fortigate 4.0 mr1 cli referencepub.kb.fortinet.com/ksmcontent/fortinet-public... · contents...

FortiGate™

Version 4.0 MR1CLI Reference

FortiGate CLI ReferenceVersion 4.0 MR119 October 200901-401-93051-20091019

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

TrademarksDynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory complianceFCC Class A Part 15 CSA/CUS

Contents

F0h

ContentsIntroduction ............................................................................................ 17About the FortiGate Unified Threat Management System ........................................ 17

Registering your Fortinet product............................................................................... 17

Customer service and technical support.................................................................... 18

Fortinet documentation ................................................................................................ 18Fortinet Tools and Documentation CD ..................................................................... 18Fortinet Knowledge Center ...................................................................................... 18Comments on Fortinet technical documentation ..................................................... 18

Conventions .................................................................................................................. 18IP addresses............................................................................................................. 18CLI constraints.......................................................................................................... 19Notes, Tips and Cautions ......................................................................................... 19Typographical conventions ....................................................................................... 19

What’s new ............................................................................................. 21

Using the CLI .......................................................................................... 31Connecting to the CLI................................................................................................... 31

Connecting to the CLI using a local console............................................................. 32Enabling access to the CLI through the network (SSH or Telnet) ............................ 32Connecting to the CLI using SSH............................................................................. 34Connecting to the CLI using Telnet .......................................................................... 35

Command syntax .......................................................................................................... 35

Sub-commands ............................................................................................................. 39

Permissions................................................................................................................... 41

Tips and tricks............................................................................................................... 44Help .......................................................................................................................... 44Shortcuts and key commands .................................................................................. 45Command abbreviation............................................................................................. 45Environment variables .............................................................................................. 45Special characters .................................................................................................... 46Language support & regular expressions ................................................................. 46Screen paging........................................................................................................... 49Baud rate .................................................................................................................. 49Editing the configuration file on an external host ...................................................... 49Using Perl regular expressions................................................................................. 50

ortiGate Version 4.0 MR1 CLI Reference1-401-93051-20091019 3ttp://docs.fortinet.com/ • Feedback

http://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.html

Contents

Working with virtual domains ............................................................... 53Creating and configuring VDOMs................................................................................ 54

Creating a VDOM ..................................................................................................... 54Assigning interfaces to a VDOM............................................................................... 54Setting VDOM operating mode................................................................................. 54Changing back to NAT/Route mode......................................................................... 55

Troubleshooting ARP traffic on VDOMs ..................................................................... 57Duplicate ARP packets ............................................................................................. 57Multiple VDOMs solution .......................................................................................... 57Forward-domain solution .......................................................................................... 57

global.............................................................................................................................. 59

vdom............................................................................................................................... 62

alertemail ................................................................................................ 67setting ............................................................................................................................ 68

antivirus .................................................................................................. 73filepattern....................................................................................................................... 74

heuristic ......................................................................................................................... 76

quarantine...................................................................................................................... 77

quarfilepattern ............................................................................................................... 80

service............................................................................................................................ 81

settings .......................................................................................................................... 83

application .............................................................................................. 85list ................................................................................................................................... 86

name............................................................................................................................... 92

dlp............................................................................................................ 93compound...................................................................................................................... 94

rule.................................................................................................................................. 96

sensor .......................................................................................................................... 100

endpoint-control................................................................................... 103apps-detect rule-list .................................................................................................... 104

profile ........................................................................................................................... 105

settings ........................................................................................................................ 107

firewall................................................................................................... 109address, address6....................................................................................................... 110

addrgrp, addrgrp6 ....................................................................................................... 112

dnstranslation ............................................................................................................. 113

FortiGate Version 4.0 MR1 CLI Reference4 01-401-93051-20091019

http://docs.fortinet.com/ • Feedback


Contents

F0h

interface-policy............................................................................................................ 115

interface-policy6.......................................................................................................... 117

ipmacbinding setting .................................................................................................. 119

ipmacbinding table ..................................................................................................... 121

ippool ........................................................................................................................... 123

ldb-monitor .................................................................................................................. 125

multicast-policy........................................................................................................... 127

policy, policy6 ............................................................................................................. 129

profile ........................................................................................................................... 139config log ................................................................................................................ 166config app-recognition ............................................................................................ 167

schedule onetime........................................................................................................ 171

schedule recurring...................................................................................................... 172

schedule group ........................................................................................................... 174

service custom ............................................................................................................ 175

service group............................................................................................................... 177

shaper per-ip-shaper .................................................................................................. 178

shaper traffic-shaper .................................................................................................. 180

sniff-interface-policy................................................................................................... 182

sniff-interface-policy6................................................................................................. 185

ssl setting .................................................................................................................... 187

vip ................................................................................................................................. 189

vipgrp ........................................................................................................................... 206

gui.......................................................................................................... 207console......................................................................................................................... 208

topology ....................................................................................................................... 209

imp2p..................................................................................................... 211aim-user ....................................................................................................................... 212

icq-user ........................................................................................................................ 213

msn-user ...................................................................................................................... 214

old-version................................................................................................................... 215

policy............................................................................................................................ 216

yahoo-user................................................................................................................... 217



