
FortiGate CLI Reference Guide

Version 2.80 MR8


4 February 2005
01-28008-0015-20050204
© Copyright 2005 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.


Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective
holders.

Regulatory Compliance
FCC Class A Part 15 CSA/CUS

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE.


DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to
[email protected].
Table of Contents
Introduction ............................................................................................................ 9
Changes to the FortiGate CLI for 2.80................................................................................ 9
About this document ......................................................................................................... 10
Conventions ...................................................................................................................... 11
Fortinet documentation ..................................................................................................... 12
Comments on Fortinet technical documentation........................................................... 12
Customer service and technical support........................................................................... 12

Using the CLI........................................................................................................ 13


Administrator access......................................................................................................... 13
Connecting to the CLI ....................................................................................................... 14
Connecting to the FortiGate console ............................................................................ 14
Setting administrative access for SSH or Telnet........................................................... 15
Connecting to the FortiGate CLI using SSH ................................................................. 16
Connecting to the FortiGate CLI using Telnet............................................................... 16
CLI Structure..................................................................................................................... 17
CLI command organization ........................................................................................... 17
Example command sequences..................................................................................... 22
CLI basics ......................................................................................................................... 25
Command help.............................................................................................................. 25
Command completion ................................................................................................... 25
Recalling commands..................................................................................................... 25
Editing commands ........................................................................................................ 25
Line continuation........................................................................................................... 26
Command abbreviation................................................................................................. 26
Environment variables .................................................................................................. 26
Encrypted password support ........................................................................................ 26
Using single quotes to enter tabs or spaces in strings.................................................. 27
International characters ................................................................................................ 27
IP address formats........................................................................................................ 27
Editing the configuration file.......................................................................................... 27
Setting page length ....................................................................................................... 28
Changing the baud rate ................................................................................................ 28
Using Perl regular expressions ..................................................................................... 28

config alertemail .................................................................................................. 31


filter ................................................................................................................................... 32
setting ............................................................................................................................... 36

FortiGate CLI Reference Guide 01-28008-0015-20050204 3



config antivirus .................................................................................................... 39


filepattern .......................................................................................................................... 40
grayware <category-name_str> ........................................................................................ 42
heuristic............................................................................................................................. 45
quarantine ......................................................................................................................... 47
quarfilepattern ................................................................................................................... 50
service http........................................................................................................................ 52
service ftp.......................................................................................................................... 54
service pop3...................................................................................................................... 56
service imap...................................................................................................................... 58
service smtp...................................................................................................................... 60

config firewall....................................................................................................... 63
address ............................................................................................................................. 64
addrgrp.............................................................................................................................. 66
dnstranslation.................................................................................................................... 68
ipmacbinding setting ......................................................................................................... 70
ipmacbinding table ............................................................................................................ 72
ippool ................................................................................................................................ 74
multicast-policy ................................................................................................................. 76
policy................................................................................................................................. 78
profile ................................................................................................................................ 84
schedule onetime.............................................................................................................. 95
schedule recurring ............................................................................................................ 97
service custom .................................................................................................................. 99
service group .................................................................................................................. 101
vip ................................................................................................................................... 103

config ips ............................................................................................................ 107


anomaly .......................................................................................................................... 108
config limit ................................................................................................................... 110
custom ............................................................................................................................ 112
group............................................................................................................................... 114
config rule <rule-name_str> ........................................................................................ 116

config log............................................................................................................ 119


{disk | fortilog | memory | syslogd | webtrends} filter ....................................................... 120
disk setting ...................................................................................................................... 124
fortilog setting.................................................................................................................. 127
memory setting ............................................................................................................... 129
syslogd setting ................................................................................................................ 131
trafficfilter ........................................................................................................................ 133
config rule ................................................................................................................... 134
webtrends setting............................................................................................................ 136




config router....................................................................................................... 139


access-list ....................................................................................................................... 140
config rule ................................................................................................................... 140
get router info ospf .......................................................................................................... 143
get router info protocols .................................................................................................. 144
get router info rip............................................................................................................. 145
get router info routing_table ............................................................................................ 146
key-chain......................................................................................................................... 147
config key.................................................................................................................... 147
ospf ................................................................................................................................. 150
config area .................................................................................................................. 153
config filter-list ............................................................................................................. 155
config range ................................................................................................................ 157
config virtual-link ......................................................................................................... 158
config distribute-list ..................................................................................................... 161
config neighbor ........................................................................................................... 162
config network............................................................................................................. 164
config ospf-interface.................................................................................................... 165
config redistribute........................................................................................................ 169
config summary-address............................................................................................. 170
policy............................................................................................................................... 172
prefix-list.......................................................................................................................... 175
config rule ................................................................................................................... 175
rip .................................................................................................................................... 178
config distance ............................................................................................................ 180
config distribute-list ..................................................................................................... 181
config interface............................................................................................................ 182
config neighbor ........................................................................................................... 184
config network............................................................................................................. 185
config offset-list ........................................................................................................... 186
config redistribute........................................................................................................ 187
route-map........................................................................................................................ 189
config rule ................................................................................................................... 189
static................................................................................................................................ 192
static6.............................................................................................................................. 194

config spamfilter ................................................................................................ 197


bword .............................................................................................................................. 198
emailbwl .......................................................................................................................... 201
fortishield......................................................................................................................... 203
ipbwl................................................................................................................................ 206
mheader.......................................................................................................................... 208
rbl .................................................................................................................................... 211




config system..................................................................................................... 215


accprofile......................................................................................................................... 216
admin .............................................................................................................................. 219
autoupdate clientoverride................................................................................................ 221
autoupdate override ........................................................................................................ 223
autoupdate push-update ................................................................................................. 224
autoupdate schedule....................................................................................................... 226
autoupdate tunneling ...................................................................................................... 228
bug-report ....................................................................................................................... 230
console............................................................................................................................ 231
dhcp exclude_range........................................................................................................ 232
dhcp ipmacbinding .......................................................................................................... 234
dhcp server ..................................................................................................................... 236
dns .................................................................................................................................. 239
fm .................................................................................................................................... 241
get system performance ................................................................................................. 242
get system status ............................................................................................................ 243
global .............................................................................................................................. 244
ha .................................................................................................................................... 249
interface .......................................................................................................................... 259
config ip6-prefix-list ..................................................................................................... 266
config secondaryip ...................................................................................................... 266
ipv6_tunnel...................................................................................................................... 269
mac-address-table .......................................................................................................... 271
manageip ........................................................................................................................ 272
modem ............................................................................................................................ 273
oobm interface ................................................................................................................ 276
oobm route...................................................................................................................... 277
replacemsg {alertmail | catblock | ftp | http | mail | spam} <message-type_str> ............. 278
session-helper................................................................................................................. 282
session_ttl ....................................................................................................................... 284
config port ................................................................................................................... 284
snmp community............................................................................................................. 286
config hosts................................................................................................................. 288
snmp sysinfo ................................................................................................................... 290
vdom ............................................................................................................................... 292
wireless mac_filter .......................................................................................................... 293
config mac_list ............................................................................................................ 293
wireless settings.............................................................................................................. 295
zone ................................................................................................................................ 297




config user.......................................................................................................... 299


group............................................................................................................................... 300
ldap ................................................................................................................................. 302
local................................................................................................................................. 304
peer................................................................................................................................. 306
peergrp............................................................................................................................ 308
radius .............................................................................................................................. 310

config vpn........................................................................................................... 313


ipsec concentrator........................................................................................................... 314
ipsec manualkey ............................................................................................................. 316
ipsec phase1................................................................................................................... 319
ipsec phase2................................................................................................................... 326
ipsec vip .......................................................................................................................... 331
l2tp .................................................................................................................................. 333
pinggen ........................................................................................................................... 335
pptp ................................................................................................................................. 337

config webfilter .................................................................................................. 339


bword .............................................................................................................................. 340
catblock........................................................................................................................... 342
FortiGuard category blocking...................................................................................... 342
script ............................................................................................................................... 345
urlblock............................................................................................................................ 347
urlexm ............................................................................................................................. 349
urlpat ............................................................................................................................... 351




execute................................................................................................................ 353
backup ............................................................................................................................ 354
date ................................................................................................................................. 355
dhcpclear ........................................................................................................................ 356
enter................................................................................................................................ 357
factoryreset ..................................................................................................................... 358
formatlogdisk................................................................................................................... 359
ha manage ...................................................................................................................... 360
ha synchronize................................................................................................................ 361
modem dial ..................................................................................................................... 363
modem hangup ............................................................................................................... 364
ping ................................................................................................................................. 365
ping-options .................................................................................................................... 366
ping6 ............................................................................................................................... 368
reboot.............................................................................................................................. 369
restore............................................................................................................................. 370
router restart ................................................................................................................... 371
router restart-graceful ..................................................................................................... 372
shutdown......................................................................................................................... 373
time ................................................................................................................................. 374
traceroute........................................................................................................................ 375
update_now .................................................................................................................... 376
vpn certificate ca ............................................................................................................. 377
vpn certificate key ........................................................................................................... 378
vpn certificate local ......................................................................................................... 379

Index .................................................................................................................... 383




Introduction
The FortiGate Antivirus Firewall supports network-based deployment of application-level services,
including virus protection and full-scan content filtering. FortiGate units improve network security,
reduce network misuse and abuse, and help you use communications resources more efficiently
without compromising the performance of your network.
The FortiGate unit is a dedicated, easily managed security device that delivers a full suite of
capabilities, including:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis System
(ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and
content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time,
enabling key applications to be deployed right at the network edge where they are most effective at
protecting your networks. The FortiGate series complements existing solutions, such as host-based
antivirus protection, and enables new applications and services while greatly lowering costs for
equipment, administration, and maintenance.

Changes to the FortiGate CLI for 2.80


FortiOS 2.80 introduces major changes to the Command Line Interface (CLI). The method of
entering commands, as well as the structure, navigation, command types, and command branches,
have all changed. For a comparison of the FortiOS 2.50 and 2.80 command branches, see Table 1.

Table 1: Comparison of FortiOS versions 2.50 and 2.80 command branches

    2.50        2.80        Description of change
    set         config      The config command branch replaces the set command branch.
    unset       -           The unset function has been moved under the config branch.
    get         get         The get command branch has some changes to how it functions.
    execute     execute     The execute command branch has been updated.
    -           show        The show command branch is new.
    diagnose    diagnose    The diagnose command branch has been updated.

For a detailed description of the new structure, navigation and command types, see “CLI Structure” on
page 17.




About this document


This CLI Reference Guide describes how to use the FortiGate command line interface (CLI). This
document contains the following chapters:
• Using the CLI describes how to connect to and use the FortiGate CLI.
• config alertemail is an alphabetic reference to the commands used to configure alertemail.
• config antivirus is an alphabetic reference to the commands used to configure antivirus features.
• config firewall is an alphabetic reference to the commands used to configure firewall policies and
settings.
• config log is an alphabetic reference to the commands used to configure logging.
• config ips is an alphabetic reference to the commands used to configure intrusion detection and
prevention features.
• config router is an alphabetic reference to the commands used to configure routing.
• config spamfilter is an alphabetic reference to the commands used to configure spam filtering
features.
• config system is an alphabetic reference to the commands used to configure the Fortigate system
settings.
• config user is an alphabetic reference to the commands used to configure authorized user accounts
and groups.
• config vpn is an alphabetic reference to the commands used to configure Fortigate VPNs.
• config webfilter is an alphabetic reference to the commands used to configure web content filtering.
• execute is an alphabetic reference to the execute commands, which provide some useful utilities
such as ping and traceroute, and some commands used for maintenance tasks.
Note: Diagnose commands are also available from the FortiGate CLI. These commands are used to display
system information and for debugging. Diagnose commands are intended for advanced users only, and they are
not covered in this reference guide. Contact Fortinet technical support before using these commands.


Conventions
This guide uses the following conventions to describe command syntax.
• Angle brackets < > to indicate variables.
For example:
execute restore config <filename_str>
You enter:
execute restore config myfile.bak
<xxx_str> indicates an ASCII string that does not contain new-lines or carriage returns.
<xxx_integer> indicates an integer string that is a decimal (base 10) number.
<xxx_octet> indicates a hexadecimal string that uses the digits 0-9 and letters A-F.
<xxx_ipv4> indicates a dotted decimal IPv4 address.
<xxx_v4mask> indicates a dotted decimal IPv4 netmask.
<xxx_ipv4mask> indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4
netmask.
<xxx_ipv6> indicates an IPv6 address.
<xxx_v6mask> indicates an IPv6 netmask.
<xxx_ipv6mask> indicates an IPv6 address followed by an IPv6 netmask.
• Vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords.
For example:
set opmode {nat | transparent}
You can enter set opmode nat or set opmode transparent.
• Square brackets [ ] to indicate that a keyword or variable is optional.
For example:
show system interface [<name_str>]
To show the settings for all interfaces, you can enter show system interface. To show the
settings for the internal interface, you can enter show system interface internal.
• A space to separate options that can be entered in any combination and must be separated by
spaces.
For example:
set allowaccess {ping https ssh snmp http telnet}
You can enter any of the following:
set allowaccess ping
set allowaccess ping https ssh
set allowaccess https ping ssh
set allowaccess snmp
In most cases to make changes to lists that contain options separated by spaces, you need to
retype the whole list including all the options you want to apply and excluding all the options you
want to remove.


Fortinet documentation
Information about FortiGate products is available from the following FortiGate documents:
• FortiGate Administration Guide (one for each FortiGate product)
• FortiGate CLI Reference Guide
• FortiGate Log Message Reference Guide
• FortiGate VPN Guide
The FortiGate online help also contains procedures for using the FortiGate web-based manager to
configure and manage your FortiGate unit.

Comments on Fortinet technical documentation


You can send information about errors or omissions in this document or any Fortinet technical
documentation to [email protected].

Customer service and technical support


For antivirus and attack definition and engine updates, firmware updates, updated product
documentation, technical support information, and other resources, please visit the Fortinet technical
support web site at http://support.fortinet.com.
You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your
registration information at any time.
Fortinet email support is available from the following addresses:

[email protected]   For customers in the United States, Canada, Mexico, Latin America and South America.
[email protected]   For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
[email protected]    For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.


When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem



FortiGate CLI Reference Guide
Version 2.80 MR8

Using the CLI


This chapter explains how to connect to the command line interface (CLI) and describes the basics of
using the CLI. You can use CLI commands to view all system information and to change all system
configuration settings.
This chapter describes:
• Administrator access
• Connecting to the CLI
• CLI Structure
• CLI basics

Administrator access
Each administrator account belongs to an access profile. You can create access profiles that deny
access to or allow read only, write only, or both read and write access to the following FortiGate
features.

System Configuration   Can access the system status, interface, virtual domain, HA, routing, option, SNMP, time, and replacement message features.
Log & Report           Can access the log setting, and log message features.
Security Policy        Can access the firewall, VPN, IPS, and antivirus features.
Auth Users             Can access the authorized users feature.
Admin Users            Can access the administrative users feature.
FortiProtect Update    Can access the update options feature.
System Shutdown        Can access the system shutdown, and system reboot functions.


Connecting to the CLI


You can use a direct console connection, SSH, or Telnet to connect to the FortiGate CLI.
• Connecting to the FortiGate console
• Setting administrative access for SSH or Telnet
• Connecting to the FortiGate CLI using SSH
• Connecting to the FortiGate CLI using Telnet

Connecting to the FortiGate console


You require:
• A computer with an available communications port,
• Depending on the FortiGate model, a null modem cable with a 9-pin connector or an RJ-45 serial
cable and an RJ-45 to DB-9 converter to connect the FortiGate console port and a communications
port on your computer,
• Terminal emulation software such as HyperTerminal for Windows.

Note: The following procedure describes how to connect to the FortiGate CLI using Windows HyperTerminal
software. You can use any terminal emulation program.

To connect to the CLI:


1 Connect the FortiGate console port to the available communications port on your computer.
2 Make sure the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you
have connected the FortiGate console port.
5 Select OK.
6 Select the following port settings and select OK.

Bits per second   9600 (115200 for the FortiGate-300)
Data bits         8
Parity            None
Stop bits         1
Flow control      None

7 Press Enter to connect to the FortiGate CLI.


A prompt similar to the following appears (shown for the FortiGate-300):
FortiGate-300 login:
8 Type a valid administrator name and press Enter.
9 Type the password for this administrator and press Enter.
The following prompt appears:
Welcome!
You have connected to the FortiGate CLI, and you can enter CLI commands.


Setting administrative access for SSH or Telnet


To configure the FortiGate unit to accept SSH or Telnet connections, you must set administrative
access to SSH or Telnet for the FortiGate interface to which your management computer connects. To
use the web-based manager to configure FortiGate interfaces for SSH or Telnet access, see the
FortiGate Administration Guide for the FortiGate model.

To use the CLI to configure SSH or Telnet access


1 Connect and log into the CLI using the FortiGate console port and your terminal emulation software.
2 Use the following command to configure an interface to accept SSH connections:
config system interface
edit <name_str>
set allowaccess ssh
end
Where <name_str> is the name of the FortiGate interface to be configured to accept SSH
connections.
For example, to configure the internal interface to accept SSH connections, enter:
config system interface
edit internal
set allowaccess ssh
end
3 Use the following command to configure an interface to accept Telnet connections:
config system interface
edit <name_str>
set allowaccess telnet
end
Where <name_str> is the name of the FortiGate interface to be configured to accept Telnet
connections.
For example, to configure the internal interface to accept Telnet connections, enter:
config system interface
edit internal
set allowaccess telnet
end

Note: Remember to press Enter at the end of each line in the command example. Also, type end and press Enter
to commit the changes to the FortiGate configuration.

4 To confirm that you have configured SSH or Telnet access correctly, enter the following command to
view the access settings for the interface:
get system interface <name_str>
The CLI displays the settings, including the management access settings, for the named interface.


Other access methods


The procedure above shows how to allow access only for Telnet or only for SSH. If you want to allow
both or any of the other management access types you must include all the options you want to apply.
For example to allow PING, HTTPS and SSH access to an interface, the set portion of the command is
set allowaccess ping https ssh.
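The following Python script is an added example; it is not part of the FortiGate CLI Reference Guide or of Fortinet's software. It shows why the whole allowaccess list has to be retyped: it reads the current list from constructed get system interface output, drops the clear-text management protocols (Telnet, as the caution in this chapter advises, and HTTP, which this example treats the same way on the assumption that it carries credentials unencrypted like Telnet), and renders the complete set allowaccess command to type. The get output and the function names are constructed for the example.

```python
# Added example, not from the FortiGate CLI Reference Guide or Fortinet's
# software. Management access types are the option list the guide shows for
# set allowaccess.
ACCESS_TYPES = ("ping", "https", "ssh", "snmp", "http", "telnet")

# Clear-text management protocols (assumption of this example: the guide's
# caution names Telnet; HTTP is grouped with it here).
CLEARTEXT = frozenset({"telnet", "http"})

# Constructed 'get system interface internal' output in the guide's
# 'key : value' layout, with telnet deliberately still allowed.
SAMPLE_GET = """\
name : internal
allowaccess : ping https ssh telnet
ip : 192.168.20.200 255.255.255.0
status : up
"""


def allowaccess_from_get(get_output):
    """Read the current allowaccess list from get output (one 'key : value'
    pair per line). Returns [] when the line is absent."""
    for line in get_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "allowaccess":
            return value.split()
    return []


def new_allowaccess(current, add=(), remove=()):
    """Return the full list to type after 'set allowaccess': everything
    currently allowed, minus 'remove', plus 'add'. The set command replaces
    the whole list, so a partial list would silently drop the rest."""
    for opt in (*add, *remove):
        if opt not in ACCESS_TYPES:
            raise ValueError(f"unknown access type: {opt}")
    wanted = [opt for opt in current if opt not in remove]
    wanted += [opt for opt in add if opt not in wanted]
    if not wanted:
        raise ValueError("set allowaccess needs at least one access type")
    return wanted


def cleartext_access(options):
    """Options in the list that send credentials in clear text."""
    return sorted(CLEARTEXT.intersection(options))


def allowaccess_command(interface, options):
    """Render the config block from the 'Setting administrative access for
    SSH or Telnet' procedure, with the complete option list."""
    return "\n".join([
        "config system interface",
        f"    edit {interface}",
        f"        set allowaccess {' '.join(options)}",
        "end",
    ])


def harden(interface, get_output):
    """Commands that keep every current access type except the clear-text ones."""
    current = allowaccess_from_get(get_output)
    wanted = new_allowaccess(current, remove=cleartext_access(current))
    return allowaccess_command(interface, wanted)


if __name__ == "__main__":
    print(harden("internal", SAMPLE_GET))
```

Running the script prints the config system interface block for the internal interface with set allowaccess ping https ssh, the three options that remain once telnet is removed from the constructed sample.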

Connecting to the FortiGate CLI using SSH


Secure Shell (SSH) provides strong secure authentication and secure communications to the
FortiGate CLI from your internal network or the internet. Once the FortiGate unit is configured to
accept SSH connections, you can run an SSH client on your management computer and use this client
to connect to the FortiGate CLI.

Note: A maximum of 5 SSH connections can be open at the same time.

To connect to the CLI using SSH


1 Install and start an SSH client.
2 Connect to a FortiGate interface that is configured for SSH connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The FortiGate model name followed by a # is displayed.
You have connected to the FortiGate CLI, and you can enter CLI commands.

Connecting to the FortiGate CLI using Telnet


You can use Telnet to connect to the FortiGate CLI from your internal network or the Internet. Once the
FortiGate unit is configured to accept Telnet connections, you can run a Telnet client on your
management computer and use this client to connect to the FortiGate CLI.

Caution: Telnet is not a secure access method. SSH should be used to access the FortiGate CLI from the Internet or any other unprotected network.

Note: A maximum of 5 Telnet connections can be open at the same time.

To connect to the CLI using Telnet


1 Install and start a Telnet client.
2 Connect to a FortiGate interface that is configured for Telnet connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter.
The following prompt appears:
Welcome!
You have connected to the FortiGate CLI, and you can enter CLI commands.


CLI Structure
This section describes:
• CLI command organization
• Example command sequences

CLI command organization


The FortiGate CLI consists of the following command branches:
• config branch
• get branch
• show branch
• execute branch
• diagnose branch

config branch
The config branch is organized into configuration shells. You can complete and save the
configuration within each shell for that shell, or you can leave the shell without saving the
configuration. You can only use the configuration commands for the shell that you are working in. To
use the configuration commands for another shell you must leave the shell you are working in and
enter the other shell.
The following navigation and configuration commands are available in the config branch.

config Navigate to a shell. For example, type config system admin and press Enter to access the
shell to add or edit administrator accounts.
end Save the changes you have made in the current shell and leave the shell. Every config
command must be paired with an end command.
The end command is also used to save set command changes and leave the shell.
edit Add an entry to the FortiGate configuration or edit an existing entry. For example in the config
system admin shell:
• type edit admin and press Enter to edit the settings for the default admin administrator
account.
• type edit newadmin and press Enter to create a new administrator account with the name
newadmin and to edit the default settings for the new administrator account.
When you add a new entry using the edit command, the message new entry
<‘variable’> added is displayed.
purge Remove all entries configured in the current shell. For example in the config user local
shell:
• type get to see the list of user names added to the FortiGate configuration,
• type purge and then y to confirm that you want to purge all the user names,
• type get again to confirm that no user names are displayed.
move Change the position of an entry in an ordered table. For example in the config firewall
policy shell:
• type move 3 after 1 and press Enter to move the policy in the third position in the table to
the second position in the table.
• type move 3 before 1 and press Enter to move the policy in the third position in the table
to the first position in the table.
delete Remove an entry from the FortiGate configuration. For example in the config system
admin shell, type delete newadmin and press Enter to delete the administrator account
named newadmin.


next Save the changes you have made in the current shell and continue working in the shell. For
example if you want to add several new user accounts enter the config user local shell.
• Type edit User1 and press Enter.
• Use the set commands to configure the values for the new user account.
• Type next to save the configuration for User1 without leaving the config user local
shell.
• Continue using the edit, set, and next commands to continue adding user accounts.
• type end and press Enter to save the last configuration and leave the shell.
set Assign values. For example from the edit admin command shell, typing set passwd
newpass changes the password of the admin administrator account to newpass.
Note: When using a set command to make changes to lists that contain options separated by
spaces, you need to retype the whole list including all the options you want to apply and
excluding all the options you want to remove.
unset Reset values to defaults. For example from the edit admin command shell, typing unset
passwd resets the password of the admin administrator account to the default of no password.
abort Exit a shell without saving the configuration.

get branch
Use get to display settings. You can use get within a config shell to display the settings for that
shell, or you can use get with a full path to display the settings for the specified shell.
To use get from the root prompt, you must include a path to a shell.
The root prompt is the FortiGate host or model name followed by a #.

Example

Note: Interface names vary for different FortiGate models. The following examples use the interface names for a FortiGate-300 unit.

When you type get in the config system interface shell, information about all of the interfaces
is displayed.
At the (interface)# prompt, type:
get
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200 255.255.255.0 status:
up netbios-forward: disable type: physical ip6-address: ::/0 ip6-
send-adv: disable
== [ external ]
name: external mode: static ip: 192.168.100.99 255.255.255.0 status:
up netbios-forward: disable type: physical ip6-address: ::/0 ip6-
send-adv: disable
...


Example
When you type get in the internal interface shell, the configuration values for the internal interface
are displayed.
At the (internal)# prompt, type:
get
The screen displays:
name : internal
allowaccess : ping https ssh
arpforword : enable
cli_conn_status : 0
detectserver : (null)
gwdetect : disable
ip : 192.168.20.200 255.255.255.0
ip6-address : ::/0
...
secondaryip:
speed : auto
status : up
substitute-dst-mac : 00 00 00 00 00 00
type : physical
vdom : root

Example
You are working in the config system global shell and want to see information about the
FortiGate interfaces.
At the (global)# prompt, type:
get system interface
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200 255.255.255.0 status:
up netbios-forward: disable type: physical ip6-address: ::/0 ip6-
send-adv: disable
== [ external ]
name: external mode: static ip: 192.168.100.99 255.255.255.0 status:
up netbios-forward: disable type: physical ip6-address: ::/0 ip6-
send-adv: disable
...


Example
You want to confirm the IP address and netmask of the internal interface from the root prompt.
At the # prompt, type:
get system interface internal
The screen displays:
name : internal
allowaccess : ping https ssh
arpforword : enable
cli_conn_status : 0
detectserver : (null)
gwdetect : disable
ip : 192.168.20.200 255.255.255.0
ip6-address : ::/0
ip6-default-life : 1800
...

show branch
Use show to display the FortiGate unit configuration. Only changes to the default configuration are
displayed. You can use show within a config shell to display the configuration of that shell, or you
can use show with a full path to display the configuration of the specified shell.
To display the configuration of all config shells, you can use show from the root prompt.
The root prompt is the FortiGate host or model name followed by a #.

Example
When you type show and press Enter within the internal interface shell, the changes to the default
internal interface configuration are displayed.
At the (internal)# prompt, type:
show
The screen displays:
config system interface
edit internal
set allowaccess ssh ping https
set ip 192.168.20.200 255.255.255.0
next
end

Example
You are working in the internal interface shell and want to see the system global configuration.
At the (internal)# prompt, type:
show system global


The screen displays:
config system global
set admintimeout 5
set authtimeout 15
set failtime 5
set hostname 'Fortigate-300'
set interval 5
set lcdpin 123456
set ntpserver '132.246.168.148'
set syncinterval 60
set timezone 04
end
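The following Python parser is an added example, not part of the guide or of Fortinet's software. It reads show output of the form above (config, edit, set, next and end lines) into nested dictionaries, which lets a script check the configuration rather than reading it by eye. The sample text is constructed from the values printed in this guide, plus an extra external interface and a secondaryip sub-shell to exercise nesting; quoting is handled by Python's shlex, which reads the single-quoted values show prints but does not model the \' escape described later in this chapter.

```python
import shlex

# Constructed sample in the layout of 'show' output. The internal interface
# and system global values are those printed in the guide; 'external' and
# the secondaryip sub-shell are added here to exercise nesting.
SAMPLE_SHOW = """\
config system interface
    edit internal
        set allowaccess ssh ping https
        set ip 192.168.20.200 255.255.255.0
        config secondaryip
            edit 0
                set ip 192.168.100.100 255.255.255.0
            next
        end
    next
    edit external
        set allowaccess ping telnet
        set ip 192.168.100.99 255.255.255.0
    next
end
config system global
    set admintimeout 5
    set hostname 'Fortigate-300'
    set ntpserver '132.246.168.148'
end
"""


def parse_show(text):
    """Turn show output into nested dicts: shell -> entry -> setting -> values.
    'config' and 'edit' open a shell, 'next' and 'end' close the current one,
    'set' assigns a list of values and 'unset' removes a setting."""
    root = {}
    stack = [root]            # the shell being filled is always stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)        # strips the quotes around 'Fortigate-300'
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"'{cmd}' without a matching config or edit")
            stack.pop()
        else:
            raise ValueError(f"unexpected command: {line}")
    if len(stack) != 1:
        raise ValueError("output ends inside a shell: missing next or end")
    return root


def lookup(config, path):
    """Follow a path such as ('system interface', 'internal', 'allowaccess')."""
    node = config
    for part in path:
        node = node[part]
    return node


if __name__ == "__main__":
    cfg = parse_show(SAMPLE_SHOW)
    print(lookup(cfg, ("system interface", "internal", "allowaccess")))
    print(lookup(cfg, ("system global", "hostname")))
```

Every config must be closed by end and every edit by next, exactly as the guide's description of the config branch requires; the parser raises ValueError for output that breaks that pairing, so it also serves as a quick syntax check before a configuration file is restored.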

execute branch
Use execute to run static commands, to reset the FortiGate unit to factory defaults, to back up or
restore FortiGate configuration files, and to enter or leave a virtual domain. The execute commands
are available only from the root prompt.
The root prompt is the FortiGate host or model name followed by a #.

Example
At the root prompt, type:
execute reboot
and press Enter to restart the FortiGate unit.

diagnose branch
Commands in the diagnose branch are used for debugging the operation of the FortiGate unit and to
set parameters for displaying different levels of diagnostic information. The diagnose commands are
not documented in this CLI Reference Guide.

Caution: Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.


Example command sequences

Note: The command prompt changes for each shell.

To configure the primary and secondary DNS server addresses


1 Starting at the root prompt, type:
config system dns
and press Enter. The prompt changes to (dns)#.
2 At the (dns)# prompt, type ?
The following options are displayed.
set
unset
get
show
abort
end
3 Type set ?
The following options are displayed.
primary
secondary
4 To set the primary DNS server address to 172.16.100.100, type:
set primary 172.16.100.100
and press Enter.
5 To set the secondary DNS server address to 207.104.200.1, type:
set secondary 207.104.200.1
and press Enter.
6 To restore the primary DNS server address to the default address, type unset primary and press
Enter.
7 To restore the secondary DNS server address to the default address, type unset secondary and
press Enter.
8 If you want to leave the config system dns shell without saving your changes, type abort and
press Enter.
9 To save your changes and exit the dns sub-shell, type end and press Enter.
10 To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns
and press Enter.


To add two secondary IP addresses to the internal interface


1 Starting at the root prompt, type:
config system interface
and press Enter. The prompt changes to (interface)#.
2 At the (interface)# prompt, type ?
The following options are displayed.
edit
delete
purge
get
show
end
3 At the (interface)# prompt, type:
edit internal
and press Enter. The prompt changes to (internal)#.
4 At the (internal)# prompt, type ?
The following options are displayed.
config
set
unset
get
show
next
abort
end
5 At the (internal)# prompt, type:
config secondaryip
and press Enter. The prompt changes to (secondaryip)#.
6 At the (secondaryip)# prompt, type ?
The following options are displayed.
edit
delete
purge
get
show
end
7 To add a secondary IP address with the ID number 0, type:
edit 0
and press Enter. The prompt changes to (0)#.


8 At the (0)# prompt, type ?
The following options are displayed.
set
unset
get
show
next
abort
end
9 Type set ?
The following options are displayed.
allowaccess
detectserver
gwdetect
ip
10 To set the secondary IP address with the ID number 0 to 192.168.100.100 and the netmask to
255.255.255.0, type:
set ip 192.168.100.100 255.255.255.0
and press Enter.
11 To add another secondary IP address to the internal interface, type next and press Enter.
The prompt changes to (secondaryip)#.
12 To add a secondary IP address with the ID number 1, type:
edit 1
and press Enter. The prompt changes to (1)#.
13 To set the secondary IP address with the ID number 1 to 192.168.100.90 and the netmask to
255.255.255.0, type:
set ip 192.168.100.90 255.255.255.0
and press Enter.
14 To restore the secondary IP address with the ID number 1 to the default, type unset ip and press
Enter.
15 If you want to leave the secondary IP address 1 shell without saving your changes, type abort and
press Enter.
16 To save your changes and exit the secondary IP address 1 shell, type end and press Enter.
The prompt changes to (internal)#.
17 To delete the secondary IP address with the ID number 1, type delete 1 and press Enter.
18 To save your changes and exit the internal interface shell, type end and press Enter.
19 To confirm your changes have taken effect after using the end command, type get system
interface internal and press Enter.
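The following Python script is an added example, not part of the guide or of Fortinet's software. It generates the nested config/edit/set/next/end sequence of the procedure above from a list of secondary addresses, so that the same structure can be produced for any number of entries without retyping each shell by hand. It accepts the netmask in either dotted decimal or slash-bit form (both forms are described under IP address formats later in this chapter) and always emits dotted decimal, which is the form the configuration file uses. The render_shell and secondary_ip_commands names are the example's own.

```python
import ipaddress


def dotted(ip_and_mask):
    """Accept '192.168.100.100 255.255.255.0' or '192.168.100.100/24' and
    return the 'address netmask' form used in the configuration file.
    Raises ValueError for anything that is not an IPv4 address and mask."""
    iface = ipaddress.IPv4Interface("/".join(ip_and_mask.split()))
    return f"{iface.ip} {iface.network.netmask}"


def render_shell(shell, entries, depth=0):
    """Render one configuration shell as config/edit/set/next/end lines.
    entries maps an entry name to its settings; a setting whose value is a
    dict is a nested shell, as secondaryip is nested inside an interface."""
    pad = "    " * depth
    lines = [f"{pad}config {shell}"]
    for name, settings in entries.items():
        lines.append(f"{pad}    edit {name}")
        for key, value in settings.items():
            if isinstance(value, dict):
                lines.extend(render_shell(key, value, depth + 2))
            else:
                lines.append(f"{pad}        set {key} {value}")
        lines.append(f"{pad}    next")
    lines.append(f"{pad}end")
    return lines


def secondary_ip_commands(interface, addresses):
    """Commands that add the given secondary IP addresses, numbered 0, 1, ...
    as in the 'To add two secondary IP addresses' procedure."""
    ids = {str(i): {"ip": dotted(addr)} for i, addr in enumerate(addresses)}
    return "\n".join(render_shell("system interface", {interface: {"secondaryip": ids}}))


if __name__ == "__main__":
    # Constructed input: one address in slash-bit form, one in dotted decimal.
    print(secondary_ip_commands("internal",
                                ["192.168.100.100/24", "192.168.100.90 255.255.255.0"]))
```

The script prints the block for the internal interface with entries 0 and 1 under config secondaryip, each followed by next and each shell closed by end, matching the prompts (secondaryip)#, (0)# and (1)# the procedure walks through.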


CLI basics
This section includes:
• Command help
• Command completion
• Recalling commands
• Editing commands
• Line continuation
• Command abbreviation
• Environment variables
• Encrypted password support
• Using single quotes to enter tabs or spaces in strings
• International characters
• IP address formats
• Editing the configuration file
• Setting page length
• Changing the baud rate
• Using Perl regular expressions

Command help
You can press the question mark (?) key to display command help.
• Press the question mark (?) key at the command prompt to display a list of the commands available
and a description of each command.
• Type a command followed by a space and press the question mark (?) key to display a list of the
options available for that command and a description of each option.
• Type a command followed by an option and press the question mark (?) key to display a list of
additional options available for that command option combination and a description of each option.

Command completion
You can use the tab key or the question mark (?) key to complete commands.
• You can press the tab key at any prompt to scroll through the options available for that prompt.
• You can type the first characters of any command and press the tab key or the question mark (?)
key to complete the command or to scroll through the options that are available at the current
cursor position.
• After completing the first word of a command, you can press the space bar and then the tab key to
scroll through the options available at the current cursor position.

Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to scroll through
commands you have entered.

Editing commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can
also use the Backspace and Delete keys and the control keys listed in Table 2 to edit the command.


Table 2: Control keys for editing commands

Function Key combination


Beginning of line CTRL+A
End of line CTRL+E
Back one character CTRL+B
Forward one character CTRL+F
Delete current character CTRL+D
Previous command CTRL+P
Next command CTRL+N
Abort the command CTRL+C
If used at the root prompt, exit the CLI CTRL+C

Line continuation
To break a long command over multiple lines, use a \ at the end of each line.

Command abbreviation
You can abbreviate commands and command options to the smallest number of non-ambiguous
characters. For example, the command get system status can be abbreviated to g sy st.
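The following Python resolver is an added example, not part of the guide or of Fortinet's software. It expands an abbreviated command word by word against a command tree, accepting a prefix only when it matches exactly one keyword at that position and reporting ambiguous or unknown prefixes. The tree is a constructed subset built only from commands that appear in this guide; a real unit has many more commands, so which abbreviations are ambiguous depends on the firmware's full command set.

```python
# Constructed subset of the command tree (only commands named in this guide).
COMMAND_TREE = {
    "config": {
        "system": {"admin": {}, "console": {}, "dns": {}, "global": {},
                   "interface": {}, "snmp": {}},
        "spamfilter": {},
        "user": {"local": {}},
    },
    "get": {"system": {"dns": {}, "interface": {}, "status": {}}},
    "show": {"system": {"global": {}, "interface": {}}},
    "execute": {"backup": {"config": {}}, "reboot": {}, "restore": {"config": {}}},
    "diagnose": {},
}


class AmbiguousCommand(ValueError):
    """The abbreviation matches more than one keyword at this position."""


class UnknownCommand(ValueError):
    """The abbreviation matches no keyword at this position."""


def expand_word(abbrev, keywords):
    """Expand one abbreviated word to the unique keyword it is a prefix of."""
    if abbrev in keywords:
        return abbrev                      # an exact keyword is never ambiguous
    matches = sorted(k for k in keywords if k.startswith(abbrev))
    if not matches:
        raise UnknownCommand(f"'{abbrev}' matches none of {sorted(keywords)}")
    if len(matches) > 1:
        raise AmbiguousCommand(f"'{abbrev}' could be any of {matches}")
    return matches[0]


def expand_command(command, tree=COMMAND_TREE):
    """Expand an abbreviated command such as 'g sy st' to 'get system status'.
    Words past a leaf of the tree (an interface name, for example) are
    arguments and are passed through unchanged."""
    node = tree
    words = []
    for word in command.split():
        if not node:
            words.append(word)
            continue
        keyword = expand_word(word, node)
        words.append(keyword)
        node = node[keyword]
    return " ".join(words)


if __name__ == "__main__":
    print(expand_command("g sy st"))
    print(expand_command("g sy i internal"))
```

With this tree, ex re is rejected as ambiguous because both reboot and restore begin with re, while ex reb expands to execute reboot; the same rule is what makes g sy st unambiguous.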

Environment variables
The FortiGate CLI supports several environment variables.

$USERFROM The management access type (SSH, Telnet and so on) and the IP address of the logged in
administrator.
$USERNAME The user account name of the logged in administrator.
$SerialNum The serial number of the FortiGate unit.

Variable names are case sensitive. In the following example, when entering the variable, you can type
$ followed by a tab to auto-complete the variable to ensure that you have the exact spelling and case.
Continue pressing tab until the variable you want to use is displayed.
config system global
set hostname $SerialNum
end

Encrypted password support


After you enter a clear text password using the CLI, the FortiGate unit encrypts the password and
stores it in the configuration file with the prefix ENC. For example:
show system admin user1
config system admin
edit "user1"
set accprofile "prof_admin"
set password ENC XXNFKpSV3oIVk
next
end


It is also possible to enter an already encrypted password. For example, type:
config system admin
and press Enter.
Type:
edit user1
and press Enter.
Type:
set password ENC XXNFKpSV3oIVk
and press Enter.
Type:
end
and press Enter.

Using single quotes to enter tabs or spaces in strings


Use single quotes when a string includes tabs or spaces. All special characters are valid within the
single quotes. Use \' to include a single quote in a single-quoted string. Use \\ to include a backslash in
a single-quoted string. For example:
config system snmp
set contact_info 'Security Administrator'
set location 'Building 1\\Room 326'
end

International characters
The CLI supports international characters in strings.

IP address formats
You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example
you can type either:
set ip 192.168.1.1 255.255.255.0
or
set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.

Editing the configuration file


You can change the FortiGate configuration by backing up the configuration file to a TFTP server.
Then you can make changes to the file and restore it to the FortiGate unit.
1 Use the execute backup config command to back up the configuration file to a TFTP server.


2 Edit the configuration file using a text editor.
Related commands are listed together in the configuration file. For instance, all the system commands
are grouped together, all the antivirus commands are grouped together and so on. You can edit the
configuration by adding, changing or deleting the CLI commands in the configuration file.
The first line of the configuration file contains information about the firmware version and FortiGate
model. Do not edit this line. If you change this information the FortiGate unit will reject the configuration
file when you attempt to restore it.
3 Use the execute restore config command to copy the edited configuration file back to the
FortiGate unit.
The FortiGate unit receives the configuration file and checks to make sure the firmware version and
model information is correct. If it is, the FortiGate unit loads the configuration file and checks each
command for errors. If the FortiGate unit finds an error, an error message is displayed after the
command and the command is rejected. Then the FortiGate unit restarts and loads the new
configuration.

Setting page length


Using the config console command you can specify the CLI page length.
For example in the config console shell, you can use the command set page 30 to specify a
page length of 30 lines. This means that commands that display multiple lines of output, display 30
lines at a time. The default page length is 25 lines.

Changing the baud rate


Using set baudrate in the config system console shell, you can change the default console
connection baud rate. For more information on setting the console baud rate, see “console” on
page 231.

Note: Changing the default baud rate is available for FortiGate units with BIOS 3.03 and higher and FortiOS
version 2.50 and higher.

Using Perl regular expressions


Some FortiGate features, such as spam filtering and web content filtering can use either wildcards or
Perl regular expressions.
See http://www.perldoc.com/perl5.8.0/pod/perlre.html for detailed information about using Perl regular
expressions.

Some differences between regular expression and wildcard pattern matching


In Perl regular expressions, the ‘.’ character matches any single character. It is similar to the ‘?’ character
in wildcard pattern matching. As a result:
• fortinet.com not only matches fortinet.com but also matches fortinetacom,
fortinetbcom, fortinetccom and so on.
To match a special character such as ‘.’ or ‘*’ literally, regular expressions use the ‘\’ escape character. For
example:
• To match fortinet.com, the regular expression should be fortinet\.com.

In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not 0 or more
times of any character. For example:
• forti*\.com matches fortiiii.com but does not match fortinet.com.
To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’ means 0 or
more times. For example:
• the wildcard match pattern forti*.com is equivalent to the regular expression forti.*\.com.

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the
regular expression “test” not only matches the word “test” but also matches any word that contains the
word “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b” specifies the word
boundary. To match exactly the word “test”, the expression should be \btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam filters. To make a word or
phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all
instances of “bad language” regardless of case.
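The following Python script is an added example, not part of the guide, that reproduces the four differences described above (‘.’, ‘*’, word boundaries and /i) so the patterns can be checked before they are entered into a web or spam filter. It also implements the wildcard-to-regex equivalence the guide states (forti*.com is forti.*\.com): wildcard_to_regex is this example's own helper, and like the guide's regex examples the result is unanchored, so it matches anywhere in the text.

```python
"""Check how a pattern behaves as a Perl regular expression versus as a
wildcard pattern, using the guide's own examples as the cases."""

import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard pattern into the equivalent regular expression:
    '*' becomes '.*', '?' becomes '.', every other character (including
    '.') is escaped so it matches itself. The result is unanchored."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def regex_matches(expression: str, text: str, ignore_case: bool = False) -> bool:
    """Search `text` with a Perl-style expression (anywhere in the string).
    ignore_case=True is the /i modifier from the guide's table."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(expression, text, flags) is not None


def wildcard_matches(pattern: str, text: str, ignore_case: bool = False) -> bool:
    """Match `text` against a wildcard pattern by translating it first."""
    return regex_matches(wildcard_to_regex(pattern), text, ignore_case)


if __name__ == "__main__":
    # Unescaped '.' matches any character: fortinetacom slips through.
    print(regex_matches("fortinet.com", "fortinetacom"))          # True
    print(wildcard_matches("fortinet.com", "fortinetacom"))       # False
    # '*' repeats the preceding character only.
    print(regex_matches(r"forti*\.com", "fortiiii.com"))          # True
    print(regex_matches(r"forti*\.com", "fortinet.com"))          # False
    print(wildcard_to_regex("forti*.com"))                        # forti.*\.com
    # No implicit word boundary unless \b is used.
    print(regex_matches("test", "testimony"))                     # True
    print(regex_matches(r"\btest\b", "atestb"))                   # False
    # Case sensitivity and the /i modifier.
    print(regex_matches("bad language", "BAD LANGUAGE"))          # False
    print(regex_matches("bad language", "BAD LANGUAGE", True))    # True
```

Running the script prints one line per case; the lines marked True/False in the comments are the outcomes the guide describes, so a filter entry that behaves differently than expected can be traced to one of the four rules above.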

Table 3: Perl regular expression examples

Expression   Matches
abc          abc (that exact character sequence, but anywhere in the string)
^abc         abc at the beginning of the string
abc$         abc at the end of the string
a|b          either of a and b
^abc|abc$    the string abc at the beginning or at the end of the string
ab{2,4}c     an a followed by two, three or four b's followed by a c
ab{2,}c      an a followed by at least two b's followed by a c
ab*c         an a followed by any number (zero or more) of b's followed by a c
ab+c         an a followed by one or more b's followed by a c
ab?c         an a followed by an optional b followed by a c; that is, either abc or ac
a.c          an a followed by any single character (not newline) followed by a c
a\.c         a.c exactly
[abc]        any one of a, b and c
[Aa]bc       either of Abc and abc
[abc]+       any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[^abc]+      any (nonempty) string which does not contain any of a, b and c (such as defg)
\d\d         any two decimal digits, such as 42; same as \d{2}
/i           makes the pattern case insensitive. For example, /bad language/i blocks any instance of “bad language” regardless of case.
\w+          a "word": a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk     the strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b        abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B       perl when not followed by a word boundary (e.g. in perlert but not in perl stuff)
\x           tells the regular expression parser to ignore white space that is neither backslashed nor within a character class. You can use this to break up your regular expression into (slightly) more readable parts.


config alertemail
filter
setting

config alertemail filter

filter
Use this command to specify what log activity and what log severity level to send alert email for.
You can configure the FortiGate unit to send alert email to multiple recipients when selected events
occur.

Note: If more than one log message is collected before an interval is reached, the messages are combined and
sent out as one alert email.

Command syntax pattern


config alertemail filter
set <keyword> <variable>
config alertemail filter
unset <keyword>
get alertemail filter
show alertemail filter

alertemail filter command keywords and variables


admin {disable | enable}
    Enable or disable sending an alert email for administrative events, such as user logins, resets, and configuration updates. Default: disable. Availability: All models.
anomaly {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit logs an attack covered by the IPS anomaly list. Default: disable. Availability: All models.
attack {disable | enable}
    Enable or disable sending an alert email when entries are written to the attack log. Default: disable. Availability: All models.
auth {disable | enable}
    Enable or disable sending an alert email when a user attempts to authenticate with the firewall. Default: disable. Availability: All models.
blocked {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit blocks a file using filename pattern blocking. Default: disable. Availability: All models.
cat_block {disable | enable}
    Enable or disable sending an alert email when a web page is blocked by category filtering (FortiGuard or Cerberian). Default: disable. Availability: All models.
cat_errors {disable | enable}
    Enable or disable sending an alert email when a category filtering rating error occurs (FortiGuard or Cerberian). Default: disable. Availability: All models.
cat_monitor {disable | enable}
    Enable or disable sending an alert email when a user accesses a monitored web page (FortiGuard or Cerberian). Default: disable. Availability: All models.
chassis {disable | enable}
    Enable or disable sending an alert email when a chassis anomaly is logged. Default: disable. Availability: FortiGate-4000 only.
content_log {disable | enable}
    Enable or disable sending an alert email when protocol content is logged. Default: disable. Availability: All models.
content_log_ftp {disable | enable}
    Enable or disable sending an alert email when FTP content is logged. Default: disable. Availability: All models.
content_log_http {disable | enable}
    Enable or disable sending an alert email when HTTP content is logged. Default: disable. Availability: All models.
content_log_imap {disable | enable}
    Enable or disable sending an alert email when IMAP content is logged. Default: disable. Availability: All models.
content_log_pop3 {disable | enable}
    Enable or disable sending an alert email when POP3 content is logged. Default: disable. Availability: All models.
content_log_smtp {disable | enable}
    Enable or disable sending an alert email when SMTP content is logged. Default: disable. Availability: All models.
dhcp {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit logs a DHCP service event. Default: disable. Availability: All models.
email {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit logs an email filter event. Default: disable. Availability: All models.
email_log_imap {disable | enable}
    Enable or disable sending an alert email when spam is detected in IMAP mail. Default: disable. Availability: All models.
email_log_pop3 {disable | enable}
    Enable or disable sending an alert email when spam is detected in POP3 mail. Default: disable. Availability: All models.
email_log_smtp {disable | enable}
    Enable or disable sending an alert email when spam is detected in SMTP mail. Default: disable. Availability: All models.
event {disable | enable}
    Enable or disable sending an alert email when entries are written to the event log. Default: disable. Availability: All models.
exempt {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit allows a web page listed on the URL exempt list. Default: disable. Availability: All models.
ha {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit logs high availability (HA) activity. Default: disable. Availability: All models.
infected {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit detects a virus. Default: disable. Availability: All models.
ipsec {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit logs IPSec negotiation activity. Default: disable. Availability: All models.
oversized {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit processes an oversized file. Default: disable. Availability: All models.
pattern {disable | enable}
    Enable or disable sending an alert email for pattern update events, such as antivirus and IPS pattern updates. An alert email is also sent if a pattern update fails. Default: disable. Availability: All models.
ppp {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit logs PPPoE, PPTP, and L2TP activity. Default: disable. Availability: All models.
severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the alert email log severity level. The FortiGate unit sends alert email for messages at the selected severity level and at every more severe level. For example, if you want the FortiGate unit to send alert email for emergency, alert, critical, and error messages, select error. Default: alert. Availability: All models.
    The levels, from most to least severe:
    • emergency: The system is unusable.
    • alert: Immediate action is required.
    • critical: Functionality is affected.
    • error: An erroneous condition exists and functionality is probably affected.
    • warning: Functionality might be affected.
    • notification: Information about normal events.
    • information: General information about system operations.
    • debug: Information used for diagnosing or debugging the FortiGate unit.
signature {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit logs an attack covered by the IPS signature list. Default: disable. Availability: All models.
system {disable | enable}
    Enable or disable sending an alert email for system activity. Default: disable. Availability: All models.
url_block {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit blocks a web page listed on the URL block list. Default: disable. Availability: All models.
virus {disable | enable}
    Enable or disable sending an alert email when entries are written to the virus log. Default: disable. Availability: All models.
web {disable | enable}
    Enable or disable sending an alert email when entries are written to the web filter log. Default: disable. Availability: All models.
web_content {disable | enable}
    Enable or disable sending an alert email when the FortiGate unit blocks a web page using the content block list. Default: disable. Availability: All models.

Examples
This example shows how to configure the FortiGate unit to send alert email for administrative events,
HA activity, and virus incidents, and to set a log severity level of warning.
config alertemail filter
set severity warning
set admin enable
set ha enable
set virus enable
end
This example shows how to display the alertemail filter settings.
get alertemail filter

This example shows how to display the configuration for the alertemail filter settings.
show alertemail filter
If the show command returns you to the prompt, the settings are at default.

Command History
FortiOS v2.80      Substantially revised and expanded.
FortiOS v2.80 MR2  The email_content keyword was removed. The email_log_imap, email_log_pop3, and email_log_smtp keywords were added.
FortiOS v2.80 MR3  The chassis keyword was added.

Related Commands
• config alertemail setting
• config log

config alertemail setting

setting
Use this command to configure the FortiGate unit to send alert email to up to three recipients, and to
configure how frequently the FortiGate unit sends alert email.
Note: Because the FortiGate uses the SMTP server name to connect to the mail server, it must be able to look up
this name on your DNS server. For information, see “config system dns” on page 239.

Command syntax pattern


config alertemail setting
set <keyword> <variable>
config alertemail setting
unset <keyword>
get alertemail setting
show alertemail setting

alertemail setting command keywords and variables


alert-interval <minutes_integer>
    Enter the number of minutes the FortiGate unit should wait before sending out alert email for alert level messages. Default: 2. Availability: All models.
authenticate {disable | enable}
    Enable SMTP authentication if the FortiGate unit is required to authenticate before using the SMTP server. Default: disable. Availability: All models.
critical-interval <minutes_integer>
    Enter the number of minutes the FortiGate unit should wait before sending out alert email for critical level messages. Default: 3. Availability: All models.
debug-interval <minutes_integer>
    Enter the number of minutes the FortiGate unit should wait before sending out alert email for debug level messages. Default: 60. Availability: All models.
emergency-interval <minutes_integer>
    Enter the number of minutes the FortiGate unit should wait before sending out alert email for emergency level messages. Default: 1. Availability: All models.
error-interval <minutes_integer>
    Enter the number of minutes the FortiGate unit should wait before sending out alert email for error level messages. Default: 5. Availability: All models.
information-interval <minutes_integer>
    Enter the number of minutes the FortiGate unit should wait before sending out alert email for information level messages. Default: 30. Availability: All models.
mailto1 <email-address_str>
    Enter an email address. This is one of the email addresses to which the FortiGate unit sends alert email. Default: none. Availability: All models.
mailto2 <email-address_str>
    Enter an email address. This is one of the email addresses to which the FortiGate unit sends alert email. Default: none. Availability: All models.
mailto3 <email-address_str>
    Enter an email address. This is one of the email addresses to which the FortiGate unit sends alert email. Default: none. Availability: All models.
notification-interval <minutes_integer>
    Enter the number of minutes the FortiGate unit should wait before sending out alert email for notification level messages. Default: 20. Availability: All models.
password <password_str>
    Enter the password that the FortiGate unit needs to access the SMTP server. Default: none. Availability: All models.
server {<name_str> | <address_ipv4>}
    Enter the name of the SMTP server, in the format smtp.domain.com, to which the FortiGate unit should send email. The SMTP server can be located on any network connected to the FortiGate unit. Default: none. Availability: All models.
username <user-name_str>
    Enter a valid email address in the format [email protected]. This address appears in the From header of the alert email. Default: none. Availability: All models.
warning-interval <minutes_integer>
    Enter the number of minutes the FortiGate unit should wait before sending out alert email for warning level messages. Default: 10. Availability: All models.

Examples
This example shows how to configure the SMTP server and user name, add two email addresses for
sending alerts to, and specify how frequently to send alerts for each log severity level.
config alertemail setting
set server mail.ourcompany.com
set username [email protected]
set mailto1 [email protected]
set mailto2 [email protected]
set alert-interval 2
set critical-interval 10
set debug-interval 10
set emergency-interval 1
set error-interval 60
set information-interval 1440
set notification-interval 720
set warning-interval 120
end
This example shows how to display the alertemail settings.
get alertemail setting
This example shows how to display the configuration of the alertemail setting command.
show alertemail setting
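The following Python model is an added example, not FortiGate code, that ties the alertemail filter and alertemail setting commands together: it applies the category switches and the severity threshold from config alertemail filter, then groups the surviving messages into emails using the per-severity intervals from config alertemail setting, as the note under filter describes (messages collected before an interval is reached are combined into one email). The exact batching rule and the sample log events are this example's own simplifications; the severity order and the default intervals are the ones listed in the two tables.

```python
"""Model of alert email selection (category + severity threshold) and
per-severity interval batching for FortiGate alertemail settings."""

from collections import defaultdict

# Severity levels from most to least severe, as listed under `set severity`.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Default send intervals (minutes) from the alertemail setting table.
DEFAULT_INTERVALS = {
    "emergency": 1, "alert": 2, "critical": 3, "error": 5,
    "warning": 10, "notification": 20, "information": 30, "debug": 60,
}


def severities_sent(threshold):
    """Levels that produce alert email for `set severity <threshold>`:
    the chosen level and every level more severe than it."""
    return SEVERITY_ORDER[: RANK[threshold] + 1]


def passes_filter(event, enabled_categories, threshold):
    """True when the event's category switch is enabled and its severity
    is at or above the configured threshold."""
    return (event["category"] in enabled_categories
            and RANK[event["severity"]] <= RANK[threshold])


def batch_alerts(events, enabled_categories, threshold, intervals=DEFAULT_INTERVALS):
    """Turn log events (dicts with t in minutes, category, severity, msg)
    into emails, returned as (severity, [messages]) tuples. A window opens
    at the first passing message of a severity; later messages of that
    severity inside intervals[severity] minutes join the same email
    (simplified model of the interval behaviour)."""
    emails = []
    window_start = {}
    pending = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if not passes_filter(ev, enabled_categories, threshold):
            continue
        sev = ev["severity"]
        if sev in window_start and ev["t"] - window_start[sev] >= intervals[sev]:
            emails.append((sev, pending.pop(sev)))   # interval reached: send
            del window_start[sev]
        if sev not in window_start:
            window_start[sev] = ev["t"]
        pending[sev].append(ev["msg"])
    for sev, msgs in pending.items():               # flush open windows
        emails.append((sev, msgs))
    return emails


def render_filter_config(enabled_categories, threshold):
    """Emit the equivalent `config alertemail filter` block."""
    lines = ["config alertemail filter", f"    set severity {threshold}"]
    lines += [f"    set {cat} enable" for cat in sorted(enabled_categories)]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample events (not real FortiGate log output).
SAMPLE_EVENTS = [
    {"t": 0, "category": "admin", "severity": "warning", "msg": "admin login from console"},
    {"t": 1, "category": "ha", "severity": "error", "msg": "HA member lost heartbeat"},
    {"t": 2, "category": "admin", "severity": "warning", "msg": "configuration changed"},
    {"t": 3, "category": "virus", "severity": "critical", "msg": "virus detected in SMTP"},
    {"t": 5, "category": "dhcp", "severity": "information", "msg": "lease issued"},
    {"t": 6, "category": "admin", "severity": "debug", "msg": "admin session timer"},
    {"t": 12, "category": "admin", "severity": "warning", "msg": "admin logout"},
]
ENABLED = {"admin", "ha", "virus"}

if __name__ == "__main__":
    print(render_filter_config(ENABLED, "warning"))
    for sev, msgs in batch_alerts(SAMPLE_EVENTS, ENABLED, "warning"):
        print(f"[{sev}] {len(msgs)} message(s): {msgs}")
```

With the sample events and a warning threshold, the two admin warnings at minutes 0 and 2 share one email, the logout at minute 12 falls outside the 10-minute warning-interval and starts a second one, the dhcp event is dropped because its category is disabled, and the debug event is dropped by severity. The value to take from the model is that the interval chosen per level trades alert latency against mail volume: a short emergency-interval keeps urgent events prompt, while long information and debug intervals stop a chatty device from flooding the recipients.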

Command History
FortiOS v2.80 Substantially revised and expanded.

Related Commands
• config alertemail filter
• config log
• config system dns


config antivirus
filepattern
grayware <category-name_str>
heuristic
quarantine
quarfilepattern
service http
service ftp
service pop3
service imap
service smtp

config antivirus filepattern

filepattern
Use this command to add, edit or delete the file patterns used for virus blocking and to set which
protocols to check for files to block.

Command syntax pattern


config antivirus filepattern
edit <filepattern_str>
set <keyword> <variable>
end
config antivirus filepattern
edit <filepattern_str>
unset <keyword>
end
config antivirus filepattern
delete <filepattern_str>
end
get antivirus filepattern [<filepattern_str>]
show antivirus filepattern [<filepattern_str>]

Note: <filepattern_str> can use * to represent any character string.

antivirus filepattern command keywords and variables


allow {ftp http imap pop3 smtp}
    Don’t block the specified file pattern in the selected protocols. Blocking deletes files that match enabled file patterns. Default: Varies. Availability: All models.
block {ftp http imap pop3 smtp}
    Block the specified file pattern in the selected protocols. Blocking deletes files that match the file patterns. Default: Varies. Availability: All models.

Example
This example shows how to add the *.xyz file pattern, allow *.xyz files in IMAP, SMTP, and POP3
traffic, and block *.xyz files in HTTP and FTP traffic.
config antivirus filepattern
edit *.xyz
set allow imap smtp pop3
set block http ftp
end
This example shows how to display the file pattern list.
get antivirus filepattern
This example shows how to display the settings for the *.bat file pattern.
get antivirus filepattern *.bat

This example shows how to display the configuration for the entire file pattern list.
show antivirus filepattern
This example shows how to display the configuration for the *.bat file pattern.
show antivirus filepattern *.bat
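The Python script below is an added example, not FortiGate code, that evaluates a file pattern list of the kind config antivirus filepattern builds: each entry carries the protocols on which the pattern is blocked and allowed, and decide() reports what happens to a given file name on a given protocol. Two assumptions are made for the example because the guide does not state them: names are compared case-insensitively, and the first pattern in the list that matches the name decides. The audit function flags protocols for which a pattern is neither allowed nor blocked, where the "Varies" default would apply.

```python
"""Evaluate per-protocol allow/block file patterns (`*` = any string)."""

import re

PROTOCOLS = ("ftp", "http", "imap", "pop3", "smtp")


def pattern_to_regex(filepattern):
    """`*` stands for any character string, as the guide's note says; every
    other character is literal. The whole file name must match."""
    return "^" + ".*".join(re.escape(part) for part in filepattern.split("*")) + "$"


def name_matches(filepattern, filename):
    # Case-insensitive comparison is an assumption of this example.
    return re.match(pattern_to_regex(filepattern), filename, re.IGNORECASE) is not None


def decide(filepatterns, filename, protocol):
    """Return (action, pattern) where action is 'block', 'allow' or
    'unspecified'. `filepatterns` is an ordered list of
    (pattern, {"block": set_of_protocols, "allow": set_of_protocols});
    the first matching pattern decides (assumption)."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    for pattern, actions in filepatterns:
        if name_matches(pattern, filename):
            if protocol in actions.get("block", set()):
                return "block", pattern
            if protocol in actions.get("allow", set()):
                return "allow", pattern
            return "unspecified", pattern   # default "Varies" would apply
    return "allow", None                     # no pattern covers this name


def unspecified_protocols(filepatterns):
    """Per pattern, the protocols that are neither allowed nor blocked."""
    return {
        pattern: set(PROTOCOLS) - actions.get("allow", set()) - actions.get("block", set())
        for pattern, actions in filepatterns
    }


def render_config(filepatterns):
    """Emit the equivalent `config antivirus filepattern` block."""
    lines = ["config antivirus filepattern"]
    for pattern, actions in filepatterns:
        lines.append(f"    edit {pattern}")
        if actions.get("allow"):
            lines.append("        set allow " + " ".join(sorted(actions["allow"])))
        if actions.get("block"):
            lines.append("        set block " + " ".join(sorted(actions["block"])))
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


# Constructed list: the guide's *.xyz example, *.bat blocked everywhere,
# and a *.scr entry that only names HTTP (so the rest is unspecified).
FILEPATTERNS = [
    ("*.xyz", {"allow": {"imap", "smtp", "pop3"}, "block": {"http", "ftp"}}),
    ("*.bat", {"allow": set(), "block": set(PROTOCOLS)}),
    ("*.scr", {"allow": set(), "block": {"http"}}),
]

if __name__ == "__main__":
    print(render_config(FILEPATTERNS))
    for name, proto in [("report.xyz", "http"), ("report.XYZ", "smtp"),
                        ("Setup.bat", "pop3"), ("saver.scr", "smtp"),
                        ("notes.txt", "http")]:
        print(name, proto, decide(FILEPATTERNS, name, proto))
    print(unspecified_protocols(FILEPATTERNS))
```

The audit output is the useful part for review: an entry such as *.scr that only names one protocol leaves the other four at their "Varies" default, which is easy to miss when reading `show antivirus filepattern` output.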

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• config antivirus heuristic
• config antivirus grayware <category-name_str>
• config antivirus quarantine
• config antivirus quarfilepattern
• config antivirus service http
• config antivirus service ftp
• config antivirus service pop3
• config antivirus service imap
• config antivirus service smtp

config antivirus grayware <category-name_str>

grayware <category-name_str>
Use this command to enable or disable grayware scanning for the specified category.
Grayware programs are unsolicited commercial software programs that get installed on computers,
often without the user’s consent or knowledge. Grayware programs are generally considered an
annoyance, but these programs can cause system performance problems or be used for malicious
means.
The FortiGate unit scans for known grayware executable programs in each category you enable. The
category list and contents are added or updated whenever your FortiGate unit receives a virus update
package. New categories may be added at any time and are loaded with virus updates. By default, all
new categories are disabled.

Adware      Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
Dial        Dialers allow others to use the PC modem to call premium numbers or make long distance calls.
Game        Games are usually joke or nuisance games that you may want to block from network users.
Joke        Joke programs can include custom cursors and programs that appear to affect the system.
P2P         P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files, often illegally.
Spy         Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis program that can report your activities, such as web browsing habits, to the advertiser’s web site where it may be recorded and analyzed.
Keylog      Keylogger programs can record every keystroke made on a keyboard including passwords, chat, and instant messages.
Hijacker    Browser hijacking occurs when a ‘spyware’ type program changes web browser settings, including favorites or bookmarks, start pages, and menu options.
Plugin      Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing preferences.
NMT         Network management tools can be installed and used maliciously to change settings and disrupt network security.
RAT         Remote administration tools allow outside users to remotely change and monitor a computer on a network.
Misc        The miscellaneous grayware category.
BHO         BHOs (Browser Helper Objects) are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4.x and higher. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information.
Toolbar     While some toolbars are harmless, spyware developers can use these toolbars to monitor web habits and send information back to the developer.
Download    Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.

Grayware scanning is enabled in a protection profile when Virus Scan is enabled.

Command syntax pattern


config antivirus grayware <category-name_str>
set <keyword> <variable>
end
config antivirus grayware <category-name_str>
unset <keyword>
end
get antivirus grayware [<category-name_str>]
show antivirus grayware [<category-name_str>]

Note: The FortiGate CLI is case sensitive and the first letter of all grayware category names is uppercase.

antivirus grayware command keywords and variables


Keywords and variables Description Default Availability
status Enable or disable grayware scanning for the specified disable All models.
{enable | disable} category.

Example
This example shows how to enable grayware scanning for Adware programs.
config antivirus grayware Adware
set status enable
end
This example shows how to display the list of grayware categories.
get antivirus grayware
This example shows how to display the settings for the Adware category.
get antivirus grayware Adware
This example shows how to display the configuration for all the grayware categories.
show antivirus grayware
This example shows how to display the configuration for the Adware category.
show antivirus grayware Adware

Command History
FortiOS v2.80 New.

Related Commands
• config antivirus filepattern
• config antivirus heuristic
• config antivirus quarantine
• config antivirus quarfilepattern
• config antivirus service http
• config antivirus service ftp
• config antivirus service pop3
• config antivirus service imap
• config antivirus service smtp
• config system autoupdate schedule
• execute update_now

config antivirus heuristic

heuristic
Use this command to configure heuristic scanning for viruses in binary files.

Command syntax pattern


config antivirus heuristic
set <keyword> <variable>
end
config antivirus heuristic
unset <keyword>
end
get antivirus heuristic
show antivirus heuristic

antivirus heuristic command keywords and variables


mode {pass | block | disable}
    Enter pass to enable heuristics but pass detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
    Enter block to enable heuristics and block detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
    Enter disable to disable heuristics.
    Default: pass. Availability: All models.

Example
This example shows how to disable heuristic scanning.
config antivirus heuristic
set mode disable
end
This example shows how to display the settings for the antivirus heuristic command.
get antivirus heuristic
This example shows how to display the configuration for the antivirus heuristic command.
show antivirus heuristic

Command History
FortiOS v2.80 New.

Related Commands
• config antivirus filepattern
• config antivirus quarantine
• config antivirus quarfilepattern
• config antivirus service http
• config antivirus service ftp
• config antivirus service pop3
• config antivirus service imap
• config antivirus service smtp

config antivirus quarantine

quarantine
Use this command to set file quarantine options.
FortiGate units with a local disk can quarantine blocked and infected files. The quarantined files are
removed from the content stream and stored on the FortiGate local disk. Users receive a message
informing them that the removed files have been quarantined.
You can view the file names and status information about the file in the quarantined file list. You can
also submit specific files and add file patterns to the autoupload list so they are automatically uploaded
to Fortinet for analysis.

Command syntax pattern


config antivirus quarantine
set <keyword> <variable>
end
config antivirus quarantine
unset <keyword>
end
get antivirus quarantine
show antivirus quarantine

antivirus quarantine command keywords and variables


agelimit <hours_integer>
    Specify how long files are kept in quarantine, to a maximum of 479 hours. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached the TTL column displays EXP. and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, subject to the low disk space action. Default: 0. Availability: FortiGate models with a local disk.
drop_blocked {imap pop3 smtp}
    Do not quarantine blocked files found in traffic for the specified protocols. The files are deleted. Default: imap smtp pop3. Availability: FortiGate models with a local disk.
drop_heuristic {ftp http imap pop3 smtp}
    Do not quarantine files found by heuristic scanning in traffic for the specified protocols. Default: imap smtp pop3 http ftp. Availability: FortiGate models with a local disk.
drop_infected {ftp http imap pop3 smtp}
    Do not quarantine virus infected files found in traffic for the specified protocols. Default: imap smtp pop3 http ftp. Availability: FortiGate models with a local disk.
enable_auto_submit {disable | enable}
    Enable or disable automatic submission of the quarantined files matching the use_fpat or use_status settings. Default: disable. Availability: FortiGate models with a local disk.
lowspace {drop_new | ovrw_old}
    Select the method for handling additional files when the FortiGate hard disk is running out of space. Enter ovrw_old to drop the oldest file (lowest TTL), or drop_new to drop new quarantine files. Default: ovrw_old. Availability: FortiGate models with a local disk.
maxfilesize <MB_integer>
    Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any existing quarantined files over the limit, but does not quarantine any new files larger than this value. The file size range is 0-499 MB. Enter 0 for unlimited file size. Default: 0 (unlimited). Availability: FortiGate models with a local disk.
sel_status {fileblocked heuristic}
    Configure the status used for automatic uploading of quarantined files. Default: none. Availability: FortiGate models with a local disk.
store_blocked {imap pop3 smtp}
    Quarantine blocked files found in traffic for the specified protocols. Default: none. Availability: FortiGate models with a local disk.
store_heuristic {ftp http imap pop3 smtp}
    Quarantine files found by heuristic scanning in traffic for the specified protocols. Default: none. Availability: FortiGate models with a local disk.
store_infected {ftp http imap pop3 smtp}
    Quarantine virus infected files found in traffic for the specified protocols. Default: none. Availability: FortiGate models with a local disk.
use_fpat {disable | enable}
    Enable or disable using file patterns to select quarantined files for automatic uploading. See “config antivirus quarfilepattern” on page 50 for information on how to configure the file patterns used for automatic uploading. Default: disable. Availability: FortiGate models with a local disk.
use_status {disable | enable}
    Enable or disable using file status to select quarantined files for automatic uploading. Default: disable. Availability: FortiGate models with a local disk.

Example
This example shows how to:
• set the quarantine age limit to 100 hours
• not quarantine blocked files from SMTP and POP3 traffic
• not quarantine heuristic tagged files from SMTP and POP3 traffic
• enable automatic submission of quarantined files
• drop new files when the quarantine disk is full
• set the maximum file size to quarantine to 2 MB
• quarantine files from IMAP traffic with blocked status
• quarantine files with heuristic status in IMAP, HTTP, and FTP traffic
• use both file patterns and status to select files for automatic submission
config antivirus quarantine
set agelimit 100
set drop_blocked smtp pop3
set drop_heuristic smtp pop3
set enable_auto_submit enable
set lowspace drop_new
set maxfilesize 2
set sel_status fileblocked
set store_blocked imap
set store_heuristic imap http ftp
set use_fpat enable
set use_status enable
end
This example shows how to display the settings for the antivirus quarantine command.
get antivirus quarantine

This example shows how to display the configuration for the antivirus quarantine command.
show antivirus quarantine

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 The enable_auto_upload keyword was changed to enable_auto_submit.

Related Commands
• config antivirus filepattern
• config antivirus heuristic
• config antivirus quarfilepattern
• config antivirus service http
• config antivirus service ftp
• config antivirus service pop3
• config antivirus service imap
• config antivirus service smtp

config antivirus quarfilepattern

quarfilepattern
Use this command to configure the file patterns used by automatic file uploading.
You can configure the FortiGate unit to automatically upload suspicious files to Fortinet for analysis.
You can add file patterns you want uploaded to the autoupload list using the * wildcard character. File
patterns are applied for autoupload regardless of file blocking settings.
You can also upload files to Fortinet based on status (blocked or heuristics) or submit individual files
directly from the quarantined files list. For more information, see config antivirus quarantine.

Command syntax pattern


config antivirus quarfilepattern
edit <pattern_str>
set <keyword> <variable>
end
config antivirus quarfilepattern
edit <pattern_str>
unset <keyword>
end
config antivirus quarfilepattern
delete <pattern_str>
end
get antivirus quarfilepattern [<pattern_str>]
show antivirus quarfilepattern [<pattern_str>]

antivirus quarfilepattern command keywords and variables


status {disable | enable}
    Enable or disable using a file pattern. Default: disable. Availability: Models numbered 200 and higher that have a local hard disk.

Example
Use the following commands to enable automatic upload of *.bat files.
config antivirus quarfilepattern
edit *.bat
set status enable
end
This example shows how to display the settings for the antivirus quarfilepattern command.
get antivirus quarfilepattern
This example shows how to display the settings for the *.bat file pattern.
get antivirus quarfilepattern *.bat

This example shows how to display the configuration for the antivirus quarfilepattern
command.
show antivirus quarfilepattern
This example shows how to display the configuration for the *.bat file pattern.
show antivirus quarfilepattern *.bat
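The Python model below is an added example, not FortiGate code, covering both the quarantine policy from config antivirus quarantine and the automatic submission selection from config antivirus quarfilepattern: store versus drop per file status and protocol, maxfilesize, agelimit with TTL expiry (the record stays when the file is deleted), the two lowspace behaviours, and selecting files for submission by an enabled file pattern (use_fpat) and/or by status (use_status with sel_status). The disk is modelled as a fixed number of file slots (capacity), an assumption made only so that the lowspace behaviour can be exercised; example_quarantine() uses the settings from the quarantine example above.

```python
"""Model of FortiGate quarantine storage policy and auto-submit selection."""

import re
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    status: str       # "infected", "fileblocked" or "heuristic"
    protocol: str
    size_mb: int
    stored_at: float  # hours
    on_disk: bool = True  # False once expired: list entry kept, file gone


def pattern_matches(filepattern, filename):
    """`*` matches any character string; everything else is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in filepattern.split("*")) + "$"
    return re.match(regex, filename, re.IGNORECASE) is not None


class Quarantine:
    def __init__(self, capacity, agelimit, maxfilesize, lowspace, store, drop):
        self.capacity = capacity        # file slots on the modelled disk (assumption)
        self.agelimit = agelimit        # hours; 0 keeps files indefinitely
        self.maxfilesize = maxfilesize  # MB; 0 means unlimited
        self.lowspace = lowspace        # "drop_new" or "ovrw_old"
        self.store = store              # status -> protocols to quarantine
        self.drop = drop                # status -> protocols to delete instead
        self.records = []

    def should_store(self, status, protocol):
        return (protocol in self.store.get(status, set())
                and protocol not in self.drop.get(status, set()))

    def live(self):
        return [r for r in self.records if r.on_disk]

    def ttl(self, rec, now):
        """Value shown in the TTL column: hours left, or EXP. after expiry."""
        if not rec.on_disk:
            return "EXP."
        if self.agelimit == 0:
            return "indefinite"
        return max(0.0, self.agelimit - (now - rec.stored_at))

    def expire(self, now):
        """Delete files older than agelimit, keeping their list entries."""
        expired = []
        if self.agelimit == 0:
            return expired
        for rec in self.live():
            if now - rec.stored_at >= self.agelimit:
                rec.on_disk = False
                expired.append(rec.name)
        return expired

    def submit(self, name, status, protocol, size_mb, now):
        """Offer a file caught by scanning; returns what happened to it."""
        if not self.should_store(status, protocol):
            return "deleted"           # drop_* applies: file not quarantined
        if self.maxfilesize and size_mb > self.maxfilesize:
            return "too-large"         # above maxfilesize: not quarantined
        self.expire(now)
        if len(self.live()) >= self.capacity:
            if self.lowspace == "drop_new":
                return "dropped-new"
            oldest = min(self.live(), key=lambda r: r.stored_at)  # lowest TTL
            self.records.remove(oldest)
        self.records.append(Record(name, status, protocol, size_mb, now))
        return "stored"

    def auto_submit_candidates(self, enabled, use_fpat, patterns, use_status, sel_status):
        """Files enable_auto_submit would upload: those matching an enabled
        quarfilepattern (use_fpat) or having a selected status (use_status)."""
        if not enabled:
            return []
        chosen = []
        for rec in self.live():
            by_pattern = use_fpat and any(pattern_matches(p, rec.name) for p in patterns)
            by_status = use_status and rec.status in sel_status
            if by_pattern or by_status:
                chosen.append(rec.name)
        return chosen


def example_quarantine(lowspace="drop_new"):
    """Settings from the guide's quarantine example, on a 2-slot disk."""
    return Quarantine(
        capacity=2, agelimit=100, maxfilesize=2, lowspace=lowspace,
        store={"fileblocked": {"imap"}, "heuristic": {"imap", "http", "ftp"}},
        drop={"fileblocked": {"smtp", "pop3"}, "heuristic": {"smtp", "pop3"}},
    )


if __name__ == "__main__":
    q = example_quarantine()
    for args in [("a.exe", "fileblocked", "imap", 1, 0), ("b.exe", "fileblocked", "smtp", 1, 0),
                 ("c.bin", "heuristic", "http", 3, 0), ("d.bat", "heuristic", "ftp", 1, 1),
                 ("e.bin", "heuristic", "imap", 1, 2)]:
        print(args[0], q.submit(*args))
    print("expired at 100.5h:", q.expire(100.5))
    print("auto-submit:", q.auto_submit_candidates(True, True, ["*.bat"], True, {"fileblocked"}))
```

Two points worth noticing in the trace: with lowspace drop_new a full disk silently discards new evidence, whereas ovrw_old discards the oldest file, so the choice decides which samples survive an incident that fills the quarantine; and a file deleted by agelimit still has a list entry with TTL EXP., so the quarantined files list remains a record of what was caught even after the sample itself is gone.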

Command History
FortiOS v2.80 New.

Related Commands
• config antivirus filepattern
• config antivirus heuristic
• config antivirus quarantine
• config antivirus service http
• config antivirus service ftp
• config antivirus service pop3
• config antivirus service imap
• config antivirus service smtp

config antivirus service http
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in
HTTP traffic and what ports the FortiGate unit scans for HTTP.

Command syntax pattern


config antivirus service http
set <keyword> <variable>
end
config antivirus service http
unset <keyword>
end
get antivirus service [http]
show antivirus service [http]

antivirus service http command keywords and variables


memfilesizelimit <MB_integer>
    Set the maximum file size (in megabytes) that can be buffered to memory for virus scanning.
    The maximum file size allowed is 10% of the FortiGate RAM size. For example, a FortiGate unit with
    256 MB of RAM could have a threshold range of 1 MB to 25 MB. Using the unset command resets the
    memfilesizelimit to 10 (default).
    Note: For email scanning, the memfilesizelimit refers to the final size of the email after encoding
    by the email client, including attachments. Email clients may use a variety of encoding types and
    some encodings translate into larger file sizes than the original attachment. The most common
    encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be
    blocked or logged as oversized even if the attachment is several megabytes less than the
    memfilesizelimit.
    Default: 10 (MB). Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for HTTP. You
    can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 80. Availability: All models.
uncompsizelimit <MB_integer>
    Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a
    value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended).
    Default: 10 (MB). Availability: All models.

How file size limits work


The memfilesizelimit is applied first to all incoming files, compressed or uncompressed. If the file is
larger than the limit the file is passed or blocked according to the user configuration in the firewall
profile.
The uncompsizelimit applies to the uncompressed size of the file. If other files are included within the
file, the uncompressed size of each one is checked against the uncompsizelimit value. If any one of
the uncompressed files is larger than the limit, the file is passed without scanning, but the total size of
all uncompressed files within the original file can be greater than the uncompsizelimit.

Example

This example shows how to set the maximum file size that can be buffered to memory for scanning at
12 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 15 MB,
and how to enable antivirus scanning on ports 70, 80, and 443 for HTTP traffic.
config antivirus service http
set memfilesizelimit 12
set uncompsizelimit 15
set port 70
set port 80
set port 443
end
This example shows how to display the antivirus HTTP traffic settings.
get antivirus service http
This example shows how to display the configuration for antivirus HTTP traffic.
show antivirus service http
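The two-stage check described under "How file size limits work", together with the base64 note in the keyword table, modelled in Python. This is an added example and not FortiOS code; the ScannedFile structure, the 1 MB = 1024*1024 byte convention and the verdict strings are assumptions made for the example.

```python
import base64
from dataclasses import dataclass, field
from typing import List, Tuple

MB = 1024 * 1024  # assumption: the guide does not say whether MB means 10^6 or 2^20 bytes


@dataclass
class ScannedFile:
    """A file as it reaches the scanner (constructed model, not FortiOS code).

    members holds the files contained in an archive, each with its
    uncompressed size, which is what uncompsizelimit is compared against.
    """
    name: str
    size: int                                        # size on the wire, in bytes
    members: List["ScannedFile"] = field(default_factory=list)


def check_size_limits(f: ScannedFile, memfilesizelimit_mb: int, uncompsizelimit_mb: int,
                      oversize_action: str = "pass") -> Tuple[str, str]:
    """Return (verdict, reason) following the order the guide describes.

    oversize_action is the firewall profile's choice for oversized files
    ("pass" or "block"); verdict "scan" means the file goes to the scanner.
    """
    # Stage 1: memfilesizelimit is applied first, to every incoming file,
    # compressed or not.
    if f.size > memfilesizelimit_mb * MB:
        return oversize_action, "exceeds memfilesizelimit"
    # Stage 2: uncompsizelimit is checked against each contained file on
    # its own. The sum of all members may exceed the limit and still be
    # scanned, so an archive of many medium-sized files is not caught here.
    if uncompsizelimit_mb != 0:                      # 0 disables the check
        for member in f.members:
            if member.size > uncompsizelimit_mb * MB:
                return "pass", f"{member.name} exceeds uncompsizelimit (passed unscanned)"
    return "scan", "within limits"


def base64_encoded_size(n_bytes: int) -> int:
    """Bytes occupied by n_bytes of binary data after base64 encoding.

    Every 3 input bytes become 4 output bytes; a final partial group is
    padded to a full 4 bytes, hence the round-up.
    """
    return 4 * ((n_bytes + 2) // 3)


def base64_formula_matches(n_bytes: int) -> bool:
    """Cross-check the formula against the standard library encoder."""
    return len(base64.b64encode(bytes(n_bytes))) == base64_encoded_size(n_bytes)


def attachment_fits(attachment_bytes: int, memfilesizelimit_mb: int) -> bool:
    """For email scanning the limit applies to the encoded message size."""
    return base64_encoded_size(attachment_bytes) <= memfilesizelimit_mb * MB


if __name__ == "__main__":
    # Constructed inputs: an 11 MB download and a zip holding two 6 MB files.
    big = ScannedFile("iso.bin", 11 * MB)
    archive = ScannedFile("bundle.zip", 2 * MB, members=[
        ScannedFile("a.dat", 6 * MB), ScannedFile("b.dat", 6 * MB)])
    print(check_size_limits(big, 10, 10, oversize_action="block"))
    print(check_size_limits(archive, 10, 10))
    # An 8 MB attachment grows to about 10.7 MB once base64-encoded.
    print(attachment_fits(8 * MB, 10))
```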

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR6 Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7 Added uncompsizelimit keyword.

Related Commands
• config antivirus filepattern
• config antivirus heuristic
• config antivirus quarantine
• config antivirus quarfilepattern
• config antivirus service ftp
• config antivirus service pop3
• config antivirus service imap
• config antivirus service smtp

config antivirus service ftp
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in FTP
traffic and how the FortiGate unit handles the buffering and uploading of files to an FTP server.

Command syntax pattern


config antivirus service ftp
set <keyword> <variable>
end
config antivirus service ftp
unset <keyword>
end
get antivirus service [ftp]
show antivirus service [ftp]

antivirus service ftp command keywords and variables


memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning.
    The maximum file size allowed is 10% of the FortiGate RAM size. For example, a FortiGate unit with
    256 MB of RAM could have a threshold range of 1 MB to 25 MB.
    Oversized files can be passed or blocked in a firewall protection profile.
    Note: For email scanning, the memfilesizelimit refers to the final size of the email after encoding
    by the email client, including attachments. Email clients may use a variety of encoding types and
    some encodings translate into larger file sizes than the original attachment. The most common
    encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be
    blocked or logged as oversized even if the attachment is several megabytes less than the
    memfilesizelimit.
    Default: 10 (MB). Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for FTP. You
    can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 21. Availability: All models.
uncompsizelimit <MB_integer>
    Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a
    value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended).
    Default: 10 (MB). Availability: All models.

How file size limits work


See “How file size limits work” on page 52.

Example
This example shows how to set the maximum file size buffered to memory for scanning at 25 MB, the
maximum uncompressed file size that can be buffered to memory at 100 MB, and how to enable
antivirus scanning on ports 20 and 21 for FTP traffic.
config antivirus service ftp
set memfilesizelimit 25
set uncompsizelimit 100
set port 20 21
end
This example shows how to display the antivirus FTP traffic settings.
get antivirus service ftp
This example shows how to display the configuration for antivirus FTP traffic.
show antivirus service ftp

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR3 The splice keyword was changed to a variable and moved under the ftp and smtp
keywords of config firewall profile.
FortiOS v2.80 MR6 Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7 Added uncompsizelimit keyword.

Related Commands
• config antivirus filepattern
• config antivirus heuristic
• config antivirus quarantine
• config antivirus quarfilepattern
• config antivirus service http
• config antivirus service pop3
• config antivirus service imap
• config antivirus service smtp

config antivirus service pop3
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in
POP3 traffic and what ports the FortiGate unit scans for POP3.

Command syntax pattern


config antivirus service pop3
set <keyword> <variable>
end
config antivirus service pop3
unset <keyword>
end
get antivirus service [pop3]
show antivirus service [pop3]

antivirus service pop3 command keywords and variables


memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning.
    The maximum file size allowed is 10% of the FortiGate RAM size. For example, a FortiGate unit with
    256 MB of RAM could have a threshold range of 1 MB to 25 MB.
    Note: For email scanning, the memfilesizelimit refers to the final size of the email after encoding
    by the email client, including attachments. Email clients may use a variety of encoding types and
    some encodings translate into larger file sizes than the original attachment. The most common
    encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be
    blocked or logged as oversized even if the attachment is several megabytes less than the
    memfilesizelimit.
    Default: 10 (MB). Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for POP3. You
    can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 110. Availability: All models.
uncompsizelimit <MB_integer>
    Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a
    value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended).
    Default: 10 (MB). Availability: All models.

How file size limits work


See “How file size limits work” on page 52.

Example
This example shows how to set the maximum file size that can be buffered to memory for scanning at
20 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 60 MB,
and how to enable antivirus scanning on ports 110, 111, and 992 for POP3 traffic.
config antivirus service pop3
set memfilesizelimit 20
set uncompsizelimit 60
set port 110
set port 111
set port 992
end
This example shows how to display the antivirus POP3 traffic settings.
get antivirus service pop3
This example shows how to display the configuration for antivirus POP3 traffic.
show antivirus service pop3

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR6 Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7 Added uncompsizelimit keyword.

Related Commands
• config antivirus filepattern
• config antivirus heuristic
• config antivirus quarantine
• config antivirus quarfilepattern
• config antivirus service http
• config antivirus service ftp
• config antivirus service imap
• config antivirus service smtp

config antivirus service imap
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in IMAP
traffic and what ports the FortiGate unit scans for IMAP.

Command syntax pattern


config antivirus service imap
set <keyword> <variable>
end
config antivirus service imap
unset <keyword>
end
get antivirus service [imap]
show antivirus service [imap]

antivirus service imap command keywords and variables


memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning.
    The maximum file size allowed is 10% of the FortiGate RAM size. For example, a FortiGate unit with
    256 MB of RAM could have a threshold range of 1 MB to 25 MB.
    Note: For email scanning, the memfilesizelimit refers to the final size of the email after encoding
    by the email client, including attachments. Email clients may use a variety of encoding types and
    some encodings translate into larger file sizes than the original attachment. The most common
    encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be
    blocked or logged as oversized even if the attachment is several megabytes less than the
    memfilesizelimit.
    Default: 10 (MB). Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for IMAP. You
    can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 143. Availability: All models.
uncompsizelimit <MB_integer>
    Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a
    value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended).
    Default: 10 (MB). Availability: All models.

How file size limits work


See “How file size limits work” on page 52.

Example
This example shows how to set the maximum file size that can be buffered to memory for scanning at
25 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 50 MB,
and how to enable antivirus scanning on ports 143 and 993 for IMAP traffic.
config antivirus service imap
set memfilesizelimit 25
set uncompsizelimit 50
set port 143
set port 993
end
This example shows how to display the antivirus IMAP traffic settings.
get antivirus service imap
This example shows how to display the configuration for antivirus IMAP traffic.
show antivirus service imap

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR6 Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7 Added uncompsizelimit keyword.

Related Commands
• config antivirus filepattern
• config antivirus heuristic
• config antivirus quarantine
• config antivirus quarfilepattern
• config antivirus service http
• config antivirus service ftp
• config antivirus service pop3
• config antivirus service smtp

config antivirus service smtp
Use this command to configure how the FortiGate unit handles antivirus scanning of large files in
SMTP traffic, what ports the FortiGate unit scans for SMTP, and how the FortiGate unit handles
interaction with an SMTP server for delivery of email with infected email file attachments.

Command syntax pattern


config antivirus service smtp
set <keyword> <variable>
end
config antivirus service smtp
unset <keyword>
end
get antivirus service [smtp]
show antivirus service [smtp]

antivirus service smtp command keywords and variables


memfilesizelimit <MB_integer>
    Set the maximum file size that can be buffered to memory for virus scanning.
    The maximum file size allowed is 10% of the FortiGate RAM size. For example, a FortiGate unit with
    256 MB of RAM could have a threshold range of 1 MB to 25 MB.
    Note: For email scanning, the memfilesizelimit refers to the final size of the email after encoding
    by the email client, including attachments. Email clients may use a variety of encoding types and
    some encodings translate into larger file sizes than the original attachment. The most common
    encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. So a file may be
    blocked or logged as oversized even if the attachment is several megabytes less than the
    memfilesizelimit.
    Default: 10 (MB). Availability: All models.
port <port_integer>
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for SMTP. You
    can use ports from the range 1-65535. You can add up to 20 ports.
    Default: 143. Availability: All models.
uncompsizelimit <MB_integer>
    Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a
    value in megabytes between 1 and the total memory size. Enter 0 for no limit (not recommended).
    Default: 10 (MB). Availability: All models.

How file size limits work


See “How file size limits work” on page 52.

Example
This example shows how to set the maximum file size that can be buffered to memory for scanning at
100 MB, the maximum uncompressed file size that can be buffered to memory for scanning at 1 GB
(1000 MB), and how to enable antivirus scanning on ports 25 and 465 for SMTP traffic.
config antivirus service smtp
set memfilesizelimit 100
set uncompsizelimit 1000
set port 25
set port 465
end
This example shows how to display the antivirus SMTP traffic settings.
get antivirus service smtp
This example shows how to display the configuration for antivirus SMTP traffic.
show antivirus service smtp

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR3 The splice keyword was changed to a variable and moved under the ftp and smtp
keywords of config firewall profile.
FortiOS v2.80 MR6 Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7 Added uncompsizelimit keyword.

Related Commands
• config antivirus filepattern
• config antivirus heuristic
• config antivirus quarantine
• config antivirus quarfilepattern
• config antivirus service http
• config antivirus service ftp
• config antivirus service pop3
• config antivirus service imap

config firewall
address
addrgrp
dnstranslation
ipmacbinding setting
ipmacbinding table
ippool
multicast-policy
policy
profile
schedule onetime
schedule recurring
service custom
service group
vip

config firewall address
Use this command to add and edit addresses used in firewall policies. A firewall address can be
configured with a name, an IP address, and a netmask, or a name and IP address range.
The FortiGate unit comes configured with the default address All, which represents any IP address.
Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall
policies. If an address is included in a policy, it cannot be deleted unless it is first removed from the
policy.

Note: IP address: 0.0.0.0 and Netmask: 255.255.255.255 is not a valid firewall address. IP address: 0.0.0.0 and
Netmask: 0.0.0.0 means all possible addresses.

Command syntax pattern


config firewall address
edit <name_str>
set <keyword> <variable>
end
config firewall address
edit <name_str>
unset <keyword>
end
config firewall address
delete <name_str>
end
get firewall address [<name_str>]
show firewall address [<name_str>]

firewall address command keywords and variables


subnet <address_ipv4mask>
    If type is set to ipmask, the IP Address can be the IP address of a single computer (for example,
    192.45.46.45) or the address of a subnetwork (for example, 192.168.1.0).
    The Netmask should correspond to the address that you are adding. For example:
    • The netmask for the IP address of a single computer should be 255.255.255.255.
    • The netmask for a class A subnet should be 255.0.0.0.
    • The netmask for a class B subnet should be 255.255.0.0.
    • The netmask for a class C subnet should be 255.255.255.0.
    Default: 0.0.0.0 0.0.0.0. Availability: All models. type ipmask only.
end_ip <address_ipv4>
    If type is set to iprange enter the end IP Address for the range.
    Default: 0.0.0.0. Availability: All models. type iprange only.
start_ip <address_ipv4>
    If type is set to iprange enter the start IP Address for the range.
    Default: 0.0.0.0. Availability: All models. type iprange only.
type {ipmask | iprange}
    Specify whether this firewall address is a subnet address or an address range.
    Default: ipmask. Availability: All models.

Example
This example shows how to add an address called User_Network, with an IP address and mask, and
add an address called User_Range, with an IP address range.
config firewall address
edit User_Network
set type ipmask
set subnet 192.168.1.0 255.255.255.0
next
edit User_Range
set type iprange
set start_ip 13.1.1.10
set end_ip 13.1.1.30
end
This example shows how to display the firewall address list.
get firewall address
This example shows how to display the settings for the address User_Range.
get firewall address User_Range
This example shows how to display the configuration for the entire address list.
show firewall address
This example shows how to display the configuration for the address User_Network.
show firewall address User_Network

Command History
FortiOS v2.80 Substantially revised. IP address range option added. Requiring that an
address be added to an interface removed.

Related Commands
• config firewall addrgrp
• config firewall policy

config firewall addrgrp
Add, edit or delete address groups used in firewall policies.
You can organize related addresses into address groups to make it easier to configure policies. For
example, if you add three addresses and then configure them in an address group, you can configure
a single policy using all three addresses.
Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall
policies. If an address group is included in a policy, it cannot be deleted unless it is first removed from
the policy.

Command syntax pattern


config firewall addrgrp
edit <group-name_str>
set <keyword> <variable>
end
config firewall addrgrp
edit <group-name_str>
unset <keyword>
end
config firewall addrgrp
delete <group-name_str>
end
get firewall addrgrp [<name_str>]
show firewall addrgrp [<name_str>]

firewall addrgrp command keywords and variables


member <name_str> [<name_str> [<name_str> ...]]
    The names of the addresses to add to the address group. The member addresses must already have
    been added. Use spaces to separate the address names. Remove an address name from the group by
    retyping the list without including the address name.
    Default: No default. Availability: All models.

Example
This example shows how to add an address group named Group1, and add the addresses
User_Network and User_Range to the group.
config firewall addrgrp
edit Group1
set member User_Network User_Range
end
This example shows how to display the settings for the firewall address groups.
get firewall addrgrp
This example shows how to display the settings for the Group1 address group.
get firewall addrgrp Group1

This example shows how to display the configuration for address groups.
show firewall addrgrp
This example shows how to display the configuration for the Group1 address group.
show firewall addrgrp Group1

Command History
FortiOS v2.80 Revised.

Related Commands
• address
• policy

config firewall dnstranslation
Use this command to add, edit or delete a DNS translation entry.
DNS translation translates IP addresses in packets sent by a DNS server from the internal network to
the external network. Use DNS translation if you have a DNS server on your internal network that can
be accessed by users on the external network to find the IP addresses of servers on your internal
network.
If users on the external network can access a server on your internal network using virtual IP mapping,
you may allow them to find the IP address of the server using a DNS query. If they query a DNS server
that is also on your internal network, the DNS server would return the internal IP address of the server.
The external users would not be able to use this IP address to access the internal server.
Using DNS translation, you can map the internal IP address of the server to an address that external
users can use to access this server. So, when the firewall receives DNS packets from the internal
network that match a DNS translation source address, DNS translation changes the IP address in the
DNS packet to the DNS translation destination IP address and forwards the packet through the firewall
to the external user.

Command syntax pattern


config firewall dnstranslation
edit <id_integer>
set <keyword> <variable>
end
config firewall dnstranslation
edit <id_integer>
unset <keyword>
end
config firewall dnstranslation
delete <id_integer>
end
get firewall dnstranslation [<id_integer>]
show firewall dnstranslation [<id_integer>]

firewall dnstranslation command keywords and variables


dst <destination_ipv4>
    The destination address can be a single external IP address or the IP address of a subnet
    accessible from the external network.
    Default: No default. Availability: All models.
netmask <address_mask>
    Set the netmask as required for the source and destination address type.
    Default: No default. Availability: All models.
src <source_ipv4>
    The source address can be a single IP address on the internal network or the IP address of a
    subnet.
    Default: No default. Availability: All models.

Note: The source and destination addresses must both be single IP addresses or must both be subnet addresses.
The netmask applies to both the source and destination addresses.

Example
This example shows how to add DNS translation for the source and destination addresses listed.
config firewall dnstranslation
edit 1
set dst 220.210.200.190
set netmask 255.255.255.0
set src 192.168.100.12
end
This example shows how to display the configured DNS translation settings.
get firewall dnstranslation
This example shows how to display the settings for the id 1 DNS translation entry.
get firewall dnstranslation 1
This example shows how to display the configuration for DNS translation.
show firewall dnstranslation
This example shows how to display the configuration for the id 1 DNS translation entry.
show firewall dnstranslation 1
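The rewrite that DNS translation performs on a DNS reply, worked through in Python on a constructed response: the A-record answers are walked and any address matching the entry's src (under the netmask) is changed to the dst. This is an added example, not FortiOS code; keeping the host bits when a subnet mask is used is this example's reading of "the netmask applies to both" and is an assumption, as is the message builder used for the sample input.

```python
import ipaddress
import struct
from typing import Dict, List

# dnstranslation entry from the example above (the guide's values).
EXAMPLE_ENTRY = {"src": "192.168.100.12", "dst": "220.210.200.190", "netmask": "255.255.255.0"}


def translate_ip(ip: str, entry: Dict[str, str]) -> str:
    """Apply one entry to one address; return the rewritten address or ip unchanged.

    The netmask applies to both src and dst. With 255.255.255.255 the whole
    address is replaced by dst; with a subnet mask the network part is swapped
    and the host part kept (assumption: the guide only says the address is
    changed to the destination).
    """
    a, s, d = (int(ipaddress.IPv4Address(x)) for x in (ip, entry["src"], entry["dst"]))
    m = int(ipaddress.IPv4Address(entry["netmask"]))
    if (a & m) != (s & m):
        return ip
    return str(ipaddress.IPv4Address((d & m) | (a & ~m & 0xFFFFFFFF)))


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, compressed or not (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def _answer_rdata_offsets(msg: bytes) -> List[tuple]:
    """Return (offset, type, rdlength) for every RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                      # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        out.append((off, rtype, rdlen))
        off += rdlen
    return out


def answer_a_records(msg: bytes) -> List[str]:
    """Dotted-quad list of the A answers in a response."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for o, t, n in _answer_rdata_offsets(msg) if t == 1 and n == 4]


def translate_dns_response(msg: bytes, entries: List[Dict[str, str]]) -> bytes:
    """Rewrite matching A-record answers in place; the message length never changes."""
    out = bytearray(msg)
    for off, rtype, rdlen in _answer_rdata_offsets(msg):
        if rtype != 1 or rdlen != 4:
            continue
        ip = str(ipaddress.IPv4Address(msg[off:off + 4]))
        for entry in entries:
            new = translate_ip(ip, entry)
            if new != ip:
                out[off:off + 4] = ipaddress.IPv4Address(new).packed
                break                             # first matching entry wins
    return bytes(out)


def build_response(qname: str, ips: List[str]) -> bytes:
    """Constructed DNS response with one A answer per ip (sample data, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    resp = build_response("www.example.com", ["192.168.100.12", "10.9.9.9"])
    print(answer_a_records(translate_dns_response(resp, [EXAMPLE_ENTRY])))
```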

Command History
FortiOS v2.80 Revised.

Related Commands
• vip

config firewall ipmacbinding setting
Use this command to configure IP/MAC binding settings. You can enable or disable IP/MAC binding
for traffic going to or through the FortiGate unit. You can allow or block traffic not defined in the IP/MAC
binding table. You can enable or disable IP/MAC binding for each individual FortiGate interface using
the ipmac keyword with the interface command described on page 262.
IP/MAC binding protects the FortiGate unit and your network from IP spoofing attacks. IP spoofing
attacks try to use the IP address of a trusted computer to connect to, or through, the FortiGate unit
from a different computer. The IP address of a computer is easy to change to a trusted address, but
MAC addresses are added to ethernet cards at the factory and are not easy to change.

Note: If you enable IP/MAC binding and change the IP address of a computer with an IP or MAC address in the
IP/MAC list, you must also change the entry in the IP/MAC list or the computer does not have access to or through
the FortiGate unit. You must also add the IP/MAC address pair of any new computer that you add to your network
or the new computer does not have access to or through the FortiGate unit.

Command syntax pattern


config firewall ipmacbinding setting
set <keyword> <variable>
end
config firewall ipmacbinding setting
unset <keyword>
end
get firewall ipmacbinding setting
show firewall ipmacbinding setting

firewall ipmacbinding setting command keywords and variables


bindthroughfw {disable | enable}
    Enter enable to use IP/MAC binding to filter packets that a firewall policy would normally allow
    through the firewall.
    Default: disable. Availability: All models.
bindtofw {disable | enable}
    Enter enable to use IP/MAC binding to filter packets that would normally connect with the firewall.
    Default: disable. Availability: All models.
undefinedhost {allow | block}
    Available when you enable either bindthroughfw or bindtofw.
    Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the
    IP/MAC list. Setting undefinedhost configures this behavior for traffic going through the firewall
    and traffic going to the firewall.
    Enter allow to allow packets with IP and MAC address pairs that are not added to the IP/MAC
    binding list.
    Enter block to block packets with IP and MAC address pairs that are not added to the IP/MAC
    binding list.
    Default: block. Availability: All models.

Example
This example shows how to enable IP/MAC binding going to and going through the firewall, and allow
undefined hosts (IP/MAC address pairs).
config firewall ipmacbinding setting
set bindthroughfw enable
set bindtofw enable
set undefinedhost allow
end
This example shows how to display the IP/MAC binding settings.
get firewall ipmacbinding setting
This example shows how to display the configuration for IP/MAC binding.
show firewall ipmacbinding setting

Command History
FortiOS v2.80 Revised.

Related Commands
• ipmacbinding table

config firewall ipmacbinding table
Use this command to add IP and MAC address pairs to the IP/MAC binding table, or to edit or delete IP
and MAC address pairs added to the IP/MAC binding table.
You can enable or disable IP/MAC binding for each individual FortiGate interface using the ipmac
keyword with the interface command described on page 262.

Command syntax pattern


config firewall ipmacbinding table
edit <sequence_integer>
set <keyword> <variable>
end
config firewall ipmacbinding table
edit <sequence_integer>
unset <keyword>
end
config firewall ipmacbinding table
delete <sequence_integer>
end
get firewall ipmacbinding table [<sequence_integer>]
show firewall ipmacbinding table [<sequence_integer>]

firewall ipmacbinding table command keywords and variables


ip <address_ipv4>
    The IP address to add to the IP/MAC binding table. You can bind multiple IP addresses to the same
    MAC address. You cannot bind multiple MAC addresses to the same IP address.
    You can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with
    the MAC address are allowed to continue through the firewall to be matched with a firewall policy.
    Default: 0.0.0.0. Availability: All models.
mac <address_hex>
    The MAC address to add to the IP/MAC binding table. You can set the MAC address to
    00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses
    are allowed to continue through the firewall to be matched with a firewall policy.
    Default: 00:00:00:00:00:00. Availability: All models.
name <name_str>
    Optional name for this entry on the IP/MAC address table.
    Default: noname. Availability: All models.
status {disable | enable}
    Enable or disable IP/MAC binding for this address pair.
    Default: disable. Availability: All models.

Example
This example shows how to add and enable an IP/MAC entry to the IP/MAC binding table.
config firewall ipmacbinding table
edit 1
set ip 205.33.44.55
set mac 00:10:F3:04:7A:4C
set name RemoteAdmin
set status enable
end
This example shows how to display the settings for IP/MAC binding table.
get firewall ipmacbinding table
This example shows how to display the settings for the first entry (id 1) in the IP/MAC binding table.
get firewall ipmacbinding table 1
This example shows how to display the configuration for IP/MAC binding table.
show firewall ipmacbinding table
This example shows how to display the configuration for the first entry (id 1) in the IP/MAC binding
table.
show firewall ipmacbinding table 1
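The decision the ipmacbinding setting and ipmacbinding table commands describe, modelled as a single lookup in Python: direction (bindtofw or bindthroughfw), enabled table rows, the 0.0.0.0 and 00:00:00:00:00:00 wildcards, and the undefinedhost fallback. This is an added example, not FortiOS code; the Binding and Settings classes and the reason strings are this example's own, and blocking a packet whose IP is in the table but arrives with a different MAC regardless of undefinedhost is an assumption, since the guide defines undefinedhost only for pairs absent from the list.

```python
from dataclasses import dataclass
from typing import List, Tuple

ANY_IP = "0.0.0.0"               # ip 0.0.0.0 binds the MAC to any IP address
ANY_MAC = "00:00:00:00:00:00"    # mac 00:00:00:00:00:00 binds the IP to any MAC address


@dataclass
class Binding:
    """One config firewall ipmacbinding table entry (constructed model)."""
    ip: str
    mac: str
    name: str = "noname"
    status: str = "disable"      # enable | disable


@dataclass
class Settings:
    """config firewall ipmacbinding setting values (constructed model)."""
    bindthroughfw: str = "disable"
    bindtofw: str = "disable"
    undefinedhost: str = "block"   # allow | block


def _norm_mac(mac: str) -> str:
    """Compare MAC addresses case-insensitively and accept dash separators."""
    return mac.lower().replace("-", ":")


def ipmac_check(settings: Settings, table: List[Binding], pkt_ip: str, pkt_mac: str,
                to_firewall: bool) -> Tuple[str, str]:
    """Return ("allow"|"block", reason) for a packet on an interface with ipmac enabled.

    to_firewall=True means the packet is addressed to the FortiGate unit itself
    (bindtofw); False means it would traverse a firewall policy (bindthroughfw).
    """
    enforced = settings.bindtofw if to_firewall else settings.bindthroughfw
    if enforced != "enable":
        return "allow", "ip/mac binding not enforced for this direction"

    pkt_mac = _norm_mac(pkt_mac)
    ip_known = False
    for b in table:
        if b.status != "enable":
            continue                             # disabled rows are ignored
        ip_match = b.ip == ANY_IP or b.ip == pkt_ip
        mac_match = b.mac == ANY_MAC or _norm_mac(b.mac) == pkt_mac
        if ip_match and mac_match:
            return "allow", f"matched entry {b.name}"
        if b.ip == pkt_ip:
            ip_known = True

    # The IP is in the table but arrived with another MAC: the spoofing case
    # the guide describes. Blocking it regardless of undefinedhost is this
    # example's assumption (see the lead-in).
    if ip_known:
        return "block", "ip bound to a different mac (possible spoofing)"
    if settings.undefinedhost == "allow":
        return "allow", "undefined host allowed"
    return "block", "undefined host blocked"


# Values from the examples above, as constructed sample data.
EXAMPLE_SETTINGS = Settings(bindthroughfw="enable", bindtofw="enable", undefinedhost="allow")
EXAMPLE_TABLE = [Binding("205.33.44.55", "00:10:F3:04:7A:4C", "RemoteAdmin", "enable")]

if __name__ == "__main__":
    for ip, mac in [("205.33.44.55", "00:10:f3:04:7a:4c"),
                    ("205.33.44.55", "de:ad:be:ef:00:01"),
                    ("10.1.1.7", "de:ad:be:ef:00:02")]:
        print(ip, mac, ipmac_check(EXAMPLE_SETTINGS, EXAMPLE_TABLE, ip, mac, to_firewall=False))
```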

Command History
FortiOS v2.80 Revised.

Related Commands
• ipmacbinding setting

config firewall ippool
Use this command to add IP address pools to use for NAT mode policies. An IP pool (also called a
dynamic IP pool) is a range of IP addresses added to a firewall interface. Enable Dynamic IP Pool in a
firewall policy to translate the source address to an address randomly selected from the IP pool. To
use IP pools the IP pool interface must be the same as the firewall policy destination interface.
You can add an IP pool if you want to add NAT mode policies that translate source addresses to
addresses randomly selected from the IP pool rather than being limited to the IP address of the
destination interface. IP pools are only available in NAT/Route mode. You can add multiple IP pools to
any interface and configure the firewall policy to select the IP pool to use for that firewall policy.

Command syntax pattern


config firewall ippool
edit <id_integer>
set <keyword> <variable>
end
config firewall ippool
edit <id_integer>
unset <keyword>
end
config firewall ippool
delete <id_integer>
end
get firewall ippool [<id_integer>]
show firewall ippool [<id_integer>]

firewall ippool command keywords and variables


endip <address_ipv4>
    The end IP of the address range. The end IP must be higher than the start IP. The end IP must be
    on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0. Availability: All models.
interface <name_str>
    Add an IP pool with the specified start and end IP addresses to the named interface. On FortiGate
    models 200 and up the interface can also be a VLAN subinterface.
    Default: No default. Availability: All models.
startip <address_ipv4>
    The start IP of the address range. The start IP must be lower than the end IP. The start IP must
    be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0. Availability: All models.

Example
Use the following command to add an IP pool with these settings to the firewall configuration.
• ID number: 1
• interface name: internal
• start of IP address range: 192.168.1.100
• end of IP address range: 192.168.1.200
    config firewall ippool
        edit 1
            set startip 192.168.1.100
            set endip 192.168.1.200
            set interface internal
    end
This example shows how to display the settings for the firewall ippool command.
    get firewall ippool
This example shows how to display the settings for the id 1 IP pool.
    get firewall ippool 1
This example shows how to display the configuration for the firewall ippool command.
    show firewall ippool
This example shows how to display the configuration for the id 1 IP pool.
    show firewall ippool 1
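The keyword table states three constraints on a pool (start lower than end, both addresses on the subnet of the interface the pool is added to) that the CLI reference leaves to the administrator to get right. The following Python script is an added example, not part of the reference or of FortiOS: it checks candidate pool entries against those constraints, adds one check the table does not mention (two pools on the same interface must not overlap, or two NAT policies can hand out the same translated source address), and renders the CLI block shown above. The interface address table it consults is constructed sample data.

```python
"""Check 'config firewall ippool' entries before committing them.

Added example, not from the FortiGate CLI Reference or Fortinet. It enforces the
constraints the ippool keyword table states (startip lower than endip, both on the
subnet of the interface the pool is added to) and adds one check the table does not
mention: two pools on the same interface must not overlap, or two NAT policies can hand
out the same translated source address. The interface addresses are constructed sample
data, not a real configuration.
"""
import ipaddress

# Constructed sample: interface name -> that interface's IP address with netmask.
INTERFACE_ADDRESSES = {
    "internal": "192.168.1.99/24",
    "dmz": "10.10.10.1/24",
}


def validate_ippool(pool_id, interface, startip, endip, interfaces=INTERFACE_ADDRESSES):
    """Return the problems with one pool entry; an empty list means the entry is valid."""
    if interface not in interfaces:
        return [f"pool {pool_id}: unknown interface {interface!r}"]
    iface = ipaddress.ip_interface(interfaces[interface])
    start, end = ipaddress.ip_address(startip), ipaddress.ip_address(endip)
    problems = []
    if ipaddress.ip_address("0.0.0.0") in (start, end):
        problems.append(f"pool {pool_id}: startip or endip left at the 0.0.0.0 default")
    if not start < end:
        # The reference requires endip to be higher than startip.
        problems.append(f"pool {pool_id}: startip {start} must be lower than endip {end}")
    for label, addr in (("startip", start), ("endip", end)):
        if addr not in iface.network:
            problems.append(f"pool {pool_id}: {label} {addr} is not on the {interface} "
                            f"subnet {iface.network}")
    return problems


def check_pool_set(pools, interfaces=INTERFACE_ADDRESSES):
    """Validate a list of (id, interface, startip, endip) tuples and flag overlaps.

    Pools are sorted by interface and start address, so an overlap on one interface
    shows up as a pool whose startip is not above its predecessor's endip.
    """
    problems = []
    for pool in pools:
        problems.extend(validate_ippool(*pool, interfaces=interfaces))
    ordered = sorted(pools, key=lambda p: (p[1], ipaddress.ip_address(p[2])))
    for prev, cur in zip(ordered, ordered[1:]):
        same_interface = prev[1] == cur[1]
        if same_interface and ipaddress.ip_address(cur[2]) <= ipaddress.ip_address(prev[3]):
            problems.append(f"pool {cur[0]} ({cur[2]}-{cur[3]}) overlaps pool {prev[0]} "
                            f"({prev[2]}-{prev[3]}) on {cur[1]}")
    return problems


def ippool_cli(pool_id, interface, startip, endip):
    """Render the CLI block for one pool in the form the reference's example uses."""
    return "\n".join([
        "config firewall ippool",
        f"    edit {pool_id}",
        f"        set startip {startip}",
        f"        set endip {endip}",
        f"        set interface {interface}",
        "end",
    ])


if __name__ == "__main__":
    candidates = [
        (1, "internal", "192.168.1.100", "192.168.1.200"),   # the reference's example pool
        (2, "internal", "192.168.1.150", "192.168.1.250"),   # overlaps pool 1
        (3, "dmz", "192.168.1.10", "192.168.1.20"),          # wrong subnet for dmz
    ]
    for problem in check_pool_set(candidates):
        print("PROBLEM:", problem)
    print(ippool_cli(*candidates[0]))
```

Run the script as-is to see the overlap and wrong-subnet findings for the constructed candidates; only entries with no findings should be pasted into the CLI.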

Command History
FortiOS v2.80 Revised.

Related Commands
• policy


config firewall multicast-policy

multicast-policy
Use this command to configure source NAT for multicast traffic when multicast forwarding is enabled (see config system global, multicast-forward). When a forwarded (outgoing) IP multicast packet matches the policy's source and destination interfaces and addresses, its source IP address is changed to the configured nat address.

Command syntax pattern
    config firewall multicast-policy
        edit <id_integer>
            set <keyword> <variable>
    end
    config firewall multicast-policy
        edit <id_integer>
            unset <keyword>
    end
    config firewall multicast-policy
        delete <id_integer>
    end
    get firewall multicast-policy [<id_integer>]
    show firewall multicast-policy [<id_integer>]

firewall multicast-policy command keywords and variables

dstaddr <address_ipv4mask>
    Enter the destination IP address and netmask to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

dstintf <name_str>
    Enter the destination interface name to match against multicast NAT packets.
    Default: No default. Availability: All models.

nat <address_ipv4>
    Enter the IP address to substitute for the original source IP address.
    Default: 0.0.0.0. Availability: All models.

srcaddr <address_ipv4mask>
    Enter the source IP address and netmask to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

srcintf <name_str>
    Enter the source interface name to match against multicast NAT packets.
    Default: No default. Availability: All models.

Example
This example shows how to configure a multicast NAT policy.
    config firewall multicast-policy
        edit 1
            set dstaddr 10.0.0.1 255.255.255.0
            set dstintf dmz/ha
            set nat 10.0.1.1
            set srcaddr 192.168.100.12 255.255.255.0
            set srcintf internal
    end
This example shows how to display the settings for the firewall multicast-policy command.
    get firewall multicast-policy

This example shows how to display the settings for the id 1 multicast policy.
    get firewall multicast-policy 1
This example shows how to display the configuration for the firewall multicast-policy command.
    show firewall multicast-policy
This example shows how to display the configuration for the id 1 multicast policy.
    show firewall multicast-policy 1
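The example entry above matches on interfaces plus address/netmask pairs and rewrites the source with the nat address. The following Python script is an added example, not part of the reference or of FortiOS; it models that matching and rewrite so the effect of a netmask (including the example's host address 10.0.0.1 with a /24 mask, which matches the whole 10.0.0.0/24 range) can be checked offline. Two points are assumptions of the example, not statements from the reference: entries are tried in ascending id order with the first match winning, and the 0.0.0.0 default for nat leaves the source unchanged. The entries and packets are constructed sample data.

```python
"""Match forwarded multicast packets against 'config firewall multicast-policy' entries.

Added example, not from the FortiGate CLI Reference or Fortinet. It models how an
entry's srcintf, dstintf, srcaddr/netmask and dstaddr/netmask select a forwarded
multicast packet and how the nat keyword rewrites the packet's source IP. Two details
are assumptions of this example, not statements from the reference: entries are tried
in ascending id order with the first match winning, and the 0.0.0.0 default for nat
means the source address is left unchanged. The policy entries and packets below are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MulticastPolicy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str   # "address netmask" as typed in the CLI, e.g. "192.168.100.0 255.255.255.0"
    dstaddr: str   # the multicast group range, same notation
    nat: str       # replacement source IP; "0.0.0.0" (the CLI default) leaves it unchanged


def in_masked_range(ip, addr_and_mask):
    """True when ip is inside 'address netmask'. Host bits set in address are ignored, so
    the reference's example value '10.0.0.1 255.255.255.0' matches all of 10.0.0.0/24."""
    addr, mask = addr_and_mask.split()
    network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_address(ip) in network


def apply_multicast_nat(policies, srcintf, dstintf, src_ip, group_ip):
    """Return (id of the matching policy or None, source IP after translation)."""
    for policy in sorted(policies, key=lambda p: p.policy_id):
        if policy.srcintf != srcintf or policy.dstintf != dstintf:
            continue
        if not (in_masked_range(src_ip, policy.srcaddr)
                and in_masked_range(group_ip, policy.dstaddr)):
            continue
        translated = src_ip if policy.nat == "0.0.0.0" else policy.nat
        return policy.policy_id, translated
    return None, src_ip   # no policy matched: forwarded with the original source


# Constructed sample entries. Entry 1 mirrors the reference's example but uses a real
# multicast group range for dstaddr; entry 2 matches a wider source range without NAT.
SAMPLE_POLICIES = [
    MulticastPolicy(1, "internal", "dmz/ha",
                    "192.168.100.12 255.255.255.0", "239.1.1.0 255.255.255.0", "10.0.1.1"),
    MulticastPolicy(2, "internal", "dmz/ha",
                    "192.168.0.0 255.255.0.0", "239.0.0.0 255.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    for src, group in (("192.168.100.77", "239.1.1.5"),
                       ("192.168.7.9", "239.9.9.9"),
                       ("10.1.1.1", "239.1.1.5")):
        print(src, group, "->", apply_multicast_nat(SAMPLE_POLICIES, "internal", "dmz/ha", src, group))
```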

Command History
FortiOS v2.80 Revised.

Related Commands
• config system global, set multicast-forward


config firewall policy

policy
Use this command to add, edit, delete, or reorder firewall policies.
Firewall policies control all traffic passing through the FortiGate unit. Each policy is an instruction the FortiGate unit uses to decide what to do with a matching connection request: allow the connection, deny it, require authentication before it is allowed, or process the packets as IPSec VPN traffic. Policies are matched in the order they appear in the policy list, so use the move command to place more specific policies above more general ones.

Command syntax pattern
    config firewall policy
        edit <id_integer>
            set <keyword> <variable>
    end
    config firewall policy
        edit <id_integer>
            unset <keyword>
    end
    config firewall policy
        delete <id_integer>
    end
    config firewall policy
        move <id_integer> {after <id_integer> | before <id_integer>}
    end
    get firewall policy [<id_integer>]
    show firewall policy [<id_integer>]

firewall policy command keywords and variables

action {accept | deny | encrypt}
    Enter accept to accept packets that match the firewall policy. If you enter accept you can also require authentication for the policy by setting groups, enable or disable nat to make this a NAT policy (NAT/Route mode only), enable or disable ippool so that the NAT policy selects a source address for packets from a pool of IP addresses added to the destination interface, and enable or disable fixedport so that the NAT policy does not translate the packet source port.
    Enter deny to deny packets that match the firewall policy.
    Enter encrypt to configure the policy to be an encrypt policy for IPSec tunnels. If you enter encrypt you can also enable or disable inbound, natinbound, outbound, and natoutbound to control the VPN traffic allowed by the policy.
    Default: deny. Availability: All models.

comments <comment_str>
    Optionally add a description or other information about the policy. comment_str is limited to 63 characters. You can enclose the string in single quotes to enter special characters or spaces. For more information, see “Using single quotes to enter tabs or spaces in strings” on page 27.
    Default: No default. Availability: All models.

diffserv_forward {disable | enable}
    Enable or disable forward (original) Differentiated Services traffic for this policy.
    Default: disable. Availability: All models.

diffserv_reverse {disable | enable}
    Enable or disable reverse (reply) Differentiated Services traffic for this policy.
    Default: disable. Availability: All models.

diffservcode_forward <outbound_binary>
    Set the Differentiated Services Code Point (DSCP) value in the Diffserv field of outbound packets. The value is 6 bits binary. The valid range is 000000-111111.
    Default: 000000. Availability: All models; diffserv_forward enable only.

diffservcode_rev <reply_binary>
    Set the Differentiated Services Code Point (DSCP) value in the Diffserv field of reply packets. The value is 6 bits binary. The valid range is 000000-111111.
    Default: 000000. Availability: All models; diffserv_reverse enable only.

dstaddr <name_str>
    Enter the destination address for the policy. For a NAT policy you can also add a virtual IP. See “vip” on page 103. name_str is case-sensitive.
    Default: No default. Availability: All models.

dstintf <name_str>
    Enter the destination interface for the policy. The interface can be a physical interface, a VLAN subinterface or a zone. You cannot use an interface or VLAN subinterface for dstintf if the interface or VLAN subinterface has been added to a zone.
    Default: No default. Availability: All models.

fixedport {disable | enable}
    Prevent a NAT policy from translating the source port. Some applications do not function correctly if the source port is changed. If you enable fixedport, you should also enable IP pools. If you do not enable IP pools, a policy with fixedport can only allow one connection at a time for this port or service.
    Default: disable. Availability: All models; action accept only.

gbandwidth <bandwidth_integer>
    Guarantee the amount of bandwidth available for traffic controlled by the policy. bandwidth_integer can be 0 to 100000 Kbytes/second.
    Default: 0. Availability: All models; trafficshaping enabled.

groups <name_str>
    Enter one or more user group names for users that authenticate through this policy. Setting one or more groups enables authentication for the policy. When user groups are created, they are paired with protection profiles. The user group name is case-sensitive.
    Default: No default. Availability: All models; action accept only.

inbound {disable | enable}
    Enable inbound to allow inbound VPN tunnels that match this policy, or disable inbound to deny inbound tunnels that match this policy.
    Default: enable. Availability: All models; action encrypt only.

ippool {disable | enable}
    Configure a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy. Use IP pools if you must specify fixedport for a service or for dynamic NAT.
    Default: disable. Availability: All models; action accept and nat enabled.

logtraffic {disable | enable}
    Enable or disable recording traffic log messages for this policy.
    Default: disable. Availability: All models.

maxbandwidth <bandwidth_integer>
    Limit the maximum amount of bandwidth available for traffic controlled by the policy. bandwidth_integer can be 0 to 100000 Kbytes/second. If maximum bandwidth is set to 0, no traffic is allowed by the policy.
    Default: 100. Availability: All models; trafficshaping enabled.

nat {disable | enable}
    Configure the policy for network address translation (NAT). NAT translates the source address and the source port of packets accepted by the policy. If you enable NAT you can enable or disable ippool and fixedport.
    Default: disable. Availability: All models; action accept only.

natinbound {disable | enable}
    Enable or disable inbound NAT for VPN tunnels that match this policy.
    Default: disable. Availability: All models; action encrypt only.

natip <address_ipv4mask>
    Configure natip for a firewall policy with action set to encrypt and with outbound NAT (natoutbound) enabled. Specify the IP address and subnet mask to translate the source address of outgoing packets. Set natip for peer to peer VPNs to control outbound NAT IP address translation for outgoing VPN packets.
    If you do not use natip to translate IP addresses, the source addresses of outbound VPN packets are translated into the IP address of the FortiGate external interface. If you use natip, the FortiGate unit uses a static mapping scheme to translate the source addresses of VPN packets into corresponding IP addresses on the subnet that you specify. For example, if the source address in the encryption policy is 192.168.1.0/24 and the natip is 172.16.2.0/24, a source address of 192.168.1.7 is translated to 172.16.2.7.
    Default: 0.0.0.0 0.0.0.0. Availability: All models; encrypt policy with outbound NAT enabled.

natoutbound {disable | enable}
    Enable or disable outbound NAT for VPN tunnels that match this policy.
    Default: disable. Availability: All models; action encrypt only.

outbound {disable | enable}
    Enable outbound to allow outbound VPN tunnels that match this policy, or disable outbound to deny outbound tunnels that match this policy.
    Default: enable. Availability: All models; action encrypt only.

poolname <name_str>
    Enter the name of the IP pool to use for the policy. This keyword only appears if nat and ippool are enabled and the policy destination interface is the same as the IP pool interface.
    Default: No default. Availability: All models; nat and ippool enabled.

priority {high | low | medium}
    Set the priority for traffic controlled by the policy. The available settings are high for high priority traffic, medium for medium priority traffic, and low for low priority traffic.
    Default: high. Availability: All models; trafficshaping enabled.

profile <name_str>
    Enter the name of the protection profile to apply to the policy. name_str is case-sensitive.
    Default: No default. Availability: All models; profile_status enabled.

profile_status {disable | enable}
    Enable or disable using a protection profile for the policy.
    Default: disable. Availability: All models.

schedule <name_str>
    Enter the name of the one-time or recurring schedule to use for the policy. name_str is case-sensitive.
    Default: No default. Availability: All models.

service <name_str>
    Enter the name of the service to use for the policy. name_str is case-sensitive.
    Default: No default. Availability: All models.

srcaddr <name_str>
    Enter the source address for the policy. name_str is case-sensitive.
    Default: No default. Availability: All models.

srcintf <name_str>
    Enter the source interface for the policy. The interface can be a physical interface, a VLAN subinterface or a zone. You cannot use an interface or VLAN subinterface for srcintf if the interface or VLAN subinterface has been added to a zone.
    Default: No default. Availability: All models.

status {disable | enable}
    Enable or disable the policy.
    Default: enable. Availability: All models.

trafficshaping {disable | enable}
    Enable or disable traffic shaping. If you enable traffic shaping you can set gbandwidth, maxbandwidth, and priority.
    Default: disable. Availability: All models.

vpntunnel <name_str>
    Enter the name of the AutoIKE key or manual key tunnel for the IPSec policy. The VPN tunnel name is case-sensitive.
    Default: No default. Availability: All models; action encrypt only.

Example
On a FortiGate-100, 200, or 300, use the following example to add policy number 2 that allows users on the external network to access a web server on a DMZ network. The policy:
• Is for connections from the external interface (srcintf is external) to the DMZ interface (dstintf is dmz)
• Is enabled
• Allows users from any IP address on the Internet to access the web server (srcaddr is all)
• Allows access to an address on the DMZ network (dstaddr is dmz_web_server)
• Sets the schedule to Always so that users can access the web server 24 hours a day, seven days a week
• Sets the service to HTTP to limit access to the web server to HTTP connections
• Sets action to accept to allow connections
• Applies network address translation (nat is enabled)
• Applies traffic shaping to guarantee 100 Kbytes/second of bandwidth, to limit the maximum bandwidth to 500 Kbytes/second, and to set the priority for the traffic accepted by this policy to medium (trafficshaping enabled, gbandwidth set to 100, maxbandwidth set to 500, priority set to medium)

    config firewall policy
        edit 2
            set srcintf external
            set dstintf dmz
            set status enable
            set srcaddr all
            set dstaddr dmz_web_server
            set schedule Always
            set service HTTP
            set action accept
            set nat enable
            set trafficshaping enable
            set gbandwidth 100
            set maxbandwidth 500
            set priority medium
    end
This example shows how to display the settings for the firewall policy command.
    get firewall policy
This example shows how to display the settings for the id 2 policy.
    get firewall policy 2
This example shows how to display the configuration for the firewall policy command.
    show firewall policy
This example shows how to display the configuration for the id 2 policy.
    show firewall policy 2
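The keyword table ties several keywords to others: nat, ippool, fixedport and poolname to action accept, poolname to a pool on the policy's dstintf, natip to an encrypt policy with natoutbound, the inbound/outbound keywords to action encrypt, and the shaping values to trafficshaping. The following Python script is an added example, not part of the reference or of FortiOS; it lints a policy, written as a dict of keyword to value as typed after edit <id_integer>, against those dependencies and applies the static natip mapping described in the natip row. The IP pool table it consults is constructed sample data, and the requirement that the natip mask equal the policy source mask is an assumption of the example.

```python
"""Lint a 'config firewall policy' entry against the keyword dependencies in the reference.

Added example, not from the FortiGate CLI Reference or Fortinet. A policy is a plain dict
of keyword -> value, as typed after 'edit <id>'. check_policy() returns the problems a
reviewer would flag from the keyword table: NAT keywords on a non-accept policy, ippool
without nat, poolname whose pool sits on a different interface than dstintf, fixedport
without ippool, VPN-only keywords on a non-encrypt policy, shaping values without
trafficshaping, and maxbandwidth 0 (which the reference says blocks all traffic).
natip_translate() applies the static mapping the natip row describes. The IP pool table
is constructed sample data.
"""
import ipaddress

# Constructed sample of 'config firewall ippool' entries: pool name -> interface it is on.
IPPOOL_INTERFACES = {"dmz_pool": "dmz", "ext_pool": "external"}

ACCEPT_ONLY = ("nat", "ippool", "fixedport", "poolname", "groups")
ENCRYPT_ONLY = ("inbound", "outbound", "natinbound", "natoutbound", "natip", "vpntunnel")
SHAPING_ONLY = ("gbandwidth", "maxbandwidth", "priority")


def _enabled(policy, key):
    return policy.get(key) == "enable"


def check_policy(policy, pools=IPPOOL_INTERFACES):
    """Return a list of findings for one policy dict; an empty list means it is consistent."""
    findings = []
    action = policy.get("action", "deny")   # deny is the keyword's default
    if action != "accept":
        for key in ACCEPT_ONLY:
            if key in policy:
                findings.append(f"{key} is only meaningful with action accept (action is {action})")
    if action != "encrypt":
        for key in ENCRYPT_ONLY:
            if key in policy:
                findings.append(f"{key} is only meaningful with action encrypt (action is {action})")
    if _enabled(policy, "ippool") and not _enabled(policy, "nat"):
        findings.append("ippool requires nat enable")
    if _enabled(policy, "fixedport") and not _enabled(policy, "ippool"):
        findings.append("fixedport without ippool limits the policy to one connection per port")
    if "poolname" in policy:
        if not (_enabled(policy, "nat") and _enabled(policy, "ippool")):
            findings.append("poolname only appears when nat and ippool are enabled")
        pool_if = pools.get(policy["poolname"])
        if pool_if is None:
            findings.append(f"poolname {policy['poolname']!r} does not match any IP pool")
        elif pool_if != policy.get("dstintf"):
            findings.append(f"IP pool {policy['poolname']} is on {pool_if}, "
                            f"but dstintf is {policy.get('dstintf')}")
    if "natip" in policy and not _enabled(policy, "natoutbound"):
        findings.append("natip requires natoutbound enable")
    if not _enabled(policy, "trafficshaping"):
        for key in SHAPING_ONLY:
            if key in policy:
                findings.append(f"{key} is ignored unless trafficshaping is enabled")
    elif str(policy.get("maxbandwidth", "100")) == "0":
        findings.append("maxbandwidth 0 allows no traffic through this policy")
    return findings


def natip_translate(src_ip, policy_srcaddr, natip):
    """Apply the static natip mapping: keep the host part of src_ip, swap in the natip network.

    policy_srcaddr and natip are 'address netmask' strings as the CLI takes them. The
    reference's example: 192.168.1.7 under srcaddr 192.168.1.0 255.255.255.0 and natip
    172.16.2.0 255.255.255.0 becomes 172.16.2.7. Equal masks are an assumption here.
    """
    src_net = ipaddress.ip_network(policy_srcaddr.replace(" ", "/"), strict=False)
    nat_net = ipaddress.ip_network(natip.replace(" ", "/"), strict=False)
    if src_net.prefixlen != nat_net.prefixlen:
        raise ValueError("natip mask must match the policy source address mask")
    addr = ipaddress.ip_address(src_ip)
    if addr not in src_net:
        raise ValueError(f"{src_ip} is not covered by the policy source {src_net}")
    host_bits = int(addr) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(nat_net.network_address) | host_bits))


if __name__ == "__main__":
    # The reference's example policy 2, plus an ippool/poolname pair on the wrong interface.
    policy = {"srcintf": "external", "dstintf": "dmz", "status": "enable", "srcaddr": "all",
              "dstaddr": "dmz_web_server", "schedule": "Always", "service": "HTTP",
              "action": "accept", "nat": "enable", "ippool": "enable", "poolname": "ext_pool",
              "trafficshaping": "enable", "gbandwidth": "100", "maxbandwidth": "500",
              "priority": "medium"}
    for finding in check_policy(policy):
        print("FINDING:", finding)
    print(natip_translate("192.168.1.7", "192.168.1.0 255.255.255.0", "172.16.2.0 255.255.255.0"))
```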

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Replaced usrgrp keyword with userdomain.
Added poolname keyword.
FortiOS v2.80 MR3 Removed userdomain keyword.
Added groups keyword.
FortiOS v2.80 MR6 Removed authentication keyword. Authentication is automatically enabled for a policy when one or more user groups are set with the groups keyword.

Related Commands
• config firewall address
• config firewall profile
• config firewall schedule onetime
• config firewall schedule recurring
• config firewall service custom
• config firewall service group


config firewall profile

profile
Use this command to add, edit or delete protection profiles. Use protection profiles to apply different
protection settings for traffic controlled by firewall policies.

Command syntax pattern
    config firewall profile
        edit <profilename_str>
            set <keyword> <variable>
    end
    config firewall profile
        edit <profilename_str>
            unset <keyword>
    end
    config firewall profile
        delete <profilename_str>
    end
    get firewall profile [<profilename_str>]
    show firewall profile [<profilename_str>]

firewall profile command keywords and variables

cat_allow <cat_integer> [-<cat_integer> [-<cat_integer>]]
    You must subscribe to a web filtering service (FortiGuard or Cerberian) to use category blocking. See “config webfilter catblock” on page 342.
    Enter set cat_allow ? at the prompt to view the list of categories and category groups. Categories are organized into groups to make selection easier. Enter one or more integers representing the categories or groups of web pages you want to allow. Use a hyphen to separate the integers or groups.
    To delete entries you must use the unset command to delete the entire list.
    Default: All categories not specified as deny or monitor. Availability: All models.

cat_deny <cat_integer> [-<cat_integer> [-<cat_integer>]]
    Enter set cat_deny ? at the prompt to view the list of categories and category groups. Categories are organized into groups to make selection easier. Enter one or more integers representing the categories or groups of web pages you want to block. Use a hyphen to separate the integers.
    To delete entries you must use the unset command to delete the entire list.
    Default: No default. Availability: All models.

cat_monitor <cat_integer> [-<cat_integer> [-<cat_integer>]]
    Enter set cat_monitor ? at the prompt to view the list of categories and category groups. Categories are organized into groups to make selection easier. Enter one or more integers representing the categories or groups of web pages you want to monitor. Use a hyphen to separate the integers.
    To delete entries you must use the unset command to delete the entire list.
    Default: No default. Availability: All models.

cat_options {error_allow http_err_detail rate_image_urls unrated_block}
    Select the options for category blocking.
    • Enter error_allow to allow web pages with a rating error to pass through.
    • Enter http_err_detail to display a replacement message for 4xx and 5xx HTTP errors. If the error is allowed through, malicious or objectionable sites could use these common error pages to circumvent web category blocking.
    • Enter rate_image_urls to block images rated by FortiGuard. FortiGuard rates images based on the URL of the image. Images that should be blocked are replaced with a blank image on the original web page. FortiGuard has ratings for gif, jpeg, tiff, png, and bmp images.
    • Enter unrated_block to block web pages that have not been rated by the web filtering service.
    Enter all the options you want this profile to use, separated by spaces. To add or remove an option, retype the whole list with the option added or removed.
    Default: No default. Availability: All models.

ftp {block content-archive no-content-summary oversize quarantine scan splice}
    Select the actions that this profile uses for filtering FTP traffic for a policy.
    • Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    • Enter content-archive to enable archiving of FTP content meta-information to a FortiLog appliance.
    • Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, and http categories.
    • Enter oversize to enable blocking files that are over the file size threshold.
    • Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    • Enter scan to enable scanning files for viruses and worms.
    • Enter splice (enabled by default) to have the FortiGate unit simultaneously buffer a file for scanning and upload it to the FTP server. If a virus is detected, the FortiGate unit stops the upload, attempts to delete the partial file from the FTP server, and displays a replacement message for the user. To delete the file successfully, the server permissions must allow deletes. When downloading files from an FTP server the FortiGate unit sends 1 byte every 30 seconds to prevent the client from timing out during scanning and download. If a virus is detected, the FortiGate unit stops the download and displays a replacement message for the user. The user must then delete the partially downloaded file; this partial file is harmless. Enabling splice reduces timeouts when uploading and downloading large files. When splice is disabled for ftp, the FortiGate unit buffers the whole file for scanning before uploading it to the FTP server; if the file is clean, the FortiGate unit allows the upload or download to continue.
    Enter all the actions you want this profile to use, separated by spaces. To add or remove an action, retype the whole list with the action added or removed.
    Default: splice. Availability: All models.

http {bannedword block catblock chunkedbypass content-archive no-content-summary oversize quarantine rangeblock scan scriptfilter urlblock urlexempt}
    Select the actions that this profile uses for filtering HTTP traffic for a policy.
    • Enter bannedword to enable web content blocking based on the banned word list.
    • Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    • Enter catblock to enable web category blocking.
    • Enter chunkedbypass to allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message body is altered to allow it to be transferred in a series of chunks. Use this feature at your own risk: malicious content could enter your network if you allow web content to bypass the firewall.
    • Enter content-archive to enable archiving of HTTP content meta-information to a FortiLog appliance.
    • Enter no-content-summary to disable displaying a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, and http categories.
    • Enter oversize to enable blocking files that are over the large file size limit.
    • Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    • Enter rangeblock to block downloading parts of a file that have already been partially downloaded. Enabling this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed, and enabling this option can cause download interruptions.
    • Enter scan to enable scanning files for viruses and worms.
    • Enter scriptfilter to enable web script filtering.
    • Enter urlblock to enable URL blocking.
    • Enter urlexempt to enable URL exempt filtering.
    Enter all the actions you want this profile to use, separated by spaces. To add or remove an action, retype the whole list with the action added or removed.
    Default: No default. Availability: All models.

http_retry_count <retry_integer>
    Define the number of times to retry establishing an HTTP connection when the connection fails on the first try. This allows the web proxy to repeat the connection attempt on behalf of the browser if the server refuses the connection the first time, which reduces the number of hang-ups or page not found errors for busy web servers. The default of 0 (zero) disables this feature.
    Default: 0. Availability: All models.

imap {bannedword block content-archive fragmail no-content-summary oversize quarantine scan spamemailbwl spamfsip spamfsurl spamhdrcheck spamraddrdns spamrbl}
    Select the actions that this profile uses for filtering IMAP traffic for a policy.
    • Enter bannedword to enable email content blocking based on the banned word list.
    • Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    • Enter content-archive to enable archiving of IMAP content meta-information to a FortiLog appliance.
    • Enter fragmail to enable blocking fragmented email messages.
    • Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, and http categories.
    • Enter oversize to enable blocking files that are over the large file size limit.
    • Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    • Enter scan to enable scanning files for viruses and worms.
    • Enter spamemailbwl to enable filtering based on the email address list.
    • Enter spamfsip to enable the FortiShield spam filtering IP address blacklist.
    • Enter spamfsurl to enable the FortiShield spam filtering URL blacklist.
    • Enter spamhdrcheck to enable filtering based on the MIME header list.
    • Enter spamraddrdns to enable filtering based on the return e-mail address DNS check.
    • Enter spamrbl to enable checking traffic against configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Enter all the actions you want this profile to use, separated by spaces. To add or remove an action, retype the whole list with the action added or removed.
    Default: fragmail. Availability: All models.

imap_spamaction {pass | tag}
    Select the action that this profile uses for filtered IMAP email.
    • Enter pass to disable spam filtering for IMAP traffic.
    • Enter tag to enable tagging spam email with the text configured using the imap_spamtagmsg keyword, at the location set using the imap_spamtagtype keyword.
    Default: tag. Availability: All models.

imap_spamtagmsg <message_str>
    Enter the subject text or MIME header text with which to tag spam messages. A tag of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
    Default: Spam. Availability: All models.

imap_spamtagtype {header | subject}
    Enter the location for the spam tag. The spam tag can be added to the MIME header or to the email subject.
    Default: subject. Availability: All models.

ips {anomaly signature}
    Select the IPS checks that this profile applies to traffic for a policy.
    • Enter anomaly to enable filtering traffic based on the IPS anomaly list.
    • Enter signature to enable filtering traffic based on the IPS signature list.
    Enter all the options you want this profile to use, separated by spaces. To add or remove an option, retype the whole list with the option added or removed.
    Default: No default. Availability: All models.

mail_sig <signature_str>
    Enter a signature to add to outgoing email. A signature of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
    Default: No default. Availability: All models.

mailsig-status {disable | enable}
    Enable or disable adding a signature to outgoing email.
    Default: disable. Availability: All models.

pop3 {bannedword block content-archive fragmail no-content-summary oversize quarantine scan spamemailbwl spamfsip spamfsurl spamhdrcheck spamraddrdns spamrbl}
    Select the actions that this profile uses for filtering POP3 traffic for a policy.
    • Enter bannedword to enable email content blocking based on the banned word list.
    • Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    • Enter content-archive to enable archiving of POP3 content meta-information to a FortiLog appliance.
    • Enter fragmail to enable blocking of fragmented email messages.
    • Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, and http categories.
    • Enter oversize to enable blocking files that are over the large file size limit.
    • Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    • Enter scan to enable scanning files for viruses and worms.
    • Enter spamemailbwl to enable filtering based on the email address list.
    • Enter spamfsip to enable the FortiShield spam filtering IP address blacklist.
    • Enter spamfsurl to enable the FortiShield spam filtering URL blacklist.
    • Enter spamhdrcheck to enable filtering based on the MIME header list.
    • Enter spamraddrdns to enable filtering based on the return e-mail address DNS check.
    • Enter spamrbl to enable checking traffic against configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    Enter all the actions you want this profile to use, separated by spaces. To add or remove an action, retype the whole list with the action added or removed.
    Default: fragmail. Availability: All models.

pop3_spamaction {pass | tag}
    Select the action that this profile uses for filtered POP3 email.
    • Enter pass to disable spam filtering for POP3 traffic.
    • Enter tag to enable tagging spam email with the text configured using the pop3_spamtagmsg keyword, at the location set using the pop3_spamtagtype keyword.
    Default: tag. Availability: All models.

pop3_spamtagmsg <message_str>
    Enter the subject text or MIME header text to add to spam. A tag of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
    Default: Spam. Availability: All models.

pop3_spamtagtype {header | subject}
    Select the location for the spam tag. The spam tag can be added to the MIME header or to the email subject.
    Default: subject. Availability: All models.

smtp {bannedword block content-archive fragmail no-content-summary oversize quarantine scan spamemailbwl spamfsip spamfsurl spamhdrcheck spamhelodns spamipbwl spamraddrdns spamrbl splice}
    Select the actions that this profile uses for filtering SMTP traffic for a policy.
    • Enter bannedword to enable email content blocking based on the banned word list.
    • Enter block to enable deleting files with blocked file patterns even if the files do not contain viruses.
    • Enter content-archive to enable archiving of SMTP content meta-information to a FortiLog appliance.
    • Enter fragmail to enable blocking of fragmented email messages.
    • Enter no-content-summary to disable storing a content log summary, which contains statistics since bootup/reset and the most recent content logs split into email, ftp, and http categories.
    • Enter oversize to enable blocking files that are over the large file size limit.
    • Enter quarantine to enable quarantining files that contain viruses. This feature is available for FortiGate units that contain a hard disk.
    • Enter scan to enable scanning files for viruses and worms.
    • Enter spamemailbwl to enable filtering based on the email address list.
    • Enter spamfsip to enable the FortiShield spam filtering IP address blacklist.
    • Enter spamfsurl to enable the FortiShield spam filtering URL blacklist.
    • Enter spamhdrcheck to enable filtering based on the MIME header list.
    • Enter spamhelodns to enable filtering email based on the HELO/EHLO domain DNS check.
    • Enter spamipbwl to enable filtering email based on the source IP or subnet address.
    • Enter spamraddrdns to enable filtering based on the return e-mail address DNS check.
    • Enter spamrbl to enable checking traffic against configured DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers.
    • Enter splice (enabled by default, and enabled automatically when scan is enabled) to have the FortiGate unit scan an email while simultaneously sending it to the SMTP server. If the FortiGate unit detects a virus, it terminates the server connection and returns an error message to the sender listing the virus name and infected file name; the recipient receives neither the email nor the attachment. Because the message is already in transit, infected email cannot be tagged, only discarded by the SMTP server, so with splice enabled you cannot select any Spam Action except Discard for SMTP spam. Throughput is higher when splice is enabled. When splice is disabled for SMTP, the FortiGate unit removes infected attachments and forwards the email (without the attachment) to the SMTP server for delivery to the recipient.
    Enter all the actions you want this profile to use, separated by spaces. To add or remove an action, retype the whole list with the action added or removed.
    Default: fragmail splice. Availability: All models.

smtp_spamaction {discard | pass | tag}
    Select the action that this profile uses for filtered SMTP email. You can enter discard, pass, or tag. Tag allows you to append a custom tag to the subject or header of email identified as spam. If you have scan or splice enabled, the FortiGate unit can only discard spam email. Discard immediately drops the connection. Without splice or scanning enabled, you can choose to discard, pass, or tag SMTP spam.
    • Enter discard to enable deleting email identified as spam.
    • Enter pass to disable spam filtering for SMTP traffic.
    • Enter tag to enable tagging spam email with text configured using the smtp_spamtagmsg keyword and the location set using the smtp_spamtagtype keyword.
    Default: discard. Availability: All models.
smtp_spamtagmsg <message_str>
    Enter the subject text or MIME header text added to spam email. A tag of more than one word (a phrase) must be enclosed in single quotes to be accepted by the CLI.
    Default: Spam. Availability: All models.
smtp_spamtagtype {header | subject}
    Enter the location for the spam tag. The spam tag can be added to the MIME header, or to the email Subject header.
    Default: subject. Availability: All models.

Example
This example shows how to:
• create a profile called spammail
• enable filtering of email according to the email address list, the MIME header list, and the return DNS check, and tag spam with the tag “Spam” in the subject for POP3 traffic
• enable filtering of email based on the DNSBL server, and discard messages identified as spam for SMTP traffic
(The log variable was removed from pop3_spamaction and smtp_spamaction in FortiOS v2.80 MR2; see the Command History below.)
config firewall profile
edit spammail
set pop3 spamemailbwl spamhdrcheck spamraddrdns
set pop3_spamaction tag
set pop3_spamtagmsg Spam
set pop3_spamtagtype subject
set smtp spamrbl
set smtp_spamaction discard
end

This example shows how to:
• add HTTP category blocking to the spammail profile created above
• configure category blocking to deny access to web pages categorized as Games (20),
Personals and Dating (37), Shopping and Auction (42) and the category group Objectionable or
Controversial (g02)
• configure category monitoring to monitor access to web pages categorized as Computer
Security (50) and the category group Potentially Bandwidth Consuming (g04)
config firewall profile
edit spammail
set cat_deny 20-37-42-g02
set cat_monitor 50-g04
end
This example shows how to display the settings for the firewall profile command.
get firewall profile
This example shows how to display the settings for the spammail profile.
get firewall profile spammail
This example shows how to display the configuration for the firewall profile command.
show firewall profile
This example shows how to display the configuration for the spammail profile.
show firewall profile spammail

Command History
FortiOS v2.80: Substantially revised.
FortiOS v2.80 MR2: Removed log variable from imap_spamaction, pop3_spamaction, and smtp_spamaction keywords.
FortiOS v2.80 MR3: Added splice variable to ftp and smtp keywords. Moved from config antivirus ftp service and config antivirus smtp service. Added chunkedbypass variable to http keyword.
FortiOS v2.80 MR5: Added http_err_detail to cat_options keyword.
FortiOS v2.80 MR6: Removed buffer_to_disk variable from ftp, http, imap, pop3, and smtp keywords. Added spamfeip variable to imap, pop3, and smtp keywords. Changed content_log variable to content-archive for ftp, http, imap, pop3, and smtp keywords.
FortiOS v2.80 MR7: Changed spamfeip variable to spamfsip for the FortiShield Antispam Service. Added no-content-summary variable to ftp, http, imap, pop3, and smtp keywords.
FortiOS v2.80 MR8: Added spamfsurl for the FortiShield spam filter URL blacklist to imap, pop3, and smtp keywords. Added the rate_image_urls setting to the cat_options keyword.

Related Commands
• policy
• config alertemail
• config spamfilter
• config antivirus
• config ips
• config webfilter

config firewall schedule onetime

schedule onetime
Use this command to add, edit, or delete one-time schedules.
Use scheduling to control when policies are active or inactive. You can use one-time schedules for
policies that are effective once for the period of time specified in the schedule.

Note: To edit a schedule, you must redefine the entire schedule, including your changes. This means entering all
of the schedule parameters, both those that are changing and those that are not.

Command syntax pattern


config firewall schedule onetime
edit <name_str>
set <keyword> <variable> <variable>
end
config firewall schedule onetime
edit <name_str>
unset <keyword>
end
config firewall schedule onetime
delete <name_str>
end
get firewall schedule onetime [<name_str>]
show firewall schedule onetime [<name_str>]

firewall schedule onetime command keywords and variables

end <hh:mm> <yyyy/mm/dd>
    The ending day and time of the schedule.
    • hh - 00 to 23
    • mm (minutes) - 00, 15, 30, or 45
    • yyyy - 1992 to infinity
    • mm (month) - 01 to 12
    • dd - 01 to 31
    Default: No default. Availability: All models.
start <hh:mm> <yyyy/mm/dd>
    The starting day and time of the schedule.
    • hh - 00 to 23
    • mm (minutes) - 00, 15, 30, or 45
    • yyyy - 1992 to infinity
    • mm (month) - 01 to 12
    • dd - 01 to 31
    Default: No default. Availability: All models.

Example
Use the following example to add a one-time schedule named Holiday that is valid from 5:00 pm on
3 September 2004 until 8:45 am on 7 September 2004.
config firewall schedule onetime
edit Holiday
set start 17:00 2004/09/03
set end 08:45 2004/09/07
end
This example shows how to display the settings for the firewall schedule onetime command.
get firewall schedule onetime
This example shows how to display the settings for the Holiday onetime schedule.
get firewall schedule onetime Holiday
This example shows how to display the configuration for the firewall schedule onetime
command.
show firewall schedule onetime
This example shows how to display the configuration for the Holiday onetime schedule.
show firewall schedule onetime Holiday

Command History
FortiOS v2.80 Revised.

Related Commands
• policy
• schedule recurring

config firewall schedule recurring

schedule recurring
Use this command to add, edit and delete recurring schedules used in firewall policies.
Use scheduling to control when policies are active or inactive. Use recurring schedules to create
policies that repeat weekly. You can use recurring schedules to create policies that are effective only
at specified times of the day or on specified days of the week.

Note: If you create a recurring schedule with a stop time that occurs before the start time, the schedule starts at
the start time and finishes at the stop time on the next day. You can use this technique to create recurring
schedules that run from one day to the next. You can also create a recurring schedule that runs for 24 hours by
setting the start and stop times to the same time.

Command syntax pattern


config firewall schedule recurring
edit <name_str>
set <keyword> <variable>
end
config firewall schedule recurring
edit <name_str>
unset <keyword>
end
config firewall schedule recurring
delete <name_str>
end
get firewall schedule recurring [<name_str>]
show firewall schedule recurring [<name_str>]

firewall schedule recurring command keywords and variables

day <name_str>
    Enter the names of one or more days of the week for which the schedule is valid. Separate names by a space.
    Default: No default. Availability: All models.
end <hh:mm>
    The ending time of the schedule.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45 only
    Default: 00:00. Availability: All models.
start <hh:mm>
    The starting time of the schedule.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45 only
    Default: 00:00. Availability: All models.
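Checking by hand whether a schedule covers a given moment is error-prone, especially with the overnight wrap and the 24-hour case described in the note above. The following added example (not Fortinet's code) models the recurring schedule semantics of this section and the onetime schedule of the preceding one, validating hh:mm values against the ranges the tables give; it assumes the active window is half-open (the stop time itself is not included), which the guide does not state.

```python
from datetime import datetime

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
VALID_MINUTES = (0, 15, 30, 45)  # the CLI accepts only these mm values


def parse_hhmm(text):
    """Parse hh:mm into minutes since midnight, enforcing the table's ranges."""
    hh, mm = text.split(":")
    hour, minute = int(hh), int(mm)
    if not 0 <= hour <= 23:
        raise ValueError(f"hour out of range in {text!r}")
    if minute not in VALID_MINUTES:
        raise ValueError(f"minutes must be 00, 15, 30 or 45 in {text!r}")
    return hour * 60 + minute


def is_valid_hhmm(text):
    """Boolean wrapper around parse_hhmm for quick validation."""
    try:
        parse_hhmm(text)
        return True
    except ValueError:
        return False


class RecurringSchedule:
    """Models 'config firewall schedule recurring' (added example, not Fortinet code).
    Assumption: the window is half-open, active from start up to but not including end."""

    def __init__(self, name, days, start="00:00", end="00:00"):
        self.name = name
        self.days = set(d.lower() for d in days)
        unknown = self.days - set(DAYS)
        if unknown:
            raise ValueError(f"unknown day name(s): {sorted(unknown)}")
        self.start = parse_hhmm(start)
        self.end = parse_hhmm(end)

    def is_active(self, when):
        """True if the schedule is active at datetime 'when'."""
        minute_of_day = when.hour * 60 + when.minute
        today = DAYS[when.weekday()]
        yesterday = DAYS[(when.weekday() - 1) % 7]
        if self.start == self.end:
            # Equal start and stop times: the schedule runs 24 hours on each listed day.
            return today in self.days
        if self.start < self.end:
            # Ordinary window within one day.
            return today in self.days and self.start <= minute_of_day < self.end
        # Stop before start: runs from start today until stop on the following day,
        # so early-morning times count if the schedule started the previous day.
        started_today = today in self.days and minute_of_day >= self.start
        carried_over = yesterday in self.days and minute_of_day < self.end
        return started_today or carried_over


class OnetimeSchedule:
    """Models 'config firewall schedule onetime': one absolute start/end window."""

    FORMAT = "%H:%M %Y/%m/%d"  # matches 'set start 17:00 2004/09/03'

    def __init__(self, name, start, end):
        self.name = name
        self.start = self._parse(start)
        self.end = self._parse(end)
        if self.end <= self.start:
            raise ValueError(f"{name}: end must be after start")

    @classmethod
    def _parse(cls, text):
        parse_hhmm(text.split(" ")[0])  # reuse the hh:mm constraints
        value = datetime.strptime(text, cls.FORMAT)
        if value.year < 1992:  # yyyy is 1992 or later per the table
            raise ValueError(f"year before 1992 in {text!r}")
        return value

    def is_active(self, when):
        return self.start <= when < self.end
```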

Example
This example shows how to add a recurring schedule named access so that it is valid Monday to
Friday from 7:45 am to 5:30 pm.
config firewall schedule recurring
edit access
set day monday tuesday wednesday thursday friday
set start 07:45
set end 17:30
end
Edit the recurring schedule named access so that it is no longer valid on Fridays.
config firewall schedule recurring
edit access
set day monday tuesday wednesday thursday
set start 07:45
set end 17:30
end
This example shows how to display the settings for the firewall schedule recurring
command.
get firewall schedule recurring
This example shows how to display the settings for the access recurring schedule.
get firewall schedule recurring access
This example shows how to display the configuration for the firewall schedule recurring
command.
show firewall schedule recurring
This example shows how to display the configuration for the access recurring schedule.
show firewall schedule recurring access

Command History
FortiOS v2.80 Revised.

Related Commands
• policy
• schedule onetime

config firewall service custom

service custom
Use this command to add, edit, or delete custom firewall services.
Add a custom service if you need to create a policy for a service that is not in the predefined service
list.

Command syntax pattern


config firewall service custom
edit <name_str>
set <keyword> <variable>
end
config firewall service custom
edit <name_str>
unset <keyword>
end
config firewall service custom
delete <name_str>
end
get firewall service custom [<name_str>]
show firewall service custom [<name_str>]

firewall service custom command keywords and variables

dstport <lowport_integer-highport_integer>
    Enter the destination port range for the service. If the destination port range can be any port, enter 1-65535. To specify a single port, enter the same port number for lowport_integer and highport_integer. For example, if the single port is 5003, enter 5003-5003.
    Default: No default. Availability: All models. TCP and UDP only.
srcport <lowport_integer-highport_integer>
    Enter the source port range for the service. If the source port range can be any port, enter 1-65535. To specify a single port, enter the same port number for lowport_integer and highport_integer. For example, if the single port is 5003, enter 5003-5003.
    Default: No default. Availability: All models. TCP and UDP only.
icmpcode <code_integer>
    Enter the ICMP code number. You can find ICMP type and code numbers at www.iana.org.
    Default: No default. Availability: All models. ICMP only.
icmptype <type_integer>
    Enter the ICMP type number. The range for type_integer is from 0-255. You can find ICMP type and code numbers at www.iana.org.
    Default: No default. Availability: All models. ICMP only.
protocol {ICMP | IP | TCP | UDP}
    Enter the protocol used by the service.
    Default: No default. Availability: All models.
protocol-number <protocol_integer>
    Enter the Internet protocol number. You can find Internet protocol numbers at www.iana.org.
    Default: No default. Availability: All models. IP only.

Example
This example shows how to add a custom service called Custom_1. The service can use any source
port. The service destination port range is TCP 4501 to 4503.
config firewall service custom
edit Custom_1
set protocol TCP
set srcport 1-65535
set dstport 4501-4503
end
This example shows how to display the settings for the firewall service custom command.
get firewall service custom
This example shows how to display the settings for the Custom_1 service.
get firewall service custom Custom_1
This example shows how to display the configuration for the firewall service custom
command.
show firewall service custom
This example shows how to display the configuration for the Custom_1 service.
show firewall service custom Custom_1

Command History
FortiOS v2.80 Revised.

Related Commands
• policy

service group
Use this command to add, edit, or delete firewall service groups.
To make it easier to add policies, you can create groups of services and then add one policy to provide
or block access for all the services in the group. A service group can contain predefined services and
custom services in any combination. You cannot add service groups to another service group.

Note: To edit a service group, you must enter all of the members of the service group, both those you are
changing and those that are staying the same.

Command syntax pattern


config firewall service group
edit <group-name_str>
set <keyword> <variable>
end
config firewall service group
edit <group-name_str>
unset <keyword>
end
config firewall service group
delete <group-name_str>
end
get firewall service group [<group-name_str>]
show firewall service group [<group-name_str>]

firewall service group command keywords and variables

member <service-name_str> [<service-name_str> [<service-name_str> ...]]
    Enter the names, separated by spaces, of the predefined and custom firewall services to add to the service group. To view the list of available services enter set member ? at the prompt. <service-name_str> is case-sensitive.
    Default: No default. Availability: All models.

Example
This example shows how to add a service group called web_Services that includes the FTP, HTTP,
HTTPS, and Real Audio services.
config firewall service group
edit web_Services
set member FTP HTTP HTTPS RAUDIO
end
This example shows how to add the TELNET service to the web_Services service group.
config firewall service group
edit web_Services
set member FTP HTTP HTTPS RAUDIO TELNET
end

This example shows how to display the settings for the firewall service group command.
get firewall service group
This example shows how to display the settings for the web_Services service group.
get firewall service group web_Services
This example shows how to display the configuration for the firewall service group command.
show firewall service group
This example shows how to display the configuration for the web_Services service group.
show firewall service group web_Services

Command History
FortiOS v2.80 Revised.

Related Commands
• policy

config firewall vip

vip
Use this command to add, edit, or delete virtual IPs. You can add static NAT virtual IPs or port
forwarding virtual IPs.
Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall
policies. If a VIP is included in a policy, it cannot be deleted unless it is first removed from the policy.
Use virtual IPs to provide access to IP addresses on a destination network that are hidden from the
source network by NAT security policies. To allow connections between these networks, you must
create a mapping between an address on the source network and the real address on the destination
network. This mapping is called a virtual IP.
You can create two types of virtual IPs:

Static NAT
    Used to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.
Port Forwarding
    Used to translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.

Note: Virtual IPs are not available in transparent mode.

Command syntax pattern


config firewall vip
edit <name_str>
set <keyword> <variable>
end
config firewall vip
edit <name_str>
unset <keyword>
end
config firewall vip
delete <name_str>
end
get firewall vip [<name_str>]
show firewall vip [<name_str>]

firewall vip command keywords and variables

extintf <name_str>
    The name of the interface connected to the source network that receives the packets to be forwarded to the destination network. On FortiGate models numbered 200 and up <name_str> can be the name of an interface or VLAN subinterface.
    Default: No default. Availability: All models.
extip <address_ipv4>
    The external IP address to be mapped to an address on the destination network.
    For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server.
    For a static NAT virtual IP, this address must be a unique address that is not used by another host and cannot be the same as the IP address of the extintf <name_str>. However, this address must be routed to this interface.
    For a port forwarding virtual IP, this address can be any IP address including the IP address of the extintf <name_str>.
    If the IP address of extintf <name_str> is set using PPPoE or DHCP, extip <address_ipv4> can be 0.0.0.0. The FortiGate unit substitutes the IP address set for this interface using PPPoE or DHCP. The virtual IP address and the external IP address can be on different subnets.
    Default: 0.0.0.0. Availability: All models.
extport <port_integer>
    The external service port number for which to configure port forwarding. Required for port forwarding virtual IPs. Not required for static NAT virtual IPs. The external port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a web server, the external service port number would be 80 (the HTTP port).
    Default: 0. Availability: All models. type portforward only.
mappedip <address_ipv4>
    The real IP address in the more secure network or zone to which to map the external IP address.
    Default: 0.0.0.0. Availability: All models.
mappedport <port_integer>
    Enter mappedport <port_integer> if you want the port forwarding virtual IP to translate the destination port to a different port number. You only have to specify the mappedport if you want to translate the port.
    Default: 0. Availability: All models. type portforward only.
protocol {tcp | udp}
    The protocol, TCP or UDP, to be used by the forwarded packets.
    Default: tcp. Availability: All models.
type {portforward | staticnat}
    The type of virtual IP to add or edit. Enter portforward to add or edit a port forwarding virtual IP. Enter staticnat to add or edit a static NAT virtual IP.
    Default: staticnat. Availability: All models.
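The difference between the two VIP types is easiest to see on a concrete packet. The following added example (not Fortinet's implementation) models the keywords above, enforces the extip rule that a static NAT address may not equal the extintf address while a port forwarding address may, and shows the inbound destination rewrite and the return-path source rewrite; the interface address passed to validate() and the packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Five-tuple stand-in for a packet; the values used below are constructed."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class VirtualIP:
    """Keywords of 'config firewall vip' as fields (added example, not Fortinet's code).
    Defaults follow the keyword table: type staticnat, protocol tcp, ports 0."""
    name: str
    extintf: str
    extip: str
    mappedip: str
    vip_type: str = "staticnat"   # the CLI keyword is 'type'
    protocol: str = "tcp"
    extport: int = 0              # portforward only
    mappedport: int = 0           # portforward only; 0 keeps the destination port

    def validate(self, extintf_ip):
        """Enforce the constraints stated in the extip and extport descriptions.
        extintf_ip is the address configured on extintf (supplied by the caller)."""
        if self.vip_type not in ("staticnat", "portforward"):
            raise ValueError(f"{self.name}: type must be staticnat or portforward")
        if self.vip_type == "staticnat" and self.extip == extintf_ip:
            raise ValueError(f"{self.name}: a static NAT extip cannot be the IP of {self.extintf}")
        if self.vip_type == "portforward":
            if self.extport == 0:
                raise ValueError(f"{self.name}: extport is required for port forwarding")
            if self.protocol not in ("tcp", "udp"):
                raise ValueError(f"{self.name}: protocol must be tcp or udp")

    def matches(self, pkt):
        """True if an inbound packet arriving on extintf is selected by this VIP."""
        if pkt.dst_ip != self.extip:
            return False
        if self.vip_type == "staticnat":
            return True  # static NAT maps the whole address, every protocol and port
        return pkt.proto == self.protocol and pkt.dst_port == self.extport

    def translate_inbound(self, pkt):
        """Rewrite the destination of a matching inbound packet to the mapped host."""
        dst_port = pkt.dst_port
        if self.vip_type == "portforward" and self.mappedport:
            dst_port = self.mappedport
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.mappedip, dst_port)

    def translate_return(self, pkt):
        """Rewrite the source of a reply from the mapped host back to the external address/port."""
        if pkt.src_ip != self.mappedip:
            return pkt
        src_port = pkt.src_port
        if self.vip_type == "portforward" and src_port == (self.mappedport or self.extport):
            src_port = self.extport
        return Packet(pkt.proto, self.extip, src_port, pkt.dst_ip, pkt.dst_port)


def is_valid(vip, extintf_ip):
    """Boolean form of validate() for checks and tests."""
    try:
        vip.validate(extintf_ip)
        return True
    except ValueError:
        return False


def apply_vips(vips, pkt):
    """Return (vip name, rewritten packet) for the first matching VIP, or None if none match."""
    for vip in vips:
        if vip.matches(pkt):
            return vip.name, vip.translate_inbound(pkt)
    return None
```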

Example
This example shows how to add a static NAT virtual IP named web_Server that allows users on the
Internet to connect to a web server on your internal network. The internet address of the web server is
64.32.21.34 and the real IP address of the web server on the internal network is 192.168.1.44.
config firewall vip
edit web_Server
set type staticnat
set extintf external
set extip 64.32.21.34
set mappedip 192.168.1.44
end
This example shows how to edit the static NAT virtual IP named web_Server to change the real IP
address of the web server on the internal network to 192.168.110.23.
config firewall vip
edit web_Server
set mappedip 192.168.110.23
end
This example shows how to add a port forwarding virtual IP that uses port address translation to allow
external access to a web server on your internal network if you do not have a separate external IP
address for the web server. In this example, the IP address of the external interface is 192.168.100.99
and the real IP address of the web server on the internal network is 192.168.1.93.
config firewall vip
edit web_Server
set type portforward
set extintf external
set extip 192.168.100.99
set extport 80
set mappedip 192.168.1.93
set mappedport 80
end
This example shows how to display the settings for the firewall vip command.
get firewall vip
This example shows how to display the settings for the web_Server VIP.
get firewall vip web_Server
This example shows how to display the configuration for the firewall vip command.
show firewall vip
This example shows how to display the configuration for the web_Server VIP.
show firewall vip web_Server

Command History
FortiOS v2.80 Revised.

Related Commands
• policy

config ips
anomaly
custom
group

config ips anomaly

anomaly
The FortiGate IPS uses anomalies to identify network traffic that does not fit known or preset traffic
patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP
protocols.

Flooding
    If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Scan
    If the number of sessions from a single source in one second is over a threshold, the source is scanning.
Source session limit
    If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
Destination session limit
    If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.

You can enable or disable logging for each anomaly, and you can control the IPS action in response to
detecting an anomaly. In many cases you can also configure the thresholds that the anomaly uses to
detect traffic patterns that could represent an attack.

Note: It is important to estimate the normal and expected traffic on your network before changing the default
anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high
could miss some attacks.

The list of anomalies can be updated only when the FortiGate firmware image is upgraded.

Command syntax pattern


config ips anomaly <name_str>
set <keyword> <variable>
end
config ips anomaly <name_str>
unset <keyword>
end
get ips anomaly [<name_str>]
show ips anomaly [<name_str>]
The config ips anomaly command has 1 subcommand.
config limit

anomaly command keywords and variables

action {clear_session | drop | drop_session | pass | pass_session | reset | reset_client | reset_server}
    Select an action for the FortiGate unit to take when traffic triggers this anomaly.
    • clear_session - The FortiGate unit drops the packet that triggered the anomaly, removes the session from the FortiGate session table, and does not send a reset.
    • drop - The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than drop for TCP connection based attacks.
    • drop_session - The FortiGate unit drops the packet that triggered the anomaly and drops any other packets in the same session.
    • pass - The FortiGate unit lets the packet that triggered the anomaly pass through the firewall. If logging is disabled and action is set to pass, the anomaly is effectively disabled.
    • pass_session - The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall.
    • reset - The FortiGate unit drops the packet that triggered the anomaly, sends a reset to both the client and the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action behaves as clear_session. If the reset action is triggered before the TCP connection is fully established it acts as clear_session.
    • reset_client - The FortiGate unit drops the packet that triggered the anomaly, sends a reset to the client, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action behaves as clear_session. If the reset_client action is triggered before the TCP connection is fully established it acts as clear_session.
    • reset_server - The FortiGate unit drops the packet that triggered the anomaly, sends a reset to the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action behaves as clear_session. If the reset_server action is triggered before the TCP connection is fully established it acts as clear_session.
    Default: Varies. Availability: All models.
log {disable | enable}
    Enable or disable logging for the anomaly.
    Default: enable. Availability: All models.

status {disable | enable}
    Enable or disable this anomaly.
    Default: enable. Availability: All models.
threshold <threshold_integer>
    For the anomalies that include the threshold setting, traffic over the specified threshold triggers the anomaly.
    Default: Varies. Availability: All models.

Example
This example shows how to change the tcp_land anomaly configuration.
config ips anomaly tcp_land
set action pass
set log enable
set status enable
end
This example shows how to change the icmp_flood anomaly configuration.
config ips anomaly icmp_flood
set action drop
set log enable
set status enable
set threshold 1024
end
This example shows how to display the list of anomalies.
get ips anomaly
This example shows how to display the settings for icmp_flood.
get ips anomaly icmp_flood
This example shows how to display the configuration for the ips anomaly command.
show ips anomaly
This example shows how to display the configuration for icmp_flood.
show ips anomaly icmp_flood

config limit
Access the config limit subcommand using the config ips anomaly <name_str>
command. Use this command for session control based on source and destination network address.
This command is available for tcp_src_session, tcp_dst_session, icmp_src_session,
icmp_dst_session, udp_src_session, udp_dst_session.
You cannot edit the default entry. Addresses are matched from more specific to more general. For
example, if you define thresholds for 192.168.100.0/24 and 192.168.0.0/16, the address with the 24 bit
netmask is matched before the entry with the 16 bit netmask.
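The four anomaly types introduced at the start of this section are defined by sessions per second and concurrent sessions per source or destination, and config limit lets the threshold for the session-limit anomalies vary by network with the most specific entry matched first. The following added example (not Fortinet's IPS code) applies those definitions to a constructed list of session records: it buckets new sessions per second for the flooding and scan checks, counts open sessions for the limit checks, and selects the threshold by longest-prefix match so a /24 entry wins over a /16; it reads "over a threshold" as strictly greater, and the records, thresholds and limit entries are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed session records: start/end are seconds on an arbitrary clock.
SAMPLE_SESSIONS = [
    # 12 sessions from one source to 12 hosts inside second 100: looks like a scan
    *({"src": "10.0.0.5", "dst": f"192.168.1.{i}", "start": 100.0 + i * 0.05, "end": 101.0}
      for i in range(12)),
    # 6 sessions held open by 192.168.100.7 at t=200: covered by the /24 limit entry
    *({"src": "192.168.100.7", "dst": "10.0.0.1", "start": 190.0, "end": 300.0}
      for _ in range(6)),
    # 6 sessions held open by 192.168.50.7 at t=200: only the /16 entry applies
    *({"src": "192.168.50.7", "dst": "10.0.0.2", "start": 190.0, "end": 300.0}
      for _ in range(6)),
]

# Global thresholds, one per anomaly type (constructed values).
SAMPLE_THRESHOLDS = {"flood": 10, "scan": 10, "src_session": 50, "dst_session": 50}

# Per-network overrides as 'config limit' entries would hold them (constructed values).
SAMPLE_LIMITS = {
    "src_session": {"192.168.100.0/24": 5, "192.168.0.0/16": 20},
    "dst_session": {},
}


def pick_threshold(limits, address, default):
    """Return the threshold for 'address': the most specific (longest prefix) matching
    entry wins, so 192.168.100.0/24 is used before 192.168.0.0/16; else the default."""
    ip = ipaddress.ip_address(address)
    best_net, best_threshold = None, default
    for net_text, threshold in limits.items():
        net = ipaddress.ip_network(net_text, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_threshold = net, threshold
    return best_threshold


def new_sessions_per_second(sessions, key):
    """Count sessions started in each one-second bucket, keyed by (address, second)."""
    counts = Counter()
    for s in sessions:
        counts[(s[key], int(s["start"]))] += 1
    return counts


def concurrent_sessions(sessions, key, at_time):
    """Count sessions open at 'at_time' (start <= at_time < end), keyed by address."""
    counts = Counter()
    for s in sessions:
        if s["start"] <= at_time < s["end"]:
            counts[s[key]] += 1
    return counts


def detect_anomalies(sessions, thresholds, limits, at_time):
    """Apply the four anomaly definitions; 'over a threshold' is read as strictly greater.
    Returns sorted (anomaly, address, count) tuples."""
    findings = set()
    for (dst, _sec), n in new_sessions_per_second(sessions, "dst").items():
        if n > thresholds["flood"]:
            findings.add(("flood", dst, n))
    for (src, _sec), n in new_sessions_per_second(sessions, "src").items():
        if n > thresholds["scan"]:
            findings.add(("scan", src, n))
    for src, n in concurrent_sessions(sessions, "src", at_time).items():
        if n > pick_threshold(limits.get("src_session", {}), src, thresholds["src_session"]):
            findings.add(("src_session", src, n))
    for dst, n in concurrent_sessions(sessions, "dst", at_time).items():
        if n > pick_threshold(limits.get("dst_session", {}), dst, thresholds["dst_session"]):
            findings.add(("dst_session", dst, n))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_SESSIONS, SAMPLE_THRESHOLDS, SAMPLE_LIMITS, 200.0):
        print(finding)
```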

Command syntax pattern


config limit
edit <name_str>
set <keyword> <variable>
end
config limit
edit <name_str>
unset <keyword>
end
config limit
delete <name_str>
end

limit command keywords and variables

ipaddress <address_ipv4mask>
    The IP address and netmask of the source or destination network.
    Default: No default. Availability: All models.
threshold <threshold_integer>
    Set the threshold that triggers this anomaly.
    Default: No default. Availability: All models.

Example
Use the following command to configure the limit for the tcp_src_session anomaly.
config ips anomaly tcp_src_session
config limit
edit subnet1
set ipaddress 1.1.1.0 255.255.255.0
set threshold 300
end
end

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• config ips custom
• config ips group
• config system global ips-open

config ips custom

custom
You can create custom IPS signatures. The custom signatures you create are added to a single
Custom signature group.
Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network
environments. The FortiGate predefined signatures cover common attacks. If you are using an
unusual or specialized application or an uncommon platform, you can add custom signatures based on
the security alerts released by the application and platform vendors.
You can also use custom signatures to block or allow specific traffic.
Once you add the custom signature, you can configure the settings for it under the signature group
named custom. For more information on configuring signature groups, see “config ips group” on
page 114.
For more information on custom signature syntax see the FortiGate IPS Custom Signatures Technical
Bulletin.

Note: Custom signatures are an advanced feature. This document assumes the user has previous experience
writing intrusion detection signatures.

Command syntax pattern


config ips custom
edit <name_str>
set <keyword> <variable>
end
config ips custom
edit <name_str>
unset <keyword>
end
config ips custom
delete <name_str>
end
get ips custom [<name_str>]
show ips custom [<name_str>]

custom command keywords and variables

signature <'signature_str'>
    Enter the custom signature. The signature must be enclosed in single quotes.
    Default: No default. Availability: All models.

Example
This example shows how to add a custom signature for ICMP packets set to type 10.
config ips custom
edit ICMP10
set signature 'F-SBID(--protocol icmp; --icmp_type 10; --revision 2; )'
end

This example shows how to display the list of custom signatures.
get ips custom
This example shows how to display the settings for the ICMP10 custom signature.
get ips custom ICMP10
This example shows how to display the configuration for the ips custom command.
show ips custom
This example shows how to display the configuration for the ICMP10 custom signature.
show ips custom ICMP10

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• config ips group
• execute backup
• execute restore
• config system global ips-open

group
The FortiGate IPS matches network traffic against patterns contained in attack signatures. Attack
signatures reliably protect your network from known attacks. Fortinet’s FortiProtect infrastructure
ensures the rapid identification of new threats and the development of new attack signatures.
You can configure the FortiGate unit to automatically check for and download an updated attack
definition file containing the latest signatures, or you can manually download the updated attack
definition file. You can also configure the FortiGate unit to allow push updates of updated attack
definition files as soon as they are available from the FortiProtect Distribution Network. For details, see
“config system autoupdate schedule” on page 226 and “execute update_now” on page 376.
When the FortiGate unit installs an updated attack definition file, it checks to see if the default
configuration for any existing signatures has changed. If the default configuration has changed, the
changes are preserved.
Signatures are arranged into groups based on the type of attack. By default, all signature groups are
enabled.
You can enable or disable signature groups or individual signatures. Disabling unneeded signatures
can improve system performance and reduce the number of log messages and alert emails that the
IPS generates. For example, the IPS detects a large number of web server attacks. If you do not
provide access to a web server behind your FortiGate unit, you might want to disable all web server
attack signatures.
Some signature groups include configurable parameters. The parameters that are available depend on
the type of signatures in the signature group. When you configure these parameters for a signature
group, the parameters apply to all of the signatures in the group.
For each signature, you can configure the action the FortiGate IPS takes when it detects an attack.
The FortiGate IPS can pass, drop, reset or clear packets or sessions. You can also enable or disable
logging of the attack.

Command syntax pattern

config ips group <group-name_str>
set <keyword> <variable>
end
config ips group <group-name_str>
unset <keyword>
end
get ips group [<name_str>]
show ips group [<name_str>]
The config ips group command has 1 subcommand.
config rule <rule-name_str>

group command keywords and variables

bad_flag_list <flag_str>
    A comma separated list of bad TCP flags.
    Default: NULL, F, U, P, SF, PF, UP, UPF, UAPSF, UAPRSF. Availability: All models; tcp_reassembler group.
codepoint <codepoint_integer>
    A number from 0 to 63, used for differentiated services tagging. When the action for p2p and im signatures is set to pass, the FortiGate unit checks the codepoint. If the codepoint is set to a number from 1 to 63, the codepoint for the session is changed to the specified value. If the codepoint is set to -1 (the default) no change is made to the codepoint in the IP header.
    Default: -1. Availability: All models; im and p2p groups.
idle_timeout <timeout_integer>
    If a session is idle for longer than this number of seconds, TCP reassembly stops maintaining the session.
    Default: 30. Availability: All models; tcp_reassembler group.
min_ttl <ttl_integer>
    A packet whose IP header TTL is lower than the number specified here is not processed by TCP reassembly.
    Default: 1. Availability: All models; tcp_reassembler group.
port_list <port_integer>
    A comma separated list of ports. The dissector decodes traffic on these TCP ports. Default port lists:
    • tcp_reassembler - 21, 23, 25, 53, 80, 110, 111, 143, 513, 1837, 1863, 5050, 5190
    • http_decoder - 80
    • rpc_decoder - 111, 32771
    Default: Varies. Availability: All models; tcp_reassembler, http_decoder, and rpc_decoder groups.
direction <direction_str>
    Valid settings are from-server, from-client, or both.
    Default: from-client. Availability: All models; tcp_reassembler group.
status {disable | enable}
    Enable or disable this signature group.
    Default: enable. Availability: All models.

Example
This example shows how to disable the dos signature group.
config ips group dos
set status disable
end
This example shows how to display the list of signature groups.
get ips group
This example shows how to display the settings for the dos signature group.
get ips group dos
This example shows how to display the configuration for the ips group command.
show ips group
This example shows how to display the configuration for the dos signature group.
show ips group dos

config rule <rule-name_str>


Access the rule subcommand using the ips group command. Use the config rule subcommand to
configure the settings for individual signatures in a signature group.

Command syntax pattern

config rule <rule-name_str>
set <keyword> <variable>
end
config rule <rule-name_str>
unset <keyword>
end
get ips group [<name_str>]
show ips group [<name_str>]

rule command keywords and variables

action {clear_session | drop | drop_session | pass | pass_session | reset | reset_client | reset_server}
    Select an action for the FortiGate unit to take when traffic triggers this signature.
    • clear_session - The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset.
    • drop - The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than drop for TCP connection based attacks.
    • drop_session - The FortiGate unit drops the packet that triggered the signature and drops any other packets in the same session.
    • pass - The FortiGate unit lets the packet that triggered the signature pass through the firewall. If logging is disabled and action is set to pass, the signature is effectively disabled.
    • pass_session - The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.
    • reset - The FortiGate unit drops the packet that triggered the signature, sends a reset to both the client and the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action behaves as clear_session. If the reset action is triggered before the TCP connection is fully established it acts as clear_session.
    • reset_client - The FortiGate unit drops the packet that triggered the signature, sends a reset to the client, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action behaves as clear_session. If the reset_client action is triggered before the TCP connection is fully established it acts as clear_session.
    • reset_server - The FortiGate unit drops the packet that triggered the signature, sends a reset to the server, and removes the session from the FortiGate session table. Used for TCP connections only. If you set this action for non-TCP connection based attacks, the action behaves as clear_session. If the reset_server action is triggered before the TCP connection is fully established it acts as clear_session.
    Default: Varies. Availability: All models.
log {disable | enable}
    Enable or disable logging for the signature.
    Default: enable. Availability: All models.
status {disable | enable}
    Enable or disable this signature.
    Default: enable. Availability: All models.

Example
This example shows how to change the action for the NAPTHA signature in the dos signature group to
drop.
config ips group dos
config rule NAPTHA
set action drop
end
end
This example shows how to display the list of signature groups.
get ips group
This example shows how to display the settings for the dos signature group.
get ips group dos
This example shows how to display the configuration for the ips group command.
show ips group
This example shows how to display the configuration for the dos signature group.
show ips group dos

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• config ips anomaly
• config system autoupdate schedule
• execute update_now
• config system global ips-open

config log
Use the config log commands to set the logging type, the logging severity level, and the logging
location for the FortiGate unit.
For descriptions of log formats and specific log messages see the FortiGate Log Message Reference
Guide.

{disk | fortilog | memory | syslogd | webtrends} filter
disk setting
fortilog setting
memory setting
syslogd setting
trafficfilter
webtrends setting

config log {disk | fortilog | memory | syslogd | webtrends} filter

{disk | fortilog | memory | syslogd | webtrends} filter


Use this command to configure log filter options. Log filters define the types of log messages sent to
each log location.

Command syntax pattern

config log {disk | fortilog | memory | syslogd | webtrends} filter
set <keyword> <variable>
end
config log {disk | fortilog | memory | syslogd | webtrends} filter
unset <keyword>
end
get log {disk | fortilog | memory | syslogd | webtrends} filter
show log {disk | fortilog | memory | syslogd | webtrends} filter

Note: Logging to disk is only available on FortiGate units with a local disk.

log {disk | fortilog | memory | syslogd | webtrends} filter command keywords and variables

admin {disable | enable}
    Enable or disable logging of all administrative events, such as user logins, resets, and configuration updates, in the event log.
    Default: disable. Availability: All models; event enable only.
allowed {disable | enable}
    Enable or disable logging of all traffic that is allowed according to the firewall policy settings in the traffic log.
    Default: disable. Availability: All models; traffic enable only.
anomaly {disable | enable}
    Enable or disable logging of all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit, in the attack log.
    Default: disable. Availability: All models; attack enable only.
attack {disable | enable}
    Enable or disable the attack log.
    Default: disable. Availability: All models.
auth {disable | enable}
    Enable or disable logging of all firewall-related events, such as user authentication, in the event log.
    Default: disable. Availability: All models; event enable only.
blocked {disable | enable}
    Enable or disable logging of all instances of blocked files.
    Default: disable. Availability: All models.
cat_block {disable | enable}
    Enable or disable logging of web pages blocked by FortiGuard category filtering in the web filter log.
    Default: disable. Availability: All models; web enable only.
cat_errors {disable | enable}
    Enable or disable logging of all instances of FortiGuard category filtering rating errors.
    Default: disable. Availability: All models; web enable only.
cat_monitor {disable | enable}
    Enable or disable logging of web pages monitored by FortiGuard category filtering.
    Default: disable. Availability: All models; web enable only.
chassis {disable | enable}
    Enable or disable logging of chassis anomalies.
    Default: disable. Availability: Model 4000 only.
content_log {disable | enable}
    Enable or disable archiving of protocol content. Archives can include meta-data information such as file sizes, source and destination addresses, and status.
    Default: disable. Availability: All models.
content_log_ftp {disable | enable}
    Enable or disable archiving of FTP content. Archives can include meta-data information such as file sizes, source and destination addresses, and status.
    Default: disable. Availability: All models; content_log enable only.
content_log_http {disable | enable}
    Enable or disable archiving of HTTP content. Archives can include meta-data information such as file sizes, source and destination addresses, and status.
    Default: disable. Availability: All models; content_log enable only.
content_log_imap {disable | enable}
    Enable or disable archiving of IMAP content. Archives can include meta-data information such as file sizes, source and destination addresses, and status.
    Default: disable. Availability: All models; content_log enable only.
content_log_pop3 {disable | enable}
    Enable or disable archiving of POP3 content. Archives can include meta-data information such as file sizes, source and destination addresses, and status.
    Default: disable. Availability: All models; content_log enable only.
content_log_smtp {disable | enable}
    Enable or disable archiving of SMTP content. Archives can include meta-data information such as file sizes, source and destination addresses, and status.
    Default: disable. Availability: All models; content_log enable only.
dhcp {disable | enable}
    Enable or disable logging of DHCP events, such as requests and responses, in the event log.
    Default: disable. Availability: All models; event enable only.
email {disable | enable}
    Enable or disable the spam filter log.
    Default: disable. Availability: All models.
email_log_imap {disable | enable}
    Enable or disable logging of spam detected in IMAP traffic.
    Default: disable. Availability: All models; email enable only.
email_log_pop3 {disable | enable}
    Enable or disable logging of spam detected in POP3 traffic.
    Default: disable. Availability: All models; email enable only.
email_log_smtp {disable | enable}
    Enable or disable logging of spam detected in SMTP traffic.
    Default: disable. Availability: All models; email enable only.
event {disable | enable}
    Enable or disable the event log.
    Default: disable. Availability: All models.
exempt {disable | enable}
    Enable or disable logging of allowed URLs (specified in the URL exempt list) in the web filter log.
    Default: disable. Availability: All models; web enable only.
ha {disable | enable}
    Enable or disable logging of high availability events, such as link, member, and state information, in the event log.
    Default: disable. Availability: All models; event enable only.
infected {disable | enable}
    Enable or disable logging of all virus infections in the antivirus log.
    Default: disable. Availability: All models; virus enable only.
ipsec {disable | enable}
    Enable or disable logging of IPSec negotiation events, such as progress and error reports, in the event log.
    Default: disable. Availability: All models; event enable only.
oversized {disable | enable}
    Enable or disable logging of oversized files in the antivirus log.
    Default: disable. Availability: All models; virus enable only.
pattern {disable | enable}
    Enable or disable logging of all pattern update events, such as antivirus and IPS pattern updates and update failures, in the event log.
    Default: disable. Availability: All models; event enable only.
ppp {disable | enable}
    Enable or disable logging of all L2TP, PPTP, and PPPoE-related events, such as manager and socket creation processes, in the event log.
    Default: disable. Availability: All models; event enable only.
severity {alert | critical | debug | emergency | error | information | notification | warning}
    Select the logging severity level. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select error, the unit logs error, critical, alert, and emergency level messages. With the default of alert, only alert and emergency messages are logged.
    emergency - The system is unusable.
    alert - Immediate action is required.
    critical - Functionality is affected.
    error - An erroneous condition exists and functionality is probably affected.
    warning - Functionality might be affected.
    notification - Information about normal events.
    information - General information about system operations.
    debug - Information used for diagnosing or debugging the FortiGate unit.
    Default: alert. Availability: All models.
signature {disable | enable}
    Enable or disable logging of detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit, in the attack log.
    Default: disable. Availability: All models; attack enable only.
system {disable | enable}
    Enable or disable logging of all system-related events, such as ping server failure and gateway status, in the event log.
    Default: disable. Availability: All models; event enable only.
traffic {disable | enable}
    Enable or disable the traffic log.
    Default: disable. Availability: All models.
url_block {disable | enable}
    Enable or disable logging of blocked URLs (specified in the URL block list) in the web filter log.
    Default: disable. Availability: All models; web enable only.
violation {disable | enable}
    Enable or disable logging of all traffic that violates the firewall policy settings in the traffic log.
    Default: disable. Availability: All models; traffic enable only.
virus {disable | enable}
    Enable or disable the antivirus log.
    Default: disable. Availability: All models.
web {disable | enable}
    Enable or disable the web filter log.
    Default: disable. Availability: All models.
web_content {disable | enable}
    Enable or disable logging of blocked content (specified in the banned words list) in the web filter log.
    Default: disable. Availability: All models; web enable only.

Example
This example shows how to set the logging severity level to warning, enable virus logging for infected
files, and enable event logging for admin and IPSec events.
config log disk filter
set severity warning
set virus enable
set infected enable
set event enable
set admin enable
set ipsec enable
end
This example shows how to display the filter settings for logging to a FortiLog unit.
get log fortilog filter
This example shows how to display the configuration for logging to a syslog server.
show log syslogd filter
If the show command returns you to the prompt, the settings are at default.

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Removed email_content keyword.
Added email_log_imap, email_log_pop3, and email_log_smtp keywords.

Related Commands
• disk setting
• fortilog setting
• memory setting
• syslogd setting
• trafficfilter
• webtrends setting

config log disk setting

disk setting
Use this command to configure log settings for logging to the local disk. Disk logging is only available
for FortiGate models with a local disk. You can also use this command to configure the FortiGate unit
to upload current log files to an FTP server every time the log files are rolled.

Command syntax pattern


config log disk setting
set <keyword> <variable>
end
config log disk setting
unset <keyword>
end
get log disk setting
show log disk setting

log disk setting command keywords and variables

diskfull {nolog | overwrite}
    Enter the action to take when the local disk is full. nolog means the FortiGate unit stops logging, and overwrite means the FortiGate unit begins overwriting the oldest log file.
    Default: overwrite. Availability: Models with a local disk.
duration <frequency_integer>
    Enter how often the current log is saved and a new active log started, in minutes, hours, or days as specified with the unit keyword.
    Default: 0. Availability: Models with a local disk.
filesize <MB_integer>
    Enter the maximum size of the log file (in MB) that is saved to the local disk. When the log file reaches the specified maximum size, the current log file is saved and a new active log file is started. The default maximum log file size is 100 MB and the maximum log file size allowed is 10 GB.
    Default: 100. Availability: Models with a local disk.
rollday {friday | monday | saturday | sunday | thursday | tuesday | wednesday}
    Enter the day of the week when the log should be saved and a new log started. At midnight on the specified day the current log file is saved and a new active log file is started.
    Default: sunday. Availability: Models with a local disk.
rolltime <time_integer>
    Enter the time of day, in the format hh:mm:ss, when the current log file is saved and a new active log file is started. Use a 24 hour clock.
    Default: 00:00:00. Availability: Models with a local disk.
status {disable | enable}
    Enter enable to enable logging to the local disk.
    Default: disable. Availability: Models with a local disk.
unit {day | hour | minute}
    Enter the unit of time to use for the duration keyword.
    Default: hour. Availability: Models with a local disk.
upload {disable | enable}
    Enable or disable uploading log files to a remote directory. Enable upload to upload log files to an FTP server whenever a log file rolls. Use the uploaddir, uploadip, uploadpass, uploadport, and uploaduser keywords to add the information required to connect to the FTP server and upload the log files to a specific location on the server. Use the uploadtype keyword to select the type of log files to upload. FTP sends the user name, password, and log contents in cleartext, so keep the path to the FTP server on a trusted network.
    Default: disable. Availability: Models with a local disk.
uploaddir <dir_name_str>
    Enter the path on the FTP server into which to transfer the log files. If you do not specify a remote directory, the log files are uploaded to the root directory of the FTP server.
    Default: No default. Availability: Models with a local disk; upload enabled.
uploadip <ftp_server_ipv4>
    Enter the IP address of the FTP server to which to upload the log files.
    Default: 0.0.0.0. Availability: Models with a local disk; upload enabled.
uploadpass <password_str>
    Enter the password required to connect to the FTP server.
    Default: No default. Availability: Models with a local disk; upload enabled.
uploadport <port_integer>
    Enter the port number used by the FTP server. The default port is 21, which is the standard FTP port.
    Default: 21. Availability: Models with a local disk; upload enabled.
uploadtype {attack content event spamfilter traffic virus webfilter}
    Select the log files to upload to the FTP server. You can enter one or more of the log file types, separated by spaces. If you want to remove a log file type from the list or add a log file type to the list, you must retype the list with the log file type removed or added.
    Default: attack content event spamfilter traffic virus webfilter. Availability: Models with a local disk; upload enabled.
uploaduser <username_str>
    Enter the user name required to connect to the FTP server.
    Default: No default. Availability: Models with a local disk; upload enabled.

Example
This example shows how to enable logging to the local disk, set the action to stop logging when the
disk is full, and save the old log and start a new one at 6pm on Fridays.
config log disk setting
set status enable
set diskfull nolog
set rollday friday
set rolltime 18:00:00
end
This example shows how to enable uploading the traffic log and content archive files to an FTP server.
The FTP server has the IP address 172.30.120.24, the user name is ftpuser, the password is
ftppass, and the directory on the FTP server is fortigate\logs.
config log disk setting
set upload enable
set uploadip 172.30.120.24
set uploaduser ftpuser
set uploadpass ftppass
set uploadtype traffic content
set uploaddir fortigate\logs
end
This example shows how to display the log setting for logging to the local disk.
get log disk setting
This example shows how to display the configuration for logging to the local disk.
show log disk setting
If the show command returns you to the prompt, the settings are at default.

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Removed ftppasswd, ftpserver, and ftpuser keywords.
Added upload, uploaddir, uploadip, uploadpass, uploadport, uploadtype,
and uploaduser keywords.

Related Commands
• {disk | fortilog | memory | syslogd | webtrends} filter
• fortilog setting
• memory setting
• syslogd setting
• trafficfilter
• webtrends setting

config log fortilog setting

fortilog setting
Use this command to configure log settings for logging to a FortiLog unit.
The FortiLog unit is a log analyzer and manager that can combine the log information from various
FortiGate units.

Command syntax pattern


config log fortilog setting
set <keyword> <variable>
end
config log fortilog setting
unset <keyword>
end
get log fortilog setting
show log fortilog setting

log fortilog setting command keywords and variables

encrypt {enable | disable}
    Enter enable to enable encrypted communication with the FortiLog unit.
    Default: disable. Availability: All models.
localid <str_id>
    Enter the local ID for an IPSec VPN tunnel to a FortiLog unit. You can create an IPSec VPN tunnel if one or more FortiGate units are sending log messages to a FortiLog unit across the Internet. Using an IPSec VPN tunnel means that all log messages sent by the FortiGate unit are encrypted in transit.
    Default: No default. Availability: All models.
psksecret <str_psk>
    Enter the pre-shared key for the IPSec VPN tunnel to a FortiLog unit (see localid).
    Default: No default. Availability: All models.
server <address_ipv4>
    Enter the IP address of the FortiLog unit.
    Default: No default. Availability: All models.
status {disable | enable}
    Enter enable to enable logging to a FortiLog unit.
    Default: disable. Availability: All models.

Example
This example shows how to enable logging to a FortiLog unit and set the FortiLog IP address.
config log fortilog setting
set status enable
set server 192.168.100.1
end
This example shows how to display the log setting for logging to a FortiLog unit.
get log fortilog setting

This example shows how to display the configuration for logging to a FortiLog unit.
show log fortilog setting
If the show command returns you to the prompt, the settings are at default.

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Added localid and psksecret keywords.

Related Commands
• {disk | fortilog | memory | syslogd | webtrends} filter
• disk setting
• memory setting
• syslogd setting
• trafficfilter
• webtrends setting

config log memory setting

memory setting
Use this command to configure log settings for logging to the FortiGate system memory.
The FortiGate system memory has a limited capacity and only displays the most recent log entries.
Traffic logs cannot be stored in the memory buffer. After all available memory is used, by default the
FortiGate unit begins to overwrite the oldest messages. All log entries are deleted when the FortiGate
unit restarts.

Command syntax pattern


config log memory setting
set <keyword> <variable>
end
config log memory setting
unset <keyword>
end
get log memory setting
show log memory setting

log memory setting command keywords and variables

status {disable | enable}
    Enter enable to enable logging to the FortiGate system memory.
    Default: disable. Availability: All models.

Example
This example shows how to enable logging to the FortiGate system memory.
config log memory setting
set status enable
end
This example shows how to display the log setting for logging to the FortiGate system memory.
get log memory setting
This example shows how to display the configuration for logging to the FortiGate system memory.
show log memory setting
If the show command returns you to the prompt, the settings are at default.

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• {disk | fortilog | memory | syslogd | webtrends} filter
• disk setting
• fortilog setting
• syslogd setting
• trafficfilter
• webtrends setting

config log syslogd setting

syslogd setting
Use this command to configure log settings for logging to a remote syslog server.
You can configure the FortiGate unit to send logs to a remote computer running a syslog server.

Command syntax pattern


config log syslogd setting
set <keyword> <variable>
end
config log syslogd setting
unset <keyword>
end
get log syslogd setting
show log syslogd setting

log syslogd setting command keywords and variables

csv {disable | enable}
    Enter enable to enable the FortiGate unit to produce the log in Comma Separated Value (CSV) format. If you do not enable CSV format the FortiGate unit produces plain text files.
    Default: disable. Availability: All models.
facility {alert | audit | auth | authpriv | clock | cron | daemon | ftp | kernel | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | ntp | syslog | user | uucp}
    Enter the facility type. facility identifies the source of the log message to syslog. You might want to change facility to distinguish log messages from different FortiGate units. Available facility types are:
    • alert: log alert
    • audit: log audit
    • auth: security/authorization messages
    • authpriv: security/authorization messages (private)
    • clock: clock daemon
    • cron: cron daemon performing scheduled commands
    • daemon: system daemons running background system processes
    • ftp: File Transfer Protocol (FTP) daemon
    • kernel: kernel messages
    • local0 – local7: reserved for local use
    • lpr: line printer subsystem
    • mail: email system
    • news: network news subsystem
    • ntp: Network Time Protocol (NTP) daemon
    • syslog: messages generated internally by the syslog daemon
    • user: user-level messages
    • uucp: UUCP subsystem
    Default: local7. Availability: All models.
port <port_integer>
    Enter the port number for communication with the syslog server.
    Default: 514. Availability: All models.
server <address_ipv4>
    Enter the IP address of the syslog server that stores the logs.
    Default: No default. Availability: All models.
status {disable | enable}
    Enter enable to enable logging to a remote syslog server.
    Default: disable. Availability: All models.

Example
This example shows how to enable logging to a remote syslog server, configure an IP address and
port for the server, and enable logging in CSV format.
config log syslogd setting
set status enable
set server 220.210.200.190
set port 601
set csv enable
end
This example shows how to display the log setting for logging to a remote syslog server.
get log syslogd setting
This example shows how to display the configuration for logging to a remote syslog server.
show log syslogd setting
If the show command returns you to the prompt, the settings are at default.
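The following script is an added example and is not part of the FortiGate CLI Reference Guide or of FortiOS. It serves two passages: the severity keyword of the log filter command (messages at and above the selected level are logged) and the facility keyword of this syslogd setting command. On the receiving syslog server the two values arrive combined in the PRI header as facility * 8 + severity, the standard BSD syslog encoding, so a collector that wants to sort FortiGate messages from other devices, or to check that the FortiGate's severity threshold is really in effect, has to decode that header. The sample lines are constructed for this example; their key=value body is only a stand-in for the real FortiGate message format, and the facility code table is the standard syslog one, not something the page lists.

```python
"""Decode syslog PRI values and apply the FortiGate log filter severity rule.

Added example, not from the FortiGate CLI Reference Guide. It assumes the
standard BSD syslog PRI encoding (PRI = facility * 8 + severity) behind the
'facility' keyword names. The sample lines below are constructed; their
key=value body only stands in for the real FortiGate message format.
"""
import shlex

# Index 0 is the most severe. The FortiGate 'severity' filter keyword logs
# everything at and above the chosen level, i.e. everything whose index is
# less than or equal to the threshold's index.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]

# Standard syslog facility codes (RFC 3164), keyed by the names the
# FortiGate 'facility' keyword accepts.
FACILITIES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
_FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}


def encode_pri(facility, severity):
    """PRI value a sender puts in the '<PRI>' header."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def parse_syslog_line(line):
    """Split '<PRI>body' into (facility name, severity name, body).

    Malformed headers raise ValueError so bad input is never silently
    treated as a low-severity message.
    """
    if not line.startswith("<"):
        raise ValueError("missing PRI header")
    close = line.find(">")
    if close < 1 or close > 4 or not line[1:close].isdigit():
        raise ValueError("malformed PRI header")
    pri = int(line[1:close])
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return _FACILITY_NAMES[facility], SEVERITIES[severity], line[close + 1:]


def parse_fields(body):
    """Parse a space separated key=value body; quoted values may hold spaces."""
    return dict(item.split("=", 1) for item in shlex.split(body) if "=" in item)


def at_or_above(severity, threshold):
    """True if 'severity' is at least as severe as 'threshold'."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def filter_lines(lines, threshold, facility="local7"):
    """Keep the lines a FortiGate configured with 'set severity <threshold>'
    and the given facility would emit; returns (facility, severity, fields)."""
    kept = []
    for line in lines:
        fac, sev, body = parse_syslog_line(line)
        if fac == facility and at_or_above(sev, threshold):
            kept.append((fac, sev, parse_fields(body)))
    return kept


# Constructed sample lines; the first three use local7, the FortiGate default.
SAMPLE_LINES = [
    '<186>type=event subtype=system pri=critical msg="constructed: disk nearly full"',
    '<188>type=event subtype=admin pri=warning msg="constructed: login failure"',
    "<190>type=traffic subtype=allowed pri=information src=192.168.100.1 dst=10.0.0.5",
    '<165>type=event subtype=system pri=notification msg="constructed: other device"',
]

if __name__ == "__main__":
    for fac, sev, fields in filter_lines(SAMPLE_LINES, "warning"):
        print(fac, sev, fields.get("subtype"), fields.get("msg"))
```

With the threshold set to warning only the critical and warning lines survive, which mirrors what the FortiGate itself sends after `set severity warning`; with the page's default of alert, none of the sample lines would reach the server at all.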

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR3 Added alert and audit keywords for use with facility keyword.

Related Commands
• {disk | fortilog | memory | syslogd | webtrends} filter
• disk setting
• fortilog setting
• memory setting
• trafficfilter
• webtrends setting

config log trafficfilter

trafficfilter
Use this command to configure the following global settings for traffic logging:
• resolve IP addresses to host names
• display the port number or service (protocol) in the log message

Command syntax pattern


config log trafficfilter
set <keyword> <variable>
end
config log trafficfilter
unset <keyword>
end
get log trafficfilter
show log trafficfilter
The config log trafficfilter command has 1 subcommand.
config rule

log trafficfilter command keywords and variables

display {name | port}
    Enter name to display the service name in traffic log messages. Enter port to display the port number used by the traffic in traffic log messages.
    Default: port. Availability: All models.
resolve {disable | enable}
    Enter enable to resolve IP addresses to host names in traffic log messages.
    Default: disable. Availability: All models.

Example
This example shows how to display the service name and enable resolving IP addresses to host
names in log messages.
config log trafficfilter
set display name
set resolve enable
end
This example shows how to display the settings for the log trafficfilter command.
get log trafficfilter
This example shows how to display the configuration for the log trafficfilter command.
show log trafficfilter
If the show command returns you to the prompt, the settings are at default.

config rule
Access the rule subcommand using the log trafficfilter command.
Use the following command to configure traffic filter rules based on source IP address, destination IP
address, and service (protocol).

Command syntax pattern


config rule
edit <name_str>
set <keyword> <variable>
end
config rule
edit <name_str>
unset <keyword>
end
config rule
delete <name_str>
end
get log trafficfilter
show log trafficfilter

rule command keywords and variables

dst <address_ipv4mask>
    Enter the destination IP address and netmask for which you want to filter traffic logs.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

service <name_str>
    Enter the service for which you want to filter traffic logs. You can choose from any of the predefined services listed and any custom services you have configured. See “service custom” on page 99.
    Default: No default. Availability: All models.

src <address_ipv4mask>
    Enter the source IP address and netmask for which you want to filter traffic logs.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

Example
This example shows how to configure a traffic filter called TF_1, to configure the source and
destination IP and netmask, and to set the service to HTTP.
config log trafficfilter
config rule
edit TF_1
set dst 220.210.200.190 255.255.255.0
set src 192.168.100.1 255.255.255.0
set service HTTP
end
end
This example shows how to display the settings for the log trafficfilter command.
get log trafficfilter setting


This example shows how to display the configuration for the log trafficfilter command.
show log trafficfilter setting
If the show command returns you to the prompt, the settings are at default.
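The following added example is not part of this reference and not FortiGate code. It shows how a trafficfilter rule such as TF_1 above selects records from a traffic log: src and dst are address-and-netmask pairs that default to 0.0.0.0 0.0.0.0 (any address), and service narrows the match to one protocol and port. The key=value log line layout, the PREDEFINED_SERVICES table and the function names are assumptions made for the illustration.

```python
"""Added example, not FortiGate code: applying a log trafficfilter rule to
constructed traffic log records.  Log layout, service table and names are assumed."""
import ipaddress

# Assumed subset of the predefined service table: service name -> (protocol, port).
PREDEFINED_SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53)}
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Constructed sample log lines in a key=value layout (not real FortiGate output).
SAMPLE_LOG = [
    "src=192.168.100.5 dst=220.210.200.10 proto=6 dst_port=80 action=accept",
    "src=192.168.100.5 dst=220.210.200.10 proto=6 dst_port=443 action=accept",
    "src=10.0.0.5 dst=220.210.200.10 proto=6 dst_port=80 action=accept",
    "src=192.168.100.77 dst=220.210.201.10 proto=6 dst_port=80 action=deny",
]

# The rule from the example above, as the CLI keywords would store it.
TF_1 = {"src": "192.168.100.1 255.255.255.0",
        "dst": "220.210.200.190 255.255.255.0",
        "service": "HTTP"}


def cli_network(addr_mask):
    """'220.210.200.190 255.255.255.0' -> 220.210.200.0/24; the CLI takes address and netmask."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_record(line):
    """Turn one key=value log line into typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "proto": PROTO_NAMES.get(int(fields["proto"]), fields["proto"]),
        "dst_port": int(fields["dst_port"]),
    }


def rule_matches(rule, rec):
    """src/dst default to 0.0.0.0 0.0.0.0 (any); service has no default, so an
    unset service matches every protocol and port."""
    if rec["src"] not in cli_network(rule.get("src", "0.0.0.0 0.0.0.0")):
        return False
    if rec["dst"] not in cli_network(rule.get("dst", "0.0.0.0 0.0.0.0")):
        return False
    service = rule.get("service")
    if service is not None and (rec["proto"], rec["dst_port"]) != PREDEFINED_SERVICES[service]:
        return False
    return True


def matching_lines(rule, lines):
    """Return the log lines that the rule selects."""
    return [line for line in lines if rule_matches(rule, parse_record(line))]


if __name__ == "__main__":
    for line in matching_lines(TF_1, SAMPLE_LOG):
        print(line)
```

Only the first sample line satisfies all three conditions of TF_1: the second uses port 443 rather than HTTP, the third has a source outside 192.168.100.0/24, and the fourth has a destination outside 220.210.200.0/24.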

Command History
FortiOS v2.80 Revised.

Related Commands
• {disk | fortilog | memory | syslogd | webtrends} filter
• disk setting
• fortilog setting
• memory setting
• syslogd setting
• webtrends setting



config log webtrends setting

webtrends setting
Use this command to configure log settings for logging to a remote computer running a NetIQ
WebTrends firewall reporting server.
FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with
NetIQ WebTrends Security Reporting Center 2.0 and Firewall Suite 4.1.

Command syntax pattern


config log webtrends setting
set <keyword> <variable>
end
config log webtrends setting
unset <keyword>
end
get log webtrends setting
show log webtrends setting

log webtrends setting command keywords and variables

server <address_ipv4>
    Enter the IP address of the WebTrends server that stores the logs.
    Default: No default. Availability: All models.

status {disable | enable}
    Enter enable to enable logging to a WebTrends server.
    Default: disable. Availability: All models.

Example
This example shows how to enable logging to and set an IP address for a remote WebTrends server.
config log webtrends setting
set status enable
set server 220.210.200.190
end
This example shows how to display the settings for logging to a remote WebTrends server.
get log webtrends setting
This example shows how to display the configuration for logging to a remote WebTrends server.
show log webtrends setting
If the show command returns you to the prompt, the settings are at default.

Command History
FortiOS v2.80 Substantially revised.


Related Commands
• {disk | fortilog | memory | syslogd | webtrends} filter
• disk setting
• fortilog setting
• memory setting
• syslogd setting
• trafficfilter


config router
access-list
get router info ospf
get router info protocols
get router info rip
get router info routing_table
key-chain
ospf
policy
prefix-list
rip
route-map
static
static6



config router access-list

access-list
Use this command to add, edit, or delete access lists.
Access lists are filters used by FortiGate routing features.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this
prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more
specific prefix.
The FortiGate unit attempts to match a packet against the rules in an access list starting at the top of
the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found,
the default action is deny.
For an access list to take effect it must be called by another FortiGate routing feature such as RIP or
OSPF.

Command syntax pattern


Add, edit or delete an access list with the specified name. An access list and a prefix list cannot have
the same name.
config router access-list
edit <name_str>
end
config router access-list
delete <name_str>
end
get router access-list [<name_str>]
show router access-list [<name_str>]
The config router access-list command has 1 subcommand.
config rule

config rule
Access the config rule subcommand using the config router access-list command. Use
the config rule command to add, edit, or delete access list rules with the specified number.

Command syntax pattern


config rule
edit <id_integer>
set <keyword> <variable>
end
config rule
edit <id_integer>
unset <keyword> <variable>
end
config rule
delete <id_integer>
end

get router access-list [<name_str>]
show router access-list [<name_str>]

rule command keywords and variables

action {deny | permit}
    Set the action to take for this prefix.
    Default: permit. Availability: All models.

exact_match {disable | enable}
    By default, access list rules are matched on the prefix or any more specific prefix. Enable exact_match to match only the configured prefix.
    Default: disable. Availability: All models.

prefix {<address_ipv4mask> | any}
    Enter the prefix (IP address and netmask) for this access list rule or enter any to match any prefix.
    Default: any. Availability: All models.

Example
This example shows how to add an access list named acc_list1 with two rules. The first rule denies
the subnet that exactly matches the prefix 192.168.50.0 255.255.255.0 and permits all other
subnets that match the prefix 192.168.0.0 255.255.0.0.
config router access-list
edit acc_list1
config rule
edit 1
set prefix 192.168.50.0 255.255.255.0
set action deny
set exact_match enable
next
edit 2
set prefix 192.168.0.0 255.255.0.0
set action permit
set exact_match disable
end
end
This example shows how to display the list of access lists.
get router access-list
This example shows how to display the settings for acc_list1.
get router access-list acc_list1
This example shows how to display the configuration for the router access-list command.
show router access-list
This example shows how to display the configuration for acc_list1.
show router access-list acc_list1
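The following added example is not part of this reference and not FortiGate code. It implements the evaluation described above (rules tried from the top, first match wins, deny when nothing matches) including the exact_match distinction, and runs it against the acc_list1 rules from the example. The dictionary layout and the function names are assumptions.

```python
"""Added example, not FortiGate code: access list evaluation with exact_match
semantics.  Rule dictionary layout and function names are assumptions."""
import ipaddress

# acc_list1 from the example above, keyed by rule id.
ACC_LIST1 = {
    1: {"prefix": "192.168.50.0 255.255.255.0", "action": "deny", "exact_match": "enable"},
    2: {"prefix": "192.168.0.0 255.255.0.0", "action": "permit", "exact_match": "disable"},
}


def cli_prefix(text):
    """'192.168.50.0 255.255.255.0' -> IPv4Network; the keyword any -> None."""
    if text == "any":
        return None
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def rule_matches(rule, candidate):
    """exact_match disable (the default): the configured prefix or any more specific
    prefix inside it.  exact_match enable: only the configured prefix itself."""
    configured = cli_prefix(rule.get("prefix", "any"))
    if configured is None:
        return True
    if rule.get("exact_match", "disable") == "enable":
        return candidate == configured
    return candidate.subnet_of(configured)


def evaluate(access_list, prefix_text):
    """Walk the rules in id order and return (action, id of the matching rule).
    No match means the implicit deny, reported with None as the rule id."""
    candidate = ipaddress.ip_network(prefix_text, strict=False)
    for rule_id in sorted(access_list):
        rule = access_list[rule_id]
        if rule_matches(rule, candidate):
            return rule.get("action", "permit"), rule_id
    return "deny", None


if __name__ == "__main__":
    for p in ("192.168.50.0/24", "192.168.50.0/25", "192.168.10.0/24", "10.1.0.0/16"):
        print(p, evaluate(ACC_LIST1, p))
```

Because rule 1 has exact_match enabled, only 192.168.50.0/24 itself is denied; the more specific 192.168.50.0/25 falls through to rule 2 and is permitted, as is every other subnet of 192.168.0.0/16. A prefix outside both rules, such as 10.1.0.0/16, is denied by the implicit default.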

Command History
FortiOS v2.80 New.


Related Commands
• config router ospf
• config router prefix-list
• config router rip



config router get router info ospf

get router info ospf


Use this command to display information about OSPF.

Command syntax
get router info ospf <keyword>

router info ospf command keywords and variables

border-routers
    Show OSPF routing table entries that have an Area Border Router (ABR) or Autonomous System Boundary Router (ASBR) as a destination.
    Availability: All models.

database
    Show the entries in the OSPF routing database.
    Availability: All models.

interface
    Show the status of the FortiGate interfaces and whether OSPF is enabled for each interface.
    Availability: All models.

neighbor
    Show information about OSPF neighbors.
    Availability: All models.

route
    Show the OSPF routing table.
    Availability: All models.

status
    Show general information about the OSPF routing processes.
    Availability: All models.

virtual-links
    Show information about OSPF virtual links.
    Availability: All models.

Examples
get router info ospf database
get router info ospf interface

Command History
FortiOS v2.80 MR1 New.
FortiOS v2.80 MR2 Renamed from execute router show ospf.
FortiOS v2.80 MR7 Added status keyword.

Related Commands
• execute router restart
• get router info protocols
• get router info routing_table
• config system interface
• config router ospf



config router get router info protocols

get router info protocols


Show the current state of active routing protocols.

Command syntax
get router info protocols

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show protocols.

Related Commands
• execute router restart
• get router info rip
• get router info routing_table
• config router rip
• config router ospf



config router get router info rip

get router info rip


Use this command to display information about RIP.

Command syntax
get router info rip <keyword>

router info rip command keywords and variables

database
    Show the entries in the RIP routing database.
    Availability: All models.

interface
    Show the status of the FortiGate interfaces and whether RIP is enabled for each interface.
    Availability: All models.

Examples
get router info rip database
get router info rip interface

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show rip.

Related Commands
• execute router restart-graceful
• get router info protocols
• get router info routing_table
• config router rip
• config system interface



config router get router info routing_table

get router info routing_table


Display the routing table.

Command syntax
get router info routing_table

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Renamed from execute router show routing_table.

Related Commands
• execute router restart
• execute router restart-graceful
• get router info ospf
• get router info protocols
• get router info rip
• config router policy
• config router rip
• config router static
• config router static6
• config system interface



config router key-chain

key-chain
Use this command to manage RIP version 2 authentication keys.
RIP version 2 uses authentication keys to ensure that the routing information exchanged between
routers is reliable. For authentication to work both the sending and receiving routers must be set to use
authentication, and must be configured with the same keys.
A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are
used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates
from one key to the next according to the scheduled send and receive lifetimes. The sending and
receiving routers should have their system dates and times synchronized, but overlapping the key
lifetimes ensures that a key is always available even if there is some difference in the system times.
See “config system global” on page 244 to ensure that the FortiGate system date and time are correct.

Command syntax pattern


Add, edit or delete a key chain with the specified name.
config router key-chain
edit <name_str>
end
config router key-chain
delete <name_str>
end
get router key-chain [<name_str>]
show router key-chain [<name_str>]
The config router key-chain command has 1 subcommand.
config key

config key
Access the config key subcommand using the config router key-chain command. Use the
config key command to add, edit, or delete keys identified by the specified number.

Command syntax pattern


config key
edit <id_integer>
set <keyword> <variable>
end
config key
edit <id_integer>
unset <keyword> <variable>
end
config key
delete <id_integer>
end
get router key-chain [<name_str>]
show router key-chain [<name_str>]


key command keywords and variables

accept-lifetime {<hh:mm:ss day month year> {<hh:mm:ss day month year> | <duration_integer> | infinite}}
    Set the time period during which the key can be received.
    The first <hh:mm:ss day month year> variable sets the start time.
    The second variable (a choice of three settings) sets the end time and can be a date and time, a duration in seconds, or infinite (for a key that never expires).
    Valid settings for <hh:mm:ss day month year> are:
    • hh - 0 to 23
    • mm - 0 to 59
    • ss - 0 to 59
    • day - 1 to 31
    • month - 1 to 12
    • year - 1993 to 2035
    The duration_integer range is from 1 to 2147483646 seconds.
    Default: No default. Availability: All models.

key-string <password_str>
    The <password_str> can be up to 35 characters long.
    Default: No default. Availability: All models.

send-lifetime {<hh:mm:ss day month year> {<hh:mm:ss day month year> | <duration_integer> | infinite}}
    Set the time period during which the key can be sent.
    The first <hh:mm:ss day month year> variable sets the start time.
    The second variable (a choice of three settings) sets the end time and can be a date and time, a duration in seconds, or infinite (for a key that never expires).
    Valid settings for <hh:mm:ss day month year> are:
    • hh - 0 to 23
    • mm - 0 to 59
    • ss - 0 to 59
    • day - 1 to 31
    • month - 1 to 12
    • year - 1993 to 2035
    The duration_integer range is from 1 to 2147483646 seconds.
    Default: No default. Availability: All models.


Example
This example shows how to add a key chain named test1 with three keys. The first two keys each
have send and receive lifetimes of 13 hours, and the 3rd key has send and receive lifetimes that never
expire.
config router key-chain
edit test1
config key
edit 1
set accept-lifetime 10:00:00 1 6 2004 46800
set send-lifetime 10:00:00 1 6 2004 46800
set key-string 1a2b2c4d5e6f7g8h
next
edit 2
set accept-lifetime 22:00:00 1 6 2004 46800
set send-lifetime 22:00:00 1 6 2004 46800
set key-string 9i1j2k3l4m5n6o7p
next
edit 3
set accept-lifetime 10:00:00 2 6 2004 infinite
set send-lifetime 10:00:00 2 6 2004 infinite
set key-string 123abc456def789g
end
end
This example shows how to display the list of key-chains.
get router key-chain
This example shows how to display the settings for the key chain test1.
get router key-chain test1
This example shows how to display the configuration for the router key-chain command.
show router key-chain
This example shows how to display the configuration for the key chain test1.
show router key-chain test1
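The following added example is not part of this reference and not FortiGate code. It parses the accept-lifetime and send-lifetime syntax of the key command and checks the key chain test1 from the example above for the property the text recommends: that lifetimes overlap so a key is always available, and that the chain does not silently expire. The dictionary layout and the function names are assumptions; the key strings are the page's own sample values.

```python
"""Added example, not FortiGate code: parse key lifetimes and check a key chain
for overlap, gaps and expiry.  Dict layout and function names are assumptions."""
from datetime import datetime, timedelta

INFINITE = datetime.max  # stands in for the keyword infinite

# The key chain test1 from the example above.
TEST1 = {
    1: {"accept-lifetime": "10:00:00 1 6 2004 46800",
        "send-lifetime": "10:00:00 1 6 2004 46800", "key-string": "1a2b2c4d5e6f7g8h"},
    2: {"accept-lifetime": "22:00:00 1 6 2004 46800",
        "send-lifetime": "22:00:00 1 6 2004 46800", "key-string": "9i1j2k3l4m5n6o7p"},
    3: {"accept-lifetime": "10:00:00 2 6 2004 infinite",
        "send-lifetime": "10:00:00 2 6 2004 infinite", "key-string": "123abc456def789g"},
}


def stamp(text):
    """'10:00:00 1 6 2004' (hh:mm:ss day month year) -> datetime(2004, 6, 1, 10, 0, 0)."""
    hms, day, month, year = text.split()
    hh, mm, ss = (int(x) for x in hms.split(":"))
    return datetime(int(year), int(month), int(day), hh, mm, ss)


def parse_lifetime(text):
    """'<start> {<end> | <duration_integer> | infinite}' -> (start, end).
    A duration is counted in seconds from the start time."""
    parts = text.split()
    start = stamp(" ".join(parts[:4]))
    tail = parts[4:]
    if tail == ["infinite"]:
        end = INFINITE
    elif len(tail) == 1:
        seconds = int(tail[0])
        if not 1 <= seconds <= 2147483646:       # range given in the table above
            raise ValueError("duration_integer out of range")
        end = start + timedelta(seconds=seconds)
    elif len(tail) == 4:
        end = stamp(" ".join(tail))
    else:
        raise ValueError(f"bad lifetime syntax: {text!r}")
    if end <= start:
        raise ValueError("lifetime ends before it starts")
    return start, end


def active_keys(chain, when, direction="send-lifetime"):
    """Ids of the keys whose lifetime in the given direction covers the instant `when`."""
    active = []
    for kid in sorted(chain):
        start, end = parse_lifetime(chain[kid][direction])
        if start <= when < end:
            active.append(kid)
    return active


def coverage_gaps(chain, direction="send-lifetime"):
    """Periods between the first start and the last end in which no key is valid.
    An empty list means the unit is never left without a key in that direction."""
    spans = sorted(parse_lifetime(key[direction]) for key in chain.values())
    gaps, reach = [], spans[0][1]
    for start, end in spans[1:]:
        if start > reach:
            gaps.append((reach, start))
        reach = max(reach, end)
    return gaps


def expires_at(chain, direction="send-lifetime"):
    """End of the last lifetime, or None when the chain contains an infinite key."""
    last = max(parse_lifetime(key[direction])[1] for key in chain.values())
    return None if last == INFINITE else last


if __name__ == "__main__":
    print("gaps:", coverage_gaps(TEST1), "expires:", expires_at(TEST1))
    print("active at 22:30 on 1 June 2004:", active_keys(TEST1, stamp("22:30:00 1 6 2004")))
```

For test1 the first two keys overlap for an hour (22:00 to 23:00 on 1 June 2004) and the second overlaps the third from 10:00 to 11:00 on 2 June, so coverage_gaps returns nothing and the infinite third key means the chain never expires. Moving the second key's start to 23:30 would open a thirty-minute gap in which the unit has no key to send, which the check reports.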

Command History
FortiOS v2.80 New.

Related Commands
• config router rip
• config system global



config router ospf

ospf
Use this command to configure open shortest path first (OSPF) on the FortiGate unit.
OSPF is an open protocol based on the shortest path first algorithm. OSPF is a link state protocol
capable of routing larger networks than the simpler distance vector RIP protocol. An OSPF
autonomous system (AS) or routing domain is a group of areas connected to a backbone area. A
router connected to more than one area is an area border router (ABR). Routing information is
contained in a link state database. Routing information is communicated between routers using link
state advertisements (LSAs). More information on OSPF can be found in RFC 2328.

Command syntax pattern


config router ospf
set <keyword> <variable>
end
config router ospf
unset <keyword>
end
get router ospf
show router ospf
The config router ospf command has 7 subcommands.
config area
config distribute-list
config neighbor
config network
config ospf-interface
config redistribute
config summary-address

Note: In the following table, only the router-id keyword is required. All other keywords are optional.


ospf command keywords and variables

abr-type {cisco | ibm | shortcut | standard}
    Specify the behavior of a FortiGate unit acting as an OSPF area border router (ABR) when it has multiple attached areas and has no backbone connection. Selecting the ABR type compatible with the routers on your network can reduce or eliminate the need for configuring and maintaining virtual links. For more information, see RFC 3509.
    Default: cisco. Availability: All models.

database-overflow {disable | enable}
    Enable or disable dynamically limiting link state database size under overflow conditions. Enable this command for FortiGate units on a network with routers that because of limited resources may not be able to maintain a complete link state database.
    Default: disable. Availability: All models.

database-overflow-max-lsas <lsas_integer>
    If you have enabled database-overflow, set the limit for the number of external link state advertisements (LSAs) that the FortiGate unit can keep in its link state database before entering the overflow state. The lsas_integer must be the same on all routers attached to the OSPF area and the OSPF backbone. The valid range for lsas_integer is 0 to 4294967294.
    Default: 10000. Availability: All models.

database-overflow-time-to-recover <seconds_integer>
    Enter the time, in seconds, after which the FortiGate unit will attempt to leave the overflow state. If seconds_integer is set to 0, the FortiGate unit will not leave the overflow state until restarted. The valid range for seconds_integer is 0 to 65535.
    Default: 300. Availability: All models.

default-information-metric <metric_integer>
    Specify the metric for the default route set by the default-information-originate command. The valid range for metric_integer is 1 to 16777214.
    Default: 10. Availability: All models.

default-information-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the default-information-originate command.
    Default: 2. Availability: All models.

default-information-originate {always | disable | enable}
    Enter enable to advertise a default route into an OSPF routing domain. Use always to advertise a default route even if the FortiGate unit does not have a default route in its routing table.
    Default: disable. Availability: All models.

default-information-route-map <name_str>
    If you have set default-information-originate to always, and there is no default route in the routing table, you can configure a route map to define the parameters that OSPF uses to advertise the default route.
    Default: null. Availability: All models.

default-metric <metric_integer>
    Specify the default metric that OSPF should use for redistributed routes. The valid range for metric_integer is 1 to 16777214.
    Default: 10. Availability: All models.

distance <distance_integer>
    Configure the administrative distance for all OSPF routes. Using administrative distance you can specify the relative priorities of different routes to the same destination. A lower administrative distance indicates a more preferred route. The valid range for distance_integer is 1 to 255.
    Default: 110. Availability: All models.

passive-interface <name_str>
    OSPF routing information is not sent or received through the specified interface.
    Default: No default. Availability: All models.

rfc1583-compatible {disable | enable}
    Enable or disable RFC 1583 compatibility. RFC 1583 compatibility should be enabled only when there is another OSPF router in the network that only supports RFC 1583. When RFC 1583 compatibility is enabled, routers choose the path with the lowest cost. Otherwise, routers choose the lowest cost intra-area path through a non-backbone area.
    Default: disable. Availability: All models.

router-id <address_ipv4>
    Set the router ID. The router ID is a unique number, in IP address dotted decimal format, that is used to identify an OSPF router to other OSPF routers. The router ID should not be changed while OSPF is running. A router ID of 0.0.0.0 is not allowed.
    Default: 0.0.0.0. Availability: All models.

spf-timers <delay_integer> <hold_integer>
    Change the default shortest path first (SPF) calculation delay time and frequency.
    The delay_integer is the time, in seconds, between when OSPF receives information that will require an SPF calculation and when it starts an SPF calculation. The valid range for delay_integer is 0 to 4294967295.
    The hold_integer is the minimum time, in seconds, between consecutive SPF calculations. The valid range for hold_integer is 0 to 4294967295.
    OSPF updates routes more quickly if the SPF timers are set low; however, this uses more CPU. A setting of 0 for spf-timers can quickly use up all available CPU.
    Default: 5 10. Availability: All models.

Example
This example shows how to set the OSPF router ID to 1.1.1.1:
config router ospf
set router-id 1.1.1.1
end
This example shows how to display the OSPF settings.
get router ospf
This example shows how to display the OSPF configuration.
show router ospf


config area
Access the config area subcommand using the config router ospf command. Use the
config area command to set OSPF area related parameters.
Routers in an OSPF autonomous system (AS) or routing domain are organized into logical groupings
called areas. Areas are linked together by area border routers (ABRs). There must be a backbone
area that all areas can connect to. You can use a virtual link to connect areas that do not have a
physical connection to the backbone. Routers within an OSPF area maintain link state databases for
their own areas.

Command syntax pattern

Note: Any IP address is a valid area ID. An area ID of 0.0.0.0 indicates the backbone area.

config area
edit <id_ipv4>
set <keyword> <variable>
end
config area
edit <id_ipv4>
unset <keyword> <variable>
end
config area
delete <id_ipv4>
end
config area
edit <id_ipv4>
get
end
config area
edit <id_ipv4>
show
end
The config area command has 3 subcommands.
config filter-list
config range
config virtual-link

Note: All area keywords are optional.


area command keywords and variables

authentication {md5 | none | text}
    Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received in this area. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, an authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the area.
    If you configure authentication for interfaces, the authentication configured for the area is not used. Authentication passwords or keys are defined per interface. See “config ospf-interface” on page 165.
    Default: none. Availability: All models.

default-cost <cost_integer>
    Enter the metric to use for the summary default route in a stub area or not so stubby area (NSSA). A lower default cost indicates a more preferred route. The valid range for cost_integer is 1 to 16777214.
    Default: 10. Availability: All models.

nssa-default-information-originate {disable | enable}
    Enter enable to advertise a default route in a not so stubby area. Affects NSSA ABRs or NSSA Autonomous System Boundary Routers only.
    Default: disable. Availability: All models.

nssa-default-information-originate-metric <metric_integer>
    Specify the metric for the default route set by the nssa-default-information-originate keyword.
    Default: 10. Availability: All models.

nssa-default-information-originate-metric-type {1 | 2}
    Specify the OSPF external metric type for the default route set by the nssa-default-information-originate keyword.
    Default: 2. Availability: All models.

nssa-redistribution {disable | enable}
    Enable or disable redistributing routes into a NSSA area.
    Default: enable. Availability: All models.

nssa-translator-role {always | candidate | never}
    A NSSA border router can translate the Type 7 LSAs used for external route information within the NSSA to Type 5 LSAs used for distributing external route information to other parts of the OSPF routing domain. Usually a NSSA will have only one NSSA border router acting as a translator for the NSSA.
    You can set the translator role to always to ensure this FortiGate unit always acts as a translator if it is in a NSSA, even if other routers in the NSSA are also acting as translators.
    You can set the translator role to candidate to have this FortiGate unit participate in the process for electing a translator for a NSSA.
    You can set the translator role to never to ensure this FortiGate unit never acts as the translator if it is in a NSSA.
    Default: candidate. Availability: All models.

shortcut {default | disable | enable}
    Use this command to specify area shortcut parameters.
    Default: disable. Availability: All models.

stub-type {no-summary | summary}
    Enter no-summary to prevent an ABR sending summary LSAs into a stub area. Enter summary to allow an ABR to send summary LSAs into a stub area.
    Default: summary. Availability: All models.

type {nssa | regular | stub}
    Set the area type:
    • Select nssa for a not so stubby area.
    • Select regular for a normal OSPF area.
    • Select stub for a stub area.
    Default: regular. Availability: All models.

Example
This example shows how to configure a stub area with the id 15.1.1.1, a stub type of summary, a
default cost of 20, and MD5 authentication.
config router ospf
config area
edit 15.1.1.1
set type stub
set stub-type summary
set default-cost 20
set authentication md5
end
end
This example shows how to display the settings for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
get
end
This example shows how to display the configuration for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
show
end

config filter-list
Access the config filter-list subcommand using the config area subcommand.
Use filter lists to control the import and export of LSAs into and out of an area. You can use access or
prefix lists for OSPF area filter lists. For more information, see “access-list” on page 140 and
“prefix-list” on page 175.


Command syntax pattern


config filter-list
edit <id_integer>
set <keyword> <variable>
end
config filter-list
edit <id_integer>
unset <keyword>
end
config filter-list
delete <id_integer>
end
config filter-list
edit <id_integer>
get
end
config filter-list
edit <id_integer>
show
end

Note: Both keywords are required.

filter-list command keywords and variables

direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing packets.
    Default: out. Availability: All models.

list <name_str>
    Enter the name of the access list or prefix list to use for this filter list.
    Default: null. Availability: All models.

Example
This example shows how to use an access list named acc_list1 to filter packets entering area
15.1.1.1.
config router ospf
config area
edit 15.1.1.1
config filter-list
edit 1
set direction in
set list acc_list1
end
end


This example shows how to display the settings for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
get
end
This example shows how to display the configuration for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
show
end

config range
Access the config range subcommand using the config area command.
Use the area range command to summarize routes at an area boundary. If the network numbers in an
area are contiguous, the ABR advertises a summary route that includes all the networks within the
area that are within the specified range.

Command syntax pattern


The range id_integer can be 0 to 4294967295.
config range
edit <id_integer>
set <keyword> <variable>
end
config range
edit <id_integer>
unset <keyword>
end
config range
delete <id_integer>
end
config range
edit <id_integer>
get
end
config range
edit <id_integer>
show
end

Note: Only the prefix keyword is required. All other keywords are optional.


range command keywords and variables

advertise {disable | enable}
    Enable or disable advertising the specified range.
    Default: enable. Availability: All models.

prefix <address_ipv4mask>
    Specify the range of addresses to summarize.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

substitute <address_ipv4mask>
    Enter a prefix to advertise instead of the prefix defined for the range. The prefix 0.0.0.0 0.0.0.0 is not allowed.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

substitute-status {disable | enable}
    Enable or disable using a substitute prefix.
    Default: disable. Availability: All models.

Example
This example shows how to set the prefix for range 1 of area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
config range
edit 1
set prefix 1.1.0.0 255.255.0.0
end
end
This example shows how to display the settings for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
get
end
This example shows how to display the configuration for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
show
end

config virtual-link
Access the config virtual-link subcommand using the config area command.
Use virtual links to connect an area to the backbone when the area has no direct connection to the
backbone. A virtual link allows traffic from the area to transit a directly connected area to reach the
backbone. The transit area cannot be a stub area. Virtual links can only be set up between two area
border routers (ABRs).


Command syntax pattern


config virtual-link
edit <name_str>
set <keyword> <variable>
end
config virtual-link
edit <name_str>
unset <keyword>
end
config virtual-link
delete <name_str>
end
config virtual-link
edit <name_str>
get
end
config virtual-link
edit <name_str>
show
end

Note: Only the peer keyword is required. All other keywords are optional.

virtual-link command keywords and variables

authentication {md5 | none | text}
    Set the authentication type. Use the authentication keyword to define the authentication used for OSPF packets sent and received over this virtual link. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, an authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the OSPF packet, not the confidentiality of the information in the packet. In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the area.
    Default: none. Availability: All models.

authentication-key <password_str>
    Enter the password to use for text authentication. The authentication-key must be the same on both ends of the virtual link. The maximum length for the authentication-key is 15 characters.
    Default: No default. Availability: All models; authentication must be set to text.

dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. Both ends of the virtual link must use the same value for dead-interval. The valid range for seconds_integer is 1 to 65535.
    Default: 40. Availability: All models.

hello-interval <seconds_integer>
    The time, in seconds, between hello packets. Both ends of the virtual link must use the same value for hello-interval. The valid range for seconds_integer is 1 to 65535.
    Default: 10. Availability: All models.

md5-key <id_integer> <key_str>
    Enter the key ID and password to use for MD5 authentication. Both ends of the virtual link must use the same key ID and key. The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.
    Default: No default. Availability: All models; authentication must be set to md5.

peer <address_ipv4>
    The router id of the remote ABR. 0.0.0.0 is not allowed.
    Default: 0.0.0.0. Availability: All models.

retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending a LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.
    Default: 5. Availability: All models.

transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this virtual link. OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the virtual link. Increase the value for transmit-delay on low speed links. The valid range for seconds_integer is 1 to 65535.
    Default: 1. Availability: All models.

Example
This example shows how to configure a virtual link.
config router ospf
config area
edit 15.1.1.1
config virtual-link
edit vlnk1
set peer 1.1.1.1
end
end

This example shows how to display the settings for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
get
end
This example shows how to display the configuration for area 15.1.1.1.
config router ospf
config area
edit 15.1.1.1
show
end

config distribute-list
Access the config distribute-list subcommand using the config router ospf command.
Use this command to apply an access list that filters the networks in routing updates. Routes not matched
by any of the distribute lists are not advertised.
You must configure the access list that you want the distribute list to use before you configure the
distribute list. For more information on configuring access lists, see “config router access-list” on
page 140.

Command syntax pattern


config distribute-list
edit <id_integer>
set <keyword> <variable>
end
config distribute-list
edit <id_integer>
unset <keyword>
end
config distribute-list
delete <id_integer>
end
config distribute-list
edit <id_integer>
get
end
config distribute-list
edit <id_integer>
show
end

Note: Both keywords are required.

distribute-list command keywords and variables

access-list <name_str>
    Enter the name of the access list to use for this distribute list.
    Default: null. Availability: All models.

protocol {connected | rip | static}
    Advertise only the routes discovered by the specified protocol and that are permitted by the named access list.
    Default: connected. Availability: All models.

Example
This example shows how to configure a distribute list numbered 2 to use an access list named
acc_list1 for all static routes.
config router ospf
config distribute-list
edit 2
set access-list acc_list1
set protocol static
end
end
This example shows how to display the settings for distribute list 2.
config router ospf
config distribute-list
edit 2
get
end
This example shows how to display the configuration for distribute list 2.
config router ospf
config distribute-list
edit 2
show
end

config neighbor
Access the config neighbor subcommand using the config router ospf command.
Use this command to manually configure an OSPF neighbor on nonbroadcast networks. OSPF
packets are unicast to the specified neighbor address. You can configure multiple neighbors.

Command syntax pattern


config neighbor
edit <id_integer>
set <keyword> <variable>
end
config neighbor
edit <id_integer>
unset <keyword>
end

config neighbor
delete <id_integer>
end
config neighbor
edit <id_integer>
get
end
config neighbor
edit <id_integer>
show
end

Note: Only the ip keyword is required. All other keywords are optional.

neighbor command keywords and variables

cost <cost_integer>
    Enter the cost to use for this neighbor. The valid range for cost_integer is 1 to 65535.
    Default: 10. Availability: All models.

ip <address_ipv4>
    Enter the IP address of the neighbor.
    Default: 0.0.0.0. Availability: All models.

poll-interval <seconds_integer>
    Enter the time, in seconds, between hello packets sent to the neighbor in the down state. The value of the poll interval must be larger than the value of the hello interval. The valid range for seconds_integer is 1 to 65535.
    Default: 10. Availability: All models.

priority <priority_integer>
    Enter a priority number for the neighbor. The valid range for priority_integer is 0 to 255.
    Default: 1. Availability: All models.

Example
This example shows how to manually add a neighbor.
config router ospf
config neighbor
edit 1
set ip 192.168.21.63
end
end
This example shows how to display the settings for neighbor 1.
config router ospf
config neighbor
edit 1
get
end

This example shows how to display the configuration for neighbor 1.
config router ospf
config neighbor
edit 1
show
end

config network
Access the config network subcommand using the config router ospf command.
Use this command to identify the interfaces to include in the specified OSPF area. The prefix
keyword can define one or multiple interfaces.

Command syntax pattern


config network
edit <id_integer>
set <keyword> <variable>
end
config network
edit <id_integer>
unset <keyword>
end
config network
delete <id_integer>
end
config network
edit <id_integer>
get
end
config network
edit <id_integer>
show
end

network command keywords and variables

area <id_ipv4>
    The ID number of the area to be associated with the prefix.
    Default: 0.0.0.0. Availability: All models.

prefix <address_ipv4mask>
    Enter the IP address and netmask for the OSPF network.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

Example
Use the following command to enable OSPF for the interfaces attached to networks specified by the IP
address 10.0.0.0 and the netmask 255.255.255.0 and to add these interfaces to area 10.1.1.1.
config router ospf
config network
edit 2
set area 10.1.1.1
set prefix 10.0.0.0 255.255.255.0
end
end
This example shows how to display the settings for network 2.
config router ospf
config network
edit 2
get
end
This example shows how to display the configuration for network 2.
config router ospf
config network
edit 2
show
end

config ospf-interface
Access the config ospf-interface subcommand using the config router ospf command.
Use this command to change interface related OSPF settings.

Command syntax pattern


Note: The <interface-name_str> variable in the syntax pattern below represents a descriptive name for this
OSPF configuration. To set the FortiGate interface that this configuration will apply to, use the interface
<name_str> keyword and variable in the table below.

config ospf-interface
edit <interface-name_str>
set <keyword> <variable>
end
config ospf-interface
edit <interface-name_str>
unset <keyword>
end
config ospf-interface
delete <interface-name_str>
end

config ospf-interface
edit <interface-name_str>
get
end
config ospf-interface
edit <interface-name_str>
show
end

Note: The interface and ip keywords are required. All other keywords are optional.

ospf-interface command keywords and variables

authentication {md5 | none | text}
    Use the authentication keyword to define the authentication used for OSPF packets sent and received by this interface. If you select none, no authentication is used. If you select text, the authentication key is sent as plain text. If you select md5, the authentication key is used to generate an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the confidentiality of the routing information in the packet.
    In text mode the key is sent in clear text over the network. Text mode is usually used only to prevent network problems that can occur if an unwanted or misconfigured router is mistakenly added to the network.
    If you configure authentication for the interface, authentication for areas is not used.
    All routers on the network must use the same authentication type.
    Default: none. Availability: All models.

authentication-key <password_str>
    Enter the password to use for text authentication. The authentication-key must be the same on all neighboring routers. The maximum length for the authentication-key is 15 characters.
    Default: No default. Availability: All models; authentication must be set to text.

cost <cost_integer>
    Specify the cost (metric) of the link. The cost is used for shortest path first calculations.
    Default: 10. Availability: All models.

database-filter-out {disable | enable}
    Enable or disable flooding LSAs out of this interface.
    Default: disable. Availability: All models.

dead-interval <seconds_integer>
    The time, in seconds, to wait for a hello packet before declaring a router down. The value of the dead-interval should be four times the value of the hello-interval. All routers on the network must use the same value for dead-interval. The valid range for seconds_integer is 1 to 65535.
    Default: 40. Availability: All models.

hello-interval <seconds_integer>
    The time, in seconds, between hello packets. All routers on the network must use the same value for hello-interval. The valid range for seconds_integer is 1 to 65535.
    Default: 10. Availability: All models.

interface <name_str>
    Enter the name of the interface to associate with this OSPF configuration.
    Default: null. Availability: All models.

ip <address_ipv4>
    Enter the IP address of the interface named by the interface keyword. It is possible to apply different OSPF configurations for different IP addresses defined on the same interface. The IP address 0.0.0.0 is not allowed.
    Default: 0.0.0.0. Availability: All models.

md5-key <id_integer> <key_str>
    Enter the key ID and password to use for MD5 authentication. You can add more than one key ID and key pair per interface. However, you cannot unset one key without unsetting all of the keys. The key ID and key must be the same on all neighboring routers. The valid range for id_integer is 1 to 255. key_str is an alphanumeric string of up to 16 characters.
    Default: No default. Availability: All models; authentication must be set to md5.

mtu <mtu_integer>
    Change the Maximum Transmission Unit (MTU) size included in database description packets sent out this interface. The valid range for mtu_integer is 576 to 65535.
    Default: 1500. Availability: All models.

mtu-ignore {disable | enable}
    Use this command to control the way OSPF behaves when the MTU in the sent and received database description packets does not match. When mtu-ignore is enabled, OSPF will stop detecting mismatched MTUs and go ahead and form an adjacency. When mtu-ignore is disabled, OSPF will detect mismatched MTUs and not form an adjacency. mtu-ignore should only be enabled if it is not possible to reconfigure the MTUs so that they match.
    Default: disable. Availability: All models.

network-type {broadcast | non-broadcast | point-to-multipoint | point-to-point}
    Specify the type of network to which the interface is connected. OSPF supports four different types of network. This command specifies the behavior of the OSPF interface according to the network type. If you specify the non-broadcast keyword, you must also configure neighbors using “config neighbor” on page 162.
    Default: broadcast. Availability: All models.

priority <priority_integer>
    Set the router priority for this interface. Router priority is used during the election of a designated router (DR) and backup designated router (BDR). An interface with router priority set to 0 cannot be elected DR or BDR. The interface with the highest router priority wins the election. If there is a tie for router priority, router ID is used. Point-to-point networks do not elect a DR or BDR; therefore, this setting has no effect on a point-to-point network. The valid range for priority_integer is 0 to 255.
    Default: 1. Availability: All models.

retransmit-interval <seconds_integer>
    The time, in seconds, to wait before sending an LSA retransmission. The value for the retransmit interval must be greater than the expected round-trip delay for a packet. The valid range for seconds_integer is 1 to 65535.
    Default: 5. Availability: All models.

status {disable | enable}
    Enable or disable OSPF on this interface.
    Default: enable. Availability: All models.

transmit-delay <seconds_integer>
    The estimated time, in seconds, required to send a link state update packet on this interface. OSPF increments the age of the LSAs in the update packet to account for transmission and propagation delays on the interface. Increase the value for transmit-delay on low speed links. The valid range for seconds_integer is 1 to 65535.
    Default: 1. Availability: All models.

Example
This example shows how to assign an OSPF interface configuration named test to the interface
named internal and how to configure text authentication for this interface.
config router ospf
config ospf-interface
edit test
set interface internal
set ip 192.168.20.3
set authentication text
set authentication-key a2b3c4d5e
end
end
This example shows how to display the settings for the OSPF interface configuration named test.
config router ospf
config ospf-interface
edit test
get
end

This example shows how to display the configuration for the OSPF interface configuration named test.
config router ospf
config ospf-interface
edit test
show
end
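The ospf-interface table states several rules that two neighbors must both satisfy before they form an adjacency (equal hello-interval, dead-interval and authentication type; matching keys; dead-interval four times hello-interval; equal MTUs unless mtu-ignore is enabled). The following Python is an added example, not part of this guide or of FortiOS: it encodes those rules as a pre-change check. The dictionary layout keyed by CLI keyword is an assumption of this example; side A reuses the values from the example above and side B is constructed.

```python
"""Consistency checks for the ospf-interface settings of two neighboring routers."""

# Documented defaults for the keywords checked here (from the table above).
DEFAULTS = {
    "hello-interval": 10,
    "dead-interval": 40,
    "authentication": "none",
    "authentication-key": None,
    "md5-key": {},          # key id -> key string; several pairs may be set
    "mtu": 1500,
    "mtu-ignore": "disable",
}


def with_defaults(side):
    """Fill in documented defaults for keywords the operator did not set."""
    merged = dict(DEFAULTS)
    merged.update(side)
    return merged


def check_side(name, side):
    """Range and authentication checks that apply to one interface configuration."""
    findings = []
    hello, dead = side["hello-interval"], side["dead-interval"]
    for kw in ("hello-interval", "dead-interval"):
        if not 1 <= side[kw] <= 65535:
            findings.append(f"{name}: {kw} {side[kw]} outside 1..65535")
    if dead != 4 * hello:
        findings.append(f"{name}: dead-interval {dead} is not four times hello-interval {hello}")
    if not 576 <= side["mtu"] <= 65535:
        findings.append(f"{name}: mtu {side['mtu']} outside 576..65535")
    auth = side["authentication"]
    if auth == "none":
        findings.append(f"{name}: OSPF packets are unauthenticated")
    elif auth == "text":
        key = side["authentication-key"]
        if not key:
            findings.append(f"{name}: authentication text but no authentication-key set")
        elif len(key) > 15:
            findings.append(f"{name}: authentication-key longer than 15 characters")
        findings.append(f"{name}: text authentication sends the key in clear text")
    elif auth == "md5":
        if not side["md5-key"]:
            findings.append(f"{name}: authentication md5 but no md5-key set")
        for kid, key in side["md5-key"].items():
            if not 1 <= kid <= 255:
                findings.append(f"{name}: md5-key id {kid} outside 1..255")
            if len(key) > 16:
                findings.append(f"{name}: md5-key {kid} longer than 16 characters")
    else:
        findings.append(f"{name}: unknown authentication type {auth!r}")
    return findings


def check_adjacency(a, b):
    """Return every reason the two sides would not form a clean adjacency.

    An empty list means the settings are consistent with the rules on this page.
    """
    a, b = with_defaults(a), with_defaults(b)
    findings = check_side("A", a) + check_side("B", b)
    for kw in ("hello-interval", "dead-interval", "authentication"):
        if a[kw] != b[kw]:
            findings.append(f"{kw} mismatch: A={a[kw]} B={b[kw]}")
    if a["authentication"] == b["authentication"] == "text":
        if a["authentication-key"] != b["authentication-key"]:
            findings.append("authentication-key differs between A and B")
    if a["authentication"] == b["authentication"] == "md5":
        shared = [k for k, v in a["md5-key"].items() if b["md5-key"].get(k) == v]
        if not shared:
            findings.append("no md5-key id/key pair is common to A and B")
    # Conservative reading of mtu-ignore: a side with it disabled rejects a
    # database description packet whose MTU differs from its own.
    if a["mtu"] != b["mtu"] and not (a["mtu-ignore"] == b["mtu-ignore"] == "enable"):
        findings.append(f"mtu mismatch A={a['mtu']} B={b['mtu']} with mtu-ignore disabled")
    return findings


# Side A uses the values from the example above; side B is constructed.
SIDE_A = {"hello-interval": 10, "dead-interval": 40,
          "authentication": "text", "authentication-key": "a2b3c4d5e"}
SIDE_B = {"authentication": "md5", "md5-key": {1: "constructed-key"}}

if __name__ == "__main__":
    for line in check_adjacency(SIDE_A, SIDE_B):
        print(line)
```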

config redistribute
Access the config redistribute subcommand using the config router ospf command.
Use the redistribute command to advertise routes learned from RIP, static routes, or a direct
connection to the destination network.

Command syntax pattern


config redistribute {connected | static | rip}
set <keyword> <variable>
end
config redistribute {connected | static | rip}
unset <keyword>
end
get router ospf
show router ospf

redistribute command keywords and variables

metric <metric_integer>
    Enter the metric to be used for the redistributed routes. The metric_integer range is from 1 to 16777214.
    Default: 10. Availability: All models.

metric-type {1 | 2}
    Specify the external link type to be used for the redistributed routes.
    Default: 2. Availability: All models.

routemap <name_str>
    Enter the name of the route map to use for the redistributed routes. For information on how to configure route maps, see “config router route-map” on page 189.
    Default: null. Availability: All models.

status {disable | enable}
    Enable or disable redistributing routes.
    Default: disable. Availability: All models.

tag <tag_integer>
    Specify a tag for redistributed routes. The valid range for tag_integer is 0 to 4294967295.
    Default: 0. Availability: All models.

Example
This example shows how to enable route redistribution from RIP, using a metric of 3 and a route map
named rtmp2.
config router ospf
config redistribute rip
set metric 3
set routemap rtmp2
set status enable
end
end
This example shows how to display the OSPF settings.
get router ospf
This example shows how to display the OSPF configuration.
show router ospf

config summary-address
Access the config summary-address subcommand using the config router ospf command.
Use this command to summarize external routes for redistribution into OSPF. This command works
only for summarizing external routes on an Autonomous System Boundary Router (ASBR). For
information on summarization between areas, see “config range” on page 157. By replacing the LSAs
for each route with one aggregate route, you reduce the size of the OSPF link-state database.

Command syntax pattern


config summary-address
edit <id_integer>
set <keyword> <variable>
end
config summary-address
edit <id_integer>
unset <keyword>
end
config summary-address
delete <id_integer>
end
get router ospf
show router ospf

Note: Only the prefix keyword is required. All other keywords are optional.

summary-address command keywords and variables

advertise {disable | enable}
    Advertise or suppress the summary route that matches the specified prefix.
    Default: enable. Availability: All models.

prefix <address_ipv4mask>
    Enter the prefix (IP address and netmask) to use for the summary route. The prefix 0.0.0.0 0.0.0.0 is not allowed.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

tag <tag_integer>
    Specify a tag for the summary route. The valid range for tag_integer is 0 to 4294967295.
    Default: 0. Availability: All models.

Example
This example shows how to summarize routes using the prefix 10.0.0.0 255.0.0.0.
config router ospf
config summary-address
edit 5
set prefix 10.0.0.0 255.0.0.0
end
end
This example shows how to display the OSPF settings.
get router ospf
This example shows how to display the OSPF configuration.
show router ospf

Command History
FortiOS v2.80 New.

Related Commands
• config router access-list
• config router prefix-list
• config router route-map
• get router info ospf
• get router info protocols
• get router info routing_table

config router policy

policy
When you create a policy route, any packets that match the policy are forwarded to the IP address of
the next hop gateway through the specified outbound interface.
You can configure the FortiGate unit to route packets based on:
• a source address
• a protocol, service type, or port range
• the inbound interface
When the FortiGate unit receives a packet, it starts at the top of the policy routing list and attempts to
match the packet with a policy in ascending order. If the packet does not match any policy route, the FortiGate
unit routes the packet using the regular routing table (policy routing is processed before static routing).

Note: For static routing, any number of static routes can be defined for the same destination IP/mask. When
multiple routes for the same destination IP/mask exist, the FortiGate unit chooses the route with the lowest
number in the Distance field. Route redundancy is not available for policy routing: any packets that match a policy
route are forwarded according to the route specified in the policy.

Command syntax pattern


Add, edit or delete a policy route with the specified sequence number.
config router policy
edit <sequence_integer>
set <keyword> <variable>
end
config router policy
edit <sequence_integer>
unset <keyword>
end
config router policy
delete <sequence_integer>
end
get router policy <sequence_integer>
show router policy <sequence_integer>

policy command keywords and variables

dst <destination-address_ipv4mask>
    Match packets that have this destination IP address and netmask.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

end_port <port_integer>
    The end port number of a port range for a policy route. Match packets that have this destination port range. You must configure both the start_port and end_port keywords for destination port range matching to take effect.
    Default: 0. Availability: All models.

gateway <address_ipv4>
    Send packets that match the policy to this next hop router.
    Default: 0.0.0.0. Availability: All models.

input_device <interface-name_str>
    Match packets that are received on this interface.
    Default: null. Availability: All models.

output_device <interface-name_str>
    Send packets that match the policy out this interface.
    Default: null. Availability: All models.

protocol <protocol_integer>
    Match packets that have this protocol number.
    Default: 0. Availability: All models.

src <source-address_ipv4mask>
    Match packets that have this source IP address and netmask.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

start_port <port_integer>
    The start port number of a port range for a policy route. Match packets that have this destination port range. You must configure both the start_port and end_port keywords for destination port range matching to take effect.
    Default: 0. Availability: All models.

Example
If a FortiGate unit provides Internet access for multiple internal subnets, you can use policy routing to
control the route that traffic from each network takes to the Internet. For example, if the internal
network includes the subnets 192.168.10.0 and 192.168.20.0 you can enter the following policy
routes:
• Enter the following command to route traffic from the 192.168.10.0 subnet to the
100.100.100.0 subnet. Force the packets to the next hop gateway at IP address 1.1.1.1
through the interface named external.
config router policy
edit 1
set input_device internal
set src 192.168.10.0 255.255.255.0
set dst 100.100.100.0 255.255.255.0
set output_device external
set gateway 1.1.1.1
end
• Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0
subnet. Force the packets to the next hop gateway at IP address 2.2.2.1 through the interface
named external.
config router policy
edit 2
set input_device internal
set src 192.168.20.0 255.255.255.0
set dst 200.200.200.0 255.255.255.0
set output_device external
set gateway 2.2.2.1
end

• Enter the following command to direct all HTTP traffic using port 80 to the next hop gateway at IP
address 1.1.1.1.
config router policy
edit 1
set input_device internal
set src 0.0.0.0 0.0.0.0
set dst 0.0.0.0 0.0.0.0
set output_device external
set gateway 1.1.1.1
set protocol 6
set start_port 80
set end_port 80
end
• Enter the following command to direct all other traffic to the next hop gateway at IP address
2.2.2.1.
config router policy
edit 2
set input_device internal
set src 0.0.0.0 0.0.0.0
set dst 0.0.0.0 0.0.0.0
set output_device external
set gateway 2.2.2.1
end
This example shows how to display the list of policy based routes.
get router policy
This example shows how to display the settings for routing policy 1.
get router policy 1
This example shows how to display the configuration for the router policy command.
show router policy
This example shows how to display the configuration for routing policy 1.
show router policy 1
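The policy routing examples above depend on two properties of the matching rules: policies are tried in ascending sequence order with the first match winning, and a port range only takes effect when both start_port and end_port are set. The following Python is an added example, not part of this guide or of FortiOS, that models that evaluation and also flags a policy that can never match because an earlier one covers it (the HTTP policy above would be shadowed if the catch-all had the lower sequence number). The Policy class and the packet dictionaries are this example's own data model, and the sample packets are constructed.

```python
"""First-match evaluation of FortiGate policy routes as described above."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(addr, mask):
    """Convert the CLI's 'address netmask' form to an ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class Policy:
    """One policy route. Field names are the CLI keywords; the class is this
    example's own data model, not a FortiGate export format."""
    seq: int
    input_device: str = ""                 # null = any interface
    src: ipaddress.IPv4Network = ANY       # 0.0.0.0 0.0.0.0 = any source
    dst: ipaddress.IPv4Network = ANY
    protocol: int = 0                      # 0 = any protocol
    start_port: int = 0
    end_port: int = 0
    output_device: str = ""
    gateway: str = "0.0.0.0"

    def matches(self, pkt):
        if self.input_device and pkt["input_device"] != self.input_device:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        # Port matching only takes effect when both start_port and end_port are set.
        if self.start_port and self.end_port:
            if not self.start_port <= pkt["dst_port"] <= self.end_port:
                return False
        return True

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this policy."""
        ports_cover = (not (self.start_port and self.end_port)) or (
            bool(other.start_port and other.end_port)
            and self.start_port <= other.start_port
            and other.end_port <= self.end_port)
        return (self.input_device in ("", other.input_device)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.protocol in (0, other.protocol)
                and ports_cover)


def route(policies, pkt):
    """Return (output_device, gateway) from the first matching policy, in
    ascending sequence order, or None to fall through to the routing table."""
    for pol in sorted(policies, key=lambda p: p.seq):
        if pol.matches(pkt):
            return pol.output_device, pol.gateway
    return None


def shadowed(policies):
    """Sequence numbers of policies that can never match because an earlier
    policy covers everything they would match."""
    ordered = sorted(policies, key=lambda p: p.seq)
    return [later.seq for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


# The HTTP / catch-all pair from the example above.
HTTP_POLICIES = [
    Policy(1, "internal", protocol=6, start_port=80, end_port=80,
           output_device="external", gateway="1.1.1.1"),
    Policy(2, "internal", output_device="external", gateway="2.2.2.1"),
]

# Constructed sample packets: input_device, src, dst, protocol, dst_port.
HTTP_PKT = {"input_device": "internal", "src": "192.168.10.5",
            "dst": "203.0.113.7", "protocol": 6, "dst_port": 80}
DNS_PKT = dict(HTTP_PKT, protocol=17, dst_port=53)

if __name__ == "__main__":
    print(route(HTTP_POLICIES, HTTP_PKT), route(HTTP_POLICIES, DNS_PKT))
    print("shadowed:", shadowed(HTTP_POLICIES))
```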

Command History
FortiOS v2.80 Revised.

Related Commands
• config router static

config router prefix-list

prefix-list
Use this command to add, edit, or delete prefix lists.
A prefix list is an enhanced version of an access list that allows you to control the length of the prefix
netmask.
Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix
(permit or deny), and maximum and minimum prefix length settings.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at the top of the
list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the
default action is deny.
For a prefix list to take effect it must be called by another FortiGate routing feature such as RIP or
OSPF.

Command syntax pattern


Add, edit or delete a prefix list with the specified name. An access list and a prefix list cannot have the
same name.
config router prefix-list
edit <name_str>
end
config router prefix-list
delete <name_str>
end
get router prefix-list [<name_str>]
show router prefix-list [<name_str>]
The config router prefix-list command has 1 subcommand.
config rule

config rule
Access the config rule subcommand using the config router prefix-list command. Use the
config rule command to add, edit, or delete prefix list rules with the specified number.

Command syntax pattern


config rule
edit <id_integer>
set <keyword> <variable>
end
config rule
edit <id_integer>
unset <keyword> <variable>
end
config rule
delete <id_integer>
end

get router prefix-list [<name_str>]
show router prefix-list [<name_str>]

rule command keywords and variables

action {deny | permit}
    Set the action to take for this prefix.
    Default: permit. Availability: All models.

ge <length_integer>
    Match prefix lengths that are greater than or equal to this number. The setting for ge should be less than the setting for le. The setting for ge should be greater than the netmask set for prefix. length_integer can be any number from 0 to 32.
    Default: 0. Availability: All models.

le <length_integer>
    Match prefix lengths that are less than or equal to this number. The setting for le should be greater than the setting for ge. length_integer can be any number from 0 to 32.
    Default: 32. Availability: All models.

prefix {<address_ipv4mask> | any}
    Enter the prefix (IP address and netmask) for this prefix list rule or enter any to match any prefix. The length of the netmask should be less than the setting for ge. If prefix is set to any, ge and le should not be set.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

Example
This example shows how to add a prefix list named prf_list1 with three rules. The first rule permits
subnets that match prefix lengths between 26 and 30 for the prefix 192.168.100.0
255.255.255.0. The second rule denies subnets that match the prefix lengths between 20 and 25
for the prefix 10.1.0.0 255.255.0.0. The third rule denies all other traffic.
config router prefix-list
edit prf_list1
config rule
edit 1
set prefix 192.168.100.0 255.255.255.0
set action permit
set ge 26
set le 30
next
edit 2
set prefix 10.1.0.0 255.255.0.0
set action deny
set ge 20
set le 25
next
edit 3
set prefix any
set action deny
end
end
This example shows how to display the list of prefix lists.
get router prefix-list

This example shows how to display the settings for prf_list1.
get router prefix-list prf_list1
This example shows how to display the configuration for the router prefix-list command.
show router prefix-list
This example shows how to display the configuration for prf_list1.
show router prefix-list prf_list1
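To make the prefix-list semantics above concrete (top-down evaluation, first prefix match decides, deny when nothing matches, and ge/le bounding the matched prefix length), here is an added Python example that is not part of this guide or of FortiOS. It evaluates candidate prefixes against the prf_list1 rules from the example above and lints a rule against the ge/le constraints stated in the table; the Rule class is this example's own data model.

```python
"""Prefix-list evaluation as described above: rules are tried from the top,
the first matching rule's action is taken, and no match means deny."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One prefix-list rule. Field names are the CLI keywords; the class is this
    example's own data model, not a FortiGate export format."""
    prefix: str = "any"         # "address netmask" or "any"
    action: str = "permit"      # documented default
    ge: int = 0                 # documented default
    le: int = 32                # documented default (since FortiOS v2.80 MR2)

    def network(self):
        if self.prefix == "any":
            return None
        addr, mask = self.prefix.split()
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    def matches(self, candidate):
        """candidate is an IPv4Network being checked against this rule."""
        base = self.network()
        if base is None:
            return True
        # The candidate must lie inside the rule's prefix and its length must
        # fall within [ge, le].
        return candidate.subnet_of(base) and self.ge <= candidate.prefixlen <= self.le


def lint(rule):
    """Warnings for the rule-writing constraints the table above states."""
    warnings = []
    if not 0 <= rule.ge <= 32 or not 0 <= rule.le <= 32:
        warnings.append("ge and le must be between 0 and 32")
    if rule.ge > rule.le:
        warnings.append(f"ge {rule.ge} is greater than le {rule.le}")
    base = rule.network()
    if base is None:
        if rule.ge != 0 or rule.le != 32:
            warnings.append("ge/le should not be set when prefix is any")
    elif rule.ge != 0 and rule.ge <= base.prefixlen:
        warnings.append(f"ge {rule.ge} is not greater than the prefix length {base.prefixlen}")
    return warnings


def evaluate(rules, candidate):
    """Return (action, rule_number) for the first matching rule; ("deny", None) if none."""
    cand = ipaddress.ip_network(candidate, strict=False)
    for number, rule in enumerate(rules, start=1):
        if rule.matches(cand):
            return rule.action, number
    return "deny", None


# prf_list1 from the example above.
PRF_LIST1 = [
    Rule("192.168.100.0 255.255.255.0", "permit", ge=26, le=30),
    Rule("10.1.0.0 255.255.0.0", "deny", ge=20, le=25),
    Rule("any", "deny"),
]

if __name__ == "__main__":
    for cand in ("192.168.100.64/27", "192.168.100.0/24", "10.1.4.0/22", "172.16.0.0/16"):
        print(cand, evaluate(PRF_LIST1, cand))
```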

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Changed default for le from 0 to 32.

Related Commands
• config router access-list
• config router rip

config router rip

rip
Use this command to configure Routing Information Protocol (RIP) on the FortiGate unit.
The FortiGate implementation of RIP supports both RIP version 1 as defined by RFC 1058, and RIP
version 2 as defined by RFC 2453. RIP version 2 enables RIP messages to carry more information,
and to support simple authentication and subnet masks.
RIP is a distance-vector routing protocol intended for small, relatively homogeneous, networks. RIP
uses hop count as its routing metric. Each network is usually counted as one hop. The network
diameter is limited to 15 hops.

Command syntax pattern


config router rip
set <keyword> <variable>
end
config router rip
unset <keyword>
end
get router rip
show router rip
The config router rip command has 7 subcommands.
config distance
config distribute-list
config interface
config neighbor
config network
config offset-list
config redistribute

rip command keywords and variables

default-information-originate {disable | enable}
    Enter enable to advertise a default static route into RIP.
    Default: disable. Availability: All models.

default-metric <metric_integer>
    For non-default routes in the static routing table and directly connected networks the default metric is the metric that the FortiGate unit advertises to adjacent routers. This metric is added to the metrics of learned routes. The default metric can be a number from 1 to 16.
    Default: 1. Availability: All models.

garbage-timer <timer_integer>
    The time in seconds that must elapse after the timeout interval for a route expires, before RIP deletes the route. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings.
    Default: 120. Availability: All models.

passive-interface <name_str>
    Block RIP broadcasts on the specified interface. You can use “config neighbor” on page 184 and the passive interface command to allow RIP to send unicast updates to the specified neighbor while blocking broadcast updates on the specified interface.
    Default: No default. Availability: All models.

timeout-timer <timer_integer>
    The time interval in seconds after which a route is declared unreachable. The route is removed from the routing table. RIP holds the route until the garbage timer expires and then deletes the route. If RIP receives an update for the route before the timeout timer expires, then the timeout-timer is restarted. If RIP receives an update for the route after the timeout timer expires but before the garbage timer expires then the entry is switched back to reachable. The value of the timeout timer should be at least three times the value of the update timer.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings.
    Default: 180. Availability: All models.

update-timer <timer_integer>
    The time interval in seconds between RIP updates.
    RIP timer defaults are effective in most configurations. All routers and access servers in the network should have the same RIP timer settings.
    Default: 30. Availability: All models.

version {1 2}
    Enable sending and receiving RIP version 1 packets, RIP version 2 packets, or both for all RIP-enabled interfaces. You can override this setting on a per interface basis using the receive-version {1 2} and send-version {1 2} keywords described under “config interface” on page 182.
    Default: 2. Availability: All models.

Example
This example shows how to:
• enable advertising a default static route into RIP,
• enable sending and receiving RIP version 1 packets,
• set the default metric to 5.

config router rip
set default-information-originate enable
set version 1
set default-metric 5
end
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip

config distance
Access the config distance subcommand using the config router rip command.
Configure administrative distance to set the priority of routes advertised by different routing protocols
to the same destination. The lowest administrative distance number indicates the preferred route. If
you specify a prefix, RIP uses the specified distance when the source IP address of a packet matches
the prefix.

Command syntax pattern


config distance
edit <id_integer>
set <keyword> <variable>
end
config distance
edit <id_integer>
unset <keyword> <variable>
end
config distance
delete <id_integer>
end
get router rip
show router rip

distance command keywords and variables

access-list <name_str>
    Enter the name of an access list. The distances associated with the routes in the access list will be modified. To create an access list, see “config router access-list” on page 139.
    Default: null. Availability: All models.

distance <distance_integer>
    Enter a number from 1 to 255 to set the administrative distance.
    Default: 0. Availability: All models.

prefix <address_ipv4mask>
    Optionally enter a prefix to apply the administrative distance to.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

Example
This example shows how to change the administrative distance to 10.
config router rip
config distance
edit 1
set distance 10
end
end
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip

config distribute-list
Access the config distribute-list subcommand using the config router rip command.
Use this command to filter incoming or outgoing updates using an access list or a prefix list. If you do
not specify an interface the filter will be applied to all interfaces. You must configure the access list or
prefix list that you want the distribute list to use before you configure the distribute list. For more
information on configuring access lists and prefix lists, see “config router access-list” on page 140 and
“config router prefix-list” on page 175.

Command syntax pattern


config distribute-list
edit <id_integer>
set <keyword> <variable>
end
config distribute-list
edit <id_integer>
unset <keyword> <variable>
end
config distribute-list
delete <id_integer>
end
get router rip
show router rip

distribute-list command keywords and variables

direction {in | out}
    Set the direction for the filter. Enter in to filter incoming packets. Enter out to filter outgoing
    packets.
    Default: out. Availability: All models.
interface <name_str>
    Enter the name of the interface to apply this distribute list to. If you do not specify an interface,
    this distribute list will be used for all interfaces.
    Default: null. Availability: All models.
listname <access/prefix-listname_str>
    Enter the name of the access list or prefix list to use for this distribute list.
    Default: null. Availability: All models.
status {disable | enable}
    Enable or disable this distribute list.
    Default: disable. Availability: All models.

Example
This example shows how to configure and enable a distribute list numbered 2 to use an access list
named acc_list1 on incoming updates on the external interface.
config router rip
config distribute-list
edit 2
set direction in
set interface external
set listname acc_list1
set status enable
end
end
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip

config interface
Access the config interface subcommand using the config router rip command.
Use the config interface subcommand to configure RIP version 2 authentication, RIP version
send and receive for the specified interface, and to configure and enable split horizon.
Authentication is only available for RIP version 2 packets sent and received by an interface. Set
authentication to none if receive-version or send-version are set to 1 or 1 2.

Command syntax pattern


config interface
edit <interface-name_str>
set <keyword> <variable>
end
config interface
edit <interface-name_str>
unset <keyword>
end
config interface
delete <interface-name_str>
end
get router rip
show router rip

interface command keywords and variables

auth-keychain <name_str>
    Enter the name of the key chain to use for authentication for RIP version 2 packets sent and received
    by this interface. Use key chains when you want to configure multiple keys. For information on how to
    configure key chains, see “config router key-chain” on page 147.
    Default: null. Availability: All models.
auth-mode {md5 | none | text}
    Use the auth-mode keyword to define the authentication used for RIP version 2 packets sent and
    received by this interface. If you select none, no authentication is used. If you select text, the
    authentication key is sent as plain text. If you select md5, the authentication key is used to generate
    an MD5 hash.
    Both text mode and MD5 mode only guarantee the authenticity of the update packet, not the
    confidentiality of the routing information in the packet. In text mode the key is sent in clear text over
    the network. Text mode is usually used only to prevent network problems that can occur if an unwanted
    or misconfigured router is mistakenly added to the network.
    Use the auth-string keyword to specify the key.
    Default: none. Availability: All models.
auth-string <password_str>
    Enter a single key to use for authentication for RIP version 2 packets sent and received by this
    interface. Use auth-string when you only want to configure one key. The key can be up to 35
    characters long.
    Default: null. Availability: All models.
receive-version {1 2}
    RIP routing messages are UDP packets that use port 520.
    Enter 1 to configure RIP to listen for RIP version 1 messages on an interface.
    Enter 2 to configure RIP to listen for RIP version 2 messages on an interface.
    Enter 1 2 to configure RIP to listen for both RIP version 1 and RIP version 2 messages on an interface.
    Default: No default. Availability: All models.
send-version {1 2}
    RIP routing messages are UDP packets that use port 520.
    Enter 1 to configure RIP to send RIP version 1 messages from an interface.
    Enter 2 to configure RIP to send RIP version 2 messages from an interface.
    Enter 1 2 to configure RIP to send both RIP version 1 and RIP version 2 messages from an interface.
    Default: No default. Availability: All models.
send-version1-compatible {disable | enable}
    Enable or disable sending broadcast updates from an interface configured for RIP version 2. RIP
    version 2 normally multicasts updates. RIP version 1 can only receive broadcast updates.
    Default: disable. Availability: All models.
split-horizon {poisoned | regular}
    Configure RIP to use either regular or poisoned split horizon on this interface.
    Select regular to prevent RIP from sending updates for a route back out the interface from which it
    received that route.
    Select poisoned to send updates with routes learned on an interface back out the same interface but
    with the routes marked as unreachable.
    Default: poisoned. Availability: All models.
split-horizon-status {disable | enable}
    Enable or disable split horizon for this interface. Split horizon is enabled by default. You should only
    disable split horizon if there is no possibility of creating a counting to infinity loop when network
    topology changes.
    Default: enable. Availability: All models.

Example
This example shows how to configure the external interface to send and receive RIP version 2, to use
MD5 authentication, and to use a key chain called test1.
config router rip
config interface
edit external
set receive-version 2
set send-version 2
set auth-mode md5
set auth-keychain test1
end
end
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip
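The difference between auth-mode text and auth-mode md5 is easiest to see on the wire. The following Python script is an added example written for this section; it is not Fortinet code and not the FortiGate implementation. It builds a RIPv2 Response carrying one route with either a plain-text password entry (the RFC 2453 layout) or a keyed-MD5 entry plus digest trailer (the RFC 2082 layout), verifies the digest, and parses the routes back out. It shows what the auth-mode description states: the text-mode key appears literally in the packet, an MD5-protected packet no longer verifies once its metric has been altered, and in both modes the routing information itself is readable without any key. The key test1-key, the sequence number and the route are constructed sample values; truncating or zero-padding keys to 16 octets follows the RFC field size and is an assumption about this example only, not about how the unit handles a longer auth-string.

```python
"""RIPv2 authentication entries: plain-text password vs keyed MD5 with digest trailer."""
import hashlib
import hmac
import socket
import struct

AFI_AUTH = 0xFFFF      # address family value that marks an authentication entry
AUTH_SIMPLE = 2        # RFC 2453 simple (plain-text) password entry
AUTH_MD5 = 3           # RFC 2082 keyed-MD5 authentication entry
AUTH_TRAILER = 1       # RFC 2082 trailer entry that carries the 16-byte digest
ENTRY_LEN = 20         # every RIPv2 entry, route or authentication, is 20 bytes


def rip_header():
    # command 2 = Response, version 2, two unused zero bytes
    return struct.pack("!BBH", 2, 2, 0)


def route_entry(prefix, mask, nexthop, metric, tag=0):
    # address family 2 = IP; fields: tag, prefix, mask, next hop, metric
    return struct.pack("!HH4s4s4sI", 2, tag, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(nexthop), metric)


def _key16(key):
    # the wire formats carry exactly 16 octets of key (assumption for this example: pad or truncate)
    raw = key if isinstance(key, bytes) else key.encode()
    return raw.ljust(16, b"\0")[:16]


def build_text_packet(password, routes):
    """auth-mode text: the password travels in clear text as the first entry."""
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, _key16(password))
    return rip_header() + auth + b"".join(routes)


def build_md5_packet(key, key_id, seq, routes):
    """auth-mode md5: keyed digest over the packet, appended in a trailer entry."""
    body_len = 4 + ENTRY_LEN * (1 + len(routes))   # offset of the trailer from the RIP header
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, body_len, key_id, 16, seq, bytes(8))
    body = rip_header() + auth + b"".join(routes)
    trailer_head = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # the digest is MD5 over the packet with the key occupying the digest field
    digest = hashlib.md5(body + trailer_head + _key16(key)).digest()
    return body + trailer_head + digest


def verify_md5_packet(packet, key):
    """Recompute the digest with the shared key; any change to the body breaks it."""
    if len(packet) < 4 + 2 * ENTRY_LEN:
        return False
    body, trailer = packet[:-ENTRY_LEN], packet[-ENTRY_LEN:]
    if struct.unpack("!HH", trailer[:4]) != (AFI_AUTH, AUTH_TRAILER):
        return False
    expected = hashlib.md5(body + trailer[:4] + _key16(key)).digest()
    return hmac.compare_digest(expected, trailer[4:])


def parse_routes(packet):
    """Routes are readable without any key: authentication, not confidentiality."""
    routes = []
    for off in range(4, len(packet), ENTRY_LEN):
        entry = packet[off:off + ENTRY_LEN]
        if len(entry) < ENTRY_LEN:
            break
        afi, kind = struct.unpack("!HH", entry[:4])
        if afi == AFI_AUTH:
            if kind == AUTH_TRAILER:
                break
            continue                      # skip the authentication entry
        _, tag, pfx, mask, nh, metric = struct.unpack("!HH4s4s4sI", entry)
        routes.append((socket.inet_ntoa(pfx), socket.inet_ntoa(mask),
                       socket.inet_ntoa(nh), metric))
    return routes


if __name__ == "__main__":
    sample = [route_entry("10.0.0.0", "255.255.255.0", "0.0.0.0", 5)]   # constructed route
    text_pkt = build_text_packet("secret", sample)
    md5_pkt = build_md5_packet("test1-key", 1, 7, sample)
    print("password visible in text-mode packet:", b"secret" in text_pkt)
    print("md5 packet verifies:", verify_md5_packet(md5_pkt, "test1-key"))
    print("routes readable from either packet:", parse_routes(text_pkt), parse_routes(md5_pkt))
```

In md5 mode the receiver still has to hold the same key and key id, which is why the auth-keychain keyword exists: rotating the key on every interface at once is the operational problem, not the digest itself.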

config neighbor
Access the config neighbor subcommand using the config router rip command.
Use this command to enable RIP to send unicast routing updates to the router at the specified
address. You can use the neighbor command and “passive-interface <name_str>” on page 179 to
allow RIP to send unicast updates to the specified neighbor while blocking broadcast updates on the
specified interface. You can configure multiple neighbors.

Command syntax pattern


config neighbor
edit <id_integer>
set <keyword> <variable>
end

config neighbor
edit <id_integer>
unset <keyword>
end
config neighbor
delete <id_integer>
end
get router rip
show router rip

neighbor command keywords and variables

ip <address_ipv4>
    Enter the IP address of the neighboring router to which to send unicast updates.
    Default: 0.0.0.0. Availability: All models.

Example
This example shows how to set the router at 192.168.21.20 as a neighbor.
config router rip
config neighbor
edit 1
set ip 192.168.21.20
end
end
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip

config network
Access the config network subcommand using the config router rip command.
Use this command to identify the networks for which to send and receive RIP updates. If a network is
not specified, interfaces in that network will not be advertised in RIP updates.

Command syntax pattern


config network
edit <id_integer>
set <keyword> <variable>
end
config network
edit <id_integer>
unset <keyword>
end

config network
delete <id_integer>
end
get router rip
show router rip

network command keywords and variables

prefix <address_ipv4mask>
    Enter the IP address and netmask for the RIP network.
    Default: 0.0.0.0. Availability: All models.

Example
Use the following command to enable RIP for the interfaces attached to networks specified by the IP
address 10.0.0.0 and the netmask 255.255.255.0.
config router rip
config network
edit 2
set prefix 10.0.0.0 255.255.255.0
end
end
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip

config offset-list
Access the config offset-list subcommand using the config router rip command.
Use the offset list to add the specified offset to the metric of a route.

Command syntax pattern


config offset-list
edit <id_integer>
set <keyword> <variable>
end
config offset-list
edit <id_integer>
unset <keyword>
end
config offset-list
delete <id_integer>
end
get router rip
show router rip

offset-list command keywords and variables

access-list <name_str>
    Enter the name of the access list to use for this offset list. The access list is used to determine
    which routes to add the metric to.
    Default: null. Availability: All models.
direction {in | out}
    Enter in to apply the offset to the metrics of incoming routes. Enter out to apply the offset to the
    metrics of outgoing routes.
    Default: out. Availability: All models.
interface <name_str>
    Enter the name of the interface to match for this offset list.
    Default: null. Availability: All models.
offset <metric_integer>
    Enter the offset number to add to the metric. The metric_integer range is from 1 to 16.
    Default: 0. Availability: All models.
status {disable | enable}
    Enable or disable this offset list.
    Default: disable. Availability: All models.

Example
This example shows how to configure and enable offset list number 5 that adds a metric of 3 to
incoming routes that match the access list named acc_list1 on the external interface.
config router rip
config offset-list
edit 5
set access-list acc_list1
set direction in
set interface external
set offset 3
set status enable
end
end
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip
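The distance, distribute-list and offset-list subcommands above all act on the same received update, and their combined effect is clearer as one worked pass over a few routes. The following Python script is an added example for this section, not Fortinet code: it takes the page's own configuration (distribute list acc_list1 inbound on external, offset list adding 3 on external, distance 10 for updates whose source matches a prefix) and processes a constructed update. Assumptions are marked in comments: an access list is modelled as an ordered permit/deny prefix list where the first matching rule decides and no match denies, a distance entry with no prefix matches any source, and routes that fall outside every distance entry get a default distance of 120. A metric of 16 meaning unreachable is standard RIP.

```python
import ipaddress

# Constructed configuration mirroring the config router rip subcommands on this page.
# Assumption: an access list is an ordered list of (action, prefix); first match decides, no match denies.
ACCESS_LISTS = {"acc_list1": [("permit", "10.1.0.0/16")]}

RIP_CONFIG = {
    "distribute-list": [
        {"direction": "in", "interface": "external", "listname": "acc_list1", "status": "enable"},
    ],
    "offset-list": [
        {"access-list": "acc_list1", "direction": "in", "interface": "external", "offset": 3,
         "status": "enable"},
    ],
    # prefix None stands for the unset default 0.0.0.0 0.0.0.0 (match any source)
    "distance": [{"prefix": "10.1.0.0/24", "distance": 10, "access-list": None}],
}
RIP_DEFAULT_DISTANCE = 120   # assumption for this example when no distance entry matches
RIP_INFINITY = 16            # standard RIP: a metric of 16 means unreachable


def acl_permits(name, prefix):
    net = ipaddress.ip_network(prefix)
    for action, rule_prefix in ACCESS_LISTS[name]:
        if net.subnet_of(ipaddress.ip_network(rule_prefix)):
            return action == "permit"
    return False


def entry_applies(entry, interface, direction):
    # an entry with no interface applies to all interfaces; a disabled entry applies to none
    return (entry.get("status", "enable") == "enable"
            and entry["direction"] == direction
            and entry["interface"] in (None, "", interface))


def distribute_list_blocker(config, interface, prefix):
    """Return the name of the list that filters this route out, or None."""
    for dl in config["distribute-list"]:
        if entry_applies(dl, interface, "in") and not acl_permits(dl["listname"], prefix):
            return dl["listname"]
    return None


def apply_offset_lists(config, interface, prefix, metric):
    for ol in config["offset-list"]:
        if entry_applies(ol, interface, "in") and acl_permits(ol["access-list"], prefix):
            metric += ol["offset"]
    return metric


def distance_for(config, source_ip, prefix):
    """Distance entries are checked in order; prefix matches the update's source address."""
    src = ipaddress.ip_address(source_ip)
    for d in config["distance"]:
        if d["prefix"] and src not in ipaddress.ip_network(d["prefix"]):
            continue
        if d["access-list"] and not acl_permits(d["access-list"], prefix):
            continue
        return d["distance"]
    return RIP_DEFAULT_DISTANCE


def process_incoming_update(config, source_ip, interface, routes):
    """routes: list of (prefix, metric) as advertised. Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for prefix, metric in routes:
        blocker = distribute_list_blocker(config, interface, prefix)
        if blocker:
            dropped.append((prefix, "filtered by distribute-list " + blocker))
            continue
        metric = apply_offset_lists(config, interface, prefix, metric)
        if metric >= RIP_INFINITY:
            dropped.append((prefix, "metric %d is unreachable" % metric))
            continue
        accepted.append({"prefix": prefix, "metric": metric,
                         "distance": distance_for(config, source_ip, prefix)})
    return accepted, dropped


if __name__ == "__main__":
    # constructed update received on external from neighbour 10.1.0.2
    update = [("10.1.2.0/24", 3), ("192.168.5.0/24", 2), ("10.1.9.0/24", 13)]
    for line in process_incoming_update(RIP_CONFIG, "10.1.0.2", "external", update):
        print(line)
```

Note the order: the distribute list decides whether a route is considered at all, the offset list then changes its metric (and can push it to 16, which discards it), and only routes that survive both get a distance, which is what decides against routes to the same destination learned from other protocols.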

config redistribute
Access the config redistribute subcommand using the config router rip command.
Use the redistribute command to advertise routes learned from OSPF, BGP, static routes, or a
direct connection to the destination network.

Command syntax pattern


config redistribute {connected | static | ospf | bgp}
set <keyword> <variable>
end
config redistribute {connected | static | ospf | bgp}
unset <keyword>
end
get router rip
show router rip

redistribute command keywords and variables

metric <metric_integer>
    Enter the metric to be used for the redistributed routes. The metric_integer range is from 0 to 16.
    Default: 0. Availability: All models.
routemap <name_str>
    Enter the name of the route map to use for the redistributed routes. For information on how to
    configure route maps, see “config router route-map” on page 189.
    Default: null. Availability: All models.
status {disable | enable}
    Enable or disable redistributing routes.
    Default: disable. Availability: All models.

Example
This example shows how to enable route redistribution from OSPF, using a metric of 3 and a route
map named rtmp2.
config router rip
config redistribute ospf
set metric 3
set routemap rtmp2
set status enable
end
end
This example shows how to display the RIP settings.
get router rip
This example shows how to display the RIP configuration.
show router rip

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR7 Added access-list keyword to config distance subcommand.

Related Commands
• config router access-list
• config router key-chain
• config router prefix-list
• config router route-map
• execute router restart-graceful
• get router info protocols
• get router info rip
• get router info routing_table

config router route-map

route-map
Use this command to add, edit, or delete route maps.
Route maps are a specialized form of filter. Route maps are similar to access lists, but have enhanced
matching criteria, and in addition to permit or deny actions can be configured to make changes as
defined by set statements.
The FortiGate unit attempts to match a packet against the rules in a route map starting at the top of the
list. If it finds a match it makes the changes defined in the set statements and then takes the action
specified for the rule. If no match is found in the route map the default action is deny. If no match
statements are defined in a rule, the default action is to match everything. If multiple match statements
are defined in a rule, all the match statements must match before the set statements can be used.
For a route map to take effect it must be called by another FortiGate routing feature such as RIP.

Command syntax pattern


Add, edit or delete a route map with the specified name.
config router route-map
edit <name_str>
end
config router route-map
delete <name_str>
end
get router route-map [<name_str>]
show router route-map [<name_str>]
The config router route-map command has 1 subcommand.
config rule

config rule
Access the config rule subcommand using the config router route-map command. Use the
config rule subcommand to add, edit, or delete route map rules with the specified number.

Command syntax pattern


config rule
edit <id_integer>
set <keyword> <variable>
end
config rule
edit <id_integer>
unset <keyword> <variable>
end
config rule
delete <id_integer>
end
get router route-map [<name_str>]
show router route-map [<name_str>]

rule command keywords and variables

action {deny | permit}
    Enter permit to permit routes that match this rule. Enter deny to deny routes that match this rule.
    Default: permit. Availability: All models.
match-interface <name_str>
    Match a route with the specified destination interface.
    Default: null. Availability: All models.
match-ip-address <access/prefix-listname_str>
    Match a route if the destination address is included in the specified access list or prefix list.
    Default: null. Availability: All models.
match-ip-nexthop <access/prefix-listname_str>
    Match a route that has a next hop router address included in the specified access list or prefix list.
    Default: null. Availability: All models.
match-metric <metric_integer>
    Match a route with the specified metric. The metric can be a number from 1 to 16.
    Default: 0. Availability: All models.
match-route-type {1 | 2}
    Match a route that has the external type set to 1 or 2.
    Default: external-type1. Availability: All models.
match-tag <tag_integer>
    Match a route that has the specified tag. set-tag must be set.
    Default: 0. Availability: All models.
set-ip-nexthop <address_ipv4>
    Set the next hop router address for a matched route.
    Default: 0.0.0.0. Availability: All models.
set-metric <metric_integer>
    Set a metric value of 1 to 16 for a matched route.
    Default: 0. Availability: All models.
set-metric-type {1 | 2}
    Set the type for a matched route.
    Default: external-type1. Availability: All models.
set-tag <tag_integer>
    Set a tag value for a matched route.
    Default: 0. Availability: All models.

Example
This example shows how to add a route map list named rtmp2 with two rules. The first rule denies
routes that match the IP addresses in an access list named acc_list2. The second rule permits
routes that match a metric of 2 and changes the metric to 4.
config router route-map
edit rtmp2
config rule
edit 1
set match-ip-address acc_list2
set action deny
next
edit 2
set match-metric 2
set action permit
set set-metric 4
end
end
This example shows how to display the list of route maps.
get router route-map
This example shows how to display the settings for rtmp2.
get router route-map rtmp2

This example shows how to display the configuration for the router route-map command.
show router route-map
This example shows how to display the configuration for rtmp2.
show router route-map rtmp2
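The evaluation rules stated at the top of this section (rules tried from the top, first match wins, every match statement in a rule must match, a rule with no match statements matches everything, set statements applied to a matched route, no match at all means deny) are shown here as an added Python example built around the rtmp2 route map configured above. This is illustrative code written for this section, not Fortinet's implementation. The access list acc_list2 is constructed (one permitted prefix) and, as an assumption, an access list is modelled as ordered permit/deny prefix rules where the first match decides and no match denies; the route dictionaries are constructed sample routes.

```python
import ipaddress

# Constructed access list referenced by rule 1 (assumed semantics: first matching rule decides, no match denies)
ACCESS_LISTS = {"acc_list2": [("permit", "172.16.0.0/16")]}

# The rtmp2 route map from the example above, as data
ROUTE_MAP_RTMP2 = [
    {"id": 1, "action": "deny", "match": {"match-ip-address": "acc_list2"}, "set": {}},
    {"id": 2, "action": "permit", "match": {"match-metric": 2}, "set": {"set-metric": 4}},
]

# which route attribute each set keyword rewrites
SET_TARGETS = {"set-metric": "metric", "set-tag": "tag",
               "set-ip-nexthop": "nexthop", "set-metric-type": "metric-type"}


def access_list_permits(name, prefix):
    net = ipaddress.ip_network(prefix)
    for action, rule_prefix in ACCESS_LISTS[name]:
        if net.subnet_of(ipaddress.ip_network(rule_prefix)):
            return action == "permit"
    return False


def rule_matches(rule, route):
    """All match statements must hold; a rule without any matches everything."""
    checks = {
        "match-ip-address": lambda v: access_list_permits(v, route["prefix"]),
        "match-ip-nexthop": lambda v: access_list_permits(v, route["nexthop"] + "/32"),
        "match-metric": lambda v: route["metric"] == v,
        "match-interface": lambda v: route.get("interface") == v,
        "match-tag": lambda v: route.get("tag") == v,
        "match-route-type": lambda v: route.get("metric-type") == v,
    }
    return all(checks[keyword](value) for keyword, value in rule["match"].items())


def apply_route_map(rules, route):
    """Return (resulting route or None if denied, id of the rule that decided or None)."""
    for rule in rules:                      # rules are tried from the top of the list
        if not rule_matches(rule, route):
            continue
        if rule["action"] == "deny":
            return None, rule["id"]
        updated = dict(route)               # set statements change a copy of the matched route
        for keyword, value in rule["set"].items():
            updated[SET_TARGETS[keyword]] = value
        return updated, rule["id"]
    return None, None                       # no rule matched: the default action is deny


if __name__ == "__main__":
    # constructed routes: the first hits rule 1, the second rule 2, the third no rule
    for route in ({"prefix": "172.16.5.0/24", "nexthop": "10.0.0.1", "metric": 2},
                  {"prefix": "192.168.1.0/24", "nexthop": "10.0.0.1", "metric": 2},
                  {"prefix": "192.168.2.0/24", "nexthop": "10.0.0.1", "metric": 3}):
        print(route["prefix"], "->", apply_route_map(ROUTE_MAP_RTMP2, route))
```

The third route is the one to watch when writing a route map used for redistribution: because nothing matched it, it is silently dropped, so a map that is meant to change some routes and pass the rest needs a final permit rule with no match statements.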

Command History
FortiOS v2.80 New.

Related Commands
• config router access-list
• config router prefix-list
• config router rip

config router static

static
Use this command to add, edit, or delete static routes for IPv4 traffic.
Add static routes to control the destination of traffic exiting the FortiGate unit. You configure routes by
adding destination IP addresses and netmasks and adding gateways for these destination addresses.
The gateways are the next hop routers to which to route traffic that matches the destination addresses
in the route.
You can also configure the administrative distance for a route to indicate the order of preferability when
more than one route is available to the same network. The lower the administrative distance the
greater the preferability of the route.
The FortiGate unit assigns routes using a best match algorithm. To select a route for a packet, the
FortiGate unit searches through the routing table for a route that best matches the destination address
of the packet. If a match is not found, the FortiGate unit routes the packet using the default route.

Command syntax pattern


config router static
edit <sequence_integer>
set <keyword> <variable>
end
config router static
edit <sequence_integer>
unset <keyword>
end
config router static
delete <sequence_integer>
end
get router static [<sequence_integer>]
show router static [<sequence_integer>]

static command keywords and variables

device <interface-name_str>
    The name of the FortiGate interface through which to route traffic.
    Default: null. Availability: All models.
distance <distance_integer>
    The administrative distance for the route. Using administrative distance you can specify the relative
    priorities of different routes to the same destination. A lower administrative distance indicates a more
    preferred route. Distance can be an integer from 1-255. See also config system interface “distance
    <distance_integer>” on page 261.
    Default: 10. Availability: All models.
dst <destination-address_ipv4mask>
    The destination IP address and netmask for this route.
    Enter 0.0.0.0 0.0.0.0 for the destination IP address and netmask to add a default route.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.
gateway <gateway-address_ipv4>
    The IP address of the first next hop router to which this route directs traffic.
    Default: 0.0.0.0. Availability: All models.

Example
This example shows how to add a static route that has the sequence number 2.
config router static
edit 2
set device internal
set dst 192.168.22.0 255.255.255.0
set gateway 192.168.22.44
end
This example shows how to display the list of static route numbers.
get router static
This example shows how to display the settings for static route 2.
get router static 2
This example shows how to display the static route configuration.
show router static
This example shows how to display the configuration for static route 2.
show router static 2

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• config system interface
• get router info routing_table

config router static6

static6
Use this command to add, edit, or delete static routes for IPv6 traffic. Add static routes to control the
destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP
addresses and netmasks and adding gateways for these destination addresses. The gateways are the
next hop routers to which to route traffic that matches the destination addresses in the route.
The FortiGate unit assigns routes using a best match algorithm. To select a route for a packet, the
FortiGate unit searches through the routing table for a route that best matches the destination address
of the packet. If a match is not found, the FortiGate unit routes the packet using the default route.

Command syntax pattern


config router static6
edit <sequence_integer>
set <keyword> <variable>
end
config router static6
edit <sequence_integer>
unset <keyword>
end
config router static6
delete <sequence_integer>
end
get router static6 [<sequence_integer>]
show router static6 [<sequence_integer>]

static6 command keywords and variables

device <interface-name_str>
    The name of the FortiGate interface through which to route traffic.
    Default: null. Availability: All models. NAT/Route mode only.
dst <destination-address_ipv6mask>
    The destination IPv6 address and netmask for this route.
    Enter ::/0 for the destination IPv6 address and netmask to add a default route.
    Default: ::/0. Availability: All models. NAT/Route mode only.
gateway <gateway-address_ipv6>
    The IPv6 address of the first next hop router to which this route directs traffic.
    Default: ::. Availability: All models. NAT/Route mode only.

Example
This example shows how to add an IPv6 static route that has the sequence number 2.
config router static6
edit 2
set device internal
set dst 12AB:0:0:CD30::/60
set gateway 12AB:0:0:CD30:123:4567:89AB:CDEF
end

This example shows how to display the list of IPv6 static route numbers.
get router static6
This example shows how to display the settings for IPv6 static route 2.
get router static6 2
This example shows how to display the IPv6 static route configuration.
show router static6
This example shows how to display the configuration for IPv6 static route 2.
show router static6 2
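Both the static and the static6 sections describe the same selection rule: the unit picks the route whose destination best matches the packet, prefers the lower administrative distance when two routes cover the same destination, and falls back to the default route. The Python script below is an added example for both sections, not Fortinet code; it runs that rule over two constructed routing tables (the sequence-2 entries reproduce the routes configured in the examples above, the other entries and all gateway addresses are constructed) using the standard library ipaddress module, which treats IPv4 and IPv6 prefixes alike. The ordering of the selection key (longest prefix first, then lowest distance) is the page's description; how the unit breaks a tie between two routes with equal prefix length and equal distance is not stated here and is not modelled.

```python
import ipaddress

# Constructed routing tables; keys mirror the static / static6 keywords (dst written as prefix/length).
STATIC_ROUTES = [
    {"seq": 1, "dst": "0.0.0.0/0",         "gateway": "203.0.113.1",   "device": "external", "distance": 10},
    {"seq": 2, "dst": "192.168.22.0/24",   "gateway": "192.168.22.44", "device": "internal", "distance": 10},
    {"seq": 3, "dst": "192.168.22.0/24",   "gateway": "192.168.22.45", "device": "dmz",      "distance": 20},
    {"seq": 4, "dst": "192.168.22.128/25", "gateway": "192.168.22.46", "device": "dmz",      "distance": 10},
]
STATIC6_ROUTES = [
    {"seq": 1, "dst": "::/0",               "gateway": "2001:db8::1",                      "device": "external", "distance": 10},
    {"seq": 2, "dst": "12AB:0:0:CD30::/60", "gateway": "12AB:0:0:CD30:123:4567:89AB:CDEF", "device": "internal", "distance": 10},
]


def select_route(routes, destination):
    """Best match: longest matching prefix wins; among routes with the same prefix length the
    lowest administrative distance wins. The 0.0.0.0/0 or ::/0 route matches everything with
    prefix length 0, so it is chosen only when nothing more specific matches."""
    dst = ipaddress.ip_address(destination)
    best_key, best = None, None
    for route in routes:
        net = ipaddress.ip_network(route["dst"], strict=False)
        if net.version != dst.version or dst not in net:
            continue
        key = (net.prefixlen, -route["distance"])
        if best_key is None or key > best_key:
            best_key, best = key, route
    return best          # None when no route, not even a default, matches


def describe(routes, destination):
    route = select_route(routes, destination)
    if route is None:
        return "%s: no route" % destination
    return "%s: via %s on %s (seq %d, dst %s, distance %d)" % (
        destination, route["gateway"], route["device"], route["seq"], route["dst"], route["distance"])


if __name__ == "__main__":
    for addr in ("192.168.22.200", "192.168.22.7", "8.8.8.8"):
        print(describe(STATIC_ROUTES, addr))
    for addr in ("12AB:0:0:CD35::1", "2001:db8:1::5"):
        print(describe(STATIC6_ROUTES, addr))
```

The second lookup is the one that illustrates distance: two /24 routes cover 192.168.22.7 and the one with distance 10 is used, while the distance-20 route only becomes the best match if the first is removed.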

Command History
FortiOS v2.80 New.

Related Commands
• config system interface
• get router info routing_table


config spamfilter
bword
emailbwl
fortishield
ipbwl
mheader
rbl

config spamfilter bword

bword
Use this command to add or edit and configure options for the spam filter banned word list.
The FortiGate spam filters are generally applied in the following order:
• fortishield: FortiShield Antispam Service
• ipbwl : IP address list
• rbl: DNSBL & ORDBL
• emailbwl: Email address list
• mheader: MIME headers
• bword: Banned words
Control spam by blocking email containing specific words or patterns. The FortiGate unit searches for
banned words in email messages. If a match is found, the corresponding protection profile action is
taken. If no match is found, the email is passed to the recipient (because bword is the final spam filter).
You can use Perl regular expressions or wildcards to add banned word patterns to the list. See “Using
Perl regular expressions” on page 28. You can add one or more banned words to sort email containing
those words in the email subject, body, or both. Words can be marked as spam or clear. Banned
words can be one word or a phrase up to 127 characters long.
If you enter a single word, the FortiGate unit blocks all email that contain that word. If you enter a
phrase, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase,
use Perl regular expressions.

Note: Perl regular expression patterns are case sensitive for Spam Filter banned words. To make a word or
phrase case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances of
bad language regardless of case. Wildcard patterns are not case sensitive.

Command syntax pattern


config spamfilter bword
edit <banned-word_integer>
set <keyword> <variable>
end
config spamfilter bword
edit <banned-word_integer>
unset <keyword>
end
config spamfilter bword
delete <banned-word_integer>
end
get spamfilter bword [<banned-word_integer>]
show spamfilter bword [<banned-word_integer>]

spamfilter bword command keywords and variables

action {clear | spam}
    Enter clear to allow the email. Enter spam to apply the spam action configured in the protection
    profile.
    Default: spam. Availability: All models.
language {french | japanese | korean | simch | thai | trach | western}
    Enter the language character set used for the banned word or phrase. Choose from French, Japanese,
    Korean, Simplified Chinese, Thai, Traditional Chinese, or Western.
    Default: western. Availability: All models.
pattern <banned-word_str>
    Enter the banned word or phrase pattern. You can use regular expressions or wildcards.
    Default: No default. Availability: All models.
pattern_type {regexp | wildcard}
    Enter the pattern type for the banned word (pattern). Choose from regular expressions or wildcard.
    Default: wildcard. Availability: All models.
status {enable | disable}
    Enable or disable scanning email for each banned word.
    Default: enable. Availability: All models.
where {all | body | subject}
    Enter where in the email to search for the banned word or phrase.
    Default: all. Availability: All models.

Examples
This example shows how to add the banned word patterns bad* and ^worse to the banned word list
(as the tenth and eleventh list entries). Enable both words, set the action to spam, use the western
character set, set the correct pattern_type and search the body of the email for each word.
config spamfilter bword
edit 10
set status enable
set action spam
set language western
set pattern bad*
set pattern_type wildcard
set where body
next
edit 11
set status enable
set action spam
set language western
set pattern ^worse
set pattern_type regexp
set where body
end
This example shows how to display the spamfilter banned word list.
get spamfilter bword
This example shows how to display the settings for the fifth banned word in the list.
get spamfilter bword 5
This example shows how to display the configuration for the banned word list.
show spamfilter bword

This example shows how to display the configuration for the first banned word in the list.
show spamfilter bword 1

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Added French and Thai variables to the language keyword.

Related Commands
• config spamfilter emailbwl
• config spamfilter ipbwl
• config spamfilter mheader
• config spamfilter rbl

config spamfilter emailbwl

emailbwl
Use this command to filter email based on the sender’s email address or address pattern.
The FortiGate spam filters are generally applied in the following order:
• fortishield: FortiShield Antispam Service
• ipbwl : IP address list
• rbl: DNSBL & ORDBL
• emailbwl: Email address list
• mheader: MIME headers
• bword: Banned words
The FortiGate unit uses the email address list to filter incoming email. The FortiGate unit compares the
email address or domain of the sender to the list in sequence. If a match is found, the corresponding
action is taken. If no match is found, the email is passed on to the next spam filter.
The FortiGate unit can filter email from specific senders or all email from a domain (such as
sample.net). You can mark each email address as clear or spam.
You can use Perl regular expressions or wildcards to add email address patterns to the list. See “Using
Perl regular expressions” on page 28.

Command syntax pattern


config spamfilter emailbwl
edit <email-address_integer>
set <keyword> <variable>
end
config spamfilter emailbwl
edit <email-address_integer>
unset <keyword>
end
config spamfilter emailbwl
delete <email-address_integer>
end
get spamfilter emailbwl [<email-address_integer>]
show spamfilter emailbwl [<email-address_integer>]

spamfilter emailbwl command keywords and variables

action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam
    action configured in the protection profile.
    Default: spam. Availability: All models.
email_pattern <email-address_str>
    Enter the email address pattern. You can use wildcards or Perl regular expressions.
    Default: No default. Availability: All models.
pattern_type {regexp | wildcard}
    Enter the pattern_type for the email address. Choose from wildcards or Perl regular expressions.
    Default: wildcard. Availability: All models.
status {enable | disable}
    Enable or disable scanning for each email address.
    Default: enable. Availability: All models.

Example
This example shows how to add and enable the email address [email protected] (mark as
spam) and the email address *@fortinet.com (mark as clear) to the list as the tenth and eleventh
entries.
config spamfilter emailbwl
edit 10
set status enable
set action spam
set email_pattern [email protected]
next
edit 11
set status enable
set action clear
set email_pattern *@fortinet.com
set pattern_type wildcard
end
This example shows how to display the spamfilter email list.
get spamfilter emailbwl
This example shows how to display the settings for the first entry in the spamfilter email list.
get spamfilter emailbwl 1
This example shows how to display the configuration for the entire email list.
show spamfilter emailbwl
If the show command returns you to the prompt, there are no entries in the list.
This example shows how to display the configuration for the third entry in the email list.
show spamfilter emailbwl 3
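The bword and emailbwl sections describe two list filters with the same matching rules (wildcards are case insensitive, Perl regular expressions are case sensitive unless written /.../i) but different places in the filter order: an emailbwl entry marked clear exempts the message from every later filter, while bword runs last, so a message that matches nothing there is delivered. The following Python script is an added example for both sections and is not Fortinet code; it models those two stages only (fortishield, ipbwl, rbl and mheader sit between them on the unit and are not modelled), using the re module to stand in for the unit's pattern engine. The *@fortinet.com, bad*, ^worse and /bad language/i entries are taken from the examples in these sections; the other list entries and the messages are constructed. Treating a wildcard email pattern as a match against the whole sender address, and a banned word as a match anywhere in the chosen field, are assumptions of this example.

```python
import re


def compile_pattern(pattern, pattern_type):
    """wildcard: '*' matches any run of characters, and matching is case insensitive.
    regexp: Perl-style expression, case sensitive unless written /.../i."""
    if pattern_type == "wildcard":
        parts = [re.escape(part) for part in pattern.split("*")]
        return re.compile(".*".join(parts), re.IGNORECASE)
    flagged = re.fullmatch(r"/(.*)/i", pattern)
    if flagged:
        return re.compile(flagged.group(1), re.IGNORECASE)
    return re.compile(pattern)


def emailbwl_verdict(entries, sender):
    """Compare the sender to each enabled entry in sequence. Return the action of the first
    match ('clear' exempts the message from the remaining filters, 'spam' applies the profile
    action) or None when nothing matches, which passes the message to the next filter."""
    for entry in entries:
        if entry["status"] != "enable":
            continue
        if compile_pattern(entry["email_pattern"], entry["pattern_type"]).fullmatch(sender):
            return entry["action"]
    return None


def bword_verdict(entries, subject, body):
    """Banned word list, the final filter: no match means the email is delivered."""
    for entry in entries:
        if entry["status"] != "enable":
            continue
        rx = compile_pattern(entry["pattern"], entry["pattern_type"])
        fields = {"subject": [subject], "body": [body], "all": [subject, body]}[entry["where"]]
        if any(rx.search(field) for field in fields):
            return entry["action"]
    return "clear"


def classify(message, emailbwl, bword):
    """Apply the two list filters in the order the reference gives (emailbwl before bword)."""
    verdict = emailbwl_verdict(emailbwl, message["sender"])
    if verdict is not None:
        return verdict
    return bword_verdict(bword, message["subject"], message["body"])


# Constructed sample lists (entry fields mirror the CLI keywords)
EMAILBWL = [
    {"status": "enable", "action": "spam", "email_pattern": "spammer@example.net", "pattern_type": "wildcard"},
    {"status": "enable", "action": "clear", "email_pattern": "*@fortinet.com", "pattern_type": "wildcard"},
]
BWORD = [
    {"status": "enable", "action": "spam", "pattern": "bad*", "pattern_type": "wildcard", "where": "body"},
    {"status": "enable", "action": "spam", "pattern": "^worse", "pattern_type": "regexp", "where": "body"},
    {"status": "enable", "action": "spam", "pattern": "/bad language/i", "pattern_type": "regexp", "where": "all"},
    {"status": "disable", "action": "spam", "pattern": "free", "pattern_type": "wildcard", "where": "subject"},
]

if __name__ == "__main__":
    # constructed messages: one exempted by emailbwl, one caught by a wildcard, one missed by ^worse
    for msg in ({"sender": "someone@fortinet.com", "subject": "hello", "body": "this is bad"},
                {"sender": "a@example.org", "subject": "hi", "body": "Badly done"},
                {"sender": "a@example.org", "subject": "hi", "body": "it got worse"}):
        print(msg["sender"], repr(msg["body"]), "->", classify(msg, EMAILBWL, BWORD))
```

Two behaviours worth checking against your own lists: the first message contains a banned word but is delivered because the clear entry for its sender domain stops evaluation before bword runs, and "it got worse" is delivered because ^worse is anchored to the start of the body, which is the difference between a regular expression and the wildcard *worse*.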

Command History
FortiOS v2.80 New.

Related Commands
• config spamfilter bword
• config spamfilter ipbwl
• config spamfilter mheader
• config spamfilter rbl

config spamfilter fortishield

fortishield
Use this command to configure the settings for the FortiShield Antispam Service.
The FortiGate spam filters are generally applied in the following order:
• fortishield: FortiShield Antispam Service
• ipbwl : IP address list
• rbl: DNSBL & ORDBL
• emailbwl: Email address list
• mheader: MIME headers
• bword: Banned words
FortiShield is an antispam system from Fortinet that includes an IP address black list, a URL black list,
and spam filtering tools. The IP address black list contains IP addresses of email servers known to be
used to generate spam. The URL black list contains URLs of websites found in spam email.
FortiShield compiles the IP address and URL list from email captured by spam probes located around
the world. Spam probes are email addresses purposely configured to attract spam and identify known
spam sources to create the antispam IP address and URL list. FortiShield combines IP address and
URL checks with other spam filter techniques in a two-pass process.
On the first pass, if spamfsip is selected in the protection profile, FortiShield extracts the SMTP mail
server source address and sends the IP address to a FortiShield server to see if this IP address
matches the list of known spammers. If spamfsurl is selected in the protection profile, FortiShield
checks the body of email messages to extract any URL links. These URL links are sent to a
FortiShield server to see if any of them is listed. Typically spam messages contain URL links to
advertisements (also called spamvertizing).
If an IP address or URL match is found, FortiShield terminates the session. If FortiShield does not find
a match, the mail server sends the email to the recipient.
As each email is received, FortiShield performs the second antispam pass by checking the header,
subject, and body of the email for common spam content. If FortiShield finds spam content, the email
is tagged or dropped according to the configuration in the firewall protection profile.
Both FortiShield antispam processes are completely automated and configured by Fortinet. With
constant monitoring and dynamic updates, FortiShield is always current. You can enable or disable
FortiShield in a firewall protection profile.

Command syntax pattern


config spamfilter fortishield
set <keyword> <variable>
end
config spamfilter fortishield
unset <keyword>
end
get spamfilter fortishield
show spamfilter fortishield

FortiGate CLI Reference Guide 01-28008-0015-20050204 203


spamfilter fortishield command keywords and variables


cache {enable | disable}
    Enable or disable caching the FortiShield IP address and URL block list. Enabling the cache can
    improve performance because the FortiGate unit does not need to access the server each time the
    same IP address or URL appears as the source of an email. The cache is configured to use 6% of
    the FortiGate RAM. When the cache is full, the least recently used IP address or URL is deleted.
    Default: disable. Availability: All models.
cache_ttl <ttl_integer>
    Enter a time to live, in seconds, for cache entries. Enter from 0 to 3600 seconds.
    Default: 3600. Availability: All models.
hostname <url_str>
    The host name of the FortiShield server. The FortiGate unit comes preconfigured with the host
    name. Use this command only if you need to change the host name.
    Default: antispam.fortigate.com. Availability: All models.
status {enable | disable}
    Enable or disable scanning email using the FortiShield Service. Default: disable.
    Availability: All models.

Examples
This example shows how to enable the FortiShield service, enable the cache, and set the TTL to 1800
seconds.
config spamfilter fortishield
set status enable
set cache enable
set cache_ttl 1800
end
This example shows how to display the FortiShield settings. When you use the get command, the
FortiShield license type and expiry date are also displayed.
Fortigate-unit-prompt # get spamfilter fortishield
status : enable
cache : enable
cache_ttl : 1800
hostname : antispam.fortigate.com
license : Trial
expiration : N/A
This example shows how to display the FortiShield configuration.
Fortigate-unit-prompt # show spamfilter fortishield
config spamfilter fortishield
set status enable
set cache enable
set cache_ttl 1800
end

Command History
FortiOS v2.80 MR7 New.

Related Commands
• config spamfilter bword
• config spamfilter emailbwl
• config spamfilter ipbwl
• config spamfilter mheader
• config spamfilter rbl

config spamfilter ipbwl

ipbwl
Use this command to filter email based on the IP or subnet address.
The FortiGate spam filters are generally applied in the following order:
• fortishield: FortiShield Antispam Service
• ipbwl: IP address list
• rbl: DNSBL & ORDBL
• emailbwl: Email address list
• mheader: MIME headers
• bword: Banned words
The FortiGate unit uses the IP address list to filter incoming email. The FortiGate unit compares the IP
address of the sender to the list in sequence. If a match is found, the corresponding protection profile
action is taken. If no match is found, the email is passed on to the next spam filter.
You can enter an IP address and mask in two formats:
• x.x.x.x/x.x.x.x, for example 62.128.69.100/255.255.255.0
• x.x.x.x/x, for example 62.128.69.100/24
You can configure the FortiGate unit to filter email from specific IP addresses. You can mark each IP
address as clear, spam, or reject. You can filter single IP addresses, or a range of addresses at the
network level by configuring an address and mask.
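
The sequential match and the clear, reject and spam outcomes described above, as an added Python example (not FortiGate code): the list entries, the sender addresses and the protection profile's assumed spam action "tag" are constructed for the illustration.

```python
import ipaddress

# Constructed IP address list (not from the reference) in the order the FortiGate unit
# evaluates it. Entries use the address formats the reference accepts: a bare address,
# x.x.x.x/x and x.x.x.x/x.x.x.x.
IPBWL = [
    {"status": "enable", "ip/subnet": "62.128.69.100/255.255.255.0", "action": "clear"},
    {"status": "disable", "ip/subnet": "10.0.0.0/8", "action": "reject"},  # disabled: skipped
    {"status": "enable", "ip/subnet": "123.0.0.0/8", "action": "reject"},
    {"status": "enable", "ip/subnet": "198.51.100.25", "action": "spam"},  # single host
]


def parse_ip_subnet(text):
    """Accept x.x.x.x, x.x.x.x/x and x.x.x.x/x.x.x.x; host bits are masked off."""
    return ipaddress.ip_network(text, strict=False)


def ipbwl_lookup(sender_ip, entries=IPBWL):
    """Return the action of the first enabled entry matching the sender address, or
    None when nothing matches and the email passes on to the next spam filter."""
    addr = ipaddress.ip_address(sender_ip)
    for entry in entries:
        if entry["status"] != "enable":
            continue
        if addr in parse_ip_subnet(entry["ip/subnet"]):
            return entry["action"]
    return None


def apply_ipbwl(sender_ip, profile_spam_action="tag", entries=IPBWL):
    """Map the list outcome to what happens to the message.

    clear  -> exempt from the remaining spam filters
    reject -> drop the SMTP session
    spam   -> apply the protection profile's spam action (assumed to be "tag" here)
    None   -> continue with the next spam filter (rbl in the documented order)
    """
    action = ipbwl_lookup(sender_ip, entries)
    if action == "clear":
        return "deliver (skip remaining spam filters)"
    if action == "reject":
        return "drop session"
    if action == "spam":
        return profile_spam_action
    return "next filter"


if __name__ == "__main__":
    for ip in ("62.128.69.7", "10.1.2.3", "123.45.6.7", "198.51.100.25", "203.0.113.9"):
        print(ip, ipbwl_lookup(ip), apply_ipbwl(ip))
```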

Command syntax pattern


config spamfilter ipbwl
edit <address-ipv4_integer>
set <keyword> <variable>
end
config spamfilter ipbwl
edit <address-ipv4_integer>
unset <keyword>
end
config spamfilter ipbwl
delete <address-ipv4_integer>
end
get spamfilter ipbwl [<address-ipv4_integer>]
show spamfilter ipbwl [<address-ipv4_integer>]

spamfilter ipbwl command keywords and variables


action {clear | reject | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter reject to drop any
    current or incoming sessions. Enter spam to apply the spam action configured in the
    protection profile. Default: spam. Availability: All models.
ip/subnet {<address_ipv4> | <address_ipv4mask>}
    The IP address to filter. You can also include a subnet mask in the format
    200.200.200.200/24. Default: No default. Availability: All models.
status {enable | disable}
    Enable or disable scanning email for each IP address. Default: enable. Availability: All models.

Example
This example shows how to add and enable the IP address and netmask 123.0.0.0/8 as the seventh
entry in the list and reject email from that subnet.
config spamfilter ipbwl
edit 7
set status enable
set action reject
set ip/subnet 123.0.0.0/8
end
This example shows how to display the spamfilter IP list.
get spamfilter ipbwl
This example shows how to display the settings for the second entry in the spamfilter IP list.
get spamfilter ipbwl 2
This example shows how to display the configuration for the entire IP list.
show spamfilter ipbwl
If the show command returns you to the prompt, there are no IP addresses in the list.
This example shows how to display the configuration for the seventh entry in the IP list.
show spamfilter ipbwl 7

Command History
FortiOS v2.80 New.

Related Commands
• config spamfilter bword
• config spamfilter emailbwl
• config spamfilter fortishield
• config spamfilter mheader
• config spamfilter rbl

config spamfilter mheader

mheader
Use this command to filter email based on the MIME header.
The FortiGate spam filters are generally applied in the following order:
• fortishield: FortiShield Antispam Service
• ipbwl: IP address list
• rbl: DNSBL & ORDBL
• emailbwl: Email address list
• mheader: MIME headers
• bword: Banned words
The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in
sequence. If a match is found, the corresponding action is taken. If no match is found, the email is
passed on to the next spam filter.
MIME (Multipurpose Internet Mail Extensions) headers are added to email to describe content type
and content encoding, such as the type of text in the email body or the program that generated the
email. Some examples of MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content-Type: text/html
• Content-Type: image/jpg
The first part of the MIME header is called the header key, or just header. The second part is called the
value. Spammers often insert comments into header values or leave them blank. These malformed
headers can fool some spam and virus filters.
You can use the MIME headers list to mark email from certain bulk mail programs or with certain types
of content that are common in spam messages. You can choose to mark the email as spam or clear
for each header you configure.
You can use Perl regular expressions or wildcards to add MIME header patterns to the list. See “Using
Perl regular expressions” on page 28.

Note: MIME header entries are case sensitive.
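
The key and value matching described above, including the case sensitivity the note points out, as an added Python example (not FortiGate code): the list entries and sample messages are constructed, and Python's re module stands in for the Perl regular expression engine.

```python
import fnmatch
import re

# Constructed MIME header list (not from the reference), evaluated in sequence; the first
# match wins. As in the reference's own example, fieldbody holds the header key and
# fieldname the value pattern; pattern_type selects wildcard or regexp matching.
MHEADER = [
    {"status": "enable", "action": "clear", "fieldbody": "Content-Type",
     "fieldname": "text/*", "pattern_type": "wildcard"},
    {"status": "enable", "action": "spam", "fieldbody": "X-Distribution",
     "fieldname": "bulk", "pattern_type": "wildcard"},
    {"status": "enable", "action": "spam", "fieldbody": "Received",
     "fieldname": r"1\.2\.3\.4", "pattern_type": "regexp"},
]


def parse_headers(raw_message):
    """Split the header block of a raw message into (key, value) pairs, unfolding
    continuation lines and stopping at the first blank line."""
    headers = []
    for line in raw_message.split("\n"):
        line = line.rstrip("\r")
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + " " + line.strip())
            continue
        key, _, value = line.partition(":")
        headers.append((key.strip(), value.strip()))
    return headers


def pattern_matches(pattern, value, pattern_type):
    """Entries are case sensitive, so use fnmatchcase rather than fnmatch (which folds
    case on some platforms); regexp patterns are searched anywhere in the value."""
    if pattern_type == "wildcard":
        return fnmatch.fnmatchcase(value, pattern)
    if pattern_type == "regexp":
        return re.search(pattern, value) is not None
    raise ValueError(f"unknown pattern_type {pattern_type!r}")


def mheader_lookup(raw_message, entries=MHEADER):
    """Return the action of the first enabled entry whose key and value pattern match a
    header of the message, or None to pass the email to the next spam filter."""
    headers = parse_headers(raw_message)
    for entry in entries:
        if entry["status"] != "enable":
            continue
        for key, value in headers:
            if key == entry["fieldbody"] and pattern_matches(
                    entry["fieldname"], value, entry["pattern_type"]):
                return entry["action"]
    return None


# Constructed sample messages (header block plus a one-word body).
BULK_HTML = ("From: news@example.net\nContent-Type: text/html; charset=utf-8\n"
             "X-Distribution: bulk\n\nbody")
BULK_LOWERCASE_KEY = "Content-type: text/html\nX-Distribution: bulk\n\nbody"  # key case differs
RELAYED = ("Received: from mx.example.net (mx.example.net [1.2.3.4])\n"
           "\tby mail.example.com\n\nbody")
BULK_UPPER = "X-Distribution: BULK\n\nbody"  # value case differs: no match

if __name__ == "__main__":
    for name, msg in (("BULK_HTML", BULK_HTML), ("BULK_LOWERCASE_KEY", BULK_LOWERCASE_KEY),
                      ("RELAYED", RELAYED), ("BULK_UPPER", BULK_UPPER)):
        print(name, mheader_lookup(msg))
```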

Command syntax pattern


config spamfilter mheader
edit <mime_integer>
set <keyword> <variable>
end
config spamfilter mheader
edit <mime_integer>
unset <keyword>
end
config spamfilter mheader
delete <mime_integer>
end
get spamfilter mheader [<mime_integer>]
show spamfilter mheader [<mime_integer>]

spamfilter mheader command keywords and variables


action {clear | spam}
    Enter clear to exempt the email from the rest of the spam filters. Enter spam to apply the spam
    action configured in the protection profile. Default: spam. Availability: All models.
fieldbody <mime_str>
    Enter the MIME header (key, header field body). You can use wildcards or Perl regular
    expressions. Default: No default. Availability: All models.
fieldname <mime_str>
    Enter the MIME header value (header field name). You can use wildcards or Perl regular
    expressions. Default: No default. Availability: All models.
pattern_type {regexp | wildcard}
    Enter the pattern_type for the MIME header. Choose from wildcards or Perl regular expressions.
    Default: wildcard. Availability: All models.
status {enable | disable}
    Enable or disable scanning email headers for each entry. Default: enable.
    Availability: All models.

Example
This example shows how to enable and add two MIME headers to the list. The first entry uses
wildcards and the second entry uses regular expressions.
config spamfilter mheader
edit 1
set status enable
set action clear
set fieldbody Content-Type
set fieldname text/*
set pattern_type wildcard
next
edit 2
set status enable
set action spam
set fieldbody Received
set fieldname 1\.2\.3\.4
set pattern_type regexp
end
This example shows how to display the spamfilter MIME header list.
get spamfilter mheader
This example shows how to display the settings for the second entry in the spamfilter MIME header
list.
get spamfilter mheader 2
This example shows how to display the configuration for the entire MIME header list.
show spamfilter mheader
If the show command returns you to the prompt, there are no MIME headers in the list.

This example shows how to display the configuration for the seventh entry in the MIME header list.
show spamfilter mheader 7

Command History
FortiOS v2.80 New.

Related Commands
• config spamfilter bword
• config spamfilter emailbwl
• config spamfilter fortishield
• config spamfilter ipbwl
• config spamfilter rbl

config spamfilter rbl

rbl
Use this command to filter email using DNS-based Blackhole List (DNSBL) or Open Relay Database
List (ORDBL) servers.
The FortiGate spam filters are generally applied in the following order:
• fortishield: FortiShield Antispam Service
• ipbwl: IP address list
• rbl: DNSBL & ORDBL
• emailbwl: Email address list
• mheader: MIME headers
• bword: Banned words
The FortiGate unit compares the IP address or domain name of the sender to any database lists you
configure in sequence. If a match is found, the corresponding action is taken. If no match is found, the
email is passed on to the next spam filter.
Some spammers use unsecured third party SMTP servers to send unsolicited bulk email. Using
DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters your network. These lists
act as domain name servers that match the domain of incoming email to a list of IP addresses known
to send spam or allow spam to pass through.
There are several free and subscription servers available that provide reliable access to continually
updated DNSBLs and ORDBLs. Please check with the service you are using to confirm the correct
domain name for connecting to the server.

Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it
must be able to look up this name on the DNS server. For information on configuring DNS, see “config system
dns” on page 239.
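
How a DNSBL query is built and answered, as an added Python example (not FortiGate code) of the lookup described above: the list configuration reuses the server names from the example in this section, but the DNS answers are constructed so the block runs offline; live_resolve performs the same lookup against the system resolver.

```python
import ipaddress
import socket

# Constructed DNSBL configuration (server names as in the reference's own example),
# evaluated in sequence; the first list that has the sender decides.
RBL = [
    {"status": "enable", "server": "bl.spamcop.net", "action": "reject"},
    {"status": "enable", "server": "relays.ordb.org", "action": "spam"},
]

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBLs answer 127.0.0.x for listed hosts


def dnsbl_query_name(sender_ip, zone):
    """Build the name the list is asked about: the sender's octets reversed under the zone.
    1.2.3.4 checked against bl.spamcop.net becomes 4.3.2.1.bl.spamcop.net."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolve(name):
    """Resolve with the system resolver; NXDOMAIN (the 'not listed' answer) becomes None.
    Like the FortiGate unit, this needs working DNS to reach the list at all."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_listed(sender_ip, zone, resolve=live_resolve):
    """True when the zone answers with an address in 127.0.0.0/8. Any other answer
    (for example from a list that has shut down and now returns a public address)
    is not treated as a listing."""
    answer = resolve(dnsbl_query_name(sender_ip, zone))
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in LISTED_RANGE
    except ValueError:
        return False


def rbl_lookup(sender_ip, entries=RBL, resolve=live_resolve):
    """Return the action (reject or spam) of the first enabled list that has the sender,
    or None so the email passes to the next spam filter."""
    for entry in entries:
        if entry["status"] != "enable":
            continue
        if dnsbl_listed(sender_ip, entry["server"], resolve):
            return entry["action"]
    return None


# Constructed answers standing in for the list servers, so the example runs offline.
FAKE_DNS = {
    "4.3.2.1.bl.spamcop.net": "127.0.0.2",       # listed by the first zone
    "1.113.0.203.relays.ordb.org": "127.0.0.3",  # listed only by the second zone
    "2.113.0.203.bl.spamcop.net": "192.0.2.99",  # non-127 answer: not a listing
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("1.2.3.4", "203.0.113.1", "203.0.113.2", "198.51.100.9"):
        print(ip, rbl_lookup(ip, resolve=fake_resolve))
```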

Command syntax pattern


config spamfilter rbl
edit <server_integer>
set <keyword> <variable>
end
config spamfilter rbl
edit <server_integer>
unset <keyword>
end
config spamfilter rbl
delete <server_integer>
end
get spamfilter rbl [<server_integer>]
show spamfilter rbl [<server_integer>]

spamfilter rbl command keywords and variables


action {reject | spam}
    Enter reject to stop any further processing of the current session and to drop an incoming
    connection at once. Enter spam to identify email as spam. Default: spam.
    Availability: All models.
server <name_str>
    Enter the name of a Real-time Blackhole List server or an Open Relay Database server.
    Default: No default. Availability: All models.
status {enable | disable}
    Enable or disable querying a Real-time Blackhole List server or an Open Relay Database server.
    Default: enable. Availability: All models.

Example
This example shows how to add the DNSBL server bl.spamcop.net to the second position in the
list and reject email identified as spam, and add the ORDBL relays.ordb.org to the third position
in the list and mark email identified as spam.
config spamfilter rbl
edit 2
set action reject
set server bl.spamcop.net
set status enable
next
edit 3
set action spam
set server relays.ordb.org
set status enable
end
This example shows how to display the spamfilter DNSBL list.
get spamfilter rbl
This example shows how to display the settings for the second entry in the spamfilter DNSBL list.
get spamfilter rbl 2
This example shows how to display the configuration for the entire DNSBL list.
show spamfilter rbl
If the show command returns you to the prompt, there are no DNSBLs in the list.
This example shows how to display the configuration for the third entry in the DNSBL list.
show spamfilter rbl 3

Command History
FortiOS v2.80 New.

Related Commands
• config spamfilter bword
• config spamfilter emailbwl
• config spamfilter fortishield
• config spamfilter ipbwl
• config spamfilter mheader
• config system dns

config system

accprofile
admin
autoupdate clientoverride
autoupdate override
autoupdate push-update
autoupdate schedule
autoupdate tunneling
bug-report
console
dhcp exclude_range
dhcp ipmacbinding
dhcp server
dns
fm
get system performance
get system status
global
ha
interface
ipv6_tunnel
mac-address-table
manageip
modem
oobm interface
oobm route
replacemsg {alertmail | catblock | ftp | http | mail | spam} <message-type_str>
session-helper
session_ttl
snmp community
snmp sysinfo
vdom
wireless mac_filter
wireless settings
zone

config system accprofile

accprofile
Use this command to add access profiles that control administrator access to FortiGate features. Each
FortiGate administrator account must include an access profile. You can create access profiles that
deny access to or allow read only, write only, or both read and write access to FortiGate features.

Command syntax pattern


config system accprofile
edit <profile-name_str>
set <keyword> <variable>
end
config system accprofile
edit <profile-name_str>
unset <keyword>
end
config system accprofile
delete <profile-name_str>
end
get system accprofile [<profile-name_str>]
show system accprofile [<profile-name_str>]

accprofile command keywords and variables


Each keyword below takes one of the values none (deny access), r (read only access), rw (read
write access), or w (write only access).

admingrp {none | r | rw | w}
    Control administrator access to FortiGate administrator accounts and access profiles.
    Default: none. Availability: All models.
authgrp {none | r | rw | w}
    Control administrator access to users and authentication including local users, RADIUS
    servers, LDAP servers, and user groups. Default: none. Availability: All models.
loggrp {none | r | rw | w}
    Control administrator access to log and report configuration including log settings, viewing
    logs and alert email settings. Default: none. Availability: All models.
secgrp {none | r | rw | w}
    Control administrator access to firewall configuration including firewall policies, addresses,
    services, schedules, virtual IPs, IP pools, IP/MAC binding, and protection profiles.
    Default: none. Availability: All models.
sysgrp {none | r | rw | w}
    Control administrator access to system configuration, including all system and router settings.
    Default: none. Availability: All models.
sysshutdowngrp {none | r | rw | w}
    Control administrator access to system shutdown and reboot functions. Default: none.
    Availability: All models.
updgrp {none | r | rw | w}
    Control administrator access to FortiProtect antivirus and IPS updates. Default: none.
    Availability: All models.

Example
Use the following commands to add a new access profile named policy_profile that allows read
and write access to firewall policies and that denies access to all other FortiGate features. An
administrator account with this access profile can view and edit firewall policies, but cannot view or
change any other FortiGate settings or features.
config system accprofile
edit policy_profile
set secgrp rw
end
This example shows how to display the settings for the system accprofile command.
get system accprofile
This example shows how to display the settings for the policy_profile access profile.
get system accprofile policy_profile
This example shows how to display the configuration for the system accprofile command.
show system accprofile
This example shows how to display the configuration for the policy_profile access profile.
show system accprofile policy_profile

Command History
FortiOS v2.80 New.

Related Commands
• admin

config system admin

admin
Use this command to add, edit, and delete administrator accounts.
Use the admin account or an account with system configuration read and write privileges to add new
administrator accounts and control their permission levels. Each administrator account must include
an access profile. You cannot delete the admin administrator account. You cannot change the admin
administrator account permissions.

Command syntax pattern


config system admin
edit <name_str>
set <keyword> <variable>
end
config system admin
edit <name_str>
unset <keyword>
end
config system admin
delete <name_str>
end
get system admin [<name_str>]
show system admin [<name_str>]

admin command keywords and variables


accprofile <profile-name_str>
    Enter the name of the access profile to assign to this administrator account. Access profiles
    control administrator access to FortiGate features. Default: No default.
    Availability: All models.
password <password_str>
    Enter a password for the administrator account. For improved security, the password should be
    at least 6 characters long. Default: No default. Availability: All models.
trusthost1 <address_ipv4mask>
    An IP address or subnet address and netmask from which the administrator can connect to the
    FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any
    address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0/0.0.0.0. Availability: All models.
trusthost2 <address_ipv4mask>
    An IP address or subnet address and netmask from which the administrator can connect to the
    FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any
    address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0/0.0.0.0. Availability: All models.
trusthost3 <address_ipv4mask>
    An IP address or subnet address and netmask from which the administrator can connect to the
    FortiGate unit. If you want the administrator to be able to access the FortiGate unit from any
    address, set one of the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0/0.0.0.0. Availability: All models.
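
The two checks an administrator login is subject to, the trusted hosts described in the table above and the access profile groups from the accprofile section, as one added Python example (not FortiGate code): policy_profile and new_admin follow the reference's own examples, while ops_profile, ops_admin and every source address are constructed.

```python
import ipaddress

ACCESS_GROUPS = ("admingrp", "authgrp", "loggrp", "secgrp", "sysgrp", "sysshutdowngrp", "updgrp")

# Constructed access profiles. policy_profile is the reference's example (secgrp rw, every
# other group left at its default of none); ops_profile is an added one.
ACCPROFILES = {
    "policy_profile": {"secgrp": "rw"},
    "ops_profile": {"loggrp": "r", "sysshutdowngrp": "rw"},
}

# Constructed administrator accounts. new_admin follows the reference's example: all three
# trusted hosts stay at their default 0.0.0.0/0.0.0.0, so it may connect from any address.
ADMINS = {
    "new_admin": {"accprofile": "policy_profile",
                  "trusthost1": "0.0.0.0/0.0.0.0",
                  "trusthost2": "0.0.0.0/0.0.0.0",
                  "trusthost3": "0.0.0.0/0.0.0.0"},
    "ops_admin": {"accprofile": "ops_profile",
                  "trusthost1": "192.168.1.0/255.255.255.0",
                  "trusthost2": "10.10.10.5/255.255.255.255",
                  "trusthost3": "172.16.0.0/255.240.0.0"},
}


def trusted_host_allows(admin, source_ip):
    """An administrator may connect only from an address inside one of trusthost1..3;
    0.0.0.0 with netmask 0.0.0.0 is the 'any address' setting the table describes."""
    addr = ipaddress.ip_address(source_ip)
    for key in ("trusthost1", "trusthost2", "trusthost3"):
        if addr in ipaddress.ip_network(admin[key], strict=False):
            return True
    return False


def profile_permits(profile, group, operation):
    """Check one access group against a read ('r') or write ('w') operation.
    A group not set in the profile keeps the default none, which denies access."""
    if group not in ACCESS_GROUPS:
        raise ValueError(f"unknown access group {group!r}")
    level = profile.get(group, "none")
    allowed = {"none": "", "r": "r", "w": "w", "rw": "rw"}[level]
    return operation in allowed


def authorize(admin_name, source_ip, group, operation,
              admins=ADMINS, profiles=ACCPROFILES):
    """Trusted hosts decide whether the connection is accepted at all; the access
    profile then decides what the session may read or write."""
    admin = admins.get(admin_name)
    if admin is None or not trusted_host_allows(admin, source_ip):
        return False
    return profile_permits(profiles[admin["accprofile"]], group, operation)


if __name__ == "__main__":
    print(authorize("new_admin", "203.0.113.7", "secgrp", "w"))   # True
    print(authorize("ops_admin", "203.0.113.7", "loggrp", "r"))   # False: untrusted source
    print(authorize("ops_admin", "192.168.1.20", "loggrp", "w"))  # False: read only
```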

Example
Use the following commands to add a new administrator account named new_admin with the
password set to p8ssw0rd and that includes an access profile named policy_profile.
Administrators that log in to this account will have administrator access to the FortiGate unit from any
IP address.
config system admin
edit new_admin
set password p8ssw0rd
set accprofile policy_profile
end
This example shows how to display the settings for the system admin command.
get system admin
This example shows how to display the settings for the new_admin administrator account.
get system admin new_admin
This example shows how to display the configuration for the system admin command.
show system admin

Command History
FortiOS v2.80 Revised.

Related Commands
• accprofile

config system autoupdate clientoverride

autoupdate clientoverride
Use this command to receive updates on a different interface than that connected to the FortiProtect
Distribution Network (FDN). This command changes the source IP address of update requests to the
FortiProtect server, causing it to send the update to the modified source address.

Command syntax pattern


config system autoupdate clientoverride
set <keyword> <variable>
end
config system autoupdate clientoverride
unset <keyword>
end
get system autoupdate clientoverride
show system autoupdate clientoverride

autoupdate clientoverride command keywords and variables


address <address_ipv4>
    Enter the IP address to receive updates. Default: No default. Availability: All models.
status {disable | enable}
    Enable or disable using the clientoverride address. Default: disable. Availability: All models.

Example
This example shows how to add a push update client IP address 192.0.2.45.
config system autoupdate clientoverride
set address 192.0.2.45
set status enable
end
This example shows how to display the settings for the system autoupdate clientoverride
command.
get system autoupdate clientoverride
This example shows how to display the configuration for the system autoupdate clientoverride
command.
show system autoupdate clientoverride

Command History
FortiOS v2.80 MR6 Added.

Related Commands
• autoupdate override
• autoupdate push-update
• autoupdate schedule
• autoupdate tunneling
• execute update_now

config system autoupdate override

autoupdate override
Use this command to add the IP address of an override FDS server.
If you cannot connect to the FDN or if your organization provides updates using their own FortiProtect
server, you can add an override FDS server so that the FortiGate unit connects to this IP address
instead of the FortiProtect Distribution Network (FDN).

Command syntax pattern


config system autoupdate override
set <keyword> <variable>
end
config system autoupdate override
unset <keyword>
end
get system autoupdate override
show system autoupdate override

autoupdate override command keywords and variables


address <address_str>
    Enter the IP address or fully qualified domain name of the override FDS server.
    Default: No default. Availability: All models.
status {disable | enable}
    Enable or disable using the override FDS server. Default: disable. Availability: All models.

Example
This example shows how to add and enable an FDS override server with IP address 192.168.87.45.
config system autoupdate override
set address 192.168.87.45
set status enable
end
This example shows how to display the settings for the system autoupdate override command.
get system autoupdate override
This example shows how to display the configuration for the system autoupdate override
command.
show system autoupdate override

Command History
FortiOS v2.80 Revised.

Related Commands
• autoupdate push-update
• autoupdate schedule
• autoupdate tunneling
• execute update_now

config system autoupdate push-update

autoupdate push-update
Use this command to configure push updates. The FortiProtect Distribution Network (FDN) can push
updates to FortiGate units to provide the fastest possible response to critical situations. You must
register the FortiGate unit before it can receive push updates.
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP
message to the FDN. The next time an update is released, the FDN notifies all FortiGate units that are
configured for push updates that a new update is available. Within 60 seconds of receiving a push
notification, the FortiGate unit requests an update from the FDN.
Using this command you can enable or disable push updates. You can also configure push IP address
and port override. If the FDN must connect to the FortiGate unit through a NAT device, you must
configure port forwarding on the NAT device and add the port forwarding information to the push
update override configuration.

Note: You cannot receive push updates through a NAT device if the external IP address of the NAT device is
dynamic (for example, set using PPPoE or DHCP).

Command syntax pattern


config system autoupdate push-update
set <keyword> <variable>
end
config system autoupdate push-update
unset <keyword>
end
get system autoupdate push-update
show system autoupdate push-update

autoupdate push-update command keywords and variables


address <server-address>
    If you enable push override, enter the external IP address that the FDN connects to. This is
    the address of the external interface of the NAT device. Default: No default.
    Availability: All models.
override {disable | enable}
    Enable or disable a push override if the FortiGate unit connects to the FDN through a NAT
    device. Default: disable. Availability: All models.
port <port_integer>
    Enter the port that the FDN connects to. This can be port 9443 or an override push port that
    you assign. Default: 9443. Availability: All models.
status {disable | enable}
    Enable or disable push updates. Default: disable. Availability: All models.

Example
This example shows how to enable push updates.
config system autoupdate push-update
set status enable
end

This example shows how to display the settings for the system autoupdate push-update
command.
get system autoupdate push-update
This example shows how to display the configuration for the system autoupdate push-update
command.
show system autoupdate push-update

Command History
FortiOS v2.80 Revised.

Related Commands
• autoupdate override
• autoupdate schedule
• autoupdate tunneling
• execute update_now

config system autoupdate schedule

autoupdate schedule
Use this command to enable or disable scheduled updates, at regular intervals throughout the day,
once a day, or once a week.

Command syntax pattern


config system autoupdate schedule
set <keyword> <variable>
end
config system autoupdate schedule
unset <keyword>
end
get system autoupdate schedule
show system autoupdate schedule

autoupdate schedule command keywords and variables


day <day_str>
    Enter the day of the week on which to check for updates. <day_str> can be Sunday, Monday,
    Tuesday, Wednesday, Thursday, Friday, or Saturday. Default: Monday (weekly only).
    Availability: All models.
frequency {every | daily | weekly}
    Schedule the FortiGate unit to check for updates every hour, once a day, or once a week.
    • every: Check for updates periodically. Set time to the time interval to wait between
      updates.
    • daily: Check for updates once a day. Set time to the time of day to check for updates.
    • weekly: Check for updates once a week. Set day to the day of the week to check for
      updates. Set time to the time of day to check for updates.
    Default: every. Availability: All models.
status {disable | enable}
    Enable or disable scheduled updates. Default: disable. Availability: All models.
time <hh:mm>
    Enter the time at which to check for updates. Default: 01:60. Availability: All models.
    • hh can be 00 to 23
    • mm can be 00 to 59, or 60 for a random minute

Example
This example shows how to configure the FortiGate unit to check the FortiProtect Distribution Network
(FDN) for updates once a day at 3:00 in the morning.
config system autoupdate schedule
set frequency daily
set time 03:00
set status enable
end
This example shows how to display the settings for the system autoupdate schedule command.
get system autoupdate schedule

This example shows how to display the configuration for the system autoupdate schedule
command.
show system autoupdate schedule

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Can set time as well as day for weekly updates.

Related Commands
• autoupdate override
• autoupdate push-update
• autoupdate tunneling
• global

config system autoupdate tunneling

autoupdate tunneling
Use this command to configure the FortiGate unit to use a proxy server to connect to the FortiProtect
Distribution Network (FDN). To use the proxy server you must enable tunneling and add the IP
address and port required to connect to the proxy server. If the proxy server requires authentication,
add the user name and password required to connect to the proxy server.
The FortiGate unit connects to the proxy server using the HTTP CONNECT method, as described in
RFC 2616. The FortiGate unit sends an HTTP CONNECT request to the proxy server (optionally with
authentication information) specifying the IP address and port required to connect to the FDN. The
proxy server establishes the connection to the FDN and passes information between the FortiGate unit
and the FDN.
The CONNECT method is used mostly for tunneling SSL traffic. Some proxy servers do not allow the
CONNECT to connect to any port; they restrict the allowed ports to the well known ports for HTTPS
and perhaps some other similar services. Because FortiGate autoupdates use HTTPS on port 8890 to
connect to the FDN, your proxy server might have to be configured to allow connections on this port.
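
The CONNECT exchange described above, as an added Python example (not FortiGate code): the request the unit sends and the proxy answers the unit has to handle. The proxy responses are constructed, Basic authentication is an assumption (the reference only says credentials are optional), and fds.example.test is a placeholder for the FDN host.

```python
import base64

FDN_PORT = 8890  # the HTTPS port FortiGate autoupdates use to reach the FDN (from the reference)


def basic_credential(username, password):
    """Proxy-Authorization value for HTTP Basic (RFC 2617): base64 of user:password."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def build_connect_request(fdn_host, fdn_port=FDN_PORT, username=None, password=None):
    """The CONNECT request the unit sends the proxy: the FDN host and port go in the
    request line, and credentials ride in Proxy-Authorization when the proxy needs them
    (Basic is assumed here)."""
    lines = [
        f"CONNECT {fdn_host}:{fdn_port} HTTP/1.1",
        f"Host: {fdn_host}:{fdn_port}",
    ]
    if username is not None:
        lines.append("Proxy-Authorization: Basic " + basic_credential(username, password or ""))
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's status line. A 2xx means the tunnel
    is open and the TLS handshake with the FDN can start on the same socket."""
    status_line, _, _ = raw.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def tunnel_status(raw, fdn_port=FDN_PORT):
    """Turn the proxy's answer into the outcome an operator would check for."""
    code, _ = parse_connect_response(raw)
    if 200 <= code < 300:
        return "tunnel established"
    if code == 407:
        return "proxy requires authentication: set username and password"
    if code == 403:
        # The usual answer from a proxy that only allows CONNECT to the well known HTTPS
        # port; the proxy has to permit the FDN port for autoupdates to work.
        return f"proxy refused CONNECT to port {fdn_port}: allow this port on the proxy"
    return f"proxy error {code}"


# Constructed proxy answers (not captured from a real proxy).
PROXY_OK = "HTTP/1.1 200 Connection established\r\n\r\n"
PROXY_AUTH = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
              "Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n")
PROXY_PORT_BLOCKED = "HTTP/1.1 403 Forbidden\r\n\r\n"

if __name__ == "__main__":
    print(build_connect_request("fds.example.test", username="proxy_user", password="proxy_pwd"))
    for answer in (PROXY_OK, PROXY_AUTH, PROXY_PORT_BLOCKED):
        print(tunnel_status(answer))
```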

Command syntax pattern


config system autoupdate tunneling
set <keyword> <variable>
end
config system autoupdate tunneling
unset <keyword>
end
get system autoupdate tunneling
show system autoupdate tunneling

autoupdate tunneling command keywords and variables


address <address_str>
    The IP address or fully qualified domain name of the proxy server. Default: No default.
    Availability: All models.
password <password_str>
    If one is required, the password to connect to the proxy server. Default: No default.
    Availability: All models.
port <port_integer>
    The port required to connect to the proxy server. Default: No default. Availability: All models.
status {disable | enable}
    Enable or disable tunneling. Default: disable. Availability: All models.
username <name_str>
    The user name to connect to the proxy server. Default: No default. Availability: All models.

Example
This example shows how to enable tunneling where the FortiGate unit must connect to a proxy server
with IP address 67.35.50.34 that uses port 8080 and requires the user name proxy_user and the
password proxy_pwd.
config system autoupdate tunneling
set address 67.35.50.34
set port 8080
set username proxy_user
set password proxy_pwd
set status enable
end
This example shows how to display the settings for the system autoupdate tunneling
command.
get system autoupdate tunneling
This example shows how to display the configuration for the system autoupdate tunneling
command.
show system autoupdate tunneling

Command History
FortiOS v2.80 Revised.

Related Commands
• autoupdate override
• autoupdate push-update
• autoupdate schedule

config system bug-report

bug-report
Use this command to configure a custom email relay for sending problem reports to Fortinet customer
support. For more information on sending problem reports, see the System Maintenance chapter of
the Administration Guide for your FortiGate model.

Command syntax pattern


config system bug-report
set <keyword> <variable>
end
config system bug-report
unset <keyword>
end
get system bug-report
show system bug-report

bug-report command keywords and variables

auth {no | yes}
    Enter no if the SMTP server does not require authentication. Enter yes if the SMTP server does require authentication.
    Default: no. Availability: All models.
password <password_str>
    If the SMTP server requires authentication, enter the password required.
    Default: No default. Availability: All models.
server <name_str>
    The SMTP server to use for sending bug report email. The default server is fortinetvirussubmit.com.
    Default: See description. Availability: All models.
username <name_str>
    A valid user name on the specified SMTP server. The default user name is bug_report.
    Default: See description. Availability: All models.

Example
This example shows how to configure an authenticated SMTP relay for bug reports.
config system bug-report
    set auth yes
    set password '123456'
    set server '10.0.0.1'
    set username 'User1'
end
This example shows how to display the settings for the bug-report command.
get system bug-report
This example shows how to display the configuration for the bug-report command.
show system bug-report

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Command changed from config bug-report to config system bug-report.

Related Commands
• system dns

console
Use this command to set the console command mode, the number of lines displayed by the console,
and the baud rate.

Command syntax pattern


config system console
set <keyword> <variable>
end
config system console
unset <keyword>
end
get system console
show system console

console command keywords and variables

baudrate {9600 | 19200 | 38400 | 57600 | 115200}
    Set the console port baudrate.
    Default: 9600. Availability: All models.
mode {batch | line}
    Set the console mode to line or batch. Used for autotesting only.
    Default: line. Availability: All models.
output {standard | more}
    Set console output to standard (no pause) or more (pause after each screenful, resume on keypress).
    Default: standard. Availability: show or get commands only.

Example
This example shows how to set the baudrate to 38400 and set the number of lines per page to 25 (the page keyword was removed in FortiOS v2.80 MR4; see Command History).
config system console
    set baudrate 38400
    set page 25
end
This example shows how to display the settings for the console command.
get system console
This example shows how to display the configuration for the console command.
show system console

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Command changed from config console to config system console.
FortiOS v2.80 MR4 page keyword removed. output keyword added.

dhcp exclude_range
Use this command to add up to 16 exclusion ranges of IP addresses that FortiGate DHCP servers
cannot assign to DHCP clients. Exclusion ranges apply to all FortiGate DHCP servers.

Note: For this configuration to take effect you must set the interface to DHCP server mode using the dhcp-server-mode keyword in the config system interface command.

Command syntax pattern


config system dhcp exclude_range
edit <index_integer>
set <keyword> <variable>
end
config system dhcp exclude_range
delete <index_integer>
end
get system dhcp exclude_range [<index_integer>]
show system dhcp exclude_range [<index_integer>]

exclude_range command keywords and variables

end_ip <address_ipv4>
    The end IP address in the exclusion range. The start IP and end IP must be in the same subnet.
    Default: 0.0.0.0. Availability: All models.
start_ip <address_ipv4>
    The start IP address in the exclusion range. The start IP and end IP must be in the same subnet.
    Default: 0.0.0.0. Availability: All models.

Example
Use the following command to add an exclusion range from 192.168.20.22 to 192.168.20.25.
config system dhcp exclude_range
    edit 1
        set start_ip 192.168.20.22
        set end_ip 192.168.20.25
end
This example shows how to display the settings for the system dhcp exclude_range command.
get system dhcp exclude_range
This example shows how to display the settings for exclusion range 1.
get system dhcp exclude_range 1
This example shows how to display the configuration for the system dhcp exclude_range command.
show system dhcp exclude_range
This example shows how to display the configuration for exclusion range 1.
show system dhcp exclude_range 1

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR3 Can now define up to 16 exclude ranges.

Related Commands
• dhcp ipmacbinding
• dhcp server
• interface

dhcp ipmacbinding
Use this command to reserve an IP address for a particular device on the network according to the
MAC address of the device. When you add the MAC address and an IP address to the IP/MAC binding
list, the DHCP server always assigns this IP address to the MAC address. You can create up to 50
IP/MAC binding pairs.

Note: For this configuration to take effect you must set the interface to DHCP server mode using the dhcp-server-mode keyword in the config system interface command.

Command syntax pattern


config system dhcp ipmacbinding
edit <name_str>
set <keyword> <variable>
end
config system dhcp ipmacbinding
delete <name_str>
end
get system dhcp ipmacbinding [<name_str>]
show system dhcp ipmacbinding [<name_str>]

dhcp ipmacbinding command keywords and variables

ip <address_ipv4>
    Enter the IP address.
    Default: 0.0.0.0. Availability: All models.
mac <address_hex>
    Enter the MAC address.
    Default: 00:00:00:00:00:00. Availability: All models.

Example
Use the following command to add an IP/MAC binding pair named ipmac_pair consisting of IP address 192.168.110.3 and MAC address 00:09:0F:0A:01:BC.
config system dhcp ipmacbinding
    edit ipmac_pair
        set ip 192.168.110.3
        set mac 00:09:0F:0A:01:BC
end
This example shows how to display the settings for the system dhcp ipmacbinding command.
get system dhcp ipmacbinding
This example shows how to display the settings for the ipmac_pair IP/MAC binding pair.
get system dhcp ipmacbinding ipmac_pair
This example shows how to display the configuration for the system dhcp ipmacbinding
command.
show system dhcp ipmacbinding
This example shows how to display the configuration for the ipmac_pair IP/MAC binding pair.
show system dhcp ipmacbinding ipmac_pair

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• dhcp exclude_range
• dhcp server
• interface

dhcp server
Use this command to add one or more DHCP servers for any FortiGate interface. As a DHCP server,
the interface dynamically assigns IP addresses to hosts on a network connected to the interface.
You can add more than one DHCP server to a single interface to be able to provide DHCP services to
multiple networks. For more information on configuring your network and FortiGate unit to use multiple
DHCP servers on one interface, see the System DHCP chapter in the Administration Guide for your
FortiGate unit.

Note: For this configuration to take effect you must set the interface to DHCP server mode using the dhcp-server-mode keyword in the config system interface command.

You can configure up to 32 DHCP servers.

Command syntax pattern


config system dhcp server
edit <name_str>
set <keyword> <variable>
end
config system dhcp server
edit <name_str>
unset <keyword>
end
config system dhcp server
delete <name_str>
end
get system dhcp server [<name_str>]
show system dhcp server [<name_str>]

dhcp server command keywords and variables

default-router <address_ipv4>
    The IP address of the default gateway that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
dns-server1 <address_ipv4>
    The IP address of the first DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
dns-server2 <address_ipv4>
    The IP address of the second DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
dns-server3 <address_ipv4>
    The IP address of the third DNS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
domain <domain-name_str>
    Domain name suffix for the IP addresses that the DHCP server assigns to DHCP clients.
    Default: No default. Availability: All models. NAT/Route mode only.
end-ip <address_ipv4>
    The ending IP for the range of IP addresses that this DHCP server assigns to DHCP clients. The IP range is defined by the start-ip and the end-ip.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
interface <interface-name_str>
    The interface for which to configure the DHCP server.
    Default: internal. Availability: All models. NAT/Route mode only.
lease-time <seconds_integer>
    The interval in seconds after which a DHCP client must ask the DHCP server for new settings. The lease duration must be between 5 and 144,000 seconds. Set lease-time to 0 for an unlimited lease time.
    Default: 604800. Availability: All models. NAT/Route mode only.
netmask <address_ipv4mask>
    The netmask that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
option1 <option_code> [<option_hex>]
    The first custom DHCP option that can be sent by the DHCP server. option_code is the DHCP option code in the range 1 to 255. option_hex is an even number of hexadecimal characters. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
    Default: No default. Availability: All models. NAT/Route mode only.
option2 <option_code> [<option_hex>]
    The second custom DHCP option that can be sent by the DHCP server. option_code is the DHCP option code in the range 1 to 255. option_hex is an even number of hexadecimal characters. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
    Default: No default. Availability: All models. NAT/Route mode only.
option3 <option_code> [<option_hex>]
    The third custom DHCP option that can be sent by the DHCP server. option_code is the DHCP option code in the range 1 to 255. option_hex is an even number of hexadecimal characters. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
    Default: No default. Availability: All models. NAT/Route mode only.
start-ip <address_ipv4>
    The starting IP for the range of IP addresses that this DHCP server assigns to DHCP clients. The IP range is defined by the start-ip and the end-ip.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
wins-server1 <address_ipv4>
    The IP address of the first WINS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
wins-server2 <address_ipv4>
    The IP address of the second WINS server that the DHCP server assigns to DHCP clients.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.

Example
Use the following command to add a DHCP server named new_dhcp. This DHCP server assigns IP addresses to computers connected to the same network as the internal interface. The IP addresses assigned are in the range 192.168.33.100 to 192.168.33.200. The example DHCP configuration also sets the netmask, default gateway, two DNS server IP addresses, the lease time, and one WINS server.
config system dhcp server
    edit new_dhcp
        set interface internal
        set start-ip 192.168.33.100
        set end-ip 192.168.33.200
        set netmask 255.255.255.0
        set default-router 192.168.33.1
        set dns-server1 56.34.56.96
        set dns-server2 56.34.56.99
        set lease-time 4000
        set wins-server1 192.168.33.45
end
This example shows how to display the settings for the system dhcp server command.
get system dhcp server
This example shows how to display the settings for the new_dhcp DHCP server.
get system dhcp server new_dhcp
This example shows how to display the configuration for the system dhcp server command.
show system dhcp server
This example shows how to display the configuration for the new_dhcp DHCP server.
show system dhcp server new_dhcp
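
The three dhcp tables above (exclude_range, ipmacbinding and server) state limits that are easy to get wrong by hand: exclusion range endpoints must share a subnet and there are at most 16 of them, at most 50 IP/MAC bindings, lease-time is 0 or 5 to 144,000 seconds, and option codes are 1 to 255 with an even number of hexadecimal characters. The Python below is an added example, not Fortinet's code: it checks a planned configuration against those limits, encodes an RFC 2132 address-list option into the option_hex form, and renders the CLI blocks using the keyword spellings from the tables. The class and function names are the example's own, and it assumes the server's netmask also bounds the exclusion ranges, which the reference does not state.

```python
"""Check a planned FortiGate DHCP configuration against the limits in this
reference and render the CLI. Added example; not Fortinet's code.

Limits used (from the keyword tables): exclusion range start/end in the same
subnet, at most 16 exclusion ranges and 50 IP/MAC bindings, lease-time 0 or
5..144,000 seconds, option codes 1..255 with an even number of hex characters.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_EXCLUDE_RANGES = 16
MAX_IPMAC_BINDINGS = 50
LEASE_MIN, LEASE_MAX = 5, 144_000
HEX_RE = re.compile(r"[0-9a-fA-F]*")


@dataclass
class DhcpServer:                       # example's own type, not a FortiOS object
    name: str
    interface: str
    start_ip: str
    end_ip: str
    netmask: str
    default_router: str = "0.0.0.0"
    dns_servers: List[str] = field(default_factory=list)          # dns-server1..3
    lease_time: int = 604800                                      # table default
    options: List[Tuple[int, str]] = field(default_factory=list)  # option1..3 as (code, hex)


def ipv4_option_hex(*addresses: str) -> str:
    """Encode IPv4 addresses as the option_hex value option1..3 expect. RFC 2132
    address-list options (e.g. 42, NTP servers) are concatenated 4-byte
    addresses, so the result always has an even number of hex characters."""
    return "".join(ipaddress.IPv4Address(a).packed.hex() for a in addresses)


def validate_server(srv: DhcpServer) -> List[str]:
    """Return the limit violations found (an empty list means the server is OK)."""
    errors = []
    if srv.lease_time != 0 and not LEASE_MIN <= srv.lease_time <= LEASE_MAX:
        errors.append(f"lease-time {srv.lease_time}: must be 0 or {LEASE_MIN}..{LEASE_MAX}")
    if len(srv.dns_servers) > 3:
        errors.append("more than three DNS servers (dns-server1..dns-server3)")
    if len(srv.options) > 3:
        errors.append("more than three custom options (option1..option3)")
    for code, value in srv.options:
        if not 1 <= code <= 255:
            errors.append(f"option code {code}: must be 1..255")
        if len(value) % 2 or not HEX_RE.fullmatch(value):
            errors.append(f"option {code}: {value!r} is not an even number of hex characters")
    # Example's own sanity check: start-ip and end-ip must lie in one subnet.
    pool = ipaddress.ip_network(f"{srv.start_ip}/{srv.netmask}", strict=False)
    if ipaddress.IPv4Address(srv.end_ip) not in pool:
        errors.append(f"end-ip {srv.end_ip} is outside {pool}")
    return errors


def validate_exclude_ranges(ranges: List[Tuple[str, str]], netmask: str) -> List[str]:
    """Table rule: start_ip and end_ip of each range must share a subnet.
    Assumption: the DHCP server's netmask defines that subnet."""
    errors = []
    if len(ranges) > MAX_EXCLUDE_RANGES:
        errors.append(f"{len(ranges)} exclusion ranges: maximum is {MAX_EXCLUDE_RANGES}")
    for start, end in ranges:
        subnet = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
        if ipaddress.IPv4Address(end) not in subnet:
            errors.append(f"exclusion range {start}-{end}: start and end are in different subnets")
    return errors


def validate_bindings(bindings: List[Tuple[str, str, str]]) -> List[str]:
    """Table limit: at most 50 (name, ip, mac) binding pairs."""
    n = len(bindings)
    return [f"{n} IP/MAC bindings: maximum is {MAX_IPMAC_BINDINGS}"] if n > MAX_IPMAC_BINDINGS else []


def to_cli(srv: DhcpServer, exclude_ranges=(), bindings=()) -> str:
    """Render one config block per table entry, as the syntax patterns show,
    using the keyword spellings from the tables in this reference."""
    out = ["config system dhcp server", f"    edit {srv.name}"]
    for key, val in [("interface", srv.interface), ("start-ip", srv.start_ip),
                     ("end-ip", srv.end_ip), ("netmask", srv.netmask),
                     ("default-router", srv.default_router), ("lease-time", srv.lease_time)]:
        out.append(f"        set {key} {val}")
    out += [f"        set dns-server{i} {ip}" for i, ip in enumerate(srv.dns_servers, 1)]
    out += [f"        set option{i} {code} {val}".rstrip()
            for i, (code, val) in enumerate(srv.options, 1)]
    out.append("end")
    for i, (start, end) in enumerate(exclude_ranges, 1):
        out += ["config system dhcp exclude_range", f"    edit {i}",
                f"        set start_ip {start}", f"        set end_ip {end}", "end"]
    for name, ip, mac in bindings:
        out += ["config system dhcp ipmacbinding", f"    edit {name}",
                f"        set ip {ip}", f"        set mac {mac}", "end"]
    return "\n".join(out)
```

Run validate_server, validate_exclude_ranges and validate_bindings before to_cli; an empty list from each means the rendered commands stay within the limits the tables document, and the option_hex helper removes the most common option1..3 mistake, an odd-length or non-hex value.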

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR2 Added domain keyword.
Removed discard-age keyword.

Related Commands
• dhcp exclude_range
• dhcp ipmacbinding
• interface

dns
Use this command to set the DNS server addresses. Several FortiGate functions, including sending
email alerts and URL blocking, use DNS.
On models numbered 100 and lower, you can use this command to set up DNS forwarding.

Command syntax pattern


config system dns
set <keyword> <variable>
end
config system dns
unset <keyword>
end
get system dns
show system dns

dns command keywords and variables

autosvr {enable | disable}
    Enable or disable DNS forwarding.
    Default: disable. Availability: Models numbered 100 and lower. NAT/Route mode.
cache-notfound-responses {enable | disable}
    Enable to cache NOTFOUND responses from the DNS server.
    Default: disable. Availability: All models.
dns-cache-limit <integer>
    Set the maximum number of entries in the DNS cache.
    Default: 5000. Availability: All models.
fwdintf {internal | dmz}
    Enable DNS forwarding for either the internal or the DMZ interface.
    Default: No default. Availability: Models numbered 100 and lower. NAT/Route mode.
primary <address_ipv4>
    Enter the primary DNS server IP address.
    Default: 207.194.200.1. Availability: All models.
secondary <address_ipv4>
    Enter the secondary DNS server IP address.
    Default: 207.194.200.129. Availability: All models.

Example
This example shows how to set the primary FortiGate DNS server IP address to 45.37.121.76 and the secondary FortiGate DNS server IP address to 45.37.121.77.
config system dns
    set primary 45.37.121.76
    set secondary 45.37.121.77
end
This example shows how to display the settings for the system dns command.
get system dns
This example shows how to display the configuration for the system dns command.
show system dns

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Added autosvr and fwdintf keywords for models numbered 100 and lower.
FortiOS v2.80 MR8 Added cache-notfound-responses keyword.

fm
Use this command to configure the FortiGate unit for remote administration from a FortiManager
server. Use the config vpn ipsec commands to set up the IPSec VPN tunnel.

Command syntax pattern


config system fm
set id <name_str>
set ip <addr_ipv4>
end
get system fm
show system fm

fm command keywords and variables

id
    Enter the name of the IPSec VPN tunnel between the FortiGate unit and the FortiManager Server.
    Default: No default. Availability: All models.
ip
    Enter the IP address of a FortiManager Server.
    Default: No default. Availability: All models.
status {enable | disable}
    Enable or disable remote administration with FortiManager.
    Default: disable. Availability: All models.

Example
This example shows how to set the FortiGate unit to be managed by a FortiManager Server:
config system fm
    set id FMServer_Gateway
    set ip 192.20.120.100
end

Command History
FortiOS v2.80 MR2 Command moved from config system global and revised.
FortiOS v2.80 MR7 Added status keyword.

Related Commands
• config vpn ipsec manualkey
• config vpn ipsec phase1
• config vpn ipsec phase2

get system performance


Use this command to display FortiGate CPU usage, memory usage, and system up time.

Command syntax pattern


get system performance

get system status


Use this command to display system status information. This command displays:
• FortiGate firmware version and build number
• virus definitions version
• attack definitions version
• FortiGate unit serial number
• BIOS version
• log hard disk availability
• operation mode
• host name
• current virtual domain
• current HA status

Command syntax pattern


get system status

global
Use this command to configure global settings that affect various FortiGate systems and
configurations.

Command syntax pattern


config system global
set <keyword> <variable>
end
config system global
unset <keyword>
end
get system global
show system global

system global command keywords and variables

admintimeout <minutes_integer>
    Set the administrator idle timeout to control the amount of inactive time before the administrator must log in again. The maximum admintimeout is 480 minutes (8 hours). To improve security keep the idle timeout at the default value.
    Default: 5. Availability: All models.
allow-interface-subnet-overlap {disable | enable}
    Enable or disable limited support for interface and VLAN subinterface IP address overlap. Use this command to enable limited support for overlapping IP addresses in an existing network configuration. Caution: for advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.
    Default: disable. Availability: All models.
asymroute {disable | enable}
    Enable or disable support for asymmetric routing. Using asymmetric routing, packets that are part of the same session travel different routes and pass through different gateways.
    Default: disable. Availability: All models.
authtimeout <minutes_integer>
    Set the firewall user authentication timeout to control the amount of inactive time before the user must authenticate again. The maximum authtimeout is 480 minutes (8 hours).
    Default: 5. Availability: All models.
av_failopen {off | one-shot | pass}
    Set the action to take if there is an overload of the antivirus system. Enter pass to bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved. Enter one-shot to bypass the antivirus system when memory is low. You must enter off or pass to restart antivirus scanning.
    Default: off. Availability: Models numbered 300A and higher.
conn_tracking {enable | disable}
    Enable to drop SYN packets after the connection has been established.
    Default: enable. Availability: All models.
daily-restart {enable | disable}
    Enable to restart the FortiGate unit every day at the time set in restart_time.
    Default: disable. Availability: All models.
dst {disable | enable}
    Enable or disable daylight saving time. If you enable daylight saving time, the FortiGate unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.
    Default: disable. Availability: All models.
failtime <failures_integer>
    Set the dead gateway detection failover interval. Enter the number of times that ping fails before the FortiGate unit assumes that the gateway is no longer functioning. 0 disables dead gateway detection.
    Default: 0. Availability: All models.
hostname <name_str>
    Type a name for this FortiGate unit.
    Default: FortiGate model name. Availability: All models.
ie6workaround {disable | enable}
    Enable or disable the workaround for a navigation bar freeze issue caused by using the FortiGate web-based manager with Internet Explorer 6.
    Default: disable. Availability: All models.
interval <seconds_integer>
    Set the dead gateway detection failover interval. Enter a number in seconds to specify how often the FortiGate unit pings the target. 0 disables dead gateway detection.
    Default: 0. Availability: All models.
ip_signature {disable | enable}
    disable: only TCP, UDP and ICMP packets are processed by IPS signatures.
    enable: other protocols in addition to TCP, UDP, and ICMP are processed by IPS signatures.
    Default: disable. Availability: All models.
ips-open {enable | disable}
    If for any reason the IPS should cease to function, it will fail open by default. This means that crucial network traffic will not be blocked and the Firewall will continue to operate while the problem is resolved.
    Default: enable. Availability: All models.
ips-size <integer>
    Set the IPS buffer size. The default value is correct in most cases.
    Default: model-dependent. Availability: All models.
language {english french japanese korean simch trach}
    Set the web-based manager display language. You can set the language to English, French, Simplified Chinese, Japanese, Korean, or Traditional Chinese.
    Default: english. Availability: All models.
lcdpin <pin_integer>
    Set the 6 digit PIN administrators must enter to use the LCD panel.
    Default: 123456. Availability: FortiGate models numbered 300 to 3600.
lcdprotection {disable | enable}
    Enable or disable LCD panel PIN protection.
    Default: disable. Availability: FortiGate models numbered 300 to 3600.
local_anomaly {disable | enable}
    disable: anomaly detection and protection is not used on traffic to the FortiGate unit.
    enable: anomaly detection and protection is used on traffic to the FortiGate unit. Traffic to the FortiGate unit will consist mostly of management services.
    Default: disable. Availability: All models.
loglocaldeny {disable | enable}
    Enable or disable logging of failed connection attempts to the FortiGate unit that use TCP/IP ports other than the TCP/IP ports configured for management access (443 for https, 22 for ssh, 23 for telnet, and 80 for HTTP).
    Default: disable. Availability: All models.
management-vdom
    Select a management virtual domain. When you select a management virtual domain, the routing and interfaces of the selected virtual domain are used for management functions such as remote logging and SNMP.
    Default: root. Availability: All models.
mc-ttl_notchange
    Enable to alter multicast forwarding so that it does not decrement the TTL in the packet header. Disable for normal multicast forwarding behavior.
    Default: disable. Availability: All models.
multicast-forward {disable | enable}
    Enable or disable multicast forwarding to forward any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1.
    Default: disable. Availability: All models.
ntpserver {<name_str> | <address_ipv4>}
    Enter the domain name or IP address of a Network Time Protocol (NTP) server.
    Default: 132.246.168.148. Availability: All models.
ntpsync {disable | enable}
    Enable or disable automatically updating the system date and time by connecting to a Network Time Protocol (NTP) server. For more information about NTP and to find the IP address of an NTP server that you can use, see http://www.ntp.org.
    Default: disable. Availability: All models.
opmode {nat | transparent}
    Change the FortiGate operation mode to NAT/Route or Transparent mode.
    Default: nat. Availability: All models.
optimize {antivirus | throughput}
    Optimize the firmware for either antivirus performance or throughput performance.
    Default: No default. Availability: Models numbered 1000 and higher.
phase1-rekey {enable | disable}
    Enable or disable automatic rekeying between IKE peers before the phase 1 keylife expires.
    Default: enable. Availability: All models.
radius_port <port_integer>
    Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port.
    Default: 1812. Availability: All models.
refresh <seconds_integer>
    Set the Automatic Refresh Interval, in seconds, for the web-based manager System Status Monitor. Enter 0 for no automatic refresh.
    Default: 0. Availability: All models.
reset_sessionless_tcp {enable | disable}
    Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. In most cases you should leave reset_sessionless_tcp disabled.
    The reset_sessionless_tcp command determines what the FortiGate unit does if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out.
    If you disable reset_sessionless_tcp, the FortiGate unit silently drops the packet. The packet originator does not know that the session has expired and might retransmit the packet several times before attempting to start a new session. This is normal network operation.
    If you enable reset_sessionless_tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session.
    Default: disable. Availability: All models. NAT/Route mode only.
restart_time <time_str>
    Enter the daily restart time in hh:mm format.
    Default: No default. Availability: All models, daily-restart enabled.
syncinterval <minutes_integer>
    Enter how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. The syncinterval number can be 1 to 1440; 0 disables time synchronization.
    Default: 0. Availability: All models.
tcp_option {disable | enable}
    Enables SACK, timestamp and MSS TCP options. For normal operation tcp_option should be enabled. Disable for performance testing or in rare cases where it impairs performance.
    Default: enable. Availability: All models.
timezone <timezone_integer>
    The number corresponding to your time zone. Press ? to list time zones and their numbers. Choose the time zone for the FortiGate unit from the list and enter the correct number.
    Default: 00. Availability: All models.

Example
This example shows how to change to Transparent mode.
config system global
    set opmode transparent
end
This example shows how to display the settings for the system global command.
get system global
This example shows how to display the configuration for the system global command.
show system global

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 The ip-overlap keyword was changed to allow-interface-subnet-overlap.
FortiOS v2.80 MR3 Added av_failopen and reset_sessionless_tcp keywords.
FortiOS v2.80 MR4 date and time moved to execute branch.
phase1-rekey keyword added.
FortiOS v2.80 MR6 Added ips-open keyword.

ha
Use this command to enable and configure FortiGate high availability (HA). HA is supported on
FortiGate models numbered 60 and higher and on the FortiWiFi-60. Using the config system ha
command you must configure all cluster members with the same group ID, mode, and password
before putting the cluster into HA mode.
Group ID, mode, and password are not synchronized between cluster units. The primary cluster unit
synchronizes all other configuration settings, including the other HA configuration settings.

Note: You cannot enable HA mode if one of the FortiGate unit interfaces is configured using DHCP or PPPoE. If
DHCP or PPPoE is configured, the config ha mode keyword is not available.

Command syntax pattern


config system ha
set <keyword> <variable>
end
config system ha
unset <keyword>
end
get system ha
show system ha
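
The system global table above and the system ha table that follows each carry settings this reference itself flags as security relevant: keep admintimeout at its default, leave reset_sessionless_tcp disabled, and note that HA heartbeat authentication and encryption are both disabled by default. The Python below is an added example, not Fortinet's code. It parses the config/set/end text that show system global and show system ha print (the two samples are constructed for this example), reports those points, checks the documented ranges for groupid, hbdev priorities, hb-interval and hb-lost-threshold, and works out how many consecutive heartbeats a unit can miss before hb-lost-threshold declares it failed.

```python
"""Audit `show system global` and `show system ha` output against the
security-relevant points in this reference. Added example; not Fortinet's code.

Checks come from the keyword tables: admintimeout should stay at its default
of 5 minutes (maximum 480), reset_sessionless_tcp should normally stay
disabled, HA heartbeat authentication and encryption default to disable,
hb-interval is in units of 100 ms (1..20), hb-lost-threshold is in seconds
(1..60), groupid is 0..63 and hbdev priorities are 0..512.
"""
import shlex
from typing import Dict, List, Union

Value = Union[str, List[str]]

# Constructed samples in the format `show` prints; not captured from a unit.
SAMPLE_GLOBAL = """\
config system global
    set admintimeout 30
    set hostname "FGT-lab"
    set reset_sessionless_tcp enable
    set opmode nat
end
"""

SAMPLE_HA = """\
config system ha
    set groupid 7
    set mode a-p
    set authentication disable
    set encryption disable
    set hbdev "internal" 50 "dmz" 50
    set hb-interval 2
    set hb-lost-threshold 6
end
"""


def parse_show_output(text: str) -> Dict[str, Value]:
    """Map each `set <keyword> <value...>` line to its value; multi-token
    values (hbdev's interface/priority pairs) become lists."""
    settings: Dict[str, Value] = {}
    for line in text.splitlines():
        tokens = shlex.split(line.strip())          # honours the quoted strings show prints
        if len(tokens) >= 3 and tokens[0] == "set":
            settings[tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
    return settings


def heartbeats_missed_before_failover(hb_interval: int, hb_lost_threshold: int) -> int:
    """hb-interval is in 100 ms units and hb-lost-threshold in seconds, so the
    quotient is the number of consecutive heartbeats that must go missing
    before a cluster unit is assumed to have failed."""
    return (hb_lost_threshold * 1000) // (hb_interval * 100)


def audit_global(s: Dict[str, Value]) -> List[str]:
    """Findings for the system global settings the reference flags."""
    findings = []
    timeout = int(s.get("admintimeout", 5))
    if timeout > 480:
        findings.append(f"admintimeout {timeout} exceeds the 480 minute maximum")
    elif timeout > 5:
        findings.append(f"admintimeout {timeout}: the reference says to keep the default of 5 minutes")
    if s.get("reset_sessionless_tcp", "disable") == "enable":
        findings.append("reset_sessionless_tcp enabled: unit answers sessionless TCP with RST, "
                        "which the reference says increases denial of service exposure")
    return findings


def audit_ha(s: Dict[str, Value]) -> List[str]:
    """Findings for the system ha settings: heartbeat protection and documented ranges."""
    findings = []
    if s.get("authentication", "disable") != "enable":
        findings.append("HA heartbeat authentication disabled: nothing rejects false heartbeat messages")
    if s.get("encryption", "disable") != "enable":
        findings.append("HA heartbeat encryption disabled: heartbeat packets expose cluster information")
    if not 0 <= int(s.get("groupid", 0)) <= 63:
        findings.append("groupid outside 0..63")
    hbdev = s.get("hbdev", [])
    pairs = list(zip(hbdev[0::2], hbdev[1::2])) if isinstance(hbdev, list) else []
    if not pairs:
        findings.append("no hbdev interface configured: without heartbeat the cluster stops processing traffic")
    for iface, prio in pairs:
        if not 0 <= int(prio) <= 512:
            findings.append(f"hbdev {iface}: priority {prio} outside 0..512")
    interval = int(s.get("hb-interval", 2))
    threshold = int(s.get("hb-lost-threshold", 6))
    if not 1 <= interval <= 20:
        findings.append(f"hb-interval {interval} outside 1..20")
    if not 1 <= threshold <= 60:
        findings.append(f"hb-lost-threshold {threshold} outside 1..60")
    return findings


if __name__ == "__main__":
    for finding in audit_global(parse_show_output(SAMPLE_GLOBAL)) + audit_ha(parse_show_output(SAMPLE_HA)):
        print("-", finding)
    print("heartbeats missed before failover at the defaults:", heartbeats_missed_before_failover(2, 6))
```

With the table defaults (hb-interval 2, hb-lost-threshold 6) a unit is declared failed after 30 consecutive missed heartbeats, which is the figure to weigh when shortening hb-lost-threshold for faster failover against the risk of spurious failovers on a busy heartbeat link.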

system ha command keywords and variables


Keywords and variables Description Default Availability
arps <arp_integer> Set the number of gratuitous ARP packets sent 3 Models
by the primary unit. Gratuitous ARP packets are numbered 60
sent when a cluster unit becomes a primary unit. and higher.
The gratuitous ARP plackets configure
connected networks to associate the cluster
virtual MAC address with the cluster IP address.
The range is 1 to 16 gratuitous ARP packets.
Normally you would not need to change the
number of gratuitious ARP packets.
authentication {disable Enable/disable HA heartbeat message disable Models
| enable} authentication. Enabling HA heartbeat message numbered 60
authentication prevents an attacker from creating and higher.
false HA heartbeat messages. False HA
heartbeat messages could affect the stability of
the cluster.
encryption {disable | Enable/disable HA heartbeat message disable Models
enable} encryption. Enabling HA heartbeat message numbered 60
encryption prevents an attacker from sniffing HA and higher.
packets to get HA cluster information.
groupid <id_integer> The HA group ID. The group ID range is from 0 to 0 Models
63. All members of the HA cluster must have the numbered 60
same group ID. and higher.

FortiGate CLI Reference Guide 01-28008-0015-20050204 249


config system ha

system ha command keywords and variables (Continued)


Keywords and variables Description Default Availability
hb-lost-threshold The lost heartbeat threshold, which is the number 6 Models
<threshold_integer> of seconds to wait to receive a heartbeat packet numbered 60
from another cluster unit before assuming that and higher.
the cluster unit has failed. The lost heartbeat
threshold range is 1 to 60 seconds.
If the primary cluster unit does not receive a
heartbeat packet from a subordinate unit before
the heartbeat threshold expires, the primary unit
assumes that the subordinate unit has failed.
If a subordinate unit does not receive a heartbeat
packet from the primary unit before the heartbeat
threshold expires, the subordinate unit assumes
that the primary unit has failed. The subordinate
unit then begins negotiating to become the new
primary unit.
The lower the lost heartbeat interval the faster
the cluster responds to a failure. However, you
can increase the heartbeat lost threshold if
repeated failovers occur because cluster units
cannot sent heartbeat packets quickly enough.
hb-interval The heartbeat interval, which is the time between 2 Models
<interval_integer> sending heartbeat packets. The heartbeat numbered 60
interval range is 1 to 20 (100*ms). and higher.
A heartbeat interval of 2 means the time between
heartbeat packets is 200 ms. Changing the
heartbeat interval to 5 changes the time between
heartbeat packets to 500 ms.
The HA heartbeat packets consume more
bandwidth if the hb-interval is short. But if the
hb-interval is very long, the cluster is not as
sensitive to topology and other network changes.

250 01-28008-0015-20050204 Fortinet Inc.


config system ha

system ha command keywords and variables (continued)

hbdev <interface-name_str> <priority_integer>
    Enable or disable HA heartbeat communication and set the heartbeat priority for each
    interface in the cluster. By default HA heartbeat is set for two interfaces. You can
    disable the HA heartbeat for either of these interfaces or enable HA heartbeat for other
    interfaces. In most cases you can maintain the default hbdev configuration as long as
    you can connect the hbdev interfaces together.
    Enter all of the names and heartbeat priorities for the interfaces to be configured. If
    you want to remove an interface from the list or add an interface to the list, you must
    retype the list with the interface and its priority removed or added.
    The cluster units use the ethernet interfaces configured with HA heartbeat priorities
    for HA heartbeat communication. The HA heartbeat communicates cluster session
    information, synchronizes the cluster configuration, synchronizes the cluster routing
    table, and reports individual cluster member status. The HA heartbeat constantly
    communicates HA status information to make sure that the cluster is operating properly.
    The heartbeat priority range is 0 to 512. The interface with the highest priority
    handles all of the heartbeat traffic. If this interface fails or becomes disconnected,
    the interface with the next highest priority handles all of the heartbeat traffic.
    You can enable heartbeat communications for physical interfaces, but not for VLAN
    subinterfaces.
    Enabling the HA heartbeat for more interfaces increases reliability. If an interface
    fails, the HA heartbeat can be diverted to another interface.
    HA heartbeat traffic can use a considerable amount of network bandwidth. If possible,
    enable HA heartbeat traffic on interfaces used only for HA heartbeat traffic or on
    interfaces connected to less busy networks.
    Heartbeat communication must be enabled on at least one interface. If heartbeat
    communication is interrupted, the cluster stops processing traffic.
    Default: See “Default hbdev settings for each FortiGate model” on page 256.
    Availability: Models numbered 60 and higher.

helo-holddown <holddown_integer>
    The hello state hold-down time, which is the number of seconds that a cluster unit
    waits before changing from hello state to work state. A cluster unit changes from hello
    state to work state when it starts up.
    The hello state hold-down time range is 5 to 300 seconds.
    Default: 20
    Availability: Models numbered 60 and higher.

load-balance-all {disable | enable}
    Configure active-active HA to load balance all sessions or to load balance virus
    scanning sessions only. Enter enable to load balance all communication sessions. Enter
    disable to load balance only virus scanning sessions.
    Default: disable
    Availability: Models numbered 60 and higher. a-a mode only.

mode {a-a | a-p | standalone}
    Set the HA mode.
    Enter a-p to create an Active-Passive HA cluster, in which the primary cluster unit is
    actively processing all connections and the others are passively monitoring the status
    and remaining synchronized with the primary cluster unit.
    Enter a-a to create an Active-Active HA cluster, in which each cluster unit is actively
    processing connections and monitoring the status of the other FortiGate units.
    All members of an HA cluster must be set to the same HA mode.
    Enter standalone to remove the FortiGate unit from an HA cluster.
    Default: standalone
    Availability: Models numbered 60 and higher. Not available if a FortiGate interface
    mode is set to dhcp or pppoe.

monitor {<interface-1_str> <priority-1_integer> <interface-2_str> <priority-2_integer>}
    Enable or disable monitoring FortiGate interfaces and setting monitor priorities. You
    can enter one or more interface names followed by a space and a monitor priority. Use a
    space to separate each interface name and priority pair. If you want to remove an
    interface from the list, add an interface to the list, or change the monitor priority
    of an interface, you must retype the list with the options changed as required.
    You can monitor physical interfaces but not VLAN subinterfaces.
    Increase the priority of interfaces connected to higher priority networks or networks
    with more traffic. The monitor priority range is 0 to 255.
    If a high priority interface on the primary cluster unit fails, one of the other units
    in the cluster becomes the new primary unit to provide better service to the high
    priority network.
    If a low priority interface fails on one cluster unit and a high priority interface
    fails on another cluster unit, a unit in the cluster with a working connection to the
    high priority interface would, if it becomes necessary to negotiate a new primary unit,
    be selected instead of a unit with a working connection to the low priority interface.
    Default: No default
    Availability: Models numbered 60 and higher.

override {disable | enable}
    Configure the FortiGate unit to always override the current primary cluster unit and
    become the primary cluster unit in its place. Enable Override Master for the cluster
    unit that you have given the highest unit priority. Enabling Override Master means that
    this cluster unit always becomes the primary cluster unit.
    Default: disable
    Availability: Models numbered 60 and higher.

password <password_str>
    Enter a password for the HA cluster. The password must be the same for all FortiGate
    units in the HA cluster. The maximum password length is 15 characters.
    Default: No default
    Availability: Models numbered 60 and higher.

priority <priority_integer>
    Optionally set the unit priority of the cluster unit. Each cluster unit can have a
    different unit priority (the unit priority is not synchronized among cluster members).
    During HA negotiation, the unit with the highest unit priority becomes the primary
    cluster unit. The unit priority range is 0 to 255.
    You can use the unit priority to control the order in which cluster units become the
    primary cluster unit when a cluster unit fails.
    Default: 128
    Availability: Models numbered 60 and higher.

route-hold <hold_integer>
    The time that the primary unit waits between sending routing table updates to
    subordinate units in a cluster.
    The route hold range is 0 to 3600 seconds.
    To avoid flooding subordinate units with routing table updates, set route-hold to a
    relatively long time to prevent subsequent updates from occurring too quickly.
    The route-hold time should be coordinated with the route-wait time. See the route-wait
    description for more information.
    Default: 10
    Availability: Models numbered 60 and higher.

route-ttl <ttl_integer>
    The time to live for routes in a cluster unit routing table.
    The time to live range is 0 to 3600 seconds.
    The time to live controls how long routes remain active in a cluster unit routing table
    after the cluster unit becomes a primary unit. To maintain communication sessions after
    a cluster unit becomes a primary unit, routes remain active in the routing table for
    the route time to live while the new primary unit acquires new routes.
    Normally, the route-ttl is 0 and the primary unit must acquire new routes before it can
    continue processing traffic. Normally acquiring new routes occurs very quickly, so only
    a minor delay is caused by acquiring new routes.
    If the primary unit needs to acquire a very large number of routes, or if for other
    reasons there is a delay in acquiring all routes, the primary unit may not be able to
    maintain all communication sessions. You can increase the route time to live if
    communication sessions are lost after a failover, so that the primary unit can use
    routes that are already in the routing table instead of waiting to acquire new routes.
    Default: 0
    Availability: Models numbered 60 and higher.

route-wait <wait_integer>
    The time the primary unit waits after receiving a routing table update before sending
    the update to the subordinate units in the cluster.
    For quick routing table updates to occur, set route-wait to a relatively short time so
    that the primary unit does not hold routing table changes for too long before updating
    the subordinate units.
    The route-wait range is 0 to 3600 seconds.
    Normally, because the route-wait time is 0 seconds, the primary unit sends routing table
    updates to the subordinate units every time the primary unit routing table changes.
    Once a routing table update is sent, the primary unit waits the route-hold time before
    sending the next update.
    Usually routing table updates are periodic and sporadic. Subordinate units should
    receive these changes as soon as possible, so route-wait is set to 0 seconds.
    route-hold can be set to a relatively long time because normally the next route update
    would not occur for a while.
    In some cases, routing table updates can occur in bursts. A large burst of routing table
    updates can occur if a router or a link on a network fails or changes. When a burst of
    routing table updates occurs, there is a potential that the primary unit could flood
    the subordinate units with routing table updates. Setting route-wait to a longer time
    reduces the frequency with which additional routing updates are sent, which prevents
    flooding of routing table updates from occurring.
    Default: 0
    Availability: Models numbered 60 and higher.
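The interaction of route-wait and route-hold described above can be checked with a small model. This is an added Python example, not Fortinet code: it assumes that a change is sent no sooner than route-wait after it arrives and no sooner than route-hold after the previous send, and that changes arriving while a send is pending are folded into that send (the page does not say how such changes are handled).

```python
"""Model of route-wait / route-hold pacing of routing table updates sent by the
HA primary unit to subordinate units. Added example: folding changes that arrive
while an update is pending into that update is an assumption, not documented
behaviour."""
from typing import List, Optional


def update_send_times(change_times: List[float], route_wait: float,
                      route_hold: float) -> List[float]:
    """Return the times at which the primary unit sends routing table updates,
    given the times (seconds) at which its routing table changed.

    route_wait: seconds the primary waits after a change before sending it.
    route_hold: seconds the primary waits after a send before the next send.
    """
    sends: List[float] = []
    pending: Optional[float] = None        # time the next update is due, if any
    last_send = float("-inf")              # no update has been sent yet

    for t in sorted(change_times):
        # An update that was due before this change has already gone out.
        if pending is not None and pending <= t:
            sends.append(pending)
            last_send = pending
            pending = None
        if pending is None:
            # Honour both timers: route-wait after this change, route-hold after
            # the last send. Later changes ride along with the pending update.
            pending = max(t + route_wait, last_send + route_hold)

    if pending is not None:
        sends.append(pending)
    return sends


def sporadic_vs_burst(route_wait: float = 0, route_hold: float = 10):
    """Compare the defaults on the page (route-wait 0, route-hold 10) for sporadic
    changes and for a burst such as a link failure. Change times are constructed."""
    sporadic = [0.0, 60.0, 120.0]                  # one change a minute
    burst = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0]         # six changes within one second
    return (update_send_times(sporadic, route_wait, route_hold),
            update_send_times(burst, route_wait, route_hold))


if __name__ == "__main__":
    sporadic, burst = sporadic_vs_burst()
    print("sporadic changes, sends at:", sporadic)   # one send per change
    print("burst of changes, sends at:", burst)      # first sent at once, rest held
```

With the defaults the burst collapses to two sends (at 0 and at 10 seconds), which is the hold-down effect the route-hold description relies on; a longer route-wait delays the first send instead.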

schedule {hub | ip | ipport | leastconnection | none | random | round-robin | weight-round-robin}
    A-A load balancing schedule.
    none: no load balancing. Use none when the cluster interfaces are connected to load
    balancing switches.
    hub: load balancing if the cluster interfaces are connected to a hub. Traffic is
    distributed to cluster units based on the Source IP and Destination IP of the packet.
    leastconnection: least connection load balancing. If the cluster units are connected
    using switches, use leastconnection to distribute traffic to the cluster unit currently
    processing the fewest connections.
    round-robin: round robin load balancing. If the cluster units are connected using
    switches, use round-robin to distribute traffic to the next available cluster unit.
    weight-round-robin: weighted round robin load balancing. Similar to round robin, but
    weighted values are assigned to each of the units in a cluster based on their capacity
    and on how many connections they are currently processing. For example, the primary
    unit should have a lower weighted value because it handles scheduling and forwards
    traffic. Weighted round robin distributes traffic more evenly because units that are
    not processing traffic will be more likely to receive new connections than units that
    are very busy. You can optionally use the weight keyword to set a weighting for each
    cluster unit.
    random: random load balancing. If the cluster units are connected using switches, use
    random to randomly distribute traffic to cluster units.
    ip: load balancing according to IP address. If the cluster units are connected using
    switches, use ip to distribute traffic to units in a cluster based on the Source IP and
    Destination IP of the packet.
    ipport: load balancing according to IP address and port. If the cluster units are
    connected using switches, use ipport to distribute traffic to units in a cluster based
    on the source IP, source port, destination IP, and destination port of the packet.
    Default: round-robin
    Availability: Models numbered 60 and higher.

weight <priority-id_integer> <weight_integer>
    The weighted round robin load balancing weight to assign to each cluster unit. When
    you set schedule to weight-round-robin you can use the weight keyword to set the
    weight of each cluster unit. The weight is set according to the priority of the unit in
    the cluster. A FortiGate HA cluster can contain up to 32 FortiGate units, so you can set
    up to 32 weights.
    priority-id_integer is a number from 0 to 31 that identifies the priority of the
    cluster unit.
    weight_integer is a number between 0 and 32 that is the weight assigned to the cluster
    units according to their priority in the cluster. Increase the weight to increase the
    number of connections processed by the cluster unit with that priority.
    Default: 1 for all 32 units
    Availability: Models numbered 60 and higher. a-a mode only. schedule set to
    weight-round-robin.

Default hbdev settings for each FortiGate model

FortiGate model          hbdev enabled for    hbdev priority
FortiGate-60 and 60M     WAN1                 50
                         DMZ                  100
FortiWiFi-60 and 60M     WAN1                 50
                         DMZ                  100
FortiGate-100            external             50
                         DMZ                  100
FortiGate-100A           external             50
                         DMZ 2                100
FortiGate-200            external             50
                         DMZ                  100
FortiGate-200A           external             50
                         DMZ 2                100
FortiGate-300            external             50
                         DMZ/HA               100
FortiGate-300A           Port 3               50
                         Port 4               100
FortiGate-400            Port 3               50
                         Port 4/HA            100
FortiGate-400A           Port 3               50
                         Port 4               100
FortiGate-500            Port 1               50
                         HA                   100
FortiGate-500A           Port 3               50
                         Port 4               100
FortiGate-800            Port 1               50
                         HA                   100
FortiGate-1000           Port 3               50
                         Port 4/HA            100
FortiGate-3000           Port 3               50
                         Port 4/HA            100
FortiGate-3600           Port 4               50
                         Port 5/HA            100
FortiGate-4000           External             50
                         oobm                 100

Examples
This example shows how to configure a FortiGate unit for active-active HA operation. The example
shows how to enter the basic HA configuration (mode, groupid, and password). You would enter
exactly the same commands on every FortiGate unit in the cluster.
config system ha
set mode a-a
set groupid 15
set password HA1passw0rd
end

The following example shows how to enable cluster (HA heartbeat) communication for the internal
interface and how to set its heartbeat priority to 100. Because the hbdev keyword replaces the whole
list of heartbeat interfaces, include any other heartbeat interfaces and their priorities in the same
command if you want to keep them.
config system ha
set hbdev internal 100
end
The following example shows how to enable connection monitoring for the external, internal and DMZ
interfaces and how to set the monitor priority of the internal interface to 200, the monitor priority of the
external interface to 100, and the monitor priority of the DMZ interface to 50. The monitor keyword
takes all interface name and priority pairs in one command.
config system ha
set monitor internal 200 external 100 dmz 50
end
The following example shows how to configure weighted round robin weights for a cluster of three
FortiGate units. You can enter the following commands to configure the weight values for each unit:

Table 4: Example weights for three cluster units

Cluster unit priority    Weight
0                        1
1                        3
2                        3

config system ha
set schedule weight-round-robin
set weight 0 1
set weight 1 3
set weight 2 3
end
These commands have the following results:
• The first connection is processed by the primary unit (priority 0, weight 1)
• The next three connections are processed by the first subordinate unit (priority 1, weight 3)
• The next three connections are processed by the second subordinate unit (priority 2, weight 3)
The subordinate units process more connections than the primary unit, and both subordinate units, on
average, process the same number of connections.
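The schedule options described in the keyword table above and the 1/3/3 weight walkthrough can be reproduced with the following added Python model (not Fortinet code): the weighted and plain round-robin sequences follow the page; the hash used for ip, ipport and hub, the leastconnection tie-break and the treatment of none are assumptions.

```python
"""Model of how the a-a 'schedule' keyword hands new connections to cluster
units. Added example, not Fortinet code: only the weight-round-robin sequence
(the 1/3/3 walkthrough above) is taken from the page; the hash function, the
leastconnection tie-break and the treatment of 'none' are assumptions."""
import hashlib
import itertools
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Unit:
    """One cluster member; priority_id 0 is the primary unit."""
    priority_id: int
    weight: int = 1      # weight-round-robin weight (0 to 32 on the page)
    active: int = 0      # connections this unit is currently processing


@dataclass(frozen=True)
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Scheduler:
    def __init__(self, units: Iterable[Unit], schedule: str = "round-robin", seed: int = 0):
        self.units = sorted(units, key=lambda u: u.priority_id)
        self.schedule = schedule
        self._rng = random.Random(seed)               # seeded: repeatable 'random'
        self._rr = itertools.cycle(self.units)
        # weight-round-robin: a unit with weight w gets w consecutive turns, in
        # priority order, which reproduces the 1, 3, 3 distribution on the page.
        self._wrr = itertools.cycle([u for u in self.units for _ in range(u.weight)])

    def _hash_pick(self, key: str) -> Unit:
        # Stable hash so the same flow always lands on the same unit (assumption).
        digest = hashlib.sha256(key.encode()).digest()
        return self.units[int.from_bytes(digest[:4], "big") % len(self.units)]

    def pick(self, s: Session) -> Unit:
        """Choose the unit that processes new session s and count it as active."""
        if self.schedule == "round-robin":
            unit = next(self._rr)
        elif self.schedule == "weight-round-robin":
            unit = next(self._wrr)
        elif self.schedule == "leastconnection":
            # fewest connections; ties go to the lowest priority-id (assumption)
            unit = min(self.units, key=lambda u: (u.active, u.priority_id))
        elif self.schedule == "random":
            unit = self._rng.choice(self.units)
        elif self.schedule in ("ip", "hub"):
            # both are described as distributing on source and destination IP
            unit = self._hash_pick(f"{s.src_ip}>{s.dst_ip}")
        elif self.schedule == "ipport":
            unit = self._hash_pick(f"{s.src_ip}:{s.src_port}>{s.dst_ip}:{s.dst_port}")
        elif self.schedule == "none":
            unit = self.units[0]   # no cluster load balancing: primary takes it (assumption)
        else:
            raise ValueError(f"unknown schedule {self.schedule!r}")
        unit.active += 1
        return unit

    def release(self, unit: Unit) -> None:
        """A session on unit ended."""
        unit.active -= 1


def dispatch(schedule: str, weights: Dict[int, int], sessions: List[Session]) -> List[int]:
    """Priority-id chosen for each session in turn; weights maps priority-id to
    weight exactly as 'set weight <priority-id> <weight>' does."""
    sched = Scheduler([Unit(pid, w) for pid, w in weights.items()], schedule)
    return [sched.pick(s).priority_id for s in sessions]


# Constructed sample traffic (not from the page): seven new connections.
SAMPLE = [Session(f"10.0.0.{i}", 40000 + i, "203.0.113.10", 443) for i in range(7)]

if __name__ == "__main__":
    print("weight-round-robin 1/3/3:", dispatch("weight-round-robin", {0: 1, 1: 3, 2: 3}, SAMPLE))
    print("round-robin:            ", dispatch("round-robin", {0: 1, 1: 1, 2: 1}, SAMPLE))
    print("leastconnection:        ", dispatch("leastconnection", {0: 1, 1: 1, 2: 1}, SAMPLE))
```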
This example shows how to display the settings for the system ha command.
get system ha
This example shows how to display the configuration for the system ha command.
show system ha


Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Added load-balance-all keyword.
FortiOS v2.80 MR5 Added route-hold, route-wait, and route-ttl keywords.
FortiOS v2.80 MR6 Added authentication, arp, encryption, hb-lost-threshold, helo-holddown,
and hb-interval keywords.
FortiOS v2.80 MR7 Changes to the weight keyword.

Related Commands
• execute ha manage
• execute ha synchronize

config system interface

interface
Use this command to edit the configuration of a FortiGate physical interface or VLAN subinterface.
In the following table, VLAN subinterface can be substituted for interface in most places except that
you can only configure VLAN subinterfaces with static IP addresses. Use the edit command to add a
VLAN subinterface.

Command syntax pattern


Entering a name string for the edit keyword that is not the name of a physical interface adds a VLAN
subinterface.
config system interface
edit <name_str>
set <keyword> <variable>
end
config system interface
edit <name_str>
unset <keyword>
end
config system interface
delete <name_str>
end
get system interface <name_str>
show system interface <name_str>

Note: A VLAN cannot have the same name as a zone or a virtual domain.

The config system interface command has two subcommands.


config ip6-prefix-list
config secondaryip

Interface command keywords and variables

allowaccess {http https ping snmp ssh telnet}
    Allow management access to the interface. You can enter one or more of the management
    access types separated by spaces. Enter all the management access options for the
    interface. Use a space to separate the options. If you want to remove an option from
    the list or add an option to the list, you must retype the list with the option removed
    or added.
    Default: Varies for each interface.
    Availability: All models.

arpforward {disable | enable}
    Enable or disable layer 2 ARP forwarding for an interface.
    Default: enable
    Availability: All models.

connection {disable | enable}
    Enable or disable connecting to a PPPoE server to configure the external interface.
    Default: disable
    Availability: All models. Not available in Transparent mode. dhcp and pppoe only.

ddns {disable | enable}
    Enable or disable using a Dynamic DNS service (DDNS). If the FortiGate unit uses a
    dynamic IP address, you can arrange with a DDNS service provider to use a domain name to
    provide redirection of traffic to your network whenever the IP address changes.
    Default: disable
    Availability: All models. NAT/Route mode only.

ddns-domain <domain-name_str>
    Enter the domain name to use for the DDNS service.
    Default: No default.
    Availability: All models. NAT/Route mode only. ddns enable. ddns-server not set to
    dnsart.com.

ddns-password <password_str>
    Enter the password to use when connecting to the DDNS server.
    Default: No default.
    Availability: All models. NAT/Route mode only. ddns enable. ddns-server not set to
    dipdns.net.

ddns-profile-id <id_str>
    Enter your DDNS profile ID. This keyword is available instead of ddns-domain if
    ddns-server is dnsart.com.
    Default: No default.
    Availability: All models. NAT/Route mode only. ddns enable. ddns-server set to
    dnsart.com.

ddns-server {dhs.org | dipdns.net | dnsart.com | dyndns.org | dyns.net | now.net.cn | ods.org | tzo.com | vavic.com}
    Select a DDNS server to use. The client software for these services is built into the
    FortiGate firmware. The FortiGate unit can only connect automatically to a DDNS server
    for the supported clients.
    • dhs.org supports members.dhs.org and dnsalias.com.
    • dipdns.net supports dipdnsserver.dipdns.com.
    • dnsart.com supports www.dnsart.com.
    • dyndns.org supports members.dyndns.org.
    • dyns.net supports www.dyns.net.
    • now.net.cn supports ip.todayisp.com.
    • ods.org supports ods.org.
    • tzo.com supports rh.tzo.com.
    • vavic.com supports ph001.oray.net.
    Default: No default.
    Availability: All models. NAT/Route mode only. ddns enable.

ddns-sn <sn_str>
    Enter your DDNS serial number. This keyword is available instead of ddns-username and
    ddns-password if ddns-server is set to dipdns.net.
    Default: No default.
    Availability: All models. NAT/Route mode only. ddns enable. ddns-server set to
    dipdns.net.

ddns-username <name_str>
    Enter the user name to use when connecting to the DDNS server.
    Default: No default.
    Availability: All models. NAT/Route mode only. ddns enable. ddns-server not set to
    dipdns.net.

defaultgw {enable | disable}
    Enable or disable the interface as the default gateway.
    Default: disable
    Availability: All models.

detectserver <address_ipv4>
    Add the IP address of a ping server. A ping server is usually the next hop router on
    the network connected to the interface. If gwdetect is enabled, the FortiGate unit
    confirms connectivity with the server at this IP address. Adding a ping server is
    required for routing failover.
    Default: No default.
    Availability: All models. Not available in Transparent mode.

dhcp-relay-ip <address_ipv4>
    Set the DHCP relay IP address. Must not be set to 0.0.0.0.
    Default: No default.
    Availability: All models. dhcp-server-mode set to relay.

dhcp-relay-type {ipsec | regular}
    Set DHCP relay to relay either IPSec or regular firewall traffic.
    Default: regular
    Availability: All models.

dhcp-server-mode {none | relay | server}
    Set the interface to act as a DHCP server, or relay agent, or not to provide DHCP
    services. A FortiGate interface can act either as a DHCP server or as a DHCP relay agent
    but not both.
    In a DHCP relay configuration, the FortiGate unit forwards DHCP requests from DHCP
    clients through the FortiGate unit to a DHCP server. The FortiGate unit also returns
    responses from the DHCP server to the DHCP clients. The DHCP server must have a route to
    the FortiGate unit configured as the DHCP relay so that the packets sent by the DHCP
    server to the DHCP client arrive at the FortiGate unit performing DHCP relay.
    For more information on DHCP server configuration, see “dhcp server” on page 236.
    Default: none, except server for the internal interface of models 50 and 60.
    Availability: All models.

disc_retry_timeout <seconds_integer>
    Set the initial discovery timeout in seconds: the time to wait before retrying to
    start a PPPoE discovery. Set disc_retry_timeout to 0 to disable.
    Default: 1
    Availability: All models. Not available in Transparent mode. pppoe.

distance <distance_integer>
    Configure the administrative distance for routes learned through PPPoE or DHCP. Using
    administrative distance you can specify the relative priorities of different routes to
    the same destination. A lower administrative distance indicates a more preferred route.
    Distance can be an integer from 1 to 255. See also static “distance
    <distance_integer>” on page 192.
    Default: 1
    Availability: All models. Not available in Transparent mode. pppoe dhcp.

dns-server-override {enable | disable}
    Enable to allow the interface to use DNS server addresses it acquired via DHCP or
    PPPoE.
    Default: disable
    Availability: All models. pppoe dhcp.

gwdetect {disable | enable}
    Enable or disable confirming connectivity with the server at the detectserver IP
    address. The frequency with which the FortiGate unit confirms connectivity is set using
    the failtime and interval keywords in the command “global” on page 244.
    Default: disable
    Availability: All models. Not available in Transparent mode.

idle-timeout <seconds_integer>
    Disconnect if the PPPoE connection is idle for the specified number of seconds.
    Default: 0
    Availability: All models. Not available in Transparent mode. pppoe.

ip <address_ipv4mask>
    The interface IP address and netmask.
    Default: Varies for each interface.
    Availability: Not available for dhcp or pppoe. Not available in Transparent mode.

ipmac {disable | enable}
    Enable or disable IP/MAC binding for the specified interface. See “ipmacbinding
    setting” on page 70 and “ipmacbinding table” on page 72 for information about
    configuring IP/MAC binding settings.
    Default: disable
    Availability: All models.

ipunnumbered <address_ipv4>
    Enable IP unnumbered mode for PPPoE. Specify the IP address to be borrowed by the
    interface. This IP address can be the same as the IP address of another interface or can
    be any IP address.
    The Unnumbered IP may be used for PPPoE interfaces for which no unique local address is
    provided. If you have been assigned a block of IP addresses by your ISP, for example,
    you can add any of these IP addresses to the Unnumbered IP.
    Default: No default.
    Availability: pppoe. Not available in Transparent mode.

ip6-address <address_ipv6mask>
    The interface IPv6 address and netmask. The format for IPv6 addresses and netmasks is
    described in RFC 3513.
    Default: ::/0
    Availability: All models. Not available in Transparent mode.

ip6-default-life <seconds_integer>
    Enter the number, in seconds, to add to the Router Lifetime field of router
    advertisements sent from the interface. The valid range is 0 to 9000.
    Default: 1800
    Availability: All models. Not available in Transparent mode.

ip6-hop-limit <hops_integer>
    Enter the number to be added to the Cur Hop Limit field in the router advertisements
    sent out this interface. Entering 0 means no hop limit is specified.
    Default: 0
    Availability: All models. Not available in Transparent mode.

ip6-link-mtu <mtu_integer>
    Enter the MTU number to add to the router advertisements options field. Entering 0
    means that no MTU options are sent.
    Default: 0
    Availability: All models. Not available in Transparent mode.

ip6-manage-flag {disable | enable}
    Enable or disable the managed address configuration flag in router advertisements.
    Default: disable
    Availability: All models. Not available in Transparent mode.

ip6-max-interval <seconds_integer>
    Enter the maximum time interval, in seconds, between sending unsolicited multicast
    router advertisements from the interface. The valid range is 4 to 1800.
    Default: 600
    Availability: All models. Not available in Transparent mode.

ip6-min-interval <seconds_integer>
    Enter the minimum time interval, in seconds, between sending unsolicited multicast
    router advertisements from the interface. The valid range is 4 to 1800.
    Default: 198
    Availability: All models. Not available in Transparent mode.

ip6-other-flag {disable | enable}
    Enable or disable the other stateful configuration flag in router advertisements.
    Default: disable
    Availability: All models. Not available in Transparent mode.

ip6-reachable-time <unit_integer>
    Enter the number to be added to the reachable time field in the router
    advertisements. The valid range is 0 to 3600. Entering 0 means no reachable time is
    specified.
    Default: 0
    Availability: All models. Not available in Transparent mode.

ip6-retrans-time <unit_integer>
    Enter the number to be added to the Retrans Timer field in the router advertisements.
    Entering 0 means that the Retrans Timer is not specified.
    Default: 0
    Availability: All models. Not available in Transparent mode.

ip6-send-adv {disable | enable}
    Enable or disable the flag indicating whether or not to send periodic router
    advertisements and to respond to router solicitations.
    Default: disable
    Availability: All models. Not available in Transparent mode.

l2forward {disable | enable}
    Enable or disable layer 2 forwarding for an interface.
    Default: disable
    Availability: All models.

lcp-echo-interval <seconds>
    Set the interval in seconds between LCP echo requests.
    Default: 5
    Availability: All models. pppoe mode.

lcp-max-echo-failures <integer>
    Set the maximum number of missed LCP echoes before the PPP link is disconnected.
    Default: 3
    Availability: All models. pppoe mode.

log {disable | enable}
    Enable or disable traffic logging of connections to this interface.
    Default: disable
    Availability: All models.

macaddr <address_octet>
    Override the factory set MAC address of this interface by specifying a new MAC
    address.
    Default: Factory set.
    Availability: All models.

mode {static | dhcp | pppoe}
    Configure the connection mode for the interface.
    static: Configure a static IP address for the interface.
    dhcp: Configure the interface to receive its IP address from a DHCP server.
    pppoe: Configure the interface to receive its IP address from a PPPoE server.
    Default: static
    Availability: All models. Not available in Transparent mode.

mtu <mtu_integer>
    Set custom maximum transmission unit (MTU) size in bytes. Ideally mtu should be the
    same as the smallest MTU of all the networks between this FortiGate unit and the
    destination of the packets.
    For static mode the <mtu_integer> range is 576 to 1500 bytes.
    For dhcp mode the <mtu_integer> range is 576 to 1500 bytes.
    For pppoe mode the <mtu_integer> range is 576 to 1492 bytes.
    In Transparent mode, if you change the MTU of an interface, you must change the MTU of
    all interfaces to match the new MTU.
    You cannot set the MTU of a VLAN larger than the MTU of its physical interface. Also,
    you cannot set the MTU of a physical interface smaller than that of its VLANs.
    Default: 1500
    Availability: All models. mtu-override enable.

mtu-override {enable | disable}
    Select enable to use the custom MTU size instead of the default (1500).
    Default: disable
    Availability: All models.

netbios-forward {disable | enable}
    Enable forwarding of NetBIOS broadcasts to a WINS server. Use the wins-ip keyword to
    set the WINS server IP address.
    Default: disable
    Availability: All models. Not available in Transparent mode.

padt_retry_timeout <seconds_integer>
    Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout
    to shut down the PPPoE session if it is idle for this number of seconds. PADT must be
    supported by your ISP. Set PADT timeout to 0 to use the default.
    Default: 1
    Availability: All models. Not available in Transparent mode. pppoe.

password <password_str>
    Enter the password to connect to the PPPoE server.
    Default: No default.
    Availability: All models. Not available in Transparent mode. pppoe.

speed {1000full | 1000half | 100full | 100half | 10full | 10half | auto}
    The interface speed:
    • auto, the default speed. The interface uses auto-negotiation to determine the
      connection speed. Change the speed only if the interface is connected to a device that
      does not support auto-negotiation.
    • 10full, 10 Mbps, full duplex
    • 10half, 10 Mbps, half duplex
    • 100full, 100 Mbps, full duplex
    • 100half, 100 Mbps, half duplex
    • 1000full, 1000 Mbps, full duplex
    • 1000half, 1000 Mbps, half duplex
    Default: auto
    Availability: Speed options vary for different models and interfaces. Enter a space
    and a ? after the speed keyword to see a list of speeds available for that model and
    interface.

status {down | up}
    Start or stop the interface. If the interface is stopped it does not accept or send
    packets. If you stop a physical interface, VLAN interfaces associated with it also stop.
    Default: up (down for VLANs)
    Availability: All models.

stpforward {disable | enable}
    Enable or disable forwarding Spanning Tree Protocol (STP) packets through this
    interface.
    Default: disable
    Availability: All models.

subst {enable | disable}
    Substitute destination MAC address.
    Default: disable
    Availability: All models.

substitute-dst-mac <destination-address_hex>
    Substitute the destination MAC address in a packet.
    Default: No default.
    Availability: All models.

username
    Enter the user name to connect to the PPPoE server.
    Default: No default.
    Availability: All models. Not available in Transparent mode. pppoe.

vdom <name_str>
    Enter the name of the virtual domain to add this interface to.
    The physical interface moves to the virtual domain. Firewall IP pools and virtual IPs
    added for this interface are deleted. You should manually delete any routes that
    include this interface.
    Default: root
    Availability: All models.

vlanid <id_integer>
    Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN
    subinterface.
    The VLAN ID can be any number between 1 and 4096 but must match the VLAN ID added by
    the IEEE 802.1Q-compliant router. Two VLAN subinterfaces added to the same physical
    interface cannot have the same VLAN ID. However, you can add two or more VLAN
    subinterfaces with the same VLAN ID to different physical interfaces.
    Default: No default.
    Availability: All models.

wins-ip <address-ipv4>
    Enter the IP address of a WINS server to which to forward NetBIOS broadcasts. This
    WINS server address is only used if netbios-forward is enabled.
    Default: No default.
    Availability: All models. NAT/Route mode only.

Example
This example shows how to set the FortiGate-300 internal interface IP address and netmask to
192.168.100.159 255.255.255.0, and the management access to ping, https, and ssh.
config system interface
edit internal
set allowaccess ping https ssh
set ip 192.168.100.159 255.255.255.0
end
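Because allowaccess is always retyped as a whole list, and because http and telnet carry administrator credentials in cleartext, interface configurations are worth auditing for it. The following added Python example (not Fortinet code) parses constructed configuration text written in the style of the examples on this page and reports the allowaccess line to re-enter per interface; which interfaces count as untrusted is an assumption (external).

```python
"""Audit of management access (allowaccess) per interface. Added example, not
Fortinet code. The configuration text below is constructed in the style of the
'show system interface' examples on this page; which interfaces count as
untrusted is a policy input (assumed: external)."""
from typing import Dict, List, Tuple

CLEARTEXT = {"http", "telnet"}   # management protocols that send credentials unencrypted

# Constructed sample output (not captured from a device); 'next' and 'end'
# are both accepted as the end of an edit block.
SAMPLE_SHOW = """\
config system interface
    edit internal
        set allowaccess ping https ssh
        set ip 192.168.100.159 255.255.255.0
        set status up
    next
    edit external
        set allowaccess http telnet ping https
        set ip 203.0.113.5 255.255.255.0
        set mode static
        set status up
    next
    edit dmz
        set allowaccess https snmp
        set ip 10.10.10.1 255.255.255.0
        set status up
    next
end
"""

Interfaces = Dict[str, Dict[str, List[str]]]


def parse_show_interface(text: str) -> Interfaces:
    """Turn 'edit <name> / set <keyword> <values...> / next|end' blocks into
    {interface: {keyword: [values]}}."""
    interfaces: Interfaces = {}
    name, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            name = line[5:].strip().strip('"')
            current = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split()
            current[parts[1]] = parts[2:]
        elif line in ("next", "end") and current is not None:
            interfaces[name] = current
            name, current = None, None
    return interfaces


def audit_allowaccess(interfaces: Interfaces,
                      untrusted=("external",)) -> List[Tuple[str, str]]:
    """Findings as (interface, message): cleartext management protocols anywhere,
    and any management access at all on an untrusted interface."""
    findings = []
    for name, keys in interfaces.items():
        access = set(keys.get("allowaccess", []))
        for proto in sorted(access & CLEARTEXT):
            findings.append((name, f"cleartext management protocol {proto} enabled"))
        if name in untrusted and access:
            findings.append((name, "management access on untrusted interface: "
                                   + " ".join(sorted(access))))
    return findings


def hardened_allowaccess(interfaces: Interfaces,
                         untrusted=("external",)) -> Dict[str, str]:
    """The allowaccess line to re-enter for each interface (the list must be
    retyped in full): cleartext protocols dropped everywhere, everything dropped
    on untrusted interfaces (unset, as in the command syntax pattern above)."""
    fixes = {}
    for name, keys in interfaces.items():
        access = [a for a in keys.get("allowaccess", []) if a not in CLEARTEXT]
        if name in untrusted:
            access = []
        fixes[name] = ("set allowaccess " + " ".join(access)) if access else "unset allowaccess"
    return fixes


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE_SHOW)
    for iface, msg in audit_allowaccess(parsed):
        print(f"{iface}: {msg}")
    for iface, line in hardened_allowaccess(parsed).items():
        print(f"config system interface / edit {iface} / {line} / end")
```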


config ip6-prefix-list
Access the ip6-prefix-list subcommand branch using the config system interface
command. You can create up to 32 entries. This command is available in NAT/Route mode only.

Command syntax pattern


config ip6-prefix-list
edit <address_ipv6mask>
set <keyword> <variable>
end
config ip6-prefix-list
delete <address_ipv6mask>
end
get system interface <name_str>
show system interface <name_str>

ip6-prefix-list command keywords and variables

autonomous-flag {disable | enable}
    Enable or disable the autonomous flag in the prefix information option.
    Default: disable
    Availability: All models.

onlink-flag {disable | enable}
    Enable or disable the on-link flag ("L-bit") in the prefix information option.
    Default: disable
    Availability: All models.

preferred-life-time <seconds_integer>
    Enter the number, in seconds, for the preferred lifetime in the prefix information
    option.
    Default: 604800
    Availability: All models.

valid-life-time <seconds_integer>
    Enter the number, in seconds, for the valid lifetime in the prefix information option.
    Default: 2592000
    Availability: All models.

config secondaryip
Access the secondaryip subcommand branch using the config system interface command.

Note: This command is not available in Transparent mode.

Command syntax pattern


config secondaryip
edit <id_integer>
set <keyword> <variable>
end
config secondaryip
edit <id_integer>
unset <keyword>
end
config secondaryip
delete <id_integer>
end
get system interface <name_str>
show system interface <name_str>


secondaryip command keywords and variables

allowaccess {http https ping snmp ssh telnet}
    Allow management access to the secondary IP address of the interface. You can enter one or
    more of the management access types separated by spaces.
    Default: No default. Availability: All models.
detectserver <address_ipv4>
    Add the IP address of a ping server for the secondary IP address. A ping server is usually the
    next hop router on the network connected to the interface. If gwdetect is enabled, the FortiGate
    unit confirms connectivity with the server at this IP address. Adding a ping server is required
    for routing failover. The primary and secondary ping server can be the same IP address.
    Default: No default. Availability: All models.
gwdetect {disable | enable}
    Enable or disable confirming connectivity with the server at the detectserver IP address. The
    frequency with which the FortiGate unit confirms connectivity is set using the set system option
    interval command.
    Default: disable. Availability: All models.
ip <address_ipv4mask>
    Add or change the secondary static IP address and netmask for the interface. The secondary IP
    address can be on any subnet, including the same subnet as the primary IP address. The
    secondary IP address cannot be the same as the primary IP address.
    Default: 0.0.0.0 0.0.0.0. Availability: All models.

Example
This example shows how to add a secondary IP address and netmask of 192.176.23.180
255.255.255.0 to the internal interface. Also configure ping and https management access to
this secondary IP address.
config system interface
edit internal
config secondaryip
edit 1
set allowaccess ping https
set ip 192.176.23.180 255.255.255.0
end
end
This example shows how to display the settings for the system interface command.
get system interface
This example shows how to display the configuration for the system interface command.
show system interface
This example shows how to display the settings for the internal interface. You can substitute any
model appropriate interface name.
get system interface internal
If the interface mode is DHCP, the display includes Lease Expires, Acquired DNS1, Acquired DNS2,
and DHCP Gateway. If the interface mode is PPPoE, the display includes Acquired DNS1, Acquired
DNS2 and PPPoE gateway.

This example shows how to display the configuration for the internal interface. You can substitute any
model appropriate interface name.
show system interface internal

Command History
FortiOS v2.80 Substantially revised. IPv6 added.
FortiOS v2.80 MR2 Added netbios-forward, wins-ip keywords.
VLAN-related keywords are available on all models.
Removed zone keyword. See config system zone.
FortiOS v2.80 MR3 Added defaultgw keyword.
FortiOS v2.80 MR6 Added mtu-override keyword.

config system ipv6_tunnel

ipv6_tunnel
Use this command to tunnel IPv6 traffic over an IPv4 network.

Note: This command is not available in Transparent mode.

Command syntax pattern


config system ipv6_tunnel
edit <name_str>
set <keyword> <variable>
end
config system ipv6_tunnel
edit <name_str>
unset <keyword>
end
config system ipv6_tunnel
delete <name_str>
end
get system interface <name_str>
show system interface <name_str>

ipv6_tunnel command keywords and variables

destination <address_ipv4>
    The destination IPv4 address for this tunnel.
    Default: 0.0.0.0. Availability: All models.
interface <name_str>
    The interface used to send and receive traffic for this tunnel.
    Default: No default. Availability: All models.
ip6 <address_ipv6mask>
    The network prefix (IPv6 address and netmask) assigned to the interface to enable IPv6
    processing on the interface.
    Default: ::/0. Availability: All models.
mode {ipv6ip}
    Set the tunnel mode to IPv6 over IPv4.
    Default: ipv6ip. Availability: All models.
source <address_ipv4>
    The source IPv4 address for this tunnel.
    Default: 0.0.0.0. Availability: All models.
vdom <name_str>
    The virtual domain that the interface for this tunnel belongs to.
    Default: root. Availability: All models.

Example
This example shows how to add an IPv6 over IPv4 tunnel named test_tunnel on the internal interface.
config system ipv6_tunnel
edit test_tunnel
set destination 10.10.10.1
set interface internal
set ip6 12AB:0:0:CD30::/60
set mode ipv6ip
set source 192.168.50.1
set vdom root
end

This example shows how to display the settings for the system ipv6_tunnel command.
get system ipv6_tunnel
This example shows how to display the configuration for the system ipv6_tunnel command.
show system ipv6_tunnel
This example shows how to display the settings for the ipv6_tunnel named test_tunnel.
get system ipv6_tunnel test_tunnel
This example shows how to display the configuration for the ipv6_tunnel named test_tunnel.
show system ipv6_tunnel test_tunnel

Command History
FortiOS v2.80 New.

Related Commands
• interface

config system mac-address-table

mac-address-table
Use this command to create a static MAC table. You can make up to 50 entries. This command is
available in Transparent mode only.

Command syntax pattern


config system mac-address-table
edit <mac-address_hex>
set <keyword> <variable>
end
config system mac-address-table
edit <mac-address_hex>
unset <keyword>
end
config system mac-address-table
delete <mac-address_hex>
end
get system mac-address-table <mac-address_hex>
show system mac-address-table <mac-address_hex>

mac-address-table command keywords and variables

interface <name_str>
    Enter the name of the interface for this entry in the static MAC table.
    Default: No default. Availability: All models. Transparent mode only.

Example
Use the following commands to add a static MAC entry for the internal interface.
config system mac-address-table
edit 11:22:33:00:ff:aa
set interface internal
end
This example shows how to display the settings for the mac-address-table command.
get system mac-address-table
This example shows how to display the configuration for the mac-address-table command.
show system mac-address-table
This example shows how to display the settings for the MAC address 11:22:33:00:ff:aa.
get system mac-address-table 11:22:33:00:ff:aa
This example shows how to display the configuration for the MAC address 11:22:33:00:ff:aa.
show system mac-address-table 11:22:33:00:ff:aa

Command History
FortiOS v2.80 Renamed and Revised. Formerly set system brctl.

config system manageip

manageip
Configure the Transparent mode management IP address. Use the management IP address for
management access to the FortiGate unit running in Transparent mode. The FortiProtect Distribution
Network (FDN) also connects to the management IP address for antivirus and attack definition and
engine updates.

Command syntax pattern


config system manageip
set <keyword> <variable>
end
config system manageip
unset <keyword>
end
get system manageip
show system manageip

manageip command keywords and variables

ip <address_ipv4mask>
    Set the IP address and netmask of the Transparent mode management interface.
    Default: 10.10.10.1 255.255.255.0. Availability: All models. Only available in Transparent mode.

Example
This example shows how to set the transparent mode management IP address to 192.168.1.80 and
the netmask to 255.255.255.0.
config system manageip
set ip 192.168.1.80 255.255.255.0
end
This example shows how to display the settings for the manageip command.
get system manageip
This example shows how to display the configuration for the manageip command.
show system manageip

Command History
FortiOS v2.80 Revised.

Related Commands
• interface

config system modem

modem
Use this command to configure a FortiGate-60M modem or a serial modem connected using a serial
converter to the FortiGate-50A or FortiGate-60 USB port.
You can add the information to connect to up to three dialup accounts. The FortiGate-60 or
FortiGate-60M unit modem interface can act as a backup interface for one of the FortiGate ethernet
interfaces or as a standalone dialup interface.
These commands are available in NAT/Route mode only and apply only to models 50A, 60, 60M and
60-WiFi.

Command syntax pattern


config system modem
set <keyword> <variable>
end
config system modem
unset <keyword>
end
get system modem
show system modem

modem command keywords and variables

altmode {enable | disable}
    Enable for installations using PPP in China.
    Default: enable.
auto_dial {enable | disable}
    Enable to dial the modem automatically if the connection is lost or the FortiGate unit is
    restarted.
    Default: disable. Availability: dial_on_demand disable, mode standalone.
dial_on_demand {enable | disable}
    Enable to dial the modem when packets are routed to the modem interface. The modem
    disconnects after the idle_timer period.
    Default: disable. Availability: mode standalone, auto_dial disable.
holddown_timer <seconds_integer>
    Used only when the modem is configured as a backup for an interface. Set the time (1-60
    seconds) that the FortiGate unit waits before switching from the modem interface to the primary
    interface, after the primary interface has been restored.
    Default: 60. Availability: mode redundant.
idle_timer <minutes_integer>
    Set the number of minutes the modem connection can be idle before it is disconnected.
    Default: 5. Availability: mode standalone.
interface <name_str>
    Enter an interface name to associate the modem interface with the ethernet interface that you
    want to either back up (backup configuration) or replace (standalone configuration).
    Default: No default.
mode {standalone | redundant}
    Set the modem interface to replace an ethernet interface (standalone) or to back up an ethernet
    interface (redundant).
    Default: standalone.
passwd1 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default.
passwd2 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default.
passwd3 <password_str>
    Enter the password used to access the specified dialup account.
    Default: No default.
phone1 <phone-number_str>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the
    phone number. Make sure to include standard special characters for pauses, country codes, and
    other functions as required by your modem to connect to your dialup account.
    Default: No default.
phone2 <phone-number_str>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the
    phone number. Make sure to include standard special characters for pauses, country codes, and
    other functions as required by your modem to connect to your dialup account.
    Default: No default.
phone3 <phone-number_str>
    Enter the phone number required to connect to the dialup account. Do not add spaces to the
    phone number. Make sure to include standard special characters for pauses, country codes, and
    other functions as required by your modem to connect to your dialup account.
    Default: No default.
redial {none | <tries_integer>}
    Set the maximum number of times (1-10) that the FortiGate unit dials the ISP to restore an
    active connection on the modem interface. Select none to allow the modem to redial without a
    limit.
    Default: No default.
status {disable | enable}
    Enable or disable modem support.
    Default: disable.
username1 <name_str>
    Enter the user name used to access the specified dialup account.
    Default: No default.
username2 <name_str>
    Enter the user name used to access the specified dialup account.
    Default: No default.
username3 <name_str>
    Enter the user name used to access the specified dialup account.
    Default: No default.

Example
This example shows how to enable the modem and configure the modem to act as a backup for the
WAN1 interface. Only one dialup account is configured. The FortiGate unit and modem will attempt to
dial this account 10 times. The FortiGate unit will wait 5 seconds after the WAN1 interface recovers
before switching back to the WAN1 interface.
config system modem
set status enable
set mode redundant
set interface wan1
set holddown_timer 5
set passwd1 acct1passwd
set phone1 1234567891
set redial 10
set username1 acct1user
end

This example shows how to display the settings for the modem command.
get system modem
This example shows how to display the configuration for the modem command.
show system modem

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR3 Default for altmode changed to enable.

Related Commands
• interface

config system oobm interface

oobm interface
Use this command to configure the Out-of-Band Management interface on the FortiGate 4000 unit.

Command syntax pattern


config system oobm interface
set <keyword> <variable>
end

oobm interface command keywords and variables

allowaccess {ping | http | https | snmp | ssh | telnet}
    Allow management access to the oobm interface. You can enter one or more of the management
    access types separated by spaces. If you want to remove an option from the list or add an option
    to the list, you must retype the list with the option removed or added.
    Default: none. Availability: Model 4000 only.
ip <address_ipv4mask>
    Set the IP address and netmask of the oobm interface.
    Default: none. Availability: Model 4000 only.
mtu <mtu_integer>
    Enter the maximum transmission unit (MTU) size in bytes. Ideally mtu should be the same as the
    smallest MTU of all the networks between this FortiGate unit and the destination of the packets.
    Default: 1500. Availability: Model 4000 only.

Command History
FortiOS v2.80 MR3 Added.

Related Commands
• oobm route

config system oobm route

oobm route
Use this command to configure an Out-of-Band Management route on the FortiGate 4000 unit.

Command syntax pattern


config system oobm route
set <keyword> <variable>
end

oobm route command keywords and variables

distance <distance_integer>
    Enter a number from 1 to 255 to set the administrative distance.
    Default: 10. Availability: Model 4000 only.
dst <address_ipv4mask>
    Set the destination IP address and netmask for this route.
    Default: none. Availability: Model 4000 only.
gateway <gateway-address_ipv4>
    The IP address of the first next hop router to which this route directs traffic.
    Default: No default. Availability: Model 4000 only.
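The guide gives no worked example for the oobm interface and oobm route commands, so the following one is added here; it is not from the original guide. It assumes a FortiGate-4000 unit and uses constructed addresses: the oobm interface is placed on 10.0.0.2/24 with management access limited to the encrypted protocols https and ssh, and the route sends traffic for the 10.1.0.0/16 management network to the next hop router 10.0.0.1.

```fortios
config system oobm interface
set ip 10.0.0.2 255.255.255.0
set allowaccess https ssh
set mtu 1500
end
config system oobm route
set dst 10.1.0.0 255.255.0.0
set gateway 10.0.0.1
set distance 10
end
```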

Command History
FortiOS v2.80 MR3 Added.

Related Commands
• oobm interface

config system replacemsg {alertmail | catblock | ftp | http | mail | spam} <message-type_str>

replacemsg {alertmail | catblock | ftp | http | mail | spam} <message-type_str>
Use this command to change default replacement messages. Change replacement messages to
customize the content of alert email messages and to customize information that the FortiGate unit
adds to content streams such as email messages, web pages, and FTP sessions. The FortiGate unit
adds replacement messages to a variety of content streams. For example, if a virus is found in an
email message, the file is removed from the email and replaced with a replacement message. The
same applies to pages blocked by web filtering and emails blocked by spam filtering.

Command syntax pattern


config system replacemsg {alertmail | catblock | ftp | http | mail | spam} <message-type_str>
set <keyword> <variable>
end
config system replacemsg {alertmail | catblock | ftp | http | mail | spam} <message-type_str>
unset <keyword>
end
get system replacemsg {alertmail | catblock | ftp | http | mail | spam} [<message-type_str>]
show system replacemsg {alertmail | catblock | ftp | http | mail | spam} [<message-type_str>]

system replacemsg <message-type_str> command keywords and variables

buffer <message_str>
    Type a new replacement message to replace the current replacement message.
    Default: Depends on the message type. Availability: All models.
format {html | none | text}
    The format of the message: html for HTTP replacement messages, text for email messages.
    Default: No default. Availability: All models.
header {8bit | http | none}
    The format of the message header.
    Default: Depends on the message type. Availability: All models.

<message-type_str> defaults

Each group below lists its message types with the default format and header of each.

alertmail: Alert email messages sent to system administrators.
    alertmail_test: Email message sent when the administrator tests alert email.
        Format: text. Header: none.
    alertmail_virus: Virus log is enabled for alert email and a virus is detected.
        Format: none. Header: none.
    alertmail_block: Virus log is enabled for alert email and antivirus file blocking blocks a file.
        Format: text. Header: none.
    alertmail_nids_event: Attack log is enabled for alert email and the IPS detects an attack.
        Format: text. Header: none.
    alertmail_crit_event: Event log is enabled for alert email and a critical system message is sent.
        Format: text. Header: none.
    alertmail_disk_full: Event log is enabled for alert email and the log disk is full.
        Format: text. Header: none.
catblock: Messages that appear on web pages blocked by category blocking.
    cat_block: Web category blocking blocks a web page.
        Format: text. Header: none.
ftp: Messages added to FTP sessions when the antivirus engine blocks a file either because of a
matching file pattern or because a virus is detected.
    ftp_dl_infected: Antivirus system detects a virus in a file being downloaded and blocks the file.
        Format: text. Header: none.
    ftp_dl_blocked: Antivirus system blocks a file that matches a file pattern.
        Format: text. Header: none.
    ftp_dl_filesize: Antivirus system blocks an oversize file (one that is too large to be virus
        scanned). Format: text. Header: none.
http: Messages added to web pages when the antivirus engine blocks a file in an HTTP session
because of a matching file pattern or because a virus is detected, or when web filter blocks a
web page.
    bannedword: The web filter banned word list blocks a web page.
        Format: html. Header: http.
    url_block: Web filter URL blocking blocks a web page.
        Format: html. Header: http.
    http_block: The antivirus system blocks a file that matches a file pattern.
        Format: html. Header: http.
    http_virus: The antivirus system blocks a file that contains a virus.
        Format: html. Header: http.
    http_filesize: The antivirus system blocks a file that is too large to be virus scanned.
        Format: html. Header: http.
    http_client_block: The antivirus system blocks a file that matches a file pattern.
        Format: html. Header: http.
    http_client_virus: The antivirus system blocks a file that contains a virus.
        Format: html. Header: http.
    http_client_filesize: The antivirus system blocks a file that is too large to be virus scanned.
        Format: html. Header: http.
    http_client_bannedword: The web filter banned word list blocks a web page.
        Format: html. Header: http.
mail: Messages added to email messages when the antivirus engine blocks a file either because of
a matching file pattern or because a virus is detected, or when spam filter blocks an email.
    email_block: The antivirus system blocks a file that matches a file pattern.
        Format: text. Header: 8bit.
    email_virus: The antivirus system deletes a file that contains a virus from an email message.
        Format: text. Header: 8bit.
    email_filesize: The antivirus system blocks an email message that is too large to be virus
        scanned. Format: text. Header: 8bit.
    partial: The FortiGate unit deletes a part of a fragmented email message.
        Format: text. Header: 8bit.
    smtp_block: The antivirus system blocks a file in an SMTP email message that matches a file
        pattern. Format: text. Header: 8bit.
    smtp_virus: The antivirus system deletes a file that contains a virus from an SMTP email
        message. Format: text. Header: 8bit.
    smtp_filesize: The antivirus system blocks an SMTP email message that is too large to be virus
        scanned. Format: text. Header: 8bit.
spam: Messages added to SMTP email messages when spam filter blocks an email message.
    ipblocklist: The spam filter IP address list marked an email message as reject or as spam.
        Format: text. Header: 8bit.
    smtp_spam_rbl: The spam filter DNSBL & ORDBL list marked an email message as reject or as
        spam. Format: text. Header: 8bit.
    smtp_spam_helo: An email message is blocked because the HELO/EHLO domain is invalid.
        Format: text. Header: 8bit.
    smtp_spam_emailblack: The spam filter email address list marked a message as spam.
        Format: text. Header: 8bit.
    smtp_spam_mimeheader: The spam MIME headers list marked a message as spam.
        Format: text. Header: 8bit.
    reversedns: Spam filtering return-email DNS check identified a message as spam.
        Format: text. Header: 8bit.
    smtp_spam_bannedword: The spam filter email address list marked an SMTP message as spam.
        Format: text. Header: 8bit.

Replacement messages can include replacement message tags. When users receive the replacement
message, the replacement message tag is replaced with content relevant to the message.

Replacement message tags

%%FILE%%
    The name of a file that has been removed from a content stream. This could be a file that
    contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and
    file block messages.
%%VIRUS%%
    The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in
    virus messages.
%%QUARFILENAME%%
    The name of a file that has been removed from a content stream and added to the quarantine.
    This could be a file that contained a virus or was blocked by antivirus file blocking.
    %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available
    on FortiGate units with a local disk.
%%URL%%
    The URL of a web page. This can be a web page that is blocked by web filter content or URL
    blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the
    web page from which a user attempted to download a file that is blocked.
%%CRITICAL_EVENT%%
    Added to alert email critical event email messages. %%CRITICAL_EVENT%% is replaced with the
    critical event message that triggered the alert email.
%%PROTOCOL%%
    The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is
    added to alert email virus messages.
%%SOURCE_IP%%
    The IP address from which a virus was received. For email this is the IP address of the email
    server that sent the email containing the virus. For HTTP this is the IP address of the web page
    that sent the virus.
%%DEST_IP%%
    The IP address of the computer that would have received the blocked file. For email this is the
    IP address of the user's computer that attempted to download the message from which the file
    was removed.
%%EMAIL_FROM%%
    The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%
    The email address of the intended receiver of the message from which the file was removed.
%%NIDS_EVENT%%
    The IPS attack message. %%NIDS_EVENT%% is added to alert email intrusion messages.

Example
This example shows how to change the email message that is sent to test the alert email system.
config system replacemsg alertmail alertmail_test
set buffer "A test of the FortiGate alert email system."
end
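As an added example that is not from the original guide, the following commands replace two default messages with ones that use the tags from the table above: the http_virus web page (format html, header http) and the alertmail_virus alert email. The message text is constructed, each buffer is written on one line to avoid line breaks inside the quoted string, and %%QUARFILENAME%% is only filled in on units with a local disk.

```fortios
config system replacemsg http http_virus
set format html
set header http
set buffer "<html><body><h2>File removed</h2><p>The file %%FILE%% from %%URL%% was removed because it contains the virus %%VIRUS%%. Quarantine copy: %%QUARFILENAME%%</p></body></html>"
end
config system replacemsg alertmail alertmail_virus
set format text
set header none
set buffer "Virus %%VIRUS%% detected in %%FILE%% (%%PROTOCOL%%) sent from %%SOURCE_IP%% to %%DEST_IP%%; sender %%EMAIL_FROM%%, recipient %%EMAIL_TO%%."
end
```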

Command History
FortiOS v2.80 New
FortiOS v2.80 MR2 Changed cerb keyword to catblock.

config system session-helper

session-helper
A session-helper binds a service to a TCP port. By default, there are 14 session helpers binding
services to standard ports. Use this command to configure a new session helper or to edit an existing
one.

The default session helpers are:
1 pptp port 1723 protocol 6
2 h323 port 1720 protocol 6
3 ras port 1719 protocol 17
4 tns port 1521 protocol 6
5 ident port 21 protocol 6
6 ident port 23 protocol 6
7 ident port 25 protocol 6
8 tftp port 69 protocol 17
9 rtsp port 554 protocol 6
10 rtsp port 7070 protocol 6
11 ftp port 21 protocol 6
12 mms port 1863 protocol 6
13 pmap port 111 protocol 6
14 pmap port 111 protocol 17

Command syntax pattern


config system session-helper
edit <id_integer>
set <keyword> <variable>
end
config system session-helper
edit <id_integer>
unset <keyword>
end
config system session-helper
delete <id_integer>
end

system session-helper command keywords and variables

name {dns_tcp | dns_udp | ftp | h245I | h2450 | h323 | ident | mms | pmap | pptp | ras | rtsp | sip | tftp | tns}
    The name of the session helper.
    Default: No default. Availability: All models.
port <port_integer>
    A port number to use for this session helper.
    Default: No default. Availability: All models.
protocol <protocol_integer>
    The protocol number for this session helper.
    Default: No default. Availability: All models.

Example
Use the following commands to change the ftp port from 21 to 1021:
config system session-helper
edit 11
set port 1021
end
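The example above edits one of the 14 default helpers; the following added example, which is not from the original guide, creates a new one instead. It binds a second ftp helper to TCP port 2121 as entry 15 (the entry number and port are constructed), so that an FTP server listening on that nonstandard port gets the same data-connection handling as port 21 while the default entry 11 stays in place.

```fortios
config system session-helper
edit 15
set name ftp
set port 2121
set protocol 6
end
```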

Command History
FortiOS v2.80 New

config system session_ttl

session_ttl
Use this command when you want to increase or decrease the length of time a TCP session can be
idle before being dropped.

Command syntax pattern


config system session_ttl
set <keyword> <variable>
end
config system session_ttl
unset <keyword>
end
get system session_ttl
show system session_ttl
The config system session_ttl command has one subcommand:
config port

session_ttl command keywords and variables

default <seconds_integer>
    Enter a number of seconds to change the default session timeout.
    Default: 3600. Availability: All models.

Example
Use the following commands to increase the default session timeout.
config system session_ttl
set default 62000
end
This example shows how to display the settings for the session_ttl command.
get system session_ttl
This example shows how to display the configuration for the session_ttl command.
show system session_ttl

config port
Access the port subcommand branch using the session_ttl command. Use this command to control
the timeout for a specific port.

Command syntax pattern


config port
edit <port_integer>
set <keyword> <variable>
end

config port
edit <port_integer>
unset <keyword>
end
config port
delete <port_integer>
end
get system session_ttl
show system session_ttl

port command keywords and variables

timeout <seconds_integer>
    Enter the number of seconds the session can be idle for this port.
    Default: 300. Availability: All models.

Example
Use the following command to change the session timeout for SSH on port 22 to 3600 seconds.
config system session_ttl
config port
edit 22
set timeout 3600
end
end

Command History
FortiOS v2.80 Revised.

config system snmp community

snmp community
Use this command to configure SNMP communities. Add SNMP communities so that SNMP
managers can connect to the FortiGate unit to view system information and receive SNMP traps. You
can add up to three SNMP communities. Each community can have a different configuration for SNMP
queries and traps. Each community can be configured to monitor the FortiGate unit for a different set
of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

Command syntax pattern


config system snmp community
edit <id_integer>
set <keyword> <variable>
end
config system snmp community
edit <id_integer>
unset <keyword>
end
config system snmp community
delete <id_integer>
end
get system snmp community [<id_integer>]
show system snmp community [<id_integer>]
The config system snmp community command has one subcommand.
config hosts

snmp community command keywords and variables

events {av_virus cpu_high fm_if_change ha_switch intf_ip log_full mem_low nids_portscan nids_synflood vpn_tun_down vpn_tun_up}
    Enable the events for which the FortiGate unit should send traps to the SNMP managers in this
    community.
    av_virus: A virus is detected.
    cpu_high: CPU usage exceeds 90%.
    fm_if_change: FortiManager interface changes.
    ha_switch: The primary unit in a HA cluster fails and is replaced with a new HA unit.
    intf_ip: The IP address of a FortiGate interface changes.
    log_full: On a FortiGate unit with a hard drive, hard drive usage exceeds 90%.
    mem_low: Memory usage exceeds 90%.
    nids_portscan: The IPS detects a port scan attack.
    nids_synflood: The IPS detects a syn flood attack.
    vpn_tun_down: A VPN tunnel stops.
    vpn_tun_up: A VPN tunnel starts.
    Default: All events enabled. Availability: All models.
name <name_str>
    The name of the SNMP community.
    Default: No default. Availability: All models.
query_v1_port <port_number_integer>
    SNMP v1 query port number used for queries by the SNMP managers added to this SNMP
    community.
    Default: 161. Availability: All models.
query_v1_status {disable | enable}
    Enable or disable SNMP v1 queries for this SNMP community.
    Default: enable. Availability: All models.
query_v2c_port <port_number_integer>
    SNMP v2c query port number used for queries by the SNMP managers added to this SNMP
    community.
    Default: 161. Availability: All models.
query_v2c_status {disable | enable}
    Enable or disable SNMP v2c queries for this SNMP community.
    Default: enable. Availability: All models.
status {disable | enable}
    Enable or disable the SNMP community.
    Default: enable. Availability: All models.
trap_v1_lport <local-port_integer>
    SNMP v1 local port number used for sending traps to the SNMP managers added to this SNMP
    community.
    Default: 162. Availability: All models.
trap_v1_rport <remote-port_integer>
    SNMP v1 remote port number used for sending traps to the SNMP managers added to this SNMP
    community.
    Default: 162. Availability: All models.
trap_v1_status {disable | enable}
    Enable or disable SNMP v1 traps for this SNMP community.
    Default: enable. Availability: All models.
trap_v2c_lport <local-port_integer>
    SNMP v2c local port number used for sending traps to the SNMP managers added to this SNMP
    community.
    Default: 162. Availability: All models.
trap_v2c_rport <remote-port_integer>
    SNMP v2c remote port number used for sending traps to the SNMP managers added to this SNMP
    community.
    Default: 162. Availability: All models.
trap_v2c_status {disable | enable}
    Enable or disable SNMP v2c traps for this SNMP community.
    Default: enable. Availability: All models.

Example
This example shows how to add a new SNMP community named SNMP_Com1. The default
configuration can be used in most cases with only a few modifications. In the example below the
community is added, given a name, and then because this community is for an SNMP manager that is
SNMP v1 compatible, all v2c functionality is disabled. After the community is configured the SNMP
manager is added. The SNMP manager IP address is 192.168.20.34 and it connects to the FortiGate
unit internal interface.
config system snmp community
edit 1
set name SNMP_Com1
set query_v2c_status disable
set trap_v2c_status disable
config hosts
edit 1
set interface internal
set ip 192.168.20.34
end
end
This example shows how to display the settings for the system snmp community command.
get system snmp community
This example shows how to display the settings for the SNMP community with ID 1.
get system snmp community 1
This example shows how to display the configuration for the snmp community command.
show system snmp community
This example shows how to display the configuration for the SNMP community with ID 1.
show system snmp community 1

config hosts
Access the hosts subcommand using the snmp community command. Use this command to add
SNMP manager IP addresses to an SNMP community and to specify the FortiGate interface that each
SNMP manager connects to.

Command syntax pattern


config hosts
edit <id_integer>
set <keyword> <variable>
end

config hosts
edit <id_integer>
unset <keyword>
end
config hosts
delete <id_integer>
end
get system snmp community [<id_integer>]
show system snmp community [<id_integer>]

hosts command keywords and variables

interface <name_str>
    The name of the FortiGate interface the SNMP manager connects to.
    Default: No default.
ip <address_ipv4>
    The IP address of the SNMP manager.
    Default: 0.0.0.0.

Example
Use the following command to add an SNMP manager with IP address 192.34.56.78 that connects to
the external interface of the FortiGate unit.
config system snmp community
edit 1
config hosts
edit 1
set interface external
set ip 192.34.56.78
end
end

Command History
FortiOS v2.80 Substantially revised.
FortiOS v2.80 MR6 fm_if_change added to events

Related Commands
• snmp sysinfo

config system snmp sysinfo

snmp sysinfo
Use this command to enable the FortiGate SNMP agent and to enter basic FortiGate system
information that is used by the FortiGate SNMP agent. Use system information to identify the FortiGate
unit so that when your SNMP manager receives configuration information or traps from the FortiGate
unit you can identify the FortiGate unit that sent the information.

Command syntax pattern


config system snmp sysinfo
set <keyword> <variable>
end
config system snmp sysinfo
unset <keyword>
end
get system snmp sysinfo
show system snmp sysinfo

snmp sysinfo command keywords and variables


contact_info <info_str>
    Add the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters long.
    Default: No default. Availability: All models.
description <desc_str>
    Add a name or description of the FortiGate unit. The description can be up to 35 characters long.
    Default: No default. Availability: All models.
location <location_str>
    Describe the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
    Default: No default. Availability: All models.
status {disable | enable}
    Enable or disable the FortiGate SNMP agent.
    Default: disable. Availability: All models.

Example
This example shows how to enable the FortiGate SNMP agent and add basic SNMP system
information.
config system snmp sysinfo
set status enable
set contact_info "System Admin ext 245"
set description "FortiGate unit"
set location "Server Room"
end
This example shows how to display the settings for the system snmp sysinfo command.
get system snmp sysinfo
This example shows how to display the configuration for the system snmp sysinfo command.
show system snmp sysinfo

Command History
FortiOS v2.80 Revised.

Related Commands
• snmp community

config system vdom

vdom
Use this command to add virtual domains. The number of virtual domains you can add is dependent
on the FortiGate model.
By default, each FortiGate unit runs a virtual domain named root. This virtual domain includes all of the
FortiGate physical interfaces, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN
settings.
Once you add a virtual domain you can configure it by adding VLAN subinterfaces, zones, firewall
policies, routing settings, and VPN settings. You can also move physical interfaces from the root virtual
domain to other virtual domains and move VLAN subinterfaces from one virtual domain to another.
By default all physical interfaces are in the root virtual domain. You cannot remove a physical interface
from a virtual domain if firewall policies have been added for it. Delete the firewall policies or remove
the interface from the firewall policies first. If the interface has been added to a zone, it is removed
from the zone when you move it to a different virtual domain.
You cannot delete the default root virtual domain and you cannot delete a virtual domain that is used
for system management.

Note: A virtual domain cannot have the same name as a VLAN.

Command syntax pattern


config system vdom
edit <name_str>
end
config system vdom
delete <name_str>
end
get system vdom <name_str>
show system vdom <name_str>

Example
This example shows how to add a virtual domain called Test1.
config system vdom
edit Test1
end

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• global
• interface

config system wireless mac_filter

wireless mac_filter
Use this command to configure the WLAN interface wireless MAC filter.

Command syntax pattern


config system wireless mac_filter
set <keyword> <variable>
end
config system wireless mac_filter
unset <keyword>
end
get system wireless mac_filter
show system wireless mac_filter
The config system wireless mac_filter command has one subcommand:
config mac_list

wireless command keywords and variables


default_acl {allow | deny}
    Select whether unlisted MAC addresses are allowed or denied access.
    Default: deny. Availability: FortiWifi-60 only. AP mode only.
status {enable | disable}
    Enable or disable MAC filter. Status is always disable in Client mode.
    Default: disable. Availability: FortiWifi-60 only. AP mode only.

config mac_list
Use the config mac_list command to add MAC addresses to the Allow list or to the Deny list.
Access this command using the config system wireless mac_filter command.

Command syntax pattern


config mac_list
edit <integer>
set <keyword> <variable>
end
get system wireless mac_filter
show system wireless mac_filter

config mac_list command keywords and variables


acl {allow | deny}
    Select Allow list or Deny list.
    Default: deny. Availability: FortiWiFi-60 only.
mac <mac_addr_str>
    Set the MAC address to add to the list.
    Default: No default. Availability: FortiWiFi-60 only.

Examples
This example shows how to enable the MAC filter, specify that unlisted MAC addresses should be
denied access, and add MAC address 12:34:56:78:90:AB to the MAC filter Allow list:
config system wireless mac_filter
set status enable
set default_acl deny
config mac_list
edit 1
set acl allow
set mac 12:34:56:78:90:AB
end
end
This example shows how to display the wireless mac_filter:
show system wireless mac_filter

Command History
FortiOS v2.80E New command, incorporating config system network wireless wlan command
and adding new subcommands and keywords.

Related Commands
• wireless settings
• interface

config system wireless settings

wireless settings
Use this command to configure the WLAN interface wireless settings.

Command syntax pattern


config system wireless settings
set <keyword> <variable>
end
config system wireless settings
unset <keyword>
end
get system wireless settings
show system wireless settings

wireless command keywords and variables


beacon_interval <integer>
    Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. In an environment with high interference, decreasing the Beacon Interval might improve network performance. In a location with few wireless nodes, you can increase this value.
    Default: 100. Availability: FortiWifi-60 only. AP mode only.
broadcast_ssid {enable | disable}
    Enable if you want FortiWiFi-60E to broadcast its SSID.
    Availability: FortiWifi-60 only. AP mode only.
channel <channel_integer>
    Select a channel number for your FortiWiFi-60 wireless network. Users who want to use the FortiWiFi-60 wireless network should configure their computers to use this channel for wireless networking.
    Default: 5. Availability: FortiWifi-60 only.
fragment_threshold <integer>
    Set the maximum size of a data packet before it is broken into two or more packets. Reducing the threshold can improve performance in environments that have high interference. Range 800-2346.
    Default: 2346. Availability: FortiWifi-60 only. AP mode only.
geography {Americas | EMEA | Israel | Japan | World}
    Select the country or region that this FortiWifi-60 will operate in.
    Default: World. Availability: FortiWifi-60 only.
key <WEP-key_hex>
    Enter a WEP key. The WEP key must be 10 or 26 hexadecimal digits (0-9 a-f). For a 64-bit WEP key, enter 10 hexadecimal digits. For a 128-bit WEP key, enter 26 hexadecimal digits.
    Default: No default. Availability: FortiWifi-60 only. security set to WEP128 or WEP64.
mode {Client | AP}
    Select Access Point (AP) or Client operation for the wireless interface.
    Default: AP. Availability: FortiWifi-60 only.
passphrase <string>
    Set shared key for WPA_PSK security.
    Default: No default. Availability: FortiWifi-60 only. security set to WPA_PSK.
power_level <integer>
    Set transmitter power level in dBm. Range 0 to 31.
    Default: 31. Availability: FortiWifi-60 only. AP mode only.
radius_server <name_str>
    Set Radius server name for WPA_RADIUS security.
    Default: No default. Availability: FortiWifi-60 only. security set to WPA_RADIUS. AP mode only.
rts_threshold <integer>
    The Request to Send (RTS) threshold sets the time the unit waits for Clear to Send (CTS) acknowledgement from another wireless device. Range 256-2347.
    Default: 2347. Availability: FortiWifi-60 only. AP mode only.
security {None | WEP128 | WEP64 | WPA_PSK | WPA_RADIUS}
    Set security (encryption).
    Default: None. Availability: FortiWifi-60 only.
ssid <ssid_string>
    Change the Service Set ID (SSID) as required. The SSID is the wireless network name that the FortiWiFi-60 broadcasts. Users who wish to use the FortiWiFi-60 wireless network should configure their computers to connect to the network that broadcasts this network name.
    Default: fortinet. Availability: FortiWifi-60 only.

Example
This example shows how to configure the wireless interface.
config system wireless settings
set channel 4
set geography Americas
set key 0123456789abcdeffedcba9876
set security WEP128
set ssid test_wifi
end
This example shows how to display the wireless settings.
get system wireless settings
This example shows how to display the wireless settings.
show system wireless settings

Command History
FortiOS v2.80E Command was config system wireless wlan
Keywords added: beacon_interval, broadcast_ssid, fragment_threshold,
passphrase, power_level, radius_server, rts_threshold

Related Commands
• interface
• wireless mac_filter

config system zone

zone
Use this command to add or edit zones.

Command syntax pattern


config system zone
edit <name_str>
set <keyword> <variable>
end
config system zone
edit <name_str>
unset <keyword>
end
config system zone
delete <name_str>
end
get system zone <name_str>
show system zone <name_str>

zone command keywords and variables


interface <name_str>
    Add the specified interface to this zone. You cannot add an interface if it belongs to another zone or if firewall policies are defined for it.
    Default: No default. Availability: All models.
intrazone {allow | deny}
    Allow or deny traffic routing between different interfaces in the same zone.
    Default: deny. Availability: All models.

Example
This example shows how to add a zone named Zone1, add the internal interface to it, and deny traffic
routing between the different interfaces in the zone (intrazone deny).
config system zone
edit Zone1
set interface internal
set intrazone deny
end

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 intrazone now available on all models. All models support zones.
Added interface keyword (was part of config system interface).

Related Commands
• interface

FortiGate CLI Reference Guide
Version 2.80 MR8

config user
group
ldap
local
peer
peergrp
radius

config user group

group
Use this command to add or edit user groups.
To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or
more user groups. You can then select a user group when you require authentication. You can select
a user group to configure authentication for:
• Policies that require authentication.
Only users in the selected user group or users that can authenticate with the RADIUS or LDAP
servers added to the user group can authenticate with these policies.
• IPSec VPN Phase 1 configurations for dialup users.
Only users in the selected user group can authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations.
Only users in the selected user group can be authenticated using XAuth.
• The FortiGate PPTP configuration.
Only users in the selected user group can use PPTP.
• The FortiGate L2TP configuration.
Only users in the selected user group can use L2TP.
When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which
they are added determines the order in which the FortiGate unit checks for authentication. If user
names are first, then the FortiGate unit checks for a match with these local user names. If a match is
not found, the FortiGate unit checks the RADIUS or LDAP server. If a RADIUS or LDAP server is
added first, the FortiGate unit checks the server and then the local user names.
If the user group contains user names, RADIUS servers, and LDAP servers, the FortiGate unit checks
them in the order in which they have been added to the user group.

Command syntax pattern


config user group
edit <groupname_str>
set <keyword> <variable>
end
config user group
edit <groupname_str>
unset <keyword>
end
get user group [<groupname_str>]
show user group [<groupname_str>]

user group command keywords and variable


member <name_str> [<name_str> [<name_str> [<name_str> ... ]]]
    Enter the names of users, LDAP servers, or RADIUS servers to add to the user group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
    Default: No default. Availability: All models.
profile <profilename_str>
    Enter the name of the firewall protection profile to associate with this user group.
    Default: No default. Availability: All models.

Example
This example shows how to add a group named User_Grp_1 with User_2, User_3, Radius_2 and LDAP_1 as
members, and set the protection profile to strict:
config user group
edit User_Grp_1
set member User_2 User_3 Radius_2 LDAP_1
set profile strict
end
This example shows how to display the list of configured user groups.
get user group
This example shows how to display the settings for the user group User_Grp_1.
get user group User_Grp_1
This example shows how to display the configuration for all the user groups.
show user group
This example shows how to display the configuration for the user group User_Grp_1.
show user group User_Grp_1

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR3 Added profile keyword.

Related Commands
• config user ldap
• config user local
• config user peer
• config user peergrp
• config user radius

config user ldap

ldap
Use this command to add or edit the information used for LDAP authentication.
To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit
sends this user name and password to the LDAP server. If the LDAP server can authenticate the user,
the user is successfully authenticated with the FortiGate unit. If the LDAP server cannot authenticate
the user, the connection is refused by the FortiGate unit.
The FortiGate unit supports LDAP protocol functionality defined in RFC2251 for looking up and
validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with
LDAP v3.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of password
expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply
information to the user about why authentication failed.
LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With
PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP
(Challenge Handshake Authentication Protocol) is not.

Command syntax pattern


config user ldap
edit <name_str>
set <keyword> <variable>
end
config user ldap
edit <name_str>
unset <keyword>
end
config user ldap
delete <name_str>
end
get user ldap [<name_str>]
show user ldap [<name_str>]

ldap command keywords and variables


cnid <name_str>
    Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However some servers use other common name identifiers such as uid.
    Default: cn. Availability: All models.
dn <name_str>
    Enter the distinguished name used to look up entries on the LDAP server. It reflects the hierarchy of LDAP database object classes above the Common Name Identifier. The FortiGate unit passes this distinguished name unchanged to the server.
    Default: No default. Availability: All models.
port <port_integer>
    Enter the port number for communication with the LDAP server.
    Default: 389. Availability: All models.
server {<name_str> | <address_ipv4>}
    Enter the LDAP server domain name or IP address.
    Default: No default. Availability: All models.

Example
This example shows how to add an LDAP server called LDAP1 using the IP address 23.64.67.44,
the default port, the common name identifier cn, and the distinguished name
ou=marketing,dc=fortinet,dc=com.
config user ldap
edit LDAP1
set server 23.64.67.44
set cnid cn
set dn ou=marketing,dc=fortinet,dc=com
end
This example shows how to change the distinguished name in the example above to
ou=accounts,ou=marketing,dc=fortinet,dc=com.
config user ldap
edit LDAP1
set dn ou=accounts,ou=marketing,dc=fortinet,dc=com
end
This example shows how to display the list of configured LDAP servers.
get user ldap
This example shows how to display the settings for the LDAP server LDAP1.
get user ldap LDAP1
This example shows how to display the configuration for all the LDAP servers.
show user ldap
This example shows how to display the configuration for the LDAP server LDAP1.
show user ldap LDAP1

Command History
FortiOS v2.80 Revised.

Related Commands
• config user group
• config user local
• config user peer
• config user peergrp
• config user radius

config user local

local
Use this command to add local user names and configure user authentication for the FortiGate unit. To
add authentication by LDAP or RADIUS server you must first add servers using the config user
ldap and config user radius commands.

Command syntax pattern


config user local
edit <name_str>
set <keyword> <variable>
end
config user local
edit <name_str>
unset <keyword>
end
config user local
delete <name_str>
end
get user local [<name_str>]
show user local [<name_str>]

local command keywords and variables


ldap_server <name_str>
    Enter the name of the LDAP server with which the user must authenticate. You can only select an LDAP server that has been added to the list of LDAP servers. See "ldap" on page 302.
    Default: No default. Availability: All models. type ldap only.
passwd <password_str>
    Enter the password with which the user must authenticate. Passwords at least 6 characters long provide better security than shorter passwords.
    Default: No default. Availability: All models. type password only.
radius_server <name_str>
    Enter the name of the RADIUS server with which the user must authenticate. You can only select a RADIUS server that has been added to the list of RADIUS servers. See "radius" on page 310.
    Default: No default. Availability: All models. type radius only.
status {disable | enable}
    Enter enable to allow the local user to authenticate with the FortiGate unit.
    Default: enable. Availability: All models.
type {ldap | password | radius}
    Require the user to use a password, a RADIUS server, or an LDAP server for authentication.
    Default: No default. Availability: All models.

Example
This example shows how to add and enable a local user called Admin7 for authentication using the
RADIUS server RAD1, with the provision to try other RADIUS servers if unable to contact RAD1.
config user local
edit Admin7
set status enable
set type radius
set radius_server RAD1
set try_other enable
end
This example shows how to change the authentication method for the user Admin7 to password and
enter the password.
config user local
edit Admin7
set type password
set passwd abc123
end
This example shows how to display the list of configured local user names.
get user local
This example shows how to display the settings for the local user Admin7.
get user local Admin7
This example shows how to display the configuration for all local user names.
show user local
This example shows how to display the configuration for the local user Admin7.
show user local Admin7

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR2 Removed try_other keyword.

Related Commands
• config user group
• config user ldap
• config user peer
• config user peergrp
• config user radius

config user peer

peer
Use this command to add or edit peer (digital certificate holder) information. You use the peers you
define here in the config vpn ipsec phase1 command if you specify peertype as peer. Also,
you can add these peers to peer groups you define in the config user peergrp command.
This command refers to certificates imported into the FortiGate unit. You import CA certificates using
the execute vpn certificate ca import command. You import local certificates using the
execute vpn certificate key import or execute vpn certificate local import
commands.

Command syntax pattern


config user peer
edit <name_str>
set <keyword> <variable>
end
config user peer
edit <name_str>
unset <keyword>
end
config user peer
delete <name_str>
end
get user peer [<name_str>]
show user peer [<name_str>]

peer command keywords and variables


ca
    Enter the CA certificate name, as returned by execute vpn certificate ca list.
    Default: No default. Availability: All models.
cn
    Enter the peer certificate common name.
    Default: No default. Availability: All models.
cn-type {FQDN | email | ipv4 | string}
    Enter the peer certificate common name type.
    Default: string. Availability: All models.
subject
    Optionally, enter any of the peer certificate name constraints.
    Default: No default. Availability: All models.

Example
This example shows how to add the branch_office peer.
Configure the peer using the CA certificate name and peer information:
config user peer
edit branch_office
set ca CA_Cert_1
set cn [email protected]
set cn-type email
end

This example shows how to display the list of configured peers.
get user peer
This example shows how to display the settings for the peer branch_office.
get user peer branch_office
This example shows how to display the configuration for all the peers.
show user peer
This example shows how to display the configuration for the peer branch_office.
show user peer branch_office

Command History
FortiOS v2.80 MR2 New.

Related Commands
• config user peergrp
• config vpn ipsec phase1
• execute vpn certificate ca
• execute vpn certificate key
• execute vpn certificate local

config user peergrp

peergrp
Use this command to add or edit a peer group. Peers are digital certificate holders defined using the
config user peer command. You use the peer groups you define here in the config vpn ipsec
phase1 command if you specify peertype as peergrp.

Command syntax pattern


config user peergrp
edit <name_str>
set <keyword> <variable>
end
config user peergrp
edit <name_str>
unset <keyword>
end
config user peergrp
delete <name_str>
end
get user peergrp [<name_str>]
show user peergrp [<name_str>]

peergrp command keywords and variables


member <name_str> [<name_str> [<name_str> [<name_str> ... ]]]
    Enter the names of peers to add to the peer group. Separate names by spaces. To add or remove names from the group you must re-enter the whole list with the additions or deletions required.
    Default: No default. Availability: All models.

Example
This example shows how to add peers to the peergrp EU_branches.
config user peergrp
edit EU_branches
set member Sophia_branch Valencia_branch Cardiff_branch
end
This example shows how to display the list of configured peer groups.
get user peergrp
This example shows how to display the settings for the peergrp EU_branches.
get user peergrp EU_branches
This example shows how to display the configuration for all the peer groups.
show user peergrp
This example shows how to display the configuration for the peergrp EU_branches.
show user peergrp EU_branches

Command History
FortiOS v2.80 MR2 New.

Related Commands
• config user peer
• config vpn ipsec phase1

config user radius

radius
Use this command to add or edit the information used for RADIUS authentication.
The default port for RADIUS traffic is 1812. If your RADIUS server is using a different port you can
change the default RADIUS port. See config system global, and set "radius_port
<port_integer>" on page 246.

Command syntax pattern


config user radius
edit <name_str>
set <keyword> <variable>
end
config user radius
edit <name_str>
unset <keyword>
end
config user radius
delete <name_str>
end
get user radius [<name_str>]
show user radius [<name_str>]

radius command keywords and variables


secret <password_str>
    Enter the RADIUS server shared secret.
    Default: No default. Availability: All models.
server {<name_str> | <address_ipv4>}
    Enter the RADIUS server domain name or IP address.
    Default: No default. Availability: All models.

Example
This example shows how to add the radius server RAD1 at the IP address 206.205.204.203 and set
the shared secret as R1a2D3i4U5s.
config user radius
edit RAD1
set server 206.205.204.203
set secret R1a2D3i4U5s
end
This example shows how to display the list of configured RADIUS servers.
get user radius
This example shows how to display the settings for the RADIUS server RAD1.
get user radius RAD1
This example shows how to display the configuration for all the RADIUS servers.
show user radius

This example shows how to display the configuration for the RADIUS server RAD1.
show user radius RAD1

Command History
FortiOS v2.80 Revised.

Related Commands
• config user group
• config user ldap
• config user local
• config system global, set radius_port

config vpn
ipsec concentrator
ipsec manualkey
ipsec phase1
ipsec phase2
ipsec vip
l2tp
pinggen
pptp

config vpn ipsec concentrator

ipsec concentrator
Use this command to add IPSec phase 2 configurations (IPSec VPN tunnels) to a VPN concentrator.
The VPN concentrator collects hub-and-spoke tunnels into a group. The concentrator allows VPN
traffic to pass from one tunnel to the other through the FortiGate unit. The FortiGate unit functions as a
concentrator, or hub, in a hub-and-spoke network.

Note: VPN concentrators are not available in Transparent mode.

Command syntax pattern


config vpn ipsec concentrator
edit <name_str>
set <keyword> <variable>
end
config vpn ipsec concentrator
edit <name_str>
unset <keyword>
end
config vpn ipsec concentrator
delete <name_str>
end
get vpn ipsec concentrator [<name_str>]
show vpn ipsec concentrator [<name_str>]

ipsec concentrator command keywords and variables


member <name_str> [<name_str>] [<name_str>]
    The names of up to three VPN tunnels to add to the concentrator. Separate the tunnel names with spaces. To add or remove tunnels from the concentrator you must re-enter the whole list with the required additions or deletions. You can add AutoIKE key and manual key tunnels to a concentrator.
    Default: No default. Availability: All models.

Example
Use the following commands to add an IPSec VPN concentrator named Concen_1 and add three
tunnels to the concentrator.
config vpn ipsec concentrator
edit Concen_1
set member Tunnel_1 Tunnel_2 Tunnel_3
end
This example shows how to remove all tunnels assigned to an IPSec VPN concentrator named
Concen_1.
config vpn ipsec concentrator
edit Concen_1
unset member
end

This example shows how to display the settings for the Concen_1 concentrator.
get vpn ipsec concentrator Concen_1
This example shows how to display the configuration for the vpn ipsec concentrator command.
show vpn ipsec concentrator

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR4 Method for adding concentrators changed.

Related Commands
• config vpn ipsec phase1
• config vpn ipsec phase2

config vpn ipsec manualkey

ipsec manualkey
Use this command to configure manual key IPSec VPN tunnels.
Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a
remote IPSec VPN client or gateway that is also using manual key. A manual key VPN tunnel consists
of a name for the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel,
and the encryption and authentication algorithms to use for the tunnel. Because the keys are created
when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the
VPN gateway or client that connects to this tunnel must use the same encryption and authentication
algorithms and must have the same encryption and authentication keys.

Command syntax pattern


config vpn ipsec manualkey
edit <name_str>
set <keyword> <variable>
end
config vpn ipsec manualkey
edit <name_str>
unset <keyword>
end
config vpn ipsec manualkey
delete <name_str>
end
get vpn ipsec manualkey [<name_str>]
show vpn ipsec manualkey [<name_str>]

ipsec manualkey command keywords and variables


authentication {md5 | null | sha1}
    Select an authentication algorithm from the list. Make sure you use the same algorithm at both ends of the tunnel.
    Default: null. Availability: All models.
authkey <authentication-key_hex>
    If authentication is md5, enter a 32 digit (16 byte) hexadecimal number. Separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
    If authentication is sha1, enter a 40 digit (20 byte) hexadecimal number. Use a hyphen to separate the first 16 digits (8 bytes) from the remaining 24 digits (12 bytes).
    Digits can be 0 to 9, and a to f.
    Use the same authentication key at both ends of the tunnel.
    Default: No default. Availability: All models. authentication must be set to md5 or sha1.
concentrator <name_str>
    The name of a concentrator to which to add the manual key tunnel.
    Default: No default. Availability: All models. NAT/Route mode only.
encryption {3des | aes128 | aes192 | aes256 | des | null}
    Select an encryption algorithm from the list. Make sure you use the same algorithm at both ends of the tunnel.
    Default: null. Availability: All models.
enckey <encryption-key_hex>
    If encryption is des, enter a 16 digit (8 byte) hexadecimal number.
    If encryption is 3des, enter a 48 digit (24 byte) hexadecimal number.
    If encryption is aes128, enter a 32 digit (16 byte) hexadecimal number.
    If encryption is aes192, enter a 48 digit (24 byte) hexadecimal number.
    If encryption is aes256, enter a 64 digit (32 byte) hexadecimal number.
    Digits can be 0 to 9, and a to f.
    For all of the above, separate each 16 digit (8 byte) hexadecimal segment with a hyphen.
    Use the same encryption key at both ends of the tunnel.
    Default: No default. Availability: All models. encryption must be set to 3des, aes128, aes192, aes256, or des.
gateway <address_ipv4>
    The IP address of the remote gateway external interface.
    Default: 0.0.0.0. Availability: All models.
localspi <spi_hex>
    Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Remote SPI at the opposite end of the tunnel.
    Default: 0x0. Availability: All models.
remotespi <spi_hex>
    Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel.
    Default: 0x0. Availability: All models.

Example
Use the following command to add an IPSec VPN manual key tunnel with the following characteristics:
• Tunnel name: Manual_Tunnel
• Local SPI: 1000ff
• Remote SPI: 2000ff
• Remote gateway IP address: 206.37.33.45
• Encryption algorithm: 3DES
• Encryption keys: 003f2b01a9002f3b 004f4b0209003f01 3b00f23bff003eff
• Authentication algorithm: MD5
• Authentication keys: ff003f012ba900bb 00f402303f0100ff
config vpn ipsec manualkey
    edit Manual_Tunnel
        set localspi 1000ff
        set remotespi 2000ff
        set gateway 206.37.33.45
        set encryption 3des
        set enckey 003f2b01a9002f3b-004f4b0209003f01-3b00f23bff003eff
        set authentication md5
        set authkey ff003f012ba900bb-00f402303f0100ff
end


This example shows how to display the settings for the vpn ipsec manualkey command.
get vpn ipsec manualkey
This example shows how to display the settings for the Manual_tunnel manual key configuration.
get vpn ipsec manualkey Manual_Tunnel
This example shows how to display the configuration for the vpn ipsec manualkey command.
show vpn ipsec manualkey
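As an added example (not from the Fortinet guide), the following Python script checks the key lengths, the hyphenated segment layout and the SPI range described in the keyword table above, then renders the CLI block; the function names and the validation messages are my own.

```python
"""Validate the parameters of a FortiGate ``config vpn ipsec manualkey`` entry
and render the CLI block.

Added example, not Fortinet code: key lengths, segment layout and SPI range
come from the keyword table; the function names and messages are mine."""
import ipaddress
import re

# Hex digits each algorithm's key must contain (enckey / authkey rows).
KEY_HEX_DIGITS = {
    "des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64,
    "md5": 32, "sha1": 40, "null": 0,
}
ENCRYPTION = {"3des", "aes128", "aes192", "aes256", "des", "null"}
AUTHENTICATION = {"md5", "null", "sha1"}
SPI_MIN, SPI_MAX = 0xBB8, 0xFFFFFFF  # localspi / remotespi range from the table


def segment_lengths(algorithm):
    """Hyphen-separated segment sizes the CLI expects for a key."""
    digits = KEY_HEX_DIGITS[algorithm]
    if algorithm == "sha1":        # 16 digits, hyphen, remaining 24 digits
        return (16, 24)
    return (16,) * (digits // 16)  # every other key: 16-digit (8-byte) segments


def format_key(algorithm, key_hex):
    """Normalise a key given with spaces, hyphens or neither into CLI form.

    Raises ValueError when the digit count or alphabet does not match the
    algorithm, the mistake that silently breaks a manual key tunnel."""
    raw = re.sub(r"[\s-]", "", key_hex).lower()
    if not re.fullmatch(r"[0-9a-f]*", raw):
        raise ValueError("key digits must be 0 to 9 and a to f")
    expected = KEY_HEX_DIGITS[algorithm]
    if len(raw) != expected:
        raise ValueError(f"{algorithm} key needs {expected} hex digits, got {len(raw)}")
    parts, pos = [], 0
    for size in segment_lengths(algorithm):
        parts.append(raw[pos:pos + size])
        pos += size
    return "-".join(parts)


def key_problem(algorithm, key_hex):
    """Return the validation message for a key, or None when it is acceptable."""
    try:
        format_key(algorithm, key_hex)
    except ValueError as exc:
        return str(exc)
    return None


def check_spi(spi_hex):
    """Return the SPI in lower-case hex if it lies inside bb8..FFFFFFF."""
    if not re.fullmatch(r"[0-9a-fA-F]{1,8}", spi_hex):
        raise ValueError("SPI must be 1 to 8 hexadecimal digits")
    value = int(spi_hex, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {spi_hex} outside range bb8 to FFFFFFF")
    return spi_hex.lower()


def manualkey_cli(name, localspi, remotespi, gateway, encryption, enckey=None,
                  authentication="null", authkey=None):
    """Validate one manual key tunnel and return its CLI lines as a string."""
    if encryption not in ENCRYPTION:
        raise ValueError(f"unknown encryption algorithm {encryption!r}")
    if authentication not in AUTHENTICATION:
        raise ValueError(f"unknown authentication algorithm {authentication!r}")
    ipaddress.IPv4Address(gateway)  # raises on a malformed gateway address
    lines = [
        "config vpn ipsec manualkey",
        f"    edit {name}",
        f"        set localspi {check_spi(localspi)}",
        f"        set remotespi {check_spi(remotespi)}",
        f"        set gateway {gateway}",
        f"        set encryption {encryption}",
    ]
    if encryption != "null":  # enckey only applies when encryption is not null
        lines.append(f"        set enckey {format_key(encryption, enckey or '')}")
    lines.append(f"        set authentication {authentication}")
    if authentication != "null":
        lines.append(f"        set authkey {format_key(authentication, authkey or '')}")
    lines.append("end")
    return "\n".join(lines)


# Constructed input: the values from the Manual_Tunnel example above.
EXAMPLE = manualkey_cli(
    "Manual_Tunnel", "1000ff", "2000ff", "206.37.33.45",
    "3des", "003f2b01a9002f3b 004f4b0209003f01 3b00f23bff003eff",
    "md5", "ff003f012ba900bb 00f402303f0100ff",
)

if __name__ == "__main__":
    print(EXAMPLE)
```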

Command History
FortiOS v2.80 Revised
FortiOS v2.80 MR3 concentrator keyword available in NAT/Route mode only.

Related Commands
• config vpn ipsec phase2



config vpn ipsec phase1

ipsec phase1
Use this command to add or edit IPSec phase 1 configurations.
When you add a phase 1 configuration, you define how the FortiGate unit and a remote VPN peer
(gateway or client) authenticate themselves to each other as part of establishing an IPSec VPN tunnel.
The phase 1 configuration specifies the name of a remote VPN peer, the nature of the connection
(static IP, dialup, or dynamic DNS), the encryption and authentication keys for the phase 1 proposal,
and the authentication method (preshared key or certificate). For authentication to be successful, the
FortiGate unit and the remote VPN peer must be configured with compatible phase 1 settings.
You can change all settings except the type setting after you define the configuration: if the address
type of a remote peer changes, you must delete the original phase 1 configuration and define a new
one. As a general rule, create only one phase 1 configuration per remote VPN peer.

Command syntax pattern


config vpn ipsec phase1
edit <name_str>
set <keyword> <variable>
end
config vpn ipsec phase1
edit <name_str>
unset <keyword>
end
config vpn ipsec phase1
delete <name_str>
end
get vpn ipsec phase1 [<name_str>]
show vpn ipsec phase1 [<name_str>]

ipsec phase1 command keywords and variables


authmethod {psk | rsa-signature}
    Enter psk to authenticate using a pre-shared key. Use psksecret to enter the pre-shared
    key.
    Enter rsa-signature to authenticate using a digital certificate. Use set
    rsa-certificate to enter the name of the digital certificate. You must configure
    certificates before selecting rsa-signature here. For more information, see execute
    “vpn certificate local” on page 379 and execute “vpn certificate ca” on page 377.
    Default: psk. Availability: All models.

authpasswd <password_str>
    Enter the XAuth client password for the FortiGate unit when xauthtype is set to client.
    Default: No default. Availability: All models. xauthtype must be set to client.

authusr <name_str>
    Enter the XAuth client user name for the FortiGate unit when xauthtype is set to client.
    Default: null. Availability: All models. xauthtype must be set to client.

authusrgrp <name_str>
    When the FortiGate unit is configured as an XAuth server, select the user group to
    authenticate remote VPN peers. The user group can contain local users, LDAP servers, and
    RADIUS servers. The user group must be added to the FortiGate configuration before it can
    be selected here. For more information, see “config user group” on page 300, “config user
    ldap” on page 302, “config user local” on page 304, and “config user radius” on page 310.
    Default: null. Availability: All models. xauthtype must be set to mixed, pap, or chap.

dhgrp {1 2 5}
    Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
    When using aggressive mode, DH groups cannot be negotiated.
    • If both VPN peers have static IP addresses and use aggressive mode, select a single DH
      group. The setting on the FortiGate unit must be identical to the setting on the remote
      peer or client.
    • When the VPN peer or client has a dynamic IP address and uses aggressive mode, select up
      to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup
      client. The setting on the remote peer or client must be identical to one of the
      selections on the FortiGate unit.
    • If the VPN peer or client employs main mode, you can select multiple DH groups. At least
      one of the settings on the remote peer or client must be identical to the selections on
      the FortiGate unit.
    Default: 5. Availability: All models.

dpd {disable | enable}
    Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection
    between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing
    new VPN tunnels. DPD is not supported by all vendors and is not used unless DPD is
    supported and enabled by both VPN peers.
    Default: disable. Availability: All models.

dpd-idlecleanup <seconds_integer>
    The DPD long idle setting when dpd is set to enable. Set the time, in seconds, that a link
    must remain unused before the local VPN peer pro-actively probes its state. After this
    period of time expires, the local peer will send a DPD probe to determine the status of
    the link even if there is no traffic between the local peer and the remote peer. The
    dpd-idlecleanup range is 100 to 28 800 and must be greater than the dpd-idleworry
    setting.
    Default: 300 seconds. Availability: All models. dpd must be set to enable.

dpd-idleworry <seconds_integer>
    The DPD short idle setting when dpd is set to enable. Set the time, in seconds, that a
    link must remain unused before the local VPN peer considers it to be idle. After this
    period of time expires, whenever the local peer sends traffic to the remote VPN peer it
    will also send a DPD probe to determine the status of the link. The dpd-idleworry range
    is 1 to 300.
    To control the length of time that the FortiGate unit takes to detect a dead peer with
    DPD probes, use the dpd-retrycount and dpd-retryinterval keywords.
    Default: 10 seconds. Availability: All models. dpd must be set to enable.

dpd-retrycount <retry_integer>
    The DPD retry count when dpd is set to enable. Set the number of times that the local VPN
    peer sends a DPD probe before it considers the link to be dead and tears down the security
    association (SA). The dpd-retrycount range is 0 to 10.
    To avoid false negatives due to congestion or other transient failures, set the retry
    count to a sufficiently high value for your network.
    Default: 3. Availability: All models. dpd must be set to enable.

dpd-retryinterval <seconds_integer>
    The DPD retry interval when dpd is set to enable. Set the time, in seconds, that the local
    VPN peer waits between sending DPD probes. The dpd-retryinterval range is 1 to 60.
    Default: 5 seconds. Availability: All models. dpd must be set to enable.

keepalive <seconds_integer>
    Set the NAT traversal keepalive frequency. This number specifies, in seconds, how
    frequently empty UDP packets are sent through the NAT device to make sure that the NAT
    mapping does not change until P1 and P2 security associations expire. The keepalive
    frequency can be from 0 to 900 seconds.
    Default: 5 seconds. Availability: All models. nattraversal must be set to enable.

keylife <seconds_integer>
    Set the keylife time in seconds. The keylife is the amount of time in seconds before the
    phase 1 encryption key expires. When the key expires, a new key is generated without
    interrupting service. seconds_integer can be from 120 to 172,800 seconds.
    Default: 28800 seconds. Availability: All models.

localid <id_str>
    Optionally enter a local ID if the FortiGate unit is functioning as a client and uses its
    local ID to authenticate itself to the remote VPN peer.
    If you add a local ID, the FortiGate unit sends it as if it is a domain name. If you do
    not add a local ID, the FortiGate unit sends the IP address of its external interface
    (pre-shared key authentication) or its distinguished name (certificate authentication).
    To exchange IDs, both VPN peers must use Aggressive mode.
    Default: null. Availability: All models.

mode {aggressive | main}
    Enter aggressive or main (ID Protection) mode. Both modes establish a secure channel.
    When using aggressive mode, the VPN peers exchange identifying information in the clear.
    When using main mode, identifying information is hidden.
    Aggressive mode is typically used when one VPN peer has a dynamic (dialup) address and
    uses its ID as part of the authentication process. Main mode is typically used when both
    VPN peers have static IP addresses.
    Default: main. Availability: All models.

nattraversal {disable | enable}
    Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that
    performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both
    ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you
    can set the keepalive frequency.
    Default: disable. Availability: All models.

peer <peer_str>
    Enter the name of the peer certificate that will be used to authenticate remote VPN
    clients or peers when peertype is set to peer. Use the command config user peer to add
    peer certificates. Peer certificates must be added to the FortiGate configuration before
    you can select one here. For more information, see “config user peer” on page 306.
    Default: null. Availability: All models. peertype must be set to peer.

peerid <peerid_str>
    Enter the peer ID that will be used to authenticate remote clients or peers by peer ID
    when peertype is set to one.
    Default: null. Availability: All models. peertype must be set to one.

peergrp <name_str>
    Enter the name of the peer certificate group that will be used to authenticate remote
    clients or peers when peertype is set to peergrp. The peer certificate group must be
    created before you can select it here. For more information, see “config user peergrp”
    on page 308.
    Default: null. Availability: All models. peertype must be set to peergrp.

peertype {any | dialup | one | peer | peergrp}
    Select the method for authenticating remote clients or peers when they connect to the
    FortiGate unit:
    • Enter any to accept any remote client or peer (peer IDs are not used for
      authentication purposes).
    • Enter one to authenticate remote VPN clients and/or peers that use the same peer ID.
      Use the peerid keyword to set the peer ID.
    • Enter dialup to authenticate dialup VPN clients that use unique peer IDs. In this case,
      you must create a group of dialup users for authentication purposes. Use the usrgrp
      keyword to set the user group name.
    • Enter peer to authenticate one or more certificate holders that use the same
      certificate. Use the peer keyword to enter the certificate name.
    • Enter peergrp to authenticate certificate holders that use unique certificates. In this
      case, you must create a group of certificate holders for authentication purposes. Use
      the peergrp keyword to set the certificate group name.
    Default: any. Availability: All models. dialup is not available unless type is set to
    dynamic and authmethod is set to psk. peer is not available unless authmethod is set to
    rsa-signature. peergrp is not available unless type is set to dynamic and authmethod is
    set to rsa-signature.

proposal {3des-md5 3des-sha1 aes128-md5 aes128-sha1 aes192-md5 aes192-sha1 aes256-md5
aes256-sha1 des-md5 des-sha1}
    Select a minimum of one and a maximum of three encryption-message digest combinations for
    the Phase 1 proposal (for example, 3des-md5). The remote peer must be configured to use
    at least one of the proposals that you define. Use a space to separate the combinations.
    You can select any of the following symmetric-key encryption algorithms:
    • null-Do not use an encryption algorithm.
    • des-Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    • 3des-Triple-DES, in which plain text is encrypted three times by three keys.
    • aes128-A 128-bit block algorithm that uses a 128-bit key.
    • aes192-A 128-bit block algorithm that uses a 192-bit key.
    • aes256-A 128-bit block algorithm that uses a 256-bit key.
    You can select either of the following message digests to check the authenticity of
    messages during an encrypted session:
    • null-Do not use a message digest.
    • md5-Message Digest 5, the hash algorithm developed by RSA Data Security.
    • sha1-Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: No default. Availability: All models.

psksecret <password_str>
    Enter the pre-shared key if authmethod is set to psk. The pre-shared key must be the same
    on the remote VPN gateway or client and should only be known by network administrators.
    The key must consist of at least 6 printable characters. For optimum protection against
    currently known attacks, the key should consist of a minimum of 16 randomly chosen
    alphanumeric characters.
    Default: No default. Availability: All models. authmethod must be set to psk.

remotegw <address_ipv4>
    Enter the static IP address of the remote VPN peer when type is set to static.
    Default: 0.0.0.0. Availability: All models. type must be set to static.

remotegw-ddns <name_str>
    Enter the fully qualified domain name of the remote VPN peer when type is set to ddns.
    Use this setting when the remote peer has a static domain name and a dynamic IP address
    (the IP address is obtained dynamically from an ISP and the remote peer subscribes to a
    dynamic DNS service).
    Default: No default. Availability: All models. type must be set to ddns.

rsa-certificate <name_str>
    Enter the name of the digital certificate if authmethod is set to rsa-signature. You
    must configure certificates before selecting rsa-certificate here. For more
    information, see “vpn certificate local” on page 379 and “vpn certificate ca” on
    page 377.
    Default: null. Availability: All models. authmethod must be set to rsa-signature.

type {ddns | dynamic | static}
    If the remote VPN peer has a static IP address, select static. Use the remotegw keyword
    to enter the IP address.
    If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), select
    dynamic.
    If the remote VPN peer has a dynamically assigned IP address and subscribes to a dynamic
    DNS service, enter ddns. Use the remotegw-ddns keyword to enter the domain name of the
    remote VPN peer.
    Default: static. Availability: All models.

usrgrp <name_str>
    Enter the name of the group of dialup VPN clients to authenticate when peertype is set to
    dialup. The user group must be added to the FortiGate configuration before it can be
    cross-referenced here. For more information, see “config user group” on page 300,
    “config user ldap” on page 302, “config user local” on page 304, and “config user radius”
    on page 310.
    Default: null. Availability: All models. peertype must be set to dialup.

xauthtype {chap | client | disable | mixed | pap}
    Optionally configure XAuth (eXtended Authentication).
    Select disable to disable XAuth.
    Select client to configure the FortiGate unit to act as an XAuth client. Use the authusr
    and authpasswd keywords to add the XAuth user name and password.
    Select mixed, pap, or chap to configure the FortiGate unit as an XAuth server. Use the
    authusrgrp keyword to select the user group containing members that must authenticate
    using XAuth.
    Default: disable. Availability: All models.

Example
Use the following command to add an IPSec VPN phase 1 configuration with the following
characteristics:
• Phase 1 configuration name: Simple_GW
• Remote peer address type: Dynamic
• Encryption and authentication proposal: des-md5
• Authentication method: psk
• Pre-shared key: Qf2p3O93jIj2bz7E
• Mode: aggressive
• Dead Peer Detection: disable
config vpn ipsec phase1
    edit Simple_GW
        set type dynamic
        set proposal des-md5
        set authmethod psk
        set psksecret Qf2p3O93jIj2bz7E
        set mode aggressive
        set dpd disable
end


This example shows how to display the settings for the vpn ipsec phase1 command.
get vpn ipsec phase1
This example shows how to display the settings for the Simple_GW Phase 1 configuration.
get vpn ipsec phase1 Simple_GW
This example shows how to display the configuration for the vpn ipsec phase1 command.
show vpn ipsec phase1
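As an added example that is not part of the guide, the following Python script applies the dhgrp, proposal, psksecret, type, peertype, keylife and DPD rules from the keyword table to a phase 1 configuration and estimates the DPD detection time; the cfg keys are the CLI keywords, while peer_proposals, peer_dhgrp and the detection-time formula are assumptions of mine.

```python
"""Check a phase 1 configuration against the rules in the keyword table above
and estimate how long DPD takes to declare a peer dead.

Added example, not Fortinet code. cfg is a dict keyed by the CLI keywords;
peer_proposals and peer_dhgrp describe what the remote peer offers
(assumptions, not FortiGate keywords)."""

PHASE1_PROPOSALS = {
    "3des-md5", "3des-sha1", "aes128-md5", "aes128-sha1", "aes192-md5",
    "aes192-sha1", "aes256-md5", "aes256-sha1", "des-md5", "des-sha1",
}
DH_GROUPS = {1, 2, 5}
DPD = {  # keyword: (default, low, high), from the table
    "dpd-idleworry": (10, 1, 300), "dpd-idlecleanup": (300, 100, 28800),
    "dpd-retrycount": (3, 0, 10), "dpd-retryinterval": (5, 1, 60),
}


def check_phase1(cfg, peer_proposals, peer_dhgrp):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    props = cfg.get("proposal", [])
    if not 1 <= len(props) <= 3 or not set(props) <= PHASE1_PROPOSALS:
        problems.append("proposal: list 1 to 3 valid phase 1 combinations")
    elif not set(props) & set(peer_proposals):
        problems.append("proposal: nothing in common with the remote peer")

    dh, peer_dh = set(cfg.get("dhgrp", [5])), set(peer_dhgrp)
    mode, ptype = cfg.get("mode", "main"), cfg.get("type", "static")
    authmethod = cfg.get("authmethod", "psk")
    if not dh <= DH_GROUPS or not 1 <= len(dh) <= 3:
        problems.append("dhgrp: select one to three of groups 1, 2 and 5")
    if mode == "aggressive":  # DH groups are not negotiated in aggressive mode
        if ptype == "static" and len(dh) != 1:
            problems.append("dhgrp: aggressive mode with a static peer needs one group")
        if len(peer_dh) != 1:
            problems.append("dhgrp: an aggressive mode peer must select one group")
    if not dh & peer_dh:
        problems.append("dhgrp: no group matches the remote peer")

    if authmethod == "psk":
        secret = cfg.get("psksecret", "")
        if len(secret) < 6 or not secret.isprintable():
            problems.append("psksecret: at least 6 printable characters required")
        elif len(secret) < 16:
            problems.append("psksecret: shorter than the recommended 16 random characters")
    elif not cfg.get("rsa-certificate"):
        problems.append("rsa-certificate: required when authmethod is rsa-signature")

    if ptype == "static" and cfg.get("remotegw", "0.0.0.0") == "0.0.0.0":
        problems.append("remotegw: a static peer needs an IP address")
    if ptype == "ddns" and not cfg.get("remotegw-ddns"):
        problems.append("remotegw-ddns: a ddns peer needs a domain name")
    peertype = cfg.get("peertype", "any")
    if peertype == "dialup" and (ptype, authmethod) != ("dynamic", "psk"):
        problems.append("peertype dialup: needs type dynamic and authmethod psk")
    if peertype == "peergrp" and (ptype, authmethod) != ("dynamic", "rsa-signature"):
        problems.append("peertype peergrp: needs type dynamic and authmethod rsa-signature")

    if not 120 <= cfg.get("keylife", 28800) <= 172800:
        problems.append("keylife: range is 120 to 172800 seconds")
    if cfg.get("dpd", "disable") == "enable":
        problems.extend(check_dpd(cfg))
    return problems


def check_dpd(cfg):
    """Range and ordering checks for the four DPD timers."""
    problems = []
    values = {k: cfg.get(k, d) for k, (d, _, _) in DPD.items()}
    for key, (_, low, high) in DPD.items():
        if not low <= values[key] <= high:
            problems.append(f"{key}: range is {low} to {high}")
    if values["dpd-idlecleanup"] <= values["dpd-idleworry"]:
        problems.append("dpd-idlecleanup must be greater than dpd-idleworry")
    return problems


def dpd_detection_time(cfg):
    """Approximate seconds until the SA is torn down, as (idle link, active link).

    Model (my assumption, not a documented formula): the first probe goes out when
    the idle timer expires, then dpd-retrycount further probes follow
    dpd-retryinterval seconds apart before the link is declared dead."""
    v = {k: cfg.get(k, d) for k, (d, _, _) in DPD.items()}
    probing = v["dpd-retrycount"] * v["dpd-retryinterval"]
    return v["dpd-idlecleanup"] + probing, v["dpd-idleworry"] + probing


# Constructed input: the Simple_GW example above; the peer is assumed to
# offer des-md5 and DH group 5.
SIMPLE_GW = {"type": "dynamic", "proposal": ["des-md5"], "authmethod": "psk",
             "psksecret": "Qf2p3O93jIj2bz7E", "mode": "aggressive",
             "dpd": "disable"}

if __name__ == "__main__":
    print(check_phase1(SIMPLE_GW, ["des-md5"], [5]))  # []
    print(dpd_detection_time({"dpd": "enable"}))      # (315, 25)
```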

Command History
FortiOS v2.80 Revised
FortiOS v2.80 MR2 Added two new parameters to the peertype keyword {peer | peergrp}.
Added two new keywords: peer and peergrp.

Related Commands
• config vpn ipsec phase2
• config user group
• config user local
• config user peer
• config user peergrp
• config user radius
• vpn certificate local
• vpn certificate ca



config vpn ipsec phase2

ipsec phase2
Use this command to add or edit an IPSec VPN phase 2 configuration. The FortiGate unit uses the
phase 2 configuration to create and maintain an IPSec VPN tunnel with a remote VPN peer (the VPN
gateway or client). The phase 2 configuration consists of a name for the VPN tunnel, the name or
names of already configured phase 1 remote gateways, the proposal settings (encryption and
authentication algorithms) and DH group used for phase 2. For phase 2 to be successful, the FortiGate
unit and the remote VPN peer must be configured with compatible proposal settings.

Command syntax pattern


config vpn ipsec phase2
edit <name_str>
set <keyword> <variable>
end
config vpn ipsec phase2
edit <name_str>
unset <keyword>
end
config vpn ipsec phase2
delete <name_str>
end
get vpn ipsec phase2 [<name_str>]
show vpn ipsec phase2 [<name_str>]

ipsec phase2 command keywords and variables


bindtoif <interface-name_str>
    This setting is not required for most configurations. The setting binds the tunnel to a
    single network interface (channel redundancy is disabled).
    Default: null. Availability: All models.

concentrator <name_str>
    Select a concentrator if you want the tunnel to be part of a hub and spoke VPN
    configuration that has already been added to the FortiGate unit.
    Default: No default. Availability: All models. NAT/Route mode.

dhcp-ipsec {disable | enable}
    If the tunnel will service remote dialup clients that broadcast a DHCP request when
    connecting to the tunnel, enable dhcp-ipsec. The FortiGate unit can relay the request to
    an external DHCP server.
    Default: disable. Availability: All models. phase1name must name a dialup gateway
    configuration.

dhgrp {1 | 2 | 5}
    Select the Diffie-Hellman group to propose for Phase 2 of the IPSec VPN connection. Select
    one of DH 1, 2 or 5. The VPN peers must use the same DH Group.
    Default: 5. Availability: All models.

dstaddr <name_str>
    Enter the name of the firewall destination IP address that corresponds to the recipient or
    network behind the remote VPN peer. You must create the firewall address using the config
    firewall address command before you can select it here. For more information, see
    “config firewall address” on page 64.
    Default: null. Availability: All models. selector must be set to specify.

dstport <port_integer>
    Enter the port number that the remote VPN peer uses to transport traffic related to the
    specified service (see protocol). The dstport range is 1 to 65535. To specify all ports,
    type 0.
    Default: 0. Availability: All models. selector must be set to specify.

internetbrowsing <interface-name_str>
    Select the interface through which remote VPN users using this VPN tunnel can connect to
    the Internet. Configure Internet browsing to allow dialup VPN clients to browse the
    internet over the IPSec VPN tunnel.
    Default: null. Availability: All models.

keepalive {disable | enable}
    Enable keep alive to keep the VPN tunnel running even if no data is being processed.
    Default: disable. Availability: All models.

keylife_type {both | kbs | seconds}
    Set when the phase 2 key expires. When the key expires, a new key is generated without
    interrupting service.
    • To make the key expire after a period of time has expired and after an amount of data
      is transmitted, select both.
    • To make the key expire after an amount of data is transmitted, select kbs. Use the
      keylifekbs keyword to set the amount of data that is transmitted.
    • To make the key expire after a number of seconds elapses, select seconds. Use the
      keylifeseconds keyword to set the amount of time that elapses.
    Default: seconds. Availability: All models.

keylifekbs <kb_integer>
    Set the number of KBytes of data to transmit before the phase 2 key expires. kb_integer
    can be 5120 to 99999 KBytes.
    Default: 5120. Availability: All models. keylife_type must be set to kbs or both.

keylifeseconds <seconds_integer>
    Set the number of seconds to elapse before the phase 2 key expires. seconds_integer can
    be 120 to 172800 seconds.
    Default: 1800. Availability: All models. keylife_type must be set to seconds or both.

pfs {disable | enable}
    Optionally, enable or disable perfect forward secrecy (PFS). PFS ensures that each key
    created during Phase 2 is unrelated to keys created during Phase 1 or to other keys
    created during Phase 2. PFS may cause minor delays during key generation.
    Default: disable. Availability: All models.

phase1name <name_str>
    Select a phase 1 gateway configuration name. Enter set phase1name followed by a space and
    a ? to view a list of available configurations.
    Default: No default. Availability: All models.

proposal {3des-md5 3des-null 3des-sha1 aes128-md5 aes128-null aes128-sha1 aes192-md5
aes192-null aes192-sha1 aes256-md5 aes256-null aes256-sha1 des-md5 des-null des-sha1
null-md5 null-null null-sha1}
    Select a minimum of one and a maximum of three encryption-message digest combinations
    (for example, 3des-md5). The remote peer must be configured to use at least one of the
    proposals that you define. Use a space to separate the combinations.
    You can select any of the following symmetric-key encryption algorithms:
    • null-Do not use an encryption algorithm.
    • des-Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
    • 3des-Triple-DES, in which plain text is encrypted three times by three keys.
    • aes128-A 128-bit block algorithm that uses a 128-bit key.
    • aes192-A 128-bit block algorithm that uses a 192-bit key.
    • aes256-A 128-bit block algorithm that uses a 256-bit key.
    You can select either of the following message digests to check the authenticity of
    messages during an encrypted session:
    • null-Do not use a message digest.
    • md5-Message Digest 5, the hash algorithm developed by RSA Data Security.
    • sha1-Secure Hash Algorithm 1, which produces a 160-bit message digest.
    Default: No default. Availability: All models.

protocol <protocol_integer>
    Enter the IP protocol number for the service. The protocol range is 1 to 255. To specify
    all services, type 0.
    Default: 0. Availability: All models. selector must be set to specify.

replay {disable | enable}
    Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized
    party intercepts a series of IPSec packets and replays them back into the tunnel. Enable
    replay detection to check the sequence number of every IPSec packet to see if it has been
    received before. If packets arrive out of sequence, the FortiGate unit discards them.
    You can configure the FortiGate unit to send an alert email when it detects a replay
    packet. See “config alertemail” on page 31.
    Default: disable. Availability: All models.

selector {policy | specify | wildcard}
    Enter the method for choosing selectors for IKE negotiations:
    • Select policy to choose a selector from a firewall encryption policy. The VPN tunnel
      specified in the firewall encryption policy will be referenced.
    • Select specify to specify the firewall encryption policy source and destination IP
      addresses, ports, and IP protocol to use for selector negotiations. When you choose
      specify, you must also enter values for the srcaddr, dstaddr, protocol, srcport, and
      dstport keywords.
    • Select wildcard to disable selector negotiation for this tunnel. Use this option to
      avoid negotiation errors (such as invalid ID information) when the set of policies
      between the peers is not symmetric.
    Default: policy. Availability: All models.

single-source {disable | enable}
    Enable or disable allowing all dialup clients to connect using the same phase 2 tunnel
    definition.
    Default: disable. Availability: All models.

srcaddr <name_str>
    Enter the name of the firewall source IP address that corresponds to the local sender or
    network behind the local VPN peer. You must create the firewall address using the config
    firewall address command before you can select it here. For more information, see
    “config firewall address” on page 64.
    Default: null. Availability: All models. selector must be set to specify.

srcport <port_integer>
    Enter the port number that the local VPN peer uses to transport traffic related to the
    specified service (see protocol). The srcport range is 1 to 65535. To specify all ports,
    type 0.
    Default: 0. Availability: All models. selector must be set to specify.

Example
Use the following command to add a phase 2 configuration with the following characteristics:
• Name: New_Tunnel
• Phase 1 name: Simple_GW
• Encryption and authentication proposal: 3des-sha1 aes256-sha1 des-md5
• Keylife type: seconds
• Keylife seconds: 18001
• Diffie-Hellman group: 2
• Replay detection: enable
• Perfect forward secrecy: enable
• Keepalive: enable

config vpn ipsec phase2
    edit New_Tunnel
        set phase1name Simple_GW
        set proposal 3des-sha1 aes256-sha1 des-md5
        set keylife_type seconds
        set keylifeseconds 18001
        set dhgrp 2
        set replay enable
        set pfs enable
        set keepalive enable
end
This example shows how to display the settings for the vpn ipsec phase2 command.
get vpn ipsec phase2
This example shows how to display the settings for the New_Tunnel Phase 2 configuration.
get vpn ipsec phase2 New_Tunnel
This example shows how to display the configuration for the vpn ipsec phase2 command.
show vpn ipsec phase2

Command History
FortiOS v2.80 Revised
FortiOS v2.80 MR3 concentrator keyword available in NAT/Route mode only.
FortiOS v2.80 MR7 wildcardid keyword removed.
selector keyword and associated srcaddr, dstaddr, protocol,
srcport, and dstport keywords added.
single-source keyword added.

Related Commands
• config vpn ipsec phase1
• config alertemail filter
• config alertemail setting
• config firewall policy



config vpn ipsec vip

ipsec vip
A FortiGate unit can act as a proxy by answering ARP requests locally and forwarding the associated
traffic to the intended destination host over an IPSec VPN tunnel. The feature is intended to enable
IPSec VPN communications between two hosts that coordinate the same private address space on
physically separate networks. The IP addresses of both the source host and the destination host must
be unique. The ipsec vip command lets you specify the IP addresses that can be accessed at the
remote end of the VPN tunnel. You must configure IPSec virtual IP (VIP) addresses at both ends of the
IPSec VPN tunnel.
Adding an IPSec VIP entry to the VIP table enables a FortiGate unit to respond to ARP requests
destined for remote servers and route traffic to the intended destinations automatically. Each IPSec
VIP entry is identified by an integer. An entry identifies the name of the FortiGate interface to the
destination network, and the IP address of a destination host on the destination network. Specify a VIP
address for every host that needs to be accessed on the other side of the tunnel—you can define a
maximum of 32 IPSec VIP addresses on the same interface.

Note: The interface to the destination network must be associated with a VPN tunnel through a firewall encryption
policy (action must be set to encrypt). The policy determines which VPN tunnel will be selected to forward
traffic to the destination. When you create IPSec VIP entries, check the encryption policy on the FortiGate
interface to the destination network to ensure that it meets your requirements.

Command syntax pattern


config vpn ipsec vip
edit <vip_integer>
set <keyword> <variable>
end
config vpn ipsec vip
edit <vip_integer>
unset <keyword>
end
config vpn ipsec vip
delete <vip_integer>
end
get vpn ipsec vip [<vip_integer>]
show vpn ipsec vip [<vip_integer>]

ipsec vip command keywords and variables


ip <address_ipv4>
    The IP address of the destination host on the destination network.
    Default: 0.0.0.0. Availability: All models.

out-interface <interface-name_str>
    The name of the FortiGate interface to the destination network.
    Default: null. Availability: All models.


Example
The following commands add IPSec VIP entries for two remote hosts that can be accessed by a
FortiGate unit through an IPSec VPN tunnel on the external interface of the FortiGate unit. Similar
commands must be entered on the FortiGate unit at the other end of the IPSec VPN tunnel.
config vpn ipsec vip
    edit 1
        set ip 192.168.12.1
        set out-interface external
    next
    edit 2
        set ip 192.168.12.2
        set out-interface external
end

Note: Typing next lets you define another VIP address without leaving the vip shell.

This example shows how to display the settings for the vpn ipsec vip command.
get vpn ipsec vip
This example shows how to display the settings for the VIP entry named 1.
get vpn ipsec vip 1
This example shows how to display the current configuration of all existing VIP entries.
show vpn ipsec vip

Command History
FortiOS v2.80 MR4 New

Related Commands
• config vpn ipsec phase1
• config vpn ipsec phase2



config vpn l2tp

l2tp
Use this command to enable L2TP and specify a local address range to reserve for remote L2TP
clients. When a remote L2TP client connects to the internal network through an L2TP VPN, the client is
assigned an IP address from the specified range.
L2TP clients must authenticate with the FortiGate unit when an L2TP session starts. To support L2TP
authentication on the FortiGate unit, you must define the L2TP users who need access and then add
them to a user group. For more information, see “config user group” on page 300, “config user ldap” on
page 302, “config user local” on page 304, and “config user radius” on page 310.
You need to define a firewall policy to control services inside the L2TP tunnel. For more information,
see “config firewall” on page 63. When you define the firewall policy:
• Create an external -> internal policy.
• Set the source address to match the L2TP address range.
• Set the destination address to reflect the private address range of the internal network behind the
local FortiGate unit.
• Set the policy service(s) to match the type(s) of traffic that L2TP users may generate.
• Set the policy action to accept.
• Enable NAT if required.

Note: The first time you configure the L2TP address range you must enter a starting IP, an ending IP, and a user
group.

Note: You can configure L2TP VPNs on FortiGate units that run in NAT/Route mode.

Command syntax pattern


config vpn l2tp
set <keyword> <variable>
end
config vpn l2tp
unset <keyword>
end
get vpn l2tp
show vpn l2tp

l2tp command keywords and variables

eip <address_ipv4>
    The ending IP address of the L2TP address range.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
sip <address_ipv4>
    The starting IP address of the L2TP address range.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
status {disable | enable}
    Enable or disable L2TP VPN.
    Default: disable. Availability: All models. NAT/Route mode only.
usrgrp <name_str>
    Enter the name of the user group for authenticating L2TP clients. The user group must be added to the FortiGate configuration before it can be specified here. For more information, see “config user group” on page 300, “config user ldap” on page 302, “config user local” on page 304, and “config user radius” on page 310.
    Default: null. Availability: All models. NAT/Route mode only. status must be set to enable.

Example
This example shows how to enable L2TP and set the L2TP address range for the first time using a
starting address of 192.168.1.150, an ending address of 192.168.1.160 and an existing group of
L2TP users named L2TP_users:
config vpn l2tp
set sip 192.168.1.150
set eip 192.168.1.160
set status enable
set usrgrp L2TP_users
end
This example shows how to display the settings for the vpn l2tp command.
get vpn l2tp
This example shows how to display the configuration for the vpn l2tp command.
show vpn l2tp

Command History
FortiOS v2.80 Revised

Related Commands
• config user group
• config firewall policy

config vpn pinggen

pinggen
Use this command to generate periodic traffic on one or two VPN tunnels.
The ping generator generates traffic in an IPSec VPN tunnel to keep the tunnel connection open at
times when no traffic is being generated inside the tunnel. For example, the ping generator is useful in
scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes
periodically; traffic may be suspended while the IP address changes. You may also use the ping
generator to troubleshoot network connectivity inside a VPN tunnel.
You can configure settings to generate traffic through two tunnels simultaneously. The ping interval is
fixed at 40 seconds.
The source and destination IP addresses refer to the source and destination addresses of IP packets
that are to be transported through the VPN. When source and destination addresses of 0.0.0.0 are
specified, no ping traffic is generated between the source and destination.

Command syntax pattern


config vpn pinggen
set <keyword> <variable>
end
config vpn pinggen
unset <keyword>
end

pinggen command keywords and variables

dst <address_ipv4>
    Enter the IP address of the computer to ping at the remote end of the VPN tunnel.
    Default: 0.0.0.0. Availability: All models.
dst2 <address_ipv4>
    If you want to generate traffic on a second VPN tunnel simultaneously, enter the IP address of the computer to ping at the remote end of the second VPN tunnel.
    Default: 0.0.0.0. Availability: All models.
src <address_ipv4>
    Enter the private IP address from which traffic may originate locally (for example, 192.168.20.1).
    Default: 0.0.0.0. Availability: All models.
src2 <address_ipv4>
    If you want to generate traffic on a second VPN tunnel simultaneously, enter a second private IP address from which traffic may originate locally (for example, 192.168.20.2).
    Default: 0.0.0.0. Availability: All models.
status {disable | enable}
    Disable or enable pinging between the specified source and destination addresses.
    Default: disable. Availability: All models.

Example
This example shows how to enable the generation of traffic between a local computer at IP address
192.168.20.1 and a remote computer at IP address 172.16.2.12. The computers communicate
through an IPSec VPN.
config vpn pinggen
set src 192.168.20.1
set dst 172.16.2.12
set status enable
end
This example shows how to display the settings for the vpn pinggen command.
get vpn pinggen
This example shows how to display the configuration for the vpn pinggen command.
show vpn pinggen

Command History
FortiOS v2.80 Revised

Related Commands
• config vpn ipsec phase2

config vpn pptp

pptp
Use this command to enable PPTP and specify a local address range to reserve for remote PPTP
clients. When a remote PPTP client connects to the internal network through a PPTP VPN, the client is
assigned an IP address from the specified range.
PPTP clients must authenticate with the FortiGate unit when a PPTP session starts. To support PPTP
authentication on the FortiGate unit, you must define the PPTP users who need access and then add
them to a user group. For more information, see “config user group” on page 300, “config user ldap” on
page 302, “config user local” on page 304, and “config user radius” on page 310.
You need to define a firewall policy to control services inside the PPTP tunnel. For more information,
see “config firewall” on page 63. When you define the firewall policy:
• Create an external -> internal policy.
• Set the source address to match the PPTP address range.
• Set the destination address to reflect the private address range of the internal network behind the
local FortiGate unit.
• Set the policy service(s) to match the type(s) of traffic that PPTP users may generate.
• Set the policy action to accept.
• Enable NAT if required.

Note: The first time you configure the PPTP address range you must enter a starting IP, an ending IP, and a user
group.

Note: You can configure PPTP VPNs on FortiGate units that run in NAT/Route mode.

Command syntax pattern


config vpn pptp
set <keyword> <variable>
end
config vpn pptp
unset <keyword>
end
get vpn pptp
show vpn pptp

pptp command keywords and variables

eip <address_ipv4>
    The ending address of the PPTP address range.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
sip <address_ipv4>
    The starting address of the PPTP address range.
    Default: 0.0.0.0. Availability: All models. NAT/Route mode only.
status {disable | enable}
    Enable or disable PPTP VPN.
    Default: disable. Availability: All models. NAT/Route mode only.
usrgrp <name_str>
    Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. For more information, see “config user group” on page 300, “config user ldap” on page 302, “config user local” on page 304, and “config user radius” on page 310.
    Default: null. Availability: All models. NAT/Route mode only. status must be set to enable.

Example
This example shows how to enable PPTP and set the PPTP address range for the first time using a
starting address of 192.168.1.100, an ending address of 192.168.1.130 and an existing group of
PPTP users named PPTP_users:
config vpn pptp
set sip 192.168.1.100
set eip 192.168.1.130
set status enable
set usrgrp PPTP_users
end
This example shows how to display the settings for the vpn pptp command.
get vpn pptp
This example shows how to display the configuration for the vpn pptp command.
show vpn pptp

Command History
FortiOS v2.80 Revised

Related Commands
• config user group
• config firewall policy

config webfilter
bword
catblock
script
urlblock
urlexm
urlpat

config webfilter bword

bword
Use this command to add entries to the Web content block list and to edit their options.
You can add one or more banned words to block Web pages containing those words. Banned words
can be one word or a text string up to 80 characters long. The maximum number of banned words and
patterns in the list is 32. The FortiGate unit blocks Web pages containing banned words and displays a
replacement message instead.
If you enter a single word, the FortiGate unit blocks all Web pages that contain that word. You can add
phrases by enclosing the phrase in ‘single quotes’. If you enter a phrase, the FortiGate unit blocks all
Web pages containing any word in the phrase. You can add exact phrases by enclosing the phrases in
“quotation marks”. If you enclose the phrase in quotation marks, the FortiGate unit blocks all Web
pages containing the exact phrase.
You can create banned word patterns using wildcards or Perl regular expressions. See “Using Perl
regular expressions” on page 28.

Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase
case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances of bad
language regardless of case. Wildcard patterns are not case sensitive.

Command syntax pattern


config webfilter bword
edit <word_str>
set <keyword> <variable>
end
config webfilter bword
edit <word_str>
unset <keyword>
end
config webfilter bword
delete <word_str>
end
get webfilter bword [<word_str>]
show webfilter bword [<word_str>]

bword command keywords and variables

language {french | japanese | korean | simch | thai | trach | western}
    Enter the language character set used for the banned word or phrase. Choose from French, Japanese, Korean, Simplified Chinese, Thai, Traditional Chinese, or Western.
    Default: western. Availability: All models.
pattern_type {regexp | wildcard}
    Set the pattern type for the banned word. Choose from regexp or wildcard. You can create patterns for banned words using Perl regular expressions or wildcards.
    Default: wildcard. Availability: All models.
status {disable | enable}
    Enable or disable the banned word.
    Default: No default. Availability: All models.

Example
This example shows how to add the exact phrase “free credit report” to the Web content block list,
enable it, and set the language (character set) as Western.
config webfilter bword
edit “free credit report”
set status enable
set language western
end
This example shows how to display the webfilter banned word list.
get webfilter bword
This example shows how to display the settings for the banned word badword.
get webfilter bword badword
This example shows how to display the configuration for the entire banned word list.
show webfilter bword
If the show command returns you to the prompt, there are no banned words in the list.
This example shows how to display the configuration for the banned word badword.
show webfilter bword badword
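The matching rules described above (a single word, a 'single-quoted' phrase that matches on any of its words, a "double-quoted" exact phrase, wildcard words, and Perl-style /regexp/ with the /i case-insensitivity flag), as an added Python model of the content block list; this is example code, not FortiGate code. The word tokenising, the acceptance of curly as well as straight quotes, and the order in which entries are tested are assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass

# Limits given for the content block list: at most 32 entries of up to 80 characters.
MAX_ENTRIES = 32
MAX_ENTRY_LEN = 80


@dataclass
class BannedWord:
    """One block-list entry, using the keyword names of the bword table."""
    text: str
    pattern_type: str = "wildcard"  # wildcard (default) or regexp
    status: str = "enable"


def _words(text):
    """Lower-cased word tokens; wildcard and phrase matching are not case sensitive."""
    return re.findall(r"\w+", text.lower())


def _contains_sequence(words, phrase):
    """True if the word list `phrase` occurs contiguously inside `words`."""
    n = len(phrase)
    return n > 0 and any(words[i:i + n] == phrase for i in range(len(words) - n + 1))


def compile_entry(entry):
    """Return a predicate page_text -> bool implementing the entry's matching rule."""
    text = entry.text
    if entry.pattern_type == "regexp":
        # Perl-style /pattern/ with an optional trailing i; regexps are case
        # sensitive unless /i is given.
        m = re.fullmatch(r"/(.*)/(i?)", text, re.DOTALL)
        if m:
            rx = re.compile(m.group(1), re.IGNORECASE if m.group(2) else 0)
        else:
            rx = re.compile(text)
        return lambda page: rx.search(page) is not None
    if len(text) >= 2 and text[0] in "\"\u201c" and text[-1] in "\"\u201d":
        # "quotation marks": block only pages that contain the exact phrase
        phrase = _words(text[1:-1])
        return lambda page: _contains_sequence(_words(page), phrase)
    if len(text) >= 2 and text[0] in "'\u2018" and text[-1] in "'\u2019":
        # 'single quotes': block pages that contain any word of the phrase
        words = set(_words(text[1:-1]))
        return lambda page: any(w in words for w in _words(page))
    # a single word, optionally with * and ? wildcards, tested against each page word
    pattern = text.lower()
    return lambda page: any(fnmatch.fnmatchcase(w, pattern) for w in _words(page))


def check_page(block_list, page_text):
    """Return the text of the first enabled entry that matches the page, or None
    if the page is allowed (the unit serves a replacement message on a hit)."""
    if len(block_list) > MAX_ENTRIES:
        raise ValueError("the block list holds at most %d entries" % MAX_ENTRIES)
    for entry in block_list:
        if len(entry.text) > MAX_ENTRY_LEN:
            raise ValueError("entry longer than %d characters: %r" % (MAX_ENTRY_LEN, entry.text))
        if entry.status != "enable":
            continue
        if compile_entry(entry)(page_text):
            return entry.text
    return None


# Constructed sample list: one entry of each form described above.
BWORD_LIST = [
    BannedWord('"free credit report"'),                    # exact phrase
    BannedWord("'get rich quick'"),                        # any word of the phrase
    BannedWord("casino*"),                                 # wildcard word
    BannedWord("/bad language/i", pattern_type="regexp"),  # case-insensitive regexp
    BannedWord("/Viagra/", pattern_type="regexp"),         # case-sensitive regexp
    BannedWord("lottery", status="disable"),               # disabled entries never match
]

if __name__ == "__main__":
    for page in ("Get your FREE CREDIT REPORT today", "Free report on your credit score",
                 "A quick guide to gardening", "No BAD LANGUAGE here", "viagra ads"):
        print("%-40s -> %s" % (page, check_page(BWORD_LIST, page)))
```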

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• webfilter catblock
• webfilter script
• webfilter urlblock
• webfilter urlexm
• webfilter urlpat

config webfilter catblock

catblock
Use this command to configure Web filtering by specific categories using FortiGuard URL filtering.

FortiGuard category blocking


FortiGuard is a web filtering solution provided by Fortinet. FortiGuard sorts thousands of Web pages
into a wide variety of categories that users can allow, block, or monitor. Categories are also organized
into broader groups to make configuration fast and easy. The FortiGate unit accesses the nearest
FortiGuard server to determine the category of a requested web page and then follows the firewall
policy configured for that user or interface. FortiGuard servers are located worldwide.

FortiGuard licensing
Every FortiGate unit comes with a free 30-day FortiGuard trial license. FortiGuard license
management is done by the FortiGuard server, so there is no need to enter a license number. The
FortiGate unit automatically contacts the FortiGuard servers when you enable FortiGuard category
blocking.
When you want to renew your FortiGuard license after the free trial, contact Fortinet Technical
Support.

FortiGuard configuration
Once enabled, FortiGuard category block settings apply globally. After enabling FortiGuard you can
configure different categories for each firewall protection profile you create.
See “config firewall profile” on page 84 to configure FortiGuard category blocking in a protection
profile.
See “FortiGuard categories” in the FortiGate Administration Guide for a complete list and description of
the FortiGuard web filter categories.

Command syntax pattern


config webfilter catblock
set <keyword> <variable>
end
config webfilter catblock
unset <keyword>
end
get webfilter catblock
show webfilter catblock

catblock command keywords and variables

cache {disable | enable}
    Enable or disable caching of category ratings for accessed URLs. This means that the FortiGate unit does not have to contact the server each time a commonly requested URL is accessed. The cache is configured to use 6% of the FortiGate RAM. When the cache is full, the least recently accessed URL is deleted.
    Default: disable. Availability: All models.
cache_ttl <ttl_integer>
    Enter the cache time to live (TTL) in seconds. Represents the number of seconds to store URL ratings in the cache before contacting the server again.
    Default: 3600. Availability: All models.
ftgd_hostname <url_str>
    The host name of the FortiGuard servers. The FortiGate unit comes preconfigured with the host name. Use this command only if you need to change the host name.
    Default: guard.fortinet.com. Availability: All models. service fortiguard only.
img_sink_ip <image_ipv4>
    The IP address of the blanking image used when FortiGuard has replaced a rated image with a blank image. Change this IP address if you have changed the FortiGuard server host name.
    Default: 208.181.115.201. Availability: All models.
service {fortiguard}
    Set the Web category blocking service.
    Default: fortiguard. Availability: All models.
status {disable | enable}
    Enable or disable the Web category blocking service.
    Default: disable. Availability: All models.

Example
This example shows how to enable FortiGuard category blocking with cache enabled and a TTL of 30
minutes (1800 seconds).
config webfilter catblock
set status enable
set service fortiguard
set cache enable
set cache_ttl 1800
end
This example shows how to display the catblock settings.
get webfilter catblock
This example shows how to display the configuration for the catblock settings.
show webfilter catblock
If the show command returns you to the prompt, the settings are at default.

Command History
FortiOS v2.80 New.
FortiOS v2.80 MR2 Added cerb_hostname, cerb_port, ftgd_hostname, and ftgd_port keywords.
Changed license to cerb_license.
FortiOS v2.80 MR4 Removed cerb_hostname, cerb_license, and cerb_port keywords.
Removed ftgd_port keyword.
FortiOS v2.80 MR8 Added spamfsurl for the FortiShield spam filter URL blacklist to imap, pop3, and smtp
keywords. Added the rate_image_urls setting to the cat_options keyword.

Related Commands
• config firewall profile
• config webfilter bword
• config webfilter script
• config webfilter urlblock
• config webfilter urlexm
• config webfilter urlpat

config webfilter script

script
Use this command to configure the FortiGate unit to block Java applets, cookies, ActiveX controls, or
scripts from Web pages.

Note: Blocking any of these items may prevent some Web pages from functioning and displaying correctly.

Command syntax pattern


config webfilter script
set <keyword> <variable>
end
config webfilter script
unset <keyword>
end
get webfilter script
show webfilter script

script command keywords and variables

filter {activex cookie java}
    Enter activex, cookie, and java as required to block Web pages containing these items.
    Default: No default. Availability: All models.

Example
This example shows how to configure the FortiGate unit to block Web pages containing ActiveX
controls and Java applets.
config webfilter script
set filter activex java
end
This example shows how to display the script settings.
get webfilter script
This example shows how to display the configuration for the script settings.
show webfilter script
If the show command returns you to the prompt, the settings are at default.

Command History
FortiOS v2.80 Revised.
FortiOS v2.80 MR6 Removed script variable from filter keyword. No change in functionality.

Related Commands
• webfilter bword
• webfilter catblock
• webfilter urlblock
• webfilter urlexm
• webfilter urlpat

config webfilter urlblock

urlblock
Use this command to block access to specific URLs by adding them to the URL block list. The
FortiGate unit blocks Web pages matching any specified URLs and displays a replacement message
instead.
You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP
address. You can also block individual pages on a website by including the full path and filename of
the web page to block.
Type a top-level URL or IP address to block access to all pages on a website. For example,
www.badsite.com or 122.133.144.155 blocks access to all pages at this website.
Type a top-level URL followed by the path and filename to block access to a single page on a website.
For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news
page on this website.
To block all pages with a URL that ends with badsite.com, add badsite.com to the block list. For
example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com,
www.finance.badsite.com, and so on.

Command syntax pattern


config webfilter urlblock
edit <url_str>
set <keyword> <variable>
end
config webfilter urlblock
edit <url_str>
unset <keyword>
end
config webfilter urlblock
delete <url_str>
end
get webfilter urlblock [<url_str>]
show webfilter urlblock [<url_str>]

urlblock command keywords and variables

status {disable | enable}
    Enable or disable URL blocking for each URL.
    Default: disable. Availability: All models.

Example
This example shows how to add the Web page www.badsite.com to the URL block list and enable
URL blocking for this site.
config webfilter urlblock
edit www.badsite.com
set status enable
end

This example shows how to display the webfilter URL block list.
get webfilter urlblock
This example shows how to display the settings for the URL www.badsite.com.
get webfilter urlblock www.badsite.com
This example shows how to display the configuration for the entire URL block list.
show webfilter urlblock
If the show command returns you to the prompt, there are no URLs in the list.
This example shows how to display the configuration for the URL www.badsite.com.
show webfilter urlblock www.badsite.com

Command History
FortiOS v2.80 Substantially revised

Related Commands
• webfilter bword
• webfilter catblock
• webfilter script
• webfilter urlexm
• webfilter urlpat

config webfilter urlexm

urlexm
Use this command to configure specific URLs as exempt from any of the Web Filtering block lists. You
can configure the URL exempt list with trusted URLs that you do not want to be subject to any
blocking. The URL exempt list functions the same way as the URL block list.

Command syntax pattern


config webfilter urlexm
edit <url_str>
set <keyword> <variable>
end
config webfilter urlexm
edit <url_str>
unset <keyword>
end
config webfilter urlexm
delete <url_str>
end
get webfilter urlexm [<url_str>]
show webfilter urlexm [<url_str>]

urlexm command keywords and variables

status {disable | enable}
    Enable or disable URL exempt for each URL.
    Default: disable. Availability: All models.

Example
Use the following commands to enable and add the Web page www.fortinet.com to the URL
exempt list.
config webfilter urlexm
edit www.fortinet.com
set status enable
end
This example shows how to display the webfilter URL exempt list.
get webfilter urlexm
This example shows how to display the settings for the URL www.fortinet.com.
get webfilter urlexm www.fortinet.com
This example shows how to display the configuration for the entire URL exempt list.
show webfilter urlexm
If the show command returns you to the prompt, there are no URLs in the list.
This example shows how to display the configuration for the URL www.fortinet.com.
show webfilter urlexm www.fortinet.com

Command History
FortiOS v2.80 Substantially revised.

Related Commands
• webfilter bword
• webfilter catblock
• webfilter script
• webfilter urlblock
• webfilter urlpat

config webfilter urlpat

urlpat
Use this command to block all URLs that match patterns you create using text and regular expressions
(or wildcard characters). For example, badsite.* matches badsite.com, badsite.org,
badsite.net and so on. The FortiGate unit blocks Web pages that match any configured pattern
and displays a replacement message instead.

FortiGate web pattern blocking supports standard regular expressions. You can add up to 20 patterns
to the web pattern block list.

Command syntax pattern


config webfilter urlpat
edit <url-pattern_str>
set <keyword> <variable>
end
config webfilter urlpat
edit <url-pattern_str>
unset <keyword>
end
config webfilter urlpat
delete <url-pattern_str>
end
get webfilter urlpat [<url-pattern_str>]
show webfilter urlpat [<url-pattern_str>]

urlpat command keywords and variables

status {disable | enable}
    Enable or disable URL blocking for each pattern.
    Default: disable. Availability: All models.

Example
This example shows how to enable and add the pattern badsite.* to the URL block list.
config webfilter urlpat
edit badsite.*
set status enable
end
This example shows how to display the webfilter URL pattern block list.
get webfilter urlpat
This example shows how to display the settings for the URL pattern www.badsite.*.
get webfilter urlpat www.badsite.*
This example shows how to display the configuration for the entire URL pattern block list.
show webfilter urlpat
If the show command returns you to the prompt, there are no URL patterns in the list.

This example shows how to display the configuration for the URL pattern www.badsite.*.
show webfilter urlpat www.badsite.*
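The URL block list (urlblock), URL exempt list (urlexm) and URL pattern list (urlpat) described in the preceding sections, combined into one added Python decision function; this is example code, not FortiGate code. It assumes that an exempt entry takes precedence over both block lists, that urlexm entries use the urlblock matching rules (whole site, single page, or bare-domain suffix) quoted above, and that urlpat entries are unanchored regular expressions searched over the lower-cased host and path.

```python
import re
from urllib.parse import urlsplit

# Limit given for the URL pattern block list.
MAX_PATTERNS = 20


def _split(url):
    """Return (host, path) for a request URL or a list entry. Entries are written
    without a scheme (www.badsite.com/news.html), so one is assumed if missing."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip("."), parts.path or "/"


def entry_matches(entry, url):
    """Matching rule of a URL block or URL exempt list entry (both lists use it)."""
    e_host, e_path = _split(entry)
    host, path = _split(url)
    if e_path != "/":
        # host plus path and filename: matches that single page only
        return host == e_host and path == e_path
    # top-level URL or IP address: every page on that site; a bare domain such as
    # badsite.com also covers www.badsite.com, mail.badsite.com, and so on
    return host == e_host or host.endswith("." + e_host)


def pattern_matches(pattern, url):
    """Matching rule of a URL pattern entry (assumption: an unanchored regular
    expression searched over the lower-cased host and path)."""
    host, path = _split(url)
    return re.search(pattern, (host + path).lower()) is not None


def filter_url(url, exempt_list, block_list, pattern_list):
    """Return ("allow", reason) or ("block", reason). Each list holds (entry, status)
    pairs; an enabled exempt entry wins over both block lists."""
    if len(pattern_list) > MAX_PATTERNS:
        raise ValueError("the URL pattern list holds at most %d patterns" % MAX_PATTERNS)
    for entry, status in exempt_list:
        if status == "enable" and entry_matches(entry, url):
            return "allow", "urlexm " + entry
    for entry, status in block_list:
        if status == "enable" and entry_matches(entry, url):
            return "block", "urlblock " + entry
    for pattern, status in pattern_list:
        if status == "enable" and pattern_matches(pattern, url):
            return "block", "urlpat " + pattern
    return "allow", "no match"


# Constructed sample lists built from the entries discussed in these sections.
URL_EXEMPT_LIST = [("www.fortinet.com", "enable")]
URL_BLOCK_LIST = [
    ("www.badsite.com", "enable"),            # whole site
    ("122.133.144.155/news.html", "enable"),  # single page
    ("badsite.net", "enable"),                # every host ending in badsite.net
    ("www.badsite.org", "disable"),           # disabled: no effect
]
URL_PATTERN_LIST = [("badsite.*", "enable")]

if __name__ == "__main__":
    for url in ("http://www.fortinet.com/products", "www.badsite.com/any/page.html",
                "122.133.144.155/index.html", "mail.badsite.net", "www.badsite.org/"):
        verdict = filter_url(url, URL_EXEMPT_LIST, URL_BLOCK_LIST, URL_PATTERN_LIST)
        print("%-36s -> %s (%s)" % (url, verdict[0], verdict[1]))
```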

Command History
FortiOS v2.80 New.

Related Commands
• webfilter bword
• webfilter catblock
• webfilter script
• webfilter urlblock
• webfilter urlexm

execute
backup
date
dhcpclear
enter
factoryreset
formatlogdisk
ha manage
ha synchronize
modem dial
modem hangup
ping
ping-options
ping6
reboot
restore
router restart
router restart-graceful
shutdown
time
traceroute
update_now
vpn certificate ca
vpn certificate key
vpn certificate local

execute backup

backup
Back up the FortiGate configuration file or the IPS user-defined signatures file to a TFTP server.

Command syntax
execute backup allconfig <filename_str> <tftp-server_ipv4> <password_str>
execute backup config <filename_str> <tftp-server_ipv4>
execute backup ipsuserdefsig <filename_str> <tftp-server_ipv4>

backup command keywords and variables


Keywords and variables Description Availability
allconfig Back up all configuration files. All models.
config Back up system configuration files. All models.
ipsuserdefsig Back up the IPS custom signatures file. All models.
<filename_str> The name to give the file that is copied to the TFTP server. All models.
<tftp-server_ipv4> The TFTP server IP address. All models.
<password_str> The password required to open the configuration file. All models.

Example
This example shows how to back up a system configuration file from the FortiGate unit to a TFTP
server. The name to give the configuration file on the TFTP server is fgt.cfg. The IP address of the
TFTP server is 192.168.1.23.
execute backup config fgt.cfg 192.168.1.23

Command History
FortiOS v2.80 Revised.

Related Commands
• execute restore
• config ips custom

execute date

date
Get or set the system date.

Command syntax
execute date [<date_str>]
date_str has the form mm/dd/yyyy, where
• mm is the month and can be 01 to 12
• dd is the day of the month and can be 01 to 31
• yyyy is the year and can be 2001 to 2100
If you do not specify a date, the command returns the current system date.

Example
This example sets the date to 17 September 2004:
execute date 09/17/2004

Command History
FortiOS v2.80 MR4 New.

execute dhcpclear

dhcpclear
Clear the DHCP IP/MAC binding table.

Command syntax
execute dhcpclear

Command History
FortiOS v2.80 MR2 New.

Related Commands
• config system dhcp server
• config system dhcp ipmacbinding

execute enter

enter
Use this command to switch to the named virtual domain.

Command syntax
execute enter <virtual-domain-name_str>

Example
This example shows how to switch to the virtual domain called Client2.
execute enter Client2

Command History
FortiOS v2.80 New.

Related Commands
• config system vdom

execute factoryreset

factoryreset
Reset the FortiGate configuration to factory default settings.

Command syntax
execute factoryreset

Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the
system to its original configuration, including resetting interface addresses.

Command History
FortiOS v2.80 Unchanged.

Related Commands
• execute backup
• execute reboot

execute formatlogdisk

formatlogdisk
Format the FortiGate hard disk to enhance performance for logging.

Command syntax
execute formatlogdisk

Caution: This operation will erase all quarantine files and logging data on the hard disk.

Command History
FortiOS v2.80 Unchanged.

execute ha manage

ha manage
Use this command from the CLI of the primary unit in an HA cluster to connect to the CLI of another
unit in the cluster.

Command syntax
execute ha manage <cluster-member_integer>

Example
This example shows how to connect to a subordinate unit in a cluster of three FortiGate units.
execute ha manage ?
<1> Subsidary unit FPS3012803021709
<2> Subsidary unit FPS3082103021989

Type 2 and press enter to connect to the second unit in the list. The CLI prompt changes to the host
name of this unit. To return to the primary unit, type exit.

Command History
FortiOS v2.80 Unchanged.

Related Commands
• execute ha synchronize
• config system ha

execute ha synchronize

ha synchronize
Use this command from a subordinate HA unit in an HA cluster to manually synchronize its
configuration with the primary unit. Using this command you can synchronize the following:
• Configuration changes made to the primary unit (normal system configuration, firewall
configuration, VPN configuration and so on stored in the FortiGate configuration file),
• Antivirus engine and antivirus definition updates received by the primary unit from the FortiProtect
Distribution Network (FDN),
• IPS attack definition updates received by the primary unit from the FDN,
• Web filter lists added to or changed on the primary unit,
• Email filter lists added to or changed on the primary unit,
• Certification Authority (CA) certificates added to the primary unit,
• Local certificates added to the primary unit.
You can also use the start and stop keywords to force the cluster to synchronize its configuration or
to stop a synchronization process that is in progress.

Command syntax
execute ha synchronize {config | avupd | attackdef | weblists | emaillists | ca | localcert | all | start | stop}

ha synchronize command keywords and variables

Availability for all keywords: Models numbered 60 and higher.

config
    Synchronize the FortiGate configuration.
avupd
    Synchronize the antivirus engine and antivirus definitions.
attackdef
    Synchronize attack definitions.
weblists
    Synchronize web filter lists.
emaillists
    Synchronize email filter lists.
ca
    Synchronize CA certificates.
localcert
    Synchronize local certificates.
all
    Synchronize all of the above.
start
    Start synchronizing the cluster configuration.
stop
    Stop the cluster from completing synchronizing its configuration.

Example
From the CLI on a subordinate unit, use the following commands to synchronize the antivirus and
attack definitions on the subordinate FortiGate unit with the primary unit after the FDN has pushed new
definitions to the primary unit.
execute ha synchronize avupd
execute ha synchronize attackdef

Command History
FortiOS v2.80 Unchanged.
FortiOS v2.80 MR6 Added start and stop keywords.

Related Commands
• execute ha manage
• config system ha

execute modem dial

modem dial
Dial the modem.
The dial command dials the accounts configured in config system modem until it makes a
connection or it has made the maximum configured number of redial attempts.
This command applies only to models 50A, 60, 60M and 60-WiFi and is effective only if the modem is
in Standalone mode.

Command syntax
execute modem dial

Command History
FortiOS v2.80 New

Related Commands
• config system modem
• execute modem hangup

execute modem hangup

modem hangup
Hang up the modem.
This command applies only to models 50A, 60, 60M and 60-WiFi and is effective only if the modem is
in Standalone mode.

Command syntax
execute modem hangup

Command History
FortiOS v2.80 New

Related Commands
• config system modem
• execute modem dial

execute ping

ping
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and
another network device.

Command syntax
execute ping {<address_ipv4> | <host-name_str>}

Example
This example shows how to ping a host with the IP address 192.168.1.23.
execute ping 192.168.1.23

Command History
FortiOS v2.80 Unchanged.

Related Commands
• execute ping6
• execute traceroute

execute ping-options

ping-options
Set ICMP echo request (ping) options to control the way ping tests the network connection between
the FortiGate unit and another network device.

Syntax description

data-size <byte_integer>
    Specify the datagram size in bytes.
    Default: 56. Availability: All models.
df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.
    Default: no. Availability: All models.
pattern <2-byte_hex>
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size keyword. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.
    Default: No default. Availability: All models.
repeat-count <repeat_integer>
    Specify how many times to repeat ping.
    Default: 5. Availability: All models.
source {auto | <source-intf_ip>}
    Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiGate interface tests connections to different network segments from the specified interface.
    Default: auto. Availability: All models.
timeout <seconds_integer>
    Specify, in seconds, how long to wait until ping times out.
    Default: 2. Availability: All models.
tos {default | lowcost | lowdelay | reliability | throughput}
    Set the ToS (Type of Service) field in the packet header to provide an indication of the quality of service wanted.
    • lowdelay = minimize delay
    • throughput = maximize throughput
    • reliability = maximize reliability
    • lowcost = minimize cost
    • default = 0
    Default: default (0). Availability: All models.
ttl <ttl_integer>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.
    Default: 64. Availability: All models.
validate-reply {yes | no}
    Select yes to validate reply data.
    Default: no. Availability: All models.
view-settings
    Display the current ping-option settings.
    Default: No default. Availability: All models.

Example
Use the following command to increase the number of pings sent.
execute ping-options repeat-count 10
Use the following command to send all pings from the FortiGate interface with IP address
192.168.10.23.
execute ping-options source 192.168.10.23

Command History
FortiOS v2.80 Unchanged.

Related commands
• execute ping
• execute ping6
• execute traceroute

execute ping6

ping6
Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and an
IPv6 capable network device.

Command syntax
execute ping6 {<address_ipv6> | <host-name_str>}

Example
This example shows how to ping a host with the IPv6 address 12AB:0:0:CD30:123:4567:89AB:CDEF.
execute ping6 12AB:0:0:CD30:123:4567:89AB:CDEF

Command History
FortiOS v2.80 New.

Related Commands
• execute ping
• execute ping-options
• execute traceroute

execute reboot

reboot
Restart the FortiGate unit.

Command syntax
execute reboot

Command History
FortiOS v2.80 Unchanged.

Related Commands
• execute backup
• execute factoryreset

execute restore

restore
Use this command to restore a backup configuration, to change the FortiGate firmware, or to restore an IPS custom signature file.
All four forms fetch the file from a TFTP server. TFTP provides no authentication, integrity protection or encryption, so run the TFTP server on a trusted management network, make sure the file on the server is the one you intend to load before running the command, and remove configuration backups from the server when the restore is complete.

Command syntax
execute restore allconfig <filename_str> <tftp-server_ipv4> <password_str>
execute restore config <filename_str> <tftp-server_ipv4>
execute restore image <filename_str> <tftp-server_ipv4>
execute restore ipsuserdefsig <filename_str> <tftp-server_ipv4>

restore command keywords and variables
allconfig
    Restore all configuration files. All models.
config
    Restore a system configuration. The new configuration replaces the existing configuration, including administrator accounts and passwords. All models.
image
    Upload a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware. All models.
ipsuserdefsig
    Restore an IPS custom signature file. The file overwrites the existing IPS custom signature file. All models.
<filename_str>
    The name of the file that is uploaded from the TFTP server. All models.
<tftp-server_ipv4>
    The TFTP server IP address. All models.
<password_str>
    The password required to open the configuration file. All models.

Example
This example shows how to upload a configuration file from a TFTP server to the FortiGate unit and
restart the FortiGate unit with this configuration. The name of the configuration file on the TFTP server
is backupconfig. The IP address of the TFTP server is 192.168.1.23.
execute restore config backupconfig 192.168.1.23

Command History
FortiOS v2.80 Revised.

Related Commands
• execute backup
• config ips custom

execute router restart

router restart
Use this command to restart the routing software.

Command syntax
execute router restart

Command History
FortiOS v2.80 MR2 New.

Related Commands
• config router ospf
• config router rip
• config router static
• config router static6
• get router info ospf
• get router info protocols
• get router info rip
• get router info routing_table

execute router restart-graceful

router restart-graceful
Use this command to restart the RIP daemon without stopping forwarding of RIP routes.
When you use the restart-graceful command, RIP informs its neighbors that it is restarting and
requests a grace period. RIP can still forward traffic during the restart period. This reduces disruption
of the network during the restart period. The duration of the grace period can be 1 to 65535 seconds.

Command syntax
execute router restart-graceful <duration_integer>

Example
This example shows how to restart the RIP daemon with a grace period of 120 seconds.
execute router restart-graceful 120

Command History
FortiOS v2.80 New.

Related Commands
• get router info protocols
• get router info rip
• get router info routing_table
• config router rip

execute shutdown

shutdown
Shut down the FortiGate unit.

Command syntax
execute shutdown

Command History
FortiOS v2.80 MR8 New.

execute time

time
Get or set the system time.

Command syntax
execute time [<time_str>]
time_str has the form hh:mm:ss, where
• hh is the hour and can be 00 to 23
• mm is the minutes and can be 00 to 59
• ss is the seconds and can be 00 to 59
If you do not specify a time, the command returns the current system time.

Example
This example sets the system time to 15:31:03:
execute time 15:31:03

Command History
FortiOS v2.80 MR4 New.

execute traceroute

traceroute
Test the connection between the FortiGate unit and another network device, and display information
about the network hops between the device and the FortiGate unit.

Command syntax
execute traceroute {<address_ipv4> | <host-name_str>}

Example
This example shows how to trace the route to a host with the IP address 192.168.1.23.
execute traceroute 192.168.1.23

Command History
FortiOS v2.80 Unchanged.

Related Commands
• execute ping
• execute ping-options

execute update_now

update_now
Use this command to manually initiate virus and attack definitions and engine updates.

Command syntax
execute update_now

Command History
FortiOS v2.80 Revised.

Related Commands
• config system autoupdate override
• config system autoupdate push-update
• config system autoupdate schedule
• config system autoupdate tunneling

execute vpn certificate ca

vpn certificate ca
Use this command to import a CA certificate from a TFTP server to the FortiGate unit, or to export a CA certificate from the FortiGate unit to a TFTP server.
Before using this command you must obtain a CA certificate issued by a CA.
Digital certificates are used to ensure that both participants in an IPSec communications session are
trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate
is the certificate that the FortiGate unit uses to validate digital certificates received from other devices.

Note: The CA certificate must adhere to the X.509 standard.

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.

Syntax description
delete <certificate-name_str>
    Delete the CA certificate from the FortiGate unit. Type ? for a list of certificates. All models.
export <certificate-name_str> <file-name_str> <tftp_ip>
    Export or copy the CA certificate from the FortiGate unit to a file on a TFTP server. Type ? for a list of certificates. All models.
import <name_str> <tftp_ip>
    Import the CA certificate from a TFTP server to the FortiGate unit. All models.
list
    List CA certificates. All models.

Examples
Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a
TFTP server with the address 192.168.21.54.
execute vpn certificate ca import trust_ca 192.168.21.54

Command History
FortiOS v2.80 MR2 The delete keyword was added.
The download keyword was changed to export.

Related commands
• execute vpn certificate key
• execute vpn certificate local
• config vpn ipsec phase1

execute vpn certificate key

vpn certificate key


Export or import a local certificate and private key as a password protected PKCS12 file. When you back up a FortiGate configuration that includes IPSec VPN tunnels using certificates, you must also back up the local certificate and private key in a password protected PKCS12 file. Before restoring the configuration, you must import the PKCS12 file and set the certificate name to the same as it was in the original configuration.
The PKCS12 file contains the private key, and TFTP transfers it without authentication or encryption, so the PKCS12 password is the only protection the key has in transit and while the file sits on the TFTP server. Use a strong password, run the TFTP server on a trusted management network, and delete the file from the server once the export or import is complete.

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.

Syntax description
delete <certificate-name_str>
    Enter the name of the local certificate to delete. Type ? for a list of certificates. All models.
export <name_str> <filename_str> <tftp_ip> <password_str>
    Enter the name of the local certificate to back up by exporting the certificate to a file on a TFTP server. Enter a name for the password protected PKCS12 file. Enter the TFTP server IP address. Enter a password for the PKCS12 file. All models.
import <name_str> <filename_str> <tftp_ip> <password_str>
    Enter the name of the certificate to restore. Enter the name of the password protected PKCS12 file. Enter the TFTP server IP address. Enter the password for the PKCS12 file. All models.
list
    List key certificates. All models.

Examples
Use the following command to back up the certificate and keys for the branch_cert local certificate. The TFTP server address is 192.168.21.54 and the PKCS12 file name and password are backup_brcrt and aV193bb12.
execute vpn certificate key export branch_cert backup_brcrt 192.168.21.54 aV193bb12

Command History
FortiOS v2.80 MR2 The delete keyword was added.
The download keyword was changed to export.

Related commands
• execute vpn certificate ca
• execute vpn certificate local
• config vpn ipsec phase1

execute vpn certificate local

vpn certificate local


Use this command to generate a local certificate, to export a local certificate from the FortiGate unit to a TFTP server, and to import a local certificate from a TFTP server to the FortiGate unit.
Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.
When you generate the certificate request, you create a private and public key pair for the local FortiGate unit. The public key accompanies the certificate request. The private key remains confidential on the FortiGate unit.
To obtain a signed local certificate:
1 Export the certificate request to a TFTP server.
2 Submit the certificate request to the CA.
3 Retrieve the signed certificate from the CA.
4 Import the signed certificate.

Note: VPN peers must use digital certificates that adhere to the X.509 standard.

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced
feature provided for the convenience of system administrators. This manual assumes the user has prior
knowledge of how to configure digital certificates for their implementation.

Syntax description
delete <certificate-name_str>
    Enter the name of the local certificate to delete. Type ? for a list of certificates. All models.
export <certificate-name_str> <file-name_str> <tftp_ip>
    Export or save the local certificate from the FortiGate unit to a file on the TFTP server. Type ? for a list of certificates. All models.
generate <certificate-name_str> {1024 | 1536 | 2048} {<host_ip> | <domain-name_str> | <email-addr_str>} [<optional_information>]
    Generate a local certificate. All models.
    The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
    Enter a key size of 1024 Bit, 1536 Bit or 2048 Bit.
    host_ip, domain-name_str, or email-addr_str identifies the FortiGate unit being certified. Preferably use an IP address or domain name. If this is impossible (such as with a dialup client), use an e-mail address.
    For host_ip, enter the IP address of the FortiGate unit.
    For domain-name_str, enter the fully qualified domain name of the FortiGate unit.
    For email-addr_str, enter an email address that identifies the FortiGate unit.
    If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (usually the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of this interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit's IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.
    Enter optional_information as required to further identify the certificate. See "Optional information variables" below for the list of optional information variables. You must enter the optional variables in the order that they are listed. To enter any optional variable you must enter all of the variables that come before it in the list. For example, to enter the organization-name_str, you must first enter the country_code_str, state_name_str, and city_name_str. While entering optional variables, you can type ? for help on the next required variable.
import <name_str> <tftp_ip>
    Import the local certificate from a TFTP server to the FortiGate unit. All models.
list
    List local certificates. All models.

Optional information variables
<country_code_str>
    Enter the two-character country code. Type ? in place of the country code while entering the generate command for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country. All models.
<state_name_str>
    Enter the name of the state or province where the FortiGate unit is located. All models.
<city_name_str>
    Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides. All models.
<organization-name_str>
    Enter the name of the organization that is requesting the certificate for the FortiGate unit. All models.
<organization-unit_name_str>
    Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit. All models.
<email_address_str>
    Enter a contact e-mail address for the FortiGate unit. All models.

Examples
Use the following command to generate a local certificate request with the name branch_cert, a key size of 1536 and the domain name www.example.com.
execute vpn certificate local generate branch_cert 1536 www.example.com
Use the following command to export the local certificate request generated in the above example from the FortiGate unit to a TFTP server. The example uses the file name testcert for the exported file and the TFTP server address 192.168.21.54.
execute vpn certificate local export branch_cert testcert 192.168.21.54
Use the following command to import the signed local certificate named branch_cert to the FortiGate unit from a TFTP server with the address 192.168.21.54.
execute vpn certificate local import branch_cert 192.168.21.54
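The generate, export and import steps above hand the certificate request to an external CA and, with execute vpn certificate key, the private key to a TFTP server. The following shell script is an added example, not Fortinet code and not part of this guide, that reproduces those off-box steps with openssl so they can be rehearsed and checked on a workstation: it builds a key pair and request carrying the same subject fields the generate command takes, signs the request with a throw-away CA standing in for the real one, checks that the result chains to the CA certificate that execute vpn certificate ca import would load and that its CN is the FQDN of the IKE interface, and packs key and certificate into a password-protected PKCS12 file as execute vpn certificate key export does. The CA, the subject values, the file names and the openssl invocations are assumptions for illustration; on a real deployment the FortiGate generates and keeps the key, and only the request and the signed certificate cross the TFTP server.

```shell
#!/bin/sh
# Added example, not Fortinet code: the CA-side and backup-side steps that the
# FortiGate CLI delegates to an external CA and a TFTP server, reproduced with
# openssl. The CA, subject fields and file names are constructed for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FG_NAME="branch_cert"        # <certificate-name_str> used on the FortiGate
FG_FQDN="www.example.com"    # <domain-name_str> given to 'generate'
KEY_BITS=2048                # 2.80 also offers 1024 and 1536; neither is adequate today
P12_PASS="aV193bb12"         # <password_str> from the 'vpn certificate key' example

# Equivalent of 'execute vpn certificate local generate': an RSA key pair and a
# CSR whose subject carries the optional_information fields in the order the
# CLI requires (country, state, city, organization, unit, email) and whose CN
# is the FQDN of the interface that will run IKE.
make_csr() {
  openssl req -new -newkey "rsa:$KEY_BITS" -nodes \
    -keyout "$WORK/$FG_NAME.key" -out "$WORK/$FG_NAME.csr" \
    -subj "/C=CA/ST=British Columbia/L=Vancouver/O=Example Corp/OU=Branch Office/emailAddress=vpn-admin@example.com/CN=$FG_FQDN" \
    2>/dev/null
}

# Throw-away CA standing in for the CA the request is submitted to (step 2).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=CA/O=Example Corp/CN=Example Root CA" 2>/dev/null
}

# Step 3: the CA signs the request and returns branch_cert.crt, the file that
# 'execute vpn certificate local import' expects to find on the TFTP server.
sign_csr() {
  openssl x509 -req -in "$WORK/$FG_NAME.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$FG_NAME.crt" 2>/dev/null
}

# Checks worth running before importing: the certificate chains to the CA
# certificate that will be loaded with 'execute vpn certificate ca import',
# and its CN matches the IKE interface name (the mismatch the reference warns
# some IKE implementations reject).
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$FG_NAME.crt" >/dev/null
}
cert_cn() {
  openssl x509 -in "$WORK/$FG_NAME.crt" -noout -subject |
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Equivalent of 'execute vpn certificate key export': certificate plus private
# key in a password-protected PKCS12 bundle. The password is the only
# protection the key has while the file sits on the TFTP server.
export_p12() {
  openssl pkcs12 -export -inkey "$WORK/$FG_NAME.key" -in "$WORK/$FG_NAME.crt" \
    -certfile "$WORK/ca.crt" -name "$FG_NAME" \
    -out "$WORK/backup_brcrt.p12" -passout "pass:$P12_PASS"
}
# Returns 0 only if the bundle's MAC verifies under the given password.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/backup_brcrt.p12" -noout -passin "pass:$1" 2>/dev/null
}

make_ca
make_csr
sign_csr
verify_chain
export_p12
echo "signed certificate CN: $(cert_cn)"
echo "PKCS12 bundle written to $WORK/backup_brcrt.p12 (opens with P12_PASS only)"
```

Run it with sh. The PKCS12 encryption openssl applies by default differs between releases (PBKDF2 with AES on OpenSSL 3, the older RC2/3DES defaults on 1.x); openssl pkcs12 -info shows which one a given bundle uses, which matters when the password is the file's only protection on the TFTP server.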

Command History
FortiOS v2.80 MR2 The delete keyword was added.
The download keyword was changed to export.
FortiOS v2.80 MR3 Keywords were removed from the execute vpn certificate local
keyword and replaced with variables.

Related commands
• execute vpn certificate ca

FortiGate CLI Reference Guide
Version 2.80 MR8

Index
A allconfig
backup 354
abort 18 restore 370
abr-type 151 allow 40
accept-lifetime 148 allowaccess
access-list interface 259
router 140 oobm interface 276
router ospf distribute-list 162 secondaryip 267
router rip distance 180 allowed
router rip offset-list 187 log filter 120
accprofile allow-interface-subnet-overlap 244
system 216 altmode 273
system admin 219 anomaly
action alertemail filter 32
firewall policy 79 ips 108
ips anomaly 109 log filter 120
ips rule 117 area 164
router access-list rule 141
arpforward 259
router prefix-list rule 176
router route-map rule 190 arps 249
spamfilter bword 199 asymroute 244
spamfilter emailbwl 201 attack
spamfilter ipbwl 206 alertemail filter 32
spamfilter mheader 209 log filter 120
spamfilter rbl 212 attackdef 361
address 224 auth
firewall 64 alertemail filter 32
system autoupdate clientoverride 221 log filter 120
system autoupdate override 223 system bug-report 230
system autoupdate tunneling 228 authenticate 36
addrgrp 66 authentication
admin router ospf area 154
alertemail filter 32 router ospf area virtual-link 159
log filter 120 router ospf-interface 166
system 219 system ha 249
admingrp 216 vpn ipsec manualkey 316
Administrator access 13 authentication-key
admintimeout 244 router ospf area virtual-link 159
advertise router ospf-interface 166
router ospf area range 158 authgrp 216
router ospf summary-address 171 authkey 316
agelimit 47 auth-keychain 183
alert-interval 36 authmethod 319
alertmail auth-mode 183
replacement messages 279 authpasswd 319
all 361 auth-string 183

authtimeout 244 chassis


authusr 319 alertemail filter 32
authusrgrp 320 log filter 121
auto_dial 273 city 380
autonomous-flag 266 CLI basics 25
autosvr 239 CLI command organization 17
autoupdate clientoverride 221 CLI Structure 17
autoupdate override 223 cnid 302
codepoint 115
autoupdate push-update 224
Command abbreviation 26
autoupdate schedule 226
Command completion 25
autoupdate tunneling 228
Command help 25
av_failopen 244
comments 79
avupd 361
Comments on Fortinet technical documentation 12
concentrator
B vpn ipsec manualkey 316
backup 354 vpn ipsec phase2 326
bad_flag_list 115 config 361
bindthroughfw 70 backup 354
restore 370
bindtofw 70
config alertemail 31
bindtoif 326
config antispam 197
block 40
config antivirus 39
blocked
config area
alertemail filter 32
router ospf 153
log filter 120
config branch of CLI 17
buffer 278
config distance
bug-report 230 router rip 180
bword config distribute-list
spamfilter 198 router ospf 161
webfilter 340 router rip 181
config firewall 63
C config hosts 288
ca 361 config interface
cache 343 router rip 182
config ip6-prefix-list 266
cache_ttl 343
config ips 107
cache-notfound-responses 239
config key 147
Case sensitivity
config limit 110
Perl regular expressions 29
config log 119
cat_allow 84
config neighbor
cat_block
router ospf 162
alertemail filter 32
router rip 184
log filter 120
config network
cat_deny 84 router ospf 164
cat_errors router rip 185
alertemail filter 32 config offset-list
log filter 120 router ospf 170
cat_monitor router rip 186
alertemail filter 32 config ospf-interface
firewall profile 84 router ospf 165
log filter 120 config port 284
cat_options 85 config redistribute
catblock 342 router ospf 169
replacement message 279 router rip 187
channel 295 config router 139

config rule day


ips group 116 firewall schedule 97
log trafficfilter 134 system autoupdate schedule 226
router access-list 140 ddns 260
router prefix-list 175 ddns-domain 260
router route-map 189 ddns-password 260
config secondaryip 266 ddns-profile-id 260
config system 215 ddns-server 260
config user 299 ddns-sn 260
config vpn 313 ddns-username 261
config webfilter 339 dead-interval
conn_tracking 244 router ospf virtual-link 160
Connecting to the CLI 14 router ospf-interface 166
Connecting to the FortiGate CLI using SSH 16 debug-interval 36
Connecting to the FortiGate CLI using Telnet 16 default 284
Connecting to the FortiGate console 14 default-cost 154
connection 259 defaultgw 261
console 231 default-information-metric 151
contact_info 290 default-information-metric-type 151
content_log default-information-originate
alertemail filter 32 router ospf 151
log filter 121 router rip 178
content_log_ftp default-information-route-map 151
alertemail filter 32 default-metric
log filter 121 router ospf 151
content_log_http router rip 178
alertemail filter 32 default-router 236
log filter 121
delete
content_log_imap vpn ca certificate 377
alertemail filter 33
vpn key certificate 378
log filter 121
vpn local certificate 379
content_log_pop3
delete command
alertemail filter 33
config branch 17
log filter 121
description 290
content_log_smtp
alertemail filter 33 destination 269
log filter 121 detectserver
Conventions 11 system interface 261
system secondaryip 267
cost
router ospf neighbor 163 device
router ospf-interface 166 router static 192
router static6 194
country 380
critical-interval 36 df-bit 366
csv 131 dhcp
alertemail filter 33
custom 112
log filter 121
Customer service and technical support 12
dhcp exclude_range 232
dhcp ipmacbinding 234
D dhcp server 236
daily-restart 245 dhcpclear 356
database dhcp-ipsec 326
RIP 145 dhcp-relay-ip 261
database-filter-out 166 dhcp-relay-type 261
database-overflow 151 dhcp-server-mode 261
database-overflow-max-lsas 151 dhgrp
database-overflow-time-to-recover 151 vpn ipsec phase1 320
data-size 366 vpn ipsec phase2 326
date 355 Diagnose commands 10

dial_on_demand 273 duration 124


diffserv_forward 79
diffserv_reverse 79 E
diffservcode_forward 79
edit 17
diffservcode_rev 79 Editing commands 25
direction Editing the configuration file 27
ips group 115
eip
router ospf filter-list 156
vpn l2tp 333
router rip distribute-list 181
vpn pptp 337
router rip offset-list 187
email
disc_retry_timeout 261
alertemail filter 33
disk setting 124 log filter 121
diskfull 124 vpn certificate local 380
display 133 email_log _imap
distance alertemail filter 33
oobm route 277 log filter 121
router ospf 152 email_log_pop3
router rip 180 alertemail filter 33
router static 192 log filter 121
system interface 261 email_log_smtp
dn 302 alertemail filter 33
dns 239 log filter 121
dns-cache-limit 239 email_pattern 201
dns-server1 236 emailbwl 201
dns-server2 236 emaillists 361
dns-server3 236 emergency-interval 36
dns-server-override 261 enable_auto_upload 47
dnstranslation 68 enckey 317
domain 236 encrypt
dpd 320 for VPN to FortiLog unit 127
dpd-idlecleanup 320 Encrypted password support 26
dpd-idleworry 320 encryption
dpd-retrycount 321 ha 249
dpd-retryinterval 321 vpn ipsec manualkey 316
drop_blocked 47 end
firewall schedule onetime 95
drop_heuristic 47
firewall schedule recurring 97
drop_infected 47
end command
dst config branch 17
firewall dnstranslation 68
end_ip
log trafficfilter rule 134
firewall address 64
router policy 172
system dhcp exclude_range 232
router static 192
end_port 172
router static6 194
system global 245 end-ip 236
system oobm route 277 endip 74
vpn pinggen 335 enter 357
dst2 335 error-interval 36
dstaddr event
firewall multicast policy 76 alertemail filter 33
firewall policy 79 log filter 121
vpn ipsec phase2 326 events 287
dstintf exact_match 141
firewall multicast policy 76 Example command sequences 22
firewall policy 79 execute 353
dstport exempt
firewall service custom 99 alertemail filter 33
vpn ipsec phase2 327 log filter 121

export H
vpn certificate ca 377
vpn certificate key 378 ha
vpn certificate local 379 alertemail filter 33
arps 249
extintf 104
authentication 249
extip 104 encryption 249
extport 104 groupid 249
hb-interval 250
F hb-lost-threshold 250
helo-holddown 251
facility 131 load-balance-all 251
factoryreset 358 log filter 121
failtime 245 mode 252
fieldbody 209 monitor 252
fieldname 209 override 252
filepattern 40 password 252
priority 252
filesize 124
route-hold 253
filter route-ttl 253
alertemail 32 route-wait 254
webfilter script 345 schedule 255
fixedport 80 system ha command 249
fm 241 weight 255
format 278 ha manage 360
formatlogdisk 359 ha synchronize 361
fortilog setting 127 hbdev 251
FortiManager, configuration for 241 hbdev_priority 256
Fortinet documentation 12 hb-interval 250
frequency 226 hb-lost-threshold 250
ftp 86 header 278
replacement messages 279 hello-interval
router ospf area virtual-link 160
fwdintf 239
router ospf ospf-interface 167
helo-holddown 251
G heuristic 45
garbage-timer 179 holddown_timer 273
gateway hostname 245
oobm route 277 http 87
router policy 172 replacement messages 279
router static 192
router static6 194 I
vpn ipsec manualkey 317
icmpcode 99
gbandwidth 80
icmptype 99
ge 176
id (FortiManager) 241
generate 380 idle_timeout 115
geography 295 idle_timer 273
get system performance 242 idle-timeout 262
get system status 243 ie6workaround 245
global 244 image 370
grayware 42 imap 88
group imap_spamaction 88
ips 114 imap_spamtagmsg 88
user 300 imap_spamtagtype 88
groupid 249 import
gwdetect vpn certificate ca 377
system interface 262 vpn certificate key 378
system secondaryip 267 vpn certificate local 380

inbound 80 ippool
infected firewall 74
alertemail filter 33 firewall policy 80
log filter 121 ips 89
information-interval 36 ipsec 33
input_device 172 log filter 122
Interface ipsec concentrator 314
adding to a zone 297 ipsec manualkey 316
interface ipsec phase1 319
firewall ippool 74 ipsec phase2 326
RIP 145 ipsec vip 331
router ospf-interface 167
ipsuserdefsig
router rip distribute-list 181
execute backup 354
router rip offset-list 187
execute restore 370
system 259
system dhcp server 237 ipunnumbered 262
system ipv6tunnel 269 ipv6_tunnel 269
system mac-address-table 271
system modem 273 K
system snmp community hosts 289
keepalive
International characters 27 vpn ipsec phase1 321
internetbrowsing 327 vpn ipsec phase2 327
interval 245 key 295
intrazone 297 key-chain 147
Introduction 9 keylife 321
ip keylife_type 327
firewall ipmacbinding table 72
keylifekbs 327
FortiManager 241
oobm interface 276 keylifeseconds 327
router ospf neighbor 163 key-string 148
router ospf-interface 167
router rip neighbor 185 L
secondary ip 267
l2forward 263
snmp community hosts 289
system dhcp ipmacbinding 234 l2tp 333
system interface 262 language
system manageip 272 spamfilter bword 199
vpn ipsec vip 331 system global 245
IP address formats 27 webfilter bword 340
ip/subnet 207 lcdpin 245
ip_signature 245 lcdprotection 245
ip6 269 lcp-echo-interval 263
ip6-address 262 lcp-max-echo-failures 263
ip6-default-life 262 ldap 302
ip6-hop-limit 262 ldap_server 304
ip6-link-mtu 262 le 176
ip6-manage-flag 262 lease-time 237
ip6-max-interval 262 Line continuation 26
ip6-min-interval 263 list 156
ip6-other-flag 263 list CA certificates 377
ip6-reachable-time 263 list key certificates 378
ip6-retrans-time 263 list local certificates 380
ip6-send-adv 263 listname 182
ipaddress 111 load-balance-all 251
ipbwl 206 local 304
ipmacbinding setting 70 local_anomaly 245
ipmacbinding table 72 localcert 361

localid metric
log fortilog setting 127 router ospf redistribute 169
vpn ipsec phase1 321 router rip redistribute 188
localspi 317 metric-type 169
location 290 mheader 208
log min_ttl 115
ips anomaly 109 mode
ips group 117 antivirus heuristic 45
system interface 263 modem 273
loggrp 217 system console 231
loglocaldeny 246 system ha 252
logtraffic 80 system interface 263
lowspace 47 system ipv6_tunnel 269
system wireless 295
M vpn ipsec phase1 321
modem
mac auto_dial 273
firewall ipmacbinding table 72 dial 363
system dhcp ipmacbinding 234 dial_on_demand 273
macaddr 263 hangup 364
mac-address-table 271 mode 273
mail option for China 273
replacement messages 280 system 273
mail_sig 89 monitor 252
mailsig-status 89 move 17
mailto1 36 mtu
mailto2 36 oobm interface 276
mailto3 36 router ospf-interface 167
manageip 272 system interface 264
management ip, transparent mode 272 mtu-ignore 167
management-vdom 246 multicast-forward 246
mappedip 104 multicast-policy 76
mappedport 104
match-interface 190 N
match-ip-address 190 name
match-ip-nexthop 190 firewall ipmacbinding table 72
match-metric 190 system session-helper 282
match-route-type 190 system snmp community 287
match-tag 190 nat
maxbandwidth 80 firewall multicast-policy 76
maxfilesize 48 firewall policy 80
mc-ttl_notchange 246 natinbound 80
md5-key natip 81
router ospf area virtual-link 160 natoutbound 81
router ospf-interface 167 nattraversal 321
member netbios-forward 264
firewall addrgrp 66 netmask
firewall service group 101 firewall dnstranslation 68
user group 301 system dhcp server 237
user peergrp 308 network-type 167
vpn ipsec concentrator 314
next 18
memfilesizelimit
notification-interval 36
antivirus service ftp 54
antivirus service http 52 nssa-default-information-originate 154
antivirus service imap 58 nssa-default-information-originate-metric 154
antivirus service pop3 56 nssa-default-information-originate-metric-typ 154
antivirus service smtp 60 nssa-redistribution 154
memory setting 129 nssa-translator-role 154

ntpserver 246
ntpsync 246

O

offset 187
onlink-flag 266
oobm interface 276
oobm route 277
opmode 246
  change to Transparent mode example 247
optimize 246
option1 237
option2 237
option3 237
org 380
OSPF 150
outbound 81
out-interface 331
out-of-band management
  interface 276
  route 277
output_device 173
override
  system autoupdate push-update 224
  system ha 252
oversized
  alertemail filter 33
  log filter 122
  log syslogd setting 131

P

padt_retry_timeout 264
passive-interface
  router ospf 152
  router rip 179
passwd 304
passwd1 273
passwd2 273
passwd3 274
password
  alertemail setting 36
  system admin 219
  system autoupdate tunneling 228
  system bug-report 230
  system ha 252
  system interface 264
pattern
  alertemail filter 33
  log filter 122
  ping-options 366
  spamfilter bword 199
pattern_type
  spamfilter bword 199
  spamfilter emailbwl 201
  spamfilter mheader 209
  webfilter bword 340
peer
  router ospf area virtual-link 160
  vpn ipsec phase1 322
peergrp 322
peerid 322
peertype 322
Perl regular expressions
  using 28
pfs 327
phase1name 327
phone1 274
phone2 274
phone3 274
ping 365
ping6 368
pinggen 335
policy
  firewall 78
  router 172
poll-interval 163
pop3 89
pop3_spamaction 90
pop3_spamtagmsg 90
pop3_spamtagtype 90
port
  antivirus service ftp 54
  antivirus service http 52
  antivirus service imap 58
  antivirus service pop3 56
  antivirus service smtp 60
  system autoupdate push-update 224
  system autoupdate tunneling 228
  system session-helper 282
  user ldap 303
port_list 115
ppp
  alertemail filter 33
  log filter 122
pptp 337
preferred-life-time 266
prefix
  router access-list rule 141
  router ospf area range 158
  router ospf network 164
  router ospf summary-address 171
  router prefix-list rule 176
  router rip distance 180
  router rip network 186
prefix-list 175
pre-shared key
  VPN to FortiLog unit 127
primary 239
priority
  firewall policy 81
  router ospf neighbor 163
  router ospf-interface 168
  system ha 252
profile
  firewall 84
  firewall policy 81
profile_status 81
proposal
  vpn ipsec phase1 323
  vpn ipsec phase2 328
prot 282
protocol
  firewall service custom 99
  firewall vip 104
  router ospf distribute-list 162
  router policy 173
  vpn ipsec phase2 328
protocol-number 99
psksecret
  log fortilog setting 127
  vpn ipsec phase1 323
purge 17

Q

quarantine 47
quarfilepattern 50
query_v1_port 287
query_v1_status 287
query_v2c_port 287
query_v2c_status 287

R

radius 310
radius_port 246
radius_server 304
rbl 211
reboot 369
Recalling commands 25
receive-version 183
redial 274
refresh 246
remotegw 323
remotegw-ddns 323
remotespi 317
repeat-count 366
replacemsg 278
replay 328
reset_sessionless_tcp 247
resolve 133
restart_time 247
restore 370
retransmit-interval
  router ospf area virtual-link 160
  router ospf-interface 168
rfc1583-compatible 152
rip 178
rollday 124
rolltime 124
route-hold 253
route-map 189
routemap
  router ospf redistribute 169
  router rip redistribute 188
router restart-graceful 372
router-id 152
route-ttl 253
route-wait 254
rsa-certificate 323

S

schedule
  firewall policy 81
  system ha 255
schedule onetime 95
schedule recurring 97
script 345
secgrp 217
secondary 239
secret 310
security 296
sel_status 48
selector 329
send-lifetime 148
send-version 183
send-version1-compatible 183
server
  alertemail setting 37
  log fortilog setting 127
  log syslogd setting 131
  log webtrends setting 136
  spamfilter rbl 212
  system bug-report 230
  user ldap 303
  user radius 310
service
  firewall policy 81
  log trafficfilter rule 134
  webfilter catblock 343
service custom 99
service ftp 54
service group 101
service http 52
service imap 58
service pop3 56
service smtp 60
sess_helper 282
session_ttl 284
set 18
set-ip-nexthop 190
set-metric 190
set-metric-type 190
set-tag 190
setting 36
Setting administrative access for SSH or Telnet 15
Setting page length 28
severity
  alertemail filter 34
  log filter 122
shortcut 154
signature
  alertemail filter 34
  ips custom 112
  log filter 122
single-source 329
sip
  vpn l2tp 333
  vpn pptp 337
smtp 91
smtp_spamaction 92
smtp_spamtagmsg 92
smtp_spamtagtype 92
snmp community 286
snmp sysinfo 290
source
  ping-options 366
  system ipv6_tunnel 269
spam
  replacement messages 280
speed 264
spf-timers 152
split-horizon 184
split-horizon-status 184
src
  firewall dnstranslation 68
  log trafficfilter rule 134
  router policy 173
  vpn pinggen 335
src2 335
srcaddr
  firewall multicast-policy 76
  firewall policy 81
  vpn ipsec phase2 329
srcintf
  firewall multicast-policy 76
  firewall policy 82
srcport
  firewall service custom 99
  vpn ipsec phase2 329
ssid 296
start
  firewall schedule onetime 95
  firewall schedule recurring 97
  ha synchronize 361
start_ip
  firewall address 65
  system dhcp exclude_range 232
start_port 173
start-ip 237
startip 74
state 380
static 192
static6 194
status
  antivirus grayware 43
  antivirus quarfilepattern 50
  autoupdate clientoverride 221
  firewall ipmacbinding table 72
  firewall policy 82
  FortiManager 241
  ips anomaly 110
  ips group 115
  ips group rule 117
  log disk setting 124
  log fortilog setting 127
  log memory setting 129
  log syslogd setting 131
  log webtrends setting 136
  pinggen 335
  router ospf redistribute 169
  router ospf-interface 168
  router rip distribute-list 182
  router rip offset-list 187
  router rip redistribute 188
  spamfilter rbl 212
  system autoupdate override 223
  system autoupdate push-update 224
  system autoupdate schedule 226
  system autoupdate tunneling 228
  system fm 241
  system interface 264
  system modem 274
  system snmp community 287
  system snmp sysinfo 290
  user local 304
  vpn l2tp 334
  vpn pptp 338
  webfilter bword 340
  webfilter catblock 343
  webfilter urlblock 347
  webfilter urlexm 349
  webfilter urlpat 351
stop 361
store_blocked 48
store_heuristic 48
store_infected 48
stpforward 264
stub-type 155
subnet 64
subst 264
substitute 158
substitute-dst-mac 265
substitute-status 158
syncinterval 247
sysgrp 217
syslogd setting 131
sysshutdowngrp 217
system
  alertemail filter 34
  log filter 122
T

tag
  router ospf redistribute 169
  router ospf summary-address 171
tcp_option 247
threshold
  ips anomaly 110
  ips anomaly limit 111
time
  system autoupdate schedule 226
time, execute time command 374
timeout
  ping-options 366
  system session_ttl port 285
timeout-timer 179
timezone 247
tos 366
traceroute 375
traffic
  log filter 122
trafficfilter 133
trafficshaping 82
transmit-delay
  router ospf area virtual-link 160
  router ospf-interface 168
trap_v1_lport 287
trap_v1_rport 287
trap_v1_status 287
trap_v2c_lport 287
trap_v2c_rport 288
trap_v2c_status 288
trusthost1 219
trusthost2 219
trusthost3 219
ttl 366
type
  firewall address 65
  firewall vip 104
  router ospf area 155
  user local 304
  vpn ipsec phase1 324

U

undefinedhost 70
unit
  log disk setting 124
  vpn certificate local 380
unset 18
update_now 376
update-timer 179
updgrp 217
url_block
  alertemail filter 34
  log filter 122
urlblock 347
urlexm 349
urlpat 351
use_fpat 48
use_status 48
username
  alertemail setting 37
  system autoupdate tunneling 228
  system bug-report 230
  system interface 265
username1 274
username2 274
username3 274
Using single quotes to enter tabs or spaces in strings 27
Using the CLI 13
usrgrp
  firewall policy 80
  vpn ipsec phase1 324
  vpn l2tp 334
  vpn pptp 338

V

validate-reply 366
valid-life-time 266
vd 269
vdom
  system 292
  system interface 265
version 179
view-settings 366
violation
  log filter 122
vip 103
virus 34
  log filter 122
vlanid 265
vpn certificate ca 377
vpn certificate key 378
vpn certificate local 379
vpntunnel 82

W

warning-interval 37
web 34
  log filter 122
web_content
  alertemail filter 34
  log filter 122
weblists 361
webtrends setting 136
weight 255
where 199
wildcard 28
wildcard pattern matching 28
wildcardid 330
wins-ip 265
wins-server1 237
wins-server2 237
wireless 295
  mac_filter 293
  mac_list 293
  settings 295
Word boundary
  Perl regular expressions 29

X

xauthtype 324

Z

zone 297