substantially revised. Added fqdn. Requiring that an address be added to an interface removed. Added option associated-interface.
FortiOS v3.0 MR4 IP address range option added.
FortiOS v3.0 MR7 Added wildcard as type. Allows for firewall address with a wildcard netmask.

Related topics
• firewall addrgrp, addrgrp6
• firewall policy, policy6

addrgrp, addrgrp6

Use this command to configure firewall address groups used in firewall policies. You can organize related firewall addresses into firewall address groups to simplify firewall policy configuration. For example, rather than creating three separate firewall policies for three firewall addresses, you could create a firewall address group consisting of the three firewall addresses, then create one firewall policy using that firewall address group.

Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. If an address group is selected in a policy, it cannot be deleted unless it is first deselected in the policy.

Syntax
config firewall addrgrp, addrgrp6
    edit <name_str>
        set member <name_str>
end

Keywords and variables

<name_str>
    Enter the name of the address group. No default.

member <name_str>
    Enter one or more names of firewall addresses to add to the address group. Separate multiple names with a space. To remove an address name from the group, retype the entire new list, omitting the address name. No default.

Example
This example shows how to add two firewall addresses to a firewall address group.
config firewall addrgrp
    edit Group1
        set member Example_Subnet Example_Range
end

History
FortiOS v2.80 Revised.

Related topics
• firewall address, address6
• firewall policy, policy6

carrier-endpoint-bwl (FortiOS Carrier)

In FortiOS Carrier, you can use the Carrier End Points of a sender to provide logging and reporting details to the mobile operator. The Carrier End Point feature also provides information about the identity of a sender of infected content.

With Carrier End Point MMS filtering, you can filter MM1/3/4/7 messages by the Carrier End Point specified in the From or To addresses. The Carrier End Point addresses to be filtered are compiled in a list, and any messages that have addresses matching an entry in the list can be blocked, archived to a FortiAnalyzer unit, or intercepted. From a protection profile, it is possible to enable a BLOCK or ARCHIVE option for a list of Carrier End Points from a catalog of lists. There can be multiple Carrier End Point filter lists that can be associated with each protection profile.

When a user request arrives, the user's Carrier End Point is checked to determine the protection profile that should be applied. If the user is found in the table, the specified protection profile is applied; otherwise the default profile specified in the firewall policy is applied.

Syntax
config firewall carrier-endpoint-bwl
    edit <carr-endpnt-lst-integer>
        set comment <carr_endpnt_lst_comment>
        config entries
            edit <carr_endpnt_pattern>
                set pattern-type {regexp | wildcard | simple}
                set action {none | block | exempt-mass-MMS | exempt}
                set log-action {archive | intercept}
                set status {enable | disable}
            next
        end
        set name <carr_endpnt_lst_name>
    next
end

Keywords and variables

<carr-endpnt-lst-integer>
    A unique number to identify the Carrier End Point filter list. No default.

comment <carr_endpnt_lst_comment>
    Optional description of the Carrier End Point filter list. The comment text must be less than 63 characters long, or it will be truncated. Spaces are replaced with a plus sign (+). Default: null.

name <carr_endpnt_lst_name>
    The name of the Carrier End Point filter list.

<carr_endpnt_pattern>
    The Carrier End Point pattern to use for filtering/searching. No default.

action {none | block | exempt-mass-MMS | exempt}
    The action to take if the Carrier End Point expression is found in the list. Default: block.
    • none: no action is taken
    • block: message is not delivered to intended recipient, log message in AV LOG as blocked due to Carrier End Point
    • exempt-mass-MMS: no mass MMS scanning performed
    • exempt: exempt user messages from all scanning

log-action {archive | intercept}
    The log action (or both actions, archive and intercept) to take if the Carrier End Point expression is found in the list. Default: disable.
    • archive: message is delivered to intended recipient, MMS transaction forwarded to FortiAnalyzer archive, entry generated in content summary for FortiGate unit
    • intercept: message delivered to intended recipient, log message in AV LOG as intercepted due to Carrier End Point, files are quarantined based on quarantine configuration

pattern-type {regexp | wildcard | simple}
    Set the pattern type for the banned Carrier End Point expression. Choose from regexp, wildcard, or simple. Create patterns for banned Carrier End Point expressions using Perl regular expressions or wildcards. Default: wildcard.

status {enable | disable}
    Enable Carrier End Point filter search for the Carrier End Point expression in carr-endpnt-expression. Default: disable.

Example
The following example details the Carrier End Point filter list EndPoint2+List. Entries combine features including the action (none, block, exempt from mass MMS, exempt from all scanning), status (enable/disable), and pattern type (wildcard/regular expression/single End Point).
config firewall carrier-endpoint-bwl
    edit 2
        set comment "Description+of+EndPoint2+list."
        config entries
            edit "*504*"
                set action exempt-mass-mms
                set pattern-type wildcard
                set status enable
            next
            edit "6449675"
                set pattern-type regexp
                set status enable
            next
            edit "6132259381"
                set action block
                set log-action archive intercept
                set pattern-type simple
                set status enable
            next
            edit "*555*"
                set action exempt-mass-mms
                set log-action archive intercept
                set pattern-type wildcard
                set status enable
            next
        end
        set name "EndPoint+List+2"
    next
end

History
FortiOS Carrier v3.0 MR2 New.
FortiOS Carrier v3.0 MR3 Changed MSISDN (msisdn) values to End Point (endpoint), and changed description/contents of action and pattern-type.
FortiOS Carrier v3.0 MR4 Added log-action.
FortiOS Carrier v3.0 MR5 Changed endpoint-bwl to carrier-endpoint-bwl. Changed command to config firewall from config user.

Related topics
• carrier-endpoint-ip-filter (FortiOS Carrier)
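To make the filter list's matching rules concrete, here is an added Python model (not Fortinet code) that evaluates a Carrier End Point against the entries of the example list above, applying the table's defaults for omitted keywords (action block, pattern-type wildcard, status disable). First-match-wins ordering and the sender-before-recipient precedence in filter_message are assumptions made for this example.

```python
import re
from fnmatch import fnmatchcase


def pattern_matches(pattern: str, pattern_type: str, endpoint: str) -> bool:
    """Match one list entry against a Carrier End Point taken from an MMS From/To address."""
    if pattern_type == "simple":      # a single End Point, compared exactly
        return endpoint == pattern
    if pattern_type == "wildcard":    # '*' and '?' wildcards, as in the example list
        return fnmatchcase(endpoint, pattern)
    if pattern_type == "regexp":      # Perl-style regular expression, searched anywhere
        return re.search(pattern, endpoint) is not None
    raise ValueError(f"unknown pattern-type {pattern_type!r}")


def evaluate_endpoint(entries: list, endpoint: str):
    """Return (action, log_actions) from the first enabled entry that matches,
    or None when nothing matches. Missing keywords take the table's defaults:
    action block, pattern-type wildcard, status disable, no log-action.
    Assumption: entries are evaluated in list order and the first hit wins."""
    for entry in entries:
        if entry.get("status", "disable") != "enable":
            continue                      # disabled entries are never searched
        if pattern_matches(entry["pattern"], entry.get("pattern-type", "wildcard"), endpoint):
            return entry.get("action", "block"), tuple(entry.get("log-action", ()))
    return None


def filter_message(entries: list, sender: str, recipient: str):
    """Apply the list to both addresses of an MM1/3/4/7 message. Assumption:
    the sender's result takes precedence, so a matched sender decides the outcome."""
    return evaluate_endpoint(entries, sender) or evaluate_endpoint(entries, recipient)


# The four entries of the page's example list "EndPoint+List+2", as dicts.
ENDPOINT_LIST_2 = [
    {"pattern": "*504*", "action": "exempt-mass-mms", "pattern-type": "wildcard",
     "status": "enable"},
    {"pattern": "6449675", "pattern-type": "regexp", "status": "enable"},
    {"pattern": "6132259381", "action": "block", "log-action": ["archive", "intercept"],
     "pattern-type": "simple", "status": "enable"},
    {"pattern": "*555*", "action": "exempt-mass-mms", "log-action": ["archive", "intercept"],
     "pattern-type": "wildcard", "status": "enable"},
]
```

Note that the regexp entry "6449675" carries no explicit action, so a matching End Point is blocked by default, which is easy to overlook when reading the CLI listing.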

carrier-endpoint-ip-filter (FortiOS Carrier)

In mobile networks, neither the user name nor the IP address can be used to identify a specific user. The only element unique to a user is the Carrier End Point. The Carrier End Point IP filter provides a mechanism to block network access for a specific list of Carrier End Points, in addition to the black/white list capability for MMS transactions configured in the protection profile.

The Carrier End Point IP filter feature uses a Carrier End Point filter list created using the CLI command config firewall carrier-endpoint-bwl. To set up a Carrier End Point IP filter, you must create the Carrier End Point filter list prior to enabling the Carrier End Point IP filter feature.

Syntax
config firewall carrier-endpoint-ip-filter
    edit <carr_endpnt>
        set log-status {enable | disable}
        set status {enable | disable}
    next
end

Keywords and variables

<carr_endpnt>
    The carrier end point to be blocked. No default.

log-status {enable | disable}
    Enable or disable writing a log message when the carrier end point is blocked. Default: disable.

status {enable | disable}
    Enable or disable blocking the carrier end point. Default: disable.

History
FortiOS Carrier v3.0 MR3 New.
FortiOS Carrier v3.0 MR4 Replaced references to MSISDN with End Point.
FortiOS Carrier v3.0 MR5 Command moved from config user to config firewall.

Related topics
• carrier-endpoint-bwl (FortiOS Carrier)

dnstranslation

Use this command to add, edit or delete a DNS translation entry. If DNS translation is configured, the FortiGate unit rewrites the payload of outbound DNS query replies from internal DNS servers, replacing the resolved names' internal network IP addresses with external network IP address equivalents, such as a virtual IP address on a FortiGate unit's external network interface. This allows external network hosts to use an internal network DNS server for domain name resolution of hosts located on the internal network.

For example, if a virtual IP provided network address translation (NAT) between a public network, such as the Internet, and a private network containing a web server, hosts on the public network could access the web server by using its virtual IP address. However, if hosts attempted to access the web server by domain name, and the DNS server performing name resolution for that domain name was also located on the private network, the DNS query reply would contain a private network IP address, which is not routable from the external network. To solve this, you might configure DNS translation, and substitute the web server's private network IP address with the virtual IP address in DNS query replies to the public network.

Syntax
config firewall dnstranslation
    edit <index_int>
        set dst <destination_ipv4>
        set netmask <address_ipv4mask>
        set src <source_ipv4>
end

Keywords and variables

<index_int>
    Enter the unique ID number of the DNS translation entry. No default.

dst <destination_ipv4>
    Enter the IP address or subnet on the external network to substitute for the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst. dst can be either a single IP address or a subnet on the external network, but must be equal in number to the number of mapped IP addresses in src. If src is a subnet, dst must also be a subnet, like src. If src is a single IP address, dst must be a single IP address; it cannot be DNS translated into a dst subnet. Default: 0.0.0.0.

netmask <address_ipv4mask>
    If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst. Default: 0.0.0.0.

src <source_ipv4>
    Enter the IP address or subnet on the internal network to compare with the resolved address in DNS query replies. DNS translation mappings between src and dst must be one-to-one; you cannot create one-to-many or many-to-one mappings. Default: 0.0.0.0.

Example
This example shows how to translate the resolved addresses in DNS query replies, from an internal (source) subnet to an external (destination) subnet.
config firewall dnstranslation
    edit 1
        set src 192.168.100.12
        set dst 172.16.200.190
        set netmask 255.255.255.0
end
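The one-to-one subnet mapping described above, as an added Python example (not Fortinet code) that applies the Example entry to the A records of a constructed outbound reply. Two assumptions are made here: the default netmask 0.0.0.0 means src and dst are single hosts, and for subnet entries a resolved address keeps its host bits and receives dst's network bits.

```python
import ipaddress


def dns_translate(resolved: str, src: str, dst: str, netmask: str = "0.0.0.0") -> str:
    """Apply one 'config firewall dnstranslation' entry to a resolved address.

    With the default netmask 0.0.0.0, src and dst are treated as single hosts
    (assumption: the keyword table asks for a netmask only when both are subnets).
    Otherwise src and dst are subnets sharing the netmask: a resolved address inside
    the src subnet keeps its host bits and takes dst's network bits, which is what
    keeps the mapping one-to-one (assumption). Anything else is returned unchanged.
    """
    addr = ipaddress.IPv4Address(resolved)
    if netmask == "0.0.0.0":
        return dst if addr == ipaddress.IPv4Address(src) else resolved
    src_net = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
    dst_net = ipaddress.ip_network(f"{dst}/{netmask}", strict=False)
    if addr not in src_net:
        return resolved
    host_bits = int(addr) & int(src_net.hostmask)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) | host_bits))


def rewrite_reply(answers: list, entries: list) -> list:
    """Rewrite the A records of an outbound DNS reply; the first matching entry wins.

    answers: list of (name, ip) tuples. entries: dicts carrying the CLI keywords
    src, dst and optional netmask, ordered by their index number.
    """
    rewritten = []
    for name, ip in answers:
        new_ip = ip
        for entry in entries:
            candidate = dns_translate(ip, entry["src"], entry["dst"],
                                      entry.get("netmask", "0.0.0.0"))
            if candidate != ip:
                new_ip = candidate
                break
        rewritten.append((name, new_ip))
    return rewritten


# Entry 1 from the page's Example: internal 192.168.100.0/24 mapped onto 172.16.200.0/24.
EXAMPLE_ENTRIES = [
    {"src": "192.168.100.12", "dst": "172.16.200.190", "netmask": "255.255.255.0"},
]

# Constructed reply from an internal DNS server as it would leave the FortiGate unit.
SAMPLE_ANSWERS = [
    ("www.example.com", "192.168.100.12"),
    ("mail.example.com", "192.168.100.25"),
    ("extern.example.net", "198.51.100.7"),   # not in any src subnet: left untouched
]
```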

History
FortiOS v2.80 Revised.

Related topics
• firewall vip

gtp (FortiOS Carrier)
Use this command to configure GTP (GPRS Tunneling Protocol) profiles.

Syntax
config firewall gtp
    edit <name_str>
        config apn
            edit <index_int>
                set action {allow | deny}
                set selection-mode {ms net vrf}
                set value <networkid_str>
            end
        config ie-remove-policy
            edit <index_int>
                set remove-ies {apn-restriction rat-type rai uli imei}
                set sgsn-addr <addr/group_str>
            end
        config imsi
            edit <index_int>
                set action {allow | deny}
                set apn <networkid_str>
                set mcc-mnc <mccmnc_str>
                set selection-mode {ms net vrf}
            end
        config ip-policy
            edit <index_int>
                set action {allow | deny}
                set dstaddr <address_str>
                set srcaddr <address_str>
            end
        config noip-policy
            edit <index_int>
                set action {allow | deny}
                set start <protocol_int>
                set end <protocol_int>
                set type {etsi | ietf}
            end
        config policy
            edit <index_int>
                set action {allow | deny}
                set apn <apn_str>
                set imei <imei_str>
                set imsi <imsi_str>
                set max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
                set messages {create-req create-res update-req update-res}
                set rai <rai_str>
                set rat-type {any geran utran wlan}
                set uli <uli_str>
            end
        set addr-notify <Gi_ipv4>
        set apn-filter {enable | disable}
        set authorized-sgsns <addr/grp_str>
        set context-id <id_int>
        set control-plane-message-rate-limit <limit_int>
        set create-aa-pdp {allow | deny}
        set create-pdp {allow | deny}
        set data-record {allow | deny}
        set default-apn-action {allow | deny}
        set default-imsi-action {allow | deny}
        set default-ip-action {allow | deny}
        set default-noip-action {allow | deny}
        set default-policy-action {allow | deny}
        set delete-aa-pdp {allow | deny}
        set delete-pdp {allow | deny}
        set denied-log {enable | disable}
        set echo {allow | deny}
        set error-indication {allow | deny}
        set extension-log {enable | disable}
        set failure-report {allow | deny}
        set forwarded-log {enable | disable}
        set fwd-relocation {allow | deny}
        set fwd-srns-context {allow | deny}
        set gtp-in-gtp {allow | deny}
        set gtp-pdu {allow | deny}
        set handover-group
        set identification {allow | deny}
        set ie-remover {enable | disable}
        set imsi-filter {enable | disable}
        set interface-notify <interface_str>
        set invalid-reserved-field {allow | deny}
        set ip-filter {enable | disable}
        set log-freq <drop_int>
        set max-message-length <bytes_int>
        set min-message-length <bytes_int>
        set miss-must-ie {allow | deny}
        set node-alive {allow | deny}
        set noip-filter {enable | disable}
        set note-ms-present {allow | deny}
        set out-of-state-ie {allow | deny}
        set out-of-state-message {allow | deny}
        set pdu-notification {allow | deny}
        set policy-filter {enable | disable}
        set port-notify <port_int>
        set ran-info {allow | deny}
        set rate-limited-log {enable | disable}
        set redirection {allow | deny}
        set relocation-cancel {allow | deny}
        set reserved-ie {allow | deny}
        set send-route {allow | deny}
        set seq-number-validate {enable | disable}
        set sgsn-context {allow | deny}
        set spoof-src-addr {allow | deny}
        set state-invalid-log {enable | disable}
        set support-extension {allow | deny}
        set traffic-count-log {enable | disable}
        set tunnel-limit <limit_int>
        set tunnel-limit-log {enable | disable}
        set tunnel-timeout <time_int>
        set unknown-message-action {allow | deny}
        set update-pdp {allow | deny}
        set version-not-support {allow | deny}
end
Keywords and variables

<name_str>
    Enter the name of this GTP profile. No default.

apn
The following commands are the options for config apn.

<index_int>
    Enter the unique ID number of the APN filter profile. No default.

action {allow | deny}
    Select to allow or deny traffic matching both the APN and Selection Mode specified for this APN filter profile. Default: allow.

selection-mode {ms net vrf}
    Select the selection mode or modes required for the APN. The selection mode indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription. Default: ms net vrf.
    • Enter ms to specify a mobile station provided APN, subscription not verified. This Selection Mode indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user's subscription to the network.
    • Enter net to specify a network-provided APN, subscription not verified. This Selection Mode indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user's subscription to the network.
    • Enter vrf to specify a mobile station or network-provided APN, subscription verified. This Selection Mode indicates that the MS or the network provided the APN and that the HLR verified the user's subscription to the network.

value <networkid_str>
    Enter the network ID and operator ID of the APN. No default.

ie-remove-policy
The following commands are the set options for config ie-remove-policy.

<index_int>
    Enter the unique ID number of the IE removal policy. No default.

remove-ies {apn-restriction rat-type rai uli imei}
    Select the information elements to be removed from messages prior to being forwarded to the HGGSN. Any combination of R6 information elements (RAT, RAI, ULI, IMEI-SV and APN restrictions) may be specified. Default: apn-restriction rat-type rai uli imei.

sgsn-addr <addr/group_str>
    Enter an SGSN address or group the IE removal policy will be applied to. Default: all.

imsi
The following commands are the options for config imsi.

<index_int>
    Enter the unique ID number of the IMSI filtering policy. No default.

action {allow | deny}
    Select to allow or deny traffic matching both the APN and Selection Mode specified for this IMSI filtering policy. Default: allow.

apn <networkid_str>
    Enter the network ID and operator ID of the APN. No default.

mcc-mnc <mccmnc_str>
    Enter the MCC and MNC. No default.

selection-mode {ms net vrf}
    Select the selection mode or modes. The selection mode indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription. Default: ms net vrf.
    • Enter ms to specify a mobile station provided APN, subscription not verified. This Selection Mode indicates that the mobile station (MS) provided the APN and that the HLR did not verify the user's subscription to the network.
    • Enter net to specify a network-provided APN, subscription not verified. This Selection Mode indicates that the network provided a default APN because the MS did not specify one, and that the HLR did not verify the user's subscription to the network.
    • Enter vrf to specify a mobile station or network-provided APN, subscription verified. This Selection Mode indicates that the MS or the network provided the APN and that the HLR verified the user's subscription to the network.

ip-policy
The following commands are the options for config ip-policy.

<index_int>
    Enter the unique ID number of the encapsulated IP traffic filtering policy. No default.

action {allow | deny}
    Select to allow or deny traffic matching both the source and destination addresses specified for this policy. Default: allow.

dstaddr <address_str>
    Enter the name of a destination address or address group. No default.

srcaddr <address_str>
    Enter the name of a source address or address group. No default.

noip-policy
The following commands are the options for config noip-policy.

<index_int>
    Enter the unique ID number of the encapsulated non-IP traffic filtering policy. No default.

action {allow | deny}
    Select to allow or deny traffic matching the message protocol specified for this policy. Default: allow.

start <protocol_int>
    Enter the number of the start protocol. Acceptable values range from 0 to 255. Default: 0.

end <protocol_int>
    Enter the number of the end protocol. Acceptable values range from 0 to 255. Default: 0.

type {etsi | ietf}
    Select an ETSI or IETF protocol type. Default: etsi.

policy
The following commands are the options for config policy.

<index_int>
    Enter the unique ID number of the advanced filtering policy. No default.

action {allow | deny}
    Select to allow or deny traffic matching the message attributes specified for this advanced filtering policy. Default: allow.

apn <apn_str>
    Enter the APN suffix, if required. No default.

imei <imei_str>
    Enter the IMEI (SV) pattern, if required. No default.

imsi <imsi_str>
    Enter the IMSI prefix, if required. No default.

max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
    Select the maximum APN restriction. Default: all.


messages {create-req create-res update-req update-res}
    Enter the type or types of GTP messages. Default: create-req.

rai <rai_str>
    Enter the RAI pattern. No default.

rat-type {any geran utran wlan}
    Enter the RAT type or types. Default: any.

uli <uli_str>
    Enter the ULI pattern. No default.

The following commands are the options for edit <profile_str>.

addr-notify <Gi_ipv4>
    Enter the IP address of the Gi firewall. Default: 0.0.0.0.

apn-filter {enable | disable}
    Select to apply APN filter policies. Default: disable.

authorized-sgsns <addr/grp_str>
    Enter authorized SGSN addresses or groups. Any SGSN groups not specified will not be able to send packets to the GGSN. All firewall addresses and groups defined on the FortiGate unit are available for use with this command. Default: all.

context-id <id_int>
    Enter the security context ID. This ID must match the ID entered on the server Gi firewall. Default: 696.

control-plane-message-rate-limit <limit_int>
    Enter the control plane message rate limit. Acceptable rate values range from 0 (no limiting) to 2147483674 packets per second. FortiGate units can limit the packet rate to protect the GSNs from possible Denial of Service (DoS) attacks, such as Border gateway bandwidth saturation or a GTP flood. Default: 0.

create-aa-pdp {allow | deny}
    Select to allow or deny all create AA PDP messages. Default: allow.

create-pdp {allow | deny}
    Select to allow or deny all create PDP messages. Default: allow.

data-record {allow | deny}
    Select to allow or deny all data record messages. Default: allow.

default-apn-action {allow | deny}
    Select to allow or deny any APN that is not explicitly defined in an APN policy. Default: allow.

default-imsi-action {allow | deny}
    Select to allow or deny any IMSI that is not explicitly defined in an IMSI policy. Default: allow.

default-ip-action {allow | deny}
    Select to allow or deny any encapsulated IP address traffic that is not explicitly defined in an IP policy. Default: allow.

default-noip-action {allow | deny}
    Select to allow or deny any encapsulated non-IP protocol that is not explicitly defined in a non-IP policy. Default: allow.

default-policy-action {allow | deny}
    Select to allow or deny any traffic that is not explicitly defined in an advanced filtering policy. Default: allow.

delete-aa-pdp {allow | deny}
    Select to allow or deny all delete AA PDP messages. Default: allow.

delete-pdp {allow | deny}
    Select to allow or deny all delete PDP messages. Default: allow.

denied-log {enable | disable}
    Select to log denied GTP packets. Default: disable.

echo {allow | deny}
    Select to allow or deny all echo messages. Default: allow.

error-indication {allow | deny}
    Select to allow or deny all error indication messages. Default: allow.


extension-log {enable | disable}
    Select to log extended information about GTP packets. When enabled, this additional information will be included in log entries:
    • IMSI
    • MSISDN
    • APN
    • Selection Mode
    • SGSN address for signaling
    • SGSN address for user data
    • GGSN address for signaling
    • GGSN address for user data
    Default: disable.

failure-report {allow | deny}
    Select to allow or deny all failure report messages. Default: allow.

forwarded-log {enable | disable}
    Select to log forwarded GTP packets. Default: disable.

fwd-relocation {allow | deny}
    Select to allow or deny all forward relocation messages. Default: allow.

fwd-srns-context {allow | deny}
    Select to allow or deny all forward SRNS context messages. Default: allow.

gtp-in-gtp {allow | deny}
    Select to allow or deny GTP packets that contain another GTP packet in their message body. Default: allow.

gtp-pdu {allow | deny}
    Select to allow or deny all G-PDU messages. Default: allow.

handover-group
    Handover requests will be honored only from the addresses listed in the specified address group. This way, an untrusted GSN cannot hijack a GTP tunnel with a handover request.

identification {allow | deny}
    Select to allow or deny all identification messages. Default: allow.

ie-remover {enable | disable}
    Select whether to use information element removal policies. Default: disable.

imsi-filter {enable | disable}
    Select whether to use IMSI filter policies. Default: disable.

interface-notify <interface_str>
    Enter any local interface of the FortiGate unit. The interface IP address will be used to send the "clear session" message.

invalid-reserved-field {allow | deny}
    Select to allow or deny GTP packets with invalid reserved fields. Depending on the GTP version, a varying number of header fields are reserved and should contain specific values. If the reserved fields contain incorrect values, the packet will be blocked if this keyword is set to deny. Default: deny.

ip-filter {enable | disable}
    Select whether to use encapsulated IP traffic filtering policies. Default: disable.

log-freq <drop_int>
    Enter the number of messages to drop between logged messages. An overflow of log messages can sometimes occur when logging rate-limited GTP packets that exceed their defined threshold. To conserve resources on the syslog server and the FortiGate unit, you can specify that some log messages are dropped. For example, if you want only every twentieth message to be logged, set a logging frequency of 19. This way, 19 messages are skipped and the next one is logged. Acceptable frequency values range from 0 to 2147483674. When set to 0, no messages are skipped. Default: 0.


max-message-length <bytes_int>
    Enter the maximum GTP message size, in bytes, that the FortiGate unit will allow to pass. Acceptable values range from 0 to 2147483674 bytes. When set to 0, the maximum size restriction is disabled. Default: 1452.

min-message-length <bytes_int>
    Enter the minimum GTP message size, in bytes, that the FortiGate unit will allow to pass. Acceptable values range from 0 to 2147483674 bytes. When set to 0, the minimum size restriction is disabled. Default: 0.

miss-must-ie {allow | deny}
    Select to allow or deny passage of GTP packets with missing mandatory information elements to the GGSN. Default: deny.

node-alive {allow | deny}
    Select to allow or deny all node alive messages. Default: allow.

noip-filter {enable | disable}
    Enable or disable the configured encapsulated non-IP traffic filtering policies. Default: disable.

note-ms-present {allow | deny}
    Select to allow or deny all note MS GPRS present messages. Default: allow.

out-of-state-ie {allow | deny}
    Select to allow or deny passage of GTP packets with out of sequence information elements. Default: deny.

out-of-state-message {allow | deny}
    Select to allow or deny out of state messages. The GTP protocol requires a certain state to be kept by both the GGSN and SGSN. Since GTP has a state, some message types can only be sent when in specific states. Packets that do not make sense in the current state should be filtered or rejected. Default: deny.

pdu-notification {allow | deny}
    Select to allow or deny all PDU notification messages. Default: allow.

policy-filter {enable | disable}
    Enable or disable the configured advanced filtering policies. Default: disable.

port-notify <port_int>
    Enter the server firewall's listening port number. Default: 21123.

ran-info {allow | deny}
    Select to allow or deny all RAN info relay messages. Default: allow.

rate-limited-log {enable | disable}
    Enable or disable the logging of rate-limited GTP packets. Default: disable.

redirection {allow | deny}
    Select to allow or deny all redirection messages. Default: allow.

relocation-cancel {allow | deny}
    Select to allow or deny all relocation cancel messages. Default: allow.

reserved-ie {allow | deny}
    Select to allow or deny GTP messages with reserved or undefined information elements. Default: deny.

send-route {allow | deny}
    Select to allow or deny all send route messages. Default: allow.

seq-number-validate {enable | disable}
    Enable or disable sequence number validation. The GTP packet header contains a sequence number. The receiving GGSN and the sending GGSN use this number to ensure the packets are in sequence. The FortiGate unit can assume this task and save GGSN resources. Default: disable.

sgsn-context {allow | deny}
    Select to allow or deny all SGSN context messages. Default: allow.

spoof-src-addr {allow | deny}
    Select to allow or deny packets containing spoofed MS addresses. As the MS address is negotiated within the PDP Context creation handshake, any packets originating from the MS that contain a different source address will be detected and dropped if this keyword is set to deny. Default: deny.


state-invalid-log {enable | disable}
    Enable or disable the logging of GTP packets that have failed stateful inspection. Default: disable.

support-extension {allow | deny}
    Select to allow or deny all support extension messages. Default: allow.

traffic-count-log {enable | disable}
    Enable or disable logging the total number of control and user data messages received from and forwarded to the GGSNs and SGSNs the FortiGate unit protects. Default: disable.

tunnel-limit <limit_int>
    Enter the maximum number of GTP tunnels according to the GSN capacity. Default: 0.

tunnel-limit-log {enable | disable}
    Enable or disable logging of packets dropped because the maximum limit of GTP tunnels for the destination GSN is reached. Default: disable.

tunnel-timeout <time_int>
    Enter a tunnel timeout value, in seconds. By setting a timeout value, you can configure the FortiGate unit to remove hanging tunnels. Acceptable values range from 0 to 2147483674 seconds. When set to 0, the timeout is disabled. Default: 86400.

unknown-message-action {allow | deny}
    Select to allow or deny all unknown message types. Default: allow.

update-pdp {allow | deny}
    Select to allow or deny all update PDP messages. Default: allow.

version-not-support {allow | deny}
    Select to allow or deny all version not supported messages. Default: allow.
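To show how a handful of the profile keywords above act on a packet, here is an added Python example (not Fortinet code): it parses the fixed GTPv1 header, applies invalid-reserved-field, min/max-message-length and the per-message-type allow/deny keywords using the defaults from the table, and models the log-freq skip counter. The message-type table, the reserved-bit position (3GPP TS 29.060) and the echo request bytes are this example's own constructed inputs; state-dependent checks such as out-of-state-message or spoof-src-addr are out of scope.

```python
import struct

GTPV1_HEADER_LEN = 8      # mandatory part of the GTPv1 header (TS 29.060)
RESERVED_FLAG = 0x08      # octet 1 bit 4 is reserved and shall be 0 in GTPv1

# GTPv1 message types known to this example, mapped to the profile keyword that governs them.
MESSAGE_KEYWORD = {
    1: "echo", 2: "echo",                 # Echo Request / Echo Response
    3: "version-not-support",             # Version Not Supported
    16: "create-pdp", 17: "create-pdp",   # Create PDP Context Request / Response
    18: "update-pdp", 19: "update-pdp",
    20: "delete-pdp", 21: "delete-pdp",
    26: "error-indication",
    255: "gtp-pdu",                       # G-PDU (user data)
}

# Defaults taken from the keyword table for the checks implemented here.
DEFAULT_PROFILE = {
    "invalid-reserved-field": "deny",
    "max-message-length": 1452,
    "min-message-length": 0,
    "unknown-message-action": "allow",
    "echo": "allow", "version-not-support": "allow", "create-pdp": "allow",
    "update-pdp": "allow", "delete-pdp": "allow", "error-indication": "allow",
    "gtp-pdu": "allow",
}


def inspect_gtp(packet: bytes, overrides: dict = None) -> str:
    """Return 'allow' or 'deny' for one GTPv1 packet under a subset of profile checks.

    Order: header sanity, invalid-reserved-field, max/min-message-length (0 disables
    the bound), then the per-message-type keyword or unknown-message-action.
    """
    profile = dict(DEFAULT_PROFILE, **(overrides or {}))
    if len(packet) < GTPV1_HEADER_LEN:
        return "deny"                                  # truncated header
    flags, msg_type, _length = struct.unpack("!BBH", packet[:4])
    if flags >> 5 != 1:
        return "deny"                                  # only GTPv1 is parsed here
    if flags & RESERVED_FLAG and profile["invalid-reserved-field"] == "deny":
        return "deny"
    size = len(packet)
    if profile["max-message-length"] and size > profile["max-message-length"]:
        return "deny"
    if profile["min-message-length"] and size < profile["min-message-length"]:
        return "deny"
    keyword = MESSAGE_KEYWORD.get(msg_type)
    if keyword is None:
        return profile["unknown-message-action"]
    return profile[keyword]


class LogFreq:
    """log-freq: with freq=19, 19 messages are skipped and the 20th is logged; 0 skips none."""

    def __init__(self, freq: int):
        self.freq = freq
        self.skipped = 0

    def should_log(self) -> bool:
        if self.freq == 0:
            return True
        if self.skipped < self.freq:
            self.skipped += 1
            return False
        self.skipped = 0
        return True


# Constructed GTPv1 Echo Request: flags 0x32 (version 1, PT=1, S=1), type 1,
# length 4, TEID 0, sequence number 1, N-PDU 0, next extension header 0.
ECHO_REQUEST = bytes.fromhex("32 01 0004 00000000 0001 00 00")
```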

History
FortiOS v3.00 Revised.

Related topics
• firewall mms-profile (FortiOS Carrier)
• firewall policy, policy6

ipmacbinding setting
Use this command to configure IP to MAC address binding settings. IP/MAC binding protects the FortiGate unit and/or the network from IP address spoofing attacks. IP spoofing attacks attempt to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. It is simple to change a computer’s IP address to mimic that of a trusted host, but MAC addresses are often added to Ethernet cards at the factory, and are more difficult to change. By requiring that traffic from trusted hosts reflect both the IP address and MAC address known for that host, fraudulent connections are more difficult to construct. To configure the table of IP addresses and the MAC addresses bound to them, see “ipmacbinding table” on page 102. To enable or disable IP/MAC binding for an individual FortiGate unit network interface, see ipmac in “system interface” on page 395.
Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC binding list, the new or changed hosts will not have access to or through the FortiGate unit. For details on updating the IP/MAC binding table, see “ipmacbinding table” on page 102.

Caution: If a client receives an IP address from the FortiGate unit’s DHCP server, the client’s MAC address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding configuration, but can also neutralize protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP server.

!

Syntax
config firewall ipmacbinding setting
    set bindthroughfw {enable | disable}
    set bindtofw {enable | disable}
    set undefinedhost {allow | block}
end

Keywords and variables

bindthroughfw {enable | disable}
    Select to use IP/MAC binding to filter packets that a firewall policy would normally allow through the FortiGate unit.
    Default: disable

bindtofw {enable | disable}
    Select to use IP/MAC binding to filter packets that would normally connect to the FortiGate unit.
    Default: disable

undefinedhost {allow | block}
    Select how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list, for traffic going through or to the FortiGate unit.
    • allow: Allow packets with IP and MAC address pairs that are not in the IP/MAC binding list.
    • block: Block packets with IP and MAC address pairs that are not in the IP/MAC binding list.
    This option is available only when either or both of bindthroughfw and bindtofw are enable.
    Default: block

Example
This example shows how to enable IP/MAC binding for traffic both going to and through the FortiGate unit, and block undefined hosts (IP/MAC address pairs).

config firewall ipmacbinding setting
    set bindthroughfw enable
    set bindtofw enable
    set undefinedhost block
end

History
FortiOS v2.80 Revised.

Related topics
• firewall ipmacbinding table

ipmacbinding table
Use this command to configure IP and MAC address pairs in the IP/MAC binding table. You can bind multiple IP addresses to the same MAC address, but you cannot bind multiple MAC addresses to the same IP address. To configure the IP/MAC binding settings, see “ipmacbinding setting” on page 100. To enable or disable IP/MAC binding for an individual FortiGate unit network interface, see ipmac in “system interface” on page 395.
Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC binding list, the new or changed hosts will not have access to or through the FortiGate unit.

Caution: If a client receives an IP address from the FortiGate unit’s DHCP server, the client’s MAC address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding configuration, but can also neutralize the protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP server.

Syntax
config firewall ipmacbinding table
    edit <index_int>
        set ip <address_ipv4>
        set mac <address_hex>
        set name <name_str>
        set status {enable | disable}
    end

Keywords and variables

<index_int>
    Enter the unique ID number of this IP/MAC pair.
    Default: No default.

ip <address_ipv4>
    Enter the IP address to bind to the MAC address. To allow all packets with the MAC address, regardless of the IP address, set the IP address to 0.0.0.0.
    Default: 0.0.0.0

mac <address_hex>
    Enter the MAC address. To allow all packets with the IP address, regardless of the MAC address, set the MAC address to 00:00:00:00:00:00.
    Default: 00:00:00:00:00:00

name <name_str>
    Enter a name for this entry in the IP/MAC address table. (Optional.)
    Default: noname

status {enable | disable}
    Select to enable this IP/MAC address pair. Packets not matching any IP/MAC binding will be dropped. Packets matching an IP/MAC binding will be matched against the firewall policy list.
    Default: disable

Example
This example shows how to add and enable an IP/MAC entry in the IP/MAC binding table.

config firewall ipmacbinding table
    edit 1
        set ip 172.16.44.55
        set mac 00:10:F3:04:7A:4C
        set name RemoteAdmin
        set status enable
    end
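
The decision that the ipmacbinding setting and ipmacbinding table commands describe, as an added example in Python (not Fortinet's code and not the FortiGate implementation): the table keeps the one-MAC-per-IP rule and the 0.0.0.0 / 00:00:00:00:00:00 wildcards, and the setting supplies the bindthroughfw, bindtofw and undefinedhost switches. The Entry, Setting, IpMacTable and decide names, the sample rows and packets, and the choice to drop a half-known pair (known IP, different MAC) rather than treat it as undefined are this example's assumptions.

```python
"""Added example, not Fortinet's code: a model of the IP/MAC binding decision
that config firewall ipmacbinding setting and ipmacbinding table configure.
Table rows and packets below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

ANY_IP = "0.0.0.0"               # row wildcard: any IP for this MAC
ANY_MAC = "00:00:00:00:00:00"    # row wildcard: any MAC for this IP


@dataclass(frozen=True)
class Entry:
    """One row of config firewall ipmacbinding table (documented defaults)."""
    index: int
    ip: str = ANY_IP
    mac: str = ANY_MAC
    name: str = "noname"
    status: str = "disable"      # a row is ignored until status enable


@dataclass
class Setting:
    """config firewall ipmacbinding setting (documented defaults)."""
    bindthroughfw: str = "disable"
    bindtofw: str = "disable"
    undefinedhost: str = "block"


def _mac(m: str) -> str:
    return m.lower()             # compare MACs case-insensitively


class IpMacTable:
    def __init__(self) -> None:
        self.rows: Dict[int, Entry] = {}

    def add(self, e: Entry) -> None:
        # Several IPs may bind to one MAC, but one IP may not bind to two MACs.
        if e.ip != ANY_IP:
            for row in self.rows.values():
                if row.ip == e.ip and _mac(row.mac) != _mac(e.mac):
                    raise ValueError(f"{e.ip} is already bound to {row.mac}")
        self.rows[e.index] = e

    def enabled(self) -> List[Entry]:
        return [r for r in self.rows.values() if r.status == "enable"]

    def classify(self, ip: str, mac: str) -> str:
        """'match': the pair fits an enabled row; 'mismatch': the IP or MAC is
        in the table but paired differently (the spoofing case this feature
        exists for); 'undefined': neither the IP nor the MAC is in the table."""
        known = False
        for r in self.enabled():
            ip_ok = r.ip == ANY_IP or r.ip == ip
            mac_ok = r.mac == ANY_MAC or _mac(r.mac) == _mac(mac)
            if ip_ok and mac_ok:
                return "match"
            if r.ip == ip or _mac(r.mac) == _mac(mac):
                known = True
        return "mismatch" if known else "undefined"


def decide(setting: Setting, table: IpMacTable, direction: str, ip: str, mac: str) -> str:
    """Return 'policy' (hand the packet on to the firewall policy list) or 'drop'.
    direction is 'through' (transit traffic) or 'to' (traffic to the unit itself).
    Dropping a half-known pair instead of treating it as undefined is this
    example's assumption; the page only defines the fully undefined case."""
    applies = {"through": setting.bindthroughfw, "to": setting.bindtofw}[direction]
    if applies != "enable":
        return "policy"                      # binding is not applied on this path
    verdict = table.classify(ip, mac)
    if verdict == "match":
        return "policy"
    if verdict == "mismatch":
        return "drop"
    return "policy" if setting.undefinedhost == "allow" else "drop"


# Constructed sample data mirroring the page's own examples.
SETTING = Setting(bindthroughfw="enable", bindtofw="enable", undefinedhost="block")
TABLE = IpMacTable()
TABLE.add(Entry(1, "172.16.44.55", "00:10:F3:04:7A:4C", "RemoteAdmin", "enable"))
TABLE.add(Entry(2, ANY_IP, "00:10:F3:04:7A:4D", "PrinterAnyIP", "enable"))
TABLE.add(Entry(3, "172.16.44.99", "00:10:F3:04:7A:4E", "NotYetEnabled", "disable"))

if __name__ == "__main__":
    for ip, mac in [("172.16.44.55", "00:10:f3:04:7a:4c"),   # trusted host
                    ("172.16.44.55", "00:10:f3:04:7a:ff"),   # its IP from another NIC
                    ("10.0.0.7", "00:10:F3:04:7A:4D"),       # wildcard-IP row
                    ("10.0.0.8", "00:aa:bb:cc:dd:ee")]:      # unknown host
        print(ip, mac, decide(SETTING, TABLE, "through", ip, mac))
```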


History
FortiOS v2.80 Revised.

Related topics
• firewall ipmacbinding setting

ippool
Use this command to configure IP address pools that you can use to configure NAT mode firewall policies. An IP pool, also called a dynamic IP pool, is a range of IP addresses added to a firewall interface. You can enable Dynamic IP Pool in a firewall policy to translate the source address to an address randomly selected from the IP pool. To use IP pools, the IP pool interface must be the same as the firewall policy destination interface. Add an IP pool in order to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. IP pools are only available in NAT/Route mode. You can add multiple IP pools to any interface and configure each firewall policy to select the IP pool to use for that policy.

Syntax
config firewall ippool
    edit <index_int>
        set endip <address_ipv4>
        set interface <name_str>
        set startip <address_ipv4>
    end

Keywords and variables

<index_int>
    The unique ID number of this IP pool.
    Default: No default.

endip <address_ipv4>
    The end IP of the address range. The end IP must be higher than the start IP. The end IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0

interface <name_str>
    Enter the name of a network interface, binding the IP pool to that interface. On FortiGate-200 models and greater, the network interface can also be a VLAN subinterface.
    Default: No default.

startip <address_ipv4>
    The start IP of the address range. The start IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0

Example
You might use the following commands to add an IP pool to the internal network interface. The IP pool would then be available when configuring firewall policies.

config firewall ippool
    edit 1
        set startip 192.168.1.100
        set endip 192.168.1.200
        set interface internal
    end

History
FortiOS v2.80 Revised.

Related topics
• firewall policy, policy6

ldb-monitor
Use this command to configure health check settings. Health check settings can be used by load balancing VIPs to determine if a real server is currently responsive before forwarding traffic. One health check is sent per interval using the specified protocol, port and HTTP-GET, where applicable to the protocol. If the server does not respond during the timeout period, the health check fails and, if retries are configured, another health check is performed. If all health checks fail, the server is deemed unavailable, and another real server is selected to receive the traffic according to the selected load balancing algorithm. Health check settings can be re-used by multiple real servers. For details on enabling health checking and using configured health check settings, see “firewall vip” on page 169.

Syntax
config firewall ldb-monitor
    edit <name_str>
        set http-get <httprequest_str>
        set http-match <contentmatch_str>
        set interval <seconds_int>
        set port <port_int>
        set retry <retries_int>
        set timeout <seconds_int>
        set type {http | ping | tcp}
    end

Keywords and variables

<name_str>
    Enter the name of the health check monitor.
    Default: No default.

http-get <httprequest_str>
    Enter the path (URI) of the HTTP-GET request to use when testing the responsiveness of the server. This option appears only if type is http.
    Default: No default.

http-match <contentmatch_str>
    Enter the content of the server’s reply to the HTTP request that must be matched for the health check to succeed. If the FortiGate unit does not receive a reply from the server, or its reply does not contain matching content, the health check fails. This option appears only if type is http.
    Default: No default.

interval <seconds_int>
    Enter the interval time in seconds between health checks.
    Default: 10

port <port_int>
    Enter the port number that will be used by the health check. This option does not appear if type is ping.
    Default: 0

retry <retries_int>
    Enter the number of times that the FortiGate unit should retry the health check if a health check fails. If all health checks, including retries, fail, the server is deemed unavailable.
    Default: 3

timeout <seconds_int>
    Enter the timeout in seconds. If the FortiGate unit does not receive a response to the health check in this period of time, the health check fails.
    Default: 2

type {http | ping | tcp}
    Select the protocol used by the health check monitor.
    Default: No default.
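How the timeout, retry and http-match keywords combine into an availability decision for a real server, as an added example in Python (not Fortinet's code and not the FortiGate implementation). LdbMonitor, make_probe, pick_servers and the canned server replies are this example's constructions; the monitor values are those of the page's own ldb-monitor example, and the interval keyword only schedules checks so it is carried but not simulated.

```python
"""Added example, not Fortinet's code: a model of how a config firewall
ldb-monitor health check decides that a real server is available, following
the timeout, retry and http-match rules described above. The monitor, servers
and replies are constructed for illustration; all names are this example's own."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A probe returns (seconds until the reply arrived, reply body), or None if
# the server never answered. Real probing is replaced by canned replies below.
Reply = Optional[Tuple[float, str]]
Probe = Callable[[str, int, str], Reply]


@dataclass
class LdbMonitor:
    """Mirrors the ldb-monitor keywords, with the documented defaults."""
    name: str
    type: str                    # http | ping | tcp
    port: int = 0
    http_get: str = ""           # path of the HTTP-GET request (type http only)
    http_match: str = ""         # text the reply must contain (type http only)
    interval: int = 10           # seconds between checks (scheduling, not modelled)
    timeout: int = 2             # seconds to wait for a reply
    retry: int = 3               # further checks after a failed one

    def check_once(self, host: str, probe: Probe) -> bool:
        reply = probe(host, self.port, self.http_get)
        if reply is None:
            return False                         # no reply at all
        elapsed, body = reply
        if elapsed > self.timeout:
            return False                         # a reply after the timeout counts as none
        if self.type == "http" and self.http_match and self.http_match not in body:
            return False                         # e.g. an error page instead of the real page
        return True

    def is_available(self, host: str, probe: Probe) -> Tuple[bool, int]:
        """Run one check plus up to `retry` more; the server is unavailable only
        when every attempt fails. Returns (available, attempts made)."""
        for attempt in range(1, self.retry + 2):
            if self.check_once(host, probe):
                return True, attempt
        return False, self.retry + 1


def pick_servers(monitor: LdbMonitor, servers: List[str], probe: Probe) -> List[str]:
    """Real servers that passed the check, i.e. those still eligible for traffic."""
    return [s for s in servers if monitor.is_available(s, probe)[0]]


# The monitor from the page's example: match text that no error page contains.
MONITOR = LdbMonitor("httphealthchecksettings", "http", port=8080,
                     http_get="/index.php", http_match="Welcome to Example, Inc.",
                     interval=5, timeout=2, retry=2)


def make_probe() -> Probe:
    """Constructed replies for five real servers behind one virtual IP."""
    canned: Dict[str, Reply] = {
        "10.1.1.10": (0.1, "<html>Welcome to Example, Inc.</html>"),   # healthy
        "10.1.1.11": (0.2, "<html>404 Not Found</html>"),               # answers, wrong page
        "10.1.1.12": None,                                              # never answers
        "10.1.1.13": (3.5, "<html>Welcome to Example, Inc.</html>"),   # too slow
    }
    seen: Dict[str, int] = {}

    def probe(host: str, port: int, path: str) -> Reply:
        seen[host] = seen.get(host, 0) + 1
        if host == "10.1.1.14":              # flaky: only the third attempt gets through
            return (0.3, "Welcome to Example, Inc.") if seen[host] >= 3 else None
        return canned.get(host)

    return probe


if __name__ == "__main__":
    probe = make_probe()
    for host in ["10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.13", "10.1.1.14"]:
        print(host, MONITOR.is_available(host, probe))
    print("eligible:", pick_servers(MONITOR, ["10.1.1.10", "10.1.1.11", "10.1.1.14"], make_probe()))
```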

Example
You might configure a health check for a server using the HTTP protocol to retrieve a web page. To ensure that a web page reply containing an error message, such as an HTTP 404 page, does not inadvertently cause the health check to succeed, you might search the reply for text that does not occur in any web server error page, such as unique text on a main page.

config firewall ldb-monitor
    edit httphealthchecksettings
        set type http
        set port 8080
        set http-get "/index.php"
        set http-match "Welcome to Example, Inc."
        set interval 5
        set timeout 2
        set retry 2
    end

History
FortiOS v3.0 MR4 New command. Configures health check settings which can be used when enabling health checks for load balanced real servers associated with a virtual IP. This extends and replaces deprecated commands in config realserver for health check by ICMP ECHO (ping).
FortiOSCarrier v3.0 MR6 New command. Configures health check settings which can be used when enabling health checks for load balanced real servers associated with a virtual IP. This extends and replaces deprecated commands in config realserver for health check by ICMP ECHO (ping).

Related topics
• firewall vip

mms-profile (FortiOS Carrier)
Use this command to configure MMS protection profiles, which can be applied to traffic by selecting the MMS protection profile in one or more protection profiles and then applying those protection profiles to the firewall policies handling traffic, or by applying an MMS protection profile to a protection profile that is associated with a firewall user group. The firewall policy will apply the subset of the protection profile that is relevant to the service or service group.

Syntax
config firewall mms-profile
    edit <profile_str>
        set avnotificationtable <index_int>
        set bwordtable <index_int>
        set carrier-endpoint-prefix {enable | disable}
        set carrier-endpoint-prefix-range-min <limit_int>
        set carrier-endpoint-prefix-range-max <limit_int>
        set carrier-endpoint-prefix-string <prefix_str>
        set carrierendpointbwltable <index_int>
        set comment <str>
        set exmwordtable <index_int>
        set filepattable <index_int>
        set mm1 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort strict-file}
        set mm1-addr-hdr <identifier_str>
        set mm1-addr-source {cookie | http-header}
        set mm1-convert-hex {enable | disable}
        set mm1-retr-dupe {enable | disable}
        set mm1-retrieve-scan {enable | disable}
        set mm1comfortamount <size_int>
        set mm1comfortinterval <seconds_int>
        set mm3 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
        set mm4 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
        set mm7 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort strict-file}
        set mm7-addr-hdr <identifier_str>
        set mm7-addr-source {cookie | http-header}
        set mm7-convert-hex {enable | disable}
        set mm7comfortamount <size_int>
        set mm7comfortinterval <seconds_int>
        set mmsbwordthreshold <score_int>
        set mms-profile <mms_profile_str>
        config dupe {mm1 | mm4}
            set action1 {alert-notif archive archive-first block intercept log}
            set block-time1 <minutes_int>
            set limit1 <duplicatetrigger_int>
            get protocol1
            set status1 {enable | disable}
            set status2 {enable | disable}
            set window1 <minutes_int>
        end
        config flood {mm1 | mm4}
            set action1 {alert-notif archive archive-first block intercept log}
            set block-time1 <minutes_int>
            set limit1 <floodtrigger_int>
            set status1 {enable | disable}
            set status2 {enable | disable}
            get protocol1
            set window1 <minutes_int>
        end
        config log (FortiOS Carrier)
            set log-antispam-mass-mms {enable | disable}
            set log-av-block {enable | disable}
            set log-av-endpoint-filter {enable | disable}
            set log-av-oversize {enable | disable}
            set log-av-virus {enable | disable}
            set log-intercept {enable | disable}
            set log-mms-notification {enable | disable}
            set log-web-content {enable | disable}
        end
        config notification (FortiOS Carrier)
            set alert-int <int>
            set alert-int-mode {minutes | hours}
            set alert-src-msisdn <str>
            set alert-status {enable | disable}
            set bword-int <noticeinterval_int>
            set bword-int-mode {minutes | hours}
            set bword-status {enable | disable}
            set carrier-endpoint-bwl-int <interval_int>
            set carrier-endpoint-bwl-int-mode {hours | minutes}
            set carrier-endpoint-bwl-status {enable | disable}
            set days-allowed {monday tuesday wednesday thursday friday saturday sunday}
            set detect-server {enable | disable}
            set dupe-int <interval_int>
            set dupe-int-mode {hours | minutes}
            set dupe-status {enable | disable}
            set file-block-int <interval_int>
            set file-block-int-mode {hours | minutes}
            set file-block-status {enable | disable}
            set flood-int <interval_int>
            set flood-int-mode {hours | minutes}
            set flood-status {enable | disable}
            set from-in-header {enable | disable}
            set mmsc-hostname {<fqdn_str> | <ipv4>}
            set mmsc-password <passwd_str>
            set mmsc-port <port_int>
            set mmsc-url <url_str>
            set mmsc-username <user_str>
            set msg-protocol {mm1 | mm3 | mm4 | mm7}
            set msg-type {deliver-req | send-req}
            get protocol
            set rate-limit <limit_int>
            set tod-window-start <window_time>
            set tod-window-duration <window_time>
            set user-domain <fqdn_str>
            set vas-id <vas_str>
            set vasp-id <vasp_str>
            set virus-int <interval_int>
            set virus-int-mode {hours | minutes}
            set virus-status {enable | disable}
        end
        config notif-msisdn
            edit <msisdn_int>
                set threshold {dupe-thresh-1 dupe-thresh-2 dupe-thresh-3 flood-thresh-1 flood-thresh-2 flood-thresh-3}
        end
    end

Keywords and variables

<profile_str>
    Enter the name of this MMS protection profile.
    Default: No default.

avnotificationtable <index_int>
    Enter the ID number of the antivirus notification list to be used for the MMS protection profile. Antivirus notification tables contain virus names that, when detected, will have the FortiGate unit send a notification message to the administrator. For more information on antivirus notification tables, see “notification (FortiOS Carrier)” on page 75.
    Default: No default.

bwordtable <index_int>
    Enter the ID number of the web content block filter to be used for MMS traffic. The web content block tables can be configured using the config webfilter bword command.
    Default: No default.

carrier-endpoint-prefix {enable | disable}
    Select to add the country code to the extracted carrier endpoint, such as MSISDN, for logging and notification purposes.
    Default: disable

carrier-endpoint-prefix-range-min <limit_int>
    Enter the minimum carrier endpoint prefix length. If this and endpoint-prefix-range-max are set to zero (0), length is not limited. You can limit the number length for the test numbers used for internal monitoring without a country code. This option appears only if msisdn-prefix is enable.
    Default: 0

carrier-endpoint-prefix-range-max <limit_int>
    Enter the maximum endpoint prefix length. If this and endpoint-prefix-range-min are set to zero (0), length is not limited. This option appears only if msisdn-prefix is enable.
    Default: 0

carrier-endpoint-prefix-string <prefix_str>
    Enter the endpoint (such as MSISDN) prefix. This option appears only if endpoint-prefix is enable.
    Default: No default.

carrierendpointbwltable <index_int>
    Enter the ID number of the endpoint (such as MSISDN) filtering table to use for MMS traffic with the MMS protection profile.
    Default: No default.

comment <str>
    Enter an optional comment to give additional detail about the MMS protection profile.
    Default: No default.

exmwordtable <index_int>
    Enter the ID number of the webfilter exempt word list to be used with the MMS protection profile. The web content exempt tables can be configured using the config webfilter exmword command.
    Default: No default.

filepattable <index_int>
    Enter the ID number of the file pattern list to be used with the MMS protection profile.
    Default: 0

mm1 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort strict-file}
mm3 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
mm4 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl fragmail no-content-summary oversize remove-blocked scan servercomfort splice}
mm7 {archive-full archive-summary avmonitor avquery bannedword block carrier-endpoint-bwl chunkedbypass clientcomfort exemptword no-content-summary oversize remove-blocked scan server-comfort strict-file}
    Select the actions, if any, the FortiGate unit will take on MMS messages of the specified protocol.
    • archive-full: Content archive both metadata and the MMS message itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
    • bannedword: Block messages containing content in the banned word list.
    • block: Block messages matching the file patterns selected by mms-file-pat-table, even if the files do not contain viruses.
    • carrier-endpoint-bwl: Enable the black/white list specified with the carrierendpointbwltable command.
    • chunkedbypass: Allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message body is altered to allow it to be transferred in a series of chunks. Use of this feature is a risk. Malicious content could enter the network if web content is allowed to bypass the firewall. This option is available only for mm1 and mm7.
    • clientcomfort: Apply client comforting to prevent client timeout. This option is available only for mm1 and mm7.
    • exemptword: Exempt words from content blocking. This option is available only for mm1 and mm7.
    • fragmail: Pass fragmented email messages. Fragmented email messages cannot be scanned for viruses. This option is available only for mm3 and mm4.
    • no-content-summary: Omit MMS filtering statistics from the dashboard.
    • oversize: Block files that are over the file size limit.
    • remove-blocked: Remove blocked items from messages.
    • scan: Scan files for viruses and worms.
    • server-comfort: Apply server comforting and prevent server timeout. This option is available only for the mm1 and mm7 commands.
    • splice: Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection and returns an error message to the recipient. This option is available only for the mm3 and mm4 commands.
    • strict-file: Perform stricter checking for blocked files as specified in config antivirus filepattern. This can prevent circumvention by web sites with elaborate scripting using .exe or .dll files if those patterns are blocked. This option is available only for the mm1 and mm7 commands.
    Default: no-content-summary (mm1); splice (mm3); splice (mm4); No default (mm7).

mm1-addr-hdr <identifier_str>
    Enter the sender address (MSISDN) identifier.
    If mm1-addr-source is http-header, the address and its identifier in the HTTP request header is in the format of:
        <Sender Address Identifier>: <MSISDN Value>
    For example, the HTTP header might contain:
        x-up-calling-line-id: 6044301297
    where x-up-calling-line-id would be the Sender Address Identifier.
    If mm1-addr-source is cookie, the address and its identifier in the HTTP request header’s Cookie field is in the format of attribute-value pairs:
        Cookie: id=<cookie-id>; <Sender Address Identifier>=<MSISDN Value>
    For example, the HTTP request headers might contain:
        Cookie: id=0123jf!a; x-up-calling-line-id=6044301297
    where x-up-calling-line-id would be the sender address identifier.
    Default: x-up-calling-line-id

mm1-addr-source {cookie | http-header}
    Select to extract the sender’s address from the HTTP header field or a cookie.
    Default: http-header

mm1-convert-hex {enable | disable}
    Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
    Default: disable

mm1-retr-dupe {enable | disable}
    Select to scan M
M1 mm1-retr messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam. This option is available only if status is enable for the config dupe mm1 command.
    Default: disable

mm1-retrieve-scan {enable | disable}
    Select to scan message retrieval by MM1. If you select scan enable for all MMS interfaces, messages are scanned while being sent, and so scanning message retrieval by MM1 is redundant. In this case, you can disable MM1 message retrieval scanning to improve performance.

mm1comfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to show a download is progressing. The interval time is set using mm1comfortinterval.
    Default: 1

mm1comfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after a download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using mm1comfortamount.
    Default: 10

mm7-addr-hdr <identifier_str>
    Enter the sender address (MSISDN) identifier.
    If mm7-addr-source is http-header, the address and its identifier in the HTTP request header is in the format of:
        <Sender Address Identifier>: <MSISDN Value>
    For example, the HTTP header might contain:
        x-up-calling-line-id: 6044301297
    where x-up-calling-line-id would be the Sender Address Identifier.
    If mm7-addr-source is cookie, the address and its identifier in the HTTP request header’s Cookie field is in the format of attribute-value pairs:
        Cookie: id=<cookie-id>; <Sender Address Identifier>=<MSISDN Value>
    For example, the HTTP request headers might contain:
        Cookie: id=0123jf!a; x-up-calling-line-id=6044301297
    where x-up-calling-line-id would be the sender address identifier.
    Default: x-up-calling-line-id

mm7-addr-source {cookie | http-header}
    Select to extract the sender’s address from the HTTP header field or a cookie.
    Default: http-header

mm7-convert-hex {enable | disable}
    Select to convert the sender address from ASCII to hexadecimal or from hexadecimal to ASCII. This is required by some applications.
    Default: disable

mm7comfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to show a download is progressing. The interval time is set using mm7comfortinterval.
    Default: 1

mm7comfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after a download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using mm7comfortamount.
    Default: 10

mmsbwordthreshold <score_int>
    Enter the maximum score an MMS message can have before being blocked. If the combined scores of the content block patterns appearing in an MMS message exceed the threshold value, the message will be blocked.
    Default: 10

remove-blocked-constlength {enable | disable}
    Select to preserve the length of the MMS message when removing blocked content.
    Default: disable

config dupe {mm1 | mm4}
Duplicate MMS messages can result from bulk MMS messages, MMS spam, attacks such as viruses, or other issues. You can use the config dupe subcommand to detect and act on MMS duplicate messages. Thresholds that define excessive duplicate messages and response actions are both configurable.
You can configure MMS duplicate message detection for MM1 messages using config dupe mm1 and for MM4 messages using config dupe mm4. There are four threshold settings each for mm1 and mm4. The integer at the end of each command indicates which threshold you are configuring. They must be enabled in sequence. By default, only the first threshold is available for configuration. Enable status2 to gain access to the second threshold. Then enable status3 to gain access to the third threshold. Finally, enable status4 to gain access to the fourth threshold.

Variables

action1 {alert-notif archive archive-first block intercept log}
    Select the actions to take, if any, when excessive duplicate messages are detected. To select more than one action, separate each action with a space.
    • alert-notif: Enable to have the FortiGate unit send a notification message if this threshold is exceeded.
    • archive: Archive duplicates in excess of the configured threshold. This option appears only if status is enable for the MMS interface.
    • archive-first: Archive the first duplicate in excess of the configured threshold. This option appears only if status is enable for the protocol (MM1 or MM4).
    • block: Block and intercept excess duplicates. If block is selected, messages are also intercepted, even if intercept is not selected. This option appears only if status is set to enable for the MMS interface.
    • intercept: Intercept excess duplicates. This option appears only if status is enable for the MMS interface.
    • log: Log excess duplicates. This option takes effect only if logging is enabled for bulk MMS message detection. See “log-antispam-mass-mms {enable | disable}” on page 154.
    Default: archive block intercept log

block-time1 <minutes_int>
    Enter the amount of time in minutes during which the FortiGate unit will perform the action after a message flood is detected.
    Default: 100

limit1 <duplicatetrigger_int>
    Enter the number of messages which signifies excessive message duplicates if exceeded within the window.
    Default: 100

protocol1
    The MMS interface that you are configuring. protocol can be mm1 or mm4 depending on whether you entered config dupe mm1 or config dupe mm4. This variable can be viewed with the get command, but cannot be set.

status1 {enable | disable}
    Select to detect and act upon duplicate MMS messages.
    Default: disable

status2 {enable | disable}
    Enable to gain access to the second set of threshold configuration settings.
    Default: disable

window1 <minutes_int>
    Enter the period of time in minutes during which excessive message duplicates will be detected if the limit is exceeded.
    Default: 60

Example
This example shows how to enable MMS duplicate message detection for MM1 messages and change the block time to 200 minutes:

config firewall mms-profile
    edit example
        config dupe mm1
            set status1 enable
            set block-time1 200
        end
    end

config flood {mm1 | mm4}
Excessive MMS activity (message floods) can result from bulk MMS messages, MMS spam, attacks, or other issues. You can use the config flood subcommand to detect and act on MMS message floods. Thresholds that define a flood of message activity and response actions are both configurable.
You can configure MMS flood detection for MM1 messages using config flood mm1 and for MM4 messages using config flood mm4. There are four threshold settings for mm1 and mm4. The integer at the end of each command indicates which threshold you are configuring. They must be enabled in sequence. By default, only the first threshold is available for configuration. Enable status2 to gain access to the second threshold. Then enable status3 to gain access to the third threshold. Finally, enable status4 to gain access to the fourth threshold.

Variables

action1 {alert-notif archive archive-first block intercept log}
    Select which actions to take, if any, when excessive message activity is detected. To select more than one action, separate each action with a space.
    • alert-notif: Enable to have the FortiGate unit send a notification message if this threshold is exceeded.
    • archive: Archive messages in excess of the configured threshold. This option appears only if status is enable for the MMS interface.
    • archive-first: Archive the first message in excess of the configured threshold. This option appears only if status is enable for the MMS interface.
    • block: Block and intercept excess messages. If block is selected, messages are also intercepted, even if intercept is not selected. This option appears only if status is enable for the MMS interface.
    • intercept: Intercept excess messages. This option appears only if status is enable for the MMS interface.
    • log: Log excess messages. This option takes effect only if logging is enabled for bulk MMS message detection. See “log-antispam-mass-mms {enable | disable}” on page 154.
    Default: block intercept log

block-time1 <minutes_int>
    Enter the amount of time in minutes during which the FortiGate unit will perform the action after a message flood is detected.
    Default: 100

limit1 <floodtrigger_int>
    Enter the number of messages which signifies excessive message activity if exceeded within the window.
    Default: 100

protocol1
    The MMS interface that you are configuring. protocol can be mm1 or mm4 depending on whether you entered config flood mm1 or config flood mm4. This variable can be viewed with the get command, but cannot be set.

status1 {enable | disable}
    Select to detect and act upon excessive MMS message activity.
    Default: disable

status2 {enable | disable}
    Enable to gain access to the second threshold configuration settings.
    Default: disable

window1 <minutes_int>
    Enter the period of time in minutes during which excessive message activity will be detected if the limit is exceeded.
    Default: 60
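How limit1, window1, block-time1 and action1 interact for config dupe and config flood, as an added example in Python (not Fortinet's code and not the FortiGate implementation). Threshold, Message, BulkMmsDetector, replay and the constructed message stream are this example's assumptions; floods are counted per sender and duplicates per message body, and only the first of the four thresholds is modelled.

```python
"""Added example, not Fortinet's code: a model of the config dupe / config flood
threshold logic described above. Messages are counted within a window of
window minutes, an action set applies once more than limit have been seen, and
it stays in force for block-time minutes. Only the first threshold (status1,
limit1, window1, block-time1, action1) is modelled; the stream is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Set, Tuple


@dataclass
class Threshold:
    """One threshold of config dupe or config flood, with the documented flood defaults."""
    status: str = "disable"
    limit: int = 100           # messages that signify excess if exceeded within the window
    window: int = 60           # minutes over which messages are counted
    block_time: int = 100      # minutes the action stays in force once triggered
    action: Set[str] = field(default_factory=lambda: {"block", "intercept", "log"})


@dataclass(frozen=True)
class Message:
    t: int            # minutes since the start of the constructed timeline
    sender: str       # MSISDN of the sender
    content_id: str   # identifier of the message body (a hash in practice)


def effective_actions(action: Set[str]) -> Set[str]:
    """block implies intercept, even when intercept was not selected."""
    acts = set(action)
    if "block" in acts:
        acts.add("intercept")
    return acts


class BulkMmsDetector:
    """Flood detection counts messages per sender; duplicate detection counts
    messages per content identifier, mirroring config flood and config dupe."""

    def __init__(self, flood: Threshold, dupe: Threshold) -> None:
        self.flood, self.dupe = flood, dupe
        self._per_sender: Dict[str, Deque[int]] = defaultdict(deque)
        self._per_content: Dict[str, Deque[int]] = defaultdict(deque)
        self._blocked_until: Dict[Tuple[str, str], int] = {}   # (kind, key) -> minute

    @staticmethod
    def _count_in_window(times: Deque[int], now: int, window: int) -> int:
        while times and times[0] <= now - window:     # forget messages outside the window
            times.popleft()
        times.append(now)
        return len(times)

    def _evaluate(self, kind: str, thr: Threshold, times: Deque[int], key: str, now: int) -> Set[str]:
        if thr.status != "enable":
            return set()
        until = self._blocked_until.get((kind, key))
        if until is not None and now < until:
            return effective_actions(thr.action)      # still inside the block period
        if self._count_in_window(times, now, thr.window) > thr.limit:
            self._blocked_until[(kind, key)] = now + thr.block_time
            return effective_actions(thr.action)
        return set()

    def handle(self, m: Message) -> Dict[str, Set[str]]:
        """Actions to apply to this message, per detector kind."""
        return {
            "flood": self._evaluate("flood", self.flood, self._per_sender[m.sender], m.sender, m.t),
            "dupe": self._evaluate("dupe", self.dupe, self._per_content[m.content_id], m.content_id, m.t),
        }


def replay(detector: BulkMmsDetector, stream) -> list:
    """Run a constructed message stream; returns (t, sender, flood actions, dupe actions)."""
    out = []
    for m in stream:
        r = detector.handle(m)
        out.append((m.t, m.sender, sorted(r["flood"]), sorted(r["dupe"])))
    return out


# Constructed thresholds, kept small so the effect shows within a few messages.
FLOOD = Threshold(status="enable", limit=3, window=10, block_time=5, action={"block", "log"})
DUPE = Threshold(status="enable", limit=2, window=60, block_time=5, action={"archive-first", "log"})

if __name__ == "__main__":
    det = BulkMmsDetector(FLOOD, DUPE)
    stream = [Message(t, "447700900001", f"c{t}") for t in (0, 1, 2, 3, 5, 20)]
    for row in replay(det, stream):
        print(row)
```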

Example
This example shows how to enable MMS flood detection for MM4 messages and change the action so that the FortiGate unit only logs and blocks the message floods:

config firewall mms-profile
    edit example
        config flood mm4
            set status1 enable
            set action1 block log
        end
    end

config log
Use this command to write event log messages when the options that you have enabled in this MMS protection profile perform an action. For example, if you enable antivirus protection you could also use the config log command to enable log-av-block so that the FortiGate unit writes an event log message every time a virus is detected.
Also select the log action for each protocol and bulk MMS message event that you want to log. For details, see “action1 {alert-notif archive archive-first block intercept log}” on page 113 and “action1 {alert-notif archive archive-first block intercept log}” on page 113.
All of the config log keywords are the same as the corresponding config policy keywords except the following.

Variables

log-antispam-mass-mms {enable | disable}
    Enable to log duplicate or flood MMS notification messages.
    Default: disable

log-av-block {enable | disable}
    Enable to log blocked viruses and files.
    Default: disable

log-av-carrier-endpoint-filter {enable | disable}
    Enable to log endpoint (such as MSISDN) blocking, intercepts, and archiving in MMS messages.
    Default: disable

log-av-oversize {enable | disable}
    Enable to log oversized messages.
    Default: disable

log-av-virus {enable | disable}
    Enable to log detected viruses.
    Default: disable

log-intercept {enable | disable}
    Enable to log MMS intercept actions in MMS messages.
    Default: disable

log-mms-notification {enable | disable}
    Enable to log MMS notification messages in MMS messages.
    Default: disable

log-web-content {enable | disable}
    Enable to log blocked web content.
    Default: disable

Example

This example shows how to enable writing event log messages when the following happens because of settings in the MMS protection profile being configured:
• a virus is detected
• an MMS message is intercepted

config firewall mms-profile
  edit example
    config log
      set log-av-virus enable
      set log-intercept enable
    end
  end

config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7}

Use this command to configure how the FortiGate unit sends MMS messages to MMS clients to inform them that messages have been sent from their device that violate the settings in this MMS protection profile. The notifications are MM1 m-send-req messages sent from the FortiGate unit directly to the MMSC for delivery to the client.

To enable sending notifications you need to enable notification types. You can enable all notification types or you can enable separate notifications for web content blocking, file blocking, end point blocking, flooding, duplicate messages, and virus scanning. The host name of the MMSC, the URL to which m-send-req messages are sent, and the port must be specified. You can also use the MMS notifications options to configure how the notification messages are sent.

The FortiGate unit sends notification messages immediately for the first event, then at a configurable interval if events continue to occur. If the interval does not coincide with the window of time during which notices may be sent, the FortiGate unit waits and sends the notice in the next available window. Subsequent notices contain a count of the number of events that have occurred since the previous notification. There are separate notifications for each notification type, including virus events. Virus event notifications include the virus name. Up to three viruses are tracked for each user at a time. If a fourth virus is found, one of the existing tracked viruses is removed.

Variables, description, and default:

alert-int <int>
  Enter the interval the FortiGate unit will use to send alert messages. The integer you enter will be interpreted as hours or minutes depending on how the alert-int-mode command is set. Default: 1.

alert-int-mode {minutes | hours}
  Enter minutes or hours. This setting determines whether the integer entered with the alert-int command is interpreted as minutes or hours. Default: hours.

alert-src-msisdn <str>
  Enter the address the alert messages will appear to be sent from. No default.

alert-status {enable | disable}
  Enable to have the FortiGate unit send alert messages. Default: enable.

bword-int <noticeinterval_int>
  Enter the banned word notification send interval. Default: 24.

bword-int-mode {minutes | hours}
  Select whether the value specified in the bword-int command is minutes or hours. Default: hours.

bword-status {enable | disable}
  Select to send notices for banned word events. Default: disable.

carrier-endpoint-bwl-int <interval_int>
  Enter the amount of time between notifications for endpoint black/white list events. Also set carrier-endpoint-bwl-status to enable and select the time unit in carrier-endpoint-bwl-int-mode. Default: 24.

carrier-endpoint-bwl-int-mode {hours | minutes}
  Select the unit of time in minutes or hours for carrier-endpoint-bwl-int. Default: hours.

carrier-endpoint-bwl-status {enable | disable}
  Select to send notices for endpoint black/white list events. Default: disable.

days-allowed {monday tuesday wednesday thursday friday saturday sunday}
  Notifications will be sent on the selected days of the week. Default: monday tuesday wednesday thursday friday saturday sunday.

detect-server {enable | disable}
  Select to automatically determine the server address. Default: enable.

dupe-int <interval_int>
  Enter the amount of time between notifications of excessive MMS duplicates. Also set dupe-status to enable and select the time unit in dupe-int-mode. Default: 24.

dupe-int-mode {hours | minutes}
  Select the unit of time in minutes or hours for dupe-int. Default: hours.

dupe-status {enable | disable}
  Select to send notices for excessive MMS message duplicate events. Default: disable.

file-block-int <interval_int>
  Enter the amount of time between notifications of file block events. Also set file-block-status to enable and select the time unit in file-block-int-mode. Default: 24.

file-block-int-mode {hours | minutes}
  Select whether the value specified in the file-block-int command is minutes or hours. Default: hours.

file-block-status {enable | disable}
  Select to send notices for file block events. Default: disable.

flood-int <interval_int>
  Enter the amount of time between notifications of excessive MMS activity. Also set flood-status to enable and select the time unit in flood-int-mode. Default: 24.

flood-int-mode {hours | minutes}
  Select the unit of time in minutes or hours for flood-int. Default: hours.

flood-status {enable | disable}
  Select to send notices for excessive MMS message activity events. Default: disable.

from-in-header {enable | disable}
  Select to insert the "from" address in the HTTP header. Available only for MM1 and MM4 notifications. Default: disable.

mmsc-hostname {<fqdn_str> | <ipv4>}
  Enter the FQDN or the IP address of the destination server. Available only for MM1 and MM4 notifications. No default.

mmsc-password <passwd_str>
  (Optional) Enter the password required for sending messages using this server. Available only for MM1 and MM4 notifications. No default.

mmsc-port <port_int>
  (Optional) Enter the port number the server is using. Available only for MM1 and MM4 notifications. Default: varies by msg-protocol.

mmsc-url <url_str>
  Enter the URL address of the server. Available only for MM1 and MM4 notifications. No default.

mmsc-username <user_str>
  Enter the user name required for sending messages using this server. Available only for MM1 and MM4 notifications. No default.

msg-protocol {mm1 | mm3 | mm4 | mm7}
  Select the protocol to use for sending notification messages. Default: depends on protocol {mm1 | mm3 | mm4 | mm7}.

msg-type {deliver-req | send-req}
  Select the type of notification message directed to either a VASP or a MMSC. Default: deliver-req.

protocol
  The MMS interface that you are configuring. protocol can be mm1, mm3, mm4 or mm7 depending on the message type that you are configuring notifications for. This variable can be viewed with the get command but cannot be set.

rate-limit <limit_int>
  Enter the number of notifications to send per second. If you enter zero (0), the notification rate is not limited. Default: 0.

tod-window-duration <window_time>
  Select the duration of the period during which the FortiGate unit will send notification messages. If you select a start and duration time of zero (00:00), notifications are not limited by time of day. Default: 00:00.

tod-window-start <window_time>
  Select the time of day to begin sending notifications. If you select a start and end time of zero (00:00), notifications are not limited by time of day. Default: 00:00.

user-domain <fqdn_str>
  Enter the FQDN of the server to which the user's address belongs. No default.

vas-id <vas_str>
  Enter the value added service (VAS) ID to be used when sending a notification message. This option is available only when msg-type is set to send-req. No default.

vasp-id <vasp_str>
  Enter the value added service provider (VASP) ID to be used when sending a notification message. This option is available only when msg-type is set to send-req. No default.

virus-int <interval_int>
  Enter the amount of time between notifications for antivirus events. Also set virus-status to enable and select the time unit in virus-int-mode. Default: 24.

virus-int-mode {hours | minutes}
  Select the unit of time in minutes or hours for virus-int. Default: hours.

virus-status {enable | disable}
  Select to send notices for antivirus events. Default: disable.

Example

This example shows how to enable sending MMS notifications for all MM3 notification types and set the interval for each one to 400 minutes:

config firewall mms-profile
  edit example
    config notification mm3
      set bword-status enable
      set bword-int-mode minutes
      set bword-int 400
      set file-block-status enable
      set file-block-int-mode minutes
      set file-block-int 400
      set carrier-endpoint-bwl-status enable
      set carrier-endpoint-bwl-int-mode minutes
      set carrier-endpoint-bwl-int 400

      set virus-status enable
      set virus-int-mode minutes
      set virus-int 400
    end
  end

config notif-msisdn

Individual MSISDN users can be configured to have specific duplicate and flood thresholds.

<msisdn_int>
  Enter the MSISDN number. Enter a new number to create a new entry.

threshold {dupe-thresh-1 dupe-thresh-2 dupe-thresh-3 flood-thresh-1 flood-thresh-2 flood-thresh-3}
  Enter the thresholds on which this MSISDN user will receive an alert. Clear all thresholds with the unset threshold command. Default: (null).

History

FortiOS Carrier v3.0 MR5  MMS-protection profile added. Some settings existed in the protection profile previously.

Related topics
• firewall profile
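The following is an added example, not one of the reference's own, showing a per-subscriber entry under config notif-msisdn: one MSISDN (a constructed placeholder number) is set to receive alerts on the first duplicate threshold and the first flood threshold, while all other subscribers keep the profile-wide settings. The profile name example follows the examples above.

```fortios
config firewall mms-profile
  edit example
    config notif-msisdn
      # constructed placeholder MSISDN; use the subscriber's real number
      edit 15551230001
        # alert this subscriber on the first duplicate and first flood thresholds only
        set threshold dupe-thresh-1 flood-thresh-1
    end
end
```

A per-subscriber entry is useful when one high-volume source (a content service, for instance) would otherwise trip the profile-wide thresholds; to fall back to the profile-wide behaviour again, enter the same edit and run unset threshold, as the variable description above states.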

firewall multicast-policy

Use this command to configure a source NAT IP. This command can also be used in Transparent mode to enable multicast forwarding by adding a multicast policy. For additional options related to multicast, see multicast-forward {enable | disable} in "system settings" on page 466 and tp-mc-skip-policy {enable | disable} in "system global" on page 371.

Syntax

config firewall multicast-policy
  edit <index_int>
    set action {accept | deny}
    set dnat <address_ipv4>
    set dstaddr <address_ipv4mask>
    set dstintf <name_str>
    set nat <address_ipv4>
    set srcaddr <address_ipv4mask>
    set srcintf <name_str>
    set protocol <multicastlimit_int>
    set start-port <port_int>
    set end-port <port_int>
end

Keywords and variables

<index_int>
  Enter the unique ID number of this multicast policy. No default.

action {accept | deny}
  Enter the policy action. Default: accept.

dnat <address_ipv4>
  Enter an IP address to destination network address translate (DNAT) externally received multicast destination addresses to addresses that conform to your organization's internal addressing policy. Default: 0.0.0.0.

dstaddr <address_ipv4mask>
  Enter the destination IP address and netmask, separated by a space, to match against multicast NAT packets. Default: 0.0.0.0 0.0.0.0.

dstintf <name_str>
  Enter the destination interface name to match against multicast NAT packets. No default.

nat <address_ipv4>
  Enter the IP address to substitute for the original source IP address. The matched forwarded (outgoing) IP multicast source IP address is translated to the configured IP address. Default: 0.0.0.0.

srcaddr <address_ipv4mask>
  Enter the source IP address and netmask to match against multicast NAT packets. Default: 0.0.0.0 0.0.0.0.

srcintf <name_str>
  Enter the source interface name to match against multicast NAT packets. No default.

protocol <multicastlimit_int>
  Limit the number of protocols (services) sent out via multicast using the FortiGate unit. Default: 0.

start-port <port_int>
  The beginning of the port range used for multicast. Default: 0.

end-port <port_int>
  The end of the port range used for multicast. Default: 65535.

Example

This example shows how to configure a multicast NAT policy.

config firewall multicast-policy
  edit 1
    set dstintf dmz
    set nat 10.0.0.1
    set srcaddr 192.168.100.12 255.255.255.0
    set srcintf internal
  end

History

FortiOS v2.80  Revised.
FortiOS v3.0 MR4  Added protocol.
FortiOS v3.0 MR5  Added dnat.

Related topics
• system global

firewall policy, policy6

Use this command to add, edit, or delete firewall policies.

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. The policy directs the firewall to allow the connection, deny the connection, require authentication before the connection is allowed, or apply IPSec or SSL VPN processing.

Note: If you are creating an IPv6 policy, some of the IPv4 options, such as NAT and VPN settings, are not applicable.

Syntax

config firewall policy, policy6
  edit <index_int>
    set action {accept | deny | ipsec | ssl-vpn}
    set auth-cert <certificate_str>
    set auth-path {enable | disable}
    set auth-redirect-addr <domainname_str>
    set comments <comment_str>
    set custom-log-fields <fieldid_int>
    set diffserv-forward {enable | disable}
    set diffserv-reverse {enable | disable}
    set diffservcode-forward <dscp_bin>
    set diffservcode-rev <dscp_bin>
    set disclaimer {enable | disable}
    set dstaddr <name_str>
    set dstintf <name_str>
    set fixedport {enable | disable}
    set forticlient-check {enable | disable}
    set forticlient-ra-notinstalled {enable | disable}
    set forticlient-ra-notlicensed {enable | disable}
    set forticlient-ra-db-outdated {enable | disable}
    set forticlient-ra-no-av {enable | disable}
    set forticlient-ra-no-fw {enable | disable}
    set forticlient-ra-no-wf {enable | disable}
    set forticlient-redir-portal {enable | disable}
    set fsae {enable | disable}
    set fsae-guest-profile <profile_str>
    set gbandwidth <limit_int>
    set groups <name_str>
    set gtp_profile <name_str> (FortiOS Carrier)
    set inbound {enable | disable}
    set ippool {enable | disable}
    set logtraffic {enable | disable}
    set maxbandwidth <limit_int>
    set nat {enable | disable}
    set natinbound {enable | disable}
    set natip <address_ipv4mask>
    set natoutbound {enable | disable}
    set ntlm {enable | disable}
    set outbound {enable | disable}
    set poolname <name_str>

    set priority {high | low | medium}
    set profile <name_str>
    set profile-status {enable | disable}
    set redirect-url <name_str>
    set schedule <name_str>
    set service <name_str>
    set srcaddr <name_str>
    set srcintf <name_str>
    set sslvpn-auth {any | ldap | local | radius | tacacs+}
    set sslvpn-ccert {enable | disable}
    set sslvpn-cipher {0 | 1 | 2}
    set status {enable | disable}
    set tcp-mss-sender <maximumsize_int>
    set tcp-mss-receiver <maximumsize_int>
    set trafficshaping {enable | disable}
    set vpntunnel <name_str>
end

Keywords and variables

<index_int>
  Enter the unique ID number of this policy. No default.

action {accept | deny | ipsec | ssl-vpn}
  Select the action that the FortiGate unit will perform on traffic matching this firewall policy. Default: deny.
  • accept: Allow packets that match the firewall policy. Also enable or disable nat to make this a NAT policy (NAT/Route mode only), enable or disable ippool so that the NAT policy selects a source address for packets from a pool of IP addresses added to the destination interface of the policy, and enable or disable fixedport so that the NAT policy does not translate the packet source port. For details on NAT and transparent mode, see "opmode {nat | transparent}" on page 468.
  • deny: Deny packets that match the firewall policy.
  • ipsec: Allow and apply IPSec VPN. When action is set to ipsec, you must specify the vpntunnel attribute. You may also enable or disable the inbound, outbound, natoutbound, and natinbound attributes and/or specify a natip value.
  • ssl-vpn: Allow and apply SSL VPN. When action is set to ssl-vpn, you may specify values for the sslvpn-auth, sslvpn-ccert, and sslvpn-cipher attributes.
  For IPv6 policies, only accept and deny options are available.

auth-cert <certificate_str>
  Select a HTTPS server certificate for policy authentication. self-sign is the built-in, self-signed certificate; if you have added other certificates, you may select them instead. This option appears only if groups is configured.

auth-path {enable | disable}
  Select to apply authentication-based routing. You must also specify a RADIUS server, and the RADIUS server must be configured to supply the name of an object specified in config router auth-path. For details on configuring authentication-based routes, see "router auth-path" on page 235. Default: disable.

auth-redirect-addr <domainname_str>
  Enter the IP address or domain name that the FortiGate unit will use when performing HTTP-to-HTTPS URL redirects for firewall policy authentication, which is usually a fully qualified domain name (FQDN). To prevent web browser security warnings, this should match the CN field of the specified auth-cert. This option appears only when the FortiGate unit is operating in NAT mode. No default.

comments <comment_str>
  Enter a description or other information about the policy. (Optional) comment_str is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces. For more information, see "Entering spaces in strings" on page 45. No default.

custom-log-fields <fieldid_int>
  Enter custom log field index numbers to append one or more custom log fields to the log message for this policy. Separate multiple custom log field indices with a space. (Optional.) This option takes effect only if logging is enabled for the policy, and requires that you first define custom log fields. For details, see "log custom-field" on page 208. No default.

diffserv-forward {enable | disable}
  Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward. Default: disable.

diffserv-reverse {enable | disable}
  Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev. Default: disable.

diffservcode-forward <dscp_bin>
  Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. This option appears only if diffserv-forward is enable. For details and DSCP configuration examples, see the Knowledge Center article Differentiated Services Code Point (DSCP) behavior. Default: 000000.

diffservcode-rev <dscp_bin>
  Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. This option appears only if diffserv-reverse is enable. For details and DSCP configuration examples, see the Knowledge Center article Differentiated Services Code Point (DSCP) behavior. Default: 000000.

disclaimer {enable | disable}
  Enable to display the authentication disclaimer page, which is configured with other replacement messages. The user must accept the disclaimer to connect to the destination. This option appears only if profile or groups (authentication) is configured. Default: disable.

dstaddr <name_str>
  Enter one or more destination firewall addresses, or a virtual IP if creating a NAT policy. Separate multiple firewall addresses with a space. For details on configuring virtual IPs, see "vip" on page 169. If action is set to ipsec, enter the name of the IP address to which IP packets may be delivered at the remote end of the IPSec VPN tunnel. If action is set to ssl-vpn, enter the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit. For details, see "Defining IP source and destination addresses" in the FortiGate IPSec VPN User Guide. No default.

dstintf <name_str>
  Enter the destination interface for the policy. The interface can be a physical interface, a VLAN subinterface, or a zone. If action is set to ipsec, enter the name of the interface to the external (public) network. If action is set to ssl-vpn, enter the name of the interface to the local (private) network. Note: If an interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for dstintf. No default.

fixedport {enable | disable}
  Enable to preserve packets' source port number, which may otherwise be changed by a NAT policy. Some applications do not function correctly if the source port number is changed, and may require this option. If fixedport is enable, you should usually also enable IP pools; if you do not configure an IP pool for the policy, only one connection can occur at a time for this port. Default: disable.

forticlient-check {enable | disable}
  Enable to perform FortiClient Host Security software verifications. If you enable this option, also configure:
  • forticlient-ra-notinstalled
  • forticlient-ra-notlicensed
  • forticlient-ra-db-outdated
  • forticlient-ra-no-av
  • forticlient-ra-no-fw
  • forticlient-ra-no-wf
  • forticlient-redir-portal
  This feature is available on a number of FortiGate models including the 620B, 1000A, 3016B, 3600A, 3810A, 5005FA2, and 5001A models, and can detect FortiClient Host Security software version 3.0 MR2 or later. Default: disable.

forticlient-ra-notinstalled {enable | disable}
  Deny access to this firewall policy if the host does not have FortiClient Host Security software installed. This option is available only if forticlient-check is enable. Default: disable.

forticlient-ra-notlicensed {enable | disable}
  Deny access to this firewall policy if the host does not have a licensed copy of FortiClient Host Security software installed. This option is available only if forticlient-check is enable. Default: disable.

forticlient-ra-db-outdated {enable | disable}
  Deny access to this firewall policy if the FortiClient Host Security antivirus database on the host is out of date. This option is available only if forticlient-check is enable. Default: disable.

forticlient-ra-no-av {enable | disable}
  Deny access to this firewall policy if the FortiClient Host Security antivirus feature is not enabled on the host. This option is available only if forticlient-check is enable. Default: disable.

forticlient-ra-no-fw {enable | disable}
  Deny access to this firewall policy if the FortiClient Host Security firewall is not enabled on the host. This option is available only if forticlient-check is enable. Default: disable.

forticlient-ra-no-wf {enable | disable}
  Deny access to this firewall policy if FortiClient Host Security web filtering is not enabled on the host. This option is available only if forticlient-check is enable. Default: disable.

forticlient-redir-portal {enable | disable}
  Redirect denied users to the internal web portal. The portal page displays the reason the user was denied access. If a FortiClient installation package is stored on the FortiGate unit, the user can download FortiClient Host Security software from the portal. You can change the TCP port for the portal using the forticlient-portal-port keyword. For details, see "system global" on page 371. This option is available only if forticlient-check is enable. Default: disable.

fsae {enable | disable}
  Enable or disable Directory Service authentication. If you enable this option, you must also define the user groups and the guest account protection profile. For details, see "fsae-guest-profile <profile_str>" on page 125 and "groups <name_str>" on page 126. Default: disable.

fsae-guest-profile <profile_str>
  Enter the name of the protection profile used when a guest account authenticates using FSAE. If any other authentication method is selected in the firewall policy, the fsae guest profile is not applied. No default.

gbandwidth <limit_int>
  Enter the amount of bandwidth guaranteed to be available for traffic controlled by the policy. bandwidth_int can be 0 to 2097151 Kbytes/second. This option appears only if trafficshaping is enable. Default: 0.

groups <name_str>
  Enter one or more user group names for users that authenticate to use this policy. When user groups are created, they are paired with protection profiles. The name_str variable is case-sensitive. This option appears only if action is accept or ssl-vpn. No default.

gtp_profile <name_str> (FortiOS Carrier)
  When a GTP profile is being used, enter the name of a profile to add the GTP profile to the policy. For details on configuring GTP profiles, see "gtp (FortiOS Carrier)" on page 92. No default.

inbound {enable | disable}
  When action is set to ipsec, enable or disable traffic from computers on the remote private network to initiate an IPSec VPN tunnel. This option appears only if action is ipsec. Default: disable.

ippool {enable | disable}
  When the action is set to accept and NAT is enabled, configure a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy. Default: disable.

logtraffic {enable | disable}
  Enable or disable recording traffic log messages for this policy. Default: disable.

maxbandwidth <limit_int>
  Enter the maximum amount of bandwidth available for traffic controlled by the policy. bandwidth_int can be 0 to 2097151 Kbytes/second. If maximum bandwidth is set to 0, no traffic is allowed by the policy. This option appears only if trafficshaping is enable. Default: 0.

nat {enable | disable}
  Enable or disable network address translation (NAT). NAT translates the address and the port of packets accepted by the policy. When NAT is enabled, ippool and fixedport can also be enabled or disabled. If fixedport is specified for a service or for dynamic NAT, use IP pools. FortiOS v3.0 also supports NAT in transparent mode; for details see "Example: Adding a NAT firewall policy in transparent mode" on page 130. This option appears only if action is accept. Default: disable.

natinbound {enable | disable}
  Enable or disable translating the source addresses of IP packets emerging from the tunnel into the IP address of the FortiGate unit's network interface to the local private network. This option appears only if action is ipsec. Default: disable.

natip <address_ipv4mask>
  When action is set to ipsec and natoutbound is enabled, specify the source IP address and subnet mask to apply to outbound clear text packets before they are sent through the tunnel. When a natip value is specified, the FortiGate unit uses a static subnetwork-to-subnetwork mapping scheme to translate the source addresses of outbound IP packets into corresponding IP addresses on the subnetwork that you specify. For example, if the source address in the firewall encryption policy is 192.168.1.0/24 and the natip value is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7. If you do not specify a natip value when natoutbound is enabled, the source addresses of outbound encrypted packets are translated into the IP address of the FortiGate unit's external interface. Default: 0.0.0.0 0.0.0.0.

natoutbound {enable | disable}
  When action is set to ipsec, enable or disable translating the source addresses of outbound encrypted packets into the IP address of the FortiGate unit's outbound interface. Enable this attribute in combination with the natip attribute to change the source addresses of IP packets before they go into the tunnel. Default: disable.

ntlm {enable | disable}
  Enable or disable Directory Service authentication via NTLM. If you enable this option, you must also define the user groups. For details, see "groups <name_str>" on page 126. Default: disable.

outbound {enable | disable}
  When action is set to ipsec, enable or disable traffic from computers on the local private network to initiate an IPSec VPN tunnel. Default: disable.

poolname <name_str>
  Enter the name of the IP pool. This variable appears only if nat and ippool are enable and when dstintf is the network interface bound to the IP pool. No default.

priority {high | low | medium}
  Select the priority level for traffic controlled by the policy. This option appears only if trafficshaping is enable. Default: high.

profile <name_str>
  Enter the name of a protection profile to use with the policy. This option appears only if profile-status is enable. No default.

profile-status {enable | disable}
  Enable or disable using a protection profile with the policy. If enabled, also configure profile. This is automatically disabled if a user group with an associated protection profile has been configured in groups. In that case, the protection profile is determined by the user group, rather than the firewall policy. Default: disable.

redirect-url <name_str>
  Enter a URL, if any, that the user is redirected to after authenticating and/or accepting the user authentication disclaimer. This option is available on some models, and only appears if disclaimer is enable. No default.

schedule <name_str>
  Enter the name of the one-time or recurring schedule to use for the policy. No default.

service <name_str>
  Enter the name of one or more services, or a service group, to match with the firewall policy. Separate multiple services with a space. No default.

srcaddr <name_str>
  Enter one or more source firewall addresses for the policy. Separate multiple firewall addresses with a space. If action is set to ipsec, enter the private IP address of the host, server, or network behind the FortiGate unit. If action is set to ssl-vpn and the firewall encryption policy is for web-only mode clients, type all. If action is set to ssl-vpn and the firewall encryption policy is for tunnel mode clients, enter the name of the IP address range that you reserved for tunnel mode clients. To define an address range for tunnel mode clients, see "ssl settings" on page 559. No default.

srcintf <name_str>
  Enter the source interface for the policy. The interface can be a physical interface, a VLAN subinterface or a zone. If action is set to ipsec, enter the name of the interface to the local (private) network. If action is set to ssl-vpn, enter the name of the interface that accepts connections from remote clients. If the interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for srcintf. No default.
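The following is an added example, not one of the reference's own, showing an IPSec encryption policy that applies the natoutbound and natip behaviour described above: local sources in 192.168.1.0/24 are rewritten into 172.16.2.0/24 before they enter the tunnel, so the remote site only ever sees the 172.16.2.0/24 range (192.168.1.7 leaves as 172.16.2.7). The firewall address names internal_lan and remote_lan, the interface names internal and wan1, and the Phase 1 name to_branch are assumptions for the example.

```fortios
config firewall policy
  edit 3
    # interface to the local private network, and the interface to the public network
    set srcintf internal
    set dstintf wan1
    # assumed address objects: internal_lan is 192.168.1.0/24, remote_lan is the far end's network
    set srcaddr internal_lan
    set dstaddr remote_lan
    set schedule always
    set service ANY
    set action ipsec
    # assumed Phase 1 configuration name; vpntunnel is mandatory when action is ipsec
    set vpntunnel to_branch
    # let either side bring the tunnel up
    set inbound enable
    set outbound enable
    # static subnet-to-subnet mapping of outbound clear-text sources before encryption
    set natoutbound enable
    set natip 172.16.2.0 255.255.255.0
    set status enable
  end
```

Because the mapping is one-to-one per host, the remote site's logs and its own policies can still distinguish individual local hosts; leaving natip unset would instead collapse every local source to the wan1 address, which hides the originating host from the peer.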

sslvpn-auth {any | ldap | local | radius | tacacs+}
  If action is set to ssl-vpn, enter one of the following client authentication options:
  • If you want the FortiGate unit to authenticate remote clients using any local user group, type any.
  • If the remote clients are authenticated by an external LDAP server, type ldap.
  • If the user group is a local user group, type local.
  • If the remote clients are authenticated by an external RADIUS server, type radius.
  • If the remote clients are authenticated by an external TACACS+ server, type tacacs+.
  You must also set the name of the group which will use the authentication method, a RADIUS server, or LDAP server. For details, see "groups <name_str>" on page 126. Default: any.

sslvpn-ccert {enable | disable}
  If action is set to ssl-vpn, enable or disable the use of security certificates to authenticate remote clients. Default: disable.

sslvpn-cipher {0 | 1 | 2}
  If action is set to ssl-vpn, enter one of the following options to determine the level of SSL encryption to use. The web browser on the remote client must be capable of matching the level that you select:
  • To use any cipher suite, type 0.
  • To use a 128-bit or greater cipher suite (medium), type 1.
  • To use a 164-bit or greater cipher suite (high), type 2.
  Default: 0.

status {enable | disable}
  Enable or disable the policy. Default: enable.

tcp-mss-sender <maximumsize_int>
  Enter a TCP Maximum Sending Size number for the sender. When a FortiGate unit is configured to use PPPoE to connect to an ISP, certain web sites may not be accessible to users. This occurs because a PPPoE frame takes an extra 8 bytes off the standard Ethernet MTU of 1500. When the server sends the large packet with DF bit set to 1, the ADSL provider's router either does not send an "ICMP fragmentation needed" packet or the packet is dropped along the path to the web server. In either case, the web server never knows fragmentation is required to reach the client. In this case, configure the tcp-mss-sender option to enable access to all web sites. For more information, see the article Cannot view some web sites when using PPPoE on the Fortinet Knowledge Center. Default: 0.

tcp-mss-receiver <maximumsize_int>
  Enter a TCP MSS number for the receiver. Default: 0.

trafficshaping {enable | disable}
  Enable or disable traffic shaping. Also configure gbandwidth, maxbandwidth, and priority. Default: disable.

vpntunnel <name_str>
  Enter the name of a Phase 1 IPSec VPN configuration to apply to the tunnel. This option appears only if action is ipsec. No default.

Example: Adding a firewall policy in NAT/Route mode

On a FortiGate-100, FortiGate-200, or FortiGate-300, use the following example to add policy number 2 that allows users on the external network to access a web server on a DMZ network. The policy:
• Is for connections from the external interface (srcintf is external) to the DMZ interface (dstintf is dmz)
• Is enabled
• Allows users from any IP address on the Internet to access the web server (srcaddr is all)
• Allows access to an address on the DMZ network (dstaddr is dmz_web_server)
• Sets the schedule to Always so that users can access the web server 24 hours a day, seven days a week
• Sets the service to HTTP to limit access to the web server to HTTP connections
• Sets action to accept to allow connections
• Applies network address translation (nat is enabled)
• Applies traffic shaping to guarantee 100 KBytes/s of bandwidth is available, to limit the maximum bandwidth to 500 KBytes/second, and to set the priority for the traffic accepted by this policy to medium (trafficshaping enabled, gbandwidth set to 100, maxbandwidth set to 500, priority set to medium)

    config firewall policy
        edit 2
            set srcintf external
            set dstintf dmz
            set status enable
            set srcaddr all
            set dstaddr dmz_web_server
            set schedule Always
            set service HTTP
            set action accept
            set nat enable
            set trafficshaping enable
            set gbandwidth 100
            set maxbandwidth 500
            set priority medium
        end

Example: Adding a NAT firewall policy in transparent mode

For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other.

A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses.

In the example shown in Figure 1, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface. The example describes adding an internal to wan1 firewall policy to relay these packets from the internal interface out the wan1 interface to the Internet. Because the wan1 interface does not have an IP address of its own, you must add an IP pool to the wan1 interface that translates the source addresses of the outgoing packets to an IP address on the network connected to the wan1 interface. The example describes adding an IP pool with a single IP address of 10.1.1.201. So all packets sent by a PC on the internal network that are accepted by the internal to wan1 policy leave the wan1 interface with their source address translated to 10.1.1.201. These packets can now travel across the Internet to their destination. Reply packets return to the wan1 interface because they have a destination address of 10.1.1.201. The internal to wan1 NAT policy translates the destination address of these return packets to the IP address of the originating PC and sends them out the internal interface to the originating PC.

Similarly, on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99, the second management IP of the FortiGate unit.

Use the following steps to configure NAT in Transparent mode:
• Adding two management IPs
• Adding an IP pool to the wan1 interface
• Adding an internal to wan1 firewall policy

Figure 1: Example NAT in Transparent mode configuration (FortiGate unit in Transparent mode with management IPs 10.1.1.99 and 192.168.1.99; the Internet router is reached through the WAN 1 interface; the internal network 192.168.1.0/24 is on the Internal interface and the DMZ network 10.1.1.0/24 is on the DMZ interface)

Adding two management IPs

Use the following commands to add two management IPs. The second management IP is the default gateway for the internal network.

    config system settings
        set manageip 10.1.1.99/24 192.168.1.99/24
    end

Adding an IP pool to the wan1 interface

Use the following command to add an IP pool to the wan1 interface:

    config firewall ippool
        edit nat-out
            set interface "wan1"
            set startip 10.1.1.201
            set endip 10.1.1.201
        end

Adding an internal to wan1 firewall policy

Use the following command to add an internal to wan1 firewall policy with NAT enabled that also includes an IP pool:

    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ANY"
            set nat enable
            set ippool enable
            set poolname nat-out
        end

Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.

History

FortiOS v2.80
    Revised.

FortiOS v2.80 MR2
    Added groups keyword. Removed authentication keyword. Authentication is automatically enabled for a policy when one or more user groups are set with the groups keyword. The encrypt action name changed to ipsec. Updated ipsec options: vpntunnel, inbound, outbound, natinbound, natoutbound, and natip.

FortiOS v2.80 MR3 and FortiOS v2.80 MR6
    Added fsae. Added tcp-mss-sender and tcp-mss-receiver. Added poolname keyword. Replaced usrgrp keyword with userdomain.

FortiOS v3.0
    Added ssl-vpn options: sslvpn-ccert, sslvpn-cipher, and sslvpn-auth. Removed userdomain keyword. Described the new ability to add multiple entries for the following commands: srcaddr, dstaddr, and service. Changes to profile and profile_status.

FortiOS v3.0 MR4 and FortiOS Carrier v3.0 MR4
    New variable auth-path {enable | disable}. Enables or disables authentication-based routing. New variable auth-redirect-addr <domainname_str>. Specifies address used in URL when performing HTTP-to-HTTPS redirects for policy authentication. New variable custom-log-fields <fieldid_int>. Selects custom log fields to append to the policy’s log message.

FortiOS v3.0 MR5, FortiOS v3.0 MR6 and FortiOS Carrier v3.0 MR6
    Added the command ntlm. Added secure-vlan keyword; this is available only on the FortiGate-224B unit. New option tacacs+. Selects TACACS+ authentication method when the firewall policy action is set to ssl-vpn.

FortiOS v3.0 MR7
    NAT policy in transparent mode example added.

Related topics
• firewall address, address6
• firewall profile
• firewall schedule onetime
• firewall schedule recurring
• firewall service custom
• firewall service group

profile

Use this command to configure protection profiles which can be applied to traffic by selecting the protection profile in one or more firewall policies, or by associating a protection profile with a firewall user group. The firewall policy will apply the subset of the protection profile that is relevant to the service or service group.

Note: Some of the keywords for this FortiOS version of this command are available for FortiOS Carrier in the config log and config notification subcommands.

Syntax

    config firewall profile
        edit <profile_str>
            set aim {enable-inspect | } {archive-full archive-summary block-audio block-encrypt block-file block-im block-long-chat block-photo inspect-anyport no-content-summary}
            set bittorrent {block | pass | limit}
            set bittorrent-limit <limit_int>
            set comment <comment_str>
            set edonkey {block | pass | limit}
            set edonkey-limit <limit_int>
            set filepattable <index_int>
            set ftgd-wf-allow {all | <category_str>}
            set ftgd-wf-deny {all | <category_str>}
            set ftgd-wf-enable {all | <category_str>}
            set ftgd-wf-disable {all | <category_str>}
            set ftgd-wf-https-options {allow-ovrd error-allow rate-server-ip strict-blocking}
            set ftgd-wf-log {all | <category_str>}
            set ftgd-wf-options {allow-ovrd error-allow http-err-detail rate-image-urls rate-server-ip redir-block strict-blocking}
            set ftgd-wf-ovrd {all | <category_str>}
            set ftp {archive-full archive-summary avmonitor avquery block clientcomfort filetype no-content-summary oversize quarantine scan scanextended splice}
            set ftpcomfortamount <size_int>
            set ftpcomfortinterval <seconds_int>
            set ftpoversizelimit <size_int>
            set gnutella {block | pass | limit}
            set gnutella-limit <limit_int>
            set http {activexfilter archive-full archive-summary avmonitor avquery bannedword block chunkedbypass clientcomfort cookiefilter exemptword filetype fortiguard-wf javafilter no-content-summary oversize quarantine rangeblock scan scanextended strict-file urlfilter}
            set httpcomfortamount <size_int>
            set httpcomfortinterval <seconds_int>
            set httpoversizelimit <size_int>
            set http-retry-count <retry_int>
            set https {block-ssl-unknown-sess-id block-invalid-url fortiguard-wf no-content-summary urlfilter}
            set icq {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo inspect-anyport no-content-summary}
            set im {avmonitor avquery block oversize quarantine scan}
            set imap {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamipbwl spamraddrdns spamrbl}
            set imapoversizelimit <size_int>
            set imoversizelimit <size_int>
            set imoversizechat <size_int>
            set ips-sensor <name_str>
            set ips-sensor-status {enable | disable}
            set kazaa {block | pass | limit}
            set kazaa-limit <limit_int>
            set log-av-block {enable | disable}
            set log-av-oversize {enable | disable}
            set log-av-virus {enable | disable}
            set log-im {enable | disable}
            set log-ips {enable | disable}
            set log-p2p {enable | disable}
            set log-spam {enable | disable}
            set log-voip {enable | disable}
            set log-voip-violations {enable | disable}
            set log-web-content {enable | disable}
            set log-web-filter-activex {enable | disable}
            set log-web-filter-applet {enable | disable}
            set log-web-filter-cookie {enable | disable}
            set log-web-ftgd-err {enable | disable}
            set log-web-url {enable | disable}
            set mail-sig <signature_str>
            set mailsig-status {enable | disable}
            set mms-profile <mms_profile_str> (FortiOS Carrier)
            set msn {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo no-content-summary}
            set nntp {archive-full archive-summary avmonitor avquery block filetype no-content-summary oversize scan spam-mail-log}
            set nntpoversizelimit <limit_int>
            set p2p {enable | disable}
            set pop3 {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
            set pop3oversizelimit <size_int>
            set pop3-spamaction {pass | tag}
            set pop3-spamtagmsg <message_str>
            set pop3-spamtagtype {header | subject} {spaminfo | }
            set replacemsg-group <name_str>
            set skype {block | pass}
            set smtp {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfsip spamfschksum spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
            set smtp-spam-localoverride {enable | disable}
            set smtpoversizelimit <size_int>
            set smtp-spamaction {discard | pass | tag}
            set smtp-spamhdrip {enable | disable}
            set smtp-spamtagmsg <message_str>
            set smtp-spamtagtype {header | subject} {spaminfo | }
            set spambwordtable <index_int>
            set spamemaddrtable <index_int>
            set spamipbwltable <index_int>
            set spamiptrusttable <index_int>
            set spammheadertable <index_int>
            set spamrbltable <index_int>
            set spambwordthreshold <value_int>
            set webbwordtable <index_int>
            set webbwordthreshold <value_int>
            set web-bword-threshold <value_int> (FortiOS Carrier)
            set webexmwordtable <index_int>
            set weburlfiltertable <index_int>
            set winny {block | pass | limit}
            set winny-limit <limit_int>
            set yahoo {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo inspect-anyport no-content-summary}
            config dupe (FortiOS Carrier)
            end
            config flood (FortiOS Carrier)
            end
            config log (FortiOS Carrier)
                set log-antispam-mass-mms {enable | disable}
                set log-av-block {enable | disable}
                set log-av-endpoint-filter {enable | disable}
                set log-av-oversize {enable | disable}
                set log-av-virus {enable | disable}
                set log-im {enable | disable}
                set log-intercept {enable | disable}
                set log-ips {enable | disable}
                set log-mms-notification {enable | disable}
                set log-p2p {enable | disable}
                set log-spam {enable | disable}
                set log-voip {enable | disable}
                set log-voip-violations {enable | disable}
                set log-web-content {enable | disable}
                set log-web-filter-activex {enable | disable}
                set log-web-filter-applet {enable | disable}
                set log-web-filter-cookie {enable | disable}
                set log-web-ftgd-err {enable | disable}
                set log-web-url {enable | disable}
            end
            config notification (FortiOS Carrier)
            end
            config sccp
                set archive-summary {enable | disable}
                set block-mcast {enable | disable}
                set max-calls <limit_int>
                set no-content-summary {enable | disable}
                set status {enable | disable}
                set verify-header {enable | disable}
            end
            config simple
                set archive-full {enable | disable}
                set archive-summary {enable | disable}
                set block-message {enable | disable}
                set status {enable | disable}
                set message-rate <limit_int>
            end
            config sip
                set ack-rate <rate_int> (FortiOS Carrier)
                set archive-summary {enable | disable}
                set block-ack {enable | disable}
                set block-bye {enable | disable}
                set block-cancel {enable | disable}
                set block-info {enable | disable}
                set block-invite {enable | disable}
                set block-long-lines {enable | disable}
                set block-notify {enable | disable}
                set block-options {enable | disable}
                set block-prack {enable | disable}
                set block-publish {enable | disable}
                set block-refer {enable | disable}
                set block-register {enable | disable}
                set block-subscribe {enable | disable}
                set block-unknown {enable | disable}
                set block-update {enable | disable}
                set call-keepalive <limit_int>
                set contact-fixup {enable | disable} (FortiOS Carrier)
                set info-rate <rate_int> (FortiOS Carrier)
                set invite-rate <limit_int>
                set max-dialogs <limit_int>
                set max-line-length <limit_int>
                set nat-trace {enable | disable}
                set no-sdp-fixup {enable | disable} (FortiOS Carrier)
                set notify-rate <limit_int> (FortiOS Carrier)
                set options-rate <limit_int> (FortiOS Carrier)
                set prack-rate <limit_int> (FortiOS Carrier)
                set preserve-override {enable | disable} (FortiOS Carrier)
                set primary-secondary {enable | disable} (FortiOS Carrier)
                set refer-rate <limit_int> (FortiOS Carrier)
                set reg-diff-port {enable | disable} (FortiOS Carrier)
                set register-rate <limit_int> (FortiOS Carrier)
                set rtp {enable | disable}
                set status {enable | disable}
                set strict-register {enable | disable}
                set subscribe-rate <limit_int> (FortiOS Carrier)
                set timeout-buffer <calls_int> (FortiOS Carrier)
                set update-rate <limit_int> (FortiOS Carrier)
            end
        end
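The syntax above lists every option but no complete profile. The following protection profile is an added example, not one of the reference's own, assembled only from keywords in the syntax above: inspection for HTTP, HTTPS, FTP and mail, FortiGuard web filtering with evasion-resistant options, P2P limits, an IPS sensor and logging. The profile name users_strict and the IPS sensor name all_default are assumptions; the category codes g01, 1 and c06 are the ones the keyword descriptions later on this page use as illustrations.

```text
# Added example (not from the reference). Assumed names: protection
# profile "users_strict", IPS sensor "all_default".
config firewall profile
    edit users_strict
        set comment "Web, FTP and mail inspection for user LANs"
        # HTTP: scan with the extended database, block (not pass) oversize
        # files, rate through FortiGuard and apply the local URL filter.
        # chunkedbypass is deliberately omitted: it lets chunked responses
        # skip scanning. rangeblock is omitted because it breaks Range-header
        # clients such as yum; add it only where that is acceptable.
        set http scan scanextended oversize quarantine fortiguard-wf urlfilter strict-file
        set httpoversizelimit 10
        set https fortiguard-wf urlfilter
        set ftp scan scanextended oversize quarantine
        set ftpoversizelimit 10
        # FortiGuard web filter: deny the categories used as examples in the
        # keyword table, no user override, strict matching, rate by URL and
        # by server IP, and block redirect-based evasion.
        set ftgd-wf-deny g01 1 c06
        set ftgd-wf-options strict-blocking rate-server-ip redir-block
        set ftgd-wf-https-options strict-blocking rate-server-ip
        # Mail: scan, block oversize, tag spam found by DNSBL and FortiGuard.
        set smtp scan oversize spamrbl spamfsip spamfsurl spamhelodns
        set smtp-spamaction tag
        set smtp-spamtagtype subject
        set smtp-spamtagmsg "[SPAM]"
        set pop3 scan oversize spamrbl spamfsip spamfsurl
        set imap scan oversize spamrbl spamfsip spamfsurl
        # Peer-to-peer: cap BitTorrent at 100 KB/s per policy, block the rest.
        set p2p enable
        set bittorrent limit
        set bittorrent-limit 100
        set edonkey block
        set gnutella block
        set kazaa block
        set winny block
        set skype block
        # IPS sensor and logging so the profile produces evidence.
        set ips-sensor all_default
        set ips-sensor-status enable
        set log-av-virus enable
        set log-av-block enable
        set log-av-oversize enable
        set log-web-url enable
        set log-spam enable
        set log-p2p enable
        set log-ips enable
    end
```

Apply the profile from a firewall policy with set profile_status enable and set profile users_strict. The quarantine option only takes effect on units with a hard disk or a FortiAnalyzer connection; on other models drop it and keep oversize so large files are still blocked rather than passed unscanned.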

Keywords and variables

<profile_str>
    Enter the name of this protection profile. The following commands are the set options for edit <profile_str>. No default.

aim {enable-inspect | } {archive-full archive-summary block-audio block-encrypt block-file block-im block-long-chat block-photo inspect-anyport no-content-summary}
    Enter enable-inspect to enable inspection of AOL Instant Messenger (AIM) traffic, then enter any additional options, separated by a space.
    • archive-full: Content archive both metadata and the chat itself.
    • archive-summary: Content archive chat metadata.
    • block-audio: Block audio content.
    • block-encrypt: Block encrypted sessions.
    • block-file: Block file transfers.
    • block-im: Block instant messages.
    • block-long-chat: Block oversize instant messages.
    • block-photo: Block photo sharing.
    • inspect-anyport: Inspect AIM traffic on any port that is not used by a FortiGate proxy.
    • no-content-summary: Omit content information from the dashboard.
    Default: enable-inspect.

bittorrent {block | pass | limit}
    Select the action the FortiGate unit performs on BitTorrent peer-to-peer (P2P) traffic.
    • block: Block BitTorrent traffic.
    • pass: Allow BitTorrent traffic.
    • limit: Restrict bandwidth used by BitTorrent. Configure bittorrent-limit to specify the bandwidth limit.
    This option is available only if p2p is enable. Default: pass.

bittorrent-limit <limit_int>
    Enter the maximum amount of bandwidth BitTorrent connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), BitTorrent traffic is not allowed. The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 466. This option appears only if bittorrent is set to limit. Default: 0.

comment <comment_str>
    Enter a comment about the protection profile. Comments can be up to 64 characters long. If the comment contains spaces or special characters, surround the comment with double quotes (“). No default.

edonkey {block | pass | limit}
    Select the action the FortiGate unit performs on eDonkey peer-to-peer (P2P) traffic.
    • block: Block eDonkey traffic.
    • pass: Allow eDonkey traffic.
    • limit: Restrict bandwidth used by eDonkey. Configure edonkey-limit to specify the bandwidth limit.
    This option is available only if p2p is enable. Default: pass.

edonkey-limit <limit_int>
    Enter the maximum amount of bandwidth eDonkey connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), eDonkey traffic is not allowed. The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 466. This option appears only if edonkey is set to limit. Default: 0.

filepattable <index_int>
    Enter the ID number of the file pattern list to be used with the protection profile. Default: 0.

ftgd-wf-allow {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard Web Filtering web page categories or category groups that you want to allow, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL. Separate multiple codes with a space. To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable. To delete entries, use the unset command to delete the entire list. See also “webfilter fortiguard” on page 572. Default: all categories not specified as deny or monitor.

ftgd-wf-deny {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard Web Filtering web page categories or category groups that you want to block, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL. Separate multiple codes with a space. To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable. To delete entries, use the unset command to delete the entire list. See also “webfilter fortiguard” on page 572. No default.

ftgd-wf-enable {all | <category_str>}
    Enable categories for use in local ratings. You can enable classes, categories, and groups, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL. Separate multiple codes with a space. To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable. To delete entries, use the unset command to delete the entire list. This option appears only on FortiGate-800 models and greater. See also “webfilter fortiguard” on page 572. No default.

ftgd-wf-disable {all | <category_str>}
    Disable categories for use in local ratings. You can disable classes, categories, and groups, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL. Separate multiple codes with a space. To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable. To delete entries, use the unset command to delete the entire list. This option appears only on FortiGate-800 models and greater. See also “webfilter fortiguard” on page 572. No default.

ftgd-wf-https-options {allow-ovrd error-allow rate-server-ip strict-blocking}
    Select the options for FortiGuard Web Filtering of HTTPS traffic. Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    • allow-ovrd: Allow authenticated rating overrides.
    • error-allow: Allow web pages with a rating error to pass through.
    • rate-server-ip: Rate both the URL and the IP address of the requested site, providing additional security against circumvention attempts.
    • strict-blocking: Block any web pages if any classification or category matches the rating.
    Default: strict-blocking.

ftgd-wf-log {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard Web Filtering web page categories or category groups that you want to log, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL. Separate multiple codes with a space. To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable. To delete entries, use the unset command to delete the entire list. No default.

ftgd-wf-options {allow-ovrd error-allow http-err-detail rate-image-urls rate-server-ip redir-block strict-blocking}
    Select options for FortiGuard web filtering, separating multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added. These options take effect only if FortiGuard web filtering is enabled for the protocol.
    • allow-ovrd: Allow authenticated rating overrides. If filtering overrides are enabled for the protocol and a user requests a web page from a category that is blocked, the user is presented with an authentication challenge; if they successfully authenticate, they are permitted to bypass the filter and access the web page. User groups permitted to authenticate are defined in the firewall policy. For details, see “groups <name_str>” on page 126.
    • error-allow: Allow web pages with a rating error to pass through.
    • http-err-detail: Display a replacement message for 4xx and 5xx HTTP errors. If error pages are allowed, in some cases malicious or objectionable sites could use these common error pages to circumvent web category blocking. This option does not apply to HTTPS.
    • rate-image-urls: Rate images by URL. Blocked images are replaced with blanks. This option does not apply to HTTPS.
    • rate-server-ip: Send both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system.
    • redir-block: Block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect. This option does not apply to HTTPS.
    • strict-blocking: Block any web pages if any classification or category matches the rating.
    Default: strict-blocking.

ftgd-wf-ovrd {all | <category_str>}
    Enter all, or enter one or more category codes, representing FortiGuard Web Filtering web page categories or category groups that you want to allow users to override, such as g01 Potentially Liable, 1 Drug Abuse, and c06 Spam URL. Separate multiple codes with a space. To view a list of available category codes with their descriptions, enter get, then locate entries for ftgd-wf-enable. To delete entries, use the unset command to delete the entire list. No default.

ftp {archive-full archive-summary avmonitor avquery block clientcomfort filetype no-content-summary oversize quarantine scan scanextended splice}
    Select actions, if any, the FortiGate unit will perform with FTP connections. Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    • archive-full: Content archive both metadata and the file itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard AV query service.
    • block: Deny files matching the file pattern selected by filepattable or file-pat-table (FortiOS Carrier).
    • clientcomfort: Apply client comforting and prevent client timeout.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • no-content-summary: Omit the content summary from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or are connected to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.
    • scanextended: Scan files for viruses and worms using both the current FortiGuard Antivirus wild list database and the extended database, which consists of definitions for older viruses that FortiGuard has not recently observed in the wild. The extended antivirus data is available on newer FortiGate models with more than one partition, for example: FortiGate-50B and FortiWiFi-50B; FortiGate-60B and FortiWiFi-60B; FortiGate-310B; FortiGate-1000A and FortiGate-1000AFA2; FortiGate-1000A-LENC; FortiGate-3016B, FortiGate-3600A, and FortiGate-3810A; FortiGate-5005FA2 and FortiGate-5001A.
    • splice: Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection.
    Default: splice.

ftpcomfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to show that an FTP download is progressing. The interval time is set using ftpcomfortinterval. Default: 1.

ftpcomfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after an FTP download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using ftpcomfortamount. Default: 10.

ftpoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the ftpoversizelimit, the file is passed or blocked, depending on whether ftp contains the oversize option. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM. Default: 10.

gnutella {block | pass | limit}
    Select the action the FortiGate unit performs on Gnutella peer-to-peer (P2P) traffic.
    • block: Block Gnutella traffic.
    • pass: Allow Gnutella traffic.
    • limit: Restrict bandwidth used by Gnutella. Configure gnutella-limit to specify the bandwidth limit.
    This option is available only if p2p is enable.
    Default: pass

gnutella-limit <limit_int>
    Enter the maximum amount of bandwidth Gnutella connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), Gnutella traffic is not allowed. This option appears only if gnutella is set to limit. The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 466.
    Default: 0

http {activexfilter archive-full archive-summary avmonitor avquery bannedword block chunkedbypass clientcomfort cookiefilter exemptword filetype fortiguard-wf javafilter no-content-summary oversize quarantine rangeblock scan scanextended strict-file urlfilter}
    Select actions, if any, the FortiGate unit will perform with HTTP connections.
    • activexfilter: Block ActiveX plugins.
    • archive-full: Content archive both metadata and the request.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
    • bannedword: Block web pages containing content in the banned word list.
    • block: Deny files matching the file pattern selected by filepattable or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • chunkedbypass: Allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message body is altered to allow it to be transferred in a series of chunks. Use of this feature is a risk: malicious content could enter the network if web content is allowed to bypass the firewall.
    • clientcomfort: Apply client comforting and prevent client timeout.
    • cookiefilter: Block cookies.
    • exemptword: Exempt words from content blocking.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • fortiguard-wf: Use FortiGuard Web Filtering.
    • javafilter: Block Java applets.
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or are connected to a FortiAnalyzer unit.
    • rangeblock: Block downloading parts of a file that have already been partially downloaded. Enabling this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed, and enabling this option can cause download interruptions. Enabling this option may also break certain applications that use the Range header in the HTTP protocol, such as YUM, a Linux update manager.
    • scan: Scan files for viruses and worms.
    • scanextended: Scan files for viruses and worms using both the current FortiGuard Antivirus wild list database and the extended database, which consists of definitions for older viruses that FortiGuard has not recently observed in the wild. The extended antivirus database is available on newer FortiGate models with more than one partition, for example:
        • FortiGate-50B and FortiWiFi-50B
        • FortiGate-60B and FortiWiFi-60B
        • FortiGate-310B
        • FortiGate-1000A and FortiGate-1000AFA2
        • FortiGate-1000A-LENC
        • FortiGate-3016B, FortiGate-3600A, and FortiGate-3810A
        • FortiGate-5005FA2 and FortiGate-5001A
    • strict-file: Perform stricter checking for blocked files as specified by antivirus file patterns. This more thorough checking can effectively block some web sites with elaborate scripting using .exe or .dll files if those patterns are blocked.
    • urlfilter: Use the URL filter list.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.

httpcomfortamount <size_int>
    Enter the number of bytes client comforting sends each interval to show an HTTP download is progressing. The interval time is set using httpcomfortinterval.
    Default: 1

httpcomfortinterval <seconds_int>
    Enter the time in seconds before client comforting starts after an HTTP download has begun. It is also the interval between subsequent client comforting sends. The amount of data sent each interval is set using httpcomfortamount.
    Default: 10

httpoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the httpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile http command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Default: 10

http-retry-count <retry_int>
    Enter the number of times to retry establishing an HTTP connection when the connection fails on the first try. This allows the web server proxy to repeat the connection attempt on behalf of the browser if the server refuses the connection the first time. This reduces the number of hang-ups or page not found errors for busy web servers. Entering zero (0) effectively disables this feature. The range is 0 to 100.
    Default: 0

FortiGate® CLI Version 3.0 MR7 Reference 01-30007-0015-20090112
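The reason the reference calls chunkedbypass a risk is easier to see with the encoding in hand. The following is an added example, not part of the CLI Reference and not a model of FortiOS internals: it decodes an HTTP/1.1 chunked body and contrasts a scanner that looks at each chunk in isolation with one that reassembles the body first. The response body and the MALWARE-PATTERN signature are constructed for the demonstration.

```python
"""Why letting chunked HTTP bypass inspection is a risk.

Added example; it is not part of the FortiGate CLI Reference and does not
model FortiOS internals. It shows what chunked transfer coding does to a body
and why a scanner must reassemble the chunks before matching: a pattern split
across a chunk boundary is invisible chunk-by-chunk and visible only in the
decoded body. The response body and the SIGNATURE pattern are constructed.
"""


def _chunk_size(body: bytes, pos: int):
    """Parse one chunk-size line at pos; return (size, index of chunk data)."""
    eol = body.index(b"\r\n", pos)
    size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop any chunk-ext
    return int(size_field, 16), eol + 2


def dechunk(body: bytes) -> bytes:
    """Decode a chunked transfer-coded body (RFC 7230 section 4.1)."""
    out, pos = bytearray(), 0
    while True:
        size, pos = _chunk_size(body, pos)
        if size == 0:
            return bytes(out)          # last-chunk; trailers, if any, follow
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF after chunk data")
        out += data
        pos += size + 2


def chunks(body: bytes):
    """Yield each chunk's payload separately: a per-chunk scanner's view."""
    pos = 0
    while True:
        size, pos = _chunk_size(body, pos)
        if size == 0:
            return
        yield body[pos:pos + size]
        pos += size + 2


def encode_chunked(parts) -> bytes:
    """Chunk-encode the given byte strings, one chunk per part."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


SIGNATURE = b"MALWARE-PATTERN"   # constructed stand-in for an AV signature


def per_chunk_scan(body: bytes) -> bool:
    """Naive scanner that matches inside each chunk without reassembly."""
    return any(SIGNATURE in c for c in chunks(body))


def reassembled_scan(body: bytes) -> bool:
    """Scanner that dechunks first, as a proxy must if it inspects the body."""
    return SIGNATURE in dechunk(body)


# Constructed response: the pattern straddles the boundary between two chunks.
SPLIT_BODY = encode_chunked([b"<html><body>harmless text MALWARE-PA",
                             b"TTERN more text</body></html>"])
```

per_chunk_scan(SPLIT_BODY) is False while reassembled_scan(SPLIT_BODY) is True: a proxy that either skips chunked responses (chunkedbypass) or scans chunk by chunk never sees the assembled content, so the split is a free evasion for the sender.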

https {block-ssl-unknown-sess-id block-invalid-url fortiguard-wf no-content-summary urlfilter}
    Select actions, if any, the FortiGate unit will perform with HTTPS connections.
    • block-ssl-unknown-sess-id: Enable blocking of SSL sessions whose ID has not been previously filtered. This option allows for unknown (encrypted SSL data) session IDs by default. However, session IDs may be regenerated by the server, which in turn will reject some HTTPS sessions based on the 'unknown session ID' test.
    • block-invalid-url: Block web sites whose SSL certificate’s CN field does not contain a valid domain name. FortiGate units always validate the CN field, regardless of whether this option is enabled, although if this option is disabled, validation failure does not cause the FortiGate unit to block the request.
    • fortiguard-wf: Enable FortiGuard Web Filtering. If HTTPS web filtering is enabled, it changes the behavior of FortiGuard Web Filtering. If the request is made directly to the web server, rather than to a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name. If the request is to a web server proxy, the real IP address of the web server is not known, and so rating queries by either or both the IP address and the domain name are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.
    • no-content-summary: Omit content information from the dashboard.
    • urlfilter: Enable the URL filter list.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: No default.

icq {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo inspect-anyport no-content-summary}
    Enter enable-inspect to enable inspection of ICQ Instant Messenger traffic, then enter any additional options. Separate multiple options with a space.
    • archive-full: Content archive both metadata and the chat itself.
    • archive-summary: Content archive metadata.
    • block-audio: Block audio content.
    • block-file: Block file transfers.
    • block-im: Block instant messages.
    • block-photo: Block photo sharing.
    • inspect-anyport: Inspect ICQ traffic on any port that is not used by a FortiGate proxy.
    • no-content-summary: Omit content information from the dashboard.
    Default: inspect-anyport

im {avmonitor avquery block oversize quarantine scan}
    Select actions, if any, the FortiGate unit will perform with instant message (IM) connections.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
    • block: Deny files matching the file pattern selected by filepattable or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or are connected to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: No default.

imap {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamipbwl spamraddrdns spamrbl}
    Select actions, if any, the FortiGate unit will perform with IMAP connections.
    • archive-full: Content archive both metadata and the email itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus service for virus detection using MD5 checksums.
    • bannedword: Block email containing content on the banned word list.
    • block: Deny files matching the file pattern selected by filepattable or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    • scan: Scan files for viruses and worms.
    • spam-mail-log: Include spam in the mail log.
    • spamemailbwl: Filter email using the email address list.
    • spamfschksum: Use FortiGuard Antispam email message checksum spam checking.
    • spamfsip: Use the FortiGuard Antispam IP address blacklist.
    • spamfssubmit: Add a link to the message body to allow users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to inform FortiGuard of the false positive.
    • spamfsurl: Use the FortiGuard Antispam URL blacklist.
    • spamipbwl: Filter email using the email IP address list.
    • spamraddrdns: Filter email using the return email DNS check.
    • spamrbl: Check traffic against the configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: fragmail spamfssubmit

imapoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the imapoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile imap command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
    Default: 10

imoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the imoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile im command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Default: 10

imoversizechat <size_int>
    Enter the maximum allowed length of chat messages in bytes, from 2048 to 65536.
    Default: 8192

ips-sensor <name_str>
    Enter the name of an IPS sensor (set of signatures). This option does not select denial of service (DoS) sensors. For details on configuring DoS sensors, see “ips DoS” on page 194.
    Default: No default.

ips-sensor-status {enable | disable}
    Select to use an IPS sensor. If enabled, also configure ips-sensor.
    Default: disable

kazaa {block | pass | limit}
    Select the action the FortiGate unit performs on Kazaa peer-to-peer (P2P) traffic.
    • block: Block Kazaa traffic.
    • pass: Allow Kazaa traffic.
    • limit: Restrict bandwidth used by Kazaa. Configure kazaa-limit to specify the bandwidth limit.
    This option is available only if p2p is enable.
    Default: pass

kazaa-limit <limit_int>
    Enter the maximum amount of bandwidth Kazaa connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), Kazaa traffic is not allowed. This option appears only if kazaa is set to limit. The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 466.
    Default: 0

log-av-block {enable | disable}
    Select to log file pattern or file type blocking.
    Default: disable

log-av-oversize {enable | disable}
    Select to log oversize file and email blocking.
    Default: disable

log-av-virus {enable | disable}
    Select to log viruses detected.
    Default: disable

log-im {enable | disable}
    Select to log IM activity by profile.
    Default: disable

log-ips {enable | disable}
    Select to log IPS events.
    Default: disable

log-p2p {enable | disable}
    Select to log P2P activity.
    Default: disable

log-spam {enable | disable}
    Select to log spam detected.
    Default: disable

log-voip {enable | disable}
    Select to log VoIP activity.
    Default: disable

log-voip-violations {enable | disable}
    Select to log VoIP events.
    Default: disable

log-web-content {enable | disable}
    Select to log web content blocking.
    Default: disable

log-web-filter-activex {enable | disable}
    Select to log ActiveX plugin blocking.
    Default: disable

log-web-filter-applet {enable | disable}
    Select to log Java applet blocking.
    Default: disable

log-web-filter-cookie {enable | disable}
    Select to log cookie blocking.
    Default: disable

log-web-ftgd-err {enable | disable}
    Select to log FortiGuard rating errors.
    Default: enable

log-web-url {enable | disable}
    Select to log URL blocking.
    Default: disable

mail-sig <signature_str>
    Enter a signature to add to outgoing email. If the signature contains spaces, surround it with single or double quotes (‘ or “). This option is applied only if mailsig-status is enable.
    Default: No default.

mailsig-status {enable | disable}
    Select to add a signature to outgoing email. Also configure mail-sig.
    Default: disable

mms-profile <mms_profile_str> (FortiOS Carrier)
    Enter the name of an MMS protection profile to add to this protection profile.
    Default: No default.

msn {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo no-content-summary}
    Enter enable-inspect to enable inspection of Microsoft Windows Messenger traffic, then enter additional options, if any. FortiGate units can perform MSN protocol content inspection on any port that is not used by a FortiGate proxy, such as those being scanned for viruses or filtered URLs.
    • archive-full: Content archive both metadata and the chat itself.
    • archive-summary: Content archive metadata.
    • block-audio: Block audio content.
    • block-file: Block file transfers.
    • block-im: Block instant messages.
    • block-photo: Block photo sharing.
    • no-content-summary: Omit content information from the dashboard.
    Default: No default.

nntp {archive-full archive-summary avmonitor avquery block filetype no-content-summary oversize scan spam-mail-log}
    Select actions, if any, the FortiGate unit will perform with NNTP connections.
    • archive-full: Content archive both metadata and the email itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus query service.
    • block: Deny files matching the file pattern selected by filepattable or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • scan: Scan files for viruses and worms.
    • spam-mail-log: Include spam in the mail log.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: No default.

nntpoversizelimit <limit_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the nntpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile nntp command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Default: 10

p2p {enable | disable}
    Select to inspect peer-to-peer (P2P) traffic. If disabled, P2P traffic passing through the FortiGate unit will not receive inspection or statistics tracking.
    Default: disable

pop3 {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfschksum spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl}
    Select actions, if any, the FortiGate unit will perform with POP3 connections.
    • archive-full: Content archive both metadata and the mail itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard Antivirus query service.
    • bannedword: Block email containing content in the banned word list.
    • block: Deny files matching the file pattern selected by filepattable or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or a connection to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.
    • spam-mail-log: Include spam in the email log.
    • spamemailbwl: Block email containing addresses in the email address list.
    • spamfschksum: Use FortiGuard Antispam email message checksum spam checking.
    • spamfsip: Use the FortiGuard Antispam IP address blacklist.
    • spamfssubmit: Add a link to the message body to allow users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to inform FortiGuard of the false positive.
    • spamfsurl: Use the FortiGuard Antispam URL blacklist.
    • spamhdrcheck: Filter email using the MIME header list.
    • spamipbwl: Filter email using the email IP address list.
    • spamraddrdns: Filter email using the return email DNS check.
    • spamrbl: Filter email using the configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: fragmail spamfssubmit

pop3oversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the pop3oversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile pop3 command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
    Default: 10

pop3-spamaction {pass | tag}
    Select the action to perform on POP3 email that is detected as spam.
    • pass: Disable spam filtering for POP3 traffic.
    • tag: Tag spam email with text configured using the pop3-spamtagmsg keyword and the location set using the pop3-spamtagtype keyword.
    Default: tag

pop3-spamtagmsg <message_str>
    Enter a word or phrase (tag) to affix to email identified as spam. When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see “system global” on page 371.
    Note: To correctly enter the tag, your SSH or telnet client must also support your language’s encoding. Alternatively, you can use the web-based manager’s CLI widget to enter the tag.
    Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting. Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (‘) to be accepted by the CLI.
    Default: Spam

pop3-spamtagtype {header | subject} {spaminfo | }
    Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure pop3-spamtagmsg.
    If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of subject line to UTF-8, see “system settings” on page 466.
    Default: subject spaminfo

replacemsg-group <name_str> (FortiOS Carrier)
    Enter the name of the replacement message group to be used with this protection profile.
    Default: No default.

skype {block | pass}
    Select the action the FortiGate unit performs on Skype peer-to-peer (P2P) traffic.
    • block: Block Skype traffic.
    • pass: Allow Skype traffic.
    This option is available only if p2p is enable.
    Default: pass


smtp {archive-full archive-summary avmonitor avquery bannedword block filetype fragmail no-content-summary oversize quarantine scan spam-mail-log spamemailbwl spamfsip spamfschksum spamfssubmit spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
    Select actions, if any, the FortiGate unit will perform with SMTP connections.
    • archive-full: Content archive both metadata and the email itself.
    • archive-summary: Content archive metadata.
    • avmonitor: Log detected viruses, but allow them through the firewall without modification.
    • avquery: Use the FortiGuard AV query service.
    • bannedword: Block email containing content in the banned word list.
    • block: Deny files matching the file pattern selected by filepattable or file-pat-table (FortiOS Carrier), even if the files do not contain viruses.
    • filetype: Block specific types of files even if the files do not contain viruses. The file type table used is set with the file-type-table command. (FortiOS Carrier)
    • fragmail: Allow fragmented email. Fragmented email cannot be scanned for viruses.
    • no-content-summary: Omit content information from the dashboard.
    • oversize: Block files that are over the file size limit.
    • quarantine: Quarantine files that contain viruses. This feature is available for FortiGate units that contain a hard disk or a connection to a FortiAnalyzer unit.
    • scan: Scan files for viruses and worms.
    • spam-mail-log: Include spam in the email log.
    • spamemailbwl: Filter email using the email address list.
    • spamfsip: Use the FortiGuard Antispam IP address blacklist.
    • spamfschksum: Use FortiGuard Antispam email message checksum spam checking.
    • spamfssubmit: Add a link to the message body allowing users to report messages incorrectly marked as spam. If an email message is not spam, click the link in the message to report the false positive.
    • spamfsurl: Use the FortiGuard Antispam URL blacklist.
    • spamhdrcheck: Filter email using the MIME header list.
    • spamhelodns: Filter email using a HELO/EHLO DNS check.
    • spamipbwl: Filter email using the source IP or subnet address.
    • spamraddrdns: Filter email using a return email DNS check.
    • spamrbl: Filter email using the configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    • splice: Simultaneously scan a message and send it to the recipient. If the FortiGate unit detects a virus, it prematurely terminates the connection and returns an error message to the sender, listing the virus and infected file name. splice is selected automatically when scan is selected. With streaming mode enabled, select either Tagged or Discard as the spam action for SMTP spam. When streaming mode is disabled for SMTP, infected attachments are removed and the email is forwarded (without the attachment) to the SMTP server for delivery to the recipient. Throughput is higher when streaming mode is enabled.
    Separate multiple options with a space. To remove an option from the list or add an option to the list, retype the list with the option removed or added.
    Default: no-content-summary splice


smtp-spam-localoverride {enable | disable}
    Select to override the SMTP remote checks, which include the IP RBL check, the IP FortiGuard antispam check, and the HELO DNS check, with the locally defined black/white antispam list.
    Default: disable

smtpoversizelimit <size_int>
    Enter the maximum in-memory file size that will be scanned, in megabytes. If the file is larger than the smtpoversizelimit, the file is passed or blocked, depending on whether oversize is set in the profile smtp command. The maximum file size for scanning in memory is 10% of the FortiGate unit’s RAM.
    Note: For email scanning, the oversize threshold refers to the final size of the email after encoding by the email client, including attachments. Email clients may use a variety of encoding types and some encoding types translate into larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
    Default: 10

smtp-spamaction {discard | pass | tag}
    Select the action that this profile uses for filtered SMTP email. Tagging appends custom text to the subject or header of email identified as spam. When scan or streaming mode (also called splice) is selected, the FortiGate unit can only discard spam email. Discard immediately drops the connection. Without streaming mode or scanning enabled, choose to discard, pass, or tag SMTP spam. In the US Domestic distribution, streaming mode is permanently enabled for SMTP, and the tag option is not available.
    • discard: Do not pass email identified as spam.
    • pass: Disable spam filtering for SMTP traffic.
    • tag: Tag spam email with text configured using the smtp-spamtagmsg keyword and the location set using the smtp-spamtagtype keyword.
    Default: discard

smtp-spamhdrip {enable | disable}
    Select to check header IP addresses for the spamfsip, spamrbl, and spamipbwl filters.
    Default: disable

smtp-spamtagmsg <message_str>
    Enter a word or phrase (tag) to affix to email identified as spam. When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see “system global” on page 371.
    Note: To correctly enter the tag, your SSH or telnet client must also support your language’s encoding. Alternatively, you can use the web-based manager’s CLI widget to enter the tag.
    Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting. Tags containing space characters, such as multiple words or phrases, must be surrounded by quote characters (‘) to be accepted by the CLI.
    Default: Spam
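The note attached to imapoversizelimit, pop3oversizelimit and smtpoversizelimit is easy to underestimate when sizing a limit. The following is an added example, not part of the CLI Reference: it computes the size of a message as the proxy sees it, with the attachment base64-encoded, and decides whether a given limit trips. It assumes MIME's 76-column lines terminated by CRLF (RFC 2045) and binary megabytes for the limit; neither is stated on the page. The attachment sizes and header length are constructed inputs.

```python
"""Estimate whether an email attachment will exceed an *oversizelimit.

Added example; not part of the FortiGate CLI Reference. It models the note
attached to imapoversizelimit, pop3oversizelimit and smtpoversizelimit: the
threshold applies to the message as encoded by the client, and base64 turns 3
bytes into 4. The 76-column lines terminated by CRLF are the MIME convention
(RFC 2045), assumed here; the reference does not state it. The limit is taken
as binary megabytes (1024*1024), also an assumption.
"""
import base64

MB = 1024 * 1024


def base64_mime_size(raw_len: int, line_len: int = 76) -> int:
    """Bytes occupied by raw_len bytes after base64 and CRLF line wrapping."""
    encoded = 4 * ((raw_len + 2) // 3)            # 3 -> 4, padded to a multiple of 4
    lines = (encoded + line_len - 1) // line_len  # ceil(encoded / line_len)
    return encoded + 2 * lines                    # one CRLF per line


def encoded_message_size(attachment_len: int, header_len: int) -> int:
    """Size of headers plus one base64 attachment part, as the proxy sees it."""
    return header_len + base64_mime_size(attachment_len)


def is_oversize(attachment_len: int, header_len: int, limit_mb: int) -> bool:
    """True when the encoded message exceeds the configured oversize limit."""
    return encoded_message_size(attachment_len, header_len) > limit_mb * MB


def largest_attachment_under(limit_mb: int, header_len: int) -> int:
    """Largest raw attachment (bytes) that still passes; binary search."""
    lo, hi = 0, limit_mb * MB
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if is_oversize(mid, header_len, limit_mb):
            hi = mid - 1
        else:
            lo = mid
    return lo


def matches_stdlib_encoder(raw_len: int) -> bool:
    """Cross-check the arithmetic against base64.encodebytes on a constructed blob.

    encodebytes emits 76-column lines ending in LF; adding one byte per line
    accounts for the CR of a MIME CRLF.
    """
    enc = base64.encodebytes(b"\x00" * raw_len)
    return len(enc) + enc.count(b"\n") == base64_mime_size(raw_len)
```

With the default limit of 10 and a 1 KB header, a 7 MB attachment passes but an 8 MB attachment is oversized, and largest_attachment_under(10, 1024) lands a little above 7.3 MB: the practical rule is that the raw attachment must stay under roughly 73% of the configured limit.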


smtp-spamtagtype {header | subject} {spaminfo | }
    Select to affix the tag to either the MIME header or the subject line, and whether or not to append spam information to the spam header, when an email is detected as spam. Also configure smtp-spamtagmsg.
    If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on disabling conversion of subject line to UTF-8, see “system settings” on page 466.
    Default: subject spaminfo

spambwordtable <index_int>
    Enter the ID number of the spamfilter banned word list to be used with the protection profile. This variable appears only on FortiGate-800 and above units.
    Default: 0

spamemaddrtable <index_int>
    Enter the ID number of the spamfilter email address list to be used with the protection profile. This variable appears only on FortiGate-800 and above units.
    Default: 0

spamipbwltable <index_int>
    Enter the ID number of the spamfilter IP address black/white list to be used with the protection profile. This variable appears only on FortiGate-800 and above units.
    Default: 0

spamiptrusttable <index_int>
    Enter the ID number of the spamfilter IP trust list to be used with the protection profile. This variable appears only on FortiGate-800 models and greater.
    Default: 0

spammheadertable <index_int>
    Enter the ID number of the spamfilter MIME header list to be used with the protection profile. This variable appears only on FortiGate-800 models and greater.
    Default: 0

spamrbltable <index_int>
    Enter the ID number of the spamfilter DNSBL list to be used with the protection profile. This variable appears only on FortiGate-800 models and greater.
    Default: 0

spambwordthreshold <value_int>
    If the combined scores of the banned word patterns appearing in an email message exceed the threshold value, the message will be processed according to the Spam Action setting.
    Default: 10

webbwordtable <index_int>
    Enter the ID number of the webfilter banned word list to be used with the protection profile. This variable appears only on FortiGate-800 models and greater.
    Default: 0

webbwordthreshold <value_int>
    Enter the maximum score a web page can have before being blocked. If the combined scores of the content block patterns appearing on a web page exceed the threshold value, the page will be blocked.
    Default: 10

web-bword-threshold <value_int> (FortiOS Carrier)
    Enter the maximum score a web page can have before being blocked. If the combined scores of the content block patterns appearing on a web page exceed the threshold value, the page will be blocked.
    Default: 10

webexmwordtable <index_int>
    Enter the ID number of the webfilter exempt word list to be used with the protection profile. This variable appears only on FortiGate-800 models and greater.
    Default: 0

weburlfiltertable <index_int>
    Enter the ID number of the webfilter URL filter list to be used with the protection profile. This variable appears only on FortiGate-800 models and greater.
    Default: 0


winny {block | pass | limit}
    Select the action the FortiGate unit performs on WinNY peer-to-peer (P2P) traffic.
    • block: Block WinNY traffic.
    • pass: Allow WinNY traffic.
    • limit: Restrict bandwidth used by WinNY. Configure winny-limit to specify the bandwidth limit.
    This option is available only if p2p is enable.
    Default: pass

winny-limit <limit_int>
    Enter the maximum amount of bandwidth WinNY connections are allowed to use, up to 100000 KB/s. If this variable is set to zero (0), WinNY traffic is not allowed. This option appears only if winny is set to limit. The bandwidth limit can be applied separately for each firewall policy that uses the protection profile, or shared by all firewall policies that use the protection profile. By default, the limit is applied separately to each firewall policy. For information on configuring per policy or per protection profile P2P bandwidth limiting, see the p2p-rate-limiting variable in “system settings” on page 466.
    Default: 0

yahoo {enable-inspect | } {archive-full archive-summary block-audio block-file block-im block-photo inspect-anyport no-content-summary}
    Enter enable-inspect to enable inspection of Yahoo Messenger traffic, then enter any additional options. Separate multiple options with a space.
    • archive-full: Content archive both metadata and the chat itself.
    • archive-summary: Content archive metadata.
    • block-audio: Block audio content.
    • block-file: Block file transfers.
    • block-im: Block instant messages.
    • block-photo: Block photo sharing.
    • inspect-anyport: Inspect traffic on any port that is not used by a FortiGate proxy, such as those being scanned for viruses or filtered URLs.
    • no-content-summary: Omit content information from the dashboard.
    Default: inspect-anyport

config dupe (FortiOS Carrier)
    For FortiOS Carrier, this command has been moved to “config dupe {mm1 | mm4}” on page 112.

config flood (FortiOS Carrier)
    For FortiOS Carrier, this command has been moved to “config flood {mm1 | mm4}” on page 114.

config notification (FortiOS Carrier)
    For FortiOS Carrier, this command has been moved to “config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7}” on page 116.

Example
This example shows how to create a profile called spammail, using:
• filtering of email according to the email banned word list, the MIME header list, and the return DNS check; spam is logged and tagged with the tag “Spam” in the subject for POP3 traffic
• filtering of email based on the DNSBL server, discarding messages identified as spam for SMTP traffic

config firewall profile
  edit spammail
    set pop3 spamemailbwl spamhdrcheck spamraddrdns
    set pop3-spamaction log tag
    set pop3-spamtagmsg Spam
    set pop3-spamtagtype subject
    set smtp spamrbl
    set smtp-spamaction discard
  end

This example shows how to add HTTP category blocking to the spammail profile created above, using:
• category blocking to deny access to web pages categorized as Games (20), Personals and Dating (37), Shopping and Auction (42) and the category group Objectionable or Controversial (g02)
• category monitoring to log access to web pages categorized as Computer Security (50) and the category group Potentially Bandwidth Consuming (g04)

config firewall profile
  edit spammail
    set ftgd-wf-deny 20 37 42 g02
    set ftgd-wf-log 50 g04
  end

config log (FortiOS Carrier)
Use this command to write event log messages when the options that you have enabled in this protection profile perform an action. For example, if you enable antivirus protection you could also use the config log command to enable log-av-block so that the FortiGate unit writes an event log message every time a virus is detected. All of the config log keywords are the same as the corresponding config policy keywords except the following:

Variables

log-antispam-mass-mms {enable | disable}
Select to log duplicate or flood MMS notification messages. Also select the log action for each protocol and bulk MMS message event that you want to log. For details, see “action1 {alert-notif archive archive-first block intercept log}” on page 113.
Default: disable

log-av-endpoint-filter {enable | disable}
Select to log endpoint (such as MSISDN) blocking, intercepts, and archiving in MMS messages.
Default: disable

log-intercept {enable | disable}
Select to log MMS intercept actions in MMS messages.
Default: disable

log-mms-notification {enable | disable}
Select to log MMS notification messages in MMS messages.
Default: disable

Example
This example shows how to enable writing event log messages when the following happens because of settings in the protection profile being configured:
• a virus is detected
• an MMS message is intercepted

config firewall profile
  edit example
    config log
      set log-av-virus enable
      set log-intercept enable
    end
  end


config sccp
Use this command to configure Skinny Call Control Protocol (SCCP) extensions such as:
• content archiving SCCP call metadata
• protection from SCCP DoS attacks by blocking multicast RTP connections and limiting the maximum number of SCCP calls
• verifying SCCP header content

When SCCP rate limiting is enabled, if the FortiGate unit receives more messages per second (or minute) than the configured rate, the extra messages are dropped.
Variables

archive-summary {enable | disable}
Enable to content archive call metadata.
Default: disable

block-mcast {enable | disable}
Enable to block multicast RTP connections.
Default: disable

max-calls <limit_int>
Enter the maximum calls per minute per SCCP client (max 65535). If the FortiGate unit receives more calls per minute, the extra calls are dropped. Set to 0 to disable limiting the number of calls.
Default: 0

no-content-summary {enable | disable}
Enable to monitor SCCP call data.
Default: disable

status {enable | disable}
Enable to use SCCP extensions to inspect SCCP traffic. Other SCCP extension options become available if this option is set to enable.
Default: disable

verify-header {enable | disable}
Enable to verify SCCP header content.
Default: disable

Example
This example shows how to enable SCCP extensions and set the maximum number of SCCP calls to 200:

config firewall profile
  edit example
    config sccp
      set status enable
      set max-calls 200
    end
  end

config simple
Use this command to configure Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE) extensions such as:
• content archiving SIMPLE call metadata
• protection from SIMPLE DoS attacks by blocking multicast SIMPLE instant messages and limiting the maximum number of SIMPLE calls

When SIMPLE rate limiting is enabled, if the FortiGate unit receives more messages per second (or minute) than the configured rate, the extra messages are dropped.


Variables

archive-full {enable | disable}
Enable to content archive the full contents of chat messages.
Default: disable

archive-summary {enable | disable}
Enable to content archive summary information for chat messages.
Default: disable

block-message {enable | disable}
Enable to block SIMPLE instant messages.
Default: disable

message-rate <limit_int>
Enter the MESSAGE request rate limit per second, per policy. Set to 0 to disable limiting the message rate.
Default: 0

status {enable | disable}
Enable to use SIMPLE extensions to inspect SIMPLE traffic. Other SIMPLE inspection options become available if this option is set to enable.
Default: disable

Example
This example shows how to enable SIMPLE extensions and limit the SIMPLE message rate to 150:

config firewall profile
  edit example
    config simple
      set status enable
      set message-rate 150
    end
  end

config sip
Use this command to configure Session Initiation Protocol (SIP) extensions such as:
• content archiving SIP call metadata
• protection from SIP DoS attacks by blocking various SIP messages, and limiting SIP call setup messages

When SIP rate limiting is enabled, if the FortiGate unit receives more messages per second (or minute) than the configured rate, the extra messages are dropped. See the SIP support chapter of the FortiGate Administration Guide for more information about FortiGate SIP options and extensions.
Variables

ack-rate <rate_int> (FortiOS Carrier)
Enter the SIP ACK rate limit per second, per policy. Set the rate to 0 to disable limiting the ACK rate.
Default: 0

archive-summary {enable | disable}
Enable to content archive SIP call metadata.
Default: disable

block-ack {enable | disable}
Enable to block SIP ACK requests.
Default: disable

block-bye {enable | disable}
Enable to block SIP BYE requests.
Default: disable

block-cancel {enable | disable}
Enable to block SIP CANCEL requests.
Default: disable

block-info {enable | disable}
Enable to block SIP INFO requests.
Default: disable

block-invite {enable | disable}
Enable to block SIP INVITE requests.
Default: disable

block-long-lines {enable | disable}
Enable to block SIP requests with headers exceeding max-line-length.
Default: enable

block-notify {enable | disable}
Enable to block SIP NOTIFY requests.
Default: disable

block-options {enable | disable}
Enable to block SIP OPTIONS requests.
Default: disable

block-prack {enable | disable}
Enable to block SIP PRACK requests.
Default: disable

block-publish {enable | disable}
Enable to block SIP PUBLISH requests.
Default: disable

block-refer {enable | disable}
Enable to block SIP REFER requests.
Default: disable

block-register {enable | disable}
Enable to block SIP REGISTER requests.
Default: disable

block-subscribe {enable | disable}
Enable to block SIP SUBSCRIBE requests.
Default: disable

block-unknown {enable | disable}
Enable to block unrecognized SIP requests.
Default: enable

block-update {enable | disable}
Enable to block SIP UPDATE requests.
Default: disable

call-keepalive <limit_int>
Limit the number of minutes to track SIP calls with no RTP. Set the limit to 0 to disable limiting the number of minutes to track SIP calls with no RTP.
Default: 0

contact-fixup {enable | disable} (FortiOS Carrier)
Enable contact-fixup so that the FortiGate SIP ALG performs normal SIP NAT translation of SIP Contact headers as SIP sessions pass through the FortiGate unit. Disable contact-fixup if you do not want the SIP ALG to perform normal SIP NAT translation of the SIP Contact header when a Record-Route header is also present. If contact-fixup is disabled, the SIP ALG does the following with Contact headers:
• For Contact in requests, if a Record-Route header is present and the request comes from the external network, the SIP Contact header is not translated.
• For Contact in responses, if a Record-Route header is present and the response comes from the external network, the SIP Contact header is not translated.
If contact-fixup is disabled, the SIP ALG must be able to identify the external network. To identify the external network, you must use the config system interface command to set the external keyword to enable for the interface that is connected to the external network. See system interface “external {enable | disable}” on page 400.
Default: enable

info-rate <rate_int> (FortiOS Carrier)
Enter the SIP INFO rate limit per second, per policy. Set the rate to 0 to disable limiting the INFO rate.
Default: 0

invite-rate <limit_int>
Enter the SIP INVITE request rate limit per second, per policy. Set the rate to 0 to disable limiting the INVITE rate.
Default: 0

max-dialogs <limit_int>
Enter the maximum number of concurrent SIP calls. Set the limit to 0 to disable limiting the maximum number of SIP calls.
Default: 0

max-line-length <limit_int>
Enter the maximum SIP header line length (78-4096).
Default: 998

nat-trace {enable | disable}
Enable to preserve the original IP address in the SDP i line.
Default: enable

no-sdp-fixup {enable | disable} (FortiOS Carrier)
Enable to preserve the SIP SDP packet.
Default: disable

notify-rate <limit_int> (FortiOS Carrier)
Enter the SIP NOTIFY rate limit per second, per policy. Set the rate to 0 to disable limiting the NOTIFY rate.
Default: 0

options-rate <limit_int> (FortiOS Carrier)
Enter the SIP OPTIONS rate limit per second, per policy. Set the rate to 0 to disable limiting the OPTIONS rate.
Default: 0

prack-rate <limit_int> (FortiOS Carrier)
Enter the SIP PRACK rate limit per second, per policy. Set the rate to 0 to disable limiting the PRACK rate.
Default: 0

preserve-override {enable | disable} (FortiOS Carrier)
Enable to remove the original IP address from the SDP i line. When disabled, IP addresses are appended.
Default: disable

primary-secondary {enable | disable} (FortiOS Carrier)
Enable to monitor SIP primary/secondary outbound proxy redundancy.
Default: disable

refer-rate <limit_int> (FortiOS Carrier)
Enter the SIP REFER rate limit per second, per policy. Set the rate to 0 to disable limiting the REFER rate.
Default: 0

reg-diff-port {enable | disable}
Enable reg-diff-port to accept a SIP REGISTER response from a SIP server even if the source port of the REGISTER response is different from the destination port of the REGISTER request. Most SIP servers use 5060 as the source port in the SIP REGISTER response; some SIP servers, however, may use a different source port. If your SIP server uses a different source port you can enable reg-diff-port and the FortiGate SIP ALG will create a temporary pinhole when receiving a REGISTER request from a SIP client. As a result, the FortiGate unit will accept a REGISTER response with any source port number from the SIP server. Because that pinhole no longer checks the source port, enable this option only for servers that actually need it.
Default: disable

register-rate <limit_int> (FortiOS Carrier)
Enter the SIP REGISTER request rate limit per second, per policy. Set the rate to 0 to disable limiting the REGISTER request rate.
Default: 0

status {enable | disable}
Enable to use SIP extensions to inspect SIP traffic. Other SIP inspection options become available if this option is set to enable.
Default: disable

rtp {enable | disable}
Enable or disable SIP RTP NAT traversal.
Default: enable

strict-register {enable | disable}
Enable to allow only the SIP registrar to connect through the FortiGate unit.
Default: disable

subscribe-rate <limit_int> (FortiOS Carrier)
Enter the SIP SUBSCRIBE rate limit per second, per policy. Set the rate to 0 to disable limiting the SUBSCRIBE rate.
Default: 0

timeout-buffer <calls_int> (FortiOS Carrier)
Enter the maximum number of timed out SIP calls to buffer. Set the limit to 0 to disable limiting the number of timed out SIP calls to buffer.
Default: 0

update-rate <limit_int> (FortiOS Carrier)
Enter the SIP UPDATE rate limit per second, per policy. Set the rate to 0 to disable limiting the UPDATE rate.
Default: 0

158

FortiGate® CLI Version 3.0 MR7 Reference 01-30007-0015-20090112

firewall

profile

Example
This example shows how to enable SIP extensions, enable blocking SIP NOTIFY requests, and limit the SIP INFO rate to 150 messages a second per policy:

config firewall profile
  edit example
    config sip
      set status enable
      set block-notify enable
      set info-rate 150
    end
  end
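The table above states the rule the SIP, SCCP and SIMPLE subcommands share: limits are counted per second (or per minute for SCCP max-calls), per policy, and anything over the limit is dropped, while block-* options drop the request type outright. The following is an added example, not FortiGate code, that models how the config sip settings from the CLI example (block-notify, info-rate 150) together with the defaults block-long-lines, block-unknown and max-line-length 998 decide what passes. The SIP requests and the extra invite-rate 2 setting are constructed for illustration.

```python
"""Model of how `config sip` block-* flags, block-long-lines/max-line-length and
*-rate limits decide which SIP requests a policy passes (added example, not
FortiGate code). Rate limits are per second, per policy; extras are dropped."""
from collections import defaultdict

SIP_METHODS = {"ACK", "BYE", "CANCEL", "INFO", "INVITE", "NOTIFY", "OPTIONS",
               "PRACK", "PUBLISH", "REFER", "REGISTER", "SUBSCRIBE", "UPDATE"}

# Defaults taken from the table above; any block-* not listed defaults to
# disable and any *-rate not listed defaults to 0, meaning no limit.
DEFAULTS = {"status": "enable", "block-long-lines": "enable",
            "block-unknown": "enable", "max-line-length": 998}


class SipPolicyFilter:
    """One instance per firewall policy, because the rate counters are per policy."""

    def __init__(self, **settings):
        self.cfg = {**DEFAULTS, **settings}
        self.counts = defaultdict(int)   # (second, method) -> requests seen so far

    def decide(self, request, second):
        """Return ("pass", reason) or ("drop", reason) for one SIP request
        arriving in the given one-second window."""
        if self.cfg["status"] != "enable":
            return "pass", "sip inspection off"
        lines = request.split("\r\n")
        method = lines[0].split(" ", 1)[0].upper()
        limit = self.cfg["max-line-length"]
        if self.cfg["block-long-lines"] == "enable" and any(len(ln) > limit for ln in lines):
            return "drop", "block-long-lines"
        if method not in SIP_METHODS:
            if self.cfg["block-unknown"] == "enable":
                return "drop", "block-unknown"
            return "pass", "unknown method allowed"
        key = method.lower()
        if self.cfg.get(f"block-{key}") == "enable":
            return "drop", f"block-{key}"
        rate = self.cfg.get(f"{key}-rate", 0)
        if rate:
            self.counts[(second, method)] += 1
            if self.counts[(second, method)] > rate:
                return "drop", f"{key}-rate {rate}/s exceeded"
        return "pass", "ok"


def sip(method, uri="sip:bob@example.net", extra_header=""):
    """Build a minimal, constructed SIP request (request line plus a few headers)."""
    hdrs = [f"{method} {uri} SIP/2.0", "Via: SIP/2.0/UDP 192.0.2.10:5060",
            "From: <sip:alice@example.net>", "To: <sip:bob@example.net>"]
    if extra_header:
        hdrs.append(extra_header)
    return "\r\n".join(hdrs) + "\r\n\r\n"


def run_sample():
    """Settings from the CLI example (block-notify, info-rate 150) plus a
    constructed invite-rate of 2 so the drop shows up with a handful of messages."""
    f = SipPolicyFilter(**{"block-notify": "enable", "info-rate": 150, "invite-rate": 2})
    traffic = [  # (arrival second, request)
        (0, sip("INVITE")), (0, sip("INVITE")), (0, sip("INVITE")),  # third one exceeds invite-rate
        (1, sip("INVITE")),                                           # new second, counter restarts
        (1, sip("NOTIFY")),                                           # block-notify
        (1, sip("FOOBAR")),                                           # block-unknown (default enable)
        (1, sip("REGISTER", extra_header="X-Pad: " + "a" * 1000)),   # header line > max-line-length
        (1, sip("INFO")),                                             # well within info-rate 150
    ]
    return [f.decide(req, sec) for sec, req in traffic]


if __name__ == "__main__":
    for verdict, why in run_sample():
        print(verdict, why)
```

Note that the counters are keyed by the arrival second, so a burst that straddles a second boundary can pass twice the configured rate; that is what a per-second limit means, and a practitioner sizing invite-rate against a SIP flood should budget for it.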

History

FortiOS v2.80: Substantially revised.
FortiOS v2.80 MR2: Removed log variable from imap-spamaction, pop3-spamaction, and smtp-spamaction keywords. Added splice variable to ftp and smtp keywords. Moved from config antivirus ftp service and config antivirus smtp service.
FortiOS v2.80 MR3: Added chunkedbypass variable to http keyword. Added http_err_detail to cat_options keyword. Removed buffer_to_disk variable from ftp, http, imap, pop3, and smtp keywords.
FortiOS v2.80 MR5: Added spamfeip variable to imap, pop3, and smtp keywords. Changed content_log variable to content-archive for ftp, http, imap, pop3, and smtp keywords.
FortiOS v2.80 MR6: Changed spamfeip variable to spamfsip for the FortiShield Antispam Service. Added no-content-summary variable to ftp, http, imap, pop3, and smtp keywords. Added spamfsurl for the FortiShield spam filter URL blacklist to imap, pop3, and smtp keywords.
FortiOS v2.80 MR7: Added keywords for FortiGuard. New options added for ftp, http, imap, pop3, smtp, imap-spamtagtype, pop3-spamtagtype, smtp-spamtagtype.
FortiOS v2.80 MR8: Added keywords for IM. Added new keywords for IPS. Added new keywords for logging. Added smtp-spamhdrip to profile.
FortiOS v3.0: Added all IM and P2P options. Added client comforting and oversize file commands. Added NNTP-related commands. Added list selection commands for FortiGate-800 models and greater. Added new options avquery and exemptword for HTTP. Removed options fileexempt, mail_log and spamfschksum from HTTP, POP3 and IMAP. Added new options archive-full, archive-summary and avquery for IMAP, POP3, and AIM. Removed options content-archive and fileexempt from IMAP and IM. Added no-content-summary to AIM, ICQ, MSN, and Yahoo options. Removed transfer-log from the same commands as it is not a feature.
FortiOS v3.0 MR3: Added VoIP config commands for SCCP, SIMPLE, and SIP protocols. Added associated-interface, nntpoversizelimit, imoversizechat, log-voip, log-voip-violations, and HTTPS commands. Removed the following options and commands: nntp-spamaction, nntp-spamtagtype, nntp-spamtagmsg.
FortiOS v3.0 MR4: Added set smtp-spam-localoverride command.
FortiOS v3.0 MR4: New option redir-block for variable ftgd-wf-options. Blocks HTTP redirects.
FortiOS v3.0 MR6: Removed variables ips-signature and ips-anomaly. IPS sensors, formerly signatures, are now configured by selecting a sensor name. Denial of service (DoS) sensors, formerly anomalies, are no longer configured in protection profiles.
FortiOS v3.0 MR6: New variables ips-sensor-status and ips-sensor. Enables IPS sensors, and selects the IPS sensor name.
FortiOS v3.0 MR6: Renamed variable ips-log to log-ips.
FortiOS v3.0 MR6: New option block-long-chat for variable aim. Blocks oversize chat messages.
FortiOS v3.0 MR6: Renamed options content-full and content-meta to archive-full and archive-summary, respectively, for the msn, icq, and yahoo variables.
FortiOS v3.0 MR6: Removed variable ftgd-wf-ovrd-group. Authorizing a group to perform web filtering overrides now occurs within group configuration.
FortiOS v3.0 MR6: New option scanextended for the ftp and http variables. Scans for viruses and worms using the extended database of virus definitions.
FortiOS v3.0 MR7: Renamed variable allow-ssl-unknown-sess-id to block-ssl-unknown-sess-id. Blocking of unknown session IDs is now disabled by default.
FortiOS v3.0 MR7: Removed the IMAP variables spamhdrcheck, imap-spamaction, imap-spamtagmsg, and imap-spamtagtype.
FortiOS v3.0 MR7: Added the new config sip subcommand keyword reg-diff-port.

FortiOS Carrier v3.0 MR3: New variable imoversizechat. Limits the size of individual chat messages.
FortiOS Carrier v3.0 MR3: New command config dupe. Configures detection of excessive MMS message duplicates.
FortiOS Carrier v3.0 MR3: New command config flood. Configures detection of excessive MMS message activity.
FortiOS Carrier v3.0 MR3: New variables msisdn-prefix, msisdn-string, msisdn-prefix-range-min and msisdn-prefix-range-max. Configures MSISDN prefixes.
FortiOS Carrier v3.0 MR3: New variable mm1-retr-dupe. Scans mm1-retr MMS messages for duplicates. By default, mm1-retr messages are not scanned for duplicates as they may often be the same without necessarily being bulk or spam.
FortiOS Carrier v3.0 MR3: New variables mm1-addr-hdr, mm1-addr-source, mm1-convert-hex, mm7-addr-hdr, mm7-addr-source, mm7-convert-hex. Configures MSISDN extraction and conversion to hexadecimal for MM1 and MM7 MMS messages.
FortiOS Carrier v3.0 MR3: New variables msisdn-bwl-int, msisdn-bwl-int-mode, msisdn-bwl-status in the config notification subcommand. Configures MMS notification intervals when MSISDN black/white list events occur.
FortiOS Carrier v3.0 MR3: New variables dupe-int, dupe-int-mode, dupe-status in the config notification subcommand. Configures MMS notification intervals when excessive MMS message duplicates are detected.
FortiOS Carrier v3.0 MR3: New variables flood-int, flood-int-mode, flood-status in the config notification subcommand. Configures MMS notification intervals when excessive MMS message activity is detected.
FortiOS Carrier v3.0 MR3: New variable rate-limit in the config notification subcommand. Limits the rate at which MMS notices are sent.
FortiOS Carrier v3.0 MR3: New variables tod-window-start and tod-window-end in the config notification subcommand. Configures the window of time during which MMS notices are sent.
FortiOS Carrier v3.0 MR3: New variable no-sdp-fixup in the config sip subcommand. Preserves the original SDP packet.
FortiOS Carrier v3.0 MR3: New variables notify-rate, options-rate, prack-rate, preserve-override, refer-rate, subscribe-rate, and update-rate in the config sip subcommand. Limits the rate at which certain types of SIP traffic are forwarded.
FortiOS Carrier v3.0 MR3: New variable preserve-override in the config sip subcommand. Omits the original IP address from the SDP i line.
FortiOS Carrier v3.0 MR3: New variable primary-secondary in the config sip subcommand. Monitors primary/secondary outbound proxy redundancy.
FortiOS Carrier v3.0 MR3: New variable timeout-buffer in the config sip subcommand. Configures the maximum number of timed out calls to buffer.


FortiOS Carrier v3.0 MR4: Moved the following variables to the command config log:
• log-antispam-mass-mms
• log-av-block
• log-av-msisdn-filter
• log-av-oversize
• log-av-virus
• log-im
• log-intercept
• log-ips
• log-mms-notification
• log-p2p
• log-spam
• log-voip
• log-voip-violations
• log-web-content
• log-web-filter-activex
• log-web-filter-applet
• log-web-filter-cookie
• log-web-ftgd-err
• log-web-url
FortiOS Carrier v3.0 MR4: Renamed variable log-av-msisdn-filter to log-av-endpoint-filter.
FortiOS Carrier v3.0 MR4: Renamed variables msisdn-prefix, msisdn-prefix-string, msisdn-prefix-range-min, msisdn-prefix-range-max and mms-msisdn-bwl-table to endpoint-prefix, endpoint-prefix-string, endpoint-prefix-range-min, endpoint-prefix-range-max and mms-endpoint-bwl-table.
FortiOS Carrier v3.0 MR4: New variable mms-remove-blocked-const-length. Preserves the length of the MMS message when removing blocked content, such as viruses.
FortiOS Carrier v3.0 MR4: New variable mm1-retrieve-scan. Enables scanning of message retrieval by MM1. If you select scan for all MMS interfaces, messages are scanned while being sent, and so scanning message retrieval by MM1 is redundant. In this case, you can disable MM1 message retrieval scanning to improve performance.
FortiOS Carrier v3.0 MR4: New variable nat-trace in the config sip subcommand. Preserves the original IP address in the SDP i line.
FortiOS Carrier v3.0 MR4: Removed variables ips-signature and ips-anomaly. IPS sensors, formerly signatures, are now configured by selecting a sensor name. Denial of service (DoS) sensors, formerly anomalies, are no longer configured in protection profiles.
FortiOS Carrier v3.0 MR4: New variables ips-sensor-status and ips-sensor. Enables IPS sensors, and selects the IPS sensor name.
FortiOS Carrier v3.0 MR4: Renamed variables msisdn-bwl-int-mode, msisdn-bwl-int and msisdn-bwl-status in the config notification subcommand to endpoint-bwl-int-mode, endpoint-bwl-int and endpoint-bwl-status.


FortiOS Carrier v3.0 MR4: Added the new config sip subcommand keywords reg-diff-port and contact-fixup.
FortiOS Carrier v3.0 MR5: Most FortiOS Carrier keywords moved to “firewall mms-profile (FortiOS Carrier)” on page 107. mms-profile keyword added.

Related topics
• firewall policy, policy6
• alertemail
• antivirus
• ips
• webfilter


schedule onetime
Use this command to add, edit, or delete one-time schedules. Use scheduling to control when policies are active or inactive. Use one-time schedules for policies that are effective once for the period of time specified in the schedule.

Note: To edit a schedule, define the entire schedule. This means entering all of the schedule parameters, both those that are changing and those that are not, including the changes.

Syntax
config firewall schedule onetime
  edit <name_str>
    set end <hh:mm> <yyyy/mm/dd>
    set start <hh:mm> <yyyy/mm/dd>
  end

Keywords and variables

<name_str>
Enter the name of this schedule.
Default: No default.

end <hh:mm> <yyyy/mm/dd>
Enter the ending day and time of the schedule.
• hh - 00 to 23
• mm - 00, 15, 30, or 45
• yyyy - 1992 to infinity
• mm - 01 to 12
• dd - 01 to 31
Default: 00:00 2001/01/01

start <hh:mm> <yyyy/mm/dd>
Enter the starting day and time of the schedule.
• hh - 00 to 23
• mm - 00, 15, 30, or 45
• yyyy - 1992 to infinity
• mm - 01 to 12
• dd - 01 to 31
Default: 00:00 2001/01/01

Example
Use the following example to add a one-time schedule named Holiday that is valid from 5:00 pm on 3 September 2004 until 8:45 am on 7 September 2004.

config firewall schedule onetime
  edit Holiday
    set start 17:00 2004/09/03
    set end 08:45 2004/09/07
  end

History
FortiOS v2.80: Revised.

Related topics
• firewall policy, policy6
• firewall schedule recurring

schedule recurring
Use this command to add, edit, and delete recurring schedules used in firewall policies. Use scheduling to control when policies are active or inactive. Use recurring schedules to create policies that repeat weekly, so that they are effective only at specified times of the day or on specified days of the week.

Note: If a recurring schedule is created with a stop time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. To create a recurring schedule that runs for 24 hours, set the start and stop times to the same time.

Syntax
config firewall schedule recurring
  edit <name_str>
    set day <name_str>
    set end <hh:mm>
    set start <hh:mm>
  end

Keywords and variables

<name_str>
Enter the name of this schedule.
Default: No default.

day <name_str>
Enter the names of one or more days of the week for which the schedule is valid. Separate multiple names with a space.
Default: sunday

end <hh:mm>
Enter the ending time of the schedule.
• hh can be 00 to 23
• mm can be 00, 15, 30, or 45 only
Default: 00:00

start <hh:mm>
Enter the starting time of the schedule.
• hh can be 00 to 23
• mm can be 00, 15, 30, or 45 only
Default: 00:00

Example
This example shows how to add a recurring schedule named access so that it is valid Monday to Friday from 7:45 am to 5:30 pm.

config firewall schedule recurring
  edit access
    set day monday tuesday wednesday thursday friday
    set start 07:45
    set end 17:30
  end

Edit the recurring schedule named access so that it is no longer valid on Fridays.

config firewall schedule recurring
  edit access
    set day monday tuesday wednesday thursday
    set start 07:45
    set end 17:30
  end
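The one-time and recurring schedule rules above, including the note that an end time earlier than the start time wraps into the following day and that equal start and end times mean 24 hours, are easy to get wrong when deciding whether a policy is active at a given moment. The following is an added example, not FortiGate code, that encodes those rules and applies them to the Holiday and access schedules from the examples plus a constructed overnight schedule; the function and variable names are my own.

```python
"""Validity rules for onetime and recurring schedules as described above
(added example, not FortiGate code). Dates below are constructed."""
from datetime import datetime, time, timedelta

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_hhmm(text):
    """Accept only what the CLI accepts: hh 00-23, mm one of 00, 15, 30, 45."""
    hh, mm = text.split(":")
    h, m = int(hh), int(mm)
    if not 0 <= h <= 23 or m not in (0, 15, 30, 45):
        raise ValueError(f"{text!r}: hh must be 00-23 and mm one of 00, 15, 30, 45")
    return time(h, m)


def onetime_active(start, end, now):
    """A onetime schedule is active once, from start to end inclusive."""
    if end < start:
        raise ValueError("onetime schedule ends before it starts")
    return start <= now <= end


def recurring_active(days, start, end, now):
    """days: the names given to `set day`; start/end: the values of set start/end.
    start == end -> active for the whole of each listed day (24 hours).
    start <  end -> active between the two times on each listed day.
    start >  end -> starts on a listed day and finishes at `end` on the next day."""
    today = DAYS[now.weekday()] in days
    yesterday = DAYS[(now - timedelta(days=1)).weekday()] in days
    t = now.time()
    if start == end:
        return today
    if start < end:
        return today and start <= t <= end
    # Wrapped window: either after `start` on a listed day, or before `end`
    # on the morning after a listed day.
    return (today and t >= start) or (yesterday and t <= end)


def holiday_active(now):
    """The Holiday onetime schedule from the example: 17:00 2004/09/03 to 08:45 2004/09/07."""
    return onetime_active(datetime(2004, 9, 3, 17, 0), datetime(2004, 9, 7, 8, 45), now)


def access_active(now):
    """The access recurring schedule from the example: Monday to Friday, 07:45 to 17:30."""
    return recurring_active(DAYS[:5], parse_hhmm("07:45"), parse_hhmm("17:30"), now)


def night_active(now):
    """Constructed overnight schedule: Monday 22:00 until 06:00 on Tuesday morning."""
    return recurring_active(["monday"], parse_hhmm("22:00"), parse_hhmm("06:00"), now)


if __name__ == "__main__":
    print("Holiday, Sunday 2004-09-05 noon:", holiday_active(datetime(2004, 9, 5, 12, 0)))
    print("access, Wednesday 2004-09-08 noon:", access_active(datetime(2004, 9, 8, 12, 0)))
    print("night, Tuesday 2004-09-07 03:00:", night_active(datetime(2004, 9, 7, 3, 0)))
```

The wrapped case is the one worth testing before relying on it: with day set to monday only, 03:00 on Tuesday is inside the window (it began Monday night), but 03:00 on Monday is not, because Sunday is not a listed day.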

History
FortiOS v2.80: Revised.

Related topics
• firewall policy, policy6
• firewall schedule onetime

service custom
Use this command to configure a firewall service that is not in the predefined service list.

Note: To display a list of all predefined service names, enter the command get firewall service predefined ?. To display a predefined service’s details, enter the command get firewall service predefined <service_str>. For details, see “get firewall service predefined” on page 658.

Syntax
config firewall service custom
  edit <name_str>
    set icmpcode <code_int>
    set icmptype <type_int>
    set protocol {ICMP | IP | TCP/UDP}
    set protocol-number <protocol_int>
    set tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
    set udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
  end

Keywords and variables

<name_str>
Enter the name of this custom service.
Default: No default

icmpcode <code_int>
Enter the ICMP code number. Find ICMP type and code numbers at www.iana.org.
Default: No default.

icmptype <type_int>
Enter the ICMP type number. The range for type_int is from 0-255. Find ICMP type and code numbers at www.iana.org.
Default: No default.

protocol {ICMP | IP | TCP/UDP}
Enter the protocol used by the service.
Default: IP

protocol-number <protocol_int>
For an IP service, enter the IP protocol number. For information on protocol numbers, see http://www.iana.org.
Default: 0

tcp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
For TCP services, enter the destination and source port ranges. If the destination port range can be any port, enter 1-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int. If the source port can be any port, no source port need be added. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
Default: No default.

udp-portrange <dstportlow_int>[-<dstporthigh_int>:<srcportlow_int>-<srcporthigh_int>]
For UDP services, enter the destination and source port ranges. If the destination port range can be any port, enter 1-65535. If the destination is only a single port, simply enter a single port number for dstportlow_int and no value for dstporthigh_int. If the source port can be any port, no source port need be added. If the source port is only a single port, simply enter a single port number for srcportlow_int and no value for srcporthigh_int.
Default: No default.

Example
This example shows how to add a custom service called Custom_1. The service destination port range is TCP 4501 to 4503. The service can use any source port.

config firewall service custom
  edit Custom_1
    set protocol TCP/UDP
    set tcp-portrange 4501-4503
  end

A second example shows how to add a custom service called Custom_2. The service destination port range is TCP 4545 to 4550. The service uses source port 9620.

config firewall service custom
  edit Custom_2
    set protocol TCP/UDP
    set tcp-portrange 4545-4550:9620
  end

History
FortiOS v2.80: Revised.
FortiOS v3.00: The portrange command split into tcp-portrange and udp-portrange.

Related topics
• firewall policy, policy6
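The tcp-portrange and udp-portrange value packs a destination range and an optional source range into one string, and the two examples above differ only in whether a source port is present. The following is an added example, not FortiGate code, that parses that format with the rules given in the table (omitted source means any port, omitted high end means a single port, everything must lie within 1-65535) and checks a flow against it. It also accepts a single destination port followed by a source range, such as 80:1024-65535, which is my reading of the syntax rather than a form the page itself shows; function names are my own.

```python
"""Parser and matcher for the tcp-portrange / udp-portrange value format
<dstlow>[-<dsthigh>][:<srclow>[-<srchigh>]] (added example, not FortiGate code)."""
import re

ANY_PORT = (1, 65535)
_SPEC = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?(?::(\d{1,5})(?:-(\d{1,5}))?)?")


def parse_portrange(spec):
    """Return ((dst_low, dst_high), (src_low, src_high)).
    A missing source part means any source port (1-65535); a missing high end
    means a single port. Reversed or out-of-range values raise ValueError."""
    m = _SPEC.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"bad portrange {spec!r}")
    dl, dh, sl, sh = m.groups()
    dst = (int(dl), int(dh) if dh else int(dl))
    src = (int(sl), int(sh) if sh else int(sl)) if sl else ANY_PORT
    for low, high in (dst, src):
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port range {low}-{high} is reversed or outside 1-65535")
    return dst, src


def service_matches(spec, dst_port, src_port):
    """True if a TCP/UDP flow with these ports falls inside the service definition."""
    (dl, dh), (sl, sh) = parse_portrange(spec)
    return dl <= dst_port <= dh and sl <= src_port <= sh


def describe(spec):
    """Human-readable rendering, useful when reviewing a policy's service list."""
    (dl, dh), (sl, sh) = parse_portrange(spec)
    dst = f"{dl}" if dl == dh else f"{dl}-{dh}"
    src = "any" if (sl, sh) == ANY_PORT else (f"{sl}" if sl == sh else f"{sl}-{sh}")
    return f"dst {dst} from src {src}"


if __name__ == "__main__":
    # The two services from the examples above, plus the assumed single-dst form.
    for s in ("4501-4503", "4545-4550:9620", "80:1024-65535"):
        print(s, "->", describe(s))
```

A point a reviewer should keep in mind: a source-port constraint such as 9620 is only as trustworthy as the client that sets it, so it narrows accidental matches but is not an authentication of the peer.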

service group
Use this command to configure firewall service groups. To simplify policy creation, you can create groups of services and then add one policy to provide or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. A service group cannot contain another service group.

Note: To edit a service group, enter all of the members of the service group, both those changing and those staying the same.

Syntax
config firewall service group
  edit <name_str>
    set member <name_str>
  end

Keywords and variables

<group-name_str>
Enter the name of this service group.
Default: No default.

member <service_str>
Enter one or more names of predefined or custom firewall services to add to the service group. Separate multiple names with a space. To view the list of available services enter set member ? at the prompt. <service_str> is case-sensitive.
Default: No default.

Example
This example shows how to add a service group called web_Services that includes the FTP, HTTP, HTTPS, and Real Audio services.

config firewall service group
  edit web_Services
    set member FTP HTTP HTTPS RAUDIO
  end

This example shows how to add the TELNET service to the web_Services service group.

config firewall service group
  edit web_Services
    set member FTP HTTP HTTPS RAUDIO TELNET
  end

History
FortiOS v2.80: Revised.

Related topics
• firewall policy, policy6

vip

Use this command to configure virtual IPs and their associated address and port mappings (NAT).

Virtual IPs can be used to allow connections through a FortiGate unit using network address translation (NAT) firewall policies. Virtual IPs can use proxy ARP so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. Proxy ARP is defined in RFC 1027.

For example, you can add a virtual IP to an external FortiGate unit interface so that the external interface can respond to connection requests for users who are actually connecting to a server on the DMZ or internal network.

Depending on your configuration of the virtual IP, its mapping may involve port address translation (PAT), also known as port forwarding or network address port translation (NAPT), and/or network address translation (NAT) of IP addresses. If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:

• static vs. dynamic NAT mapping
• the dynamic NAT's load balancing style, if using dynamic NAT mapping
• full NAT vs. destination NAT (DNAT)

The following table describes combinations of PAT and/or NAT that are possible when configuring a firewall policy with a virtual IP.

Static NAT
    Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.

Static NAT with Port Forwarding
    Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.

Load Balancing
    Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.

Load Balancing with Port Forwarding
    Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses. For each session, a load balancing algorithm dynamically selects an IP address from the mapped IP address range to provide more even traffic distribution. The external IP address is not always translated to the same mapped IP address.

Server Load Balancing
    Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one "real" server, but can use up to eight (8) real servers per virtual IP (VIP). Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.

Server Load Balancing with Port Forwarding
    Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one "real" server, but can use up to eight (8) real servers per virtual IP (VIP). Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.

Dynamic Virtual IPs
    Dynamic, many-to-few or many-to-one NAT mapping: if you set the external IP address of a virtual IP to 0.0.0.0, the interface maps traffic destined for any IP address, and it is dynamically translated to a mapped IP address or address range. The external IP address is not always translated to the same mapped IP address.

Virtual IPs have the following requirements.

• The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
• The Mapped IP Address/Range must not include any interface IP addresses.
• If the virtual IP is mapped to a range of IP addresses and its type is Static NAT, the External IP Address/Range cannot be 0.0.0.0.
• The External IP Address/Range cannot include any interface IP addresses.
• When port forwarding, the count of mapped port numbers and external port numbers must be the same, and the last port number in the range must not exceed 65535.
• Duplicate entries or overlapping ranges are not permitted.
• Virtual IP names must be different from address or address group names.

Note: If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full (source and destination) NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates packets' destination address to the mapped private IP address, but does not translate the source address. The private network is aware of the source's public IP address. For reply traffic, the FortiGate unit translates packets' private network source IP address to match the destination address of the originating packets, which is maintained in the session table.

Syntax

config firewall vip
    edit <name_str>
        set arp-reply {enable | disable}
        set comment <comment_str>
        set extintf <name_str>
        set extip <address_ipv4>
        set extport <port_int>
        set http {enable | disable}
        set http-ip-header {enable | disable}
        set id <id_num_str>
        set ldb-method {round-robin | static | weighted}
        set mappedip [<start_ipv4>-<end_ipv4>]
        set mappedport <port_int>
        set max-embryonic-connections <initiated_int>
        set nat-source-vip {enable | disable}
        set portforward {enable | disable}
        set protocol {tcp | udp}
        set ssl {full | half | off}
        set ssl-certificate <certificate_str>
        set ssl-client-session-state-max <sessionstates_int>
        set ssl-client-session-state-timeout <timeout_int>
        set ssl-client-session-state-type {both | client | disable | time}
        set ssl-dh-bits <bits_int>
        set ssl-http-location-conversion {enable | disable}
        set ssl-http-match-host {enable | disable}
        set ssl-max-version {ssl-3.0 | tls-1.0}
        set ssl-min-version {ssl-3.0 | tls-1.0}
        set ssl-send-empty-frags {enable | disable}
        set ssl-server-session-state-max <sessionstates_int>
        set ssl-server-session-state-timeout <timeout_int>
        set ssl-server-session-state-type {both | client | disable | time}
        set type {load-balance | server-load-balance | static-nat}
        config realservers
            edit <table_int>
                set dead-interval <seconds_int>
                set healthcheck {enable | disable}
                set holddown-interval <seconds_int>
                set ip <server_ip>
                set monitor <healthcheck_str>
                set ping-detect {enable | disable}
                set port <port_ip>
                set status {active | disable | standby}
                set wake-interval <seconds_int>
                set weight <loadbalanceweight_int>
            end
    end

Keywords and variables

<name_str>
    Enter the name of this virtual IP address.
    Default: No default.

arp-reply {enable | disable}
    Select to respond to ARP requests for this virtual IP address.
    Default: enable

comment <comment_str>
    Enter comments relevant to the configured virtual IP.
    Default: No default.

extintf <name_str>
    Enter the name of the interface connected to the source network that receives the packets that will be forwarded to the destination network. The interface name can be any FortiGate network interface, VLAN subinterface, IPSec VPN interface, or modem interface.
    Default: No default.

extip <address_ipv4>
    Enter the IP address on the external interface that you want to map to an address on the destination network. To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0. If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping. If type is load-balance and mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
    Default: 0.0.0.0

extport <port_int>
    Enter the external port number that you want to map to a port number on the destination network. To configure a dynamic virtual IP that accepts connections for any port, set extport to 0. If you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range. Then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport port number range.
    Default: 0

http {enable | disable}
    Select to use the FortiGate unit's HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. This option appears only if portforward is enable.
    Default: disable

http-ip-header {enable | disable}
    Select to preserve the client's IP address in the X-Forwarded-For HTTP header line. This can be useful if you require logging on the server of the client's original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. This option appears only if portforward and http are enable.
    Default: disable

id <id_num_str>
    Enter a unique identification number for the configured virtual IP. Not checked for uniqueness. Range 0 - 65535.
    Default: No default.

ldb-method {round-robin | static | weighted}
    Select the load balancing method.
    • static: Distributes load evenly across all servers, and treats all servers as equals regardless of response time or number of connections.
    • round-robin: Directs request to the next server. Unresponsive servers are avoided.
    • weighted: Servers with a higher weight value will receive a larger percentage of connections at any one time. Server weights can be set in config realservers set weight.
    This option appears only if type is server-load-balance.
    Default: static

mappedip [<start_ipv4>-<end_ipv4>]
    Enter the IP address or IP address range on the destination network to which the external IP address is mapped. If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping. If type is load-balance and mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
    Default: 0.0.0.0

mappedport <port_int>
    Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a static NAT virtual IP, if you add a map to port range the FortiGate unit calculates the external port number range. This option appears only if portforward is enable.
    Default: 0

max-embryonic-connections <initiated_int>
    Enter the maximum number of partially established SSL or HTTP connections. This should be greater than the maximum number of connections you want to establish per second. This option appears only if portforward is enable, and http is enable or ssl is not off.
    Default: 1000

nat-source-vip {enable | disable}
    Enable nat-source-vip to prevent unintended servers from using this virtual IP. A separate server is required. If disabled, separate servers are not required.
    Default: disable

portforward {enable | disable}
    Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport.
    Default: disable

protocol {tcp | udp}
    Select the protocol, TCP or UDP, to use when forwarding packets. This option appears only if portforward is enable.
    Default: tcp

ssl {full | half | off}
    Select whether or not to accelerate SSL communications with the destination by using the FortiGate unit to perform SSL operations, and indicate which segments of the connection will receive SSL offloading. SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
    • full: Select to apply SSL to both parts of the connection: the segment between client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the option half, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration.
    • half: Select to apply SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
    • off: Do not apply SSL acceleration.
    This option appears only if portforward is enable, and only on FortiGate models whose hardware support SSL acceleration, such as FortiGate-3600A.
    Default: off

ssl-certificate <certificate_str>
    Enter the name of the SSL certificate to use with SSL acceleration. This option appears only if ssl is not off.
    Default: No default.

ssl-client-session-state-max <sessionstates_int>
    Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit. This option appears only if ssl is not off.
    Default: 1000

ssl-client-session-state-timeout <timeout_int>
    Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit. This option appears only if ssl is not off.
    Default: 30

ssl-client-session-state-type {both | client | disable | time}
    Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate unit.
    • both: Select to expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    • count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
    • disable: Select to keep no SSL session states.
    • time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.
    This option appears only if ssl is not off.
    Default: both

ssl-dh-bits <bits_int>
    Enter the number of bits of the prime number used in the Diffie-Hellman exchange for RSA encryption of the SSL connection. Larger prime numbers are associated with greater cryptographic strength. This option appears only if ssl is not off.
    Default: 1024

ssl-http-location-conversion {enable | disable}
    Select to replace http with https in the reply's Location HTTP header field. For example, in the reply, Location: http://example.com/ would be converted to Location: https://example.com/. This option appears only if ssl is half.
    Default: disable

ssl-http-match-host {enable | disable}
    Select to apply Location conversion to the reply's HTTP header only if the host name portion of Location matches the request's Host field, or, if the Host field does not exist, the host name portion of the request's URI. If disabled, conversion occurs regardless of whether the host names in the request and the reply match. For example, if host matching is enabled, and a request contains Host: example.com and the reply contains Location: http://example.com/, then the FortiGate unit detects the matching host name and converts the reply field to Location: https://example.com/. If the reply contains Location: http://example.cc/, however, the Location field does not match the host of the original request and the reply's Location field remains unchanged. This option appears only if ssl is half, and ssl-http-location-conversion is enable.
    Default: disable

ssl-max-version {ssl-3.0 | tls-1.0}
    Enter the maximum version of SSL/TLS to accept in negotiation. This option appears only if ssl is not off.
    Default: tls-1.0

ssl-min-version {ssl-3.0 | tls-1.0}
    Enter the minimum version of SSL/TLS to accept in negotiation. This option appears only if ssl is not off.
    Default: ssl-3.0

ssl-send-empty-frags {enable | disable}
    Select to precede the record with empty fragments to thwart attacks on CBC IV. You might disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments. This option is deprecated and may be removed in future. This option appears only if ssl is not off, and applies only to SSL 3.0 and TLS 1.0.
    Default: enable

ssl-server-session-state-max <sessionstates_int>
    Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit. This option appears only if ssl is full.
    Default: 1000

ssl-server-session-state-timeout <timeout_int>
    Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate unit. This option appears only if ssl is full.
    Default: 30

ssl-server-session-state-type {both | client | disable | time}
    Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate unit.
    • both: Select to expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
    • count: Select to expire SSL session states when ssl-server-session-state-max is exceeded.
    • disable: Select to keep no SSL session states.
    • time: Select to expire SSL session states when ssl-server-session-state-timeout is exceeded.
    This option appears only if ssl is full.
    Default: both

type {load-balance | server-load-balance | static-nat}
    Select the type of static or dynamic NAT applied to the virtual IP.
    • load-balance: Dynamic NAT load balancing with server selection from an IP address range.
    • server-load-balance: Dynamic NAT load balancing with server selection from among up to eight realservers, determined by your selected load balancing algorithm and server responsiveness monitors.
    • static-nat: Static NAT.
    Default: static-nat

realservers
    The following commands are the options for config realservers, and are available only if type is server-load-balance.

<table_int>
    Enter an index number used to identify the server that you are configuring. You can configure a maximum number of eight (8) servers in a server load balancing cluster.
    Default: No default.

dead-interval <seconds_int>
    Enter the interval of time that a connection can remain idle before it is dropped. Valid interval values are between 10 and 255 seconds. This option is deprecated and may be removed in future. Instead, configure monitor.
    Default: 10

healthcheck {enable | disable}
    Enable to check the responsiveness of the server before forwarding traffic. You must also configure monitor.
    Default: disable

holddown-interval <seconds_int>
    Enter the amount of time in seconds that the health check monitor will continue to monitor the status of a server whose status is active after it has been detected to be unresponsive.
    • If the server is detected to be continuously responsive during this interval, a server whose status is standby will be removed from current use and replaced with this server, which will again be used by server load balanced traffic. In this way, server load balancing prefers to use servers whose status is active, if they are responsive.
    • If the server is detected to be unresponsive during the first holddown interval, the server will remain out of use for server load balanced traffic, the health check monitor will double the holddown interval once, and continue to monitor the server for the duration of the doubled holddown interval. The health check monitor continues to monitor the server for additional iterations of the doubled holddown interval until connectivity to the server becomes reliable, at which time the holddown interval will revert to the configured interval, and the newly responsive server whose status is active will replace the standby server in the pool of servers currently in use.
    In effect, if the status of a server is active but the server is habitually unresponsive, the health check monitor is less likely to restore the server to use by server load balanced traffic until the server's connectivity becomes more reliable. This option applies only to real servers whose status is active, but have been detected to be unresponsive ("down").
    Default: 300

ip <server_ip>
    Enter the IP address of a server in this server load balancing cluster.
    Default: 0.0.0.0

monitor <healthcheck_str>
    Enter one or more names of health check monitor settings to use when performing a health check, separating each name with a space. If any of the configured health check monitors detect failures, the FortiGate unit will deem the server unresponsive, and will not forward traffic to that server. For details on configuring health check monitor settings, see "firewall ldb-monitor" on page 105. This option appears only if healthcheck is enable.
    Default: No default.

ping-detect {enable | disable}
    Select to test the server's responsiveness by ICMP ECHO (ping). Enabling this option is equivalent to configuring a ldb-monitor whose interval is 10, timeout is 1, and retry is 5. For details on health check monitors, see "firewall ldb-monitor" on page 105. This option is available only if healthcheck is enable.
    Default: disable

port <port_ip>
    Enter the port used if port forwarding is enabled.
    Default: 10

status {active | disable | standby}
    Select whether the server is in the pool of servers currently being used for server load balanced traffic, the server is on standby, or is disabled.
    • active: The FortiGate unit may forward traffic to the server unless its health check monitors determine that the server is unresponsive, at which time the FortiGate unit will temporarily use a server whose status is standby. The health check monitor will continue to monitor the unresponsive server for the duration of holddown-interval. If this server becomes reliably responsive again, it will be restored to active use, and the standby server will revert to standby. For details on health check monitoring when an active server is unresponsive, see "holddown-interval <seconds_int>" on page 175.
    • disable: The FortiGate unit will not forward traffic to this server, and will not perform health checks. You might use this option to conserve server load balancing resources when you know that a server will be unavailable for a long period, such as when the server is down for repair.
    • standby: If a server whose status is active becomes unresponsive, the FortiGate unit will temporarily use a responsive server whose status is standby until the server whose status is active again becomes reliably responsive. If multiple responsive standby servers are available, the FortiGate unit selects the standby server with the greatest weight. If a standby server becomes unresponsive, the FortiGate unit will select another responsive server whose status is standby.
    Default: active

wake-interval <seconds_int>
    Enter the interval of time the connection will try to detect a server before giving up. Valid interval values are between 10 and 255 seconds. This option is deprecated and may be removed in future. Instead, configure monitor.
    Default: 10

weight <loadbalanceweight_int>
    Enter the weight value of a specific server. Servers with a greater weight receive a greater proportion of forwarded connections, or, if their status is standby, are more likely to be selected to temporarily replace servers whose status is active, but that are unresponsive. Valid weight values are between 1 and 255. This option is available only if ldb-method is weighted.
    Default: 1
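The standby substitution and holddown doubling described for status, weight and holddown-interval, modelled in Python as an added example (not Fortinet code). It assumes one standby server covers each unresponsive active server and that the result of each holddown window is supplied as a boolean; the monitor itself is not modelled.

```python
"""Server selection and holddown timing for config realservers, following the
descriptions of status, weight and holddown-interval. Added example, not
Fortinet code. Assumptions: one standby server substitutes for each
unresponsive active server, and each entry of the holddown window list is True
when the server answered every health check during that window."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RealServer:
    ip: str
    status: str = "active"      # active | standby | disable
    weight: int = 1
    responsive: bool = True     # current verdict of its health check monitors


def servers_in_use(pool: List[RealServer]) -> List[str]:
    """IPs that currently receive server load balanced traffic.

    Responsive active servers are used; each unresponsive active server is
    covered by the responsive standby server with the greatest weight that is
    not already in use. Disabled servers are never used or health checked.
    """
    active = [s for s in pool if s.status == "active"]
    in_use = [s for s in active if s.responsive]
    down = [s for s in active if not s.responsive]
    standby = sorted((s for s in pool if s.status == "standby" and s.responsive),
                     key=lambda s: s.weight, reverse=True)
    for _ in down:
        if standby:
            in_use.append(standby.pop(0))
    return [s.ip for s in in_use]


def holddown_schedule(configured: int, windows: List[bool]) -> Tuple[List[int], bool]:
    """Lengths of the holddown windows spent on a down active server, and
    whether it was restored to use.

    The first window is the configured interval; if the server is unresponsive
    during it, the interval is doubled once and reused until the server is
    responsive for a whole window, after which it is restored to use and the
    interval reverts to the configured value for any later outage.
    """
    lengths = []
    interval = configured
    for responsive in windows:
        lengths.append(interval)
        if responsive:
            return lengths, True
        interval = configured * 2
    return lengths, False
```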

Example
This example shows how to add a static NAT virtual IP named Web_Server that allows users on the Internet to connect to a single web server on the private network. The public IP address of the web server is 64.32.21.34 and the IP address of the web server on the internal network is 192.168.1.44.

config firewall vip
    edit Web_Server
        set extintf external
        set extip 64.32.21.34
        set mappedip 192.168.1.44
    end

This example shows how to edit the static NAT virtual IP named Web_Server to change the IP address of the web server on the internal network to 192.168.110.23.

config firewall vip
    edit Web_Server
        set mappedip 192.168.110.23
    end

This example shows how to add a static NAT port forwarding virtual IP that uses port address translation to allow external access to a web server on the private network if there is no separate external IP address for the web server. In this example, the IP address of the external interface is 192.168.100.99 and the real IP address of the web server on the internal network is 192.168.1.93.

config firewall vip
    edit web_Server
        set portforward enable
        set extintf external
        set extip 192.168.100.99
        set extport 80
        set mappedip 192.168.1.93
        set mappedport 80
    end

This example shows how to enter a static NAT virtual IP named Server_Range that allows Internet users to connect to a range of 10 virtual IP addresses on the Internet and have the IP addresses in this range mapped to a range of IP addresses on the DMZ network. The DMZ network contains 10 servers with IP addresses from 10.10.10.20 to 10.10.10.29. The Internet IP addresses for these servers are in the range 219.34.56.10 to 219.34.56.19. In this example you do not have to enter the external IP address range. Instead you enter the first IP address in the external IP address range and the FortiGate unit calculates the end of the IP address range based on the number of IP addresses defined by the mapped IP address range. Also in the example, port2 is connected to the Internet.

config firewall vip
    edit Server_Range
        set extintf port2
        set extip 219.34.56.10
        set mappedip 10.10.10.20-10.10.10.29
    end

This example shows how to enter a load balancing virtual IP named Ext_Load_Balance that allows Internet users to connect to a single virtual IP address on the Internet and have that IP address mapped to a range of IP addresses on the network connected to port5. You might use a configuration such as this to load balance connections from the Internet to an internal server farm. In the example the Internet is connected to port2, the virtual IP address is 67.34.56.90, and the IP address range on the network connected to port5 is 172.20.120.10 to 172.20.120.30.

config firewall vip
    edit Ext_Load_Balance
        set type load-balance
        set extintf port2
        set extip 67.34.56.90
        set mappedip 172.20.120.10-172.20.120.30
    end
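The range calculation and the requirements list above, worked in Python as an added example (not Fortinet code): it derives the external address and port ranges the way the extip, extport and mappedport descriptions state, and checks a VIP against the listed requirements before it is pushed to a unit. The Vip fields mirror the CLI keywords; interface addresses and address-object names are supplied by the caller, and the interface-address rule is applied only to VIPs without port forwarding, because the port forwarding example above uses the interface address as extip.

```python
"""Model of the firewall vip address and port mapping rules described above.

Added example, not Fortinet code: it reproduces how the text says the FortiGate
unit derives the external ranges (extip is the first address of a range sized
by mappedip; extport is the first port of a range sized by mappedport) and
checks the listed requirements before a configuration is pushed to a unit.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple


@dataclass
class Vip:
    name: str
    extintf: str
    type: str = "static-nat"      # static-nat | load-balance | server-load-balance
    extip: str = "0.0.0.0"
    mappedip: str = "0.0.0.0"     # "a.b.c.d" or "a.b.c.d-w.x.y.z"
    portforward: bool = False
    extport: int = 0
    mappedport: str = "0"         # "80" or "8000-8009"


def parse_ip_range(text: str) -> Tuple[IPv4Address, IPv4Address]:
    """Accept the CLI forms 'a.b.c.d' and 'a.b.c.d-w.x.y.z'."""
    start, _, end = text.partition("-")
    lo = IPv4Address(start)
    hi = IPv4Address(end) if end else lo
    if hi < lo:
        raise ValueError(f"range end {hi} precedes start {lo}")
    return lo, hi


def parse_port_range(text: str) -> Tuple[int, int]:
    start, _, end = text.partition("-")
    lo, hi = int(start), (int(end) if end else int(start))
    if hi < lo:
        raise ValueError(f"port range end {hi} precedes start {lo}")
    return lo, hi


def external_ip_range(vip: Vip) -> Tuple[str, str]:
    """static-nat: extip starts a range with as many addresses as mappedip.
    load-balance types: extip is a single address mapped one-to-many."""
    lo, hi = parse_ip_range(vip.mappedip)
    ext = IPv4Address(vip.extip)
    if vip.type == "static-nat":
        return str(ext), str(ext + (int(hi) - int(lo)))
    return str(ext), str(ext)


def external_port_range(vip: Vip) -> Tuple[int, int]:
    """extport starts a range with as many ports as mappedport."""
    lo, hi = parse_port_range(vip.mappedport)
    return vip.extport, vip.extport + (hi - lo)


def validate(vip: Vip, interface_ips: List[str], address_names: List[str],
             existing: List[Vip]) -> List[str]:
    """Return violations of the listed requirements (empty list if none)."""
    errors = []
    m_lo, m_hi = parse_ip_range(vip.mappedip)
    e_lo, e_hi = map(IPv4Address, external_ip_range(vip))
    iface = [IPv4Address(a) for a in interface_ips]
    if m_lo == IPv4Address("0.0.0.0") or m_hi == IPv4Address("255.255.255.255"):
        errors.append("mappedip cannot be 0.0.0.0 or 255.255.255.255")
    if any(m_lo <= a <= m_hi for a in iface):
        errors.append("mappedip includes an interface IP address")
    if vip.type == "static-nat" and m_lo != m_hi and e_lo == IPv4Address("0.0.0.0"):
        errors.append("a static-nat range cannot use extip 0.0.0.0")
    # The port forwarding example on this page uses the interface address as
    # extip, so the interface-address rule is applied to address-only VIPs.
    if not vip.portforward and any(e_lo <= a <= e_hi for a in iface):
        errors.append("extip range includes an interface IP address")
    if vip.portforward and external_port_range(vip)[1] > 65535:
        errors.append("external port range ends beyond 65535")
    if vip.name in address_names:
        errors.append("name collides with an address or address group name")
    for other in existing:
        o_lo, o_hi = map(IPv4Address, external_ip_range(other))
        if not (o_lo <= e_hi and e_lo <= o_hi):
            continue
        if vip.portforward and other.portforward:
            a_lo, a_hi = external_port_range(vip)
            b_lo, b_hi = external_port_range(other)
            if not (b_lo <= a_hi and a_lo <= b_hi):
                continue              # same address, disjoint ports: allowed
        errors.append(f"overlaps the external range of VIP {other.name}")
    return errors
```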

History
FortiOS v2.80
    Revised.

FortiOS v3.00
    Revised.

FortiOS v3.00
    Added server-load-balance to set type.

FortiOS v3.0 MR4
    Added the following commands and options: config realserver.

FortiOS v3.0 MR5
    extintf <name_str> variable now accepts modem interface names. Formerly, it accepted a network interface, VLAN subinterface, or IPSec VPN virtual interface.

FortiOS v3.0 MR6
    New variables monitor and healthcheck. Enables health checking for real servers and specifies which of the health check settings to use.

FortiOS v3.0 MR6
    New variables:
    • ssl, ssl-certificate
    • ssl-client-session-state-max
    • ssl-client-session-state-timeout
    • ssl-client-session-state-type
    • ssl-dh-bits
    • ssl-http-location-conversion
    • ssl-http-match-host
    • ssl-max-version
    • ssl-min-version
    • ssl-send-empty-frags
    • ssl-server-session-state-max
    • ssl-server-session-state-timeout
    • ssl-server-session-state-type
    Enables SSL acceleration by offloading SSL operations from the destination to the FortiGate unit, and configures various aspects of the offloading, including to which segment(s) of the connection the FortiGate unit will apply SSL, and what encryption strength and other options to use.

FortiOS v3.0 MR6
    New variable max-embryonic-connections. Specifies the maximum number of partially established SSL or HTTP connections when the virtual IP is performing HTTP multiplexing or SSL offloading.

FortiOS v3.0 MR6
    New variable http. Enables multiplexing of port forwarded HTTP connections into a few connections to the destination.

FortiOS v3.0 MR6
    New variable http-ip-header. Preserves the original client's IP address in the X-Forwarded-For HTTP header line when using HTTP multiplexing.

FortiOS v3.0 MR6
    New variable status in config realservers subcommand. Designates each server as an active or standby member of the server load balanced cluster, or disables the cluster member.

FortiOS v3.0 MR6
    New variable holddown-interval in config realservers subcommand. Configures the amount of time during which a previously unresponsive server must remain responsive in order for the FortiGate unit to resume forwarding traffic to the server. If the server is unresponsive during this interval, the FortiGate unit continues to use a standby server.

FortiOS v3.0 MR7
    New variables comment and id. Customer requirement for unique identifier and descriptive information relevant to virtual IP. Removed ssl-max-version/ssl-min-version tls-1.1 option. TLS 1.1 is not supported. Added new keyword nat-source-vip.

FortiOS Carrier v3.0 MR4
    New variable arp-reply. Enables the FortiGate unit to respond to ARP requests for that virtual IP.

FortiOS Carrier v3.0 MR4
    New variable max-embryonic-connections. Specifies the maximum number of partially established SSL or HTTP connections when the virtual IP is performing HTTP multiplexing or SSL offloading.

FortiOS Carrier v3.0 MR4
    New variable http. Enables multiplexing of port forwarded HTTP connections into a few connections to the destination.

FortiOS Carrier v3.0 MR4
    New variable http-ip-header. Preserves the original client's IP address in the X-Forwarded-For HTTP header line when using HTTP multiplexing.

FortiOS Carrier v3.0 MR4
    New variable monitor in config realservers subcommand. Selects the name of a health check monitor to use when verifying the responsiveness of the server.

FortiOS Carrier v3.0 MR4
    New variable status in config realservers subcommand. Designates each server as an active or standby member of the server load balanced cluster, or disables the cluster member.

FortiOS Carrier v3.0 MR4
    New variable holddown-interval in config realservers subcommand. Configures the amount of time during which a previously unresponsive server must remain responsive in order for the FortiGate unit to resume forwarding traffic to the server. If the server is unresponsive during this interval, the FortiGate unit continues to use a standby server.


Related topics
• firewall policy, policy6
• firewall ldb-monitor
• vipgrp


vipgrp
You can create virtual IP groups to facilitate firewall policy traffic control. For example, on the DMZ interface, if you have two email servers that use Virtual IP mapping, you can put these two VIPs into one VIP group and create one external-to-DMZ policy, instead of two policies, to control the traffic. Firewall policies using VIP Groups are matched by comparing both the member VIP IP address(es) and port number(s).

Syntax
config firewall vipgrp
    edit <name_str>
        set interface <name_str>
        set member <virtualip_str>
    end

Keywords and variables

<name_str>
    Enter the name of the virtual IP group.
    Default: No default.

interface <name_str>
    Enter the name of the interface to which the virtual IP group will be bound.
    Default: No default.

member <virtualip_str>
    Enter one or more virtual IPs that will comprise the virtual IP group.
    Default: No default.

Example
config firewall vipgrp
    edit group_one
        set interface internal
        set member vipone viptwo vipthree
    end

History
FortiOS v3.0 MR4 Command vipgrp added.

Related topics
• firewall policy, policy6
• vip


gui
This chapter covers the commands to restore the web-based manager CLI console and topology viewer. This chapter contains the following sections:

console
topology


console
Use this command to configure the web-based manager CLI console.

Syntax
config gui console
    set preferences <filedata>
end

To obtain base-64 encoded data from a configured CLI console, use:

show gui console

Variables

preferences <filedata>
    Base-64 encoded file to upload containing the commands to set up the web-based manager CLI console on the FortiGate unit.
    Default: No default

Example
This example shows how to upload the data file pref-file containing commands to set up the web-based manager CLI console on the FortiGate unit.
config gui console
    set preferences pref-file
end

History
FortiOS v3.00 MR5 New.

topology
Use this command to configure the web-based manager topology viewer. This command is not available when virtual domains are enabled.

Syntax
config gui topology
    set background-image <filedatabackground>
    set database <filedatabase>
    set preferences <filedatapref>
end

To obtain base-64 encoded data from a configured topology viewer, use:
show gui topology

Variables
background-image <filedatabackground>
    Base-64 encoded file to upload containing the commands to set up the background image of the web-based manager topology viewer.
database <filedatabase>
    Base-64 encoded file to upload containing the data used to set up the web-based manager topology viewer.
preferences <filedatapref>
    Base-64 encoded file to upload containing the commands to set the preferences of the web-based manager topology viewer.

Example
This example shows how to upload the data file (topguifile) containing commands to set up the topology GUI on the FortiGate unit and the background image (backgroundfile).
config gui topology
    set preferences topguifile
    set background-image backgroundfile
end

History
FortiOS v3.00 MR5 New.

imp2p
Use imp2p commands to configure user access to Instant Messaging and Person-to-Person applications, and to configure a global policy for unknown users who might use these applications. This chapter contains the following sections:
aim-user
icq-user
msn-user
old-version
policy
yahoo-user

aim-user
Use this command to permit or deny a specific user the use of AOL Instant Messenger.

Syntax
config imp2p aim-user
    edit <name_str>
        set action {permit | deny}
    end

Keywords and variables
name_str
    The name of the AIM user.
action {permit | deny}
    Permit or deny the use of AOL Instant Messenger by this user.
    Default: deny

Example
This example shows how to add user_1 and permit the user to use the AIM protocol if the policy is set to allow AOL Instant Messenger.
config imp2p aim-user
    edit user_1
        set action permit
    end

History
FortiOS v3.0 New

Related topics
• imp2p icq-user
• imp2p msn-user
• imp2p old-version
• imp2p policy
• imp2p yahoo-user

icq-user
Use this command to permit or deny a specific user the use of ICQ Instant Messenger.

Syntax
config imp2p icq-user
    edit <name_str>
        set action {permit | deny}
    end

Keywords and variables
name_str
    The name of the ICQ user.
action {permit | deny}
    Permit or deny the use of the ICQ Instant Messenger by this user.
    Default: deny

Example
This example shows how to add user_1 and permit the user to use the ICQ protocol if the policy is set to allow ICQ Instant Messenger.
config imp2p icq-user
    edit user_1
        set action permit
    end

History
FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p msn-user
• imp2p old-version
• imp2p policy
• imp2p yahoo-user

msn-user
Use this command to permit or deny a specific user the use of MSN Messenger.

Syntax
config imp2p msn-user
    edit <name_str>
        set action {permit | deny}
    end

Keywords and variables
name_str
    The name of the MSN user.
action {permit | deny}
    Permit or deny the use of MSN Messenger by this user.
    Default: deny

Example
This example shows how to add user_1 and permit the user to use the MSN protocol if the policy is set to allow MSN Messenger.
config imp2p msn-user
    edit user_1
        set action permit
    end

History
FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p icq-user
• imp2p old-version
• imp2p policy
• imp2p yahoo-user


old-version
Some older versions of IM protocols are able to bypass file blocking because the message types are not recognized. The following command provides the option to disable these older IM protocol versions. Supported IM protocols include:
• AIM 5.0 and above
• ICQ 4.0 and above
• MSN 6.0 and above
• Yahoo 6.0 and above

Syntax
config imp2p old-version
    set aim {block | best-effort}
    set icq {block | best-effort}
    set msn {block | best-effort}
    set yahoo {block | best-effort}
end

Keywords and variables
aim {block | best-effort}
    Enter block to block the session if the version is too old. Enter best-effort to inspect the session based on the policy.
    Default: block
icq {block | best-effort}
    Enter block to block the session if the version is too old. Enter best-effort to inspect the session based on the policy.
    Default: block
msn {block | best-effort}
    Enter block to block the session if the version is too old. Enter best-effort to inspect the session based on the policy.
    Default: block
yahoo {block | best-effort}
    Enter block to block the session if the version is too old. Enter best-effort to inspect the session based on the policy.
    Default: block

Example
This example shows how to block older versions of MSN Messenger and inspect older versions of Yahoo Messenger.
config imp2p old-version
    set msn block
    set yahoo best-effort
end

History
FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p icq-user
• imp2p msn-user
• imp2p policy
• imp2p yahoo-user

policy
Use this command to create a global policy for instant messenger applications. If an unknown user attempts to use one of the applications, the user can either be permitted use and added to a white list, or be denied use and added to a black list.

Syntax
config imp2p policy
    set aim {allow | deny}
    set icq {allow | deny}
    set msn {allow | deny}
    set yahoo {allow | deny}
end

Keywords and variables
aim {allow | deny}
    Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
    Default: deny
icq {allow | deny}
    Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
    Default: deny
msn {allow | deny}
    Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
    Default: deny
yahoo {allow | deny}
    Allow an unknown user and add the user to the white list. Deny an unknown user and add the user to the black list.
    Default: deny

Example
This example shows how to configure the IM/P2P policy to allow AOL Instant Messenger, MSN Messenger, and Yahoo Messenger but deny ICQ Instant Messenger.
config imp2p policy
    set aim allow
    set msn allow
    set icq deny
    set yahoo allow
end

History
FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p icq-user
• imp2p msn-user
• imp2p old-version
• imp2p yahoo-user

yahoo-user
Use this command to permit or deny a specific user the use of Yahoo Messenger.

Syntax
config imp2p yahoo-user
    edit <name_str>
        set action {permit | deny}
    end

Keywords and variables
name_str
    The name of the Yahoo user.
action {permit | deny}
    Permit or deny the use of Yahoo Messenger by this user.
    Default: deny

Example
This example shows how to add user_1 and permit the user to use the Yahoo protocol if the policy is set to allow Yahoo Messenger.
config imp2p yahoo-user
    edit user_1
        set action permit
    end

History
FortiOS v3.0 New

Related topics
• imp2p aim-user
• imp2p icq-user
• imp2p msn-user
• imp2p old-version
• imp2p policy
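The imp2p sections above describe three decisions that combine on each login: the old-version check (block or best-effort), the per-user permit/deny entries, and the global policy that decides about users not yet on either list and records them on the white or black list. The following Python model, an added example and not Fortinet code, shows how those decisions interact. It uses the settings from this chapter's own examples (aim-user user_1 permitted, MSN old versions blocked, Yahoo best-effort, ICQ denied for unknown users); the class name, the sample users and the version strings are constructed for the illustration.

```python
"""Toy model of the imp2p decision flow: old-version check, per-user entry,
then the global policy for unknown users. Added example, not FortiGate code."""

# Oldest client versions the IM decoders recognise (from the old-version section)
MIN_VERSION = {"aim": (5, 0), "icq": (4, 0), "msn": (6, 0), "yahoo": (6, 0)}


def parse_version(text):
    """'6.0.1' -> (6, 0, 1), so tuple comparison orders versions correctly."""
    return tuple(int(part) for part in text.split("."))


class ImP2pPolicy:
    def __init__(self, policy, old_version, users=None):
        self.policy = policy            # protocol -> "allow" | "deny" for unknown users
        self.old_version = old_version  # protocol -> "block" | "best-effort"
        self.users = dict(users or {})  # (protocol, user) -> "permit" | "deny"
        self.white_list = set()         # unknown users admitted by the policy
        self.black_list = set()         # unknown users refused by the policy

    def decide(self, protocol, user, version):
        """Return "block", "permit" or "deny" for one login attempt."""
        if parse_version(version) < MIN_VERSION[protocol]:
            if self.old_version[protocol] == "block":
                return "block"          # too old to inspect: session blocked outright
            # best-effort: an old client is still judged by the policy below
        action = self.users.get((protocol, user))
        if action is None:
            # Unknown user: the global policy decides, and the user is recorded
            # so the same decision applies to later logins.
            action = "permit" if self.policy[protocol] == "allow" else "deny"
            self.users[(protocol, user)] = action
            target = self.white_list if action == "permit" else self.black_list
            target.add((protocol, user))
        return action


def example_policy():
    """The configuration from the imp2p policy, old-version and aim-user examples
    (protocols the examples do not set keep their default of block)."""
    return ImP2pPolicy(
        policy={"aim": "allow", "icq": "deny", "msn": "allow", "yahoo": "allow"},
        old_version={"aim": "block", "icq": "block", "msn": "block", "yahoo": "best-effort"},
        users={("aim", "user_1"): "permit"},
    )


if __name__ == "__main__":
    p = example_policy()
    for attempt in [("msn", "bob", "5.5"), ("yahoo", "carol", "5.0"),
                    ("icq", "dave", "4.5"), ("aim", "user_1", "5.2")]:
        print(attempt, "->", p.decide(*attempt))
    print("white list:", sorted(p.white_list), "black list:", sorted(p.black_list))
```

The point of the ordering is that a block from the old-version check happens before any user lookup, while best-effort lets an old client fall through to exactly the same per-user and policy logic as a current one.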

ips
Use ips commands to configure IPS sensors to define which signatures are used to examine traffic and what actions are taken when matches are discovered. DoS sensors can also be defined to examine traffic for anomalies. This chapter contains the following sections:
DoS
custom
decoder
global
rule
sensor

Note: If the IPS test can’t find the destination MAC address, there must be a Peer Interface. To ensure packets get IPS inspection, the peer interface will be used. Both interfaces must be in the same VDOM, and one interface cannot be both the peer and original interface. For information on how to set the Peer Interface see “interface” on page 395.

DoS
FortiGate Intrusion Protection uses Denial of Service (DoS) sensors to identify network traffic anomalies that do not fit known or preset traffic patterns. Four statistical anomaly types for the TCP, UDP, and ICMP protocols can be identified.

Flooding
    If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Scan
    If the number of sessions from a single source in one second is over a threshold, the source is scanning.
Source session limit
    If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
Destination session limit
    If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.

Configure the anomaly thresholds to detect traffic patterns that could represent an attack, and select the action taken in response to detecting an anomaly. Enable or disable logging for each anomaly. The list of anomalies can be updated only when the FortiGate firmware image is upgraded.

Note: It is important to estimate the normal and expected traffic on the network before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could allow some attacks.

config limit
Access the config limit subcommand using the config ips anomaly <name_str> command. Use this command for session control based on source and destination network address. This command is available for tcp_src_session, tcp_dst_session, icmp_src_session, icmp_dst_session, udp_src_session, udp_dst_session. The default entry cannot be edited. Addresses are matched from more specific to more general. For example, if thresholds are defined for 192.168.100.0/24 and 192.168.0.0/16, the address with the 24 bit netmask is matched before the entry with the 16 bit netmask.

Syntax
config ips DoS
    edit <sensor_int>
        config address
            edit <address_int>
                set dst-ip <dst_ipv4mask>
                set dst-port <dstport_int>
                set src-ip <src_ipv4mask>
            end
        config anomaly
            edit <anomaly_str>
                set status {enable | disable}
                set log {enable | disable}
                set action {block | pass}
                set threshold <threshold_int>
            end
        set comment <comment_str>
        set name <name_str>
        set status {disable | enable}
    end

Keywords and variables
sensor_int
    The DoS sensor number. Enter ‘?’ to display a list of sensor numbers. Enter an unused number to create a new sensor.
address_int
    Enter the protected address integer. This is an ID number used to reference a specified protected address source/destination/port combination.
dst-ip <dst_ipv4mask>
    Enter the destination IP address and subnet to which this sensor applies. The default is all addresses.
    Default: 0.0.0.0 0.0.0.0
dst-port <dstport_int>
    Enter the destination port to which this sensor applies, if required. The default is all ports.
    Default: 0
src-ip <src_ipv4mask>
    Enter the source IP address and subnet to which this sensor applies. The default is all addresses.
    Default: 0.0.0.0 0.0.0.0
anomaly_str
    Enter the name of the anomaly you want to configure. Display a list of the available anomaly types by entering ‘?’.
status {enable | disable}
    Enable or disable the specified anomaly in the current DoS sensor.
    Default: disable
log {enable | disable}
    Enable or disable logging of the specified anomaly in the current DoS sensor.
    Default: enable
action {block | pass}
    Pass or block traffic in which the specified anomaly is detected.
    Default: pass
threshold <threshold_int>
    Enter the number of times the specified anomaly must be detected in network traffic before the action is triggered.
    Default: varies by anomaly
comment <comment_str>
    Enter a description of the DoS sensor. This is displayed in the DoS sensor list. Descriptions with spaces must be enclosed in quotation marks.
name <name_str>
    Enter a name for the DoS sensor. This is displayed in the DoS sensor list. Names with spaces must be enclosed in quotation marks.
status {disable | enable}
    Enable or disable the current DoS sensor.
    Default: disable

Examples
This example shows how to create a DoS sensor, name it, and enable blocking of the udp_flood anomaly with the default threshold.
config ips DoS
    edit 12
        set name test
        set comment "This is for test"
        config anomaly
            edit udp_flood
                set action block
                set status enable
            end
    end

History
FortiOS v2.80 Completely revised.
FortiOS v3.0 Under the config limit command, dst-ip, and src-ip commands were added. set ipaddress was removed.
FortiOS v3.0 MR5 Added severity, default-action, and default-severity.
FortiOS v3.0 MR6 Substantially revised. Anomalies now defined in DoS sensors allowing the creation of multiple sensors to tailor behavior depending on traffic source, destination, and port.

Related topics
• ips custom
• ips global
• ips fail-open {enable | disable}
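The four anomaly types above differ in what they count (sessions opened within one second versus sessions open at the same time) and in what they key on (destination versus source), and the config limit text adds the rule that the most specific address entry is matched first. The following Python model, an added example and not FortiGate code, makes those distinctions concrete by running all four checks over a constructed set of sessions. The thresholds, addresses and traffic are invented for the illustration; the longest-prefix matching follows the 192.168.100.0/24 before 192.168.0.0/16 example in the text.

```python
"""Toy model of the four DoS anomaly types run over constructed sessions.
Added example, not FortiGate code; thresholds and addresses are invented."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    start: int   # second in which the session was opened
    end: int     # second in which it closed (exclusive)
    src: str
    dst: str


# Per-address session-limit thresholds (constructed). Like config limit entries,
# the most specific netmask is matched first; /0 plays the role of the default entry.
SESSION_LIMITS = [
    (ip_network("192.168.100.0/24"), 50),
    (ip_network("192.168.0.0/16"), 200),
    (ip_network("0.0.0.0/0"), 1000),
]
FLOOD_THRESHOLD = 10   # sessions to one destination within one second
SCAN_THRESHOLD = 10    # sessions from one source within one second


def session_limit_for(addr):
    """Longest-prefix match: a /24 entry wins over a /16 entry that also covers addr."""
    matches = [(net.prefixlen, limit) for net, limit in SESSION_LIMITS
               if ip_address(addr) in net]
    return max(matches)[1]


def rate_anomalies(sessions, key, threshold):
    """Flooding (key=dst) or scan (key=src): sessions opened per key per second."""
    per_second = defaultdict(int)
    for s in sessions:
        per_second[(key(s), s.start)] += 1
    return sorted({k for (k, _), n in per_second.items() if n > threshold})


def concurrent_anomalies(sessions, key, limit_for):
    """Source/destination session limit: peak number of simultaneously open
    sessions per key, compared with that address's own threshold."""
    by_key = defaultdict(list)
    for s in sessions:
        by_key[key(s)].append(s)
    flagged = []
    for k, group in by_key.items():
        # +1 at start, -1 at end; an end sorts before a start in the same second
        events = sorted([(s.start, 1) for s in group] + [(s.end, -1) for s in group])
        open_now = peak = 0
        for _, delta in events:
            open_now += delta
            peak = max(peak, open_now)
        if peak > limit_for(k):
            flagged.append(k)
    return sorted(flagged)


def run_dos_sensor(sessions):
    """Evaluate all four anomaly types, as one DoS sensor would."""
    return {
        "flooding": rate_anomalies(sessions, lambda s: s.dst, FLOOD_THRESHOLD),
        "scan": rate_anomalies(sessions, lambda s: s.src, SCAN_THRESHOLD),
        "src_session": concurrent_anomalies(sessions, lambda s: s.src, session_limit_for),
        "dst_session": concurrent_anomalies(sessions, lambda s: s.dst, session_limit_for),
    }


def sample_sessions():
    """Constructed traffic: a burst at one host, one host sweeping many
    destinations, and two sources each holding 60 sessions open, one of them
    inside the tightly limited /24."""
    s = [Session(0, 1, f"198.51.100.{i}", "10.0.0.5") for i in range(1, 13)]
    s += [Session(3, 4, "203.0.113.7", f"10.0.1.{i}") for i in range(1, 16)]
    s += [Session(i, i + 100, "192.168.100.9", "10.0.0.50") for i in range(60)]
    s += [Session(i, i + 100, "192.168.5.9", "10.0.0.51") for i in range(60)]
    return s


if __name__ == "__main__":
    for anomaly, hosts in run_dos_sensor(sample_sessions()).items():
        print(f"{anomaly:12s} {hosts}")
```

The two sources with 60 open sessions show why the address-specific limit matters: the same count trips the 50-session limit of the /24 entry but stays under the 200 allowed for the rest of the /16. The spread-out start times also keep those hosts out of the scan check, which only counts sessions opened within one second.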

custom
Create custom IPS signatures and add them to IPS sensors. Custom signatures provide the power and flexibility to customize FortiGate Intrusion Protection for diverse network environments. The FortiGate predefined signatures cover common attacks. If an unusual or specialized application or an uncommon platform is being used, add custom signatures based on the security alerts released by the application and platform vendors. Use custom signatures to block or allow specific traffic. The custom signature settings are configured when it is defined as a signature override in an IPS sensor. This way, a single custom signature can be used in multiple sensors with different settings in each. See “ips sensor” on page 202 for details.

Note: Custom signatures are an advanced feature. This document assumes the user has previous experience writing intrusion detection signatures. For more information on custom signature syntax see the FortiGate IPS Custom Signatures Technical Bulletin.

Syntax
config ips custom
    edit <sig_str>
        set signature <signature_str>
    end

Keywords and variables
sig_str
    The name of the custom signature.
signature <signature_str>
    Enter the custom signature. The signature must be enclosed in single quotes. Other settings are configured when specifying the signature in a signature override.
    Default: No default.

Example
This example shows how to add a custom signature.
config ips custom
    edit bad_things
        set signature 'F-SBID (--protocol tcp; --flow bi_direction; --pattern "nude cheerleader"; --no_case)'
    end

History
FortiOS v2.80 Substantially revised.
FortiOS v3.0 MR6 Removed all options except signature.

Related topics
• ips global
• execute backup
• execute restore
• ips fail-open {enable | disable}

decoder
The Intrusion Protection system looks for certain types of traffic on specific ports. Using the decoders command, you can change ports if your configuration uses non-standard ports.

Syntax
config ips decoder
    edit <decoder_str>
        set port_list <port_int>
    end

Keywords and variables
decoder_str
    Enter the name of the decoder. Enter ‘?’ for a list.
port_list <port_int>
    Enter the ports which the decoder will examine. Multiple ports can be specified by separating them with commas and enclosing the list in quotes.
    Default: varies by decoder

Example
This example shows how to modify the dns_decoder to examine ports 1, 2, and 3 instead of the default 53.
config ips decoder
    edit dns_decoder
        set port_list "1,2,3"
    end

global
Use this command to ignore sessions after a set amount of traffic has passed.

Syntax
config ips global
    set anomaly-mode {continuous | periodical}
    set engine-count <integer>
    set fail-open {enable | disable}
    set firewall-anomaly-action {block | pass}   (FortiOS Carrier)
    set firewall-anomaly-log {enable | disable}   (FortiOS Carrier)
    set ignore-session-bytes <byte_integer>
    set session-limit-mode {accurate | heuristic}
    set socket-size <ips_buffer_size>
    set traffic-submit {enable | disable}
end

Keywords and variables
anomaly-mode {continuous | periodical}
    Enter continuous to start blocking packets once attack starts. Enter periodical to allow configured number of packets per second.
    Default: continuous
engine-count <integer>
    Enter the number of intrusion protection engines to run. Multiprocessor FortiGate units can more efficiently process traffic with multiple engines running. When set to the default value of 0, the FortiGate unit determines the optimal number of intrusion protection engines to run.
    Default: 0
fail-open {enable | disable}
    If for any reason the IPS should cease to function, it will fail open by default. This means that crucial network traffic will not be blocked and the Firewall will continue to operate while the problem is resolved.
    Default: enable
firewall-anomaly-action {block | pass} (FortiOS Carrier)
    Use this keyword to set the firewall to block or pass sessions for which IPS anomaly detection detects an attack. Select block to deny sessions containing attacks. Select pass to accept sessions containing attacks.
    Default: pass
firewall-anomaly-log {enable | disable} (FortiOS Carrier)
    Enable or disable writing log messages when IPS anomaly detection detects an attack.
    Default: disable
ignore-session-bytes <byte_integer>
    Set the number of bytes after which the session is ignored.
    Default: 204800
session-limit-mode {accurate | heuristic}
    Enter accurate to accurately count the concurrent sessions. This option demands more resource. Enter heuristic to heuristically count the concurrent sessions.
    Default: heuristic
socket-size <ips_buffer_size>
    Set intrusion protection buffer size. The default value is correct in most cases.
    Default: model dependent
traffic-submit {enable | disable}
    Submit attack characteristics to FortiGuard Service.
    Default: disable

Example
This example shows how to set intrusion protection to ignore sessions after 204800 bytes.
config ips global
    set ignore-session-bytes 204800
end

This example shows how to see the current configuration of ips global.
# get ips global
anomaly-mode        : continuous
engine-count        : 0
fail-open           : enable
ignore-session-bytes: 204800
session-limit-mode  : heuristic
socket-size         : 8 (MB)
traffic-submit      : disable

History
FortiOS v3.0 New.
FortiOS v3.0 MR4 Merged get ips global including example.
FortiOS v3.0 MR6 Removed the ip-protocol option.

Related topics
• execute backup
• execute restore
• ips fail-open {enable | disable}

rule
The IPS sensors use signatures to detect attacks. These signatures can be listed with the rules command. Details about the default settings of each signature can also be displayed.

Syntax
config ips rule <rule_str>
    get

Keywords and variables
rule_str
    Enter the name of a signature. For a complete list of the predefined signatures, enter ‘?’ instead of a signature name.

Example
This example shows how to display the current configuration of the Apache.Long.Header.DoS signature.
# config ips rule Apache.Long.Header.DoS
(Apache.Long.He~d) # get
name                : Apache.Long.Header.DoS
status              : enable
log                 : enable
log-packet          : disable
action              : pass
group               : web_server
severity            : medium
location            : server
os                  : Windows, Linux, BSD, Solaris
application         : Apache
service             : TCP, HTTP
rule-id             : 11206
rev                 : 2.450
end
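Both the ips global section and the ips rule section above show the same kind of output: a "key : value" listing printed by a get command, with a prompt line before it and, for rules, an end line after it. Auditing many units or many signatures means parsing that listing rather than reading it, so the following Python parser is added here as an example (not Fortinet code). The two captures embedded in it are re-typed from the examples in this chapter; the audit baseline (which settings a reviewer expects to see) and the function names are constructed for the illustration.

```python
"""Parse the key/value listing printed by a FortiGate 'get' command and audit
it against a baseline. Added example, not Fortinet code; the captures below
are the 'get ips global' and 'config ips rule ... get' outputs from this chapter."""
import re

IPS_GLOBAL_OUTPUT = """\
# get ips global
anomaly-mode        : continuous
engine-count        : 0
fail-open           : enable
ignore-session-bytes: 204800
session-limit-mode  : heuristic
socket-size         : 8 (MB)
traffic-submit      : disable
"""

IPS_RULE_OUTPUT = """\
# config ips rule Apache.Long.Header.DoS
(Apache.Long.He~d) # get
name                : Apache.Long.Header.DoS
status              : enable
log                 : enable
log-packet          : disable
action              : pass
group               : web_server
severity            : medium
location            : server
os                  : Windows, Linux, BSD, Solaris
application         : Apache
service             : TCP, HTTP
rule-id             : 11206
rev                 : 2.450
end
"""

# "key : value"; keys are words with hyphens, the value is whatever follows the colon
LINE_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$")


def _coerce(value):
    """Turn the printed text into a usable Python value."""
    with_unit = re.fullmatch(r"(\d+)\s*\((\w+)\)", value)   # e.g. "8 (MB)"
    if with_unit:
        return int(with_unit.group(1)), with_unit.group(2)
    if "," in value:                                         # e.g. "TCP, HTTP"
        return [part.strip() for part in value.split(",")]
    if value.isdigit():                                      # e.g. "204800"
        return int(value)
    return value                                             # "enable", "2.450", ...


def parse_get_output(text):
    """Return {key: value}. Prompt lines ('#' commands and the '(name) #' prompt)
    and the closing 'end' are skipped; any other non key:value line is ignored."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "(")) or stripped == "end":
            continue
        match = LINE_RE.match(line)
        if match:
            key, value = match.groups()
            settings[key] = _coerce(value)
    return settings


# Baseline a reviewer might hold a unit to (constructed): the IPS should fail
# closed and attack characteristics should not leave the network.
EXPECTED_GLOBAL = {"fail-open": "disable", "traffic-submit": "disable"}


def audit_settings(settings, expected):
    """List (key, actual, expected) for every baseline setting that deviates."""
    return [(key, settings.get(key), want)
            for key, want in expected.items() if settings.get(key) != want]


if __name__ == "__main__":
    current = parse_get_output(IPS_GLOBAL_OUTPUT)
    for key, actual, want in audit_settings(current, EXPECTED_GLOBAL):
        print(f"{key}: is {actual!r}, baseline wants {want!r}")
    rule = parse_get_output(IPS_RULE_OUTPUT)
    print(rule["name"], rule["rule-id"], rule["os"])
```

Against the captured output the audit reports only fail-open, which the unit has at its default of enable; whether that is acceptable is the policy decision the fail-open description above describes, and the parser simply makes the current value checkable.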

sensor
The IPS sensors use signatures to detect attacks. IPS sensors are made up of filters and override rules. Each filter specifies a number of signature attributes and all signatures matching all the specified attributes are included in the filter. Override rules allow you to override the settings of individual signatures.

Syntax
config ips sensor
    edit <sensor_str>
        get
        config filter
            edit <filter_str>
                set location {all | client | server}
                set severity {all | info low medium high critical}
                set protocol <protocol_str>
                set os {all | other windows linux bsd solaris macos}
                set application <app_str>
                set status {default | enable | disable}
                set log {default | enable | disable}
                set action {block | default | pass | reject}
                get
            end
        config override
            edit <override_int>
                config exempt-ip
                    edit <exempt_int>
                        set dst-ip <dest_ipv4mask>
                        set src-ip <source_ipv4mask>
                    end
                set action {block | pass | reset}
                set log {disable | enable}
                set log-packet {disable | enable}
                set status {disable | enable}
            end
        set comment <comment_str>
    end

Keywords and variables
sensor_str
    Enter the name of an IPS sensor. For a list of the IPS sensors, enter ‘?’ instead of an IPS sensor name. Enter a new name to create a sensor.
get
    The complete syntax of this command is:
        config ips sensor
            edit <sensor_str>
                get
            end
    This get command returns the following information about the sensor:
    • name is the name of this sensor.
    • comment is the comment entered for this sensor.
    • filter lists the filters in this IPS sensor.
    • count-enabled is the number of enabled signatures in this IPS sensor. Disabled signatures are not included.
    • count-block is the number of enabled signatures configured with the block action.
    • count-pass is the number of enabled signatures configured with the pass action.
    • count-reset is the number of enabled signatures configured with the reset action.
filter_str
    Enter the name of a filter. For a list of the filters in the IPS sensor, enter ‘?’ instead of a filter name. Enter a new name to create a filter.
location {all | client | server}
    Specify the type of system to be protected.
    • all selects both client and server signatures.
    • client selects signatures for attacks against client computers.
    • server selects signatures for attacks against servers.
    Default: all
severity {all | info low medium high critical}
    Specify the severity level or levels. Specify all to include all severity levels.
    Default: all
protocol <protocol_str>
    Specify the protocols to be examined. Enter ‘?’ to display a list of the available protocols. All will include all protocols. Other will include all unlisted protocols.
    Default: all
os {all | other windows linux bsd solaris macos}
    Specify the operating systems to be protected. All will include all operating systems. Other will include all unlisted operating systems.
    Default: all
application <app_str>
    Specify the applications to be protected. Enter ‘?’ to display a list of the available applications. All will include all applications. Other will include all unlisted applications.
    Default: all
status {default | enable | disable}
    Specify the status of the signatures included in the filter.
    • default will enable the filter and only use the filters with a default status of enable. Filters with a default status of disable will not be used.
    • enable will enable the filter.
    • disable will disable the filter.
    Default: default
log {default | enable | disable}
    Specify the logging status of the signatures included in the filter.
    • default will enable logging for only the filters with a default logging status of enable. Filters with a default logging status of disable will not be logged.
    • enable will enable logging.
    • disable will disable logging.
    Default: default
action {block | default | pass | reject}
    Specify what action is taken with traffic in which signatures are detected.
    • block will drop the session with the offending traffic.
    • default will either pass or drop matching traffic, depending on the default action of each signature.
    • pass will allow the traffic.
    • reject will reset the session.
    Default: default
get
    The complete syntax of this command is:
        config ips sensor
            edit <sensor_str>
                config filter
                    edit <filter_str>
                        get
                    end
    This get command returns the following information about the filter:
    • name is the name of this filter.
    • location is the type of system targeted by the attack. The locations are client and server.
    • severity is the relative importance of the signature, from info to critical.
    • protocol is the type of traffic to which the signature applies. Examples include HTTP, POP3, H323, and DNS.
    • os is the operating systems to which the signature applies.
    • application is the program affected by the signature.
    • status displays whether the signature state is enabled, disabled, or default.
    • log displays the logging status of the signatures included in the filter. Logging can be set to enabled, disabled, or default.
    • action displays what the FortiGate does with traffic containing a signature. The action can be set to pass all, block all, reset all, or default.
    • count is the total number of signatures in this filter. Both enabled and disabled signatures are included.
override_int
    Enter the rule ID of an override filter. Rule IDs are an attribute of every signature, pre-defined or custom. The rule ID is the number assigned to a filter, and it specifies which filter is being overridden. Use the config ips rule command to list the signatures or view them in the GUI. For a list of the currently defined overrides, enter ‘?’ instead of a rule ID.
exempt_int
    Each override can apply to any number of source addresses, destination addresses, or source/destination pairs. The addresses are referenced by exempt_id values.
dst-ip <dest_ipv4mask>
    Enter the destination IP address and subnet to which this sensor will apply. The default is all addresses.
    Default: 0.0.0.0 0.0.0.0
src-ip <source_ipv4mask>
    Enter the source IP address and subnet to which this sensor will apply. The default is all addresses.
    Default: 0.0.0.0 0.0.0.0
action {block | pass | reset}
    Specify the action to be taken for this override.
    • block will drop the session.
    • pass will allow the traffic.
    • reset will reset the session.
    Default: pass
log {disable | enable}
    Specify whether the log should record when the override occurs.
    Default: disable
log-packet {disable | enable}
    When enabled, packet logging will save the packet that triggers the override. You can download the packets in pcap format for diagnostic use. This feature is only available in FortiGate units with internal hard drives.
    Default: disable
status {disable | enable}
    Enable or disable the override.
    Default: disable
comment <comment_str>
    Enter a description of the IPS sensor. This description will appear in the IPS sensor list. Descriptions with spaces must be enclosed in quotes.

Example
This example shows how to create an IPS sensor containing a filter that includes all signatures to protect against Windows server attacks.
config ips sensor
    edit dept_srv
        set comment "Department file servers"
        config filter
            edit win_srv
                set location server
                set os windows
                set action block
            end
    end

History
FortiOS v3.0 MR6 New.
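The sensor section above describes a two-layer decision: filters select signatures by attribute and set their status and action (with default meaning "keep the signature's own value"), and overrides keyed by rule ID replace that decision for individual signatures, with exempt-ip entries carving out addresses. The following Python model, an added example and not FortiGate code, walks through that decision for the dept_srv filter shown in the example and for the Apache.Long.Header.DoS signature shown under ips rule; the Example.* signatures, the override and the addresses are constructed. Two details the reference does not spell out are modelling assumptions here: the first filter that matches a signature decides for it, and an exempt-ip entry means the override is not applied to traffic matching that entry.

```python
"""Toy model of how an IPS sensor's filters and overrides decide what happens
to traffic matching a signature. Added example, not FortiGate code. Assumed:
first matching filter wins; exempt-ip = override not applied to that traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Signature:
    name: str
    rule_id: int
    location: str        # "client" or "server"
    severity: str        # info, low, medium, high, critical
    protocol: str
    os: frozenset        # operating systems the signature applies to
    application: str
    status: str          # the signature's default state: "enable" / "disable"
    action: str          # the signature's default action: "pass" / "block"

@dataclass
class Filter:
    location: str = "all"
    severity: frozenset = frozenset({"all"})
    protocol: str = "all"
    os: frozenset = frozenset({"all"})
    application: str = "all"
    status: str = "default"     # default | enable | disable
    action: str = "default"     # block | default | pass | reject

@dataclass
class Override:
    rule_id: int
    action: str = "pass"        # block | pass | reset
    status: str = "disable"
    exempt: tuple = ()          # (src_net, dst_net) pairs; "0.0.0.0/0" = any


def filter_matches(flt, sig):
    """A signature is in a filter only if it matches every attribute the filter sets."""
    return ((flt.location == "all" or flt.location == sig.location)
            and ("all" in flt.severity or sig.severity in flt.severity)
            and (flt.protocol == "all" or flt.protocol == sig.protocol)
            and ("all" in flt.os or bool(flt.os & sig.os))
            and (flt.application == "all" or flt.application == sig.application))

def filter_decision(sig, filters):
    """(status, action) from the first matching filter; None if no filter covers
    the signature. 'default' keeps the signature's own status or action."""
    for flt in filters:
        if filter_matches(flt, sig):
            status = sig.status if flt.status == "default" else flt.status
            action = sig.action if flt.action == "default" else flt.action
            return status, action
    return None

def sensor_counts(sigs, filters):
    """The count-* values that 'get' reports for a sensor (reject counts as reset)."""
    counts = {"count-enabled": 0, "count-block": 0, "count-pass": 0, "count-reset": 0}
    for sig in sigs:
        decision = filter_decision(sig, filters)
        if decision is None or decision[0] != "enable":
            continue                      # disabled signatures are not counted
        counts["count-enabled"] += 1
        action = "reset" if decision[1] == "reject" else decision[1]
        counts[f"count-{action}"] += 1
    return counts

def traffic_action(sig, filters, overrides, src, dst):
    """Action for a flow src->dst that triggers sig; None if the signature is
    disabled or not in the sensor. An enabled override wins unless the flow
    matches one of its exempt-ip pairs."""
    for ov in overrides:
        if ov.rule_id != sig.rule_id or ov.status != "enable":
            continue
        exempt = any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                     for s, d in ov.exempt)
        if not exempt:
            return ov.action
    decision = filter_decision(sig, filters)
    if decision is None or decision[0] != "enable":
        return None
    return decision[1]


# Constructed sample data. Apache.Long.Header.DoS carries the attributes shown
# in the ips rule example above; the Example.* signatures are invented.
SIGNATURES = [
    Signature("Apache.Long.Header.DoS", 11206, "server", "medium", "HTTP",
              frozenset({"windows", "linux", "bsd", "solaris"}), "Apache", "enable", "pass"),
    Signature("Example.Win.Server.Sig", 90001, "server", "high", "SMB",
              frozenset({"windows"}), "Other", "disable", "block"),
    Signature("Example.Win.Client.Sig", 90002, "client", "high", "HTTP",
              frozenset({"windows"}), "Other", "enable", "block"),
]
# The dept_srv sensor from the example above: server-side Windows signatures, blocked.
FILTERS = [Filter(location="server", os=frozenset({"windows"}), action="block")]
# A constructed override that passes 11206, except for flows from one subnet.
OVERRIDES = [Override(11206, action="pass", status="enable",
                      exempt=(("192.168.100.0/24", "0.0.0.0/0"),))]
```

Run against the sample data, the sensor reports count-enabled 1 and count-block 1: the Apache signature is in the filter and takes the filter's block action, the server signature whose own default status is disable is included but not counted, and the client signature is outside the filter altogether. For traffic that triggers the Apache signature, the override turns block into pass except for the exempted source subnet, which still gets the filter's block.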

log
Use the config log commands to set the logging type, the logging severity level, and the logging location for the FortiGate unit.

Note: In Transparent mode, certain log settings and options may not be available because certain features do not support logging or are not available in this mode. For example, SSL VPN events are not available in Transparent mode.

This chapter contains the following sections:
custom-field
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
disk setting
fortianalyzer setting
fortiguard setting
memory setting
memory global setting
syslogd setting
webtrends setting
trafficfilter

custom-field
Use the following command to customize the log fields with a name and/or value. The custom name and/or value will appear in the log message.

Syntax
config log custom-field
    edit id <integer>
        set name <name>
        set value <integer>
    end

Keywords and variables
id <integer>
    Enter the identification number for the log field.
    Default: No default
name <name>
    Enter a name to identify the log. The name cannot exceed 16 characters. You can use letters, numbers, and the underscore (‘_‘), but no characters such as the number symbol (#).
    Default: No default
value <integer>
    Enter a firewall policy number to associate a firewall policy with the logs.
    Default: No default

Example
This example shows how to configure customized fields for the logs of a company’s branch offices, each associated with a specific firewall policy.
config log custom-field
    edit 1
        set name company_branch1
        set value 2
    next
    edit 2
        set name company_branch2
        set value 4
    next
    edit 3
        set name company_branch3
        set value 5
    end

History
FortiOS v3.0 MR6 New.

Related topics
• {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter

{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
Use this command to configure log filter options. Log filters define the types of log messages sent to each log location. Use the ? command to view each filter setting since not all filter settings display for each device.

Filter settings for disk are available for FortiGate units with hard disks. Filter settings for fortiguard are only available when FortiGuard Analysis and Management Service is enabled. FortiGuard Log & Analysis was renamed to FortiGuard Analysis Services for FortiOS 3.0 MR5. In FortiOS 3.0 MR6, FortiGuard Analysis Services is now FortiGuard Analysis and Management Service.

Filter settings include commands for multiple Syslog servers or multiple FortiAnalyzer units. For example, config log fortianalyzer2 filter. See “fortianalyzer setting” on page 218 for more information about configuring multiple FortiAnalyzer units, and “syslogd setting” on page 222 for more information about configuring multiple Syslog servers.

When enabling filter settings for VoIP, also enable VoIP settings in a protection profile. VoIP calls cannot be properly logged unless both filter and protection profile settings for VoIP are enabled. See “firewall” on page 83 about enabling VoIP settings in a protection profile.

Syntax
config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
    set admin {disable | enable}
    set allowed {disable | enable}
    set anomaly {disable | enable}
    set attack {disable | enable}
    set auth {disable | enable}
    set blocked {disable | enable}
    set cpu-memory-usage {disable | enable}
    set dhcp {disable | enable}
    set email {disable | enable}
    set email-log-imap {disable | enable}
    set email-log-pop3 {disable | enable}
    set email-log-smtp {disable | enable}
    set endpoint-bwl {disable | enable}   (FortiOS Carrier)
    set event {disable | enable}
    set ftgd-wf-block {disable | enable}
    set ftgd-wf-errors {disable | enable}
    set mass-mms {disable | enable}   (FortiOS Carrier)
    set gtp {disable | enable}   (FortiOS Carrier)
    set ha {disable | enable}
    set im {disable | enable}
    set im-all {disable | enable}
    set infected {disable | enable}
    set ipsec {disable | enable}
    set ldb-monitor {disable | enable}
    set other-traffic {disable | enable}
    set oversized {disable | enable}
    set pattern {disable | enable}
    set ppp {disable | enable}
    set severity {alert | critical | debug | emergency | error | information | notification | warning}
    set signature {disable | enable}
    set sslvpn-log-adm {disable | enable}
    set sslvpn-log-auth {disable | enable}
    set sslvpn-log-session {disable | enable}
    set system {disable | enable}
    set traffic {disable | enable}
    set url-filter {disable | enable}
    set violation {disable | enable}
    set virus {disable | enable}
    set voip {disable | enable}
    set voip-all {disable | enable}
    set web {disable | enable}
    set web-content {disable | enable}
    set web-filter-activex {disable | enable}
    set web-filter-applet {disable | enable}
    set web-filter-cookie {disable | enable}
end

Keywords and variables
admin {disable | enable}
    Enable or disable logging all administrative events, such as user logins, resets, and configuration updates in the event log. This keyword is available when event is enabled.
    Default: enable
allowed {disable | enable}
    Enable or disable logging all traffic that is allowed according to the firewall policy settings in the traffic log. This keyword is available when traffic is enabled.
    Default: enable
anomaly {disable | enable}
    Enable or disable logging all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit in the attack log. This keyword is available when attack is enabled.
    Default: enable
attack {disable | enable}
    Enable or disable the attack log.
    Default: enable
auth {disable | enable}
    Enable or disable logging all firewall-related events, such as user authentication in the event log. This keyword is available when event is enabled.
    Default: enable
blocked {disable | enable}
    Enable or disable logging all instances of blocked files.
    Default: enable
cpu-memory-usage {disable | enable}
    Enable or disable to log CPU usage every five minutes. This option is available only for memory and disk logs.
    Default: disable
dhcp {disable | enable}
    Enable or disable logging of DHCP service messages.
    Default: enable
email {disable | enable}
    Enable or disable the spam filter log.
    Default: enable
email-log-imap {disable | enable}
    Enable or disable logging of spam detected in IMAP traffic.
    Default: enable (email only)
email-log-pop3 {disable | enable}
    Enable or disable logging of spam detected in POP3 traffic.
    Default: enable (email only)
email-log-smtp {disable | enable}
    Enable or disable logging of spam detected in SMTP traffic.
    Default: enable (email only)
endpoint-bwl {disable | enable} (FortiOS Carrier)
    Enable or disable logging of End-point filter block messages.
    Default: enable
event {disable | enable}
    Enable or disable writing event log messages.
    Default: enable

This keyword is available when event is enabled. enable oversized {disable | enable} pattern {disable | enable} ppp {disable | enable} severity {alert | critical | debug | emergency | error | information | notification | warning} Enable or disable logging of all pattern update events.0 MR7 Reference 01-30007-0015-20090112 211 . Enable or disable logging of all L2TP. in the event log.An erroneous condition exists and functionality is probably affected. notification . if you select error. such as progress and error reports in the event log.Information about normal events. PPTP. and PPPoE-related events. Enable or disable logging of instant messages and Peer-to-Peer (P2P) events. critical. FortiGate® CLI Version 3.Information used for diagnosing or debugging the FortiGate unit.Functionality is affected. Enable or disable logging of a large amount of MMS blocked messages. Enable or disable HA activity messages. debug . enable Select the logging severity level. The FortiGate unit logs all informa messages at and above the logging severity level you select. Enable or disable logging all instances of FortiGuard category filtering rating errors.log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter Keywords and variables ftgd-wf-block {disable | enable} ftgd-wf-errors {disable | enable} mass-mms {disable | enable} (FortiOS Carrier) gtp {disable | enable} (FortiOS Carrier) ha {disable | enable} im {disable | enable} im-all {disable | enable} infected {disable | enable} ipsec {disable | enable} ldb-monitor {disable | enable} other-traffic {disable | enable} Description Enable or disable logging of web pages blocked by FortiGuard category filtering in the web filter log.General information about system operations. Enable or disable logging for GTP messages. This keyword is available when event is enabled.Immediate action is required. For tion example. 
Traffic log entries include generating traffic logs: • for all dropped ICMP packets • for all dropped invalid IP packets • for session start and on session deletion This setting is not rate limited. critical . Default enable enable enable enable enable enable enable enable enable disable Enable or disable ICSA compliant logs. such as enable antivirus and IPS pattern updates and update failures in the event log. emergency .Functionality might be affected. Enable or disable logging of all virus infections in the antivirus log. alert and emergency level messages. warning . Enable or disable logging of instant messages.The system is unusable. This keyword is available when web is enabled. Enable or disable logging of VIP realserver health monitoring messages. Enable or disable logging of IPSec negotiation events. A large volume of invalid packets can dramatically increase the number of log entries. the unit logs error. This keyword is available when virus is enabled. Enable or disable logging of oversized files in the antivirus log. This setting is disable independent from the traffic setting. This keyword is available when event is enabled. error . This keyword is available when web is enabled. information . This keyword is available when virus is enabled. alert . such as manager and socket creation processes.

See “firewall” on page 83 about enabling VoIP settings in a protection profile. Enable or disable to log VoIP events. also enable VoIP settings in a protection profile. enable virus logging for infected files. Enable or disable the antivirus log. See “firewall” on page 83 about enabling VoIP settings in a protection profile. config log disk filter set severity warning set virus enable set infected enable set event enable set anomaly enable set ipsec enable end FortiGate® CLI Version 3. Enable or disable the traffic log. Enable or disable logging of SSL-VPN administration. also enable VoIP settings in a protection profile. Enable or disable logging of SSL-VPN user authentication. Enable or disable logging of blocked URLs (specified in the URL block list) in the web filter log. If enabling VoIP.0 MR7 Reference 01-30007-0015-20090112 212 . This keyword is available when attack is enabled. Enable or disable the web filter log. Enable or disable logging of blocked content (specified in the banned words list) in the web filter log. in the attack log. Enable or disable logging of all traffic that violates the firewall policy settings in the traffic log. Enable or disable to log all subcategories of VoIP events. This keyword is available when web is enabled. and enable event logging for anomaly and IPSec events. This keyword is available when web is enabled. Enable or disable logging of system activity messages.{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter log Keywords and variables signature {disable | enable} Description Enable or disable logging of detected and prevented attacks based on the attack signature. Enable or disable logging of SSL-VPN sessions. 
Enable or disable the logging of Active X block messages Enable or disable the logging of java applet block messages Enable or disable the logging of cookie block messages Default enable sslvpn-log-adm {disable | enable} sslvpn-log-auth {disable | enable} sslvpn-log-session {disable | enable} system {disable | enable} traffic {disable | enable} url-filter {disable | enable} violation {disable | enable} virus {disable | enable} voip {disable | enable} voip-all {disable | enable} enable enable enable enable enable enable enable enable enable enable web {disable | enable} web-content {disable | enable} web-filter-activex {disable | enable} web-filter-applet {disable | enable} web-filter-cookie {disable | enable} enable enable enable enable enable Example This example shows how to set the logging severity level to warning. and the action taken by the FortiGate unit. This keyword is available when trafic is enabled. If enabling VoIP.

Added ldb-monitor and cpu-memory-usage keywords. for configuring to log a large amount of blocked MMS messages.80 FortiOS v2.0 MR4 FortiOS Carrier 3. The change occurred to msisdn-bwl. Also added VoIP commands. sslvpn-adm. url-block command renamed to url-filter. mas-mms.0 Substantially revised. sslvpn-session.log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter History FortiOS v2. This command appears only in FortiOS Carrier 3. FortiOS v3. it is now endpoint-bwl. Added keywords for FortiOS Carrier. im-all and sslvpn-auth.8 MR2 FortiOS v3. New keywords im. Added email_log_imap.0 MR7 Reference 01-30007-0015-20090112 213 . cat-block and cat-errors commands renamed to ftgd-wf-block and ftgd-wferrors respectively. Removed email_content keyword.0 MR4 FortiOS 3. exempt and content-keywords commands removed. and email_log_smtp keywords.0 MR7 Related topics • • • • • • log fortianalyzer setting log memory setting log syslogd setting log webtrends setting log trafficfilter firewall FortiGate® CLI Version 3. fortiguard for configuring the filter settings for the FortiGuard Log & Analysis server. All occurrences of msisdn is now referred to as endpoint. cat-monitor.0 MR4. Added the command. Added the FortiGuard Log & Analysis command. web-filter-applet and web-filter-cookie added. web-filter-activex. email_log_pop3.

log disk setting

Use this command to configure log settings for logging to the local disk. Disk logging is only available for FortiGate units with an internal hard disk. You can also use this command to configure the FortiGate unit to upload current log files to an FTP server every time the log files are rolled.

If you have an AMC disk installed on your FortiGate unit, you can use disk setting to configure logging of traffic to the AMC disk. The AMC disk behaves as a local disk after being inserted into the FortiGate unit and the FortiGate unit rebooted. You can view logs from Log&Report > Log Access > Disk when logging to an AMC disk.

Note: AMC disk is supported on all FortiGate units that have single-wide AMC slots.

Syntax

config log disk setting
  set status {enable | disable}
  set log full-first-warning threshold
  set log full-second-warning threshold
  set log full-final-warning threshold
  set max-log-file-size <integer max>
  set roll-schedule {daily | weekly}
  set roll-time <hh:mm>
  set diskfull {nolog | overwrite}
  set upload {enable | disable}
  set upload-destination {fortianalyzer | ftp-server}
  set uploadip <class_ip>
  set uploadport <port_integer>
  set uploaduser <user_str>
  set uploadpass <passwd>
  set uploaddir <dir_name_str>
  set uploadtype {attack event im spamfilter traffic virus voip webfilter}
  set uploadzip {disable | enable}
  set uploadsched {disable | enable}
  set uploadtime <time_integer>
  set upload-delete-files {enable | disable}
  set drive-standby-time <0-19800>
end

Keywords and variables

status {enable | disable}
  Enter enable to enable logging to the local disk. Default: disable.

full-first-warning threshold
  Enter to configure the first warning before reaching the threshold. You can enter a number between 1 and 100. Default: 75.

full-second-warning threshold
  Enter to configure the second warning before reaching the threshold. You can enter a number between 1 and 100. Default: 90.

full-final-warning threshold
  Enter to configure the final warning before reaching the threshold. You can enter a number between 1 and 100. Default: 95.

max-log-file-size <integer max>
  Enter the maximum size of the log file (in MB) that is saved to the local disk. When the log file reaches the specified maximum size, the FortiGate unit saves the current log file and starts a new active log file. The default minimum log file size is 1 MB and the maximum log file size allowed is 1024 MB. Default: 100.

roll-schedule {daily | weekly}
  Enter the frequency of log rolling. When set, the FortiGate unit will roll the log even if the maximum size has not been reached. Default: daily.

roll-time <hh:mm>
  Enter the time of day, in the format hh:mm, when the FortiGate unit saves the current log file and starts a new active log file. Default: 00:00.

diskfull {nolog | overwrite}
  Enter the action to take when the local disk is full. When you enter nolog, the FortiGate unit will stop logging; overwrite will begin overwriting the oldest file once the local disk is full. Default: overwrite.

upload {enable | disable}
  Enable or disable uploading log files to a remote directory. Enable upload to upload log files to an FTP server whenever a log file rolls. Use the uploaddir, uploadip, uploadpass, uploadport, and uploaduser keywords to add the information required to connect to the FTP server and upload the log files to a specific location on the server. Use the uploadtype keyword to select the type of log files to upload. Use the upload-delete-files keyword to delete the files from the hard disk once the FortiGate unit completes the file transfer. All upload keywords are available after enabling the upload command. Default: disable.

upload-destination {fortianalyzer | ftp-server}
  Select to upload log files directly to a FortiAnalyzer unit or to an FTP server. When you select to upload log files directly to a FortiAnalyzer unit, you can also schedule when to upload the log files. Default: disable.

uploadip <class_ip>
  Enter the IP address of the FTP server. This is required. Default: 0.0.0.0.

uploadport <port_integer>
  Enter the port number used by the FTP server. The default port is 21. Port 21 is the standard FTP port. Default: 21.

uploaduser <user_str>
  Enter the user account for the upload to the FTP server. This is required. No default.

uploadpass <passwd>
  Enter the password required to connect to the FTP server. This is required. No default.

uploaddir <dir_name_str>
  Enter the name of the path on the FTP server where the log files will be transferred to. If you do not specify a remote directory, the log files are uploaded to the root directory of the FTP server. No default.

uploadtype {attack event im spamfilter traffic virus voip webfilter}
  Select the log files to upload to the FTP server. You can enter one or more of the log file types separated by spaces. If you want to remove a log file type from the list or add a log file type to the list, you must retype the list with the log file type removed or added. Default: traffic event spamfilter virus webfilter voip im.

uploadzip {disable | enable}
  Enter enable to compress the log files after uploading to the FTP server. If disable is entered, the log files are uploaded to the FTP server in plain text format. Default: disable.

uploadsched {disable | enable}
  Enable log uploads at a specific time of the day. When set to disable, the FortiGate unit uploads the logs when the logs are rolled. Default: disable.

uploadtime <time_integer>
  Enter the time of day when the FortiGate unit uploads the logs. The uploadsched setting must first be set to enable. Default: 0.

upload-delete-files {enable | disable}
  Enable or disable the removal of the log files once the FortiGate unit has uploaded the log file to the FTP server. Default: enable.

drive-standby-time <0-19800>
  Set the power management for the hard disk. Enter the number of seconds, up to 19800. If there is no hard disk activity within the defined time frame, the hard disk will spin down to conserve energy. Setting the value to 0 disables the setting. Default: 0.

Example

This example shows how to enable logging to the local disk, set the action to stop logging when the disk is full, set the maximum log file size to 300 MB, and roll log files daily, starting a new one at 1:30pm every day.

config log disk setting
  set status enable
  set diskfull nolog
  set max-log-file-size 300
  set roll-schedule daily
  set roll-time 01:30
end

This example shows how to enable uploading the traffic log and content archive files to an FTP server. The FTP server has the IP address 172.30.120.24, the user name is ftpone, the password is ftppass1, and the directory on the FTP server is fortigate\login.

config log disk setting
  set upload enable
  set uploadip 172.30.120.24
  set uploaduser ftpone
  set uploadpass ftppass1
  set uploadtype traffic content
  set uploaddir fortigate\logs
end

History

FortiOS v2.80
  Substantially revised.

FortiOS v2.80 MR2
  Added upload keyword. Removed ftppasswd, ftpserver, and ftpuser keywords.

FortiOS v3.0
  Removed roll-day command. Renamed keyword filesize to max-log-file-size. Removed duration and unit keywords. Added upload, uploadip, uploaddir, uploadport, uploadpass, uploadtype, and uploaduser keywords.

FortiOS v3.0 MR2
  Added upload-delete-files command.

FortiOS v3.0 MR4
  Additional log files new to FortiOS 3.0 MR4, voip and im, were added to the uploadtype keyword.

FortiOS v3.0 MR5
  Removed the keyword, content, from the uploadtype command.

FortiOS v3.0 MR6
  Added keyword, upload-destination, for uploading log files to a FortiAnalyzer unit. Added the following keywords:
  • full-first-warning threshold
  • full-second-warning threshold
  • full-final-warning threshold

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log trafficfilter
• log webtrends setting
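An added example (not from the reference) that combines the disk and upload keywords above into a retention-oriented configuration: weekly rolling, compressed FTP upload of the security log types on every roll, and removal of the local copy only after the transfer completes. The server address 192.0.2.25, the account loguploader and the password placeholder are constructed values.

```fortios
# Added example, not from the reference. 192.0.2.25, loguploader and the
# password placeholder are constructed; replace them with site values.
config log disk setting
  set status enable
  # overwrite keeps logging when the disk fills (oldest file is lost);
  # nolog would instead stop logging entirely until space is freed.
  set diskfull overwrite
  set max-log-file-size 200
  set roll-schedule weekly
  set roll-time 02:00
  set upload enable
  set upload-destination ftp-server
  set uploadip 192.0.2.25
  set uploadport 21
  set uploaduser loguploader
  set uploadpass <ftp-password-placeholder>
  set uploaddir fortigate\logs
  # Only the log types relevant to incident review; retyping the list
  # replaces it, so spamfilter/webfilter/voip/im are dropped here.
  set uploadtype attack event virus traffic
  set uploadzip enable
  set uploadsched disable
  set upload-delete-files enable
  set drive-standby-time 1800
end
```

With uploadsched left at disable, the upload runs each time a file rolls, so the weekly roll-time also sets the upload cadence.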

log fortianalyzer setting

Use this command to enable the FortiGate unit to send log files to a FortiAnalyzer unit. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network and email activity to help identify security issues and reduce network misuse and abuse.

Using the CLI, you can send logs to up to three different FortiAnalyzer units for maximum fail-over protection of log data. Additional FortiAnalyzer units are configured using the fortianalyzer2 and fortianalyzer3 commands. After configuring logging to FortiAnalyzer units, the FortiGate unit will send the same log packets to all configured FortiAnalyzer units. See “fortianalyzer, fortianalyzer2, fortianalyzer3” on page 360 to configure the FortiAnalyzer configuration settings.

Note: The FortiAnalyzer CLI commands are not cumulative. Using a syntax similar to the following is not valid:
config log fortianalyzer fortianalyzer2 fortianalyzer3 setting

Syntax

config log fortianalyzer setting
  set status {disable | enable}
end

Keywords and variables

status {disable | enable}
  Enter enable to enable logging to a FortiAnalyzer unit. Default: disable.

Example

This example shows how to enable logging to a FortiAnalyzer unit.

config log fortianalyzer setting
  set status enable
end

History

FortiOS v2.80
  New.

FortiOS v2.80 MR2
  Added localid and psksecret keywords.

FortiOS v3.0
  Changed FortiLog product name to FortiAnalyzer. Added multi-report keyword.

FortiOS v3.0 MR4
  Removed multi-report keyword and max-buffer-size keyword. Moved all FortiAnalyzer configuration keywords under config system fortianalyzer.

FortiOS v3.0 MR7
  Command includes up to three FortiAnalyzer units, fortianalyzer2 and fortianalyzer3.

Related topics
• system fortianalyzer, fortianalyzer2, fortianalyzer3
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log webtrends setting
• log trafficfilter

log fortiguard setting

Use this command for configuring FortiGuard Analysis Service settings, including enabling logging to a FortiGuard Analysis server. See the FortiGate Administration Guide for more information about the subscription-based FortiGuard Analysis and Management Service.

Note: The fortiguard setting command is only available when FortiGuard Analysis and Management Service subscription-based services are enabled.

Syntax

config log fortiguard setting
  set quotafull {nolog | overwrite}
  set status {disable | enable}
end

Keywords and variables

quotafull {nolog | overwrite}
  Enter the action to take when the specified storage space on the FortiGuard Analysis server is full. When you enter nolog, the FortiGate unit will stop logging; overwrite will begin overwriting the oldest file. The storage space is a specified amount, and varies depending on the services requested. Default: overwrite.

status {disable | enable}
  Enter enable to enable logging to the FortiGuard Analysis server. Default: disable.

Example

In this example, the FortiGate unit is logging to a FortiGuard Analysis server, and will stop logging when the maximum storage space on the server is reached.

config log fortiguard setting
  set quotafull nolog
  set status enable
end

History

FortiOS v3.0 MR4
  New.

Related topics
• {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter

log memory setting

Use this command to configure log settings for logging to the FortiGate system memory. The FortiGate system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the FortiGate unit begins to overwrite the oldest messages. All log entries are deleted when the FortiGate unit restarts.

Syntax

config log memory setting
  set diskfull <overwrite>
  set status {disable | enable}
end

Keywords and variables

diskfull <overwrite>
  Enter the action to take when the memory is reaching its capacity. The only option available is overwrite, which means that the FortiGate unit will begin overwriting the oldest file. Default: overwrite.

status {disable | enable}
  Enter enable to enable logging to the FortiGate system memory. Default: disable.

Example

This example shows how to enable logging to the FortiGate system memory.

config log memory setting
  set status enable
  set diskfull overwrite
end

History

FortiOS v2.80
  Substantially revised.

FortiOS v3.0
  Removed blocktraffic and nolog keywords.

FortiOS v3.0 MR6
  Added diskfull keyword.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log syslogd setting
• log webtrends setting
• log trafficfilter
• memory global setting

log memory global setting

Use this command to configure log threshold warnings, as well as the maximum buffer lines, for the FortiGate system memory. The FortiGate system memory has a limited capacity and displays only the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information. After all available memory is used, by default, the FortiGate unit begins to overwrite the oldest log messages. All log entries are deleted when the FortiGate unit restarts.

Syntax

config log memory global setting
  set full-final-warning-threshold
  set full-first-warning-threshold
  set full-second-warning-threshold
  set max-lines
end

Keywords and variables

full-final-warning-threshold
  Enter to configure the final warning before reaching the threshold. You can enter a number between 3 and 100. Default: 95.

full-first-warning-threshold
  Enter to configure the first warning before reaching the threshold. You can enter a number between 1 and 98. Default: 75.

full-second-warning-threshold
  Enter to configure the second warning before reaching the threshold. You can enter a number between 2 and 99. Default: 90.

max-lines
  Enter the maximum number of lines in the memory buffer log. No default.

Example

This example shows how to configure the first, second, and final threshold warnings as well as the maximum lines for the memory buffer log. The keyword names follow the syntax above.

config log memory global setting
  set full-first-warning-threshold 40
  set full-second-warning-threshold 60
  set full-final-warning-threshold 80
  set max-lines 60
end

History

FortiOS v3.0 MR6
  New.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log syslogd setting
• log webtrends setting
• log trafficfilter
• memory setting

log syslogd setting

Use this command to configure log settings for logging to a remote syslog server. You can configure the FortiGate unit to send logs to a remote computer running a syslog server.

Using the CLI, you can send logs to up to three different syslog servers. Configure additional syslog servers using the syslogd2 and syslogd3 commands and the same keywords outlined below.

Note: Syslog CLI commands are not cumulative. Using a syntax similar to the following is not valid:
config log syslogd syslogd2 syslogd3 setting

Syntax

config log syslogd setting
  set csv {disable | enable}
  set facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
  set port <port_integer>
  set server <address_ipv4>
  set status {disable | enable}
end

Keywords and variables

csv {disable | enable}
  Enter enable to enable the FortiGate unit to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files. Default: disable.

facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
  Enter the facility type. facility identifies the source of the log message to syslog. You might want to change facility to distinguish log messages from different FortiGate units. Available facility types are:
  • alert: log alert
  • audit: log audit
  • auth: security/authorization messages
  • authpriv: security/authorization messages (private)
  • clock: clock daemon
  • cron: cron daemon performing scheduled commands
  • daemon: system daemons running background system processes
  • ftp: File Transfer Protocol (FTP) daemon
  • kernel: kernel messages
  • local0 – local7: reserved for local use
  • lpr: line printer subsystem
  • mail: email system
  • news: network news subsystem
  • ntp: Network Time Protocol (NTP) daemon
  • syslog: messages generated internally by the syslog daemon
  • user: user-level messages (standard syslog facility)
  • uucp: UUCP subsystem (standard syslog facility)
  Default: local7.

port <port_integer>
  Enter the port number for communication with the syslog server. Default: 514.

server <address_ipv4>
  Enter the IP address of the syslog server that stores the logs. No default.

status {disable | enable}
  Enter enable to enable logging to a remote syslog server. Default: disable.

Example

This example shows how to enable logging to a remote syslog server, configure an IP address and port for the server, and enable logging in CSV format.

config log syslogd setting
  set status enable
  set server 220.210.200.190
  set port 601
  set csv enable
end

History

FortiOS v2.80
  Substantially revised.

FortiOS v2.80 MR3
  Added alert and audit keywords for use with the facility keyword.

FortiOS v3.0 MR7
  Command includes up to three syslog servers, syslogd2 and syslogd3.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log webtrends setting
• log trafficfilter
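An added example (not from the reference) that ties the syslogd setting command to the matching log filter command described earlier: two syslog collectors with a unit-specific facility, and a per-server filter that keeps the categories a security team reviews while dropping the high-volume allowed-traffic entries. The collector addresses 192.0.2.10 and 192.0.2.11 are constructed values.

```fortios
# Added example, not from the reference. 192.0.2.10 and 192.0.2.11 are
# constructed collector addresses.
# Each server has its own setting and filter command; keywords given to
# syslogd do not carry over to syslogd2.
config log syslogd setting
  set status enable
  set server 192.0.2.10
  set port 514
  # A non-default facility lets the collector tell this unit's messages
  # apart from other devices that keep the local7 default.
  set facility local3
  set csv disable
end
config log syslogd filter
  # information and above: notification/information events such as
  # admin logins and VPN negotiations are kept, debug is not.
  set severity information
  set event enable
  set admin enable
  set auth enable
  set ipsec enable
  set system enable
  set attack enable
  set signature enable
  set anomaly enable
  set virus enable
  set infected enable
  set traffic enable
  # Permitted sessions are the bulk of traffic volume; send only policy
  # violations to this collector.
  set allowed disable
  set violation enable
  set other-traffic disable
end
config log syslogd2 setting
  set status enable
  set server 192.0.2.11
  set port 514
  set facility local3
end
config log syslogd2 filter
  set severity warning
  set event enable
  set admin enable
  set attack enable
  set signature enable
  set anomaly enable
  set traffic disable
end
```

The second collector receives only warning-and-above events and attack-log entries, so it can serve as a low-volume fallback if the primary collector is unavailable.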

log webtrends setting

Use this command to configure log settings for logging to a remote computer running a NetIQ WebTrends firewall reporting server. FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1.

Syntax

config log webtrends setting
  set server <address_ipv4>
  set status {disable | enable}
end

Keywords and variables

server <address_ipv4>
  Enter the IP address of the WebTrends server that stores the logs. No default.

status {disable | enable}
  Enter enable to enable logging to a WebTrends server. Default: disable.

Example

This example shows how to enable logging to, and set an IP address for, a remote WebTrends server.

config log webtrends setting
  set status enable
  set server 220.210.200.190
end

History

FortiOS v2.80
  Substantially revised.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log trafficfilter

log trafficfilter

Use this command to configure the following global settings for traffic logging:
• resolve IP addresses to host names
• display the port number or service (protocol) in the log message

Syntax

config log trafficfilter
  set display {name | port}
  set resolve {disable | enable}
end

Keywords and variables

display {name | port}
  Enter name to enable the display of the service name in the traffic log messages. Enter port to display the port number used by traffic in traffic log messages. Default: port.

resolve {disable | enable}
  Enter enable to enable resolving IP addresses to host names in traffic log messages. Default: disable.

Example

This example shows how to display the service name and enable resolving IP addresses to host names in log messages.

config log trafficfilter
  set display name
  set resolve enable
end

History

FortiOS v2.80
  Revised.

FortiOS v3.0 MR7
  Removed the config rule sub-command.

Related topics
• log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
• log fortianalyzer setting
• log memory setting
• log syslogd setting
• log webtrends setting


notification (FortiOS Carrier)

This chapter covers the commands to configure event notification. This chapter contains the following sections:
• notification

notification

Use this command to configure event notification.

Syntax

config notification
  set maximum-rate <integer>
  set maximum-retries <integer>
  set maximum-sessions <integer>
  set mem-percent <integer>
end

Variables

maximum-rate <integer>
  Enter the maximum rate for notification messages. The rate is the number of messages per second. The range is 0 to 1000. Set maximum-rate to 0 to disable rate limiting of notification messages. Default: 250.

maximum-retries <integer>
  Enter the maximum number of retries allowed for each notification message. The range is 1 to 65,535. Default: 20.

maximum-sessions <integer>
  Enter the maximum number of simultaneous sessions with the MMSC. The range is 1 to 2,048. Default: 2048.

mem-percent <integer>
  Enter the percentage of memory the notification cache is allowed to use. The range is 1 to 16 %. Default: 5.

History

FortiOS Carrier v3.00 MR5
  Added the maximum-rate keyword.

router

Routers move packets from one network segment to another towards a network destination. When a packet reaches a router, the router uses data in the packet header to look up a suitable route on which to forward the packet to the next segment. The information that a router uses to make routing decisions is stored in a routing table. Other factors related to the availability of routes and the status of the network may influence the route selection that a router makes when forwarding a packet to the next segment.

The FortiGate unit supports many advanced routing functions and is compatible with industry standard Internet routers. The FortiGate unit can communicate with other routers to determine the best route for a packet.

The following router commands are available to configure options related to FortiGate unit router communications and packet forwarding:
access-list
aspath-list
auth-path
bgp
community-list
key-chain
multicast
ospf
policy
prefix-list
rip
route-map
static
static6

access-list

Use this command to add, edit, or delete access lists. Access lists are filters used by FortiGate unit routing processes. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF).

Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix. The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny.

Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0, can not be exactly matched with an access-list. A prefix-list must be used for this purpose. For more information, see “prefix-list” on page 283.

Syntax
config router access-list
  edit <access_list_name>
    set comments <string>
    config rule
      edit <access_list_id>
        set action {deny | permit}
        set exact-match {enable | disable}
        set prefix { <prefix_ipv4mask> | any }
        set wildcard <address_ipv4> <wildcard_mask>
    end
end

Note: The action and prefix keywords are required. The exact-match keyword is optional.

Variables
edit <access_list_name>
  Enter a name for the access list. An access list and a prefix list cannot have the same name. No default.
comments <string>
  Enter a descriptive comment. The max length is 127 characters. No default.
config rule variables
edit <access_list_id>
  Enter an entry number for the rule. The number must be an integer. No default.
action {deny | permit}
  Set the action to take for this prefix. Default: permit.
exact-match {enable | disable}
  By default, access list rules are matched on the prefix or any more specific prefix. Enable exact-match to match only the configured prefix. Default: disable.

prefix { <prefix_ipv4mask> | any }
  Enter the prefix for this access list rule, either:
  • Type the IP address and network mask.
  • Type any to match any prefix.
  Default: any.
wildcard <address_ipv4> <wildcard_mask>
  Enter the IP address and reverse (wildcard) mask to process. The value of the mask (for example, 255.255.0.0) determines which address bits to match. A value of 0 means that an exact match is required, while a binary value of 1 indicates that part of the binary network address does not have to match. You can specify discontinuous masks (for example, to process “even” or “odd” networks according to any network address octet). For best results, do not specify a wildcard attribute unless prefix is set to any. No default.

Example
This example shows how to add an access list named acc_list1 with two rules. The first rule denies the subnet that exactly matches the prefix 192.168.0.0 255.255.0.0, and the second rule permits all other subnets that match the prefix 192.168.0.0 255.255.0.0.
config router access-list
  edit acc_list1
    config rule
      edit 1
        set prefix 192.168.0.0 255.255.0.0
        set action deny
        set exact-match enable
      next
      edit 2
        set prefix 192.168.0.0 255.255.0.0
        set action permit
        set exact-match disable
    end
end

The next example shows how to add an access list that permits all subnets matching network address 10.0.0.0 0.0.0.255 (addresses 10.0.0.1 through 10.0.0.254 are processed):
config router access-list
  edit acc_list2
    config rule
      edit 1
        set action permit
        set wildcard 10.0.0.0 0.0.0.255
    end
end

The next example shows how to add an access list that permits “odd” subnets according to the third octet of network address 172.16.x.0 (networks 172.16.1.0, 172.16.3.0, 172.16.5.0, and so on are processed):
config router access-list
  edit acc_list3
    config rule
      edit 1
        set action permit
        set wildcard 172.16.1.0 0.0.254.255
    end
end
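To make the matching rules concrete, the following is an added example (not Fortinet code and not part of this reference) that evaluates routes against the three access lists above exactly as the text describes them: a prefix rule matches the configured prefix or any more specific prefix unless exact-match is enabled, a wildcard rule compares only the bits where the wildcard mask is 0, the first matching rule wins, and a route that matches nothing is denied. The Rule class, the function names and the sample routes are this example's own constructions.

```python
# Added example (not Fortinet code): an evaluator for the access-list
# semantics described above, run over constructed sample routes.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    prefix: Optional[str] = None                  # "a.b.c.d/n"; None means "any"
    exact_match: bool = False                     # match only the configured prefix
    wildcard: Optional[Tuple[str, str]] = None    # (address, wildcard mask)


def prefix_matches(route: ipaddress.IPv4Network, rule: Rule) -> bool:
    """Prefix test: exact, or the prefix and any more specific prefix."""
    if rule.prefix is None:
        return True
    configured = ipaddress.ip_network(rule.prefix, strict=False)
    if rule.exact_match:
        return route == configured
    return route.subnet_of(configured)


def wildcard_matches(route: ipaddress.IPv4Network, rule: Rule) -> bool:
    """Wildcard test: bits where the mask is 0 must match, 1 bits are ignored."""
    if rule.wildcard is None:
        return True
    addr, wmask = rule.wildcard
    care = ~int(ipaddress.ip_address(wmask)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (
        int(route.network_address) & care
    )


def evaluate(rules: List[Rule], route_str: str) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for rule in rules:
        if prefix_matches(route, rule) and wildcard_matches(route, rule):
            return rule.action
    return "deny"


# The three access lists from the examples above, expressed as rule objects.
ACC_LIST1 = [
    Rule("deny", "192.168.0.0/16", exact_match=True),
    Rule("permit", "192.168.0.0/16"),
]
ACC_LIST2 = [Rule("permit", wildcard=("10.0.0.0", "0.0.0.255"))]
ACC_LIST3 = [Rule("permit", wildcard=("172.16.1.0", "0.0.254.255"))]

if __name__ == "__main__":
    for acl, route in ((ACC_LIST1, "192.168.0.0/16"), (ACC_LIST1, "192.168.5.0/24"),
                       (ACC_LIST2, "10.0.1.77/32"), (ACC_LIST3, "172.16.3.0/24")):
        print(route, "->", evaluate(acl, route))
```

The wildcard 0.0.254.255 in acc_list3 leaves every bit free except the lowest bit of the third octet, which must equal 1 as in 172.16.1.0; that is what makes only odd third octets match.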

History
FortiOS v2.80 New.
FortiOS v3.0 Changed exact_match keyword to exact-match. Added wildcard attribute.
FortiOS v3.0 MR6 Added comments attribute.

Related topics
• router ospf
• router prefix-list
• router rip

aspath-list

Use this command to set or unset BGP AS-path list parameters.

BGP uses an ordered list of Autonomous System (AS) numbers to describe the route that a packet takes to reach its destination. A list of AS numbers is called an AS path. You can filter BGP routes using AS path lists.

When the FortiGate unit receives routing updates from other autonomous systems, it can perform operations on updates from neighbors and choose the shortest path to a destination. The shortest path is determined by counting the number of AS numbers in the AS path. The path that has the least number of AS numbers is considered the shortest AS path.

Use the config router aspath-list command to define an access list that examines the AS_PATH attributes of BGP routes to match routes. Each entry in the AS-path list defines a rule for matching and selecting routes based on the setting of the AS_PATH attribute. The default rule in an AS path list (which the FortiGate unit applies last) denies the matching of all routes.

Syntax
config router aspath-list
  edit <aspath_list_name>
    config rule
      edit <as_rule_id>
        set action {deny | permit}
        set regexp <regexp_str>
    end
end

Note: The action and regexp keywords are required.

Variables
edit <aspath_list_name>
  Enter a name for the AS path list. No default.
config rule variables
edit <as_rule_id>
  Enter an entry number for the rule. The number must be an integer. No default.
action {deny | permit}
  Deny or permit operations on a route based on the value of the route’s AS_PATH attribute. No default.
regexp <regexp_str>
  Specify the regular expression that will be compared to the AS_PATH attribute (for example, ^730$). The value is used to match AS numbers. Delimit a complex regexp_str value using double-quotation marks. Default: Null.

Example
This example shows how to create an AS-path list named ebgp_in. The list contains a single rule that permits operations on BGP routes whose AS_PATH attribute references an AS number of 333, 334, 338, or 71. The AS path list will match routes that originate in AS 333, AS 334, AS 338, or AS 71.
config router aspath-list
  edit ebgp_in
    config rule
      edit 1
        set action permit
        set regexp _(333|334|338|71)$
    end
end
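The following added example (not Fortinet code) shows why the rule above matches routes that originate in one of the listed ASes and nothing else: the originating AS is the last number in the AS_PATH, so a pattern anchored with $ matches only there. It assumes the common router convention that "_" in an AS-path regular expression stands for a token boundary (start or end of the path, a space, or a brace or comma around an AS_SET); this reference does not define "_", so that translation and the helper names are this example's assumptions. The AS paths used are constructed.

```python
# Added example (not Fortinet code): matching AS_PATH attributes against
# AS-path list rules written as regular expressions.
# Assumption: "_" is a token boundary as on Cisco/Zebra-style routers; the
# page does not define it, so the translation below is this example's own.
import re
from typing import List, Sequence, Tuple

_BOUNDARY = r"(?:^|$|[ ,{}()])"


def compile_aspath_regexp(pattern: str):
    """Translate an AS-path regexp into a Python regexp ("_" -> boundary)."""
    return re.compile(pattern.replace("_", _BOUNDARY))


def aspath_to_text(as_path: Sequence[int]) -> str:
    """Render an AS_PATH the way it is matched: numbers separated by spaces,
    leftmost number is the neighbor, rightmost is the originating AS."""
    return " ".join(str(asn) for asn in as_path)


def evaluate_aspath_list(rules: List[Tuple[str, str]], as_path: Sequence[int]) -> str:
    """Apply the rules in order; the implicit final rule denies all routes."""
    text = aspath_to_text(as_path)
    for action, pattern in rules:
        if compile_aspath_regexp(pattern).search(text):
            return action
    return "deny"


# The ebgp_in list from the example above, as (action, regexp) pairs.
EBGP_IN = [("permit", "_(333|334|338|71)$")]

if __name__ == "__main__":
    for path in ([65100, 333], [333, 65100], [65100, 3338], [71]):
        print(aspath_to_text(path), "->", evaluate_aspath_list(EBGP_IN, path))
```

The path 65100 3338 is denied even though it contains the digits 333: the boundary before the alternation and the $ after it require a whole AS number, not a substring.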

History
FortiOS v3.0 New.

Related topics
• router bgp
• router community-list
• Using route maps with BGP
• router key-chain

auth-path

Authentication based routing allows firewall policies to direct network traffic flows.

To configure authentication based routing on your FortiGate unit
1 Configure your FortiGate unit to communicate with a RADIUS authentication server. This command configures a RADIUS object on your FortiGate unit.
2 Configure a user that uses the RADIUS server.
3 Add that user to a user group configured to use the RADIUS server.
4 Configure a custom service for RADIUS traffic.
5 Configure a service group that includes RADIUS traffic along with other types of traffic that will be allowed to pass through the firewall.
6 Configure the router auth-path object. The same object is required to be configured on the RADIUS server.
7 Configure a firewall policy that has route based authentication enabled. These settings also need to be configured on the RADIUS server used to authenticate.

The Fortinet Knowledge Center has an article on authentication based routing that provides a sample configuration for these steps.

Note: The auth-path command is not available when the FortiGate unit is in Transparent mode.

Syntax
config router auth-path
  edit <auth_path_name>
    set device <interface>
    set gateway <gway_ipv4>
end

Variables
edit <auth_path_name>
  Enter a name for the authentication path. No default.
device <interface>
  Specify the interface for this path. Default: Null.
gateway <gway_ipv4>
  Specify the gateway IP address for this path. No default.

Example
This example shows how to configure an auth-path object called auth_route that routes traffic over the dmz interface using 172.20.120.4.
config router auth-path
  edit auth_route
    set device dmz
    set gateway 172.20.120.4
  next
end

History
FortiOS v3.0 MR6 New.

Related topics
• user local
• user radius
• firewall policy, policy6

bgp

Use this command to set or unset BGP-4 routing parameters. BGP can be used to perform Classless Interdomain Routing (CIDR) and to route traffic between different autonomous systems or domains using an alternative route if a link between a FortiGate unit and a BGP peer (such as an ISP router) fails. Fortinet BGP-4 complies with RFC 1771 and supports IPv4 addressing.

When BGP is enabled, the FortiGate unit sends routing table updates to the upstream ISP router whenever any part of the routing table changes. The update advertises which routes can be used to reach the FortiGate unit. In this way, routes are made known from the border of the internal network outwards (routes are pushed forward) instead of relying on upstream routers to propagate alternative paths to the FortiGate unit.

FortiGate unit BGP supports the following extensions to help manage large numbers of BGP peers:
• Communities — The FortiGate unit can set the COMMUNITY attribute of a route to assign the route to predefined paths (see RFC 1997). The FortiGate unit can examine the COMMUNITY attribute of learned routes to perform local filtering and/or redistribution.
• Internal BGP (IBGP) route reflectors — The FortiGate unit can operate as a route reflector or participate as a client in a cluster of IBGP peers (see RFC 1966).
• External BGP (EBGP) confederations — The FortiGate unit can operate as a confederation member, using its AS confederation identifier in all transactions with peers that are not members of its confederation (see RFC 3065).

Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs out on a connection then that router is declared down. BFD then communicates this information to the routing protocol and the routing information is updated. BFD support was added in FortiOS v3.0 MR4, and can only be configured through the CLI.

Syntax
config router bgp
  set always-compare-med {enable | disable}
  set as <local_as_id>
  set bestpath-as-path-ignore {enable | disable}
  set bestpath-cmp-confed-aspath {enable | disable}
  set bestpath-cmp-routerid {enable | disable}
  set bestpath-med-confed {enable | disable}
  set bestpath-med-missing-as-worst {enable | disable}
  set client-to-client-reflection {enable | disable}
  set cluster-id <address_ipv4>
  set confederation-identifier <peerid_integer>
  set dampening {enable | disable}
  set dampening-max-suppress-time <minutes_integer>
  set dampening-reachability-half-life <minutes_integer>
  set dampening-reuse <reuse_integer>
  set dampening-route-map <routemap-name_str>
  set dampening-suppress <limit_integer>
  set dampening-unreachability-half-life <minutes_integer>
  set default-local-preference <preference_integer>
  set deterministic-med {enable | disable}
  set distance-external <distance_integer>
  set distance-internal <distance_integer>
  set distance-local <distance_integer>
  set enforce-first-as {enable | disable}
  set fast-external-failover {enable | disable}
  set graceful_restart {enable | disable}
  set holdtime-timer <seconds_integer>
  set ignore_optional_capability {enable | disable}
  set keepalive-timer <seconds_integer>
  set log-neighbor-changes {enable | disable}
  set network-import-check {enable | disable}
  set router-id <address_ipv4>
  set scan-time <seconds_integer>
  set synchronization {enable | disable}
  config admin-distance
    edit <route_entry_id>
      set distance <integer>
      set neighbor-prefix <ip_and_netmask>
      set route-list <string>
  end
  config aggregate-address
    edit <aggr_addr_id>
      set as-set {enable | disable}
      set prefix <address_ipv4mask>
      set summary-only {enable | disable}
  end
  config neighbor
    edit <neighbor_address_ipv4>
      set activate {enable | disable}
      set advertisement-interval <seconds_integer>
      set allowas-in <max_num_AS_integer>
      set allowas-in-enable {enable | disable}
      set attribute-unchanged [as-path] [med] [next-hop]
      set bfd {enable | disable}
      set capability-default-originate {enable | disable}
      set capability-dynamic {enable | disable}
      set capability-graceful-restart {enable | disable}
      set capability-orf {both | none | receive | send}
      set capability-route-refresh {enable | disable}
      set connect-timer <seconds_integer>
      set description <text_str>
      set distribute-list-in <access-list-name_str>
      set distribute-list-out <access-list-name_str>
      set dont-capability-negotiate {enable | disable}
      set ebgp-enforce-multihop {enable | disable}
      set ebgp-multihop-ttl <seconds_integer>
      set filter-list-in <aspath-list-name_str>
      set filter-list-out <aspath-list-name_str>
      set holdtime-timer <seconds_integer>
      set interface <interface-name_str>
      set keep-alive-timer <seconds_integer>
      set maximum-prefix <prefix_integer>
      set maximum-prefix-threshold <percentage_integer>
      set maximum-prefix-warning-only {enable | disable}
      set next-hop-self {enable | disable}
      set override-capability {enable | disable}
      set passive {enable | disable}
      set password <string>
      set prefix-list-in <prefix-list-name_str>
      set prefix-list-out <prefix-list-name_str>
      set remote-as <id_integer>
      set remove-private-as {enable | disable}
      set retain-stale-time <seconds_integer>
      set route-map-in <routemap-name_str>
      set route-map-out <routemap-name_str>
      set route-reflector-client {enable | disable}
      set route-server-client {enable | disable}
      set send-community {both | disable | extended | standard}
      set shutdown {enable | disable}
      set soft-reconfiguration {enable | disable}
      set strict-capability-match {enable | disable}
      set unsuppress-map <route-map-name_str>
      set update-source <interface-name_str>
      set weight <weight_integer>
  end
  config network
    edit <network_id>
      set backdoor {enable | disable}
      set prefix <address_ipv4mask>
      set route-map <routemap-name_str>
  end
  config redistribute {connected | static | rip | ospf}
    set status {enable | disable}
    set route-map <route-map-name_str>
  end
end

config router bgp
Use this command to enable a Border Gateway Protocol version 4 (BGP-4) process on the FortiGate unit, define the interfaces making up the local BGP network (see “config network” on page 247), and set operating parameters for communicating with BGP neighbors (see “config neighbor” on page 243).

FortiGate units maintain separate entries in their routing tables for BGP routes. When multiple routes to the FortiGate unit exist, BGP attributes determine the best route and the FortiGate unit communicates this information to its BGP peers. The best route is added to the IP routing table of the BGP peer, which in turn propagates this updated routing information to upstream routers.

To reduce the size of the BGP routing table and conserve network resources, you can optionally aggregate routes to the FortiGate unit. An aggregate route enables the FortiGate unit to advertise one block of contiguous IP addresses as a single, less-specific address. You can implement aggregate routing either by redistributing an aggregate route (see “config redistribute” on page 248) or by using the conditional aggregate routing feature (see “config aggregate-address” on page 243). See “Using route maps with BGP” on page 297.

Note: In the following table, the as and router-id keywords are required. All other keywords are optional.

Variables
always-compare-med {enable | disable}
  Enable or disable the comparison of MULTI_EXIT_DISC (Multi Exit Discriminator or MED) attributes for identical destinations advertised by BGP peers in different autonomous systems. Default: disable.
as <local_as_id>
  Enter an integer to specify the local autonomous system (AS) number of the FortiGate unit. The range is from 1 to 65 535. A value of 0 is not allowed. When the local_as_id number is different than the AS number of the specified BGP neighbor (see “remote-as <id_integer>” on page 246), an External BGP (EBGP) session is started. Otherwise, an Internal BGP (IBGP) session is started. Default: 0.
bestpath-as-path-ignore {enable | disable}
  Enable or disable the inclusion of an AS path in the selection algorithm for choosing a BGP route. Default: disable.
bestpath-cmp-confed-aspath {enable | disable}
  Enable or disable the comparison of the AS_CONFED_SEQUENCE attribute, which defines an ordered list of AS numbers representing a path from the FortiGate unit through autonomous systems within the local confederation. Default: disable.
bestpath-cmp-routerid {enable | disable}
  Enable or disable the comparison of the router-ID values for identical EBGP paths. Default: disable.
bestpath-med-confed {enable | disable}
  Enable or disable the comparison of MED attributes for routes advertised by confederation EBGP peers. Default: disable.
bestpath-med-missing-as-worst {enable | disable}
  When bestpath-med-confed is enabled, treat any confederation path with a missing MED metric as the least preferred path. This keyword is available when bestpath-med-confed is set to enable. Default: disable.
client-to-client-reflection {enable | disable}
  Enable or disable client-to-client route reflection between IBGP peers. If the clients are fully meshed, route reflection may be disabled. Default: enable.
cluster-id <address_ipv4>
  Set the identifier of the route-reflector in the cluster ID to which the FortiGate unit belongs. If 0 is specified, the FortiGate unit operates as the route reflector and its router-id value is used as the cluster-id value. If the FortiGate unit identifies its own cluster ID in the CLUSTER_LIST attribute of a received route, the route is ignored to prevent looping. Default: 0.0.0.0.
confederation-identifier <peerid_integer>
  Set the identifier of the confederation to which the FortiGate unit belongs. The range is from 1 to 65 535. Default: 0.
dampening {enable | disable}
  Enable or disable route-flap dampening on all BGP routes. (A flapping route is unstable and continually transitions down and up.) If you set dampening, you may optionally set dampening-route-map or define the associated values individually using the dampening-* keywords. See RFC 2439. Default: disable.
dampening-max-suppress-time <minutes_integer>
  Set the maximum time (in minutes) that a route can be suppressed. A route may continue to accumulate penalties while it is suppressed. However, the route cannot be suppressed longer than minutes_integer. The range is from 1 to 255. This keyword is available when dampening is set to enable. Default: 60.
dampening-reachability-half-life <minutes_integer>
  Set the time (in minutes) after which any penalty assigned to a reachable (but flapping) route is decreased by half. The range is from 1 to 45. This keyword is available when dampening is set to enable. Default: 15.

dampening-reuse <reuse_integer>
  Set a dampening-reuse limit based on accumulated penalties. If the penalty assigned to a flapping route decreases enough to fall below the specified reuse_integer, the route is not suppressed. The range is from 1 to 20 000. This keyword is available when dampening is set to enable. Default: 750.
dampening-route-map <routemap-name_str>
  Specify the route-map that contains criteria for dampening. You must create the route-map before it can be selected here. See “route-map” on page 295 and “Using route maps with BGP” on page 297. This keyword is available when dampening is set to enable. Default: Null.
dampening-suppress <limit_integer>
  Set a dampening-suppression limit. A route is suppressed (not advertised) when its penalty exceeds the specified limit. The range is from 1 to 20 000. This keyword is available when dampening is set to enable. Default: 2 000.
dampening-unreachability-half-life <minutes_integer>
  Set the time (in minutes) after which the penalty on a route that is considered unreachable is decreased by half. The range is from 1 to 45. This keyword is available when dampening is set to enable. Default: 15.
default-local-preference <preference_integer>
  Set the default local preference value. A higher value signifies a preferred route. The range is from 0 to 4 294 967 295. Default: 100.
deterministic-med {enable | disable}
  Enable or disable deterministic comparison of the MED attributes of routes advertised by peers in the same AS. Default: disable.
distance-external <distance_integer>
  Set the administrative distance of EBGP routes. The range is from 1 to 255. If you set this value, you must also set values for distance-internal and distance-local. Default: 20.
distance-internal <distance_integer>
  Set the administrative distance of IBGP routes. The range is from 1 to 255. This keyword is available when distance-external is set. Default: 200.
distance-local <distance_integer>
  Set the administrative distance of local BGP routes. The range is from 1 to 255. This keyword is available when distance-external is set. Default: 200.
enforce-first-as {enable | disable}
  Enable or disable the addition of routes learned from an EBGP peer when the AS number at the beginning of the route’s AS_PATH attribute does not match the AS number of the EBGP peer. Default: disable.
fast-external-failover {enable | disable}
  Immediately reset the session information associated with BGP external peers if the link used to reach them goes down. Default: enable.
graceful_restart {enable | disable}
  Graceful restart capability limits the effects of software problems by allowing forwarding to continue when the control plane of the router fails. It also reduces routing flaps by stabilizing the network. Default: disable.
holdtime-timer <seconds_integer>
  The maximum amount of time (in seconds) that may expire before the FortiGate unit declares any BGP peer down. A keepalive message must be received every seconds_integer seconds, or the peer is declared down. The value can be 0 or an integer in the 3 to 65 535 range. Default: 180.
ignore_optional_capability {enable | disable}
  Don’t send unknown optional capability notification message. Default: disable.
keepalive-timer <seconds_integer>
  The frequency (in seconds) that a keepalive message is sent from the FortiGate unit to any BGP peer. BGP peers exchange keepalive messages to maintain the connection for the duration of the session. The range is from 0 to 65 535. Default: 60.
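The dampening-* keywords above describe one mechanism (RFC 2439): each flap adds a penalty, the penalty halves every half-life, a route is withdrawn once the penalty exceeds the suppress limit and readvertised once it decays below the reuse limit, and the max-suppress-time caps how long that can last. The following is an added example (not Fortinet code and not part of this reference) that simulates this with the defaults listed in the table (half-life 15, reuse 750, suppress 2 000, max-suppress-time 60). The penalty added per flap, 1000, is an assumption taken from common implementations; the page does not state the FortiGate increment. The class and function names are this example's own.

```python
# Added example (not Fortinet code): a simplified RFC 2439 route-flap
# dampening model using the dampening-* defaults from the table above.
# Assumption: each flap adds a fixed penalty of 1000 (a common implementation
# value; the page does not state the FortiGate increment). Times are minutes.
import math

FLAP_PENALTY = 1000  # assumption, see lead-in


class DampenedRoute:
    """Tracks the dampening penalty and suppression state of one BGP route."""

    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress=60):
        self.half_life = float(half_life)
        self.reuse = reuse
        self.suppress = suppress
        self.max_suppress = float(max_suppress)
        # RFC 2439 ceiling: a penalty above this would keep the route
        # suppressed for longer than max_suppress, so the penalty is clamped.
        self.ceiling = reuse * 2 ** (self.max_suppress / self.half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        # Exponential decay: the penalty halves every half_life minutes.
        elapsed = now - self.last_update
        self.penalty *= 2 ** (-elapsed / self.half_life)
        self.last_update = now

    def _reevaluate(self):
        if not self.suppressed and self.penalty > self.suppress:
            self.suppressed = True      # withdraw the route from advertisement
        elif self.suppressed and self.penalty < self.reuse:
            self.suppressed = False     # readvertise the route

    def flap(self, now):
        """Record a down/up transition at time `now`; returns the new penalty."""
        self._decay_to(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling)
        self._reevaluate()
        return self.penalty

    def state(self, now):
        """Return 'suppressed' or 'advertised' as of time `now` (monotonic)."""
        self._decay_to(now)
        self._reevaluate()
        return "suppressed" if self.suppressed else "advertised"

    def minutes_until_reuse(self):
        """Minutes from the last update until the penalty falls below reuse."""
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def demo():
    """Three flaps in two minutes: the third one crosses the suppress limit."""
    route = DampenedRoute()
    route.flap(0)
    route.flap(1)
    route.flap(2)
    return route


if __name__ == "__main__":
    r = demo()
    print("penalty %.1f, suppressed=%s, reuse in %.1f min"
          % (r.penalty, r.suppressed, r.minutes_until_reuse()))
```

With the defaults, two flaps one minute apart leave the penalty just under 2 000, the third flap pushes it to about 2 867, and the route then stays withdrawn for roughly 29 minutes before it decays below 750 and is readvertised; the ceiling of 12 000 (750 × 2^(60/15)) is what enforces the 60 minute maximum.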

log-neighbor-changes {enable | disable}
  Enable or disable the logging of changes to BGP neighbor status. Default: disable.
network-import-check {enable | disable}
  Enable or disable the advertising of the BGP network in IGP (see “config network” on page 247). Default: enable.
router-id <address_ipv4>
  Specify a fixed identifier for the FortiGate unit. This variable must be a valid IP address. A value of 0.0.0.0 is not allowed. If router-id is not explicitly set, the highest IP address of the VDOM will be used as the default router-id. Default: 0.0.0.0.
scan-time <seconds_integer>
  Configure the background scanner interval (in seconds) for next-hop route scanning. The range is from 5 to 60. Default: 60.
synchronization {enable | disable}
  Only advertise routes from iBGP if routes are present in an interior gateway protocol (IGP) such as RIP or OSPF. Default: disable.

Example
The following example defines the number of the AS of which the FortiGate unit is a member. It also defines an EBGP neighbor at IP address 10.0.1.2.
config router bgp
  set as 65001
  set router-id 172.16.120.20
  config neighbor
    edit 10.0.1.2
      set remote-as 65100
  end
end

config admin-distance
Use this subcommand to set administrative distance modifications for bgp routes.

Variables
edit <route_entry_id>
  Enter an ID number for the entry. The number must be an integer. No default.
distance <integer>
  The administrative distance to apply to the route. This value can be from 1 to 255. No default.
neighbor-prefix <ip_and_netmask>
  Neighbor address prefix, and netmask. No default.
route-list <string>
  The list of routes this distance will be applied to. The routes in this list can only come from the access-list which can be viewed at config router access-list. No default.

Example
This example shows how to manually adjust the distance associated with a route. It sets an administrative distance of 25 that will apply to neighbor routes with an IP address of 192.168.0.0 and a netmask of 255.255.0.0, that are also permitted by the access-list “downtown_office”.
config router bgp
  config admin-distance
    edit 1
      set distance 25
      set neighbor-prefix 192.168.0.0 255.255.0.0
      set route-list downtown_office
    next
  end
end

config aggregate-address
Use this subcommand to set or unset BGP aggregate-address table parameters. The subcommand creates a BGP aggregate entry in the FortiGate unit routing table.

When you aggregate routes, routing becomes less precise because path details are not readily available for routing purposes. The aggregate address represents addresses in several autonomous systems. Aggregation reduces the length of the network mask until it masks only the bits that are common to all of the addresses being summarized.

Note: The prefix keyword is required. All other keywords are optional.

Variables
edit <aggr_addr_id>
  Enter an ID number for the entry. The number must be an integer. No default.
as-set {enable | disable}
  Enable or disable the generation of an unordered list of AS numbers to include in the path information. Default: disable.
prefix <address_ipv4mask>
  Set an aggregate prefix. Include the IP address and netmask. Default: 0.0.0.0 0.0.0.0.
summary-only {enable | disable}
  Enable or disable the advertising of aggregate routes only (the advertising of specific routes is suppressed). Default: disable.

Example
This example shows how to define an aggregate prefix of 192.168.0.0/16. The as-set command enables the generation of an unordered list of AS numbers to include in the path information. When as-set is enabled, a set-atomic-aggregate value (see “Using route maps with BGP” on page 297) does not have to be specified.
config router bgp
  config aggregate-address
    edit 1
      set prefix 192.168.0.0/16
      set as-set enable
  end
end

config neighbor
Use this subcommand to set or unset BGP neighbor configuration settings. The subcommand adds a BGP neighbor configuration to the FortiGate unit. You can add up to 1000 BGP neighbors. You can clear all or some BGP neighbor connections (sessions) using the exec router clear bgp command (see “router clear bgp” on page 630).

Note: The remote-as keyword is required. All other keywords are optional.

Variables
edit <neighbor_address_ipv4>
  Enter the IP address of the BGP neighbor. You can have up to 1000 configured neighbors. No default.
activate {enable | disable}
  Enable or disable the address family for the BGP neighbor. Default: enable.

advertisement-interval <seconds_integer>
  Set the minimum amount of time (in seconds) that the FortiGate unit waits before sending a BGP routing update to the BGP neighbor. The range is from 0 to 600. Default: 30.
allowas-in <max_num_AS_integer>
  This keyword is available when allowas-in-enable is set to enable. Set the maximum number of occurrences of your AS number that are allowed in the AS_PATH of a received route. Set the amount of time that must expire before readvertising through the allowas-in keyword. Default: unset.
allowas-in-enable {enable | disable}
  Enable or disable the readvertising of all prefixes containing duplicate AS numbers. Default: disable.
attribute-unchanged [as-path] [med] [next-hop]
  Propagate unchanged BGP attributes to the BGP neighbor.
  • To advertise unchanged AS_PATH attributes, select as-path.
  • To advertise unchanged MULTI_EXIT_DISC attributes, select med.
  • To advertise the IP address of the next-hop router interface (even when the address has not changed), select next-hop.
  An empty set is a supported value. Default: Empty set.
bfd {enable | disable}
  Enable to turn on Bi-Directional Forwarding Detection (BFD) for this neighbor. This indicates that this neighbor is using BFD. Default: disable.
capability-default-originate {enable | disable}
  Enable or disable the advertising of the default route to BGP neighbors. Default: disable.
capability-dynamic {enable | disable}
  Enable or disable the advertising of dynamic capability to BGP neighbors. Default: disable.
capability-graceful-restart {enable | disable}
  Enable or disable the advertising of graceful-restart capability to BGP neighbors. Default: disable.
capability-orf {both | none | receive | send}
  Enable or disable the advertising of Outbound Routing Filter (ORF) prefix-list capability to the BGP neighbor, that is, whether to accept and/or send ORF lists to and from this neighbor:
  • both - both accept and send ORF lists (enables send and receive capability)
  • none - do not accept or send ORF lists (disables the advertising of ORF prefix-list capability)
  • receive - only accept ORF lists (enables receive capability)
  • send - only send ORF lists (enables send capability)
  Default: none.
capability-route-refresh {enable | disable}
  Enable or disable the advertising of route-refresh capability to the BGP neighbor. Default: enable.
connect-timer <seconds_integer>
  Set the maximum amount of time (in seconds) that the FortiGate unit waits to make a connection with a BGP neighbor before the neighbor is declared unreachable. The range is from 0 to 65 535. Default: -1 (not set).
description <text_str>
  Enter a one-word (no spaces) description to associate with the BGP neighbor configuration settings. Default: Null.

distribute-list-in <access-list-name_str>
  Limit route updates from the BGP neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here. See “access-list” on page 230. Default: Null.
distribute-list-out <access-list-name_str>
  Limit route updates to the BGP neighbor based on the NLRI defined in the specified access list. You must create the access list before it can be selected here. See “access-list” on page 230. Default: Null.
dont-capability-negotiate {enable | disable}
  Enable or disable capability negotiations with the BGP neighbor. Default: disable.
ebgp-enforce-multihop {enable | disable}
  Enable or disable the enforcement of Exterior BGP (EBGP) multihops. Default: disable.
ebgp-multihop-ttl <seconds_integer>
  This keyword is available when ebgp-multihop is set to enable. Define a TTL value (in hop counts) for BGP packets sent to the BGP neighbor. The range is from 1 to 255. Default: 255.
filter-list-in <aspath-list-name_str>
  Limit inbound BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See “aspath-list” on page 233. Default: Null.
filter-list-out <aspath-list-name_str>
  Limit outbound BGP routes according to the specified AS-path list. You must create the AS-path list before it can be selected here. See “aspath-list” on page 233. Default: Null.
holdtime-timer <seconds_integer>
  The amount of time (in seconds) that must expire before the FortiGate unit declares the BGP neighbor down. A keepalive message must be received every seconds_integer from the BGP neighbor or it is declared down. This value overrides the global holdtime-timer value (see “holdtime-timer <seconds_integer>” on page 241). The value can be 0 or an integer in the 3 to 65 535 range. Default: -1 (not set).
interface <interface-name_str>
  Specify a descriptive name for the BGP neighbor interface. This keyword is available when graceful-restart is set to enabled. Default: Null.
keep-alive-timer <seconds_integer>
  The frequency (in seconds) that a keepalive message is sent from the FortiGate unit to the BGP neighbor. This value overrides the global keep-alive-timer value (see “keepalive-timer <seconds_integer>” on page 241). The range is from 0 to 65 535. Default: -1 (not set).
maximum-prefix <prefix_integer>
  Set the maximum number of NLRI prefixes to accept from the BGP neighbor. When the maximum is reached, the FortiGate unit disconnects the BGP neighbor. The range is from 1 to 4 294 967 295. Changing this value on the FortiGate unit does not disconnect the BGP neighbor. However, if the neighbor goes down because it reaches the maximum number of prefixes and you increase the maximum-prefix value afterward, the neighbor will be reset. Default: unset.
maximum-prefix-threshold <percentage_integer>
  This keyword is available when maximum-prefix is set. Specify the threshold (as a percentage) that must be exceeded before a warning message about the maximum number of NLRI prefixes is displayed. The range is from 1 to 100. Default: 75.
maximum-prefix-warning-only {enable | disable}
  This keyword is available when maximum-prefix is set. Enable or disable the display of a warning when the maximum-prefix-threshold has been reached. Default: disable.

next-hop-self {enable | disable}
    Enable or disable advertising of the FortiGate unit’s IP address (instead of the neighbor’s IP address) in the NEXT_HOP information that is sent to IBGP peers.
    Default: disable

override-capability {enable | disable}
    Enable or disable IPv6 addressing for a BGP neighbor that does not support capability negotiation.
    Default: disable

passive {enable | disable}
    Enable or disable passive mode. When enabled, the FortiGate unit does not send Open messages to the BGP neighbor and waits for the neighbor to initiate the session.
    Default: disable

password <string>
    Enter the password used for MD5 authentication (TCP MD5 signature, RFC 2385) of the session with the BGP neighbor. The same password must be configured on the neighbor.
    Default: Null

prefix-list-in <prefix-list-name_str>
    Limit route updates from a BGP neighbor based on the Network Layer Reachability Information (NLRI) in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See “prefix-list” on page 283.
    Default: Null

prefix-list-out <prefix-list-name_str>
    Limit route updates to a BGP neighbor based on the NLRI in the specified prefix list. The prefix list defines the NLRI prefix and length advertised in a route. You must create the prefix list before it can be selected here. See “prefix-list” on page 283.
    Default: Null

remote-as <id_integer>
    Adds a BGP neighbor to the FortiGate unit configuration and sets the AS number of the neighbor. If the number is identical to the FortiGate unit AS number, the FortiGate unit communicates with the neighbor using internal BGP (IBGP). Otherwise, the neighbor is an external peer and the FortiGate unit uses EBGP to communicate with the neighbor. The range is from 1 to 65 535.
    Default: unset

remove-private-as {enable | disable}
    Remove the private AS numbers from outbound updates to the BGP neighbor.
    Default: disable

restart_time <seconds_integer>
    This keyword is available when capability-graceful-restart is set to enable. Sets the time until a restart happens. The time until the restart can be from 0 to 3600 seconds.
    Default: 0

retain-stale-time <seconds_integer>
    This keyword is available when capability-graceful-restart is set to enable. Specify the time (in seconds) that stale routes to the BGP neighbor will be retained. The range is from 1 to 65 535. A value of 0 disables this feature.
    Default: 0

route-map-in <routemap-name_str>
    Limit route updates or change the attributes of route updates from the BGP neighbor according to the specified route map. You must create the route-map before it can be selected here. See “route-map” on page 295 and “Using route maps with BGP” on page 297.
    Default: Null

route-map-out <routemap-name_str>
    Limit route updates or change the attributes of route updates to the BGP neighbor according to the specified route map. You must create the route-map before it can be selected here. See “route-map” on page 295 and “Using route maps with BGP” on page 297.
    Default: Null

route-reflector-client {enable | disable}
    This keyword is available when remote-as is identical to the FortiGate unit AS number (see “as <local_as_id>” on page 240). Enable or disable the operation of the FortiGate unit as a route reflector and identify the BGP neighbor as a route-reflector client.
    Default: disable

route-server-client {enable | disable}
    Enable or disable the recognition of the BGP neighbor as a route-server client.
    Default: disable

send-community {both | disable | extended | standard}
    Control the sending of the COMMUNITY attribute to the BGP neighbor.
    • To advertise both extended and standard communities, select both.
    • To advertise extended communities only, select extended.
    • To advertise standard communities only, select standard.
    • To disable the advertising of the COMMUNITY attribute, select disable.
    Default: both

shutdown {enable | disable}
    Administratively enable or disable the BGP neighbor.
    Default: disable

soft-reconfiguration {enable | disable}
    Enable or disable the FortiGate unit to store unmodified updates from the BGP neighbor to support inbound soft-reconfiguration.
    Default: disable

strict-capability-match {enable | disable}
    Enable or disable strict-capability negotiation matching with the BGP neighbor.
    Default: disable

unsuppress-map <route-map-name_str>
    Specify the name of the route-map to selectively unsuppress suppressed routes. You must create the route-map before it can be selected here. See “route-map” on page 295 and “Using route maps with BGP” on page 297.
    Default: Null

update-source <interface-name_str>
    Specify the name of the local FortiGate unit interface to use for TCP connections to neighbors. The IP address of the interface will be used as the source address for outgoing updates.
    Default: Null

weight <weight_integer>
    Apply a weight value to all routes learned from a neighbor. A higher number signifies a greater preference. The range is from 0 to 65 535.
    Default: unset

Example
This example shows how to set the AS number of a BGP neighbor at IP address 10.10.10.167 and enter a descriptive name for the configuration.

    config router bgp
        config neighbor
            edit 10.10.10.167
                set remote-as 2879
                set description BGP_neighbor_Site1
            end
    end

config network
Use this subcommand to set or unset BGP network configuration parameters. The subcommand is used to advertise a BGP network (that is, an IP prefix): you specify the IP addresses making up the local BGP network.

When you enable the network-import-check attribute on the FortiGate unit (see “network-import-check {enable | disable}” on page 242) and you specify a BGP network prefix through the config network command, the FortiGate unit searches its routing table for a matching entry. If an exact match is found, the prefix is advertised. A route-map can optionally be used to modify the attributes of routes before they are advertised.

Note: The prefix keyword is required. All other keywords are optional.

Variables

edit <network_id>
    Enter an ID number for the entry. The number must be an integer.
    Default: No default.

backdoor {enable | disable}
    Enable or disable the route as a backdoor, which causes an administrative distance of 200 to be assigned to the route. Backdoor routes are not advertised to EBGP peers.
    Default: disable

prefix <address_ipv4mask>
    Enter the IP address and netmask that identifies the BGP network to advertise.
    Default: 0.0.0.0 0.0.0.0

route-map <routemap-name_str>
    Specify the name of the route-map that will be used to modify the attributes of the route before it is advertised. You must create the route-map before it can be selected here. See “route-map” on page 295 and “Using route maps with BGP” on page 297.
    Default: Null

Example
This example defines a BGP network at IP address 10.0.0.0/8. A route map named BGP_rmap1 is used to modify the attributes of the local BGP routes before they are advertised.

    config router bgp
        config network
            edit 1
                set prefix 10.0.0.0/8
                set route-map BGP_rmap1
            end
    end
    config router route-map
        edit BGP_rmap1
            config rule
                edit 1
                    set set-community no-export
            end
    end

config redistribute
Use this subcommand to set or unset BGP redistribution table parameters. When a large internetwork is divided into multiple routing domains, use the subcommand to redistribute routes to the various domains. BGP redistributes the routes from one protocol to another. As an alternative, you can use the config network subcommand to advertise a prefix to the BGP network (see “config network” on page 247).

The BGP redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:
• connected: Redistribute routes learned from a direct connection to the destination network.
• rip: Redistribute routes learned from RIP.
• ospf: Redistribute routes learned from OSPF.
• static: Redistribute the static routes defined in the FortiGate unit routing table.

When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {connected | static | rip | ospf}). You can enable BGP to provide connectivity between connected, static, RIP, and/or OSPF routes.

Note: The status and route-map keywords are optional. If a route map is not specified, all routes are redistributed to BGP.

Variables

status {enable | disable}
    Enable or disable the redistribution of connected, static, RIP, or OSPF routes.
    Default: disable

route-map <route-map-name_str>
    Specify the name of the route map that identifies the routes to redistribute. You must create the route map before it can be selected here. See “route-map” on page 295 and “Using route maps with BGP” on page 297.
    Default: Null

Example
The following example changes the status and route-map fields of the connected entry.

    config router bgp
        config redistribute connected
            set status enable
            set route-map rmap1
        end
    end

History
FortiOS v3.0: New.
FortiOS v3.0 MR6: Changed ebgp-multihop to ebgp-enforce-multihop. Changed keep-alive-timer to keepalive-timer. Default time for holdtime-timer changed from 240 to 180. Changed config neighbor capability-orf keyword from disable to none.
FortiOS v3.0 MR7: Added password to config neighbor.

Related topics
• router aspath-list
• router community-list
• Using route maps with BGP
• router key-chain
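The following is an added example, not taken from the original reference, that combines the config neighbor keywords described above into one hardened EBGP peering: the peer must authenticate with the MD5 password, only the prefixes in the two prefix lists are accepted and announced, and a prefix flood from the peer tears the session down at maximum-prefix after a warning at 80 percent of it. The interface name port1, the addresses (RFC 5737 documentation ranges) and the AS numbers are constructed for illustration; the config router prefix-list syntax and the global as keyword are documented on the prefix-list and router bgp pages referenced above, not on this page. The lines beginning with # are explanatory and must be removed before pasting into the CLI.

```fortios
# Added example, not from the original reference. port1, the addresses and
# the AS numbers are assumed values.
config router prefix-list
    edit customer_in
        config rule
            edit 1
                set action permit
                set prefix 192.0.2.0 255.255.255.0
            next
        end
    next
    edit announce_out
        config rule
            edit 1
                set action permit
                set prefix 198.51.100.0 255.255.255.0
            next
        end
    next
end
config router bgp
    set as 64500
    config neighbor
        edit 203.0.113.2
            set remote-as 64501
            set description Transit_ISP_A
            set update-source port1
            # TCP MD5 signature: a peer without the password cannot open the session
            set password Kj7mPq2vX9wRt4
            # Accept only the customer prefix; announce only our own block
            set prefix-list-in customer_in
            set prefix-list-out announce_out
            # Warn at 800 prefixes, drop the session above 1000
            set maximum-prefix 1000
            set maximum-prefix-threshold 80
            set maximum-prefix-warning-only disable
            # Do not leak private AS numbers or communities to the external peer
            set remove-private-as enable
            set send-community disable
            # Keep unmodified inbound updates so filters can change without a hard reset
            set soft-reconfiguration enable
            set bfd enable
        next
    end
end
```

With maximum-prefix-warning-only left at disable the neighbor is disconnected when the limit is exceeded, which is the behaviour you want for an untrusted transit peer; set it to enable only on sessions where a log entry is preferable to an outage.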

router community-list
Use this command to identify BGP routes according to their COMMUNITY attributes (see RFC 1997). Each entry in the community list defines a rule for matching and selecting routes based on the setting of the COMMUNITY attribute. The default rule in a community list (which the FortiGate unit applies last) denies the matching of all routes.

You add a route to a community by setting its COMMUNITY attribute. A route may be added to a community because it has something in common with the other routes in the group (for example, the attribute could identify all routes to satellite offices). A route can belong to more than one community. When the COMMUNITY attribute is set, the FortiGate unit can select routes based on their COMMUNITY attribute values.

Syntax
    config router community-list
        edit <community_name>
            set type {standard | expanded}
            config rule
                edit <community_rule_id>
                    set action {deny | permit}
                    set match <criteria>
                    set regexp <regular_expression>
            end
    end

Note: The action keyword is required. All other keywords are optional.

Variables

edit <community_name>
    Enter a name for the community list.
    Default: No default.

type {standard | expanded}
    Specify the type of community to match. If you select expanded, you must also specify a config rule regexp value. See “regexp <regular_expression>” on page 251.
    Default: standard

config rule variables

edit <community_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.

action {deny | permit}
    Deny or permit operations on a route based on the value of the route’s COMMUNITY attribute.
    Default: No default.

match <criteria>
    This keyword is available when set type is set to standard. Specify the criteria for matching a reserved community.
    • To match all routes in the Internet community, type internet.
    • To match all routes in the LOCAL_AS community, type local-AS. Matched routes are not advertised outside the local AS, not even to other member ASes of a confederation.
    • To select all routes in the NO_ADVERTISE community, type no-advertise. Matched routes are not advertised to any peer.
    • To select all routes in the NO_EXPORT community, type no-export. Matched routes are not advertised to EBGP peers. If a confederation is configured, the routes are advertised within the confederation.
    • Use decimal notation to match one or more COMMUNITY attributes having the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double-quotation marks (for example, "123:234 345:456").
    Default: Null

regexp <regular_expression>
    This keyword is available when set type is set to expanded. Specify an ordered list of COMMUNITY attributes as a regular expression. The value or values are used to match a community. Delimit a complex regular_expression value using double-quotation marks.
    Default: Null

Example
This example creates a community list named Satellite_offices. The list permits operations on BGP routes whose COMMUNITY attribute is set to no-advertise.

    config router community-list
        edit Satellite_offices
            set type standard
            config rule
                edit 1
                    set action permit
                    set match no-advertise
            end
    end

The next example creates a community list named ext_community. The list permits operations on BGP routes whose COMMUNITY attribute has the number 3 in the second part of the first instance and the number 86 in the second part of the second instance. For example, the community list could match routes having the following COMMUNITY attribute values: "100:3 500:86 300:800", "1:3 4:86", or "69:3 69:86 69:69 70:800 600:333".

    config router community-list
        edit ext_community
            set type expanded
            config rule
                edit 1
                    set action permit
                    set regexp ".*:3 .*:86"
            end
    end

History
FortiOS v3.0: New.

Related topics
• router aspath-list
• router bgp
• Using route maps with BGP
• router key-chain
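Communities received from an external peer are untrusted input: a neighbor that sets one of your own internal community values on its routes can otherwise steer policy you apply on the basis of that value. The following added example (not from the original reference) shows how a community list is actually consumed: a standard list matches the constructed internal value 64500:999, and a route map applied with the route-map-in neighbor keyword drops any inbound route carrying it while passing everything else. The community value, neighbor address and names are constructed; the match-community route-map keyword belongs to the route-map command referenced above, not to this page. Remove the # lines before pasting into the CLI.

```fortios
# Added example, not from the original reference. 64500:999 and the neighbor
# address are assumed values.
config router community-list
    edit internal_only
        set type standard
        config rule
            edit 1
                set action permit
                set match 64500:999
            next
        end
    next
end
config router route-map
    edit from_external
        config rule
            # Rule 1: any route tagged with the internal community is refused
            edit 1
                set action deny
                set match-community internal_only
            next
            # Rule 2: a rule with no match criteria permits everything else;
            # without it the route map's implicit final deny would drop all routes
            edit 2
                set action permit
            next
        end
    next
end
config router bgp
    config neighbor
        edit 203.0.113.2
            set route-map-in from_external
        next
    end
end
```

Because the community list's own default rule denies, rule 1 of the route map only fires for routes whose COMMUNITY attribute contains 64500:999; routes with no COMMUNITY attribute fall through to rule 2.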

router key-chain
Use this command to manage RIP version 2 authentication keys. You can add, edit or delete keys identified by the specified key number.

RIP version 2 uses authentication keys to ensure that the routing information exchanged between routers is reliable. For authentication to work both the sending and receiving routers must be set to use authentication, and must be configured with the same keys.

A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times. See “config system global” to ensure that the FortiGate unit system date and time are correct.

Syntax
    config router key-chain
        edit <key_chain_name>
            config key
                edit <key_id>
                    set accept-lifetime <start> <end>
                    set key-string <password_str>
                    set send-lifetime <start> <end>
            end
    end

Note: The accept-lifetime, key-string, and send-lifetime keywords are required.

Variables

edit <key_chain_name>
    Enter a name for the key chain list.
    Default: No default.

config key variables

edit <key_id>
    Enter an ID number for the key entry. The number must be an integer.
    Default: No default.

accept-lifetime <start> <end>
    Set the time period during which the key can be received. The start time has the syntax hh:mm:ss day month year. The end time provides a choice of three settings:
    • hh:mm:ss day month year
    • a duration from 1 to 2147483646 seconds
    • infinite (for a key that never expires)
    The valid settings for hh:mm:ss day month year are:
    • hh: 0 to 23
    • mm: 0 to 59
    • ss: 0 to 59
    • day: 1 to 31
    • month: 1 to 12
    • year: 1993 to 2035
    Default: No default.

key-string <password_str>
    Enter the authentication key. The <password_str> can be up to 35 characters long.
    Default: No default.

send-lifetime <start> <end>
    Set the time period during which the key can be sent. The start time has the syntax hh:mm:ss day month year. The end time provides a choice of three settings:
    • hh:mm:ss day month year
    • a duration from 1 to 2147483646 seconds
    • infinite (for a key that never expires)
    The valid settings for hh:mm:ss day month year are:
    • hh: 0 to 23
    • mm: 0 to 59
    • ss: 0 to 59
    • day: 1 to 31
    • month: 1 to 12
    • year: 1993 to 2035
    Default: No default.

Example
This example shows how to add a key chain named test1 with three keys. The first two keys each have send and receive lifetimes of 13 hours, and the 3rd key has send and receive lifetimes that never expire.

    config router key-chain
        edit test1
            config key
                edit 1
                    set accept-lifetime 10:00:00 1 6 2004 46800
                    set send-lifetime 10:00:00 1 6 2004 46800
                    set key-string 1a2b2c4d5e6f7g8h
                next
                edit 2
                    set accept-lifetime 22:00:00 1 6 2004 46800
                    set send-lifetime 22:00:00 1 6 2004 46800
                    set key-string 9i1j2k3l4m5n6o7p
                next
                edit 3
                    set accept-lifetime 10:00:00 2 6 2004 infinite
                    set send-lifetime 10:00:00 2 6 2004 infinite
                    set key-string 123abc456def789g
            end
    end

History
FortiOS v2.80: New.

Related topics
• router rip
• system global
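A key chain does nothing until a RIP interface references it. The following added example (not from the original reference) shows a two-key chain that rolls over with the overlap the text above recommends: each key is accepted for a month longer than it is sent, so a neighbor whose clock is somewhat behind still authenticates during the changeover, and the new key is accepted a month before it is first sent. The interface name port2, the key strings and the dates are constructed; the auth-mode and auth-keychain keywords belong to the router rip command listed under Related topics, not to this page. Remove the # lines before pasting into the CLI.

```fortios
# Added example, not from the original reference. port2, the key strings and
# the dates are assumed values.
config router key-chain
    edit rip_keys
        config key
            # Key 1: sent from 1 March to 1 June 2009, still accepted until 1 July 2009
            edit 1
                set key-string Spr1ng-2009-k3y
                set accept-lifetime 00:00:00 1 3 2009 00:00:00 1 7 2009
                set send-lifetime 00:00:00 1 3 2009 00:00:00 1 6 2009
            next
            # Key 2: accepted from 1 May 2009, sent from 1 June 2009 with no expiry
            edit 2
                set key-string Summ3r-2009-k3y
                set accept-lifetime 00:00:00 1 5 2009 infinite
                set send-lifetime 00:00:00 1 6 2009 infinite
            next
        end
    next
end
config router rip
    config interface
        edit port2
            set auth-mode md5
            set auth-keychain rip_keys
        next
    end
end
```

Between 1 May and 1 July 2009 both keys are accepted, so the two routers can switch to key 2 at any time in that window without dropping routes; before key 1 expires, add the next key to the chain with its own overlap rather than giving the last key an infinite lifetime.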

router multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 4601) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate unit interface is connected. Multicast routing is only available in the root virtual domain. It is not supported in Transparent mode (TP mode).

Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode must be enabled on the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, between two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points (RPs) and Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured.

Sparse mode
Initially, all candidate BSRs in a PIM domain exchange bootstrap messages to select one BSR to which each RP sends the multicast address or addresses of the multicast group(s) that it can service. The selected BSR chooses one RP per multicast group and makes this information available to all of the PIM routers in the domain through bootstrap messages. PIM routers use the information to build packet distribution trees, which map each multicast group to a specific RP. Packet distribution trees may also contain information about the sources and receivers associated with particular multicast groups.

Note: When a FortiGate unit interface is configured as a multicast interface, sparse mode is enabled on it by default to ensure that distribution trees are not built unless at least one downstream receiver requests multicast traffic from a specific source. If the sources of multicast traffic and their receivers are close to each other and the PIM domain contains a dense population of active receivers, you may choose to enable dense mode throughout the PIM domain instead.

An RP represents the root of a non-source-specific distribution tree to a multicast group. By joining and pruning the information contained in distribution trees, a single stream of multicast packets (for example, a video feed) originating from the source can be forwarded to a certain RP to reach a multicast destination.

Each PIM router maintains a Multicast Routing Information Base (MRIB) that determines to which neighboring PIM router join and prune messages are sent. An MRIB contains reverse-path information that reveals the path of a multicast packet from its source to the PIM router that maintains the MRIB.

To send multicast traffic, a server application sends IP traffic to a multicast group address. The locally elected DR registers the sender with the RP that is associated with the target multicast group. The RP uses its MRIB to forward a single stream of IP packets from the source to the members of the multicast group. The IP packets are replicated only when necessary to distribute the data to branches of the RP’s distribution tree.

To receive multicast traffic, a client application can use Internet Group Management Protocol (IGMP) version 1 (RFC 1112), 2 (RFC 2236), or 3 (RFC 3376) control messages to request the traffic for a particular multicast group. The locally elected DR receives the request and adds the host to the multicast group that is associated with the connected network segment by sending a join message towards the RP for the group. Afterward, the DR queries the hosts on the connected network segment continually to determine whether the hosts are active. When the DR no longer receives confirmation that at least one member of the multicast group is still active, the DR sends a prune message towards the RP for the group.

Dense mode
The packet organization used in sparse mode is also used in dense mode. When a multicast source begins to send IP traffic and dense mode is enabled, the closest PIM router registers the IP traffic from the multicast source (S) and forwards multicast packets to the multicast group address (G). All PIM routers initially broadcast the multicast packets throughout the PIM domain to ensure that all receivers that have requested traffic for multicast group address G can access the information if needed.

To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees based on the information in multicast packets. Upstream PIM routers depend on prune/graft messages from downstream PIM routers to determine if receivers are actually present on directly connected network segments. The PIM routers exchange state refresh messages to update their distribution trees. FortiGate units store this state information in a Tree Information Base (TIB), which is used to build a multicast forwarding table. The information in the multicast forwarding table determines whether packets are forwarded downstream. The forwarding table is updated whenever the TIB is modified.

PIM routers receive data streams every few minutes and update their forwarding tables using the source (S) and multicast group (G) information in the data stream. Superfluous multicast traffic is stopped by PIM routers that do not have downstream receivers: PIM routers that do not manage multicast groups send prune messages to the upstream PIM routers. When a receiver requests traffic for multicast address G, the closest PIM router sends a graft message upstream to begin receiving multicast packets.

Syntax
    config router multicast
        set igmp-state-limit <limit_integer>
        set multicast-routing {enable | disable}
        set route-limit <limit_integer>
        set route-threshold <threshold_integer>
        config interface
            edit <interface_name>
                set cisco-exclude-genid {enable | disable}
                set dr-priority <priority_integer>
                set hello-holdtime <holdtime_integer>
                set hello-interval <hello_integer>
                set neighbour-filter <access_list_name>
                set passive {enable | disable}
                set pim-mode {sparse-mode | dense-mode}
                set propagation-delay <delay_integer>
                set rp-candidate {enable | disable}
                set rp-candidate-group <access_list_name>
                set rp-candidate-interval <interval_integer>
                set rp-candidate-priority <priority_integer>
                set state-refresh-interval <refresh_integer>
                set ttl-threshold <ttl_integer>

                config join-group
                    edit address <address_ipv4>
                end
                config igmp
                    set access-group <access_list_name>
                    set immediate-leave-group <access_list_name>
                    set last-member-query-count <count_integer>
                    set last-member-query-interval <interval_integer>
                    set query-interval <interval_integer>
                    set query-max-response-time <time_integer>
                    set query-timeout <timeout_integer>
                    set router-alert-check {enable | disable}
                    set version {1 | 2 | 3}
                end
            end
        end
        config pim-sm-global
            set accept-register-list <access_list_name>
            set bsr-allow-quick-refresh {enable | disable}
            set bsr-candidate {enable | disable}
            set bsr-priority <priority_integer>
            set bsr-interface <interface_name>
            set bsr-hash <hash_integer>
            set cisco-register-checksum {enable | disable}
            set cisco-register-checksum-group <access_list_name>
            set cisco-crp-prefix {enable | disable}
            set cisco-ignore-rp-set-priority {enable | disable}
            set message-interval <interval_integer>
            set register-rate-limit <rate_integer>
            set register-rp-reachability {enable | disable}
            set register-source {disable | interface | ip-address}
            set register-source-interface <interface_name>
            set register-source-ip <address_ipv4>
            set register-suppression <suppress_integer>
            set rp-register-keepalive <keepalive_integer>
            set spt-threshold {enable | disable}
            set spt-threshold-group <access_list_name>
            set ssm {enable | disable}
            set ssm-range <access_list_name>
            config rp-address
                edit <rp_id>
                    set ip-address <address_ipv4>
                    set group <access_list_name>
            end
        end
    end

config router multicast
You can configure a FortiGate unit to support PIM using the config router multicast CLI command. When PIM is enabled, the FortiGate unit allocates memory to manage mapping information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated with specific multicast groups.
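A minimal sparse-mode domain built from the syntax above, as an added example that is not part of the original reference. port1 faces the rest of the PIM domain and offers RP and BSR services for the 239.1.0.0/16 groups; port2 faces a downstream PIM router at 10.1.2.2 and the receivers, accepts PIM hellos only from that router, and limits the groups that hosts may join. The firewall policy at the end is the one the note at the start of this section says must be created manually; its config firewall multicast-policy syntax, and the config router access-list syntax, are documented on other pages of this reference, not here. All interface names, addresses and list names are constructed. Remove the # lines before pasting into the CLI.

```fortios
# Added example, not from the original reference. Interface names, addresses
# and access-list names are assumed values.
config router access-list
    edit rp_groups
        config rule
            edit 1
                set action permit
                set prefix 239.1.0.0 255.255.0.0
            next
        end
    next
    edit pim_peers
        config rule
            edit 1
                set action permit
                set prefix 10.1.2.2 255.255.255.255
            next
        end
    next
end
config router multicast
    set multicast-routing enable
    # Bound the memory a flood of IGMP membership reports can consume
    set igmp-state-limit 1000
    config interface
        edit port1
            set pim-mode sparse-mode
            set rp-candidate enable
            set rp-candidate-group rp_groups
            set rp-candidate-priority 10
        next
        edit port2
            set pim-mode sparse-mode
            set dr-priority 100
            # Hellos from any address not in pim_peers are ignored
            set neighbour-filter pim_peers
            config igmp
                set version 3
                # Hosts may only join groups in 239.1.0.0/16
                set access-group rp_groups
            end
        next
    end
    config pim-sm-global
        set bsr-candidate enable
        set bsr-interface port1
        set bsr-priority 10
        # Refuse Register messages for groups outside the allowed range
        set accept-register-list rp_groups
    end
end
config firewall multicast-policy
    edit 1
        set srcintf port1
        set dstintf port2
        set srcaddr 10.1.1.0 255.255.255.0
        set dstaddr 239.1.0.0 255.255.0.0
        set action accept
    next
end
```

Each access list does double duty here deliberately: the same rp_groups list bounds what the unit will act as RP for, what it will accept Register messages for, and what hosts behind port2 may join, so a group outside 239.1.0.0/16 is rejected at every point rather than at one.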

Note: The end-user multicast client-server applications must be installed and configured to initiate Internet connections and handle broadband content such as audio/video information.

Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user could type in a class D multicast group address, an alias for the multicast group address, or a call-conference number to initiate the session. Rather than sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled routers encapsulate the data and use the one multicast group address to forward multicast packets to multiple destinations. Because one destination address is used, a single stream of data can be sent. Client applications receive multicast data by requesting that the traffic destined for a certain multicast group address be delivered to them; end-users may use phone books, a menu of ongoing or future sessions, or some other method through a user interface to select the address of interest.

A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group address, subject to the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D addresses must be assigned in advance. Because there is no way to determine in advance if a certain multicast group address is in use, collisions may occur (to resolve this problem, end-users may switch to a different multicast address).

To configure a PIM domain
1 If you will be using sparse mode, determine appropriate paths for multicast packets.
2 Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing protocol.
3 If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs, record the IP addresses of the PIM-enabled interfaces on those RPs.
4 Enable PIM version 2 on all participating routers between the source and receivers. On FortiGate units, use the config router multicast command to set global operating parameters.
5 Configure the PIM routers that have good connections throughout the PIM domain to be candidate BSRs.
6 If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.
7 If required, adjust the default settings of PIM-enabled interface(s).

Note: All keywords are optional.

Variables

igmp-state-limit <limit_integer>
    If memory consumption is an issue, specify a limit on the number of IGMP states (multicast memberships) that the FortiGate unit will store. The value represents the maximum combined number of IGMP states (multicast memberships) that can be handled by all interfaces. Traffic associated with excess IGMP membership reports is not delivered. The range is from 96 to 64 000.
    Default: 3200

multicast-routing {enable | disable}
    Enable or disable PIM routing.
    Default: disable

route-limit <limit_integer>
    If memory consumption is an issue, set a limit on the number of multicast routes that can be added to the FortiGate unit routing table. The range is from 1 to 2 147 483 674.
    Default: 2147483674

route-threshold <threshold_integer>
    Specify the number of multicast routes that can be added to the FortiGate unit’s routing table before a warning message is displayed. The route-threshold value must be lower than the route-limit value. The range is from 1 to 2 147 483 674.
    Default: 2147483674

config interface
Use this subcommand to change interface-related PIM settings, including the mode of operation (sparse or dense). Global settings do not override interface-specific settings.

Note: All keywords are optional.

Variables

edit <interface_name>
    Enter the name of the FortiGate unit interface on which to enable PIM protocols.
    Default: No default.

cisco-exclude-genid {enable | disable}
    Enable to exclude the generation ID (GenID) option from hello messages sent to neighboring PIM routers, for compatibility with older Cisco IOS routers that do not support it. When disabled, the GenID is included.
    Default: disable

dr-priority <priority_integer>
    Assign a priority to FortiGate unit DR candidacy. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected. The range is from 1 to 4 294 967 294.
    Default: 1

hello-holdtime <holdtime_integer>
    Specify the amount of time (in seconds) that a PIM neighbor may consider the information in a hello message to be valid. If the hello-interval attribute is modified and the hello-holdtime attribute has never been set explicitly, the hello-holdtime attribute is set to 3.5 x hello-interval automatically. The range is from 1 to 65 535.
    Default: 105

hello-interval <hello_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending hello messages to neighboring PIM routers. Changing the hello-interval attribute may update the hello-holdtime attribute automatically. The range is from 1 to 65 535.
    Default: 30

neighbour-filter <access_list_name>
    Limit PIM adjacency to neighbors whose IP addresses are permitted by the specified access list: adjacency is established with permitted neighbors and terminated with, or never formed with, neighbors the list denies. See “access-list” on page 230.
    Default: Null

passive {enable | disable}
    Enable or disable PIM communications on the interface without affecting IGMP communications.
    Default: disable

pim-mode {sparse-mode | dense-mode}
    Select the PIM mode of operation:
    • Select sparse-mode to manage PIM packets through distribution trees and multicast groups.
    • Select dense-mode to enable multicast flooding.
    Default: sparse-mode

propagation-delay <delay_integer>
    Specify the amount of time (in milliseconds) that the FortiGate unit waits to send prune-override messages. The range is from 100 to 5 000. This keyword is available when pim-mode is set to dense-mode. Default: 500.
rp-candidate {enable | disable}
    Enable or disable the FortiGate unit interface to offer Rendezvous Point (RP) services. This keyword is available when pim-mode is set to sparse-mode. Default: disable.
rp-candidate-group <access_list_name>
    Specify for which multicast groups RP candidacy is advertised based on the multicast group prefixes given in the specified access list. See “access-list” on page 230. This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode. Default: Null.
rp-candidate-interval <interval_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending RP announcement messages. The range is from 1 to 16 383. This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode. Default: 60.
rp-candidate-priority <priority_integer>
    Assign a priority to FortiGate unit RP candidacy. The BSR compares the value to that of other RP candidates that can service the same multicast group, and the router having the highest RP priority is selected to be the RP for that multicast group. If two RP priority values are the same, the RP candidate having the highest IP address on its RP interface is selected. The range is from 0 to 255. This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode. Default: 192.
state-refresh-interval <refresh_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending state-refresh messages. When a state-refresh message is received by a downstream router, the prune state on the downstream router is refreshed. This attribute is used when the FortiGate unit is connected directly to the multicast source. The range is from 1 to 100. This keyword is available when pim-mode is set to dense-mode. Default: 60.
ttl-threshold <ttl_integer>
    Specify the minimum Time-To-Live (TTL) value (in hops) that an outbound multicast packet must have in order to be forwarded from the interface. Specifying a high value (for example, 195) prevents PIM packets from being forwarded through the interface. The range is from 0 to 255. Default: 1.

config join-group variables
edit address <address_ipv4>
    Cause the FortiGate unit interface to activate (IGMP join) the multicast group associated with the specified multicast group address. Default: No default.

config igmp variables
access-group <access_list_name>
    Specify which multicast groups hosts on the connected network segment may join based on the multicast addresses given in the specified access list. See “access-list” on page 230. Default: Null.
immediate-leave-group <access_list_name>
    Configure a FortiGate unit DR to stop sending traffic and IGMP queries to receivers after receiving an IGMP version 2 group-leave message from any member of the multicast groups identified in the specified access list. See “access-list” on page 230. This keyword applies when version is set to 2 or 3. Default: Null.

last-member-query-count <count_integer>
    Specify the number of times that a FortiGate unit DR sends an IGMP query to the last member of a multicast group after receiving an IGMP version 2 group-leave message. This keyword applies when version is set to 2 or 3. Default: 2.
last-member-query-interval <interval_integer>
    Set the amount of time (in milliseconds) that a FortiGate unit DR waits for the last member of a multicast group to respond to an IGMP query. If no response is received before the specified time expires and the FortiGate unit DR has already sent an IGMP query last-member-query-count times, the FortiGate unit DR removes the member from the group and sends a prune message to the associated RP. The range is from 1000 to 25 500. This keyword applies when version is set to 2 or 3. Default: 1000.
query-interval <interval_integer>
    Set the amount of time (in seconds) that a FortiGate unit DR waits between sending IGMP queries to determine which members of a multicast group are active. The range is from 1 to 65 535. Default: 125.
query-max-response-time <time_integer>
    Set the maximum amount of time (in seconds) that a FortiGate unit DR waits for a member of a multicast group to respond to an IGMP query. If no response is received before the specified time expires, the FortiGate unit DR removes the member from the group. The range is from 1 to 25. Default: 10.
query-timeout <timeout_integer>
    Set the amount of time (in seconds) that must expire before a FortiGate unit begins sending IGMP queries to the multicast group that is managed through the interface. A FortiGate unit begins sending IGMP queries if it does not receive regular IGMP queries from another DR through the interface. The range is from 60 to 300. Default: 255.
router-alert-check {enable | disable}
    Enable to require the Router Alert option in IGMP packets. Default: disabled.
version {1 | 2 | 3}
    Specify the version number of IGMP to run on the interface. The value can be 1, 2, or 3. The value must match the version used by all other PIM routers on the connected network segment. Default: 3.

config pim-sm-global
These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not override interface-specific PIM settings.
If sparse mode is enabled, you can configure a DR to send multicast packets to a particular RP by specifying the IP address of the RP through the config rp-address subcommand. The IP address must be directly accessible to the DR. If multicast packets from more than one multicast group can pass through the same RP, you can use an access list to specify the associated multicast group addresses.
Note: To send multicast packets to a particular RP using the config rp-address subcommand, the ip-address keyword is required. All other keywords are optional.

Variables
accept-register-list <access_list_name>
    Cause a FortiGate unit RP to accept or deny register packets from the source IP addresses given in the specified access list. See “access-list” on page 230. Default: Null.
bsr-allow-quick-refresh {enable | disable}
    Enable or disable accepting BSR quick refresh packets from neighbors. Default: disable.
bsr-candidate {enable | disable}
    Enable or disable the FortiGate unit to offer its services as a Boot Strap Router (BSR) when required. Default: disable.

bsr-priority <priority_integer>
    Assign a priority to FortiGate unit BSR candidacy. The value is compared to that of other BSR candidates and the candidate having the highest priority is selected to be the BSR. If two BSR priority values are the same, the BSR candidate having the highest IP address on its BSR interface is selected. The range is from 0 to 255. This keyword is available when bsr-candidate is set to enable. Default: 0.
bsr-interface <interface_name>
    Specify the name of the PIM-enabled interface through which the FortiGate unit may announce BSR candidacy. This keyword is available when bsr-candidate is set to enable. Default: Null.
bsr-hash <hash_integer>
    Set the length of the mask (in bits) to apply to multicast group addresses in order to derive a single RP for one or more multicast groups. For example, a value of 24 means that the first 24 bits of the group address are significant. All multicast groups having the same seed hash belong to the same RP. The range is from 0 to 32. This keyword is available when bsr-candidate is set to enable. Default: 10.
cisco-crp-prefix {enable | disable}
    Enable or disable a FortiGate unit RP that has a group prefix number of 0 to communicate with a Cisco BSR. You may choose to enable the attribute if required for compatibility with older Cisco BSRs. Default: disable.
cisco-ignore-rp-set-priority {enable | disable}
    Enable or disable a FortiGate unit BSR to recognize Cisco RP-SET priority values when deriving a single RP for one or more multicast groups. You may choose to enable the attribute if required for compatibility with older Cisco RPs. Default: disable.
cisco-register-checksum {enable | disable}
    Enable or disable performing a register checksum on entire PIM packets. A register checksum is performed on the header only by default. You may choose to enable register checksums on the whole packet for compatibility with older Cisco IOS routers. Default: disable.
cisco-register-checksum-group <access_list_name>
    Identify on which PIM packets to perform a whole-packet register checksum based on the multicast group addresses in the specified access list. See “access-list” on page 230. You may choose to enable register checksums on entire PIM packets for compatibility with older Cisco IOS routers. This keyword is available when cisco-register-checksum is set to enable. Default: Null.
message-interval <interval_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending periodic PIM join/prune messages (sparse mode) or prune messages (dense mode). The value must be identical to the message interval value set on all other PIM routers in the PIM domain. The range is from 1 to 65 535. Default: 60.
register-rate-limit <rate_integer>
    Set the maximum number of register messages per (S,G) per second that a FortiGate unit DR can send for each PIM entry in the routing table. The range is from 0 to 65 535, where 0 means an unlimited number of register messages per second. Default: 0.
register-rp-reachability {enable | disable}
    Enable or disable a FortiGate unit DR to check if an RP is accessible prior to sending register messages. Default: enable.
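The bsr-hash and rp-candidate-priority rules above are easier to reason about with a small model. The following Python is an added example, not Fortinet code: it applies a bsr-hash mask length to group addresses to show which groups collapse onto one RP, and picks an RP for a group using the tie-break order the reference gives (highest rp-candidate-priority, then highest RP interface address). It deliberately models only what the reference states, not the full RFC 4601 hash computation; the RpCandidate class, the candidate addresses and the group addresses are constructed for illustration.

```python
"""Model of how a PIM-SM bootstrap router maps multicast groups to an RP.

Added example (not FortiOS code). It mirrors the bsr-hash and
rp-candidate-priority rules in this reference, not the full RFC 4601
hash function. All addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RpCandidate:
    """An RP candidate as advertised to the BSR (constructed sample data)."""
    rp_address: str    # IP address of the candidate's RP interface
    priority: int      # rp-candidate-priority, 0..255 (highest wins here)
    group_prefix: str  # rp-candidate-group prefix, e.g. "239.1.0.0/16"


def masked_group(group: str, bsr_hash: int) -> ipaddress.IPv4Network:
    """Apply the bsr-hash mask length (0..32) to a multicast group address.

    Groups that collapse to the same masked prefix are served by one RP,
    which is what the reference calls matching "seed hash" values.
    """
    if not 0 <= bsr_hash <= 32:
        raise ValueError("bsr-hash must be in the range 0 to 32")
    return ipaddress.ip_network(f"{group}/{bsr_hash}", strict=False)


def bucket_groups(groups: List[str], bsr_hash: int) -> Dict[str, List[str]]:
    """Return {masked_prefix: [groups]} for the given mask length."""
    buckets: Dict[str, List[str]] = {}
    for g in groups:
        buckets.setdefault(str(masked_group(g, bsr_hash)), []).append(g)
    return buckets


def elect_rp(group: str, candidates: List[RpCandidate]) -> Optional[RpCandidate]:
    """Pick the RP for a group.

    Only candidates whose rp-candidate-group prefix covers the group are
    eligible; the highest priority wins and a tie goes to the highest RP
    interface address, as the reference describes.
    """
    g = ipaddress.ip_address(group)
    eligible = [c for c in candidates
                if g in ipaddress.ip_network(c.group_prefix, strict=False)]
    if not eligible:
        return None
    return max(eligible,
               key=lambda c: (c.priority, int(ipaddress.ip_address(c.rp_address))))


if __name__ == "__main__":
    sample_groups = ["239.1.1.1", "239.1.1.9", "239.1.2.1"]  # constructed
    for bits in (24, 16):
        print(f"bsr-hash {bits}: {bucket_groups(sample_groups, bits)}")
    sample_candidates = [  # constructed
        RpCandidate("10.0.0.1", 192, "239.0.0.0/8"),
        RpCandidate("10.0.0.2", 192, "239.0.0.0/8"),
        RpCandidate("10.0.0.3", 200, "239.1.0.0/16"),
    ]
    for grp in ("239.1.1.1", "239.2.1.1"):
        print(grp, "->", elect_rp(grp, sample_candidates))
```

With bsr-hash 24 the two 239.1.1.x groups share a bucket and 239.1.2.1 gets its own; with bsr-hash 16 all three share one, which is the practical effect of a shorter mask: fewer, larger RP buckets.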

register-source {disable | interface | ip-address}
    If the FortiGate unit acts as a DR, enable or disable changing the IP source address of outbound register packets to one of the following IP addresses. The IP address must be accessible to the RP so that the RP can respond to the IP address with a Register-Stop message:
    • To retain the IP address of the FortiGate unit DR interface that faces the RP, select disable.
    • To change the IP source address of a register packet to the IP address of a particular FortiGate unit interface, select interface. The register-source-interface attribute specifies the interface name.
    • To change the IP source address of a register packet to a particular IP address, select ip-address. The register-source-ip attribute specifies the IP address.
    Default: ip-address.
register-source-interface <interface_name>
    Enter the name of the FortiGate unit interface. This keyword is available when register-source is set to interface. Default: Null.
register-source-ip <address_ipv4>
    Enter the IP source address to include in the register message. This keyword is available when register-source is set to address. Default: 0.0.0.0.
register-suppression <suppress_integer>
    Enter the amount of time (in seconds) that a FortiGate unit DR waits to start sending data to an RP after receiving a Register-Stop message from the RP. The range is from 1 to 65 535. Default: 60.
rp-register-keepalive <keepalive_integer>
    If the FortiGate unit acts as an RP, set the frequency (in seconds) with which the FortiGate unit sends keepalive messages to a DR. The two routers exchange keepalive messages to maintain a link for as long as the source continues to generate traffic. If the register-suppression attribute is modified on the RP and the rp-register-keepalive attribute has never been set explicitly, the rp-register-keepalive attribute is set to (3 x register-suppression) + 5 automatically. The range is from 1 to 65 535. Default: 185.
spt-threshold {enable | disable}
    Enable or disable the FortiGate unit to build a Shortest Path Tree (SPT) for forwarding multicast packets. Default: enable.
spt-threshold-group <access_list_name>
    Build an SPT only for the multicast group addresses given in the specified access list. See “access-list” on page 230. This keyword is available when spt-threshold is set to enable. Default: Null.
ssm {enable | disable}
    Enable or disable Source Specific Multicast (SSM) interactions (see RFC 3569). By default, multicast addresses in the 232.0.0.0 to 232.255.255.255 (232/8) range are used to support SSM interactions. This keyword is available when the IGMP version is set to 3. Default: enable.
ssm-range <access_list_name>
    Enable SSM only for the multicast addresses given in the specified access list. See “access-list” on page 230. This keyword is available when ssm is set to enable. Default: Null.

config rp-address variables
edit <rp_id>
    Enter an ID number for the static RP address entry. The number must be an integer. Default: No default.
ip-address <address_ipv4>
    Specify a static IP address for the RP. Applies only when pim-mode is sparse-mode. Default: 0.0.0.0.
group <access_list_name>
    Configure a single static RP for the multicast group addresses given in the specified access list. If an RP for any of these group addresses is already known to the BSR, the static RP address is ignored and the RP known to the BSR is used instead. See “access-list” on page 230. Default: Null.

Example
This example shows how to enable a FortiGate unit to support PIM routing in sparse mode and enable BSR candidacy on the dmz interface:

    config router multicast
        set multicast-routing enable
        config interface
            edit dmz
                set pim-mode sparse-mode
            end
        end
    config pim-sm-global
        set bsr-candidate enable
        set bsr-priority 1
        set bsr-interface dmz
        set bsr-hash 24
    end

This example shows how to enable RP candidacy on the port1 interface for the multicast group addresses given through an access list named multicast_port1:

    config router multicast
        set multicast-routing enable
        config interface
            edit port1
                set pim-mode sparse-mode
                set rp-candidate enable
                set rp-candidate-group multicast_port1
                set rp-candidate-priority 15
            end
        end

History
FortiOS v3.0    New.

Related topics
• get router info multicast
• execute mrouter clear

router ospf
Use this command to configure Open Shortest Path First (OSPF) protocol settings on the FortiGate unit. OSPF is a link state protocol capable of routing larger networks than the simpler distance vector RIP protocol. An OSPF autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A router connected to more than one area is an area border router (ABR). Routing information is contained in a link state database. Routing information is communicated between routers using link state advertisements (LSAs). More information on OSPF can be found in RFC 2328.

Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs out on a connection then that router is declared down. BFD then communicates this information to the routing protocol and the routing information is updated. BFD support was added in FortiOS v3.0 MR4, and can only be configured through the CLI.

Syntax
    config router ospf
        set abr-type {cisco | ibm | shortcut | standard}
        set auto-cost-ref-bandwidth <mbps_integer>
        set bfd {enable | disable | global}
        set database-overflow {enable | disable}
        set database-overflow-max-lsas <lsas_integer>
        set database-overflow-time-to-recover <seconds_integer>
        set default-information-metric <metric_integer>
        set default-information-metric-type {1 | 2}
        set default-information-originate {always | disable | enable}
        set default-information-route-map <name_str>
        set default-metric <metric_integer>
        set distance <distance_integer>
        set distance-external <distance_integer>
        set distance-inter-area <distance_integer>
        set distance-intra-area <distance_integer>
        set distribute-list-in <access_list_name>
        set passive-interface <name_str>
        set restart-mode {graceful-restart | lls | none}
        set rfc1583-compatible {enable | disable}
        set router-id <address_ipv4>
        set spf-timers <delay_integer> <hold_integer>
        config area
            edit <area_address_ipv4>
                set authentication {md5 | none | text}
                set default-cost <cost_integer>
                set nssa-default-information-originate {enable | disable}
                set nssa-default-information-originate-metric <metric>
                set nssa-default-information-originate-metric-type {1 | 2}
                set nssa-redistribution {enable | disable}
                set nssa-translator-role {always | candidate | never}
                set shortcut {default | disable | enable}
                set stub-type {no-summary | summary}
                set type {nssa | regular | stub}
                config filter-list
                    edit <filter-list_id>

                        set direction {in | out}
                        set list <name_str>
                    end
                config range
                    edit <range_id>
                        set advertise {enable | disable}
                        set prefix <address_ipv4mask>
                        set substitute <address_ipv4mask>
                        set substitute-status {enable | disable}
                    end
                config virtual-link
                    edit <vlink_name>
                        set authentication {md5 | none | text}
                        set authentication-key <password_str>
                        set dead-interval <seconds_integer>
                        set hello-interval <seconds_integer>
                        set md5-key <id_integer><key_str>
                        set peer <address_ipv4>
                        set retransmit-interval <seconds_integer>
                        set transmit-delay <seconds_integer>
                    end
            end
        config distribute-list
            edit <distribute-list_id>
                set access-list <name_str>
                set protocol {connected | rip | static}
            end
        end
        config neighbor
            edit <neighbor_id>
                set cost <cost_integer>
                set ip <address_ipv4>
                set poll-interval <seconds_integer>
                set priority <priority_integer>
            end
        end
        config network
            edit <network_id>
                set area <id-address_ipv4>
                set prefix <address_ipv4mask>
            end
        end
        config ospf-interface
            edit <ospf_interface_name>
                set authentication {md5 | none | text}
                set authentication-key <password_str>
                set cost <cost_integer>
                set database-filter-out {enable | disable}
                set dead-interval <seconds_integer>
                set hello-interval <seconds_integer>
                set interface <name_str>
                set ip <address_ipv4>
                set md5-key <id_integer> <key_str>

                set mtu <mtu_integer>
                set mtu-ignore {enable | disable}
                set network-type <type>
                set priority <priority_integer>
                set resync-timeout <integer>
                set retransmit-interval <seconds_integer>
                set status {enable | disable}
                set transmit-delay <seconds_integer>
            end
        end
        config redistribute {bgp | connected | static | rip}
            set metric <metric_integer>
            set metric-type {1 | 2}
            set routemap <name_str>
            set status {enable | disable}
            set tag <tag_integer>
        end
        config summary-address
            edit <summary-address_id>
                set advertise {enable | disable}
                set prefix <address_ipv4mask>
                set tag <tag_integer>
            end
        end
    end

config router ospf
Use this command to set the router ID of the FortiGate unit. Additional configuration options are supported.
Note: The router-id keyword is required. All other keywords are optional.

Variables
abr-type {cisco | ibm | shortcut | standard}
    Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR type compatible with the routers on your network can reduce or eliminate the need for configuring and maintaining virtual links. For more information, see RFC 3509. Default: standard.
auto-cost-ref-bandwidth <mbps_integer>
    Enter the Mbits per second for the reference bandwidth. Values can range from 1 to 65535. Default: 1000.
bfd {enable | disable | global}
    Select one of the Bidirectional Forwarding Detection (BFD) options for this interface.
    • enable - start BFD on this interface
    • disable - stop BFD on this interface
    • global - use the global settings instead of explicitly setting BFD per interface. For the global settings see “system bfd {enable | disable}” on page 467.
    Default: disable.

database-overflow {enable | disable}
    Enable or disable dynamically limiting link state database size under overflow conditions. Enable this command for FortiGate units on a network with routers that may not be able to maintain a complete link state database because of limited resources. Default: disable.
database-overflow-max-lsas <lsas_integer>
    If you have enabled database-overflow, set the limit for the number of external link state advertisements (LSAs) that the FortiGate unit can keep in its link state database before entering the overflow state. The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone. The valid range for lsas_integer is 0 to 4294967294. Default: 10000.
database-overflow-time-to-recover <seconds_integer>
    Enter the time, in seconds, after which the FortiGate unit will attempt to leave the overflow state. If seconds_integer is set to 0, the FortiGate unit will not leave the overflow state until restarted. The valid range for seconds_integer is 0 to 65535. Default: 300.
default-information-metric <metric_integer>
    Specify the metric for the default route set by the default-information-originate command. The valid range for metric_integer is 1 to 16777214. Default: 10.
default-information-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the default-information-originate command. Default: 2.
default-information-originate {always | disable | enable}
    Enter enable to advertise a default route into an OSPF routing domain. Use always to advertise a default route even if the FortiGate unit does not have a default route in its routing table. Default: disable.
default-information-route-map <name_str>
    If you have set default-information-originate to always, and there is no default route in the routing table, you can configure a route map to define the parameters that OSPF uses to advertise the default route. Default: Null.
default-metric <metric_integer>
    Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214. Default: 10.
distance <distance_integer>
    Configure the administrative distance for all OSPF routes. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. The valid range for distance_integer is 1 to 255. Default: 110.
distance-external <distance_integer>
    Change the administrative distance of all external OSPF routes. The range is from 1 to 255. Default: 110.
distance-inter-area <distance_integer>
    Change the administrative distance of all inter-area OSPF routes. The range is from 1 to 255. Default: 110.
distance-intra-area <distance_integer>
    Change the administrative distance of all intra-area OSPF routes. The range is from 1 to 255. Default: 110.
distribute-list-in <access_list_name>
    Limit route updates from the OSPF neighbor based on the Network Layer Reachability Information (NLRI) defined in the specified access list. You must create the access list before it can be selected here. See “access-list” on page 230. Default: Null.
passive-interface <name_str>
    OSPF routing information is not sent or received through the specified interface. Default: No default.

restart-mode {graceful-restart | lls | none}
    Select the restart mode from:
    • graceful-restart - (also known as hitless restart) when the FortiGate unit goes down it advertises to neighbors how long it will be down to reduce traffic
    • lls - Enable Link-local Signaling (LLS) mode
    • none - hitless restart (graceful restart) is disabled
    Default: none.
rfc1583-compatible {enable | disable}
    Enable or disable RFC 1583 compatibility. RFC 1583 compatibility should be enabled only when there is another OSPF router in the network that only supports RFC 1583. When RFC 1583 compatibility is enabled, routers choose the path with the lowest cost. Otherwise, routers choose the lowest cost intra-area path through a non-backbone area. Default: disable.
router-id <address_ipv4>
    Set the router ID. The router ID is a unique number, in IP address dotted decimal format, that is used to identify an OSPF router to other OSPF routers within an area. The router ID should not be changed while OSPF is running. A router ID of 0.0.0.0 is not allowed. Default: 0.0.0.0.
spf-timers <delay_integer> <hold_integer>
    Change the default shortest path first (SPF) calculation delay time and frequency. The delay_integer is the time, in seconds, between when OSPF receives information that will require an SPF calculation and when it starts an SPF calculation. The hold_integer is the minimum time, in seconds, between consecutive SPF calculations. OSPF updates routes more quickly if the SPF timers are set low; however, this uses more CPU. A setting of 0 for spf-timers can quickly use up all available CPU. The valid range for delay_integer is 0 to 4294967295. The valid range for hold_integer is 0 to 4294967295. Default: 5 10.

Example
This example shows how to set the OSPF router ID to 1.1.1.1 for a standard area border router:

    config router ospf
        set abr-type standard
        set router-id 1.1.1.1
    end

config area
Use this subcommand to set OSPF area related parameters. Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings called areas. Areas are linked together by area border routers (ABRs). There must be a backbone area that all areas can connect to. You can use a virtual link to connect areas that do not have a physical connection to the backbone. Routers within an OSPF area maintain link state databases for their own areas.
You can use the config filter-list subcommand to control the import and export of LSAs into and out of an area. You can use access or prefix lists for OSPF area filter lists. For more information, see “access-list” on page 230 and “prefix-list” on page 283. See “config filter-list variables” on page 270.
You can use the config range subcommand to summarize routes at an area boundary. If the network numbers in an area are contiguous, the ABR advertises a summary route that includes all the networks within the area that are within the specified range. See “config range variables” on page 270.

You can configure a virtual link using the config virtual-link subcommand to connect an area to the backbone when the area has no direct connection to the backbone (see “config virtual-link variables” on page 270). A virtual link allows traffic from the area to transit a directly connected area to reach the backbone. The transit area cannot be a stub area. Virtual links can only be set up between two ABRs.
Note: If you define a filter list, the direction and list keywords are required. If you define a range, the prefix keyword is required. If you define a virtual link, the peer keyword is required. All other keywords are optional.

Variables
edit <area_address_ipv4>
    Type the IP address of the area. An address of 0.0.0.0 indicates the backbone area. Default: No default.
authentication {md5 | none | text}
    Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received in this area. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, an authentication key is used to generate an MD5 hash. Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the area. Authentication passwords or keys are defined per interface. See “config ospf-interface” on page 274. If you configure authentication for interfaces, the authentication configured for the area is not used. Default: none.
default-cost <cost_integer>
    Enter the metric to use for the summary default route in a stub area or not so stubby area (NSSA). A lower default cost indicates a more preferred route. The valid range for cost_integer is 1 to 16777214. Default: 10.
nssa-default-information-originate {enable | disable}
    Enter enable to advertise a default route in a not so stubby area. Affects NSSA ABRs or NSSA Autonomous System Boundary Routers only. Default: disable.
nssa-default-information-originate-metric <metric>
    Specify the metric (an integer) for the default route set by the nssa-default-information-originate keyword. Default: 10.
nssa-default-information-originate-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the nssa-default-information-originate keyword. Default: 2.
nssa-redistribution {enable | disable}
    Enable or disable redistributing routes into a NSSA area. Default: enable.
nssa-translator-role {always | candidate | never}
    A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain. Usually a NSSA will have only one NSSA border router acting as a translator for the NSSA. You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA, even if other routers in the NSSA are also acting as translators. You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA. You can set the translator role to never to ensure this FortiGate unit never acts as the translator if it is in a NSSA. Default: candidate.

shortcut {default | disable | enable}
    Use this command to specify area shortcut parameters. Default: disable.
stub-type {no-summary | summary}
    Enter no-summary to prevent an ABR sending summary LSAs into a stub area. Enter summary to allow an ABR to send summary LSAs into a stub area. Default: summary.
type {nssa | regular | stub}
    Set the area type:
    • Select nssa for a not so stubby area.
    • Select regular for a normal OSPF area.
    • Select stub for a stub area.
    Default: regular.

config filter-list variables
edit <filter-list_id>
    Enter an ID number for the filter list. The number must be an integer. Default: No default.
direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets. Default: out.
list <name_str>
    Enter the name of the access list or prefix list to use for this filter list. Default: Null.

config range variables
edit <range_id>
    Enter an ID number for the range. The number must be an integer in the 0 to 4 294 967 295 range. Default: No default.
advertise {enable | disable}
    Enable or disable advertising the specified range. Default: enable.
prefix <address_ipv4mask>
    Specify the range of addresses to summarize. Default: 0.0.0.0 0.0.0.0.
substitute <address_ipv4mask>
    Enter a prefix to advertise instead of the prefix defined for the range. The prefix 0.0.0.0 is not allowed. Default: 0.0.0.0 0.0.0.0.
substitute-status {enable | disable}
    Enable or disable using a substitute prefix. Default: disable.

config virtual-link variables
edit <vlink_name>
    Enter a name for the virtual link. Default: No default.
authentication {md5 | none | text}
    Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received over this virtual link. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, an authentication key is used to generate an MD5 hash. Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the area. Default: none.
authentication-key <password_str>
    Enter the password to use for text authentication. The authentication-key must be the same on both ends of the virtual link. The maximum length for the authentication-key is 15 characters. This keyword is available when authentication is set to text. Default: No default.

dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. Both ends of the virtual link must use the same value for dead-interval. The valid range for seconds_integer is 1 to 65535.
    Default: 40

hello-interval <seconds_integer>
    The time, in seconds, between hello packets. Both ends of the virtual link must use the same value for hello-interval. The valid range for seconds_integer is 1 to 65535.
    Default: 10

md5-key <id_integer> <key_str>
    Enter the key ID and password to use for MD5 authentication. Both ends of the virtual link must use the same key ID and key. The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters. This keyword is available when authentication is set to md5.
    Default: No default.

peer <address_ipv4>
    The router id of the remote ABR. 0.0.0.0 is not allowed.
    Default: 0.0.0.0

retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.
    Default: 5

transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this virtual link. OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the virtual link. Increase the value for transmit-delay on low speed links. The valid range for seconds_integer is 1 to 65535.
    Default: 1

Example

This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a default cost of 20, and MD5 authentication.

    config router ospf
        config area
            edit 15.1.1.1
                set type stub
                set stub-type summary
                set default-cost 20
                set authentication md5
            end
    end

This example shows how to use a filter list named acc_list1 to filter packets entering area 15.1.1.1.

    config router ospf
        config area
            edit 15.1.1.1
                config filter-list
                    edit 1
                        set direction in
                        set list acc_list1
                    end
            end
    end

This example shows how to set the prefix for range 1 of area 15.1.1.1.

    config router ospf
        config area
            edit 15.1.1.1
                config range
                    edit 1
                        set prefix 1.1.1.0 255.255.255.0
                    end
            end
    end

This example shows how to configure a virtual link.

    config router ospf
        config area
            edit 15.1.1.1
                config virtual-link
                    edit vlnk1
                        set peer 1.1.1.1
                    end
            end
    end

config distribute-list

Use this subcommand to filter the networks in routing updates using an access list. Routes not matched by any of the distribution lists will not be advertised.

You must configure the access list that you want the distribution list to use before you configure the distribution list. To configure an access list, see “access-list” on page 230.

Note: The access-list and protocol keywords are required. All other keywords are optional.

Variables

edit <distribute-list_id>
    Enter an ID number for the distribution list. The number must be an integer.
    Default: No default.

access-list <name_str>
    Enter the name of the access list to use for this distribution list.
    Default: Null.

protocol {connected | rip | static}
    Advertise only the routes discovered by the specified protocol and that are permitted by the named access list.
    Default: connected

Example

This example shows how to configure distribution list 2 to use an access list named acc_list1 for all static routes.

    config router ospf
        config distribute-list
            edit 2
                set access-list acc_list1
                set protocol static
            end
    end

config neighbor

Use this subcommand to manually configure an OSPF neighbor on non-broadcast networks. OSPF packets are unicast to the specified neighbor address. You can configure multiple neighbors.

Note: The ip keyword is required. All other keywords are optional.

Variables

edit <neighbor_id>
    Enter an ID number for the OSPF neighbor. The number must be an integer.
    Default: No default.

bfd
    Select to enable Bi-directional Forwarding Detection (BFD).

cost <cost_integer>
    Enter the cost to use for this neighbor. The valid range for cost_integer is 1 to 65535.
    Default: 10

ip <address_ipv4>
    Enter the IP address of the neighbor.
    Default: 0.0.0.0

poll-interval <seconds_integer>
    Enter the time, in seconds, between hello packets sent to the neighbor in the down state. The value of the poll interval must be larger than the value of the hello interval. The valid range for seconds_integer is 1 to 65535.
    Default: 10

priority <priority_integer>
    Enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255.
    Default: 1

Example

This example shows how to manually add a neighbor.

    config router ospf
        config neighbor
            edit 1
                set ip 192.168.21.63
            end
    end

config network

Use this subcommand to identify the interfaces to include in the specified OSPF area. The prefix keyword can define one or multiple interfaces.

Note: The area and prefix keywords are required. All other keywords are optional.

Variables

edit <network_id>
    Enter an ID number for the network. The number must be an integer.
    Default: No default.

area <id-address_ipv4>
    The ID number of the area to be associated with the prefix.
    Default: 0.0.0.0

prefix <address_ipv4mask>
    Enter the IP address and netmask for the OSPF network.
    Default: 0.0.0.0 0.0.0.0

Example

Use the following command to enable OSPF for the interfaces attached to networks specified by the IP address 10.1.1.0 and the netmask 255.255.255.0 and to add these interfaces to area 10.1.1.1.

    config router ospf
        config network
            edit 2
                set area 10.1.1.1
                set prefix 10.1.1.0 255.255.255.0
            end
    end

config ospf-interface

Use this subcommand to change interface related OSPF settings. To apply this configuration to a FortiGate unit interface, set the interface <name_str> attribute.

Note: The interface keyword is required. All other keywords are optional.

Variables

edit <ospf_interface_name>
    Enter a descriptive name for this OSPF interface configuration.
    Default: No default.

authentication {md5 | none | text}
    Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface. If you configure authentication for the interface, authentication for areas is not used. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, the authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. All routers on the network must use the same authentication type.
    Default: none

authentication-key <password_str>
    Enter the password to use for text authentication. The authentication-key must be the same on all neighboring routers. The maximum length for the authentication-key is 15 characters. This keyword is available when authentication is set to text.
    Default: No default.

bfd {enable | disable}
    Select to enable Bi-directional Forwarding Detection (BFD). It is used to quickly detect hardware problems on the network. This command enables this service on this interface.
    Default: disable

cost <cost_integer>
    Specify the cost (metric) of the link. The cost is used for shortest path first calculations.
    Default: 10

database-filter-out {enable | disable}
    Enable or disable flooding LSAs out of this interface.
    Default: disable

dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. All routers on the network must use the same value for dead-interval. The valid range for seconds_integer is 1 to 65535.
    Default: 40

hello-interval <seconds_integer>
    The time, in seconds, between hello packets. All routers on the network must use the same value for hello-interval. The valid range for seconds_integer is 1 to 65535.
    Default: 10

interface <name_str>
    Enter the name of the interface to associate with this OSPF configuration. The interface might be a virtual IPSec or GRE interface.
    Default: Null.

ip <address_ipv4>
    Enter the IP address of the interface named by the interface keyword. It is possible to apply different OSPF configurations for different IP addresses defined on the same interface.
    Default: 0.0.0.0

md5-key <id_integer> <key_str>
    Enter the key ID and password to use for MD5 authentication. You can add more than one key ID and key pair per interface. However, you cannot unset one key without unsetting all of the keys. The key ID and key must be the same on all neighboring routers. The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters. This keyword is available when authentication is set to md5.
    Default: No default.

mtu <mtu_integer>
    Change the Maximum Transmission Unit (MTU) size included in database description packets sent out this interface. The valid range for mtu_integer is 576 to 65535.
    Default: 1500

mtu-ignore {enable | disable}
    Use this command to control the way OSPF behaves when the MTU in the sent and received database description packets does not match. When mtu-ignore is enabled, OSPF will stop detecting mismatched MTUs and go ahead and form an adjacency. When mtu-ignore is disabled, OSPF will detect mismatched MTUs and not form an adjacency. mtu-ignore should only be enabled if it is not possible to reconfigure the MTUs so that they match.
    Default: disable

network-type <type>
    Specify the type of network to which the interface is connected. OSPF supports four different types of network. This command specifies the behavior of the OSPF interface according to the network type. Specify one of:
    • broadcast
    • non-broadcast
    • point-to-multipoint
    • point-to-point
    If you specify non-broadcast, you must also configure neighbors using “config neighbor” on page 113.
    Default: broadcast

priority <priority_integer>
    Set the router priority for this interface. Router priority is used during the election of a designated router (DR) and backup designated router (BDR). The interface with the highest router priority wins the election. If there is a tie for router priority, router ID is used. An interface with router priority set to 0 can not be elected DR or BDR. Point-to-point networks do not elect a DR or BDR; therefore, this setting has no effect on a point-to-point network. The valid range for priority_integer is 0 to 255.
    Default: 1

resync-timeout <integer>
    Enter the synchronizing timeout for graceful restart interval. This is the period for this interface to synchronize with a neighbor.
    Default: 40

retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.
    Default: 5

status {enable | disable}
    Enable or disable OSPF on this interface.
    Default: enable

transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this interface. OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the interface. Increase the value for transmit-delay on low speed links. The valid range for seconds_integer is 1 to 65535.
    Default: 1

Example

This example shows how to assign an OSPF interface configuration named test to the interface named internal and how to configure text authentication for this interface.

    config router ospf
        config ospf-interface
            edit test
                set interface internal
                set ip 192.168.20.3
                set authentication text
                set authentication-key a2b3c4d5e
            end
    end

config redistribute

Use this subcommand to redistribute routes learned from BGP, RIP, static routes, or a direct connection to the destination network.

The OSPF redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:
• bgp—Redistribute routes learned from BGP.
• connected—Redistribute routes learned from a direct connection to the destination network.
• static—Redistribute the static routes defined in the FortiGate unit routing table.
• rip—Redistribute routes learned from RIP.

When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {bgp | connected | static | rip}).

Note: All keywords are optional.

Variables

metric <metric_integer>
    Enter the metric to be used for the redistributed routes. The metric_integer range is from 1 to 16777214.
    Default: 10

metric-type {1 | 2}
    Specify the external link type to be used for the redistributed routes.
    Default: 2

routemap <name_str>
    Enter the name of the route map to use for the redistributed routes. For information on how to configure route maps, see “route-map” on page 295.
    Default: Null.

status {enable | disable}
    Enable or disable redistributing routes.
    Default: disable

tag <tag_integer>
    Specify a tag for redistributed routes. The valid range for tag_integer is 0 to 4294967295.
    Default: 0

Example

This example shows how to enable route redistribution from RIP, using a metric of 3 and a route map named rtmp2.

    config router ospf
        config redistribute rip
            set metric 3
            set routemap rtmp2
            set status enable
        end
    end

config summary-address

Use this subcommand to summarize external routes for redistribution into OSPF. By replacing the LSAs for each route with one aggregate route, you reduce the size of the OSPF link-state database. This command works only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For information on summarization between areas, see “config range variables” on page 270.

Note: The prefix keyword is required. All other keywords are optional.

Variables

edit <summary-address_id>
    Enter an ID number for the summary address. The number must be an integer.
    Default: No default.

advertise {enable | disable}
    Advertise or suppress the summary route that matches the specified prefix.
    Default: enable

prefix <address_ipv4mask>
    Enter the prefix (IP address and netmask) to use for the summary route. The prefix 0.0.0.0 0.0.0.0 is not allowed.
    Default: 0.0.0.0 0.0.0.0

tag <tag_integer>
    Specify a tag for the summary route. The valid range for tag_integer is 0 to 4294967295.
    Default: 0

Example

This example shows how to summarize routes using the prefix 10.0.0.0 255.0.0.0.

    config router ospf
        config summary-address
            edit 5
                set prefix 10.0.0.0 255.0.0.0
            end
    end
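The rules stated above for ospf-interface and virtual-link entries (dead-interval four times hello-interval, key lengths, md5-key only with md5, non-broadcast networks needing neighbors, priority 0 never DR) can be checked before a configuration is pushed. The following Python example is added here and is not Fortinet code: it parses a FortiOS-style config/edit/set/next/end snippet into nested dicts and audits it; the snippet, the dmz_link entry and the finding texts are constructed for the example.

```python
"""Added example (not Fortinet code): parse a FortiOS-style CLI snippet into
nested dicts and audit the OSPF link rules the reference above states."""


def parse_fortios(text):
    """config table -> edit entry -> {keyword: [values]}; 'next' closes an edit,
    'end' closes an open edit and then its table."""
    root = {}
    stack = [("config", root)]
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        kw, args = words[0], [w.strip('"') for w in words[1:]]
        if kw in ("config", "edit"):
            child = stack[-1][1].setdefault(" ".join(args), {})
            stack.append((kw, child))
        elif kw == "set":
            stack[-1][1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1][1].pop(args[0], None)
        elif kw == "next":
            stack.pop()
        elif kw == "end":
            if stack[-1][0] == "edit":
                stack.pop()
            stack.pop()
    return root


def check_ospf_link(name, cfg, neighbors):
    """Findings for one ospf-interface or virtual-link entry; unset keywords
    take the reference's defaults (hello 10, dead 40, authentication none)."""
    f = []
    hello = int(cfg.get("hello-interval", ["10"])[0])
    dead = int(cfg.get("dead-interval", ["40"])[0])
    if dead != 4 * hello:
        f.append(f"{name}: dead-interval {dead} is not four times hello-interval {hello}")
    auth = cfg.get("authentication", ["none"])[0]
    if auth == "none":
        f.append(f"{name}: authentication none, any router on the link can form an adjacency")
    elif auth == "text":
        key = cfg.get("authentication-key", [""])[0]
        if not key:
            f.append(f"{name}: authentication text requires authentication-key")
        elif len(key) > 15:
            f.append(f"{name}: authentication-key exceeds 15 characters")
        f.append(f"{name}: text mode sends the key in clear text on the wire")
    elif auth == "md5":
        mk = cfg.get("md5-key", [])
        if len(mk) < 2:
            f.append(f"{name}: authentication md5 requires md5-key <id> <key>")
        elif not 1 <= int(mk[0]) <= 255 or len(mk[1]) > 16:
            f.append(f"{name}: md5-key id must be 1-255 and key at most 16 characters")
    if cfg.get("mtu-ignore", ["disable"])[0] == "enable":
        f.append(f"{name}: mtu-ignore enabled, adjacency forms despite MTU mismatch")
    if cfg.get("network-type", ["broadcast"])[0] == "non-broadcast" and not neighbors:
        f.append(f"{name}: non-broadcast network but no config neighbor entries")
    if cfg.get("priority", ["1"])[0] == "0":
        f.append(f"{name}: priority 0, this interface can never be DR or BDR")
    return f


def audit_ospf(text):
    """Audit every ospf-interface and every area virtual-link in the snippet."""
    ospf = parse_fortios(text).get("router ospf", {})
    neighbors = ospf.get("neighbor", {})
    findings = []
    for name, cfg in ospf.get("ospf-interface", {}).items():
        findings += check_ospf_link(name, cfg, neighbors)
    for area_id, area in ospf.get("area", {}).items():
        for name, cfg in area.get("virtual-link", {}).items():
            findings += check_ospf_link(f"area {area_id} virtual-link {name}", cfg, neighbors)
    return findings


# Constructed sample: the reference's 'test' interface plus a weak 'dmz_link'.
SAMPLE = """\
config router ospf
    config area
        edit 15.1.1.1
            config virtual-link
                edit vlnk1
                    set peer 1.1.1.1
                    set authentication md5
                    set md5-key 1 vlinksecret
                end
        end
    config ospf-interface
        edit test
            set interface internal
            set authentication text
            set authentication-key a2b3c4d5e
        next
        edit dmz_link
            set interface dmz
            set hello-interval 5
            set dead-interval 40
            set network-type non-broadcast
            set mtu-ignore enable
        end
end
"""
```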

History

FortiOS v2.80      New.
FortiOS v3.0       Changed default value of abr-type attribute to standard. Added distance-external, distance-inter-area, distance-intra-area, and distribute-list-in keywords.
FortiOS v3.0 MR4   Added bfd, restart-mode, restart-period, and resynch-timeout keywords.

Related topics

• router access-list
• get router info ospf
• get router info protocols
• get router info routing-table
• router prefix-list
• router route-map

policy

Use this command to add, edit or delete a route policy. Route policies are processed before static routing. You can configure the FortiGate unit to route packets based on:
• a source address
• a protocol, service type, or port range
• the inbound interface
• type of service (TOS)

When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to match the packet with a policy in ascending order. If the packet matches no policy route, the FortiGate unit routes it using the routing table. When you create a policy route, any packets that match the policy are forwarded to the IP address of the next-hop gateway through the specified outbound interface. You can change the order of policy routes using the move command. See “config branch” on page 34.

Note: For static routing, any number of static routes can be defined for the same destination. When multiple routes for the same destination exist, the FortiGate unit chooses the route having the lowest administrative distance. Route redundancy is not available for policy routing: any packets that match a route policy are forwarded according to the route specified in the policy.

Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how the IP datagram should be delivered, with such criteria as delay, priority, reliability, and minimum cost. Each of these qualities helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority TOS is 0; the highest is 7, when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the datagram to the TOS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero TOS route. Using increased quality may increase the cost of delivery because better performance may consume limited network resources. For more information see RFC 791 and RFC 1349.

Table 5: The role of each bit in the IP header TOS 8-bit field

bits 0, 1, 2   Precedence
    Some networks treat high precedence traffic as more important traffic. Precedence should only be used within a network, and can be used differently in each network. Typically you do not care about these bits.

bit 3   Delay
    When set to 1, this bit indicates low delay is a priority. This is useful for such services as VoIP where delays degrade the quality of the sound.

bit 4   Throughput
    When set to 1, this bit indicates high throughput is a priority. This is useful for services that require lots of bandwidth such as video conferencing.

bit 5   Reliability
    When set to 1, this bit indicates high reliability is a priority. This is useful when a service must always be available such as with DNS servers.

bit 6   Cost
    When set to 1, this bit indicates low cost is a priority. Generally there is a higher delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest cost route.

bit 7   Reserved for future use
    Not used at this time.

The two keywords tos and tos-mask enable you to configure type of service support on your FortiGate unit. tos-mask enables you to only look at select bits of the 8-bit TOS field in the IP header. This is useful as you may only care about reliability for some traffic, and not about the other TOS criteria.

The value in tos is used to match the pattern from tos-mask. If the mask doesn’t match, the next policy tries to match if it is configured, and eventually default routing is applied if there are no other matches. If it matches, then the rest of the policy is applied.

Note: You need to use tos-mask to remove bits from the pattern you don’t care about, or those bits will prevent a match with your tos pattern.

Syntax

    config router policy
        move <seq-num1> {before | after} <seq-num2>
        edit <policy_integer>
            set dst <dest-address_ipv4mask>
            set end-port <port_integer>
            set gateway <address_ipv4>
            set input-device <interface-name_str>
            set output-device <interface-name_str>
            set protocol <protocol_integer>
            set src <source-address_ipv4mask>
            set start-port <port_integer>
            set tos <hex_mask>
            set tos-mask <hex_mask>
    end

Note: The input-device keyword is required. All other keywords are optional.

Variables

move <seq-num1> {before | after} <seq-num2>
    Move one policy before or after another.
    Default: No default.

edit <policy_integer>
    Enter an ID number for the route policy. The number must be an integer.
    Default: No default.

dst <dest-address_ipv4mask>
    Match packets that have this destination IP address and netmask.
    Default: 0.0.0.0 0.0.0.0

end-port <port_integer>
    The end port number of a port range for a policy route. Match packets that have this destination port range. The port_integer range is 0 to 65 535. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. You must configure both the start-port and end-port keywords for destination-port-range matching to take effect. For protocols other than TCP and UDP, the port number is ignored.
    Default: 65 535

gateway <address_ipv4>
    Send packets that match the policy to this next hop router.
    Default: 0.0.0.0

input-device <interface-name_str>
    Match packets that are received on this interface.
    Default: Null.

output-device <interface-name_str>
    Send packets that match the policy out this interface.
    Default: Null.

protocol <protocol_integer>
    Match packets that have this protocol number. The range is 0 to 255.
    Default: 0

src <source-address_ipv4mask>
    Match packets that have this source IP address and netmask.
    Default: 0.0.0.0 0.0.0.0

start-port <port_integer>
    The start port number of a port range for a policy route. Match packets that have this destination port range. The port_integer range is 0 to 65 535. To specify a range, the start-port value must be lower than the end-port value. To specify a single port, the start-port value must be identical to the end-port value. You must configure both the start-port and end-port keywords for destination-port-range matching to take effect. For protocols other than TCP and UDP, the port number is ignored.
    Default: 1

tos <hex_mask>
    The type of service (TOS) pattern to match after applying the tos-mask. This is an 8-bit hexadecimal pattern that can be from “00” to “FF”. The tos pattern attempts to match the quality of service for this profile. Each bit in the pattern represents a different aspect of quality. A pattern of “0010” in bits 3 through 6 would indicate reliability is important, but with normal delay and throughput. The hex value for this pattern would be “04”.
    Default: Null.

tos-mask <hex_mask>
    This value determines which bits in the IP header’s TOS field are significant. This is an 8-bit hexadecimal mask that can be from “00” to “FF”. Typically, only bits 3 through 6 are used for TOS, so it is necessary to mask out the other bits. To mask out everything but bits 3 through 6, the hex mask would be “1E”.
    Default: Null.

Example

If a FortiGate unit provides Internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and 192.168.20.0 you can enter the following route policies:

• Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0 subnet. Force the packets to the next hop gateway at IP address 1.1.1.1 through the interface named external.

    config router policy
        edit 1
            set input-device internal
            set src 192.168.10.0 255.255.255.0
            set dst 100.100.100.0 255.255.255.0
            set output-device external
            set gateway 1.1.1.1
    end

• Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 subnet. Force the packets to the next hop gateway at IP address 2.2.2.1 through the interface named external.

    config router policy
        edit 2
            set input-device internal
            set src 192.168.20.0 255.255.255.0
            set dst 200.200.200.0 255.255.255.0
            set output-device external
            set gateway 2.2.2.1
    end

• Enter the following command to direct all HTTP traffic using port 80 to the next hop gateway at IP address 1.1.1.1 if it has the TOS low delay bit set.

    config router policy
        edit 1
            set input-device internal
            set src 0.0.0.0 0.0.0.0
            set dst 0.0.0.0 0.0.0.0
            set output-device external
            set gateway 1.1.1.1
            set protocol 6
            set start-port 80
            set end-port 80
            set tos-mask 10
            set tos 10
    end

• Enter the following command to direct all other traffic to the next hop gateway at IP address 2.2.2.1.

    config router policy
        edit 2
            set input-device internal
            set src 0.0.0.0 0.0.0.0
            set dst 0.0.0.0 0.0.0.0
            set output-device external
            set gateway 2.2.2.1
    end

History

FortiOS v2.80      Revised.
FortiOS v3.0       Replaced all underscore characters in keywords with hyphens. Changed default start-point number to 1. Changed default end-point number to 65 535.
FortiOS v3.0 MR7   Added tos and tos-mask.

Related topics

• router static
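As an added illustration (not from the reference or FortiOS), the policy-route matching described in this section can be modelled in Python: policies are tried in ascending order, ports count only for TCP and UDP, and tos-mask selects which TOS bits must equal tos. The exact matching semantics (protocol 0 meaning any, unset tos and tos-mask behaving as 00) are assumptions; the packets and the 203.0.113.7 address are constructed for the example.

```python
"""Added example (not FortiOS code): model policy-route matching as the
reference describes it, including the tos/tos-mask comparison."""
import ipaddress

# Table 5: the four TOS quality bits (bits 3-6); bits 0-2 are precedence.
TOS_BITS = {0x10: "low delay", 0x08: "high throughput",
            0x04: "high reliability", 0x02: "low cost"}
ANY = "0.0.0.0 0.0.0.0"


def describe_tos(tos):
    """Split an 8-bit TOS value into its precedence and named quality bits."""
    return {"precedence": tos >> 5,
            "qualities": [n for bit, n in TOS_BITS.items() if tos & bit]}


def in_subnet(ip, addr_mask):
    """addr_mask is the CLI's 'address netmask' form; 0.0.0.0 0.0.0.0 matches all."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def policy_matches(policy, pkt):
    if policy["input-device"] != pkt["input-device"]:
        return False
    if not in_subnet(pkt["src"], policy.get("src", ANY)):
        return False
    if not in_subnet(pkt["dst"], policy.get("dst", ANY)):
        return False
    # Assumption: protocol 0 (the default) means any protocol, which is what
    # the reference's catch-all policy relies on.
    proto = policy.get("protocol", 0)
    if proto and proto != pkt["protocol"]:
        return False
    # Ports are compared only for TCP (6) and UDP (17), and only when both
    # start-port and end-port are configured.
    if pkt["protocol"] in (6, 17) and "start-port" in policy and "end-port" in policy:
        if not policy["start-port"] <= pkt["dport"] <= policy["end-port"]:
            return False
    # tos-mask selects the significant bits; the masked field must equal tos.
    # Assumption: unset tos/tos-mask behave as 00, so the comparison is 0 == 0.
    mask = int(policy.get("tos-mask", "00"), 16)
    want = int(policy.get("tos", "00"), 16)
    return (pkt["tos"] & mask) == want


def route_packet(policies, pkt):
    """Return (output-device, gateway) of the first matching policy, or None
    when the packet falls through to the routing table."""
    for policy in policies:
        if policy_matches(policy, pkt):
            return policy["output-device"], policy["gateway"]
    return None


def packet(src, dst, protocol, dport, tos, input_device="internal"):
    """Constructed packet summary: only the header fields policy routing uses."""
    return {"src": src, "dst": dst, "protocol": protocol, "dport": dport,
            "tos": tos, "input-device": input_device}


# The two policies of the HTTP/low-delay example above, as dicts.
POLICIES = [
    {"input-device": "internal", "src": ANY, "dst": ANY, "output-device": "external",
     "gateway": "1.1.1.1", "protocol": 6, "start-port": 80, "end-port": 80,
     "tos-mask": "10", "tos": "10"},
    {"input-device": "internal", "src": ANY, "dst": ANY, "output-device": "external",
     "gateway": "2.2.2.1"},
]

# The pitfall from the note above: tos set without tos-mask can never match,
# because every bit of the packet's TOS field is masked out before comparison.
NO_MASK = [{"input-device": "internal", "output-device": "external",
            "gateway": "1.1.1.1", "tos": "10"}]

if __name__ == "__main__":
    http_low_delay = packet("192.168.10.5", "203.0.113.7", 6, 80, 0xD0)
    print(describe_tos(0xD0), route_packet(POLICIES, http_low_delay))
```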

prefix-list

Use this command to add, edit, or delete prefix lists. A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask.

Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings. The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny. A prefix-list should be used to match the default route 0.0.0.0/0.

For a prefix list to take effect, it must be called by another FortiGate unit routing feature such as RIP or OSPF. A prefix list and an access list cannot have the same name.

Syntax

    config router prefix-list
        edit <prefix_list_name>
            set comments <string>
            config rule
                edit <prefix_rule_id>
                    set action {deny | permit}
                    set ge <length_integer>
                    set le <length_integer>
                    set prefix {<address_ipv4mask> | any}
            end
    end

Note: The action and prefix keywords are required. All other keywords are optional.

Variables

edit <prefix_list_name>
    Enter a name for the prefix list.
    Default: No default.

config rule variables

edit <prefix_rule_id>
    Enter an entry number for the rule. The number must be an integer.
    Default: No default.

action {deny | permit}
    Set the action to take for this prefix.
    Default: permit

comments <string>
    Enter a description of this access list entry. The description can be up to 127 characters long.
    Default: No default.

ge <length_integer>
    Match prefix lengths that are greater than or equal to this number. length_integer can be any number from 0 to 32. The setting for ge should be less than the setting for le. The setting for ge should be greater than the netmask set for prefix.
    Default: 0

le <length_integer>
    Match prefix lengths that are less than or equal to this number. length_integer can be any number from 0 to 32. The setting for le should be greater than the setting for ge. The length of the netmask should be less than the setting for ge.
    Default: 32

prefix {<address_ipv4mask> | any}
    Enter the prefix (IP address and netmask) for this prefix list rule or enter any to match any prefix. If prefix is set to any, ge and le should not be set.
    Default: 0.0.0.0 0.0.0.0

Examples

This example shows how to add a prefix list named prf_list1 with three rules. The first rule permits subnets that match prefix lengths between 26 and 30 for the prefix 192.168.100.0 255.255.255.0. The second rule denies subnets that match the prefix lengths between 20 and 25 for the prefix 10.1.0.0 255.255.0.0. The third rule denies all other traffic.

    config router prefix-list
        edit prf_list1
            config rule
                edit 1
                    set prefix 192.168.100.0 255.255.255.0
                    set action permit
                    set ge 26
                    set le 30
                next
                edit 2
                    set prefix 10.1.0.0 255.255.0.0
                    set action deny
                    set ge 20
                    set le 25
                next
                edit 3
                    set prefix any
                    set action deny
                end
        end

The following example shows how to create a prefix-list that will drop the default route but allow all other prefixes to be passed. The first rule matches the default route only and is set to deny; the second rule will match all other prefixes and allow them to be passed.

    config router prefix-list
        edit "drop_default"
            config rule
                edit 1
                    set action deny
                    set prefix 0.0.0.0 0.0.0.0
                    unset ge
                    unset le
                next
                edit 2
                    set prefix any
                    unset ge
                    unset le
                next
            end
        next
    end
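The following Python example, added here and not FortiOS code, evaluates route prefixes against the two prefix lists above and checks the ge/le ordering rules the variable descriptions give. The matching semantics (exact match when neither ge nor le is set, a length range when either is set) are an assumption drawn from the two examples, which is why drop_default's first rule matches only 0.0.0.0/0.

```python
"""Added example (not FortiOS code): evaluate route prefixes against a
prefix list, top-down, first match wins, no match means deny."""
import ipaddress


def _net(rule):
    """Turn the CLI's 'address netmask' prefix into an IPv4Network."""
    return ipaddress.ip_network(rule["prefix"].replace(" ", "/"), strict=False)


def rule_matches(rule, route):
    """route is an IPv4Network. Assumed semantics: 'any' matches everything;
    with neither ge nor le set the route must equal the rule prefix exactly;
    with ge or le set the route must lie inside the prefix and its length must
    fall in [ge, le], ge defaulting to the prefix length and le to 32."""
    if rule["prefix"] == "any":
        return True
    net = _net(rule)
    if "ge" not in rule and "le" not in rule:
        return route == net
    if not route.subnet_of(net):
        return False
    return rule.get("ge", net.prefixlen) <= route.prefixlen <= rule.get("le", 32)


def evaluate(prefix_list, route_str):
    """Return 'permit' or 'deny' for one route such as '10.1.2.0/24'."""
    route = ipaddress.ip_network(route_str)
    for rule in prefix_list:
        if rule_matches(rule, route):
            return rule.get("action", "permit")   # action defaults to permit
    return "deny"                                  # implicit deny at the end


def validate(prefix_list):
    """Flag rules that break the ge/le ordering the reference requires."""
    problems = []
    for n, rule in enumerate(prefix_list, 1):
        if rule["prefix"] == "any":
            if "ge" in rule or "le" in rule:
                problems.append(f"rule {n}: ge/le must not be set with prefix any")
            continue
        plen = _net(rule).prefixlen
        ge, le = rule.get("ge", plen), rule.get("le", 32)
        if not plen <= ge <= le <= 32:
            problems.append(f"rule {n}: need prefix length {plen} <= ge {ge} <= le {le} <= 32")
    return problems


# The reference's two example lists as dicts (rule order preserved).
PRF_LIST1 = [
    {"prefix": "192.168.100.0 255.255.255.0", "action": "permit", "ge": 26, "le": 30},
    {"prefix": "10.1.0.0 255.255.0.0", "action": "deny", "ge": 20, "le": 25},
    {"prefix": "any", "action": "deny"},
]
DROP_DEFAULT = [
    {"prefix": "0.0.0.0 0.0.0.0", "action": "deny"},
    {"prefix": "any"},
]

if __name__ == "__main__":
    for r in ("192.168.100.64/26", "192.168.100.0/24", "10.1.2.0/24", "0.0.0.0/0"):
        print(r, evaluate(PRF_LIST1, r), evaluate(DROP_DEFAULT, r))
```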

History

FortiOS v2.80      New.
FortiOS v2.80 MR2  Changed default for le from 0 to 32.

Related topics

• router access-list
• router rip

rip

Use this command to configure the Routing Information Protocol (RIP) on the FortiGate unit. RIP is a distance-vector routing protocol intended for small, relatively homogeneous networks. RIP uses hop count as its routing metric. Each network is usually counted as one hop. The network diameter is limited to 15 hops with 16 hops.

The FortiGate unit implementation of RIP supports both RIP version 1 as defined by RFC 1058, and RIP version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information, and to support simple authentication and subnet masks.

Note: update_timer cannot be larger than timeout_timer and garbage_timer. Attempts to do so will generate an error.

Syntax

    config router rip
        set default-information-originate {enable | disable}
        set default-metric <metric_integer>
        set garbage-timer <timer_integer>
        set passive-interface <name_str>
        set timeout-timer <timer_integer>
        set update-timer <timer_integer>
        set version {1 2}
        config distance
            edit <distance_id>
                set access-list <name_str>
                set distance <distance_integer>
                set prefix <address_ipv4mask>
            end
        config distribute-list
            edit <distribute_list_id>
                set direction {in | out}
                set interface <name_str>
                set listname <access/prefix-listname_str>
                set status {enable | disable}
            end
        config interface
            edit <interface_name>
                set auth-keychain <name_str>
                set auth-mode {none | text | md5}
                set auth-string <password_str>
                set receive-version {1 2}
                set send-version {1 2}
                set send-version1-compatible {enable | disable}
                set split-horizon {poisoned | regular}
                set split-horizon-status {enable | disable}
            end
        config neighbor
            edit <neighbor_id>
                set ip <address_ipv4>
            end
        config network
            edit <network_id>
                set prefix <address_ipv4mask>
            end
        config offset-list

            edit <offset_list_id>
                set access-list <name_str>
                set direction {in | out}
                set interface <name_str>
                set offset <metric_integer>
                set status {enable | disable}
            end
        config redistribute {connected | static | ospf | bgp}
            set metric <metric_integer>
            set routemap <name_str>
            set status {enable | disable}
        end
    end

config router rip

Use this command to specify RIP operating parameters.

Note: All keywords are optional.

Variables

default-information-originate {enable | disable}
    Enter enable to advertise a default static route into RIP.
    Default: disable

default-metric <metric_integer>
    For non-default routes in the static routing table and directly connected networks the default metric is the metric that the FortiGate unit advertises to adjacent routers. This metric is added to the metrics of learned routes. The default metric can be a number from 1 to 16.
    Default: 1

garbage-timer <timer_integer>
    The time in seconds that must elapse after the timeout interval for a route expires, before RIP deletes the route. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable. RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings. The update timer interval can not be larger than the garbage timer interval.
    Default: 120

passive-interface <name_str>
    Block RIP broadcasts on the specified interface. You can use “config neighbor” on page 291 and the passive-interface command to allow RIP to send unicast updates to the specified neighbor while blocking broadcast updates on the specified interface.
    Default: No default.

timeout-timer <timer_integer>
  The time interval in seconds after which a route is declared unreachable. The route is removed from the routing table. RIP holds the route until the garbage timer expires and then deletes the route. If RIP receives an update for the route before the timeout timer expires, the timeout timer is restarted. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires, the entry is switched back to reachable. The value of the timeout timer should be at least three times the value of the update timer. RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings. The update timer interval can not be larger than the timeout timer interval.
  Default: 180

update-timer <timer_integer>
  The time interval in seconds between RIP updates. RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings. The update timer interval can not be larger than the timeout or garbage timer intervals.
  Default: 30

version {1 2}
  Enable sending and receiving RIP version 1 packets, RIP version 2 packets, or both for all RIP-enabled interfaces. You can override this setting on a per-interface basis using the receive-version {1 2} and send-version {1 2} keywords described under “config interface” on page 290.
  Default: 2

Example
This example shows how to enable the advertising of a default static route into RIP, enable the sending and receiving of RIP version 1 packets, and raise the preference of local routes in the static routing table (the default metric) from the default of 1 to 5.
  config router rip
    set default-information-originate enable
    set version 1
    set default-metric 5
  end

config distance
Use this subcommand to specify an administrative distance. When different routing protocols provide multiple routes to the same destination, the administrative distance sets the priority of those routes. The lowest administrative distance indicates the preferred route; routes given a higher distance will be less preferred. If you specify a prefix, RIP uses the specified distance when the source IP address of a packet matches the prefix.

Note: The distance keyword is required. All other keywords are optional.

Variables

edit <distance_id>
  Enter an entry number for the distance. The number must be an integer.
  Default: No default

access-list <name_str>
  Enter the name of an access list. The distances associated with the routes in the access list will be modified. To create an access list, see “access-list” on page 230.
  Default: Null
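The update, timeout and garbage timers above interact. The following Python model is added here and is not part of the Fortinet reference: it moves a learned route through the reachable, unreachable and deleted states under the documented defaults, and checks the documented ordering constraints on the timer values. The timer values and update times are constructed.

```python
from typing import List, Optional

# Constructed example, not Fortinet code: a model of the RIP route lifecycle
# governed by update-timer, timeout-timer and garbage-timer. Times are in
# seconds; the defaults are the ones documented for config router rip.
DEFAULT_UPDATE = 30
DEFAULT_TIMEOUT = 180
DEFAULT_GARBAGE = 120


def validate_timers(update: int, timeout: int, garbage: int) -> List[str]:
    """Return the documented constraints a timer set violates (empty list = OK)."""
    problems = []
    if update > timeout:
        problems.append("update-timer can not be larger than timeout-timer")
    if update > garbage:
        problems.append("update-timer can not be larger than garbage-timer")
    if timeout < 3 * update:
        problems.append("timeout-timer should be at least three times update-timer")
    return problems


class RipRoute:
    """One learned route; its state is derived from when the last update arrived."""

    def __init__(self, learned_at: float,
                 timeout: int = DEFAULT_TIMEOUT, garbage: int = DEFAULT_GARBAGE):
        self.timeout = timeout
        self.garbage = garbage
        self.last_update = learned_at

    def state(self, now: float) -> str:
        age = now - self.last_update
        if age < self.timeout:
            return "reachable"      # in the routing table, timeout timer running
        if age < self.timeout + self.garbage:
            return "unreachable"    # out of the routing table, held until garbage timer expires
        return "deleted"            # garbage timer expired, entry removed

    def receive_update(self, now: float) -> str:
        """Apply an update for this route and return the resulting state.

        Before timeout: the timeout timer is restarted. After timeout but
        before the garbage timer expires: the entry switches back to reachable.
        """
        self.last_update = now
        return self.state(now)


def simulate(update_times: List[float], probe_times: List[float],
             timeout: int = DEFAULT_TIMEOUT, garbage: int = DEFAULT_GARBAGE) -> List[str]:
    """State of a route at each probe time, given when neighbour updates arrived."""
    events = sorted([(t, "update") for t in update_times] +
                    [(t, "probe") for t in probe_times])
    route: Optional[RipRoute] = None
    states = []
    for t, kind in events:
        if kind == "update":
            if route is None:           # a deleted or unknown route is learned afresh
                route = RipRoute(t, timeout, garbage)
            else:
                route.receive_update(t)
        else:
            states.append("unknown" if route is None else route.state(t))
    return states
```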

distance <distance_integer>
  Enter a number from 1 to 255 to set the administrative distance.
  Default: 0

prefix <address_ipv4mask>
  Optionally enter a prefix to apply the administrative distance to.
  Default: 0.0.0.0 0.0.0.0

Example
This example shows how to change the administrative distance to 10 for all IP addresses that match the internal_example access-list.
  config router rip
    config distance
      edit 1
        set distance 10
        set access-list internal_example
      end
  end

config distribute-list
Use this subcommand to filter incoming or outgoing updates using an access list or a prefix list. If you do not specify an interface, the filter will be applied to all interfaces. You must configure the access list or prefix list that you want the distribution list to use before you configure the distribution list. For more information on configuring access lists and prefix lists, see “access-list” on page 230 and “prefix-list” on page 283.

Note: The direction and listname keywords are required. All other keywords are optional.

Variables

edit <distribute_list_id>
  Enter an entry number for the distribution list. The number must be an integer.
  Default: No default

direction {in | out}
  Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
  Default: out

interface <name_str>
  Enter the name of the interface to apply this distribution list to. If you do not specify an interface, this distribution list will be used for all interfaces.
  Default: Null

listname <access/prefix-listname_str>
  Enter the name of the access list or prefix list to use for this distribution list. This keyword is required.
  Default: Null

status {enable | disable}
  Enable or disable this distribution list.
  Default: disable

Example
This example shows how to configure and enable a distribution list to use an access list named acc_list1 for incoming updates on the external interface.
  config router rip
    config distribute-list
      edit 1
        set direction in
        set interface external
        set listname acc_list1
        set status enable
      end
  end

config interface
Use this subcommand to configure RIP version 2 authentication, RIP version send and receive for the specified interface, and to configure and enable split horizon.

Authentication is only available for RIP version 2 packets sent and received by an interface.

A split horizon occurs when a router advertises a route it learns over the same interface it learned it on. In this case the router that gave the learned route to the last router now has two entries to get to another location. However, if the primary route fails, that router tries the second route, finds itself as part of the route, and an infinite loop is created. A poisoned split horizon will still advertise the route on the interface it received it on, but it will mark the route as unreachable. Any unreachable routes are automatically removed from the routing table. This is also called split horizon with poison reverse.

Note: All keywords are optional.

Variables

edit <interface_name>
  Type the name of the FortiGate unit interface that is linked to the RIP network. The interface might be a virtual IPSec or GRE interface.
  Default: No default

auth-keychain <name_str>
  Enter the name of the key chain to use for authentication for RIP version 2 packets sent and received by this interface. Use key chains when you want to configure multiple keys. For information on how to configure key chains, see “key-chain” on page 252.
  Default: Null

auth-mode {none | text | md5}
  Use the auth-mode keyword to define the authentication used for RIP version 2 packets sent and received by this interface. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, the authentication key is used to generate an MD5 hash. Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network. You must set auth-mode to none when receive-version or send-version are set to 1 or 1 2 (both are set to 1 by default).
  Default: none

auth-string <password_str>
  Use the auth-string keyword to specify the key. Enter a single key to use for authentication for RIP version 2 packets sent and received by this interface. The key can be up to 35 characters long. Use auth-string when you only want to configure one key.
  Default: No default

receive-version {1 2}
  RIP routing messages are UDP packets that use port 520. Enter 1 to configure RIP to listen for RIP version 1 messages on an interface. Enter 2 to configure RIP to listen for RIP version 2 messages on an interface. Enter 1 2 to configure RIP to listen for both RIP version 1 and RIP version 2 messages on an interface.
  Default: No default

send-version {1 2}
  RIP routing messages are UDP packets that use port 520. Enter 1 to configure RIP to send RIP version 1 messages from an interface. Enter 2 to configure RIP to send RIP version 2 messages from an interface. Enter 1 2 to configure RIP to send both RIP version 1 and RIP version 2 messages from an interface.
  Default: No default

send-version1-compatible {enable | disable}
  Enable or disable sending broadcast updates from an interface configured for RIP version 2. RIP version 2 normally multicasts updates. RIP version 1 can only receive broadcast updates.
  Default: disable

split-horizon {poisoned | regular}
  Configure RIP to use either regular or poisoned split horizon on this interface. Select poisoned to send updates with routes learned on an interface back out the same interface but mark those routes as unreachable. Select regular to prevent RIP from sending updates for a route back out on the interface from which it received that route.
  Default: poisoned

split-horizon-status {enable | disable}
  Enable or disable split horizon for this interface. Split horizon is enabled by default. Disable split horizon only if there is no possibility of creating a counting-to-infinity loop when the network topology changes.
  Default: enable

Example
This example shows how to configure the external interface to send and receive RIP version 2, to use MD5 authentication, and to use a key chain called test1.
  config router rip
    config interface
      edit external
        set receive-version 2
        set send-version 2
        set auth-mode md5
        set auth-keychain test1
      end
  end

config neighbor
Use this subcommand to enable RIP to send unicast routing updates to the router at the specified address. You can use the neighbor subcommand and “passive-interface <name_str>” on page 287 to allow RIP to send unicast updates to the specified neighbor while blocking broadcast updates on the specified interface. You can configure multiple neighbors.

Note: The ip keyword is required. All other keywords are optional.

Variables

edit <neighbor_id>
  Enter an entry number for the RIP neighbor. The number must be an integer.
  Default: No default

ip <address_ipv4>
  Enter the IP address of the neighboring router to which to send unicast updates.
  Default: 0.0.0.0

Example
This example shows how to specify that the router at 192.168.21.20 is a neighbor.
  config router rip
    config neighbor
      edit 1
        set ip 192.168.21.20
      end
  end
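The config interface subcommand above states that text mode sends the key in the clear, that MD5 mode only authenticates the update, and that RIP version 1 packets cannot be authenticated at all. The following Python decoder is an added example, not Fortinet code: it classifies the authentication entry of captured RIP packets (UDP port 520) so that an auditor can confirm that an interface really exchanges MD5-authenticated RIPv2 updates. The layouts follow RFC 1723 (simple password) and RFC 2082 (keyed MD5); the sample packets, key id and sequence number are constructed.

```python
import struct
from typing import Dict, List

# Constructed example, not Fortinet code: decode the optional authentication
# entry of RIP packets. RIPv1 (RFC 1058) has no authentication; RIPv2 carries
# it in a first entry with address family 0xFFFF (RFC 1723 / RFC 2082).
AUTH_FAMILY = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2   # RFC 1723: 16-byte password sent in the clear
AUTH_KEYED_MD5 = 3         # RFC 2082: key id + sequence, digest in a trailer
AUTH_MD5_TRAILER = 1       # RFC 2082: AFI 0xFFFF, type 1, then 16-byte digest


def route_entry(version: int, ip: str, mask: str, metric: int) -> bytes:
    """One 20-byte RIP route entry (address family 2 = IP)."""
    addr = bytes(int(o) for o in ip.split("."))
    if version == 1:                   # v1 carries no mask or next hop, zero-filled
        return struct.pack("!HH4s8xI", 2, 0, addr, metric)
    netmask = bytes(int(o) for o in mask.split("."))
    return struct.pack("!HH4s4s4sI", 2, 0, addr, netmask, b"\0" * 4, metric)


def parse_rip(pkt: bytes) -> Dict[str, object]:
    """Decode the header and the authentication entry, if any, of a RIP packet."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("not a RIP packet: length must be 4 + n*20")
    command, version, _zero = struct.unpack("!BBH", pkt[:4])
    entries = [pkt[i:i + 20] for i in range(4, len(pkt), 20)]
    info: Dict[str, object] = {"command": command, "version": version,
                               "auth": "none", "key_in_clear": False}
    if version == 2 and entries:
        family, auth_type = struct.unpack("!HH", entries[0][:4])
        if family == AUTH_FAMILY:
            if auth_type == AUTH_SIMPLE_PASSWORD:
                info["auth"] = "text"
                info["key_in_clear"] = True   # the 16-byte key is readable on the segment
                entries = entries[1:]
            elif auth_type == AUTH_KEYED_MD5:
                # packet length, key id, auth data length (16 or 20 depending on
                # implementation, not checked here), sequence number
                _pkt_len, key_id, _auth_len, seq = struct.unpack("!HBBI", entries[0][4:12])
                if struct.unpack("!HH", entries[-1][:4]) != (AUTH_FAMILY, AUTH_MD5_TRAILER):
                    raise ValueError("keyed MD5 packet without digest trailer")
                info.update(auth="md5", key_id=key_id, sequence=seq)
                entries = entries[1:-1]
            else:
                info["auth"] = "unknown(%d)" % auth_type
                entries = entries[1:]
    info["routes"] = len(entries)
    return info


def audit(packets: List[bytes]) -> List[str]:
    """One finding per packet that does not give what auth-mode md5 is meant to give."""
    findings = []
    for n, pkt in enumerate(packets):
        p = parse_rip(pkt)
        if p["version"] == 1:
            findings.append("packet %d: RIPv1, cannot be authenticated (requires auth-mode none)" % n)
        elif p["auth"] == "none":
            findings.append("packet %d: RIPv2 without an authentication entry" % n)
        elif p["key_in_clear"]:
            findings.append("packet %d: text authentication, key visible on the wire" % n)
    return findings


# Constructed sample packets (command 2 = response).
HEADER_V1_RESPONSE = struct.pack("!BBH", 2, 1, 0)
HEADER_V2_RESPONSE = struct.pack("!BBH", 2, 2, 0)
ROUTE = route_entry(2, "10.1.0.0", "255.255.0.0", 1)
SAMPLE_V1 = HEADER_V1_RESPONSE + route_entry(1, "10.1.0.0", "", 1)
SAMPLE_V2_NOAUTH = HEADER_V2_RESPONSE + ROUTE
SAMPLE_V2_TEXT = (HEADER_V2_RESPONSE
                  + struct.pack("!HH16s", AUTH_FAMILY, AUTH_SIMPLE_PASSWORD, b"example-key")
                  + ROUTE)
SAMPLE_V2_MD5 = (HEADER_V2_RESPONSE
                 + struct.pack("!HHHBBI8x", AUTH_FAMILY, AUTH_KEYED_MD5, 44, 1, 20, 7)
                 + ROUTE
                 + struct.pack("!HH16s", AUTH_FAMILY, AUTH_MD5_TRAILER, bytes(16)))
```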

config network
Use this subcommand to identify the networks for which to send and receive RIP updates. If a network is not specified, interfaces in that network will not be advertised in RIP updates.

Note: The prefix keyword is optional.

Variables

edit <network_id>
  Enter an entry number for the RIP network. The number must be an integer.
  Default: No default

prefix <address_ipv4mask>
  Enter the IP address and netmask for the RIP network.
  Default: 0.0.0.0 0.0.0.0

Example
Use the following command to enable RIP for the interfaces attached to networks specified by the IP address 10.0.0.0 and the netmask 255.255.255.0.
  config router rip
    config network
      edit 2
        set prefix 10.0.0.0 255.255.255.0
      end
  end

config offset-list
Use this subcommand to add the specified offset to the metric (hop count) of a route from the offset list.

Note: The access-list, direction, and offset keywords are required. All other keywords are optional.

Variables

edit <offset_list_id>
  Enter an entry number for the offset list. The number must be an integer.
  Default: No default

access-list <name_str>
  Enter the name of the access list to use for this offset list. The access list is used to determine which routes to add the metric to.
  Default: Null

direction {in | out}
  Enter in to apply the offset to the metrics of incoming routes. Enter out to apply the offset to the metrics of outgoing routes.
  Default: out

interface <name_str>
  Enter the name of the interface to match for this offset list.
  Default: Null

offset <metric_integer>
  Enter the offset number to add to the metric. The metric is the hop count. The metric_integer range is from 1 to 16, with 16 being unreachable.
  Default: 0

status {enable | disable}
  Enable or disable this offset list.
  Default: disable

Example
This example shows how to configure and enable offset list number 5, which adds a metric of 3 to incoming routes that match the access list named acc_list1 on the external interface.
  config router rip
    config offset-list
      edit 5
        set access-list acc_list1
        set direction in
        set interface external
        set offset 3
        set status enable
      end
  end

config redistribute
Use this subcommand to redistribute routes learned from OSPF, BGP, static routes, or a direct connection to the destination network.

The RIP redistribution table contains four static entries. You cannot add entries to the table. The entries are defined as follows:
• bgp—Redistribute routes learned from BGP.
• connected—Redistribute routes learned from a direct connection to the destination network.
• ospf—Redistribute routes learned from OSPF.
• static—Redistribute the static routes defined in the FortiGate unit routing table.

When you enter the subcommand, end the command with one of the four static entry names (that is, config redistribute {bgp | connected | ospf | static}).

Note: All keywords are optional.

Variables

metric <metric_integer>
  Enter the metric value to be used for the redistributed routes. The metric_integer range is from 0 to 16.
  Default: 0

routemap <name_str>
  Enter the name of the route map to use for the redistributed routes. For information on how to configure route maps, see “route-map” on page 295.
  Default: Null

status {enable | disable}
  Enable or disable redistributing routes.
  Default: disable

Example
This example shows how to enable route redistribution from OSPF, using a metric of 3 and a route map named rtmp2.
  config router rip
    config redistribute ospf
      set metric 3
      set routemap rtmp2
      set status enable
    end

History
FortiOS v2.80       Substantially revised.
FortiOS v2.80 MR7   Added access-list keyword to config distance subcommand.

Related topics
• router access-list
• router key-chain
• router prefix-list
• router route-map
• get router info protocols
• get router info rip
• get router info routing-table

route-map
Use this command to add, edit, or delete route maps.

Route maps provide a way for the FortiGate unit to evaluate optimum routes for forwarding packets or suppressing the routing of packets to particular destinations. Compared to access lists, route maps support enhanced packet-matching criteria. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and make changes to routing information dynamically as defined through route-map rules.

The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are examined in ascending order until one or more of the rules in the route map are found to match one or more of the route attributes:
• When a single matching match-* rule is found, changes to the routing information are made as defined through the rule’s set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
• If no match-* rules are defined, the FortiGate unit makes changes to the routing information only when all of the default match-* rules happen to match the attributes of the route.
• When more than one match-* rule is defined, all of the defined match-* rules must evaluate to TRUE or the routing information is not changed.
• The default rule in the route map (which the FortiGate unit applies last) denies all routes.
If no matching rule is found, no changes are made to the routing information.

For a route map to take effect, it must be called by a FortiGate unit routing process. To use the command to limit the number of received or advertised BGP route and routing updates using route maps, see “Using route maps with BGP” on page 297.

Note: Any keywords and rules that do not appear here can be found in the BGP route-map section. See “Using route maps with BGP” on page 297.

Syntax
  config router route-map
    edit <route_map_name>
      set comments <string>
      config rule
        edit <route_map_rule_id>
          set action {deny | permit}
          set match-interface <name_str>
          set match-ip-address <access/prefix-listname_str>
          set match-ip-nexthop <access/prefix-listname_str>
          set match-metric <metric_integer>
          set match-route-type {1 | 2}
          set match-tag <tag_integer>
          set set-ip-nexthop <address_ipv4>
          set set-metric <metric_integer>
          set set-metric-type {1 | 2}
          set set-tag <tag_integer>
        end
    end

Note: All keywords are optional.

Variables

edit <route_map_name>
  Enter a name for the route map.
  Default: No default

comments <string>
  Enter a description for this route map name.
  Default: Null

config rule variables

edit <route_map_rule_id>
  Enter an entry number for the rule. The number must be an integer.
  Default: No default

action {deny | permit}
  Enter deny to deny routes that match this rule. Enter permit to permit routes that match this rule.
  Default: permit

match-interface <name_str>
  Enter the name of the local FortiGate unit interface that will be used to match route interfaces.
  Default: Null

match-ip-address <access/prefix-listname_str>
  Match a route if the destination address is included in the specified access list or prefix list.
  Default: Null

match-ip-nexthop <access/prefix-listname_str>
  Match a route that has a next-hop router address included in the specified access list or prefix list.
  Default: Null

match-metric <metric_integer>
  Match a route with the specified metric. The metric can be a number from 1 to 16.
  Default: 0

match-route-type {1 | 2}
  Match a route that has the external type set to 1 or 2.
  Default: external-type1

match-tag <tag_integer>
  Match a route that has the specified tag. This keyword is available when set-tag is set.
  Default: 0

set-ip-nexthop <address_ipv4>
  Set the next-hop router address for a matched route.
  Default: 0.0.0.0

set-metric <metric_integer>
  Set a metric value of 1 to 16 for a matched route.
  Default: 0

set-metric-type {1 | 2}
  Set the type for a matched route.
  Default: external-type1

set-tag <tag_integer>
  Set a tag value for a matched route.
  Default: 0

Example
This example shows how to add a route map list named rtmp2 with two rules. The first rule denies routes that match the IP addresses in an access list named acc_list2. The second rule permits routes that match a metric of 2 and changes the metric to 4.
  config router route-map
    edit rtmp2
      config rule
        edit 1
          set match-ip-address acc_list2
          set action deny
        next
        edit 2
          set match-metric 2
          set action permit
          set set-metric 4
        end
  end
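The matching rules described for this command, applied to the rtmp2 example, as added Python that is not FortiOS code: rules are tried in ascending order, every match-* keyword set on a rule must be TRUE, a rule with no match-* keywords matches any route, and the implicit last rule denies. The contents of acc_list2 and the route values are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed example, not FortiOS code: a route-map evaluator following the
# rules stated for config router route-map. Access lists are modelled as lists
# of permitted prefixes; the list name acc_list2 comes from the rtmp2 example,
# its contents are made up.


@dataclass
class Route:
    prefix: str            # e.g. "10.1.0.0/16"
    metric: int
    nexthop: str = "0.0.0.0"
    tag: int = 0


@dataclass
class Rule:
    action: str = "permit"                   # permit | deny
    match_ip_address: Optional[str] = None   # access-list name
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None
    set_ip_nexthop: Optional[str] = None


def in_access_list(acl: List[str], prefix: str) -> bool:
    """True when the route's prefix lies inside any entry of the access list."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(entry)) for entry in acl)


def rule_matches(rule: Rule, route: Route, acls: Dict[str, List[str]]) -> bool:
    """All match-* keywords set on the rule must be TRUE; none set means match."""
    checks = []
    if rule.match_ip_address is not None:
        checks.append(in_access_list(acls.get(rule.match_ip_address, []), route.prefix))
    if rule.match_metric is not None:
        checks.append(route.metric == rule.match_metric)
    if rule.match_tag is not None:
        checks.append(route.tag == rule.match_tag)
    return all(checks)      # all([]) is True


def apply_route_map(rules: Dict[int, Rule], route: Route,
                    acls: Dict[str, List[str]]) -> Optional[Route]:
    """Return the (possibly modified) route when permitted, None when denied."""
    for rule_id in sorted(rules):             # ascending rule order
        rule = rules[rule_id]
        if not rule_matches(rule, route, acls):
            continue
        if rule.action == "deny":
            return None
        changes = {}
        if rule.set_metric is not None:
            changes["metric"] = rule.set_metric
        if rule.set_tag is not None:
            changes["tag"] = rule.set_tag
        if rule.set_ip_nexthop is not None:
            changes["nexthop"] = rule.set_ip_nexthop
        return replace(route, **changes)
    return None                               # implicit final rule: deny all


# The rtmp2 route map from the example above, plus a constructed access list.
RTMP2 = {
    1: Rule(action="deny", match_ip_address="acc_list2"),
    2: Rule(action="permit", match_metric=2, set_metric=4),
}
ACLS = {"acc_list2": ["172.16.0.0/12"]}     # constructed contents of acc_list2
```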

Using route maps with BGP
When a connection is established between BGP peers, the two peers exchange all of their BGP route entries. Afterward, they exchange updates that only include changes to the existing routing information. You can limit the number of received or advertised BGP route and routing updates using route maps.

Use the config router route-map command to create, edit, or delete a route map. Several BGP entries may be present in a route-map table.

Note: When you specify a route map for the dampening-route-map value through the config router bgp command (see “dampening-route-map <routemap-name_str>” on page 241), the FortiGate unit ignores global dampening settings. You cannot set global dampening settings for the FortiGate unit and then override those values through a route map.

Syntax
  config router route-map
    edit <route_map_name>
      set comments <string>
      config rule
        edit <route_map_rule_id>
          set match-as-path <aspath-list-name_str>
          set match-community <community-list-name_str>
          set match-community-exact {enable | disable}
          set match-origin {egp | igp | incomplete | none}
          set set-aggregator-as <id_integer>
          set set-aggregator-ip <address_ipv4>
          set set-aspath <id_integer> <id_integer> <id_integer> ...
          set set-atomic-aggregate {enable | disable}
          set set-community-delete <community-list-name_str>
          set set-community <criteria>
          set set-community-additive {enable | disable}
          set set-dampening-reachability-half-life <minutes>
          set set-dampening-reuse <reuse_integer>
          set set-dampening-suppress <suppress_integer>
          set set-dampening-max-suppress <minutes>
          set set-dampening-unreachability-half-life <minutes>
          set set-extcommunity-rt <AA:NN> <AA:NN> <AA:NN> ...
          set set-extcommunity-soo <AA:NN> <AA:NN> <AA:NN> ...
          set set-local-preference <preference_integer>
          set set-originator-id <address_ipv4>
          set set-origin {egp | igp | incomplete | none}
          set set-weight <weight_integer>
        end
    end

Note: All keywords are optional.

Variables

edit <route_map_name>
  Enter a name for the route map.
  Default: No default

comments <string>
  Enter a description for this route map name.
  Default: Null

config rule variables

edit <route_map_rule_id>
  Enter an entry number for the rule. The number must be an integer.
  Default: No default

match-as-path <aspath-list-name_str>
  Enter the AS-path list name that will be used to match BGP route prefixes. You must create the AS-path list before it can be selected here. See “aspath-list” on page 233.
  Default: Null

match-community <community-list-name_str>
  Enter the community list name that will be used to match BGP routes according to their COMMUNITY attributes. You must create the community list before it can be selected here. See “community-list” on page 250.
  Default: Null

match-community-exact {enable | disable}
  Enable or disable an exact match of the BGP route community specified by the match-community keyword. This keyword is available when match-community is set.
  Default: disable

match-origin {egp | igp | incomplete | none}
  Enter a value to compare to the ORIGIN attribute of a routing update:
  • To compare the NLRI learned from the Exterior Gateway Protocol (EGP), select egp. The FortiGate unit has the second-highest preference for routes of this type.
  • To compare the NLRI learned from a protocol internal to the originating AS, select igp. The FortiGate unit has the highest preference for routes learned through Internal Gateway Protocol (IGP).
  • To match routes that were learned some other way (for example, through redistribution), select incomplete.
  • To disable the matching of BGP routes based on the origin of the route, select none.
  Default: none

set-aggregator-as <id_integer>
  Set the originating AS of an aggregated route. The value specifies at which AS the aggregate route originated. The set-aggregator-ip value must also be set to further identify the originating AS. The range is from 1 to 65 535.
  Default: unset

set-aggregator-ip <address_ipv4>
  Set the IP address of the BGP router that originated the aggregate route. The value should be identical to the FortiGate unit router-id value (see “router-id <address_ipv4>” on page 242). This keyword is available when set-aggregator-as is set.
  Default: 0.0.0.0

set-aspath <id_integer> <id_integer> <id_integer> ...
  Modify the FortiGate unit AS_PATH attribute and add to it the AS numbers of the AS path belonging to a BGP route. The set-aspath value is added to the beginning of the AS_SEQUENCE segment of the AS_PATH attribute of incoming routes, or to the end of the AS_SEQUENCE segment of the AS_PATH attribute of outgoing routes. The resulting path describes the autonomous systems along the route to the destination specified by the NLRI. Enclose all AS numbers in quotes if there are multiple occurrences of the same id_integer. Otherwise the AS path may be incomplete. The range is from 1 to 65 535.
  Default: No default

set-atomic-aggregate {enable | disable}
  Enable or disable a warning to upstream routers through the ATOMIC_AGGREGATE attribute that address aggregation has occurred on an aggregate route. This value does not have to be specified when an as-set value is specified in the aggregate-address table (see “config aggregate-address” on page 243).
  Default: disable

set-community-delete <community-list-name_str>
  Remove the COMMUNITY attributes from the BGP routes identified in the specified community list. You must create the community list first before it can be selected here (see “community-list” on page 250).
  Default: Null

set-community <criteria>
  Set the COMMUNITY attribute of a BGP route.
  • Use decimal notation to set a specific COMMUNITY attribute for the route. The value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier. Delimit complex expressions with double quotation marks (for example, “123:234 345:456”).
  • To make the route part of the Internet community, select internet.
  • To make the route part of the LOCAL_AS community, select local-AS.
  • To make the route part of the NO_ADVERTISE community, select no-advertise.
  • To make the route part of the NO_EXPORT community, select no-export.
  Default: No default

set-community-additive {enable | disable}
  Enable or disable the appending of the set-community value to a BGP route. This keyword is available when set-community is set.
  Default: disable

set-dampening-reachability-half-life <minutes>
  Set the dampening reachability half-life of a BGP route (in minutes). The range is from 1 to 45.
  Default: 0

set-dampening-reuse <reuse_integer>
  Set the value at which a dampened BGP route will be reused. The range is from 1 to 20 000. If you set set-dampening-reuse, you must also set set-dampening-suppress and set-dampening-max-suppress.
  Default: 0

set-dampening-suppress <suppress_integer>
  Set the limit at which a BGP route may be suppressed. The range is from 1 to 20 000. See also “dampening-suppress <limit_integer>” on page 241.
  Default: 0

set-dampening-max-suppress <minutes>
  Set the maximum time (in minutes) that a BGP route can be suppressed. The range is from 1 to 255. See also “dampening-max-suppress-time <minutes_integer>” on page 240.
  Default: 0

set-dampening-unreachability-half-life <minutes>
  Set the unreachability half-life of a BGP route (in minutes). The range is from 1 to 45. See also “dampening-unreachability-half-life <minutes_integer>” on page 241.
  Default: 0

set-extcommunity-rt <AA:NN> <AA:NN> <AA:NN> ...
  Set the target extended community (in decimal notation) of a BGP route. The COMMUNITY attribute value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier.
  Default: No default

set-extcommunity-soo <AA:NN> <AA:NN> <AA:NN> ...
  Set the site-of-origin extended community (in decimal notation) of a BGP route. The COMMUNITY attribute value has the syntax AA:NN, where AA represents an AS, and NN is the community identifier.
  Default: No default

set-local-preference <preference_integer>
  Set the LOCAL_PREF value of an IBGP route. A higher number signifies a preferred route among multiple routes to the same destination. The value is advertised to IBGP peers. The range is from 0 to 4 294 967 295.
  Default: 0

set-originator-id <address_ipv4>
  Set the ORIGINATOR_ID attribute, which is equivalent to the router-id of the originator of the route in the local AS. Route reflectors use this value to prevent routing loops.
  Default: 0.0.0.0

set-origin {egp | igp | incomplete | none}
  Set the ORIGIN attribute of a local BGP route.
  • To set the value to the NLRI learned from the Exterior Gateway Protocol (EGP), select egp.
  • To set the value to the NLRI learned from a protocol internal to the originating AS, select igp.
  • If you did not specify egp or igp, select incomplete.
  • To disable the ORIGIN attribute, select none.
  Default: none

set-weight <weight_integer>
  Set the weight of a BGP route. A route’s weight has the most influence when two identical BGP routes are compared. A higher number signifies a greater preference. The range is from 0 to 2 147 483 647.
  Default: 0

Example
This example shows how to create a route map named BGP_rtmp2. The route map contains two rules. The first rule permits operations on routes that match the IP addresses in an access list named acc_list2. The second rule permits operations on routes according to a community list named com_list3.
  config router route-map
    edit BGP_rtmp2
      set comments “example BGP route map”
      config rule
        edit 1
          set match-ip-address acc_list2
          set action permit
        next
        edit 2
          set match-community com_list3
          set action permit
        end
  end

History
FortiOS v2.80      New.
FortiOS v3.0       Added support for BGP.
FortiOS v3.0 MR6   Added comments keyword.

Related topics
• router access-list
• router prefix-list
• router rip
• router aspath-list
• router bgp
• router community-list
• router key-chain

static
Use this command to add, edit, or delete static routes for IPv4 traffic. For IPv6 traffic, use the static6 command.

You add static routes to control traffic exiting the FortiGate unit. You configure routes by specifying destination IP addresses and network masks and adding gateways for these destination addresses. Gateways are the next-hop routers to which traffic that matches the destination addresses in the route is forwarded.

You can adjust the administrative distance of a route to indicate preference when more than one route to the same destination is available. The lower the administrative distance, the greater the preferability of the route.

If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate unit forwarding table. As a result, the FortiGate unit forwarding table only contains routes having the lowest distances to every possible destination. Any ties are resolved by comparing the routes’ priority, with the lowest priority being preferred. If both administrative distance and priority are tied for two or more routes, the egress index for the routes will be used to determine the selected route.

After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the sequence numbers of those routes determine routing priority. When two routes to the same destination exist in the forwarding table, an equal cost multi-path (ECMP) situation occurs. In this case, the FortiGate unit selects the route having the lowest sequence number.

Syntax
  config router static
    edit <sequence_number>
      set blackhole {enable | disable}
      set device <interface_name>
      set distance <distance>
      set dst <destination-address_ipv4mask>
      set dynamic-gateway {enable | disable}
      set gateway <gateway-address_ipv4>
      set priority <integer>
    end

Note: The dst and gateway keywords are required when blackhole is disabled. When blackhole is enabled, the dst keyword is required. All other keywords are optional.

Variables

edit <sequence_number>
  Enter a sequence number for the static route. The sequence number may influence routing priority in the FortiGate unit forwarding table.
  Default: No default

blackhole {enable | disable}
  Enable or disable dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route.
  Default: disable

device <interface_name>
  Enter the name of the FortiGate unit interface through which to route traffic. This keyword is available when blackhole is set to disable. Use ‘?’ to see a list of interfaces.
  Default: Null

distance <distance>
    Enter the administrative distance for the route. The range is an integer from 1-255. The distance value may influence route preference in the FortiGate unit routing table. See also config system interface “distance <distance_integer>” on page 259.
    Default: 10

dst <destinationaddress_ipv4mask>
    Enter the destination IP address and network mask for this route. You can enter 0.0.0.0 0.0.0.0 to create a new static default route.
    Default: 0.0.0.0 0.0.0.0

dynamic-gateway {enable | disable}
    When enabled, dynamic-gateway hides the gateway variable for a dynamic interface, such as a DHCP or PPPoE interface. When the interface connects or disconnects, the corresponding routing entries are updated to reflect the change. This field is only accessible through the CLI.
    Default: disable

gateway <gatewayaddress_ipv4>
    Enter the IP address of the next-hop router to which traffic is forwarded. This keyword is available when blackhole is set to disable.
    Default: 0.0.0.0

priority <integer>
    The administrative priority value is used to resolve ties in route selection, such as equal cost multi-path (ECMP). Lower priority routes are preferred routes. In the case where both routes have the same priority, the egress index for the routes will be used to determine the selected route. The range is an integer from 0 to 4294967295.
    Default: 0

Example

This example shows how to add a static route that has the sequence number 2.

    config router static
        edit 2
            set dev internal
            set dst 192.168.22.0 255.255.255.0
            set gateway 192.168.22.44
        end

This example shows how to add a static route for a dynamic modem interface with an administrative distance of 1 and a priority of 1. These settings make this the preferred route.

    config router static
        edit 3
            set dev modem
            set dynamic-gateway enable
            set dst 10.0.0.0
            set distance 1
            set priority 1
        end

History

FortiOS v2.80      Substantially revised.
FortiOS v3.0       Added blackhole attribute.
FortiOS v3.0 MR2   Added dynamic-gateway attribute.
FortiOS v3.0 MR6   Added default value for priority.
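The selection rules above (lowest distance reaches the forwarding table, priority breaks ties, egress index breaks the remaining tie) modelled as an added example; this is not FortiOS code, and the egress index, interface names and addresses are constructed for the demonstration:

```python
"""Model of how the FortiGate unit chooses among static routes for its
forwarding table, as described in the router static reference.  Added
example, not FortiOS code; the egress index is a constructed stand-in
for the interface index used to break a priority tie."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    seq: int                  # edit <sequence_number>
    dst: str                  # "network mask" as given to set dst
    device: str               # set device <interface_name>; "" for blackhole
    gateway: str = "0.0.0.0"  # next-hop router; not set for blackhole routes
    distance: int = 10        # default 10, range 1-255
    priority: int = 0         # default 0, lower is preferred
    blackhole: bool = False
    egress_index: int = 0     # constructed stand-in for the interface index

    def network(self):
        net, mask = self.dst.split()
        return ipaddress.IPv4Network(f"{net}/{mask}", strict=False)


def validate(route):
    """Reject values outside the ranges the reference gives."""
    if not 1 <= route.distance <= 255:
        raise ValueError(f"route {route.seq}: distance must be 1-255")
    if not 0 <= route.priority <= 4294967295:
        raise ValueError(f"route {route.seq}: priority out of range")
    if route.blackhole and (route.device or route.gateway != "0.0.0.0"):
        raise ValueError(f"route {route.seq}: device/gateway need blackhole disabled")


def forwarding_table(routes):
    """Per destination prefix keep only the lowest-distance routes, ordered by
    (priority, egress_index) so the first entry is the one that is used."""
    by_dst = {}
    for route in routes:
        validate(route)
        by_dst.setdefault(route.network(), []).append(route)
    table = {}
    for net, candidates in by_dst.items():
        lowest = min(r.distance for r in candidates)
        table[net] = sorted((r for r in candidates if r.distance == lowest),
                            key=lambda r: (r.priority, r.egress_index))
    return table


def select_route(table, dst_ip):
    """Longest-prefix match, then the preferred route for that prefix."""
    ip = ipaddress.IPv4Address(dst_ip)
    matches = [net for net in table if ip in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)][0]


# Constructed sample: two default routes, two routes to 10.0.0.0/8 with
# equal distance, and a blackhole route for an unused range.
SAMPLE_ROUTES = [
    StaticRoute(1, "0.0.0.0 0.0.0.0", "wan1", "203.0.113.1", egress_index=1),
    StaticRoute(2, "192.168.22.0 255.255.255.0", "internal", "192.168.22.44",
                egress_index=2),
    StaticRoute(3, "0.0.0.0 0.0.0.0", "modem", distance=1, priority=1,
                egress_index=5),
    StaticRoute(4, "10.0.0.0 255.0.0.0", "dmz", "172.16.0.1", priority=5,
                egress_index=3),
    StaticRoute(5, "10.0.0.0 255.0.0.0", "internal", "192.168.22.1",
                priority=2, egress_index=2),
    StaticRoute(6, "10.10.0.0 255.255.0.0", "", blackhole=True),
]

if __name__ == "__main__":
    fib = forwarding_table(SAMPLE_ROUTES)
    for probe in ("8.8.8.8", "10.1.2.3", "10.10.5.5", "192.168.22.7"):
        chosen = select_route(fib, probe)
        print(probe, "->", chosen.device or "blackhole", "seq", chosen.seq)
```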

Related topics

• system interface
• get router info routing-table

router static6

Use this command to add, edit, or delete static routes for IPv6 traffic. You add static routes to specify the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and network masks and adding gateways for these destination addresses. The gateways are the next-hop routers to which traffic that matches the destination addresses in the route are forwarded.

Note: You can configure static routes for IPv6 traffic on FortiGate units that run in NAT/Route mode.

Syntax

    config router static6
        edit <sequence_number>
            set device <interface_name>
            set dst <destination-address_ipv6mask>
            set gateway <gateway-address_ipv6>
        end

Note: The device, dst, and gateway keywords are all required.

Variables

edit <sequence_number>
    Enter a sequence number for the static route.
    Default: No default.

device <interface_name>
    The name of the FortiGate unit interface through which to route traffic.
    Default: Null

dst <destinationaddress_ipv6mask>
    The destination IPv6 address and netmask for this route. You can enter ::/0 to create a new static default route for IPv6 traffic.
    Default: ::/0

gateway <gateway-address_ipv6>
    The IPv6 address of the next-hop router to which traffic is forwarded.
    Default: ::

Example

This example shows how to add an IPv6 static route that has the sequence number 2.

    config router static6
        edit 2
            set dev internal
            set dst 2001:DB8::/32
            set gateway 2001:DB8:0:CD30:123:4567:89AB:CDEF
        end

History

FortiOS v2.80   New.

Related topics

• system interface
• get router info routing-table

spamfilter

Use spamfilter commands to create a banned word list, configure filters based on email addresses, IP addresses, and MIME headers, and to configure the FortiGuard-Antispam service.

This chapter contains the following sections:

bword
emailbwl
fortishield
ipbwl
iptrust
mheader
options
DNSBL

spamfilter bword

Use this command to add or edit and configure options for the spam filter banned word list.

The FortiGate spam filters are applied in the following order:

For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7 Banned word check

For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, DNSBL & ORDBL check, FortiGuard Antispam check
4 Banned word check

For SMTP, POP3, and IMAP

Control spam by blocking email messages containing specific words or patterns. If enabled in the protection profile, the FortiGate unit searches for words or patterns in email messages. If matches are found, values assigned to the words are totalled. If a user-defined threshold value is exceeded, the message is marked as spam. If no match is found, the email message is passed along to the next filter.

Use Perl regular expressions or wildcards to add banned word patterns to the list. See “Using Perl regular expressions” on page 48.

Words can be marked as spam or clear. Banned words can be one word or a phrase up to 127 characters long. If a single word is entered, the FortiGate unit blocks all email that contain that word. If a phrase is entered, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.

Note: Perl regular expression patterns are case sensitive for Spam Filter banned words. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.

Add one or more banned words to sort email containing those words in the email subject, body, or both.

Syntax

    config spamfilter bword
        edit <banned_word_list_integer>
            set name <banned_word_list>
            set comment <banned_word_list_comment>
            config entries
                edit <banned_word_integer>
                    set action {clear | spam}
                    set language {french | japanese | korean | simch | thai | trach | western}
                    set pattern <banned_word_str>
                    set pattern-type {regexp | wildcard}
                    set score <integer_value>
                    set status {enable | disable}
                    set where {all | body | subject}
                end
        end

Keywords and variables

<banned_word_list_integer>
    A unique number to identify the banned word list.
    Default: No default.

<banned_word_list>
    The name of the banned word list.
    Default: No default.

<banned_word_list_comment>
    The comment attached to the banned word list.
    Default: No default.

<banned_word_integer>
    A unique number to identify the banned word or pattern.
    Default: No default.

action {clear | spam}
    Enter clear to allow the email. Enter spam to apply the spam action configured in the protection profile.
    Default: spam

language {french | japanese | korean | simch | thai | trach | western}
    Enter the language character set used for the banned word or phrase. Choose from French, Japanese, Korean, Simplified Chinese, Thai, Traditional Chinese, or Western.
    Default: western

pattern <banned_word_str>
    Enter the banned word or phrase pattern using regular expressions or wildcards.
    Default: No default.

pattern-type {regexp | wildcard}
    Enter the pattern type for the banned word (pattern). Choose from regular expressions or wildcard.
    Default: wildcard

score <integer_value>
    A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the spamwordthreshold value set in the protection profile, the message is processed according to the spam action setting in the protection profile. The score for a banned word is counted once even if the word appears multiple times in an email message.
    Default: 10

status {enable | disable}
    Enable or disable scanning email for each banned word.
    Default: enable

where {all | body | subject}
    Enter where in the email to search for the banned word or phrase.
    Default: all

History

FortiOS v2.80       New.
FortiOS v2.80 MR2   Added score variable.
FortiOS v3.0        Added multiple-list capability for models 800 and above. Added French and Thai variables to the language keyword.
FortiOS v3.0 MR4    All models have the same CLI syntax now.
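The scoring rules of the banned word check (score counted once per entry, total compared against spamwordthreshold, case-sensitive Perl patterns unless written /.../i, case-insensitive wildcards, the where keyword) as an added example; this is not FortiOS code. Two behaviours the reference leaves open are assumptions here: wildcard patterns match as substrings, and a matching clear entry exempts the message, as clear does in the address and IP lists.

```python
"""Model of the spamfilter bword check.  Added example, not FortiOS code.
Assumptions: wildcard patterns match as case-insensitive substrings, and a
matching 'clear' entry exempts the message from the rest of the check."""
import re
from dataclasses import dataclass

MAX_PATTERN_LEN = 127  # banned words can be one word or a phrase up to 127 characters


@dataclass(frozen=True)
class BannedWord:
    pattern: str
    pattern_type: str = "wildcard"  # regexp | wildcard (default)
    action: str = "spam"            # clear | spam (default)
    score: int = 10                 # default 10
    status: str = "enable"          # enable | disable
    where: str = "all"              # all | body | subject


def compile_pattern(entry):
    """Wildcards are not case sensitive.  Perl patterns are case sensitive
    unless written /.../i, e.g. /bad language/i."""
    if len(entry.pattern) > MAX_PATTERN_LEN:
        raise ValueError("banned word longer than 127 characters")
    if entry.pattern_type == "wildcard":
        body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                       for c in entry.pattern)
        return re.compile(body, re.IGNORECASE)
    m = re.fullmatch(r"/(.*)/([a-z]*)", entry.pattern, re.DOTALL)
    if m:
        body, flags = m.groups()
        return re.compile(body, re.IGNORECASE if "i" in flags else 0)
    return re.compile(entry.pattern)


def banned_word_check(entries, subject, body, threshold):
    """Return (verdict, total_score).  Each matching entry adds its score
    once, however often the word occurs; the message is spam only when the
    total is greater than the protection profile's spamwordthreshold."""
    total = 0
    for entry in entries:
        if entry.status != "enable":
            continue
        if entry.where == "subject":
            text = subject
        elif entry.where == "body":
            text = body
        else:
            text = subject + "\n" + body
        if compile_pattern(entry).search(text) is None:
            continue
        if entry.action == "clear":
            return "clear", total
        total += entry.score
    return ("spam" if total > threshold else "pass"), total


# Constructed sample list.
SAMPLE_LIST = [
    BannedWord("/bad language/i", "regexp", score=10),
    BannedWord("free*money", score=15, where="subject"),
    BannedWord("/Unsubscribe/", "regexp", score=5),      # case sensitive
    BannedWord("newsletter", action="clear"),
    BannedWord("lottery", score=100, status="disable"),  # disabled entry
]

if __name__ == "__main__":
    print(banned_word_check(SAMPLE_LIST, "FREE MONEY now",
                            "Bad Language here, bad language again. unsubscribe",
                            20))
```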

Related topics

• spamfilter emailbwl
• spamfilter fortishield
• spamfilter ipbwl
• spamfilter iptrust
• spamfilter mheader
• spamfilter options
• spamfilter DNSBL

spamfilter emailbwl

Use this command to filter email based on the sender’s email address or address pattern.

The FortiGate spam filters are applied in the following order:

For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7 Banned word check

For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, DNSBL & ORDBL check, FortiGuard Antispam check
4 Banned word check

For SMTP, POP3, and IMAP

The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the email address or domain of the sender to the list in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

The FortiGate unit can filter email from specific senders or all email from a domain (such as example.net). Each email address can be marked as clear or spam. Use Perl regular expressions or wildcards to add email address patterns to the list. See “Using Perl regular expressions” on page 48.

Syntax

    config spamfilter emailbwl
        edit <emailbwl_list_integer>
            set name <emailbwl_list>
            set comment <emailbwl_list_comment>
            config entries
                edit <email_address_integer>
                    set action {clear | spam}
                    set email-pattern <email_address_str>
                    set pattern-type {regexp | wildcard}
                    set status {enable | disable}
                end
        end

Keywords and variables

<emailbwl_list_integer>
    A unique number to identify the email black/white list.
    Default: No default.

<emailbwl_list>
    The name of the email black/white list.
    Default: No default.

<emailbwl_list_comment>
    The comment attached to the email black/white list.
    Default: No default.

<email_address_integer>
    A unique number to identify the email pattern.
    Default: No default.

action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam action configured in the protection profile.
    Default: spam

email-pattern <email_address_str>
    Enter the email address pattern using wildcards or Perl regular expressions.
    Default: No default.

pattern-type {regexp | wildcard}
    Enter the pattern-type for the email address. Choose from wildcards or Perl regular expressions.
    Default: wildcard

status {enable | disable}
    Enable or disable scanning for each email address.
    Default: enable

History

FortiOS v2.80      New.
FortiOS v3.0       Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4   All models have the same CLI syntax now.

Related topics

• spamfilter bword
• spamfilter fortishield
• spamfilter ipbwl
• spamfilter iptrust
• spamfilter mheader
• spamfilter options
• spamfilter DNSBL

spamfilter fortishield

Use this command to configure the settings for the FortiGuard-Antispam Service.

The FortiGate spam filters are applied in the following order:

For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7 Banned word check

For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, DNSBL & ORDBL check, FortiGuard Antispam check
4 Banned word check

For SMTP, POP3, and IMAP

FortiGuard-Antispam Service is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools. The IP address black list contains IP addresses of email servers known to be used to generate Spam. The URL black list contains URLs found in Spam email. FortiGuard-Antispam Service compiles the IP address and URL list from email captured by spam probes located around the world. Spam probes are email addresses purposely configured to attract spam and identify known spam sources to create the antispam IP address and URL list. FortiGuard-Antispam Service combines IP address and URL checks with other spam filter techniques in a two-pass process.

On the first pass, if spamfsip is selected in the protection profile, FortiGuard-Antispam Service extracts the SMTP mail server source address and sends the IP address to a FortiGuard-Antispam Service server to see if this IP address matches the list of known spammers. If spamfsurl is selected in the protection profile, FortiGuard-Antispam Service checks the body of email messages to extract any URL links. These URL links will be sent to a FortiGuard-Antispam Service server to see if any of them is listed. Typically Spam messages contain URL links to advertisements (also called spamvertizing). If an IP address or URL match is found, FortiGuard-Antispam Service terminates the session. If FortiGuard-Antispam Service does not find a match, the mail server sends the email to the recipient.

As each email is received, FortiGuard-Antispam Service performs the second antispam pass by checking the header, subject, and body of the email for common spam content. If FortiGuard-Antispam Service finds spam content, the email is tagged or dropped according to the configuration in the firewall protection profile.

Both FortiGuard-Antispam Service antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard-Antispam Service is always current. Enable or disable FortiGuard-Antispam Service in a firewall protection profile.

Syntax

    config spamfilter fortishield
        set spam-submit-force {enable | disable}
        set spam-submit-srv <url_str>
        set spam-submit-txt2htm {enable | disable}
    end

Keywords and variables

spam-submit-force {enable | disable}
    Enable or disable force insertion of a new mime entity for the submission text.
    Default: enable

spam-submit-srv <url_str>
    The host name of the FortiGuard-Antispam Service server. The FortiGate unit comes preconfigured with the host name. Use this command only to change the host name.
    Default: www.nospammer.net

spam-submit-txt2htm {enable | disable}
    Enable or disable converting text email to HTML.
    Default: enable

History

FortiOS v2.80 MR7   New.
FortiOS v3.0        Some revisions and added port and timeout.
FortiOS v3.0 MR1    Restructured: some commands were moved to system fortiguard and some new commands were added.

Related topics

• spamfilter bword
• spamfilter emailbwl
• spamfilter ipbwl
• spamfilter iptrust
• spamfilter mheader
• spamfilter options
• spamfilter DNSBL

168. HELO DNS lookup E-mail address BWL check MIME headers check IP address BWL check (for IPs extracted from “Received” headers) Return e-mail DNS check.x.255.168. Mark each IP address as clear. POP3. If no match is found.x/x.x. FortiGuard Antispam check. The FortiGate spam filters are generally applied in the following order: For SMTP 1 2 3 4 5 6 7 IP address BWL check . the corresponding protection profile action is taken.x.10.23/255. IP BWL check Return e-mail DNS check. or reject.x.Last hop IP DNSBL & ORDBL check. and URLs in email content) Banned word check For POP3 and IMAP 1 2 3 4 E-mail address BWL check MIME headers check. the email is passed on to the next spam filter.23/24 Configure the FortiGate unit to filter email from specific IP addresses.0 x.x.x.spamfilter ipbwl ipbwl Use this command to filter email based on the IP or subnet address.255. for example 192. If a match is found.x/x. The FortiGate unit compares the IP address of the sender to the list in sequence. Enter an IP address and mask in one of two formats: • • x.x. spam. DNSBL & ORDBL check Banned word check For SMTP. Syntax config spamfilter ipbwl edit <ipbwl_list_integer> set name <ipbwl_list> set comment <ipbwl_list_comment> config entries edit <address_ipv4_integer> set action {clear | reject | spam} set ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>} set status {enable | disable} end FortiGate® CLI Version 3. IP address FortiGuard check. or a range of addresses at the network level by configuring an address and mask. and IMAP The FortiGate unit uses the IP address list to filter incoming email. for example 192.10. FortiGuard Antispam check (for IPs extracted from “Received” headers.0 MR7 Reference 01-30007-0015-20090112 313 . Filter single IP addresses.

Keywords and variables

<ipbwl_list_integer>
    A unique number to identify the IP black/white list.
    Default: No default.

<ipbwl_list>
    The name of the IP black/white list.
    Default: No default.

<ipbwl_list_comment>
    The comment attached to the IP black/white list.
    Default: No default.

<address_ipv4_integer>
    A unique number to identify the address.
    Default: No default.

action {clear | reject | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter reject to drop any current or incoming sessions. Enter spam to apply the spam action configured in the protection profile.
    Default: spam

ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
    The IP address to filter. A subnet mask in the format 192.168.10.23/255.255.255.0 or 192.168.10.23/24 can also be included.
    Default: No default.

status {enable | disable}
    Enable or disable scanning email for each IP address.
    Default: enable

History

FortiOS v2.80      New.
FortiOS v3.0       Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4   All models have the same CLI syntax now.

Related topics

• spamfilter bword
• spamfilter emailbwl
• spamfilter fortishield
• spamfilter iptrust
• spamfilter mheader
• spamfilter options
• spamfilter DNSBL

spamfilter iptrust

Use this command to add an entry to a list of trusted IP addresses. If the FortiGate unit sits behind a company’s Mail Transfer Units, it may be unnecessary to check email IP addresses because they are internal and trusted. The only IP addresses that need to be checked are those from outside of the company. In some cases, external IP addresses may be added to the list if it is known that they are not sources of spam.

Syntax

    config spamfilter iptrust
        edit <iptrust_list_integer>
            set name <iptrust_list>
            set comment <iptrust_list_comment>
            config entries
                edit <address_integer>
                    set ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
                    set status {enable | disable}
                end
        end

Keywords and variables

<iptrust_list_integer>
    A unique number to identify the IP trust list.
    Default: No default.

<iptrust_list>
    The name of the IP trust list.
    Default: No default.

<iptrust_list_comment>
    The comment attached to the IP trust list.
    Default: No default.

<address_integer>
    A unique number to identify the address.
    Default: No default.

ip/subnet {<address_ipv4> | <address_ipv4>/<address_ipv4mask>}
    The trusted IP address. A subnet mask in the format 192.168.10.23/255.255.255.0 or 192.168.10.23/24 can also be included.
    Default: No default.

status {enable | disable}
    Enable or disable the IP address.
    Default: enable

History

FortiOS v3.0       New.
FortiOS v3.0 MR4   All models have the same CLI syntax now.

Related topics

• spamfilter bword
• spamfilter emailbwl
• spamfilter fortishield
• spamfilter ipbwl
• spamfilter mheader
• spamfilter options
• spamfilter DNSBL
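The IP black/white list (ipbwl) and IP trust list (iptrust) described above as one added example: both mask formats are parsed, entries are compared in sequence with the first match deciding, and the SMTP order's two IP BWL checks (last hop IP, then IPs from the Received headers) are run in turn. This is not FortiOS code; that a sender in an enabled trusted entry is skipped entirely is an assumption, and the addresses are constructed.

```python
"""Model of the spamfilter ipbwl and iptrust checks.  Added example, not
FortiOS code.  Assumption: a sender matched by an enabled trusted entry is
not compared with the black/white list at all."""
import ipaddress
from dataclasses import dataclass

ACTIONS = ("clear", "reject", "spam")


@dataclass(frozen=True)
class IPEntry:
    ip_subnet: str            # x.x.x.x, x.x.x.x/x.x.x.x or x.x.x.x/x
    action: str = "spam"      # clear | reject | spam; unused for trust entries
    status: str = "enable"    # enable | disable


def parse_ip_subnet(text):
    """Accept both mask formats from the reference, e.g.
    192.168.10.23/255.255.255.0 and 192.168.10.23/24.  A bare address is
    treated as a single host."""
    if "/" not in text:
        text += "/32"
    return ipaddress.IPv4Network(text, strict=False)


def ip_check(bwl, trusted, sender_ip):
    """Return 'trusted', the first matching entry's action, or None when
    the email passes on to the next spam filter."""
    ip = ipaddress.IPv4Address(sender_ip)
    for entry in trusted:
        if entry.status == "enable" and ip in parse_ip_subnet(entry.ip_subnet):
            return "trusted"
    for entry in bwl:  # compared in sequence; the first match wins
        if entry.action not in ACTIONS:
            raise ValueError(f"unknown action {entry.action!r}")
        if entry.status == "enable" and ip in parse_ip_subnet(entry.ip_subnet):
            return entry.action
    return None


def smtp_ip_checks(bwl, trusted, last_hop_ip, received_ips):
    """The SMTP filter order runs the IP BWL check on the last hop IP first
    and later on the IPs extracted from the Received headers."""
    results = [ip_check(bwl, trusted, last_hop_ip)]
    results += [ip_check(bwl, trusted, ip) for ip in received_ips]
    return results


# Constructed sample lists (documentation address ranges).
SAMPLE_BWL = [
    IPEntry("192.0.2.0/255.255.255.0", "reject"),
    IPEntry("198.51.100.7", "clear"),          # host entry before its /24
    IPEntry("198.51.100.0/24", "spam"),
    IPEntry("203.0.113.0/24", "spam", status="disable"),
]
SAMPLE_TRUST = [IPEntry("10.0.0.0/8")]

if __name__ == "__main__":
    for probe in ("192.0.2.9", "198.51.100.7", "198.51.100.8", "10.1.2.3"):
        print(probe, "->", ip_check(SAMPLE_BWL, SAMPLE_TRUST, probe))
```

Swapping the two 198.51.100 entries would turn the clear into spam for 198.51.100.7, which is why entry order in these lists is worth reviewing.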

spamfilter mheader

Use this command to configure email filtering based on the MIME header.

The FortiGate spam filters are applied in the following order:

For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7 Banned word check

For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, DNSBL & ORDBL check, FortiGuard Antispam check
4 Banned word check

For SMTP, POP3, and IMAP

The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

MIME (Multipurpose Internet Mail Extensions) headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:

• X-mailer: outgluck
• X-Distribution: bulk
• Content-Type: text/html
• Content-Type: image/jpg

The first part of the MIME header is called the header key, or just header. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters.

Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. Mark the email as spam or clear for each header configured.

MIME header settings are configured with this command but MIME header filtering is enabled within each protection profile.

Use Perl regular expressions or wildcards to add MIME header patterns to the list. See “Using Perl regular expressions” on page 48.

Note: MIME header entries are case sensitive.

Syntax

    config spamfilter mheader
        edit <mime_list_integer>
            set name <mime_list>
            set comment <mime_list_comment>
            config entries
                edit <mime_integer>
                    set action {clear | spam}
                    set fieldbody <mime_str>
                    set fieldname <mime_str>
                    set pattern-type {regexp | wildcard}
                    set status {enable | disable}
                end
        end

Keywords and variables

<mime_list_integer>
    A unique number to identify the MIME header list.
    Default: No default.

<mime_list>
    The name of the MIME header list.
    Default: No default.

<mime_list_comment>
    The comment attached to the MIME header list.
    Default: No default.

<mime_integer>
    A unique number to identify the MIME header.
    Default: No default.

action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam action configured in the protection profile.
    Default: spam

fieldbody <mime_str>
    Enter the MIME header value (header field body) using wildcards or Perl regular expressions.
    Default: No default.

fieldname <mime_str>
    Enter the MIME header key (header field name) using wildcards or Perl regular expressions. Do not include a trailing colon.
    Default: No default.

pattern-type {regexp | wildcard}
    Enter the pattern-type for the MIME header. Choose from wildcards or Perl regular expressions.
    Default: wildcard

status {enable | disable}
    Enable or disable scanning email headers for the MIME header and header value defined in the fieldname and fieldbody strings.
    Default: enable

History

FortiOS v2.80      New.
FortiOS v3.0       Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR4   All models have the same CLI syntax now.

Related topics

• spamfilter bword
• spamfilter emailbwl
• spamfilter fortishield
• spamfilter ipbwl
• spamfilter iptrust
• spamfilter options
• spamfilter DNSBL
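The MIME header check above (fieldname without a trailing colon, fieldbody pattern, case-sensitive comparison, entries tried in sequence with the first match deciding) as an added example; this is not FortiOS code. It uses Python's email parser to split the headers, and the sample messages and list entries are constructed.

```python
"""Model of the spamfilter mheader check.  Added example, not FortiOS code.
Each enabled entry's fieldname (header key) and fieldbody (header value)
patterns are compared case-sensitively with every header of the message;
entries are tried in list order and the first match decides."""
import email
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderEntry:
    fieldname: str                  # header key, e.g. X-Mailer (no colon)
    fieldbody: str                  # header value pattern, e.g. out*
    action: str = "spam"            # clear | spam
    pattern_type: str = "wildcard"  # regexp | wildcard
    status: str = "enable"          # enable | disable

    def __post_init__(self):
        if self.fieldname.endswith(":"):
            raise ValueError("fieldname must not include a trailing colon")


def header_matches(entry, name, value):
    """MIME header entries are case sensitive for both key and value."""
    if entry.pattern_type == "wildcard":
        return (fnmatch.fnmatchcase(name, entry.fieldname)
                and fnmatch.fnmatchcase(value, entry.fieldbody))
    return (re.fullmatch(entry.fieldname, name) is not None
            and re.fullmatch(entry.fieldbody, value) is not None)


def mheader_check(entries, raw_message):
    """Return (action, 'Header: value') for the first matching entry, or
    None when nothing matches and the mail goes on to the next filter."""
    msg = email.message_from_string(raw_message)
    for entry in entries:
        if entry.status != "enable":
            continue
        for name, value in msg.items():
            if header_matches(entry, name, value):
                return entry.action, f"{name}: {value}"
    return None


# Constructed sample list: a clear entry first, then spam traits.
SAMPLE_HEADERS = [
    HeaderEntry("List-Unsubscribe", "*", action="clear"),
    HeaderEntry("X-Mailer", "outgluck"),
    HeaderEntry("X-Mailer", ""),                       # blank value
    HeaderEntry("X-Distribution", "bulk|list", pattern_type="regexp"),
    HeaderEntry("Content-Type", "image/*"),
]

# Constructed sample message.
BULK_MAIL = ("X-Mailer: outgluck\nX-Distribution: bulk\n"
             "Content-Type: text/html\nSubject: hello\n\nbody\n")

if __name__ == "__main__":
    print(mheader_check(SAMPLE_HEADERS, BULK_MAIL))
```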

spamfilter options

Use this command to set the spamfilter DNS query timeout.

Syntax

    config spamfilter options
        set dns-timeout <timeout_integer>
    end

Keywords and variables

dns-timeout <timeout_integer>
    Set the DNS query timeout in the range 1 to 30 seconds.
    Default: 7

Example

This example shows how to set the DNS timeout.

    config spamfilter options
        set dns-timeout 15
    end

History

FortiOS v3.0   New.

Related topics

• spamfilter bword
• spamfilter emailbwl
• spamfilter fortishield
• spamfilter ipbwl
• spamfilter iptrust
• spamfilter mheader
• spamfilter DNSBL

spamfilter DNSBL

Use this command to configure email filtering using DNS-based Blackhole List (DNSBL) or Open Relay Database List (ORDBL) servers.

The FortiGate spam filters are generally applied in the following order:

For SMTP
1 IP address BWL check - Last hop IP
2 DNSBL & ORDBL check, IP address FortiGuard check, HELO DNS lookup
3 E-mail address BWL check
4 MIME headers check
5 IP address BWL check (for IPs extracted from “Received” headers)
6 Return e-mail DNS check, FortiGuard Antispam check (for IPs extracted from “Received” headers, and URLs in email content)
7 Banned word check

For POP3 and IMAP
1 E-mail address BWL check
2 MIME headers check, IP BWL check
3 Return e-mail DNS check, DNSBL & ORDBL check, FortiGuard Antispam check
4 Banned word check

For SMTP, POP3, and IMAP

The FortiGate unit compares the IP address or domain name of the sender to any database lists configured in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

Some spammers use unsecured third party SMTP servers to send unsolicited bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network. These lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through. There are several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs. Please check with the service being used to confirm the correct domain name for connecting to the server.

DNSBL and ORDBL settings are configured with this command but DNSBL and ORDBL filtering is enabled within each protection profile.

Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see “system dns” on page 353.

Syntax

    config spamfilter DNSBL
        edit <DNSBL_list_integer>
            set name <DNSBL_list>
            set comment <DNSBL_list_comment>
            config entries
                edit <server_integer>
                    set action {reject | spam}
                    set server <name_str>
                    set status {enable | disable}
                end
        end

Keywords and variables

<DNSBL_list_integer>
    A unique number to identify the DNSBL list.
    Default: No default.

<DNSBL_list>
    The name of the DNSBL list.
    Default: No default.

<DNSBL_list_comment>
    The comment attached to the DNSBL list.
    Default: No default.

<server_integer>
    A unique number to identify the DNSBL server.
    Default: No default.

action {reject | spam}
    Enter reject to stop any further processing of the current session and to drop an incoming connection at once. Enter spam to identify email as spam.
    Default: spam

server <name_str>
    Enter the domain name of a Real-time Blackhole List server or an Open Relay Database server.
    Default: No default.

status {enable | disable}
    Enable or disable querying the Real-time Blackhole List server or Open Relay Database server named in the server string.
    Default: enable

History

FortiOS v2.80      New.
FortiOS v3.0       Added multiple-list capability for models 800 and above.
FortiOS v3.0 MR2   Multiple-list feature is available for all models.
FortiOS v3.0 MR5   Changed RBL to DNSBL.

Related topics

• spamfilter bword
• spamfilter emailbwl
• spamfilter fortishield
• spamfilter ipbwl
• spamfilter iptrust
• spamfilter mheader
• spamfilter options
• system dns

system

Use system commands to configure options related to the overall operation of the FortiGate unit, including:

• Administrative access
• Automatic updating of antivirus and attack definitions
• High availability (HA)
• Network interfaces
• Replacement messages
• VLANs and virtual domains

This chapter contains the following sections:

accprofile
admin
alertemail
amc
arp-table
auto-install
autoupdate clientoverride
autoupdate override
autoupdate push-update
autoupdate schedule
autoupdate tunneling
aux
bug-report
carrier-endpoint-translation (FortiOS Carrier)
console
dhcp reserved-address
dhcp server
dns
dynamic-profile (FortiOS Carrier)
fips-cc
fortianalyzer, fortianalyzer2, fortianalyzer3
fortiguard
fortiguard-log
fortimanager
gi-gk (FortiOS Carrier)
global
gre-tunnel
ha
interface
ipv6-tunnel
mac-address-table
management-tunnel
modem
npu
ntp
proxy-arp
replacemsg admin
replacemsg alertmail
replacemsg auth
replacemsg fortiguard-wf
replacemsg ftp
replacemsg http
replacemsg im
replacemsg mail
replacemsg mm1 (FortiOS Carrier)
replacemsg mm3 (FortiOS Carrier)
replacemsg mm4 (FortiOS Carrier)
replacemsg mm7 (FortiOS Carrier)
replacemsg nntp
replacemsg spam
replacemsg sslvpn
replacemsg-group (FortiOS Carrier)
replacemsg-image (FortiOS Carrier)
session-helper
session-sync
session-ttl
settings
sit-tunnel
snmp community
snmp sysinfo
switch-interface
tos-based-priority
vdom-link
wireless mac-filter
wireless settings
zone

system accprofile

Use this command to add access profiles that control administrator access to FortiGate features. Each FortiGate administrator account must include an access profile. You can create access profiles that deny access, allow read only, or allow both read and write access to FortiGate features. You cannot delete or modify the super_admin access profile, but you can use the super_admin profile with more than one administrator account.

Syntax

    config system accprofile
        edit <profile-name>
            set <access-group> <access-level>
            set radius-vdom-override {disable | enable}
            set radius-accprofile-override {disable | enable}
            config fwgrp-permission
                set address {none | read | read-write}
                set others {none | read | read-write}
                set policy {none | read | read-write}
                set profile {none | read | read-write}
                set schedule {none | read | read-write}
                set service {none | read | read-write}
            end
            config loggrp-permission
                set config {none | read | read-write}
                set data-access {none | read | read-write}
            end
        end

Variable

edit <profile-name>
    Enter a new profile name to create a new profile. Enter an existing profile name to edit that profile.
    Default: No default.

<access-group>
    Enter the feature group for which you are configuring access:
    Default: No default.

    admingrp   administrator accounts and access profiles
    authgrp    user authentication, including local users, RADIUS servers, LDAP servers, and user groups
    avgrp      antivirus configuration
    fwgrp      firewall configuration
    impp2p     IM, P2P, and VoIP access configuration
    ipsgrp     intrusion prevention system configuration
    loggrp     log and report configuration including log settings, viewing logs and alert email settings
    mntgrp     maintenance commands: reset to factory defaults, format log disk, reboot, restore and shutdown; execute batch commands

<access-group> (continued)

    netgrp     interfaces, dhcp servers, zones
               • get system status
               • get system arp table
               • config system arp-table
               • execute dhcp lease-list
               • execute dhcp lease-clear
    routegrp   router configuration
    spamgrp    spamfilter configuration
    sysgrp     system configuration except accprofile, admin and autoupdate
    updategrp  FortiGuard antivirus and IPS updates, manual and automatic
    vpngrp     VPN configuration
    webgrp     webfilter configuration

<access-level>
    Enter the level of administrator access to this feature:
    Default: none

    custom      configures custom access for fwgrp or loggrp access selections only
    none        no access
    read        read-only access
    read-write  read and write access

config fwgrp-permission keywords. Available if fwgrp is set to custom.

address {none | read | read-write}
    Enter the level of administrator access to firewall addresses.
    Default: none

others {none | read | read-write}
    Enter the level of administrator access to virtual IP configurations.
    Default: none

policy {none | read | read-write}
    Enter the level of administrator access to firewall policies.
    Default: none

profile {none | read | read-write}
    Enter the level of administrator access to firewall profiles.
    Default: none

schedule {none | read | read-write}
    Enter the level of administrator access to firewall schedules.
    Default: none

service {none | read | read-write}
    Enter the level of administrator access to firewall service definitions.
    Default: none

config loggrp-permission keywords. Available if loggrp is set to custom.

config {none | read | read-write}
    Enter the level of administrator access to the logging configuration.
    Default: none

data-access {none | read | read-write}
    Enter the level of administrator access to the log data.
    Default: none

Examples

Use the following commands to add a new access profile named policy_profile that allows read and write access to firewall policies and that denies access to all other FortiGate features. An administrator account with this access profile can view and edit firewall policies, but cannot view or change any other FortiGate settings or features.

    config system accprofile
        edit policy_profile
            set fwgrp read-write
        end

0 MR7 Reference 01-30007-0015-20090112 . FortiOS v3. FortiOS v3.80 New FortiOS v3.0 MR2 Modifications for super_admin profile and read-write access-level changes (no write only). execute batch command control assigned to mntgrp (Maintenance) access control group. but cannot view or change any other FortiGate settings or features. An administrator account with this access profile can view and edit the selected custom firewall permissions (address. Added config fwgrp-permission and config loggrp-permission subcommands.accprofile system Use the following commands to add a new access profile named policy_profile_cu that allows customized read and write access to firewall policies and that denies access to all other FortiGate features.0 MR4 Modifications for custom fwgrp firewall permissions.0 MR6 Added imp2pgrp access profile. FortiOS v3. policy. config system accprofile edit policy_profile_cu set fwgrp custom config fwgrp-permission set address read-write set policy read-write set schedule read-write end end end History FortiOS v2. and schedule). Related topics • system admin 324 FortiGate® CLI Version 3.0 MR1 Removed secgrp feature group.

system admin

Use this command to add, edit, and delete administrator accounts.

Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Each administrator account except the default admin must include an access profile. You cannot delete the default super admin account or change the access profile (super_admin). In addition, there is also an access profile that allows read-only super admin privileges, super_admin_readonly. The super_admin_readonly profile cannot be deleted or changed, similar to the super_admin profile. This read-only super-admin may be used in a situation where it is necessary to troubleshoot a customer configuration without making changes.

You can authenticate administrators using a password stored on the FortiGate unit or you can use a RADIUS server to perform authentication. When you use RADIUS authentication, you can authenticate specific administrators or you can allow any account on the RADIUS server to access the FortiGate unit as an administrator.

A vdom/access profile override feature supports authentication of administrators via RADIUS. The admin user will have access depending on which vdom they are restricted to and their associated access profile. This feature is only available to wildcard admins. There can only be one vdom-override user per system.

Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.

You can configure an administrator to only be allowed to log in at certain times. The default setting allows administrators to log in any time.

Administrators can control what data modules appear in the FortiGate unit system dashboard by using the config system admin command. Administrators must have read and write privileges to make dashboard GUI modifications.

For detailed information about configuring administrators, see the System Administration chapter of the FortiGate Administration Guide for your model.

Note: For users with super_admin access profile, you can reset the password in the CLI. For a user ITAdmin with the access profile super_admin, to set the password to 123456:

  config sys admin
    edit ITAdmin
      set password 123456
  end

For a user ITAdmin with the access profile super_admin, to reset the password from 123456 to the default ‘empty’ or ‘null’:

  config sys admin
    edit ITAdmin
      unset password 123456
  end

If you type ‘set password ?’ in the CLI, you will NOT be able to reset the password to ‘empty’ or ‘null’. In this case, you will have to enter the new password and the old password in order for the change to be effective.

Syntax

  config system admin
    edit <name_str>
      set accprofile <profile-name>
      set comments <comments_string>
      set password <admin_password>
      set peer-auth <peer_auth>
      set peer-group <peer-grp>
      set radius-accprofile-override {disable | enable}
      set radius-vdom-override {disable | enable}
      set remote-auth {enable | disable}
      set remote-group <name>
      set schedule <schedule-name>
      set ssh-public-key1 "<key-type> <key-value>"
      set ssh-public-key2 "<key-type> <key-value>"
      set ssh-public-key3 "<key-type> <key-value>"
      set trusthost1 <address_ipv4mask>
      set trusthost2 <address_ipv4mask>
      set trusthost3 <address_ipv4mask>
      set vdom <vdom_name>
      set wildcard {enable | disable}
      config dashboard
        edit moduleid <module_name>
          set column <column_number>
          set status <module_status>
        end
      end
  end

Keywords and variables

  accprofile <profile-name>
      Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiGate features.
      Default: No default.

  comments <comments_string>
      Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)
      Default: No default.

  password <admin_password>
      Enter the password for this administrator.
      Default: No default.

  peer-auth <peer_auth>
      Set to enable peer certificate authentication (for HTTPS admin access).
      Default: disable

  peer-group <peer-grp>
      Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access).
      Default: null

  radius-accprofile-override {disable | enable}
      Enable RADIUS authentication override for the access profile of the administrator.
      Default: disable

  radius-vdom-override {disable | enable}
      Enable RADIUS authentication override for the administrator (wildcard only).
      Default: disable

  remote-auth {enable | disable}
      Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.
      Default: disable

  remote-group <name>
      Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication. This is only available when remote-auth is enabled.
      Default: No default.

  schedule <schedule-name>
      Restrict times that an administrator can log in. Defined in config firewall schedule. Null indicates that the administrator can log in at any time.
      Default: null

  ssh-public-key1 "<key-type> <key-value>"
  ssh-public-key2 "<key-type> <key-value>"
  ssh-public-key3 "<key-type> <key-value>"
      You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application. <key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key. <key-value> is the public key string of the SSH client. (Optional)
      Default: No default.

  trusthost1 <address_ipv4mask>
      Any IP address or subnet address and netmask from which the administrator can connect to the FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
      Default: 127.0.0.1 255.255.255.255

  trusthost2 <address_ipv4mask>
      Any IP address or subnet address and netmask from which the administrator can connect to the FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
      Default: 0.0.0.0 0.0.0.0

  trusthost3 <address_ipv4mask>
      Any IP address or subnet address and netmask from which the administrator can connect to the FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
      Default: 0.0.0.0 0.0.0.0

  vdom <vdom_name>
      Enter the name of the VDOM this account belongs to.
      Default: No default.

  wildcard {enable | disable}
      Enable wildcard to allow all accounts on the RADIUS server to log on to the FortiGate unit as administrator. Disable wildcard if you want to allow only the specified administrator to log on. This is available when remote-auth is enabled.
      Default: disable

  config dashboard
      Use config dashboard to configure the dashboard GUI of the FortiGate unit. Administrator must have read and write privileges to make changes.

    moduleid <module_name>
        Name of the dashboard module. Includes the following selections:
          • alert - System restart/firmware change alerts
          • sessions - Top sessions
          • sysinfo - System information
          • licinfo - License information
          • jsconsole - CLI console
          • sysres - System resource information
          • sysop - Unit operation information
          • statistics - System operational statistics
          • top-attacks - Top system attacks
          • top-viruses - Top viruses by month
          • tr-history - Interface traffic history
        Default: No default.

    column <column_number>
        Column in which the dashboard module appears. Values 1 or 2. Available for all dashboard modules.
        Default: No default.

    status <module_status>
        Status of module on dashboard. Values open or close. Available for all dashboard modules.
        Default: No default.

  dashboard module selections

    alert
        show-conserve-mode: display conserve mode on alert message console
        show-firmware-change: display firmware upgrade/downgrade on alert message console
        show-system-restart: display system restart on alert message console

    jsconsole
        column and status settings available.
        Default: status default open.

    licinfo
        column and status settings available.
        Default: status default open.

    sessions
        refresh-interval: time in between refresh of session data. Values between 10 and 1200, 0 to disable.
        top-sessions: number of top sessions to display. Values between 5 and 20.
        set-sort-by: sort top sessions by either destination address or source address.

    statistics
        column and status settings available.
        Default: status default open.

    sysinfo
        column and status settings available.
        Default: status default open.

    sysop
        column and status settings available.
        Default: status default open.

    sysres
        column and status settings available.
        Default: status default open.

    top-attacks
        refresh-interval: time in between refresh of top attacks data. Values between 10 and 1200, 0 to disable.
        top-sessions: number of top attacks to display. Values between 5 and 20.

    top-viruses
        refresh-interval: time in between refresh of top viruses data. Values between 10 and 1200, 0 to disable.
        top-sessions: number of top viruses to display. Values between 5 and 20.

    tr-history
        interface: name of interface monitored for traffic history data.
        refresh: set to refresh traffic history data automatically.
        show-fds-chart: display the FortiGuard log disk usage chart
        show-fortianalyzer-chart: display the FortiAnalyzer disk usage chart

Example

Use the following commands to add a new administrator account named new_admin with the password set to p8ssw0rd and that includes an access profile named policy_profile. Administrators that log in to this account will have administrator access to the FortiGate unit from any IP address. It is accessible on the main_office VDOM. The dashboard setting alert > show-system-restart is enabled and displays in column 2 of the FortiOS GUI.

  config system admin
    edit new_admin
      set password p8ssw0rd
      set accprofile policy_profile
      set vdom main_office
      config dashboard
        edit alert
          set column 2
          set status open
          set show-system-restart enable
        end
      end
  end

History

FortiOS v2.80      Revised.
FortiOS v3.0       Added email-address, first-name, last-name, mobile-number, pager-number, password, phone-number, radius-auth, radius-group, wildcard keywords.
FortiOS v3.0 MR1   Added is-admin and vdom keywords.
FortiOS v3.0 MR3   Removed is-admin. Included description of ReadOnlyAdmin.
FortiOS v3.0 MR4   Added dashboard configuration keywords/variables. Added config dashboard subcommand.
FortiOS v3.0 MR5   Added description of password setup.
FortiOS v3.0 MR6   Added schedule. Combined first-name, last-name, email-address, phone-number, mobile-number, pager-number and put in keyword comments (concatenated). Renamed keyword radius-auth to remote-auth. Renamed keyword radius-group to remote-group.
FortiOS v3.0 MR7   Added radius-vdom-override and radius-accprofile-override.

Related topics
• system accprofile
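The accprofile and admin tables above together decide what an account can do and from where: fwgrp set to custom falls through to the per-item fwgrp-permission levels (anything not listed is none), and a trusthost of 0.0.0.0 0.0.0.0 admits any source, which, given the defaults in the trusthost rows, is what an account with no trusthost configured ends up with. The following Python is an added example, not Fortinet code: it parses the CLI stanza format used in this reference (config/edit/set/next/end, including the examples' habit of closing an edit and its config with a single end), resolves the effective access level of a profile, and audits admin accounts for reachability and RADIUS wildcard exposure. The configuration text is constructed for the example; the default trusthosts it assumes are the ones listed in the table.

```python
"""Added example (not Fortinet code): resolve effective accprofile access and
audit 'config system admin' entries for over-broad reachability."""
import ipaddress
import shlex

# Constructed sample config in the reference's own stanza style.
SAMPLE = """\
config system accprofile
    edit policy_profile_cu
        set fwgrp custom
        config fwgrp-permission
            set address read-write
            set policy read-write
            set schedule read-write
        end
    end
end
config system admin
    edit admin
        set accprofile super_admin
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 0.0.0.0 0.0.0.0
    next
    edit new_admin
        set accprofile policy_profile_cu
        set vdom main_office
        set trusthost1 192.0.2.10 255.255.255.255
    next
    edit helpdesk
        set accprofile super_admin_readonly
        set remote-auth enable
        set wildcard enable
    next
end
"""

# Assumption: the trusthost defaults from the keyword table apply when none is set.
DEFAULT_TRUSTHOSTS = [("127.0.0.1", "255.255.255.255"),
                      ("0.0.0.0", "0.0.0.0"), ("0.0.0.0", "0.0.0.0")]


def parse_config(text):
    """Turn config/edit/set/next/end text into nested dicts; 'set' values are lists."""
    root = {}
    stack = [("root", root)]                      # frames of (kind, node)
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb in ("config", "edit"):
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append((verb, node))
        elif verb == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif verb == "end":
            # one 'end' closes an open 'edit' together with its enclosing 'config'
            while len(stack) > 1:
                if stack.pop()[0] == "config":
                    break
        elif verb == "set":
            stack[-1][1][args[0]] = args[1:]
    return root


def effective_access(profile, group, item=None):
    """Access level for a group (fwgrp, loggrp, ...); 'custom' defers to <group>-permission."""
    level = profile.get(group, ["none"])[0]
    if level != "custom":
        return level
    return profile.get(group + "-permission", {}).get(item, ["none"])[0]


def trusted_networks(admin):
    hosts = [v for k, v in sorted(admin.items()) if k.startswith("trusthost")]
    return [ipaddress.IPv4Network((ip, mask), strict=False)
            for ip, mask in (hosts or DEFAULT_TRUSTHOSTS)]


def source_allowed(admin, src_ip):
    """True when src_ip falls inside any trusthost of this account."""
    return any(ipaddress.IPv4Address(src_ip) in net for net in trusted_networks(admin))


def audit(cfg):
    """Return (account, finding) pairs for accounts reachable from anywhere or via wildcard."""
    findings = []
    for name, admin in cfg.get("system admin", {}).items():
        profile = admin.get("accprofile", ["none"])[0]
        explicit = any(k.startswith("trusthost") for k in admin)
        anywhere = any(net.prefixlen == 0 for net in trusted_networks(admin))
        if anywhere and explicit:
            findings.append((name, "trusthost 0.0.0.0 0.0.0.0 admits any source address"))
        elif anywhere:
            findings.append((name, "no trusthost set; default trusthost2/3 admit any source"))
        if profile == "super_admin" and anywhere:
            findings.append((name, "super_admin reachable from any address"))
        if admin.get("wildcard", ["disable"])[0] == "enable":
            findings.append((name, "wildcard: every RADIUS server account is an administrator"))
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    for account, finding in audit(cfg):
        print(f"{account}: {finding}")
```

Running it on the sample reports two findings for admin (an any-source trusthost on a super_admin account) and two for helpdesk (no trusthost and wildcard enabled), while new_admin, pinned to one /32, produces none; effective_access on policy_profile_cu returns read-write for fwgrp policy and none for fwgrp service, exactly the custom-permission semantics the table describes.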

system alertemail

Use this command to configure the FortiGate unit to access an SMTP server to send alert emails. The SMTP server can be located on any network connected to the FortiGate unit. This command is global in scope.

Note: You must configure the server setting under config system alertemail before the commands under config alertemail become accessible. For more information on config alertemail, see “alertemail” on page 63.

To configure alertemail settings you must first configure the server, and enable authenticate. The order of the keywords is important. The server must be defined first. Then authentication needs to be next. Then you will be able to see all the keywords.

Syntax

  config system alertemail
    set authenticate {disable | enable}
    set password <password_str>
    set port <port_integer>
    set server {<name-str> | <address_ipv4>}
    set username <username_str>
  end

Keywords and variables

  authenticate {disable | enable}
      Enable SMTP authentication if the FortiGate unit is required to authenticate before using the SMTP server. This variable is accessible only if server is defined.
      Default: disable

  password <password_str>
      Enter the password that the FortiGate unit needs to access the SMTP server. This variable is accessible only if authenticate is enabled and server is defined.
      Default: No default.

  port <port_integer>
      Change the TCP port number that the FortiGate unit uses to connect to the SMTP server. The standard SMTP port is 25. You can change the port number if the SMTP server has been configured to use a different port.
      Default: 25

  server {<name-str> | <address_ipv4>}
      Enter the name of the SMTP server, in the format smtp.domain.com, to which the FortiGate unit should send email. Alternately, the IP address of the SMTP server can be entered.
      Default: No default.

  username <username_str>
      Enter the user name for the SMTP server that the FortiGate unit uses to send alert emails. This variable is accessible only if authenticate is enabled and server is defined.
      Default: No default.

Examples

This example shows how to configure the FortiGate unit to send alert emails using the SMTP server smtp.example.com. The FortiGate unit uses the user name admin2 and the password h8rdt0g3uss to connect to the SMTP server.

  config system alertemail
    set server smtp.example.com
    set authenticate enable
    set password h8rdt0g3uss
    set username admin2
  end

History

FortiOS v3.0       Command created from alertemail command.
FortiOS v3.0 MR7   Added the port keyword.

system amc

Use this command to configure AMC ports on your FortiGate unit. The number of AMC ports on your FortiGate unit will vary by model. When you first get your FortiGate unit with AMC ports, the AMC ports must be configured before the ports can be used. The settings are different for single width and double width ports.

The auto setting will recognize any card used in the AMC port, but when you remove the card it will not retain any configuration settings. The asm-disk, asm-fb4, adm-xb2, and adm-fb8 settings will retain any configurations related to that card until a different type of card is inserted. For example, if the port is set to asm-disk with configurations for that disk, and if the disk needs to be replaced, it can be removed and it or one of the same type can be re-inserted with the FortiGate unit retaining all the related configurations.

To use an AMC slot that is configured for one type of card with a different type of card, you must first set the slot to none, and then reconfigure the slot for the new type of card. This will remove all configuration that was associated with the previous AMC card.

Syntax

  config system amc
    set {amc-sw1 | amc-sw2} {asm-disk | asm-fb4 | auto | none}
    set {amc-dw1 | amc-dw2} {adm-xb2 | asm-fb8 | auto | none}
  end

Keywords and variables

  {amc-sw1 | amc-sw2} {asm-disk | asm-fb4 | auto | none}
      Configure this single width AMC port for the following type of card.
        • asm-disk - AMC Single width SCSI hard disk card, such as ASM-S08
        • asm-fb4 - AMC single width 4G NP2 network interface card
        • auto - support any single width card
        • none - not configured
      Default: none

  {amc-dw1 | amc-dw2} {adm-xb2 | asm-fb8 | auto | none}
      Configure this double width AMC port for the following type of card.
        • adm-xb2 - AMC double width 2XG NP2 card
        • adm-fb8 - AMC double width 8G NP2 network interface card
        • auto - support any card that is inserted
        • none - not configured
      Default: none

History

FortiOS v3.0 MR7   New command.

system arp-table

Use this command to manually configure the ARP table entries on the FortiGate unit. You can only access the arp-table values from the CLI. This command is not available when VDOMs are enabled or in TP mode.

Syntax

  config system arp-table
    edit <table_value>
      set interface <port>
      set ip <address_ipv4>
      set mac <mac_address>
  end

Keywords and variables

  interface <port>
      Enter the interface this ARP entry is associated with.
      Default: No default.

  ip <address_ipv4>
      Enter the IP address of the ARP entry.
      Default: No default.

  mac <mac_address>
      Enter the MAC address of the device entered in the table, in the form of xx:xx:xx:xx:xx:xx.
      Default: No default.

Examples

This example adds an entry to the arp table with a MAC address of 00-09-0f-69-00-7c and an IP address of 172.20.120.161 on the port2 interface.

  config system arp-table
    edit 3
      set interface port2
      set ip 172.20.120.161
      set mac 00:09:0f:69:00:7c
  end

History

FortiOS v3.0 MR2   New command.

Related topics
• get system arp

system auto-install

Use this command to configure automatic installation of firmware and system configuration from a USB disk when the FortiGate unit restarts. This command is available only on units that have a USB disk connection. FortiUSB and generic USB disks are supported.

Note: This command is available only when a USB key is installed on the FortiGate unit.

The FortiGate unit will not reload a firmware or configuration file that is already loaded. If you set both configuration and firmware image update, both occur on the same reboot. However, the USB disk must be formatted as a FAT16 drive. No other partition type is supported.

To format your USB disk when it is connected to your FortiGate unit, at the CLI prompt type “exe usbdisk format”. To format your USB disk when it is connected to a Windows system, at the command prompt type “format <drive_letter>: /FS:FAT /V:<drive_label>” where <drive_letter> is the letter of the connected USB drive you want to format, and <drive_label> is the name you want to give the USB disk volume for identification. Formatting your USB disk will delete all information on your USB disk.

Syntax

  config system auto-install
    set auto-install-config {disable | enable}
    set auto-install-image {disable | enable}
    set default-config-file
    set default-image-file
  end

Variables

  auto-install-config {disable | enable}
      Enable or disable automatic loading of the system configuration from a USB disk on the next reboot.
      Default: disable

  auto-install-image {disable | enable}
      Enable or disable automatic installation of firmware from a USB disk on the next reboot.
      Default: disable

  default-config-file
      Enter the name of the configuration file on the USB disk.
      Default: system.conf

  default-image-file
      Enter the name of the image file on the USB disk.
      Default: image.out

History

FortiOS v3.0   New.

system autoupdate clientoverride

Use this command to receive updates on a different interface than the interface connected to the FortiGuard Distribution Network (FDN). This command changes the source IP address of update requests to the FortiGuard server, causing it to send the update to the modified source address. This is useful if your company uses an internal updates server instead of FDN.

Syntax

  config system autoupdate clientoverride
    set address <address_ipv4>
    set status {enable | disable}
  end

Variables

  address <address_ipv4>
      Enter the IP address or fully qualified domain name to receive updates from.
      Default: No default.

  status {enable | disable}
      Enable or disable the ability to override the FDN interface address.
      Default: disable

Example

This example shows how to add a push update client IP address 192.2.2.45 which is on the port4 interface.

  config system autoupdate clientoverride
    set address 192.2.2.45
    set status enable
  end

History

FortiOS v2.80 MR6   Added.

Related topics
• system autoupdate override
• system autoupdate push-update
• system autoupdate schedule
• system autoupdate tunneling
• execute update-av

system autoupdate override

Use this command to specify an override FDS server. If you cannot connect to the FortiGuard Distribution Network (FDN) or if your organization provides updates using their own FortiGuard server, you can specify an override FDS server so that the FortiGate unit connects to this server instead of the FDN.

Note: If you are unable to connect to the FDS server, even after specifying an override server, it is possible your ISP is blocking the lower TCP and UDP ports for security reasons. Contact your ISP to make sure they unblock TCP and UDP ports 1025 to 1035 to enable FDS server traffic.

Syntax

  config system autoupdate override
    set address <FDS_address>
    set failover {enable | disable}
    set status {enable | disable}
  end

Variables

  address <FDS_address>
      Enter the IP address or fully qualified domain name of the override FDS server.
      Default: No default.

  failover {enable | disable}
      Enable or disable FDS server failover. If you enable failover and the FortiGate unit cannot reach the override FDS server, it will failover to the public FDS servers.
      Default: enable

  status {enable | disable}
      Enable or disable overriding the default FDS server.
      Default: disable

Example

This example shows how to add and enable your company’s own FDS override server with an IP address of 192.168.87.45.

  config system autoupdate override
    set address 192.168.87.45
    set status enable
  end

History

FortiOS v2.80   Revised.

Related topics
• system autoupdate push-update
• system autoupdate schedule
• system autoupdate tunneling
• execute update-av
• execute update-ips

system autoupdate push-update

Use this command to configure push updates. The FortiGuard Distribution Network (FDN) can push updates to FortiGate units to provide the fastest possible response to critical situations such as software exploits or viruses. You must register the FortiGate unit before it can receive push updates.

When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time an update is released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests an update from the FDN.

Using this command you can enable or disable push updates. You can also configure push IP address and port overrides. If the FDN must connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update override configuration.

Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).

Syntax

  config system autoupdate push-update
    set address <push_ipv4>
    set override {enable | disable}
    set port <FDN_port>
    set status {enable | disable}
  end

Variables

  address <push_ipv4>
      Enter the External IP address that the FDN connects to if you want to enable push override. This is the address of the external interface of your NAT device.
      Default: No default.

  override {enable | disable}
      Enable an override of push updates. Select enable if the FortiGate unit connects to the FDN through a NAT device.
      Default: disable

  port <FDN_port>
      Enter the port that the FDN connects to. This can be port 9443 by default or a different port that you assign.
      Default: 9443

  status {enable | disable}
      Enable or disable FDN push updates.
      Default: disable

Example

This example shows how to enable push updates on port 9993.

  config system autoupdate push-update
    set status enable
    set port 9993
  end

History

FortiOS v2.80   Revised.

Related topics
• system autoupdate override
• system autoupdate schedule
• system autoupdate tunneling
• execute update-av
• execute update-ips

system autoupdate schedule

Use this command to enable or disable scheduled FDN updates at regular intervals throughout the day, once a day, or once a week.

To have your FortiGate unit update at a random time during a particular hour, select a time that includes 60 minutes as this will choose a random time during that hour for the scheduled update.

Syntax

  config system autoupdate schedule
    set day <day_of_week>
    set frequency {every | daily | weekly}
    set status {enable | disable}
    set time <hh:mm>
  end

Variables

  day <day_of_week>
      Enter the day of the week on which to check for updates. Enter one of: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday. This option is available only when frequency is set to weekly.
      Default: Monday

  frequency {every | daily | weekly}
      Schedule the FortiGate unit to check for updates every hour, once a day, or once a week. Set interval to one of the following:
        every  • Check for updates periodically. Set time to the time interval to wait between updates.
        daily  • Check for updates once a day. Set time to the time of day to check for updates.
        weekly • Check for updates once a week. Set day to the day of the week to check for updates. Set time to the time of day to check for updates.
      Default: every

  status {enable | disable}
      Enable or disable scheduled updates.
      Default: disable

  time <hh:mm>
      Enter the time at which to check for updates.
        • hh can be 00 to 23
        • mm can be 00-59, or 60 for random minute
      Default: 01:60

Example

This example shows how to configure the FortiGate unit to check the FortiGuard Distribution Network (FDN) for updates once a day at 3:00 in the morning.

  config system autoupdate schedule
    set frequency daily
    set time 03:00
    set status enable
  end

This example is the same as the above example but it will check for updates once a day at some time between 3:00 and 4:00 in the morning.

  config system autoupdate schedule
    set frequency daily
    set time 03:60
    set status enable
  end

History

FortiOS v2.80       Revised.
FortiOS v2.80 MR2   Can set time as well as day for weekly updates.

Related topics
• system autoupdate override
• system autoupdate push-update
• system autoupdate tunneling
• system global
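The schedule keywords interact: with frequency every, time is an interval; with daily and weekly it is a clock time, and a minute value of 60 means a random minute inside that hour, which is how the second example spreads checks across 03:00 to 04:00. The Python below is an added example, not Fortinet code, that works out the next check time from those keywords exactly as the table describes them. The reference time it uses is constructed; how a random minute combines with frequency every is an assumption (it is treated as a random minute offset added to the interval), since the page defines the 60 rule only for the clock-time cases.

```python
"""Added example (not Fortinet code): next FDN check time from the page's
frequency / time / day keywords, including the 'mm = 60 is a random minute' rule."""
import random
from datetime import datetime, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
EXAMPLE_NOW = datetime(2009, 1, 12, 2, 0)   # constructed reference time (a Monday)


def parse_schedule_time(text):
    """Validate hh:mm as the table defines it: hh 00-23, mm 00-59 or 60 for a random minute."""
    hh, _, mm = text.partition(":")
    if not (hh.isdigit() and mm.isdigit()):
        raise ValueError("time must be hh:mm")
    hh, mm = int(hh), int(mm)
    if not 0 <= hh <= 23 or not 0 <= mm <= 60:
        raise ValueError("hh must be 00-23, mm 00-59 or 60 for a random minute")
    return hh, mm


def is_valid_schedule_time(text):
    try:
        parse_schedule_time(text)
        return True
    except ValueError:
        return False


def next_check(now, frequency, time_text, day="Monday", seed=None):
    """Return the datetime of the next scheduled check after 'now'."""
    hh, mm = parse_schedule_time(time_text)
    # mm == 60: pick the minute at random, as the second example relies on
    minute = random.Random(seed).randint(0, 59) if mm == 60 else mm
    if frequency == "every":
        # 'time' is the interval between checks (assumption: a random minute
        # simply becomes a random offset within that interval)
        return now + timedelta(hours=hh, minutes=minute)
    candidate = now.replace(hour=hh, minute=minute, second=0, microsecond=0)
    if frequency == "daily":
        return candidate if candidate > now else candidate + timedelta(days=1)
    if frequency == "weekly":
        candidate += timedelta(days=(DAYS.index(day) - now.weekday()) % 7)
        return candidate if candidate > now else candidate + timedelta(days=7)
    raise ValueError("frequency must be every, daily or weekly")


def next_check_iso(now, frequency, time_text, day="Monday", seed=None):
    """Same as next_check, rendered as YYYY-MM-DDTHH:MM for easy comparison."""
    return next_check(now, frequency, time_text, day, seed).isoformat(timespec="minutes")


if __name__ == "__main__":
    print("daily 03:00 ->", next_check_iso(EXAMPLE_NOW, "daily", "03:00"))
    print("daily 03:60 ->", next_check_iso(EXAMPLE_NOW, "daily", "03:60"))
    print("weekly Wednesday 03:00 ->", next_check_iso(EXAMPLE_NOW, "weekly", "03:00", "Wednesday"))
```

From the Monday 02:00 reference, the first example schedule (daily 03:00) fires the same day at 03:00, the randomised one fires at 03:xx the same day, and a weekly Wednesday schedule fires two days later; a time of 24:00 is rejected, while 03:60 is accepted as the table allows.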

system autoupdate tunneling

Use this command to configure the FortiGate unit to use a proxy server to connect to the FortiGuard Distribution Network (FDN). To use a proxy server you must enable tunneling and add the IP address and port required to connect to the proxy server. If the proxy server requires authentication, add the user name and password required to connect to the proxy server.

The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in RFC 2616. The FortiGate unit sends a HTTP CONNECT request to the proxy server (optionally with authentication information) specifying the IP address and port required to connect to the FDN. The proxy server establishes the connection to the FDN and passes information between the FortiGate unit and the FDN.

The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow CONNECT to connect to any port; proxy servers restrict the allowed ports to the well known ports for HTTPS and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to connect to the FDN, your proxy server might have to be configured to allow connections on this port.

Syntax

  config system autoupdate tunneling
    set address <proxy_address>
    set password <password>
    set port <proxy_port>
    set status {enable | disable}
    set username <name>
  end

Variables

  address <proxy_address>
      The IP address or fully qualified domain name of the proxy server.
      Default: No default.

  password <password>
      The password to connect to the proxy server if one is required.
      Default: No default.

  port <proxy_port>
      The port required to connect to the proxy server.
      Default: No default.

  status {enable | disable}
      Enable or disable tunneling.
      Default: disable

  username <name>
      The user name used to connect to the proxy server.
      Default: No default.

Example

This example shows how to enable tunneling where the FortiGate unit must connect to a proxy server with IP address 67.35.50.34 that uses port 8080, requires the user id proxy_user and the password proxy_pwd.

  config system autoupdate tunneling
    set address 67.35.50.34
    set port 8080
    set username proxy_user
    set password proxy_pwd
    set status enable
  end

History

FortiOS v2.80   Revised.

Related topics
• system autoupdate override
• system autoupdate push-update
• system autoupdate schedule
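The exchange described above, the FortiGate's CONNECT request carrying the FDN address and port 8890 with optional proxy credentials, and the proxy's decision to open or refuse the tunnel, is modelled here as an added Python example that is not Fortinet code. Both sides are plain functions (no sockets), so the one failure mode the page calls out, a proxy whose CONNECT allow-list stops at 443, can be exercised directly. The FDN address is a constructed placeholder; the proxy credentials are the ones from the example above.

```python
"""Added example (not Fortinet code): the HTTP CONNECT exchange between an update
client and a proxy, with the port allow-list check the page warns about."""
import base64

FDN_PORT = 8890            # the page: autoupdates use HTTPS on port 8890 to reach the FDN
FDN_ADDRESS = "192.0.2.1"  # constructed placeholder, not a real FDN address


def build_connect_request(host, port, username=None, password=None):
    """Client side: a CONNECT request (RFC 2616) with optional Basic proxy credentials."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def proxy_handle_connect(request, allowed_ports, credentials=None):
    """Proxy side (toy model): parse the request line and headers, require
    credentials when configured, and refuse target ports outside the allow-list.
    Returns (status_code, reason_phrase)."""
    head = request.decode().split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    if method != "CONNECT":
        return 405, "Method Not Allowed"
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if credentials is not None:
        scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
        try:
            supplied = base64.b64decode(token).decode()
        except ValueError:          # malformed base64 or non-UTF-8 payload
            supplied = ""
        if scheme != "Basic" or supplied != "%s:%s" % credentials:
            return 407, "Proxy Authentication Required"
    _host, _, port = target.rpartition(":")
    if not port.isdigit() or int(port) not in allowed_ports:
        return 403, "Forbidden"     # the port restriction the page describes
    return 200, "Connection established"


def autoupdate_via_proxy(allowed_ports, proxy_credentials=None,
                         username="proxy_user", password="proxy_pwd"):
    """One complete exchange using the page's example credentials."""
    request = build_connect_request(FDN_ADDRESS, FDN_PORT, username, password)
    return proxy_handle_connect(request, allowed_ports, proxy_credentials)


if __name__ == "__main__":
    print("proxy allows 443 only:", autoupdate_via_proxy({443}))
    print("proxy allows 443 and 8890:", autoupdate_via_proxy({443, FDN_PORT}))
```

A proxy that only permits CONNECT to 443 answers 403 and the update never reaches the FDN, which is the symptom to look for when tunneling is enabled but updates stall; adding 8890 to the allow-list yields 200 Connection established, and a credential mismatch surfaces as 407 before the port check is reached.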

system aux

Use this command to configure the AUX port. The AUX port is located near the console port, but not all FortiGate models have an AUX port. You can use a modem connected to the AUX port to remotely connect to a console session on the FortiGate unit. The main difference between the standard console port and the AUX port is that the standard console port is for local serial console connections only. An AUX port cannot accept a modem connection to establish a remote console connection.

The AUX console port allows you to establish a local connection, but it has some limitations the standard console port does not have.
  • The AUX port will not display the booting messages that the standard console connection displays.
  • The AUX port will send out modem initializing strings (AT strings) that will appear on an AUX console session at the start.

Syntax

  config system aux
    set baudrate <baudrate>
  end

<baudrate> is the speed of the connection. It can be set to one of the following: 9600, 19200, 38400, 57600, or 115200. The default is 9600. Ensure devices on both ends of the connection are set to the same baudrate.

History

FortiOS v3.0 MR1   New.

Related topics
• system console

system bug-report

Use this command to configure a custom email relay for sending problem reports to Fortinet customer support.

Syntax

  config system bug-report
    set auth {no | yes}
    set mailto <email_address>
    set password <password>
    set server <servername>
    set username <name>
    set username-smtp <account_name>
  end

Variables

  auth {no | yes}
      Enter yes if the SMTP server requires authentication or no if it does not.
      Default: no

  mailto <email_address>
      The email address for bug reports. The default is bug_report@fortinetvirussubmit.com.
      Default: See description.

  password <password>
      If the SMTP server requires authentication, enter the password required.
      Default: No default.

  server <servername>
      The SMTP server to use for sending bug report email. The default server is fortinetvirussubmit.com.
      Default: See description.

  username <name>
      A valid user name on the specified SMTP server. The default user name is bug_report.
      Default: See description.

  username-smtp <account_name>
      A valid user name on the specified SMTP server. The default user name is bug_report.
      Default: See description.

Example

This example shows how to configure the FortiGate unit to send bug report email from the ourmailserver.com email server to bug_report@ourcompany.com using the User1 account. The email server requires authentication.

  config system bug-report
    set auth yes
    set mailto bug_report@ourcompany.com
    set password 123456
    set server ourmailserver.com
    set username OurAdmin
  end

History

FortiOS v2.80       New.
FortiOS v2.80 MR2   Command changed from config bug-report to config system bug-report.
FortiOS v3.0        Added mailto keyword.
FortiOS v3.0 MR1    Changed username_smtp to username-smtp.

Related topics
• system dns

system carrier-endpoint-translation (FortiOS Carrier)

Use this command to configure carrier end point HTTP header options. HTTP header options control how FortiOS Carrier finds source IP addresses and carrier end points in communication sessions.

In most cases you do not have to change the default settings. The default settings assume that the source IP address of a communication session is the actual IP address of the originator of the session, and they cause FortiOS Carrier to look in the HTTP header for the carrier end point. However, some types of traffic are exceptions that require selecting one of the other profile query types and adding additional configuration settings. An important exception is WAP traffic, which comes from a WAP server instead of directly from a customer, so extra configuration is required for WAP traffic.

Syntax
config system carrier-endpoint-translation
    set carrier-endpoint-convert-hex {enable | disable}
    set carrier-endpoint-header <endpoint_header_title>
    set carrier-endpoint-header-suppress {enable | disable}
    set carrier-endpoint-prefix {enable | disable}
    set carrier-endpoint-prefix-range-max <prefix_range_max>
    set carrier-endpoint-prefix-range-min <prefix_range_min>
    set carrier-endpoint-prefix-string <prefix_string>
    set carrier-endpoint-source {cookie | http-header}
    set profile-query-type {extract-carrier-endpoint | extract-ip | session-ip}
    set ip-header <ip_header_name>
    set ip-header-suppress {enable | disable}
    set missing-header-fallback {policy-profile | session-ip}
end

Keywords and variables

carrier-endpoint-convert-hex {enable | disable}
    Enable if the carrier end point is encoded in the communication session using hexadecimal notation. FortiOS Carrier converts the carrier end point from hex to decimal. Default: disable.

carrier-endpoint-header <endpoint_header_title>
    Specify the header field in the communication session that includes the carrier end point. Default: x-up-calling-line-id.

carrier-endpoint-header-suppress {enable | disable}
    Enable to delete the carrier end point header found in the specified carrier-endpoint-header field. You can use this feature to prevent your customers' carrier end points from appearing on the Internet. Default: disable.

carrier-endpoint-prefix {enable | disable}
    Enable to add a prefix to the carrier end point found in the communication session. The other carrier-endpoint-prefix keywords are available only if carrier-endpoint-prefix is enabled. Default: disable.

carrier-endpoint-prefix-range-max <prefix_range_max>
    Maximum number of characters in the carrier end point prefix string. The prefix is not added to the carrier end point if the carrier end point has the same or more digits than this maximum. Range is an integer from 1 to 16. Only available if carrier-endpoint-prefix is enabled. Default: null.

carrier-endpoint-prefix-range-min <prefix_range_min>
    Minimum number of characters in the carrier end point prefix string. The prefix is not added to the carrier end point if the carrier end point has the same or fewer digits than this minimum. Range is an integer from 1 to 16. Only available if carrier-endpoint-prefix is enabled. Default: null.

carrier-endpoint-prefix-string <prefix_string>
    The alphanumeric string that is the prefix to add to the carrier end point. Up to 64 characters. Only available if carrier-endpoint-prefix is enabled. Default: null.

carrier-endpoint-source {cookie | http-header}
    Configure FortiOS Carrier to find the communication session's carrier end point in an HTTP header field (http-header) or in a cookie (cookie) in the HTTP session. Default: http-header.

profile-query-type {extract-carrier-endpoint | extract-ip | session-ip}
    Select the specific type of dynamic profile query to be executed. Default: session-ip.
    • session-ip: Default setting. Use the actual source IP address of the communication session and the carrier end point extracted from the communication session. Configure the HTTP header options to get the carrier end point from communication sessions.
    • extract-ip: Use the actual source IP address of the communication session and get the carrier end point from the user context list.
    • extract-carrier-endpoint: Extract the carrier end point from the communication session and get the source IP address from the user context list.

ip-header <ip_header_name>
    Specify the header field in the communication session that includes the source IP address. Configure this option to get the IP address from communication sessions. Only available if profile-query-type is session-ip. Default: X-Up-Forwarded-For.

ip-header-suppress {enable | disable}
    Enable to delete the IP address header found in the field specified by the ip-header keyword. You can use this feature to prevent your customers' source IP addresses from appearing on the Internet. Only available if profile-query-type is session-ip. Default: disable.

missing-header-fallback {policy-profile | session-ip}
    Specify how to obtain the source IP address of the communication session if FortiOS Carrier cannot find the specified IP address header, or if the specified header does not contain an IP address. Default: policy-profile.
    • policy-profile: do not look up a user context entry for the session; the protection profile in the firewall policy applies.
    • session-ip: use the actual source IP address of the communication session. FortiOS Carrier matches this IP address with the IP addresses in the user context list.

Example
This example shows how to configure HTTP header options:

config system carrier-endpoint-translation
    set missing-header-fallback session-ip
    set profile-query-type extract-ip
end

History
FortiOS Carrier v3.0 MR2 New.
FortiOS Carrier v3.0 MR4 Removed references to MSISDN and replaced with End Point.
FortiOS Carrier v3.0 MR5 MR4 keywords named endpoint-... renamed carrier-endpoint-...

Related topics
• dynamic-profile (FortiOS Carrier)
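The keyword table above describes a small pipeline: find the carrier end point in a header or cookie, optionally decode it from hex, optionally prefix it, pick a source IP from the configured header or fall back, and strip the suppressed fields before the request leaves for the Internet. The following Python is an added example that models that pipeline; it is not Fortinet code and not how FortiOS Carrier is implemented. Header names are the defaults from the table, the sample request is constructed, and treating policy-profile as "no lookup, the firewall policy's own profile applies" is this example's interpretation of that keyword.

```python
import ipaddress
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional


@dataclass
class EndpointSettings:
    """Mirrors the carrier-endpoint-translation keywords and their documented defaults."""
    convert_hex: bool = False                        # carrier-endpoint-convert-hex
    endpoint_header: str = "x-up-calling-line-id"    # carrier-endpoint-header (or cookie name)
    endpoint_header_suppress: bool = False           # carrier-endpoint-header-suppress
    endpoint_source: str = "http-header"             # carrier-endpoint-source: http-header | cookie
    prefix_enable: bool = False                      # carrier-endpoint-prefix
    prefix_string: str = ""                          # carrier-endpoint-prefix-string
    prefix_range_min: Optional[int] = None           # carrier-endpoint-prefix-range-min
    prefix_range_max: Optional[int] = None           # carrier-endpoint-prefix-range-max
    ip_header: str = "X-Up-Forwarded-For"            # ip-header
    ip_header_suppress: bool = False                 # ip-header-suppress
    missing_header_fallback: str = "policy-profile"  # missing-header-fallback


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are not case sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def extract_endpoint(headers: dict, cfg: EndpointSettings) -> Optional[str]:
    """Return the carrier end point as the translation options would produce it, or None."""
    if cfg.endpoint_source == "cookie":
        jar = SimpleCookie()
        jar.load(_header(headers, "Cookie") or "")
        morsel = jar.get(cfg.endpoint_header)
        endpoint = morsel.value if morsel else None
    else:
        endpoint = _header(headers, cfg.endpoint_header)
    if endpoint is None:
        return None
    endpoint = endpoint.strip()
    if cfg.convert_hex:
        try:
            endpoint = str(int(endpoint, 16))     # hex-encoded end point -> decimal digits
        except ValueError:
            return None                            # not valid hex: treat as absent
    if cfg.prefix_enable and cfg.prefix_string:
        digits = len(endpoint)
        too_long = cfg.prefix_range_max is not None and digits >= cfg.prefix_range_max
        too_short = cfg.prefix_range_min is not None and digits <= cfg.prefix_range_min
        if not (too_long or too_short):            # prefix only inside (min, max)
            endpoint = cfg.prefix_string + endpoint
    return endpoint


def source_ip(headers: dict, session_src_ip: str, cfg: EndpointSettings) -> Optional[str]:
    """IP to match against the user context list. None means no lookup (policy-profile)."""
    value = _header(headers, cfg.ip_header)
    if value:
        candidate = value.split(",")[0].strip()    # first address if the header lists several
        try:
            ipaddress.ip_address(candidate)
            return candidate
        except ValueError:
            pass                                    # header present but not an IP: fall back
    if cfg.missing_header_fallback == "session-ip":
        return session_src_ip
    return None


def outbound_headers(headers: dict, cfg: EndpointSettings) -> dict:
    """Headers forwarded to the Internet, with the suppressed fields removed."""
    drop = set()
    if cfg.endpoint_header_suppress and cfg.endpoint_source == "http-header":
        drop.add(cfg.endpoint_header.lower())
    if cfg.ip_header_suppress:
        drop.add(cfg.ip_header.lower())
    return {k: v for k, v in headers.items() if k.lower() not in drop}


# Constructed WAP-gateway style request; the cookie carries a hex-encoded end point.
SAMPLE_REQUEST = {
    "Host": "wap.example.net",
    "X-Up-Calling-Line-Id": "15551234567",
    "X-Up-Forwarded-For": "10.1.2.3",
    "Cookie": "session=abc; msisdn=0A1B2C",
}
```

Two checks worth keeping from this model: a header that exists but does not parse as an IP address is treated exactly like a missing header (the fallback applies), and suppression is applied to whatever the client sent, so a customer who injects their own X-Up-Forwarded-For is stripped as well as overwritten.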

FortiOS v2. Select one of 9600. output must be set to standard for scripts to execute properly.80 MR4 page keyword removed.0 MR7 Reference 01-30007-0015-20090112 . 19200. line more Example This example shows how to set the baudrate to 38400 and set the output style to more so it will pause after each screen full of information. the number of lines displayed by the console. Set console output to standard (no pause) or more (pause after each screen is full.80 MR2 Command changed from config console to config system console.80 Revised.0 MR7 output default changed from standard to more. output must be set to standard for scripts to execute properly. Default 9600 Set the console mode to line or batch. If this FortiGate unit is connected to a FortiManager unit running scripts. 57600. Related topics • system aux 348 FortiGate® CLI Version 3. Note: If this FortiGate unit is connected to a FortiManager unit running scripts. 1000AFA2. config system console set baudrate 38400 set output more end History FortiOS v2. 38400. resume on keypress). see “aux” on page 343. output keyword added. This port on these models is configured with the system aux command.console system console Use this command to set the console command mode. Syntax config system console set baudrate <speed> set mode {batch | line} set output {standard | more} end Variables baudrate <speed> mode {batch | line} output {standard | more} Description Set the console port baudrate. This setting applies to show or get commands only. Used for autotesting only. FortiOS v3. or 115200. FortiOS v2. and 3000A models have an AUX port that can be used for remote console connections using a modem. Fortigate-1000A. and the baud rate.

system dhcp reserved-address

Use this command to reserve an IP address for a particular client identified by its device MAC address and type of connection. The DHCP server then always assigns the reserved IP address to the client. You can define up to 200 reserved addresses.

Note: For this configuration to take effect, you must configure at least one DHCP server using the config system dhcp server command, see "dhcp server" on page 350.

Syntax
config system dhcp reserved-address
    edit <name_str>
        set ip <address_ipv4>
        set mac <address_hex>
        set type {regular | ipsec}
end

Variables

ip <address_ipv4>
    Enter the IP address. Default: 0.0.0.0.

mac <address_hex>
    Enter the MAC address. Default: 00:00:00:00:00:00.

type {regular | ipsec}
    Enter the type of the connection to be reserved. Default: regular.
    • regular: Client connecting through regular Ethernet.
    • ipsec: Client connecting through IPSec VPN.

Example
Use the following command to add a reserved address named client_1 consisting of IP address 192.168.110.3 and MAC address 00:09:0F:0A:01:BC for a regular Ethernet connection.

config system dhcp reserved-address
    edit client_1
        set ip 192.168.110.3
        set mac 00:09:0F:0A:01:BC
        set type regular
end

History
FortiOS v2.80 Substantially revised.
FortiOS v3.0 MR7 Maximum number of reserved addresses increased to 200 for all models.

Related topics
• system dhcp server
• system interface

system dhcp server

Use this command to add one or more DHCP servers for any FortiGate interface. As a DHCP server, the interface dynamically assigns IP addresses to hosts on a network connected to the interface. You can add more than one DHCP server to a single interface to be able to provide DHCP services to multiple networks. For more information on configuring your network and FortiGate unit to use multiple DHCP servers on one interface, see the System DHCP chapter in the Administration Guide for your FortiGate unit.

On FortiGate models numbered 100 and below, you can configure up to 8 DHCP servers. On all other models, you can configure up to 32 DHCP servers.

You can use the config system dhcp reserved-address command to reserve an address for a specific MAC address. All FortiGate models support up to 200 reserved IP addresses for DHCP. For more information see "system dhcp reserved-address" on page 349.

This command is available in NAT/Route mode only.

Syntax
config system dhcp server
    edit <dhcpservername>
        set conflicted-ip-timeout <timeout_int>
        set default-gateway <address_ipv4>
        set dns-server1 <address_ipv4>
        set dns-server2 <address_ipv4>
        set dns-server3 <address_ipv4>
        set domain <domain_name_str>
        set enable {enable | disable}
        set end-ip <address_ipv4>
        set interface <interface_name>
        set ipsec-lease-hold <release_seconds>
        set lease-time <seconds>
        set netmask <mask>
        set option1 <option_code> [<option_hex>]
        set option2 <option_code> [<option_hex>]
        set option3 <option_code> [<option_hex>]
        set server-type <type>
        set start-ip <address_ipv4>
        set wins-server1 <wins_ipv4>
        set wins-server2 <wins_ipv4>
        config exclude-range
            edit <excl_range_num>
                set end-ip <excl_ipv4>
                set start-ip <excl_ipv4>
        end
end

Variables

conflicted-ip-timeout <timeout_int>
    Enter the time in seconds to wait before a conflicted IP address is removed from the DHCP range. Valid range is from 60 to 8640000 seconds (1 minute to 100 days). Default: 1800.

default-gateway <address_ipv4>
    The IP address of the default gateway that the DHCP server assigns to DHCP clients. Default: 0.0.0.0.

dns-server1 <address_ipv4>
    The IP address of the first DNS server that the DHCP server assigns to DHCP clients. Default: 0.0.0.0.

dns-server2 <address_ipv4>
    The IP address of the second DNS server that the DHCP server assigns to DHCP clients. Default: 0.0.0.0.

dns-server3 <address_ipv4>
    The IP address of the third DNS server that the DHCP server assigns to DHCP clients. Default: 0.0.0.0.

domain <domain_name_str>
    Domain name suffix for the IP addresses that the DHCP server assigns to DHCP clients. No default.

enable {enable | disable}
    Enable or disable this DHCP server. Default: enable.

end-ip <address_ipv4>
    The ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients. The start IP and end IP must be in the same subnet. Default: 0.0.0.0.

interface <interface_name>
    The interface of the DHCP server. Default: internal.

ipsec-lease-hold <release_seconds>
    Set the DHCP lease release delay in seconds for DHCP-over-IPSec tunnels when the tunnel goes down. A value of 0 disables the forced expiry of the DHCP-over-IPSec leases. Visible only when server-type is set to ipsec. Default: 60.

lease-time <seconds>
    The interval in seconds after which a DHCP client must ask the DHCP server for new settings. The lease duration must be between 300 and 864,000 seconds (10 days). Set lease-time to 0 for an unlimited lease time. Default: 604,800 (7 days).

netmask <mask>
    The DHCP client netmask assigned by the DHCP server. Default: 0.0.0.0.

option1 <option_code> [<option_hex>]
option2 <option_code> [<option_hex>]
option3 <option_code> [<option_hex>]
    The first, second, and third custom DHCP options that can be sent by the DHCP server. option_code is the DHCP option code in the range 1 to 255. option_hex is an even number of hexadecimal characters. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. No default.

server-type <type>
    Enter the type of client to serve. Default: regular.
    • regular: Client connects through regular Ethernet.
    • ipsec: Client connects through IPSec VPN.

start-ip <address_ipv4>
    The starting IP for the range of IP addresses that this DHCP server assigns to DHCP clients. The start IP and end IP must be in the same subnet. Default: 0.0.0.0.

wins-server1 <wins_ipv4>
    The IP address of the first WINS server that the DHCP server assigns to DHCP clients. Default: 0.0.0.0.

wins-server2 <wins_ipv4>
    The IP address of the second WINS server that the DHCP server assigns to DHCP clients. Default: 0.0.0.0.

config exclude-range
    Configure a range of IP addresses to exclude from the list of DHCP addresses that are available. You can add up to 16 exclusion ranges of IP addresses that the FortiGate DHCP server cannot assign to DHCP clients.

edit <excl_range_num>
    Enter an integer ID for this exclusion range.

end-ip <excl_ipv4>
    The end IP address in the exclusion range. The range is defined by the start-ip and end-ip keywords, which should both be in the same subnet. This keyword applies to exclude-range. Default: 0.0.0.0.

start-ip <excl_ipv4>
    The start IP address in the exclusion range. The range is defined by the start-ip and end-ip keywords, which should both be in the same subnet. This keyword applies to exclude-range. Default: 0.0.0.0.

Example
Use the following command to add a DHCP server named new_dhcp. This DHCP server assigns IP addresses to computers connected to the same network as the internal interface. The IP addresses assigned are in the range 192.168.33.100 to 192.168.33.200. The example DHCP configuration also sets the netmask, default gateway, the lease time, two DNS server IP addresses, and one WINS server.

config system dhcp server
    edit new_dhcp
        set interface internal
        set start-ip 192.168.33.100
        set end-ip 192.168.33.200
        set netmask 255.255.255.0
        set default-gateway 192.168.33.1
        set dns-server1 56.34.56.96
        set dns-server2 56.34.56.99
        set lease-time 4000
        set wins-server1 192.168.25.45
end

The following command shows how to add an exclusion range from 192.168.33.22 to 192.168.33.25.

config system dhcp server
    edit new_dhcp
        config exclude-range
            edit 1
                set start-ip 192.168.33.22
                set end-ip 192.168.33.25
        end
end

History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Added domain keyword.
FortiOS v2.80 MR8 default-router changed to default-gateway. config exclude_range subcommand added (formerly config dhcp exclude_range command).
FortiOS v3.0 Removed edit keyword.
FortiOS v3.0 MR1 Added edit keyword.
FortiOS v3.0 MR3 Removed discard-age keyword.
FortiOS v3.0 MR5 Added ipsec-lease-hold keyword.
FortiOS v3.0 MR6 Changed exclude_range to exclude-range. Added conflicted-ip-timeout keyword.

Related topics
• system dhcp reserved-address
• system interface
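The keyword table and the two examples above state several constraints that the CLI does not make obvious when they interact: start-ip and end-ip in one subnet, exclude-range entries inside that subnet (at most 16), lease-time either 0 or 300 to 864,000 seconds, conflicted-ip-timeout 60 to 8,640,000 seconds, and at most 200 reserved-address entries whose addresses are no longer available to the dynamic pool. The Python below is an added example, not Fortinet code, that checks a server definition against those rules and computes the addresses left for dynamic assignment. NEW_DHCP reproduces the document's new_dhcp example; client_1 at 192.168.33.150 is a constructed reserved address.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class ExcludeRange:                 # one config exclude-range entry
    start_ip: str
    end_ip: str


@dataclass
class ReservedAddress:              # one config system dhcp reserved-address entry
    name: str
    ip: str
    mac: str
    type: str = "regular"           # regular | ipsec


@dataclass
class DhcpServer:                   # one config system dhcp server entry
    name: str
    interface: str
    start_ip: str
    end_ip: str
    netmask: str
    default_gateway: str = "0.0.0.0"
    lease_time: int = 604800        # 7 days; 0 means unlimited
    conflicted_ip_timeout: int = 1800
    server_type: str = "regular"
    exclude_ranges: List[ExcludeRange] = field(default_factory=list)


def validate(server: DhcpServer, reserved: List[ReservedAddress]) -> List[str]:
    """Return the documented constraints this definition breaks; empty means consistent."""
    problems = []
    start, end = ipaddress.ip_address(server.start_ip), ipaddress.ip_address(server.end_ip)
    subnet = ipaddress.ip_network(f"{server.start_ip}/{server.netmask}", strict=False)
    if end not in subnet:
        problems.append("start-ip and end-ip must be in the same subnet")
    if end < start:
        problems.append("end-ip precedes start-ip")
    gateway = ipaddress.ip_address(server.default_gateway)
    if gateway != ipaddress.ip_address("0.0.0.0") and gateway not in subnet:
        problems.append("default-gateway is outside the served subnet")
    if server.lease_time != 0 and not 300 <= server.lease_time <= 864000:
        problems.append("lease-time must be 0 or between 300 and 864000 seconds")
    if not 60 <= server.conflicted_ip_timeout <= 8640000:
        problems.append("conflicted-ip-timeout must be between 60 and 8640000 seconds")
    if len(server.exclude_ranges) > 16:
        problems.append("at most 16 exclude-range entries are allowed")
    for index, rng in enumerate(server.exclude_ranges, 1):
        s, e = ipaddress.ip_address(rng.start_ip), ipaddress.ip_address(rng.end_ip)
        if s not in subnet or e not in subnet or e < s:
            problems.append(f"exclude-range {index} is not a valid range inside the subnet")
    if len(reserved) > 200:
        problems.append("at most 200 reserved-address entries are allowed")
    for r in reserved:
        if not MAC_RE.match(r.mac) or r.mac == "00:00:00:00:00:00":
            problems.append(f"reserved-address {r.name}: invalid MAC {r.mac}")
        if r.type not in ("regular", "ipsec"):
            problems.append(f"reserved-address {r.name}: unknown type {r.type}")
    return problems


def assignable_pool(server: DhcpServer, reserved: List[ReservedAddress]) -> List[str]:
    """Addresses the server can hand out dynamically: start-ip..end-ip minus every
    exclude-range and minus addresses pinned to a MAC by a reserved-address entry."""
    start, end = ipaddress.ip_address(server.start_ip), ipaddress.ip_address(server.end_ip)
    excluded = set()
    for rng in server.exclude_ranges:
        s, e = ipaddress.ip_address(rng.start_ip), ipaddress.ip_address(rng.end_ip)
        excluded.update(ipaddress.ip_address(n) for n in range(int(s), int(e) + 1))
    pinned = {ipaddress.ip_address(r.ip) for r in reserved if r.type == server.server_type}
    return [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)
            if ipaddress.ip_address(n) not in excluded and ipaddress.ip_address(n) not in pinned]


# The document's new_dhcp example, plus one constructed reserved address inside its range.
NEW_DHCP = DhcpServer(name="new_dhcp", interface="internal",
                      start_ip="192.168.33.100", end_ip="192.168.33.200",
                      netmask="255.255.255.0", default_gateway="192.168.33.1",
                      lease_time=4000,
                      exclude_ranges=[ExcludeRange("192.168.33.22", "192.168.33.25")])
RESERVED = [ReservedAddress("client_1", "192.168.33.150", "00:09:0F:0A:01:BC")]
```

Note that the document's exclusion range (.22 to .25) lies outside the .100 to .200 pool, so it removes nothing from it; the reserved address inside the pool does, because that address is always handed to its MAC and must never be offered to another client.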

system dns

Use this command to set the DNS server addresses. Several FortiGate functions, including sending email alerts and URL blocking, use DNS. On models numbered 100 and lower, you can also use this command to configure DNS forwarding; the autosvr and fwdintf keywords are only available on FortiGate models numbered 100 and lower.

Syntax
config system dns
    set autosvr {enable | disable}
    set cache-notfound-responses {enable | disable}
    set dns-cache-limit <integer>
    set dns-cache-ttl <int>
    set domain <domain_name>
    set fwdintf <interface>
    set primary <dns_ipv4>
    set secondary <dns_ip4>
end

Keywords and variables

autosvr {enable | disable}
    Enable or disable DNS forwarding. Available only on models numbered 100 and lower in NAT/Route mode. Default: disable.

cache-notfound-responses {enable | disable}
    Enable to cache NOTFOUND responses from the DNS server. Default: disable.

dns-cache-limit <integer>
    Set the maximum number of entries in the DNS cache. Default: 5000.

dns-cache-ttl <int>
    Enter the duration, in seconds, that the DNS cache retains information. Default: 1800.

domain <domain_name>
    Set the local domain name (optional). No default.

fwdintf <interface>
    Enter the interface to which forwarding applies: internal or dmz. Available only on models numbered 100 and lower in NAT/Route mode. No default.

primary <dns_ipv4>
    Enter the primary DNS server IP address. Default: 65.39.139.53.

secondary <dns_ip4>
    Enter the secondary DNS server IP address. Default: 65.39.139.63.

Example
This example shows how to set the primary FortiGate DNS server IP address to 45.37.121.76 and the secondary FortiGate DNS server IP address to 45.37.121.77.

config system dns
    set primary 45.37.121.76
    set secondary 45.37.121.77
end

History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Added autosvr and fwdintf keywords for models numbered 100 and lower.
FortiOS v2.80 MR8 autosvr disabled by default.
FortiOS v3.0 MR7 Added dns-cache-ttl keyword. Added cache-notfound-responses keyword.
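The three cache keywords above interact: dns-cache-limit caps how many names are kept, dns-cache-ttl bounds how long an answer is reused without asking the configured servers again, and cache-notfound-responses decides whether a NOTFOUND answer is remembered at all. The Python below is an added example of a cache with exactly those three controls; it is not Fortinet code and says nothing about how FortiOS implements its cache. The upstream resolver and the zone data are constructed stand-ins for the primary and secondary servers.

```python
from collections import OrderedDict
from typing import Callable, List, Optional, Tuple

NOTFOUND = None   # what the upstream stub returns for a name that does not exist


class DnsCache:
    """Forwarding cache shaped by dns-cache-limit, dns-cache-ttl and cache-notfound-responses."""

    def __init__(self, cache_limit: int = 5000, cache_ttl: int = 1800,
                 cache_notfound_responses: bool = False):
        self.cache_limit = cache_limit
        self.cache_ttl = cache_ttl
        self.cache_notfound = cache_notfound_responses
        # name -> (time stored, answer); insertion order is the eviction order
        self._entries: "OrderedDict[str, Tuple[float, Optional[List[str]]]]" = OrderedDict()
        self.upstream_queries = 0     # how often the configured DNS servers were asked

    def cached_names(self) -> List[str]:
        return list(self._entries)

    def resolve(self, name: str, upstream: Callable[[str], Optional[List[str]]],
                now: float) -> Optional[List[str]]:
        name = name.lower().rstrip(".")            # DNS names are case-insensitive
        hit = self._entries.get(name)
        if hit is not None:
            stored_at, answer = hit
            if now - stored_at < self.cache_ttl:
                return answer                      # served from cache, upstream not contacted
            del self._entries[name]                # older than dns-cache-ttl: refresh
        self.upstream_queries += 1
        answer = upstream(name)
        if answer is not NOTFOUND or self.cache_notfound:
            self._entries[name] = (now, answer)
            while len(self._entries) > self.cache_limit:
                self._entries.popitem(last=False)  # over dns-cache-limit: drop the oldest
        return answer


# Constructed zone data standing in for the primary/secondary servers.
ZONE = {"www.example.com": ["192.0.2.1"], "mail.example.com": ["192.0.2.25"]}


def stub_upstream(name: str) -> Optional[List[str]]:
    """Stand-in for a query to the configured DNS servers."""
    return ZONE.get(name, NOTFOUND)
```

The practitioner's caveat is the negative cache: with cache-notfound-responses enabled, a NOTFOUND caused by a temporary upstream problem is served for the full dns-cache-ttl (1800 seconds by default), and FortiGuard or alert-email lookups that hit it fail for that long even after the upstream recovers.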

system dynamic-profile (FortiOS Carrier)

MSSP and carrier service providers can use the FortiOS Carrier dynamic profile configuration to dynamically assign protection profiles to customer traffic. The dynamic profile functions like an API between FortiOS Carrier and RADIUS-based accounting systems. Service providers can add customer identifying information and protection profile names to their accounting system. Then, in response to a customer connecting to the service provider network (for example, by using a mobile phone to browse the Web), the service provider accounting system can send a RADIUS Start record to FortiOS Carrier. In real time FortiOS Carrier can extract identifying information and protection profile names from these RADIUS Start records and match the identifying information with the customer communication session. FortiOS Carrier can then dynamically select and apply the protection profile named in the RADIUS Start record to the communication session.

Using the dynamic profile, FortiOS Carrier can receive RADIUS Start records from service provider accounting systems when customers connect to service provider networks. FortiOS Carrier uses the dynamic profile configuration to extract customer identifying information from the RADIUS Start record.

You configure the dynamic profile to:
• Enable dynamically assigning protection profiles
• Select the protocols that FortiOS Carrier can dynamically assign protection profiles to
• Configure the RADIUS options used by FortiOS Carrier to extract information from the RADIUS Start record and to communicate with the RADIUS server
• Change timeouts that control how long FortiOS Carrier keeps entries in the carrier end point list and how long FortiOS Carrier waits for a user context entry to be added after receiving a communication session
• Select the kinds of log messages that FortiOS Carrier writes when dynamic profile events occur

For details about RADIUS attributes see RFC 2138, Remote Authentication Dial In User Service (RADIUS), and RFC 2866, RADIUS Accounting.

Syntax
config system dynamic-profile
    set context-timeout <timeout_seconds>
    set carrier-endpoint-attribute <RADIUS_attribute>
    set hold-time <proxy_hold_time>
    set log-flags <lflags>
    set log-period <log_time>
    set mem-percent <memory_percent>
    set profile-attribute <RADIUS_attribute>
    set profile-attribute-key <profile_attribute_key>
    set radius-response {enable | disable}
    set radius-server-port <RADIUS_listen_port>
    set secret <server_password>
    set status
    set status-ftgd
    set status-ftp
    set status-http
    set status-imap
    set status-im-ips
    set status-log
    set status-nntp
    set status-pop3
    set status-smtp

    set validate-request-secret {enable | disable}
    set vdom <vdom-name>
end

Keywords and variables

context-timeout <timeout_seconds>
    The number of seconds that a user context entry can remain in the user context list without FortiOS Carrier receiving a communication session from the carrier end point. If a user context entry is not being looked up, then the user must no longer be connected to the network. This timeout is only required if FortiOS Carrier doesn't receive the RADIUS Stop record. However, even if the accounting system does send RADIUS Stop records, this timeout should be set in case FortiOS Carrier misses a Stop record. The default user context entry timeout is 28800 seconds (8 hours). You can keep this timeout relatively high because it's not usually a problem to have a long list, but entries that are no longer used should be removed regularly. If this timeout is too low FortiOS Carrier could remove user context entries for users who are still connected. You might want to reduce this timeout if the accounting server does not send RADIUS Stop records. Also, if customer IP addresses change often you might want to set this timeout lower so that out-of-date entries are removed from the list. Set the timeout to 0 if you do not want FortiOS Carrier to remove entries from the list except in response to RADIUS Stop messages. Default: 28800.

carrier-endpoint-attribute <RADIUS_attribute>
    To extract the carrier end point from the RADIUS Start record, this keyword must be set to the name of the RADIUS attribute that contains the carrier end point. You can select the RADIUS_attribute from the list or enter an attribute name. The RADIUS_attribute must match one of the RADIUS attributes in the list. The RADIUS_attribute is case sensitive. Default: Calling-Station-Id.

hold-time <proxy_hold_time>
    If FortiOS Carrier receives a communication session and can't find a corresponding carrier end point and IP address in the user context list, the system waits for the user context creation timeout. If a match is not found after this timeout, FortiOS Carrier applies the protection profile in the firewall policy to the communication session. The default user context creation timeout is 5 seconds. You might want to increase this timeout if the default protection profile is being applied to users instead of the protection profile that should be dynamically assigned. This could be happening if there is a delay before FortiOS Carrier receives the RADIUS Start record from the accounting server. If you set this timeout to 0, FortiOS Carrier blocks communication sessions that do not have a matching entry in the user context list. Default: 5.

log-flags <lflags>
    Enter one or more of the following options to configure FortiOS Carrier to write event log messages for dynamic profile events. You can enter multiple options; separate the options with a space. Default: all options except none.
    • accounting-event: Enable to write an event log message when FortiOS Carrier does not find the expected information in a RADIUS record. For example, if a RADIUS record contains more than the expected number of addresses.
    • accounting-stop-missed: Enable to write an event log message whenever a user context entry timeout expires, indicating that FortiOS Carrier removed an entry from the user context list without receiving a RADIUS Stop message.
    • context-missing: Enable to write an event log message whenever a user context creation timeout expires, indicating that FortiOS Carrier was not able to match a communication session because a matching entry was not found in the user context list.
    • profile-missing: Enable to write an event log message whenever FortiOS Carrier cannot find a protection profile name in a RADIUS Start message that matches the name of a protection profile added to FortiOS Carrier.
    • protocol-error: Enable to write an event log message if RADIUS protocol errors occur. For example, if a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.
    • radiusd-other: Enable to write event log messages for other events. The event is described in the log message. For example, a log message is written if the memory limit for the user context list is reached and the oldest entries in the table have been dropped.
    • none: Disable writing event log messages for dynamic profile events. CLI only.

log-period <log_time>
    The time in seconds to group event log messages for dynamic profile events. For example, if the log message period is 30 seconds, FortiOS Carrier generates groups of event log messages every 30 seconds instead of generating event log messages continuously, and the log messages generated each period contain a count of how many events of that type occurred. If set to 0, FortiOS Carrier generates all event log messages in real time. Default: 0.

mem-percent <memory_percent>
    Maximum percentage of system memory to use for the user context tables. The range is 1 to 25%. Default: 4.

profile-attribute <RADIUS_attribute>
    To extract a protection profile name from the RADIUS Start record, this field must be set to the name of the RADIUS attribute that contains the protection profile name. You can select the RADIUS_attribute from the list or enter an attribute name. The RADIUS_attribute must match one of the RADIUS attributes in the list. The RADIUS_attribute is case sensitive. Default: Class.

profile-attribute-key <profile_attribute_key>
    Enter a string if the profile attribute contains more data than just the protection profile name. The profile key is a text string that always comes directly before the protection profile name in the profile attribute. For example, if the protection profile name always follows the text string profile=, the Class attribute could include the string profile=<profile_name_str>, where <profile_name_str> is the name of the protection profile. Maximum 36 characters. No default.

radius-response {enable | disable}
    Enable if you want FortiOS Carrier to send RADIUS responses after receiving RADIUS Start and Stop records. This setting may be required by your accounting system. Default: disable.

radius-server-port <RADIUS_listen_port>
    If required, change the UDP port number used by the RADIUS accounting server for sending RADIUS records. FortiOS Carrier listens for RADIUS Start and Stop records on this port. Default: 1813.

secret <server_password>
    Enter the RADIUS secret used by the RADIUS accounting server. No default.

status
    Enable the dynamic profile and then configure dynamic profile settings. When you enable the dynamic profile, FortiOS Carrier accepts connections on the radius-server-port. As well, FortiOS Carrier attempts to dynamically assign a protection profile to all communication sessions accepted by any firewall policy that includes a protection profile. Dynamically assigning a protection profile occurs only if a match is found between the carrier end point and source IP address in the communication session and a carrier end point and source IP address received in a RADIUS Start record, and then only if the RADIUS Start record includes a protection profile name. Default: disable.

status-ftgd
    Enable to dynamically assign protection profiles to sessions that include FortiGuard overrides. Disable to exempt sessions that include FortiGuard overrides from being dynamically assigned protection profiles. Default: enable.

status-ftp
    Enable to dynamically assign protection profiles to FTP sessions that are accepted by firewall policies that contain a protection profile. Disable to exempt FTP sessions from being dynamically assigned protection profiles. Default: enable.

status-http
    Enable to dynamically assign protection profiles to HTTP sessions that are accepted by firewall policies that contain a protection profile. Disable to exempt HTTP sessions from being dynamically assigned protection profiles. Default: enable.

status-imap
    Enable to dynamically assign protection profiles to IMAP sessions that are accepted by firewall policies that contain a protection profile. Disable to exempt IMAP sessions from being dynamically assigned protection profiles. Default: enable.

status-im-ips
    Enable to dynamically assign protection profiles to IM, IPS, MM1, MM7, and VoIP sessions that are accepted by firewall policies that contain a protection profile. Disable to exempt IM, IPS, MM1, MM7, and VoIP sessions from being dynamically assigned protection profiles. Default: enable.

status-log
    Enable to insert the appropriate carrier end point into all log messages generated by FortiOS Carrier when these log messages are generated by events related to processing a carrier end point communication session. Default: enable.

status-nntp
    Enable to dynamically assign protection profiles to NNTP sessions that are accepted by firewall policies that contain a protection profile. Disable to exempt NNTP sessions from being dynamically assigned protection profiles. Default: enable.

status-pop3
    Enable to dynamically assign protection profiles to POP3 sessions that are accepted by firewall policies that contain a protection profile. Disable to exempt POP3 sessions from being dynamically assigned protection profiles. Default: enable.

status-smtp
    Enable to dynamically assign protection profiles to SMTP sessions that are accepted by firewall policies that contain a protection profile. Disable to exempt SMTP sessions from being dynamically assigned protection profiles. Default: enable.

validate-request-secret {enable | disable}
    Enable if you want FortiOS Carrier to verify that the RADIUS secret matches the RADIUS secret in the RADIUS Start or Stop record. Verifying the RADIUS secret lets FortiOS Carrier check that the RADIUS record is valid. Default: disable.

vdom <vdom-name>
    Specify the VDOM that receives and sends RADIUS packets. This should be the management VDOM. Default: root.

Example
This example shows how to enable dynamically assigning protection profiles using the config system dynamic-profile command, find the carrier end point in the RADIUS User-Name attribute, and find the protection profile name in the RADIUS Class attribute. The example also configures FortiOS Carrier to send RADIUS responses and to validate the RADIUS secret.

config system dynamic-profile
    set status enable
    set radius-response enable
    set validate-request-secret enable
    set carrier-endpoint-attribute User-Name
    set profile-attribute Class
end

History
FortiOS Carrier v3.0 MR2 New.
FortiOS Carrier v3.0 MR4 Changed general feature description. Changed names of radius-attribute and radius-attribute-key to profile-attribute and profile-attribute-key. Deleted attribute-key. More detailed descriptions added. Added status dynamic profile queries.
FortiOS Carrier v3.0 MR5 MR4 keywords named endpoint-... renamed carrier-endpoint-...

Related topics
• carrier-endpoint-translation (FortiOS Carrier)
• carrier-endpoint-bwl (FortiOS Carrier)
• carrier-endpoint-ip-filter (FortiOS Carrier)
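The keyword table above describes one processing path for an accounting record: optionally verify the shared secret, pull the carrier end point and the profile name out of the attributes named by carrier-endpoint-attribute, profile-attribute and profile-attribute-key, keep the result in a user context list that context-timeout expires, and decide what a new session gets when no entry exists (hold-time, with 0 meaning block). The Python below is an added example that models that path end to end, including the RFC 2866 Request Authenticator check that validate-request-secret implies; it is not Fortinet code and does not describe FortiOS Carrier internals. The packets, profile names and shared secret are constructed test data, and the profile-missing handling (the record is not added to the list) is this example's choice.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ACCOUNTING_REQUEST = 4
START, STOP = 1, 2                                  # Acct-Status-Type values
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40}
ATTR_NAME = {code: name for name, code in ATTR.items()}


def build_acct_request(identifier: int, attrs: List[Tuple[str, bytes]], secret: bytes) -> bytes:
    """Encode an Accounting-Request. RFC 2866: the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", ATTR[n], len(v) + 2) + v for n, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def make_record(identifier: int, status: int, ip: str, endpoint: str, class_value: str,
                secret: bytes) -> bytes:
    """Constructed Start/Stop record of the shape an accounting server would send."""
    return build_acct_request(identifier, [
        ("Acct-Status-Type", struct.pack("!I", status)),
        ("Framed-IP-Address", ipaddress.IPv4Address(ip).packed),
        ("Calling-Station-Id", endpoint.encode()),
        ("Class", class_value.encode())], secret)


def parse_acct_request(pkt: bytes, secret: bytes, validate_secret: bool) -> Optional[Dict[str, str]]:
    """Decode attributes to a name -> text dict; None on a malformed packet or secret mismatch."""
    if len(pkt) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return None
    if validate_secret:                             # validate-request-secret enable
        expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
        if not hmac.compare_digest(expected, pkt[4:20]):
            return None
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        code, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return None                             # malformed attribute header
        value, name = pkt[pos + 2:pos + alen], ATTR_NAME.get(code)
        if name == "Framed-IP-Address":
            attrs[name] = str(ipaddress.IPv4Address(value))
        elif name == "Acct-Status-Type":
            attrs[name] = str(struct.unpack("!I", value)[0])
        elif name:
            attrs[name] = value.decode("utf-8", "replace")
        pos += alen
    return attrs


class DynamicProfile:
    """User context list keyed by (carrier end point, source IP)."""

    def __init__(self, secret: bytes, known_profiles: set,
                 carrier_endpoint_attribute: str = "Calling-Station-Id",
                 profile_attribute: str = "Class", profile_attribute_key: str = "",
                 context_timeout: int = 28800, hold_time: int = 5,
                 validate_request_secret: bool = True):
        self.secret, self.known_profiles = secret, known_profiles
        self.endpoint_attr, self.profile_attr = carrier_endpoint_attribute, profile_attribute
        self.profile_key, self.context_timeout = profile_attribute_key, context_timeout
        self.hold_time, self.validate = hold_time, validate_request_secret
        self.context: Dict[Tuple[str, str], Tuple[float, str]] = {}   # key -> (last seen, profile)
        self.events: List[str] = []                                   # log-flags style event names

    def handle_packet(self, pkt: bytes, now: float) -> str:
        attrs = parse_acct_request(pkt, self.secret, self.validate)
        if attrs is None:
            self.events.append("protocol-error")
            return "protocol-error"
        endpoint, ip = attrs.get(self.endpoint_attr), attrs.get("Framed-IP-Address")
        if endpoint is None or ip is None:
            self.events.append("accounting-event")
            return "accounting-event"
        if attrs.get("Acct-Status-Type") == str(STOP):
            self.context.pop((endpoint, ip), None)
            return "removed"
        raw = attrs.get(self.profile_attr, "")
        name = raw.split(self.profile_key, 1)[1] if self.profile_key and self.profile_key in raw else raw
        if name not in self.known_profiles:
            self.events.append("profile-missing")
            return "profile-missing"
        self.context[(endpoint, ip)] = (now, name)
        return "added"

    def profile_for_session(self, endpoint: str, ip: str, now: float) -> Tuple[str, Optional[str]]:
        """Decision for a new session: the dynamic profile, the policy's profile, or block."""
        entry = self.context.get((endpoint, ip))
        if entry:
            self.context[(endpoint, ip)] = (now, entry[1])   # a lookup restarts context-timeout
            return "dynamic", entry[1]
        self.events.append("context-missing")                # hold-time elapsed with no Start record
        return ("block", None) if self.hold_time == 0 else ("policy-profile", None)

    def expire(self, now: float) -> List[Tuple[str, str]]:
        """Drop entries idle for context-timeout seconds (0 means never expire)."""
        if self.context_timeout == 0:
            return []
        stale = [k for k, (seen, _) in self.context.items() if now - seen >= self.context_timeout]
        for k in stale:
            del self.context[k]
            self.events.append("accounting-stop-missed")
        return stale
```

The authenticator check is the part that matters for security: without validate-request-secret, anyone who can reach the UDP listener on radius-server-port from the vdom named above can inject a Start record that maps an arbitrary end point and IP to the most permissive profile name, so keep the secret check on and restrict which hosts can reach that port.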

system fips-cc

Use this command to set the FortiGate unit into FIPS-CC mode. This is an enhanced security mode that is valid only on FIPS-CC-certified versions of the FortiGate firmware. For more information on FIPS-CC mode, see the FIPS-CC technote on the Knowledge Center website.

Note: When you enable FIPS-CC mode, all of the existing configuration is lost. When switching to FIPS-CC mode, you will be prompted to confirm, and you will have to log in again afterwards.

Syntax

    config system fips-cc
        set status {enable | disable}
    end

Keywords and variables

status {enable | disable}
    Enable to select FIPS-CC mode operation for the FortiGate unit, that is, Federal Information Processing Standards-Common Criteria (FIPS-CC) mode.
    Default: disable

History

FortiOS v3.0 MR6    Command moved from config system global set CC-mode.

system fortianalyzer, fortianalyzer2, fortianalyzer3

Use this command to configure the FortiGate unit to communicate with up to three FortiAnalyzer units. Once communication with the FortiAnalyzer unit(s) has been configured, you then need to configure logging to the FortiAnalyzer units using the log fortianalyzer filter and log fortianalyzer setting commands.

Note: If the FortiGate unit is connected to a FortiAnalyzer device and a FortiManager device through a NAT device, changing any fortianalyzer setting on the FortiGate unit will reset the connection with the FortiManager device. To resolve this issue, create separate virtual IP addresses for the FortiAnalyzer and FortiManager to ensure they do not have the same IP address.

Syntax

The command syntax is the same for fortianalyzer, fortianalyzer2 and fortianalyzer3. status must be set to enable for the other keywords to be visible.

    config system fortianalyzer
        set address-mode {auto-discovery | static}
        set conn-timeout <seconds>
        set encrypt {enable | disable}
        set fdp-device <serial_number>
        set localid <identifier>
        set psksecret <pre-shared_key>
        set server <fortianalyzer_ipv4>
        set status {enable | disable}
        set ver-1 {enable | disable}
    end

Variables

address-mode {auto-discovery | static}
    Select auto-discovery to have the FortiAnalyzer device automatically detect the IP address of this FortiGate unit. Select static if the FortiGate unit has a static IP address.
    Default: static

conn-timeout <seconds>
    Enter the number of seconds before the FortiAnalyzer connection times out.
    Default: 10

encrypt {enable | disable}
    Enable to use an IPSec VPN tunnel for communication. Disable to send data as plain text; with the default, log data and the information in it cross the network unprotected.
    Default: disable

fdp-device <serial_number>
    Enter the serial number of the FortiAnalyzer unit to connect to. This keyword is only available when address-mode is set to auto-discovery.
    No default.

localid <identifier>
    Enter an identifier up to 64 characters long. You must use the same identifier on the FortiGate unit and the FortiAnalyzer unit. This is needed only if encrypt is set to enable.
    No default.

psksecret <pre-shared_key>
    Enter the pre-shared key for the IPSec VPN tunnel. This is needed only if encrypt is set to enable.
    No default.

server <fortianalyzer_ipv4>
    Enter the IP address of the FortiAnalyzer unit. This keyword is only available when address-mode is set to static.
    No default.

status {enable | disable}
    Enable or disable communication with the FortiAnalyzer unit. The other keywords are available only if status is set to enable.
    Default: disable

ver-1 {enable | disable}
    Enable for a FortiAnalyzer 1.0 unit, otherwise disable.
    Default: disable

Example

This example shows how to set the FortiGate unit to communicate with a FortiAnalyzer-400 unit that is using a static IP address of 192.20.120.100, encrypting the log traffic with an IPSec tunnel:

    config system fortianalyzer
        set address-mode static
        set encrypt enable
        set localid fortianalyzer-400
        set psksecret <128-character string>
        set server 192.20.120.100
        set status enable
        set ver-1 disable
        set conn-timeout 60
    end

History

FortiOS v3.0        New.
FortiOS v3.0 MR1    Added address-mode variable.
FortiOS v3.0 MR4    Added conn-timeout variable.

Related topics
• log fortianalyzer setting
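Because encrypt defaults to disable, a FortiAnalyzer target that is merely enabled ships logs across the network in plain text, and an encrypt enable without a matching localid and psksecret cannot bring the tunnel up. The Python below is an added audit script, not Fortinet code: it parses the config ... end / set key value blocks used throughout this reference out of a saved configuration (skipping nested config and edit sections so their settings are not mis-attributed to the outer block) and reports those conditions for each of the three fortianalyzer commands. The sample configuration text is constructed for the example.

```python
import shlex


def parse_fortios_blocks(text: str) -> dict:
    """Parse top-level 'config <path>' ... 'end' blocks into {path: {key: value}}.

    Only flat 'set key value' lines of the top-level block are recorded. Nested
    'config'/'edit' sections (closed by 'end'/'next') are tracked by depth and skipped.
    """
    blocks = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            if current is None:
                current = line[len("config "):].strip()
                blocks[current] = {}
            else:
                depth += 1            # nested table inside the current block
            continue
        if line.startswith("edit "):
            depth += 1
            continue
        if line in ("end", "next"):
            if depth:
                depth -= 1
            else:
                current = None        # top-level block closed
            continue
        if current is not None and depth == 0 and line.startswith("set "):
            parts = shlex.split(line[len("set "):])
            blocks[current][parts[0]] = " ".join(parts[1:])
    return blocks


def audit_fortianalyzer(blocks: dict) -> list:
    """Return (command, finding) pairs for every enabled FortiAnalyzer target."""
    findings = []
    for name in ("system fortianalyzer", "system fortianalyzer2", "system fortianalyzer3"):
        cfg = blocks.get(name)
        if not cfg or cfg.get("status", "disable") != "enable":
            continue                  # disabled targets send nothing
        if cfg.get("encrypt", "disable") != "enable":
            findings.append((name, "logs sent in plain text: encrypt is not enabled"))
        else:
            for required in ("localid", "psksecret"):
                if not cfg.get(required):
                    findings.append((name, f"encrypt enabled but {required} is not set"))
        if cfg.get("address-mode", "static") == "static" and not cfg.get("server"):
            findings.append((name, "address-mode static but no server IP set"))
    return findings


# Constructed sample: one plaintext target, one half-configured tunnel, one disabled
# target, plus an unrelated block with a nested table to exercise the parser.
SAMPLE_CONFIG = """
config system fortianalyzer
    set status enable
    set address-mode static
    set server 192.20.120.100
end
config system fortianalyzer2
    set status enable
    set address-mode static
    set server 192.20.120.101
    set encrypt enable
    set localid fortianalyzer-400
end
config system fortianalyzer3
    set status disable
end
config system fortiguard
    set srv-ovrd enable
    config serv-ovrd-list
        edit 1
            set ip 192.0.2.1
        next
    end
end
"""

if __name__ == "__main__":
    for command, finding in audit_fortianalyzer(parse_fortios_blocks(SAMPLE_CONFIG)):
        print(f"{command}: {finding}")
```

Run against a backup taken with execute backup config, the script flags the first target for plaintext logging and the second for the missing pre-shared key; the corrected form of each is the example configuration above, with encrypt, localid and psksecret all set.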

system fortiguard

Use this command to configure communications with the FortiGuard Distribution Network (FDN) for FortiGuard subscription services such as:
• FortiGuard Antivirus and IPS
• FortiGuard Web Filtering and Antispam
• FortiGuard Analysis and Management Service

For FortiGuard Antivirus and IPS, Web Filtering and Antispam, if you have a FortiManager unit, you can alternatively use this command to configure the FortiGate unit to communicate with a FortiManager system, which can act as a private FortiGuard Distribution Server (FDS) for those services. For example, you might download a local copy of FortiGuard service updates to the FortiManager unit, then redistribute those updates by configuring each FortiGate unit's server override feature to connect to the FortiManager unit's private FDS IP address. For details on configuring the FortiManager system to act as a private FDS, see the FortiManager Administration Guide.

By default, FortiGate units connect to the FDN using a set of default connection settings. You can override these settings to use IP addresses and port numbers other than the defaults. IP address and port number overrides for FortiGuard Analysis and Management Service are configured separately from other FortiGuard services. For details, see "system fortiguard-log" on page 367.

Remote administration by a FortiManager system is mutually exclusive with remote administration by FortiGuard Analysis and Management Service. For details on configuring remote administration by a FortiManager system instead, see "system fortimanager" on page 368. For additional information on the FortiGuard Analysis and Management Service, see the FortiGuard Analysis and Management Service Administration Guide.

Note: If the FortiGate unit is unable to connect to the FDN, verify connectivity on required ports. For a list of required ports, see the Fortinet Knowledge Center article Traffic Types and TCP/UDP Ports Used by Fortinet Products.

Syntax

    config system fortiguard
        set hostname <url_str>
        set port {53 | 8888}
        set srv-ovrd {enable | disable}
        set client-override-ip <ovrd_ipv4>
        set client-override-status {enable | disable}
        set service-account-id <id_str>
        set load-balance-servers <number>
        set analysis-service {enable | disable}
        set antispam-status {enable | disable}
        set antispam-cache {enable | disable}
        set antispam-cache-ttl <ttl_int>
        set antispam-cache-mpercent <ram_int>
        set antispam-timeout <timeout_int>
        set avquery-status {enable | disable}
        set avquery-cache {enable | disable}
        set avquery-cache-ttl <ttl_int>
        set avquery-cache-mpercent <max_int>
        set avquery-timeout <timeout_int>
        set central-mgmt-auto-backup {enable | disable}
        set central-mgmt-scheduled-config-restore {enable | disable}

        set central-mgmt-scheduled-upgrade {enable | disable}
        set central-mgmt-status {enable | disable}
        set webfilter-cache {enable | disable}
        set webfilter-cache-ttl <ttl_int>
        set webfilter-status {enable | disable}
        set webfilter-timeout <timeout_int>
        config serv-ovrd-list
            edit <index_int>
                set ip <ovrd_ipv4>
            end
        end
    end

Variables

hostname <url_str>
    Enter the host name of the primary FortiGuard server. FortiGate unit defaults include the host name; use this keyword only when required to change the host name. This keyword is available only if srv-ovrd is disable.
    Default: service.fortiguard.net

port {53 | 8888}
    Enter the port to use for rating queries to the FortiGuard Web Filtering or FortiGuard Antispam service.
    Default: 53

srv-ovrd {enable | disable}
    Enable to override the primary FortiGuard server set in hostname. Specify override server(s) using config serv-ovrd-list. hostname is not used and is unavailable for configuration when this keyword is enable. Alternatively, configure hostname.
    Default: disable

client-override-ip <ovrd_ipv4>
    Enter the IP address on this FortiGate unit that will be used to connect to the FortiGuard servers. This keyword is available only if client-override-status is enable.
    No default.

client-override-status {enable | disable}
    Enable to force your FortiGate unit to connect to the FortiGuard servers using a specific IP address. You must also configure client-override-ip. Alternatively, configure srv-ovrd.
    Default: disable

service-account-id <id_str>
    Enter the Service Account ID to use with communications with FortiGuard Analysis Service or FortiGuard Management Service.
    No default.

load-balance-servers <number>
    Enter the number of FortiGuard servers to connect to. By default the FortiGate unit always uses the first server in its FortiGuard server list to connect to the FortiGuard network, and load-balance-servers is set to 1. If you set load-balance-servers to 2, the FortiGate unit alternates between checking the first two servers in the FortiGuard server list. You can increase this number up to 20 if you want the FortiGate unit to use a different FortiGuard server each time it contacts the FortiGuard network.
    Default: 1

analysis-service {enable | disable}
    Enable or disable the FortiGuard Analysis and Management Service.
    Default: disable

antispam-status {enable | disable}
    Enable or disable use of FortiGuard Antispam, including the IP address and URL block list.
    Default: disable

antispam-cache {enable | disable}
    Enable or disable caching of FortiGuard Antispam query results. Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL appears as the source of an email. When the cache is full, the least recently used cache entry is replaced.
    Default: disable

antispam-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for antispam cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 1800

antispam-cache-mpercent <ram_int>
    Enter the maximum percentage of memory (RAM) to use for antispam caching. Valid percentage ranges from 1 to 15.
    Default: 2

antispam-expiration
    The expiration date of the FortiGuard Antispam service contract. This variable can be viewed with the get command, but cannot be set.
    Default: N/A

antispam-license
    The interval of time between license checks for the FortiGuard Antispam service contract. This variable can be viewed with the get command, but cannot be set.
    Default: Unknown

antispam-timeout <timeout_int>
    Enter the FortiGuard Antispam query timeout, in seconds. Valid timeout ranges from 1 to 30 seconds.
    Default: 7

avquery-status {enable | disable}
    Enable or disable use of FortiGuard Antivirus.
    Default: disable

avquery-cache {enable | disable}
    Enable or disable caching of FortiGuard Antivirus query results. Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN each time the same item appears in scanned traffic. When the cache is full, the least recently used cache entry is replaced.
    Default: enable

avquery-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for antivirus cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 1800

avquery-cache-mpercent <max_int>
    Enter the maximum percentage of memory to be used for FortiGuard Antivirus query caching. Valid percentage ranges from 1 to 15.
    Default: 2

avquery-expiration
    The expiration date of the FortiGuard Antivirus service contract. This variable can be viewed with the get command, but cannot be set.
    Default: N/A

avquery-license
    The interval of time between license checks for the FortiGuard Antivirus service contract. This variable can be viewed with the get command, but cannot be set.
    Default: Unknown

avquery-timeout <timeout_int>
    Enter the time limit in seconds for the FortiGuard Antivirus service query timeout. Valid timeout ranges from 1 to 30 seconds.
    Default: 7

central-mgmt-auto-backup {enable | disable}
    Enable automatic backup of the FortiGate unit's configuration to FortiGuard Analysis and Management Service upon an administrator's logout or session timeout. This keyword is available only if central-mgmt-status is enable.
    Default: disable

central-mgmt-scheduled-config-restore {enable | disable}
    Enable scheduled restoration of the FortiGate unit's configuration from FortiGuard Analysis and Management Service. This keyword is available only if central-mgmt-status is enable.
    Default: disable

central-mgmt-scheduled-upgrade {enable | disable}
    Enable scheduled upgrades of the FortiGate unit's firmware by FortiGuard Analysis and Management Service. This keyword is available only if central-mgmt-status is enable.
    Default: disable

central-mgmt-status {enable | disable}
    Enable remote administration of the FortiGate unit by FortiGuard Analysis and Management Service. You must also configure service-account-id. For details on configuring the remote management tunnel and connections initiated by the FortiGuard Analysis and Management Service rather than the FortiGate unit, see "system management-tunnel" on page 415. For details on validating or updating the FortiGuard Analysis and Management contract, see "fortiguard-log update" on page 541.
    Default: disable

webfilter-cache {enable | disable}
    Enable or disable caching of FortiGuard Web Filtering query results, including category ratings for URLs. Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL is requested. When the cache is full, the least recently used cache entry is replaced.
    Default: disable

webfilter-cache-ttl <ttl_int>
    Enter a time to live (TTL), in seconds, for web filtering cache entries. When the TTL expires, the cache entry is removed, requiring the FortiGate unit to query the FDN or FortiManager unit the next time that item occurs in scanned traffic. Valid TTL ranges from 300 to 86400 seconds.
    Default: 3600

webfilter-expiration
    The expiration date of the FortiGuard Web Filtering service contract. This variable can be viewed with the get command, but cannot be set.
    Default: N/A

webfilter-license
    The interval of time between license checks for the FortiGuard Web Filtering service contract. Initially, this value is unknown, and is set after contacting the FDN to validate the FortiGuard Web Filtering license. This variable can be viewed with the get command, but cannot be set.
    Default: Unknown

webfilter-status {enable | disable}
    Enable or disable use of the FortiGuard Web Filtering service.
    Default: disable

webfilter-timeout <timeout_int>
    Enter the FortiGuard Web Filtering query timeout, in seconds. Valid timeout ranges from 1 to 30 seconds.
    Default: 15

config serv-ovrd-list

This command is available only if srv-ovrd is enable.

<index_int>
    Enter the index number of a FortiGuard Antivirus and IPS server override.
    No default.

ip <ovrd_ipv4>
    Enter the IP address that will override the default server IP address. This may be the IP address of a FortiManager unit or a specific FDN server.
    Default: 0.0.0.0

Example

This example shows how to configure the FortiGate unit for remote administration by FortiGuard Analysis and Management Service.

    config system fortiguard
        set central-mgmt-status enable
        set service-account-id ExampleCo
        set central-mgmt-auto-backup enable
        set central-mgmt-scheduled-config-restore enable
        set central-mgmt-scheduled-upgrade enable
    end
    config system management-tunnel
    end
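The antispam, antivirus and web filter caches above share one policy: an entry is dropped when its TTL expires, so the next occurrence of that item is queried again, and when the cache is full the least recently used entry is replaced. The Python class below is an added illustration of exactly that policy and is not FortiOS code; its entry capacity and injected clock stand in for the memory percentage and the system clock, and the addresses and verdicts in demo() are made-up values.

```python
from collections import OrderedDict
import time


class RatingCache:
    """TTL-bounded LRU cache with the semantics the FortiGuard cache keywords describe.

    get() returns None for a missing or expired entry, so the caller re-queries the
    rating service exactly as the FortiGate re-queries the FDN; put() evicts the least
    recently used entry when the cache is full.
    """

    def __init__(self, capacity: int, ttl_seconds: int, clock=time.monotonic):
        # Same TTL bounds as the *-cache-ttl keywords (300..86400 seconds).
        if capacity < 1 or not 300 <= ttl_seconds <= 86400:
            raise ValueError("capacity must be >= 1 and TTL within 300..86400 seconds")
        self.capacity = capacity
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = OrderedDict()   # key -> (expires_at, rating); oldest use first
        self.hits = 0
        self.misses = 0

    def get(self, key):
        item = self._entries.get(key)
        if item is None:
            self.misses += 1
            return None
        expires_at, rating = item
        if self.clock() >= expires_at:
            del self._entries[key]       # TTL expired: entry removed, must query again
            self.misses += 1
            return None
        self._entries.move_to_end(key)   # mark as most recently used
        self.hits += 1
        return rating

    def put(self, key, rating):
        if key in self._entries:
            self._entries.move_to_end(key)
        elif len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)   # cache full: drop least recently used
        self._entries[key] = (self.clock() + self.ttl, rating)

    def lookup(self, key, query):
        """Return the cached rating, or call query(key) once and cache its answer."""
        rating = self.get(key)
        if rating is None:
            rating = query(key)
            self.put(key, rating)
        return rating


class FakeClock:
    """Deterministic clock so TTL expiry can be driven explicitly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Exercise LRU replacement and TTL expiry on constructed lookups.

    Returns (keys_queried_in_order, hits, misses).
    """
    clock = FakeClock()
    cache = RatingCache(capacity=2, ttl_seconds=300, clock=clock)
    verdicts = {"198.51.100.7": "spam", "203.0.113.9": "clean", "192.0.2.44": "spam"}
    queried = []

    def query(key):                 # stands in for the FDN round trip
        queried.append(key)
        return verdicts[key]

    cache.lookup("198.51.100.7", query)   # miss: queried and cached
    cache.lookup("203.0.113.9", query)    # miss: cache now full
    cache.lookup("198.51.100.7", query)   # hit: 198.51.100.7 becomes most recently used
    cache.lookup("192.0.2.44", query)     # miss: 203.0.113.9 is the LRU entry and is replaced
    cache.lookup("203.0.113.9", query)    # miss again: re-queried, replacing 198.51.100.7
    clock.advance(300)                    # every remaining entry reaches its TTL
    cache.lookup("192.0.2.44", query)     # miss: expired entry removed and re-queried
    return queried, cache.hits, cache.misses


if __name__ == "__main__":
    print(demo())
```

The trace shows the cost side of the knobs: a small cache or a short TTL turns repeat lookups back into FDN queries, while a long TTL keeps a verdict in use for up to a day after the rating service would have changed it.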

History

FortiOS v3.0        New.
FortiOS v3.0 MR2    Added get system fortiguard-service status command reference.
FortiOS v3.0 MR3    New variables antispam-expiration, antispam-license, avquery-expiration, avquery-license, webfilter-expiration, webfilter-license.
FortiOS v3.0 MR5    Added service-account-id, client-override-ip, central-mgmt-status, central-mgmt-auto-backup, central-mgmt-scheduled-upgrade, and central-mgmt-scheduled-config-restore for FortiGuard Analysis and Management Service and future FortiManager system features.
FortiOS v3.0 MR7, FortiOS Carrier v3.0 MR2    Added load-balance-servers keyword and the analysis-service keyword.

Related topics
• get system dashboard
• system fortiguard-log
• system fortimanager
• system management-tunnel
• fortiguard setting

system fortiguard-log

Use this command to override the default ports and IP addresses that the FortiGate unit connects to for FortiGuard Analysis and Management Service. It configures the connection with the FortiGuard Analysis and Management Service.

Syntax

    config system fortiguard-log
        set controller-ip <address_ipv4>
        set controller-port <port_int>
        set override-controller {enable | disable}
    end

Variables

controller-ip <address_ipv4>
    Enter the IP address of the FortiGuard Analysis and Management Service controller. This option appears only if override-controller is enable.
    Default: 0.0.0.0

controller-port <port_int>
    Enter the port number of the FortiGuard Analysis and Management Service controller. Valid ports range from 0 to 65535. This option appears only if override-controller is enable.
    Default: 0

override-controller {enable | disable}
    Select to override the default FortiGuard Analysis and Management Service controller IP address and/or port.
    Default: disable

Example

This example shows how to override the default IP address and port number to which the FortiGate unit connects when communicating with the FortiGuard Analysis and Management Service for features such as remote logging and reporting.

    config system fortiguard-log
        set override-controller enable
        set controller-ip 172.168.10.5
        set controller-port 1234
    end

History

FortiOS v3.0 MR4            New command.
FortiOS Carrier v3.0 MR4    New.

Related topics
• system fortiguard
• system management-tunnel
• fortiguard setting

system fortimanager

Use this command to configure remote administration using a FortiManager system. You must also configure the FortiManager system to accept connections from the FortiGate unit, and select whether you will configure the FortiGate unit exclusively from the FortiManager system (Management Mode is Central), or sometimes use the FortiGate unit's CLI or web-based manager while still using some remote administration features such as scripts from the FortiManager system (Management Mode is Local). For details, see the FortiManager Administration Guide.

Note: Remote administration by a FortiManager system is mutually exclusive with remote administration by FortiGuard Analysis and Management Service. For details on configuring remote administration by FortiGuard Analysis and Management Service instead, see "system fortiguard" on page 362 and "system management-tunnel" on page 415.

Syntax

    config system fortimanager
        set ip <address_ipv4>
        set vdom <vdom_str>
        set ipsec {enable | disable}
        set central-management {enable | disable}
        set central-mgmt-auto-backup {enable | disable}
        set central-mgmt-schedule-config-restore {enable | disable}
        set central-mgmt-schedule-script-restore {enable | disable}
    end

Variables

central-management {enable | disable}
    Select to enable remote administration from a FortiManager system. This option is available only if, in config system fortiguard, central-mgmt-status is disable.
    Note: This option enables remote administration, but does not affect whether this device's Management Mode in the FortiManager system's Device Manager is Local or Central. If the device's Management Mode is Central, changes to the FortiGate unit's configuration will be made using the FortiManager system's local copy of the device configuration, and so the FortiManager unit will already possess the most current changes to the FortiGate unit's configuration.
    Default: disable

central-mgmt-auto-backup {enable | disable}
    Select to automatically back up FortiGate unit configuration changes to the FortiManager system upon administrator logout or session timeout. This option appears only if central-management is enable. This option applies only if, in the FortiManager system's Device Manager, this device's Management Mode is Local.
    Default: disable

central-mgmt-schedule-config-restore {enable | disable}
    Enable scheduled restoration of the FortiGate unit's configuration from the FortiManager system. After the FortiGate unit has retrieved the scheduled time from the FortiManager system, the FortiGate unit will download the configuration file at the scheduled time and apply the configuration. For details on retrieving the configuration restoration schedule from the FortiManager system, see "execute central-mgmt" on page 588. This option appears only if central-management is enable.
    Default: disable

central-mgmt-schedule-script-restore {enable | disable}
    Enable a scheduled restoration of a FortiGate unit's script from the FortiManager system. After the FortiGate unit has retrieved the scheduled time from the FortiManager system, the FortiGate unit will download the script file at the scheduled time and apply the script. This option appears only if central-management is enable.
    Default: disable

ip <address_ipv4>
    Enter the IP address of the FortiManager system that is allowed to manage this FortiGate unit.
    Default: 0.0.0.0

ipsec {enable | disable}
    Select to apply an IPSec VPN to connections between the FortiManager unit and this FortiGate unit.
    Default: disable

vdom <vdom_str>
    (Optional.) Enter the FortiGate unit virtual domain (VDOM) through which to communicate with the FortiManager unit.
    No default.

Example

This example shows how to configure a secure connection to a FortiManager unit whose IP address is 172.168.2.10, enabling automatic configuration backups to the FortiManager unit but disabling the ability of the FortiManager unit to schedule a change to the FortiGate unit's configuration.

    config system fortimanager
        set central-management enable
        set ip 172.168.2.10
        set ipsec enable
        set central-mgmt-schedule-config-restore disable
        set central-mgmt-auto-backup enable
    end

History

FortiOS v3.0 MR6            New command. Replaces config system fm and defines settings specific to remote management by a FortiManager unit.
FortiOS Carrier v3.0 MR4    New command. Replaces config system fm and defines settings specific to remote management by a FortiManager unit.
FortiOS v3.0 MR7            Added central-mgmt-schedule-script-restore keyword.

system gi-gk (FortiOS Carrier)

This command configures the settings for the Gi gateway firewall. This firewall is used in the anti-overbilling configuration, and can be enabled on a per-interface basis. For more information see "system interface" on page 395.

Syntax

    config system gi-gk
        set context <id_integer>
        set port <tcp_port>
    end

Variables

context <id_integer>
    Enter the context ID for the Gi gateway firewall.

port <tcp_port>
    Enter the TCP port to listen to. Valid range is from 0 to 65535.
    Default: 0

History

FortiOS v3.0 MR5    New.

Related topics
• system interface

system global

Use this command to configure global settings that affect various FortiGate systems and configurations.

Runtime-only config mode was introduced in FortiOS v3.0 MR2. This mode allows you to try out commands that may put your FortiGate unit into an unrecoverable state normally requiring a physical reboot. In runtime-only config mode you can set a timeout so that after a period of no input activity the FortiGate unit will reboot with the last saved configuration. Another option in runtime-only configuration mode is to manually save your configuration periodically to preserve your changes. For more information see set cfg-save {automatic | manual | revert}, set cfg-revert-timeout <seconds>, and execute cfg reload.

The keywords internal-switch-mode {interface | switch} and internal-switch-speed {100full | 100half | 10full | 10half | auto} apply only to switch mode enabled FortiGate models. Switch mode is available on FortiWiFi 60B, FortiGate 60B, 100A (Rev2.0 and higher), and 200A (Rev2.0 and higher) models where the internal interface is a four or six port switch. Normally the internal interface is configured as one interface shared by all four ports. Switch mode allows you to configure each port on the switch separately as its own interface. A VLAN can not be configured on a switch interface. Consult your release notes for the most current list of supported models for this feature.

Syntax

    config system global
        set access-banner {enable | disable}
        set admin-https-pki-required {enable | disable}
        set admin-maintainer {enable | disable}
        set admin-port <port_number>
        set admin-scp {enable | disable}
        set admin-server-cert {self-sign | <certificate>}
        set admin-sport <port_number>
        set admin-ssh-port <port_number>
        set admin-ssh-v1 {enable | disable}
        set admin-telnet-port <port_number>
        set admintimeout <admin_timeout_minutes>
        set auth-cert <cert-name>
        set auth-http-port <http_port>
        set auth-https-port <https_port>
        set auth-keepalive {enable | disable}
        set av-failopen {idledrop | off | one-shot | pass}
        set av-failopen-session {enable | disable}
        set batch_cmdb {enable | disable}
        set cfg-save {automatic | manual | revert}
        set cfg-revert-timeout <seconds>
        set check-reset-range {enable | disable}
        set clt-cert-req {enable | disable}
        set conn-tracking {enable | disable}
        set daily-restart {enable | disable}
        set detection-summary {enable | disable}
        set dst {enable | disable}
        set failtime <failures_count>
        set fds-statistics {enable | disable}
        set fds-statistics-period <minutes>
        set forticlient-portal-port <port>
        set fortiswitch-heartbeat {enable | disable}

        set fsae-burst-size <packets>
        set fsae-rate-limit <pkt_sec>
        set gui-ipv6 {enable | disable}
        set gui-lines-per-page <gui_lines>
        set hostname <unithostname>
        set http-obfuscate {header-only | modified | no-error | none}
        set ie6workaround {enable | disable}
        set internal-switch-mode {interface | switch}
        set internal-switch-speed {100full | 100half | 10full | 10half | auto}
        set interval <deadgw_detect_seconds>
        set ip-src-port-range <start_port>-<end_port>
        set language <language>
        set lcdpin <pin_number>
        set lcdprotection {enable | disable}
        set ldapconntimeout <ldaptimeout_msec>
        set loglocaldeny {enable | disable}
        set management-vdom <domain>
        set ntpserver <ntp_server_address>
        set ntpsync {enable | disable}
        set optimize {antivirus | throughput}
        set phase1-rekey {enable | disable}
        set radius-port <radius_port>
        set refresh <refresh_seconds>
        set remoteauthtimeout <remoteauth_timeout_mins>
        set reset-sessionless-tcp {enable | disable}
        set restart-time <hh:mm>
        set show-backplane-intf {enable | disable}
        set sslvpn-sport <port_number>
        set strong-crypto {enable | disable}
        set syncinterval <ntpsync_minutes>
        set tcp-halfclose-timer <seconds>
        set tcp-halfopen-timer <seconds>
        set tcp-option {enable | disable}
        set tcp-timewait-timer <seconds_int>
        set timezone <timezone_number>
        set tos-based-priority {low | medium | high}
        set tp-mc-skip-policy {enable | disable}
        set udp-idle-timer <seconds>
        set user-server-cert <cert_name>
        set vdom-admin {enable | disable}
        set vip-arp-range {unlimited | restricted}
    end

Keywords and variables

access-banner {enable | disable}
    Enable to display the admin access disclaimer message. For more information see "system replacemsg admin" on page 424.
    Default: disable

admin-https-pki-required {enable | disable}
    Enable to require that users log in by providing a valid certificate when PKI is enabled for HTTPS administrative access. The default setting, disable, allows admin users to log in by providing either a valid certificate or a password.
    Default: disable

admin-maintainer {enable | disable}
    Enable or disable the maintainer account. Enabled by default; disable for CC. The maintainer account allows someone with physical console access to log in after a hard reboot and recover administrative access, so disabling it trades password recovery for protection against that console access.
    Default: enable

admin-port <port_number>
    Enter the port to use for HTTP administrative access.
    Default: 80

admin-scp {enable | disable}
    Enable to allow system configuration download by the secure copy (SCP) protocol.
    Default: disable

admin-server-cert {self-sign | <certificate>}
    Select the admin HTTPS server certificate to use. Choices include self-sign and the filename of any installed certificates. self-sign is the built-in certificate; others will be listed as you add them.
    Default: self-sign

admin-sport <port_number>
    Enter the port to use for HTTPS administrative access.
    Default: 443

admin-ssh-port <port_number>
    Enter the port to use for SSH administrative access.
    Default: 22

admin-ssh-v1 {enable | disable}
    Enable compatibility with SSH v1. SSH v1 has known protocol weaknesses; leave it disabled unless a legacy client requires it.
    Default: disable

admin-telnet-port <port_number>
    Enter the port to use for telnet administrative access.
    Default: 23

admintimeout <admin_timeout_minutes>
    Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
    Default: 5

auth-cert <cert-name>
    HTTPS server certificate for policy authentication. The default setting is Fortinet_Factory, if available, otherwise self-sign.
    Default: see definition

auth-http-port <http_port>
    Set the HTTP authentication port. <http_port> can be from 1 to 65535.
    Default: 1000

auth-https-port <https_port>
    Set the HTTPS authentication port. <https_port> can be from 1 to 65535.
    Default: 1003

auth-keepalive {enable | disable}
    Enable to extend the authentication time of the session through periodic traffic to prevent an idle timeout. This is most useful for Windows applications.
    Default: disable

av-failopen {idledrop | off | one-shot | pass}
    Set the action to take if there is an overload of the antivirus system. Valid options are idledrop, off, one-shot, and pass.
    • Enter idledrop to drop connections based on the clients that have the most connections open. This applies to FortiGate models numbered 300A and higher, and can prevent malicious bots from keeping a connection open to a remote server.
    • Enter off to stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
    • Enter one-shot to bypass the antivirus system when memory is low. You must enter off or pass to restart antivirus scanning.
    • Enter pass to bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
    Default: pass

av-failopen-session {enable | disable}
    When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. This applies to FortiGate models numbered 300A and higher.
    Default: disable

batch_cmdb {enable | disable}
    Enable/disable batch mode. Batch mode is used to enter a series of commands and execute them as a group once they are loaded. For more information, see “execute batch” on page 587. Default: disable.

cfg-save {automatic | manual | revert}
    Set the method for saving the FortiGate system configuration and enter runtime-only configuration mode. Methods for saving the configuration are:
    • automatic - automatically save the configuration after every change
    • manual - manually save the configuration using the execute cfg save command
    • revert - manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires
    Switching to automatic mode disconnects your session. This command is part of the runtime-only configuration mode. See “execute cfg reload” on page 589 for more information. Default: automatic.

cfg-revert-timeout <seconds>
    If cfg-save is set to revert, enter the timeout interval in seconds. If the administrator makes a change and there is no activity for the timeout period, the FortiGate unit automatically reverts to the last saved configuration. Default timeout is 600 seconds. This command is available only when cfg-save is set to revert. This command is used as part of the runtime-only configuration mode. See “execute cfg reload” on page 589 for more information. Default: 600.

check-reset-range {enable | disable}
    Set whether RST out-of-window checking is performed. If set to strict (enable), RST must fall between the last ACK and the next send. If set to disable, no check is performed. Default: disable.

clt-cert-req {enable | disable}
    Enable to require a client certificate before an administrator logs on to the web-based manager using HTTPS. Default: disable.

conn-tracking {enable | disable}
    Enable to have the firewall drop SYN packets after the connection has been established with the remote system. This helps prevent a SYN flood and frees up system resources. Default: enable.

daily-restart {enable | disable}
    Enable to restart the FortiGate unit every day. The time of the restart is controlled by restart-time. Default: disable.

detection-summary {enable | disable}
    Disable to prohibit the collection of detection summary statistics for FortiGuard. Default: enable.

dst {enable | disable}
    Enable or disable daylight saving time. If you enable daylight saving time, the FortiGate unit adjusts the system time when the time zone changes to daylight saving time and back to standard time. Default: enable.

failtime <failures_count>
    Set the dead gateway detection failover interval. Enter the number of times that ping fails before the FortiGate unit assumes that the gateway is no longer functioning. 0 disables dead gateway detection. Default: 5.

fds-statistics {enable | disable}
    Enable or disable AV/IPS signature reporting. If necessary, disable to avoid error messages on HA subordinate units during an AV/IPS update. Default: enable.

fds-statistics-period <minutes>
    Select the number of minutes in the FDS report period. Range is 1 to 1440 minutes. Default: 60.
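The check-reset-range rule above (a RST is honoured only if its sequence number lies between the last ACK and the next send) can be modelled on a session-table entry. This is an added example, not Fortinet code; it assumes the inclusive range [last_ack, next_send] of the side that sent the RST, compared in wrapping 32-bit sequence space, and uses constructed packets.

```python
"""Model of the FortiGate check-reset-range behaviour (added example, not Fortinet code).

Assumption: "between the last ACK and the next send" is read as the inclusive
sequence range [last_ack, next_send] of the side that sent the RST, compared in
modulo-2^32 TCP sequence space.
"""
from dataclasses import dataclass
from typing import List, Tuple

SEQ_MOD = 1 << 32


def seq_between(seq: int, lo: int, hi: int) -> bool:
    """True if lo <= seq <= hi in 32-bit wrapping sequence space."""
    return (seq - lo) % SEQ_MOD <= (hi - lo) % SEQ_MOD


@dataclass
class Side:
    last_ack: int    # last sequence number the peer acknowledged (SND.UNA)
    next_send: int   # next sequence number this side will send (SND.NXT)


@dataclass
class Session:
    client: Side
    server: Side
    alive: bool = True


def handle_rst(session: Session, from_client: bool, rst_seq: int, strict: bool) -> str:
    """Apply one RST to the session table entry.

    strict=True models 'check-reset-range enable': the RST is only honoured when
    its sequence number falls inside the sender's [last_ack, next_send] range.
    strict=False models the default 'disable': no check, any RST clears the session.
    Returns 'reset' or 'dropped'.
    """
    if not session.alive:
        return "dropped"          # no session to match: nothing to reset
    side = session.client if from_client else session.server
    if strict and not seq_between(rst_seq, side.last_ack, side.next_send):
        return "dropped"          # out-of-window RST is ignored
    session.alive = False
    return "reset"


def replay(packets: List[Tuple[bool, int]], strict: bool) -> List[str]:
    """Feed constructed RST packets (from_client, seq) through a fresh session."""
    session = Session(client=Side(last_ack=1000, next_send=1500),
                      server=Side(last_ack=5000, next_send=5200))
    return [handle_rst(session, from_client, seq, strict) for from_client, seq in packets]


# Constructed sample traffic: a RST carrying a guessed sequence number far outside
# the client's window, then a genuine RST from the client at its SND.NXT.
SAMPLE_RSTS = [
    (True, 7_000_000),
    (True, 1500),
]

if __name__ == "__main__":
    print("strict  :", replay(SAMPLE_RSTS, strict=True))    # ['dropped', 'reset']
    print("no check:", replay(SAMPLE_RSTS, strict=False))   # ['reset', 'dropped']
```

With the check disabled the first, out-of-window RST already tears the session down, which is the exposure the strict setting removes.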

forticlient-portal-port <port>
    Enter the HTTP port used to download a copy of FortiClient. On the FortiGate models 1000A, 3600A, and 5005FA2, firewall policies can deny access for hosts that do not have FortiClient Host Security software installed and operating. For more information see the Firewall chapter and System Maintenance chapter of the FortiGate Administration Guide. Default: 8009.

fortiswitch-heartbeat {enable | disable}
    Enable or disable sending heartbeat packets from FortiGate unit backplane fabric interfaces. A FortiSwitch-5003A board receives the heartbeat packets to verify that the FortiGate board is still active. The FortiGate board sends 10 packets per second from each fabric interface. The packets are type 255 bridge protocol data unit (BPDU) packets. This keyword is available for FortiGate-5001A and FortiGate-5005FA2 boards. Default: disable.

fsae-burst-size <packets>
    Set the FSAE burst size in packets. Valid numbers are from 0 to 65535. Default: 300.

fsae-rate-limit <pkt_sec>
    Set the FSAE message rate limit in packets per second. Default: 50.

gui-ipv6 {enable | disable}
    Enable or disable the ability to configure IPv6 using the web-based manager. Default: disable.

gui-lines-per-page <gui_lines>
    Set the number of lines displayed on table lists. Range is from 20 to 1000 lines per page. Default: 100.

hostname <unithostname>
    Enter a name to identify this FortiGate unit. A hostname can only include letters, numbers, hyphens, and underlines. No spaces are allowed. While the hostname can be longer than 16 characters, if it is longer than 16 characters it will be truncated and end with a “~” to indicate it has been truncated. This shortened hostname will be displayed in the CLI and other locations the hostname is used. FortiGate 5000 models support longer hostnames, some up to 35 characters. By default the hostname of your FortiGate unit is its serial number, which includes the model. Default: FortiGate serial number.

http-obfuscate {header-only | modified | no-error | none}
    Set the level at which the identity of the FortiGate web server is hidden or obfuscated.
    • none does not hide the FortiGate web server identity
    • header-only hides the HTTP server banner
    • modified provides modified error responses
    • no-error suppresses error responses
    Default: none.

ie6workaround {enable | disable}
    Enable or disable the workaround for a navigation bar freeze issue caused by using the FortiGate web-based manager with Internet Explorer 6. Default: disable.

internal-switch-mode {interface | switch}
    Set the mode for the internal switch to be one of interface or switch. The internal interface refers to a switch that has 4 network connections. The interface option splits the internal interface into 4 separate interfaces, one for each network connection. The switch option is regular operation with one internal interface that all 4 network connections access. The default value is switch. A VLAN cannot be configured on a switch interface. This applies only to FortiWiFi 60B, FortiGate 60B, 100A (Rev2.0 and higher), and 200A (Rev2.0 and higher) models. Default: switch.

internal-switch-speed {100full | 100half | 10full | 10half | auto}
    Set the speed of the switch used for the internal interface. Choose one of:
    • 100full
    • 100half
    • 10full
    • 10half
    • auto
    100 and 10 refer to 100M or 10M bandwidth. Full and half refer to full or half duplex. Default value is auto. This applies only to FortiWiFi 60B, FortiGate 60B, 100A (Rev2.0 and higher), and 200A (Rev2.0 and higher) models. Default: auto.

interval <deadgw_detect_seconds>
    Select the number of seconds between pings the FortiGate unit sends to the target for dead gateway detection. Selecting 0 disables dead gateway detection. Default: 5.

ip-src-port-range <start_port>-<end_port>
    Specify the IP source port range used for traffic originating from the FortiGate unit. You can use this setting to avoid problems with networks that block some ports, such as FDN ports. The valid range for <start_port> and <end_port> is from 1 to 65535 inclusive. Default: 1024-4999.

language <language>
    Set the web-based manager display language. You can set <language> to one of english, french, japanese, korean, portuguese, simch (Simplified Chinese) or trach (Traditional Chinese). Default: english.

lcdpin <pin_number>
    Set the 6 digit PIN administrators must enter to use the LCD panel. This applies to FortiGate models numbered 300 to 3600. Default: 123456.

lcdprotection {enable | disable}
    Enable or disable LCD panel PIN protection. This applies to FortiGate models numbered 300 to 3600. Default: disable.

ldapconntimeout <ldaptimeout_msec>
    LDAP connection timeout in msec. Default: 500.

loglocaldeny {enable | disable}
    Enable or disable logging of failed connection attempts to the FortiGate unit that use TCP/IP ports other than the TCP/IP ports configured for management access (443 for https, 22 for ssh, 23 for telnet, and 80 for HTTP by default). Default: disable.

management-vdom <domain>
    Enter the name of the management virtual domain. Management traffic such as FortiGuard traffic originates from the management VDOM. Default: root.

ntpserver <ntp_server_address>
    Enter the domain name or IP address of a Network Time Protocol (NTP) server. For more information about NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org. Default: 132.246.168.148.

ntpsync {enable | disable}
    Enable or disable automatically updating the system date and time by connecting to a Network Time Protocol (NTP) server. Default: disable.

optimize {antivirus | throughput}
    Set firmware performance optimization to either antivirus or throughput. This is available on FortiGate models numbered 1000 and higher. Default: antivirus.

phase1-rekey {enable | disable}
    Enable or disable automatic rekeying between IKE peers before the phase 1 keylife expires. Default: enable.

radius-port <radius_port>
    Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your FortiGate unit. Default: 1812.

refresh <refresh_seconds>
    Set the Automatic Refresh Interval, in seconds, for the web-based manager System Status Monitor. Enter 0 for no automatic refresh. Default: 0.

remoteauthtimeout <remoteauth_timeout_mins>
    Timeout for RADIUS/LDAP authentication in minutes. To improve security keep the remote authentication timeout at the default value of 5 minutes. Default: 5.

reset-sessionless-tcp {enable | disable}
    The reset-sessionless-tcp command determines what action the FortiGate unit performs if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out.
    If you disable reset-sessionless-tcp, the FortiGate unit silently drops the packet. The packet originator does not know that the session has expired and might re-transmit the packet several times before attempting to start a new session. This is normal network operation.
    If you enable reset-sessionless-tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session.
    Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. In most cases you should leave reset-sessionless-tcp disabled. Default: disable.

restart-time <hh:mm>
    Enter daily restart time in hh:mm format (hours and minutes). This is available only when daily-restart is enabled. Default: No default.

show-backplane-intf {enable | disable}
    Select enable to show FortiGate-5000 backplane interfaces as port9 and port10. Once these backplanes are visible they can be treated as regular physical interfaces. This is only available on FortiGate-5000 models. Default: disable.

sslvpn-sport <port_number>
    Enter the port to use for SSL-VPN access (HTTPS). This is available in NAT/Route mode only. Default: 443.

strong-crypto {enable | disable}
    Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption. Default: disable.

syncinterval <ntpsync_minutes>
    Enter how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. The syncinterval number can be from 1 to 1440 minutes. Setting to 0 disables time synchronization. Default: 0.

tcp-halfclose-timer <seconds>
    Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds. Default: 120.

tcp-halfopen-timer <seconds>
    Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds. Default: 60.

tcp-option {enable | disable}
    Enable SACK, timestamp and MSS TCP options. For normal operation tcp-option should be enabled. Disable for performance testing or in rare cases where it impairs performance. Default: enable.

tcp-timewait-timer <seconds_int>
    Select the number of seconds the TCP TTL timer will wait before timing out and ending the session. The valid range is 0 to 300 seconds. A value of 0 disables the timer. Default: 120 sec.

timezone <timezone_number>
    The number corresponding to your time zone from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiGate unit from the list and enter the correct number. Default: 00.

tos-based-priority {low | medium | high}
    Select the default system-wide level of priority for Type of Service (TOS). TOS determines the priority of traffic for scheduling. Typically this is set on a per service type level. The value of this keyword is the default setting for when TOS is not configured on a per service level. See system tos-based-priority for more information. Default: high.

tp-mc-skip-policy {enable | disable}
    Enable to allow skipping of the policy check, and to enable multicast through. Default: disable.

udp-idle-timer <seconds>
    Enter the number of seconds before an idle udp connection times out. The valid range is from 1 to 86400 seconds. Default: 180.

user-server-cert <cert_name>
    Select the certificate to use for https user authentication. Default setting is Fortinet_Factory, if available, otherwise self-sign. Default: See definition under Description.

vdom-admin {enable | disable}
    Enable to configure multiple virtual domains. Default: disable.

vip-arp-range {unlimited | restricted}
    vip-arp-range controls the number of ARP packets the FortiGate unit sends for a VIP range. If restricted, the FortiGate unit sends ARP packets for only the first 8192 addresses in a VIP range. If unlimited, the FortiGate unit sends ARP packets for every address in the VIP range. Default: restricted.

Example
This example shows how to enable daylight saving time.

config system global
    set dst enable
end

History
FortiOS v2.80      New.
FortiOS v2.80 MR2  The ip-overlap keyword was changed to allow-interface-subnet-overlap.
FortiOS v2.80 MR3  Added av_failopen and reset_sessionless_tcp keywords.
FortiOS v2.80 MR4  Moved date and time to execute branch. Added phase1-rekey keyword.
FortiOS v2.80 MR6 through FortiOS v3.0 MR7 Patch 1
    The extracted page does not preserve which of the following entries belongs to which of these releases (v2.80 MR6, v3.0, v3.0 MR1, MR2, MR3, MR4, MR5, MR6, MR7, MR7 Patch 1):
    Added admin-https-pki-required, admin-ssh-port, admin-telnet-port, ip_signature, ldapconntimeout, radius-port, remoteauthtimeout, strong-crypto keywords.
    Added ips-open keyword. Removed allow-interface-subnet-overlap, local_anomaly, batch_sleep, opmode keywords. Changed underscore to hyphen in av-failopen, reset-sessionless-tcp. Moved authtimeout and auth-type to config user settings.
    Removed sslvpn-enable keyword. Added av-failopen-session, management-vdom, mc-ttl-notchange, tcp-option, conn-tracking, auth-secure-http, and multicast-forward.
    Added fortiswitch-heartbeat, internal-switch-speed, internal-switch-mode, forticlient-portal-port and tcp-halfopen-timer.
    Removed management-vdom, tcp-halfopen-timer, mc-ttl-notchange, local-anomaly, asymroute, and CC-mode. Added access-banner, admin-maintainer, cfg-save, cfg-revert-timeout, fsae-burst-size, fsae-rate-limit, and fds-statistics-period command.
    Added tos-based-priority, tp-mc-skip-policy, user-server-cert, admin-server-cert, detection-summary, fds-statistics and udp-idle-timer, and tcp-timewait-timer.
    Added new idledrop option for av-failopen command. Modified default value of optimize keyword. Added portuguese to language keyword.
    Modified definition of admin-server-cert and user-server-cert.
    Added auth-cert command.

Related topics
• execute cfg reload
• execute cfg save

system gre-tunnel

Use this command to configure the tunnel for a GRE interface. This command is available only in NAT/Route mode. A new interface of type “tunnel” with the same name is created automatically as the local end of the tunnel. To complete the configuration of a GRE tunnel, you need to:
• configure a firewall policy to pass traffic from the local private network to the tunnel interface
• configure a static route to the private network at the remote end of the tunnel using the GRE tunnel “device”
• optionally, define the IP addresses for each end of the tunnel to enable dynamic routing through the tunnel or to enable pinging of each end of the tunnel for testing

Syntax
config system gre-tunnel
    edit <tunnel_name>
        set interface <interface_name>
        set local-gw <localgw_IP>
        set remote-gw <remotegw_IP>
end

Variables
edit <tunnel_name>
    Enter a name for the tunnel. Default: No default.
interface <interface_name>
    Enter the physical or VLAN interface that functions as the local end of the tunnel. Default: No default.
local-gw <localgw_IP>
    Enter the IP address of the local gateway. Default: No default.
remote-gw <remotegw_IP>
    Enter the IP address of the remote gateway. Default: No default.

Example
In this example, a GRE tunnel is needed between two sites using FortiGate units. At both sites the private network is connected to Port 2 of the FortiGate unit and the connection to the Internet is through Port 1. At Site A, the public IP address is 172.16.67.199 and at Site B it is 172.16.68.198. Users on the 192.168.2.0/24 network at Site A need to communicate with users on the 192.168.3.0/24 network at Site B.

Site A configuration

config system gre-tunnel
    edit toSiteB
        set interface port1
        set local-gw 172.16.67.199
        set remote-gw 172.16.68.198
end

config firewall policy
    edit 1
        set srcintf port2
        set dstintf toSiteB
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toSiteB
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
end

config router static
    edit 1
        set device toSiteB
        set dst 192.168.3.0/24
end

(Optional)
config system interface
    edit toSiteB
        set ip 10.0.0.1/32
        set remote-ip 10.0.0.2
        set allowaccess ping
end

Site B configuration

config system gre-tunnel
    edit toSiteA
        set interface port1
        set local-gw 172.16.68.198
        set remote-gw 172.16.67.199
end

config firewall policy
    edit 1
        set srcintf port2
        set dstintf toSiteA
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toSiteA
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
end

config router static
    edit 1
        set device toSiteA
        set dst 192.168.2.0/24
end

(Optional)
config system interface
    edit toSiteA
        set ip 10.0.0.2/32
        set remote-ip 10.0.0.1
        set allowaccess ping
end

History
FortiOS v3.0  New.

Related topics
• system interface
• firewall policy, policy6
• router static

system ha

Use this command to enable and configure FortiGate high availability (HA) and virtual clustering.

HA is supported on FortiGate and FortiWiFi models numbered 60 and higher.

Using the config system ha command you must configure all cluster members with the same group name, mode, and password before the FortiGate units can form a cluster. Group name, mode, password, as well as priority and group ID are not synchronized between cluster units. The primary unit synchronizes all other configuration settings, including the other HA configuration settings.

Note: You cannot enable HA mode if one of the FortiGate unit interfaces uses DHCP or PPPoE to acquire an IP address. If DHCP or PPPoE is configured, the config ha mode keyword is not available.

When virtual domains are enabled for the FortiGate units to be operating in HA mode you are configuring virtual clustering. Using virtual clustering you create two virtual clusters and add virtual domains to each cluster. Configuring virtual clustering is very similar to configuring normal HA except that in a virtual cluster, the HA mode can only be set to active-passive. As well, additional options are available for adding virtual domains to each virtual cluster and for setting the device priority for each device in each virtual cluster.

For complete information about how to configure and operate FortiGate HA clusters and more detail about the config system ha CLI command, see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center.

Command syntax pattern
config system ha
    set arps <arp_integer>
    set arps-interval <interval_integer>
    set authentication {disable | enable}
    set encryption {disable | enable}
    set group-id <id_integer>
    set group-name <name_str>
    set hb-interval <interval_integer>
    set hb-lost-threshold <threshold_integer>
    set hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>]...
    set helo-holddown <holddown_integer>
    set link-failed-signal {disable | enable}
    set load-balance-all {disable | enable}
    set mode {a-a | a-p | standalone}
    set monitor <interface_names>
    set override {disable | enable}
    set password <password_str>
    set pingserver-failover-threshold <threshold_integer>
    set pingserver-flip-timeout <timeout_integer>
    set pingserver-monitor-interface <interface_names>
    set priority <priority_integer>
    set route-hold <hold_integer>
    set route-ttl <ttl_integer>
    set route-wait <wait_integer>
    set schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
    set session-pickup {disable | enable}

    set sync-config {disable | enable}
    set uninterruptable-upgrade {disable | enable}
    set vdom <vdom_names>
    set vcluster2 {disable | enable}
    set weight <priority_integer> <weight_integer>
    config secondary-vcluster
        set monitor <interface_names>
        set override {disable | enable}
        set priority <priority_integer>
        set vdom <vdom_names>
    end
end

Keywords and variables

arps <arp_integer>
    Set the number of times that the primary unit sends gratuitous ARP packets. Gratuitous ARP packets are sent when a cluster unit becomes a primary unit (this can occur when the cluster is starting up or after a failover). Gratuitous ARP packets configure connected network devices to associate the cluster virtual MAC addresses and cluster IP address with primary unit physical interfaces. (This is sometimes called using gratuitous ARP packets to train the network.) The arps range is 1 to 16.
    Normally you would not need to change the arps setting. However, you may need to increase the number of times the primary unit sends gratuitous ARP packets if your cluster takes a long time to failover or to train the network. Sending more gratuitous ARP packets may help the failover happen faster.
    There may be a number of reasons to reduce the number of times that gratuitous ARP packets are sent. For example, if your cluster has a large number of VLAN interfaces and virtual domains and because gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a lot of network traffic. As long as the cluster still fails over successfully you could reduce the number of times gratuitous ARP packets are sent to reduce the amount of traffic produced after a failover.
    Depending on your network, you may be able to use both the arps and the arps-interval keywords to improve how quickly your cluster fails over. Default: 5.

arps-interval <interval_integer>
    Set the number of seconds to wait between sending gratuitous ARP packets. When a cluster unit becomes a primary unit (this occurs when the cluster is starting up or after a failover) the primary unit sends gratuitous ARP packets immediately to inform connected network equipment of the IP address and MAC address of the primary unit. The primary unit then waits for the number of seconds in the arps-interval and sends the gratuitous ARP packets again. This happens until the gratuitous ARP packets have been sent the number of times set by the arps keyword. The arps-interval range is 1 to 20 seconds.
    Normally you would not need to change the arps-interval. However, you may need to decrease the arps-interval to send gratuitous ARP packets more often if your cluster takes a long time to failover or to train the network.
    There may be a number of reasons to set the arps-interval higher. For example, if your cluster has a large number of VLAN interfaces and virtual domains and because gratuitous ARP packets are broadcast, sending gratuitous ARP packets may generate a lot of network traffic. As long as the cluster still fails over successfully you could increase arps-interval to reduce the amount of traffic produced after a failover. Default: 8.

authentication {disable | enable}
    Enable/disable HA heartbeat message authentication. Enabling HA heartbeat message authentication prevents an attacker from creating false HA heartbeat messages. False HA heartbeat messages could affect the stability of the cluster. Default: disable.

encryption {disable | enable}
    Enable/disable HA heartbeat message encryption. Enabling HA heartbeat message encryption prevents an attacker from sniffing HA packets to get HA cluster information. Default: disable.

group-id <id_integer>
    The HA group ID. The group ID range is from 0 to 63. All members of the HA cluster must have the same group ID. Changing the Group ID changes the cluster virtual MAC address. Default: 0.

group-name <name_str>
    The HA group name. All cluster members must have the same group name. The maximum length of the group name is 32 characters. Default: FGT-HA.

hb-interval <interval_integer>
    The heartbeat interval, which is the time between sending heartbeat packets. The heartbeat interval range is 1 to 20 (100*ms). Default: 2.

hb-lost-threshold <threshold_integer>
    The lost heartbeat threshold, which is the number of seconds to wait to receive a heartbeat packet from another cluster unit before assuming that the cluster unit has failed. The lost heartbeat threshold range is 1 to 60 seconds. Default: 6.

hbdev <interface_name> <priority_integer> [<interface_name> <priority_integer>]...
    Select the FortiGate interfaces to be heartbeat interfaces and set the heartbeat priority for each interface. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic.
    The CLI lists interfaces in alphanumeric order:
    • port1
    • port2 through 9
    • port10
    Hash map order sorts interfaces in the following order:
    • port1
    • port10
    • port2 through port9
    By default two interfaces are configured to be heartbeat interfaces and the priority for both these interfaces is set to 50. On the FortiGate-50B only one interface is configured as the default heartbeat interface. In most cases you can maintain the default hbdev configuration as long as you can connect the hbdev interfaces together.
    The heartbeat interface priority range is 0 to 512. Heartbeat communication must be enabled on at least one interface. If heartbeat communication is interrupted the cluster stops processing traffic. You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces.
    To change the heartbeat interface configuration, enter a list of interface name and priority pairs. Enter the name of each interface followed by the priority. Use a space to separate each interface name and priority pair. If you want to remove an interface from the list, add an interface to the list, or change a priority, you must retype the entire updated list. Default: Depends on the FortiGate model.

helo-holddown <holddown_integer>
    The hello state hold-down time, which is the number of seconds that a cluster unit waits before changing from hello state to work state. A cluster unit changes from hello state to work state when it starts up. The hello state hold-down time range is 5 to 300 seconds. Default: 20.
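The hbdev selection rules above (highest priority wins, ties go to the lowest hash map order, and the whole list must be retyped) can be checked with a small model. This is an added example, not Fortinet code; the hash_map_order function assumes the page's described order is a plain string sort, and the configurations fed to it are constructed.

```python
"""Model of FortiGate HA heartbeat interface selection (added example, not Fortinet code).

It applies the hbdev rules from the page: the interface with the highest priority
carries all heartbeat traffic, ties go to the interface with the lowest hash map
order value, and the hash map order sorts names as plain strings (port1, port10,
port2 ... port9) rather than numerically.
"""
from typing import List, Tuple

HBDEV_MAX_INTERFACES = 8               # page: up to 8 heartbeat interfaces
HBDEV_PRIORITY_RANGE = range(0, 513)   # page: priority range 0 to 512


def parse_hbdev(args: str) -> List[Tuple[str, int]]:
    """Parse the argument string of 'set hbdev' into (interface, priority) pairs.

    Because 'set hbdev' replaces the whole list, the parser validates the complete
    list every time, exactly as an administrator must retype it in full.
    """
    tokens = args.split()
    if not tokens:
        raise ValueError("heartbeat communication must be enabled on at least one interface")
    if len(tokens) % 2:
        raise ValueError("expected interface name and priority pairs")
    pairs = []
    for name, prio in zip(tokens[::2], tokens[1::2]):
        try:
            priority = int(prio)
        except ValueError:
            raise ValueError(f"priority for {name} is not an integer: {prio!r}") from None
        if priority not in HBDEV_PRIORITY_RANGE:
            raise ValueError(f"priority for {name} must be 0 to 512, got {priority}")
        pairs.append((name, priority))
    if len(pairs) > HBDEV_MAX_INTERFACES:
        raise ValueError(f"at most {HBDEV_MAX_INTERFACES} heartbeat interfaces allowed")
    return pairs


def hash_map_order(names: List[str]) -> List[str]:
    """Hash map order as described on the page: plain string sort, so port10 < port2."""
    return sorted(names)


def active_heartbeat_interface(pairs: List[Tuple[str, int]]) -> str:
    """Return the interface that processes all heartbeat traffic."""
    rank = {name: i for i, name in enumerate(hash_map_order([n for n, _ in pairs]))}
    # Highest priority first; among equal priorities the lowest hash map rank wins.
    return min(pairs, key=lambda p: (-p[1], rank[p[0]]))[0]


if __name__ == "__main__":
    # Constructed configurations, not taken from any real cluster.
    for cfg in ("port1 50 port2 50", "port2 50 port10 50", "port3 60 port1 50"):
        print(f"set hbdev {cfg:<22} -> {active_heartbeat_interface(parse_hbdev(cfg))}")
```

The second configuration is the surprising case: with equal priorities, port10 beats port2 because the hash map order is not numeric.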

link-failed-signal {disable | enable}
    Enable or disable shutting down all primary unit interfaces (except for heartbeat device interfaces) for one second when a link failover occurs. If all interfaces are not shut down in this way, some switches may not detect that the primary unit has become a subordinate unit and may keep sending packets to the former primary unit. Default: disable.

load-balance-all {disable | enable}
    If mode is set to a-a, configure active-active HA to load balance TCP sessions and sessions for firewall policies that include protection profiles, or to just load balance sessions for firewall policies that include protection profiles.
    Enter enable to load balance TCP sessions and sessions for firewall policies that include protection profiles.
    Enter disable to load balance only sessions for firewall policies that include protection profiles.
    UDP, ICMP, multicast, and broadcast traffic is never load balanced and is always processed by the primary unit. IPSec VPN traffic, IM traffic, VoIP traffic, and SSL VPN traffic is also always processed only by the primary unit. Default: disable.

mode {a-a | a-p | standalone}
    Set the HA mode.
    Enter a-a to create an Active-Active HA cluster, in which each cluster unit is actively processing connections and monitoring the status of the other FortiGate units.
    Enter a-p to create an Active-Passive HA cluster, in which the primary cluster unit is actively processing all connections and the other cluster units are passively monitoring the cluster status and remaining synchronized with the primary cluster unit.
    All members of an HA cluster must be set to the same HA mode. a-a mode is not available for virtual clusters. Not available if a FortiGate interface mode is set to dhcp or pppoe. Default: standalone.

monitor <interface_names>
    Enable or disable port monitoring for link failure. Port monitoring (also called interface monitoring) monitors FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks.
    Enter the names of the interfaces to monitor. Use a space to separate each interface name. If you want to remove an interface from the list or add an interface to the list you must retype the list with the names changed as required.
    You can monitor physical interfaces, redundant interfaces, and 802.3ad aggregated interfaces but not VLAN subinterfaces or IPSec VPN interfaces. You cannot monitor interfaces that are 4-port switches. This includes the internal interface of FortiGate models 50B, 60, 60M, 100A, 200A, and FortiWiFi-60. This also includes the LAN interface of the FortiGate-500A.
    You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces. Default: No default.

override {disable | enable}
    Enable or disable forcing the cluster to renegotiate and select a new primary unit every time a cluster unit leaves or joins a cluster, changes status within a cluster, or every time the HA configuration of a cluster unit changes. Enabling override makes cluster operation more predictable but may lead to the cluster negotiating more often. During cluster negotiation traffic may be interrupted. The override setting is not synchronized to all cluster units.
    For a virtual cluster configuration, override is enabled by default for both virtual clusters when you enter set vcluster2 enable to enable virtual cluster 2. Usually you would enable virtual cluster 2 and expect one cluster unit to be the primary unit for virtual cluster 1 and the other cluster unit to be the primary unit for virtual cluster 2. For this distribution to occur override must be enabled for both virtual clusters. You can choose to disable override for both virtual clusters once the cluster is operating. Otherwise you will need to restart the cluster to force it to renegotiate. Default: disable; enable when you use set vcluster2 enable to enable virtual cluster 2.

password <password_str>
    Enter a password for the HA cluster. The password must be the same for all FortiGate units in the cluster. The maximum password length is 15 characters. If you have more than one FortiGate HA cluster on the same network, each cluster must have a different password. Default: No default.

pingserver-failover-threshold <threshold_integer>
    Set the HA remote IP monitoring failover threshold. If HA remote monitoring is enabled using the pingserver-monitor-interface, set the failover threshold so that if one or more ping servers fails, cluster failover occurs when the priority of all failed ping servers reaches or exceeds this threshold. The failover threshold range is 0 to 50. Setting the failover threshold to 0 means that if any ping server added to the HA remote IP monitoring configuration fails an HA failover will occur. You set the priority for each remote IP monitoring ping server using the ha-priority keyword of the command “system interface” on page 395. Default: 0.

pingserver-flip-timeout <timeout_integer>
    Set the HA remote IP monitoring flip timeout in minutes. If HA remote IP monitoring fails on all cluster units because none of the cluster units can connect to the monitored IP addresses, the flip timeout stops a failover from occurring until the timer runs out. For example, setting the pingserver-flip-timeout to 120 means that remote IP monitoring can only cause a failover every 120 minutes. The range is 20 to 2147483647 minutes. Default: 60.

pingserver-monitor-interface <interface_names>
    Enable HA remote IP monitoring by specifying the FortiGate unit interfaces that will be used to monitor remote IP addresses. You can configure remote IP monitoring for all types of interfaces including physical interfaces, VLAN interfaces, redundant interfaces and aggregate interfaces. Use a space to separate each interface name. If you want to remove an interface from the list or add an interface to the list you must retype the list with the names changed as required.
    For remote IP monitoring to work you must also:
    • Add ping servers to these interfaces. You can use the detectserver keyword of the command “system interface” on page 395 or you can add ping servers from the web-based manager.
    • Set the ha-priority keyword of the command “system interface” on page 395 for each ping server.
    • Set the pingserver-failover-threshold and pingserver-flip-timeout keywords.
    For more information about configuring HA remote IP monitoring, see “Remote IP Monitoring Example” on page 391.
    Default: No default.

priority <priority_integer>
    Change the device priority of the cluster unit. Each cluster unit can have a different device priority (the device priority is not synchronized among cluster members). During HA negotiation, the cluster unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255.
    Default: 128

route-hold <hold_integer>
    The time that the primary unit waits between sending routing table updates to subordinate units in a cluster. The route hold range is 0 to 3600 seconds.
    Default: 10

route-ttl <ttl_integer>
    The time to live for routes in a cluster unit routing table. The time to live range is 0 to 3600 seconds. The time to live controls how long routes remain active in a cluster unit routing table after the cluster unit becomes a primary unit. To maintain communication sessions after a cluster unit becomes a primary unit, routes remain active in the routing table for the route time to live while the new primary unit acquires new routes.
    Default: 10

route-wait <wait_integer>
    The time the primary unit waits after receiving a routing table update before sending the update to the subordinate units in the cluster. For quick routing table updates to occur, set route-wait to a relatively short time so that the primary unit does not hold routing table changes for too long before updating the subordinate units. The route-wait range is 0 to 3600 seconds.
    Default: 0

schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
    Active-active load balancing schedule.
    none: no load balancing. Use none when the cluster interfaces are connected to load balancing switches.
    hub: load balancing if the cluster interfaces are connected to hubs. Traffic is distributed to cluster units based on the Source IP and Destination IP of the packet.
    leastconnection: least connection load balancing. If the cluster units are connected using switches, use leastconnection to distribute traffic to the cluster unit currently processing the fewest connections.
    round-robin: round robin load balancing. If the cluster units are connected using switches, use round-robin to distribute traffic to the next available cluster unit.
    weight-round-robin: weighted round robin load balancing. Similar to round robin, but you can use the weight keyword to assign weighted values to each of the units in a cluster based on their capacity and on how many connections they are currently processing. For example, the primary unit should have a lower weighted value because it handles scheduling and forwards traffic. Weighted round robin distributes traffic more evenly because units that are not processing traffic are more likely to receive new connections than units that are very busy.
    random: random load balancing. If the cluster units are connected using switches, use random to randomly distribute traffic to cluster units.
    ip: load balancing according to IP address. If the cluster units are connected using switches, use ip to distribute traffic to units in a cluster based on the Source IP and Destination IP of the packet.
    ipport: load balancing according to IP address and port. If the cluster units are connected using switches, use ipport to distribute traffic to units in a cluster based on the source IP, source port, destination IP, and destination port of the packet.
    Default: round-robin

session-pickup {disable | enable}
    Enable or disable session pickup. Enable session-pickup so that if the primary unit fails, all sessions are picked up by the new primary unit. If you enable session pickup the subordinate units maintain session tables that match the primary unit session table. If the primary unit fails, the new primary unit can maintain all active communication sessions. If you do not enable session pickup the subordinate units do not maintain session tables. If the primary unit fails all sessions are interrupted and must be restarted when the new primary unit is operating. You must enable session pickup for effective failover protection. If you do not require effective failover protection, leaving session pickup disabled may reduce HA CPU usage and reduce HA heartbeat network bandwidth usage.
    Default: disable

sync-config {disable | enable}
    Enable or disable automatic synchronization of primary unit configuration changes to all cluster units.
    Default: enable

uninterruptable-upgrade {disable | enable}
    Enable or disable upgrading the cluster without interrupting cluster traffic processing. If uninterruptable-upgrade is enabled, traffic processing is not interrupted during a normal firmware upgrade. This process can take some time and may reduce the capacity of the cluster for a short time. If uninterruptable-upgrade is disabled, traffic processing is interrupted during a normal firmware upgrade (similar to upgrading the firmware operating on a standalone FortiGate unit).
    Default: enable

weight <priority_integer> <weight_integer>
    The weighted round robin load balancing weight to assign to each cluster unit. When you set schedule to weight-round-robin you can use the weight keyword to set the weight of each cluster unit. The weight is set according to the priority of the unit in the cluster. priority_integer is a number from 0 to 31 that identifies the priority of the cluster unit. weight_integer is a number between 0 and 31 that is the weight assigned to the cluster units according to their priority in the cluster. Increase the weight to increase the number of connections processed by the cluster unit with that priority. The default weight of 1 1 1 1 means that the first four units in the cluster all have the same weight of 1. A FortiGate HA cluster can contain up to 32 FortiGate units so you can set up to 32 weights. weight is available when mode is set to a-a and schedule is set to weight-round-robin.
    Default: 1 1 1 1

vdom <vdom_names>
    Add virtual domains to virtual cluster 1 or virtual cluster 2. In the config system ha shell, use set vdom to add virtual domains to virtual cluster 1. In the config secondary-vcluster shell, use set vdom to add virtual domains to virtual cluster 2. Adding a virtual domain to virtual cluster 1 removes that virtual domain from virtual cluster 2. Adding a virtual domain to virtual cluster 2 removes it from virtual cluster 1. You can add virtual domains one at a time or you can add multiple virtual domains at a time. For example, entering set vdom domain_1 followed by set vdom domain_2 has the same result as entering set vdom domain_1 domain_2. You can use vdom to add virtual domains to a virtual cluster in any combination.
    Default: All virtual domains are added to virtual cluster 1.

vcluster2 {disable | enable}
    Enable or disable virtual cluster 2. Virtual cluster 2 is also called the secondary virtual cluster. When virtual cluster 2 is enabled you can use config secondary-vcluster to configure virtual cluster 2. In the global virtual domain configuration, virtual cluster 2 is enabled by default. Disable virtual cluster 2 to move all virtual domains from virtual cluster 2 back to virtual cluster 1. Enabling virtual cluster 2 enables override for virtual cluster 1 and virtual cluster 2.
    Default: disable

config secondary-vcluster
    Configure virtual cluster 2. You must enable vcluster2. Then you can use config secondary-vcluster to set monitor, override, priority, and vdom for virtual cluster 2.
    Default: Same defaults as virtual cluster 1 except that the default value for override is enable.

Examples
This example shows how to configure a FortiGate unit for active-active HA operation. In the example virtual domains are not enabled. The example shows how to set up a basic HA configuration by setting the HA mode, changing the group-name, and entering a password. You would enter the exact same commands on every FortiGate unit in the cluster.

config system ha
    set mode a-a
    set group-name myname
    set password HApass
end
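The weight keyword above assigns one weight per cluster-unit priority (0 to 31), and the reference's own three-unit weight example (weights 1, 3 and 3) shows the primary unit taking one new connection and each subordinate unit taking the next three in turn. The following Python model is an added example, not FortiGate code: it converts a list of set weight commands into that distribution so the effect of a weight table can be checked before it is applied to a cluster. Two points are this example's assumptions rather than statements of the reference: a unit whose priority has no set weight line keeps the default weight of 1, and a unit with weight 0 receives no new connections.

```python
"""Model of `set schedule weight-round-robin` / `set weight <priority> <weight>`.

Added example, not FortiGate code. It reproduces the documented behaviour:
weights are keyed by a unit's priority (position 0..31) in the cluster, and
each unit takes `weight` consecutive new connections before the scheduler
moves to the next unit. Assumptions: a priority with no `set weight` line
keeps the default weight 1, and weight 0 means the unit gets no connections.
"""
from typing import Dict, Iterator, List


def parse_weight_commands(lines: List[str]) -> Dict[int, int]:
    """Collect `set weight <priority> <weight>` lines into {priority: weight}.

    Both values are limited to 0..31, the range given for the weight keyword;
    other configuration lines (config, set schedule, end) are ignored.
    """
    weights: Dict[int, int] = {}
    for line in lines:
        parts = line.split()
        if parts[:2] != ["set", "weight"]:
            continue
        if len(parts) != 4:
            raise ValueError(f"malformed weight command: {line!r}")
        priority, weight = int(parts[2]), int(parts[3])
        if not (0 <= priority <= 31 and 0 <= weight <= 31):
            raise ValueError(f"priority and weight must be 0..31: {line!r}")
        weights[priority] = weight
    return weights


def weighted_round_robin(unit_count: int, weights: Dict[int, int]) -> Iterator[int]:
    """Yield the priority of the cluster unit that receives each new connection."""
    if not 1 <= unit_count <= 32:
        raise ValueError("a FortiGate HA cluster holds 1 to 32 units")
    schedule = [(p, weights.get(p, 1)) for p in range(unit_count)]  # assumption: default 1
    if all(w == 0 for _, w in schedule):
        raise ValueError("every unit has weight 0; nothing can accept connections")
    while True:
        for priority, weight in schedule:
            for _ in range(weight):  # weight 0 skips the unit (assumption)
                yield priority


def distribute(unit_count: int, weights: Dict[int, int], connections: int) -> List[int]:
    """Priorities of the units that handle the first `connections` new sessions."""
    scheduler = weighted_round_robin(unit_count, weights)
    return [next(scheduler) for _ in range(connections)]


def per_unit_counts(assignment: List[int], unit_count: int) -> List[int]:
    """How many of the assigned connections each priority received."""
    counts = [0] * unit_count
    for priority in assignment:
        counts[priority] += 1
    return counts


if __name__ == "__main__":
    weights = parse_weight_commands([
        "config system ha",
        "    set schedule weight-round-robin",
        "    set weight 0 1",
        "    set weight 1 3",
        "    set weight 2 3",
        "end",
    ])
    print(distribute(3, weights, 7))               # [0, 1, 1, 1, 2, 2, 2]
    print(per_unit_counts(distribute(3, weights, 14), 3))  # [2, 6, 6]
```

Running the module shows the documented pattern for weights 1, 3, 3: the primary unit (priority 0) takes one connection, then each subordinate unit takes three, and over a full cycle the subordinates each carry three times the primary unit's share.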

The following example shows how to configure a FortiGate unit with virtual domains enabled for active-passive HA operation. The example shows how to set up a basic HA configuration similar to the previous example, except that the HA mode can only be set to a-p. In addition, the example shows how to enable vcluster2 and how to add the virtual domains domain_2 and domain_3 to vcluster2. In the example, the FortiGate unit is configured with three virtual domains (domain_1, domain_2, and domain_3) in addition to the root virtual domain. The example involves connecting to the virtual cluster CLI and changing the global configuration.

config global
    config system ha
        set mode a-p
        set group-name myname
        set password HApass
        set vcluster2 enable
        config secondary-vcluster
            set vdom domain_2 domain_3
        end
    end
end

The following example shows how to change the device priority of the primary unit to 200 so that this cluster unit always becomes the primary unit. When you log into the cluster you are actually connecting to the primary unit. When you change the device priority of the primary unit this change only affects the primary unit because the device priority is not synchronized to all cluster units. After you enter the following commands the cluster renegotiates and may select a new primary unit.

config system ha
    set priority 200
end

The following example shows how to change the device priority of a subordinate unit to 255 so that this subordinate unit becomes the primary unit. This example involves connecting to the cluster CLI and using the execute ha manage 0 command to connect to the highest priority subordinate unit. After you enter the following commands the cluster renegotiates and selects a new primary unit.

execute ha manage 0
config system ha
    set priority 255
end

The following example shows how to change the device priority of the primary unit in virtual cluster 2. In the example virtual cluster 2 has already been enabled so all you have to do is use the config secondary-vcluster command to configure virtual cluster 2.

config global
    config system ha
        config secondary-vcluster
            set priority 50
        end
    end
end

The following example shows how to change the default heartbeat interface configuration so that the port4 and port1 interfaces can be used for HA heartbeat communication and to give the port4 interface the highest heartbeat priority so that port4 is the preferred HA heartbeat interface.

config system ha
    set hbdev port4 100 port1 50
end

The following example shows how to enable monitoring for the external, internal, and DMZ interfaces.

config system ha
    set monitor external internal dmz
end

The following example shows how to configure weighted round robin weights for a cluster of three FortiGate units. You can enter the following commands to configure the weight values for each unit:

Table 6: Example weights for three cluster units
    Cluster unit priority    Weight
    0                        1
    1                        3
    2                        3

config system ha
    set schedule weight-round-robin
    set weight 0 1
    set weight 1 3
    set weight 2 3
end

These commands have the following results:
• The first connection is processed by the primary unit (priority 0, weight 1)
• The next three connections are processed by the first subordinate unit (priority 1, weight 3)
• The next three connections are processed by the second subordinate unit (priority 2, weight 3)
The subordinate units process more connections than the primary unit, and both subordinate units, on average, process the same number of connections.

This example shows how to display the settings for the system ha command.

get system ha

This example shows how to display the configuration for the system ha command.

show system ha

Remote IP Monitoring Example
HA remote IP monitoring is similar to HA port monitoring. Port monitoring causes a cluster to failover if a monitored primary unit interface fails or is disconnected. Remote IP monitoring uses ping servers configured on FortiGate interfaces on the primary unit to test connectivity with IP addresses of network devices. Usually these would be IP addresses of network devices not directly connected to the cluster. Remote IP monitoring causes a failover if one or more of these remote IP addresses does not respond to a ping server.

Using remote IP monitoring to select a new primary unit can be useful in a number of ways depending on your network configuration. For example, in a full mesh HA configuration, with remote IP monitoring the cluster can detect failures in network equipment that is not directly connected to the cluster but that would interrupt traffic processed by the cluster if the equipment failed. In the example topology shown in Figure 2, the switch connected directly to the primary unit is operating normally but the link on the other side of the switches fails. As a result traffic can no longer flow between the primary unit and the Internet.

To detect this failure you can create a remote IP monitoring configuration consisting of a ping server on port2 of the cluster. The primary unit tests connectivity to 192.168.20.20. If the ping server cannot connect to 192.168.20.20 the cluster fails over and the subordinate unit becomes the new primary unit. The remote HA monitoring ping server on the new primary unit can connect to 192.168.20.20, so the failover maintains connectivity between the internal network and the Internet through the cluster.

Figure 2: Example HA remote IP monitoring topology
(Figure not reproduced. It shows the Internet above a router at the monitored IP address 192.168.20.20, a switch between that router and port2 of each cluster unit, a second pair of switches connecting port1 of each unit to a router in front of the internal network, a link failure between the router and the switch on the primary unit's side so that the primary unit cannot reach the monitored IP and causes an HA failover, and the physical link on the subordinate unit's side still operating.)

To configure remote IP monitoring
1   Enter the following commands to configure HA remote monitoring for the example topology.
    • Enter the pingserver-monitor-interface keyword to enable HA remote IP monitoring on port2.
    • Enter the pingserver-failover-threshold keyword to set the HA remote IP monitoring failover threshold to 10. If one or more ping servers fails, cluster failover occurs when the priority of all failed ping servers reaches or exceeds this threshold. You set the priority for each ping server using the ha-priority keyword as described in step 2 below.
    • Enter the pingserver-flip-timeout keyword to set the flip timeout to 120 minutes. After a failover, if HA remote IP monitoring on the new primary unit also causes a failover, the flip timeout prevents the failover from occurring until the timer runs out. Setting the pingserver-flip-timeout to 120 means that remote IP monitoring can only cause a failover every 120 minutes. This flip timeout is required to prevent repeating failovers if remote IP monitoring causes a failover from all cluster units because none of the cluster units can connect to the monitored IP addresses.

    config system ha
        set pingserver-monitor-interface port2
        set pingserver-failover-threshold 10
        set pingserver-flip-timeout 120
    end

2   Enter the following commands to add the ping server to the port2 interface and to set the HA remote IP monitoring priority for this ping server.
    • Enter the detectserver keyword to add the ping server and set the ping server IP address to 192.168.20.20.
    • Enter the ha-priority keyword to set the HA remote IP monitoring priority of the ping server to 10 so that if this ping server does not connect to 192.168.20.20 the HA remote IP monitoring priority will be high enough to reach the failover threshold and cause a failover.

    config system interface
        edit port2
            set detectserver 192.168.20.20
            set ha-priority 10
    end

3   You can also use the config system global command to change the time interval between ping server pings using the interval keyword and to change the number of times that the ping fails before a failure is detected using the failtime keyword.

4   You can also do the following to configure HA remote IP monitoring to test more IP addresses:
    • Enable HA remote IP monitoring on more interfaces by adding more interface names to the pingserver-monitor-interface keyword. If your FortiGate configuration includes VLAN interfaces, aggregate interfaces and other interface types, you can add the names of these interfaces to the pingserver-monitor-interface keyword to configure HA remote IP monitoring for these interfaces.
    • Add a second IP address to the detectserver keyword to monitor two IP addresses on each interface.

    Note: If you add two IP addresses to the detectserver keyword the ping will be sent to both at the same time, and only when neither server responds will the ping server fail.
    • Add secondary IPs to any interface and enter detectserver and ha-priority for each of the secondary IPs. You can do this to monitor multiple IP addresses on any interface and set a different HA priority for each one.

By adding multiple ping servers to the remote HA monitoring configuration and setting the HA priorities for each you can fine tune remote IP monitoring. For example, if it is more important to maintain connections to some remote IPs you can set the HA priorities higher for these IPs, and if it is less important to maintain connections to other remote IPs you can set the HA priorities lower for these IPs. You can also adjust the pingserver-failover-threshold so that if the cluster cannot connect to one or two high priority IPs a failover occurs, but a failover will not occur if the cluster cannot connect to one or two low priority IPs.

Command History
The entries for FortiOS v2.80, v2.80 MR2, v2.80 MR5, v2.80 MR6, v2.80 MR7, v2.80 MR10, v2.0 MR3, v2.0 MR5, v3.0, v3.0 MR4, v3.0 MR5, v3.0 MR6 and v3.0 MR7 record the following changes to this command:
• Revised.
• Added the authentication, encryption, arps, heloholddown, hb-lost-threshold, and hb-interval keywords.
• Added the route-hold, route-wait, and route-ttl keywords.
• Changes to the weight keyword.
• Added the uninterruptable-upgrade keyword.
• FortiOS v2.80 MR10: new link-failed-signal keyword.
• The monitor and hbdev functionality has been simplified; priority numbers are no longer supported.
• Added the group-name, vdom, vcluster2, and config secondary-vcluster keywords.
• Added the session-pickup and sync-config keywords.
• Added the load-balance-all keyword.
• Priorities added back to the hbdev keyword.
• Added the arps-interval, pingserver-monitor-interface, pingserver-failover-threshold, and pingserver-flip-timeout keywords.
• Improved the description of the arps keyword.
• The maximum length of the group-name increased from 7 to 32 characters.
• In a virtual cluster configuration override is enabled for virtual cluster 1 and virtual cluster 2 when you enter set vcluster2 enable to enable virtual cluster 2.
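The remote IP monitoring rules described in this section combine in ways that are easy to get wrong when several ping servers are involved: the ha-priority values of every failed ping server on a monitored interface are summed against pingserver-failover-threshold, a threshold of 0 means any single failure triggers a failover, a two-address detectserver fails only when neither address answers, and pingserver-flip-timeout suppresses a repeat failover. The following Python model is an added example, not FortiGate code, that encodes those rules so a planned configuration can be checked against sample reachability states before it is committed. The class and function names, the reachability table, and the treatment of the flip timeout as "minutes since remote IP monitoring last caused a failover" are this example's own assumptions; the value ranges come from the keyword descriptions above.

```python
"""Decision model for FortiGate HA remote IP monitoring (added example, not
FortiGate code). It encodes the documented rules for ha-priority,
pingserver-failover-threshold, pingserver-flip-timeout and a one- or
two-address detectserver so configurations can be reasoned about offline.
Reachability results are supplied by the caller (constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PingServer:
    interface: str               # interface (or secondary IP) carrying detectserver
    addresses: Tuple[str, ...]   # one or two monitored IP addresses
    ha_priority: int             # ha-priority, documented range 0 to 50

    def __post_init__(self) -> None:
        if not 1 <= len(self.addresses) <= 2:
            raise ValueError("detectserver takes one or two IP addresses")
        if not 0 <= self.ha_priority <= 50:
            raise ValueError("ha-priority range is 0 to 50")

    def failed(self, reachable: Dict[str, bool]) -> bool:
        """Both addresses are pinged together; the ping server fails only when
        neither responds. An address missing from the table counts as silent."""
        return not any(reachable.get(ip, False) for ip in self.addresses)


@dataclass
class RemoteIpMonitor:
    monitored_interfaces: Sequence[str]   # pingserver-monitor-interface
    failover_threshold: int = 0           # pingserver-failover-threshold, 0 to 50
    flip_timeout_minutes: int = 60        # pingserver-flip-timeout, 20 to 2147483647

    def __post_init__(self) -> None:
        if not 0 <= self.failover_threshold <= 50:
            raise ValueError("failover threshold range is 0 to 50")
        if not 20 <= self.flip_timeout_minutes <= 2147483647:
            raise ValueError("flip timeout range is 20 to 2147483647 minutes")

    def failed_priority(self, servers: Sequence[PingServer],
                        reachable: Dict[str, bool]) -> Tuple[int, List[PingServer]]:
        """Sum of ha-priority over failed ping servers on monitored interfaces."""
        failed = [s for s in servers
                  if s.interface in self.monitored_interfaces and s.failed(reachable)]
        return sum(s.ha_priority for s in failed), failed

    def threshold_reached(self, servers: Sequence[PingServer],
                          reachable: Dict[str, bool]) -> bool:
        total, failed = self.failed_priority(servers, reachable)
        if not failed:
            return False
        # Threshold 0 means "any failed ping server", not "sum >= 0", which
        # would otherwise be true even when nothing has failed.
        return self.failover_threshold == 0 or total >= self.failover_threshold

    def should_fail_over(self, servers: Sequence[PingServer], reachable: Dict[str, bool],
                         minutes_since_last_flip: Optional[int]) -> bool:
        """None means remote IP monitoring has not caused a failover yet;
        otherwise the flip timeout suppresses a repeat until it has elapsed
        (assumption about how the timer is tracked)."""
        if not self.threshold_reached(servers, reachable):
            return False
        if minutes_since_last_flip is None:
            return True
        return minutes_since_last_flip >= self.flip_timeout_minutes


if __name__ == "__main__":
    # The configuration from the Remote IP Monitoring Example above.
    monitor = RemoteIpMonitor(["port2"], failover_threshold=10, flip_timeout_minutes=120)
    servers = [PingServer("port2", ("192.168.20.20",), 10)]
    print(monitor.should_fail_over(servers, {"192.168.20.20": False}, None))  # True
    print(monitor.should_fail_over(servers, {"192.168.20.20": False}, 30))    # False
```

The checks worth running against a real plan are the negative ones: two ping servers whose priorities add up to less than the threshold never trigger a failover however long they stay down, a ping server on an interface missing from pingserver-monitor-interface is ignored entirely, and a failover that has just happened is held back for the whole flip timeout even if the new primary unit cannot reach the monitored addresses either.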

interface
Use this command to edit the configuration of a FortiGate physical interface, VLAN subinterface, IEEE 802.3ad aggregate interface, redundant interface or IPSec tunnel interface. In the following table, VLAN subinterface can be substituted for interface in most places except that you can only configure VLAN subinterfaces with static IP addresses. Some keywords are specific to aggregate interfaces. These appear at the end of the list of commands under “variables for aggregate and redundant interfaces (models 300A, 310B, 400A, 500A, 620B and 800 or higher)” on page 410.

Some FortiGate models support switch mode for the internal interfaces. Switch mode allows you to configure each interface on the switch separately with their own interfaces. A VLAN can not be configured on a switch interface. For more information see “global” on page 371.

Note: VLAN communication over the backplane interfaces is available for FortiGate-5000 modules installed in a FortiGate-5020 chassis. The FortiSwitch-5003 does not support VLAN-tagged packets so VLAN communication is not available over the FortiGate-5050 and FortiGate-5140 chassis backplanes.

Syntax
Use the edit command to add a VLAN subinterface. Entering a name string for the edit keyword that is not the name of a physical interface adds a VLAN subinterface.

config system interface
    edit <interface_name>
        set allowaccess <access_types>
        set alias <name_string>
        set arpforward {enable | disable}
        set auth-type <ppp_auth_method>
        set bfd {enable | disable | global}
        set bfd-desired-min-tx <interval_msec>
        set bfd-detect-mult <multiplier>
        set bfd-required-min-rx <interval_msec>
        set broadcast-forward {enable | disable}
        set ddns {enable | disable}
        set ddns-domain <ddns_domain_name>
        set ddns-password <ddns_password>
        set ddns-profile-id <dnsart_profile_id>
        set ddns-server <ddns_service>
        set ddns-sn <ddns_sn>
        set ddns-username <ddns_username>
        set defaultgw {enable | disable}
        set detectserver <pingserver_ipv4> [pingserver2_ipv4]
        set description <text>
        set dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
        set dhcp-relay-service {enable | disable}
        set dhcp-relay-type {ipsec | regular}
        set disc-retry-timeout <pppoe_retry_seconds>
        set distance <admin_distance>
        set dns-server-override {enable | disable}
        set external {enable | disable} (FortiOS Carrier)
        set fortimanager-discover-helper {enable | disable}
        set forward-domain <collision_group_number>
        set fp-anomaly [...]
        set gi-gk {enable | disable} (FortiOS Carrier)
        set gwaddr <IPv4>
        set gwdetect {enable | disable}
        set ha-priority <priority_integer>
        set icmp-redirect {enable | disable}
        set ident-accept {enable | disable}
        set idle-timeout <pppoe_timeout_seconds>
        set inbandwidth <bandwidth_integer>
        set interface <port_name>
        set ip <interface_ipv4mask>
        set ipmac {enable | disable}
        set ipunnumbered <unnumbered_ipv4>
        set l2forward {enable | disable}
        set l2tp-client {enable | disable}
        set lacp-ha-slave {enable | disable}
        set lacp-mode {active | passive | static}
        set lacp-speed {fast | slow}
        set lcp-echo-interval <lcp_interval_seconds>
        set lcp-max-echo-fail <missed_echoes>
        set log {enable | disable}
        set macaddr <mac_address>
        set mediatype {serdes-sfp | sgmii-sfp}
        set member <if_name1> <if_name2> ...
        set mode <interface_mode>
        set mpls {enable | disable} (FortiOS Carrier)
        set mtu <mtu_bytes>
        set mtu-override {enable | disable}
        set mux-type {llc-encaps | vc-encaps}
        set netbios-forward {disable | enable}
        set outbandwidth <bandwidth_integer>
        set padt-retry-timeout <padt_retry_seconds>
        set password <pppoe_password>
        set peer-interface <interface>
        set pppoe-unnumbered-negotiate {disable | enable}
        set pptp-client {disable | enable}
        set pptp-user <pptp_username>
        set pptp-password <pptp_userpassword>
        set pptp-server-ip <pptp_serverid>
        set pptp-auth-type <pptp_authtype>
        set pptp-timeout <pptp_idletimeout>
        set priority <learned_priority>
        set remote-ip <ipv4>
        set speed <interface_speed>
        set status {down | up}
        set stpforward {enable | disable}
        set subst {enable | disable}
        set substitute-dst-mac <destination_mac_address>
        set tcp-mss <max_send_bytes>
        set type {adsl | aggregate | loopback | physical | redundant | tunnel | vlan | wireless}
        set username <pppoe_username>
        set vci <integer>
        set vdom <vdom_name>
        set vlanforward {enable | disable}
        set vlanid <id_number>
        set vpi <integer>
        set wifi-acl {allow | deny}
        set wifi-auth {PSK | RADIUS}
        set wifi-broadcast_ssid {enable | disable}
        set wifi-encrypt {AES | TKIP}
        set wifi-fragment_threshold <packet_size>
        set wifi-key <hex_key>
        set wifi-mac-filter {enable | disable}
        set wifi-passphrase <pass_str>
        set wifi-radius-server <server_name>
        set wifi-rts_threshold <integer>
        set wifi-security <sec_mode>
        set wifi-ssid <id_str>
        set wins-ip <wins_server_ip>
        config ipv6
            set autoconf {enable | disable}
            set ip6-address <if_ipv6mask>
            set ip6-allowaccess <access_types>
            set ip6-default-life <ipv6_life_seconds>
            set ip6-hop-limit <ipv6_hops_limit>
            set ip6-link-mtu <ipv6_mtu>
            set ip6-manage-flag {disable | enable}
            set ip6-max-interval <adverts_max_seconds>
            set ip6-min-interval <adverts_min_seconds>
            set ip6-other-flag {disable | enable}
            set ip6-reachable-time <reachable_msecs>
            set ip6-retrans-time <retrans_msecs>
            set ip6-send-adv {enable | disable}
            config ip6-prefix-list
                edit <ipv6_prefix>
                    set autonomous-flag {enable | disable}
                    set onlink-flag {enable | disable}
                    set preferred-life-time <seconds>
                    set valid-life-time <seconds>
                end
            end
        end
        config l2tp-client-settings
            set auth-type {auto | chap | mschapv1 | mschapv2 | pap}
            set defaultgw {enable | disable}
            set distance <admin_distance>
            set mtu <integer>
            set password <password>
            set peer-host <ipv4_addr>
            set peer-mask <netmask>
            set peer-port <port_num>
            set priority <integer>
            set user <string>
        end
        config secondaryip
            edit <secondary_ip_id>
                set allowaccess <access_types>

                set detectserver <pingserver_ipv4> [pingserver2_ipv4]
                set gwdetect {enable | disable}
                set ha-priority <priority_integer>
                set ip <interface_ipv4mask>
            end
        end
        config wifi-mac_list
            edit <entry_number>
                set mac <mac_address>
            end
        end
    end
end

Note: A VLAN cannot have the same name as a zone or a virtual domain.

Variables, descriptions and defaults

allowaccess <access_types>
    Enter the types of management access permitted on this interface or secondary IP address. Valid types are: http https ping snmp ssh telnet. Separate each type with a space. To add or remove an option from the list, retype the complete list as required.
    Default: Varies for each interface.

alias <name_string>
    Enter an alias name for the interface. Once configured, the alias will be displayed with the interface name to make it easier to distinguish. The alias can be a maximum of 25 characters. This option is only available when interface type is physical.
    Default: No default.

arpforward {enable | disable}
    Enable or disable forwarding of ARP packets on this interface. ARP forwarding is required for DHCP relay and MS Windows Client browsing.
    Default: enable

auth-type <ppp_auth_method>
    Select the PPP authentication method for this interface.
    • Enter auto to select authentication method automatically
    • Enter chap for CHAP
    • Enter mschapv1 for Microsoft CHAP v1
    • Enter mschapv2 for Microsoft CHAP v2
    • Enter pap for PAP
    This is available only when mode is pppoe.
    Default: auto

bfd {enable | disable | global}
    The status of Bidirectional Forwarding Detection (BFD) on this interface:
    enable - enable BFD and ignore global BFD configuration
    disable - disable BFD on this interface
    global - BFD behavior on this interface will be based on the global configuration for BFD
    The other bfd* keywords are visible only if bfd is enabled and the type of interface is physical.
    Default: global

bfd-desired-min-tx <interval_msec>
    Enter the minimum desired interval for the BFD transmit interval. Valid range is from 1 to 100 000 msec.
    Default: 50

bfd-detect-mult <multiplier>
    Select the BFD detection multiplier.
    Default: 3

bfd-required-min-rx <interval_msec>
    Enter the minimum required interval for the BFD receive interval. Valid range is from 1 to 100 000 msec.
    Default: 50

broadcast-forward {enable | disable}
    Select to enable broadcast forwarding. Use with caution.
    Default: disable

ddns {enable | disable}
    Enable or disable using a Dynamic DNS service (DDNS). If this interface of your FortiGate unit uses a dynamic IP address, you can arrange with a DDNS service provider to use a domain name to provide redirection of traffic to your network whenever the IP address changes. DDNS is available only in NAT/Route mode.
    Default: disable

ddns-domain <ddns_domain_name>
    Enter the fully qualified domain name to use for the DDNS. This is the domain name you have registered with your DDNS. This is available only when ddns is enabled, but ddns-server is not set to dnsart.
    Default: No default.

ddns-password <ddns_password>
    Enter the password to use when connecting to the DDNS server. This is available when ddns is enabled, but ddns-server is not set to dipdns.
    Default: No default.

ddns-profile-id <dnsart_profile_id>
    Enter your DDNS profile ID. This keyword is available instead of ddns-domain when ddns is enabled and ddns-server is set to dnsart.
    Default: No default.

ddns-server <ddns_service>
    Select a DDNS server to use. The FortiGate unit can only connect automatically to a DDNS server for these supported clients. The client software for these services is built into the FortiGate firmware.
    • dhs.org supports members.dhs.org and dnsalias.org.
    • dipdns.net supports dipdnsserver.dipdns.com.
    • dnsart.com supports www.dnsart.com.
    • dyndns.org supports members.dyndns.org.
    • dyns.net supports www.dyns.net.
    • now.net.cn supports ip.todayisp.com.
    • ods.org supports ods.org.
    • tzo.com supports rh.tzo.com.
    • vavic.com supports ph001.oray.net.
    This is available only when ddns is enabled.
    Default: No default.

ddns-sn <ddns_sn>
    Enter your DDNS serial number. This keyword is available instead of ddns-username and ddns-password when ddns is enabled and ddns-server is set to dipdns.
    Default: No default.

ddns-username <ddns_username>
    Enter the user name to use when connecting to the DDNS server. This is available when ddns is enabled, but ddns-server is not set to dipdns.
    Default: No default.

defaultgw {enable | disable}
    Enable or disable getting the gateway IP address from the DHCP, PPPoE, or PPPoA server. This is valid only when the mode is one of DHCP, PPPoE, or PPPoA.
    Default: disable

description <text>
    Optionally, enter up to 63 characters to describe this interface.
    Default: No default.

detectserver <pingserver_ipv4> [pingserver2_ipv4]
    Add the IP address of a ping server. Optionally you can add 2 ping servers. The ping will be sent to both at the same time, and only when neither server responds will gwdetect fail. A primary and secondary ping server IP address can be the same. If gwdetect is enabled, the FortiGate unit confirms connectivity with the server at this IP address. A ping server is usually the next hop router on the network connected to the interface. Adding a ping server is required for routing failover. This is available in NAT/Route mode only.
    Default: No default.

dhcp-relay-ip <dhcp_relay1_ipv4> {... <dhcp_relay8_ipv4>}
    Set DHCP relay IP addresses. You can specify up to eight DHCP relays. Do not set dhcp-relay-ip to 0.0.0.0. Replies from all DHCP servers are forwarded back to the client. The client responds to the offer it wants to accept. This is available in NAT/Route mode only.
    Default: No default.

dhcp-relay-service {enable | disable}
    Enable to provide DHCP relay service on this interface. The DHCP type relayed depends on the setting of dhcp-relay-type. There must be no other DHCP server of the same type (regular or ipsec) configured on this interface. This is available in NAT/Route mode only.
    Default: disable

dhcp-relay-type {ipsec | regular}
    Set dhcp-relay-type to ipsec or regular depending on the type of firewall traffic.
    Default: regular

disc-retry-timeout <pppoe_retry_seconds>
    Set the initial discovery timeout in seconds: the time to wait before retrying to start a PPPoE discovery. Set disc-retry-timeout to 0 to disable. mode must be set to pppoe.
    Default: 1

distance <admin_distance>
    Configure the administrative distance for routes learned through PPPoE or DHCP. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. Distance can be an integer from 1-255. See also router static “distance <distance>” on page 302. mode must be set to dhcp or pppoe for this keyword to be available.
    Default: 1

dns-server-override {enable | disable}
    Disable to prevent the interface from using DNS server addresses it acquires via DHCP or PPPoE. mode must be set to dhcp or pppoe.
    Default: enable

edit <interface_name>
    Edit an existing interface or create a new VLAN interface.
    Default: None.

edit <ipv6_prefix>
    Enter the IPv6 prefix you want to configure. For settings, see the edit <ipv6_prefix> variables section of this table.
    Default: None.

edit <secondary_ip_id>
    Enter an integer identifier, e.g. 1, for the secondary IP address that you want to configure.
    Default: None.

external {enable | disable} (FortiOS Carrier)
    Enable to indicate that an interface is an external interface connected to an external network. This keyword is used for SIP address translation. See firewall profile config sip “contact-fixup {enable | disable}” on page 157 for more information.
    Default: disable

fortimanager-discover-helper {enable | disable}
    When enabled, the FortiGate unit will act as a relay between a FortiManager and FortiClient units if they are on different networks.
    Default: disable

forward-domain <collision_group_number>
    Specify the collision domain to which this interface belongs. Layer 2 broadcasts are limited to the same group. By default, all interfaces are in group 0. Collision domains prevent the forwarding of ARP packets to all VLANs on an interface. Without collision domains, duplicate MAC addresses on VLANs may cause ARP packets to be duplicated. Duplicate ARP packets can cause some switches to reset. This command is available in Transparent mode only. For more information see “Working with virtual domains” on page 51.
    Default: 0

fp-anomaly [...]
    Enable NP2 hardware fast path anomaly checking on an interface and specify whether to drop or allow (pass) different types of anomalies. When no options are specified, anomaly checking performed by the network processor is disabled. If pass options are specified, packets may still be rejected by other anomaly checks, including policy-required IPS performed using the FortiGate unit main processing resources. Log messages are generated when packets are dropped due to options in this setting. The fp-anomaly option is available for NP2-enabled interfaces. See the Fortinet Hardware Acceleration Technical Note for more information.
    Default: No options (disabled)

gi-gk {enable | disable} (FortiOS Carrier)
    Enable Gi Gatekeeper to enable the Gi firewall on this interface as part of the anti-overbilling configuration. See “Configuring anti-overbilling protection” in the FortiGate Administration Guide for more information.
    Default: disable

gwdetect {enable | disable}
    Enable or disable confirming connectivity with the server at the detectserver IP address. The frequency with which the FortiGate unit confirms connectivity is set using the failtime and interval keywords in the command “system global” on page 371. This is available in NAT/Route mode only.
    Default: disable

ha-priority <priority_integer>
    The HA priority to assign to the ping servers configured on an interface when the interface is added to an HA remote IP monitoring configuration. You configure HA remote IP monitoring using the pingserver-monitor-interface keyword in the command “system ha” on page 382. The priority range is 0 to 50. You can set ha-priority for all types of interfaces including physical interfaces, VLAN interfaces, and secondary IPs.
    Default: 0

icmp-redirect {enable | disable}
    Disable to stop ICMP redirects from being sent from this interface. This keyword is not available in Transparent mode.
    Default: enable

ident-accept {enable | disable}
    Enable or disable passing ident packets (TCP port 113) to the firewall policy. If set to disable, the FortiGate unit sends a TCP reset packet in response to an ident packet.
    Default: disable

idle-timeout <pppoe_timeout_seconds>
    Disconnect if the PPPoE connection is idle for the specified number of seconds. Set to zero to disable this feature. This is available when mode is set to pppoe.
    Default: 0

inbandwidth <bandwidth_integer>
    Enter the KB/sec limit for incoming traffic for this interface. Use this command to configure inbound traffic shaping for an interface. Inbound traffic shaping limits the bandwidth accepted by the interface. Limiting inbound traffic takes precedence over traffic shaping applied by firewall policies. You can set inbound traffic shaping for any FortiGate interface and it can be active for more than one FortiGate interface at a time. Setting <bandwidth_integer> to 0 (the default) means unlimited bandwidth or no traffic shaping.
    Default: 0

interface <port_name>
    Enter the physical interface the virtual interface is linked to. This is available only when adding virtual interfaces such as VLANs and VPNs.
    Default: No default.

ip <interface_ipv4mask>
    Enter the interface IP address and netmask. The IP address cannot be on the same subnet as any other interface. This is available in NAT/Route mode only. This is not available if mode is set to dhcp or pppoe.
    Default: Varies for each interface.

ipmac {enable | disable}
    Enable or disable IP/MAC binding for the specified interface. See “ipmacbinding setting” on page 100 and “ipmacbinding table” on page 102 for information about configuring IP/MAC binding settings.
    Default: disable

ipunnumbered <unnumbered_ipv4>
    Enable IP unnumbered mode for PPPoE. Specify the IP address to be borrowed by the interface. This IP address can be the same as the IP address of another interface or can be any IP address. The Unnumbered IP may be used for PPPoE interfaces for which no unique local address is provided. If you have been assigned a block of IP addresses by your ISP, for example, you can add any of these IP addresses to the Unnumbered IP. This is available only when mode is pppoe.
    Default: No default.

l2forward {enable | disable}
    Set the state of layer 2 forwarding for this interface. Enter one of:
    • enable
    • disable
    Default: disable

l2tp-client {enable | disable}
    Enable or disable this interface as an L2TP client. Enabling makes config l2tp-client-settings visible. The interface can not be part of an aggregate interface, and the FortiGate unit can not be in Transparent mode or HA mode. If l2tp-client is enabled on an interface, the FortiGate unit will not enter HA mode until the L2TP client is disabled. This is available only on FortiGate 50 series, 60 series, and 100A.
    Default: disable

lcp-echo-interval <lcp_interval_seconds>
    Set the interval in seconds between PPPoE LCP echo requests. This is available only when mode is pppoe.
    Default: 5

lcp-max-echo-fail <missed_echoes>
    Set the maximum number of missed LCP echoes before the PPPoE link is disconnected. This is available only when mode is pppoe.
    Default: 3

log {enable | disable}
    Enable or disable traffic logging of connections to this interface. Traffic will be logged only when it is on an administrative port. All other traffic will not be logged. Enabling this setting may reduce system performance, and is normally used only for troubleshooting.
    Default: disable

macaddr <mac_address>
    Override the factory set MAC address of this interface by specifying a new MAC address. Use the form xx:xx:xx:xx:xx:xx.
    Default: Factory set, but it will not display.

mediatype {serdes-sfp | sgmii-sfp}
    Some FortiGate SFP interfaces can operate in SerDes (Serializer/Deserializer) or SGMII (Serial Gigabit Media Independent Interface) mode. Use this keyword to switch the interface between these two modes. The mode that the interface operates in depends on the type of SFP transceiver installed.
    • Set mediatype to serdes-sfp if you have installed a SerDes transceiver.
    • Set mediatype to sgmii-sfp if you have installed an SGMII transceiver.
    In SerDes mode an SFP interface can only operate at 1000 Mbps. In SGMII mode the interface can operate at 10, 100, or 1000 Mbps.
    This keyword is available for some FortiGate SFP interfaces. For example, all FortiGate-ASM-FB4 interfaces and interfaces port3 to port18 of the FortiGate-3016B support both SerDes and SGMII mode. See your FortiGate unit install guide for more information about what modes your FortiGate interfaces support.
    Default: serdes-sfp

mode <interface_mode>
    Configure the connection mode for the interface as one of: static, dhcp, pppoe, pppoa, eoa, or ipoa (as available).
    • static - configure a static IP address for the interface.
    • dhcp - configure the interface to receive its IP address from an external DHCP server.
    • pppoe - configure the interface to receive its IP address from an external PPPoE server.
    • pppoa - configure the interface to receive its IP address from an external PPPoA server.
    • eoa - Ethernet over ATM
    • ipoa - IP over ATM (also known as bridged mode).
    This is only available in NAT/Route mode. pppoa, eoa, and ipoa are available only in NAT/Route mode on models with an ADSL modem.
    Default: static

mpls {enable | disable}
    Multi Protocol Label Switching (MPLS) is a networking protocol that allows adding labels to packets (RFC 3031). The labels are used for improved routing. Additional MPLS labels can be added to, or removed from, the packet header. FortiGate units support up to 6 layers of labels.
    When MPLS is enabled on your FortiGate Carrier unit, only IPS can be applied to MPLS packets. AV traffic will be blocked. To use MPLS:
    • operation mode must be transparent
    • l2forward must be enabled to pass the MPLS packets
    • a multicast policy is needed to allow MPLS router hello traffic
    MPLS is only available in FortiOS Carrier.
    Default: disable

mtu <mtu_bytes>
    Set a custom maximum transmission unit (MTU) size in bytes. Ideally set mtu to the size of the smallest MTU of all the networks between this FortiGate unit and the packet destination. <mtu_bytes> valid ranges are:
    • 68 to 1 500 bytes in static mode
    • 576 to 1 500 bytes in dhcp mode
    • 576 to 1 492 bytes in pppoe mode
    • 9 000 bytes for NP2-accelerated interfaces
    • up to 16 110 bytes in jumbo frames (only supported on high end FortiGate models)
    FortiGate models 3000 and larger support jumbo frames. If you configure jumbo frames on your FortiGate unit, all other network equipment on the route to the destination must also support jumbo frames. For more information on jumbo frames, see the Fortinet Administration Guide.
    You can only set the MTU of a physical interface. All virtual interfaces will inherit that MTU from the physical parent interface. If you change the MTU, you must reboot the FortiGate unit to update the MTU values of the VLANs on this interface. In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
    mtu is available only when mtu-override is enabled.
    Default: 1 500

mtu-override {enable | disable}
    Select enable to use a custom MTU size instead of the default (1 500). This is available for physical interfaces only.
    Default: disable

netbios-forward {disable | enable}
    Select enable to forward NetBIOS broadcasts to a WINS server. Use wins-ip <wins_server_ip> to set the WINS server IP address. This is available in NAT/Route mode only.
    Default: disable

outbandwidth <bandwidth_integer>
    Enter the KB/sec limit for outgoing (egress) traffic for this interface. Use this command to configure outbound traffic shaping for an interface. Outbound traffic shaping limits the bandwidth accepted by the interface. Limiting outbound traffic takes precedence over traffic shaping applied by firewall policies. You can set outbound traffic shaping for any FortiGate interface and it can be active for more than one FortiGate interface at a time. Setting <bandwidth_integer> to 0 (the default) means unlimited bandwidth or no traffic shaping.
    Default: 0

padt-retry-timeout <padt_retry_seconds>
    Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. This is available in NAT/Route mode when mode is pppoe.
    Default: 1

password <pppoe_password>
    Enter the password to connect to the PPPoE server. This is available in NAT/Route mode when mode is pppoe.
    Default: No default.

peer-interface <interface>
    Select an interface to be used in TP mode when the FortiGate unit cannot find the destination MAC address in the local table. This can happen during IPS test. The peer-interface cannot be the same interface, but it must be in the same VDOM. This option is only available in Transparent mode.
    Default: No default.

pppoe-unnumbered-negotiate {disable | enable}
    Disable to resolve problems when mode is set to PPPoE and ipunnumbered is set. This is only available when mode is pppoe and ipunnumbered is set.
    Default: enable

pptp-client {disable | enable}
    Enable to configure and use a PPTP client.
    Default: disable

pptp-user <pptp_username>
    Enter the name of the PPTP user.
    Default: No default.

pptp-password <pptp_userpassword>
    Enter the password for the PPTP user.
    Default: No default.

pptp-server-ip <pptp_serverid>
    Enter the IP address for the PPTP server.
    Default: No default.

pptp-auth-type <pptp_authtype>
    Enter the authentication type for the PPTP user.
    Default: No default.

pptp-timeout <pptp_idletimeout>
    Enter the idle timeout in minutes. Use this timeout to shut down the PPTP user session if it is idle for this number of seconds. 0 for disabled.
    Default: No default.

priority <learned_priority>
    Enter the priority of routes using this interface. This is only available when mode is pppoe or dhcp.

remote-ip <ipv4>
    Enter an IP address for the remote end of a tunnel interface. If you want to use dynamic routing with the tunnel, or be able to ping the tunnel interface, you must specify an address for the remote end of the tunnel in remote-ip and an address for this end of the tunnel in ip. This is available only if type is tunnel.
    Default: No default.

speed <interface_speed>
    The interface speed:
    • auto, the default speed. The interface uses autonegotiation to determine the connection speed. Change the speed only if the interface is connected to a device that does not support auto-negotiation.
    • 10full, 10 Mbps, full duplex
    • 10half, 10 Mbps, half duplex
    • 100full, 100 Mbps, full duplex
    • 100half, 100 Mbps, half duplex
    • 1000full, 1000 Mbps, full duplex
    • 1000half, 1000 Mbps, half duplex
    Speed options vary for different models and interfaces. Enter a space and a “?” after the speed keyword to display a list of speeds available for your model and interface. You cannot change the speed for interfaces that are 4-port switches. This includes the internal interfaces of FortiGate models 60, 60M, 100A, 200A, and FortiWiFi-60. This also includes the LAN interface of the FortiGate-500A. The default configuration may not work in some regions, such as Japan.
    Default: auto

status {down | up}
    Start or stop the interface. If the interface is stopped, it does not accept or send packets. If you stop a physical interface, associated virtual interfaces such as VLAN interfaces will also stop.
    Default: up (down for VLANs)

stpforward {enable | disable}
    Enable or disable forwarding Spanning Tree Protocol (STP) packets through this interface.
    Default: disable

subst {enable | disable}
    Enter enable to use a substitute destination MAC address for this address.
    Default: disable

substitute-dst-mac <destination_mac_addres>
    Enter the substitute destination MAC address to use when subst is enabled. Use the xx:xx:xx:xx:xx:xx format.
    Default: No default.

tcp-mss <max_send_bytes>
    Enter the FortiGate unit’s maximum sending size for TCP packets.
    Default: No default.

type {adsl | aggregate | loopback | physical | redundant | tunnel | vlan | wireless}
    Enter the type of interface. Note:
    • adsl is available only on FortiGate model 60ADSL. The ADSL FortiGate model has an internal ADSL modem and this is a physical interface to connect to your ADSL service. For ADSL-specific keywords see “variables for ADSL interface (model 60ADSL only)” on page 410.
    • aggregate is available only on FortiGate models 800 and higher. Aggregate links use the 802.3ad standard to group up to 8 interfaces together. For aggregate specific keywords see “variables for aggregate and redundant interfaces (models 300A, 310B, 400A, 500A, 620B and 800 or higher)” on page 410.
    • loopback is a virtual interface that is always up. This interface’s status and link status are not affected by external changes. It is primarily used for blackhole routing, dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route. This is useful in HA configurations. You can only create a loopback interface from the CLI. Loopback interfaces have no dhcp settings, no forwarding, no mode, or dns settings.
    • physical is the type of interface created by default on any existing physical interface.
    • redundant is used to group 2 or more interfaces together for reliability. Only one interface is in use at any given time. If the first interface fails, traffic continues uninterrupted as it switches to the next interface in the group. The order interfaces become active in the group is determined by the order you specify using the set member keyword.
    • tunnel is for reference only - you cannot create tunnel interfaces using this command. Create IPSec tunnels using the vpn ipsec-intf phase1 command. Create GRE tunnels using the system gre-tunnel command.
    • vlan is for virtual LAN interfaces. VLANs increase the number of network interfaces beyond the physical connections on the unit.
    • wireless applies only to FortiWiFi-60A, -60AM, and -60B models.
    Default: vlan for newly created interface, physical otherwise.

username <pppoe_username>
    Enter the user name used to connect to the PPPoE server. This is only available in NAT/Route mode when mode is set to pppoe.
    Default: No default.

vdom <vdom_name>
    Enter the name of the virtual domain to which this interface belongs. When you change this keyword, the physical interface moves to the specified virtual domain. Firewall IP pools and virtual IPs previously added for this interface are deleted. You should also manually delete any routes that include this interface as they may now be inaccessible. For more about VDOMs, see the FortiGate VLANs and VDOMs Guide.
    Default: root

vlanforward {enable | disable}
    Enable or disable forwarding of traffic between VLANs on this interface. When disabled, all VLAN traffic is delivered only to its own VLAN.
    Default: enable

vlanid <id_number>
    Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved, but it must match the VLAN ID added by the IEEE 802.1Q-compliant router on the other end of the connection. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN ID to different physical interfaces, and you can add multiple VLANs with different VLAN IDs to the same physical interface. For more about VLANs, see the FortiGate VLANs and VDOMs Guide. This is available only when editing an interface with a type of VLAN.
    Default: No default.

wins-ip <wins_server_ip>
    Enter the IP address of a WINS server to which to forward NetBIOS broadcasts. This WINS server address is only used if netbios-forward is enabled. This is available in NAT/Route mode only.
    Default: No default.

WiFi keywords
These keywords apply only to the FortiWiFi-60A and FortiWiFi-60AM unit when type is wireless.

mac <mac_address>
    Enter a MAC address for the MAC filter list. This is used in the config wifi-mac_list subcommand.
    Default: No default.

wifi-acl {allow | deny}
    Select whether the MAC filter list allows or denies access. This is available in AP mode only.
    Default: deny

wifi-auth {PSK | RADIUS}
    Select either Pre-shared Key (PSK) or RADIUS to authenticate users connecting to this interface. This is available only when wifi-security is set to WPA.
    Default: PSK

wifi-broadcast_ssid {enable | disable}
    Enable if you want the FortiWiFi-60 to broadcast its SSID. This is available in AP mode only.
    Default: disable

wifi-encrypt {AES | TKIP}
    Select either Advanced Encryption Standard (AES) or Temporal Key Integrity Protocol (TKIP) for encryption on this WLAN interface. This is available only when wifi-security is set to WPA.
    Default: TKIP

wifi-fragment_threshold <packet_size>
    Set the maximum size of a data packet before it is broken into smaller packets, reducing the chance of packet collisions. If the packet size is larger than the threshold, the FortiWiFi unit will fragment the transmission. If the packet size is less than the threshold, the FortiWiFi unit will not fragment the transmission. A setting of 2346 bytes effectively disables this option. Range 800-2346. This is available in AP mode only.
    Default: 2346

wifi-key <hex_key>
    Enter a WEP key. The WEP key must be 10 or 26 hexadecimal digits (0-9 a-f). For a 64-bit WEP key, enter 10 hexadecimal digits. For a 128-bit WEP key, enter 26 hexadecimal digits. wifi-security must be set to WEP128 or WEP64. This is available in AP mode only.
    Default: No default.

wifi-mac-filter {enable | disable}
    Enable MAC filtering for the wireless interface. This is available in AP mode only.
    Default: disable

wifi-passphrase <pass_str>
    Enter the shared key for WPA_PSK security. wifi-security must be set to WPA_PSK.
    Default: No default.

wifi-radius-server <server_name>
    Set the RADIUS server name for WPA_RADIUS security. wifi-security must be set to WPA_RADIUS.
    Default: No default.

wifi-rts_threshold <integer>
    The request to send (RTS) threshold is the maximum size, in bytes, of a packet that the FortiWiFi will accept without sending RTS/CTS packets to the sending wireless device. In some cases, larger packets being sent may cause collisions, slowing data transmissions. The valid range is 256 to 2346. A setting of 2347 bytes effectively disables this option. This is available in AP mode only.
    Default: 2346

wifi-security <sec_mode>
    Enter security (encryption) mode:
    • None - Communication is not encrypted.
    • WEP64 - WEP 64-bit encryption
    • WEP128 - WEP 128-bit encryption
    • WPA_PSK - WPA encryption with pre-shared key
    • WPA_RADIUS - WPA encryption via RADIUS server.
    This is available in AP mode only.
    Default: None

wifi-ssid <id_str>
    Change the Service Set ID (SSID) as required. The SSID is the wireless network name that this FortiWiFi-60A WLAN broadcasts. Users who wish to use the wireless network should configure their computers to connect to the network that broadcasts this network name. This is available in AP mode only.
    Default: fortinet

config ipv6 variables

autoconf {enable | disable}
    Enable or disable automatic configuration of the IPv6 address. When enabled, and ip6-send-adv is disabled, the FortiGate unit acts as a stateless address auto-configuration client (SLAAC). This is available in NAT/Route mode only.
    Default: disable

ip6-address <if_ipv6mask>
    The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is described in RFC 3513. This is available in NAT/Route mode only.
    Default: ::/0

ip6-allowaccess <access_types>
    Enter the types of management access permitted on this IPv6 interface. Valid types are: ping or any. Both of these options only allow ping access. This is available in NAT/Route mode only.
    Default: Varies for each interface.

ip6-default-life <ipv6_life_seconds>
    Enter the number, in seconds, to add to the Router Lifetime field of router advertisements sent from the interface. The valid range is 0 to 9000. This is available in NAT/Route mode only.
    Default: 1800

ip6-hop-limit <ipv6_hops_limit>
    Enter the number to be added to the Cur Hop Limit field in the router advertisements sent out this interface. Entering 0 means no hop limit is specified. This is available in NAT/Route mode only.
    Default: 0

ip6-link-mtu <ipv6_mtu>
    Enter the MTU number to add to the router advertisements options field. Entering 0 means that no MTU options are sent. This is available in NAT/Route mode only.
    Default: 0

ip6-manage-flag {disable | enable}
    Enable or disable the managed address configuration flag in router advertisements. This is available in NAT/Route mode only.
    Default: disable

ip6-max-interval <adverts_max_seconds>
    Enter the maximum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface. The valid range is 4 to 1800. This is available in NAT/Route mode only.
    Default: 600

ip6-min-interval <adverts_min_seconds>
    Enter the minimum time interval, in seconds, between sending unsolicited multicast router advertisements from the interface. The valid range is 4 to 1800. This is available in NAT/Route mode only.
    Default: 198

ip6-other-flag {disable | enable}
    Enable or disable the other stateful configuration flag in router advertisements. This is available in NAT/Route mode only.
    Default: disable

ip6-reachable-time <reachable_msecs>
    Enter the number to be added to the reachable time field in the router advertisements. Entering 0 means no reachable time is specified. The valid range is 0 to 3600. This is available in NAT/Route mode only.
    Default: 0

ip6-retrans-time <retrans_msecs>
    Enter the number to be added to the Retrans Timer field in the router advertisements. Entering 0 means that the Retrans Timer is not specified. This is available in NAT/Route mode only.
    Default: 0

ip6-send-adv {enable | disable}
    Enable or disable the flag indicating whether or not to send periodic router advertisements and to respond to router solicitations. When disabled, and autoconf is enabled, the FortiGate unit acts as a stateless address auto-configuration client (SLAAC). This is available in NAT/Route mode only.
    Default: disable

edit <ipv6_prefix> variables

autonomous-flag {enable | disable}
    Set the state of the autonomous flag for the IPv6 prefix. Enter one of:
    • enable
    • disable
    Default: disable

onlink-flag {enable | disable}
    Set the state of the on-link flag ("L-bit") in the IPv6 prefix. Enter one of:
    • enable
    • disable
    Default: disable

preferred-life-time <seconds>
    Enter the preferred lifetime, in seconds, for this IPv6 prefix.
    Default: 604800

valid-life-time <seconds>
    Enter the valid lifetime, in seconds, for this IPv6 prefix.
    Default: 2592000

config l2tp-client-settings

auth-type {auto | chap | mschapv1 | mschapv2 | pap}
    Select the type of authorization used with this client:
    • auto - automatically choose type of authorization
    • chap - use Challenge-Handshake Authentication Protocol
    • mschapv1 - use Microsoft version of CHAP version 1
    • mschapv2 - use Microsoft version of CHAP version 2
    • pap - use Password Authentication Protocol
    Default: auto

defaultgw {enable | disable}
    Enable to use the default gateway.
    Default: disable

distance <admin_distance>
    Enter the administration distance of learned routes.
    Default: 2

mtu <integer>
    Enter the Maximum Transmission Unit (MTU) for L2TP.
    Default: 1460

password <password>
    Enter the password for L2TP.
    Default: n/a

peer-host <ipv4_addr>
    Enter the IP address of the L2TP host.
    Default: n/a

peer-mask <netmask>
    Enter the netmask used to connect to L2TP peers connected to this interface.
    Default: 255.255.255.255

peer-port <port_num>
    Enter the port used to connect to L2TP peers on this interface.
    Default: 1701

priority <integer>
    Enter the priority of routes learned through L2TP. This will be used to resolve any ties in the routing table.
    Default: 0

user <string>
    Enter the L2TP user name used to connect.
    Default: n/a

variables for ADSL interface (model 60ADSL only)
These variables are available only when type is adsl.

gwaddr <IPv4>
    Enter the IP address of the gateway for this interface. This information is provided by your ISP.

mux-type {llc-encaps | vc-encaps}
    Enter the MUX type as either llc-encaps or vc-encaps.

vci <integer>
    Enter the virtual circuit identification VCI number. This number is provided by your ISP. Valid numbers are from 0 to 65535.
    Default: 35

vpi <integer>
    Enter the virtual circuit identification VPI number. This number is provided by your ISP. Valid numbers are from 0 to 255.
    Default: 0

variables for aggregate and redundant interfaces (models 300A, 310B, 400A, 500A, 620B and 800 or higher)
These variables are available only when type is aggregate or redundant.

algorithm {L2 | L3 | L4}
    Enter the algorithm used to control how frames are distributed across links in an aggregated interface. The choice of algorithm determines what information is used to determine frame distribution. Enter one of:
    • L2 - use source and destination MAC addresses
    • L3 - use source and destination IP addresses, falling back to the L2 algorithm if IP information is not available
    • L4 - use TCP, UDP or ESP header information
    Default: L4

lacp-ha-slave {enable | disable}
    This option affects how the aggregate interface participates in Link Aggregation Control Protocol (LACP) negotiation when HA is enabled for the VDOM. Enter enable to participate in LACP negotiation as a slave or disable to not participate. It takes effect only if Active-Passive HA is enabled and lacp-mode is not static.
    Default: enable

lacp-mode {active | passive | static}
    Enter one of active, passive, or static.
    • active - send LACP PDU packets to negotiate link aggregation connections.
    • passive - respond to LACP PDU packets and negotiate link aggregation connections
    • static - link aggregation is configured statically
    Default: active

lacp-speed {fast | slow}
    Enter slow to send LACP PDU packets every 30 seconds to negotiate link aggregation connections, as recommended in the IEEE 802.3ad standard. This is the default. Enter fast to send LACP PDU packets every second. This is available only on FortiGate models 800 and higher when type is aggregate.
    Default: slow

member <if_name1> <if_name2> ...
    Specify a list of physical interfaces that are part of an aggregate or redundant group. To modify a list, enter the complete revised list. If VDOMs are enabled, then vdom must be set the same for each interface before you enter the member list.
    An interface is available to be part of an aggregate or redundant group only if:
    • it is a physical interface, not a VLAN interface
    • it is not already part of an aggregated or redundant interface
    • it is in the same VDOM as the aggregated interface
    • it has no defined IP address and is not configured for DHCP or PPPoE
    • it has no DHCP server or relay configured on it
    • it does not have any VLAN subinterfaces
    • it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
    • it is not an HA heartbeat device or monitored by HA
    In a redundant group, failover to the next member interface happens when the active interface fails or is disconnected. The order you specify the interfaces in the member list is the order they will become active in the redundant group. For example, if you enter set member port5 port1, then port5 will be active at the start, and when it fails or is disconnected port1 will become active.
    This is available only when type is aggregate or redundant.
    Default: No default.

Example

This example shows how to set the FortiGate-300 internal interface IP address and netmask to 192.168.110.26 255.255.255.0 and the management access to ping, https, and ssh, and bfd is set to global.

config system interface
    edit internal
        set allowaccess ping https ssh
        set ip 192.168.110.26 255.255.255.0
        set bfd global
    end

This example shows how to add a loopback interface with a name of loop1. The IP address is set to 10.0.0.10 255.255.255.0. As it is a blackhole route, any traffic sent to this interface will be dropped.

config system interface
    edit loop1
        set type loopback
        set ip 10.0.0.10 255.255.255.0
    end

This example shows how to add a secondary IP address and netmask of 192.176.23.180 255.255.255.0 to the internal interface. You can not add a secondary IP that is part of the subnet of the original interface IP address. Also configure ping and https management access to this secondary IP address.

    config system interface
        edit internal
            config secondaryip
                edit 1
                    set allowaccess ping https
                    set ip 192.176.23.180 255.255.255.0
                end
            end
        end

History
The system interface command was revised in FortiOS v2.80, v2.80 MR2, v2.80 MR3, v2.80 MR6, v3.0, v3.0 MR1, v3.0 MR3, v3.0 MR4, v3.0 MR5, v3.0 MR6 (substantially revised), v3.0 MR7 and FortiOS Carrier v3.0 MR4. Changes made over those releases include:
• Removed zone keyword, moved to system zone.
• Changed gateway_address to gwaddr.
• Added defaultgw keyword; later removed defaultgw keyword.
• Added external keyword.
• Added mtu-override keyword.
• IPv6 added. IPv6 autoconf keyword.
• Added l2tp-client, and l2tp-client-settings subcommands; later removed all l2tp-client commands.
• Added pptp variables.
• Changed ipv6-allowaccess parameters, and added any option to IPv6 allowaccess keyword.
• Added the ha-priority keyword.
• dns-server-override default value is now enable.
• Added ident-accept keyword.
• Added fp-anomaly, icmp-redirect keywords.
• Added wifi-auth, wifiencrypt, and connection command.
• Changes to parameters of auth-type, and lcp-max-echo-failures to lcp-maxecho-fail.
• Added pppoe-unnumbered-negotiate and priority keywords.
• DDNS retry interval increased to after 3 failed attempts.
• Added aggregate and redundant to type keyword.
• Added bfd, bfd-desired-min-tx, bfd-detect-mult, bfd-required-min-rx keywords.
• Added netbios-forward, wins-ip keywords.
• Added peer-interface, loopback type, and mediatype.
• Added <pingserver2_ip4> to detectserver.
• Added outbandwidth, and show-backplane-intf keywords.
• Added mpls keyword (FortiOS Carrier only).
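The two rules above that the CLI enforces only at commit time (the member-eligibility list for aggregate and redundant groups, and the restriction that a secondary IP must not fall inside the primary address's subnet) can be checked ahead of time. The following is an added example, not code from the FortiGate CLI Reference or from Fortinet; the `Iface` model and all interface records in it are constructed for the example, and the redundant-group activation order follows the port5/port1 description above.

```python
"""Added example; not code from the FortiGate CLI Reference.
Pre-checks for two `config system interface` rules: member eligibility for
aggregate/redundant groups (plus the activation order of a redundant group)
and the rule that a secondary IP must lie outside the primary subnet.
All interface records here are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

UNSET_IP = "0.0.0.0 0.0.0.0"   # how the CLI shows an interface with no address


@dataclass
class Iface:
    """Constructed model of the interface attributes the rules refer to."""
    name: str
    vdom: str = "root"
    physical: bool = True                  # False for a VLAN interface
    ip: str = UNSET_IP                     # "address mask", as typed in `set ip`
    mode: str = "static"                   # static | dhcp | pppoe
    dhcp_server_or_relay: bool = False
    vlan_subinterfaces: int = 0
    member_of: Optional[str] = None        # aggregate/redundant parent, if any
    referenced_by: List[str] = field(default_factory=list)  # policy, VIP, IP pool, multicast
    ha_heartbeat_or_monitored: bool = False


def member_problems(iface: Iface, group_vdom: str) -> List[str]:
    """Rule violations that make `iface` ineligible for `set member`; empty = eligible."""
    problems = []
    if not iface.physical:
        problems.append("not a physical interface")
    if iface.member_of is not None:
        problems.append(f"already part of {iface.member_of}")
    if iface.vdom != group_vdom:
        problems.append(f"in VDOM {iface.vdom}, group is in VDOM {group_vdom}")
    if iface.ip != UNSET_IP or iface.mode in ("dhcp", "pppoe"):
        problems.append("has an IP address or is configured for DHCP/PPPoE")
    if iface.dhcp_server_or_relay:
        problems.append("has a DHCP server or relay")
    if iface.vlan_subinterfaces:
        problems.append("has VLAN subinterfaces")
    if iface.referenced_by:
        problems.append("referenced by " + ", ".join(iface.referenced_by))
    if iface.ha_heartbeat_or_monitored:
        problems.append("is an HA heartbeat device or monitored by HA")
    return problems


def check_member_list(members: List[Iface], group_vdom: str) -> Dict[str, List[str]]:
    """Problems per candidate; a clean list maps every name to []."""
    return {m.name: member_problems(m, group_vdom) for m in members}


def active_member(member_order: List[str], failed: Set[str]) -> Optional[str]:
    """Redundant group: the first member in list order that is still up is active."""
    for name in member_order:
        if name not in failed:
            return name
    return None


def parse_ip_mask(ip_mask: str) -> ipaddress.IPv4Interface:
    """Turn the CLI's 'A.B.C.D M.M.M.M' form into an IPv4Interface."""
    ip, mask = ip_mask.split()
    return ipaddress.IPv4Interface(f"{ip}/{mask}")


def secondary_ip_allowed(primary: str, secondary: str) -> bool:
    """True when the secondary address lies outside the primary address's subnet."""
    return parse_ip_mask(secondary).ip not in parse_ip_mask(primary).network


if __name__ == "__main__":
    ports = [
        Iface("port5"),
        Iface("port1"),
        Iface("port3", vlan_subinterfaces=2, referenced_by=["policy 7"]),
    ]
    for name, problems in check_member_list(ports, "root").items():
        print(name, "OK" if not problems else "; ".join(problems))
    print("active after port5 fails:", active_member(["port5", "port1"], {"port5"}))
    print(secondary_ip_allowed("192.168.110.100 255.255.255.0",
                               "192.176.23.180 255.255.255.0"))
```

The secondary-IP check uses the addresses from the two examples above: 192.176.23.180 is accepted against a primary of 192.168.110.100/24, while an address inside 192.168.110.0/24 is rejected.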

ipv6-tunnel

Use this command to tunnel IPv6 traffic over an IPv4 network. The IPv6 interface is configured under config system interface.

Note: This command is not available in Transparent mode.

Syntax
    config system ipv6-tunnel
        edit <tunnel_name>
            set destination <tunnel_address>
            set interface <name>
            set ip6 <address_ipv6>
            set source <address_ipv4>
    end

Variables
edit <tunnel_name>
    Enter a name for the IPv6 tunnel.
    Default: No default
destination <tunnel_address>
    The destination IPv4 address for this tunnel.
    Default: 0.0.0.0
interface <name>
    The interface used to send and receive traffic for this tunnel.
    Default: No default
ip6 <address_ipv6>
    The IPv6 address for this tunnel.
    Default: No default
source <address_ipv4>
    The source IPv4 address for this tunnel.
    Default: 0.0.0.0

Example
Use the following commands to set up an IPv6 tunnel.

    config system ipv6-tunnel
        edit test_tunnel
            set destination 10.0.0.1
            set interface internal
            set ip6 12AB:0:0:CD30::/60
            set source 192.168.50.10
    end

History
FortiOS v2.80       New.
FortiOS v3.0        Changed from ipv6_tunnel to ipv6-tunnel. Removed ipv6 and mode keywords.
FortiOS v3.0 MR1    Removed vdom keyword.
FortiOS v3.0 MR2    Added command syntax for multiple-vdom mode.
FortiOS v3.0 MR5    Added ip6.
FortiOS v3.0 MR6    Removed command.
FortiOS v3.0 MR7    Added command back.

Related topics
• system interface
• system sit-tunnel

mac-address-table

Use this command to create a static MAC table. The table can hold up to 200 entries. This command is available in Transparent mode only.

Syntax
    config system mac-address-table
        edit <mac-address_hex>
            set interface <if_name>
    end

Keywords and variables
edit <mac-address_hex>
    Enter the MAC address as six pairs of hexadecimal digits separated by colons, e.g.: 11:22:33:00:ff:aa
    Default: No default
interface <if_name>
    Enter the name of the interface to which this MAC table entry applies.
    Default: No default

Example
Use the following commands to add a static MAC entry for the internal interface.

    config system mac-address-table
        edit 11:22:33:00:ff:aa
            set interface internal
    end

History
FortiOS v2.80    Renamed and Revised. Formerly set system brctl.

management-tunnel

Use this command to configure the remote management tunnel that is required by some FortiGuard Analysis and Management Service remote administration features, such as the real-time monitor, and which remote management actions the FortiGate unit will allow from FortiGuard Analysis and Management Service.

Note: This command is currently only applicable to FortiGuard Analysis and Management Service. It will also be applicable to FortiManager 4.0.

To complete remote management setup with FortiGuard Analysis and Management Service, also configure their required settings, such as providing the service account ID. For details on enabling remote administration and remote management connections initiated by the FortiGate unit rather than the FortiGuard Analysis and Management Service, see “system fortiguard” on page 362.

Syntax
    config system management-tunnel
        set allow-collect-statistics {enable | disable}
        set allow-config-restore {enable | disable}
        set allow-push-configuration {enable | disable}
        set allow-push-firmware {enable | disable}
        set authorized-manager-only {enable | disable}
        set serial-number <serial_str>
        set status {enable | disable}
    end

Variables
status {enable | disable}
    Enable or disable the SSL-secured management tunnel between the FortiGate unit and FortiGuard Analysis and Management Service.
    Default: enable
allow-collect-statistics {enable | disable}
    Enable or disable real-time monitor SNMP polls through the tunnel. This option appears only if status is enable.
    Default: enable
allow-config-restore {enable | disable}
    Enable or disable remote restoration of a previous configuration. This option appears only if status is enable.
    Default: enable
allow-push-configuration {enable | disable}
    Enable or disable remote configuration. This option appears only if status is enable, and is reserved for future use.
    Default: enable
allow-push-firmware {enable | disable}
    Enable or disable remote firmware upgrades. This option appears only if status is enable.
    Default: enable
authorized-manager-only {enable | disable}
    Enable or disable remote management only by the FortiManager unit with the specified serial number. Also configure serial-number. This option appears only if status is enable, and is reserved for future use.
    Default: enable
serial-number <serial_str>
    Enter up to five serial numbers of FortiManager units that are authorized to remotely manage this FortiGate unit. Separate multiple serial numbers with a space. This option appears only if status and authorized-manager-only are enable.
    Default: No default

Example
This example shows how to configure the remote management tunnel to allow FortiGuard Analysis and Management Service to query for real-time monitor (SNMP) statistics, but not to initiate remote firmware upgrades.

    config system fortiguard
        set central-mgmt-status enable
        set service-account-id ExampleCo
    end
    config system management-tunnel
        set status enable
        set allow-collect-statistics enable
        set allow-push-firmware disable
    end

History
FortiOS v3.0 MR6           New command. Configures remote management tunnel and actions allowed from the FortiGuard Management Service.
FortiOS Carrier v3.0 MR4   New command. Configures remote management tunnel and actions allowed from the FortiGuard Management Service.

Related topics
• system fortiguard
• system fortiguard-log

modem

Use this command to configure a FortiGate-60M modem or a serial modem interface connected using a serial converter to the USB port. The FortiGate-60 or FortiGate-60M unit modem interface can act as a backup interface for one of the FortiGate ethernet interfaces or as a standalone dialup interface. You can add the information to connect to up to three dialup accounts.

These commands are available in NAT/Route mode only.

A modem status is initially set to disabled. Changing the status to enabled will display the modem in the web-based manager. Disabled modems will not be displayed in the web-manager interface list. CLI interface lists will display the modem no matter what the modem status is.

Syntax
    config system modem
        set altmode {enable | disable}
        set auto-dial {enable | disable}
        set connect_timeout <seconds>
        set dial-on-demand {enable | disable}
        set distance <distance>
        set holddown-timer <seconds>
        set idle-timer <minutes>
        set interface <name>
        set mode {redundant | standalone}
        set passwd1 <password_str>
        set passwd2 <password_str>
        set passwd3 <password_str>
        set peer_modem1 {actiontec | ascendTNT | generic}
        set peer_modem2 {actiontec | ascendTNT | generic}
        set peer_modem3 {actiontec | ascendTNT | generic}
        set phone1 <phone-number>
        set phone2 <phone-number>
        set phone3 <phone-number>
        set ppp-echo-request1 {disable | enable}
        set ppp-echo-request2 {disable | enable}
        set ppp-echo-request3 {disable | enable}
        set priority <integer>
        set redial <tries_integer>
        set status {disable | enable}
        set username1 <name_str>
        set username2 <name_str>
        set username3 <name_str>
    end

Keywords and variables
altmode {enable | disable}
    Enable for installations using PPP in China.
    Default: enable
auto-dial {enable | disable}
    Enable to dial the modem automatically if the connection is lost or the FortiGate unit is restarted. This is available only when dial-on-demand is set to disabled, and mode is set to standalone.
    Default: disable
connect_timeout <seconds>
    Set the connection completion timeout (30 - 255 seconds).
    Default: 90

dial-on-demand {enable | disable}
    Enable to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle-timer period. This is available only if auto-dial is set to disabled, and mode is set to standalone.
    Default: disable
distance <distance>
    Enter the administrative distance (1-255) to use for the default route that is automatically added when the modem connects and obtains an IP address. A lower distance indicates a more preferred route. This keyword is useful for configuring redundant routes in which the modem interface acts as a backup to another interface. See also router static “distance <distance>” on page 302.
    Default: 1
holddown-timer <seconds>
    Set the time (1-60 seconds) that the FortiGate unit waits before switching from the modem interface to the primary interface, after the primary interface has been restored. Used only when the modem is configured as a backup for an interface.
    Default: 60
idle-timer <minutes>
    Set the number of minutes the modem connection can be idle before it is disconnected. This is available only if mode is set to standalone.
    Default: 5
interface <name>
    Enter an interface name to associate the modem interface with the ethernet interface that you want to either back up (backup configuration) or replace (standalone configuration). This is available only when mode is set to redundant.
    Default: No default
mode {redundant | standalone}
    Enter the required mode:
    • redundant   The modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
    • standalone  The modem interface is the connection from the FortiGate unit to the Internet.
    Default: standalone
passwd1 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default
passwd2 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default
passwd3 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default
peer_modem1 {actiontec | ascendTNT | generic}
    If the modem at phone1 is Actiontec or AscendTNT, select that type; otherwise leave the setting as generic. This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic
peer_modem2 {actiontec | ascendTNT | generic}
    If the modem at phone2 is Actiontec or AscendTNT, select that type; otherwise leave the setting as generic. This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic
peer_modem3 {actiontec | ascendTNT | generic}
    If the modem at phone3 is Actiontec or AscendTNT, select that type; otherwise leave the setting as generic. This setting applies to models 50AM, 60M and WiFi-60M only.
    Default: generic
phone1 <phone-number>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
    Default: No default

phone2 <phone-number>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
    Default: No default
phone3 <phone-number>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
    Default: No default
ppp-echo-request1 {disable | enable}
    Disable ppp-echo-request1 if the PPP echo request feature is not supported by your wireless ISP. PPP echo request is used to detect low level link down for modems. This applies to the 1st modem, if connected.
    Default: enable
ppp-echo-request2 {disable | enable}
    Disable ppp-echo-request2 if the PPP echo request feature is not supported by your wireless ISP. PPP echo request is used to detect low level link down for modems. This applies to a 2nd modem, if connected.
    Default: enable
ppp-echo-request3 {disable | enable}
    Disable ppp-echo-request3 if the PPP echo request feature is not supported by your wireless ISP. PPP echo request is used to detect low level link down for modems. This applies to a 3rd modem, if connected.
    Default: enable
priority <integer>
    Enter the priority of learned routes on this interface. Valid priorities are from 0 to 4294967295.
    Default: 0
redial <tries_integer>
    Set the maximum number of times (1-10) that the FortiGate unit dials the ISP to restore an active connection on the modem interface. Select none to allow the modem to redial without a limit.
    Default: No default
status {disable | enable}
    Enable or disable modem support. This is equivalent to bringing an interface up or down.
    Default: disable
username1 <name_str>
    Enter the user name used to access the specified dialup account.
    Default: No default
username2 <name_str>
    Enter the user name used to access the specified dialup account.
    Default: No default
username3 <name_str>
    Enter the user name used to access the specified dialup account.
    Default: No default

Example
This example shows how to enable the modem and configure the modem to act as a backup for the WAN1 interface. The FortiGate unit will wait 5 seconds after the WAN1 interface recovers before switching back to the WAN1 interface. Only one dialup account is configured. The FortiGate unit and modem will attempt to dial this account 10 times.

    config system modem
        set action dial
        set status enable
        set holddown-timer 5
        set interface wan1
        set passwd1 acct1passwd
        set phone1 1234567891
        set redial 10
        set username1 acct1user
    end

This example shows how to display the settings for the modem command.

    get system modem

This example shows how to display the configuration for the modem command.

    show system modem

History

Related topics
• system interface

npu

Use this command to configure the Network Processing Unit (NPU) for FortiGate units that support FB4.

Syntax
    config system npu
        set enc-offload-antireplay {enable | disable}
        set dec-offload-antireplay {enable | disable}
        set offload-ipsec-host {enable | disable}
        set traffic-shaping-mode {unidirection | bidirection}
    next
    end

Variables
enc-offload-antireplay {enable | disable}
    Enable this option for the system to offload IPSEC packet encryption to FB4 when the egress port of the tunnel is on FB4.
    Default: disable
dec-offload-antireplay {enable | disable}
    Enable this option for the system to offload IPSEC packet encryption to FB4 when the ingress port of the tunnel is on FB4.
    Default: enable
offload-ipsec-host {enable | disable}
    Enable this option for the system to offload packet encryption to FB4 when the egress port of this packet is on FB4.
    Default: disable
traffic-shaping-mode {unidirection | bidirection}
    Select the fast path bandwidth calculation method. In unidirection, traffic in each direction is counted separately. In bidirection the traffic in both directions is counted at the same time.
    Note: If you use the traffic-shaping-mode command, the bidirection option counts twice as much traffic. You need to allow twice the bandwidth as with unidirection.
    Default: The default value on 3810B models is unidirection. The default value on 3600A models is bidirection.

History
FortiOS v3.0 MR5    New.

ntp

Use this command to configure Network Time Protocol (NTP) servers.

Syntax
    config system ntp
        set ntpsync {enable | disable}
        set syncinterval <interval_int>
        config ntpserver
            edit <serverid_int>
                set server <IPv4_addr>[/<hostname_str>]
            next
        end
    end

Variables
ntpsync {enable | disable}
    Enable to synchronize the FortiGate unit’s system time with the NTP server.
    Default: disable
syncinterval <interval_int>
    Enter the interval in minutes between contacting the NTP server to synchronize time. The range is from 1 to 1440 minutes. Only valid when ntpsync is enabled.
    Default: 0
config ntpserver
    Configure multiple NTP servers.
edit <serverid_int>
    Enter the number for this NTP server.
set server <IPv4_addr>[/<hostname_str>]
    Enter the IPv4 address and hostname (optional) for this NTP server.

History
FortiOS v3.0 MR7    New.

proxy-arp

Use this command to add IP addresses to MAC address translation entries to the proxy ARP table.

Syntax
    config system proxy-arp
        edit <table_entry>
            set interface <port>
            set ip <ipv4_address>
        next
    end

Variables
edit <table_entry>
    Enter the unique ID of the table entry to add or modify.
    Default: No default
interface <port>
    Enter the physical port this IP will be associated with.
    Default: No default
ip <ipv4_address>
    Enter the IP address to associate with this physical port.
    Default: No default

History
FortiOS v3.0 MR2    New.

Related topics
• system arp-table
• get router info bgp

replacemsg admin

Use this command to change the administration disclaimer page. These are HTML messages with HTTP headers.

Syntax
    config system replacemsg admin admin_disclaimer_text
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variables
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Note: If you unset the buffer for a replacement message, it will be cleared.
    Default: No default
format <format>
    Set the format of the message:
    • html
    • text
    • none
    Default: Depends on message type.
header <header_type>
    Set the format of the message header:
    • 8bit
    • http
    • none
    Default: Depends on message type.

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Generally there is not a large call for these tags in disclaimer pages.

Table 7: Replacement message tags
%%AUTH_LOGOUT%%      Immediately close the connection policy.
%%AUTH_REDIR_URL%%   Link to open a new window (optional).
%%KEEPALIVEURL%%     URL the keep alive page connects to that keeps the connection policy alive. Connects every %%TIMEOUT%% seconds.
%%TIMEOUT%%          Configured number of seconds between %%KEEPALIVEURL%% connections.

History
FortiOS v3.0 MR4    New command.

replacemsg alertmail

Alertmail can be configured to alert users or admins about important system events such as blocked files or viruses detected. Use this command to change the alertmail pages including:
• the block message that alerts users a file transfer was blocked
• the critical firewall event message
• the hard disk log is full message
• the nids event message to notify a network intrusion event has occurred
• the virus message to indicate that a message was found
These are HTML messages with HTTP headers.

Syntax
    config system replacemsg alertmail auth_msg_type
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variables
auth_msg_type
    FortiGuard replacement alertmail message type. One of:
    alertmail-block       A file download was blocked. Default message includes name of file.
    alertmail-crit-event  A critical firewall event occurred. Default message includes the event type.
    alertmail-disk-full   The hard disk log is full.
    alertmail-nids-event  An intrusion event occurred. Default message includes the intrusion type.
    alertmail-virus       A virus or worm was detected. Default message includes the virus or worm type.
    Default: No default
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Note: If you unset the buffer for a replacement message, it will be cleared.
    Default: No default
format <format>
    Set the format of the message:
    • html
    • text
    • none
    Default: Depends on message type.
header <header_type>
    Set the format of the message header:
    • 8bit
    • http
    • none
    Default: Depends on message type.

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 8: Replacement message tags
%%FILE%%            The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
%%URL%%             The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%PROTOCOL%%        The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%       IP address of the email server that sent the email containing the virus.
%%DEST_IP%%         IP address of the user’s computer that attempted to download the message from which the file was removed.
%%EMAIL_FROM%%      The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%        The email address of the intended receiver of the message from which the file was removed.
%%NIDS_EVENT%%      The IPS attack message. %%NIDS_EVENT%% is added to alert email intrusion messages.
%%CRITICAL_EVENT%%  Added to alert email critical event email messages. %%CRITICAL_EVENT%% is replaced with the critical event message that triggered the alert email.

Example
The default message for a detected virus is:

    Virus/Worm detected: %%VIRUS%%
    Protocol: %%PROTOCOL%%
    Source IP: %%SOURCE_IP%%
    Destination IP: %DST_IP%%
    Email Address From: %%EMAIL_FROM%%
    Email Address To: %%EMAIL_TO%%

History
FortiOS v2.8        New command.
FortiOS v3.0        Command removed.
FortiOS v3.0 MR2    Command added.
FortiOS v3.0 MR3    Replacement messages increased in size from 4 096 to 8 192 bytes per message.

replacemsg auth

Use this command to change the authentication pages including:
• the challenge page that prompts users for additional verification past initial login information
• the disclaimer page that notifies users when they are leaving the protected network
• the keepalive page that keeps a session open by renewing the connection at a set interval
• the failed login page that informs the user of their failed attempt to authenticate themselves and provides the login prompt for them to try again
• the login page presented to users who must authenticate themselves to use firewall policies or VPNs
• the reject page that is displayed when the user rejects the disclaimer page
These are HTML messages with HTTP headers.

Syntax
    config system replacemsg auth auth_msg_type
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variables
auth_msg_type
    FortiGuard replacement message type. One of:
    auth-challenge-page          Challenges the user with a question.
    auth-disclaimer[1|2|3]-page  Prompts user to accept the displayed disclaimer when leaving the protected network. The extra pages seamlessly extend the size of the page from 8 192 characters up to 16 384 and 24 576 characters respectively.
    auth-keepalive-page          Keeps a session open by connecting to renew the connection policy. Closing the page will timeout the connection.
    auth-loginfailed-page        Displays after the user fails to login. This page includes a failed login message and a login prompt.
    auth-login-page              Prompts the user for their username and password to login.
    auth-reject-page             Displays when the user rejects the disclaimer page.
    Default: No default
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Note: If you unset the buffer for a replacement message, it will be cleared.
    Default: No default

format <format>
    Set the format of the message:
    • html
    • text
    • none
    Default: No default
header <header_type>
    Set the format of the message header:
    • 8bit
    • http
    • none
    Default: Depends on message type.

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 9: Replacement message tags
%%AUTH_LOGOUT%%      Immediately close the connection policy.
%%AUTH_REDIR_URL%%   Link to open a new window (optional).
%%FAILED_MESSAGE%%   Message displayed on the failed login page after user login fails. The default login and rejected login pages use this text immediately preceding the username and password fields.
%%KEEPALIVEURL%%     URL the keep alive page connects to that keeps the connection policy alive. Connects every %%TIMEOUT%% seconds.
%%QUESTION%%         The default challenge page uses this as the challenge question. If you want to use different text, replace %%QUESTION%% with the text that you prefer.
%%TIMEOUT%%          Configured number of seconds between %%KEEPALIVEURL%% connections.
%%USERNAMEID%%       Username of the user logging in. This tag is used on the challenge, login and failed login pages.
%%PASSWORDID%%       Password of the user logging in. This tag is used on the login and failed login pages.

Requirements for login page
The authentication login page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work.
• The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST"
• The form must contain the following hidden controls:
  • <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
  • <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
  • <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
• The form must contain the following visible controls:
  • <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
  • <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
These are treated as two different variables by the server.

Example
This example shows how to change the authentication login page. You enter the web page content as one long quoted string, using the backslash (“\”) character at the end of each line to continue the text on the next line.

    config system replacemsg auth auth-login-page
        set buffer "<html><head> \
        <title>Firewall Authentication</title> \
        </head> \
        <body><h4>You must authenticate to use this service.</h4> \
        <form action="/" method="post"> \
        <input name="%%MAGICID%%" value="%%MAGICVAL%%" type="hidden"> \
        <table align="center" bgcolor="#00cccc" border="0" \
        cellpadding="15" cellspacing="0" width="320"><tbody> \
        <tr><th>Username:</th> \
        <td><input name="%%USERNAMEID%%" size="25" type="text"></td></tr> \
        <tr><th>Password:</th> \
        <td><input name="%%PASSWORDID%%" size="25" type="password"></td> \
        </tr><tr><td colspan="2" align="center" bgcolor="#00cccc"> \
        <input name="%%STATEID%%" value="%%STATEVAL%%" type="hidden"> \
        <input name="%%REDIRID%%" value="%%PROTURI%%" type="hidden"> \
        <input value="Continue" type="submit"></td></tr></tbody></table> \
        </font></form></body></html>"
        set format html
        set header http
    end

History
FortiOS v3.0        Replacement messages increased in size from 4 096 to 8 192 bytes per message.
FortiOS v3.0 MR2    Added auth-challenge-page, auth-disclaimer[1|2|3]-page, auth-keepalive-page, auth-loginfailed-page and auth-reject-page keywords.
FortiOS v3.0 MR3    auth category added.
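A login page that violates the requirements listed above fails silently: the form posts, but the unit cannot match the session. The check below is an added example, not code from the FortiGate CLI Reference or from Fortinet. It undoes the backslash line-continuation convention shown in the example, then parses the page and reports every requirement the buffer misses (the form's action and method, the three hidden controls and their values, the two visible controls, and the 8 192-character limit). The sample pages in it are constructed for the example.

```python
"""Added example; not code from the FortiGate CLI Reference.
Checks an auth-login-page buffer against the page requirements listed in
the reference before it is pasted into `set buffer`. Sample pages below
are constructed for this example."""
from html.parser import HTMLParser
from typing import List

MAX_BUFFER = 8192                      # buffer limit stated in the reference
REQUIRED_HIDDEN = {                    # hidden control name -> required value
    "%%MAGICID%%": "%%MAGICVAL%%",
    "%%STATEID%%": "%%STATEVAL%%",
    "%%REDIRID%%": "%%PROTURI%%",
}
REQUIRED_VISIBLE = {"%%USERNAMEID%%": "text", "%%PASSWORDID%%": "password"}


class _FormScanner(HTMLParser):
    """Collects forms and the input controls that appear inside them."""

    def __init__(self):
        super().__init__()
        self.forms = []      # (action, method) per <form>
        self.inputs = []     # (type, name, value) per <input> inside a form
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if tag == "form":
            self._in_form = True
            self.forms.append((a.get("action"), a.get("method", "get").lower()))
        elif tag == "input" and self._in_form:
            self.inputs.append((a.get("type", "text").lower(), a.get("name"), a.get("value")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def join_continued_lines(cli_text: str) -> str:
    """Undo the CLI convention of a trailing backslash continuing the quoted string."""
    parts = []
    for line in cli_text.splitlines():
        s = line.rstrip()
        parts.append(s[:-1] if s.endswith("\\") else s)
    return "".join(parts)


def login_page_problems(buffer: str) -> List[str]:
    """Every requirement the buffer misses; an empty list means it passes."""
    problems = []
    if len(buffer) > MAX_BUFFER:
        problems.append(f"buffer is {len(buffer)} characters, limit is {MAX_BUFFER}")
    scanner = _FormScanner()
    scanner.feed(buffer)
    if not any(action == "/" and method == "post" for action, method in scanner.forms):
        problems.append('no form with action="/" and method="post"')
    hidden = {name: value for typ, name, value in scanner.inputs if typ == "hidden"}
    for name, value in REQUIRED_HIDDEN.items():
        if hidden.get(name) != value:
            problems.append(f"missing hidden control {name} with value {value}")
    visible = {name: typ for typ, name, _ in scanner.inputs if typ != "hidden"}
    for name, typ in REQUIRED_VISIBLE.items():
        if visible.get(name) != typ:
            problems.append(f"missing {typ} control named {name}")
    return problems


# Constructed sample: a minimal page that meets every requirement, written the
# way it would be typed into the CLI (backslash continuations).
GOOD_PAGE = r"""<html><head><title>Firewall Authentication</title></head> \
<body><h4>You must authenticate to use this service.</h4> \
<form action="/" method="post"> \
<input name="%%MAGICID%%" value="%%MAGICVAL%%" type="hidden"> \
Username: <input name="%%USERNAMEID%%" size="25" type="text"> \
Password: <input name="%%PASSWORDID%%" size="25" type="password"> \
<input name="%%STATEID%%" value="%%STATEVAL%%" type="hidden"> \
<input name="%%REDIRID%%" value="%%PROTURI%%" type="hidden"> \
<input value="Continue" type="submit"></form></body></html>"""

# Constructed sample with two defects: a GET form and no %%STATEID%% control.
BAD_PAGE = r"""<html><body><form action="/" method="get"> \
<input name="%%MAGICID%%" value="%%MAGICVAL%%" type="hidden"> \
<input name="%%USERNAMEID%%" type="text"> \
<input name="%%PASSWORDID%%" type="password"> \
<input name="%%REDIRID%%" value="%%PROTURI%%" type="hidden"> \
<input type="submit"></form></body></html>"""

if __name__ == "__main__":
    for label, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        print(label, login_page_problems(join_continued_lines(page)) or "OK")
```

Run it on the buffer before committing it; the checker only reads the controls the reference names, so extra markup such as the table layout in the example above is ignored.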

replacemsg fortiguard-wf

Use this command to change the default messages that replace web pages that FortiGuard web filtering has blocked. By default, these are HTML messages.

Syntax
    config system replacemsg fortiguard-wf <fortiguard_msg_type>
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variables
<fortiguard_msg_type>
    FortiGuard replacement message type. One of:
    ftgd-block   FortiGuard blocked a web page.
    ftgd-ovrd    FortiGuard override form.
    http-err     An error occurred when accessing the web page.
    Default: No default
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Note: If you unset the buffer for a replacement message, it will be cleared.
    Default: Depends on message type.
format <format>
    Set the format of the message, one of:
    • html
    • text
    • none
    Default: html
header <header_type>
    Set the format of the message header:
    • 8bit
    • http
    • none
    Default: http

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 10: Replacement message tags
%%URL%%    The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

History
FortiOS v2.80 MR2   Changed cerb keyword to catblock.
FortiOS v3.0        Changed fortiguard_wf to fortiguard-wf, ftgd_block to ftgd-block, ftgd_ovrd to ftgd-ovrd, http_err to http-err. Replacement messages increased in size from 4 096 to 8 192 bytes per message.
FortiOS v3.0 MR3    New IM category added.

replacemsg ftp

Use this command to change default replacement messages added to FTP sessions when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected. By default, these are text-format messages with no header.

Syntax
    config system replacemsg ftp <message-type>
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variables
<message-type>
    FTP replacement message type. One of:
    ftp-dl-blocked    Antivirus system blocks a file that matches a file pattern.
    ftp-dl-filesize   Antivirus system blocks an oversize file (one that is too large to scan).
    ftp-dl-infected   Antivirus system detects a virus in a file being downloaded and blocks the file.
    Default: No default
buffer <message>
    Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
    Note: If you unset the buffer for a replacement message, it will be cleared.
    Default: Depends on message type.
format <format>
    Set the format of the message, one of:
    • html
    • text
    • none
    Default: text
header <header_type>
    Set the format of the message header, one of:
    • 8bit
    • http
    • none
    Default: none

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 11: Replacement message tags
    %%FILE%%            The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
    %%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
    %%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. Quarantining is only available on FortiGate units with a local disk. %%QUARFILENAME%% can be used in virus and file block messages.
    %%URL%%             The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
    %%PROTOCOL%%        The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
    %%SOURCE_IP%%       The IP address from which a virus was received. For HTTP this is the IP address of the web page that sent the virus. For email this is the IP address of the email server that sent the email containing the virus.
    %%DEST_IP%%         The IP address of the computer that would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.

Example
This example shows how to change the message sent when an FTP download is oversize.
    config system replacemsg ftp ftp-dl-filesize
        set buffer "This file download was blocked because it is > 10MB."
    end

History
    FortiOS v2.80       New.
    FortiOS v3.0 MR3    Replacement messages increased in size from 4 096 to 8 192 bytes per message.

replacemsg http

Use this command to change default replacement messages added to web pages when the antivirus engine blocks a file in an HTTP session because of a matching file pattern or because a virus is detected, or when web filter blocks a web page.

Syntax
    config system replacemsg http <message-type>
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variable / Description / Default
    <message-type>
        HTTP replacement message type, one of:
            bannedword                The web filter banned word list blocks a web page.
            http-block                The antivirus system blocks a file that matches a file pattern.
            http-client-bannedword    The web filter banned word list blocks a web page.
            http-client-block         The antivirus system blocks a file that matches a file pattern.
            http-client-filesize      The antivirus system blocks a file that is too large to scan.
            http-client-virus         The antivirus system blocks a file that contains a virus.
            http-filesize             The antivirus system blocks a file that is too large to be virus scanned.
            http-virus                The antivirus system blocks a file that contains a virus.
            infcache-block            The antivirus system blocks a URL that has a previously discovered virus.
            url-block                 Web filter URL blocking blocks a web page.
        Default: No default.
    buffer <message>
        Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
        Note: If you unset the buffer for a replacement message, it will be cleared.
        Default: Depends on message type.
    format <format>
        Set the format of the message, one of: html, text, none.
        Default: html
    header <header_type>
        Set the format of the message header, one of: 8bit, http, none.
        Default: http

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 12: Replacement message tags
    %%FILE%%            The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
    %%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
    %%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. Quarantining is only available on FortiGate units with a local disk. %%QUARFILENAME%% can be used in virus and file block messages.
    %%URL%%             The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
    %%PROTOCOL%%        The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
    %%SOURCE_IP%%       The IP address of the web page from which a virus was received.
    %%DEST_IP%%         The IP address of the computer that would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.

Example
This example shows how to change the message that replaces a web page blocked for banned words.
    config system replacemsg http http-client-bannedword
        set buffer "This web page was blocked. It contains banned words."
    end

History
    FortiOS v2.80       New.
    FortiOS v3.0 MR2    Added infcache-block replacemsg.
    FortiOS v3.0 MR3    Replacement messages increased in size from 4 096 to 8 192 bytes per message.

replacemsg im

Use this command to change default replacement messages added to instant messaging and peer-to-peer sessions when either file-transfer or voice-chat is blocked. By default, these are text messages with an 8-bit header.

Syntax
    config system replacemsg im <message-type>
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variable / Description / Default
    <message-type>
        im replacement message type, one of:
            im-file-xfer-block       The IM system blocks a file transfer.
            im-file-xfer-infected    The IM system blocks a virus-infected file.
            im-file-xfer-name        The IM system blocks a file due to file block list.
            im-file-xfer-size        The IM system blocks an oversize file.
            im-photo-share-block     The IM system blocks a photosharing request.
            im-voice-chat-block      The IM system blocks voice chat.
        Default: No default.
    buffer <message>
        Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
        Note: If you unset the buffer for a replacement message, it will be cleared.
        Default: Depends on message type.
    format <format>
        Set the format of the message, one of: html, text, none.
        Default: text
    header <header_type>
        Set the format of the message header, one of: 8bit, http, none.
        Default: 8bit

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 13: Replacement message tags
    %%FILE%%            The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
    %%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
    %%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. Quarantining is only available on FortiGate units with a local disk. %%QUARFILENAME%% can be used in virus and file block messages.
    %%PROTOCOL%%        The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
    %%SOURCE_IP%%       The IP address from which a virus was received. For HTTP this is the IP address of the web page that sent the virus. For email this is the IP address of the email server that sent the email containing the virus.
    %%DEST_IP%%         The IP address of the computer that would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.

Example
This example shows how to change the message added to instant messaging sessions when voice chat is blocked.
    config system replacemsg im im-voice-chat-block
        set buffer "Use of chat applications is not permitted."
    end

History
    FortiOS v2.80       New.
    FortiOS v3.0        IM category added.
    FortiOS v3.0 MR3    Replacement messages increased in size from 4 096 to 8 192 bytes per message.

replacemsg mail

Use this command to change default replacement messages added to email messages when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected, or when spam filter blocks an email. By default, these are text messages with an 8-bit header.

Syntax
    config system replacemsg mail <message-type>
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variable / Description / Default
    <message-type>
        mail replacement message type, one of:
            email-block       The antivirus system blocks a file that matches a file pattern.
            email-filesize    The antivirus system blocks an email message that is too large to be virus scanned.
            email-virus       The antivirus system deletes a file from an email message that contains a virus.
            partial           The FortiGate unit deletes a part of a fragmented email message.
            smtp-block        The antivirus system blocks a file in an SMTP email message that matches a file pattern.
            smtp-filesize     The antivirus system blocks an SMTP email message that is too large to be virus scanned.
            smtp-virus        The antivirus system deletes a file from an SMTP email message that contains a virus.
        Default: No default.
    buffer <message>
        Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
        Note: If you unset the buffer for a replacement message, it will be cleared.
        Default: Depends on message type.
    format <format>
        Set the format of the message, one of: html, text, none.
        Default: text
    header <header_type>
        Set the format of the message header, one of: 8bit, http, none.
        Default: 8bit

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 14: Replacement message tags
    %%FILE%%            The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
    %%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
    %%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. Quarantining is only available on FortiGate units with a local disk. %%QUARFILENAME%% can be used in virus and file block messages.
    %%PROTOCOL%%        The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
    %%SOURCE_IP%%       IP address of the email server that sent the email containing the virus.
    %%DEST_IP%%         IP address of the user's computer that attempted to download the message from which the file was removed.
    %%EMAIL_FROM%%      The email address of the sender of the message from which the file was removed.
    %%EMAIL_TO%%        The email address of the intended receiver of the message from which the file was removed.

Example
This example shows how to change the email message that is sent to test the alert email system.
    config system replacemsg mail email-virus
        set buffer "The attachment was blocked because it contains a virus."
    end

History
    FortiOS v2.80       New.
    FortiOS v3.0 MR3    Replacement messages increased in size from 4 096 to 8 192 bytes per message.

replacemsg mm1 (FortiOS Carrier)

Use this command to change default replacement messages added to messages sent on the MM1 network when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected, or when spam filter blocks an email.

Syntax
    config system replacemsg mm1 <message_type>
        set add-smil {enable | disable}
        set charset <character_set>
        set class <class>
        set format <format>
        set from <from_address>
        set from-sender {enable | disable}
        set header <header_type>
        set image <string>
        set message <message_text>
        set priority <priority>
        set rsp-status <rsp_status>
        set rsp-text <response_text>
        set sender-visibility <sender_vis>
        set smil-part <string>
        set subject <subject_text>
    end

Keywords and variable / Description / Default
    <message_type>
        MM1 replacement message types, one of:
            mm1-retr-conf-block
            mm1-retr-conf-bword
            mm1-retr-conf-sis-block
            mm1-retr-conf-virus
            mm1-send-conf-block
            mm1-send-conf-bword
            mm1-send-conf-sis-block
            mm1-send-conf-virus
            mm1-send-req-block
            mm1-send-req-bword
            mm1-send-req-sis-block
            mm1-send-req-virus
        Default: No default.
    add-smil {enable | disable}
        Enable to add SMIL content to the message. SMIL content can include images. This keyword is available for the following message types:
            mm1-send-req-block
            mm1-send-req-bword
            mm1-send-req-sis-block
            mm1-send-req-virus
        Default: disable
    charset <character_set>
        Character encoding used for replacement message, one of: us-ascii, utf-8.
        Default: utf-8

    class <class>
        The message can be classified as one of: advertisement, automatic, informational, not-included, personal.
        Default: automatic
    format <format>
        Set the format of the message, one of: html, none, text, wml. Not all formats are supported by all message types.
        Default: text
    from <from_address>
        Address the message is from.
        Default: null
    from-sender {enable | disable}
        Enable for the notification message to be sent from the recipient. This is to avoid billing problems.
        Default: disable
    header <header_type>
        Set the format of the message header, one of: 8bit, http, none.
        Default: http
    image <string>
        Enter the name of the image to include in the SMIL message part. This is only available when add-smil is enabled. Using '?' will show the list of available image names.
    message <message_text>
        Text of the replacement message.
        Default: Depends on message type.
    priority <priority>
        Priority of the message, one of: high, low, normal, not included.
        Default: normal
    rsp-status <rsp_status>
        Response status code, one of: err-content-not-accepted, err-msg-fmt-corrupt, err-msg-not-found, err-net-prob, err-snd-addr-unresolv, err-srv-denied, err-unspecified, err-unsupp-msg, ok.
        Default: err-content-not-accepted
    rsp-text <response_text>
        Response text.
        Default: Depends on message type.
    sender-visibility <sender_vis>
        Sender visibility, one of: hide, not-specified, show.
        Default: not-specified
    smil-part <string>
        Enter the SMIL part of the replacement message.
    subject <subject_text>
        Subject text string.
        Default: Depends on message type.

Example
This example shows how to set the message sent when a virus is being sent by this user on the MM1 network. It uses the default message text.

    config system replacemsg mm1 mm1-send-conf-virus
        set charset utf-8
        set class automatic
        set format text
        set header none
        set priority high
        set rsp-status err-content-not-accepted
        set subject "File you sent contains a virus"
        set message "The message you sent has been blocked because the file %%FILE%% in the message contains the virus %%VIRUS%%. The message has been quarantined as %%QUARFILENAME%%."
    end

History
    FortiOS v3.0    New command.

replacemsg mm3 (FortiOS Carrier)

Use this command to change default replacement messages added to messages sent on the MM3 network when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected, or when spam filter blocks an email.

Syntax
    config system replacemsg mm3 <message_type>
        set charset <character_set>
        set format <format>
        set from <from_address>
        set header <header_type>
        set message <message_text>
        set priority <priority>
        set subject <subject_text>
    end

Keywords and variable / Description / Default
    <message_type>
        MM3 replacement message types, one of:
            mm3-block
            mm3-block-notif
            mm3-bword
            mm3-bword-notif
            mm3-sis-block
            mm3-sis-block-notif
            mm3-virus
            mm3-virus-block
        Default: No default
    charset <character_set>
        Character encoding used for replacement messages, one of: us-ascii, utf-8.
        Default: utf-8
    format <format>
        Replacement message format flag, one of: html, none, text, wml.
        Default: text
    from <from_address>
        Address the message is from.
        Default: null
    header <header_type>
        Set the format of the message header, one of: 8bit, http, none.
        Default: none
    message <message_text>
        Text of the replacement message.
        Default: Depends on message type.
    priority <priority>
        Priority of the message, one of: high, low, normal, not included.
        Default: normal
    subject <subject_text>
        Subject text string.
        Default: Depends on message type.

Example
This example shows how to set the message sent when a user on the MM3 network sends one or more viruses. It uses the default message text.
    config system replacemsg mm3 mm3-virus
        set charset utf-8
        set class automatic
        set format text
        set header none
        set priority high
        set rsp-status err-content-not-accepted
        set subject "Messages sent containing viruses"
        set message "This device has sent %%NUM_MSG%% messages containing the virus %%VIRUS%% in the last %%DURATION%% hours."
    end

History
    FortiOS v3.0    New command.

replacemsg mm4 (FortiOS Carrier)

Use this command to change default replacement messages added to messages sent on the MM4 network when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected, or when spam filter blocks an email.

Syntax
    config system replacemsg mm4 <message_type>
        set charset <character_set>
        set class <class>
        set domain <address_domain>
        set format <format>
        set from <from_address>
        set from-sender {enable | disable}
        set header <header_type>
        set image <string>
        set message <message_text>
        set priority <priority>
        set rsp-status <rsp_status>
        set smil-part <string>
        set subject <subject_text>
    end

Keywords and variables / Description / Default
    <message_type>
        MM4 replacement message types, one of:
            mm4-block
            mm4-block-notif
            mm4-bword
            mm4-bword-notif
            mm4-sis-block
            mm4-sis-block-notif
            mm4-virus
            mm4-virus-block
        Default: No default
    add-smil {enable | disable}
        Enable to add SMIL content to the message. SMIL content can include images. This keyword is available for the following message types:
            mm4-block-notif
            mm4-bword-notif
            mm4-sis-block-notif
        Default: disable
    charset <character_set>
        Character encoding used for replacement messages, one of: us-ascii, utf-8.
        Default: utf-8
    class <class>
        The message can be classified as one of: advertisement, automatic, informational, not-included, personal.
        Default: automatic
    domain <address_domain>
        The from address domain.
        Default: null

    format <format>
        Replacement message format flag, one of: html, none, text, wml.
        Default: text
    from <from_address>
        Address the message is from.
        Default: null
    from-sender {enable | disable}
        Enable for the notification message to be sent from the recipient. This is to avoid billing problems.
        Default: disable
    header <header_type>
        Set the format of the message header, one of: 8bit, http, none.
        Default: none
    image <string>
        Enter the name of the image to include in the SMIL message part. This is only available when add-smil is enabled. Using '?' will show the list of available image names.
    message <message_text>
        Text of the replacement message.
        Default: Depends on message type.
    priority <priority>
        Priority of the message, one of: high, low, normal, not included.
        Default: normal
    rsp-status <rsp_status>
        Response status codes, one of: err-content-not-accepted, err-msg-fmt-corrupt, err-net-prob, err-snd-addr-unresolv, err-srv-denied, err-unspecified, err-unsupp-msg, ok.
        Default: err-content-not-accepted
    smil-part <string>
        Enter the SMIL part of the replacement message.
    subject <subject_text>
        Subject text string.
        Default: Depends on message type.

Example
This example shows how to set the message sent when a user on the MM4 network sends one or more viruses. It uses the default message text.
    config system replacemsg mm4 mm4-virus-notif
        set class automatic
        set domain ''
        set format text
        set header none
        set priority high
        set subject "Messages sent containing viruses"
        set message "This device has sent %%NUM_MSG%% messages containing the virus %%VIRUS%% in the last %%DURATION%% hours."
    end

History
    FortiOS v3.0    New command.

replacemsg mm7 (FortiOS Carrier)

Use this command to change default replacement messages added to messages sent on the MM7 network when the antivirus engine blocks a file either because of a matching file pattern or because a virus is detected, or when spam filter blocks an email.

Syntax
    config system replacemsg mm7 <mm7message_type>
        set add-smil {enable | disable}
        set addr_type <addr_type>
        set charset <character_set>
        set class <class>
        set format <format>
        set from <from_address>
        set from-sender {enable | disable}
        set header <header_type>
        set image <string>
        set message <message_text>
        set priority <priority>
        set rsp-status <rsp_status>
        set smil-part <string>
        set subject <subject_text>
    end

Keywords and variables / Description / Default
    <mm7message_type>
        MM7 replacement message types, one of:
            mm7-block
            mm7-block-notif
            mm7-bword
            mm7-bword-notif
            mm7-sis-block
            mm7-sis-block-notif
            mm7-virus
            mm7-virus-block
        Default: No default
    add-smil {enable | disable}
        Enable to add SMIL content to the message. SMIL content can include images. This keyword is available for the following message types:
            mm7-block-notif
            mm7-bword-notif
            mm7-sis-block-notif
        Default: disable
    addr_type <addr_type>
        From address types, one of: number, rfc2882-addr, short-code.
        Default: number
    charset <character_set>
        Character encoding used for replacement messages, one of: us-ascii, utf-8.
        Default: utf-8
    class <class>
        The message can be classified as one of: advertisement, automatic, informational, not-included, personal.
        Default: automatic

    format <format>
        Replacement message format flag, one of: html, none, text, wml.
        Default: text
    from <from_address>
        Address the message is from.
        Default: null
    from-sender {enable | disable}
        Enable for the notification message to be sent from the recipient. This is to avoid billing problems.
        Default: disable
    header <header_type>
        Set the format of the message header, one of: 8bit, http, none.
        Default: none
    image <string>
        Enter the name of the image to include in the SMIL message part. This is only available when add-smil is enabled. Using '?' will show the list of available image names.
    message <message_text>
        Text of the replacement message.
        Default: Depends on message type.
    priority <priority>
        Priority of the message, one of: high, low, normal, not included.
        Default: normal
    rsp-status <rsp_status>
        Response status codes, one of: addr-err, addr-not-found, app-addr-not-supp, app-denied, app-id-not-found, client-err, content-refused, gen-service-err, improper-ident, link-id-not-found, msg-fmt-corrupt, msg-id-not-found, msg-rejected, multiple-addr-not-supp, not-possible, oper-restrict, partial-success, repl-app-id-not-found, service-denied, service-err, service-unavail, srv-err, success, unsupp-oper, unsupp-ver, validation-err.
        Default: Depends on message type.
    smil-part <string>
        Enter the SMIL part of the replacement message.
    subject <subject_text>
        Subject text string.
        Default: Depends on message type.

Example
This example shows how to set the message sent when a user on the MM7 network sends one or more viruses. It uses the default message text.
    config system replacemsg mm7 mm7-virus-notif
        set charset utf-8
        set class automatic
        set format text
        set header none
        set priority high
        set rsp-status err-content-not-accepted
        set subject "Messages sent containing viruses"
        set message "This device has sent %%NUM_MSG%% messages containing the virus %%VIRUS%% in the last %%DURATION%% hours."
    end

History
    FortiOS v3.0    New command.

replacemsg nntp

Use this command to change the net news transfer protocol (NNTP) download pages including:
    • NNTP download blocked
    • NNTP download filesize error
    • NNTP download infected
These are HTML messages with HTTP headers.

Syntax
    config system replacemsg nntp auth_msg_type
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variable / Description / Default
    auth_msg_type
        FortiGuard replacement alertmail message type. One of:
            nntp-dlblocked     A file being downloaded has been blocked. The file has been quarantined.
            nntp-dlfilesize    The article is larger than the configured size limit.
            nntp-dlinfected    An attached file has had a virus detected in it, and quarantined.
        Default: No default
    buffer <message>
        Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
        Note: If you unset the buffer for a replacement message, it will be cleared.
        Default: Depends on message type.
    format <format>
        Set the format of the message: html, text, none.
        Default: No default
    header <header_type>
        Set the format of the message header: 8bit, http, none.
        Default: Depends on message type.

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 15: Replacement message tags
    %%FILE%%            The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. The file may have been quarantined if a virus was detected. %%FILE%% can be used in virus and file block messages.
    %%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. Quarantining is only available on FortiGate units with a local disk. %%QUARFILENAME%% can be used in virus and file block messages.
    %%VIRUS%%           The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

Example
The default message for a detected virus is:
    Virus/Worm detected: %%VIRUS%%
    Protocol: %%PROTOCOL%%
    Source IP: %%SOURCE_IP%%
    Destination IP: %DST_IP%%
    Email Address From: %%EMAIL_FROM%%
    Email Address To: %%EMAIL_TO%%

History
    FortiOS v3.0 MR4    New command.

replacemsg spam

Use this command to change default replacement messages added to SMTP email messages when spam filter blocks an email message. By default, these are text messages with an 8-bit header.

Syntax
    config system replacemsg spam <message-type>
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variable / Description / Default
    <message-type>
        spam replacement message type, one of:
            ipblocklist             The spam filter IP address list marked an email message as reject or as spam.
            reversedns              Spam filtering return-email DNS check identified a message as spam.
            smtp-spam-bannedword    The spam filter email address list marked an email as spam.
            smtp-spam-emailblack    The spam filter email address list marked an SMTP message as spam.
            smtp-spam-feip          FortiGuard-Spam blocked an email based on its originating IP address.
            smtp-spam-fschksum      Checksum is in the FortiGuard-AntiSpam checksum blacklist.
            smtp-spam-fsurl         FortiGuard-Spam blocked an email based on its originating URL.
            smtp-spam-helo          An email message is blocked because the HELO/EHLO domain is invalid.
            smtp-spam-mimeheader    The spam MIME headers list marked a message as spam.
            smtp-spam-rbl           The spam filter DNSBL & ORDBL list marked an email message as reject or as spam.
            submit                  The spam submit list marked an email as spam.
        Default: No default.
    buffer <message>
        Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
        Note: If you unset the buffer for a replacement message, it will be cleared.
        Default: Depends on message type.

    format <format>
        Set the format of the message, one of: html, text, none.
        Default: text
    header <header_type>
        Set the format of the message header, one of: 8bit, http, none.
        Default: 8bit

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Table 16: Replacement message tags
    %%QUARFILENAME%%    The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. Quarantining is only available on FortiGate units with a local disk. %%QUARFILENAME%% can be used in virus and file block messages.
    %%SOURCE_IP%%       The IP address from which a virus was received. For HTTP this is the IP address of the web page that sent the virus. For email this is the IP address of the email server that sent the email containing the virus.
    %%DEST_IP%%         The IP address of the computer that would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
    %%EMAIL_FROM%%      The email address of the sender of the message from which the file was removed.
    %%EMAIL_TO%%        The email address of the intended receiver of the message from which the file was removed.

Example
This example shows how to change the message added to SMTP mail that the spam filter has blocked.
    config system replacemsg spam ipblocklist
        set buffer "This email was blocked as spam."
    end

History
    FortiOS v2.80       New.
    FortiOS v3.0 MR2    Added smtp-spam-fschksum replacement message.
    FortiOS v3.0 MR3    Replacement messages increased in size from 4 096 to 8 192 bytes per message.

replacemsg sslvpn

Use this command to change the login page presented to SSL-VPN users. This is an HTML message with an HTTP header.

Syntax
    config system replacemsg sslvpn sslvpn-login
        set buffer <message>
        set format <format>
        set header <header_type>
    end

Variable / Description / Default
    buffer <message>
        Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
        Note: If you unset the buffer for a replacement message, it will be cleared.
        Default: Depends on message type.
    format <format>
        Set the format of the message: html, text, none.
        Default: No default
    header <header_type>
        Set the format of the message header: 8bit, http, none.
        Default: Depends on message type.

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

Requirements for login page
The SSL login page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work.
    • The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%"
    • The form must contain the %%SSL_LOGIN%% tag to provide the logon form.
    • The form must contain the %%SSL_HIDDEN%% tag.

History
    FortiOS v3.0        sslvpn replacemsg category added.
    FortiOS v3.0 MR3    Replacement messages increased in size from 4 096 to 8 192 bytes per message.
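As an added example (not FortiOS code and not part of this reference), the checker below validates a replacement message buffer offline before it is pasted into a `config system replacemsg ...` command, using the limits stated above: the 8 192-character buffer maximum, the tags documented for each category in Tables 10 to 16, and the four "Requirements for login page" rules for sslvpn-login. The per-category tag sets are copied from those tables; the malformed-tag check, the form check and the sample buffers are constructed for this example.

```python
"""
Pre-flight checker for FortiGate replacement message buffers (added example,
not FortiOS code). It flags buffers that exceed the documented maximum, use
tags the reference does not list for that replacemsg category, contain a
half-formed tag that would be shown to the user literally, or (for sslvpn)
violate the login-page requirements.
"""
import re

MAX_BUFFER_LEN = 8192  # "Maximum length 8 192 characters"

# Tags documented per replacemsg category in Tables 10 to 16 and the
# sslvpn requirements list (assumption: the tables are complete).
VALID_TAGS = {
    "fortiguard-wf": {"URL"},
    "ftp": {"FILE", "VIRUS", "QUARFILENAME", "URL", "PROTOCOL", "SOURCE_IP", "DEST_IP"},
    "http": {"FILE", "VIRUS", "QUARFILENAME", "URL", "PROTOCOL", "SOURCE_IP", "DEST_IP"},
    "im": {"FILE", "VIRUS", "QUARFILENAME", "PROTOCOL", "SOURCE_IP", "DEST_IP"},
    "mail": {"FILE", "VIRUS", "QUARFILENAME", "PROTOCOL", "SOURCE_IP", "DEST_IP",
             "EMAIL_FROM", "EMAIL_TO"},
    "nntp": {"FILE", "QUARFILENAME", "VIRUS"},
    "spam": {"QUARFILENAME", "SOURCE_IP", "DEST_IP", "EMAIL_FROM", "EMAIL_TO"},
    "sslvpn": {"SSL_ACT", "SSL_METHOD", "SSL_LOGIN", "SSL_HIDDEN"},
}

WELL_FORMED_TAG = re.compile(r"%%([A-Z_]+)%%")
# A tag missing one delimiter on either side (e.g. "%DST_IP%%") is not expanded;
# the user sees it verbatim.
MALFORMED_TAG = re.compile(r"(?<!%)%[A-Z_]+%%|%%[A-Z_]+%(?!%)")


def check_sslvpn_login(page):
    """Apply the 'Requirements for login page' rules to an sslvpn-login buffer."""
    problems = []
    open_tag = re.search(r"<form\b[^>]*>", page, re.IGNORECASE)
    close_tag = re.search(r"</form\s*>", page, re.IGNORECASE)
    if open_tag is None or close_tag is None:
        return ["login page must contain an HTML <form> ... </form>"]
    attrs = open_tag.group(0)
    if not re.search(r'\bACTION\s*=\s*"%%SSL_ACT%%"', attrs, re.IGNORECASE):
        problems.append('form must have ACTION="%%SSL_ACT%%"')
    if not re.search(r'\bMETHOD\s*=\s*"%%SSL_METHOD%%"', attrs, re.IGNORECASE):
        problems.append('form must have METHOD="%%SSL_METHOD%%"')
    body = page[open_tag.end():close_tag.start()]
    for tag in ("SSL_LOGIN", "SSL_HIDDEN"):
        if f"%%{tag}%%" not in body:
            problems.append(f"form must contain the %%{tag}%% tag")
    return problems


def check_buffer(category, buffer):
    """Return a list of problems found in `buffer`; an empty list means it passes."""
    if category not in VALID_TAGS:
        return [f"unknown replacemsg category {category!r}"]
    problems = []
    if len(buffer) > MAX_BUFFER_LEN:
        problems.append(f"buffer is {len(buffer)} characters; maximum is {MAX_BUFFER_LEN}")
    for tag in WELL_FORMED_TAG.findall(buffer):
        if tag not in VALID_TAGS[category]:
            problems.append(f"tag %%{tag}%% is not documented for replacemsg {category}")
    for bad in MALFORMED_TAG.findall(buffer):
        problems.append(f"malformed tag {bad!r} will be shown to the user literally")
    if category == "sslvpn":
        problems.extend(check_sslvpn_login(buffer))
    return problems


# Constructed sample buffers (not from the reference).
GOOD_LOGIN_PAGE = (
    "<html><body>\n"
    '<form ACTION="%%SSL_ACT%%" METHOD="%%SSL_METHOD%%">\n'
    "%%SSL_LOGIN%%\n%%SSL_HIDDEN%%\n"
    "</form>\n</body></html>"
)
BAD_LOGIN_PAGE = GOOD_LOGIN_PAGE.replace("%%SSL_HIDDEN%%\n", "")

if __name__ == "__main__":
    for cat, buf in [
        ("ftp", "Download of %%FILE%% blocked: %%VIRUS%% from %%SOURCE_IP%%."),
        ("mail", "Destination IP: %DST_IP%%"),
        ("sslvpn", BAD_LOGIN_PAGE),
    ]:
        print(cat, check_buffer(cat, buf) or "OK")
```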

replacemsg-group (FortiOS Carrier)

In FortiOS Carrier, replacement messages can be created and applied to specific protection profiles. This allows the customization of messages for specific users or user groups. Users are assigned to a group through the protection profile feature of firewall. See “firewall profile” on page 133 for more information on protection profiles.

The ’default’ group always exists, and cannot be deleted. All additional replacement message groups inherit from the default group. Any messages in custom groups that have not been modified inherit any changes to those messages in the default group. If a user is not part of a custom replacement message group, their replacement messages come from the ‘default’ group.

The only replacement messages that cannot be customized in groups are administration related messages, which are in the following categories:
• Alert Mail
• Administration
• Authentication
• IM and P2P
• SSL VPN

Except for mm1, mm3, mm4, and mm7, which use the message keyword, all replacement message types use the buffer keyword to refer to the body of the message.

Syntax

config system replacemsg-group
    edit <groupname_string>
        set comment <string>
        config {fortiguard-wf | ftp | http | mail | mm1 | mm3 | mm4 | mm7 | nntp | spam}
            edit <msgkey_integer>
                set msg-type <type>
                set buffer <string>
                set header <header_flag>
                set format <format_flag>
                set message <string>
        end
end

Variables

edit <groupname_string>
    Create or edit a replacement message group.

comment <string>
    Enter a descriptive comment for this replacement message group.

config {fortiguard-wf | ftp | http | mail | mm1 | mm3 | mm4 | mm7 | nntp | spam}
    Select a replacement message type to add or edit. These types or protocols match the existing replacemsg commands, and determine which msg-types are available. For more information on these replacement message types see:
    • “replacemsg fortiguard-wf” on page 430
    • “replacemsg ftp” on page 431
    • “replacemsg http” on page 433
    • “replacemsg mail” on page 437
    • “replacemsg mm1 (FortiOS Carrier)” on page 439
    • “replacemsg mm3 (FortiOS Carrier)” on page 442
    • “replacemsg mm4 (FortiOS Carrier)” on page 444
    • “replacemsg mm7 (FortiOS Carrier)” on page 446
    • “replacemsg nntp” on page 449
    • “replacemsg spam” on page 451

edit <msgkey_integer>
    Create or edit a message entry in the table. Enter the key of the entry. Using ‘?’ will show you the existing message type as well as the msgkey entries in the table.

msg-type <type>
    Select the message type for this message entry. Valid message types vary according to which replacement message table you are editing. For a list of valid message types for this table, refer to the CLI replacemsg command of the same name.

buffer <string>
    Enter the replacement message for this message type. Enclose the message in quotes. This keyword is used with the following replacement messages:
    • fortiguard-wf
    • ftp
    • http
    • mail
    • nntp
    • spam
    Other replacement messages use the message keyword.

header <header_flag>
    Select the header for this message. Valid types include:
    • 8bit
    • http
    • none

format <format_flag>
    Select the format of this message. Valid formats include:
    • html
    • none
    • text
    • wml

message <string>
    Enter the replacement message for this message type. Enclose the message in quotes. This keyword is used with the following replacement messages:
    • mm1
    • mm3
    • mm4
    • mm7
    Other replacement messages use the buffer keyword.

Example

In this example you have 2 groups of users that use different replacement messages due to language and regional differences. The first group is in the United States, and the other group is in the United Kingdom. Different spelling and different speech patterns mean each group expects different messages. To keep it simple, the format will be text only.

config system replacemsg-group
    edit united_states
        set comment "messages for United States customers"
        config http
            edit 1
                set msg-type bannedword
                set format text
                set message "Your attempt to access this unauthorized web page has been blocked. It contains off-color words that violate the banned word list. URL = http://%%URL%%"
        end
    end
    edit united_kingdom
        set comment "messages for United Kingdom customers"
        config http
            edit 1
                set msg-type bannedword
                set format text
                set message "Unfortunately your requested web page has been blocked. It appears to contain prohibited off-colour words. URL = http://%%URL%%"
        end
    end
end

History

FortiOS v3.0 MR5   New.

replacemsg-image (FortiOS Carrier)

Use this command to add, edit, or delete images to be used in SMIL parts of replacement messages. You can also use the graphical interface to add images by browsing to their location.

Both image-base64 and image-type must be present for a valid entry.

Syntax

config system replacemsg-image
    edit <image_name>
        set image-base64 <image_data>
        set image-type <format>
end

Variables

edit <image_name>
    Enter the name or tag to use for this image.
    Default: none.

image-base64 <image_data>
    Enter the image in base64 encoding.
    Default: none.

image-type <format>
    Select the format of the image. Available formats include:
    • gif
    • jpeg
    • png
    • tiff
    Default: none.

History

FortiOS v3.0 MR5   New.

session-helper

A session helper binds a service to a TCP or UDP port. By default, there are session helpers that bind services to standard ports. Use this command to configure a new session helper or to edit an existing one.

Syntax

config system session-helper
    edit <helper-number>
        set name <helper-name>
        set port <port_number>
        set protocol <protocol_number>
end

Services, ports, and protocols

 1  pptp     port 1723  protocol 6
 2  h323     port 1720  protocol 6
 3  ras      port 1719  protocol 17
 4  tns      port 1521  protocol 6
 5  tftp     port 69    protocol 17
 6  rtsp     port 23    protocol 6
 7  rtsp     port 25    protocol 6
 8  ftp      port 21    protocol 6
 9  rtsp     port 554   protocol 6
10  rtsp     port 7070  protocol 6
11  pmap     port 111   protocol 17
12  sip      port 5060  protocol 17
13  dns-udp  port 53    protocol 17
14  rsh      port 514   protocol 6
15  rsh      port 512   protocol 6
16  dcerpc   port 135   protocol 6
17  dcerpc   port 135   protocol 17
18  mgcp     port 2427  protocol 17
19  mgcp     port 2727  protocol 17

Keywords and variables

edit <helper-number>
    Enter the number of the session-helper that you want to edit, or enter an unused number to create a new session-helper.
    No default.

name <helper-name>
    The name of the session helper. One of: dns-tcp, dns-udp, ftp, h245I, h245O, h323, ident, mms, pmap, pptp, ras, rtsp, sip, tftp, tns.
    No default.

port <port_number>
    Enter the port number to use for this protocol.
    No default.

protocol <protocol_number>
    The protocol number for this service, as defined in RFC 1700.
    No default.

Example

Use the following commands to edit the file transfer protocol (FTP) and change it to port 111, but remain as protocol 6:

config system session-helper
    edit 8
        set name ftp
        set port 111
        set protocol 6
end

History

FortiOS v2.80   New.
FortiOS v3.0    Changed dns_tcp to dns-tcp and dns_udp to dns-udp.
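Before re-binding a helper as in the example above, it is useful to see whether the new port and protocol pair is already claimed by another helper, since the table keys bindings by both values (dcerpc, for instance, appears twice on port 135, once per protocol). The following Python script is an added example, not code from Fortinet or from this reference: it models the default table listed on this page, applies an edit, reports any port/protocol bindings that would then be claimed by more than one helper, and prints the CLI commands for the edit. The collision-detection logic and the constructed second edit are assumptions of the example, not behaviour documented on this page.

```python
# Default session-helper table as listed on this page:
# helper number -> (name, port, protocol number; 6 = TCP, 17 = UDP).
DEFAULT_HELPERS = {
    1: ("pptp", 1723, 6),    2: ("h323", 1720, 6),    3: ("ras", 1719, 17),
    4: ("tns", 1521, 6),     5: ("tftp", 69, 17),     6: ("rtsp", 23, 6),
    7: ("rtsp", 25, 6),      8: ("ftp", 21, 6),       9: ("rtsp", 554, 6),
    10: ("rtsp", 7070, 6),   11: ("pmap", 111, 17),   12: ("sip", 5060, 17),
    13: ("dns-udp", 53, 17), 14: ("rsh", 514, 6),     15: ("rsh", 512, 6),
    16: ("dcerpc", 135, 6),  17: ("dcerpc", 135, 17), 18: ("mgcp", 2427, 17),
    19: ("mgcp", 2727, 17),
}


def find_collisions(helpers):
    """Return {(port, protocol): [helper numbers]} for bindings claimed more than once."""
    claims = {}
    for number, (_name, port, proto) in helpers.items():
        claims.setdefault((port, proto), []).append(number)
    return {binding: nums for binding, nums in claims.items() if len(nums) > 1}


def edit_helper(helpers, number, name, port, proto):
    """Return a new table with helper `number` set to the given binding.

    Rejects values the CLI would not accept (port range) or that make no sense
    for a session helper (a protocol number other than TCP or UDP).
    """
    if proto not in (6, 17):
        raise ValueError(f"protocol {proto} is neither TCP (6) nor UDP (17)")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    updated = dict(helpers)
    updated[number] = (name, port, proto)
    return updated


def helper_cli(number, name, port, proto):
    """CLI commands that apply one helper entry, in the syntax shown above."""
    return "\n".join([
        "config system session-helper",
        f"    edit {number}",
        f"        set name {name}",
        f"        set port {port}",
        f"        set protocol {proto}",
        "end",
    ])


if __name__ == "__main__":
    # The page's example: move FTP to port 111 while staying on protocol 6.
    moved = edit_helper(DEFAULT_HELPERS, 8, "ftp", 111, 6)
    print(helper_cli(8, *moved[8]))
    print("collisions after edit:", find_collisions(moved))  # pmap is 111/17, so none
    # A constructed edit that would double-bind UDP 5060 with the sip helper.
    print("collisions:", find_collisions(edit_helper(DEFAULT_HELPERS, 8, "ftp", 5060, 17)))
```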

session-sync

Use this command to configure TCP session synchronization between two standalone FortiGate units. Standalone session synchronization can be used instead of HA to provide TCP session synchronization between two peer FortiGate units.

Note: TCP session synchronization between two standalone FortiGate units is also sometimes called standalone session synchronization or session synchronization between non-HA FortiGate units.

You can use this feature with external routers or load balancers configured to distribute or load balance TCP sessions between two peer FortiGate units. If one of the peers fails, session failover occurs and active TCP sessions fail over to the peer that is still operating. This failover occurs without any loss of data. As well, the external routers or load balancers will detect the failover and re-distribute all sessions to the peer that is still operating.

If external load balancers or routers load balance traffic to both peers, the effect is similar to active-active HA. If the external load balancers direct all sessions to one peer, the effect is similar to active-passive HA.

The load balancers should be configured so that all of the packets for any given session are processed by the same peer. This includes return packets.

Figure 3: Standalone session synchronization (diagram: Internet, router or load balancer, two peer FortiGate units joined by a session synchronization link, router or load balancer, internal network)

By default, standalone session synchronization synchronizes all TCP sessions. You can optionally add filters to a configuration to control which TCP sessions are synchronized. You can add filters to only synchronize packets from specified source and destination addresses, specified source and destination interfaces, and specified predefined firewall TCP services.

Unlike HA, standalone session synchronization does not include configuration synchronization. In fact, you can manage and configure both peers as separate FortiGate units. Using FortiManager, you can manage both peers as two separate FortiGate devices. Also unlike HA, load balancing is done by external routers or load balancers. The FortiGate units only perform session synchronization and session failover.

Notes and limitations

Standalone session synchronization has the following limitations:
• Only TCP sessions accepted by firewall policies are synchronized. Due to their non-stateful nature, UDP and ICMP sessions don’t need to be synchronized to naturally fail over.
• Sessions accepted by firewall policies that contain protection profiles are not synchronized.
• Session synchronization is available for FortiGate units or virtual domains operating in NAT/Route or Transparent mode. In NAT/Route mode, only sessions for route mode firewall policies are synchronized. In Transparent mode, only sessions for normal Transparent mode policies are synchronized.
• Sessions that include network address translation (NAT) applied by selecting NAT in firewall policies are not synchronized because the address translation binds to a FortiGate unit address and the peers have different IP addresses. NAT sessions are not synchronized in either mode.
• Session synchronization is stateful, so all of the packets of a given session must be processed on the same peer. This includes return packets. Session synchronization cannot be asymmetric. You must configure the load balancers so that they do not cause asymmetric routing.
• Session synchronization is supported for traffic on physical interfaces, VLAN interfaces, zones, aggregate interfaces and so on. Session synchronization has not been tested for inter-vdom links, between HA clusters, accelerated interfaces (FA2 and NP2), and for redundant interfaces.
• Session synchronization is a CLI only configuration.
• Standalone session synchronization is a global configuration option.
• You can only add one filter configuration to a given standalone session synchronization configuration. However, you can add multiple filters by adding multiple identical standalone session synchronization configurations, each one with a different filter configuration.
• As a result, you can only add one predefined firewall TCP service to a filter configuration. You cannot add custom services or service groups even if virtual domains are not enabled.

Configuring session synchronization

You configure session synchronization for each virtual domain to be synchronized. If virtual domain configuration is not enabled, you configure session synchronization for the root virtual domain. When virtual domain configuration is enabled and you have added virtual domains, you configure session synchronization for each virtual domain to be synchronized. You don’t have to synchronize all of the virtual domains.

You must configure session synchronization on both peers. However, the configuration of the two peers is not identical because in most cases the peers would have different IP addresses. The session synchronization configurations of each peer should complement the other.

On each peer, configuring session synchronization consists of selecting the virtual domains to be synchronized using the syncvd keyword, selecting the virtual domain on the other peer that receives the synchronization packets using the peervd keyword, and setting the IP address of the interface in the peer unit that receives the synchronization packets using the peerip keyword. The interface with the peerip must be in the peervd virtual domain. The names of the matching interfaces, including VLAN interfaces, aggregate interfaces and so on, must be the same on both peers.

The syncvd and peervd settings must be the same on both peers. However, the peerip settings will be different because the peerip setting on the first peer includes the IP address of an interface on the second peer, and the peerip setting on the second peer includes the IP address of an interface on the first peer.

Because session synchronization does not synchronize FortiGate configuration settings, you must configure both peers separately. For session synchronization to work properly all session synchronized virtual domains must be added to both peers. The names of the matching interfaces in each virtual domain must also be the same; this includes the names of matching VLAN interfaces. Note that the index numbers of the matching interfaces and VLAN interfaces can be different. Also, the VLAN IDs of the matching VLAN interfaces can be different. Also, the session synchronized virtual domains should have the same firewall policies so that sessions can be resumed after a failover using the same firewall policies.

For a configuration example, see “Basic example configuration” on page 462.

Configuring the session synchronization link

When session synchronization is operating, the peers share session information over an Ethernet link between the peers similar to an HA heartbeat link. Usually you would use the same interface on each peer for session synchronization. You can use different interfaces on each peer for session synchronization links. For FortiGate-5000 systems you can use a backplane interface as the session synchronization link.

If possible, session synchronization link interfaces should only be used for session synchronization traffic and not for data traffic. Session synchronization traffic can use a considerable amount of network bandwidth. In fact, if you are synchronizing a lot of sessions, you may want to configure and connect multiple session synchronization links to distribute session synchronization traffic to these multiple links. As well, if you have multiple session synchronization configurations, you can have multiple session synchronization links between the peers. Each configuration only includes one session synchronization link. You cannot configure backup session synchronization links.

The session synchronization link should always be maintained. If session synchronization communication is interrupted and a failure occurs, sessions will not fail over and data could be lost. You should connect the session synchronization interfaces directly without using a switch or other networking equipment. If possible, use a crossover cable for the session synchronization link.

Syntax

config system session-sync
    edit <sync_id>
        set peerip <peer_ipv4>
        set peervd <vd_name>
        set syncvd <vd_name>
        config filter
            set dstaddr <dist_ip_ipv4> <dist_mask_ipv4>
            set dstintf <interface_name>
            set service <string>
            set srcaddr <string>
            set srcintf <interface_name>
        end
end

Variables

<sync_id>
    Enter the unique ID number for the session synchronization configuration to edit. The session synchronization configuration ID can be any number between 1 and 200. The session synchronization configuration IDs of the peers do not have to match.
    No default.

peerip <peer_ipv4>
    Enter the IP address of the interface on the peer unit that is used for the session synchronization link.
    Default: 0.0.0.0

peervd <vd_name>
    Enter the name of the virtual domain that contains the session synchronization link interface on the peer unit. Usually both peers would have the same peervd. Multiple session synchronization configurations can use the same peervd.
    Default: root

syncvd <vd_name>
    Enter the names of one or more virtual domains so that the sessions processed by these virtual domains are synchronized using this session synchronization configuration.

config filter
    Add a filter to a standalone session synchronization configuration. You can add a filter if you want to only synchronize some TCP sessions. Using a filter you can configure synchronization to only synchronize sessions according to source and destination address, source and destination interface, and predefined firewall TCP service. You can only add one filter to a standalone session synchronization configuration.

dstaddr <dist_ip_ipv4> <dist_mask_ipv4>
    Enter the destination IP address and netmask of the sessions to synchronize. You can use <dist_ip_ipv4> and <dist_mask_ipv4> to specify a single IP address or a range of IP addresses. The default IP address and netmask of 0.0.0.0 and 0.0.0.0 synchronizes sessions for all destination addresses. If you want to specify multiple IP addresses or address ranges you can add multiple standalone session synchronization configurations.
    Default: 0.0.0.0 0.0.0.0

dstintf <interface_name>
    Enter the name of a FortiGate interface (this can be any interface including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter-VDOM link interface). Only sessions destined for this interface are synchronized. You can only enter one interface name. If you want to synchronize sessions for multiple interfaces you can add multiple standalone session synchronization configurations. The default dstintf setting synchronizes sessions for all interfaces.
    Default: (null)

service <string>
    Enter the name of a FortiGate firewall predefined service. Only sessions that use this predefined service are synchronized. You can only enter one predefined service name. If you want to synchronize sessions for multiple services you can add multiple standalone session synchronization configurations.
    Default: (null)

srcaddr <string>
    Enter the source IP address and netmask of the sessions to synchronize. You can use <dist_ip_ipv4> and <dist_mask_ipv4> to specify a single IP address or a range of IP addresses. The default IP address and netmask of 0.0.0.0 and 0.0.0.0 synchronizes sessions for all source addresses. If you want to specify multiple IP addresses or address ranges you can add multiple standalone session synchronization configurations.
    Default: 0.0.0.0 0.0.0.0

srcintf <interface_name>
    Enter the name of a FortiGate interface (this can be any interface including a VLAN interface, aggregate interface, redundant interface, virtual SSL VPN interface, or inter-VDOM link interface). Only sessions from this interface are synchronized. You can only enter one interface name. If you want to synchronize sessions for multiple interfaces you can add multiple standalone session synchronization configurations. The default srcintf setting synchronizes sessions for all interfaces.
    Default: (null)

Basic example configuration

The following configuration example shows how to configure a basic session synchronization configuration for the two peer FortiGate units shown in Figure 4 on page 463. The host names of the peers are peer_1 and peer_2. Both peers are configured with two virtual domains: root and vdom_1. All sessions processed by vdom_1 are synchronized. The synchronization link interface is port3, which is in the root virtual domain. The IP address of port3 on peer_1 is 10.10.10.1. The IP address of port3 on peer_2 is 10.10.10.2.

Also on both peers, port1 and port2 are added to vdom_1. On peer_1 the IP address of port1 is set to 192.168.20.1 and the IP address of port2 is set to 172.110.20.1. On peer_2 the IP address of port1 is set to 192.168.20.2 and the IP address of port2 is set to 172.110.20.2.

Figure 4: Example standalone session synchronization network configuration (diagram: Internet, router or load balancer, Peer_1 with vdom_1 on port1/port2 and port3 10.10.10.1 in root, session synchronization link, Peer_2 with vdom_1 on port1/port2 and port3 10.10.10.2 in root, router or load balancer, internal network)

Configuration steps

1  Configure the load balancer or router to send all sessions to peer_1.

2  Configure the load balancer or router to send all traffic to peer_2 if peer_1 fails.

3  Use normal FortiGate configuration steps on peer_1:
   • Enable virtual domain configuration.
   • Add the vdom_1 virtual domain.
   • Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
   • Set the IP address of port1 to 192.168.20.1.
   • Set the IP address of port2 to 172.110.20.1.
   • Set the IP address of port3 to 10.10.10.1.
   • Add route mode firewall policies between port1 and port2 to vdom_1.

4  Enter the following commands to configure session synchronization for peer_1:

config system session-sync
    edit 1
        set peerip 10.10.10.2
        set peervd root
        set syncvd vdom_1
end

5  Use normal FortiGate configuration steps on peer_2:
   • Enable virtual domain configuration.
   • Add the vdom_1 virtual domain.
   • Add port1 and port2 to the vdom_1 virtual domain and configure these interfaces.
   • Set the IP address of port1 to 192.168.20.2.
   • Set the IP address of port2 to 172.110.20.2.
   • Set the IP address of port3 to 10.10.10.2.
   • Add route mode firewall policies between port1 and port2 to vdom_1.

6  Enter the following commands to configure session synchronization for peer_2:

config system session-sync
    edit 1
        set peerip 10.10.10.1
        set peervd root
        set syncvd vdom_1
end

Adding a filter

You can add a filter to this basic configuration if you only want to synchronize some TCP sessions. For example, you can enter the following commands on both FortiGate units to edit the standalone session synchronization configurations and add a filter so that only HTTP sessions are synchronized:

config system session-sync
    edit 1
        config filter
            set service HTTP
        end
end

History

FortiOS v3.0 MR6   The command config system session-sync is new for FortiOS v3.0 MR6.
FortiOS v3.0 MR7   The config filter command and associated keywords (dstaddr, dstintf, service, srcaddr, and srcintf) are now available for MR7.
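Because the two peers are configured separately and nothing checks that their session-sync settings complement each other, a mismatch only shows up when a failover fails to carry sessions over. The following Python script is an added example, not code from Fortinet or from this reference: it models the peer_1 and peer_2 setup from the basic example above as constructed data and checks the rules stated in “Configuring session synchronization” (syncvd and peervd equal on both peers, each peerip being an interface address inside the other peer’s peervd, every synchronized virtual domain and its interface names present on both peers, sync_id within 1 to 200, and a filter naming only one predefined service). It also emits the CLI block for a configuration in the syntax shown above. The data model and the function names are the example’s own assumptions.

```python
import copy

# Constructed model of the two peers in this page's basic example: per-vdom
# interface addresses and each peer's session-sync configuration.
PEER_1 = {
    "name": "peer_1",
    "vdoms": {
        "root": {"port3": "10.10.10.1"},
        "vdom_1": {"port1": "192.168.20.1", "port2": "172.110.20.1"},
    },
    "session_sync": [
        {"id": 1, "peerip": "10.10.10.2", "peervd": "root",
         "syncvd": ["vdom_1"], "filter": {}},
    ],
}
PEER_2 = {
    "name": "peer_2",
    "vdoms": {
        "root": {"port3": "10.10.10.2"},
        "vdom_1": {"port1": "192.168.20.2", "port2": "172.110.20.2"},
    },
    "session_sync": [
        {"id": 1, "peerip": "10.10.10.1", "peervd": "root",
         "syncvd": ["vdom_1"], "filter": {}},
    ],
}


def _peerip_problems(local, cfg, remote):
    """peerip must be the address of an interface inside the remote peer's peervd."""
    addresses = remote["vdoms"].get(cfg["peervd"], {}).values()
    if cfg["peerip"] not in addresses:
        return [f"{local['name']}: peerip {cfg['peerip']} is not an interface "
                f"address in {remote['name']} vdom {cfg['peervd']}"]
    return []


def check_session_sync_pair(peer_a, peer_b):
    """Return the ways the two configurations fail to complement each other."""
    problems = []
    cfgs_a, cfgs_b = peer_a["session_sync"], peer_b["session_sync"]
    if len(cfgs_a) != len(cfgs_b):
        problems.append("peers have a different number of session-sync configurations")
    # IDs need not match between peers, so pair configurations by position.
    for ca, cb in zip(cfgs_a, cfgs_b):
        for cfg, peer in ((ca, peer_a), (cb, peer_b)):
            if not 1 <= cfg["id"] <= 200:
                problems.append(f"{peer['name']}: sync_id {cfg['id']} is outside 1-200")
            if len(cfg["filter"].get("service", "").split()) > 1:
                problems.append(f"{peer['name']}: a filter takes only one predefined service")
        if ca["peervd"] != cb["peervd"]:
            problems.append(f"peervd differs: {ca['peervd']} vs {cb['peervd']}")
        if sorted(ca["syncvd"]) != sorted(cb["syncvd"]):
            problems.append(f"syncvd differs: {ca['syncvd']} vs {cb['syncvd']}")
        problems += _peerip_problems(peer_a, ca, peer_b)
        problems += _peerip_problems(peer_b, cb, peer_a)
        for vd in sorted(set(ca["syncvd"]) | set(cb["syncvd"])):
            ifs_a, ifs_b = peer_a["vdoms"].get(vd), peer_b["vdoms"].get(vd)
            if ifs_a is None or ifs_b is None:
                problems.append(f"synchronized vdom {vd} does not exist on both peers")
            elif set(ifs_a) != set(ifs_b):
                problems.append(f"interface names in {vd} differ: {sorted(set(ifs_a) ^ set(ifs_b))}")
    return problems


def render_session_sync_cli(cfg):
    """Emit the CLI block for one configuration, in the syntax shown above."""
    lines = ["config system session-sync",
             f"    edit {cfg['id']}",
             f"        set peerip {cfg['peerip']}",
             f"        set peervd {cfg['peervd']}",
             f"        set syncvd {' '.join(cfg['syncvd'])}"]
    if cfg["filter"]:
        lines.append("        config filter")
        lines += [f"            set {k} {v}" for k, v in cfg["filter"].items()]
        lines.append("        end")
    lines.append("end")
    return "\n".join(lines)


def with_peerip(peer, index, ip):
    """Copy of a peer with one configuration's peerip changed (used to show a failing check)."""
    modified = copy.deepcopy(peer)
    modified["session_sync"][index]["peerip"] = ip
    return modified


if __name__ == "__main__":
    print("problems:", check_session_sync_pair(PEER_1, PEER_2))
    print("problems:", check_session_sync_pair(PEER_1, with_peerip(PEER_2, 0, "10.10.10.9")))
    print(render_session_sync_cli(PEER_1["session_sync"][0]))
```

The check deliberately pairs the two peers’ configurations by position rather than by sync_id, because the page states that the IDs do not have to match.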

session-ttl

Use this command to increase or decrease the length of time a TCP session can be idle before being dropped. You can set the general default timeout or set the timeout for a specific port.

Note: While it is possible to set a timeout for a session to a value that never expires, this is not a secure configuration and should be avoided.

Syntax

config system session-ttl
    set default <seconds>
    config port
        edit <port_number>
            set timeout {<seconds> | never}
    end
end

Variables

default <seconds>
    Enter the default session timeout in seconds. The valid range is from 300 to 604800 seconds.
    Default: 3600

edit <port_number>
    Enter the port number for the TCP session.
    Default: None.

timeout {<seconds> | never}
    Enter the number of seconds the session can be idle for on this port. The valid range is from 300 to 604800 seconds. Optionally you can select never instead of specifying the number of seconds.
    Default: 300

Examples

The following command increases the default session timeout:

config system session-ttl
    set default 62000
end

Use the following command to change the session timeout for SSH on port 22 to 3600 seconds:

config system session-ttl
    config port
        edit 22
            set timeout 3600
    end
end

History

FortiOS v2.80      Revised.
FortiOS v3.0       Changed from session_ttl to session-ttl, and added valid ranges for times for timeout and default.
FortiOS v3.0 MR3   Added never keyword to timeout.

settings

Use this command to change settings that are per-VDOM settings, such as the operating mode and default gateway, or settings for the entire FortiGate unit if VDOMs are not enabled.

system settings differs from system global in that system global keywords apply to the entire FortiGate unit, whereas system settings keywords apply only to the current VDOM.

When changing the opmode of the VDOM, there are keywords that are visible depending on which opmode you are changing to. They are only visible after you set the opmode and before you commit the changes with either ‘end’ or ‘next’. If you do not set these keywords, the opmode change will fail.

Table 17: Keywords associated with each opmode

Change from NAT to Transparent mode    Change from Transparent to NAT mode
set manageip <manage_ipv4>             set device <interface_name>
set gateway <gw_ipv4>                  set gateway <gw_ipv4>
                                       set ip <address_ipv4>

Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs out on a connection then that router is declared down. BFD then communicates this information to the routing protocol and the routing information is updated. BFD support was added in FortiOS v3.0 MR4, and can only be configured through the CLI.

Syntax

config system settings
    set allow-subnet-overlap {enable | disable}
    set asymroute {enable | disable}
    set asymroute6 {enable | disable}
    set bfd {enable | disable}
    set bfd-desired-min-tx <interval_msec>
    set bfd-required-min-tx <interval_msec>
    set bfd-detect-mult <multiplier>
    set bfd-dont-enforce-src-port {enable | disable}
    set comments <string>
    set device <interface_name>
    set ecmp-max-paths <max_entries>
    set gateway <gw_ipv4>
    set ip <address_ipv4>
    set manageip <manage_ipv4>
    set multicast-forward {enable | disable}
    set multicast-ttl-notchange {enable | disable}
    set opmode {nat | transparent}
    set p2p-rate-limit {per-policy | per-profile}
    set sccp-port <port_number>
    set sip-helper {enable | disable}
    set sip-nat-trace {enable | disable}
    set sip-tcp-port <port_number>
    set sip-udp-port <port_number>
    set status {enable | disable}
    set strict-src-check {enable | disable}
    set utf8-spam-tagging {enable | disable}
end

Variables

allow-subnet-overlap {enable | disable}
    Enable limited support for interface and VLAN subinterface IP address overlap for this VDOM. Caution: for advanced users only. Use this command to enable limited support for overlapping IP addresses in an existing network configuration. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.
    Default: disable

asymroute {enable | disable}
    Enable to turn on IPv4 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled. This feature should only be used as a temporary check to troubleshoot a network. It is not intended to be enabled permanently. When it is enabled, many security features of your FortiGate unit are not enabled. For more information on asymmetric routing, see the FortiGate VLANs and VDOMs guide.
    Default: disable

asymroute6 {enable | disable}
    Enable to turn on IPv6 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled. This feature should only be used as a temporary check to troubleshoot a network. It is not intended to be enabled permanently. When it is enabled, many security features of your FortiGate unit are not enabled. For more information on asymmetric routing, see the FortiGate VLANs and VDOMs guide.
    Default: disable

bfd {enable | disable}
    Enable to turn on bi-directional forwarding detection (BFD) for this virtual domain, or the whole FortiGate unit. BFD can be used with OSPF and BGP configurations, and overridden on a per interface basis.
    Default: disable

bfd-desired-min-tx <interval_msec>
    Enter a value from 1 to 100000 msec as the preferred minimum transmit interval for BFD packets. If possible this will be the minimum used. This is only available when bfd is enabled.
    Default: 50

bfd-required-min-tx <interval_msec>
    Enter a value from 1 to 100000 msec as the required minimum transmit interval for BFD packets. The FortiGate unit will not transmit BFD packets at a slower rate than this. This is only available when bfd is enabled.
    Default: 50

bfd-detect-mult <multiplier>
    Enter a value from 1 to 50 for the BFD detection multiplier.
    Default: 3

bfd-dont-enforce-src-port {enable | disable}
    Enable to not enforce the BFD source port.
    Default: disable

comments <string>
    Enter a descriptive comment for this virtual domain.
    Default: null

device <interface_name>
    Enter the interface to use for management access. This is the interface to which ip applies. This keyword is visible only after you change opmode from transparent to nat, before you commit the change.
    No default.

ecmp-max-paths <max_entries>
    Enter the maximum number of routes allowed to be included in an Equal Cost Multi-Path (ECMP) configuration. ECMP routes have the same distance and the same priority, and can be used in load balancing. Set to 1 to disable ECMP routing.
    Default: 10

gateway <gw_ipv4>
    Enter the default gateway IP address. This keyword is visible only after you change opmode from nat to transparent or from transparent to nat, before you commit the change.
    No default.

ip <address_ipv4>
    Enter the IP address to use after switching to nat mode. This keyword is visible only after you change opmode from transparent to nat, before you commit the change.
    No default.

manageip <manage_ipv4>
    Set the IP address and netmask of the Transparent mode management interface. You must set this when you change opmode from nat to transparent.
    No default.

multicast-forward {enable | disable}
    Enable or disable multicast forwarding to forward any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1.
    Default: disable

multicast-ttl-notchange {enable | disable}
    Enable to alter multicast forwarding so that it does not decrement the time-to-live (TTL) in the packet header. Disable for normal multicast forwarding behavior. This is the default behavior.
    Default: disable

opmode {nat | transparent}
    Enter the required operating mode. If you change opmode from nat to transparent, you must set manageip and gateway. If you change opmode from transparent to nat, you must set device, ip, gateway-device and gateway.
    Default: nat

p2p-rate-limit {per-policy | per-profile}
    Select per-profile or per-policy for limiting the bandwidth available for peer-to-peer applications. With per-policy limiting, the profile may limit a p2p application like BitTorrent to 50 KB/sec, but if 2 policies refer to BitTorrent, each will have that limit for a total of 100 KB/sec.
    Default: per-policy

sccp-port <port_number>
    Enter the port number from 1 to 65535 of the TCP port to use to monitor Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.
    Default: 2000

sip-helper {enable | disable}
    Enable to use the helper to add dynamic sip firewall allow rules.
    Default: enable

sip-nat-trace {enable | disable}
    Select enable to record the original IP address of the phone.
    Default: enable

sip-tcp-port <port_number>
    Enter a port number from 1 to 65535 for the TCP port the SIP proxy will use to monitor for SIP traffic.
    Default: 5060

sip-udp-port <port_number>
    Enter a port number from 1 to 65535 for the UDP port the SIP proxy will use to monitor for SIP traffic.
    Default: 5060

status {enable | disable}
    Disable or enable this VDOM. Disabled VDOMs keep all their configuration, but the resources of that VDOM are not accessible. In multiple VDOM mode, this option is only available within VDOMs. It is not available at the global level. To leave VDOM mode, all disabled VDOMs must be deleted: to leave VDOM mode there can be only the root VDOM configured.
    Default: enable

strict-src-check {enable | disable}
    Enable to refuse packets from a source IP range if there is a specific route in the routing table for this network (RFC 3704). This option is not available in transparent mode. When multiple VDOMs are configured, this option is only available within VDOMs.
    Default: disable

utf8-spam-tagging {enable | disable}
    Enable converts spam tags to UTF8 for better non-ascii character support.
    Default: enable

Example
Changing the opmode from Transparent to NAT involves a number of steps. For example, before you change the opmode, the other required keywords ip, device, and gateway are not visible. This example changes to NAT opmode in a VDOM called vdom2. The management interface is set to internal, and the management IP is set to 192.168.10.8 with a gateway of 192.168.10.255.

config vdom
  edit vdom2
    config system settings
      set opmode nat
      set device internal
      set ip 192.168.10.8
      set gateway 192.168.10.255
    end
  end

History
FortiOS v3.0 New.
FortiOS v3.0 MR3, MR4, MR6 and MR7 (this copy does not preserve which change belongs to which release): opmode moved from system global. manageip moved from system manageip. Added allow-subnet-overlap. Added multicast-forward and multicast-ttl-notchange. Added asymroute, asymroute6, bfd, bfd-desired-min-tx, bfd-detect-mult, bfd-dont-enforce-src-port, bfd-required-min-tx, p2p-rate-limit, sccp-port, sip-helper, sip-nat-trace, sip-tcp-port, sip-udp-port, status, strict-src-check and utf8-spam-tagging keywords. Added comments. Removed gateway-device.

Related Commands
• vdom

system sit-tunnel
Use this command to tunnel IPv6 traffic over an IPv4 network. The IPv6 interface is configured under config system interface.

Note: This command is not available in Transparent mode.

Syntax
config system sit-tunnel
  edit <tunnel_name>
    set destination <tunnel_address>
    set interface <name>
    set ip6 <address_ipv6>
    set source <address_ipv4>
  end

Variables
edit <tunnel_name>
Enter a name for the IPv6 tunnel.
Default: No default.

destination <tunnel_address>
The destination IPv4 address for this tunnel.
Default: 0.0.0.0

interface <name>
The interface used to send and receive traffic for this tunnel.
Default: No default.

ip6 <address_ipv6>
The IPv6 address for this tunnel.
Default: No default.

source <address_ipv4>
The source IPv4 address for this tunnel.
Default: 0.0.0.0

Example
Use the following commands to set up an IPv6 tunnel.
config system sit-tunnel
  edit test_tunnel
    set destination 10.0.0.1
    set interface internal
    set ip6 12AB:0:0:CD30::/60
    set source 192.168.50.1
  end

History
FortiOS v2.80 New.
FortiOS v3.0 Changed from ipv6_tunnel to ipv6-tunnel. Removed ipv6 and mode keywords.
FortiOS v3.0 MR1 Removed vdom keyword.
FortiOS v3.0 MR2 Added command syntax for multiple-vdom mode.
FortiOS v3.0 MR5 Added ip6.
FortiOS v3.0 MR7 Changed from ipv6-tunnel to sit-tunnel.

Related topics
• system interface
• system ipv6-tunnel
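A SIT tunnel carries each IPv6 packet inside an IPv4 packet with protocol number 41 (6in4), with the tunnel's source and destination as the outer addresses. The following Python is an added example, not FortiOS code, that builds such a packet and, on the receiving side, accepts it only when the outer source is the configured tunnel peer and the payload really is IPv6; all addresses and the inner packet are constructed:

```python
# Added example (not FortiOS code): what a SIT tunnel does on the wire.
# 6in4 wraps a whole IPv6 packet in an IPv4 header with protocol 41, using
# the tunnel's source and destination as outer addresses. On receipt the
# tunnel endpoint should accept only packets whose outer source is its
# configured peer (the FortiGate "destination") and whose payload really is
# IPv6. All addresses and the inner packet below are constructed.
import socket
import struct

IPPROTO_IPV6 = 41       # IANA protocol number for IPv6 encapsulated in IPv4


def ipv4_checksum(data):
    """RFC 791 header checksum (ones' complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src6, dst6, payload=b"", next_header=59):
    """Minimal IPv6 header (next header 59 = No Next Header) plus payload."""
    header = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                         socket.inet_pton(socket.AF_INET6, src6),
                         socket.inet_pton(socket.AF_INET6, dst6))
    return header + payload


def encapsulate(inner_ipv6, tunnel_source, tunnel_destination, ttl=64):
    """Return the 6in4 packet: IPv4 header (proto 41, DF set) + IPv6 packet."""
    total_length = 20 + len(inner_ipv6)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0x4000,
                         ttl, IPPROTO_IPV6, 0,
                         socket.inet_aton(tunnel_source),
                         socket.inet_aton(tunnel_destination))
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + inner_ipv6


def decapsulate(outer, expected_peer):
    """Validate an incoming 6in4 packet. Returns (True, inner_ipv6) or
    (False, reason). expected_peer is the tunnel's configured destination."""
    if len(outer) < 20:
        return False, "truncated IPv4 header"
    version_ihl = outer[0]
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20 or len(outer) < ihl:
        return False, "not a valid IPv4 packet"
    if ipv4_checksum(outer[:ihl]) != 0:
        return False, "bad IPv4 header checksum"
    if outer[9] != IPPROTO_IPV6:
        return False, "protocol is not 41"
    outer_src = socket.inet_ntoa(outer[12:16])
    if outer_src != expected_peer:
        return False, "outer source %s is not the tunnel peer" % outer_src
    inner = outer[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "payload is not an IPv6 packet"
    return True, inner


if __name__ == "__main__":
    pkt6 = build_ipv6_packet("2001:db8::1", "2001:db8:1::1", b"hello")
    wire = encapsulate(pkt6, "192.0.2.1", "198.51.100.1")
    print(decapsulate(wire, "192.0.2.1")[0], decapsulate(wire, "203.0.113.9"))
```

The peer check in decapsulate is the part worth keeping in mind when deploying a tunnel: 6in4 has no authentication of its own, so an endpoint that decapsulates protocol-41 traffic from any IPv4 source would inject whatever IPv6 packets it is sent into the inside network. Binding the tunnel to one destination address, as the destination keyword does, is the minimum; a firewall policy on the IPv6 interface is still needed for the decapsulated traffic.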

system snmp community
Use this command to configure SNMP communities on your FortiGate unit.

You add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. SNMP traps are triggered when system events happen such as when antivirus checking is bypassed, or when the log disk is almost full.

You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

Note: Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiGate unit, or be able to query it.

For more information on SNMP traps and variables see the FortiGate Administration Guide, or the Fortinet Knowledge Center online.

Syntax
config system snmp community
  edit <index_number>
    set events <events_list>
    set name <community_name>
    set query-v1-port <port_number>
    set query-v1-status {enable | disable}
    set query-v2c-port <port_number>
    set query-v2c-status {enable | disable}
    set status {enable | disable}
    set trap-v1-lport <port_number>
    set trap-v1-rport <port_number>
    set trap-v1-status {enable | disable}
    set trap-v2c-lport <port_number>
    set trap-v2c-rport <port_number>
    set trap-v2c-status {enable | disable}
    config hosts
      edit <host_number>
        set interface <if_name>
        set ip <address_ipv4>
      end
  end

Variables
edit <index_number>
Enter the index number of the community in the SNMP communities table. Enter an unused index number to create a new SNMP community.

events <events_list>
Enable the events for which the FortiGate unit should send traps to the SNMP managers in this community.
Default: All events enabled.

  av-bypass            FortiGate unit has entered bypass mode. See “set av-failopen pass” under “global” on page 371.
  av-conserve          System enters conserve mode.
  av-fragmented        A fragmented file has been detected.
  av-oversize          An oversized file has been detected.
  av-oversize-blocked  An oversized file has been blocked.
  av-oversize-passed   An oversized file has passed through.
  av-pattern           A file matching the AV pattern is detected.
  av-virus             A virus is detected.
  cpu-high             CPU usage exceeds threshold. Default is 80%. Automatic smoothing ensures only prolonged high CPU usage will trigger this trap, not a momentary spike.
  fm-conf-change       FortiGate unit is managed by FortiManager, but the FortiGate administrator has modified the configuration directly.
  fm-if-change         FortiManager interface changes.
  ha-hb-failure        The HA heartbeat interface has failed.
  ha-member-down       The HA cluster member stops.
  ha-member-up         The HA cluster member starts.
  ha-switch            The primary unit in a HA cluster fails and is replaced with a new HA unit.
  intf-ip              The IP address of a FortiGate interface changes.
  ips-anomaly          IPS detects an anomaly.
  ips-pkg-update       IPS package has been updated.
  ips-signature        IPS detects an attack.
  log-full             Hard drive usage exceeds threshold. Default is 90%.
  mem-low              Memory usage exceeds threshold. Default is 80%.
  power-supply-failure Power outage detected on monitored power supply. Only available on some models.
  vpn-tun-down         A VPN tunnel stops.
  vpn-tun-up           A VPN tunnel starts.

name <community_name>
Enter the name of the SNMP community.
Default: No default.

query-v1-port <port_number>
Enter the SNMP v1 query port number used for SNMP manager queries.
Default: 161

query-v1-status {enable | disable}
Enable or disable SNMP v1 queries for this SNMP community.
Default: enable

query-v2c-port <port_number>
Enter the SNMP v2c query port number used for SNMP manager queries.
Default: 161

query-v2c-status {enable | disable}
Enable or disable SNMP v2c queries for this SNMP community.
Default: enable

status {enable | disable}
Enable or disable the SNMP community.
Default: enable

trap-v1-lport <port_number>
Enter the SNMP v1 local port number used for sending traps to the SNMP managers.
Default: 162

trap-v1-rport <port_number>
Enter the SNMP v1 remote port number used for sending traps to the SNMP managers.
Default: 162

trap-v1-status {enable | disable}
Enable or disable SNMP v1 traps for this SNMP community.
Default: enable

trap-v2c-lport <port_number>
Enter the SNMP v2c local port number used for sending traps to the SNMP managers.
Default: 162

trap-v2c-rport <port_number>
Enter the SNMP v2c remote port number used for sending traps to the SNMP managers.
Default: 162

trap-v2c-status {enable | disable}
Enable or disable SNMP v2c traps for this SNMP community.
Default: enable

hosts variables
edit <host_number>
Enter the index number of the host in the table. Enter an unused index number to create a new host.
Default: No default.

interface <if_name>
Enter the name of the FortiGate interface to which the SNMP manager connects.
Default: No default.

ip <address_ipv4>
Enter the IP address of the SNMP manager.
Default: 0.0.0.0

Example
This example shows how to add a new SNMP community named SNMP_Com1. The default configuration can be used in most cases with only a few modifications. In the example below the community is added, given a name, and then, because this community is for an SNMP manager that is SNMP v1 compatible, all v2c functionality is disabled. After the community is configured the SNMP manager is added. The SNMP manager IP address is 192.168.20.34 and it connects to the FortiGate unit internal interface.

config system snmp community
  edit 1
    set name SNMP_Com1
    set query-v2c-status disable
    set trap-v2c-status disable
    config hosts
      edit 1
        set interface internal
        set ip 192.168.20.34
      end
  end

History
FortiOS v2.80
FortiOS v2.80 MR6 fm_if_change added to events.
FortiOS v3.0, v3.0 MR3 and v3.0 MR7 (this copy does not preserve which change belongs to which release): Substantially revised. Changed underscores to hyphens in keywords. Event names hyphens changed to underscores. Added event keywords av-bypass, av-conserve, av-oversized, av-oversize-pass, temperature-high, and voltage-alarm. New events added: av-fragmented, av-pattern, av-oversize-blocked, ha-hb-failure, ips-pkg-update, and power-supply-failure. Removed temperature-high and voltage-alert. Added note.

Related topics
• system snmp sysinfo

system snmp sysinfo
Use this command to enable the FortiGate SNMP agent and to enter basic system information used by the SNMP agent. Enter information about the FortiGate unit to identify it. When your SNMP manager receives traps from the FortiGate unit, you will know which unit sent the information. Some SNMP traps indicate high CPU usage, log full, or low memory.

For more information on SNMP traps and variables see the FortiGate Administration Guide, or the Fortinet Knowledge Center online.

Syntax
config system snmp sysinfo
  set contact-info <info_str>
  set description <description>
  set location <location>
  set status {enable | disable}
  set trap-high-cpu-threshold <percentage>
  set trap-log-full-threshold <percentage>
  set trap-low-memory-threshold <percentage>
end

Keywords and variables
contact-info <info_str>
Add the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters long.
Default: No default

description <description>
Add a name or description of the FortiGate unit. The description can be up to 35 characters long.
Default: No default

location <location>
Describe the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Default: No default

status {enable | disable}
Enable or disable the FortiGate SNMP agent.
Default: disable

trap-high-cpu-threshold <percentage>
Enter the percentage of CPU used that will trigger the threshold SNMP trap for the high-cpu. There is some smoothing of the high CPU trap to ensure the CPU usage is constant rather than a momentary spike. This feature prevents frequent and unnecessary traps.
Default: 80

trap-log-full-threshold <percentage>
Enter the percentage of disk space used that will trigger the threshold SNMP trap for the log-full.
Default: 90

trap-low-memory-threshold <percentage>
Enter the percentage of memory used that will be the threshold SNMP trap for the low-memory.
Default: 80

Example
This example shows how to enable the FortiGate SNMP agent and add basic SNMP information.
config system snmp sysinfo
  set status enable
  set contact-info 'System Admin ext 245'
  set description 'Internal network unit'
  set location 'Server Room A121'
end

History
FortiOS v2.80
FortiOS v3.0 Revised. Changed contact_info to contact-info.
FortiOS v3.0 MR2 Added trap-high-cpu-threshold, trap-log-full-threshold, and trap-low-memory-threshold commands.

Related topics
• system snmp community
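The snmp sysinfo thresholds and the snmp community events and hosts lists work together: a usage trap fires only after smoothing, and it reaches only the managers listed as hosts in a community that is enabled, has trapping enabled and lists that event. The following Python is an added example, not FortiOS code, that models both passages over constructed samples and a constructed community table; the number of consecutive samples required for smoothing (SMOOTH_SAMPLES) is an assumption, since the page only says that a momentary spike does not trigger the trap:

```python
# Added example (not FortiOS code): how the snmp sysinfo thresholds and the
# snmp community events/hosts lists fit together. A usage trap fires only
# after the metric has stayed at or above its threshold for SMOOTH_SAMPLES
# consecutive samples (the "smoothing" the text describes; the sample count
# is an assumption), and it is delivered only to managers listed as hosts in
# a community that is enabled, has trapping enabled and lists that event.
# All configuration and samples below are constructed.

SMOOTH_SAMPLES = 3   # assumption: consecutive samples needed to fire a trap

# Defaults from the snmp sysinfo keyword table
SYSINFO = {
    "trap-high-cpu-threshold": 80,
    "trap-log-full-threshold": 90,
    "trap-low-memory-threshold": 80,
}

# metric name in a sample -> (sysinfo keyword, event name in snmp community)
METRICS = {
    "cpu": ("trap-high-cpu-threshold", "cpu-high"),
    "disk": ("trap-log-full-threshold", "log-full"),
    "mem": ("trap-low-memory-threshold", "mem-low"),
}


def smoothed_traps(samples, sysinfo=SYSINFO, smooth=SMOOTH_SAMPLES):
    """samples: list of {"cpu": %, "disk": %, "mem": %} taken in order.
    Returns [(sample_index, event)] with one trap per excursion above the
    threshold; a short spike that ends before `smooth` samples never fires."""
    run = {m: 0 for m in METRICS}
    fired = []
    for i, sample in enumerate(samples):
        for metric, (keyword, event) in METRICS.items():
            if sample[metric] >= sysinfo[keyword]:
                run[metric] += 1
                if run[metric] == smooth:      # fires once, on the Nth sample
                    fired.append((i, event))
            else:
                run[metric] = 0
    return fired


# Constructed community table in the shape of config system snmp community
COMMUNITIES = [
    {"name": "SNMP_Com1", "status": "enable",
     "query-v1-status": "enable", "query-v2c-status": "disable",
     "trap-v1-status": "enable", "trap-v2c-status": "disable",
     "events": ["cpu-high", "log-full"], "hosts": ["192.168.20.34"]},
    {"name": "noc", "status": "enable",
     "query-v1-status": "disable", "query-v2c-status": "enable",
     "trap-v1-status": "disable", "trap-v2c-status": "enable",
     "events": ["cpu-high", "mem-low"], "hosts": ["192.168.20.40", "192.168.20.41"]},
    {"name": "old", "status": "disable",
     "query-v1-status": "enable", "query-v2c-status": "enable",
     "trap-v1-status": "enable", "trap-v2c-status": "enable",
     "events": ["cpu-high", "log-full", "mem-low"], "hosts": ["192.168.20.50"]},
]


def trap_recipients(communities, event):
    """Managers that receive `event`: the community must be enabled, have v1
    or v2c traps enabled, list the event, and list the manager as a host."""
    hosts = set()
    for c in communities:
        if c["status"] != "enable":
            continue
        if "enable" not in (c["trap-v1-status"], c["trap-v2c-status"]):
            continue
        if event in c["events"]:
            hosts.update(c["hosts"])
    return sorted(hosts)


def query_allowed(communities, community_name, manager_ip, version):
    """A manager can query with this community only if it is a listed host
    and queries for that SNMP version ("v1" or "v2c") are enabled."""
    for c in communities:
        if c["name"] != community_name or c["status"] != "enable":
            continue
        if c["query-%s-status" % version] != "enable":
            return False
        return manager_ip in c["hosts"]
    return False


# Constructed samples: a 2-sample CPU spike, then sustained CPU and disk usage
SAMPLES = [
    {"cpu": 85, "disk": 50, "mem": 82},
    {"cpu": 90, "disk": 50, "mem": 85},
    {"cpu": 70, "disk": 50, "mem": 86},   # CPU spike ends; mem-low fires here
    {"cpu": 85, "disk": 91, "mem": 50},
    {"cpu": 88, "disk": 92, "mem": 50},
    {"cpu": 91, "disk": 95, "mem": 50},   # cpu-high and log-full fire here
    {"cpu": 92, "disk": 60, "mem": 50},
]

if __name__ == "__main__":
    for idx, event in smoothed_traps(SAMPLES):
        print(idx, event, "->", trap_recipients(COMMUNITIES, event))
```

query_allowed is the check behind the Note in the snmp community section: a manager that is not in the hosts list gets neither traps nor query access, whatever community string it presents. The community string itself is the only credential SNMP v1 and v2c carry, so the hosts list and interface binding are what actually limit who can read the device's MIB.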

switch-interface
Use this command to group interfaces into a ‘soft-switch’, a switch that is implemented in software instead of hardware. A group of switched interfaces has one IP address between them to connect to the FortiGate unit. This feature is available on all FortiGate models. For more information on switchmode, see “global” on page 371. Interfaces that may be members of a ‘soft-switch’ are physical and wlan interfaces that are not used anywhere else in FortiOS. Member interfaces cannot be monitored by HA or used as heartbeat devices.

Syntax
config system switch-interface
  edit <group_name>
    set member <iflist>
    set span {enable | disable}
    set span-dest-port <portnum>
    set span-direction {rx | tx | both}
    set span-source-port <portlist>
    set type {hub | switch | hardware-switch}
    set vdom <vdom_name>
  end
Keywords and variables
<group_name>
The name for this group of interfaces. Cannot be in use by any other interfaces, vlans, or inter-VDOM links.
Default: No default

member <iflist>
Enter a list of the interfaces that will be part of this switch. Separate interface names with a space. Use <tab> to advance through the list of available interfaces.
Default: No default

span {enable | disable}
Enable or disable port spanning. This is available only when type is switch.
Default: disable

span-dest-port <portnum>
Enter the destination port name. Use <tab> to advance through the list of available interfaces. Available when span is enabled.
Default: No default.

span-direction {rx | tx | both}
Select the direction in which the span port operates:
• rx - Copy only received packets from source SPAN ports to the destination SPAN port.
• tx - Copy only transmitted packets from source SPAN ports to the destination SPAN port.
• both - Copy both transmitted and received packets from source SPAN ports to the destination SPAN port.
span-direction is available only when span is enabled.
Default: both

span-source-port <portlist>
Enter a list of the interfaces that are source ports. Separate interface names with a space. Use <tab> to advance through the list of available interfaces. Available when span is enabled.

type {hub | switch | hardware-switch}
Select the type of switch functionality:
• hub - duplicates packets to all member ports
• switch - normal switch functionality (available in NAT mode only)
• hardware-switch - unit electronics provides switch functionality
Note: hardware-switch is available only on model 224B, where it is the only option for type.
Default: switch

vdom <vdom_name>
Enter the VDOM to which the switch belongs.
Default: No default.


Example
This example shows how to create a group of 3 interfaces called low_speed; ideally all three run at 10 Mbit/s. It assumes these interfaces are not referred to in FortiOS by anything else.

config system switch-interface
  edit low_speed
    set member port1 wlan dmz
  end

History
FortiOS v3.0 MR6 New.
FortiOS v3.0 MR7 Added span, span-dest-port, span-direction, span-source-port, type, and vdom keywords.


tos-based-priority
Use this command to prioritize your network traffic based on its type-of-service (TOS). IP datagrams have a TOS byte in the header (as described in RFC 791). Four bits within this field determine the delay, the throughput, the reliability, and cost (as described in RFC 1349) associated with that service. Together these bits are the tos variable of the tos-based-priority command. The TOS information can be used to manage network traffic based on the needs of the application or service. TOS application routing (RFC 1583) is supported by OSPF routing.

Syntax
config system tos-based-priority
  edit <name>
    set tos <ip_tos_value>
    set priority [high | medium | low]
  end

Variables
edit <name>
Enter the name of the link object to create.
Default: No default.

tos <ip_tos_value>
Enter the value of the type of service byte in the IP datagram header. This value can be from 0 to 15.
Default: 0

priority [high | medium | low]
Select the priority of this type of service as either high, medium, or low priority. These priority levels conform to the firewall traffic shaping priorities.
Default: High

Examples
It is a good idea to have your entry names in the tos-based-priority table and their TOS values be the same. Otherwise it can become confusing.

config system tos-based-priority
  edit 1
    set tos 1
    set priority low
  next
  edit 4
    set tos 4
    set priority medium
  next
  edit 6
    set tos 6
    set priority high
  next
end
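The tos value matched by this table is not the whole TOS octet but the four type-of-service bits inside it (RFC 1349: three precedence bits, four TOS bits, one must-be-zero bit). The following Python is an added example, not FortiOS code, that extracts that 4-bit value from a raw IPv4 header, names the RFC 1349 flags it carries, and applies the priority table from the example above; the priority used for values with no table entry is an assumption, and the sample headers are constructed:

```python
# Added example (not FortiOS code): how the 4-bit tos value that
# tos-based-priority matches on is carved out of the IPv4 TOS octet.
# RFC 1349 lays the octet out as PPP TTTT M: three precedence bits, the
# four type-of-service bits (delay, throughput, reliability, cost) and
# one must-be-zero bit. The FortiGate tos value (0-15) is the TTTT field.
# The priority table mirrors the page's example; the priority used for
# values not in the table is an assumption.
import socket
import struct

# RFC 1349 TOS field bit values
TOS_FLAGS = {
    8: "minimize delay",
    4: "maximize throughput",
    2: "maximize reliability",
    1: "minimize monetary cost",
}

# Entries from the example above: tos value -> priority
PRIORITY_TABLE = {1: "low", 4: "medium", 6: "high"}
DEFAULT_PRIORITY = "medium"   # assumption for values with no entry


def tos_value(tos_octet):
    """The four TOS bits (bits 3-6) as a 0-15 value: what `set tos` matches."""
    return (tos_octet >> 1) & 0x0F


def precedence(tos_octet):
    """The three precedence bits (0-7) in the same octet."""
    return (tos_octet >> 5) & 0x07


def describe_tos(value):
    """Names of the RFC 1349 flags set in a 0-15 tos value."""
    return [name for bit, name in TOS_FLAGS.items() if value & bit]


def build_ipv4_header(tos_octet, src, dst, protocol=6):
    """Constructed 20-byte IPv4 header (checksum left zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos_octet, 20, 0, 0, 64,
                       protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tos_octet_from_header(header):
    """Read the TOS octet from raw IPv4 header bytes."""
    version_ihl, tos = struct.unpack("!BB", header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos


def priority_for_packet(header, table=PRIORITY_TABLE, default=DEFAULT_PRIORITY):
    """Apply the tos-based-priority table to a raw IPv4 header."""
    return table.get(tos_value(tos_octet_from_header(header)), default)


if __name__ == "__main__":
    for octet in (0x02, 0x08, 0x0C, 0x10, 0xB8):
        hdr = build_ipv4_header(octet, "192.0.2.1", "198.51.100.1")
        print(hex(octet), tos_value(octet), describe_tos(tos_value(octet)),
              priority_for_packet(hdr))
```

Because the sender sets the TOS octet, any host on the path can ask for high priority; the table only decides how the FortiGate unit shapes traffic, and a value such as 0xB8 (used by DSCP expedited forwarding) decodes here as tos 12 with precedence 5. Treat the mapping as a scheduling hint from the sender, not as trusted classification.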

History

Related topics
• system global
• router ospf
• router policy
• execute ping-options


vdom-link
Use this command to create an internal point-to-point interface object. This object is a link used to join virtual domains. Inter-VDOM links support BGP routing, and DHCP.

Creating the interface object also creates 2 new interface objects by the name of <name>0 and <name>1. For example, if your object was named v_link, the 2 interface objects would be named v_link0 and v_link1. You can then configure these new interfaces as you would any other virtual interface using config system interface.

When using vdom-links in HA, you can only have vdom-links in one vcluster. If you have vclusters defined, you must use the vcluster keyword to determine which vcluster will be allowed to contain the vdom-links.

Vdom-links support IPSec DHCP, but not regular DHCP.

A packet can pass through an inter-VDOM link a maximum of three times. This is to prevent a loop. When traffic is encrypted or decrypted it changes the content of the packets and this resets the inter-VDOM counter. However, IPIP or GRE tunnels do not reset the counter.

For more information on the vdom-link command see “Configuring inter-VDOM routing” on page 53 and the FortiGate VLANs and VDOMs Guide.

Syntax
config system vdom-link
  edit <name>
    set vcluster {1 | 2}
  end

Variables
edit <name>
Enter the name of the link object to create. You are limited to 8 characters maximum for the name.
Default: No default.

vcluster {1 | 2}
Select vcluster 1 or 2 as the only vcluster to have inter-VDOM links. This option is available only when HA and vclusters are configured, and there are VDOMs in both vclusters.

Examples
In this example you have already created two virtual domains called v1 and v2. You want to set up a link between them. The following command creates the VDOM link called v12_link. Once you have the link you need to bind its two ends to the VDOMs it will be working with.

config system vdom-link
  edit v12_link
  end
config system interface
  edit v12_link0
    set vdom v1
  next
  edit v12_link1
    set vdom v2
  end


If you want to delete the vdom-link, you must delete the interface. In the above example this would be:

config system interface
  delete v12_link
end

History
FortiOS v3.0 New command.
FortiOS v3.0 MR4 Added vcluster keyword.

Related topics
• router bgp
• system interface
• system dhcp server


wireless mac-filter
Use this command to configure the WLAN interface MAC filter on the FortiWifi-60 unit in Access Point mode.

Syntax
config system wireless mac-filter
  set default-acl {allow | deny}
  set status {enable | disable}
  config mac-list
    edit <list_number>
      set acl {allow | deny}
      set mac <mac_address>
    end
end

Variables
default-acl {allow | deny}
Select whether unlisted MAC addresses are allowed or denied access.
Default: deny

status {enable | disable}
Enable or disable MAC filter. Status is always disable in Client mode.
Default: disable

mac-list variables
edit <list_number>
Enter the number of the MAC filter list that you want to edit. Enter an unused number to create a new list.
Default: No default.

acl {allow | deny}
Select Allow or Deny for the access control list (ACL).
Default: deny

mac <mac_address>
Set the MAC address to add to the list.
Default: No default.

Examples
This example shows how to enable the MAC filter, specify that unlisted MAC addresses should be denied access, and add MAC address 12:34:56:78:90:AB to the MAC filter Allow list:

config system wireless mac-filter
  set status enable
  set default-acl deny
  config mac-list
    edit 1
      set acl allow
      set mac 12:34:56:78:90:AB
    end
end
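The decision the mac-filter keywords describe has three inputs: status, default-acl and the per-entry acl in mac-list. The following Python is an added example, not FortiOS code, that evaluates that decision for a list of clients and reviews a configuration for the settings that make the filter ineffective; the client MACs and the extra configurations are constructed, and only 12:34:56:78:90:AB comes from the example above:

```python
# Added example (not FortiOS code): the decision the wireless mac-filter
# keywords describe, applied to a list of clients. status disable lets every
# client associate; otherwise a MAC in mac-list gets that entry's acl and an
# unlisted MAC gets default-acl. Entries and clients below are constructed
# except the one MAC address taken from the page's example.
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac):
    """Canonical lower-case form so 12:34:56:78:90:AB and 12:34:56:78:90:ab match."""
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return mac.lower()


class MacFilter:
    def __init__(self, status="disable", default_acl="deny"):
        if status not in ("enable", "disable") or default_acl not in ("allow", "deny"):
            raise ValueError("bad setting")
        self.status = status
        self.default_acl = default_acl
        self.entries = {}          # mac -> "allow" | "deny" (the mac-list)

    def add(self, mac, acl):
        if acl not in ("allow", "deny"):
            raise ValueError("acl must be allow or deny")
        self.entries[normalize_mac(mac)] = acl

    def decide(self, mac):
        """'allow' or 'deny' for one client."""
        if self.status != "enable":
            return "allow"         # filter off: nothing is checked
        return self.entries.get(normalize_mac(mac), self.default_acl)

    def review(self):
        """Findings a defender would want to see about this configuration."""
        findings = []
        if self.status != "enable":
            findings.append("filter disabled: mac-list is not consulted")
        if self.default_acl == "allow":
            findings.append("default-acl allow: unlisted clients are admitted")
        if self.status == "enable" and not self.entries:
            findings.append("mac-list empty: every client gets default-acl")
        return findings


def filter_from_example():
    """The page's example: filter enabled, unlisted denied, one allowed MAC."""
    f = MacFilter(status="enable", default_acl="deny")
    f.add("12:34:56:78:90:AB", "allow")
    return f


if __name__ == "__main__":
    f = filter_from_example()
    for client in ("12:34:56:78:90:ab", "de:ad:be:ef:00:01"):
        print(client, f.decide(client))
    print(MacFilter(status="enable", default_acl="allow").review())
```

A MAC filter gates association on an identifier the client chooses and sends in the clear, so it is an inventory control rather than an authentication mechanism; the WPA_PSK or WPA_RADIUS modes of system wireless settings are what keep unknown clients off the network.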

History
FortiOS v2.80E New command, incorporating config system network wireless wlan.
FortiOS v3.0 Changed mac_filter to mac-filter, default_acl to default-acl, mac_list to mac-list.

Related topics
• system wireless settings
• system interface


wireless settings
Use this command to configure the WLAN interface wireless settings on the FortiWiFi-60 unit.

Syntax
config system wireless settings
  set band {802.11a | 802.11b | 802.11g}
  set beacon_interval <integer>
  set broadcast_ssid {enable | disable}
  set channel <channel_number>
  set fragment_threshold <bytes>
  set geography <americas | EMEA | Israel | Japan | World>
  set key <WEP-key_hex>
  set mode <opmode>
  set passphrase <string>
  set power_level <dBm>
  set radius-server <radius_name>
  set rts_threshold <integer>
  set security <sec_mode>
  set ssid <ssid_string>
end
Variables
band {802.11a | 802.11b | 802.11g}
Enter the wireless band to use. (802.11a is only available on the FortiWiFi-60A and FortiWiFi-60B.)
Default: 802.11g

beacon_interval <integer>
Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. In an environment with high interference, decreasing the Beacon Interval might improve network performance. In a location with few wireless nodes, you can increase this value. This is available in AP mode only.
Default: 100

broadcast_ssid {enable | disable}
Enable if you want the FortiWiFi-60 to broadcast its SSID. For the FortiWiFi-60A unit, see wifi-broadcast-ssid in the system interface command.
Default: disable

channel <channel_number>
Select a channel number for your FortiWiFi unit wireless network. Use “0” to auto-select the channel. Users who want to use the wireless network should configure their computers to use this channel for wireless networking.
Default: 5

fragment_threshold <bytes>
Set the maximum size of a data packet before it is broken into smaller packets, reducing the chance of packet collisions. If the packet size is larger than the threshold, the FortiWiFi unit will fragment the transmission. If the packet size is less than the threshold, the FortiWiFi unit will not fragment the transmission. A setting of 2346 bytes effectively disables this option. Range 800-2346. This is available in AP mode only. For the FortiWiFi-60A unit, see wifi-fragment_threshold <packet_size> in the system interface command.
Default: 2346

geography <americas | EMEA | Israel | Japan | World>
Select the country or region in which this FortiWiFi unit will operate.
Default: World

key <WEP-key_hex>
Enter a WEP key. The WEP key must be 10 or 26 hexadecimal digits (0-9 a-f). For a 64-bit WEP key, enter 10 hexadecimal digits. For a 128-bit WEP key, enter 26 hexadecimal digits. This is available in AP mode only when security is set to WEP128 or WEP64. For the FortiWiFi-60A unit, see wifi-key <hex_key> in the system interface command.
Default: No default.

mode <opmode>
Enter the operation mode for the wireless interface:
• Access Point (AP) - Multiple wireless clients can connect to the unit.
• Client - Connect to another wireless network as a client.
When switching from AP mode to Client mode you first have to remove any virtual AP interfaces.
Default: AP

passphrase <string>
Enter the shared key for WPA_PSK security. security must be set to WPA_PSK. This is available in AP mode only. For the FortiWiFi-60A unit, see wifi-passphrase <pass_str> in the system interface command.
Default: No default.

power_level <dBm>
Set the transmitter power level in dBm. Range 0 to 31. This is available in AP mode only.
Default: 31

radius-server <radius_name>
Set the RADIUS server name for WPA_RADIUS security. This is only available in AP mode when security is set to WPA_RADIUS. For the FortiWiFi-60A unit, see wifi-radius-server <server_name> in the system interface command.
Default: No default.

rts_threshold <integer>
The RTS threshold is the maximum size, in bytes, of a packet that the FortiWiFi will accept without sending RTS/CTS packets to the sending wireless device. In some cases, larger packets being sent may cause collisions, slowing data transmissions. Range 256-2347. A setting of 2347 bytes effectively disables this option. This is available in AP mode only. For the FortiWiFi-60A unit, see wifi-rts_threshold <integer> in the system interface command.
Default: 2347

security <sec_mode>
Enter the security (encryption) mode:
• None - Communication is not encrypted.
• WEP64 - WEP 64-bit encryption
• WEP128 - WEP 128-bit encryption
• WPA_PSK - WPA encryption with pre-shared key. This is available in AP mode only.
• WPA_RADIUS - WPA encryption via RADIUS server. This is available in AP mode only.
For the FortiWiFi-60A unit, see wifi-security <sec_mode> in the system interface command.
Default: None

ssid <ssid_string>
Change the Service Set ID (SSID) as required. The SSID is the wireless network name that the FortiWiFi-60 broadcasts. Users who wish to use the FortiWiFi-60 wireless network should configure their computers to connect to the network that broadcasts this network name. For the FortiWiFi-60A unit, see wifi-ssid <id_str> in the system interface command.
Default: fortinet


Example
This example shows how to configure the wireless interface.

config system wireless settings
  set channel 4
  set geography Americas
  set security WEP128
  set ssid test_wifi
end
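The keyword table above states several ranges and dependencies (key length and its tie to WEP64/WEP128, passphrase for WPA_PSK, radius-server for WPA_RADIUS, fragment_threshold 800-2346, rts_threshold 256-2347, power_level 0-31). The following Python is an added example, not FortiOS code, that checks a settings block against them; it also flags None and WEP as weak, which is this example's judgment rather than a statement from the table, and the two sample blocks are constructed (the first mirrors the example above, the second is a corrected version using WPA_PSK):

```python
# Added example (not FortiOS code): a validator for a system wireless
# settings block that applies the ranges and dependencies stated in the
# keyword table: key is 10 or 26 hex digits and belongs with WEP64/WEP128,
# passphrase with WPA_PSK, radius-server with WPA_RADIUS, fragment_threshold
# 800-2346, rts_threshold 256-2347, power_level 0-31, band one of three
# values. It also flags None/WEP as weak, which is this example's judgment,
# not a statement from the table. Sample settings are constructed.

BANDS = ("802.11a", "802.11b", "802.11g")
SECURITY_MODES = ("None", "WEP64", "WEP128", "WPA_PSK", "WPA_RADIUS")
RANGES = {                      # keyword -> (min, max) from the table
    "fragment_threshold": (800, 2346),
    "rts_threshold": (256, 2347),
    "power_level": (0, 31),
}
WEP_KEY_DIGITS = {"WEP64": 10, "WEP128": 26}
HEXDIGITS = set("0123456789abcdefABCDEF")


def validate(settings):
    """Return a list of (code, message) findings; empty means clean."""
    findings = []
    band = settings.get("band", "802.11g")
    if band not in BANDS:
        findings.append(("bad-band", "band %r is not one of %s" % (band, BANDS)))

    for keyword, (lo, hi) in RANGES.items():
        if keyword in settings:
            value = settings[keyword]
            if not isinstance(value, int) or not lo <= value <= hi:
                findings.append(("out-of-range", "%s must be %d-%d" % (keyword, lo, hi)))

    sec = settings.get("security", "None")
    if sec not in SECURITY_MODES:
        findings.append(("bad-security", "security %r is not a valid mode" % sec))
    elif sec in WEP_KEY_DIGITS:
        key = settings.get("key", "")
        need = WEP_KEY_DIGITS[sec]
        if len(key) != need or not set(key) <= HEXDIGITS:
            findings.append(("bad-key", "%s needs a %d hex digit key" % (sec, need)))
    elif sec == "WPA_PSK" and not settings.get("passphrase"):
        findings.append(("missing-passphrase", "WPA_PSK requires passphrase"))
    elif sec == "WPA_RADIUS" and not settings.get("radius-server"):
        findings.append(("missing-radius", "WPA_RADIUS requires radius-server"))

    if sec in ("None", "WEP64", "WEP128"):
        findings.append(("weak-security",
                         "%s does not protect the WLAN; use WPA_PSK or WPA_RADIUS" % sec))
    return findings


# Constructed: the page's example as entered (no key given for WEP128) ...
EXAMPLE_SETTINGS = {"channel": 4, "geography": "Americas",
                    "security": "WEP128", "ssid": "test_wifi"}
# ... and a corrected block using WPA with a pre-shared key
CORRECTED_SETTINGS = {"channel": 4, "geography": "Americas", "band": "802.11g",
                      "security": "WPA_PSK", "passphrase": "correct horse battery staple",
                      "ssid": "test_wifi", "fragment_threshold": 2346,
                      "rts_threshold": 2347, "power_level": 31}

if __name__ == "__main__":
    for name, block in (("example", EXAMPLE_SETTINGS), ("corrected", CORRECTED_SETTINGS)):
        print(name, validate(block))
```

Run against the example above, the validator reports that WEP128 was selected without the 26-digit key the table requires, and that WEP itself is a weak choice; the corrected block passes clean. The weak-security finding is the one to act on: WEP's RC4 keying is broken and the mode survives here only for legacy clients.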

History
FortiOS v2.80E Command changed from config system wireless wlan. Keywords added: beacon_interval, broadcast_ssid, fragment_threshold, passphrase, power_level, radius_server, rts_threshold

Related topics
• system interface
• system vdom-link
• wireless mac-filter


zone
Use this command to add or edit zones. In NAT/Route mode, you can group related interfaces or VLAN subinterfaces into zones. Grouping interfaces and subinterfaces into zones simplifies policy creation. For example, if you have two interfaces connected to the Internet, you can add both of these interfaces to the same zone. Then you can configure policies for connections to and from this zone, rather than to and from each interface. In Transparent mode you can group related VLAN subinterfaces into zones and add these zones to virtual domains.

Syntax
config system zone
  edit <zone_name>
    set interface <name_str>
    set intrazone {allow | deny}
  end

Keywords and variables
edit <zone_name>
Enter the name of a new or existing zone.

interface <name_str>
Add the specified interface to this zone. You cannot add an interface if it belongs to another zone or if firewall policies are defined for it.
Default: No default.

intrazone {allow | deny}
Allow or deny traffic routing between different interfaces in the same zone.
Default: deny

Example
This example shows how to add a zone named Zone1, add the internal interface to it, and deny routing between the interfaces within the zone.

config system zone
  edit Zone1
    set interface internal
    set intrazone deny
  end

History
FortiOS v2.80 Revised.

FortiOS v2.80 MR2 intrazone now available on all models. All models support zones. Added interface keyword (was part of config system interface).

Related topics
• system interface


user
This chapter covers
• configuration of the FortiGate unit to use external authentication servers, including Windows Active Directory or other Directory Service servers
• configuration of user accounts and user groups for firewall policy authentication, administrator authentication and some types of VPN authentication
• configuration of peers and peer groups for IPSec VPN authentication and PKI user authentication

This chapter contains the following sections:
Configuring users for authentication
adgrp
fsae
group
ldap
local
peer
peergrp
radius
settings
tacacs+


Configuring users for authentication
This chapter covers two types of user configuration:
• users authenticated by password
• users, sites or computers (peers) authenticated by certificate

Configuring users for password authentication
You need to set up authentication in the following order:

1 If external authentication is needed, configure the required servers.
  • See “user radius” on page 505.
  • See “user ldap” on page 497.
  • See “user tacacs+” on page 508.
  • For Directory Service, see “user fsae” on page 490.

2 Configure local user identities. For each user, you can choose whether the FortiGate unit or an external authentication server verifies the password.
  • See “user local” on page 500.

3 Create user groups. Add local users to each user group as appropriate. You can also add an authentication server to a user group. In this case, all users in the server’s database can authenticate to the FortiGate unit.
  • See “user group” on page 492.
  • For Directory Service, also see “user adgrp” on page 489.

Configuring peers for certificate authentication
If your FortiGate unit will host IPSec VPNs that authenticate clients using certificates, you need to prepare for certificate authentication as follows:

1 Import the CA certificates for clients who authenticate with a FortiGate unit VPN using certificates.
  • See “vpn certificate ca” on page 510.

2 Enter the certificate information for each VPN client (peer).
  • See “user peer” on page 502.

3 Create peer groups, if you have VPNs that authenticate by peer group. Assign the appropriate peers to each peer group.
  • See “user peergrp” on page 504.

For detailed information about IPSec VPNs, see the FortiGate IPSec VPN Guide. For CLI-specific information about VPN configuration, see the VPN chapter of this Reference.


adgrp
Use this command to list Directory Service user groups.

Syntax
get user adgrp [<dsgroupname>]

If you do not specify a group name, the command returns information for all Directory Service groups. For example:

== [ DOCTEST/Cert Publishers ]
name: DOCTEST/Cert Publishers server-name: DSserv1
== [ DOCTEST/Developers ]
name: DOCTEST/Developers server-name: DSserv1
== [ DOCTEST/Domain Admins ]
name: DOCTEST/Domain Admins server-name: DSserv1
== [ DOCTEST/Domain Computers ]
name: DOCTEST/Domain Computers server-name: DSserv1
== [ DOCTEST/Domain Controllers ]
name: DOCTEST/Domain Controllers server-name: DSserv1
== [ DOCTEST/Domain Guests ]
name: DOCTEST/Domain Guests server-name: DSserv1
== [ DOCTEST/Domain Users ]
name: DOCTEST/Domain Users server-name: DSserv1
== [ DOCTEST/Enterprise Admins ]
name: DOCTEST/Enterprise Admins server-name: DSserv1
== [ DOCTEST/Group Policy Creator Owners ]
name: DOCTEST/Group Policy Creator Owners server-name: DSserv1
== [ DOCTEST/Schema Admins ]
name: DOCTEST/Schema Admins server-name: DSserv1

If you specify a Directory Service group name, the command returns information for only that group. For example:

name        : DOCTEST/Developers
server-name : ADserv1

The server-name is the name you assigned to the Directory Service server when you configured it in the user fsae command.

History
FortiOS v3.0 New.

Related topics
• user fsae
• execute fsae refresh


fsae
Use this command to configure the FortiGate unit to receive user group information from a Directory Service server equipped with the Fortinet Server Authentication Extensions (FSAE). You can specify up to five computers on which an FSAE collector agent is installed. The FortiGate unit uses these collector agents in a redundant configuration. If the first agent fails, the FortiGate unit attempts to connect to the next agent in the list. You can add user groups to Directory Service type user groups for authentication in firewall policies.

Syntax
config user fsae
  edit <server_name>
    set ldap_server <ldap-server-name>
    set password <password>
    set password2 <password2>
    set password3 <password3>
    set password4 <password4>
    set password5 <password5>
    set port <port_number>
    set port2 <port_number2>
    set port3 <port_number3>
    set port4 <port_number4>
    set port5 <port_number5>
    set server <domain>
    set server2 <domain2>
    set server3 <domain3>
    set ser