Contents

ips .......................................................................................................... 219DoS ............................................................................................................................... 220

config limit............................................................................................................... 220

custom ......................................................................................................................... 223

decoder ........................................................................................................................ 224

global............................................................................................................................ 225

rule................................................................................................................................ 227

sensor .......................................................................................................................... 228

log.......................................................................................................... 233custom-field................................................................................................................. 234

{disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter ................................................................... 235

disk setting .................................................................................................................. 240

{fortianalyzer | syslogd} override-filter ..................................................................... 244

fortianalyzer override-setting..................................................................................... 245

{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting ............................................ 246

fortiguard setting ........................................................................................................ 248

memory setting ........................................................................................................... 249

memory global-setting................................................................................................ 250

syslogd override-setting ............................................................................................ 251

{syslogd | syslogd2 | syslogd3} setting.................................................................... 252

webtrends setting ....................................................................................................... 254

trafficfilter .................................................................................................................... 255

report..................................................................................................... 257chart ............................................................................................................................. 258

dataset.......................................................................................................................... 262

summary ...................................................................................................................... 263

Example SQL report configurations.......................................................................... 264Example WAN optimization SQL report configuration ............................................ 264Example attack SQL report configuration ............................................................... 266




Contents

F0h

SQL reports database schema .................................................................................. 268Event Log................................................................................................................ 268Traffic log ................................................................................................................ 269Attack log ................................................................................................................ 270Antivirus log ............................................................................................................ 271Web Filter log.......................................................................................................... 271Spam filter or email filter log ................................................................................... 272DLP log ................................................................................................................... 273Application control log............................................................................................. 273

router..................................................................................................... 275access-list, access-list6 ............................................................................................. 276

aspath-list .................................................................................................................... 279

auth-path...................................................................................................................... 281

bgp................................................................................................................................ 283config router bgp..................................................................................................... 286config admin-distance............................................................................................. 289config aggregate-address ....................................................................................... 289config aggregate-address6..................................................................................... 289config neighbor ....................................................................................................... 290config network......................................................................................................... 296config network6....................................................................................................... 296config redistribute ................................................................................................... 297config redistribute6 ................................................................................................. 297

community-list............................................................................................................. 299

key-chain...................................................................................................................... 302

multicast ...................................................................................................................... 304Sparse mode .......................................................................................................... 304Dense mode ........................................................................................................... 305config router multicast............................................................................................. 306config interface ....................................................................................................... 308config pim-sm-global............................................................................................... 310

ospf............................................................................................................................... 314config router ospf .................................................................................................... 316config area .............................................................................................................. 318config distribute-list ................................................................................................. 322config neighbor ....................................................................................................... 323config network......................................................................................................... 323config ospf-interface ............................................................................................... 324config redistribute ................................................................................................... 326config summary-address ........................................................................................ 327

ospf6............................................................................................................................. 328

policy............................................................................................................................ 333



Contents

prefix-list, prefix-list6.................................................................................................. 337

rip.................................................................................................................................. 340config router rip....................................................................................................... 341config distance........................................................................................................ 342config distribute-list ................................................................................................. 343config interface ....................................................................................................... 344config neighbor ....................................................................................................... 345config network......................................................................................................... 346config offset-list....................................................................................................... 346config redistribute ................................................................................................... 347

ripng ............................................................................................................................. 349

route-map..................................................................................................................... 354Using route maps with BGP.................................................................................... 356

setting .......................................................................................................................... 360

static............................................................................................................................. 361

static6........................................................................................................................... 364

spamfilter .............................................................................................. 365bword ........................................................................................................................... 366

dnsbl............................................................................................................................. 368

emailbwl ....................................................................................................................... 370

fortishield..................................................................................................................... 372

ipbwl ............................................................................................................................. 374

iptrust ........................................................................................................................... 376

mheader ....................................................................................................................... 377

options ......................................................................................................................... 379

system................................................................................................... 381accprofile ..................................................................................................................... 382

admin............................................................................................................................ 385

alertemail ..................................................................................................................... 392

amc............................................................................................................................... 394

arp-table ....................................................................................................................... 395

auto-install ................................................................................................................... 396

autoupdate clientoverride .......................................................................................... 397

autoupdate override.................................................................................................... 398

autoupdate push-update ............................................................................................ 399

autoupdate schedule .................................................................................................. 400

autoupdate tunneling.................................................................................................. 402




