
FortiOS CLI Reference
FortiOS 4.0 MR3

Visit http://support.fortinet.com to register your FortiOS product. By registering you can receive product updates, technical support, and FortiGuard services.

FortiOS CLI Reference
FortiOS 4.0 MR3
August 25 2011
01-432-99686-20110825

Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
The symbols and denote respectively federally registered trademarks and unregistered trademarks of Fortinet, Inc., its subsidiaries and affiliates including, but not limited to, the following names: Fortinet, FortiGate, FortiOS, FortiASIC, FortiAnalyser, FortiSwitch, FortiBIOS, FortiLog, FortiVoIP, FortiResponse, FortiManager, FortiWiFi, FortiGuard, FortiReporter, FortiClient, FortiLog, APSecure, ABACAS. Other trademarks belong to their respective owners.

Contents

Introduction
  How this guide is organized
  Availability of commands and options
  Document conventions and other information

What's new
  Changes for FortiOS 4.3 Patch 1

alertemail
  setting

antivirus
  heuristic
  mms-checksum
  notification
  profile
    config {http | https | ftp | ftps | imap | imaps | pop3 | pop3s | smtp | smtps | nntp | im}
    config nac-quar
  quarantine
  quarfilepattern
  service
  settings

application
  list
  name

dlp
  compound
  filepattern

FortiOS 4.0 MR3 CLI Reference 01-432-99686-20110825 http://docs.fortinet.com/ Feedback

  fp-doc-source
  fp-sensitivity
  rule
  sensor
  settings

endpoint-control
  app-detect rule-list
  profile
  settings

firewall
  address, address6
  addrgrp, addrgrp6
  carrier-endpoint-bwl
  carrier-endpoint-ip-filter
  central-nat
  dnstranslation
  gtp
  interface-policy
  interface-policy6
  ipmacbinding setting
  ipmacbinding table
  ippool
  ldb-monitor
  local-in-policy, local-in-policy6
  mms-profile
    config dupe {mm1 | mm4}
    config flood {mm1 | mm4}
    config log
    config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7}
    config notif-msisdn
  multicast-policy
  policy, policy6
    config identity-based-policy
  profile-group
  profile-protocol-options
    config http
    config https
    config ftp
    config ftps
    config imap
    config imaps
    config pop3
    config pop3s
    config smtp
    config smtps
    config nntp
    config im
    config ssl-server
    config mail-signature
  schedule onetime
  schedule recurring
  schedule group
  service custom
  service explicit-web
  service group
  service group-explicit-web
  shaper per-ip-shaper
  shaper traffic-shaper
  sniff-interface-policy
  sniff-interface-policy6
  ssl setting
  vip
  vipgrp

ftp-proxy
  explicit

gui
  console

icap
  profile
  server

imp2p
  aim-user
  icq-user
  msn-user
  old-version
  policy
  yahoo-user

ips
  DoS
    config limit
  custom
  decoder
  global
  rule
  sensor
  setting

log
  custom-field
  {disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter
  disk setting
  eventfilter
  {fortianalyzer | syslogd} override-filter
  fortianalyzer override-setting
  {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
  fortiguard setting
  gui
  memory setting
  memory global-setting
  syslogd override-setting
  {syslogd | syslogd2 | syslogd3} setting
  trafficfilter
  webtrends setting

netscan
  assets
  settings

pbx
  dialplan
  did
  extension
  global
  ringgrp
  voice-menu
  sip-trunk

report
  chart
  dataset
  layout
  style
  summary
  theme

router
  access-list, access-list6
  aspath-list
  auth-path
  bgp
    config router bgp
    config admin-distance
    config aggregate-address
    config aggregate-address6
    config neighbor
    config network
    config network6
    config redistribute
    config redistribute6
  community-list
  gwdetect
  isis
    config isis-interface
    config isis-net
    config redistribute {bgp | connected | ospf | rip | static}
    config summary-address
  key-chain
  multicast
    Sparse mode
    Dense mode
    config router multicast
    config interface
    config pim-sm-global
  multicast-flow
  ospf
    config router ospf
    config area
    config distribute-list
    config neighbor
    config network
    config ospf-interface
    config redistribute
    config summary-address
  ospf6
  policy
  prefix-list, prefix-list6
  rip
    config router rip
    config distance
    config distribute-list
    config interface
    config neighbor
    config network
    config offset-list
    config redistribute
  ripng
  route-map
    Using route maps with BGP
  setting
  static
  static6

spamfilter
  bword
  dnsbl
  emailbwl
  fortishield
  ipbwl
  iptrust
  mheader
  options
  profile
    config {imap | imaps | pop3 | pop3s | smtp | smtps}
    config {gmail | msn-hotmail | yahoo-mail}

