FortiGate CLI Reference (pub.kb.fortinet.com)
FortiGate™ Version 4.0 CLI Reference

FortiGate CLI Reference
Version 4.0
15 April 2009
01-400-93051-20090415
© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15, CSA/CUS
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.
Contents
Introduction ........................................................................................ 15
About the FortiGate Unified Threat Management System ........................................ 15
Registering your Fortinet product............................................................................... 15
Customer service and technical support.................................................................... 16
Fortinet documentation ................................................................................................ 16
    Fortinet Tools and Documentation CD ..................................................................... 16
    Fortinet Knowledge Center ...................................................................................... 16
    Comments on Fortinet technical documentation ..................................................... 16
Conventions .................................................................................................................. 16
    IP addresses............................................................................................................. 16
    CLI constraints.......................................................................................................... 17
    Notes, Tips and Cautions ......................................................................................... 17
    Typographical conventions ....................................................................................... 17
What’s new ............................................................................................. 19
Using the CLI .......................................................................................... 29
CLI command syntax .................................................................................................... 29
Administrator access.................................................................................................... 30
Connecting to the CLI................................................................................................... 32
    Connecting to the FortiGate console ........................................................................ 32
    Setting administrative access on an interface .......................................................... 33
    Connecting to the FortiGate CLI using SSH............................................................. 33
    Connecting to the FortiGate CLI using Telnet .......................................................... 34
    Connecting to the FortiGate CLI using the web-based manager.............................. 34
CLI objects..................................................................................................................... 35
CLI command branches ............................................................................................... 35
    config branch ............................................................................................................ 36
    get branch................................................................................................................. 37
    show branch ............................................................................................................. 39
    execute branch ......................................................................................................... 40
    diagnose branch ....................................................................................................... 40
    Example command sequences................................................................................. 41
CLI basics ...................................................................................................................... 43
    Command help ......................................................................................................... 44
    Command completion............................................................................................... 44
    Recalling commands ................................................................................................ 44
    Editing commands .................................................................................................... 44
    Line continuation....................................................................................................... 45
    Command abbreviation............................................................................................. 45
    Environment variables .............................................................................................. 45
FortiGate Version 4.0 CLI Reference 01-400-93051-20090415 3 http://docs.fortinet.com/ • Feedback
    Encrypted password support .................................................................................... 45
    Entering spaces in strings......................................................................................... 46
    Entering quotation marks in strings .......................................................................... 46
    Entering a question mark (?) in a string.................................................................... 46
    International characters ............................................................................................ 46
    Special characters .................................................................................................... 46
    IP address formats.................................................................................................... 47
    Editing the configuration file...................................................................................... 47
    Setting screen paging ............................................................................................... 47
    Changing the baud rate ............................................................................................ 48
    Using Perl regular expressions................................................................................. 48
Working with virtual domains ............................................................... 51
Enabling virtual domain configuration ....................................................................... 51
Accessing commands in virtual domain configuration ............................................ 51
Creating and configuring VDOMs................................................................................ 52
    Creating a VDOM ..................................................................................................... 52
    Assigning interfaces to a VDOM............................................................................... 52
    Setting VDOM operating mode................................................................................. 52
    Changing back to NAT/Route mode......................................................................... 53
Configuring inter-VDOM routing.................................................................................. 54
Changing the management VDOM .............................................................................. 55
Creating VDOM administrators.................................................................................... 55
Troubleshooting ARP traffic on VDOMs ..................................................................... 55
    Duplicate ARP packets ............................................................................................. 55
    Multiple VDOMs solution .......................................................................................... 55
    Forward-domain solution .......................................................................................... 56
global.............................................................................................................................. 57
vdom............................................................................................................................... 60
alertemail ................................................................................................ 65
setting ............................................................................................................................ 66
antivirus .................................................................................................. 71
filepattern....................................................................................................................... 72
grayware ........................................................................................................................ 74
heuristic ......................................................................................................................... 76
quarantine...................................................................................................................... 77
quarfilepattern ............................................................................................................... 79
service............................................................................................................................ 80
application .............................................................................................. 83
list ................................................................................................................................... 84
name............................................................................................................................... 90
dlp............................................................................................................ 91
compound...................................................................................................................... 92
rule.................................................................................................................................. 93
sensor ............................................................................................................................ 97
endpoint-control..................................................................................... 99
apps-detection............................................................................................................. 100
settings ........................................................................................................................ 101
firewall................................................................................................... 103
address, address6....................................................................................................... 104
addrgrp, addrgrp6 ....................................................................................................... 106
dnstranslation ............................................................................................................. 107
interface-policy............................................................................................................ 109
interface-policy6.......................................................................................................... 111
ipmacbinding setting .................................................................................................. 112
ipmacbinding table ..................................................................................................... 114
ippool ........................................................................................................................... 116
ldb-monitor .................................................................................................................. 117
multicast-policy........................................................................................................... 119
policy, policy6 ............................................................................................................. 121
profile ........................................................................................................................... 132
    config log ................................................................................................................ 154
    config app-recognition ............................................................................................ 155
schedule onetime........................................................................................................ 159
schedule recurring...................................................................................................... 160
service custom ............................................................................................................ 162
service group............................................................................................................... 164
ssl setting .................................................................................................................... 165
traffic-shaper ............................................................................................................... 167
vip ................................................................................................................................. 168
vipgrp ........................................................................................................................... 179
gui.......................................................................................................... 181
console......................................................................................................................... 182
topology ....................................................................................................................... 183
imp2p..................................................................................................... 185
aim-user ....................................................................................................................... 186
icq-user ........................................................................................................................ 187
msn-user ...................................................................................................................... 188
old-version................................................................................................................... 189
policy............................................................................................................................ 190
yahoo-user................................................................................................................... 191
ips.......................................................................................................... 193
DoS ............................................................................................................................... 194
config limit............................................................................................................... 194
custom ......................................................................................................................... 197
decoder ........................................................................................................................ 198
global............................................................................................................................ 199
rule................................................................................................................................ 201
sensor .......................................................................................................................... 202
log.......................................................................................................... 207
custom-field................................................................................................................. 208
{disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter ................ 209
disk setting .................................................................................................................. 214
fortianalyzer setting .................................................................................................... 218
fortiguard setting ........................................................................................................ 219
memory setting ........................................................................................................... 220
memory global setting................................................................................................ 221
syslogd setting............................................................................................................ 222
webtrends setting ....................................................................................................... 224
trafficfilter .................................................................................................................... 225
router..................................................................................................... 227
access-list.................................................................................................................... 228
aspath-list .................................................................................................................... 231
auth-path...................................................................................................................... 233
bgp................................................................................................................................ 235
    config router bgp..................................................................................................... 237
    config admin-distance............................................................................................. 240
    config aggregate-address ....................................................................................... 241
    config neighbor ....................................................................................................... 241
    config network......................................................................................................... 245
    config redistribute ................................................................................................... 246
community-list............................................................................................................. 248
key-chain...................................................................................................................... 251
multicast ...................................................................................................................... 253
    Sparse mode .......................................................................................................... 253
    Dense mode ........................................................................................................... 254
    config router multicast............................................................................................. 255
    config interface ....................................................................................................... 256
    config pim-sm-global............................................................................................... 259
ospf............................................................................................................................... 263
    config router ospf .................................................................................................... 265
    config area .............................................................................................................. 267
    config distribute-list ................................................................................................. 271
    config neighbor ....................................................................................................... 271
    config network......................................................................................................... 272
    config ospf-interface ............................................................................................... 273
    config redistribute ................................................................................................... 275
    config summary-address ........................................................................................ 276
policy............................................................................................................................ 278
prefix-list ...................................................................................................................... 282
rip.................................................................................................................................. 285
    config router rip....................................................................................................... 286
    config distance........................................................................................................ 287
    config distribute-list ................................................................................................. 288
    config interface ....................................................................................................... 289
    config neighbor ....................................................................................................... 290
    config network......................................................................................................... 291
    config offset-list....................................................................................................... 291
    config redistribute ................................................................................................... 292
route-map..................................................................................................................... 294
    Using route maps with BGP.................................................................................... 295
setting .......................................................................................................................... 300
static............................................................................................................................. 301
static6........................................................................................................................... 303
spamfilter .............................................................................................. 305
bword ........................................................................................................................... 306
emailbwl ....................................................................................................................... 308
fortishield..................................................................................................................... 310
ipbwl ............................................................................................................................. 312
iptrust ........................................................................................................................... 314
mheader ....................................................................................................................... 315
options ......................................................................................................................... 317
DNSBL.......................................................................................................................... 318
system................................................................................................... 321
accprofile ..................................................................................................................... 322
admin............................................................................................................................ 326
alertemail ..................................................................................................................... 331
amc............................................................................................................................... 333
arp-table ....................................................................................................................... 334
auto-install ................................................................................................................... 335
autoupdate clientoverride .......................................................................................... 336
autoupdate override.................................................................................................... 337
autoupdate push-update ............................................................................................ 338
autoupdate schedule .................................................................................................. 339
autoupdate tunneling.................................................................................................. 341
aux ................................................................................................................................ 343
bug-report .................................................................................................................... 344
central-management ................................................................................................... 345
console......................................................................................................................... 347
dhcp reserved-address............................................................................................... 348
dhcp server.................................................................................................................. 349
dns................................................................................................................................ 352
fips-cc........................................................................................................................... 354
fortianalyzer, fortianalyzer2, fortianalyzer3 .............................................................. 355
fortiguard ..................................................................................................................... 357
fortiguard-log............................................................................................................... 362
global............................................................................................................................ 363
gre-tunnel..................................................................................................................... 373
ha .................................................................................................................................. 375
interface ....................................................................................................................... 387
ipv6-tunnel ................................................................................................................... 404
mac-address-table ...................................................................................................... 405
management-tunnel .................................................................................................... 406
modem ......................................................................................................................... 408
npu................................................................................................................................ 412
ntp................................................................................................................................. 413
proxy-arp...................................................................................................................... 414
replacemsg admin....................................................................................................... 415
replacemsg alertmail .................................................................................................. 417
replacemsg auth.......................................................................................................... 419
replacemsg ec ............................................................................................................. 423
replacemsg fortiguard-wf ........................................................................................... 424
replacemsg ftp............................................................................................................. 426
replacemsg http .......................................................................................................... 428
replacemsg im ............................................................................................................. 431
replacemsg mail .......................................................................................................... 433
replacemsg nac-quar .................................................................................................. 435
replacemsg nntp ......................................................................................................... 437
replacemsg spam........................................................................................................ 439
replacemsg sslvpn...................................................................................................... 441
resource-limits ............................................................................................................ 442
session-helper............................................................................................................. 444
session-sync ............................................................................................................... 446
Notes and limitations .............................................................................................. 447
Configuring session synchronization ...................................................................... 447
Configuring the session synchronization link.......................................................... 448
session-ttl .................................................................................................................... 452
settings ........................................................................................................................ 453
sit-tunnel ...................................................................................................................... 457
snmp community ........................................................................................................ 458
snmp sysinfo ............................................................................................................... 462
snmp user .................................................................................................................... 464
switch-interface........................................................................................................... 466
tos-based-priority........................................................................................................ 468
vdom-link ..................................................................................................................... 469
vdom-property............................................................................................................. 471
wccp ............................................................................................................................. 473
wireless ap-status ....................................................................................................... 475
wireless mac-filter....................................................................................................... 476
wireless settings ......................................................................................................... 477
zone .............................................................................................................................. 479
user........................................................................................................ 481
Configuring users for authentication........................................................................ 482
Configuring users for password authentication....................................................... 482
Configuring peers for certificate authentication ...................................................... 482
adgrp ............................................................................................................................ 483
ban................................................................................................................................ 484
fsae ............................................................................................................................... 488
group ............................................................................................................................ 490
ldap............................................................................................................................... 495
local .............................................................................................................................. 498
peer............................................................................................................................... 500
peergrp......................................................................................................................... 502
radius ........................................................................................................................... 503
settings ........................................................................................................................ 505
tacacs+......................................................................................................................... 506
vpn......................................................................................................... 507
certificate ca ................................................................................................................ 508
certificate crl................................................................................................................ 509
certificate local ............................................................................................................ 511
certificate ocsp............................................................................................................ 512
certificate remote ........................................................................................................ 513
ipsec concentrator ...................................................................................................... 514
ipsec forticlient............................................................................................................ 515
ipsec manualkey ......................................................................................................... 516
ipsec manualkey-interface ......................................................................................... 519
ipsec phase1................................................................................................................ 522
ipsec phase1-interface ............................................................................................... 530
ipsec phase2................................................................................................................ 539
ipsec phase2-interface ............................................................................................... 546
l2tp................................................................................................................................ 552
pptp .............................................................................................................................. 554
ssl monitor................................................................................................................... 556
ssl settings .................................................................................................................. 557
ssl web portal .............................................................................................................. 560
wanopt................................................................................................... 563
auth-group ................................................................................................................... 564
cache-storage.............................................................................................................. 566
iscsi .............................................................................................................................. 569
peer............................................................................................................................... 570
rule................................................................................................................................ 571
settings ........................................................................................................................ 577
ssl-server ..................................................................................................................... 578
Example: SSL offloading for a WAN optimization tunnel........................................ 579
storage ......................................................................................................................... 582
webcache ..................................................................................................................... 584
web-proxy ............................................................................................. 587
explicit.......................................................................................................................... 588
global............................................................................................................................ 589
webfilter ................................................................................................ 591
bword ........................................................................................................................... 592
exmword ...................................................................................................................... 594
fortiguard ..................................................................................................................... 596
FortiGuard-Web category blocking ......................................................................... 596
ftgd-local-cat................................................................................................................ 599
ftgd-local-rating........................................................................................................... 600
ftgd-ovrd ...................................................................................................................... 601
ftgd-ovrd-user.............................................................................................................. 603
urlfilter.......................................................................................................................... 605
execute.................................................................................................. 607
backup.......................................................................................................................... 608
batch............................................................................................................................. 611
central-mgmt ............................................................................................................... 612
cfg reload ..................................................................................................................... 613
cfg save........................................................................................................................ 614
clear system arp table ................................................................................................ 615
cli check-template-status ........................................................................................... 616
cli status-msg-only ..................................................................................................... 617
date............................................................................................................................... 618
dhcp lease-clear .......................................................................................................... 619
dhcp lease-list ............................................................................................................. 620
disconnect-admin-session......................................................................................... 621
enter ............................................................................................................................. 622
factoryreset.................................................................................................................. 623
formatlogdisk .............................................................................................................. 624
fortiguard-log update.................................................................................................. 625
fsae refresh.................................................................................................................. 626
ha disconnect .............................................................................................................. 627
ha manage ................................................................................................................... 628
ha synchronize ............................................................................................................ 629
interface dhcpclient-renew......................................................................................... 631
interface pppoe-reconnect ......................................................................................... 632
log delete-all ................................................................................................................ 633
log delete-filtered ........................................................................................................ 634
log delete-rolled .......................................................................................................... 635
log display ................................................................................................................... 636
log filter ........................................................................................................................ 637
log fortianalyzer test-connectivity............................................................................. 638
log list........................................................................................................................... 639
log roll .......................................................................................................................... 640
modem dial .................................................................................................................. 641
modem hangup ........................................................................................................... 642
modem trigger ............................................................................................................. 643
ping............................................................................................................................... 644
ping-options, ping6-options....................................................................................... 645
ping6............................................................................................................................. 647
reboot ........................................................................................................................... 648
router clear bfd............................................................................................................ 649
restore .......................................................................................................................... 650
router clear bgp........................................................................................................... 653
router clear ospf process ........................................................................................... 654
router restart................................................................................................................ 655
scsi-dev........................................................................................................................ 656
send-fds-statistics ...................................................................................................... 658
set-next-reboot ............................................................................................................ 659
sfp-mode-sgmii ........................................................................................................... 660
shutdown ..................................................................................................................... 661
ssh ................................................................................................................................ 662
telnet............................................................................................................................. 663
time............................................................................................................................... 664
traceroute..................................................................................................................... 665
update-ase ................................................................................................................... 666
update-av ..................................................................................................................... 667
update-ips .................................................................................................................... 668
update-now .................................................................................................................. 669
upd-vd-license............................................................................................................. 670
usb-disk ....................................................................................................................... 671
vpn certificate ca......................................................................................................... 672
vpn certificate crl ........................................................................................................ 674
vpn certificate local..................................................................................................... 675
vpn certificate remote................................................................................................. 678
vpn sslvpn del-tunnel ................................................................................................. 679
vpn sslvpn del-web ..................................................................................................... 680
get.......................................................................................................... 681
firewall service predefined ......................................................................................... 682
gui console status....................................................................................................... 683
gui topology status ..................................................................................................... 684
hardware status........................................................................................................... 685
ips decoder status ...................................................................................................... 686
ips rule status.............................................................................................................. 687
ipsec tunnel list ........................................................................................................... 688
router info bfd neighbor ............................................................................................. 689
router info bgp............................................................................................................. 690
router info multicast ................................................................................................... 693
router info ospf............................................................................................................ 695
router info protocols................................................................................................... 697
router info rip............................................................................................................... 698
router info routing-table ............................................................................................ 699
router info6 interface .................................................................................................. 700
router info6 routing-table ........................................................................................... 701
system admin list ........................................................................................................ 702
system admin status................................................................................................... 703
system arp ................................................................................................................... 704
system central-management...................................................................................... 705
system checksum ....................................................................................................... 706
system cmdb status.................................................................................................... 707
system dashboard ...................................................................................................... 708
system fdp-fortianalyzer............................................................................................. 709
system fortianalyzer-connectivity ............................................................................. 710
system fortiguard-log-service status ........................................................................ 711
system fortiguard-service status............................................................................... 712
system ha status ......................................................................................................... 713
About the HA cluster index and the execute ha manage command....................... 715
system info admin ssh ............................................................................................... 719
system info admin status ........................................................................................... 720
system interface physical .......................................................................................... 721
system performance status ....................................................................................... 722
system session list ..................................................................................................... 723
system session status................................................................................................ 724
system status .............................................................................................................. 725
system wireless detected-ap ..................................................................................... 726
Index...................................................................................................... 727
Introduction
This chapter introduces you to the FortiGate Unified Threat Management System and the following topics:
• About the FortiGate Unified Threat Management System
• Registering your Fortinet product
• Customer service and technical support
• Fortinet documentation
• Conventions
About the FortiGate Unified Threat Management System
The FortiGate Unified Threat Management System supports network-based deployment of application-level services, including virus protection and full-scan content filtering. FortiGate units improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.
The FortiGate unit is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.
Registering your Fortinet product
Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Center article What does Fortinet Technical Support require in order to best assist the customer?
Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Center
The Fortinet Knowledge Center provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this or any Fortinet technical document to [email protected].
Conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.
CLI constraints
CLI constraints, such as , indicate which data types or string patterns are acceptable input for a given parameter or variable value. CLI constraint conventions are described in the CLI Reference document for each product.
Notes, Tips and Cautions
Fortinet technical documentation uses the following guidance and styles for notes, tips and cautions.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Note: Also presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation
Convention: Example
Button, menu, text box, field, or check box label: From Minimum log level, select Notification.
CLI input:
config system dns
set primary
end
CLI output:
FGT-602803030703 # get system settings
comments : (null)
opmode : nat
Emphasis: HTTP connections are not secure and can be intercepted by a third party.
File content:
Firewall Authentication
You must authenticate to use this service.
Hyperlink: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry: Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation: Go to VPN > IPSEC > Auto Key (IKE).
Publication: For details, see the FortiGate Administration Guide.
What’s new
The tables below list commands which have changed since the previous release, version 3.0 MR7.
Command Change
config antivirus filepattern
set file-type New keyword. Select the type of file the file filter will search for. This was previously available on FortiCarrier units only.
set filter-type New keyword. Selects whether the file type is detected by file content or by file name extension. This was previously available on FortiCarrier units only.
config application list New command. Configures application control list entries.
config application name New command. Displays the settings for each application under application control.
config dlp compound New command. Creates compound DLP rules.
config dlp rule New command. Creates Data Leak Prevention (DLP) rules.
config dlp sensor New command. Creates a DLP sensor.
config endpoint-control New command. Configures the Endpoint Control feature.
config firewall address, address6
edit
set comment New keyword. Adds a comment
config firewall addrgrp, addrgrp6
edit
set comment New keyword. Adds a comment
config firewall interface-policy New command. Applies DoS sensors and IPS sensors to network traffic on an interface. In the web-based manager, interface policies are called DoS policies.
config firewall interface-policy6 New command. Applies IPS sensors to IPv6 network traffic on an interface.
config firewall policy, policy6
edit
set endpoint-allow-collect-sysinfo
set endpoint-check
set endpoint-restrict-check
set endpoint-redir-portal
New keywords. These keywords configure the Endpoint Control feature, which replaces the v3.0 FortiClient Check feature.
set forticlient-check
set forticlient-ra-db-outdated
set forticlient-ra-no-av
set forticlient-ra-no-fw
set forticlient-ra-notinstalled
set forticlient-ra-notlicensed
set forticlient-ra-no-wf
set forticlient-redir-portal
Keywords removed. These keywords configured the FortiClient Check feature. In FortiOS v4.0, the Endpoint Control feature replaces the FortiClient Check feature.
set gbandwidth Keyword removed. Use the guaranteed-bandwidth keyword in the new config firewall traffic-shaper command.
set groups Keyword moved to config identity-based-policy subcommand.
set identity-based enable
config identity-based-policy
edit
set groups
set logtraffic
set profile
set schedule
set service
set traffic-shaper
set traffic-shaper-reverse
New keyword. Enables identity-based policies which are defined in the new config identity-based-policy subcommand. The groups keyword defines the user groups who can use this policy. The other keywords in the subcommand have the same meaning as they do in the main config firewall policy command.
set match-vip New keyword. If enabled, the FortiGate unit checks whether DNATed traffic matches the policy, even in non-VIP policies.
set maxbandwidth Keyword removed. Use the maximum-bandwidth keyword in the new config firewall traffic-shaper command.
set session-ttl New keyword. Overrides the global timeout setting defined in config system session-ttl.
set traffic-shaper New keyword. Selects a traffic shaper defined in the new config firewall traffic-shaper command.
set traffic-shaper-reverse New keyword. Selects a traffic shaper defined in the new config firewall traffic-shaper command. This traffic shaper applies to traffic from destination to source.
set traffic-shaping Keyword removed. In FortiOS 4.0, you define traffic shapers with the new config firewall traffic-shaper command and select traffic shapers in the firewall policy using the traffic-shaper and traffic-shaper-reverse keywords.
set wccp New keyword. Enables web caching on the policy.
config firewall profile
edit
set aim
set bittorrent
set bittorrent-limit
set edonkey
set edonkey-limit
set gnutella
set gnutella-limit
set icq
set imoversizechat
set kazaa
set kazaa-limit
set msn
set p2p
set skype
set winny
set winny-limit
set yahoo
Keywords removed. In FortiOS 4.0 you define application control lists that you can select in firewall profiles. See the config application chapter.
set log-antispam-mass-mms
set log-av-endpoint-filter
set log-im
set log-p2p
set log-voip
set log-voip-violations
Keywords removed. In FortiOS 4.0, you enable logging in application control settings. See the config application chapter.
set application-list Keyword added. Sets application list to use in this profile.
set application-list-status Keyword added. Enables application control in this profile.
set dlp-sensor-table Keyword added. Selects a Data Leak Prevention sensor for this profile.
set httppostaction Keyword added. Selects action to take against HTTP uploads.
set httpsoversizelimit Keyword added. Sets maximum in-memory file size that will be scanned for files received with HTTPS protocol.
set https-deep-scan Keyword added. Enables decryption and additional scanning of the content of the HTTPS traffic.
set https-retry-count Keyword added. Sets the number of times to retry establishing an HTTPS connection.
set httpscomfortinterval Keyword added. Sets the interval between client comforting sends.
set httpscomfortamount Keyword added. Sets the number of bytes client comforting sends each time.
set imaps Keyword added. Selects actions that the FortiGate unit performs on IMAP connections.
set imapsoversizelimit Keyword added. Sets maximum in-memory file size that will be scanned for files received with IMAPS protocol.
set nac-quar-expiry Keyword added. Sets the duration of quarantine.
set nac-quar-infected Keyword added. Enables quarantine of infected hosts to banned user list.
set pop3s Keyword added. Selects actions that the FortiGate unit performs on POP3 connections.
set pop3soversizelimit Keyword added. Sets maximum in-memory file size that will be scanned for files received with POP3 protocol.
set smtps Keyword added. Selects actions that the FortiGate unit performs on SMTP connections.
set smtpsoversizelimit Keyword added. Sets maximum in-memory file size that will be scanned for files received with SMTP protocol.
config sccp Subcommand removed. See config application list command.
config simple Subcommand removed. See config application list command.
config sip Subcommand removed. See config application list command.
config app-recognition Subcommand added. Configures application recognition.
edit
set inspect-all Keyword added. Enables monitoring all ports for this protocol.
set port Keyword added. Sets port to monitor if not monitoring all ports.
config firewall service custom
edit
set comment Keyword added. Adds a comment.
config firewall service group
edit
set comment Keyword added. Adds a comment.
config firewall ssl setting New command. Configures SSL proxy settings that apply antivirus scanning, web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic.
config firewall traffic-shaper New command. Defines traffic shapers. In FortiOS 4.0, traffic shaping settings are configured in traffic shapers. In the firewall profile, you select a traffic shaper.
config firewall vip
edit
set gratuitous-arp-interval New keyword. Sets the time interval between sending ARP packets from a virtual IP address.
set http Keyword renamed to http-multiplex.
set http-multiplex Keyword renamed from http. Enables the FortiGate unit’s HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server.
set monitor New keyword. Selects the health check monitor to use to determine a virtual server’s connectivity status.
set persistence New keyword. Set connection persistence option.
set server-type New keyword. Selects the communication protocol that the virtual server uses.
set ssl Keyword renamed to ssl-mode.
set ssl-mode Keyword renamed from ssl. Sets SSL offloading option.
config realservers
edit
set client-ip New keyword. Sets the IP address of the client in the X-Forwarded-For HTTP header.
set dead-interval Removed keyword.
set max-connections New keyword. Sets the limit on the number of active connections directed to a real server.
set ping-detect Removed keyword.
set wake-interval Removed keyword.
config global application, system replacemsg ec, system replacemsg nac-quar, and system vdom-property added to global config commands. execute scsi-dev, execute sfpmode-sgmii, execute send-fsd-statistics, execute update-ase added to global commands.
config imp2p policy Default value is allow for all imp2p policy commands.
config ips DoS
config address Subcommand removed. Addresses are now specified in the DoS policy. See firewall interface-policy.
config anomaly
set quarantine New keyword. Quarantines the attacker to the banned user list.
config ips global
set algorithm New keyword. Selects the method that the IPS engine uses to determine whether traffic matches signatures.
config ips sensor
edit
config filter
edit
set quarantine New keyword. Quarantines the attacker to the banned user list.
config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
set amc-intf-bypass New keyword. Enables logging of AMC interfaces entering bypass mode.
set app-ctrl New keyword. Enables logging of application control logs.
set app-ctrl-all New keyword. Enables logging of application control log sub-categories.
set content-log New keyword. Enables log content archiving to an AMC hard disk.
set content-log-ftp New keyword. Enables FTP log content archiving.
set content-log-http New keyword. Enables HTTP log content archiving.
set content-log-imap New keyword. Enables IMAP log content archiving.
set content-log-pop3 New keyword. Enables POP3 log content archiving.
set content-log-smtp New keyword. Enables SMTP log content archiving.
set dlp New keyword. Enables logging of data leak prevention logs.
set dlp-all New keyword. Enables logging of data leak prevention subcategories.
set im Keyword removed.
set im-all Keyword removed.
set voip Keyword removed.
set voip-all Keyword removed.
set wan-opt New keyword. Enables logging of wan optimization messages.
config router setting New command. Sets a prefix list as a filter to show routes.
config system amc
set asm-cx4 New option. Support for ASM-CX4 single-width card.
set asm-fx2 New option. Support for ASM-FX2 single-width card.
config spamfilter fortishield
set reports-status New keyword. Enables storage of FortiGuard Antispam statistics on the FortiGate unit hard drive.
config system accprofile
edit
set Removed the avgrp, imp2pgrp and spamgrp options. Use the new utmgrp option instead. Also added endpoint-control-grp and wanoptgrp as options.
config system central-management Command renamed from config system fortimanager.
config system fortimanager Command renamed to config system central-management.
config system global
set admin-lockout-duration New keyword. Sets the administrator lockout duration in seconds. Lockout occurs after repeated failed login attempts.
set admin-lockout-threshold New keyword. Sets the number of failed attempts that triggers administrator lockout.
set auth-policy-exact-match New keyword. Enables requirement that traffic must match an authenticated policy for policy id in addition to IP address.
set batch-cmdb Renamed from batch_cmdb.
set batch_cmdb Renamed to batch-cmdb.
set check-protocol-header New keyword. Selects the loose or strict checking of protocol headers.
set endpoint-control-portal-port New keyword. Selects port used for endpoint control portal.
set send-pmtu-icmp New keyword. Enables sending path maximum transmission unit (PMTU) ICMP destination unreachable packets to support path MTU discovery (PMTUD).
config system interface
set gwaddr Keyword removed.
set mux-type Keyword removed.
set ips-sniffer-mode New keyword. Enables one-armed IPS on the interface.
set nontp-web-proxy New keyword. Enables web cache support for this interface.
set type Removed adsl option.
set vci Keyword removed.
set vpi Keyword removed.
set wccp New keyword. Enables Web Cache Control Protocol (WCCP) on this interface.
config system modem
set account-relation New keyword. Sets the account relationship as either equal or fallback.
set extra-init1
set extra-init2
set extra-init3
New keywords. Send extra initialization strings to the modem.
set modem-dev1
set modem-dev2
set modem-dev3
New keywords. Selects the PCMCIA wireless card or the normal interface for the modem device.
set pin-init New keyword. Configures an AT command string to set the PIN.
set wireless-custom-product-id New keyword. Configures the product ID of an installed 3G wireless PCMCIA modem.
set wireless-custom-vendor-id New keyword. Configures the vendor ID of an installed 3G wireless PCMCIA modem.
config system replacemsg ec New command. Changes the endpoint check download portal replacement message page.
config system replacemsg mail email-dlp New replacement message for email blocked because a data leak was detected.
config system replacemsg mail email-dlp-ban
New replacement messages for email blocked because a data leak was detected and the email was banned.
config system replacemsg mail email-dlp-ban-sender
New replacement messages for email blocked because the sender was banned for a data leak.
config system replacemsg mail email-dlp-subject
New replacement message for email blocked because a data leak was detected.
config system replacemsg nac-quar New command. Changes the NAC quarantine pages for data leak (DLP), denial of service (DoS), IPS, and virus detected.
config system replacemsg spam smtp-spam-ase
New replacement message for an email message that the antispam engine marked as spam.
config system replacemsg spam smtp-spam-dnsbl
New replacement message for an email message that the spam filter marked as spam because it originated from a blacklisted IP address.
config system resource-limits New command. Sets limits on global system resources, and customizes limits for particular resources.
config system settings
set p2p-rate-limit Keyword removed.
set vpn-stats-log New keyword. Enables periodic VPN log statistics for selected traffic.
set vpn-stats-period New keyword. Sets the interval in seconds for vpn-stats-log to collect VPN statistics.
config system snmp user New command. Configures an SNMP user.
config system switch-interface All FortiGate models now support this command.
config system vdom-property New command. Sets maximum and guaranteed system resource limits for the specified virtual domain (VDOM).
config system wccp New command. Configures Web Cache Communication Protocol (WCCP) settings.
config system wireless ap-status New command. Designates an access point as either “accepted” or “rogue”. This designation affects the web-based manager Rogue AP listing. For FortiWiFi models only.
config system wireless settings
set bgscan
set bgscan-idle
set bgscan-interval
New keywords. Configures background scanning for access points while the FortiWiFi unit is in AP mode.
set broadcast_ssid
set fragment_threshold
set key
set passphrase
set radius_server
set rts_threshold
set security
set ssid
Keywords removed. These keywords applied to models not supported in FortiOS 4.0. Equivalent keywords prefixed with wifi- are available in the config system interface command on FortiWiFi models.
config user ban New command. Configures Banned User List entries.
config vpn ipsec concentrator
edit
set src-check New keyword. Enables checking the source address of the phase2 selector when locating the best matching phase2 in a concentrator. The default is to check only the destination selector.
config vpn ipsec phase1
edit
set dpd Default changed to enable.
set nattraversal Default changed to enable.
set proposal Default changed to aes128-sha1 3des-sha1.
config vpn ipsec phase1-interface
edit
set pfs Default changed to enable.
set nattraversal Default changed to enable.
set proposal Default changed to aes128-sha1 3des-sha1.
config vpn ipsec phase2
edit
set add-route New keyword. Enables routes to be propagated to routing peers over a dynamic routing protocol (RIP, OSPF, or BGP).
set pfs Default changed to enable.
set proposal Default changed to aes128-sha1 3des-sha1.
set replay Default changed to enable.
config vpn ipsec phase2-interface
edit
set dhcp-ipsec New keyword. Enables assignment of IP addresses to dialup clients using DHCP over IPsec.
set pfs Default changed to enable.
set proposal Default changed to aes128-sha1 3des-sha1.
set replay Default changed to enable.
config vpn pptp
set ip-mode New keyword. Enables assignment of PPTP client IP addresses according to PPTP user group. The default mode is to select an IP address from the pre-configured IP address range.
set local-ip New keyword. Sets the FortiGate unit PPTP gateway IP address.
config vpn ssl web portal New command. Configures an SSL VPN web portal.
config vdom Added application, dlp, config endpoint-control, firewall interface-policy, firewall traffic-shape, system ipv6-tunnel, system modem, system wccp to VDOM config commands. Added execute interface, execute modem dial, execute modem hangup, execute ping6-options, execute sfp-mode-sgmii, and execute ssh to VDOM execute commands.
config wanopt ... New commands. Configure WAN Optimization.
config web-proxy explicit New command. Configures an explicit web proxy.
config web-proxy global New command. Configures global web-proxy settings.
execute backup ftp ... Added the ability to back up all logs and individual log types to FTP servers as well as TFTP servers.
execute ha synchronize ase New command. Synchronizes the antispam engine and antispam rule sets.
execute log delete-rolled app-ctrl ...
execute log delete-rolled dlp ...
Added Application control (app-ctrl) and Data leak prevention (dlp) log categories.
execute log filter category app-ctrl ...
execute log filter category dlp ...
Added Application control (app-ctrl) and Data leak prevention (dlp) log categories.
execute log list app-ctrl
execute log list dlp
Added Application control (app-ctrl) and Data leak prevention (dlp) log categories.
execute router clear bfd ase ftp ...
execute router clear bfd ase tftp ...
Restore the antispam engine from an ftp or tftp server.
execute scsi-dev ... New commands. Change the SCSI device configuration as part of WAN optimization.
execute update-ase New command. Manually initiates an antispam engine and rules update.
get router info6 interface New command. Lists information about IPv6 interfaces.
get router info6 routing-table New command. Lists the routes in the IPv6 routing table.
get system fdp-fortianalyzer New command. Lists the serial number of the FortiAnalyzer unit you use for logging.
get system interface physical New command. Lists information about the unit’s physical network interfaces.
get system wireless detected-ap Lists the detected access points. For WiFi models only.
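The config system global admin-lockout entries and the config vpn ipsec phase1/phase2 default changes listed in the table above are the settings an operator is most likely to want to verify after upgrading: a lockout threshold that is set and a lockout duration that is long enough limit credential guessing against the administrative interface, and the new enable defaults for dpd, nattraversal, pfs and replay only protect a tunnel if no entry turns them back off. The Python script below is added here as an example; it is not code from the reference or from FortiOS. It parses a configuration dump in the CLI's config / edit / set / next / end format and reports entries that disable the new defaults, keep a DES or 3DES proposal, or leave the lockout keywords unset. The sample configuration, the flattened path names such as "vpn ipsec phase1/branch-a", and the audit policy (at most 3 attempts, at least a 60 second lockout, no DES or 3DES cipher) are this example's own constructions; applying the phase1 checks to phase1-interface entries, and the phase2 checks to phase2-interface entries, is likewise the example's assumption.

```python
"""Audit a FortiOS 4.0-style configuration dump for two groups of settings
this chapter introduces or changes: the administrator lockout keywords in
config system global, and the IPsec phase1/phase2 defaults (dpd,
nattraversal, pfs, replay, proposal).

The sample configuration below is constructed for this example. The audit
policy (threshold at most 3 attempts, lockout at least 60 seconds, no DES or
3DES cipher in any proposal) is this example's own choice, not a value taken
from the reference."""
import shlex
from typing import Dict, List, Optional

Section = Dict[str, List[str]]  # keyword -> list of values

# Constructed sample in the FortiOS CLI config format (config / edit / set / next / end).
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
    set hostname "FGT-example"
end
config vpn ipsec phase1
    edit "branch-a"
        set dpd disable
        set nattraversal enable
        set proposal aes128-sha1 3des-sha1
    next
    edit "branch-b"
        set proposal aes256-sha1
    next
end
config vpn ipsec phase2
    edit "branch-a-p2"
        set phase1name "branch-a"
        set pfs enable
        set replay disable
        set proposal aes128-sha1 3des-sha1
    next
end
"""

WEAK_CIPHERS = {"des", "3des"}  # audit policy of this example
PHASE1_KINDS = ("vpn ipsec phase1", "vpn ipsec phase1-interface")
PHASE2_KINDS = ("vpn ipsec phase2", "vpn ipsec phase2-interface")


def parse_fortios_config(text: str) -> Dict[str, Section]:
    """Flatten a config dump into {"path": {keyword: [values]}}.

    The path is the config command with any edit name appended, for example
    "system global" or "vpn ipsec phase1/branch-a". shlex unquotes values, so
    quoted names containing spaces survive."""
    sections: Dict[str, Section] = {}
    stack: List[str] = []  # open config commands and edit names
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] in ("config", "edit"):
            stack.append(" ".join(words[1:]))
        elif words[0] in ("next", "end"):
            if stack:
                stack.pop()
        elif words[0] == "set" and len(words) >= 2:
            sections.setdefault("/".join(stack), {})[words[1]] = words[2:]
    return sections


def _int_setting(section: Section, key: str) -> Optional[int]:
    values = section.get(key)
    return int(values[0]) if values and values[0].isdigit() else None


def _expect_enabled(path: str, settings: Section, keys, findings: List[str]) -> None:
    # An absent keyword is treated as the FortiOS 4.0 default (enable) this chapter describes.
    for key in keys:
        value = (settings.get(key) or ["enable"])[0]
        if value != "enable":
            findings.append(f"{path}: {key} is {value}, expected enable")


def _weak_proposals(settings: Section) -> List[str]:
    # Proposal tokens look like aes128-sha1 or 3des-sha1; the cipher is the first part.
    return [p for p in settings.get("proposal", []) if p.split("-")[0] in WEAK_CIPHERS]


def audit(sections: Dict[str, Section]) -> List[str]:
    """Return one finding string per setting that violates the example's policy."""
    findings: List[str] = []
    glob = sections.get("system global", {})
    threshold = _int_setting(glob, "admin-lockout-threshold")
    duration = _int_setting(glob, "admin-lockout-duration")
    if threshold is None or threshold > 3:
        findings.append("system global: admin-lockout-threshold missing or above 3")
    if duration is None or duration < 60:
        findings.append("system global: admin-lockout-duration missing or below 60 seconds")
    for path, settings in sections.items():
        kind = path.split("/")[0]
        if kind in PHASE1_KINDS:
            _expect_enabled(path, settings, ("dpd", "nattraversal"), findings)
        elif kind in PHASE2_KINDS:
            _expect_enabled(path, settings, ("pfs", "replay"), findings)
        else:
            continue
        for weak in _weak_proposals(settings):
            findings.append(f"{path}: proposal {weak} uses a weak cipher")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the constructed sample, the audit reports the disabled dpd and replay settings and the two 3des-sha1 proposals, and passes the lockout settings. Because a FortiOS `show` dump normally omits keywords left at their defaults, the script treats an absent dpd, nattraversal, pfs or replay keyword as the 4.0 default (enable) listed above; if the dump came from a unit still on the 3.0 defaults, check the explicit values instead of relying on that assumption.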
Using the CLI

This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.

This chapter describes:
• CLI command syntax
• Administrator access
• Connecting to the CLI
• CLI objects
• CLI command branches
• CLI basics

CLI command syntax

This guide uses the following conventions to describe command syntax.
• Angle brackets < > to indicate variables.

For example:
execute restore config

You enter:
execute restore config myfile.bak

indicates a dotted decimal IPv4 address. indicates a dotted decimal IPv4 netmask. indicates a dotted decimal IPv4 address followed by a dotted decimal IPv4