Contents

F0h

aux ................................................................................................................................ 404

bug-report .................................................................................................................... 405

central-management ................................................................................................... 406

console......................................................................................................................... 408

dhcp reserved-address............................................................................................... 409

dhcp server.................................................................................................................. 410

dns................................................................................................................................ 413

dns-database ............................................................................................................... 414

fips-cc........................................................................................................................... 416

fortiguard ..................................................................................................................... 417

fortiguard-log............................................................................................................... 422

global............................................................................................................................ 423

gre-tunnel..................................................................................................................... 433

ha .................................................................................................................................. 435

interface ....................................................................................................................... 448

ipv6-tunnel ................................................................................................................... 467

mac-address-table ...................................................................................................... 468

modem ......................................................................................................................... 469

npu................................................................................................................................ 473

ntp................................................................................................................................. 474

password-policy.......................................................................................................... 475

proxy-arp...................................................................................................................... 476

replacemsg admin....................................................................................................... 477

replacemsg alertmail .................................................................................................. 478

replacemsg auth.......................................................................................................... 480

replacemsg ec ............................................................................................................. 484

replacemsg fortiguard-wf ........................................................................................... 486

replacemsg ftp............................................................................................................. 488

replacemsg http .......................................................................................................... 490

replacemsg im ............................................................................................................. 493

replacemsg mail .......................................................................................................... 495

replacemsg-group....................................................................................................... 497

replacemsg nac-quar .................................................................................................. 498

replacemsg nntp ......................................................................................................... 500

replacemsg spam........................................................................................................ 502

replacemsg sslvpn...................................................................................................... 504



Contents

replacemsg traffic-quota ............................................................................................ 505

resource-limits ............................................................................................................ 506

session-helper............................................................................................................. 508

session-sync ............................................................................................................... 509Notes and limitations .............................................................................................. 510Configuring session synchronization ...................................................................... 510Configuring the session synchronization link.......................................................... 511

session-ttl .................................................................................................................... 515

settings ........................................................................................................................ 517

sit-tunnel ...................................................................................................................... 522

snmp community ........................................................................................................ 523

snmp sysinfo ............................................................................................................... 526

snmp user .................................................................................................................... 528

switch-interface........................................................................................................... 530

tos-based-priority........................................................................................................ 532

vdom-link ..................................................................................................................... 533

vdom-property............................................................................................................. 535

wccp ............................................................................................................................. 537

wireless ap-status ....................................................................................................... 539

wireless settings ......................................................................................................... 540

zone .............................................................................................................................. 542

user........................................................................................................ 543Configuring users for authentication........................................................................ 544

Configuring users for password authentication....................................................... 544Configuring peers for certificate authentication ...................................................... 544

ban................................................................................................................................ 545

fsae ............................................................................................................................... 549

group ............................................................................................................................ 551

ldap............................................................................................................................... 555

local .............................................................................................................................. 558

peer............................................................................................................................... 560

peergrp......................................................................................................................... 562

radius ........................................................................................................................... 563

setting .......................................................................................................................... 565

tacacs+......................................................................................................................... 567




Contents

F0h

vpn......................................................................................................... 569certificate ca ................................................................................................................ 570

certificate crl................................................................................................................ 572

certificate local ............................................................................................................ 574

certificate ocsp............................................................................................................ 576

certificate remote ........................................................................................................ 577

ipsec concentrator ...................................................................................................... 578

ipsec forticlient............................................................................................................ 579

ipsec manualkey ......................................................................................................... 580

ipsec manualkey-interface ......................................................................................... 583

ipsec phase1................................................................................................................ 586

ipsec phase1-interface ............................................................................................... 593

ipsec phase2................................................................................................................ 605

ipsec phase2-interface ............................................................................................... 611

l2tp................................................................................................................................ 618

pptp .............................................................................................................................. 620

ssl settings .................................................................................................................. 622

ssl web host-check-software ..................................................................................... 626

ssl web portal .............................................................................................................. 628

ssl web virtual-desktop-app-list ................................................................................ 633

wanopt................................................................................................... 635auth-group ................................................................................................................... 636

cache-storage.............................................................................................................. 638

peer............................................................................................................................... 639

rule................................................................................................................................ 640

settings ........................................................................................................................ 646

ssl-server ..................................................................................................................... 647Example: SSL offloading for a WAN optimization tunnel........................................ 648

storage ......................................................................................................................... 651

webcache ..................................................................................................................... 653

web-proxy ............................................................................................. 655explicit.......................................................................................................................... 656

global............................................................................................................................ 657