system
  3g-modem custom
  accprofile
  admin
  alertemail
  amc
  arp-table
  auto-install
  autoupdate clientoverride
  autoupdate override
  autoupdate push-update
  autoupdate schedule
  autoupdate tunneling
  aux
  bug-report
  central-management
  console
  ddns
  dhcp reserved-address
  dhcp server
  dhcp6 server
  dns
  dns-database
  dns-server
  elbc
  fips-cc
  fortiguard
  fortiguard-log
  gi-gk
  global
  gre-tunnel
  ha
  interface
  ipv6-tunnel
  mac-address-table
  modem
  monitors
  npu
  ntp
  object-tag
  password-policy
  port-pair
  proxy-arp
  pstn
  replacemsg admin
  replacemsg alertmail
  replacemsg auth
  replacemsg ec
  replacemsg fortiguard-wf
  replacemsg ftp
  replacemsg http
  replacemsg im
  replacemsg mail
  replacemsg mm1
  replacemsg mm3
  replacemsg mm4
  replacemsg mm7
  replacemsg-group
  replacemsg-group
  replacemsg-image
  replacemsg nac-quar
  replacemsg nntp
  replacemsg spam
  replacemsg sslvpn
  replacemsg traffic-quota
  replacemsg webproxy
  resource-limits
  session-helper
  session-sync
  session-ttl
  settings
  sit-tunnel
  sflow
  snmp community
  snmp sysinfo
  snmp user
  sp
  storage
  switch-interface
  tos-based-priority
  vdom-dns
  vdom-link
  vdom-property
  vdom-sflow
  wccp
  zone

user
  Configuring users for authentication
    Configuring users for password authentication
    Configuring peers for certificate authentication
  ban
  fortitoken
  fsso
  group
  ldap
  local
  peer
  peergrp
  radius
  setting
  sms-provider
  tacacs+

voip
  profile
    config sip
    config sccp

vpn
  certificate ca
  certificate crl
  certificate local
  certificate ocsp
  certificate remote
  ipsec concentrator
  ipsec forticlient
  ipsec manualkey
  ipsec manualkey-interface
  ipsec phase1
  ipsec phase1-interface
  ipsec phase2
  ipsec phase2-interface
  l2tp
  pptp
  ssl settings
  ssl web host-check-software
  ssl web portal
  ssl web virtual-desktop-app-list


wanopt
  auth-group
  peer
  rule
  settings
  ssl-server
  storage
  webcache
    config cache-exemption-list

web-proxy
  explicit
  forward-server
  global

webfilter
  content
  content-header
  fortiguard
  ftgd-local-cat
  ftgd-local-rating
  ftgd-warning
  override
  override-user
  profile
    config ftgd-wf
    config override
    config quota
    config web
  urlfilter

wireless-controller
  ap-status
  global
  setting


  timers
  vap
  vap-group
  wtp
  wtp-profile

execute
  backup
  batch
  carrier-license
  central-mgmt
  cfg reload
  cfg save
  clear system arp table
  cli check-template-status
  cli status-msg-only
  date
  disk
  disk raid
  dhcp lease-clear
  dhcp lease-list
  disconnect-admin-session
  enter
  factoryreset
  firmware-list update
  formatlogdisk
  forticlient
  fortiguard-log update
  fortitoken
  fsso refresh
  ha disconnect
  ha manage
  ha synchronize
  interface dhcpclient-renew
  interface pppoe-reconnect
  log client-reputation-report


  log delete-all
  log delete-rolled
  log display
  log filter
  log fortianalyzer test-connectivity
  log list
  log rebuild-sqldb
  log recreate-sqldb
  log-report reset
  log roll
  modem dial
  modem hangup
  modem trigger
  mrouter clear
  netscan
  pbx
  ping
  ping-options, ping6-options
  ping6
  reboot
  report-config reset
  restore
  revision
  router clear bfd session
  router clear bgp
  router clear ospf process
  router restart
  send-fds-statistics
  set system session filter
  set-next-reboot
  sfp-mode-sgmii
  shutdown
  ssh
  tac report
  telnet
  time


  traceroute
  tracert6
  update-ase
  update-av
  update-ips
  update-modem
  update-now
  upd-vd-license
  upload
  usb-disk
  vpn certificate ca
  vpn certificate crl
  vpn certificate local
  vpn certificate remote
  vpn ipsec tunnel down
  vpn ipsec tunnel up
  vpn sslvpn del-all
  vpn sslvpn del-tunnel
  vpn sslvpn del-web
  vpn sslvpn list
  wireless-controller delete-wtp-image
  wireless-controller list-wtp-image
  wireless-controller reset-wtp
  wireless-controller restart-acd
  wireless-controller restart-wtpd
  wireless-controller upload-wtp-image

get
  endpoint-control app-detect
  firewall dnstranslation
  firewall iprope appctrl
  firewall iprope list
  firewall proute
  firewall service predefined
  firewall shaper
  grep


  gui console status
  gui topology status
  hardware cpu
  hardware memory
  hardware nic
  hardware npu
  hardware status
  ips decoder status
  ips rule status
  ips session
  ipsec tunnel list
  log sql status
  netscan scan
  netscan settings
  get pbx branch-office
  pbx dialplan
  pbx did
  pbx extension
  pbx ftgd-voice-pkg
  pbx global
  pbx ringgrp
  pbx sip-trunk
  pbx voice-menu
  report database schema
  router info bfd neighbor
  router info bgp
  router info gwdetect
  router info isis
  router info kernel
  router info multicast
  router info ospf
  router info protocols
  router info rip
  router info routing-table
  router info vrrp
  router info6 bgp


