fortigate-cli-52 (1)
TRANSCRIPT
8/10/2019 fortigate-cli-52 (1)
1/1092
FortiOS
CLI Reference for FortiOS 5.2
FortiOS CLI Reference for FortiOS 5.2
August 14, 2014
01-520-99686-20140814
Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Technical Documentation docs.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback [email protected]
Contents
Introduction..................................................................................................... 19
How this guide is organized............................................................................. 19
Availability of commands and options............................................................. 19
Managing Firmware with the FortiGate BIOS.............................................. 20
Accessing the BIOS ............................................................................................... 20
Navigating the menu........................................................................................ 20
Loading firmware ................................................................................................... 21
Configuring TFTP parameters.......................................................................... 21
Initiating TFTP firmware transfer...................................................................... 22
Booting the backup firmware ................................................................................ 22
What's new...................................................................................................... 23
antivirus........................................................................................................... 30
heuristic ................................................................................................................. 31
mms-checksum..................................................................................................... 32
notification ............................................................................................................. 33
profile ..................................................................................................................... 34
config {http | https | ftp | ftps | imap | imaps | mapi | pop3 | pop3s | smb | smtp | smtps | nntp}.................................................................................................. 35
config nac-quar................................................................................................ 36
quarantine.............................................................................................................. 37
service.................................................................................................................... 40
settings .................................................................................................................. 41
application....................................................................................................... 42
custom................................................................................................................... 43
list .......................................................................................................................... 44
name...................................................................................................................... 47
dlp .................................................................................................................... 48
filepattern............................................................................................................... 49
fp-doc-source........................................................................................................ 51
fp-sensitivity........................................................................................................... 53
sensor .................................................................................................................... 54
settings .................................................................................................................. 56
endpoint-control............................................................................................. 57
forticlient-registration-sync.................................................................................... 58
profile ..................................................................................................................... 59
settings .................................................................................................................. 64
Fortinet Technologies Inc. Page 4 FortiOS - CLI Reference for FortiOS 5.2
firewall ............................................................................................................. 65
address, address6 ................................................................................................. 66
addrgrp, addrgrp6 ................................................................................................. 69
auth-portal ............................................................................................................. 70
carrier-endpoint-bwl .............................................................................................. 71
carrier-endpoint-ip-filter......................................................................................... 73
central-nat.............................................................................................................. 74
dnstranslation ........................................................................................................ 75
DoS-policy, DoS-policy6 ....................................................................................... 76
gtp.......................................................................................................................... 78
identity-based-route .............................................................................................. 94
interface-policy ...................................................................................................... 95
interface-policy6 .................................................................................................... 97
ipmacbinding setting ............................................................................................. 99
ipmacbinding table .............................................................................................. 100
ippool, ippool6..................................................................................................... 101
ip-translation........................................................................................................ 103
ipv6-eh-filter......................................................................................................... 104
ldb-monitor .......................................................................................................... 105
local-in-policy, local-in-policy6............................................................................ 107
mms-profile.......................................................................................................... 108
config dupe {mm1 | mm4}.............................................................................. 115
config flood {mm1 | mm4}.............................................................................. 117
config log ....................................................................................................... 118
config notification {alert-dupe-1 | alert-flood-1 | mm1 | mm3 | mm4 | mm7}. 118config notif-msisdn ........................................................................................ 122
multicast-address ................................................................................................ 123
multicast-policy ................................................................................................... 125
policy, policy6...................................................................................................... 127
policy46, policy64 ................................................................................................ 143
profile-group ........................................................................................................ 145
profile-protocol-options....................................................................................... 147
config http...................................................................................................... 149
config ftp........................................................................................................ 150
config dns ...................................................................................................... 151
config imap .................................................................................................... 151
config mapi .................................................................................................... 152
config pop3.................................................................................................... 152
config smtp .................................................................................................... 153
config nntp..................................................................................................... 154
config mail-signature ..................................................................................... 155
schedule onetime................................................................................................. 156
schedule recurring ............................................................................................... 157
schedule group.................................................................................................... 158
service category................................................................................................... 159
service custom..................................................................................................... 160
service group ....................................................................................................... 164
shaper per-ip-shaper........................................................................................... 165
shaper traffic-shaper ........................................................................................... 167
sniffer ................................................................................................................... 168
sniff-interface-policy............................................................................................ 171
sniff-interface-policy6 .......................................................................................... 174
ssl setting............................................................................................................. 177
ssl-ssh-profile ...................................................................................................... 178
config {ftps | https | imaps | pop3s | smtps} .................................................. 179
config ssl........................................................................................................ 180
config ssl-exempt .......................................................................................... 180
config ssl-server............................................................................................. 180
ttl-policy ............................................................................................................... 182
vip ........................................................................................................................ 183
vip46 .................................................................................................................... 203
vip6 ...................................................................................................................... 205
vip64 .................................................................................................................... 207
vipgrp................................................................................................................... 209
vipgrp46............................................................................................................... 210
vipgrp64............................................................................................................... 211
ftp-proxy........................................................................................................ 212
explicit.................................................................................................................. 213
gui .................................................................................................................. 214
console ................................................................................................................ 215
icap ................................................................................................................ 216
profile ................................................................................................................... 217
server ................................................................................................................... 218
ips .................................................................................................................. 219
custom................................................................................................................. 220
decoder................................................................................................................ 221
global ................................................................................................................... 222
rule ....................................................................................................................... 224
sensor .................................................................................................................. 225
setting.................................................................................................................. 230
log .................................................................................................................. 231
custom-field......................................................................................................... 232
{disk | fortianalyzer | fortianalyzer2 | fortianalyzer3 | memory | syslogd | syslogd2 | syslogd3 | webtrends | fortiguard} filter ............................................................. 233
disk setting........................................................................................................... 237
eventfilter ............................................................................................................. 241
{fortianalyzer | syslogd} override-filter ................................................................. 242
fortianalyzer override-setting ............................................................................... 243
{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting .......................................... 244
fortiguard setting.................................................................................................. 247
gui-display ........................................................................................................... 248
memory setting.................................................................................................... 249
memory global-setting......................................................................................... 250
setting.................................................................................................................. 251
syslogd override-setting ...................................................................................... 253
{syslogd | syslogd2 | syslogd3} setting................................................................ 255
threat-weight........................................................................................................ 257
webtrends setting ................................................................................................ 259
netscan.......................................................................................................... 260
assets................................................................................................................... 261
settings ................................................................................................................ 263
pbx ................................................................................................................. 265
dialplan ................................................................................................................ 266
did........................................................................................................................ 268
extension ............................................................................................................. 269
global ................................................................................................................... 271
ringgrp.................................................................................................................. 273
voice-menu .......................................................................................................... 274
sip-trunk............................................................................................................... 275
report ............................................................................................................. 277
chart..................................................................................................................... 278
dataset................................................................................................................. 283
layout ................................................................................................................... 284
style...................................................................................................................... 289
summary .............................................................................................................. 293
theme................................................................................................................... 294
router ............................................................................................................. 297
access-list, access-list6 ...................................................................................... 298
aspath-list ............................................................................................................ 300
auth-path ............................................................................................................. 301
bfd........................................................................................................................ 302
bgp....................................................................................................................... 303
config router bgp ........................................................................................... 307
config admin-distance ................................................................................... 310
config aggregate-address, config aggregate-address6 ................................ 311
config neighbor.............................................................................................. 312
config network, config network6 ................................................................... 321
config redistribute, config redistribute6......................................................... 322
community-list ..................................................................................................... 323
gwdetect.............................................................................................................. 325
isis........................................................................................................................ 326
config isis-interface........................................................................................ 330
config isis-net................................................................................................. 331
config redistribute {bgp | connected | ospf | rip | static} ................................ 331
config summary-address ............................................................................... 332
key-chain ............................................................................................................. 333
multicast .............................................................................................................. 335
Sparse mode.................................................................................................. 335
Dense mode................................................................................................... 336
config router multicast ................................................................................... 338
config interface .............................................................................................. 339
config pim-sm-global..................................................................................... 342
multicast6 ............................................................................................................ 347
multicast-flow ...................................................................................................... 348
ospf...................................................................................................................... 349
config router ospf........................................................................................... 352
config area ..................................................................................................... 354
config distribute-list ....................................................................................... 359
config neighbor .............................................................................................. 360
config network ............................................................................................... 361
config ospf-interface...................................................................................... 362
config redistribute.......................................................................................... 365
config summary-address ............................................................................... 366
ospf6.................................................................................................................... 367
policy, policy6...................................................................................................... 373
prefix-list, prefix-list6 ........................................................................................... 377
rip......................................................................................................................... 379
config router rip.............................................................................................. 380
config distance............................................................................................... 382
config distribute-list ....................................................................................... 382
config interface .............................................................................................. 383
config neighbor .............................................................................................. 385
config network ............................................................................................... 386
config offset-list ............................................................................................. 386
config redistribute.......................................................................................... 387
ripng..................................................................................................................... 388
config distance............................................................................................... 390
route-map ............................................................................................................ 394
Using route maps with BGP .......................................................................... 396
setting.................................................................................................................. 401
static .................................................................................................................... 402
static6 .................................................................................................................. 404
spamfilter ...................................................................................................... 405
bwl ....................................................................................................................... 406
bword................................................................................................................... 409
dnsbl .................................................................................................................... 411
fortishield ............................................................................................................. 413
iptrust................................................................................................................... 415
mheader............................................................................................................... 416
options................................................................................................................. 418
profile ................................................................................................................... 419
config {imap | imaps | mapi | pop3 | pop3s | smtp | smtps}........................... 421
config {gmail | msn-hotmail | yahoo-mail}...................................................... 422
switch-controller .......................................................................................... 423
managed-switch .................................................................................................. 424
vlan ...................................................................................................................... 425
system ........................................................................................................... 426
3g-modem custom .............................................................................................. 427
accprofile ............................................................................................................. 428
admin................................................................................................................... 431
amc...................................................................................................................... 440
arp-table .............................................................................................................. 441
auto-install ........................................................................................................... 442
autoupdate push-update ..................................................................................... 443
autoupdate schedule ........................................................................................... 444
autoupdate tunneling........................................................................................... 445
aux ....................................................................................................................... 446
bug-report............................................................................................................ 447
bypass ................................................................................................................. 448
central-management............................................................................................ 449
console ................................................................................................................ 451
ddns..................................................................................................................... 452
dedicated-mgmt .................................................................................................. 454
dhcp reserved-address........................................................................................ 455
dhcp server.......................................................................................................... 456
dhcp6 server........................................................................................................ 461
dns ....................................................................................................................... 463
dns-database....................................................................................................... 464
dns-server............................................................................................................ 467
elbc ...................................................................................................................... 468
email-server ......................................................................................................... 469
fips-cc .................................................................................................................. 470
fortiguard ............................................................................................................. 471
fortisandbox......................................................................................................... 476
geoip-override...................................................................................................... 477
gi-gk..................................................................................................................... 478
global ................................................................................................................... 479
gre-tunnel............................................................................................................. 498
ha ......................................................................................................................... 499
interface ............................................................................................................... 511
ipip-tunnel............................................................................................................ 539
ips-urlfilter-dns..................................................................................................... 540
ipv6-neighbor-cache............................................................................................ 541
ipv6-tunnel ........................................................................................................... 542
mac-address-table .............................................................................................. 543
modem................................................................................................................. 544
monitors............................................................................................................... 548
nat64.................................................................................................................... 550
network-visibility .................................................................................................. 551
npu....................................................................................................................... 552
ntp........................................................................................................................ 553
object-tag ............................................................................................................ 554
password-policy .................................................................................................. 555
physical-switch .................................................................................................... 556
port-pair ............................................................................................................... 557
probe-response ................................................................................................... 558
proxy-arp ............................................................................................................. 559
pstn...................................................................................................................... 560
replacemsg admin ............................................................................................... 562
replacemsg alertmail............................................................................................ 563
replacemsg auth .................................................................................................. 565
replacemsg device-detection-portal.................................................................... 569
replacemsg ec ..................................................................................................... 570
replacemsg fortiguard-wf .................................................................................... 572
replacemsg ftp..................................................................................................... 574
replacemsg http................................................................................................... 576
replacemsg im ..................................................................................................... 579
replacemsg mail................................................................................................... 581
replacemsg mm1................................................................................................. 584
replacemsg mm3................................................................................................. 587
replacemsg mm4................................................................................................. 589
replacemsg mm7................................................................................................. 591
replacemsg-group ............................................................................................... 594
replacemsg-group ............................................................................................... 596
replacemsg-image ............................................................................................... 599
replacemsg nac-quar........................................................................................... 600
replacemsg nntp.................................................................................................. 602
replacemsg spam ................................................................................................ 604
replacemsg sslvpn............................................................................................... 607
replacemsg traffic-quota ..................................................................................... 608
replacemsg utm................................................................................................... 609
replacemsg webproxy ......................................................................................... 611
resource-limits ..................................................................................................... 612
server-probe ........................................................................................................ 614
session-helper ..................................................................................................... 615
session-sync........................................................................................................ 617
session-ttl ............................................................................................................ 620
settings ................................................................................................................ 622
sit-tunnel .............................................................................................................. 628
sflow..................................................................................................................... 629
sms-server ........................................................................................................... 630
snmp community ................................................................................................. 631
snmp sysinfo........................................................................................................ 635
snmp user ............................................................................................................ 637
sp ......................................................................................................................... 640
storage................................................................................................................. 642
stp........................................................................................................................ 643
switch-interface ................................................................................................... 644
tos-based-priority ................................................................................................ 646
vdom-dns............................................................................................................. 647
vdom-link ............................................................................................................. 648
vdom-property..................................................................................................... 649
vdom-radius-server ............................................................................................. 652
vdom-sflow.......................................................................................................... 653
virtual-switch........................................................................................................ 654
wccp .................................................................................................................... 655
zone ..................................................................................................................... 658
user ................................................................................................................ 659
Configuring users for authentication.................................................................... 660
Configuring users for password authentication............................................. 660
Configuring peers for certificate authentication............................................. 660
ban....................................................................................................................... 661
device .................................................................................................................. 664
device-access-list................................................................................................ 665
device-category................................................................................................... 666
device-group........................................................................................................ 667
fortitoken.............................................................................................................. 668
fsso ...................................................................................................................... 669
fsso-polling .......................................................................................................... 671
group.................................................................................................................... 673
ldap...................................................................................................................... 677
local ..................................................................................................................... 680
password-policy .................................................................................................. 682
peer...................................................................................................................... 683
peergrp ................................................................................................................ 685
pop3..................................................................................................................... 686
radius ................................................................................................................... 687
security-exempt-list............................................................................................. 692
setting.................................................................................................................. 693
tacacs+ ................................................................................................................ 695
voip ................................................................................................................ 696
profile ................................................................................................................... 697
config sip ....................................................................................................... 699
config sccp .................................................................................................... 708
vpn ................................................................................................................. 709
certificate ca ........................................................................................................ 710
certificate crl ........................................................................................................ 711
certificate local..................................................................................................... 713
certificate ocsp-server ......................................................................................... 715
certificate remote................................................................................................. 716
certificate setting ................................................................................................. 717
ipsec concentrator............................................................................................... 718
ipsec forticlient..................................................................................................... 719
ipsec manualkey .................................................................................................. 720
ipsec manualkey-interface................................................................................... 723
ipsec phase1........................................................................................................ 726
ipsec phase1-interface ........................................................................................ 735
ipsec phase2........................................................................................................ 749
ipsec phase2-interface ........................................................................................ 756
l2tp....................................................................................................................... 765
pptp ..................................................................................................................... 767
ssl settings........................................................................................................... 769
ssl web host-check-software............................................................................... 775
ssl web portal....................................................................................................... 777
ssl web realm....................................................................................................... 785
ssl web user-bookmark ....................................................................................... 786
ssl web virtual-desktop-app-list .......................................................................... 789
wanopt........................................................................................................... 790
auth-group ........................................................................................................... 791
peer...................................................................................................................... 792
profile ................................................................................................................... 793
settings ................................................................................................................ 797
ssl-server ............................................................................................................. 798
storage................................................................................................................. 801
webcache ............................................................................................................ 802
config cache-exemption-list .......................................................................... 804
webfilter......................................................................................................... 805
content................................................................................................................. 806
content-header .................................................................................................... 808
fortiguard ............................................................................................................. 809
ftgd-local-cat ....................................................................................................... 811
ftgd-local-rating ................................................................................................... 812
ftgd-warning ........................................................................................................ 813
ips-urlfilter-cache-setting..................................................................................... 815
ips-urlfilter-setting................................................................................................ 816
override ................................................................................................................ 817
override-user........................................................................................................ 818
profile ................................................................................................................... 820
config ftgd-wf................................................................................................. 824
config override ............................................................................................... 826
config quota................................................................................................... 826
config web ..................................................................................................... 827
search-engine ...................................................................................................... 828
urlfilter .................................................................................................................. 829
web-proxy ..................................................................................................... 831
explicit.................................................................................................................. 832
forward-server ..................................................................................................... 836
forward-server-group........................................................................................... 837
global ................................................................................................................... 838
url-match.............................................................................................................. 840
wireless-controller ....................................................................................... 841
ap-status.............................................................................................................. 842
global ................................................................................................................... 843
setting.................................................................................................................. 844
timers................................................................................................................... 845
vap ....................................................................................................................... 846
wids-profile .......................................................................................................... 851
wtp ....................................................................................................................... 854
wtp-profile............................................................................................................ 858
execute.......................................................................................................... 864
backup................................................................................................................. 865
batch.................................................................................................................... 868
bypass-mode....................................................................................................... 869
carrier-license ...................................................................................................... 870
central-mgmt ....................................................................................................... 871
cfg reload............................................................................................................. 872
cfg save ............................................................................................................... 873
clear system arp table ......................................................................................... 874
cli check-template-status .................................................................................... 875
cli status-msg-only .............................................................................................. 876
client-reputation................................................................................................... 877
date...................................................................................................................... 878
disk ...................................................................................................................... 879
disk raid ............................................................................................................... 880
dhcp lease-clear .................................................................................................. 881
dhcp lease-list ..................................................................................................... 882
disconnect-admin-session .................................................................................. 883
enter..................................................................................................................... 884
erase-disk ............................................................................................................ 885
factoryreset.......................................................................................................... 886
factoryreset2........................................................................................................ 887
formatlogdisk....................................................................................................... 888
forticarrier-license................................................................................................ 889
forticlient .............................................................................................................. 890
FortiClient-NAC.................................................................................................... 891
fortiguard-log....................................................................................................... 892
fortisandbox test-connectivity ............................................................................. 893
fortitoken.............................................................................................................. 894
fortitoken-mobile.................................................................................................. 895
fsso refresh .......................................................................................................... 896
ha disconnect ...................................................................................................... 897
ha ignore-hardware-revision................................................................................ 898
ha manage ........................................................................................................... 899
ha synchronize..................................................................................................... 900
interface dhcpclient-renew.................................................................................. 901
interface pppoe-reconnect .................................................................................. 902
log client-reputation-report.................................................................................. 903
log convert-oldlogs.............................................................................................. 904
log delete-all ........................................................................................................ 905
log delete-oldlogs ................................................................................................ 906
log detail .............................................................................................................. 907
log display............................................................................................................ 908
log filter ................................................................................................................ 909
log fortianalyzer test-connectivity........................................................................ 910
log list................................................................................................................... 911
log rebuild-sqldb.................................................................................................. 912
log recreate-sqldb ............................................................................................... 913
log-report reset .................................................................................................... 914
log roll .................................................................................................................. 915
log upload-progress ............................................................................................ 916
modem dial .......................................................................................................... 917
modem hangup.................................................................................................... 918
modem trigger ..................................................................................................... 919
mrouter clear........................................................................................................ 920
netscan ................................................................................................................ 921
pbx....................................................................................................................... 922
ping...................................................................................................................... 924
ping-options, ping6-options ................................................................................ 925
ping6.................................................................................................................... 927
policy-packet-capture delete-all.......................................................................... 928
reboot .................................................................................................................. 929
report ................................................................................................................... 930
report-config reset ............................................................................................... 931
restore.................................................................................................................. 932
revision................................................................................................................. 936
router clear bfd session ....................................................................................... 937
router clear bgp ................................................................................................... 938
router clear ospf process
router restart
send-fds-statistics
set system session filter
set-next-reboot
sfp-mode-sgmii
shutdown
ssh
sync-session
tac report
telnet
time
traceroute
tracert6
update-av
update-geo-ip
update-ips
update-now
update-src-vis
upd-vd-license
upload
usb-device
usb-disk
vpn certificate ca
vpn certificate crl
vpn certificate local export
vpn certificate local generate
vpn certificate local import
vpn certificate remote
vpn ipsec tunnel down
vpn ipsec tunnel up
vpn sslvpn del-all
vpn sslvpn del-tunnel
vpn sslvpn del-web
vpn sslvpn list
webfilter quota-reset
wireless-controller delete-wtp-image
wireless-controller list-wtp-image
wireless-controller reset-wtp
wireless-controller restart-acd
user adgrp
vpn ike gateway
vpn ipsec tunnel details
vpn ipsec tunnel name
vpn ipsec stats crypto
vpn ipsec stats tunnel
vpn ssl monitor
vpn status l2tp
vpn status pptp
vpn status ssl
webfilter ftgd-statistics
webfilter status
wireless-controller rf-analysis
wireless-controller scan
wireless-controller status
wireless-controller vap-status
wireless-controller wlchanlistlic
wireless-controller wtp-status
tree
Introduction
This document describes FortiOS 5.2 CLI commands used to configure and manage a FortiGate unit from the command line interface (CLI).
How this guide is organized
Most of the chapters in this document describe the commands for each configuration branch of the FortiOS CLI. The command branches and commands are in alphabetical order.
This document also contains the following sections:
"Managing Firmware with the FortiGate BIOS" describes how to change firmware at the console during FortiGate unit boot-up.
"What's new" describes changes to the 5.2 CLI.
config chapters describe the config commands.
execute describes execute commands.
get describes get commands.
tree describes the tree command.
Availability of commands and options
Some FortiOS CLI commands and options are not available on all FortiGate units. The CLI displays an error message if you attempt to enter a command or option that is not available. You can use the question mark (?) to verify the commands and options that are available.
Commands and options may not be available for the following reasons:
FortiGate model. Not all commands are available on all FortiGate models. For example, low-end FortiGate models do not support the aggregate interface type option of the config system interface command.
Hardware configuration. For example, some AMC module commands are only available when an AMC module is installed.
FortiOS Carrier, FortiGate Voice, FortiWiFi etc. Commands for extended functionality are not available on all FortiGate models. The CLI Reference includes commands only available for FortiWiFi units, FortiOS Carrier, and FortiGate Voice units.
Managing Firmware with the FortiGate BIOS
FortiGate units are shipped with firmware installed. Usually firmware upgrades are performed through the web-based manager or by using the CLI execute restore command. From the console, you can also interrupt the FortiGate unit's boot-up process to load firmware using the BIOS firmware that is a permanent part of the unit.
Using the BIOS, you can:
view system information
format the boot device
load firmware and reboot (see "Loading firmware" on page 21)
reboot the FortiGate unit from the backup firmware, which then becomes the default firmware (see "Booting the backup firmware" on page 22)
Accessing the BIOS
The BIOS menu is available only through direct connection to the FortiGate unit's Console port. During boot-up, "Press any key" appears briefly. If you press any keyboard key at this time, boot-up is suspended and the BIOS menu appears. If you are too late, the boot-up process continues as usual.
Navigating the menu
The main BIOS menu looks like this:
[C]: Configure TFTP parameters
[R]: Review TFTP paramters
[T]: Initiate TFTP firmware transfer
[F]: Format boot device
[Q]: Quit menu and continue to boot
[I]: System Information
[B]: Boot with backup firmare and set as default
[Q]: Quit menu and continue to boot
[H]: Display this list of options
Enter C,R,T,F,I,B,Q,or H:
Typing the bracketed letter selects the option. Input is case-sensitive. Most options present a submenu. An option value in square brackets at the end of the "Enter" line is the default value, which you can enter simply by pressing Return. For example:
Enter image download port number [WAN1]:
In most menus, typing H re-lists the menu options and typing Q returns to the previous menu.
Loading firmware
The BIOS can download firmware from a TFTP server that is reachable from a FortiGate unit network interface. You need to know the IP address of the server and the name of the firmware file to download.
The downloaded firmware can be saved as either the default or backup firmware. It is also possible to boot the downloaded firmware without saving it.
Configuring TFTP parameters
Starting from the main BIOS menu
[C]: Configure TFTP parameters.
Selecting the VLAN (if VLANs are used)
[V]: Set local VLAN ID.
Choose port and whether to use DHCP
[P]: Set firmware download port.
The options listed depend on the FortiGate model. Choose the network interface through which the TFTP server can be reached. For example:
[0]: Any of port 1 - 7
[1]: WAN1
[2]: WAN2
Enter image download port number [WAN1]:
[D]: Set DHCP mode.
Please select DHCP setting
[1]: Enable DHCP
[2]: Disable DHCP
If there is a DHCP server on the network, select [1]. This simplifies configuration.
Otherwise, select [2].
Non-DHCP steps
[I]: Set local IP address.
Enter local IP address [192.168.1.188]:
This is a temporary IP address for the FortiGate unit network interface. Use a unique address on the same subnet to which the network interface connects.
[S]: Set local subnet mask.
Enter local subnet mask [255.255.252.0]:
[G]: Set local gateway.
The local gateway IP address is needed if the TFTP server is on a different subnet than the one to which the FortiGate unit is connected.
TFTP and filename
[T]: Set remote TFTP server IP address.
Enter remote TFTP server IP address [192.168.1.145]:
[F]: Set firmware file name.
Enter firmware file name [image.out]:
Enter [Q] to return to the main menu.
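A pre-flight check for the non-DHCP settings above, run on the administrator's workstation before opening the console session. This is an added example, not part of the Fortinet guide or a Fortinet tool; the function name plan_bios_tftp and the sample addresses other than the prompt defaults are assumptions made for illustration.

```python
import ipaddress


def plan_bios_tftp(local_ip, netmask, tftp_ip, gateway=None, filename="image.out"):
    """Check static (non-DHCP) BIOS TFTP settings; return findings and menu entries.

    Hypothetical helper written for this example; not a Fortinet tool.
    """
    iface = ipaddress.IPv4Interface(f"{local_ip}/{netmask}")  # raises on a bad mask
    net = iface.network
    server = ipaddress.IPv4Address(tftp_ip)
    problems = []

    # [I] must be a usable, unique host address on the connected subnet.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if iface.ip == server:
        problems.append("local IP address equals the TFTP server address")

    # [G] is needed only when the TFTP server is on a different subnet.
    needs_gateway = server not in net
    gw = ipaddress.IPv4Address(gateway) if gateway else None
    if needs_gateway and gw is None:
        problems.append(f"{server} is outside {net}: set a local gateway with [G]")
    if gw is not None and (gw not in net or gw == iface.ip):
        problems.append(f"gateway {gw} must be another host on {net}")

    if not filename.strip():
        problems.append("firmware file name is empty")

    # Menu letters in the order the guide walks through them.
    steps = [("I", str(iface.ip)), ("S", str(net.netmask))]
    if needs_gateway and gw is not None:
        steps.append(("G", str(gw)))
    steps += [("T", str(server)), ("F", filename)]
    return {"network": str(net), "needs_gateway": needs_gateway,
            "problems": problems, "steps": steps}


if __name__ == "__main__":
    # Constructed cases. The first uses the default values shown in the prompts above.
    cases = [
        ("192.168.1.188", "255.255.252.0", "192.168.1.145", None),
        ("192.168.1.188", "255.255.252.0", "192.168.3.10", None),   # still on the /22
        ("192.168.1.188", "255.255.252.0", "10.0.0.5", None),       # off-subnet, no gateway
        ("192.168.1.188", "255.255.252.0", "10.0.0.5", "192.168.0.1"),
    ]
    for local_ip, mask, server, gw in cases:
        plan = plan_bios_tftp(local_ip, mask, server, gw)
        print(f"server {server} via {plan['network']}: "
              f"gateway needed={plan['needs_gateway']}")
        for issue in plan["problems"]:
            print("  PROBLEM:", issue)
        for key, value in plan["steps"]:
            print(f"  [{key}] {value}")
```

With the default mask 255.255.252.0 the connected subnet is a /22, so a server at 192.168.3.10 is reachable without [G] even though its third octet differs from the local address.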
Initiating TFTP firmware transfer
Starting from the main BIOS menu
[T]: Initiate TFTP firmware transfer.
Please connect TFTP server to Ethernet port 'WAN1'.
MAC: 00:09:0f:b5:55:28
Connect to tftp server 192.168.1.145 ...
##########################################################
Image Received.
Checking image... OK
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]?
After you choose any option, the FortiGate unit reboots. If you choose [D] or [B], there is first a pause while the firmware is copied:
Programming the boot device now.................................................................
................................................................
Booting the backup firmware
You can reboot the FortiGate unit from the backup firmware, which then becomes the default firmware.
Starting from the main BIOS menu
[B]: Boot with backup firmware and set as default.
If the boot device contains backup firmware, the FortiGate unit reboots. Otherwise the unit responds:
Failed to mount filesystem. . .
Mount back up partition failed.
Back up image open failed.
Press Y or y to boot default image.
What's new
The FortiGate CLI Reference for FortiOS 5.2 is a dictionary of FortiOS CLI commands defining each command and its options, ranges, defaults and dependencies. The CLI Reference now includes FortiOS Carrier commands and future versions will include FortiGate Voice commands.
The table below lists the CLI commands and options in FortiOS 5.2 that have changed since the last major release of FortiOS.
Command Change
config antivirus profile
edit
config im Option removed.
set block-botnet-connections Option removed. See scan-botnet-connections.
set extended-utm-log Field removed.
set scan-botnet-connections New field. Enables monitoring or blocking of botnet communication.
config antivirus quarantine
set drop-heuristic im Option removed.
set drop-infected im Option removed.
set store-heuristic im Option removed.
set store-infected im Option removed.
config application list
edit
config entries
edit
set block-audio Field removed.
set block-encrypt Field removed.
set block-file Field removed.
set block-im Field removed.
set block-long-chat Field removed.
set block-photo Field removed.
set im-no-content-summary Field removed.
set imoversizechat Field removed.
set log Field removed.
config client-reputation profile Renamed to config log threat-weight.
config dlp sensor
edit
set full-archive-proto aim icq msn yahoo Options removed.
set summary-proto aim icq msn yahoo Options removed.
config filter
edit
set proto aim icq msn yahoo Options removed.
set name
set severity
Fields added.
config endpoint-control profile
edit
config forticlient-winmac-settings
set auto-vpn-when-off-net
set auto-vpn-name
New fields. Enable automatic connection to a VPN when the endpoint is not directly connected to the FortiGate network.
set client-log-when-on-net New field. Enables client-based logging when on-net.
config firewall address, address6
edit
set type url New option. Creates URL address for explicit proxy.
config firewall deep-inspection-options Renamed to config firewall ssl-ssh-profile and re-organized.
config firewall gtp
edit
set gtpu-denied-log New field. Enables logging of denied GTP-U packets.
set gtpu-forwarded-log New field. Enables logging of forwarded GTP-U packets.
set gtpu-log-freq New field. Sets logging rate in packets per log entry.
config firewall ldb-monitor
edit
set http-max-redirects New field. Sets maximum number of HTTP redirects allowed.
config firewall policy, policy6
set captive-portal-exempt New field. Exempts users of this policy from the interface captive portal.
set identity-based
set identity-from
set fall-through-unauthenticated
set log-unmatched-traffic
set device-detection-portal
set email-collection-portal
set forticlient-compliance-enforcement-portal
set forticlient-compliance-devices
Fields removed.
set deep-inspection-options Field renamed to ssl-ssh-profile.
set devices
set endpoint-compliance
set groups
set users
Fields moved from config identity-based-policy.
config identity-based policy Subcommand removed.
set ssl-ssh-profile Field renamed from deep-inspection-options. The only profiles now are certificate-inspection and deep-inspection.
config system accprofile
edit
set loggrp-permission custom
config loggrp-permission
set threat-weight New field. Sets threat-weight log access.
config system dhcp server
edit
set forticlient-on-net-status New field. Enables sending FortiGate serial number to endpoint devices to check on-net status.
config system global
set auth-policy-exact-match Field removed.
set gui-client-reputation Field renamed to gui-threat-weight.
set gui-threat-weight Field renamed from gui-client-reputation.
config system interface
edit
set min-links
set min-links-down
New fields. Set minimum number of working members for an aggregate interface and whether an interface taken down for too few members is down operationally or only operationally.
set security-exempt-list New field. Specifies list of devices or addresses that will bypass the captive portal.
set security-redirect-url New field. Specifies a URL for redirection after captive portal authentication.
config user pop3 New command. Configures users who authenticate on a POP3 server.
config user radius
edit
set timeout New field. Sets RADIUS authentication timeout.
config user security-exempt-list New command. Configures exempt lists for captive portals.
config vpn ipsec phase1
edit
set acct-verify New field. Enables VPN to require accounting message from RADIUS server for EAP authentication in IKEv2.
set authmethod rsa-signature Field renamed to signature.
set authmethod signature Field renamed from rsa-signature.
set certificate Field renamed from rsa-certificate.
set dhgrp New options: DH Groups 19, 20, 21.
set eap
set eap-identity
New fields. Configure EAP authentication in IKEv2.
set rsa-certificate Field renamed to certificate.
config vpn ipsec phase1-interface
edit
set acct-verify New field. Enables VPN to require accounting message from RADIUS server for EAP authentication in IKEv2.
set authmethod rsa-signature Option renamed to signature.
set authmethod signature Option renamed from rsa-signature.
set backup-gateway New field. Specifies backup gateways for IKE mode-cfg dialup VPNs.
set certificate Field renamed from rsa-certificate.
set dhgrp New options: DH Groups 19, 20, 21.
set eap
set eap-identity
New fields. Configure EAP authentication in IKEv2.
set rsa-certificate Field renamed to certificate.
config vpn ipsec phase2
edit
set dhgrp New options: DH Groups 19, 20, 21.
config vpn ipsec phase2-interface
edit
set dhgrp New options: DH Groups 19, 20, 21.
config vpn ssl settings
allow-ssl-big-buffer Field renamed to ssl-big-buffer.
allow-ssl-client-renegotiation Field renamed to ssl-client-renegotiation.
allow-ssl-insert-empty-fragment Field renamed to ssl-insert-empty-fragment.
allow-unsafe-legacy-renegotiation Field renamed to unsafe-legacy-renegotiation.
auto-tunnel-policy Field removed. No longer relevant due to other SSL VPN changes.
default-portal New field. Selects default SSL VPN portal.
source-address
source-address6
New field. Optionally limits client source address.
source-address-negate
source-address6-negate
New field. Inverts source-address selection.
source-interface New field. Sets port on which FortiGate listens for SSL VPN clients.
ssl-big-buffer Field renamed from allow-ssl-big-buffer.
ssl-client-renegotiation Field renamed from allow-ssl-client-renegotiation.
ssl-insert-empty-fragment Field renamed from allow-ssl-insert-empty-fragment.
source-interface New field. Specifies interfaces to listen on for clients.
unsafe-legacy-renegotiation Field renamed from allow-unsafe-legacy-renegotiation.
New field. Allows renegotiating clients to use a less-secure legacy method.
config wireless-controller wtp-profile
edit
set split-tunneling-acl-local-ap-subnet New field. Enables split tunneling so that traffic local to AP is not routed through WiFi controller.
config radio-1 or config radio-2
set amsdu New field. Enables AMSDU support.
set ap-handoff New field. Enables handoff of clients to other APs.
set ap-sniffer-addr
set ap-sniffer-bufsize
set ap-sniffer-chan
set ap-sniffer-ctl
set ap-sniffer-data
set ap-sniffer-mgmt-beacon
set ap-s