Contents

webfilter ................................................................................................ 659content ......................................................................................................................... 660

content-header ............................................................................................................ 662

fortiguard ..................................................................................................................... 663FortiGuard-Web category blocking ......................................................................... 663

ftgd-local-cat................................................................................................................ 666

ftgd-local-rating........................................................................................................... 667

ftgd-ovrd ...................................................................................................................... 668

ftgd-ovrd-user.............................................................................................................. 670

urlfilter.......................................................................................................................... 672

wireless-controller ............................................................................... 675ap-status ...................................................................................................................... 676

global............................................................................................................................ 677

timers ........................................................................................................................... 678

vap ................................................................................................................................ 679

vap-group..................................................................................................................... 681

wtp ................................................................................................................................ 682

execute.................................................................................................. 685backup.......................................................................................................................... 686

batch............................................................................................................................. 689

central-mgmt ............................................................................................................... 690

cfg reload ..................................................................................................................... 691

cfg save........................................................................................................................ 692

clear system arp table ................................................................................................ 693

cli check-template-status ........................................................................................... 694

cli status-msg-only ..................................................................................................... 695

date............................................................................................................................... 696

dhcp lease-clear .......................................................................................................... 697

dhcp lease-list ............................................................................................................. 698

disconnect-admin-session......................................................................................... 699

enter ............................................................................................................................. 700

factoryreset.................................................................................................................. 701

firmware-list update .................................................................................................... 702

formatlogdisk .............................................................................................................. 703

fortiguard-log update.................................................................................................. 704

fsae refresh.................................................................................................................. 705




Contents

F0h

ha disconnect .............................................................................................................. 706

ha manage ................................................................................................................... 707

ha synchronize ............................................................................................................ 708

interface dhcpclient-renew......................................................................................... 710

interface pppoe-reconnect ......................................................................................... 711

log delete-all ................................................................................................................ 712

log delete-rolled .......................................................................................................... 713

log display ................................................................................................................... 714

log filter ........................................................................................................................ 715

log fortianalyzer test-connectivity............................................................................. 716

log list........................................................................................................................... 717

log roll .......................................................................................................................... 718

modem dial .................................................................................................................. 719

modem hangup ........................................................................................................... 720

modem trigger ............................................................................................................. 721

mrouter clear ............................................................................................................... 722

ping............................................................................................................................... 723

ping-options, ping6-options....................................................................................... 724

ping6............................................................................................................................. 726

reboot ........................................................................................................................... 727

restore .......................................................................................................................... 728

router clear bfd session ............................................................................................. 731

router clear bgp........................................................................................................... 732

router clear ospf process ........................................................................................... 733

router restart................................................................................................................ 734

scsi-dev........................................................................................................................ 735

send-fds-statistics ...................................................................................................... 737

set-next-reboot ............................................................................................................ 738

sfp-mode-sgmii ........................................................................................................... 739

shutdown ..................................................................................................................... 740

ssh ................................................................................................................................ 741

telnet............................................................................................................................. 742

time............................................................................................................................... 743

traceroute..................................................................................................................... 744

update-ase ................................................................................................................... 745

update-av ..................................................................................................................... 746



Contents

update-ips .................................................................................................................... 747

update-now .................................................................................................................. 748

upd-vd-license............................................................................................................. 749

usb-disk ....................................................................................................................... 750

vpn certificate ca......................................................................................................... 751

vpn certificate crl ........................................................................................................ 753

vpn certificate local..................................................................................................... 754

vpn certificate remote................................................................................................. 757

vpn sslvpn del-all ........................................................................................................ 758

vpn sslvpn del-tunnel ................................................................................................. 759

vpn sslvpn del-web ..................................................................................................... 760

vpn sslvpn list ............................................................................................................. 761

wireless-controller delete-wtp-image........................................................................ 762

wireless-controller reset-wtp ..................................................................................... 763

wireless-controller restart-daemon ........................................................................... 764

wireless-controller upload-wtp-image ...................................................................... 765

get.......................................................................................................... 767endpoint-control app-detect predefined-category status ....................................... 768

endpoint-control app-detect predefined-group status ............................................ 769

endpoint-control app-detect predefined-signature status ...................................... 770

endpoint-control app-detect predefined-vendor status .......................................... 771

firewall service predefined ......................................................................................... 772

gui console status....................................................................................................... 773

gui topology status ..................................................................................................... 774

hardware status........................................................................................................... 775

ips decoder status ...................................................................................................... 776

ips rule status.............................................................................................................. 777

ipsec tunnel list ........................................................................................................... 778

report database schema............................................................................................. 779

router info bfd neighbor ............................................................................................. 780

router info bgp............................................................................................................. 781

router info multicast ................................................................................................... 784

router info ospf............................................................................................................ 786

router info protocols................................................................................................... 788

router info rip............................................................................................................... 789

router info routing-table ............................................................................................ 790