  router info6 interface
  router info6 kernel
  router info6 ospf
  router info6 protocols
  router info6 rip
  router info6 routing-table
  system admin list
  system admin status
  system arp
  system auto-update
  system central-management
  system checksum
  system cmdb status
  system dashboard
  system fdp-fortianalyzer
  system fortianalyzer-connectivity
  system fortiguard-log-service status
  system fortiguard-service status
  system ha-nonsync-csum
  system ha status
  system info admin ssh
  system info admin status
  system interface physical
  system mgmt-csum
  system performance firewall
  system performance status
  system performance top
  system session list
  system startup-error-log
  system session status
  system session-helper-info list
  system session-info
  system source-ip
  system status
  test
  user adgrp


  vpn ike gateway
  vpn ipsec tunnel details
  vpn ipsec tunnel name
  vpn ipsec stats crypto
  vpn ipsec stats tunnel
  vpn ssl monitor
  vpn status l2tp
  vpn status pptp
  vpn status ssl
  webfilter ftgd-statistics
  webfilter status
  wireless-controller scan

tree

Appendix
  Document conventions
    IP addresses
    Example Network configuration
    Cautions, Notes and Tips
    Typographical conventions
    CLI command syntax conventions
  Entering FortiOS configuration data
    Entering text strings (names)
    Entering numeric values
    Selecting options from a list
    Enabling or disabling options
  Registering your Fortinet product
  Fortinet products End User License Agreement
  Training
  Documentation
    Fortinet Tools and Documentation CD
    Fortinet Knowledge Base
    Comments on Fortinet technical documentation
  Customer service and technical support


Introduction

This document describes FortiOS 4.0 MR3 CLI commands used to configure and manage a FortiGate unit from the command line interface (CLI).

How this guide is organized

Most of the chapters in this document describe the commands for each configuration branch of the FortiOS CLI. The command branches and commands are in alphabetical order. This document also contains the following sections:

What's new describes changes to the 4.0 MR3 CLI.
execute describes execute commands.
get describes get commands.
tree describes the tree command.

Availability of commands and options

Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark ? to verify the commands and options that are available. Commands and options may not be available for the following reasons:

FortiGate model. Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate option of the config system interface command.
Hardware configuration. For example, some AMC module commands are only available when an AMC module is installed.
FortiOS Carrier, FortiGate Voice, FortiWiFi etc. Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.

Document conventions and other information

See Appendix on page 896.


What's new

As the FortiOS Handbook is being developed, the FortiGate CLI Reference is becoming a dictionary of FortiOS CLI commands. Examples have been removed from this CLI Reference and command explanations are being more sharply focused on defining the command and its options, ranges, defaults and dependencies. The CLI Reference now includes FortiOS Carrier commands and future versions will include FortiGate Voice commands. Also command histories have been removed. These changes are in progress and will be completed in future versions of this document.

The table below lists CLI commands and options that have been added to FortiOS 4.0 MR3.

Command                                 Change
config antivirus profile
  edit
    set filepattable                    Removed. Use config dlp sensor.
    set options file-filter             Option removed. Use config dlp sensor.
    set options strict-file             Option removed. Use config dlp sensor.
    config ftps                         New fields to configure antivirus for FTPS.
    config {http https ftp ftps smtp smtps pop3 pop3s imap imaps im nntp}
      set archive-block                 New field. Selects archive types to block.
      set archive-log                   New field. Selects archive types to block.
config antivirus quarantine
  set drop-blocked ftps                 Changed. ftps option added.
  set heuristic ftps                    Changed. ftps option added.
  set drop-infected ftps                Changed. ftps option added.
config antivirus service ftps           New command.
config application list
  edit
    set p2p-black-list                  New field. Blacklists Bittorrent, eDonkey, or Skype.
    config entries
      edit
        set action reset                New option. Resets network connection.
        set block-video                 New. Blocks or allows MSN video chats.
        set chart                       Removed.
config dlp filepattern                  New command. Configures file patterns used for DLP file blocking.
config dlp fp-doc-source                New command. Adds fingerprinting document sources.
config dlp fp-sensitivity               New command. Adds fingerprinting sensitivity labels.


config dlp rule
  edit
    set field file-size                 New option. Searches for files of specified size.
    set field file-type                 New option. Searches for files of specified type.
    set field fingerprint               New option. Searches for fingerprinted files.
    set field regexp                    New option. Searches for a match using a regular expression string.
    set field file-bytes                New attribute. Searches for specific data at a specific location in the file.
    set file-bytes                      New field. Specifies data for file-bytes search.
    set file-byte-hex                   New field. Enables use of hexadecimal in file-bytes.
    set file-byte-offset                New field. Location in file to find file-bytes data.
    set protocol session-control        Option removed.
config dlp sensor
  edit
    set flow-based                      New field. Enables flow-based DLP.
    set options strict-file             Field moved from config antivirus profile.
    config compound-rule                Subcommands removed. Use config filter.
    config rule
    config filter                       New subcommand. Configures DLP sensors, formerly configured in config compound-rule and config rule.