Contents

F0h

router info6 bgp........................................................................................................... 791

router info6 interface .................................................................................................. 792

router info6 ospf.......................................................................................................... 793

router info6 protocols................................................................................................. 794

router info6 rip............................................................................................................. 795

router info6 routing-table ........................................................................................... 796

system admin list ........................................................................................................ 797

system admin status................................................................................................... 798

system arp ................................................................................................................... 799

system central-management...................................................................................... 800

system checksum ....................................................................................................... 801

system cmdb status.................................................................................................... 802

system dashboard ...................................................................................................... 803

system fdp-fortianalyzer............................................................................................. 804

system fortianalyzer-connectivity ............................................................................. 805

system fortiguard-log-service status ........................................................................ 806

system fortiguard-service status............................................................................... 807

system ha status ......................................................................................................... 808About the HA cluster index and the execute ha manage command....................... 810

system info admin ssh ............................................................................................... 814

system info admin status ........................................................................................... 815

system interface physical .......................................................................................... 816

system performance status ....................................................................................... 817

system session list ..................................................................................................... 818

system session status................................................................................................ 819

system status .............................................................................................................. 820

system wireless detected-ap ..................................................................................... 821

user adgrp.................................................................................................................... 822

vpn ssl monitor ........................................................................................................... 823

wireless-controller scan ............................................................................................. 824

wireless-controller status........................................................................................... 825

Index...................................................................................................... 827



Contents




Introduction About the FortiGate Unified Threat Management System

F0h

IntroductionThis chapter introduces you to the FortiGate Unified Threat Management System and the following topics:• About the FortiGate Unified Threat Management System• Registering your Fortinet product• Customer service and technical support• Fortinet documentation• Conventions

About the FortiGate Unified Threat Management SystemThe FortiGate Unified Threat Management System supports network-based deployment of application-level services, including virus protection and full-scan content filtering. FortiGate units improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.The FortiGate unit is a dedicated easily managed security device that delivers a full suite of capabilities that include:• application-level services such as virus protection and content filtering,• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.

Registering your Fortinet productBefore you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.


https://support.fortinet.comhttp://kc.forticare.com/default.asp?id=2071http://kc.forticare.com/default.asp?id=2071http://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.html

Customer service and technical support Introduction

Customer service and technical supportFortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Center article What does Fortinet Technical Support require in order to best assist the customer?

Fortinet documentationThe Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Fortinet Tools and Documentation CDMany Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Center The Fortinet Knowledge Center provides additional Fortinet technical documentation, such as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.

Comments on Fortinet technical documentation Please send information about any errors or omissions in this or any Fortinet technical document to [email protected].

ConventionsFortinet technical documentation uses the conventions described below.

IP addressesTo avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.



http://kc.forticare.com/default.asp?id=1068http://kc.forticare.com/default.asp?id=1068http://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.htmlhttps://support.fortinet.comhttp://docs.fortinet.comhttp://docs.fortinet.comhttp://kc.fortinet.commailto:[email protected]://ietf.org/rfc/rfc1918.txt?number-1918

Introduction Conventions

F0h

CLI constraintsCLI constraints, such as , indicate which data types or string patterns are acceptable input for a given parameter or variable value. CLI constraint conventions are described in the CLI Reference document for each product.

Notes, Tips and CautionsFortinet technical documentation uses the following guidance and styles for notes, tips and cautions.

Typographical conventionsFortinet documentation uses the following typographical conventions:

Tip: Highlights useful additional information, often tailored to your workplace activity.

Note: Also presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Table 1: Typographical conventions in Fortinet technical documentation

Convention ExampleButton, menu, text box, field, or check box label

From Minimum log level, select Notification.

CLI input config system dnsset primary

end

CLI output FGT-602803030703 # get system settingscomments : (null)opmode : nat

Emphasis HTTP connections are not secure and can be intercepted by a third party.

File content Firewall AuthenticationYou must authenticate to use this service.

Hyperlink Visit the Fortinet Technical Support web site, https://support.fortinet.com.

Keyboard entry Type a name for the remote VPN peer or client, such as Central_Office_1.

Navigation Go to VPN > IPSEC > Auto Key (IKE).Publication For details, see the FortiGate Administration Guide.


http://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.htmlhttps://support.fortinet.comhttps://support.fortinet.comhttp://docs.fortinet.com/fgt.html

Conventions Introduction




What’s new

F0h

What’s newThe table below lists commands that have changed since the previous release, version 4.0.

Note: There are some changes in terminology in this CLI Reference intended to make syntax descriptions more accurate and consistent. Mainly, the term “keyword” has been replaced by the terms “field”, “option”, and “value”. A field can be set to either an entered value, such as an IP address, or to one of several fixed named options. For detailed information, see “Command syntax” on page 35.

Command Changeconfig application list

edit

config entries

edit

set open-contact-pinhole New field to open or close SIP pinholes for non-REGISTER SIP requests (usually INVITE requests).

set open-register-pinhole New field to open or close SIP pinholes for SIP REGISTER requests.

set rfc2543-branch New field to support RFC 2543-complaint SIP calls involving branch commands that are missing or that are valid for RFC 2543 but are invalid for RFC 3261.

set sccp-archive-fullset sccp-archive-summaryset simple-archive-fullset simple-archive-summaryset sip-archive-summaryset sip-archive-full

fields removed.

config dlp rule

edit rule_name

set field New option always. Matches all transfers.

set protocol New option session-ctrl.

config dlp sensor

config rule

edit

set archive New option summary-only enables summary DLP archiving for the rule or compound rule.

set severity New field. An integer from 1 to 5 to indicate the seriousness of the problems that would result from the content passing through the FortiGate unit.

config endpoint-control apps-detection Renamed to config endpoint-control apps-detect rule-list

config endpoint-control apps-detect rule-list rule-list

Renamed from config endpoint-control apps-detection

config endpoint-control profile New command. Configures an Endpoint NAC profile.



What’s new

config endpoint-control settings

set compliance-timeout New field. Sets the authentication timeout for compliant endpoints.

set enforce-minimum-version New field. Requires endpoints to run a defined minimum version of FortiClient Host Security.

config firewall address, address6

edit

set cache-ttl New field. Sets minimum time-to-live (TTL) of individual IP addresses in FQDN cache.

config firewall interface-policy

edit

set application-list New field. Specifies the application black/white list the FortiGate unit uses when examining network traffic.

set application-list-status New field. Enables use of application black/white list on matching network traffic.

config firewall interface-policy6

edit

set application-list New field. Specifies the application black/white list the FortiGate unit uses when examining network traffic.

set application-list-status New field. Enables use of application black/white list on matching network traffic.

config firewall ippool

edit

set interface Field removed.

config firewall policy, policy6

edit

set endpoint-allow-collect-sysinfoset endpoint-redir-portalset endpoint-restrict-check

Fields removed.

set endpoint-profile New field. Specifies which endpoint NAC profile to apply.

config firewall profile

edit

set ftp archive-fullset ftp archive-summary

Options removed. Archiving is now part of Data Leak Prevention.

set ftp scanextended Option removed. Use ftp-avdb field to select normal or extended database for AV scan.

set ftp-avdb New field. Select normal or extended AV database for FTP traffic. Replaces scanextended option.

set http content-type check New option.

set http scanextended Option removed. Use http-avdb field to select normal or extended database for AV scan.

set http-avdb New field. Select normal or extended AV database for HTTP traffic. Replaces scanextended option.

set http-post-lang New field. Specifies up to five character set encodings to use when applying spam filtering banned word checking, web filtering or DLP content scanning.

set https-avdb New field. Select normal or extended AV database for HTTPS traffic. Replaces scanextended option.

Command Change




What’s new

F0h

config firewall profile (continued)

edit

set im scanextended Option removed. Use im-avdb field to select normal or extended database for AV scan.

set im-avdb New field. Select normal or extended AV database for IM traffic. Replaces scanextended option.

set imap archive-full set imap archive-summary


set imap scanextended Option removed. Use imap-avdb field to select normal or extended database for AV scan.

set imap-avdb New field. Select normal or extended AV database for IMAP traffic. Replaces scanextended option.

set imaps archive-full set imaps archive-summary


set imaps scanextended Option removed. Use imaps-avdb field to select normal or extended database for AV scan.

set imaps-avdb New field. Select normal or extended AV database for IMAPS traffic. Replaces scanextended option.