config endpoint-control profile
  edit
    set require-av warn                 New warn option. Warns user about non-compliance, but allows access.
    set require-av-uptodate warn
    set require-firewall warn
    set require-license warn
    set require-webfilter warn

config firewall address, address6
  edit
    set color                           New field. Sets icon color.
    set country                         New field. Set country code for geography type address.
    set tags                            New field. Applies object tags.
    set type geography                  New option for Geography-based filtering.
config firewall addrgrp, addrgrp6
  edit
    set color                           New field. Sets icon color.
config firewall local-in-policy, local-in-policy6  New command. Creates firewall policies for traffic destined for the FortiGate unit itself.
config firewall multicast-policy
  edit
    set auto-asic-offload               New field. Enables session offload to NP or SP processors.
    set logtraffic                      New field. Enables logging of multicast traffic.


config firewall policy, policy6
  edit
    set application                     New field. Enables tracking of application usage in auto profiling.
    set auth-method form                New option. Form-based authentication in explicit webproxy.
    set auto-asic-offload               New field. Enables session offload to NP or SP processors.
    set bandwidth                       New field. Enables tracking of bandwidth usage in auto profiling.
    set client-reputation               New field. Enables client reputation feature.
    set client-reputation-mode          New field. Select learning or monitoring mode for client reputation.
    set dynamic-profile                 New field. Enables dynamic profile.
    set dynamic-profile-access          Enable dynamic profiles by protocol. Functionality moved from system dynamic profile.
    set dynamic-profile-group           New field. Selects the dynamic profile group.
    set failed-connection               New field. Enables tracking of failed connection attempts in auto profiling.
    set fsae                            Renamed to fsso.
    set fsae-agent-for-ntlm             Renamed to fsso-agent-for-ntlm.
    set fsso                            Renamed from fsae.
    set fsso-agent-for-ntlm             Renamed from fsae-agent-for-ntlm.
    set geo-location                    New field. Enables tracking countries of destination IP addresses in auto profiling.
    set global-label                    New field. Places policy in the named subsection in the web-based manager policy list.
    set icap-profile                    New field. Select an Internet Content Adaptation Protocol (ICAP) profile.
    set logtraffic-app                  New field. Enables traffic logging when application list logging is enabled, regardless of logtraffic setting.
    set ntlm-enabled-browsers           New field. Defines HTTP-User-Agent strings of supported browsers.
    set ntlm-guest                      New field. Enables NTLM guest user access.
    set schedule-timeout                New field. Enables forced timeout of session when policy schedule ends.
    set sessions                        New field. Enables taking a snapshot of the number of sessions every five minutes in auto profiling.
    set srcintf ftp-proxy               New option. Use FTP proxy as source interface.
    set tags                            New field. Applies object tags.
    set web-auth-cookie                 New field. Enables cookies for explicit proxy sessions.
    set webcache                        New: Apply web caching in a firewall policy.
    set webproxy-forward-server         New field. Sets name of web proxy forwarding server.
config firewall profile-group
  edit
    set icap-profile                    New field. Sets an Internet Content Adaptation Protocol (ICAP) profile.


config firewall profile-protocol-options
  edit
    config ftp
      set post-lang                     Removed. Post-lang does not apply to FTP.
    config ftps                         New subcommand. Configures FTPS protocol options.
    config https
      set options ssl-ca-list           New option. Verifies SSL session server certificate against stored CA certificate list.
      set client-cert-request           New field. Selects action to take if the client certificate request fails during the SSL handshake.
    config ssl-server                   New subcommand. Configures SSL server settings for use with the secure protocols (HTTPS, FTPS, POP3S, SMTPS).

config firewall schedule group
edit
set color: New field. Sets icon color.
config firewall schedule onetime
edit
set color: New field. Sets icon color.
config firewall schedule recurring
edit
set color: New field. Sets icon color.
config firewall service custom
edit
set color: New field. Sets icon color.
set protocol TCP/UDP/SCTP, set tcp-halfopen-timer, set tcp-halfclose-timer, set tcp-timewait-timer, set udp-idle-timer, set check-reset-range, set session-ttl: New session control options for custom services.
config firewall service explicit-web: New command. Configures explicit web proxy services.
config firewall service group
edit
set color: New field. Sets icon color.

config firewall service group-explicit-web: New command. Configures explicit web proxy service groups.
config firewall shaper per-ip-shaper
edit
set diffserv-forward, set diffservcode-forward, set diffserv-reverse, set diffservcode-rev: New fields. Manage differentiated services code point (DSCP) values.