set nntp archive-full set nntp archive-summary


set nntp quarantine New option. Quarantines infected files.

set nntp scanextended Option removed. Use nntp-avdb field to select normal or extended database for AV scan.

set nntp-avdb New field. Select normal or extended AV database for NNTP traffic. Replaces scanextended option.

set per-ip-shaper New field. Specifies the per-IP traffic shaper to apply.

set pop3 scanextended Option removed. Use pop3-avdb field to select normal or extended database for AV scan.

set pop3-avdb New field. Select normal or extended AV database for POP3 traffic. Replaces scanextended option.

set pop3s scanextended Option removed. Use pop3s-avdb field to select normal or extended database for AV scan.

set pop3s-avdb New field. Select normal or extended AV database for POP3S traffic. Replaces scanextended option.

set safesearch New field. Enforces use of safe search feature on Google, Yahoo, or Bing search engines.

set smtp scanextended Option removed. Use smtp-avdb field to select normal or extended database for AV scan.

set smtp-avdb New field. Select normal or extended AV database for SMTP traffic. Replaces scanextended option.

set smtps scanextended Option removed. Use smtps-avdb field to select normal or extended database for AV scan.

set smtps-avdb New field. Select normal or extended AV database for SMTPS traffic. Replaces scanextended option.

config logset log-imset log-p2pset log-voipset log-violations

Fields removed.

config firewall schedule group New command. Configures schedule groups.

Command Change



What’s new

config firewall shaper per-ip-shaper New command. Configures traffic shaping that is applied per IP address, instead of per policy or per shaper.

config firewall shaper traffic-shaper Renamed from config firewall traffic-shaper.

edit

set action New field. Selects traffic accounting logging or blocking or traffic exceeding the quota.

set quota New field. Sets the traffic quota.

set type New field. Selects hourly, daily, weekly or monthly period for accounting logs or traffic quota enforcement.

config firewall sniff-interface-policyconfig firewall sniff-interface-policy6

New commands. Configure FortiGate unit interface to operate as a one-arm intrusion detection system (IDS) appliance.

config firewall traffic-shaper Renamed config firewall shaper traffic-shaper.

config log disk setting

set sql-max-size New field. Sets maximum size of SQL logs.

set sql-max-size-action New field. Selects action when maximum log size is reached.

set sql-oldest-entry New field. Sets number of days to keep log entries.

config sql-logging New subcommand. Enables or disables SQL logging by log type.

config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting

set wanopt-traffic New field. Enables WAN optimization traffic logging.

set webcache-traffic New field. Enables WAN optimization web caching traffic logging.

config log {fortianalyzer | syslogd} override-filter

New command. Overrides the global configuration created with the config log {fortianalyzer | syslogd} filter command.

config log fortianalyzer override-setting

New command. Overrides the global configuration created with the config log fortianalyzer setting command.

config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting

Renamed from config system fortianalyzer.

set address-mode New field. Selects auto-discovery or static addressing.

set conn-timeout New field. Sets the FortiAnalyzer connection timeout.

set encrypt New field. Enables use of IPSec VPN tunnel for communication.

set fdp-device New field. Sets serial number of the Fortianalyzer unit.

set localid New field. Sets the identifier that both FortiGate and FortiAnalyzer units use.

set psksecret New field. Sets the pre-shared key for the IPSec VPN tunnel.

set server New field. Sets the IP address of the FortiAnalyzer unit.

set ver-1 Field removed.

config log syslogd override-setting New command. Overrides for this VDOM the global configuration created with the config log syslogd setting command.

config log {syslogd | syslogd2 | syslogd3} setting

set reliable New field. Enables reliable delivery of syslog messages in compliance with RFC 3195.

config report ... New commands. Configure log reports.

Command Change



http://www.faqs.org/rfcs/rfc3195.htmlhttp://docs.fortinet.com/http://docs.fortinet.com/surveyredirect.html

What’s new

F0h

config router access-list, access-list6 New command (access-list6).

config router bgp

config aggregate-address6 New subcommand. IPv6 version of config aggregate-address.

config neighbor Many IPv6 fields added. All end with “6”.

config network6 New subcommand. IPv6 version of config network.

config redistribute6 New subcommand. IPv6 version of config redistribute.

config router prefix-list, prefix-list6 New command (prefix-list6). IPv6 version of prefix-list.

config router ripng New command. Configures the “next generation” Routing Information Protocol, RIPng.

config router static

edit

set weight New field. Adds weights to ECMP static routes if the ECMP route failover and load balance method is set to weighted.

config spamfilter ipbwl

config entries

set addr-type New field. Selects IPv4 or IPv6 addressing.