config firewall shaper traffic-shaper
edit
set diffserv, set diffservcode: New fields. Starts differentiated services for network traffic.
config firewall sniff-interface-policy
edit
set logtraffic: New field. Enable traffic logging on one-arm policy.
config firewall vip
set extip: Changed. Now also accepts address range.
set http-cookie-domain-from-host: New field. Sets handling of SetCookie.
set ldb-method http-host: Changed. New method http-host added.
set ssl-algorithm: New field. Sets the permitted encryption algorithms for SSL sessions according to encryption strength.
set ssl-client-renegotiation secure: New option. Requires secure renegotiation.
set ssl-pfs: New field. Enables Perfect Forward Secrecy on SSL connections.
set src-filter: New field. Specifies a source IP address filter.
config realserver
edit
set http-host: New field. Sets the value of HOST header to match.
config ftp-proxy explicit: New. Configuration branch for enabling and configuring the explicit FTP proxy.
config icap profile: New command. Configures an Internet Content Adaptation Protocol (ICAP) profile.
config icap server: New command. Configures an Internet Content Adaptation Protocol (ICAP) server.
config ips rule
set tags: New field. Applies object tags.
config ips sensor
edit
config filter: Renamed to config entries.
config entries: Renamed from config filter. config filter now includes all fields from former config override subcommand.
edit: Changed from .
set rate-count, set rate-duration, set rate-mode, set rate-track: New fields. Configure signature threshold in filter.
set tags: New field. Applies object tags.
config override: Removed. Fields moved into config override subcommand.


config log {disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter
set extended-traffic-log: Renamed from other-traffic.
set explicit-proxy-traffic: Field name changed from webproxy-traffic.
set other-traffic: Renamed to extended-traffic-log.
set webproxy-traffic: Field name changed to explicit-proxy-traffic.
config log disk setting
ms-per-transaction: New field. Sets the maximum time logs wait to be committed.
rows-per-transaction: New field. Sets the number of log entries that triggers a log commit.
set upload-format: New field. Selects either compact or text format for uploaded logs.
set upload-ssl-conn: New field. Sets strength of algorithm used for communication with FortiAnalyzer units.
config log eventfilter
set dns: New field. Enables logging of DNS lookups.
config log fortianalyzer override-setting
set enc-algorithm: New field. Sets strength of algorithm used for communication with FortiAnalyzer units.
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
set enc-algorithm: New field. Sets strength of algorithm used for communication with FortiAnalyzer units.
config log fortiguard setting
set enc-algorithm: New field. Sets strength of algorithm used for communication with FortiManager and FortiAnalyzer units.
config log gui: New command. Select the device from which logs are displayed in the web-based manager.
config netscan assets
edit
set scheduled: New. Enables asset to be included in scheduled scans.
set status: Removed. Use scheduled.
config netscan settings
set os-detection: New field. Enables host OS detection.
set scheduled-pause, set pause-from, set pause-to: New fields. Enables a scheduled pause in network scanning and sets the start and end of that pause.
set service-detection: New field. Enables service detection.
set schedule: Removed. Use set scheduled in config netscan assets.
set tcp-scan: New field. Enables TCP scan.
set udp-scan: New field. Enables UDP scan.
config pbx: New commands. Configure the PBX feature of the FortiGate Voice unit.


config report chart
edit
set drill-down-chart: New field. Specifies chart for drill-down.
set period: New field. Selects 24-hour or seven-day chart period.
config report layout
edit
set cache-time-out: New field. Set the timeout period for cached report datasets.
set cutoff-option: New field. Chooses report run-time or custom time for end of report period.
set cutoff-time: New field. Sets report custom cutoff-time.
set email-recipients: New field. Specifies recipients of emailed reports.
set email-send: New field. Enables emailing of reports.
config body-item
edit
set parameter1: New field. Sets the parameter value for this body item.
config router multicast
config interface
edit
set multicast-flow: New field. Connects the named multicast flow to this interface.
set static-group: New field. Statically joins this interface to the named multicast group.
config router multicast-flow: New command. Configures the source allowed for a multicast flow when using PIM-SM or PIM-SSM.
config router ospf6
config area
edit
config area
set nssa-default-information-originate, set nssa-default-information-originate-metric, set nssa-default-information-originate-metric-type, set nssa-redistribution, set nssa-translator-role: New fields. Same function as in config router ospf command.
config spamfilter fortishield
set report-status: Field removed.