set ip4-subnet New field. Specifies IPv4 trusted address.


set ip/subnet Field replaced by ip4-subnet and ip6-subnet.

config spamfilter iptrust

config entries




set ip/subnet Field replaced by ip4-subnet and ip6-subnet.

config system admin

edit

set force-password-change New field. Requires this administrator to change password at next login.

set ip6-trusthost1set ip6-trusthost2set ip6-trusthost3

New fields. Set IPv6 trusted hosts.

set moduleid Field removed.

set password-expire New field. Sets a date and time for password expiry.

config system dns

set autosvr Field removed

set fwdintf Field removed

config system dns-database New command. Configures the FortiGate DNS database.

config system fortianalyzerconfig system fortianalyzer2config system fortianalyzer3

Commands renamed config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting.

Command Change



What’s new

config system fortiguard

config serv-ovrd-list


set ip6 New field. IPv6 version of ip.

config system global

set anti-replay New field. Sets level of protection against packet replay exploits. Replaces conn-tracking.

set conn-tracking Replaced by anti-replay.

set registration-notification New field. Enables displaying the registration notification in the web-based manager if the FortiGate unit is not registered.

set internal-switch-mode {hub | interface | switch}

New hub option for enabling hub mode which is similar to switch mode.

set log-user-in-upper New field. Enables logging of user name in upper case.

set service-expire-notification New field. Enables displaying a notification on the web-based manager 30 days before the FortiGate unit support contract expires.

set wireless-controller New field. Enables wireless controller feature.

set wireless-controller-port New field. Sets control and data ports for wireless controller mode.

set wireless-terminal New field. Enables FortiWiFi unit to be managed by another FortiGate unit’s wireless controller feature.

set wireless-terminal-port New field. Sets control and data ports for wireless terminal mode.

config system interface

edit

set detectprotocol New field. Selects the protocols to use to detect interface connection status.

set dhcp-client-identifier New field. Change the default DHCP client identifier.

set dns-query New field. Configures interface to accept DNS queries, recursive or non-recursive.

set explicit-web-proxy New field. Enables explicit web proxy on this interface.

set spillover-threshold New field. Limits the amount of bandwidth processed by the Interface.

config system modem

set authtype1set authtype2set authtype3

New fields. Sets the authentication methods to use for 3G modems.

set wireless-port New field. Sets TTY Port for 3G modems.

config system password-policy New command. Configures higher security requirements for administrator passwords and IPsec VPN pre-shared keys.

config system replacemsg ec Changed command. Now also configures Endpoint NAC Recommendation Portal.

config system replacemsg traffic-quota New command. Formats traffic shaping quota replacement messages.

config system replacemsg-group New command. Defines replacement messages for your VDOM, overriding global replacement messages.

config system settings

set v4-ecmp-mode New field. Sets the ECMP route failover and load balance method.

Command Change




What’s new

F0h

config system snmp sysinfo

set engine-id New field. Sets optional engine-id string for snmpEngineID.

config system snmp user

edit

set auth-proto New field. Selects authentication protocol.

set auth-pwd New field. Sets user’s password.

set priv-proto New field. Selects privacy (encryption) protocol.

set priv-pwd New field. Sets the privacy encryption key.

set security-level New field. Enables authentication and privacy.

config system wireless settingsset geography Default changed from World to Americas.

config user group

edit

set ldap-memberof New field. Specifies the LDAP groups to which members of this user group belong.

config user peer

edit

set password New field. Sets password for two-factor authentication.

set two-factor New field. Enables two-factor authentication.

config user setting

set auth-blackout-time New field. Sets blackout time for failed user authentication attempts.

set auth-http-basic New field. Enables HTTP basic authentication for identify-based firewall policies.

config auth-ports New subcommand. Configures non-standard ports for firewall authentication.

config vpn certificate ca

edit

set auto-update-days New field. Sets the number of days prior to expiry that the FortiGate unit requests an updated CA certificate.

set auto-update-days-warning New field. Sets how many days before CA certificate expiry the FortiGate generates a warning message.

set scep-url New field. Specifies the URL of the SCEP server.

config vpn certificate crl

edit

set update-interval New field. Sets how frequently the FortiGate unit checks for an updated CRL.

config vpn certificate local

edit

set auto-regenerate-days New field. Sets the number of days prior to expiry that the FortiGate unit requests an updated local certificate.

set auto-regenerate-days-warning New field. Sets how many days before local certificate expiry the Fort

fortigate 4.0 mr1 cli referencepub.kb.fortinet.com/ksmcontent/fortinet-public... · contents...

Documents