config spamfilter profile
edit
set spam-filtering: New field. Enables or disables spam filtering.
set options: Field moved from protocol level.
set options spamfsphish: New option. Detect phishing URLs in email.
config gmail: New subcommand. Spamfilters gmail.
config msn-hotmail: New subcommand. Spamfilters MSN Hotmail.
config yahoo-mail: New subcommand. Spamfilters Yahoo mail.
config system 3g-modem custom: New command. Configures 3G PCMCIA modems.
config system accprofile
edit
set scope {vdom | global}: New field. Select global or single-VDOM scope for administrator.
set utmgrp custom
config utmgrp-permission
set icap: New option. Configures level of access to Internet Content Adaptation Protocol (ICAP) configuration.
config system admin
edit
set accprofile-override: Changed from radius-accprofile-override. Now, TACACS+ servers can also specify profile.
set allow-remove-admin-session: New field. Admins with super_admin profile can prevent other admins from closing their session.
set gui-detail-panel-location: New field. Sets the position of the log details panel.
set radius-accprofile-override: Changed to accprofile-override.
config dashboard
edit
set widget-type sessions-history: New option. Configures new sessions/second widget.
set widget-type dlp-usage: Removed. Use system monitors command.
set widget-type pol-usage: Removed. Use system monitors command.
set widget-type protocol-usage: New option. Configures Protocol Usage widget.
set widget-type sys-res: New option. Configures System Resources widget.
set widget-type top-attacks: Removed. Use system monitors command.
set widget-type top-viruses: Removed. Use system monitors command.
set ip-version: New field for sessions widget. Sets whether to display IPv4 sessions, IPv6 sessions, or both.
config system carrier-endpoint-translation: Command removed.


config system central-management
set authorize-manager-only: Removed.
set auto-backup: Removed.
set copy-local-revision: Removed.
set enc-algorithm: New field. Sets strength of algorithm used for communication with FortiManager and FortiAnalyzer units.
set mode: New field. Selects alternate backup mode for backup to a FortiManager unit.
set serial-number: Removed.
config chassis-loadbalance: Removed. Configuration for chassis load balance is now determined by the FortiSwitch configuration.
config system ddns: New command. Configures DDNS. DDNS was removed from system interface.
config system dhcp reserved-address: Removed. Use config reserved-address subcommand of system dhcp server.
config system dhcp server
edit
set auto-configuration: Update cached hardware address on HA events to support option 116. Enabled by default.
set vci-match, set vci-string: New fields. Enables applying DHCP service only to hosts with specified Vendor Class Identifier (VCI).
config reserved-address: New subcommand. Replaces system dhcp reserved-address command.
edit
set ip
set mac
config system dhcp6 server: New command. Configures IPv6 DHCP servers.
config system dns
set source-ip: Set allowed source IP for communications to DNS server. Part of Local-Out policy.
config system dynamic profile: Command removed. Most options moved to user radius. See also dynamic-profile-access in firewall policy.
config system elbc: New command. Sets chassis load balancing (ELBC) information for the FortiOS unit.
config system fortiguard-log
set source-ip: Set allowed source IP for communications to FAMS. Part of Local-Out policy.
config system global
set admin-ssh-grace-time: New field. Sets maximum time permitted between making an SSH connection to the FortiGate unit and authenticating.
set csr-ca-attribute: New field. Enables use of the CA attribute in the certificate.
set explicit-proxy-auth-timeout: New field. Sets timeout for idle explicit web proxy sessions.
set fmc-xg2-load-balance: New field. Starts XG2 load balancing.
set gui-ap-profile: New. Enables custom AP profile configuration options on the web-based manager.
set gui-central-nat-table: New. Enables central NAT table configuration options on the web-based manager.
set gui-client-reputation: New. Enables client reputation feature.


config system global (continued)
set gui-dns-database: New. Enables display of DNS database menu in the web-based manager.
set gui-dynamic-profile-display: New. Enables display of dynamic profile feature controls in the web-based manager.
set gui-icap: New. Enable or disable ICAP configuration options on the web-based manager.
set gui-implicit-id-based-policy: New. Enable or disable identity-based firewall implicit policy configuration options on the web-based manager.
set gui-implicit-policy: New. Enable or disable implicit firewall policy configuration options on the web-based manager.
set gui-ipsec-manual-key: New. Enables manual key IPsec configuration in the web-based manager.
set gui-object-tags: New. Enable or disable object tagging and object coloring configuration options on the web-based manager.
set ipv6-accept-dad: New. Configures IPv6 DAD (Duplicate Address Detection) operation.
set num-cpus: New field. Sets number of active CPUs.
set sql-logging: New field. Enables SQL logging on models equipped with hard disk, not SSD.
set sslvpn-sport: Field removed. Use set port in vpn ssl settings.
set strict-dirty-session-check: New field. Enables dropping of sessions that no longer match policy due to routing or policy change.
set wifi-certificate, set wifi-ca-certificate: New fields. Select WiFi server certificates.
set wimax-4g-usb: New field. Enables access to a WIMAX 4G USB device.
set wireless-mode: New field. Sets wireless operating mode for FortiWiFi units.
config system ha
set session-pickup-delay {enable | disable}: New. Improve performance by synchronizing sessions only if they are active for more than 30 seconds.
set session-sync-dev: New. Specify up to 8 interfaces to be used for session synchronization (session pickup) instead of the heartbeat interface.
set subsecond: Removed. Not necessary. Underlying NIC driver supports subsecond link failure detection. User can set the hb-interval/threshold values for subsecond failover.
set weight: Default changed to set all weights to 40. Range changed to 0 to 255 (was 0 to 31).
set cpu-threshold: New. Configure dynamic weighted load balancing for CPU usage.
set ha-uptime-diff-margin: New. Change the cluster age difference margin (grace period) ignored by the cluster when selecting a primary unit based on age.
set memory-threshold: New. Configure dynamic weighted load balancing for memory usage.
set http-proxy-threshold: New. Configure dynamic weighted load balancing for HTTP proxy sessions.
set ftp-proxy-threshold: New. Configure dynamic weighted load balancing for FTP proxy sessions.
set imap-proxy-threshold: New. Configure dynamic weighted load balancing for IMAP proxy sessions.


set nntp-proxy-threshold: New. Configure dynamic weighted load balancing for NNTP proxy sessions.
set pop3-proxy-threshold: New. Configure dynamic weighted load balancing for POP3 proxy sessions.
set smtp-proxy-threshold: New. Configure dynamic weighted load balancing for SMTP proxy sessions.
config system interface
edit
set elbc-default-gw: New field. Adds a default gateway to hidden front panel ports in ELBC mode.
set explicit-ftp-proxy: New field. Enables use of explicit FTP proxy.
set ddns (and related ddns- fields): Removed. See new system ddns command.
set fp-disable: Removed.
set npu-fastpath: Removed.
set peer-interface: Removed. Use config system port-pair command.
set secondary-IP: New field. Enables configuration of a secondary IP address on the interface.
set vrrp-virtual-mac: New field. Enables VRRP virtual MAC addresses for the VRRP routers added to this interface.
config ipv6
set ip6-allowaccess: Added SNMP option.
config system modem
set wireless-custom-product-id, set wireless-custom-vendor-id: Removed. Use config system 3g-modem custom.
config system monitors: New command. Adds per-VDOM monitoring widgets moved from system admin dashboard configuration.
config system npu
set elbc-mode: New field. Selects required configuration of internal NPUs of a FGT-5001 for ELBC.
config system ntp
set source-ip: Set allowed source IP for communications to NTP server. Part of Local-Out policy.
config ntpserver
edit
set authentication, set key, set key-id: New fields. Configure MD5 authentication on NTPv3 servers.
config system password-policy
set must-contain: Removed.
set min-lower-case, set min-upper-case, set min-non-alphanumeric, set min-number: New fields. These fields replace the must-contain field and its options.
set expire: Changed to set expire-day.
set expire-day: Name changed from set expire.
set expire-status: New field. Enables password expiry.


config system port-pair: New command. Defines Transparent mode port pairs.
config system object-tag: New command. Creates object tags.
config system replacemsg ftp ftp-dl-archive-block: New message. Archive file transfer was blocked.
config system replacemsg ftp explicit-banner: New message. Greeting banner for explicit FTP proxy.
config system replacemsg http http-archive-block: New message. Transfer contained a blocked archive.
config system replacemsg http http-client-archive-block: New message. The user is not allowed to upload the file.
config system replacemsg http http-invalid-cert-block: New message. An invalid security certificate was detected.
config system replacemsg im im-video-chat-block: New replacement message type for blocked MSN video chats.
config system replacemsg-image: New command for FortiOS. Stores images for some replacement message pages.
config system snmp community
edit
config hosts
set ip: Changed. Now accepts IP/Netmask.
config hosts6: New. Configures IPv6 hosts.
config system snmp user
edit
set notify hosts6: New. Sets IPv6 IP addresses to which SNMP notifications (SNMP traps) are sent when events occur.
config system sp: New command. Configures offloading traffic to a FortiASIC Security Processing (SP) Module.
config system vdom-dns
set source-ip: Set allowed source IP for communications to DNS server. Part of Local-Out policy.
config system wccp
edit
set server-list: Changed. Now accepts up to four server IP addresses.
config system wireless ap-status: Command removed. Use wireless-controller ap-status.
config system wireless settings: Command removed. Use wireless-controller setting and wireless-controller wtp-profile.
config user fortitoken: New command. Registers a FortiToken device with the FortiGate unit.
config user fsso
set source-ip: Set allowed source IP for communications to FSAE server. Part of Local-Out policy.
config user ldap
edit
set filter: Field renamed to group-object-filter.
set group-member-check, set group-object-filter: New fields. Configure how group membership is determined.


config user peer
edit
set ldap-mode: New field. Selects either password or userPrincipalName authentication of the user.
config user radius
set dynamic-profile-access, set dp- options: Fields moved from system dynamic profile.
set source-ip: Set allowed source IP for communications to RADIUS server. Part of Local-Out policy.
config user setting
set auth-multi-group: New field. Can improve performance in some Active Directory configurations.
set auth-invalid-max: New field. Sets the maximum number of failed authentication attempts to allow before the client is blocked.
set auth-timeout-type: New field. Enables hard timeouts for user sessions.
config user sms-provider: New command. Configures a cell phone service provider for the FortiToken two-factor authentication SMS text message option.
config user tacacs+
set source-ip: Set allowed source IP for communications to TACACS+ server. Part of Local-Out policy.
config voip profile
edit
config sip
set ips-rtp: New field. Causes RTP traffic to inherit the IPS settings from the SIP firewall policy.
config vpn ipsec manualkey
edit
set authentication: New authentication options: SHA384 and SHA512.
config vpn ipsec manualkey-interface
edit
set auth-alg: New authentication options: SHA384 and SHA512.
config vpn ipsec phase1
edit
set auto-negotiate: New field. Enables auto-retry of phase 1 connection.
set negotiate-timeout: New field. Sets how long to wait for IPsec SA to establish.
set proposal: New authentication options: SHA384 and SHA512.
config vpn ipsec phase1-interface
edit
set auto-negotiate: New field. Enables auto-retry of phase 1 connection.
set dns-mode: New field. Selects automatic or manual assignment of DNS servers.
set negotiate-timeout: New field. Sets how long to wait for IPsec SA to establish.
set proposal: New authentication options: SHA384 and SHA512.
config vpn ssl settings
set port: New field. Configures SSL VPN port for this VDOM.


config vpn ssl web portal
edit
set allow-access citrix portforward rdpnative: New allow-access application types.
set skip-check-for-unsupported-browser: New field. Enables skipping host check on browsers that do not support it.
set skip-check-for-unsupported-os: New field. Enables skipping host check on operating systems that do not support it.
config widget
edit
set allow-apps: New application types available: citrix portforward rdpnative
config bookmarks
edit
set apptype: New application types available: citrix portforward rdpnative
set additional-params: New field. Sends additional command-line parameters to the application.
set keyboard-layout: New field. Sets keyboard layout for RDP bookmark.
set listening-port: New field. Sets listening port for portforward bookmark.
set logon-user, set logon-password: New fields. Set logon credentials for RDP bookmark.
set remote-port: New field. Sets remote port for portforward bookmark.
set screen-height: New field. Sets screen height for RDP or Native RDP bookmark.
set screen-width: New field. Sets screen width for RDP or Native RDP bookmark.
set show-status-window: New field. Enables status window for portforward bookmark.
config wanopt settings
set tunnel-ssl-algorithm: Selects encryption strength for secure tunnel.
config wanopt ssl-server
set ssl-algorithm: New field. Sets the permitted encryption algorithms for SSL sessions according to encryption strength.
config wanopt storage
set webcache-storage-percentage: New field. Sets portion of storage used for web cache.
config wanopt webcache
set explicit: Removed: Web caching can now be applied in a firewall policy.
config web-proxy explicit
set outgoing-ip: Changed. Multiple IP addresses are now accepted.
config web-proxy forward-server: New command. Configures explicit web proxy forwarding, also called proxy chaining.
config webfilter fortiguard
set request-packet-size-limit: New. Limit size of URL request packets sent to FDS server.
config webfilter ftgd-ovrd: Renamed to webfilter override.


config webfilter ftgd-ovrd-user: Renamed to webfilter override-user.
config webfilter override: Renamed from ftgd-ovrd. Extensively reorganized to simplify configuration.
config webfilter override-user: Renamed from ftgd-ovrd-user. Extensively reorganized to simplify configuration.
config webfilter profile: Extensively reorganized to simplify configuration.
config override
set profile-attribute, set profile-type: New fields. If profile type is radius, the override profile is configured based on the retrieved attribute.
config webfilter profile: Command reorganized to simplify configuration of the webfilter profile.
edit
set options {intrinsic javafilter js jscript unknown vbs wf-cookie wf-referer}: New options for web filtering of HTTP content.
config ftgd-wf
set options ftgd-disable: New option. Disables FortiGuard.
set options log-all-urls: New option. Logs all URLs even if FortiGuard disabled.
config webfilter urlfilter
edit
config entries
edit
set exempt {all | activex-java-cookie | av | dlp | filepattern | fortiguard | web-content}: New exempt options for URL filtering.
config webfilter profile
edit
set flow-based: New field. Enables flow-based web filtering.
config ftgd-wf
config filter
edit
set log: New field. Disables FortiGuard logging.
config wireless-controller global
set ac-discovery-type: New field. Sets type of controller discovery APs use.
set ac-port: New field. Sets control traffic port.
set ac-radio-type: Removed. Use band in wireless-controller wtp-profile.
set data-ethernet-II: New field. Enables use of Ethernet frame type with 802.3 data tunnel mode.
set local-radio-vdom: New field. Selects the VDOM to which the FortiWiFi unit's built-in wireless access point belongs.
set max-discoveries: New field. Sets the maximum number of Discovery Request messages per round.
set max-failed-dtls: New field. Sets the maximum number of DTLS session attempts.
set plain-control-message: Removed.


set rogue-scan-mac-adjacency: New field. Sets the maximum numeric difference between an AP's Ethernet and wireless MAC values to match for rogue detection.
config wireless-controller setting
set country: New field. Per-VDOM country selection to determine WiFi channel selection.
config wireless-controller timers
set darrp-optimize: New field. Sets interval for DARRP optimization.
set darrp-wtp-tune: New field. Sets interval for DARRP channel selection.
set rogue-ap-log: New field. Sets interval for periodic logging of rogue APs.
config wireless