FortiGate CLI Reference Guide
FortiGate User Manual Volume 6
Version 2.50
30 July 2003



© Copyright 2003 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

FortiGate CLI Reference Guide Version 2.50, 30 July 2003

Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Regulatory Compliance
FCC Class A Part 15 CSA/CUS

CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

For technical support, please visit http://www.fortinet.com.

Send information about errors or omissions in this document or any Fortinet technical documentation to [email protected].


Contents

Introduction  9
  About this document  9
  Conventions  10
  Fortinet documentation  11
    Comments on Fortinet technical documentation  11
  Customer service and technical support  12

Using the CLI  13
  Access levels  13
  Connecting to the CLI  13
    Connecting to the FortiGate console  14
    Connecting to the FortiGate CLI using SSH  15
    Connecting to the FortiGate CLI using telnet  16
  CLI basics  17
    CLI command structure  17
    Navigating command branches  17
    Recalling commands  18
    Editing commands  18
    Using command shortcuts  18
    Using command help  18
    Displaying the FortiGate configuration  19
    Changing the configuration by editing the configuration file  19
    Controlling the behavior of the command line console  20
  diagnose commands  20
  Changing the FortiGate firmware  21
    Upgrade to a new firmware version  21
    Revert to a previous firmware version using the CLI  22
    Install a firmware image from a system reboot  23
    Test a new firmware image before installing it  26
    Installing and using a backup firmware image  28

set commands  33
  set alertemail configuration  34
  set alertemail setting  35
  set antivirus filepattern  36
  set antivirus quarantine  37
  set antivirus service  39
  set console  41
  set emailfilter bannedword  42
  set emailfilter blocklist  43
  set emailfilter config  44
  set emailfilter exemptlist  45
  set firewall address  46
  set firewall addrgrp  47
  set firewall dnstranslation  48
  set firewall ipmacbinding setting  49
  set firewall ipmacbinding table  50
  set firewall ippool  51
  set firewall onetimeschedule  52
  set firewall policy  53
  set firewall profile  57
  set firewall recurringschedule  61
  set firewall service custom  62
  set firewall service group  63
  set firewall vip  64
  set log policy  66
  set log setting  68
  set log trafficfilter rule  70
  set log trafficfilter setting  71
  set nids detection  72
  set nids prevention  73
  set nids rule  77
  set system admin  78
  set system autoupdate  79
  set system brctl  81
  set system dhcpserver  82
  set system dns  84
  set system ha  85
  set system hostname  88
  set system interface  89
  set system mainregpage  93
  set system management  94
  set system opmode  95
  set system option  96
  set system route number  97
  set system route policy  99
  set system route rip  101
  set system route rip filter  103
  set system route rip interface  106
  set system route rip neighbor  108
  set system route rip timers  109
  set system session_ttl  110
  set system snmp  111
  set system time  113
  set system vlan  114
  set system zone  115
  set user group  116
  set user ldap  117
  set user local  119
  set user radius  121
  set vpn ipsec concentrator  122
  set vpn ipsec manualkey  123
  set vpn ipsec phase1  125
  set vpn ipsec phase2  130
  set vpn l2tp  133
  set vpn pptp  134
  set webfilter cerberian  135
  set webfilter content  136
  set webfilter exempturl  137
  set webfilter script  138
  set webfilter url  139

unset commands  141
  unset firewall address  142
  unset firewall addrgrp  143
  unset firewall ipmacbinding  144
  unset firewall ippool  145
  unset firewall onetimeschedule  146
  unset firewall policy  147
  unset firewall profile  148
  unset firewall recurringschedule  149
  unset firewall service  150
  unset firewall vip  151
  unset log filter  152
  unset system admin  153
  unset system dhcpserver  154
  unset system hostname  155
  unset system route number  156
  unset system route policy  157
  unset system secondip  158
  unset system sessionttl  159
  unset system vlan  160
  unset system zone  161
  unset user group  162
  unset user ldap  163
  unset user local  164
  unset user radius  165
  unset vpn certificates  166
  unset vpn ipsec  167

get commands  169
  get alertemail configuration  170
  get alertemail setting  171
  get antivirus filepattern  172
  get antivirus quarantine list  173
  get antivirus quarantine settings  174
  get antivirus service  175
  get config  176
  get console  177
  get emailfilter  178
  get firewall address  179
  get firewall addrgrp  180
  get firewall dnstranslation  181
  get firewall ipmacbinding  182
  get firewall ippool  183
  get firewall profile  184
  get firewall policy  185
  get firewall schedule  186
  get firewall service  187
  get firewall vip  188
  get log elog  189
  get log logsetting  190
  get log policy  191
  get log trafficfilter  192
  get nids detection  193
  get nids prevention  194
  get nids rule  195
  get system admin  196
  get system autoupdate  197
  get system dhcpserver  198
  get system dns  199
  get system ha  200
  get system interface  201
  get system mainregpage  202
  get system management  203
  get system objver  204
  get system option  205
  get system performance  206
  get system route policy  207
  get system route rip  208
  get system route table  209
  get system serialno  210
  get system sessionttl  211
  get system snmp  212
  get system status  213
  get system time  214
  get system vlan  215
  get system zone  216
  get user  217
  get vpn certificates  218
  get vpn ipsec  219
  get vpn l2tp range  220
  get vpn pptp range  221
  get webfilter  222

execute commands  223
  execute backup  224
  execute factoryreset  225
  execute formatlogdisk  226
  execute ha manage  227
  execute ha synchronize  228
  execute ping  229
  execute ping-option  230
  execute reboot  231
  execute reload  232
  execute restore  233
  execute save config  234
  execute shutdown  235
  execute traceroute  236
  execute updatecenter updatenow  237
  execute vpn certificates ca  238
  execute vpn certificates local  239

FortiGate maximum values matrix  243

Index  245


Introduction

The FortiGate Antivirus Firewall supports network-based deployment of application-level services, including virus protection and full-scan content filtering. FortiGate units improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network.

The FortiGate unit is a dedicated, easily managed security device that delivers a full suite of capabilities that include:

• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.

The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.

About this document

This CLI Reference Guide describes how to use the FortiGate command line interface (CLI). This document contains the following chapters:

• Using the CLI describes how to connect to and use the FortiGate CLI.
• set commands is an alphabetic reference to the set commands, which are used to change the FortiGate system configuration.
• unset commands is an alphabetic reference to the unset commands, which are used to remove an entry from a table of values.
• get commands is an alphabetic reference to the get commands, which are used to display the FortiGate system configuration.
• execute commands is an alphabetic reference to the execute commands, which are used to run static commands (for example, commands to upload or download system configuration files or to check network connectivity).
• An appendix contains the FortiGate maximum values matrix that lists the limitations of each FortiGate model, such as the maximum number of firewall policies that can be added.

Note: Diagnose commands are also available from the FortiGate CLI. These commands are used to display system information and for debugging. Diagnose commands are intended for advanced users only, and they are not covered in detail in this reference guide. Contact Fortinet technical support before using these commands.


Conventions

This guide uses the following conventions to describe command syntax.

• angle brackets < > to indicate variable keywords
  For example:

  execute restore config <filename_str>

  You enter execute restore config myfile.bak

  <xxx_str> indicates an ASCII string variable.
  <xxx_integer> indicates an integer variable.
  <xxx_ip> indicates an IP address variable.
  <xxx_hex> indicates a hexadecimal variable.

• vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords
  For example:

  set system opmode {nat | transparent}

  You can enter set system opmode nat or set system opmode transparent

• square brackets [ ] to indicate that a keyword is optional
  For example:

  get firewall ipmacbinding [dhcpipmac]

  You can enter get firewall ipmacbinding or get firewall ipmacbinding dhcpipmac

• a space to separate options that can be entered in any combination and must be separated by spaces
  For example:

  set system interface internal config allowaccess {ping https ssh snmp http telnet}

  You can enter any of the following:

  set system interface internal config allowaccess ping
  set system interface internal config allowaccess ping https ssh
  set system interface internal config allowaccess https ping ssh
  set system interface internal config allowaccess snmp
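The allowaccess example above is the one in this section with a direct security consequence: it decides which management protocols an interface answers, in any combination and any order. The following Python script is an added example, not part of the FortiGate CLI Reference Guide or any Fortinet tool. It parses lines in the documented syntax, rejects keywords outside the six the manual lists (and duplicates), and flags interfaces that permit the cleartext management protocols telnet and http, or any management protocol other than ping on an interface assumed to be untrusted. The sample configuration, the treatment of an interface named external as untrusted, and the risk policy are all assumptions made for the example.

```python
"""Audit FortiGate 'allowaccess' lines for exposed management protocols.

Added example (not from the FortiGate CLI Reference Guide). It parses the
syntax documented under Conventions:

    set system interface <name> config allowaccess {ping https ssh snmp http telnet}

where the keywords may appear in any combination and any order, separated by
spaces. SAMPLE_CONFIG below is constructed for the demonstration, and the risk
ratings are this example's own policy, not Fortinet's.
"""
import re
from dataclasses import dataclass

# The six keywords the manual lists for allowaccess; anything else is a typo.
ALLOWED_KEYWORDS = {"ping", "https", "ssh", "snmp", "http", "telnet"}
# Protocols that carry admin credentials in cleartext (policy assumed here).
CLEARTEXT = {"telnet", "http"}

_LINE = re.compile(
    r"^\s*set\s+system\s+interface\s+(?P<iface>\S+)\s+config\s+allowaccess\s+"
    r"(?P<protos>.*?)\s*$"
)


@dataclass
class Finding:
    interface: str
    protocols: tuple
    problems: tuple


def parse_allowaccess(line: str):
    """Return (interface, [protocols]) for an allowaccess line, or None when
    the line is some other command. Raises ValueError on unknown or duplicated
    keywords, which would be typos in a real configuration."""
    m = _LINE.match(line)
    if not m:
        return None
    iface, protos = m.group("iface"), m.group("protos").split()
    unknown = [p for p in protos if p not in ALLOWED_KEYWORDS]
    if unknown:
        raise ValueError(f"unknown allowaccess keyword(s) on {iface}: {unknown}")
    if len(set(protos)) != len(protos):
        raise ValueError(f"duplicate allowaccess keyword on {iface}")
    return iface, protos


def audit(config_text: str, untrusted=("external",)):
    """Scan a configuration dump and return one Finding per interface that
    allows a cleartext management protocol, or any management protocol other
    than ping on an interface named in `untrusted` (assumed naming)."""
    findings = []
    for line in config_text.splitlines():
        parsed = parse_allowaccess(line)
        if parsed is None:
            continue
        iface, protos = parsed
        problems = []
        clear = sorted(CLEARTEXT & set(protos))
        if clear:
            problems.append("cleartext management: " + ", ".join(clear))
        if iface in untrusted:
            mgmt = sorted(set(protos) - {"ping"})
            if mgmt:
                problems.append(
                    "management exposed on untrusted interface: " + ", ".join(mgmt)
                )
        if problems:
            findings.append(Finding(iface, tuple(protos), tuple(problems)))
    return findings


# Constructed sample dump in the manual's command syntax (not a real device).
SAMPLE_CONFIG = """\
set system hostname FGT-LAB
set system interface internal config allowaccess https ping ssh
set system interface dmz config allowaccess ping https ssh http
set system interface external config allowaccess ping telnet
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.interface}: allowaccess {' '.join(f.protocols)}")
        for p in f.problems:
            print(f"  - {p}")
```

Run against the constructed dump, the internal interface (https, ping, ssh) produces no finding, dmz is flagged for http, and external is flagged twice, once for telnet as cleartext and once for exposing a management protocol on an untrusted interface. The parser deliberately refuses unknown keywords rather than ignoring them, so a mistyped protocol name is caught instead of silently passing the audit.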


Fortinet documentation

Information about FortiGate products is available from the following FortiGate User Manual volumes:

• Volume 1: FortiGate Installation and Configuration Guide
  Describes installation and basic configuration for the FortiGate unit. Also describes how to use FortiGate firewall policies to control traffic flow through the FortiGate unit and how to use firewall policies to apply antivirus protection, web content filtering, and email filtering to HTTP, FTP and email content passing through the FortiGate unit.

• Volume 2: FortiGate VPN Guide
  Contains in-depth information about FortiGate IPSec VPN using certificates, pre-shared keys and manual keys for encryption. Also contains basic configuration information for the Fortinet Remote VPN Client, detailed configuration information for FortiGate PPTP and L2TP VPN, and VPN configuration examples.

• Volume 3: FortiGate Content Protection Guide
  Describes how to configure antivirus protection, web content filtering, and email filtering to protect content as it passes through the FortiGate unit.

• Volume 4: FortiGate NIDS Guide
  Describes how to configure the FortiGate NIDS to detect and protect the FortiGate unit from network-based attacks.

• Volume 5: FortiGate Logging and Message Reference Guide
  Describes how to configure FortiGate logging and alert email. Also contains the FortiGate log message reference.

• Volume 6: FortiGate CLI Reference Guide
  Describes the FortiGate CLI and contains a reference to all FortiGate CLI commands.

The FortiGate online help also contains procedures for using the FortiGate web-based manager to configure and manage your FortiGate unit.

Comments on Fortinet technical documentationYou can send information about errors or omissions in this document or any Fortinet technical documentation to [email protected].


Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and modify your registration information at any time.

Fortinet email support is available from the following addresses:

[email protected] For customers in the United States, Canada, Mexico, Latin America and South America.

[email protected] For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.

[email protected] For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:

• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiGate unit serial number
• FortiGate model
• FortiGate FortiOS firmware version
• Detailed description of the problem


Using the CLI

This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings.

This chapter describes:

• Access levels
• Connecting to the CLI
• CLI basics
• diagnose commands
• Changing the FortiGate firmware

Access levels

There are three administration account access levels:

admin
Has all permissions. Can view, add, edit, and delete administrator accounts. Can view and change the FortiGate configuration. The admin user is the only user who can use execute commands and can manually update FortiGate firmware, update the antivirus definitions, update the attack definitions, download or upload system settings, restore the FortiGate to factory defaults, restart the FortiGate, and shut down the FortiGate. There is only one admin level user.

Read & Write
Can view and change the FortiGate configuration. Can view but cannot add, edit, or delete administrator accounts. Can change their own administrator account password. Administrators with read and write access can use diagnose, get, set, and unset commands.

Read Only
Can view the FortiGate configuration. Administrators with read only access can use get commands to view the FortiGate configuration.

Connecting to the CLI

There are three methods to connect to the FortiGate CLI:

• Connecting to the FortiGate console
• Connecting to the FortiGate CLI using SSH
• Connecting to the FortiGate CLI using telnet


Connecting to the FortiGate console

You require:

• A computer with an available communications port,
• A null modem cable with a 9-pin connector to connect to the FortiGate console port (RS-232 serial connection) and to a communications port on your computer,
• Terminal emulation software such as HyperTerminal for Windows.

Note: The following procedure describes how to connect to the FortiGate CLI using Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI:

1 Connect the null modem cable to the FortiGate console port and to the available communications port on your computer.

2 Make sure the FortiGate is powered on.

3 Start HyperTerminal, enter a name for the connection, select OK.

4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the null-modem cable.

5 Select OK.

6 Select the following port settings and select OK.

Bits per second   9600 (115200 for the FortiGate-300)
Data bits         8
Parity            None
Stop bits         1
Flow control      None

7 Press Enter to connect to the FortiGate CLI. A prompt similar to the following appears (shown for the FortiGate-300):

FortiGate-300 login:

8 Type a valid administrator name and press Enter.

9 Type the password for this administrator and press Enter. The following prompt appears:

Type ? for a list of commands.


Connecting to the FortiGate CLI using SSH

Secure Shell (SSH) provides strong secure authentication and secure communications to the FortiGate CLI from your internal network or the Internet. Once the FortiGate is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the FortiGate CLI.

Accepting SSH connections

To configure the FortiGate to accept SSH connections you must set management access to SSH for the FortiGate interface to which you connect with your management computer. To use the web-based manager to configure FortiGate interfaces for SSH management, see the FortiGate Installation and Configuration Guide.

The following procedure describes how to use the CLI to configure a FortiGate interface to accept SSH connections.

1 Connect and log into the CLI using the FortiGate console port and your terminal emulation software.

2 Use the following command to configure an interface to accept SSH connections:

set system interface <intf_str> config allowaccess ssh

Where <intf_str> is the name of the FortiGate interface to be configured to accept SSH connections. For example, to configure the internal interface to accept SSH connections, enter:

set system interface internal config allowaccess ssh

3 To confirm that you have configured SSH access correctly, enter the following command to view the access settings for the interface:

get system interface

The CLI displays the interface settings including the management access settings for all interfaces.

Connecting to the CLI using SSH

To connect to the CLI using SSH, you must install an SSH client. Then:

1 Start the SSH client and connect to a FortiGate interface that is configured for SSH connections. For example, if you are running the SSH client on the internal network, connect to the IP address of the FortiGate internal interface.

2 Type a valid administrator name and press Enter.

3 Type the password for this administrator and press Enter. The following prompt appears:

Type ? for a list of commands.

You have connected to the FortiGate CLI, and you can enter CLI commands.

Note: For a list of available interfaces enter set system interface a space and a ?.

Note: The FortiGate supports the following encryption algorithms for SSH access: 3DES and Blowfish.


Connecting to the FortiGate CLI using telnet

You can use telnet to connect to the FortiGate CLI from your internal network or the Internet. Once the FortiGate is configured to accept telnet connections, you can run a telnet client on your management computer and use this client to connect to the FortiGate CLI.

Accepting telnet connections

To configure the FortiGate to accept telnet connections you must set management access to telnet for the FortiGate interface to which you connect with your management computer. To use the web-based manager to configure FortiGate interfaces for telnet management, see the FortiGate Installation and Configuration Guide.

The following procedure describes how to use the CLI to configure a FortiGate interface to accept telnet connections.

1 Connect and log into the CLI using the FortiGate console port and your terminal emulation software.

2 Use the following command to configure an interface to accept telnet connections:

set system interface <intf_str> config allowaccess telnet

Where <intf_str> is the name of the FortiGate interface to be configured to accept telnet connections. For example, to configure the internal interface to accept telnet connections, enter:

set system interface internal config allowaccess telnet

3 To confirm that you have configured telnet access correctly, enter the following command to view the access settings for the interface:

get system interface

The CLI displays the interface settings including the management access settings for all interfaces.

Connecting to the CLI using telnet

To connect to the CLI using telnet, you must install a telnet client. Then:

1 Start the telnet client and connect to a FortiGate interface that is configured for telnet connections. For example, if you are running the telnet client on the internal network, connect to the IP address of the FortiGate internal interface.

2 Type a valid administrator name and press Enter.

3 Type the password for this administrator and press Enter. The following prompt appears:

Type ? for a list of commands.

You have connected to the FortiGate CLI, and you can enter CLI commands.

Note: For a list of available interfaces enter set system interface a space and a ?.
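The SSH and telnet sections above both turn on management access with the same allowaccess keyword, and telnet carries the administrator password and the whole session unencrypted. The following script is an added example (not Fortinet code and not part of this guide) that reads the allowaccess lines of a saved configuration, reports interfaces that still accept telnet or that expose a management login on an interface the operator names as untrusted, and rebuilds the set command with the cleartext service removed. The interface names and the sample configuration are constructed for the example.

```python
"""Audit the management access ('allowaccess') settings in a saved FortiGate configuration.

Added example: this is not Fortinet code and not part of the guide. It parses
lines in the CLI format the guide documents for interface management access,

    set system interface <intf_str> config allowaccess <service> [<service> ...]

and reports interfaces that accept telnet (a cleartext protocol) or that expose
any management login on an interface the operator marks as untrusted.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample of 'get config' output. Interface names and settings are
# made up for the example; they are not captured from a real unit.
SAMPLE_CONFIG = """\
set system interface internal config allowaccess ping https ssh telnet
set system interface dmz config allowaccess ping
set system interface external config allowaccess https telnet
set system option admintimeout 5
"""

# Services whose credentials and session content travel unencrypted.
CLEARTEXT_SERVICES: Set[str] = {"telnet"}
# Services that are not administrative logins; not flagged on their own.
NON_LOGIN_SERVICES: Set[str] = {"ping"}

ALLOWACCESS_RE = re.compile(
    r"^set system interface (?P<intf>\S+) config allowaccess(?P<services>(?:\s+\S+)*)\s*$"
)


def parse_allowaccess(config_text: str) -> Dict[str, Set[str]]:
    """Return {interface name: set of allowed services} from the allowaccess lines."""
    access: Dict[str, Set[str]] = {}
    for line in config_text.splitlines():
        match = ALLOWACCESS_RE.match(line.strip())
        if match:
            access[match.group("intf")] = set(match.group("services").split())
    return access


def audit(access: Dict[str, Set[str]], untrusted: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for cleartext or untrusted-side management access."""
    untrusted_set = set(untrusted)
    findings: List[Tuple[str, str]] = []
    for intf, services in sorted(access.items()):
        for svc in sorted(services & CLEARTEXT_SERVICES):
            findings.append((intf, f"cleartext management protocol '{svc}' is enabled"))
        if intf in untrusted_set:
            logins = sorted(services - NON_LOGIN_SERVICES)
            if logins:
                findings.append((intf, f"management logins {logins} are reachable from an untrusted interface"))
    return findings


def hardened_command(intf: str, services: Set[str]) -> Optional[str]:
    """Rebuild the allowaccess command without cleartext services.

    Returns None when nothing would remain, meaning management access on that
    interface should be removed entirely rather than re-set with an empty list.
    """
    kept = sorted(services - CLEARTEXT_SERVICES)
    if not kept:
        return None
    return f"set system interface {intf} config allowaccess {' '.join(kept)}"


if __name__ == "__main__":
    parsed = parse_allowaccess(SAMPLE_CONFIG)
    for intf, finding in audit(parsed, untrusted=["external"]):
        print(f"{intf}: {finding}")
        fix = hardened_command(intf, parsed[intf])
        print("  suggested:", fix or "remove all management access from this interface")
```

Feed it the output of execute backup config (or get config interface) instead of the constructed sample, and list the interfaces that face untrusted networks in the untrusted argument; the suggested command for the internal interface in the sample comes out as the https/ping/ssh form shown in the Conventions section.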


CLI basics

This section describes entering commands using the FortiGate CLI.

• CLI command structure
• Navigating command branches
• Recalling commands
• Editing commands
• Using command shortcuts
• Using command help
• Displaying the FortiGate configuration
• Changing the configuration by editing the configuration file
• Controlling the behavior of the command line console

CLI command structure

Most FortiGate CLI commands consist of the following parts:

Command type
diagnose, execute, exit, get, set, unset

Command branch
Each command type has multiple branches. For example, the set command includes the alertemail, antivirus, console, emailfilter, firewall, log, nids, system, user, vpn, and webfilter branches.

Command keywords
Most command branches include one or more command keywords that specify the action of the command. Each command keyword must be followed by a keyword value. For example:

set system autoupdate schedule enable

schedule is the keyword and enable is the keyword value.

Navigating command branches

Many CLI commands require you to enter multiple parameters. You can move down the command branch to where you can enter keywords and variables without retyping the complete command. You can move back up the command branches one step at a time or return to the top level prompt in one step.

Moving down a command branch

Using the command branch to configure firewall settings as an example, you can enter a full command, or you can type the following and press Enter:

# set firewall

The command prompt changes to:

(set-fw)#

You have moved down the set branch to set firewall. You can now configure firewall settings.

Moving up a command branch

Type exit and press Enter to move one level higher in the command branch.

For example, from the (set-fw)# prompt, type exit and press Enter. The prompt changes to (set)#. You can now access the other branches of the set command. You can also continue moving up the set command branch by typing exit and pressing Enter.


Returning to the top level command prompt

To return to the top level command prompt from a command branch prompt, press CTRL+C.

For most commands you do not need to return to the top level prompt to enter them. If you do not return to the top level prompt, you must enter the entire command path, starting with set, get and so on to run the command.

Recalling commands

You can recall previously entered commands by using the Up and Down arrow keys to cycle through commands you have entered. From lower level prompts within a branch of the command tree, the Up and Down arrow keys will only recall commands from within that command branch.

Editing commands

Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can also use the Backspace and Delete keys and the control keys listed in Table 1 to edit the command.

Using command shortcuts

You can abbreviate commands and command options to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.

Using command help

You can press the tab key or the question mark (?) key to display command help.

• Press the tab key or the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
• Type a command followed by a space and press the tab key or the question mark (?) key to display a list of the options available for that command and a description of each option.
• Type a command followed by an option and press the tab key or the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.

Table 1: Control keys for editing commands

Function                                  Key combination
Beginning of line                         CTRL+A
End of line                               CTRL+E
Back one character                        CTRL+B
Forward one character                     CTRL+F
Delete current character                  CTRL+D
Previous command                          CTRL+P
Next command                              CTRL+N
Cancel command and return to # prompt     CTRL+C
Return to top level command prompt        CTRL+C
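The shortcut rule (shortest non-ambiguous prefix, so g sy st expands to get system status), the ? help listing, and the access level table earlier in this chapter all hinge on the same command tree. The following added example (not Fortinet code, not part of this guide) models a small hand-built subset of that tree, expands abbreviated commands, rejects ambiguous ones such as e (execute or exit), lists what ? would offer at a level, and checks the expanded command type against the access levels the guide defines. The tree is a partial assumption built only from the command names this chapter mentions; the real CLI has many more branches and keywords.

```python
"""Expand abbreviated FortiGate CLI commands and check them against access levels.

Added example, not Fortinet code. The command tree is a partial, hand-built
subset assembled from command names mentioned in this guide; it is an
assumption for illustration, not a listing of the FortiOS 2.50 CLI.
"""
from typing import Dict, Iterable, List

# command type -> branch -> keyword (empty dict = nothing further to expand).
COMMAND_TREE: Dict[str, dict] = {
    "diagnose": {},
    "execute": {
        "backup": {"config": {}, "nidsuserdefsig": {}},
        "ping": {},
        "reboot": {},
        "restore": {"config": {}, "image": {}, "nidsuserdefsig": {}},
        "updatecenter": {"updatenow": {}},
    },
    "exit": {},
    "get": {"config": {}, "system": {"interface": {}, "status": {}}},
    "set": {
        "alertemail": {}, "antivirus": {}, "console": {}, "emailfilter": {},
        "firewall": {}, "log": {}, "nids": {},
        "system": {"autoupdate": {}, "interface": {}, "option": {}},
        "user": {}, "vpn": {}, "webfilter": {},
    },
    "unset": {},
}

# Command types each access level may run, as stated in the guide's access level table.
ALLOWED_TYPES: Dict[str, set] = {
    "admin": {"diagnose", "execute", "exit", "get", "set", "unset"},
    "read_write": {"diagnose", "get", "set", "unset"},
    "read_only": {"get"},
}


class AmbiguousCommand(ValueError):
    """The abbreviation is a prefix of more than one name at this level."""


class UnknownCommand(ValueError):
    """The abbreviation matches nothing at this level."""


def expand_token(token: str, choices: Iterable[str]) -> str:
    """Expand one abbreviated word to the unique name it prefixes."""
    names = list(choices)
    if token in names:                      # an exact name is never ambiguous
        return token
    matches = [name for name in names if name.startswith(token)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnknownCommand(f"no command matches '{token}'")
    raise AmbiguousCommand(f"'{token}' is ambiguous: {sorted(matches)}")


def expand_command(abbrev: str, tree: Dict[str, dict] = COMMAND_TREE) -> List[str]:
    """Expand 'g sy st' to ['get', 'system', 'status'] by walking the tree."""
    level, full = tree, []
    for word in abbrev.split():
        if not level:                       # past a leaf: remaining words are keyword values
            full.append(word)
            continue
        name = expand_token(word, level)
        full.append(name)
        level = level[name]
    return full


def help_options(prefix: str, tree: Dict[str, dict] = COMMAND_TREE) -> List[str]:
    """Return the names '?' would list after the given (possibly abbreviated) prefix."""
    level = tree
    for name in (expand_command(prefix, tree) if prefix.strip() else []):
        if name not in level:
            return []
        level = level[name]
    return sorted(level)


def is_permitted(access_level: str, abbrev: str) -> bool:
    """True if the access level may run the command type the abbreviation expands to."""
    command_type = expand_command(abbrev)[0]
    return command_type in ALLOWED_TYPES[access_level]


if __name__ == "__main__":
    print(" ".join(expand_command("g sy st")))
    print(help_options("set sys"))
    for level_name in ALLOWED_TYPES:
        print(level_name, "may run 'exe res con':", is_permitted(level_name, "exe res con"))
```

Because the tree is walked level by level, an abbreviation only needs to be unique among its siblings, which is why s alone resolves to set (unset does not start with s) while e must be spelled out far enough to separate execute from exit.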


Displaying the FortiGate configuration

As you configure your FortiGate all of the changes you make to the configuration are saved in a configuration file. The changes are saved in the CLI command format.

You can use the get config command to view the configuration file. You can use the get config <keyword_str> command to view only those lines in the configuration file that contain the specified keyword. For example entering:

get config option

returns the current configuration for the set system option command. For example:

set system option admintimeout 50
set system option language ENGLISH
set system option authtimeout 15
set system option interval 5 failtime 5
set system option lcdpin 123456
set system option lcdprotection disable

You can use the execute backup config command to backup your configuration by copying the configuration file to a TFTP server.

You can use the execute restore config command to restore your configuration by copying a configuration file from a TFTP server to your FortiGate.

You can also use these commands to transfer a configuration from one FortiGate to another as long as both FortiGates are the same model and are running the same firmware version.

For more information, see “get config” on page 176, “execute backup” on page 224, and “execute restore” on page 233.

Changing the configuration by editing the configuration file

You can change the FortiGate configuration by copying the configuration file to a TFTP server. Then you can make changes to the file and copy it back to the FortiGate unit.

1 Use the execute backup config command to copy the configuration file to a TFTP server.

2 Edit the configuration file using a text editor. Related commands are listed together in the configuration file. For instance, all the system commands are grouped together, all the antivirus commands are grouped together and so on. You can edit the configuration by adding, changing or deleting the CLI commands in the configuration file. The first line of the configuration file contains information about the firmware version and FortiGate model. Do not edit this line. If this information is changed your FortiGate will reject the configuration file when you attempt to restore it.

3 Use the execute restore config command to copy the edited configuration file back to the FortiGate. The FortiGate receives the configuration file and checks to make sure the firmware version and model information is correct. If it is, the configuration file is loaded and each command is checked for errors. If the FortiGate finds an error, an error message is displayed after the command and the command is rejected. Then the FortiGate restarts and loads the new configuration.
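Since the unit rejects a restored file whose first line no longer matches, and applies every other line as a command, it is worth checking an edited file before sending it back. The following added example (not Fortinet code, not part of this guide) compares an edited copy against the original backup: it refuses a file whose header line changed and otherwise lists the commands that were added or removed so the change set can be reviewed before execute restore config. The header line format and both sample files are constructed for the example; the first line of a real backup should be used exactly as the unit wrote it.

```python
"""Pre-flight check for a hand-edited FortiGate configuration backup.

Added example, not Fortinet code. Compares an edited configuration file with the
original backup taken by 'execute backup config': the header line (firmware
version and model, which the guide says must not be edited) has to be identical,
and every other difference is reported as an added or removed CLI command.
"""
import difflib
from typing import Dict, List, Tuple

# Constructed sample files (not real FortiGate output). The header line format
# is an assumption for the example; keep the first line of a real backup as-is.
ORIGINAL_BACKUP = """\
#config-version=FGT_300-2.50-build045-constructed-sample
set system option admintimeout 50
set system option language ENGLISH
set system interface internal config allowaccess ping https ssh telnet
set system option lcdprotection disable
"""

EDITED_CONFIG = """\
#config-version=FGT_300-2.50-build045-constructed-sample
set system option admintimeout 5
set system option language ENGLISH
set system interface internal config allowaccess ping https ssh
set system option lcdprotection disable
"""

# Same edits, but the model in the header was changed too: the unit would reject this.
TAMPERED_HEADER = EDITED_CONFIG.replace("FGT_300", "FGT_500", 1)


def header_matches(original: str, edited: str) -> bool:
    """True if the first line (firmware version and model) is unchanged."""
    return original.splitlines()[0] == edited.splitlines()[0]


def command_diff(original: str, edited: str) -> Dict[str, List[str]]:
    """Return {'added': [...], 'removed': [...]} command lines, ignoring the header."""
    orig_cmds = original.splitlines()[1:]
    new_cmds = edited.splitlines()[1:]
    added: List[str] = []
    removed: List[str] = []
    matcher = difflib.SequenceMatcher(None, orig_cmds, new_cmds)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(orig_cmds[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new_cmds[j1:j2])
    return {"added": added, "removed": removed}


def preflight(original: str, edited: str) -> Tuple[bool, str]:
    """Decide whether the edited file is safe to send back with 'execute restore config'."""
    if not original.strip() or not edited.strip():
        return False, "empty file"
    if not header_matches(original, edited):
        return False, "header line changed; the unit will reject this file"
    diff = command_diff(original, edited)
    if not diff["added"] and not diff["removed"]:
        return True, "no changes"
    return True, f"{len(diff['added'])} command(s) added, {len(diff['removed'])} removed"


if __name__ == "__main__":
    ok, message = preflight(ORIGINAL_BACKUP, EDITED_CONFIG)
    print("edited file:", "OK" if ok else "REJECT", "-", message)
    for kind, lines in command_diff(ORIGINAL_BACKUP, EDITED_CONFIG).items():
        for line in lines:
            print(f"  {kind}: {line}")
    ok, message = preflight(ORIGINAL_BACKUP, TAMPERED_HEADER)
    print("tampered header:", "OK" if ok else "REJECT", "-", message)
```

Run preflight on the file pulled from the TFTP server and the edited copy; a changed line shows up once under removed (the old command) and once under added (the new one), which is the list to review against the chapter's note that each command is checked and rejected individually on restore.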


Controlling the behavior of the command line console

Using the set console command you can specify the page setting of the command line console and the mode in which it operates. The page setting determines the number of lines that appear on each page of output. You can use the command set console line 30 to specify that the console page is 30 lines long. This means that commands that display multiple lines of output, display 30 lines at a time. The default line setting is 25 lines.

The command line console mode determines when commands are written to EEPROM. The console can operate in batch or line mode. Line mode is the default mode. In line mode, when you enter a set command it is immediately executed and written to EEPROM and to the FortiGate configuration file.

In batch mode when you enter a set command it is immediately executed. But the command is not written to EEPROM and the FortiGate configuration until you enter the execute save config command. The execute save command is only available when the console is set to batch mode.

Using the set console baudrate command you can change the console connection baud rate.

Note: The set console baudrate command is available for FortiGate units with BIOS 3.03 and higher and FortiOS version 2.50 and higher.

! Caution: If downgrading from FortiOS version 2.50 to FortiOS version 2.36 or lower you must reset the baud rate to the default baud rate for the FortiGate model. (115200 for the FortiGate-300 and 9600 for all other models.)

For more information, see “set console” on page 41.

diagnose commands

Diagnose commands display information that can be used for debugging the operation of the FortiGate unit. You can also use diagnose commands to set parameters for displaying different levels of diagnostic information.

! Caution: Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.


Changing the FortiGate firmware

After you download a FortiGate firmware image from Fortinet, you can use the procedures listed in Table 2 to install the firmware image on your FortiGate unit.

Table 2: Firmware upgrade procedures

Procedure: Upgrade to a new firmware version
    The most commonly-used CLI procedure for upgrading to a new FortiOS firmware version or to a more recent build of the same firmware version.

Procedure: Revert to a previous firmware version using the CLI
    Use this procedure from the CLI to revert to a previous firmware version. This procedure reverts the FortiGate unit to its factory default configuration.

Procedure: Install a firmware image from a system reboot
    Use this procedure to install a new firmware version or revert to a previous firmware version. You must run this procedure by connecting to the CLI using the FortiGate console port and a null-modem cable. This procedure reverts your FortiGate unit to its factory default configuration.

Procedure: Test a new firmware image before installing it
    Use this procedure to test a new firmware image before installing it. You must run this procedure by connecting to the CLI using the FortiGate console port and a null-modem cable. This procedure temporarily installs a new firmware image using your current configuration. You can test the firmware image before installing it permanently. If the firmware image works correctly you can use one of the other procedures listed in this table to install it permanently.

Procedure: Installing and using a backup firmware image
    If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when required. Installing a backup firmware image is not available for the FortiGate-50 and 60.

Note: Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release that you are installing. When you have installed new firmware, use the command execute updatecenter updatenow to update the antivirus and attack definitions.

Upgrade to a new firmware version

Use the following procedure to upgrade the FortiGate to a newer firmware version. You cannot use this procedure to re-install the current firmware or to revert to an older version of the firmware. If you need to re-install the current firmware or revert to an older firmware version, see “Revert to a previous firmware version using the CLI” on page 22.

To use the following procedure you must have a TFTP server that you can connect to from the FortiGate unit.

To upgrade the FortiGate firmware from the CLI:

1 Make sure that the TFTP server is running.

2 Copy the new firmware image file to the root directory of your TFTP server.

3 Log into the CLI as the admin administrative user.


4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168:

execute ping 192.168.1.168

5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate:

execute restore image <name_str> <tftp_ip>

Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

6 Reconnect to the CLI.

7 To confirm that the new firmware image has been loaded, enter:

get system status

8 To update the antivirus and attack definitions to the most recent version, enter:

execute updatecenter updatenow

9 To confirm that the antivirus and attack definitions have been updated, enter the following command to display the current firmware version as well as the current antivirus and attack definition versions.

get system status

Revert to a previous firmware version using the CLI

This procedure reverts the FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.

Before using this procedure you can:

• Backup the FortiGate unit configuration using the command execute backup config.
• Backup the NIDS user defined signatures using the command execute backup nidsuserdefsig.
• Backup web content and email filtering lists, see the FortiGate Content Protection Guide.

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.

To use the following procedure you must have a TFTP server that you can connect to from the FortiGate unit.

1 Make sure that the TFTP server is running.

2 Copy the new firmware image file to the root directory of the TFTP server.

3 Log in to the FortiGate CLI as the admin administrative user.

4 Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:

execute ping 192.168.1.168


5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image <name_str> <tftp_ip>

Where <name_str> is the name of the firmware image file on the TFTP server and <tftp_ip> is the IP address of the TFTP server. For example, if the firmware image file name is FGT_300-v250-build045-FORTINET.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image FGT_300-v250-build045-FORTINET.out 192.168.1.168

The FortiGate unit uploads the firmware image file. Once the file has been uploaded a message similar to the following is displayed:

Get image from tftp server OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)

6 Type Y.

7 The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.

8 Reconnect to the CLI. See “Connecting to the CLI” on page 13.

9 To confirm that the older version of the firmware image has been loaded, enter:

get system status

10 Restore your previous configuration. Use the following command:

execute restore config

11 To update the antivirus engine and the virus and attack definitions to the most recent version, enter:

execute updatecenter updatenow

12 To confirm that the antivirus engine and the virus and attack definitions have been updated, enter the following command to display the current firmware version as well as the current antivirus and attack definition versions.

get system status

Install a firmware image from a system reboot

This procedure installs a specified firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or to re-install the current firmware.

To use this procedure you:

• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate interface required by your model (see Table 3).

Note: There are a few variations on this procedure for different FortiGate BIOS versions. These variations are explained in the procedure steps that are affected. The version of the BIOS running on your FortiGate unit is displayed when you restart the FortiGate unit while accessing the CLI by connecting to the FortiGate console port using a null-modem cable.


This procedure reverts your FortiGate unit to its factory default configuration and deletes NIDS user-defined signatures, web content lists, email filtering lists, and changes to replacement messages.

Before running this procedure you can:

• Backup the FortiGate unit configuration using the command execute backup config.
• Backup the NIDS user defined signatures using the command execute backup nidsuserdefsig.
• Backup web content and email filtering lists, see the FortiGate Content Protection Guide.

If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.

To install firmware from a system reboot:

1 Connect to the CLI using the null modem cable and FortiGate console port. See “Connecting to the FortiGate console” on page 14.

2 Make sure the TFTP server is running.

3 Copy the new firmware image file to the root directory of the TFTP server.

4 Make sure the required interface of the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server’s IP address is 192.168.1.168:

execute ping 192.168.1.168

Table 3: The interface that must connect to the TFTP server for each FortiGate model

FortiGate model   Interface that connects to TFTP server
FortiGate-50      Internal interface
FortiGate-60      Internal interface
FortiGate-100     Internal interface
FortiGate-200     Internal interface
FortiGate-300     Internal interface
FortiGate-400     Interface 1
FortiGate-500     Internal interface
FortiGate-1000    Interface 3
FortiGate-2000    Interface 3
FortiGate-3000    Interface 1
FortiGate-3600    Interface 1

Note: Installing firmware replaces your current antivirus engine and virus and attack definitions with those included with the firmware release that you are installing. When you have installed new firmware, use the command execute updatecenter updatenow to update the antivirus engine and virus and attack definitions.


5 Enter the following command to restart the FortiGate unit:

execute reboot

As the FortiGate unit starts, a series of system startup messages are displayed. When one of the following messages appears:

• FortiGate unit running v2.x BIOS

Press Any Key To Download Boot Image. ...

• FortiGate unit running v3.x BIOS

Press any key to enter configuration menu...........

6 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

When you successfully interrupt the startup process, one of the following messages appears:

• FortiGate unit running v2.x BIOS

Enter TFTP Server Address [192.168.1.168]:

Go to step 8.

• FortiGate unit running v3.x BIOS

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,Q,or H:

7 Type G to get the new firmware image from the TFTP server.

8 Type the address of the TFTP server and press Enter. The following message appears:

Enter Local Address [192.168.1.188]:

9 Type the current address of the interface of the FortiGate unit that must connect to the TFTP server (see Table 3) and press Enter.

The following message appears:

Enter File Name [image.out]:

Note: The local IP address is only used to download the firmware image. After the firmware is installed the address of this interface is changed back to the default IP address for this interface.


10 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.

• FortiGate unit running v2.x BIOS

Do You Want To Save The Image? [Y/n]

Type Y.

• FortiGate unit running v3.x BIOS

Save as Default firmware/Run image without saving:[D/R]

Type D.

The FortiGate unit installs the new firmware image and restarts. The installation takes a few minutes to complete.

Restoring your previous configuration

1 If required to connect to your network, change the IP address of the interface configured. You can do this from the CLI using the set system interface command.

2 To restore your FortiGate unit configuration by uploading the saved configuration file, use the command execute restore config. To restore NIDS user defined signatures, use the command execute restore nidsuserdefsig. To restore web content and email filtering lists, see the FortiGate Content Protection Guide. If you are reverting to a previous firmware version (for example, reverting from FortiOS v2.50 to FortiOS v2.36) you may not be able to restore your previous configuration from the backup configuration file.

3 To update the antivirus engine and virus and attack definitions to the most recent version, use the following command.

execute updatecenter updatenow

4 To confirm that the antivirus engine and virus and attack definitions have been updated, enter:

get system status

Test a new firmware image before installing it

You can test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts it will be operating with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure “Upgrade to a new firmware version” on page 21.

To run this procedure you:

• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate interface required by your model (see Table 3).

Note: To update the virus and attack definitions you must add DNS server IP addresses using set system dns.


To test a new firmware image:

1 Connect to the CLI using a null modem cable and FortiGate console port.

2 Make sure the TFTP server is running.

3 Copy the new firmware image file to the root directory of the TFTP server.

4 Make sure the required interface of the FortiGate unit can connect to the TFTP server.

You can use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:

execute ping 192.168.1.168

5 Enter the following command to restart the FortiGate unit:

execute reboot

6 As the FortiGate unit reboots, press any key to interrupt the system startup.

As the FortiGate unit starts, a series of system startup messages are displayed. When one of the following messages appears:

• FortiGate unit running v2.x BIOS

Press Any Key To Download Boot Image. ...

• FortiGate unit running v3.x BIOS

Press any key to enter configuration menu...........

7 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

When you successfully interrupt the startup process, one of the following messages appears:

• FortiGate unit running v2.x BIOS

Enter TFTP Server Address [192.168.1.168]:

Go to step 9.

• FortiGate unit running v3.x BIOS

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,Q,or H:

8 Type G to get the new firmware image from the TFTP server.

9 Type the address of the TFTP server and press Enter.

The following message appears:

Enter Local Address [192.168.1.188]:

10 Type the current address of the interface of the FortiGate unit that must connect to the TFTP server (see Table 3) and press Enter.


The following message appears:

Enter File Name [image.out]:

11 Enter the firmware image file name and press Enter.

The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.

• FortiGate unit running v2.x BIOS

Do You Want To Save The Image? [Y/n]

Type N.

• FortiGate unit running v3.x BIOS

Save as Default firmware/Run image without saving:[D/R]

Type R.

The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image but with its current configuration.

12 You can log in to the CLI or the web-based manager using any administrative account.

13 To confirm that the new firmware image has been loaded, from the CLI enter:

get system status

You can test the new firmware image as required.
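The download performed in steps 7 to 11 (and in the backup-image procedure that follows) is a plain TFTP read: the FortiGate unit sends a read request and acknowledges each 512-byte data block until a short block ends the transfer. The following Python model is added here as an example; it is not part of this manual or of Fortinet's software. It implements the RFC 1350 RRQ/DATA/ACK exchange for both the server and the client in memory, so the exchange can be followed offline, and it refuses the reassembled image unless its SHA-256 digest matches a reference value. TFTP has no authentication or integrity protection, so that reference digest must come from a trusted source rather than from the download itself. The image bytes, the file name handling and the digest below are constructed for the demo.

```python
"""RFC 1350 TFTP read exchange (RRQ, DATA, ACK) modelled in memory.

Added example, not from the FortiGate manual or Fortinet. Server and client are
pure functions over bytes so the exchange runs offline. TFTP carries no
authentication or integrity check, so the client also compares the reassembled
image with a SHA-256 digest obtained out of band. Image and digest are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512  # fixed by RFC 1350; a DATA block shorter than this ends the transfer


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Client: read request, sent once 'Enter File Name [image.out]:' is answered."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(packet: bytes) -> Tuple[str, str]:
    filename, mode, _rest = packet[2:].split(b"\0", 2)
    return filename.decode(), mode.decode().lower()


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block & 0xFFFF)


class TftpReadServer:
    """Server: answers one RRQ, then one DATA packet per ACK; None when finished."""

    def __init__(self, files: Dict[str, bytes]) -> None:
        self.files = files
        self.data = b""
        self.block = 0         # number of the DATA block currently in flight
        self.packets_sent = 0  # DATA packets emitted, retransmissions included

    def _chunk(self) -> bytes:
        start = (self.block - 1) * BLOCK_SIZE
        return self.data[start:start + BLOCK_SIZE]

    def _data_packet(self) -> bytes:
        self.packets_sent += 1
        return struct.pack("!HH", OP_DATA, self.block & 0xFFFF) + self._chunk()

    def handle(self, packet: bytes) -> Optional[bytes]:
        (opcode,) = struct.unpack("!H", packet[:2])
        if opcode == OP_RRQ:
            filename, mode = parse_rrq(packet)
            if mode != "octet" or filename not in self.files:
                return struct.pack("!HH", OP_ERROR, 1) + b"File not found\0"
            self.data, self.block = self.files[filename], 1
            return self._data_packet()
        if opcode == OP_ACK and self.block:
            (acked,) = struct.unpack("!H", packet[2:4])
            if acked != self.block & 0xFFFF:
                return self._data_packet()  # stale ACK: retransmit the current block
            if len(self._chunk()) < BLOCK_SIZE:
                return None                 # last (short) block acknowledged: done
            self.block += 1
            return self._data_packet()
        return struct.pack("!HH", OP_ERROR, 4) + b"Illegal TFTP operation\0"


def tftp_get(server: TftpReadServer, filename: str) -> bytes:
    """Client: send RRQ, ACK each DATA block in order, stop at the short block."""
    image = bytearray()
    expected = 1
    response = server.handle(build_rrq(filename))
    while True:
        opcode, block = struct.unpack("!HH", response[:4])
        if opcode == OP_ERROR:
            raise IOError(response[4:].rstrip(b"\0").decode())
        if block != expected & 0xFFFF:  # duplicate or out-of-order DATA: re-ACK last good block
            response = server.handle(build_ack(expected - 1))
            continue
        payload = response[4:]
        image += payload
        response = server.handle(build_ack(block))
        if len(payload) < BLOCK_SIZE:
            return bytes(image)
        expected += 1


def fetch_firmware(server: TftpReadServer, filename: str, expected_sha256: str) -> bytes:
    """Download the image and refuse it unless the digest matches the reference."""
    image = tftp_get(server, filename)
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), expected_sha256):
        raise ValueError("firmware image digest mismatch: do not save or run it")
    return image


# Constructed sample image, 1288 bytes: DATA blocks of 512, 512 and 264 bytes.
# In use, the reference digest comes from the vendor, never from the download itself.
SAMPLE_IMAGE = bytes(range(256)) * 5 + b"FGT-DEMO"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def demo() -> bytes:
    server = TftpReadServer({"image.out": SAMPLE_IMAGE})
    return fetch_firmware(server, "image.out", SAMPLE_SHA256)
```

The model reproduces the two RFC 1350 details that matter when a download misbehaves: a stale acknowledgement makes the server retransmit the block currently in flight rather than advance, and an image whose size is an exact multiple of 512 bytes is terminated by an empty final DATA block. A mismatched digest raises before the image would be saved with D or run with R.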

Installing and using a backup firmware image

If the FortiGate unit is running BIOS version v3.x, you can install a backup firmware image. Once the backup firmware image is installed you can switch to this backup image when required.

Note: Installing a backup firmware image is not available for the FortiGate-50 and 60.

This section describes:

• Installing a backup firmware image
• Switching to the backup firmware image
• Switching back to the default firmware image

Installing a backup firmware image

To run this procedure you:

• access the CLI by connecting to the FortiGate console port using a null-modem cable,
• install a TFTP server that you can connect to from the FortiGate interface required by the FortiGate model (see Table 3).

To install a backup firmware image:

1 Connect to the CLI using the null modem cable and FortiGate console port.

2 Make sure that the TFTP server is running.

Note: The local IP address is only used to download the firmware image. After the firmware is installed the address of this interface is changed back to the default IP address for this interface.


3 Copy the new firmware image file to the root directory of the TFTP server.

4 To confirm that the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the TFTP server's IP address is 192.168.1.168:

execute ping 192.168.1.168

5 Enter the following command to restart the FortiGate unit:

execute reboot

As the FortiGate unit starts, a series of system startup messages are displayed. When the following message is displayed:

Press any key to enter configuration menu...........

6 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages are displayed:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

7 Type G to get the new firmware image from the TFTP server.

8 Type the address of the TFTP server and press Enter.

The following message appears:

Enter Local Address [192.168.1.188]:

9 Type the address of the interface of the FortiGate unit that can connect to the TFTP server and press Enter.

The following message appears:

Enter File Name [image.out]:

10 Enter the firmware image file name and press Enter.

The TFTP server uploads the firmware image file to the FortiGate unit and messages similar to the following appear.

Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]

11 Type B.

The FortiGate unit saves the backup firmware image and restarts. When the FortiGate unit restarts it is running the previously installed firmware version.

Switching to the backup firmware image

Use this procedure to switch your FortiGate unit to operating with a backup firmware image that you have previously installed. When you switch the FortiGate unit to the backup firmware image, the FortiGate unit operates using the configuration that was saved with that firmware image.


If you install a new backup image from a reboot the configuration saved with this firmware image is the factory default configuration. If you use the procedure “Switching back to the default firmware image” on page 30 to switch to a backup firmware image that was previously running as the default firmware image, the configuration saved with this firmware image is restored.

1 Connect to the CLI using the null modem cable and FortiGate console port.

2 Enter the following command to restart the FortiGate unit:

execute reboot

As the FortiGate unit starts, a series of system startup messages are displayed. When the following message is displayed:

Press any key to enter configuration menu...........

3 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages are displayed:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

4 Type B to load the backup firmware image.

The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts it is running the backup firmware version and the configuration is set to factory default.

Switching back to the default firmware image

Use this procedure to switch the FortiGate unit to operating with the backup firmware image that had been running as the default firmware image. When you switch to this backup firmware image, the configuration saved with this firmware image is restored.

1 Connect to the CLI using the null modem cable and FortiGate console port.

2 Enter the following command to restart the FortiGate unit:

execute reboot

As the FortiGate unit starts, a series of system startup messages are displayed. When the following message is displayed:

Press any key to enter configuration menu...........

3 Immediately press any key to interrupt the system startup.

Note: You only have 3 seconds to press any key. If you do not press any key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command.

If you successfully interrupt the startup process, the following messages are displayed:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

4 Type B to load the backup firmware image.

The FortiGate unit loads the backup firmware image and restarts. When the FortiGate unit restarts it is running the backup firmware version with a restored configuration.


FortiGate CLI Reference Guide Version 2.50

set commands

Use the commands in this chapter to configure the functionality of the FortiGate Antivirus Firewall.

set alertemail configuration
set alertemail setting
set antivirus filepattern
set antivirus quarantine
set antivirus service
set console
set emailfilter bannedword
set emailfilter blocklist
set emailfilter config
set emailfilter exemptlist
set firewall address
set firewall addrgrp
set firewall dnstranslation
set firewall ipmacbinding setting
set firewall ipmacbinding table
set firewall ippool
set firewall onetimeschedule
set firewall policy
set firewall profile
set firewall recurringschedule
set firewall service custom
set firewall service group
set firewall vip
set log policy
set log setting
set log trafficfilter rule
set log trafficfilter setting
set nids detection
set nids prevention
set nids rule
set system admin
set system autoupdate
set system brctl
set system dhcpserver
set system dns
set system ha
set system hostname
set system interface
set system mainregpage
set system management
set system opmode
set system option
set system route number
set system route policy
set system route rip
set system route rip filter
set system route rip interface
set system route rip neighbor
set system route rip timers
set system session_ttl
set system snmp
set system time
set system vlan
set system zone
set user group
set user ldap
set user local
set user radius
set vpn ipsec concentrator
set vpn ipsec manualkey
set vpn ipsec phase1
set vpn ipsec phase2
set vpn l2tp
set vpn pptp
set webfilter cerberian
set webfilter content
set webfilter exempturl
set webfilter script
set webfilter url


set alertemail configuration

Use this command to configure the FortiGate unit to send alert email to up to three email addresses. You can enable sending alert email for virus incidents, intrusions, and critical firewall or VPN events or violations. If you have configured logging to a local disk, you can enable sending an alert email when the hard disk is almost full.

Note: Because the FortiGate uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server. See "set system dns" on page 84.

Syntax description

auth {enable | disable}
    Enable SMTP authentication if the FortiGate unit is required to authenticate before using the SMTP server.
    Default: disable. Availability: All models.

mailto {<email1_str> [<email2_str> [<email3_str>]] | none}
    Enter up to three destination email addresses, or none to clear all the addresses. These are the actual email addresses to which the FortiGate sends alert email.
    No default. Availability: All models.

passwd <password_str>
    Enter the password that the FortiGate unit needs to access the SMTP server.
    No default. Availability: All models.

server <smtp-server_str>
    Enter the name of the SMTP server, in the format smtp.domain.com, to which the FortiGate unit should send email. The SMTP server can be located on any network connected to the FortiGate unit.
    No default. Availability: All models.

user <smtp-user_str>
    Enter a valid email address in the format [email protected]. This address appears in the From header of the alert email.
    No default. Availability: All models.

Examples

Use the following command to configure the FortiGate unit to send alert email with the following settings:

• SMTP server: smtp.ourcompany.com
• SMTP user: [email protected]
• SMTP authentication: enable
• SMTP user password: secret
• First email: [email protected]
• Second email: [email protected]

set alertemail configuration server smtp.ourcompany.com user [email protected] auth enable passwd secret mailto [email protected] [email protected]

Use the following command to change the SMTP user password to bettersecret and to add the administrator email address [email protected]. Because mailto sets the complete list of addresses, the two existing addresses are entered again:

set alertemail configuration passwd bettersecret mailto [email protected] [email protected] [email protected]

Related commands
• get alertemail configuration
• set alertemail setting
• set system dns
• get system dns


set alertemail setting

Use this command to enable sending alert email for virus incidents, intrusions, and critical firewall or VPN events or violations. If you have configured logging to a local disk, you can enable sending an alert email when the hard disk is almost full.

Syntax description

option {virusincidents | blockincidents | intrusions | critical | diskfull | none}
    virusincidents: send alert email when antivirus scanning detects a virus.
    blockincidents: send alert email when the FortiGate unit blocks files, URLs, or emails.
    intrusions: send alert email to notify the system administrator of attacks detected by the NIDS.
    critical: send alert email when a critical firewall or VPN event occurs.
    • Critical firewall events include failed authentication attempts.
    • Critical VPN events include when replay detection detects a replay packet. Replay detection can be configured for both manual key and AutoIKE Key VPN tunnels.
    diskfull: send an alert email when the hard disk is almost full. Available only for models with a hard disk and logging to local disk enabled.
    none: clear all settings.
    No default. Availability: All models.

Examples

Use the following command to enable sending alert email for virus incidents and for attacks:

set alertemail setting virusincidents intrusions

Use the following command to disable sending alert email for all categories:

set alertemail setting none

Related commands
• get alertemail setting
• set alertemail configuration


set antivirus filepattern

Use this command to add or delete the file patterns used for virus blocking.

Syntax description

add <fp_str> {enableall | disableall}
    Add a file pattern to the list of file patterns to block, and enable or disable it for all services. You can use the asterisk (*) to represent any characters.
    No default. Availability: All models.

delete <fp_integer>
    The number of a file pattern to delete from the file pattern list. Use the command get antivirus filepattern for a numbered list of file patterns.
    No default. Availability: All models.

Examples

Use the following command to add the file pattern *.flw to the list of file patterns to block, and to enable this file pattern for all services:

set antivirus filepattern add *.flw enableall

Use the following command to delete file pattern 5:

set antivirus filepattern delete 5

Related commands
• get antivirus filepattern
• set antivirus service
• set firewall profile


set antivirus quarantine

Use this command to set file quarantine options.

FortiGate units with hard disks can be configured to quarantine blocked or infected files. The quarantined files are removed from the content stream and stored on the FortiGate hard disk. Users receive a message informing them that the removed files have been quarantined.

Syntax description

agelimit <hours_integer>
    Specify how long files are left in quarantine. The maximum number of hours is 479. The FortiGate unit automatically deletes a file when the TTL (time to live) reaches 00:00. Enter 0 to keep files indefinitely.
    Default: 0. Availability: FortiGate models numbered 200 and higher.

deletefile <all | checksum_hex>
    Delete a quarantined file from the hard disk. The file is identified by the checksum that was calculated for the file when it was put into quarantine. Use the command get antivirus quarantine list for a list of quarantined files including the checksum for each file.
    No default. Availability: FortiGate models numbered 200 and higher.

download <checksum_hex>
    Download a quarantined file from the FortiGate unit. The file is identified by the checksum that was calculated for the file when it was put into quarantine. Use the command get antivirus quarantine list for a list of quarantined files including the checksum for each file.
    No default. Availability: FortiGate models numbered 200 and higher.

lowspace <drop_new | ovwr_old>
    Select the method for handling additional files when the FortiGate hard disk is running out of space. Select ovwr_old to drop the oldest file (lowest TTL), or drop_new to drop new quarantine files.
    Default: ovwr_old. Availability: FortiGate models numbered 200 and higher.

maxfilesize <filesize_integer>
    Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any existing quarantined files over the limit. The FortiGate unit does not quarantine any new files larger than this value. The file size range is 1-499 MB. Enter 0 for unlimited file size.
    Default: 0. Availability: FortiGate models numbered 200 and higher.

service {http | ftp | pop3 | imap | smtp}
    Select the service for which you want to quarantine infected or blocked files. You can select http, ftp, pop3, imap or smtp to quarantine infected files. You can select pop3, imap, or smtp to quarantine blocked files. You can enable or disable quarantining for one service at a time.
    No default. Availability: FortiGate models numbered 200 and higher.

infected <enable | disable>
    For the chosen service, quarantine a file if it is found to be infected. Quarantining infected files is available for http, ftp, pop3, imap or smtp.
    Default: enable. Availability: FortiGate models numbered 200 and higher; applies to the selected service only.

blocked <enable | disable>
    For the chosen service, quarantine a file if it is blocked by a filename pattern. Quarantining blocked files is available for pop3, imap, or smtp only. HTTP and FTP files are blocked during the request; therefore, there is no data to quarantine.
    Default: enable. Availability: FortiGate models numbered 200 and higher; applies to the selected service only.

Examples

Use the following commands to enable quarantining of infected HTTP files and blocked SMTP files:

set antivirus quarantine service http infected enable

set antivirus quarantine service smtp blocked enable

Use the following commands to set the TTL of files in the quarantine to 60 hours and the maximum quarantine file size to 50 MB:

set antivirus quarantine agelimit 60

set antivirus quarantine maxfilesize 50

Related commands
• set antivirus filepattern
• set antivirus service
• get antivirus filepattern
• get antivirus quarantine list
• get antivirus service
• set firewall profile
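The keywords above interact: a file is only stored if quarantining is enabled for its service and reason, if it is under maxfilesize, and if there is disk space or the lowspace policy makes room; stored files then age out under agelimit. The following Python model is added here as an example and is not Fortinet code; it applies those rules in that order so the interaction can be checked against concrete cases. The quarantine disk size, the clock, SHA-1 as the file checksum and the sample files are assumptions of the example.

```python
"""Quarantine policy as described for set antivirus quarantine.

Added example, not Fortinet code. Files are keyed by checksum; agelimit is a
TTL in hours (0 = keep indefinitely), maxfilesize is in MB (0 = unlimited),
lowspace is drop_new or ovwr_old, and infected/blocked are set per service.
Disk size, the clock, SHA-1 as the checksum and the sample files are assumptions.
"""
import hashlib
from typing import Dict, List, Optional

MB = 1024 * 1024
SERVICES = ("http", "ftp", "pop3", "imap", "smtp")
BLOCK_QUARANTINE_OK = ("pop3", "imap", "smtp")  # HTTP/FTP are blocked at request time: no data


class Quarantine:
    def __init__(self, disk_bytes: int) -> None:
        self.disk_bytes = disk_bytes
        self.agelimit_hours = 0
        self.maxfilesize_mb = 0
        self.lowspace = "ovwr_old"
        self.infected = {svc: False for svc in SERVICES}
        self.blocked = {svc: False for svc in SERVICES}
        self.files: Dict[str, dict] = {}  # checksum -> service, reason, size, ttl_hours, seq
        self._seq = 0

    def set_agelimit(self, hours: int) -> None:
        if not 0 <= hours <= 479:
            raise ValueError("agelimit must be 0 or 1-479 hours")
        self.agelimit_hours = hours

    def set_maxfilesize(self, mb: int) -> None:
        if mb != 0 and not 1 <= mb <= 499:
            raise ValueError("maxfilesize must be 0 or 1-499 MB")
        self.maxfilesize_mb = mb  # files already quarantined over the new limit are kept

    def set_service(self, service: str, infected: Optional[bool] = None,
                    blocked: Optional[bool] = None) -> None:
        if infected is not None:
            self.infected[service] = infected
        if blocked is not None:
            if blocked and service not in BLOCK_QUARANTINE_OK:
                raise ValueError("blocked files can be quarantined for pop3, imap or smtp only")
            self.blocked[service] = blocked

    def used_bytes(self) -> int:
        return sum(f["size"] for f in self.files.values())

    def submit(self, service: str, reason: str, data: bytes) -> Optional[str]:
        """Offer a file the <service> proxy caught; return its checksum if it was stored."""
        wanted = self.infected if reason == "infected" else self.blocked
        if not wanted[service]:
            return None
        if self.maxfilesize_mb and len(data) > self.maxfilesize_mb * MB:
            return None
        while self.used_bytes() + len(data) > self.disk_bytes:
            if self.lowspace == "drop_new" or not self.files:
                return None
            # ovwr_old: evict the file with the lowest TTL, oldest first on ties
            oldest = min(self.files, key=lambda c: (self.files[c]["ttl_hours"], self.files[c]["seq"]))
            del self.files[oldest]
        self._seq += 1
        checksum = hashlib.sha1(data).hexdigest()
        self.files[checksum] = {"service": service, "reason": reason, "size": len(data),
                                "ttl_hours": self.agelimit_hours or float("inf"), "seq": self._seq}
        return checksum

    def tick(self, hours: int) -> List[str]:
        """Advance the clock; files whose TTL reaches 00:00 are deleted, checksums returned."""
        expired = []
        for checksum, f in list(self.files.items()):
            f["ttl_hours"] -= hours
            if f["ttl_hours"] <= 0:
                expired.append(checksum)
                del self.files[checksum]
        return expired

    def deletefile(self, target: str) -> int:
        """deletefile {all | <checksum_hex>}; returns how many files were removed."""
        if target == "all":
            count = len(self.files)
            self.files.clear()
            return count
        return 1 if self.files.pop(target, None) is not None else 0


def demo() -> dict:
    q = Quarantine(disk_bytes=3 * MB)        # constructed 3 MB quarantine area
    q.set_service("http", infected=True)     # set antivirus quarantine service http infected enable
    q.set_service("smtp", blocked=True)      # set antivirus quarantine service smtp blocked enable
    q.set_agelimit(60)                       # set antivirus quarantine agelimit 60
    q.set_maxfilesize(2)                     # constructed 2 MB cap
    out = {}
    out["a"] = q.submit("http", "infected", b"A" * MB)
    q.tick(10)                                                          # a now has 50 hours left
    out["b"] = q.submit("smtp", "blocked", b"B" * MB)
    out["too_big"] = q.submit("http", "infected", b"C" * (2 * MB + 1))  # over maxfilesize
    out["http_blocked"] = q.submit("http", "blocked", b"D" * 100)      # never quarantinable
    out["smtp_infected"] = q.submit("smtp", "infected", b"E" * 100)    # not enabled for smtp
    out["f"] = q.submit("http", "infected", b"F" * (MB + MB // 2))     # needs room: a is evicted
    out["after_f"] = sorted(q.files)
    q.lowspace = "drop_new"
    out["g"] = q.submit("http", "infected", b"G" * MB)                 # still no room: dropped
    out["expired"] = q.tick(60)                                        # b and f reach 00:00
    out["remaining"] = len(q.files)
    return out
```

The eviction order under ovwr_old follows the manual's definition of "oldest" as lowest remaining TTL, which is why the file quarantined first (a, with 50 hours left) is dropped ahead of the later one (b, with 60 hours left) when space runs out.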


set antivirus service

Use this command to configure antivirus protection settings to control how the FortiGate unit applies antivirus protection to the web, FTP, and email traffic allowed by firewall policies.

You can also use this command to configure antivirus scanning on a non-standard port number or multiple port numbers for HTTP, SMTP, POP3 and IMAP proxies. You can configure how the FortiGate unit handles interaction with an SMTP server for delivery of email with infected email file attachments, and how it handles buffering and uploading of files to an FTP server.

Syntax description

{http | smtp | pop3 | ftp | imap}
    Select a service for which to configure antivirus protection settings.
    No default. Availability: All models.

block {<fp_integer> | all} {enable | disable}
    Enable or disable blocking for the selected service. Blocking deletes files that match enabled file patterns. Enter a file pattern number to enable or disable the specified file pattern. Use the command get antivirus filepattern for a numbered list of file patterns. Enter all to enable or disable all file patterns.
    No default. Availability: All models, all services.

filesizelimit value <MB_integer>
    Enter the oversized file and email limit in Mbytes. Because available memory varies for different FortiGate models, use the command set antivirus service {http | smtp | pop3 | ftp | imap} filesizelimit value followed by a space and a ? to find the acceptable range in MB for your model. You can configure the FortiGate unit to use 1% to 15% of available memory to store oversized files and email. The FortiGate unit then blocks a file or email that exceeds this limit instead of bypassing antivirus scanning and sending the file or email directly to the server or receiver.
    Default: varies. Availability: All models, all services.

port {add <port_integer> | delete <port_integer>}
    Configure antivirus scanning on a nonstandard port number or multiple port numbers for HTTP and email proxies. You can use ports from the range 1-65535. You can add up to 20 ports. You must re-enter the complete command for each port you want to add or delete. Use the command get antivirus service <service_str> ports for a list of ports used for antivirus scanning for the specified service.
    Default: http 80, smtp 25, pop3 110, imap 143. Availability: All models; HTTP, SMTP, POP3 and IMAP services.

splice {enable | disable}
    Enable or disable splice for the smtp or ftp services.
    SMTP splice: Configure how the FortiGate unit handles interaction with an SMTP server for delivery of email with infected file attachments. When splice is enabled for smtp, the FortiGate unit simultaneously scans an email and sends it to the SMTP server. If the FortiGate unit detects a virus, it terminates the server connection and returns an error message to the sender, listing the virus name and infected filename. In this mode, the SMTP server is not able to deliver the email if it was sent with an infected attachment. Throughput is higher when splice is enabled for smtp. When splice is disabled for smtp, the FortiGate unit scans the email first. If the FortiGate unit detects a virus, it removes the infected attachment, adds a customizable message, and sends the email to the SMTP server for delivery. In short, enable returns an error message to the sender if an attachment is infected and the receiver does not receive the email or the attachment; disable removes an infected attachment and forwards the email (without the attachment) to the SMTP server for delivery to the receiver.
    FTP splice: Configure how the FortiGate unit handles buffering and uploading of files to an FTP server. When splice is enabled for ftp, the FortiGate unit simultaneously buffers the file for scanning and uploads the file to an FTP server. If a virus is detected, the FortiGate unit stops the upload and attempts to delete the partially uploaded file from the FTP server. For deleting the file to work, the server permissions must allow deletes. Enabling splice for ftp reduces FTP timeouts when uploading large files. When splice is disabled for ftp, the FortiGate unit buffers the file for scanning before uploading it to the FTP server. If the file is clean, the FortiGate unit allows the upload to continue.
    Default: enable. Availability: All models; SMTP and FTP services.

Examples

Use the following command to enable a block pattern for http:

set antivirus service http block 5 enable

Use the following command to add a port for http traffic:

set antivirus service http port add 8080

Use the following command to disable smtp splicing:

set antivirus service smtp splice disable

Use the following command to set a maximum file size limit for ftp to 8 MB:

set antivirus service ftp filesizelimit value 8

Related commands
• get antivirus filepattern
• get antivirus service
• set antivirus filepattern
• set firewall policy
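The block keyword above works together with set antivirus filepattern: patterns are numbered in list order, the asterisk stands for any characters, and each pattern is switched on or off per service. The following Python model is added here as an example and is not Fortinet code; it reproduces that numbering, the whole-name wildcard match and the per-service enable state, using the manual's *.flw and http block examples plus constructed patterns and file names. Case-insensitive matching is an assumption of the example.

```python
"""File-pattern blocking as described for set antivirus filepattern and
set antivirus service <service> block.

Added example, not Fortinet code. '*' stands for any run of characters and the
whole file name must match. Case-insensitive matching and the sample file names
are assumptions of this example. Patterns are numbered from 1 in list order, as
get antivirus filepattern lists them, and each is enabled per service.
"""
import re
from typing import Dict, List, Optional, Union

SERVICES = ("http", "ftp", "smtp", "pop3", "imap")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Escape everything except '*', which becomes '.*'; anchor both ends."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


class FilePatternList:
    def __init__(self) -> None:
        self.patterns: List[str] = []
        self.enabled: List[Dict[str, bool]] = []  # per pattern, per service

    def add(self, pattern: str, enable_all: bool) -> int:
        """set antivirus filepattern add <fp_str> {enableall | disableall}; returns the new number."""
        self.patterns.append(pattern)
        self.enabled.append({svc: enable_all for svc in SERVICES})
        return len(self.patterns)

    def delete(self, number: int) -> None:
        """set antivirus filepattern delete <fp_integer>; later entries move up one number."""
        del self.patterns[number - 1]
        del self.enabled[number - 1]

    def set_block(self, service: str, target: Union[int, str], enable: bool) -> None:
        """set antivirus service <service> block {<fp_integer> | all} {enable | disable}"""
        indexes = range(len(self.patterns)) if target == "all" else [int(target) - 1]
        for i in indexes:
            self.enabled[i][service] = enable

    def match(self, service: str, filename: str) -> Optional[int]:
        """Number of the first pattern enabled for <service> that matches, else None."""
        for i, pattern in enumerate(self.patterns):
            if self.enabled[i][service] and pattern_to_regex(pattern).match(filename):
                return i + 1
        return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed list plus the manual's *.flw and 'http block 3 enable' examples."""
    fpl = FilePatternList()
    fpl.add("*.exe", True)          # pattern 1
    fpl.add("*.vbs", True)          # pattern 2
    fpl.add("*.zip", False)         # pattern 3, present but disabled for every service
    fpl.add("*.flw", True)          # pattern 4: set antivirus filepattern add *.flw enableall
    fpl.set_block("http", 3, True)  # set antivirus service http block 3 enable
    names = ["setup.EXE", "report.zip", "movie.flw", "notes.txt", "exe.txt"]
    results = {}
    for service in ("http", "smtp"):
        for name in names:
            results[f"{service}:{name}"] = fpl.match(service, name)
    return results
```

Because delete renumbers the entries that follow, a command such as set antivirus service http block 5 enable refers to whatever pattern currently holds number 5; check get antivirus filepattern after any deletion before enabling patterns by number.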


set console

Set the console command mode, the number of lines displayed by the console, and the baud rate.

Note: The set console baudrate command is available for FortiGate units with BIOS 3.03 and higher and FortiOS version 2.50 and higher.

Caution: If downgrading from FortiOS version 2.50 to FortiOS version 2.36 or lower you must reset the baud rate to the default baud rate for the FortiGate model (115200 for the FortiGate-300 and 9600 for all other models).

Syntax description

baudrate {9600 | 19200 | 38400 | 57600 | 115200}
    Select a baud rate for the FortiGate unit. The change is effective immediately; therefore, you must change the baud rate of the connected terminal to match the new FortiGate console baud rate.
    Default: varies. Availability: All models, FortiOS version 2.5 and higher, BIOS 3.03 and higher.

mode {line | batch}
    Set the console mode to line or batch. In line mode commands are immediately executed and written to EEPROM. In batch mode commands are executed immediately but are only written to EEPROM when you enter the execute save config command. The execute save config command is available only when the console is set to batch mode.
    Default: line. Availability: All models.

page {<page_integer> | 0}
    Set the number of lines that appear on each page of command line console output. Set this value to 0 to allow output to flow without paging.
    Default: 25. Availability: All models.

Examples

Use the following command to limit console output to 24 lines per page:

set console page 24

Use the following command to change the baud rate to 38400:

set console baudrate 38400

Related commands
• get console
• execute reload
• execute save config


set emailfilter bannedword

Use this command to filter email containing banned words or phrases.

When the FortiGate unit detects email that contains a word or phrase in the banned word list, the FortiGate unit adds a tag to the subject line of the email and writes a message to the event log. Receivers can then use their mail client software to filter messages based on the subject tag.

You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.

Syntax description

add word <word_str> language {0 | 1 | 2 | 3 | 4} state {enable | disable}
    Add a word or phrase to the banned word list.
    word: If you enter a single word (for example, banned), the FortiGate unit tags all email containing that word. If you type a phrase, you must add + between the words (for example, banned+phrase). The FortiGate unit tags all email containing both of the words. If you type a phrase in quotes, you must also include the + (for example, "banned+word"). The FortiGate unit tags all email where the words are found together as a phrase. Email filtering is not case-sensitive. You cannot include special characters in banned words.
    language: The language or character set for the banned word or phrase. You can choose 0 for Western, 1 for Simplified Chinese, 2 for Traditional Chinese, 3 for Japanese, or 4 for Korean.
    state: Enable or disable email filtering for this word or phrase.
    No default. Availability: All models.

delete {<word_integer> | all}
    Enter a number to delete the specified word or phrase from the banned word list. Use the command get emailfilter bannedword for a numbered list of banned words. Enter all to delete all the words on the banned word list.
    No default. Availability: All models.

edit <word_integer> word <word_str> language {0 | 1 | 2 | 3 | 4} state {enable | disable}
    Edit a word or phrase on the banned word list. Enter a number to edit the specified word or phrase. Use the command get emailfilter bannedword for a numbered list of banned words. You can make changes to any or all of the word or phrase, language or character set, or state.
    No default. Availability: All models.

Examples

Use the following command to add the English phrase bad word to the email filter list and enable the phrase:

set emailfilter bannedword add word bad+word language 0 state enable

Related commands
• get emailfilter
• set emailfilter blocklist
• set emailfilter config
• set emailfilter exemptlist
• set firewall profile


set emailfilter blocklist

Use this command to add or delete email address block patterns.

You can configure the FortiGate unit to tag all IMAP and POP3 protocol traffic sent from unwanted email addresses. When the FortiGate unit detects an email sent from an unwanted address pattern, the FortiGate unit adds a tag to the subject line of the email and writes a message to the email filter log. Receivers can then use their mail client software to filter messages based on the subject tag.

You can tag email from a specific sender address or from all address subdomains by adding the top-level domain name. Alternatively, you can tag email sent from individual subdomains by including the subdomain to block.

Syntax description

add <block-pattern_str> state {enable | disable}
    Add and enable or disable an email address block pattern.
    To tag email from a specific email address, type the email address. For example, [email protected].
    To tag email from a specific domain, type the domain name. For example, abccompany.com.
    To tag email from a specific subdomain, type the subdomain name. For example, mail.abccompany.com.
    To tag email from an entire organization category, type the top-level domain name. For example, type com to tag emails sent from all organizations that use .com as the top-level domain.
    No default. Availability: All models.

delete {<block-pattern_str> | all}
    Delete the specified email address block pattern or delete the entire list. Use the command get emailfilter blocklist for a list of email address block patterns.
    No default. Availability: All models.

edit <block-pattern_integer> address <block-pattern_str> state {enable | disable}
    Edit an email address block pattern. Enter a number to edit the specified address block pattern. Use the command get emailfilter blocklist for a numbered list of address block patterns.
    No default. Availability: All models.

Examples

Use the following command to add the email address [email protected] to the email address pattern block list and to enable blocking the address:

set emailfilter blocklist add [email protected] state enable

Related commands
• get emailfilter
• set emailfilter bannedword
• set emailfilter config
• set emailfilter exemptlist
• set firewall profile


set emailfilter config
Use this command to configure the email filter subject tag.

When the FortiGate unit receives email from an unwanted address or email that contains an item in the email banned word list, the FortiGate unit adds a tag to the subject line and sends the message to the destination email address. Email users can use their mail client software to filter the messages based on the subject tag.

Syntax description

Keyword: subjecttag <tag_str>
Description: Type the subject tag that you want to display in the subject line of email received from unwanted addresses or containing banned words.
Default: No default.
Availability: All models.

Examples
Use the following command to change the email filter subject tag to UNWANTED:

set emailfilter config subjecttag UNWANTED

Related commands
• get emailfilter
• set emailfilter bannedword
• set emailfilter blocklist
• set emailfilter exemptlist
• set firewall profile


set emailfilter exemptlist
Use this command to add or delete email address exempt patterns.

Add address patterns to the exempt list to allow legitimate IMAP and POP3 traffic that might otherwise be tagged by email or content blocking. For example, if the email banned word list is set to block email that contains pornography-related words and a reputable company sends email that contains these words, the FortiGate unit would normally add a subject tag to the email. Adding the domain name of the reputable company to the exempt list allows IMAP and POP3 traffic from the company to bypass email and content blocking.

Syntax description

Keyword: add <pattern_str> state {enable | disable}
Description: Add and enable or disable an email address exempt pattern.
  To exempt email sent from a specific email address, type the email address. For example, [email protected].
  To exempt email sent from a specific domain, type the domain name. For example, abccompany.com.
  To exempt email sent from a specific subdomain, type the subdomain name. For example, mail.abccompany.com.
  To exempt email sent from an entire organization category, type the top-level domain name. For example, type net to exempt email sent from all organizations that use .net as the top-level domain.
Default: No default.
Availability: All models.

Keyword: delete {<pattern_str> | all}
Description: Delete the specified email address exempt pattern or delete the entire list. Use the command get emailfilter exemptlist for a list of email address exempt patterns.
Default: No default.
Availability: All models.

Keyword: edit <pattern_integer> address <pattern_str> state {enable | disable}
Description: Edit an email address exempt pattern. Enter a number to edit the specified address exempt pattern. Use the command get emailfilter exemptlist for a numbered list of address exempt patterns.
Default: No default.
Availability: All models.

Examples
Use the following command to add the email address [email protected] to the email address pattern exempt list and to enable exempting the address:

set emailfilter exemptlist add [email protected] state enable

Related commands
• get emailfilter
• set emailfilter bannedword
• set emailfilter blocklist
• set emailfilter config
• set firewall profile
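The blocklist, exemptlist and subjecttag settings described in the three emailfilter commands above combine into one decision per message. The Python below is an added example, not FortiGate code, that models that decision as the keyword descriptions state it: a pattern matches one address, a domain (with everything beneath it), a subdomain or a bare top-level domain; an enabled exempt match bypasses tagging; an enabled block match prepends the subject tag and yields a log line. All addresses, pattern and function names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def pattern_matches(pattern: str, sender: str) -> bool:
    """Return True if a block or exempt pattern covers the sender address.

    Pattern forms, as the keyword descriptions list them:
      user@domain           one specific address (exact match)
      abccompany.com        a domain, including every subdomain under it
      mail.abccompany.com   one specific subdomain
      com                   every organization using that top-level domain
    Matching is case-insensitive, as mail domains are."""
    pattern = pattern.strip().lower()
    sender = sender.strip().lower()
    if "@" in pattern:
        return sender == pattern
    if "@" not in sender:
        return False
    domain = sender.rsplit("@", 1)[1]
    # A domain pattern covers the domain itself and anything beneath it, so
    # "abccompany.com" covers "mail.abccompany.com" and "com" covers both.
    return domain == pattern or domain.endswith("." + pattern)


@dataclass
class EmailFilter:
    """Models the emailfilter blocklist, exemptlist and subjecttag settings.

    Each list maps a pattern to its state, as set with
    'set emailfilter {blocklist|exemptlist} add <pattern> state {enable|disable}'."""
    subjecttag: str                                   # set emailfilter config subjecttag
    blocklist: Dict[str, bool] = field(default_factory=dict)
    exemptlist: Dict[str, bool] = field(default_factory=dict)

    def _first_enabled_match(self, table: Dict[str, bool], sender: str) -> Optional[str]:
        for pattern, enabled in table.items():
            if enabled and pattern_matches(pattern, sender):
                return pattern
        return None

    def filter_message(self, sender: str, subject: str) -> Tuple[str, Optional[str]]:
        """Return (subject as delivered, email filter log line or None).

        An exempt match bypasses block tagging entirely; a block match
        prepends the subject tag and produces a log message, as described
        for set emailfilter blocklist."""
        if self._first_enabled_match(self.exemptlist, sender) is not None:
            return subject, None
        blocked = self._first_enabled_match(self.blocklist, sender)
        if blocked is None:
            return subject, None
        tagged = f"{self.subjecttag} {subject}"
        log = f"emailfilter: tagged mail from {sender} (block pattern {blocked})"
        return tagged, log


def demo_filter() -> EmailFilter:
    """Constructed sample configuration, not taken from the manual."""
    f = EmailFilter(subjecttag="UNWANTED")
    f.blocklist["bulk.example.net"] = True        # one subdomain
    f.blocklist["com"] = True                     # every .com sender
    f.blocklist["example.org"] = False            # added but disabled
    f.exemptlist["partner.example.com"] = True    # reputable .com company
    return f


if __name__ == "__main__":
    f = demo_filter()
    for sender, subject in [
        ("offers@bulk.example.net", "Great deal"),
        ("ceo@partner.example.com", "Q3 numbers"),
        ("someone@shop.example.com", "Invoice"),
        ("ops@example.org", "Maintenance"),
    ]:
        print(sender, "->", f.filter_message(sender, subject))
```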


set firewall address
Add and edit addresses used in firewall policies. Use the command unset firewall address to delete addresses.

An address must be added to an interface before you can add policies for that interface. On FortiGate models 400 and up, an address must be added to a VLAN subinterface or zone before you can add policies for that VLAN subinterface or zone.

Syntax description

Keyword: <interface_str>
Description: The name of the interface, VLAN subinterface, or zone to which to add the address.
Default: No default.
Availability: All models.

Keyword: <name_str>
Description: Enter an address name to identify the address.
Default: No default.
Availability: All models.

Keyword: subnet <address_ip> <netmask_ip>
Description: The IP address can be the IP address of a single computer (for example, 192.45.46.45) or the address of a subnetwork (for example, 192.168.1.0). The netmask should correspond to the address that you are adding. For example:
  • The netmask for the IP address of a single computer should be 255.255.255.255.
  • The netmask for a class A subnet should be 255.0.0.0.
  • The netmask for a class B subnet should be 255.255.0.0.
  • The netmask for a class C subnet should be 255.255.255.0.
Default: 0.0.0.0 0.0.0.0
Availability: All models.

Examples
Use the following command to add the address of a network to the Internal address list. The address name is User_Network, the IP address is 192.168.22.0, and the netmask is 255.255.255.0.

set firewall address internal User_Network subnet 192.168.1.0 255.255.255.0

Use the following command to edit this address to change its IP address to 192.168.2.0.

set firewall address internal User_Network subnet 192.168.2.0 255.255.255.0

Use the following command to add the address of a single computer on the 192.168.2.0 network.

set firewall address internal User_1 subnet 192.168.2.1 255.255.255.255

Use the following command to edit an address added to a VLAN subinterface named VLAN_1. The name of the address is Web_Server. The command changes the IP address to 10.10.10.34 and the netmask to 255.255.255.255.

set firewall address VLAN_1 Web_Server subnet 10.10.10.34 255.255.255.255

Related commands
• unset firewall address
• set firewall addrgrp
• set firewall policy
• get firewall address
• get firewall addrgrp


set firewall addrgrp
Add and edit address groups used in firewall policies. Use the command unset firewall addrgrp to delete address groups.

For all FortiGate models, you add address groups to interfaces. For FortiGate models 400 and up you can also add address groups to VLAN subinterfaces and zones.

Syntax description

Keyword: <interface_str>
Description: The name of the interface, VLAN subinterface, or zone to which to add or edit the address group. The interface can be physical or a VLAN. Enter set firewall addrgrp followed by a space and a ? for a list of available interfaces.
Default: No default.
Availability: All models.

Keyword: <address-group_str>
Description: The name of the address group to add or edit.
Default: No default.
Availability: All models.

Keyword: member <name_str> [<name_str> <name_str> ...]
Description: The names of the addresses to add to the address group. The member addresses must already have been added to the interface, VLAN subinterface, or zone to which you are adding the address group. Enter set firewall addrgrp <interface_str> <address-group_str> member followed by a space and a ? for a list of addresses added to that interface, VLAN subinterface, or zone. Use spaces to separate the address names. Leaving an address name out of the list removes it from the address group.
Default: No default.
Availability: All models.

Examples
Use the following command to add an address group to the Internal address list. The address group is User_Network, and its members include Internal_1, Internal_2, and Internal_4.

set firewall addrgrp Internal User_Network member Internal_1 Internal_2 Internal_4

Use the following command to edit an address group named User_Network, so that it contains the addresses Internal_1, Internal_2, Internal_3, and Internal_4.

set firewall addrgrp Internal User_Network member Internal_1 Internal_2 Internal_3 Internal_4

Use the following command to remove Internal_1 from the address group named User_Group.

set firewall addrgrp Internal User_Network member Internal_2 Internal_3 Internal_4

Related commands
• unset firewall addrgrp
• set firewall address
• set firewall policy
• get firewall address
• get firewall addrgrp


set firewall dnstranslation
Use this command to enable or disable DNS translation and to add or delete a DNS translation entry.

DNS translation translates IP addresses in packets sent by a DNS server from the internal network to the external network. Use DNS translation if you have a DNS server on your internal network that can be accessed by users on the external network to find the IP addresses of servers on your internal network.

If users on the external network can access a server on your internal network using virtual IP mapping, you may allow them to find the IP address of the server using a DNS query. If they query a DNS server that is also on your internal network, the DNS server would return the internal IP address of the server. The external users would not be able to use this IP address to access the internal server.

Using DNS translation, you can map the internal IP address of the server to an address that external users can use to access this server. When the firewall receives DNS packets from the internal network that match a DNS translation source address, DNS translation changes the IP address in the DNS packet to the DNS translation destination IP address and forwards the packet through the firewall to the external user.

Syntax description

Keyword: add src <source_ip> dst <destination_ip> netmask <netmask_ip>
Description: Add a DNS translation entry. Specify the source address, destination address, and netmask. The source address can be a single IP address on your internal network or the IP address of a subnet. The destination address can be a single external IP address or the IP address of a subnet accessible from the external network. Set the netmask as required. The source and destination addresses must both be single IP addresses or must both be subnet addresses. The netmask applies to both the source and destination addresses.
Default: No default.
Availability: All models.

Keyword: del src <source_ip> dst <destination_ip> netmask <netmask_ip>
Description: Delete a DNS translation entry. Specify the source address, destination address, and netmask.
Default: No default.
Availability: All models.

Keyword: {enable | disable}
Description: Enable or disable DNS translation.
Default: disable
Availability: All models.

Examples
Use the following commands to enable DNS translation and translate DNS addresses for one server that has an IP address on your internal network of 192.168.1.23 but from the external network the IP address of the server should be 64.23.2.23 (as set using virtual IP mapping).

set firewall dnstranslation enable

set firewall dnstranslation add src 192.168.1.23 dst 64.23.2.23 netmask 255.255.255.255

Use the following command if you have configured symmetrical IP mapping between the external and internal networks and the subnet on the internal network is 192.168.20.0 and the subnet on the external network is 64.28.4.0.

set firewall dnstranslation add src 192.168.20.0 dst 64.28.4.0 netmask 255.255.255.0

Related commands
• set firewall vip
• get firewall dnstranslation
• get firewall vip
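As an added example, not Fortinet code, the following Python applies a set of dnstranslation entries the way the description above says the firewall does: an address in a DNS reply travelling from the internal to the external network that matches an entry's src under its netmask is rewritten to that entry's dst, keeping the host bits for subnet entries. It also enforces the rule that src and dst must both be single addresses or both be subnet addresses for the given netmask, and it loads the two entries from the examples above. Class and function names are assumptions.

```python
import ipaddress
from typing import List, Tuple


class DnsTranslationEntry:
    """One 'add src <source_ip> dst <destination_ip> netmask <netmask_ip>' entry."""

    def __init__(self, src: str, dst: str, netmask: str) -> None:
        self.src = ipaddress.IPv4Address(src)
        self.dst = ipaddress.IPv4Address(dst)
        # IPv4Network validates that the netmask is a proper contiguous mask.
        self.mask = int(ipaddress.IPv4Network(f"0.0.0.0/{netmask}").netmask)
        # The netmask applies to both addresses, which must both be single
        # hosts or both be subnet addresses (no host bits set under the mask).
        if self.mask != 0xFFFFFFFF:
            for label, addr in (("src", self.src), ("dst", self.dst)):
                if int(addr) & ~self.mask & 0xFFFFFFFF:
                    raise ValueError(f"{label} {addr} is not a subnet address for netmask {netmask}")

    def key(self) -> Tuple[int, int, int]:
        return int(self.src), int(self.dst), self.mask

    def matches(self, answer: str) -> bool:
        """True if the address in a DNS reply falls under this entry's src/netmask."""
        return int(ipaddress.IPv4Address(answer)) & self.mask == int(self.src) & self.mask

    def translate(self, answer: str) -> str:
        """Rewrite the matched address to the dst side, keeping the host bits."""
        host_bits = int(ipaddress.IPv4Address(answer)) & ~self.mask & 0xFFFFFFFF
        return str(ipaddress.IPv4Address((int(self.dst) & self.mask) | host_bits))


class DnsTranslation:
    """Models 'set firewall dnstranslation': the enable flag plus the entry list."""

    def __init__(self) -> None:
        self.enabled = False          # default: disable
        self.entries: List[DnsTranslationEntry] = []

    def add(self, src: str, dst: str, netmask: str) -> None:
        self.entries.append(DnsTranslationEntry(src, dst, netmask))

    def delete(self, src: str, dst: str, netmask: str) -> bool:
        """Remove the entry with exactly this src/dst/netmask; True if one was removed."""
        key = DnsTranslationEntry(src, dst, netmask).key()
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.key() != key]
        return len(self.entries) != before

    def rewrite_answer(self, answer: str) -> str:
        """Address an external client sees in a reply sent by the internal DNS server.

        The caller has already decided the reply is travelling from the internal
        network to the external network; only that direction is translated."""
        if not self.enabled:
            return answer
        for entry in self.entries:
            if entry.matches(answer):
                return entry.translate(answer)
        return answer


def manual_example() -> DnsTranslation:
    """The two entries from the examples above, with DNS translation enabled."""
    dt = DnsTranslation()
    dt.enabled = True    # set firewall dnstranslation enable
    dt.add("192.168.1.23", "64.23.2.23", "255.255.255.255")
    dt.add("192.168.20.0", "64.28.4.0", "255.255.255.0")
    return dt


if __name__ == "__main__":
    dt = manual_example()
    for answer in ("192.168.1.23", "192.168.20.77", "10.0.0.5"):
        print(answer, "->", dt.rewrite_answer(answer))
```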


set firewall ipmacbinding setting
Use this command to configure IP/MAC binding settings. You can enable or disable IP/MAC binding for traffic going to or through the FortiGate unit. You can allow or block traffic not defined in the IP/MAC binding table.

Syntax description

Keyword: bindthroughfw {enable | disable}
Description: Enable or disable IP/MAC binding for traffic going through the firewall.
Default: disable
Availability: All models.

Keyword: bindtofw {enable | disable}
Description: Enable or disable IP/MAC binding for traffic going to the firewall.
Default: disable
Availability: All models.

Keyword: undefinedhost {allow | block}
Description: Available when you enable either bindthroughfw or bindtofw. Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list. Setting undefinedhost configures this behavior for traffic going through the firewall and traffic going to the firewall. Enter allow to allow packets with IP and MAC address pairs that are not added to the IP/MAC binding list. Enter block to block packets with IP and MAC address pairs that are not added to the IP/MAC binding list.
Default: block
Availability: All models.

Examples
Use the following command to enable IP/MAC binding for traffic through the firewall and to allow traffic with IP and MAC addresses that are not defined in the IP/MAC list.

set firewall ipmacbinding setting bindthroughfw enable undefinedhost allow

Use the following command to enable IP/MAC binding in traffic to the firewall and to block traffic with IP and MAC addresses that are not defined in the IP/MAC list.

set firewall ipmacbinding setting bindtofw enable undefinedhost block

Related commands
• get firewall ipmacbinding
• unset firewall ipmacbinding
• set firewall ipmacbinding table


set firewall ipmacbinding table
Use this command to add IP and MAC address pairs to the IP/MAC binding table or to edit IP and MAC address pairs added to the IP/MAC binding table. Use the command unset firewall ipmacbinding to delete IP and MAC address pairs from the IP/MAC binding table.

Syntax description

Keyword: ip <address_ip>
Description: The IP address to add to the IP/MAC binding table. You can bind multiple IP addresses to the same MAC address. You cannot bind multiple MAC addresses to the same IP address. You can set the IP address to 0.0.0.0 for multiple MAC addresses. This means that all packets with the MAC address are allowed to continue through the firewall to be matched with a firewall policy.
Default: 0.0.0.0
Availability: All models.

Keyword: mac <address_hex>
Description: The MAC address to add to the IP/MAC binding table. You can set the MAC address to 00:00:00:00:00:00 for multiple IP addresses. This means that all packets with these IP addresses are allowed to continue through the firewall to be matched with a firewall policy.
Default: 00:00:00:00:00:00
Availability: All models.

Keyword: name <name_str>
Description: Optional name for this entry in the IP/MAC address table.
Default: No default.
Availability: All models.

Keyword: status {enable | disable}
Description: Enable or disable IP/MAC binding for this address pair.
Default: disable
Availability: All models.

Examples
Use the following command to add an IP/MAC address pair with IP address 205.33.44.55 and MAC address 00:10:F3:04:7A:4C. The name for the IP/MAC binding pair is remoteadmin.

set firewall ipmacbinding name remoteadmin ip 205.33.44.55 mac 00:10:F3:04:7A:4C

Use the following command to enable the IP/MAC address pair:

set firewall ipmacbinding name remoteadmin status enable

Related commands
• set firewall ipmacbinding setting
• get firewall ipmacbinding
• unset firewall ipmacbinding
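The two ipmacbinding commands above together decide whether a packet with a given IP/MAC pair continues to policy matching. The Python below is an added example, not Fortinet code, that models that decision from the keyword descriptions: the 0.0.0.0 and 00:00:00:00:00:00 wildcards, the rule that one IP may not be bound to several MACs, disabled entries, per-direction enforcement, and the undefinedhost setting for pairs that are not in the table. It reuses the remoteadmin entry from the example above; the other entries, addresses and function names are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

ANY_IP = "0.0.0.0"                 # wildcard IP: every IP seen from the MAC
ANY_MAC = "00:00:00:00:00:00"      # wildcard MAC: every MAC seen with the IP
_MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Upper-case colon form, as the manual writes MAC addresses."""
    mac = mac.strip().upper().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    return mac


@dataclass
class BindingEntry:
    """One 'set firewall ipmacbinding table' entry."""
    name: str
    ip: str = ANY_IP                 # default 0.0.0.0
    mac: str = ANY_MAC               # default 00:00:00:00:00:00
    status: bool = False             # default disable

    def covers(self, ip: str, mac: str) -> bool:
        return (self.ip == ANY_IP or self.ip == ip) and (self.mac == ANY_MAC or self.mac == mac)


@dataclass
class IpMacBinding:
    """Models 'set firewall ipmacbinding setting' plus the binding table."""
    bindthroughfw: bool = False      # default disable
    bindtofw: bool = False           # default disable
    undefinedhost: str = "block"     # default block
    table: List[BindingEntry] = field(default_factory=list)

    def add(self, name: str, ip: str, mac: str, status: bool = False) -> BindingEntry:
        mac = normalize_mac(mac)
        # Multiple IPs may bind to one MAC, but one IP may not bind to several MACs.
        for e in self.table:
            if e.ip == ip and ip != ANY_IP and e.mac != mac:
                raise ValueError(f"{ip} is already bound to {e.mac} (entry {e.name})")
        entry = BindingEntry(name, ip, mac, status)
        self.table.append(entry)
        return entry

    def check(self, ip: str, mac: str, to_firewall: bool) -> Tuple[str, str]:
        """Decide 'allow' or 'block' for one packet, with the reason.

        'allow' only means the packet continues to be matched with a firewall
        policy; it is not an accept decision by itself."""
        enforced = self.bindtofw if to_firewall else self.bindthroughfw
        if not enforced:
            return "allow", "IP/MAC binding not enabled for this direction"
        mac = normalize_mac(mac)
        for e in self.table:
            if e.status and e.covers(ip, mac):
                return "allow", f"matches binding {e.name}"
        # A pair not in the list, including an IP that is bound to a different
        # MAC, is an undefined host as the keyword description defines it, so
        # undefinedhost decides; only 'block' makes a binding mismatch fail.
        return self.undefinedhost, "pair not in IP/MAC binding table"


def manual_example() -> IpMacBinding:
    """The remoteadmin entry from the example above plus constructed entries."""
    b = IpMacBinding(bindthroughfw=True, undefinedhost="block")
    b.add("remoteadmin", "205.33.44.55", "00:10:F3:04:7A:4C", status=True)
    b.add("printer", "10.1.1.9", "AA:BB:CC:DD:EE:01", status=False)   # constructed, left disabled
    b.add("mgmt_laptop", ANY_IP, "AA:BB:CC:DD:EE:02", status=True)    # constructed: any IP from this MAC
    return b


if __name__ == "__main__":
    b = manual_example()
    print(b.check("205.33.44.55", "00:10:f3:04:7a:4c", to_firewall=False))
    print(b.check("205.33.44.55", "DE:AD:BE:EF:00:01", to_firewall=False))
```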


set firewall ippool
Use this command to add IP address pools used in NAT mode policies set to dynamic IP pool. Using dynamic IP pools, NAT mode firewall policies translate source addresses to an address randomly selected from the IP pool. You can add multiple IP pools to any interface, but only the first IP pool is used by the firewall.

Syntax description

Keyword: interface <intf_str> <start_ip-end_ip> [<start_ip-end_ip> [<start_ip-end_ip> ...]]
Description: Add an IP pool with the specified start and end IP addresses to the named interface. Separate the start and end IP addresses with a hyphen. On FortiGate models 400 and up the interface can also be a VLAN subinterface. The start IP and end IP of an IP pool must define the start and end of an address range. The start IP must be lower than the end IP. The start IP and end IP must be on the same subnet as the IP address of the interface for which you are adding the IP pool.
Default: No default.
Availability: All models. Not available in Transparent mode.

Examples
Use the following command to add an IP pool with these characteristics to the firewall configuration:

• interface name: internal
• start of IP address range: 192.168.1.100
• end of IP address range: 192.168.1.200

set firewall ippool interface internal 192.168.1.100-192.168.1.200

Use the following command to add two IP pools with these characteristics to the firewall configuration:

• interface name: external
• start of first IP pool address range: 32.34.67.100
• end of first IP pool address range: 32.34.67.110
• start of second IP pool address range: 32.34.67.130
• end of second IP pool address range: 32.34.67.140

set firewall ippool interface internal 32.34.67.100-32.34.67.110 32.34.67.130-32.34.67.140

Related commands
• get firewall ippool
• get firewall policy
• unset firewall ippool


set firewall onetimeschedule
Add and edit one-time schedules.

Use scheduling to control when policies are active or inactive. You can use one-time schedules to create policies that are effective once for the period of time specified in the schedule.

Syntax description

Keyword: <name_str>
Description: Add or edit a one-time schedule. <name_str> is the name of the one-time schedule to add or edit.
Default: No default.
Availability: All models.

Keyword: end <yyyy/mm/dd> <hh:mm>
Description: The ending day and time of the schedule.
  • mm (in yyyy/mm/dd) - 01 to 12
  • dd - 01 to 31
  • hh - 00 to 23
  • mm (in hh:mm) - 00, 15, 30, or 45
Default: No default.
Availability: All models.

Keyword: start <yyyy/mm/dd> <hh:mm>
Description: The starting day and time of the schedule.
  • mm (in yyyy/mm/dd) - 01 to 12
  • dd - 01 to 31
  • hh - 00 to 23
  • mm (in hh:mm) - 00, 15, 30, or 45
Default: No default.
Availability: All models.

Example
Use the following command to add a one-time schedule named Holiday that is valid from 5:00 pm on 30 August 2003 until 8:45 am on 3 September 2003.

set firewall onetimeschedule Holiday start 2003/08/30 17:00 end 2003/09/03 08:45

Related commands
• set firewall policy
• set firewall recurringschedule
• get firewall schedule
• unset firewall onetimeschedule

Note: To edit a schedule, you must redefine the entire schedule, including your changes. This means entering all of the schedule parameters, both those that are changing and those that are not.
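As an added example, not Fortinet code, the Python below parses a complete set firewall onetimeschedule command in the yyyy/mm/dd hh:mm form the table above specifies, rejects values outside the listed ranges (including minutes other than 00, 15, 30 or 45), and reports whether a policy using the schedule is active at a given time, using the Holiday schedule from the example. Two things the manual does not state are assumptions here: the end must be after the start, and both endpoints count as active.

```python
import re
from datetime import datetime

_DATE_RE = re.compile(r"^(\d{4})/(\d{2})/(\d{2})$")
_TIME_RE = re.compile(r"^(\d{2}):(\d{2})$")
_ALLOWED_MINUTES = (0, 15, 30, 45)   # the CLI takes mm of 00, 15, 30, or 45 only


def parse_schedule_time(date_str: str, time_str: str) -> datetime:
    """Parse one '<yyyy/mm/dd> <hh:mm>' value as the start/end keywords take it."""
    d = _DATE_RE.match(date_str)
    t = _TIME_RE.match(time_str)
    if d is None or t is None:
        raise ValueError(f"expected yyyy/mm/dd hh:mm, got {date_str!r} {time_str!r}")
    year, month, day = (int(x) for x in d.groups())
    hour, minute = (int(x) for x in t.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"month must be 01 to 12, got {month:02d}")
    if not 1 <= day <= 31:
        raise ValueError(f"day must be 01 to 31, got {day:02d}")
    if not 0 <= hour <= 23:
        raise ValueError(f"hour must be 00 to 23, got {hour:02d}")
    if minute not in _ALLOWED_MINUTES:
        raise ValueError(f"minute must be 00, 15, 30, or 45, got {minute:02d}")
    # datetime() rejects days that do not exist in the month, e.g. 2003/02/30.
    return datetime(year, month, day, hour, minute)


class OneTimeSchedule:
    """A named one-time schedule: active once, from start to end."""

    def __init__(self, name: str, start: datetime, end: datetime) -> None:
        # Assumption (not stated in the manual): the end must come after the start.
        if end <= start:
            raise ValueError(f"schedule {name}: end {end} is not after start {start}")
        self.name, self.start, self.end = name, start, end

    def is_active(self, at: datetime) -> bool:
        # Assumption: both endpoints are inclusive.
        return self.start <= at <= self.end


def parse_onetimeschedule(command: str) -> OneTimeSchedule:
    """Parse a whole 'set firewall onetimeschedule <name> start <date> <time> end <date> <time>' line.

    The complete schedule is required, matching the note above that editing a
    schedule means redefining every parameter."""
    tok = command.split()
    if (len(tok) != 10 or tok[:3] != ["set", "firewall", "onetimeschedule"]
            or tok[4] != "start" or tok[7] != "end"):
        raise ValueError(f"malformed onetimeschedule command: {command!r}")
    return OneTimeSchedule(tok[3], parse_schedule_time(tok[5], tok[6]),
                           parse_schedule_time(tok[8], tok[9]))


def active_at(schedule: OneTimeSchedule, stamp: str) -> bool:
    """Convenience for callers: stamp in 'yyyy/mm/dd hh:mm' form, any minute value."""
    return schedule.is_active(datetime.strptime(stamp, "%Y/%m/%d %H:%M"))


if __name__ == "__main__":
    holiday = parse_onetimeschedule(
        "set firewall onetimeschedule Holiday start 2003/08/30 17:00 end 2003/09/03 08:45")
    for stamp in ("2003/08/30 16:59", "2003/09/01 12:00", "2003/09/03 08:46"):
        print(holiday.name, stamp, "active" if active_at(holiday, stamp) else "inactive")
```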


set firewall policy
Use this command to add and edit firewall policies.

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. The policy directs the firewall to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN packet.

Syntax description

Keyword: srcintf <intf_str>
Description: Enter the source interface for the policy. On all FortiGate models srcintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone. You cannot add an interface or VLAN subinterface that has been added to a zone.
Default: No default.
Availability: All models.

Keyword: dstintf <intf_str>
Description: Enter the destination interface for the policy. On all FortiGate models dstintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone. You cannot add an interface or VLAN subinterface that has been added to a zone.
Default: No default.
Availability: All models.

Keyword: move <sequence-number_integer> to <sequence-number_integer>
Description: Change the order of policies in a policy list by changing the number of a policy. Changing the number of the policy moves it from its current place in a policy list to another location in the same policy list. Enter get firewall policy to list all policies.
Default: No default.
Availability: All models.

Keyword: policyid <policy-id_integer>
Description: Enter an ID number for the policy. Every firewall policy is identified by its srcintf, dstintf, and policyid. Every srcintf, dstintf, and policyid combination must be unique. If you enter a new srcintf, dstintf, and policyid, this command adds a new policy. If you enter a srcintf, dstintf, and policyid that already exists, this command edits that policy. The web-based manager assigns policy IDs automatically. When using the CLI, policy IDs must be assigned manually. Enter get firewall policy to list the policy ID numbers already in use.
Default: No default.
Availability: All models.


Keyword: action {accept | deny | encrypt}
Description: Enter the action for the policy.
  Enter accept to accept packets that match the firewall policy. If you enter accept you can also enter authentication to enable authentication for the policy, nat to make this a NAT policy (NAT/Route mode only), ippool so that the NAT policy selects a source address for packets from a pool of IP addresses added to the destination interface, and fixedport so that the NAT policy does not translate the packet source port.
  Enter deny to deny packets that match the firewall policy. If you enter deny you do not have to add additional keywords.
  Enter encrypt to configure the policy to be an encrypt policy for IPSec tunnels. If you enter encrypt you can also enter inbound, natinbound, outbound, and natoutbound to control the VPN traffic allowed by the policy. encrypt is available in NAT/Route mode only.
Default: deny
Availability: All models.

Keyword: avwebfilter {<profile_str> | none}
Description: Turn antivirus protection, web content filtering, and email filtering on or off for a policy. Enter a profile name to add the content profile to the policy; profile_str is case-sensitive. Enter none to remove the current content profile from the policy.
Default: none
Availability: action set to accept or encrypt.

Keyword: comment <comment_str>
Description: Optionally add a description or other information about the policy. comment_str is limited to 63 characters and cannot contain spaces.
Default: No default.
Availability: All models.

Keyword: dstaddr <name_str>
Description: Enter the destination address for the policy. The destination address must have been added to the destination interface. For a NAT policy you can also add a virtual IP. See "set firewall vip" on page 64. name_str is case-sensitive.
Default: No default.
Availability: All models.

Keyword: logtraffic {enable | disable}
Description: Enable or disable recording traffic log messages for connections accepted by this policy.
Default: disable
Availability: action set to accept or encrypt.

Keyword: schedule <name_str>
Description: Enter the name of the one-time or recurring schedule to use for the policy. name_str is case-sensitive.
Default: Always
Availability: All models.

Keyword: service <name_str>
Description: Enter the name of the service to use for the policy. name_str is case-sensitive.
Default: ANY
Availability: All models.

Keyword: srcaddr <name_str>
Description: Enter the source address for the policy. The source address must have been added to the source interface. name_str is case-sensitive.
Default: No default.
Availability: All models.

Keyword: status {enable | disable}
Description: Enable or disable a policy.
Default: enable
Availability: All models.

Keyword: trafficshaping {enable | disable}
Description: Enable or disable traffic shaping. If you enable traffic shaping you can set gbandwidth, maxbandwidth, and priority.
Default: disable
Availability: action set to accept or encrypt.


Dependent keywords

Keyword: authentication {enable <usrgrp_str> | disable}
Description: Enable or disable authentication for the policy. If you enable authentication, enter the name of the user group to be used for authenticating users that connect using this policy. usrgrp_str is case-sensitive.
Default: disable
Availability: NAT/Route mode, action set to accept.

Keyword: nat {enable | disable}
Description: Configure the policy for network address translation (NAT). NAT translates the source address and the source port of packets accepted by the policy. If you enable NAT you can enter ippool and fixedport.
Default: disable
Availability: NAT/Route mode, action set to accept.

Keyword: fixedport {enable | disable}
Description: Prevent a NAT policy from translating the source port. Some applications do not function correctly if the source port is changed. If you enter fixedport, you should also enable IP pools. If you do not enable IP pools, a policy with fixedport can only allow one connection at a time for this port or service.
Default: disable
Availability: NAT/Route mode, action set to accept, nat and ippool enabled.

Keyword: ippool {enable | disable}
Description: Configure a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy. Use IP pools if you must specify fixedport for a service or for dynamic NAT.
Default: disable
Availability: NAT/Route mode, action set to accept, nat enabled.

Keyword: inbound {allow | deny}
Description: Configure the policy to allow or deny inbound VPN tunnels that match this policy.
Default: allow
Availability: action set to encrypt.

Keyword: natinbound {enable | disable}
Description: Enable or disable inbound NAT for VPN tunnels that match this policy.
Default: disable
Availability: action set to encrypt.

Keyword: natoutbound {enable | disable}
Description: Enable or disable outbound NAT for VPN tunnels that match this policy.
Default: disable
Availability: action set to encrypt.

Keyword: outbound {allow | deny}
Description: Configure the policy to allow or deny outbound VPN tunnels that match this policy.
Default: allow
Availability: action set to encrypt.

Keyword: vpntunnel <tunnel-name_str>
Description: Enter the name of the AutoIKE key or manual key tunnel for the IPSec policy. tunnel-name_str is case-sensitive.
Default: disable
Availability: action set to encrypt.

Keyword: gbandwidth <bandwidth_integer>
Description: Guarantee the amount of bandwidth available for traffic controlled by the policy. bandwidth_integer can be 0 to 100000 Kbytes/second.
Default: 0
Availability: Traffic shaping enabled.

Keyword: maxbandwidth <bandwidth_integer>
Description: Limit the maximum amount of bandwidth available for traffic controlled by the policy. bandwidth_integer can be 0 to 100000 Kbytes/second. If maximum bandwidth is set to 0 no traffic is allowed by the policy.
Default: 0
Availability: Traffic shaping enabled.

Keyword: priority {high | medium | low}
Description: Set the priority for traffic controlled by the policy. The available settings are high for high priority traffic, medium for medium priority traffic, and low for low priority traffic.
Default: high
Availability: Traffic shaping enabled.


Examples
On a FortiGate-100, 200, or 300, use the following command to add a policy that allows users on the external network to access a web server on a DMZ network. The policy:

• Is for connections from the external interface (srcintf is external) to the DMZ interface (dstintf is dmz)
• Has a policy ID of 100
• Is enabled
• Allows users from any IP address on the Internet to access the web server (srcaddr is External_All)
• Allows access to an address on the DMZ network (dstaddr is an address previously added to the DMZ interface and named DMZ_Web_Server)
• Sets the schedule to Always so that users can access the web server 24 hours a day, seven days a week
• Sets the service to HTTP to limit access to the web server to HTTP connections
• Sets action to accept to allow connections
• Applies network address translation (nat is enabled)
• Applies traffic shaping to guarantee 100 KBytes/s of bandwidth is available, to limit the maximum bandwidth to 500 KBytes/second, and to set the priority for the traffic accepted by this policy to medium (trafficshaping enabled, gbandwidth set to 100, maxbandwidth set to 500, priority set to medium)
• Applies virus scanning using the Web content profile (avwebfilter set to Web)

set firewall policy srcintf external dstintf dmz policyid 100 status enable srcaddr External_All dstaddr DMZ_Web_Server schedule Always action accept trafficshaping enable gbandwidth 100 maxbandwidth 500 priority medium avwebfilter Web

Related commands
• get firewall policy
• unset firewall policy


set firewall profile
Use this command to add or edit firewall content profiles. This command starts a shell to configure the content profile. In this shell you can view and change the content profile settings.

Use content profiles to apply different protection settings for content traffic controlled by firewall policies.

Syntax description

For each profile, you can change settings for the HTTP, SMTP, POP3, IMAP, and FTP services.

Keyword: <profilename_str>
Description: The name of the profile to add or edit. Type in the profile name and press return to access the profile shell.
Default: No default.
Availability: All models.

Keyword: exit {Yes/No}
Description: Exit the profile shell without saving your changes. Type Yes to exit the profile shell. Type No to return to the profile setting shell prompt. If you have just used set firewall profile to add a new profile, typing exit in the profile shell exits without saving the new profile. If you enter exit while editing a profile that was previously added, changes you have made to the profile are lost, but the profile is not deleted. Use the command unset firewall profile <profilename_str> to delete a profile.
Default: No default.
Availability: All models.

Keyword: save
Description: Exit the profile shell and save your changes.
Default: No default.
Availability: All models.

Keyword: show [<service_str>]
Description: In the content profile shell, show the settings for all services. Entering a <service_str> shows the settings for that service. <service_str> can be http, smtp, pop3, imap, or ftp.
Default: No default.
Availability: All models.

ftp

Keyword: block {enable | disable}
Description: For this content profile, enable or disable deleting files from FTP traffic with blocked file patterns.
Default: disable
Availability: All models.

Keyword: oversize {pass | block}
Description: For this content profile, allow oversized files in FTP traffic to pass through the firewall or block oversized files in FTP traffic from passing through the firewall.
Default: pass
Availability: All models.

Keyword: quarantine {enable | disable}
Description: For this content profile, enable or disable quarantining blocked or infected files found in FTP traffic.
Default: disable
Availability: Models with a hard disk only.

Keyword: scan {enable | disable}
Description: For this content profile, enable or disable scanning FTP traffic for viruses and worms.
Default: disable
Availability: All models.


http

Keyword: bannedword {enable | disable}
Description: For this content profile, enable or disable web content filtering content blocking (also called the banned word list).
Default: disable
Availability: All models.

Keyword: block {enable | disable}
Description: For this content profile, enable or disable deleting files from HTTP traffic with blocked file patterns.
Default: disable
Availability: All models.

Keyword: oversize {pass | block}
Description: For this content profile, allow oversized files in HTTP traffic to pass through the firewall or block oversized files in HTTP traffic from passing through the firewall.
Default: pass
Availability: All models.

Keyword: quarantine {enable | disable}
Description: For this content profile, enable or disable quarantining blocked or infected files found in HTTP traffic.
Default: disable
Availability: Models with a hard disk only.

Keyword: scan {enable | disable}
Description: For this content profile, enable or disable scanning HTTP traffic for viruses and worms.
Default: disable
Availability: All models.

Keyword: scriptfilter {enable | disable}
Description: For this content profile, enable or disable the web content filtering script filter.
Default: disable
Availability: All models.

Keyword: urlblock {enable | disable}
Description: For this content profile, enable or disable web content filtering URL blocking.
Default: disable
Availability: All models.

Keyword: urlexempt {enable | disable}
Description: For this content profile, enable or disable the web content filtering exempt URL list.
Default: disable
Availability: All models.

imap

Keyword: bannedword {enable | disable}
Description: For this content profile, enable or disable tagging of IMAP email containing words on the email filter content blocking (also called the banned word) list.
Default: disable
Availability: All models.

Keyword: block {enable | disable}
Description: For this content profile, enable or disable deleting files from IMAP traffic with blocked file patterns.
Default: disable
Availability: All models.

Keyword: blocklist {enable | disable}
Description: For this content profile, enable or disable tagging of IMAP email from email addresses on the email filter block list.
Default: disable
Availability: All models.

Keyword: exemptlist {enable | disable}
Description: For this content profile, enable or disable exempting IMAP email from email addresses on the email filter exempt list.
Default: disable
Availability: All models.

Keyword: fragmail {pass | block}
Description: For this content profile, allow fragmented IMAP email messages to pass through the firewall or block fragmented IMAP email messages from passing through the firewall.
Default: block
Availability: All models.

Keyword: oversize {pass | block}
Description: For this content profile, allow oversized files in IMAP traffic to pass through the firewall or block oversized files in IMAP traffic from passing through the firewall.
Default: pass
Availability: All models.

Keyword: quarantine {enable | disable}
Description: For this content profile, enable or disable quarantining blocked or infected files found in IMAP traffic.
Default: disable
Availability: Models with a hard disk only.

Keyword: scan {enable | disable}
Description: For this content profile, enable or disable scanning IMAP traffic for viruses and worms.
Default: disable
Availability: All models.

58 Fortinet Inc.

Page 59: Manual Fortinet

set commands set firewall profile

pop3

smtp

ExamplesUse the following commands to add a new content profile named ScanPOP3 that applies virus scanning to POP3 traffic and quarantines all infected files. In addition the following commands turn off virus scanning for HTTP, FTP, SMTP, and IMAP traffic.

set firewall profile ScanPOP3Entering configure mode for firewall profile "ScanPOP3" . . .Use "save" to commit changes and "exit" to cancel

Keyword Description Default Availabilitybannedword {enable | disable}

For this content profile, enable or disable tagging of POP3 email containing words on the email filter content blocking (also called the banned word) list.

disable All models.

block {enable | disable} For this content profile, enable or disable deleting files from POP3 traffic with blocked file patterns.

disable All models.

blocklist {enable | disable}

For this content profile, enable or disable tagging of POP3 email from email addresses on the email filter block list.

disable All models.

exemptlist {enable | disable}

For this content profile, enable or disable exempting POP3 email from email addresses on the email filter exempt list.

disable All models.

fragmail {pass | block} Allow fragmented POP3 email messages to pass through the firewall or block fragmented POP3 email messages from passing through the firewall in this content profile.

block All models.

oversize {pass | block} For this content profile, allow oversized files in POP3 traffic to pass through the firewall or block oversized files in POP3 traffic from passing through the firewall.

pass All models.

quarantine {enable | disable}

Enable or disable storing blocked or infected files found in POP3 traffic in the file quarantine on the FortiGate hard disk in this content profile.

disable Models with a hard disk only.

scan {enable | disable} For this content profile, enable or disable scanning POP3 traffic for viruses and worms.

disable All models.

Keyword Description Default Availabilityblock {enable | disable} For this content profile, enable or disable deleting

files from SMTP traffic with blocked file patterns.disable All models.

fragmail {pass | block} For this content profile, allow fragmented SMTP email messages to pass through the firewall or block fragmented SMTP email messages from passing through the firewall.

block All models

oversize {pass | block} For this content profile, allow oversized files in SMTP traffic to pass through the firewall or block oversized files in SMTP traffic from passing through the firewall.

pass All models

quarantine {enable | disable}

For this content profile, enable or disable quarantining blocked or infected files found in SMTP traffic.

disable Models with a hard disk only.

scan {enable | disable} For this content profile, enable or disable scanning SMTP traffic for viruses and worms.

disable All models.

FortiGate CLI Reference Guide 59

Page 60: Manual Fortinet

set firewall profile set commands

Use the show command to view the default settings for the new content profile.

show

Enable quarantine for POP3.

pop3 quarantine enable

Disable scanning for HTTP, SMTP, IMAP, and FTP:

http scan disable

smtp scan disable

imap scan disable

ftp scan disable

Save your changes and exit from the profile shell.

save

View the configuration of the new content profile.

get firewall profile ScanPOP3

Related commands• get firewall profile• unset firewall profile
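The keyword tables and the ScanPOP3 procedure above, replayed through a small model that applies profile shell lines against the documented value sets and defaults and then audits the result; this is an added example, not Fortinet code, and the ftp defaults are limited to the three keywords shown in this section. Because the pop3 scan default in the table is disable, the printed sequence never turns pop3 scanning on, and the audit reports that.

```python
"""Apply FortiGate content profile shell lines and audit the effective settings.

Added example for the "set firewall profile" tables (not Fortinet code). The
allowed values and defaults are copied from the keyword tables; the ftp table
here only contains the keywords visible in this section.
"""
ENABLE_DISABLE = ("enable", "disable")
PASS_BLOCK = ("pass", "block")

# Mail keywords shared by imap and pop3 (smtp uses a subset): keyword -> (allowed, default)
MAIL = {"bannedword": (ENABLE_DISABLE, "disable"), "block": (ENABLE_DISABLE, "disable"),
        "blocklist": (ENABLE_DISABLE, "disable"), "exemptlist": (ENABLE_DISABLE, "disable"),
        "fragmail": (PASS_BLOCK, "block"), "oversize": (PASS_BLOCK, "pass"),
        "quarantine": (ENABLE_DISABLE, "disable"), "scan": (ENABLE_DISABLE, "disable")}

PROFILE_KEYWORDS = {
    "ftp": {"oversize": (PASS_BLOCK, "pass"), "quarantine": (ENABLE_DISABLE, "disable"),
            "scan": (ENABLE_DISABLE, "disable")},
    "http": {"bannedword": (ENABLE_DISABLE, "disable"), "block": (ENABLE_DISABLE, "disable"),
             "oversize": (PASS_BLOCK, "pass"), "quarantine": (ENABLE_DISABLE, "disable"),
             "scan": (ENABLE_DISABLE, "disable"), "scriptfilter": (ENABLE_DISABLE, "disable"),
             "urlblock": (ENABLE_DISABLE, "disable"), "urlexempt": (ENABLE_DISABLE, "disable")},
    "imap": dict(MAIL),
    "pop3": dict(MAIL),
    "smtp": {k: MAIL[k] for k in ("block", "fragmail", "oversize", "quarantine", "scan")},
}
# "Models with a hard disk only" in the tables.
HARD_DISK_ONLY = {"quarantine"}


class ContentProfile:
    def __init__(self, name, has_hard_disk=True):
        self.name = name
        self.has_hard_disk = has_hard_disk
        # Start from the documented defaults, as "show" would display them.
        self.settings = {proto: {kw: spec[1] for kw, spec in kws.items()}
                         for proto, kws in PROFILE_KEYWORDS.items()}

    def apply(self, command):
        """Apply one profile shell line such as "pop3 quarantine enable"."""
        parts = command.split()
        if len(parts) != 3:
            raise ValueError(f"expected '<protocol> <keyword> <value>': {command!r}")
        proto, keyword, value = parts
        try:
            allowed, _default = PROFILE_KEYWORDS[proto][keyword]
        except KeyError:
            raise ValueError(f"unknown keyword: {proto} {keyword}") from None
        if value not in allowed:
            raise ValueError(f"{proto} {keyword} takes {allowed}, got {value!r}")
        if keyword in HARD_DISK_ONLY and value == "enable" and not self.has_hard_disk:
            raise ValueError(f"{proto} {keyword} is only available on models with a hard disk")
        self.settings[proto][keyword] = value

    def audit(self):
        """Return findings about protocols the profile leaves unscanned or misconfigured."""
        findings = []
        for proto, kws in self.settings.items():
            if kws["scan"] == "disable":
                findings.append(f"{proto}: virus scanning is off")
            if kws["quarantine"] == "enable" and kws["scan"] == "disable":
                findings.append(f"{proto}: quarantine is on but nothing is scanned")
        return findings


def scan_pop3_profile(has_hard_disk=True):
    """The manual's ScanPOP3 command sequence, replayed through the model."""
    profile = ContentProfile("ScanPOP3", has_hard_disk)
    for line in ("pop3 quarantine enable", "http scan disable", "smtp scan disable",
                 "imap scan disable", "ftp scan disable"):
        profile.apply(line)
    return profile


if __name__ == "__main__":
    for finding in scan_pop3_profile().audit():
        print(finding)
```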

set firewall recurringschedule
Use this command to add and edit recurring schedules used in firewall policies.

Use scheduling to control when policies are active or inactive. Use recurring schedules to create policies that repeat weekly. You can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week.

Note: If you create a recurring schedule with a stop time that occurs before the start time, the schedule will start at the start time and finish at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time.

Syntax description

<schedule-name_str>
  Add or edit a recurring schedule. <schedule-name_str> is the name of the recurring schedule to add or edit.
  Default: No default. Availability: All models.

day {sunday monday tuesday wednesday thursday friday saturday}
  Enter the names of one or more days of the week for which the schedule is valid. Separate the names with a space.
  Default: No default. Availability: All models.

end <hh:mm>
  The ending time of the schedule.
  • hh can be 00 to 23
  • mm can be 00, 15, 30, or 45 only
  Default: 00:00. Availability: All models.

start <hh:mm>
  The starting time of the schedule.
  • hh can be 00 to 23
  • mm can be 00, 15, 30, or 45 only
  Default: 00:00. Availability: All models.

Example
Use the following command to add a recurring schedule named access so that it is valid Monday to Friday from 7:45 am to 5:30 pm.

set firewall recurringschedule access day monday tuesday wednesday thursday friday start 07:45 end 17:30

Edit the recurring schedule named access so that it is no longer valid on Fridays.

set firewall recurringschedule access day monday tuesday wednesday thursday start 07:45 end 17:30

Related commands
• set firewall policy
• set firewall onetimeschedule
• get firewall schedule
• unset firewall recurringschedule
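The schedule rules described above (quarter-hour minutes only, a stop time before the start time spilling into the next day, equal start and stop meaning 24 hours), as an added Python evaluator that is not part of the manual. It parses the page's own command line; treating the stop time as exclusive is this example's assumption, since the manual does not say.

```python
"""Evaluate a FortiGate-style recurring schedule against a timestamp.

Added example for "set firewall recurringschedule" (not Fortinet code). It
implements the documented rules: hh is 00-23, mm is 00/15/30/45 only, a stop
time earlier than the start time wraps into the next day, and equal start and
stop times mean the schedule runs 24 hours. The stop time is treated as
exclusive (an assumption of this example).
"""
from datetime import datetime

# Monday first so that the index matches datetime.weekday().
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def parse_hhmm(text):
    """Parse "hh:mm" into minutes past midnight, enforcing the manual's limits."""
    hh_text, mm_text = text.split(":")
    hh, mm = int(hh_text), int(mm_text)
    if not 0 <= hh <= 23:
        raise ValueError(f"hour out of range: {text}")
    if mm not in (0, 15, 30, 45):
        raise ValueError(f"minutes must be 00, 15, 30 or 45: {text}")
    return hh * 60 + mm


def is_valid_hhmm(text):
    try:
        parse_hhmm(text)
        return True
    except ValueError:
        return False


class RecurringSchedule:
    def __init__(self, name, days, start="00:00", end="00:00"):
        unknown = set(days) - set(DAYS)
        if unknown:
            raise ValueError(f"unknown day(s): {sorted(unknown)}")
        self.name = name
        self.days = set(days)
        self.start = parse_hhmm(start)
        self.end = parse_hhmm(end)

    @classmethod
    def from_cli(cls, line):
        """Build a schedule from a "set firewall recurringschedule ..." command line."""
        tokens = line.split()
        if tokens[:3] != ["set", "firewall", "recurringschedule"]:
            raise ValueError("not a recurringschedule command")
        name = tokens[3]
        days, start, end = [], "00:00", "00:00"
        i = 4
        while i < len(tokens):
            key = tokens[i]
            if key == "day":
                i += 1
                while i < len(tokens) and tokens[i] in DAYS:
                    days.append(tokens[i])
                    i += 1
            elif key in ("start", "end"):
                if key == "start":
                    start = tokens[i + 1]
                else:
                    end = tokens[i + 1]
                i += 2
            else:
                raise ValueError(f"unexpected keyword: {key}")
        return cls(name, days, start, end)

    def is_active(self, when):
        """True if the datetime `when` falls inside the schedule."""
        day = DAYS[when.weekday()]
        prev_day = DAYS[(when.weekday() - 1) % 7]
        minute = when.hour * 60 + when.minute
        if self.start == self.end:
            # Same start and stop time: the full 24 hours of each listed day.
            return day in self.days
        if self.start < self.end:
            # Ordinary same-day window [start, end).
            return day in self.days and self.start <= minute < self.end
        # Stop before start: a window that began on a listed day continues
        # until the stop time on the following day.
        started_today = day in self.days and minute >= self.start
        spilled_from_yesterday = prev_day in self.days and minute < self.end
        return started_today or spilled_from_yesterday


if __name__ == "__main__":
    access = RecurringSchedule.from_cli(
        "set firewall recurringschedule access day monday tuesday wednesday "
        "thursday friday start 07:45 end 17:30")
    print(access.is_active(datetime(2003, 7, 30, 9, 0)))   # Wednesday 09:00
```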

set firewall service custom
Add or edit custom firewall services.

Add a custom service if you need to create a policy for a service that is not in the predefined service list.

Syntax description

<service-name_str>
  Add or edit a custom service. <service-name_str> is the name of the custom service to add or edit.
  Default: No default. Availability: All models.

{tcp | udp}
  The protocol used by the service (tcp or udp).
  Default: No default. Availability: All models.

<srcport-low_integer-srcport-high_integer>
  The source port range for the service. If the source port range can be any port, enter 1-65535. To specify a single port, enter the same port number for srcport-low_integer and srcport-high_integer. For example, if the single port is 5003, enter 5003-5003.
  Default: No default. Availability: All models.

<dstport-low_integer-dstport-high_integer>
  The destination port range for the service. If the destination port range can be any port, enter 1-65535. To specify a single port, enter the same port number for dstport-low_integer and dstport-high_integer. For example, if the single port is 5003, enter 5003-5003.
  Default: No default. Availability: All models.

Example
Use the following command to add a custom service called Custom_1. The service can use any source port. The service destination port range is TCP 4501 to 4503.

set firewall service custom Custom_1 tcp 1-65535 4501-4503

Use the following command to edit Custom_1 to add a UDP destination port of 5632.

set firewall service custom Custom_1 tcp 1-65535 4501-4503 udp 1-65535 5632-5632

Related commands
• unset firewall service
• set firewall policy
• set firewall service group
• get firewall service

set firewall service group
Add or edit firewall service groups.

To make it easier to add policies, you can create groups of services and then add one policy to provide or block access for all the services in the group. A service group can contain predefined services and custom services in any combination. You cannot add service groups to another service group.

Note: To edit a service group, you must enter all of the members of the service group, both those you are changing and those that are staying the same.

Syntax description

<group-name_str>
  Add or edit a service group. <group-name_str> is the name of the service group to add or edit.
  Default: No default. Availability: All models.

member {<service_str> <service_str> <service_str> ...}
  The names, separated by spaces, of the predefined and custom firewall services to add to the service group. Use the command get firewall service group <group-name_str> followed by a space and a ? to list the predefined and custom services. <service_str> is case-sensitive.
  Default: No default. Availability: All models.

Example
Use the following command to add a service group called Web_Services that includes the FTP, HTTP, HTTPS, and Real Audio services.

set firewall service group Web_Services member FTP HTTP HTTPS RAUDIO

Use the following command to add the TELNET service to the Web_Services service group.

set firewall service group Web_Services member FTP HTTP HTTPS RAUDIO TELNET

Related commands
• unset firewall service
• set firewall policy
• set firewall service custom
• get firewall service
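The custom service syntax and the service group rules from the two sections above (any-port ranges written 1-65535, single ports written as 5003-5003, whole-list group edits, no nested groups), as an added matcher that is not Fortinet code. The predefined services FTP, HTTP, HTTPS and TELNET are constructed for the example with their usual ports; RAUDIO is left out because its port definition is not on the page.

```python
"""Match a flow against FortiGate-style custom services and service groups.

Added example for "set firewall service custom" and "set firewall service
group" (not Fortinet code). The predefined services below are constructed for
the example; only their names come from the page.
"""
from dataclasses import dataclass, field


def parse_range(text):
    """Parse "low-high" into an inclusive (low, high) tuple; 1-65535 means any port."""
    low, high = (int(part) for part in text.split("-", 1))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {text}")
    return low, high


@dataclass
class Service:
    name: str
    rules: dict = field(default_factory=dict)   # proto -> (src range, dst range)

    def matches(self, proto, sport, dport):
        rule = self.rules.get(proto)
        if rule is None:
            return False
        (s_lo, s_hi), (d_lo, d_hi) = rule
        return s_lo <= sport <= s_hi and d_lo <= dport <= d_hi


def parse_custom_service(line):
    """Build a Service from "set firewall service custom <name> {tcp|udp} <src> <dst> ..."."""
    tokens = line.split()
    if tokens[:4] != ["set", "firewall", "service", "custom"] or len(tokens) < 8:
        raise ValueError("not a complete custom service command")
    svc = Service(tokens[4])
    rest = tokens[5:]
    if len(rest) % 3:
        raise ValueError("each protocol needs a source range and a destination range")
    for i in range(0, len(rest), 3):
        proto = rest[i]
        if proto not in ("tcp", "udp"):
            raise ValueError(f"protocol must be tcp or udp: {proto}")
        svc.rules[proto] = (parse_range(rest[i + 1]), parse_range(rest[i + 2]))
    return svc


class ServiceTable:
    """Predefined and custom services plus service groups, by name."""

    def __init__(self):
        self.services = {}
        self.groups = {}

    def add_service(self, svc):
        self.services[svc.name] = svc

    def define_group(self, line):
        """Handle "set firewall service group <name> member A B C ...".

        Re-issuing the command replaces the whole member list (the manual's
        note), and a group may not be a member of another group."""
        tokens = line.split()
        if (len(tokens) < 7 or tokens[:4] != ["set", "firewall", "service", "group"]
                or tokens[5] != "member"):
            raise ValueError("not a service group command")
        name, members = tokens[4], tokens[6:]
        for member in members:
            if member in self.groups:
                raise ValueError(f"{member} is a group; service groups cannot be nested")
            if member not in self.services:            # names are case-sensitive
                raise ValueError(f"unknown service: {member}")
        self.groups[name] = list(members)

    def matches(self, name, proto, sport, dport):
        """True if the flow matches the named service or any member of the named group."""
        if name in self.groups:
            return any(self.matches(m, proto, sport, dport) for m in self.groups[name])
        svc = self.services.get(name)
        return svc is not None and svc.matches(proto, sport, dport)


def demo_table():
    """Constructed table: four predefined services, the page's Custom_1 and Web_Services."""
    table = ServiceTable()
    any_port = (1, 65535)
    for name, port in (("FTP", 21), ("HTTP", 80), ("HTTPS", 443), ("TELNET", 23)):
        table.add_service(Service(name, {"tcp": (any_port, (port, port))}))
    table.add_service(parse_custom_service(
        "set firewall service custom Custom_1 tcp 1-65535 4501-4503 udp 1-65535 5632-5632"))
    table.define_group("set firewall service group Web_Services member FTP HTTP HTTPS")
    return table
```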

set firewall vip
Add and edit virtual IPs. You can add static NAT virtual IPs or port forwarding virtual IPs.

Use virtual IPs to provide access to IP addresses on a destination network that are hidden from the source network by NAT security policies. To allow connections between these networks, you must create a mapping between an address on the source network and the real address on the destination network. This mapping is called a virtual IP.

You can create two types of virtual IPs:

Static NAT
  Used to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.

Port Forwarding
  Used to translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.

Note: Virtual IPs are not available in transparent mode.

Syntax description

<vip-name_str>
  Enter the name for the VIP. If the name is new, this command adds a new VIP. If the name already exists, this command edits the VIP.
  Default: No default. Availability: All models.

extintf <intf_str>
  The name of the interface connected to the source network that receives the packets to be forwarded to the destination network. On the FortiGate-400 and up, <intf_str> can be the name of an interface or VLAN subinterface.
  Default: No default. Availability: All models.

extip <external_ip>
  The external IP address to be mapped to an address on the destination network. For example, if the virtual IP provides access from the Internet to a web server on a destination network, the external IP address must be a static IP address obtained from your ISP for your web server. For a static NAT virtual IP, this address must be a unique address that is not used by another host and cannot be the same as the IP address of the extintf <intf_str>. However, this address must be routed to this interface. For a port forwarding virtual IP, this address can be any IP address, including the IP address of the extintf <intf_str>. For FortiGate models 50, 60, 100, 200, and 300, if the IP address of extintf <intf_str> is set using PPPoE or DHCP, <external_ip> can be 0.0.0.0. The FortiGate unit substitutes the IP address set for this interface using PPPoE or DHCP.
  Default: No default. Availability: All models.

extport <ext-port_integer>
  The external service port number for which to configure port forwarding. Required for port forwarding virtual IPs. Not required for static NAT virtual IPs. The external port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a Web server, the external service port number would be 80 (the HTTP port).
  Default: No default. Availability: All models. Required if type is set to portforward.

mappedip <mapped_ip>
  The real IP address in the more secure network or zone to which to map the <external_ip>.
  Default: No default. Availability: All models.

mappedport <map-port_integer>
  Enter mappedport <map-port_integer> if you want the port forwarding virtual IP to translate the destination port to a different port number. You only have to specify the mappedport if you want to translate the port.
  Default: No default. Availability: All models. Required if type is set to portforward.

protocol {tcp | udp}
  The protocol, TCP or UDP, to be used by the forwarded packets.
  Default: No default. Availability: All models. Required if type is set to portforward.

type {portforward | staticnat}
  The type of virtual IP to add or edit. Enter portforward to add or edit a port forwarding virtual IP. Enter staticnat to add or edit a static NAT virtual IP.
  Default: No default. Availability: All models.

Example
Use the following command to add a static NAT virtual IP named Web_Server that allows users on the Internet to connect to a web server on your internal network. The Internet address of the web server is 64.32.21.34 and the real IP address of the web server on the internal network is 192.168.1.44.

set firewall vip Web_Server type staticnat extintf external extip 64.32.21.34 mappedip 192.168.1.44

Use the following command to edit the static NAT virtual IP named Web_Server to change the real IP address of the web server on the internal network to 192.168.110.23.

set firewall vip Web_Server type staticnat mappedip 192.168.110.23

Use the following command to add a port forwarding virtual IP that uses port address translation to allow external access to a web server on your internal network if you do not have a separate external IP address for the web server. In this example, the IP address of the external interface is 192.168.100.99 and the real IP address of the web server on the internal network is 192.168.1.93.

set firewall vip Web_Server type portforward extintf external extip 192.168.100.99 extport 80 mappedip 192.168.1.93 mappedport 80

Related commands
• set firewall policy
• get firewall vip
• unset firewall vip
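The difference between the two VIP types described above (static NAT rewrites one address in both directions; port forwarding matches on destination port and protocol and may change the port), as an added model that is not Fortinet code. The parser reads the page's own command lines; the packet tuple, the interface address used for the extip check, and defaulting mappedport to extport when it is omitted are assumptions of this example.

```python
"""Model how a FortiGate virtual IP rewrites inbound packets and their replies.

Added example for "set firewall vip" (not Fortinet code). It reproduces only
what the manual states: static NAT maps an external address to an internal
one and translates the source of return packets; port forwarding maps an
external address and port to an internal address and, optionally, a different
port, and its extip may equal the external interface address while a static
NAT extip may not. The Packet tuple is constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class VirtualIP:
    name: str
    type: str           # "staticnat" or "portforward"
    extintf: str
    extip: str
    mappedip: str
    extport: Optional[int] = None
    mappedport: Optional[int] = None
    protocol: Optional[str] = None

    def validate(self, extintf_ip):
        """Apply the manual's per-type constraints; returns self for chaining."""
        if self.type == "staticnat":
            if self.extip == extintf_ip:
                raise ValueError("a static NAT extip cannot equal the extintf IP address")
        elif self.type == "portforward":
            if self.extport is None or self.protocol not in ("tcp", "udp"):
                raise ValueError("port forwarding requires extport and protocol")
            if self.mappedport is None:
                self.mappedport = self.extport      # assumption: no port translation
        else:
            raise ValueError(f"unknown VIP type: {self.type}")
        return self

    def inbound(self, pkt):
        """Translate a packet arriving on extintf; None if this VIP does not apply."""
        if pkt.dst != self.extip:
            return None
        if self.type == "staticnat":
            return Packet(pkt.proto, pkt.src, pkt.sport, self.mappedip, pkt.dport)
        if pkt.proto != self.protocol or pkt.dport != self.extport:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, self.mappedip, self.mappedport)

    def outbound(self, pkt):
        """Translate the reply from the internal host back to the external view."""
        if pkt.src != self.mappedip:
            return None
        if self.type == "staticnat":
            return Packet(pkt.proto, self.extip, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto != self.protocol or pkt.sport != self.mappedport:
            return None
        return Packet(pkt.proto, self.extip, self.extport, pkt.dst, pkt.dport)


def parse_vip(line):
    """Build a VirtualIP from a complete "set firewall vip <name> key value ..." line.

    The manual's edit form (only the keys being changed) is not handled here;
    this parser expects type, extip and mappedip to be present."""
    tokens = line.split()
    if tokens[:3] != ["set", "firewall", "vip"] or len(tokens) % 2:
        raise ValueError("not a complete vip command")
    kv = dict(zip(tokens[4::2], tokens[5::2]))
    ints = {k: int(v) for k, v in kv.items() if k in ("extport", "mappedport")}
    return VirtualIP(tokens[3], kv["type"], kv.get("extintf", ""), kv["extip"],
                     kv["mappedip"], ints.get("extport"), ints.get("mappedport"),
                     kv.get("protocol"))
```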

set log policy
A logging configuration consists of enabling logging on an interface, selecting a location or locations to which to log, and selecting the type of log to record. If the FortiGate unit has a hard drive you can also view, search and maintain logs saved to the hard disk.

Syntax description

destination {syslog | webtrends | local | console}
  Select the log locations:
  • syslog - record logs on a remote computer.
  • webtrends - record logs on a NetIQ WebTrends server.
  • local - record logs on the FortiGate hard disk or, if no hard disk is available, record logs to system memory.
  • console - record logs to the console.
  Use the command set log setting to enable logging to a destination and to set the log severity level.
  Default: No default. Availability: All models.

{emailfilter | event | ids | traffic | update | virus | webfilter}
  Select a log type. You can select one log type at a time. The traffic log type is not available if set log policy destination is set to local and the FortiGate unit does not have a hard disk.
  Default: No default. Availability: All models.

status {enable | disable}
  Enable or disable the specified log type.
  Default: disable. Availability: All models.

category <category_str> [<category_str> [<category_str> ... ]]
  See the Category table for the list of categories for each log type.
  Default: No default. Availability: All models.

Category

Log type: emailfilter
  email - Blocklist email detected.
  bword - Banned word email detected.
  none - Turn off emailfilter log categories.

Log type: event
  configuration - Configuration change event.
  ipsec - IPSec negotiation event.
  dhcp - DHCP service event.
  ppp - L2TP, PPTP, PPPoE service event.
  login - Administrator login/logout event.
  ipmac - IP/MAC binding event.
  system - System activity event.
  ha - High Availability activity event.
  auth - Firewall authentication event.
  routegateway - Route gateway event.
  none - Turn off event log categories.

Log type: ids
  detection - Attack detection activity.
  prevention - Attack prevention activity.
  none - Turn off ids log categories.

Log type: traffic
  See “set log trafficfilter rule” on page 70.

Log type: update
  failed - Failed update incident.
  succeeded - Successful update incident.
  fdn - Fortinet Distribution Network error.
  none - Turn off update log categories.

Log type: virus
  infected - Infected file incidents.
  filename - Blocked file incidents.
  oversize - Oversized file incidents.
  none - Turn off virus log categories.

Log type: webfilter
  content - File blocked by content block list.
  urlblock - File blocked by URL block list.
  urlexempt - File exempted by URL exempt list.
  none - Turn off webfilter log categories.

Examples
Use the following command to record High Availability activity and authentication events to the event log on the FortiGate local hard disk:

set log policy destination local event status enable category ha auth

Related commands
• get log elog
• get log logsetting
• get log policy
• set log setting
• set log trafficfilter rule
• set log trafficfilter setting

set log setting
You can configure logging to record logs to one or more of:

• a computer running a syslog server,
• a computer running a WebTrends firewall reporting server,
• the FortiGate hard disk (if your FortiGate unit contains a hard disk),
• the console (using the CLI).

You can also configure logging to record some logs to the FortiGate system memory if your FortiGate unit does not contain a hard disk. Logging to memory allows quick access to only the most recent log entries. If the FortiGate unit restarts, the log entries are lost.

You can select the same or different severity level for each log location. For example, you might want to record only emergency and alert level messages to the FortiGate memory and record all levels of messages on a remote computer.

Note: The optional hard disk is not available for all FortiGate models and the FortiGate-50 does not have the option to record logs to memory. Use the command get system status to confirm whether or not a hard disk is available on the FortiGate unit.

Syntax description

{console | local | memory | syslog | webtrends}
  Select a log location. To log to more than one location, configure each log location separately. If the FortiGate unit contains a hard disk, local is displayed as a choice. If the FortiGate unit does not contain a hard disk, memory is displayed instead of local. Neither local nor memory are available for FortiGate-50 units.
  Default: No default. Availability: All models.

csv {enable | disable}
  Enable or disable saving logs in comma separated value (CSV) format.
  Default: disable. Availability: All models; syslog only.

diskfull {overwrite | blocktraffic | nolog}
  Set the options to use when the FortiGate hard disk runs out of space:
  • overwrite deletes the oldest log file when the hard disk is full.
  • blocktraffic blocks all network traffic when the hard disk is full.
  • nolog stops logging messages when the hard disk is full.
  Default: overwrite. Availability: Not available on the FortiGate-50; local only.

filesz <file-size_integer>
  Set a maximum log file size in Mbytes. When the log file reaches this size, the current log file is closed and saved and a new active log file is started. The default maximum log file size is 10 Mbytes and the maximum allowed is 2 Gbytes.
  Default: 10 Mbytes. Availability: Not available on the FortiGate-50; local only.

loglevel <severity_integer>
  Set the log severity level. Enter the command set log setting <location_str> loglevel followed by a space and a ? for a list of severity levels and their corresponding numbers.
  0 - Emergency - The system has become unusable.
  1 - Alert - Immediate action is required.
  2 - Critical - Functionality is affected.
  3 - Error - An erroneous condition exists and functionality is probably affected.
  4 - Warning - Functionality might be affected.
  5 - Notification - Information about normal events.
  6 - Information - General information about system operations.
  The FortiGate unit will log all levels of severity up to but not higher than the number you select. For example, if you want to record emergency, alert, critical, and error messages, select 3. If you do not select a severity level, the default level 0 will be used.
  Default: 0. Availability: All models; all log locations.

logtime <days_integer>
  Set a log time interval in days. After the specified time interval, the current log file is closed and saved and a new one is started. The default log time interval is 10 days.
  Default: 10 days. Availability: Not available on the FortiGate-50; local only.

port <port_integer>
  Set the remote host (syslog) server port.
  Default: 514. Availability: All models; syslog only.

server <server_ip>
  Set the server IP address. The server IP address must be set separately for the webtrends keyword and the syslog keyword.
  Default: No default. Availability: All models; syslog and webtrends.

status {enable | disable}
  Enable or disable logging to the specified log location.
  Default: disable. Availability: All models; all log locations.

Examples
Use the following command to enable logging to a syslog server with the IP address 192.168.23.95 and a log level of 3:

set log setting syslog server 192.168.23.95 loglevel 3

Related commands
• get log logsetting
• set log policy
• set log trafficfilter rule
• set log trafficfilter setting
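The local log location semantics from the table above (the loglevel cut-off with its default of 0, rotation by filesz and logtime, and the three diskfull options), as an added simulation that is not Fortinet code. The disk capacity and message sizes are constructed for the example; the manual does not state how large the disk is.

```python
"""Simulate the FortiGate "set log setting" rules for the local log location.

Added example (not Fortinet code). Documented behaviour modelled here: a
message is recorded only if its severity number is not higher than loglevel
(0 = Emergency ... 6 = Information, default 0); the active file is closed and
saved when it reaches filesz Mbytes or has been open for logtime days; and
diskfull selects overwrite, blocktraffic or nolog once the disk is full. The
disk capacity and the per-message size are constructed inputs.
"""
from datetime import datetime, timedelta

SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notification", 6: "Information"}
MBYTE = 1024 * 1024


class LocalLogSetting:
    def __init__(self, loglevel=0, filesz=10, logtime=10, diskfull="overwrite",
                 disk_capacity_mb=50):
        if loglevel not in SEVERITY:
            raise ValueError("loglevel must be 0..6")
        if not 1 <= filesz <= 2048:                    # maximum allowed is 2 Gbytes
            raise ValueError("filesz must be 1..2048 Mbytes")
        if diskfull not in ("overwrite", "blocktraffic", "nolog"):
            raise ValueError("diskfull must be overwrite, blocktraffic or nolog")
        self.loglevel = loglevel
        self.filesz_bytes = filesz * MBYTE
        self.logtime = timedelta(days=logtime)
        self.diskfull = diskfull
        self.capacity = disk_capacity_mb * MBYTE       # constructed disk size
        self.closed_files = []                         # (opened_at, size) of saved files
        self.active = None                             # [opened_at, size] of the open file
        self.traffic_blocked = False
        self.dropped = 0

    def accepts(self, severity):
        """Severity filter: log every level up to, but not higher than, loglevel."""
        return severity <= self.loglevel

    def _used(self):
        active = self.active[1] if self.active else 0
        return sum(size for _, size in self.closed_files) + active

    def record(self, severity, when, size=256):
        """Try to store one message of `size` bytes at time `when`; True if written."""
        if not self.accepts(severity):
            return False
        if self.active is None:
            self.active = [when, 0]
        # Rotation: close the file once it reaches filesz or has been open logtime days.
        if self.active[1] >= self.filesz_bytes or when - self.active[0] >= self.logtime:
            self.closed_files.append(tuple(self.active))
            self.active = [when, 0]
        # Disk-full handling according to the diskfull option.
        while self._used() + size > self.capacity:
            if self.diskfull == "overwrite" and self.closed_files:
                self.closed_files.pop(0)               # delete the oldest saved log file
            elif self.diskfull == "blocktraffic":
                self.traffic_blocked = True            # unit would block all traffic
                self.dropped += 1
                return False
            else:                                      # nolog (or nothing left to delete)
                self.dropped += 1
                return False
        self.active[1] += size
        return True


def levels_recorded(loglevel):
    """Severity numbers a location with this loglevel records, e.g. 3 -> [0, 1, 2, 3]."""
    setting = LocalLogSetting(loglevel=loglevel)
    return [level for level in SEVERITY if setting.accepts(level)]
```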

set log trafficfilter rule
The FortiGate unit can filter traffic logs for any source and destination address and service.

Note: Traffic logging is not available when logging to system memory.

Syntax description

<name_str>
  Type a name to identify the traffic log filter.
  Default: No default. Availability: All models.

dst <destination_ip> <netmask_ip>
  Type the destination IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
  Default: No default. Availability: All models.

service <name_str>
  Select the service group or individual service for which you want the FortiGate unit to log traffic messages. Use the command set log trafficfilter rule <name_str> service followed by a space and a ? for a list of available services.
  Default: No default. Availability: All models.

src <source_ip> <netmask_ip>
  Type the source IP address and netmask for which you want the FortiGate unit to log traffic messages. The address can be an individual computer, subnetwork, or network.
  Default: No default. Availability: All models.

Example
Use the following command to log the HTTP traffic coming from 192.168.0.0 and going to 192.168.23.10:

set log trafficfilter rule rule1 src 192.168.0.0 255.255.0.0 dst 192.168.23.10 service http

Related commands
• get log trafficfilter
• unset log filter
• set log trafficfilter setting
• set log policy

set log trafficfilter setting
You can enable the following global settings for traffic log entries:

• resolve IP addresses to host names,
• record session or packet information,
• display the port number or service.

Note: Traffic logging is not available when logging to system memory.

Syntax description

display {port | name}
  Select port if you want traffic log messages to list the port number, for example, 80/tcp. Select name if you want traffic log messages to list the name of the service, for example, TCP.
  Default: port. Availability: All models.

resolve {enable | disable}
  Select enable if you want traffic log messages to list the IP address and the domain name stored on the DNS. If the primary and secondary DNS addresses provided to you by your ISP have not already been added, see “set system dns” on page 84 for information on how to add DNS addresses.
  Default: disable. Availability: All models.

type {session | packet}
  If you select session, the FortiGate unit records the number of packets sent and received for each session. If you select packet, the FortiGate unit records the average packet length, in bytes, for each session.
  Default: session. Availability: All models.

Examples
Use the following command to set the trafficfilter setting to session and the display to name:

set log trafficfilter setting type session display name

Related commands
• get log trafficfilter
• set log trafficfilter rule
• set system dns

set nids detection
Use this command to configure how the FortiGate network intrusion detection system (NIDS) detects network attacks. You can select the interface on which the NIDS monitors network traffic for attacks, and you can also set the NIDS for checksum verification. Checksum verification tests the integrity of packets received at the monitored interface.

Syntax description

checksum {none | ip,tcp,udp,icmp}
  Enter one or more protocols, separated by commas, to enable checksum verification for that type of traffic. Enter none to turn off all checksum verification. Configure the NIDS to run checksums to verify that packets passing through the FortiGate have not been altered. For maximum protection, you can turn on checksum verification for all types of protocols. However, if the FortiGate does not need to do checksum verification, you can turn it off for some or all types of traffic to improve performance. You may not need to run checksum verifications if your FortiGate is installed behind a router that also does checksum verification.
  Default: none. Availability: All models.

interface <name_str> status {enable | disable}
  Enable or disable NIDS monitoring on the specified interface. Enter set nids detection interface followed by a space and ? for a list of available interfaces. For all models except the FortiGate-50, you can enable NIDS monitoring for up to four interfaces. For the FortiGate-50 you can enable NIDS monitoring for one interface.
  Default: disable. Availability: All models.

Examples
Use the following command to enable NIDS monitoring on the internal interface.

set nids detection interface internal status enable

Use the following command to run checksum verification for the IP and ICMP protocols.

set nids detection checksum ip,icmp

Related commands
• get nids detection
• set nids prevention
• set nids rule

set nids prevention
Use this command to enable or disable NIDS prevention signatures.

The NIDS Prevention module contains signatures that are designed to protect your network against attacks. The signatures detect anomalies in the data packets and protocol definitions for ICMP, IP, TCP and UDP. When anomalies are found, the system takes action to prevent damage. In some cases packets are dropped; in other cases network access is blocked.

In addition to being able to enable and disable all signatures, you can also modify the threshold value for some signatures. When the threshold is exceeded, the NIDS Prevention module will take action to block the attack.

Some signatures are enabled by default.

Syntax description

icmp <attack_str>
  Enter the name of the Internet Control Message Protocol (ICMP) NIDS prevention signature that you want to enable or disable, or for which to change the threshold value. Use the command set nids prevention icmp followed by a space and a ? for a list of ICMP NIDS prevention signatures.
  Default: No default. Availability: All models.

ip <attack_str>
  Enter the name of the Internet Protocol (IP) NIDS prevention signature that you want to enable or disable, or for which to change the threshold value. Use the command set nids prevention ip followed by a space and a ? for a list of IP NIDS prevention signatures.
  Default: No default. Availability: All models.

reset
  Select reset to restore the default status for all NIDS Prevention signatures and to restore default threshold values.
  Default: No default. Availability: All models.

status {enable | disable}
  Enable or disable the NIDS Prevention module. The NIDS Prevention module is disabled by default. You must enable it when you configure a new FortiGate unit, or when you reboot a FortiGate unit.
  Default: disable. Availability: All models.

tcp <attack_str>
  Enter the name of the Transmission Control Protocol (TCP) NIDS prevention signature that you want to enable or disable, or for which to change the threshold value. Use the command set nids prevention tcp followed by a space and a ? for a list of TCP NIDS prevention signatures.
  Default: No default. Availability: All models.

udp <attack_str>
  Enter the name of the User Datagram Protocol (UDP) NIDS prevention signature that you want to enable or disable, or for which to change the threshold value. Use the command set nids prevention udp followed by a space and a ? for a list of UDP NIDS prevention signatures.
  Default: No default. Availability: All models.

Syntax description for icmp NIDS prevention signatures

icmpdeath status {enable | disable}
  Enable or disable the ICMP Death (ping of death) prevention signature.
  Default: enable. Availability: All models.

icmpflood status {enable | disable} threshold <packets/sec_integer>
  Enable or disable the ICMP Flood prevention signature. Threshold unit - maximum number of packets per second to a single destination.
  • Minimum value - 128
  • Maximum value - 102400
  Default: enable, threshold 256. Availability: All models.

icmpfrag status {enable | disable}
  Enable or disable the ICMP Fragment prevention signature.
  Default: disable. Availability: All models.

icmpland status {enable | disable}
  Enable or disable the ICMP Land prevention signature.
  Default: enable. Availability: All models.

icmplarge status {enable | disable} threshold <bytes_integer>
  Enable or disable the large ICMP packet prevention signature. Threshold unit - maximum packet size in bytes.
  • Minimum value - 1024
  • Maximum value - 64000
  Default: enable, threshold 32000. Availability: All models.

icmpsrcsession status {enable | disable} threshold <sessions/source_integer>
  Enable or disable the ICMP Source Session Limit prevention signature. Threshold unit - maximum ICMP sessions from a single source.
  • Minimum value - 64
  • Maximum value - 2048
  Default: disable, threshold 128. Availability: All models.

icmpsweep status {enable | disable} threshold <requests/second_integer>
  Enable or disable the ICMP Sweep prevention signature. Threshold unit - maximum ICMP echo requests per second from a single source.
  • Minimum value - 16
  • Maximum value - 2048
  Default: enable, threshold 32. Availability: All models.

Keyword Description Default Availabilityipfrag status {enable | disable}

Enable or disable the IP Fragmentation prevention signature.

disable All models.

ipland status {enable | disable}

Enable or disable the IP Land prevention signature. disable All models.

iplsrr status {enable | disable}

Enable or disable the IP Loose Source Record Routing prevention signature.

disable All models.

iprr status {enable | disable}

Enable or disable the IP Record Routing prevention signature.

disable All models.

ipsecurity status {enable | disable}

Enable or disable the IP Security Option prevention signature.

disable All models.

ipspoofing status {enable | disable}

Enable or disable the IP Spoofing prevention signature.

enable All models.

ipssrr status {enable | disable}

Enable or disable the IP Strict Source Record Routing prevention signature.

disable All models.

ipstream status {enable | disable}

Enable or disable the IP Stream Option prevention signature.

disable All models.

iptimestamp status {enable | disable}

Enable or disable the IP Timestamp Option prevention signature.

disable All models.

ipunknoption status {enable | disable}

Enable or disable the IP Unknown Option prevention signature.

enable All models.

ipunknproto status {enable | disable}

Enable or disable the IP Unknown Protocol prevention signature.

enable All models.

Keyword Description Default Availability

74 Fortinet Inc.


Syntax description for tcp NIDS prevention signatures

finnoack status {enable | disable}
    Enable or disable the TCP FIN without ACK prevention signature.
    Default: enable. Availability: All models.

ftpovfl status {enable | disable} threshold <bytes_integer>
    Enable or disable the TCP FTP Buffer Overflow prevention signature. Threshold unit: maximum command buffer size in bytes.
    Minimum value: 128. Maximum value: 1024.
    Default: status enable, threshold 256. Availability: All models.

land status {enable | disable}
    Enable or disable the TCP Land prevention signature.
    Default: enable. Availability: All models.

noflag status {enable | disable}
    Enable or disable the TCP with No Flag prevention signature.
    Default: enable. Availability: All models.

pop3ovfl status {enable | disable} threshold <bytes_integer>
    Enable or disable the TCP POP3 Buffer Overflow prevention signature. Threshold unit: maximum command buffer size in bytes.
    Minimum value: 128. Maximum value: 1024.
    Default: status enable, threshold 512. Availability: All models.

portscan status {enable | disable} threshold <syn/second_integer>
    Enable or disable the TCP Port Scan prevention signature. Threshold unit: SYN per second.
    Minimum value: 10. Maximum value: 256.
    Default: status enable, threshold 128. Availability: All models.

smtpovfl status {enable | disable} threshold <bytes_integer>
    Enable or disable the TCP SMTP Buffer Overflow prevention signature. Threshold unit: maximum command buffer size in bytes.
    Minimum value: 128. Maximum value: 1024.
    Default: status enable, threshold 512. Availability: All models.

srcsession status {enable | disable} threshold <sessions_integer>
    Enable or disable the TCP Source Session Limit prevention signature. Threshold unit: maximum TCP sessions from a single source.
    Minimum value: 128. Maximum value: 10240.
    Default: status disable, threshold 2048. Availability: All models.

synfin status {enable | disable}
    Enable or disable the TCP SYN with FIN prevention signature.
    Default: enable. Availability: All models.

synflood queue_size <prox-connect_integer> status {enable | disable} threshold <syn/second_integer> timeout <seconds_integer>
    Enable or disable the TCP SYN Flood prevention signature.
    Threshold unit: SYN per second. Minimum value: 30. Maximum value: 3000. Default value: 200.
    Queue size unit: maximum proxied connections. Minimum value: 10. Maximum value: 1024. Default value: 1024.
    Timeout unit: seconds. Minimum value: 3. Maximum value: 60. Default value: 15.
    Default: status disable; threshold, queue_size, and timeout as listed above. Availability: All models.


synfrag status {enable | disable}
    Enable or disable the TCP SYN Fragment prevention signature.
    Default: enable. Availability: All models.

url status {enable | disable}
    Enable or disable the TCP Invalid URL prevention signature.
    Default: enable. Availability: All models.

winnuke status {enable | disable}
    Enable or disable the TCP Winnuke prevention signature.
    Default: enable. Availability: All models.

Syntax description for udp NIDS prevention signatures

udpflood status {enable | disable} threshold <packets/second_integer>
    Enable or disable the UDP Flood prevention signature. Threshold unit: maximum packets per second to a single destination.
    Minimum value: 512. Maximum value: 102400.
    Default: status disable, threshold 2048. Availability: All models.

udpland status {enable | disable}
    Enable or disable the UDP Land prevention signature.
    Default: enable. Availability: All models.

udpsrcsession status {enable | disable} threshold <sessions_integer>
    Enable or disable the UDP Source Session Limit prevention signature. Threshold unit: maximum UDP sessions from a single source.
    Minimum value: 512. Maximum value: 102400.
    Default: status disable, threshold 1024. Availability: All models.

Examples

Use the following command to enable the NIDS Prevention module:

set nids prevention status enable

Use the following command to restore the NIDS Prevention module to its default configuration:

set nids prevention reset

Use the following command to enable the TCP Port Scan signature and set its threshold to 130 SYN per second:

set nids prevention tcp portscan status enable threshold 130

Use the following command to change the TCP Port Scan threshold to 100 SYN per second:

set nids prevention tcp portscan threshold 100

Related commands
• get nids prevention
• set nids detection
• set nids rule
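The portscan and flood signatures above are rate thresholds: a source that sends more SYNs per second than the configured value is treated as a scanner. The following Python is an added example, not Fortinet code. It models that check, and the documented 10 to 256 range for the portscan threshold, over constructed packet records; the sliding one-second window and the rule that only pure SYNs (not SYN/ACK replies) are counted are this example's assumptions about how the signature measures the rate.

```python
"""Added example, not Fortinet code: a model of the TCP Port Scan prevention
threshold (SYN per second from one source) applied to constructed packet
records, together with the documented range check on the threshold value."""
from collections import defaultdict, deque

# Documented limits for "set nids prevention tcp portscan threshold"
PORTSCAN_MIN, PORTSCAN_MAX, PORTSCAN_DEFAULT = 10, 256, 128


def validate_threshold(value, lo, hi):
    """Reject values outside the documented min/max for a signature threshold."""
    if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
        raise ValueError(f"threshold {value!r} must be an integer between {lo} and {hi}")
    return value


def portscan_command(threshold=PORTSCAN_DEFAULT, enable=True):
    """Build the CLI line that sets the TCP Port Scan threshold, after validating it."""
    validate_threshold(threshold, PORTSCAN_MIN, PORTSCAN_MAX)
    status = "enable" if enable else "disable"
    return f"set nids prevention tcp portscan status {status} threshold {threshold}"


class SynRateMonitor:
    """Counts pure SYNs per source over a sliding one-second window and flags a
    source once its count exceeds the threshold. The sliding window is this
    example's assumption about how "SYN per second" is measured."""

    def __init__(self, threshold=PORTSCAN_DEFAULT):
        self.threshold = validate_threshold(threshold, PORTSCAN_MIN, PORTSCAN_MAX)
        self._recent = defaultdict(deque)  # src_ip -> timestamps of SYNs in the last second
        self.flagged = set()

    def observe(self, ts, src_ip, flags):
        """Feed one packet; return True if this SYN pushes src_ip over the threshold."""
        if "S" not in flags or "A" in flags:  # SYN/ACK replies and non-SYN segments do not count
            return False
        window = self._recent[src_ip]
        window.append(ts)
        while ts - window[0] >= 1.0:  # drop SYNs older than one second
            window.popleft()
        if len(window) > self.threshold:
            self.flagged.add(src_ip)
            return True
        return False


def constructed_packets():
    """Constructed (not captured) records of (timestamp, src_ip, dst_port, flags)."""
    scanner = [(i * 0.003, "10.0.0.5", 1 + i, "S") for i in range(150)]  # 150 SYNs in 0.45 s
    client = [(i * 0.04, "10.0.0.9", 80, "S") for i in range(20)]  # 20 SYNs in 0.8 s
    replies = [(i * 0.003 + 0.001, "192.0.2.1", 1 + i, "SA") for i in range(150)]  # SYN/ACKs to the scanner
    return sorted(scanner + client + replies)


def scan_sources(threshold=PORTSCAN_DEFAULT):
    """Run the monitor over the constructed traffic and return the flagged sources."""
    monitor = SynRateMonitor(threshold)
    for ts, src_ip, _dst_port, flags in constructed_packets():
        monitor.observe(ts, src_ip, flags)
    return monitor.flagged


if __name__ == "__main__":
    print(portscan_command(130))
    print("flagged at default threshold:", scan_sources())
    print("flagged at threshold 10:", scan_sources(10))
```

With the default threshold of 128 only the scanning source is flagged; lowering the threshold to 10 also flags the ordinary client in the sample, which is the trade-off to weigh when tuning these values below the default.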


set nids rule

Use this command to enable or disable the NIDS Detection signature groups.

The NIDS Detection module uses over 1,000 signatures. These signatures are arranged into groups based on the type of attack. By default, all signature groups are enabled. For a list of all the signatures in a signature group, see “get nids rule” on page 195.

You cannot enable or disable individual signatures within a signature group. All signatures in a group are enabled or disabled together when you enable or disable the group.

By disabling a signature group, you can improve system performance and reduce the number of log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks. If you do not provide access to a web server behind your firewall, you might want to disable all web server attack signatures.

You can also add user-defined attack signatures to detect attacks not included in the current attack definitions file.

Use the syntax described in the “Creating user-defined signatures” chapter of the FortiGate NIDS Guide to create user-defined signature rules in a text file. You can then upload the text file to the FortiGate unit using the command “execute restore” on page 233. The FortiGate unit assigns a unique ID to each rule in the file and adds the signatures to the User Defined Signature group on the signature groups list.

Once you have created and uploaded a user-defined signature list, you can use the command “execute backup” on page 224 to download the list from the FortiGate unit. You can edit existing signature rules or add new signature rules, and then restore the edited list to the FortiGate unit.

Syntax description

<group-name_str>
    The name of the signature group to enable or disable. Enter set nids rule followed by a space and a ?, or use the command get nids rule, for a list of signature groups.
    Default: none. Availability: All models.

status {enable | disable}
    Enable or disable the specified signature group.
    Default: enable. Availability: All models.

Examples

Use the following command to disable the web-apache signature group:

set nids rule web-apache status disable

Related commands
• get nids rule
• execute backup
• execute restore

Note: User-defined signatures are an advanced feature and should only be created and added to the FortiGate unit by IT specialists who are familiar with programming concepts and with network intrusion detection systems.


set system admin

Use this command to add or edit administrator accounts.

When the FortiGate unit is first installed, it has a single administrator account with the user name admin. From this account you can add and edit administrator accounts, control the access level of each account, and optionally restrict the IP address from which each administrator can connect to the FortiGate unit.

Syntax description

username <name_str>
    A name for this administrator account. If an account with this name already exists, the command changes its settings. If it does not exist, the command adds a new administrator account.
    Default: none. Availability: All models.

password <passwd_str>
    Enter a password for the administrator account. For improved security, the password should be at least 6 characters long.
    Default: none. Availability: All models.

permission {readonly | readwrite}
    If you set the permission level to readwrite, the administrator can:
    • view and change the FortiGate configuration from the web-based manager, or from the CLI using get and set commands,
    • change his or her own administrator account password using the web-based manager.
    A readwrite administrator cannot use the set system admin command from the CLI and cannot add, edit, or delete administrator accounts using the web-based manager.
    If you set the permission level to readonly, the administrator can view the FortiGate configuration using the web-based manager or the CLI get commands. See “Access levels” on page 13 for more information.
    Default: readonly. Availability: All models. You cannot change the permissions of the admin administrator account.

trusthost <address_ip> <netmask_ip>
    The IP address, or the subnet address and netmask, from which the administrator is allowed to connect to the FortiGate unit; logins from any other address are refused. To allow the administrator to connect from any address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0. Where you can, restrict each account to the management subnet rather than leaving this default in place.
    Default: 0.0.0.0/0.0.0.0. Availability: All models.

Examples

Use the following command to add a readonly administrator account with the name new_adm:

set system admin username new_adm password a2b4c6 permission readonly

Then use the following command to change this account to readwrite:

set system admin username new_adm permission readwrite

Related commands
• get system admin
• unset system admin
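The following Python is an added example, not Fortinet code. It models the three checks the table describes (trusthost, readonly versus readwrite, and the rule that only the admin account may run set system admin) and parses the set system admin keyword syntax used in the examples. The admin account's initial password and the 192.168.1.0/255.255.255.0 trusthost given to new_adm are this example's assumptions.

```python
"""Added example, not Fortinet code: a model of the administrator account
checks described in the set system admin table (trusthost, readonly versus
readwrite, admin-only account management) plus a parser for the keyword syntax."""
import ipaddress
import shlex


class AdminAccount:
    def __init__(self, username, password, permission="readonly",
                 trusthost="0.0.0.0", netmask="0.0.0.0"):
        self.username = username
        self.set_password(password)
        self.set_permission(permission)
        self.set_trusthost(trusthost, netmask)

    def set_password(self, password):
        if len(password) < 6:  # the page's minimum recommendation
            raise ValueError("password should be at least 6 characters long")
        self.password = password

    def set_permission(self, permission):
        if permission not in ("readonly", "readwrite"):
            raise ValueError(f"unknown permission {permission!r}")
        if self.username == "admin" and permission != "readwrite":
            raise ValueError("the admin account permissions cannot be changed")
        self.permission = permission

    def set_trusthost(self, address, netmask):
        # "0.0.0.0 0.0.0.0" parses to 0.0.0.0/0, i.e. any source address is accepted
        self.trusthost = ipaddress.ip_network(f"{address}/{netmask}", strict=False)

    def authorize(self, source_ip, command):
        """Return (allowed, reason) for one CLI command issued from source_ip."""
        if ipaddress.ip_address(source_ip) not in self.trusthost:
            return False, f"{source_ip} is outside trusthost {self.trusthost.with_netmask}"
        verb = command.split(None, 1)[0]
        if verb == "get":
            return True, "get commands are allowed at both access levels"
        if self.permission != "readwrite":
            return False, "readonly accounts may only run get commands"
        if self.username != "admin" and command.startswith("set system admin"):
            return False, "only the admin account may add or edit administrator accounts"
        return True, "readwrite"


def apply_set_system_admin(accounts, line):
    """Parse 'set system admin username <name> [password <p>] [permission <x>]
    [trusthost <ip> <mask>]' and add or edit the named account in `accounts`."""
    argv = shlex.split(line)
    if argv[:3] != ["set", "system", "admin"]:
        raise ValueError("not a set system admin command")
    kw, i = {}, 3
    while i < len(argv):
        key = argv[i]
        arity = 2 if key == "trusthost" else 1
        if key not in ("username", "password", "permission", "trusthost") or i + arity >= len(argv):
            raise ValueError(f"bad or incomplete keyword {key!r}")
        kw[key] = tuple(argv[i + 1:i + 1 + arity]) if arity == 2 else argv[i + 1]
        i += 1 + arity
    if "username" not in kw:
        raise ValueError("username is required")
    name = kw["username"]
    if name not in accounts:  # new account: a password is needed
        if "password" not in kw:
            raise ValueError("a new account needs a password")
        accounts[name] = AdminAccount(name, kw["password"], kw.get("permission", "readonly"),
                                      *kw.get("trusthost", ("0.0.0.0", "0.0.0.0")))
        return accounts[name]
    acct = accounts[name]  # existing account: change only the keywords that were given
    if "password" in kw:
        acct.set_password(kw["password"])
    if "permission" in kw:
        acct.set_permission(kw["permission"])
    if "trusthost" in kw:
        acct.set_trusthost(*kw["trusthost"])
    return acct


def build_accounts():
    """The page's example commands plus a trusthost of 192.168.1.0/24 (assumed values)."""
    accounts = {"admin": AdminAccount("admin", "changeme", "readwrite")}  # assumed initial password
    apply_set_system_admin(accounts, "set system admin username new_adm password a2b4c6 permission readonly")
    apply_set_system_admin(accounts, "set system admin username new_adm trusthost 192.168.1.0 255.255.255.0")
    return accounts


if __name__ == "__main__":
    acct = build_accounts()["new_adm"]
    for src, cmd in [("192.168.1.20", "get system status"), ("10.0.0.1", "get system status"),
                     ("192.168.1.20", "set system dns primary 192.0.2.1")]:
        print(src, cmd, "->", acct.authorize(src, cmd))
```

Note that the trusthost check runs before the permission check: a readonly account from an untrusted address is refused outright, which is the behaviour you want from a management-plane filter.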


set system autoupdate

Use this command to configure scheduled and push updates.

You can configure the FortiGate unit to connect to the FortiResponse Distribution Network (FDN) and automatically update the antivirus definitions, the attack definitions, and the antivirus engine. You can also configure the FortiGate unit to accept push updates from the FDN.

Before the FortiGate unit can receive scheduled updates and push updates, you must register the FortiGate unit on the Fortinet Support web page.

For more information on registering your FortiGate unit and on customizing and troubleshooting the connection to the FDN, see the Installation and Configuration Guide.

For server and push update availability status, see “get system autoupdate” on page 197.

For current update status including version information, see “get system objver” on page 204.

Note: You can also initiate an update at any time using the command execute updatecenter updatenow.

Syntax description

pushaddressoverride {enable <server_ip> <port> | disable}
    Enable or disable a push address override. You must enable pushupdate before enabling pushaddressoverride.
    If the FDN must connect to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. See “set firewall vip” on page 64. Enter the external IP address that the FDN connects to; this is the address of the external interface of the NAT device. Enter the external service port that the FDN connects to; this can be port 9443 or an override push port that you assign.
    You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (for example, set using PPPoE or DHCP).
    Default: disable. Availability: All models.

pushupdate {enable | disable}
    Enable or disable updates initiated by the update center.
    Default: disable. Availability: All models.

schedule {enable | disable}
    Enable or disable scheduled updates, at regular intervals throughout the day, once a day, or once a week.
    Default: disable. Availability: All models.

every <hh:mm>
    Schedule updates at regular intervals throughout the day. <hh:mm> is the time interval to wait between updates.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45
    Default: none. Availability: All models. schedule must be enabled.


daily <hh:mm>
    Schedule updates once a day. <hh:mm> is the time of day at which to update.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45
    Default: none. Availability: All models. schedule must be enabled.

weekly <day_integer> <hh:mm>
    Schedule updates once a week. <day_integer> is the day of the week on which to update:
    • 0 Sunday
    • 1 Monday
    • 2 Tuesday
    • 3 Wednesday
    • 4 Thursday
    • 5 Friday
    • 6 Saturday
    <hh:mm> is the time of day at which to update.
    • hh can be 00 to 23
    • mm can be 00, 15, 30, or 45
    Default: none. Availability: All models. schedule must be enabled.

serveroverride {enable <server_ip> | disable}
    If you cannot connect to the FDN, or if your organization provides updates using its own FortiResponse server, enable serveroverride and add the IP address of the override FortiResponse server.
    Default: disable. Availability: All models.

tunneling {enable [address <proxy-address_ip> [port <proxy-port> [username <username_str> [password <password_str>]]]] | disable [address <proxy-address_ip> [port <proxy-port> [username <username_str> [password <password_str>]]]]}
    Configure the FortiGate unit to use a proxy server to connect to the FDN. To use the proxy server, enable tunneling and add the IP address and port required to connect to the proxy server. If the proxy server requires authentication, also add the user name and password required to connect to it. To stop using the proxy server, enter set system autoupdate tunneling disable address <address_ip>, where <address_ip> can be any IP address. To change the tunneling configuration, re-enter the complete tunneling configuration, including the parameters that do not change.
    Default: disable. Availability: All models.

Examples

Use the following command to schedule updates once a day at 07:30:

set system autoupdate schedule enable daily 07:30

Related commands
• get system autoupdate
• execute updatecenter updatenow
• set firewall vip


set system brctl

Use this command to create a static MAC table.

Syntax description

add interface <intf_str> mac <address_hex>
    Enter an interface name and a MAC address. Enter set system brctl add interface followed by a space and a ? for a list of available interfaces.
    Default: none. Availability: All models. Transparent mode only.

del mac [interface] [<mac-address_hex>]
    Delete entries from the MAC table. You can enter either an interface name or a MAC address.
    Default: none. Availability: All models. Transparent mode only.

list
    Show the static MAC entries.
    Default: none. Availability: All models. Transparent mode only.

Example

Use the following command to add a static MAC entry for the internal interface:

set system brctl add interface internal mac 11:00:aa:ff:33:22


set system dhcpserver

Use this command to configure the FortiGate unit as a DHCP server for your internal network.

Syntax description

defaultroute <gateway_ip>
    The default route to be assigned to DHCP clients. The defaultroute, exclusionrange, iprange, and reserve IP addresses must all be on the same subnet as the internal interface.
    Default: FortiGate-50 and 60: 192.168.1.99. Other models: none. Availability: All models.

dns <dns_ip> [<dns_ip>] [<dns_ip>]
    The IP addresses of up to 3 DNS servers that the DHCP clients can use for looking up domain names. Use a space to separate the IP addresses. To remove a DNS IP address, set it to 0.0.0.0.
    Default: none. Availability: All models.

domain <domain_str>
    The domain name that the DHCP server assigns to the DHCP clients.
    Default: none. Availability: All models.

exclusionrange {<start1_ip-end1_ip> | none} [{<start2_ip-end2_ip> | none}] [{<start3_ip-end3_ip> | none}] [{<start4_ip-end4_ip> | none}]
    Enter up to 4 exclusion ranges of IP addresses, within the starting and ending IP addresses of iprange, that cannot be assigned to DHCP clients. Separate the IP addresses in a range with a dash (-) and no spaces. Use a space to separate ranges. The defaultroute, exclusionrange, iprange, and reserve IP addresses must all be on the same subnet as the internal interface. To change an exclusion range you must redefine all of the exclusion ranges. To remove all exclusion ranges, replace the first exclusion range with none.
    Default: FortiGate-50 and 60: 192.168.1.99-192.168.1.99. Other models: none. Availability: All models.

iprange <start_ip-end_ip>
    The starting IP and the ending IP for the range of IP addresses that the FortiGate unit can assign to DHCP clients. The defaultroute, exclusionrange, iprange, and reserve IP addresses must all be on the same subnet as the internal interface.
    Default: FortiGate-50 and 60: 192.168.1.1-192.168.1.254. Other models: none. Availability: All models.

leaseduration <lease_int>
    The interval in seconds after which a DHCP client must ask the DHCP server for a new address. The lease duration must be between 300 and 8000000 seconds.
    Default: FortiGate-50 and 60: 604800 (7 days). Other models: none. Availability: All models.

netmask <netmask_ip>
    The netmask that the FortiGate DHCP server assigns to the DHCP clients.
    Default: FortiGate-50 and 60: 255.255.255.0. Other models: none. Availability: All models.

reserve <reserve_ip> <reserve_mac> [<name_str> | none]
    Reserve an IP address so that the FortiGate DHCP server always assigns it to the device with the specified MAC address. Optionally specify a name for the IP and MAC address pair. The reserved IP address cannot be assigned to any other device. You can add a given IP address or MAC address only once. The defaultroute, exclusionrange, iprange, and reserve IP addresses must all be on the same subnet as the internal interface.
    Default: none. Availability: All models.


status {enable | disable}
    Enable or disable the FortiGate DHCP server for your internal network.
    Default: disable. Availability: All models.

winsserver {<server1_ip> | none} [{<server2_ip> | none}]
    Enter one or two WINS server IP addresses that are assigned to DHCP clients.
    Default: none. Availability: All models.

Examples

Use the following command to create a DHCP configuration that assigns IP addresses in the range 192.168.1.100 to 192.168.1.200 with a netmask of 255.255.255.0, configures DHCP clients to request a new IP address once a day (a lease of 86400 seconds, since leaseduration is given in seconds), and assigns DHCP clients a default route of 192.168.1.99:

set system dhcpserver iprange 192.168.1.100-192.168.1.200 netmask 255.255.255.0 leaseduration 86400 defaultroute 192.168.1.99

Use the following command to enable the FortiGate DHCP server:

set system dhcpserver status enable

Use the following command to assign the address 205.34.123.1 as the first DNS server given to DHCP clients:

set system dhcpserver dns 205.34.123.1

Use the following command to set up the first exclusion range so that the IP addresses from 192.168.1.120 to 192.168.1.130 are not assigned to DHCP clients:

set system dhcpserver exclusionrange 192.168.1.120-192.168.1.130

Related commands
• get system dhcpserver
• unset system dhcpserver
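The dhcpserver keywords have to agree with each other: every address must sit on the internal interface's subnet, the lease must be within 300 to 8000000 seconds, and an IP or MAC may be reserved only once. The following Python is an added example, not FortiOS code, that checks a planned configuration against those rules and lists the addresses left for dynamic assignment after exclusions and reservations. The internal interface address 192.168.1.99/255.255.255.0, the once-a-day lease of 86400 seconds, and the single reservation are constructed values that complete the page's example.

```python
"""Added example, not FortiOS code: consistency checks for a set system
dhcpserver configuration (all addresses on the internal subnet, lease within
range, no duplicate reservations) and the pool that remains assignable."""
import ipaddress

LEASE_MIN, LEASE_MAX = 300, 8000000  # documented leaseduration limits, in seconds


def parse_range(text):
    """'192.168.1.100-192.168.1.200' -> (start, end); dash, no spaces, start <= end."""
    start, end = (ipaddress.IPv4Address(part) for part in text.split("-"))
    if end < start:
        raise ValueError(f"range {text} ends before it starts")
    return start, end


def check_dhcp_config(internal_ip, internal_mask, *, iprange, netmask, defaultroute,
                      leaseduration, exclusionranges=(), reserves=()):
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems = []
    subnet = ipaddress.IPv4Network(f"{internal_ip}/{internal_mask}", strict=False)
    if ipaddress.IPv4Address(netmask) != subnet.netmask:
        problems.append(f"netmask {netmask} differs from the internal interface netmask {subnet.netmask}")
    if not LEASE_MIN <= leaseduration <= LEASE_MAX:
        problems.append(f"leaseduration {leaseduration} is outside {LEASE_MIN}-{LEASE_MAX} seconds")

    # Every address the server hands out or refers to must be on the internal subnet.
    start, end = parse_range(iprange)
    addresses = [("iprange start", start), ("iprange end", end),
                 ("defaultroute", ipaddress.IPv4Address(defaultroute))]
    for excl in exclusionranges:
        lo, hi = parse_range(excl)
        addresses += [(f"exclusionrange {excl} start", lo), (f"exclusionrange {excl} end", hi)]
    for ip, mac, *_ in reserves:
        addresses.append((f"reserve {ip} ({mac})", ipaddress.IPv4Address(ip)))
    for label, addr in addresses:
        if addr not in subnet:
            problems.append(f"{label} {addr} is not on the internal subnet {subnet}")

    # A given IP address or MAC address may be reserved only once.
    seen_ip, seen_mac = set(), set()
    for ip, mac, *_ in reserves:
        if ip in seen_ip or mac.lower() in seen_mac:
            problems.append(f"reserve {ip} {mac} repeats an IP or MAC that is already reserved")
        seen_ip.add(ip)
        seen_mac.add(mac.lower())
    return problems


def assignable_pool(iprange, exclusionranges=(), reserves=()):
    """Addresses left for dynamic assignment: iprange minus exclusions and reservations."""
    start, end = parse_range(iprange)
    pool = {ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)}
    for excl in exclusionranges:
        lo, hi = parse_range(excl)
        pool -= {ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)}
    pool -= {ipaddress.IPv4Address(ip) for ip, *_ in reserves}
    return sorted(pool)


# The page's example completed with constructed values: internal interface
# 192.168.1.99/24, a once-a-day lease (86400 s) and one named reservation.
EXAMPLE = dict(iprange="192.168.1.100-192.168.1.200", netmask="255.255.255.0",
               defaultroute="192.168.1.99", leaseduration=86400,
               exclusionranges=("192.168.1.120-192.168.1.130",),
               reserves=(("192.168.1.150", "00:11:22:33:44:55", "printer"),))

if __name__ == "__main__":
    print("problems:", check_dhcp_config("192.168.1.99", "255.255.255.0", **EXAMPLE))
    pool = assignable_pool(EXAMPLE["iprange"], EXAMPLE["exclusionranges"], EXAMPLE["reserves"])
    print(len(pool), "assignable addresses, first", pool[0], "last", pool[-1])
```

Running the check on a copy of the example with defaultroute 10.0.0.1 and a 200-second lease reports both faults, which is cheaper than discovering them from clients that received a gateway they cannot reach.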


set system dns

Use this command to set the DNS server addresses. Several FortiGate functions, including sending email alerts and URL blocking, use DNS.

Syntax description

primary {<server_ip> | none}
    Enter the primary DNS server IP address. Enter none to delete the primary DNS server IP address.
    Default: 207.194.200.1. Availability: All models.

secondary {<server_ip> | none}
    Enter the secondary DNS server IP address. Enter none to delete the secondary DNS server IP address.
    Default: 207.194.200.129. Availability: All models.

Examples

Use the following command to set the primary DNS server to 207.194.200.2:

set system dns primary 207.194.200.2

Use the following command to delete the primary DNS server:

set system dns primary none

Related commands
• get system dns


set system ha

Use this command to configure FortiGate high availability (HA). HA is supported on FortiGate models 300 and higher. On every FortiGate model that supports HA, except the FortiGate-500, you must use the command set system interface <int_str> config hamode enable to configure the HA interface for HA operation before the set system ha command becomes available.

Except for priority, override, and monitor, the HA configuration that you create using the set system ha command must be identical on every FortiGate unit in the cluster.

Syntax description

groupid <id_integer>
    The HA group ID. The group ID range is 0 to 63. All members of the HA cluster must have the same group ID.
    Default: 0. Availability: Models numbered 300 and higher.

mode {standalone | a-a | a-p}
    The HA mode.
    • standalone: remove the FortiGate unit from an HA cluster.
    • a-a: create an active-active HA cluster. In an active-active cluster, all units process traffic and the primary unit performs load balancing to share connections among all units in the cluster.
    • a-p: create an active-passive HA cluster, in which one FortiGate unit is the primary unit that processes all connections and the others are in active standby, monitoring the status of the primary unit and remaining synchronized with it.
    Default: standalone. Availability: Models numbered 300 and higher.

monitor {<intf_str> [<intf_str> ...] | none}
    Enter the names of the FortiGate interfaces to monitor, separated by spaces. Monitored interfaces are checked to make sure they are up and actively processing network traffic. If a monitored interface fails or is disconnected, the FortiGate unit reverts to a standby state and is removed from the cluster. Enter none to remove all the interface names.
    Default: none. Availability: Models numbered 300 and higher.

override {enable | disable}
    Configure the FortiGate unit to override another primary unit in the cluster that has the same priority and become the primary unit itself.
    Default: disable. Availability: Models numbered 300 and higher.

password <passwd_str>
    Enter a password for the HA cluster. The password must be the same on all FortiGate units in the HA cluster. The maximum password length is 8 characters.
    Default: none. Availability: Models numbered 300 and higher.

priority {<priority_int> | default}
    Set the clustering priority of the FortiGate unit. The unit with the lowest priority becomes the primary unit. The priority range is 0 to 255. If more than one unit in the cluster has the same priority, the cluster negotiates between these units to select the primary unit.
    Default: 255. Availability: Models numbered 300 and higher.


schedule {none | hub | leastconnection | round-robin | weight-round-robin | random | ip | ipport}
    A-A load balancing schedule.
    • none: no load balancing. Use none when the cluster interfaces are connected to load balancing switches.
    • hub: load balancing if the cluster interfaces are connected to a hub. Traffic is distributed to units in the cluster based on the source IP and destination IP of the packet.
    • leastconnection: least connection load balancing. If the FortiGate units are connected using switches, use leastconnection to distribute traffic to the cluster unit currently processing the fewest connections.
    • round-robin: round robin load balancing. If the FortiGate units are connected using switches, use round-robin to distribute traffic to the next available cluster unit.
    • weight-round-robin: weighted round robin load balancing. Similar to round robin, but weighted values are assigned to each unit in the cluster based on its capacity and on how many connections it is currently processing. For example, the primary unit should have a lower weighted value because it handles scheduling and forwards traffic. Weighted round robin distributes traffic more evenly because units that are not processing traffic are more likely to receive new connections than units that are very busy. You can optionally use the weight keyword to set a weighting for each FortiGate unit.
    • random: random load balancing. If the FortiGate units are connected using switches, use random to distribute traffic randomly to cluster units.
    • ip: load balancing according to IP address. If the FortiGate units are connected using switches, use ip to distribute traffic to units in the cluster based on the source IP and destination IP of the packet.
    • ipport: load balancing according to IP address and port. If the FortiGate units are connected using switches, use ipport to distribute traffic to units in the cluster based on the source IP, source port, destination IP, and destination port of the packet.
    Default: round-robin. Availability: Models numbered 300 and higher. a-a mode only.

weight <p1_weight_integer> [<p2_weight_integer> [<p3_weight_integer>] ... [<p32_weight_integer>]]
    For weighted round robin scheduling, the weight to assign to each unit in the cluster according to its priority. Weights are assigned by priority, and the unit with that priority is assigned that weight. By default the weight for all priorities is 1. Increase the weight of a priority to increase the number of connections processed by the cluster unit with that priority. Weight can be from 0 to 32.
    Default: all priority IDs set to 1. Availability: Models numbered 300 and higher. a-a mode only. weight-round-robin only.

Examples

Use the following commands to configure a FortiGate-500 for active-active HA mode with a group ID of 23 and an HA password of hapass, and to monitor the internal, external, and port1 interfaces:

set system ha mode a-a

set system ha groupid 23

set system ha password hapass

set system ha monitor internal external port1


Use the following command to set the HA priority of a FortiGate unit to 0 so that this unit always becomes the primary unit in the cluster:

set system ha priority 0

Related commands
• get system ha
• execute ha manage
• execute ha synchronize
• set system interface
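The following Python is an added example, not FortiOS code. It models primary election as the syntax table describes it (the lowest priority wins, override settles a tie at the same priority, and a unit whose monitored interface fails leaves the cluster), the range checks on groupid, password and mode, and a weight-round-robin schedule with weights keyed by priority. How the cluster negotiates a tie when no unit has override, and the exact weighted round-robin algorithm the device uses, are not on this page, so the choices made here for both are this example's assumptions.

```python
"""Added example, not FortiOS code: a model of HA primary election, the
documented range checks, and weight-round-robin distribution for an A-A cluster."""


class ClusterUnit:
    def __init__(self, name, priority=255, override=False, monitored_interfaces_up=True):
        if not 0 <= priority <= 255:
            raise ValueError("priority must be 0 to 255")
        self.name, self.priority, self.override = name, priority, override
        self.monitored_interfaces_up = monitored_interfaces_up  # False once a monitored interface fails

    def __repr__(self):
        return f"ClusterUnit({self.name!r}, priority={self.priority})"


def elect_primary(units, current_primary=None):
    """Return the unit that becomes primary, or None if no unit is eligible.
    Tie handling beyond override is not specified on the page; this example keeps
    the current primary when it is among the tied units and otherwise takes the
    first one listed (assumption)."""
    eligible = [u for u in units if u.monitored_interfaces_up]
    if not eligible:
        return None
    lowest = min(u.priority for u in eligible)
    tied = [u for u in eligible if u.priority == lowest]
    if len(tied) == 1:
        return tied[0]
    overriding = [u for u in tied if u.override]
    if overriding:
        return overriding[0]
    if current_primary in tied:
        return current_primary
    return tied[0]


def validate_ha_config(groupid, password, mode):
    """Range checks taken from the syntax table: group ID 0-63, password at most 8 characters."""
    if not 0 <= groupid <= 63:
        raise ValueError("groupid must be 0 to 63")
    if len(password) > 8:
        raise ValueError("HA password is at most 8 characters")
    if mode not in ("standalone", "a-a", "a-p"):
        raise ValueError("mode must be standalone, a-a or a-p")
    return True


def weight_round_robin(units, weights, connections):
    """Distribute `connections` new sessions over the cluster. `weights` maps a
    priority to its weight (0-32, default 1); each cycle gives a unit as many
    connections as its weight, so weight 0 means it receives none. This simple
    cyclic form is the example's assumption about the device's algorithm."""
    for w in weights.values():
        if not 0 <= w <= 32:
            raise ValueError("weight must be 0 to 32")
    cycle = [u.name for u in units for _ in range(weights.get(u.priority, 1))]
    if not cycle:
        raise ValueError("every unit has weight 0; nothing can receive connections")
    counts = {u.name: 0 for u in units}
    for n in range(connections):
        counts[cycle[n % len(cycle)]] += 1
    return counts


if __name__ == "__main__":
    cluster = [ClusterUnit("fgt-a", 0), ClusterUnit("fgt-b", 255, override=True), ClusterUnit("fgt-c", 255)]
    print("primary:", elect_primary(cluster))
    cluster[0].monitored_interfaces_up = False  # fgt-a loses a monitored interface
    print("primary after failover:", elect_primary(cluster, current_primary=cluster[0]))
    members = [ClusterUnit("primary", 1), ClusterUnit("s1", 2), ClusterUnit("s2", 3)]
    print(weight_round_robin(members, {1: 1, 2: 2, 3: 2}, 100))
```

Giving the primary a lower weight than the other units, as the schedule description recommends, is what the last call shows: with weights 1, 2 and 2 the primary takes a fifth of new connections and the two other units take two fifths each.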


set system hostname

Use this command to change the host name of the FortiGate unit.

The FortiGate host name is used as the SNMP system name. By default the host name is the FortiGate model name.

Syntax description

<hostname_str>
    Type a name for this FortiGate unit. The host name can be up to 31 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and the characters \ < > [ ] ` $ % & are not allowed.
    Default: model name. Availability: All models.

Examples

Use the following command to change the FortiGate unit host name to Main_Office:

set system hostname Main_Office

Related commands
• get system status
• unset system hostname
• set system snmp


set system interface

Use this command to edit the configuration of a FortiGate interface.

For FortiGate models 400 and higher, you can also use this command to edit the configuration of a VLAN subinterface. In the following table, VLAN subinterface can be substituted for interface in most places, except that you can only configure VLAN subinterfaces with static IP addresses. Use the command set system vlan to add a VLAN subinterface.

Syntax description

<intf_str>
    The name of the interface to configure. Enter set system interface followed by a space and a ? to display the list of interfaces. For FortiGate models 400 and higher, <intf_str> can also be a VLAN subinterface.
    Default: none. Availability: All models.

mode {dhcp | pppoe | static}
    Configure the connection mode for the interface and its primary IP address:
    • static: configure a static IP address for the interface.
    • dhcp: configure the interface to receive its IP address from a DHCP server.
    • pppoe: configure the interface to receive its IP address from a PPPoE server.
    Default: none. Availability: All models. dhcp and pppoe are available for the FortiGate-50, 100, 200, and 300 external interface and the FortiGate-60 wan1 interface. Not available in Transparent mode.

config
    Set interface parameters.
    Default: none. Availability: All models.

Keyword for dhcp

connection {enable | disable}
    Enable or disable connecting to a DHCP server to configure the external interface.
    Default: FortiGate-100, 200, 300: disable. FortiGate-50 and 60: enable. Availability: FortiGate-50, 100, 200, and 300 external interface; FortiGate-60 wan1 interface. Not available in Transparent mode.

Keywords for pppoe

connection {enable | disable}
    Enable or disable connecting to a PPPoE server to configure the external interface.
    Default: FortiGate-100, 200, 300: disable. FortiGate-50 and 60: enable. Availability: FortiGate-50, 100, 200, and 300 external interface; FortiGate-60 wan1 interface. Not available in Transparent mode.

ipunnumbered {enable [borrow <address_ip>] | disable}
    Enable or disable IP unnumbered mode for PPPoE. Specify the IP address that the interface borrows. This address can be the same as the IP address of another interface or any other IP address.
    Default: disable. Availability: FortiGate-50, 100, 200, and 300 external interface; FortiGate-60 wan1 interface. Not available in Transparent mode.


password <password_str>
    Enter the password used to connect to the PPPoE server.
    Default: none. Availability: FortiGate-50, 100, 200, and 300 external interface; FortiGate-60 wan1 interface. Not available in Transparent mode.

username <name_str>
    Enter the user name used to connect to the PPPoE server.
    Default: none. Availability: FortiGate-50, 100, 200, and 300 external interface; FortiGate-60 wan1 interface. Not available in Transparent mode.

Note: The first time you configure a FortiGate external interface for PPPoE you must enter both the username and password keywords.

Keyword for static

ip <intf_ip> <netmask_ip>
    The interface IP address and netmask.
    Default: varies for each interface. Availability: All models. Not available in Transparent mode.

Keywords for config

allowaccess {ping https snmp ssh http telnet}
    Allow management access to the interface. You can enter one or more of the management access types separated by spaces. http and telnet carry administrator credentials in clear text; prefer https and ssh, particularly on an interface that faces an untrusted network.
    Default: varies for each interface. Availability: All models.

arpforward {enable | disable}
    Enable or disable layer 2 ARP forwarding for an interface.
    Default: disable. Availability: All models.

denyaccess {ping https snmp ssh http telnet}
    Deny management access to the interface. You can enter one or more of the management access types separated by spaces.
    Default: none. Availability: All models.

detectserver <ping_ip>
    Add the IP address of a ping server. A ping server is usually the next-hop router on the network connected to the interface. If gwdetect is enabled, the FortiGate unit confirms connectivity with the server at this IP address. Adding a ping server is required for routing failover.
    Default: none. Availability: All models. Not available in Transparent mode.

gwdetect {enable | disable}
    Enable or disable confirming connectivity with the server at the detectserver <ping_ip> IP address. The frequency with which the FortiGate unit confirms connectivity is set using the set system option interval command.
    Default: disable. Availability: All models. Not available in Transparent mode.

Keywords for pppoe Description Default Availability


Page 91: Manual Fortinet


hamode {enable | disable}

Enable or disable high availability (HA) mode for this interface and for the FortiGate unit. Except for the FortiGate-500, which has a dedicated HA interface, HA cannot be configured until the interface to be used for HA operation has been set to HA mode. When the interface is configured for HA mode, you cannot connect a network to it.

disable FortiGate-300 dmz/ha interface. FortiGate-400, 1000, 2000 and 3000 4/ha interface. FortiGate-3600 5/ha interface.

log {enable | disable} Enable or disable traffic logging of connections to this interface.

disable All models.

macaddr {<new_mac> | factorydefault}

Override the factory set MAC address of this interface by specifying a new MAC address. If you have changed the MAC address, you can use factorydefault to revert to the factory set MAC address.

Factory set.

All models.

mtu <mtu_integer> Enter the maximum transmission unit size in bytes. Ideally mtu should be the same as the smallest MTU of all the networks between this FortiGate unit and the destination of the packets. The <mtu_integer> range is 68 to 1500 bytes.

1500 All models. Not available in Transparent mode.

secallowaccess {ping https snmp ssh http telnet}

Allow management access to the secondary IP address of the interface. You can enter one or more of the management access types separated by spaces.

Varies for each interface.

All models. Not available in Transparent mode.

secdenyaccess {ping https snmp ssh http telnet}

Deny management access to the secondary IP address of the interface. You can enter one or more of the management access types separated by spaces.

No default. All models. Not available in Transparent mode.

secdetectserv <ping_ip>

Add the IP address of a ping server for the secondary IP address. A ping server is usually the next hop router on the network connected to the interface. If secgwdetect is enabled, the FortiGate unit confirms connectivity with the server at this IP address. Adding a ping server is required for routing failover. The primary and the secondary ping_ip can be the same IP address.

No default. All models. Not available in Transparent mode.

secgwdetect {enable | disable}

Enable or disable confirming connectivity with the server at the secdetectserv <ping_ip> IP address. The frequency with which the FortiGate unit confirms connectivity is set using the set system option interval command.

disable All models. Not available in Transparent mode.

secip <intf_ip> <netmask_ip>

Add or change the secondary static IP address and netmask for the interface. The secondary IP address can be on any subnet, including the same subnet as the primary IP address. The secondary IP address cannot be the same as the primary IP address.

0.0.0.0 0.0.0.0

All models. Not available in Transparent mode.


Page 92: Manual Fortinet


Example:

Use the following commands to set the FortiGate-500 port1 interface IP address and netmask to 192.168.100.159 255.255.255.0, the management access to ping and https, and to add the interface to a zone named Zone1.

set system interface port1 mode static ip 192.168.100.159 255.255.255.0

set system interface port1 config allowaccess ping https zone Zone1

Use the following commands to set the IP address and netmask of a VLAN subinterface named VLAN_1 to 192.168.200.20 255.255.255.0, the management access to ping and https and to add the VLAN subinterface to a zone named Zone2.

set system interface VLAN_1 mode static ip 192.168.200.20 255.255.255.0

set system interface VLAN_1 config allowaccess ping https zone Zone2

Use the following commands to add a secondary IP address to the internal interface. The secondary IP address and netmask are 192.176.23.180 255.255.255.0. Also configure ping and https management access to this secondary IP address.

set system interface internal config secip 192.176.23.180 255.255.255.0

set system interface internal config secallowaccess ping https

Related commands
• set system vlan
• set system zone
• get system interface
• unset system secondip
• unset system vlan
• unset system zone

speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half}

The interface speed:
• auto, the default speed. The interface uses auto-negotiation to determine the connection speed. Change the speed only if the interface is connected to a device that does not support auto-negotiation.
• 10full, 10 Mbps, full duplex
• 10half, 10 Mbps, half duplex
• 100full, 100 Mbps, full duplex
• 100half, 100 Mbps, half duplex
• 1000full, 1000 Mbps, full duplex
• 1000half, 1000 Mbps, half duplex

auto Speed options vary for different models and interfaces. Enter a space and a ? after the speed keyword to see a list of speeds available for that model and interface.

status {down | up} Start or stop the interface. If the interface is stopped it does not accept or send packets.

up All models.

zone <zone_str> Enter the name of the zone to add this interface to. You can add one or more interfaces to a zone. If you have added firewall addresses to an interface, you must delete these firewall addresses before you can add the interface to a zone. When you add an interface to a zone, you cannot add firewall addresses to the interface and the interface does not appear on the policy grid.

No default. FortiGate-400 and up. Not available in Transparent mode.
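The allowaccess, denyaccess, secallowaccess and secdenyaccess keywords above decide which management protocols an interface answers, and http and telnet carry administrator credentials in the clear. The following is an added example, not code from the guide or from Fortinet: it parses set system interface ... config commands of the form shown in the examples and lists cleartext management access per interface. It assumes that successive allowaccess/denyaccess commands for one interface are applied in order to a single set of permitted services (the guide does not say whether allowaccess replaces or extends the set), and it treats the guide's external and wan1 interface names as untrusted.

```python
# Added example (not from the FortiGate guide): audit "set system interface
# <name> config allowaccess/denyaccess/secallowaccess/secdenyaccess ..." lines
# for management access over cleartext protocols.
# Assumptions: commands are applied in order to one set per address (primary
# or secondary); unknown config keywords (zone, mtu, secip, ...) are skipped.
import re
from collections import defaultdict

ACCESS_TYPES = {"ping", "https", "snmp", "ssh", "http", "telnet"}
CLEARTEXT = {"http", "telnet"}  # credentials cross the wire unencrypted
ACCESS_KEYWORDS = ("allowaccess", "denyaccess", "secallowaccess", "secdenyaccess")

_CONFIG_CMD = re.compile(r"^\s*set\s+system\s+interface\s+(\S+)\s+config\s+(.*)$", re.I)


def parse_interface_config(lines):
    """Return {interface: {"primary": set, "secondary": set}} of permitted
    management access types, built from set system interface ... config lines."""
    access = defaultdict(lambda: {"primary": set(), "secondary": set()})
    for line in lines:
        m = _CONFIG_CMD.match(line)
        if not m:
            continue  # mode/static/pppoe commands carry no access keywords
        name, tokens = m.group(1), m.group(2).split()
        i = 0
        while i < len(tokens):
            kw = tokens[i].lower()
            if kw not in ACCESS_KEYWORDS:
                i += 1  # other config keywords and their arguments are skipped
                continue
            bucket = "secondary" if kw.startswith("sec") else "primary"
            # the access types follow the keyword, separated by spaces; the
            # first token that is not an access type (e.g. "zone") ends them
            j = i + 1
            types = set()
            while j < len(tokens) and tokens[j].lower() in ACCESS_TYPES:
                types.add(tokens[j].lower())
                j += 1
            if "allow" in kw:
                access[name][bucket] |= types
            else:
                access[name][bucket] -= types
            i = j
    return {name: buckets for name, buckets in access.items()}


def cleartext_findings(access, untrusted=("external", "wan1")):
    """List (interface, address, protocol) for every cleartext management
    protocol still enabled; untrusted interfaces are reported first."""
    ordered = sorted(access.items(), key=lambda item: item[0] not in untrusted)
    findings = []
    for name, buckets in ordered:
        for addr in ("primary", "secondary"):
            for proto in sorted(buckets[addr] & CLEARTEXT):
                findings.append((name, addr, proto))
    return findings


# Constructed sample configuration: the first four lines are the guide's own
# examples, the remaining lines are made up for the check.
SAMPLE_CONFIG = """
set system interface port1 mode static ip 192.168.100.159 255.255.255.0
set system interface port1 config allowaccess ping https zone Zone1
set system interface internal config secip 192.176.23.180 255.255.255.0
set system interface internal config secallowaccess ping https
set system interface external config allowaccess ping https ssh http telnet
set system interface external config denyaccess telnet
set system interface dmz config allowaccess http
""".strip().splitlines()

if __name__ == "__main__":
    for iface, addr, proto in cleartext_findings(parse_interface_config(SAMPLE_CONFIG)):
        print(f"{iface} ({addr} IP): management access over cleartext {proto}")
```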



Page 93: Manual Fortinet


set system mainregpage

Show or hide the registration window that appears when an administration user logs into the FortiGate web-based manager.

You can use the information on this registration window to register your FortiGate. Register your FortiGate so that Fortinet can contact you for firmware updates. Registering is also required to receive updates to your antivirus and intrusion detection databases.

Syntax description

Keyword Description Default Availability

mainregpage {hide | show}

Show or hide the registration window on the web-based manager.

show All models.

Example:

Use the following command to hide the registration window on the web-based manager:

set system mainregpage hide

Related commands
• get system mainregpage


Page 94: Manual Fortinet


set system management

Configure the Transparent mode management IP address. Use the management IP address for management access to the FortiGate unit running in Transparent mode. The FortiResponse Distribution Network (FDN) also connects to the management IP address for antivirus engine, antivirus definition, and attack definition updates.

Syntax description

Keyword Description Default Availability

ip <manage_ip> <netmask_ip>

Set the IP address and netmask of the Transparent mode management interface.

10.10.10.1 255.255.255.0

All models. Only available in Transparent mode.

Example

Use the following command to set the Transparent mode management IP address to 192.168.1.80 and the netmask to 255.255.255.0:

set system management ip 192.168.1.80 255.255.255.0

Related commands
• get system management


Page 95: Manual Fortinet


set system opmode

Change the FortiGate operation mode.

Syntax description

Keyword Description Default Availability

opmode {nat | transparent}

Change the FortiGate operation to NAT/Route or Transparent mode.

nat All models.

Example

Use the following command to set firewall operation mode to Transparent:

set system opmode transparent

Related commands
• get system status


Page 96: Manual Fortinet


set system option

Set the system timeout and the firewall authorization timeout. Set the web-based manager display language and automatic refresh interval. For models with an LCD, set the front panel LCD pin.

You can also change dead gateway detection settings. Change dead gateway detection settings to control how the FortiGate unit confirms connectivity with a ping server added to an interface configuration. For more information on adding a ping server to an interface, see “set system interface” on page 89.

Syntax description

Keyword Description Default Availability

admintimeout <timeout_integer>

Set the administrator idle timeout to control the amount of inactive time before the administrator must log in again. The maximum admintimeout is 480 minutes (8 hours).

5 minutes All models.

authtimeout <timeout_integer>

Set the firewall user authentication timeout to control the amount of inactive time before the user must authenticate again. The maximum authtimeout is 480 minutes (8 hours).

15 minutes All models.

failtime <failover_integer>

Set the dead gateway detection failover number. Enter the number of times that ping fails before the FortiGate unit assumes that the gateway is no longer functioning.

5 All models.

interval <interval_integer>

Set the dead gateway detection failover interval. Enter a number in seconds to specify how often the FortiGate unit pings the target.

5 seconds All models.

language {english | simplifiedchinese | traditionalchinese | korean | japanese}

Set the web-based manager display language. You can enter English, Simplified Chinese, Japanese, Korean, or Traditional Chinese.

english All models.

lcdpin <pin_integer>

Set the 6 digit PIN administrators must enter to use the LCD panel.

123456 FortiGate models numbered 300 and higher.

lcdprotection {enable | disable}

Enable or disable LCD panel PIN protection.

disable FortiGate models numbered 300 and higher.

refresh {<interval_integer> | none}

Set the automatic refresh interval, in seconds, for the web-based manager System > Status > Monitor page.

none All models.

Examples

Use the following command to set the idle timeout to 50 minutes:

set system option admintimeout 50

Use the following command to require administrators to enter 654321 to access the LCD panel:

set system option lcdprotection enable lcdpin 654321

Related commands
• get system option
• set system interface


Page 97: Manual Fortinet


set system route number

Use this command to add or edit destination-based routes in the FortiGate routing table. Add destination-based routes to control the destination of traffic exiting the FortiGate unit. You configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses. The gateways are the next hop routers to which to route traffic that matches the destination addresses in the route.

You can add one or two gateways to a route. If you add one gateway, the FortiGate unit routes the traffic to that gateway. You can add a second gateway to route traffic to the second gateway if the first gateway fails.

To support routing failover, the IP address of each gateway must be added to the ping server of the interface connected to the same network as the gateway. See “set system interface” on page 89.

Syntax description

Keyword Description Default Availability

<route_integer>

The number of the route to specify the location of the route in the routing table. Entering a new route number adds a new route. Entering an existing route number edits that route. Enter set system route number followed by a space and ? to see a list of existing routes and their numbers.

No default.

All models.

dev1 {<intf_str> | auto}

The name of the FortiGate interface through which to route traffic. If dev1 is set to auto, the FortiGate routes traffic to the interface that is on the same subnet as gw1.

auto All models. NAT/Route mode only.

dev2 {<intf_str> | auto}

The name of the FortiGate interface through which to route traffic. If dev2 is set to auto, the FortiGate routes traffic to the interface that is on the same subnet as gw2.

auto All models. NAT/Route mode only.

dst <destination_ip> <netmask_ip>

The destination IP address and netmask for this route. Enter 0.0.0.0 0.0.0.0 for the destination IP and netmask to add a default route.

0.0.0.0 0.0.0.0

All models.

gw1 <gateway1_ip>

The IP address of the first next hop router to which this route directs traffic. In NAT/Route mode, <gateway1_ip> must be on the same subnet as one of the FortiGate interfaces. If you specify dev1, the <gateway1_ip> must be on the same subnet as the dev1 interface. In Transparent mode, <gateway1_ip> must be on the same subnet as the Transparent mode management IP.

No default.

All models.

gw2 <gateway2_ip>

The IP address of the second next hop router to which this route directs traffic. In NAT/Route mode, <gateway2_ip> must be on the same subnet as one of the FortiGate interfaces. If you specify dev2, the <gateway2_ip> must be on the same subnet as the dev2 interface. In Transparent mode, <gateway2_ip> must be on the same subnet as the Transparent mode management IP.

No default.

All models. NAT/Route mode only.


Page 98: Manual Fortinet


Example

Use the following command in NAT/Route mode to add a default gateway with the IP address 192.168.100.1:

set system route number 0 gw1 192.168.100.1

Use the following command in NAT/Route mode to add a route with the number 0, the destination IP address and netmask 64.23.11.0 255.255.255.0 and using a gateway with the IP address 192.168.100.1:

set system route number 0 dst 64.23.11.0 255.255.255.0 gw1 192.168.100.1

Use the following command in NAT/Route mode for route 0 to change gateway 1 to a gateway with the IP address 172.168.200.1 and to add a second gateway with the IP address 192.168.1.12:

set system route number 0 gw1 172.168.200.1 gw2 192.168.1.12

Use the following command in NAT/Route mode to add a route for primary and backup links to the Internet. In this route, the external interface is the primary link to the Internet and the IP address of the next hop router on the network connected to the external interface is 1.1.1.1. The DMZ interface is the secondary link to the Internet and the IP address of the next hop router in the network connected to the DMZ interface is 2.2.2.2:

set system route number 0 dst 0.0.0.0 0.0.0.0 gw1 1.1.1.1 dev1 external gw2 2.2.2.2 dev2 dmz

Use the following command in Transparent mode to add a default route to a gateway with the IP address 192.168.100.1:

set system route number 0 gw1 192.168.100.1

Use the following command in Transparent mode to add a route with the number 1, the destination IP address and netmask 64.23.11.0 255.255.255.0 and using a gateway with the IP address 192.168.100.1:

set system route number 1 dst 64.23.11.0 255.255.255.0 gw1 192.168.100.1

Related commands
• get system route table
• unset system route number


Page 99: Manual Fortinet


set system route policy

Policy routing extends the functions of destination routing. Using policy routing you can route traffic based on:

• Source address
• Protocol, service type, or port range
• Incoming or source interface

Using policy routing you can build a routing policy database (RPDB) that selects the appropriate route for traffic by executing a set of routing rules. To select a route for traffic the FortiGate unit matches the traffic with the policy routes added to the RPDB starting at the top of the list. The first policy route to match the traffic is used to set the route for the traffic. The route supplies the next hop gateway as well as the FortiGate interface to be used by the traffic.

For policy routing to work as expected, the gateway added to a policy route must also be added to a destination route (using the set system route number command). When the FortiGate unit matches packets with a route in the RPDB, the FortiGate unit looks in the destination routing table for the gateway that was added to the policy route. If a match is found, the FortiGate routes the packet using the matched destination route. If a match is not found, the FortiGate routes the packet using normal routing.

Syntax description

Keyword Description Default Availability

<policy_integer>

The number of the route to specify the location of the route in the routing table. Entering a new route number adds a new route. Entering an existing route number edits that route. Enter set system route number followed by a space and ? to see a list of existing routes and their numbers.

No default.

All models. NAT/Route mode only.

dst <destination_ip> <netmask_ip>

The destination IP address and netmask for this route.

0.0.0.0 0.0.0.0

All models. NAT/Route mode only.

gw <gateway_ip>

The IP address of the first next hop router to which this route directs traffic. In NAT/Route mode, <gateway_ip> must be on the same subnet as one of the FortiGate interfaces. If you specify dev1, the <gateway_ip> must be on the same subnet as the dev1 interface.

0.0.0.0 All models. NAT/Route mode only.

iifname <intf_str>

The source interface for the route. <intf_str> is the name of the FortiGate interface from which this route directs traffic.

No default.

All models. NAT/Route mode only.

oifname <intf_str>

The destination interface for the route. <intf_str> is the name of the FortiGate interface through which to route traffic.

No default.

All models. NAT/Route mode only.

port <low_integer> <high_integer>

Add a port range to a policy route. If you add a port range, the policy route routes packets with a matching destination port range.

0 0 All models. NAT/Route mode only.


Page 100: Manual Fortinet


Examples

If a FortiGate unit provides Internet access for multiple internal subnets, you can use policy routing to control the route that traffic from each network takes to the Internet. For example, if the internal network includes the subnets 192.168.10.0 and 192.168.20.0 you can enter the following policy routes:

• Enter the following command to route traffic from the 192.168.10.0 subnet to the 100.100.100.0 external network:

set system route policy 1 src 192.168.10.0 255.255.255.0 dst 100.100.100.0 255.255.255.0 gw 1.1.1.1

• Enter the following command to route traffic from the 192.168.20.0 subnet to the 200.200.200.0 external network:

set system route policy 2 src 192.168.20.0 255.255.255.0 dst 200.200.200.0 255.255.255.0 gw 2.2.2.1

You can use the following policy routes to direct all HTTP traffic (using port 80) to one external network and all other traffic to the other external network.

• Enter the following command to route all HTTP traffic using port 80 to the next hop gateway with IP address 1.1.1.1.

set system route policy 1 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 protocol 6 port 80 80 gw 1.1.1.1

• Enter the following command to route all other traffic to the next hop gateway with IP address 2.2.2.1.

set system route policy 2 src 0.0.0.0 0.0.0.0 dst 0.0.0.0 0.0.0.0 gw 2.2.2.1

Related commands
• unset system route policy
• get system route policy

protocol <protocol_integer>

Add a protocol number to a policy route. If you add a protocol, the policy route routes packets with a matching protocol number.

0 All models. NAT/Route mode only.

src <source_ip> <netmask_ip>

The source IP address and netmask for this route.

0.0.0.0 0.0.0.0

All models. NAT/Route mode only.
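The route selection described in this section and in set system route number (first matching policy route from the top of the RPDB, whose gateway must also exist in a destination route, otherwise normal routing, with gw2 taking over when gw1 is reported down) is easy to get wrong when reading a configuration. The following is an added example, not the FortiGate implementation, that models that selection for the guide's own example routes. It assumes the destination table is searched in route-number order with the first match winning, that a policy route whose gateway is in no destination route is ignored, and that dev auto is returned unresolved.

```python
# Added example (not the FortiGate implementation): model of policy routing
# (RPDB, first match from the top) falling back to destination routing with
# gw1/gw2 failover. Assumptions: destination routes are tried in number order;
# a gateway reported down by dead gateway detection is skipped in favour of the
# route's other gateway; dev "auto" is returned as-is.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def net(addr: str, mask: str) -> IPv4Network:
    """Build a network from the guide's 'address netmask' pair (0.0.0.0 0.0.0.0 = any)."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class DestRoute:
    """set system route number <n> dst ... gw1 ... dev1 ... gw2 ... dev2 ..."""
    number: int
    dst: IPv4Network
    gw1: str
    dev1: str = "auto"
    gw2: Optional[str] = None
    dev2: str = "auto"


@dataclass
class PolicyRoute:
    """set system route policy <n> src ... dst ... gw ... [protocol ...] [port ...]"""
    number: int
    src: IPv4Network
    dst: IPv4Network
    gw: str
    protocol: int = 0        # 0 = any protocol (the guide's default)
    port: tuple = (0, 0)     # (low, high) destination port range; 0 0 = any
    iifname: str = ""        # "" = any source interface (assumption)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int
    iif: str


def policy_matches(pol: PolicyRoute, pkt: Packet) -> bool:
    if IPv4Address(pkt.src) not in pol.src or IPv4Address(pkt.dst) not in pol.dst:
        return False
    if pol.protocol and pol.protocol != pkt.protocol:
        return False
    low, high = pol.port
    if (low, high) != (0, 0) and not low <= pkt.dport <= high:
        return False
    return not pol.iifname or pol.iifname == pkt.iif


def usable_gateway(route: DestRoute, dead, prefer: Optional[str] = None):
    """(gateway, interface) of the first gateway not reported down by dead
    gateway detection; 'prefer' moves the policy route's gateway to the front."""
    candidates = [(route.gw1, route.dev1)]
    if route.gw2:
        candidates.append((route.gw2, route.dev2))
    if prefer:
        candidates.sort(key=lambda c: c[0] != prefer)
    for gw, dev in candidates:
        if gw not in dead:
            return gw, dev
    return None


def select_route(policies, dest_routes, pkt: Packet, dead=frozenset()):
    """Return (gateway, interface) for pkt, or None when no route matches."""
    policies = sorted(policies, key=lambda r: r.number)
    dest_routes = sorted(dest_routes, key=lambda r: r.number)
    # 1. RPDB: the first policy route from the top of the list that matches.
    for pol in policies:
        if not policy_matches(pol, pkt):
            continue
        # 2. Its gateway must also be present in a destination route.
        for dr in dest_routes:
            if pol.gw in (dr.gw1, dr.gw2):
                return usable_gateway(dr, dead, prefer=pol.gw)
        break  # gateway in no destination route: fall back to normal routing
    # 3. Normal routing: first destination route (by number) containing dst.
    for dr in dest_routes:
        if IPv4Address(pkt.dst) in dr.dst:
            return usable_gateway(dr, dead)
    return None


# Constructed tables, built from the guide's own examples.
ANY = net("0.0.0.0", "0.0.0.0")
DEST_ROUTES = [DestRoute(0, ANY, "1.1.1.1", "external", "2.2.2.1", "dmz")]
SUBNET_POLICIES = [
    PolicyRoute(1, net("192.168.10.0", "255.255.255.0"), net("100.100.100.0", "255.255.255.0"), "1.1.1.1"),
    PolicyRoute(2, net("192.168.20.0", "255.255.255.0"), net("200.200.200.0", "255.255.255.0"), "2.2.2.1"),
    PolicyRoute(3, net("192.168.30.0", "255.255.255.0"), ANY, "3.3.3.3"),  # gateway in no destination route
]
HTTP_POLICIES = [
    PolicyRoute(1, ANY, ANY, "1.1.1.1", protocol=6, port=(80, 80)),  # TCP port 80 via 1.1.1.1
    PolicyRoute(2, ANY, ANY, "2.2.2.1"),                              # everything else via 2.2.2.1
]
```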


Page 101: Manual Fortinet


set system route rip

Set routing information protocol (RIP) settings to enable basic RIP functionality and metrics and to configure RIP timers.

The FortiGate implementation of RIP supports both RIP version 1 (as defined by RFC 1058) and RIP version 2 (also called RIP2 and defined by RFC 2453). RIP2 enables RIP messages to carry more information and supports simple authentication. RIP2 also supports subnet masks, a feature not available in RIP version 1.

Syntax description

Keyword Description Default Availability

{enable | disable}

Enable or disable RIP server support. When you enable RIP server support, the FortiGate acts like a RIP server, broadcasting RIP packets to other nearby routers.

disable All models except FortiGate-50. NAT/Route mode only.

advertise-default {enable | disable}

Enable or disable including the FortiGate default route in RIP routing table updates.

disable All models except FortiGate-50. NAT/Route mode only.

auto-summary {enable | disable}

Enable or disable automatically summarizing subnet routes into network-level routes. If auto-summary is not enabled, the FortiGate unit transmits sub-prefix routing information across classful network boundaries.

disable All models except FortiGate-50. NAT/Route mode only.

default-metric <metric_integer>

Change the default metric that is applied to routes with incompatible metrics. The default metric assists in resolving how routes with incompatible metrics are redistributed. Whenever metrics do not convert, RIP uses the default metric to provide a reasonable substitute and allows the redistribution to proceed.

2 All models except FortiGate-50. NAT/Route mode only.

input-queue <queue-size_integer>

Change the depth of the RIP input queue. The larger the numerical value, the larger the depth of the queue. Consider changing the input-queue depth if you have a FortiGate unit sending at high speed to a low-speed router that might not be able to receive at the high speed. Configuring this command helps prevent the routing table from losing information. <queue-size_integer> can be from 0 to 1024. A queue size of 0 means there is no input queue.

50 All models except FortiGate-50. NAT/Route mode only.

output-delay <delay_integer>

Change the output delay to add a delay in milliseconds between packets in a multiple-packet RIP update. A typical output delay is 8 to 50 milliseconds. Add an output delay if you are configuring RIP on a FortiGate unit that could be sending packets to a router that cannot receive the packets at the rate the FortiGate unit is sending them. The default output delay is 0 milliseconds.

0 All models except FortiGate-50. NAT/Route mode only.

Example:

Use the following command to enable RIP server support:

set system route rip enable

Use the following command to change the RIP default metric to 5:

set system route rip default-metric 5


Page 102: Manual Fortinet


Related commands
• get system route rip
• set system route rip filter
• set system route rip interface
• set system route rip neighbor
• set system route rip timers


Page 103: Manual Fortinet


set system route rip filter

Use RIP filters to control the routing information received by the FortiGate unit and sent by the FortiGate unit. You can create filters for two purposes:

Neighbors filter: for filtering routes received from neighboring routers. When the FortiGate unit receives routes from a neighboring router, the neighbors filter defines which routes received from the neighbor are stored in the FortiGate routing table and which routes are discarded.

Routes filter: for filtering routes before a routing table update is sent to neighboring routers. Before the FortiGate unit sends routes to neighboring routers, the routes filter defines which routes can be sent and which routes cannot be sent.

A RIP filter consists of the IP address and netmask of a route, the action the filter should perform for this route (allow or deny), and the interface on which this filter entry should be applied. Routes that do not match a route added to a RIP filter are allowed.

A single RIP filter contains instructions for allowing or denying a single route. You can add multiple RIP filter entries under the same RIP filter name to create a RIP filter list. Using a RIP filter list you can filter multiple routes.

After creating RIP filters and filter lists you can configure the neighbors filter or routes filter by selecting a filter or filter list for each of these filter types. If you do not select a RIP filter for neighbors or routes, no filtering is applied. You can add a total of four RIP filters or RIP filter lists, but you can only have one active neighbors filter and one active routes filter.

Syntax description

Keyword Description Default Availability

add name <filter-name_str>

Add and specify the name of a RIP filter list. Each RIP filter and RIP filter list must have a unique name. The name can be 15 characters long and can contain upper and lower case letters, numbers, and special characters. The name cannot contain spaces.

No default.

All models except FortiGate-50. NAT/Route mode only.

del name <filter-name_str>

Delete the named RIP filter or RIP filter list.

No default.

All models except FortiGate-50. NAT/Route mode only.

name [<filter-name_str> {add | del} address <route_ip> <netmask_ip> action {allow | deny} interface <intf_str>]

Add a route prefix to a filter list or delete a route prefix from a filter list. A route prefix consists of the IP address and netmask for the route, the action to be performed by the filter (allow or deny), and the name of the interface on which to apply the route filter. To add or delete a route prefix you must enter all of the parameters of the route prefix. Set action to allow so that the filter permits this route to be communicated. Set action to deny to stop this route from being communicated. Enter set system route rip filter name to view the list of filter lists. You must add the route prefix to one of these filter lists. Use the command set system route rip filter add name to add a filter list.

No default.

All models except FortiGate-50. NAT/Route mode only.


Page 104: Manual Fortinet


Example:

Use the following commands to add two filter lists named Filter_List1 and Filter_List2:

set system route rip filter add name Filter_List1

set system route rip filter add name Filter_List2

Use the following command to add route prefixes to each filter list:

set system route rip filter name Filter_List1 add address 1.2.3.4 255.255.255.0 action allow interface internal

set system route rip filter name Filter_List1 add address 4.5.6.7 255.255.255.0 action deny interface internal

set system route rip filter name Filter_List2 add address 11.22.33.44 255.255.255.0 action allow interface internal

set system route rip filter name Filter_List2 add address 44.55.66.77 255.255.255.0 action deny interface internal

Use the following commands to set the neighbors filter to Filter_List1 and enable the neighbors filter:

set system route rip filter neighbors filter-list Filter_List1

set system route rip filter neighbors mode filtered

Use the following commands to set the routes filter to Filter_List2 and enable the routes filter:

set system route rip filter routes filter-list Filter_List2

set system route rip filter routes mode filtered

Use the following command to view RIP filter settings:

get system route rip filter

Route RIP filter settings:
Filter: Filter_List1
ip = 1.2.3.4, mask = 255.255.255.0, action = allow, interface = internal
ip = 4.5.6.7, mask = 255.255.255.0, action = deny, interface = internal
Filter: Filter_List2
ip = 11.22.33.44, mask = 255.255.255.0, action = allow, interface = internal
ip = 44.55.66.77, mask = 255.255.255.0, action = deny, interface = internal
Filter neighbors mode = filtered
Filter neighbors filter-list = Filter_List1
Filter routes mode = filtered
Filter routes filter-list = Filter_List2

neighbors {filter-list [<filter-name_str>] | mode [none | filtered]}

Enable or disable the neighbors filter. Specify a filter or filter list to become the neighbors filter. mode filtered enables the neighbors filter. mode none disables the neighbors filter. filter-list <filter-name_str> selects the <filter-name_str> to be the neighbors filter. Only one filter list can be the neighbors filter. To change the neighbors filter, re-enter this command and specify a different <filter-name_str>. Enter set system route rip filter neighbors filter-list to view the current neighbors filter list.

The default mode is none.

All models except FortiGate-50. NAT/Route mode only.

routes {filter-list [<filter-name_str>] | mode [none | filtered]}

Enable or disable the routes filter. Specify a filter or filter list to become the routes filter. mode filtered enables the routes filter. mode none disables the routes filter. filter-list <filter-name_str> selects the <filter-name_str> to be the routes filter. Only one filter list can be the routes filter. To change the routes filter, re-enter this command and specify a different <filter-name_str>. Enter set system route rip filter routes filter-list to view the current routes filter list.

The default mode is none.

All models except FortiGate-50. NAT/Route mode only.

Page 105: Manual Fortinet

Related commands
• get system route rip
• set system route rip
• set system route rip interface
• set system route rip neighbor
• set system route rip timers
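Two properties of RIP filters stated above deserve a check before relying on them: a route that matches no entry is allowed, and each entry applies only on its named interface, so a deny written for the internal interface does not stop the same prefix from being advertised on another interface. The following is an added example, not the FortiGate implementation: it parses the filter commands from the example above into filter lists and applies the neighbors and routes filters the way the guide describes. It assumes an entry matches a route when the route prefix equals the entry's address/netmask and the route is received on or sent via the entry's interface, with entries checked in the order they were added.

```python
# Added example (not the FortiGate implementation): parse "set system route
# rip filter" commands and apply the neighbors filter (routes received) and
# routes filter (routes sent) as the guide describes: first matching entry
# for the interface decides, no match means allow, mode none means no filter.
# Assumption: an entry matches when the route prefix equals address/netmask.
from collections import namedtuple
from ipaddress import IPv4Network

FilterEntry = namedtuple("FilterEntry", "address netmask action interface")
_PREFIX = "set system route rip filter "


def parse_rip_filter_config(lines):
    cfg = {"filter_lists": {},
           "neighbors": {"mode": "none", "filter-list": None},
           "routes": {"mode": "none", "filter-list": None}}
    for line in lines:
        line = line.strip()
        if not line.startswith(_PREFIX):
            continue
        t = line[len(_PREFIX):].split()
        if t[:2] == ["add", "name"]:                   # add name <filter-name_str>
            cfg["filter_lists"].setdefault(t[2], [])
        elif t[:2] == ["del", "name"]:                 # del name <filter-name_str>
            cfg["filter_lists"].pop(t[2], None)
        elif t[0] == "name":
            # name <list> {add | del} address <ip> <mask> action {allow | deny} interface <intf>
            entry = FilterEntry(t[4], t[5], t[7], t[9])
            entries = cfg["filter_lists"][t[1]]        # the list must already exist (guide)
            if t[2] == "add":
                entries.append(entry)
            elif entry in entries:
                entries.remove(entry)
        elif t[0] in ("neighbors", "routes") and t[1] in ("filter-list", "mode"):
            cfg[t[0]][t[1]] = t[2]
    return cfg


def route_allowed(entries, prefix, interface):
    """The first entry for this interface whose prefix equals the route decides;
    a route that matches no entry is allowed."""
    for e in entries:
        if e.interface == interface and IPv4Network(f"{e.address}/{e.netmask}", strict=False) == prefix:
            return e.action == "allow"
    return True


def filter_routes(cfg, which, routes, interface):
    """which is 'neighbors' (routes received on interface) or 'routes' (routes
    to be sent via interface). Returns the routes that pass the active filter."""
    selection = cfg[which]
    if selection["mode"] != "filtered" or selection["filter-list"] is None:
        return list(routes)
    entries = cfg["filter_lists"][selection["filter-list"]]
    return [r for r in routes if route_allowed(entries, IPv4Network(r), interface)]


# The guide's own example commands, used here as constructed input.
EXAMPLE_COMMANDS = """
set system route rip filter add name Filter_List1
set system route rip filter add name Filter_List2
set system route rip filter name Filter_List1 add address 1.2.3.4 255.255.255.0 action allow interface internal
set system route rip filter name Filter_List1 add address 4.5.6.7 255.255.255.0 action deny interface internal
set system route rip filter name Filter_List2 add address 11.22.33.44 255.255.255.0 action allow interface internal
set system route rip filter name Filter_List2 add address 44.55.66.77 255.255.255.0 action deny interface internal
set system route rip filter neighbors filter-list Filter_List1
set system route rip filter neighbors mode filtered
set system route rip filter routes filter-list Filter_List2
set system route rip filter routes mode filtered
""".strip().splitlines()
CFG = parse_rip_filter_config(EXAMPLE_COMMANDS)
```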


Page 106: Manual Fortinet


set system route rip interface

You can create a unique RIP configuration for each FortiGate interface. On FortiGate models 400 and up you can also create a unique RIP configuration for each VLAN subinterface. This allows you to customize RIP for the network to which each interface or each VLAN subinterface is connected. For example:

• If you have a complex internal network containing other devices that use the RIP2 protocol, you might want to configure RIP2 send and receive for the internal interface.

• If the external interface is connected to the Internet you may not want to enable RIP send for this interface so that the internal routes are not exposed to the Internet. However, you may want to configure RIP receive so that the FortiGate unit receives routes from your ISP.

• If the DMZ interface is connected to a small DMZ network you may not need to configure RIP for this interface.

Syntax description

Keyword Description Default Availability

<intf_str>

The name of the interface or VLAN subinterface for which to configure RIP settings.

No default.

All models except FortiGate-50. NAT/Route mode only.

auth {enable <password_str> mode {clear | md5} | disable}

Enable or disable authentication for RIP2 packets sent and received by an interface. Authentication is only supported by the RIP2 standard. Disable authentication if receive or send are set to v1 or v12. The <password_str> can be up to 16 characters long. mode defines how the FortiGate authenticates RIP2 packets. clear means send the password as plain text. md5 means use MD5 authentication.

disable All models except FortiGate-50. NAT/Route mode only.

passive {enable | disable}

Passive mode is not supported in this version.

receive {v1 | v2 | v12} {enable | disable}

Enable or disable listening on an interface on port 520 for RIP broadcasts. v1: the interface listens for RIP1 messages. v2: the interface listens for RIP2 messages. v12: the interface listens for RIP1 and RIP2 messages.

disable All models except FortiGate-50. NAT/Route mode only.

send {v1 | v2 | v12} metric <metric_int> {enable | disable}

Enable or disable sending RIP broadcasts from an interface to the network it is connected to. The routing messages are UDP packets with a destination port of 520. v1: the interface sends RIP1 messages. v2: the interface sends RIP2 messages. v12: the interface sends RIP1 and RIP2 messages. Optionally change the metric for routes sent by this interface. All routes sent from this interface have this metric added to their current metric value. You can change the interface metric to give higher priority to some interfaces. For example, if two interfaces can be used to route packets to the same destination and you set the metric of one interface higher than the other, routes through the interface with the lower metric appear to have a lower cost, so more traffic uses routes through that interface. <metric_int> can be from 1 to 16.

disable. Default metric is 1.

All models except FortiGate-50. NAT/Route mode only.

106 Fortinet Inc.

Page 107: Manual Fortinet

set commands set system route rip interface

ExamplesUse the following commands to configure the internal interface to send and receive RIP2 routes.

set system route rip interface internal send v2 metric 1 enable

set system route rip interface internal receive v2 enable

Use the following command to configure RIP2 authentication for the internal interface, set the password to RIPpass and set the authentication mode to MD5:

set system route rip interface internal auth enable RIPpass mode md5

Related commands• get system route rip• set system route rip• set system route rip filter• set system route rip neighbor• set system route rip timers

split-horizon {enable | disable}

Enable or disable split-horizon for an interface to prevent routing loops. Split-horizon should only be disabled if you are sure that routing loops cannot be created from this interface.

enable All models except FortiGate-50. NAT/Route mode only.

Note: MD5 authentication is used to verify the integrity of the routing message sent by the FortiGate unit. Using MD5 authentication, the password is added to the routing message and MD5 is applied to create the MD5 digest of the routing message. The password is replaced in the routing message with this MD5 digest and this message is broadcast. When a router receives the routing message, it replaces the MD5 digest with the password, computes the MD5 digest of this new message and then compares the result with the MD5 digest sent with the original message. If the two MD5 digests are identical, the receiver accepts the message. If they are not, the receiver rejects the message.

Keyword Description Default Availability

FortiGate CLI Reference Guide 107
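The following Python example is added here to illustrate the difference between mode clear and mode md5 as the auth keyword and the note above describe them; it is not code from the Fortinet guide. It encodes a constructed RIP2 response (the RFC 2453 header and route entry layout), then models the page's description of MD5 authentication: the password is appended, the whole message is hashed, and the digest is sent in place of the password. The trailer is a model of that description, not the RFC 2082 wire format a real router emits, and the sample route, the tamper_metric helper and the demo function are assumptions for the illustration.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

RIP_RESPONSE = 2          # RIP command byte: response (a routing update)
RIP_VERSION = 2           # RIP2, the only version that supports authentication
DIGEST_LEN = 16           # MD5 produces a 16-byte digest
PASSWORD = b"RIPpass"     # password from the page's own example; up to 16 characters


def build_rip2_response(routes):
    """Encode a RIP2 response: 4-byte header followed by one 20-byte entry per route
    (address family, route tag, prefix, mask, next hop, metric), as RFC 2453 lays it out."""
    packet = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    for prefix, mask, next_hop, metric in routes:
        packet += struct.pack(
            "!HH4s4s4sI", 2, 0,  # AFI 2 = IPv4, route tag 0
            IPv4Address(prefix).packed, IPv4Address(mask).packed,
            IPv4Address(next_hop).packed, metric)
    return packet


def sign_md5(packet, password):
    """mode md5 as the page describes it: append the password, hash the whole message,
    then send the digest in place of the password (model only, not the RFC 2082 trailer)."""
    if not 1 <= len(password) <= 16:
        raise ValueError("<password_str> can be up to 16 characters long")
    digest = hashlib.md5(packet + password).digest()
    return packet + digest


def verify_md5(signed, password):
    """Receiver side: put the password back where the digest was, rehash and compare."""
    body, received = signed[:-DIGEST_LEN], signed[-DIGEST_LEN:]
    expected = hashlib.md5(body + password).digest()
    return hmac.compare_digest(expected, received)   # constant-time comparison


def sign_clear(packet, password):
    """mode clear: the password itself travels in the packet as plain text."""
    return packet + password


def verify_clear(signed, password):
    return signed.endswith(password)


def tamper_metric(signed, new_metric):
    """Simulate an on-path change of the first route's metric (bytes 20..24 of the packet)."""
    return signed[:20] + struct.pack("!I", new_metric) + signed[24:]


def demo():
    # Constructed sample route: one entry, metric 1, next hop 0.0.0.0 (the sender itself).
    packet = build_rip2_response([("10.1.0.0", "255.255.0.0", "0.0.0.0", 1)])
    md5_signed = sign_md5(packet, PASSWORD)
    clear_signed = sign_clear(packet, PASSWORD)
    return {
        "packet_len": len(packet),
        "md5_ok": verify_md5(md5_signed, PASSWORD),
        "md5_tampered": verify_md5(tamper_metric(md5_signed, 16), PASSWORD),
        "md5_wrong_password": verify_md5(md5_signed, b"guess"),
        "clear_password_visible": PASSWORD in clear_signed,
        "clear_tampered_still_accepted": verify_clear(tamper_metric(clear_signed, 16), PASSWORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The demo makes the practical point of the syntax description concrete: with mode md5 a changed metric or a wrong password is rejected, while with mode clear the password is readable in the packet and a modified route is still accepted, because the plain-text password proves nothing about the rest of the message.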

set system route rip neighbor

Add RIP neighbors to define a neighboring router with which to exchange routing information. Add neighbors on non-broadcast networks.

When you add neighbors, the FortiGate unit exchanges routing information with the neighbor router directly, instead of relying on broadcasting routes. This point-to-point exchange of routing information between the FortiGate unit and the routers added to the neighbor list is more secure and reduces network traffic. Adding neighbors is required to be able to exchange routes over non-broadcast networks.

When used in combination with the RIP filters, the FortiGate unit can be configured to exchange routing information with a subset of routers and access servers on a LAN.

Syntax description

<neighbor_ip>
The IP address of a neighbor router with which you want the FortiGate unit to exchange routing information.
Default: No default. Availability: All models except FortiGate-50. NAT/Route mode only.

send {v1 | v2} {enable | disable}
Enable or disable sending RIP1 and RIP2 messages to the <neighbor_ip>. v1: the interface sends RIP1 messages. v2: the interface sends RIP2 messages. To send both RIP1 and RIP2 messages, configure the neighbor twice, once for RIP1 and once for RIP2.
Default: No default. Availability: All models except FortiGate-50. NAT/Route mode only.

Examples

Use the following commands to add a neighbor at IP address 192.168.110.94 and configure the FortiGate unit to send RIP1 and RIP2 messages to this neighbor:

set system route rip neighbor 192.168.110.94 send v1 enable

set system route rip neighbor 192.168.110.94 send v2 enable

Use the following command to disable sending RIP2 messages to this neighbor:

set system route rip neighbor 192.168.110.94 send v2 disable

Related commands

• get system route rip
• set system route rip
• set system route rip filter
• set system route rip interface
• set system route rip timers

set system route rip timers

Change the RIP timers to fine-tune RIP performance. The RIP timer defaults are effective in most configurations. You should only have to change these timers to troubleshoot problems with your RIP configuration. Using the set system route rip timers command you can change individual RIP timers by entering the keyword for the timer and the new timer setting.

Syntax description

flush <flush-timer_integer>
The amount of time in seconds that must pass before a route is removed from the routing table. The value for flush should be greater than the value for invalid. If flush is set too low, the proper holddown interval cannot elapse, which results in a new route being accepted before the holddown interval expires.
Default: 240. Availability: All models except FortiGate-50. NAT/Route mode only.

holddown <holddown-timer_integer>
The time interval in seconds during which routing information regarding better paths is suppressed. holddown should be at least three times the value of update. A route enters the holddown state when an update packet is received that indicates the route is unreachable. The route is marked inaccessible, advertised as unreachable and no longer used for forwarding packets. When holddown expires, the route can be flushed from the routing table.
Default: 180. Availability: All models except FortiGate-50. NAT/Route mode only.

invalid <invalid-timer_integer>
The time interval in seconds after which a route is declared invalid. invalid should be at least three times the value of update. A route becomes invalid when there is an absence of updates that refresh the route. The route then enters holddown. The route is marked inaccessible and advertised as unreachable. However, the route is still used for forwarding packets.
Default: 180. Availability: All models except FortiGate-50. NAT/Route mode only.

update <update-timer_integer>
The time interval in seconds between sending routing table updates.
Default: 30. Availability: All models except FortiGate-50. NAT/Route mode only.

Example

Use the following command to change the RIP update timer:

set system route rip timers update 50

Related commands

• get system route rip
• set system route rip
• set system route rip filter
• set system route rip interface
• set system route rip neighbor
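The following Python checker is an added illustration of the timer sizing rules in the syntax description above (invalid and holddown at least three times update, flush greater than invalid) and of the route lifecycle those timers define; it is not code from the Fortinet guide. The state names and the sampling helper are assumptions for the illustration; the default values are the ones the page lists.

```python
RIP_TIMER_DEFAULTS = {"update": 30, "invalid": 180, "holddown": 180, "flush": 240}


def check_rip_timers(update=30, invalid=180, holddown=180, flush=240):
    """Apply the sizing rules from the syntax description and return the violations found.
    An empty list means the timer set is consistent."""
    problems = []
    if invalid < 3 * update:
        problems.append(f"invalid ({invalid}s) should be at least three times update ({3 * update}s)")
    if holddown < 3 * update:
        problems.append(f"holddown ({holddown}s) should be at least three times update ({3 * update}s)")
    if flush <= invalid:
        problems.append(f"flush ({flush}s) should be greater than invalid ({invalid}s)")
    return problems


def route_state(seconds_since_last_update, invalid=180, flush=240):
    """Lifecycle of a route whose refreshes stop at t=0: valid until the invalid timer
    expires, then held down and advertised as unreachable, then flushed from the table.
    (State names are this example's own, not CLI output.)"""
    if seconds_since_last_update < invalid:
        return "valid"
    if seconds_since_last_update < flush:
        return "holddown"
    return "flushed"


def route_timeline(invalid=180, flush=240, step=30):
    """Sample the route state every `step` seconds up to the flush time."""
    return [(t, route_state(t, invalid, flush)) for t in range(0, flush + step, step)]


if __name__ == "__main__":
    print("defaults:", check_rip_timers(**RIP_TIMER_DEFAULTS) or "consistent")
    # Raising update to 90 without touching the other timers breaks the ratios ...
    print("update 90 only:", check_rip_timers(update=90))
    # ... while scaling all four together keeps them consistent.
    print("update 90, scaled:", check_rip_timers(update=90, invalid=270, holddown=270, flush=360) or "consistent")
    for t, state in route_timeline():
        print(f"t={t:3d}s {state}")
```

Run it before changing a single timer: the page's own example (update 50) leaves the defaults consistent, but a larger update value needs invalid, holddown and flush raised with it, otherwise routes are declared invalid and flushed after only one or two missed updates.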

set system session_ttl

Use this command when you want to extend the length of time a TCP session can be idle. Longer timeouts keep idle sessions in the session table for longer, so raise the timeout only for the ports that need it.

Syntax description

default <default_integer>
Enter a number of seconds to change the default session timeout.
Default: 300. Availability: All models.

port <port_integer> timeout <timeout_integer>
To increase the session timeout for a specific port, enter the port number and the number of seconds the session can be idle.
Default: No default. Availability: All models.

Examples

Use the following command to change the default session timeout to 3600 seconds:

set system session_ttl default 3600

Use the following command to change the session timeout for SSH on port 22 to 3600 seconds:

set system session_ttl port 22 timeout 3600

Related commands

• get system sessionttl
• unset system sessionttl

set system snmp

Configure FortiGate SNMP support. The default system name is the FortiGate unit host name. By default the FortiGate unit host name is the FortiGate model name. To change the FortiGate unit host name, see “set system hostname” on page 88.

Syntax description

{enable | disable | value <location_str> <info_str> <get-community_str> <set-community_str> <first-receiver_ip> [<second-receiver_ip> [<third-receiver_ip>]]}
Enable or disable FortiGate SNMP support. Use the value keyword to configure SNMP support on the FortiGate unit with the parameters described below, in the order shown.
Default: disable. Availability: All models.

<location_str>
The physical location of the FortiGate unit. The system location description can be up to 31 characters long and can contain spaces, numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. The \ < > [ ] ` $ % & characters are not allowed. If you add spaces, enclose the system location in quotes.
Default: No default. Availability: All models.

<info_str>
Contact information for the person responsible for this FortiGate unit. The contact information can be up to 31 characters long and can contain spaces, numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. The \ < > [ ] ` $ % & characters are not allowed. If you add spaces, enclose the contact information in quotes.
Default: No default. Availability: All models.

<get-community_str>
A password to identify SNMP get requests sent to the FortiGate unit. Also called the read community. When an SNMP manager sends a get request to the FortiGate unit, it must include the correct get community string. The default get community string is “public”. Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration. The get community string must be used in your SNMP manager to enable it to access FortiGate SNMP information. The get community string can be up to 31 characters long and can contain numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.
Default: No default. Availability: All models.

<set-community_str>
A string sent with SNMP traps that functions like a password. The default trap community string is “public”. Change the trap community string to the one accepted by your trap receivers. The trap community string can be up to 31 characters long and can contain numbers (0-9), upper and lower case letters (A-Z, a-z), and the special characters - and _. Spaces and the \ < > [ ] ` $ % & characters are not allowed.
Default: No default. Availability: All models.

<first-receiver_ip> [<second-receiver_ip> [<third-receiver_ip>]]
The IP addresses of up to three trap receivers on your network configured to receive traps from your FortiGate unit. Traps are sent only to these addresses.
Default: 0.0.0.0. Availability: All models.

Example

Use the following commands to create an SNMP configuration with the following parameters:

• The location of the system is Server room (entered on the command line as "Server room")
• The contact information for the system administrator is ext 3345 (entered on the command line as "ext 3345")
• The get community string is our_get_com
• The trap community string is our_trap_com
• The IP address of the first trap receiver is 192.33.44.55
• The IP address of the second trap receiver is 143.44.52.7
• There is no third trap receiver

set system snmp enable

set system snmp value "Server room" "ext 3345" our_get_com our_trap_com 192.33.44.55 143.44.52.7

Related commands

• get system snmp
• set system hostname
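The following Python helper is an added illustration of the parameter rules in the syntax description above and of the advice to replace the default “public” community string; it is not code from the Fortinet guide. It checks each value against the page's character and length rules, flags a community string that is still the default, quotes arguments that contain spaces, and assembles the same two command lines as the example. The function names and the messages it returns are this example's own.

```python
import re
from ipaddress import IPv4Address

# Character rules from the syntax description: 1-31 characters from letters, digits, - and _;
# location and contact may also contain spaces, community strings may not.
TEXT_RE = re.compile(r"^[0-9A-Za-z_\- ]{1,31}$")
COMMUNITY_RE = re.compile(r"^[0-9A-Za-z_\-]{1,31}$")
DEFAULT_COMMUNITY = "public"   # the factory default named on the page
MAX_RECEIVERS = 3              # up to three trap receivers


def check_text(label, value):
    """Location and contact strings."""
    if TEXT_RE.match(value):
        return []
    return [f"{label}: 1-31 characters from letters, digits, space, - and _ only"]


def check_community(label, value):
    """Get and trap community strings: same rules without spaces, and not the default."""
    problems = []
    if not COMMUNITY_RE.match(value):
        problems.append(f"{label}: 1-31 characters from letters, digits, - and _ only (no spaces)")
    if value.lower() == DEFAULT_COMMUNITY:
        problems.append(f"{label}: still the default '{DEFAULT_COMMUNITY}'; change it")
    return problems


def check_receivers(receivers):
    problems = []
    if len(receivers) > MAX_RECEIVERS:
        problems.append(f"receivers: at most {MAX_RECEIVERS} trap receiver addresses")
    for addr in receivers:
        try:
            IPv4Address(addr)
        except ValueError:
            problems.append(f"receivers: {addr!r} is not an IPv4 address")
    return problems


def quote_arg(value):
    """The CLI needs quotes around an argument that contains spaces."""
    return f'"{value}"' if " " in value else value


def build_snmp_commands(location, contact, get_community, trap_community, receivers):
    """Validate the parameters and return the two CLI lines, or raise with every problem found."""
    problems = (check_text("location", location) + check_text("contact", contact)
                + check_community("get community", get_community)
                + check_community("trap community", trap_community)
                + check_receivers(receivers))
    if problems:
        raise ValueError("; ".join(problems))
    args = [quote_arg(location), quote_arg(contact), get_community, trap_community, *receivers]
    return ["set system snmp enable", "set system snmp value " + " ".join(args)]


if __name__ == "__main__":
    # The page's own example values.
    for line in build_snmp_commands("Server room", "ext 3345", "our_get_com", "our_trap_com",
                                    ["192.33.44.55", "143.44.52.7"]):
        print(line)
    # A configuration that keeps the default read community is refused.
    try:
        build_snmp_commands("Server room", "ext 3345", "public", "our_trap_com", ["192.33.44.55"])
    except ValueError as exc:
        print("rejected:", exc)
```

Generating the command line from validated values avoids the two mistakes the page warns about: a string that the CLI rejects because of a disallowed character or missing quotes, and a read community left at the default that lets anyone who can reach the unit query it.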

set system time

Set the system date and time, or configure the FortiGate unit to connect to a network time protocol (NTP) server to automatically update the system date and time.

Syntax description

manual
Manually set the system date and time.
Default: No default. Availability: All models.

ntp
Automatically update the system date and time by connecting to an NTP server.
Default: No default. Availability: All models.

clock <hh:mm:ss>
Set the system time.
• hh is the hour and can be 00 to 23
• mm is the minutes and can be 00 to 59
• ss is the seconds and can be 00 to 59
Default: System time. Availability: All models. manual only.

date <mm/dd/yyyy>
Set the system date:
• mm is the month and can be 01 to 12
• dd is the day of the month and can be 01 to 31
• yyyy is the year and can be set from 2001 to 2100
Default: System date. Availability: All models. manual only.

dst {enable | disable}
Enable or disable daylight saving time.
Default: disable. Availability: All models.

ntpserver <server_ip>
Enter the IP address of an NTP server.
Default: 132.246.168.148. Availability: All models. ntp only.

ntpsync {enable | disable}
Enable or disable synchronizing the system time with an NTP server's time.
Default: disable. Availability: All models. ntp only.

syncinterval <interval_integer>
Enter how often, in minutes, the FortiGate unit should synchronize its time with the NTP server. The syncinterval number can be 1 to 1440.
Default: 60. Availability: All models. ntp only.

zone <timezone_integer>
The number corresponding to your time zone. Enter set system time manual zone or set system time ntp zone and a space followed by ? to list time zones and their numbers. Choose your time zone from the list and enter the corresponding number.
Default: GMT-8. Availability: All models.

Example

Use the following command to set the system date and time manually, the time zone to 4, and daylight saving time to disable:

set system time manual date 12/23/2002 clock 13:55:30 zone 4 dst disable

Use the following command to synchronize the time with an NTP server:

set system time ntp ntpsync enable ntpserver 1.1.1.1 syncinterval 60

Related commands

• get system time

set system vlan

Use this command to add VLAN subinterfaces. Use “set system interface” on page 89 to configure the VLAN IP address, netmask, and management access and to add the VLAN to a zone.

Using Virtual LAN (VLAN) technology, a single FortiGate unit can provide security services and control connections between multiple security domains.

Syntax description

<name_str>
Enter a name to identify the VLAN subinterface.
Default: No default. Availability: Models numbered 400 and higher. NAT/Route mode only.

id <id_integer>
Enter a VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4096 but must match the VLAN ID added by the IEEE 802.1Q-compliant router. Two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces.
Default: No default. Availability: Models numbered 400 and higher. NAT/Route mode only.

interface <name_str>
Enter the name of the interface that receives the VLAN packets intended for this VLAN subinterface.
Default: No default. Availability: Models numbered 400 and higher. NAT/Route mode only.

Example

Use the following command to add a VLAN subinterface with the following settings:

• name: newvlan
• id: 10
• interface: internal

set system vlan newvlan id 10 interface internal

Related commands

• get system vlan
• unset system vlan

set system zone

Use this command to add or edit zones.

In NAT/Route mode, you can group related interfaces or VLAN subinterfaces into zones. Grouping interfaces and subinterfaces into zones simplifies policy creation. For example, if you have two interfaces connected to the Internet, you can add both of these interfaces to the same zone. Then you can configure policies for connections to and from this zone, rather than to and from each interface.

Interfaces and VLAN subinterfaces are added to a zone with the set system interface command; see “set system interface” on page 89.

Syntax description

<name_str>
Enter the name for the zone. If the name is new, this command adds a new zone. If the name already exists, this command edits the zone. Use the command set system zone followed by a space and a ? for a list of zones to edit.
Default: No default. Availability: Models numbered 400 and higher. NAT/Route mode only.

intrazone {allow | deny}
Allow or deny traffic routing between different interfaces in the same zone.
Default: allow. Availability: Models numbered 400 and higher. NAT/Route mode only.

Example

Use the following command to add a zone named Internal and to deny routing between different interfaces in the zone:

set system zone Internal intrazone deny

Related commands

• get system zone
• unset system zone

set user group

Add or edit user groups.

To enable authentication, you must add user names, RADIUS servers and LDAP servers to one or more user groups. You can then select a user group when you require authentication. You can select a user group to configure authentication for:

• Policies that require authentication. Only users in the selected user group, or users that can authenticate with the RADIUS or LDAP servers added to the user group, can authenticate with these policies.

• IPSec VPN Phase 1 configurations for dialup users. Only users in the selected user group can authenticate to use the VPN tunnel.

• XAuth for IPSec VPN Phase 1 configurations. Only users in the selected user group can be authenticated using XAuth.

• The FortiGate PPTP and L2TP configurations. Only users in the selected user group can use PPTP or L2TP.

When you add user names, RADIUS servers, and LDAP servers to a user group, the order in which they are added determines the order in which the FortiGate unit checks them during authentication. If user names are added first, the FortiGate unit first checks for a match with these local users; if no match is found, it checks the RADIUS or LDAP server. If a RADIUS or LDAP server is added first, the FortiGate unit checks the server first and then the local users. If the user group contains users, RADIUS servers, and LDAP servers, the FortiGate unit checks them in the order in which they were added to the user group.

Syntax description

<name_str>
A name for the user group. If the user group name is new, this command adds a new user group. If the user group name already exists, this command edits the user group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Default: No default. Availability: All models.

member {<name_str> [<name_str> [<name_str> [<name_str> ... ]]] | none}
The name of a user, RADIUS server or LDAP server to add to the user group. Enter set user group <name_str> member, then a space and a ? for a list of possible group members. Enter all the user names you want to include in the user group. Use a space to separate the names. Enter none to remove all names from the user group.
Default: No default. Availability: All models.

Examples

Use the following command to add a group named User_Grp_1, and add User_2, User_3, Radius_2 and LDAP_1 as members of the group:

set user group User_Grp_1 member User_2 User_3 Radius_2 LDAP_1

Related commands

• get user
• set user local
• set user ldap
• set user radius
• unset user group
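The following Python model is added to make the ordering rule above concrete; it is not code from the Fortinet guide and does not reproduce the unit's internal logic. It walks a group's member list in the order the members were added and records which entry decided the result, using the names from the page's example. The LocalUser and AuthServer classes, the constructed accounts, and the rule that a matching local entry decides on its own while a rejecting server lets the search continue are assumptions of this illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass
class LocalUser:
    """A user added with set user local <name_str> type password <password_str>;
    status mirrors the status {enable | disable} keyword."""
    name: str
    password: str
    status: str = "enable"


@dataclass
class AuthServer:
    """A server added with set user radius or set user ldap. The accounts dict is a
    constructed stand-in for what the real server would answer."""
    name: str
    kind: str          # "radius" or "ldap"
    accounts: dict


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())   # constant-time comparison


def authenticate(members, username, password, local_users, servers):
    """Walk the group's member list in the order the members were added and return
    (accepted, trace), where trace records which entry was consulted and what it decided.
    Assumption (not stated on the page): a local entry whose name matches decides the
    result on its own; a server that rejects lets the search continue to later members."""
    trace = []
    for member in members:
        if member in local_users:
            user = local_users[member]
            if user.name != username:
                trace.append((member, "skipped: different user name"))
                continue
            if user.status != "enable":
                trace.append((member, "denied: user disabled"))
                return False, trace
            ok = _same(user.password, password)
            trace.append((member, "accepted" if ok else "denied: wrong password"))
            return ok, trace
        if member in servers:
            server = servers[member]
            stored = server.accounts.get(username)
            ok = stored is not None and _same(stored, password)
            trace.append((member, f"{server.kind} {'accepted' if ok else 'rejected'}"))
            if ok:
                return True, trace
            continue
        trace.append((member, "unknown member"))
    return False, trace


def demo():
    # Constructed users and servers using the page's example names.
    local_users = {"User_2": LocalUser("User_2", "23E9jz6"),
                   "User_3": LocalUser("User_3", "x7Qm2pL", status="disable")}
    servers = {"Radius_2": AuthServer("Radius_2", "radius", {"bob": "b0bPass"}),
               "LDAP_1": AuthServer("LDAP_1", "ldap", {"carol": "c4rol"})}
    # Users first, servers last: set user group User_Grp_1 member User_2 User_3 Radius_2 LDAP_1
    users_first = ["User_2", "User_3", "Radius_2", "LDAP_1"]
    # Same members with the RADIUS server added first
    server_first = ["Radius_2", "User_2", "User_3", "LDAP_1"]
    return {
        "bob_users_first": authenticate(users_first, "bob", "b0bPass", local_users, servers),
        "user2_users_first": authenticate(users_first, "User_2", "23E9jz6", local_users, servers),
        "user2_server_first": authenticate(server_first, "User_2", "23E9jz6", local_users, servers),
        "user3_disabled": authenticate(users_first, "User_3", "x7Qm2pL", local_users, servers),
        "carol_wrong": authenticate(users_first, "carol", "nope", local_users, servers),
    }


if __name__ == "__main__":
    for case, (accepted, trace) in demo().items():
        print(f"{case}: accepted={accepted} via {trace}")
```

The trace for the same user under the two member orders shows why the order matters operationally: with a server listed first, every logon for a local user costs a round trip to RADIUS or LDAP before the local entry is even consulted, and a server outage or slow response is felt by local users as well.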

set user ldap

Add or edit the information used for LDAP authentication.

If you have configured LDAP support and a user is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication.

The FortiGate unit supports the LDAP protocol functionality defined in RFC 2251 for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3.

FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.

LDAP user authentication is supported for PPTP, L2TP, IPSec VPN and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Password Authentication Protocol) is supported and CHAP (Challenge-Handshake Authentication Protocol) is not.

Syntax description

<name_str>
Enter the name of the LDAP server. If the server name is new, this command adds a new server. If the server name already exists, this command edits the server information. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Default: No default. Availability: All models.

cnid <identifier_str>
Enter the common name identifier for the LDAP server. The common name identifier for most LDAP servers is cn. However, some servers use other common name identifiers such as uid.
Default: No default. Availability: All models.

dn <name_str>
Enter the distinguished name used to look up entries on the LDAP server. Enter the base distinguished name for the server using the correct X.509 format. The FortiGate unit passes this distinguished name unchanged to the server.
Default: No default. Availability: All models.

port <port-number_integer>
Enter the port used to communicate with the LDAP server. By default LDAP uses port 389.
Default: 389. Availability: All models.

server {<domain-name_str> | <address_ip>}
Enter the domain name or IP address of the LDAP server.
Default: No default. Availability: All models.

Examples

Use the following command to add an LDAP server using the IP address 23.64.67.44, the default port, the common name identifier cn and the distinguished name ou=marketing,dc=fortinet,dc=com:

set user ldap LDAP_1 server 23.64.67.44 cnid cn dn ou=marketing,dc=fortinet,dc=com

Use the following command to change the distinguished name in the example above to ou=accounts,ou=marketing,dc=fortinet,dc=com:

set user ldap LDAP_1 dn ou=accounts,ou=marketing,dc=fortinet,dc=com

Related commands

• get user
• set user group
• set user local
• set user radius
• unset user ldap

set user local

Add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also allow the user to authenticate using specified RADIUS or LDAP servers. You can enable or disable user authentication.

FortiGate units support user authentication to the FortiGate user database, to a RADIUS server, and to an LDAP server.

To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group when you require authentication.

Syntax description

<name_str>
A name for the user. If the user name is new, this command adds a new user. If the user name already exists, this command edits the user information. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Default: No default. Availability: All models.

status {enable | disable}
enable allows this user to authenticate. disable prevents the user from authenticating.
Default: enable. Availability: All models.

tryother {enable | disable}
If the connection to the RADIUS server configured using set user local <name_str> type radius fails, enable or disable trying to connect to the other RADIUS servers added to the FortiGate RADIUS configuration.
Default: disable. Availability: All models.

type {password <password_str> | radius <server_str> | ldap <server_str>}
Require the user to authenticate with a password, a RADIUS server or an LDAP server.
Default: No default. Availability: All models.

password <password_str>
Enter the password that this user must use to authenticate using the internal database. The password should be at least six characters long.
Default: No default. Availability: All models. type only.

radius <server_str>
Enter the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the FortiGate RADIUS configuration. Enter set user local <name_str> type radius, a space and a ? for a list of available RADIUS servers.
Default: No default. Availability: All models. type only.

ldap <server_str>
Enter the name of the LDAP server to which the user must authenticate. You can only select an LDAP server that has been added to the FortiGate LDAP configuration. Enter set user local <name_str> type ldap, a space and a ? for a list of available LDAP servers.
Default: No default. Availability: All models. type only.

Examples

Use the following command to add a new user named User_1, with authentication type set to password and a password of 23E9jz6 to authenticate using the internal database. The user is enabled by default.

set user local User_1 type password 23E9jz6

Use the following command to disable authentication for User_1:

set user local User_1 status disable

Use the following command to add a new user named User_4, with authentication type set to ldap. The user is enabled by default.

set user local User_4 type ldap LDAP_1

Use the following command to add a new user named User_3, with authentication type set to radius and tryother enabled. The user is enabled by default.

set user local User_3 type radius Radius_2 tryother enable

Related commands

• get user
• set user group
• set user ldap
• set user radius
• unset user local

set user radius

Add or edit the information used for RADIUS authentication.

If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit contacts the RADIUS server for authentication.

Syntax description

<name_str>
A name for the RADIUS server. If the server name is new, this command adds a new server. If the server name already exists, this command edits the server information. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
Default: No default. Availability: All models.

secret <password_str>
Enter the RADIUS server secret.
Default: No default. Availability: All models.

server {<name_str> | <server_ip>}
Enter the domain name or IP address of the RADIUS server.
Default: No default. Availability: All models.

Examples

Use the following command to add the information for a new RADIUS server named radserv_1, with IP address 23.64.67.47 and a server secret of secret_1:

set user radius radserv_1 server 23.64.67.47 secret secret_1

Use the following command to change the server secret for radserv_1 to new_secret:

set user radius radserv_1 secret new_secret

Related commands

• get user
• set user group
• set user ldap
• set user local
• unset user radius

set vpn ipsec concentrator

Add and edit IPSec VPN concentrators. You can add VPN tunnels to a VPN concentrator grouping to create a hub-and-spoke configuration. The VPN concentrator allows VPN traffic to pass from one tunnel to another through the FortiGate unit.

In a hub-and-spoke network, all VPN tunnels terminate at a single VPN peer known as the hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing the VPN connections between the spokes.

Note: VPN peers are required to have static IP addresses in order to join a hub-and-spoke network. VPN peers with dynamic IP addresses (dialup peers) cannot join a hub-and-spoke network.

Note: Add the concentrator configuration to the central FortiGate unit (the hub) after adding the tunnels for all spokes.

Note: VPN is not available in transparent mode.

Syntax description

<name_str>
If the concentrator name is new, this command adds a VPN concentrator. If the concentrator name already exists, this command edits the VPN concentrator.
Default: No default. Availability: All models. NAT/Route mode only.

member {none | <tunnel_str> <tunnel_str> ...}
The names of the VPN tunnels to add to the concentrator. You can add AutoIKE key and manual key tunnels to a concentrator. Separate the tunnel names with spaces. Use none to create a concentrator with no tunnels.
Default: No default. Availability: All models. NAT/Route mode only.

Example

Use the following command to add an IPSec VPN concentrator named Concentrator_1 containing two AutoIKE tunnels named Auto_1 and Auto_2, and one manual key tunnel named Manual_1:

set vpn ipsec concentrator Concentrator_1 member Auto_1 Auto_2 Manual_1

Related commands

• set vpn ipsec phase1
• set vpn ipsec phase2
• set vpn ipsec manualkey
• get vpn ipsec

Page 123: Manual Fortinet

set commands set vpn ipsec manualkey

set vpn ipsec manualkeyUse this command to configure manual key IPSec VPN tunnels.

Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that is also using manual key. A manual key VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. Because the keys are created when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption and authentication algorithms and must have the same encryption and authentication keys.

Syntax description

Note: VPN is not available in transparent mode.

Keyword Description Default Availability<tunnel_str> Enter a name for the VPN tunnel. The name can contain

numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.If the name is new, this command adds a new tunnel. If the name already exists, this command edits the tunnel.

No default.

All models.NAT/Route mode only.

authalg {null | md5 | sha1}

Select an authentication algorithm from the list. Make sure you use the same algorithm at both ends of the tunnel.

null All models. NAT/Route mode only.

authkey <key_hex> MD5: Enter a 32 digit (16 byte) hexadecimal number. Separate each 16 digit (8 byte) hexadecimal segment with a hyphen.SHA1: Enter a 40 digit (20 byte) hexadecimal number.Use a hyphen to separate the first 16 digits (8 bytes) from the remaining 24 digits (12 bytes).Digits can be 0 to 9, and a to f.Use the same authentication key at both ends of the tunnel.

No default.

All models. NAT/Route mode only.

concentrator {<name_str> | none}

Enter the name of a VPN Concentrator if you want the tunnel to be a member of a group of VPN tunnels. Select none to remove the manual key tunnel from a concentrator.

none All models. NAT/Route mode only.

encalg {null | des | 3des | aes128 | aes192 | aes256}

Select an encryption algorithm from the list. Make sure you use the same algorithm at both ends of the tunnel.

null All models.NAT/Route mode only.

enckey <key_hex> DES: Enter a 16 digit (8 byte) hexadecimal number. 3DES: Enter a 48 digit (24 byte) hexadecimal number.AES128: Enter a 32 digit (16 byte) hexadecimal number.AES192: Enter a 48 digit (24 byte) hexadecimal number.AES256: Enter a 64 digit (32 byte) hexadecimal number. Digits can be 0 to 9, and a to f.For all of the above, separate each 16 digit (8 byte) hexadecimal segment with a hyphen.Use the same encryption key at both ends of the tunnel.

No default.

All models. NAT/Route mode only.

gateway <gateway_ip> The external IP address of the FortiGate unit or other IPSec gateway at the opposite end of the tunnel.

No default.

All models.NAT/Route mode only.

FortiGate CLI Reference Guide 123

Page 124: Manual Fortinet

set vpn ipsec manualkey set commands

Keyword: localspi <spi_hex>
Description: Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Remote SPI at the opposite end of the tunnel.
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: remotespi <spi_hex>
Description: Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel.
Default: No default.
Availability: All models. NAT/Route mode only.

Example

Use the following command to add an IPSec VPN manual key tunnel with the following characteristics:

• Tunnel name: Manual_Tunnel
• Local SPI: 1000ff
• Remote SPI: 2000ff
• Remote gateway IP: 206.37.33.45
• Encryption algorithm: 3DES
• Encryption keys: 003f2b01a9002f3b 004f4b0209003f01 3b00f23bff003eff
• Authentication algorithm: MD5
• Authentication keys: ff003f012ba900bb 00f402303f0100ff
• Concentrator: none

set vpn ipsec manualkey Manual_Tunnel localspi 1000ff remotespi 2000ff gateway 206.37.33.45 encalg 3des enckey 003f2b01a9002f3b-004f4b0209003f01-3b00f23bff003eff authalg md5 authkey ff003f012ba900bb-00f402303f0100ff concentrator none

Use the following command to change the local SPI to bb8 and the authentication algorithm to null for the tunnel created in the example above.

set vpn ipsec manualkey Manual_Tunnel localspi bb8 authalg null

Related commands

• set vpn ipsec concentrator
• get vpn ipsec
• unset vpn ipsec
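The key-length, hyphen and SPI rules in the manualkey table are easy to get wrong by hand. The following script, added here as an example and not part of Fortinet's documentation or firmware, validates each field and assembles the command line; the function and constant names are constructed for this example, and the sample values are the Manual_Tunnel example above so the output can be compared with the manual's command.

```python
"""Build a FortiGate 2.50 'set vpn ipsec manualkey' command line while
enforcing the key-length, hyphen and SPI rules from the table above.

Added example, not Fortinet's code. The function and constant names are
constructed here; the sample values are the manual's Manual_Tunnel example.
"""
import re
import secrets

# Hex digits each algorithm's key must have (from the enckey and authkey rows).
ENC_KEY_DIGITS = {"des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}
AUTH_KEY_DIGITS = {"md5": 32, "sha1": 40}
KEY_DIGITS = {**ENC_KEY_DIGITS, **AUTH_KEY_DIGITS}

SPI_MIN, SPI_MAX = 0xBB8, 0xFFFFFFF        # localspi / remotespi range
HEX_RE = re.compile(r"^[0-9a-f]+$")
NAME_RE = re.compile(r"^[0-9A-Za-z_-]+$")  # allowed tunnel name characters


def hyphenate_key(algorithm: str, key_hex: str) -> str:
    """Insert the hyphens the CLI expects into a bare hex key.

    Encryption keys and MD5 keys get a hyphen after every 16 digits (8 bytes);
    a SHA1 key is split into its first 16 digits and the remaining 24.
    """
    key_hex = key_hex.lower()
    if algorithm not in KEY_DIGITS:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    if not HEX_RE.match(key_hex):
        raise ValueError("key digits must be 0-9 and a-f")
    expected = KEY_DIGITS[algorithm]
    if len(key_hex) != expected:
        raise ValueError(f"{algorithm} key needs {expected} hex digits, got {len(key_hex)}")
    cuts = [16] if algorithm == "sha1" else list(range(16, expected, 16))
    segments, start = [], 0
    for cut in cuts + [expected]:
        segments.append(key_hex[start:cut])
        start = cut
    return "-".join(segments)


def check_spi(spi_hex: str) -> str:
    """Validate an SPI: up to eight hex digits, value between bb8 and FFFFFFF."""
    spi_hex = spi_hex.lower()
    if not HEX_RE.match(spi_hex) or len(spi_hex) > 8:
        raise ValueError(f"SPI {spi_hex!r} is not 1 to 8 hex digits")
    if not SPI_MIN <= int(spi_hex, 16) <= SPI_MAX:
        raise ValueError(f"SPI {spi_hex} is outside bb8..FFFFFFF")
    return spi_hex


def random_key(algorithm: str) -> str:
    """Return a fresh random key of the right length, without hyphens."""
    return secrets.token_hex(KEY_DIGITS[algorithm] // 2)


def manualkey_command(name, localspi, remotespi, gateway, encalg, enckey=None,
                      authalg="null", authkey=None, concentrator="none") -> str:
    """Assemble the full command, validating each field; null algorithms take no key."""
    if not NAME_RE.match(name):
        raise ValueError("tunnel name may only contain 0-9, A-Z, a-z, - and _")
    parts = ["set vpn ipsec manualkey", name,
             "localspi", check_spi(localspi), "remotespi", check_spi(remotespi),
             "gateway", gateway]
    for keyword, algorithm, key in (("enc", encalg, enckey), ("auth", authalg, authkey)):
        parts += [f"{keyword}alg", algorithm]
        if algorithm != "null":
            if key is None:
                raise ValueError(f"{keyword}alg {algorithm} needs a key")
            parts += [f"{keyword}key", hyphenate_key(algorithm, key)]
    parts += ["concentrator", concentrator]
    return " ".join(parts)


if __name__ == "__main__":
    # The manual's Manual_Tunnel example, with the keys typed without hyphens.
    print(manualkey_command(
        "Manual_Tunnel", "1000ff", "2000ff", "206.37.33.45",
        "3des", "003f2b01a9002f3b004f4b0209003f013b00f23bff003eff",
        "md5", "ff003f012ba900bb00f402303f0100ff"))
    # Fresh AES256 and SHA1 keys for a new tunnel; enter the same values at both ends.
    print(hyphenate_key("aes256", random_key("aes256")))
    print(hyphenate_key("sha1", random_key("sha1")))
```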


set vpn ipsec phase1

Add or edit IPSec VPN phase 1 configurations.

When you add a phase 1 configuration, you define how the FortiGate unit and a remote VPN peer (gateway or client) authenticate themselves to each other prior to the establishment of an IPSec VPN tunnel. The phase 1 configuration consists of the name of a remote VPN peer, the address type of the remote peer (static IP or dynamic (dialup)), the proposal settings (encryption and authentication algorithms) used in the authentication process, and the pre-shared key. For authentication to be successful, the FortiGate unit and the remote VPN peer must be configured with compatible phase 1 proposal settings.

After you have added a phase 1 configuration, you can change most settings. You cannot, however, change the type setting (static or dynamic (dialup)). If the VPN peer address changes from static to dynamic (dialup), or from dynamic (dialup) to static, you must delete the original phase 1 configuration and add a new one. As a general rule, add only one phase 1 configuration per remote VPN peer.

Syntax description

Note: VPN is not available in transparent mode.

Keyword: <name_str>
Description: If the phase 1 name is new, this command adds a new configuration. If the phase 1 name already exists, this command edits the phase 1 configuration.
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: authmethod {psk <preshared-key_str> | rsasig <certificate-name_str>}
Description: Select psk to authenticate using a pre-shared key. The key must be the same on the remote VPN gateway or client and should only be known by network administrators. The key must consist of at least 6 printable characters. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. Select rsasig to authenticate using a digital certificate. You must enter the name of the digital certificate. You must configure certificates before selecting rsasig here. For more information, see “execute vpn certificates local” on page 239 and “execute vpn certificates ca” on page 238.
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: dhgrp {[1] [2] [5]}
Description: Select one or more Diffie-Hellman groups to propose for Phase 1.
• When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group.
• When the VPN peers have dynamic (dialup) IP addresses, select up to three DH groups for a server configuration and select one DH group for a dynamic (dialup) client or gateway.
• When the VPN peers use main mode, you can select multiple DH groups.
Default: 5
Availability: All models. NAT/Route mode only.


Keyword: dpd {enable | disable}
Description: Enable or disable DPD (Dead Peer Detection). DPD detects the status of the connection between VPN peers. Enabling DPD facilitates cleaning up dead connections and establishing new VPN tunnels. DPD is not supported by all vendors. It will not be used unless both VPN peers include DPD support.
Default: enable
Availability: All models. NAT/Route mode only.

Keyword: dpdidlecleanup <long-idle_integer>
Description: The DPD long idle setting. Set the time, in seconds, that a link must remain unused before the local VPN peer proactively probes its state. After this period of time expires, the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer. The dpdidlecleanup setting must be greater than 100 and greater than the dpdidleworry setting.
Default: 300 seconds
Availability: All models. DPD enabled only. NAT/Route mode only.

Keyword: dpdidleworry <short-idle_integer>
Description: The DPD short idle setting. Set the time, in seconds, that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link. The dpdidleworry range is 1 to 300. To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, use the dpdretrycount and dpdretryinterval keywords.
Default: 10 seconds
Availability: All models. DPD enabled only. NAT/Route mode only.

Keyword: dpdretrycount <retry_integer>
Description: The DPD retry count. Set the number of times that the local VPN peer sends a DPD probe before it considers the link to be dead and tears down the security association (SA). The dpdretrycount range is 0 to 10. To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.
Default: 3
Availability: All models. DPD enabled only. NAT/Route mode only.

Keyword: dpdretryinterval <interval_integer>
Description: The DPD retry interval. Set the time, in seconds, that the local VPN peer waits between sending DPD probes. The dpdretryinterval range is 1 to 60.
Default: 5 seconds
Availability: All models. DPD enabled only. NAT/Route mode only.

Keyword: keylife <keylife_integer>
Description: Set the keylife time in seconds. The keylife is the amount of time in seconds before the phase 1 encryption key expires. When the key expires, a new key is generated without interrupting service. <keylife_integer> can be from 120 to 172,800 seconds.
Default: 28800 seconds
Availability: All models. NAT/Route mode only.


Keyword: mode {aggressive | main}
Description: Enter Aggressive or Main (ID Protection) mode. Both modes establish a secure channel. When using aggressive mode, the VPN peers exchange identifying information in the clear. When using main mode, identifying information is hidden. Aggressive mode is typically used when one VPN peer has a dynamic (dialup) address and uses its ID as part of the authentication process. Main mode is typically used when both VPN peers have static IP addresses. When using aggressive mode, Diffie-Hellman (DH) groups cannot be negotiated. Therefore, you should enter matching DH configurations on the VPN peers when you use aggressive mode. The VPN peers must use the same mode.
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: nattraversal {enable | disable}
Description: Enable NAT traversal if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN must have the same NAT traversal setting. If you enable NAT traversal you can set the keepalive frequency.
Default: enable
Availability: All models. NAT/Route mode only.

Keyword: keepalive <frequency_integer>
Description: Set the NAT traversal keepalive frequency. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until P1 and P2 security associations expire. The keepalive frequency can be from 0 to 900 seconds.
Default: 5 seconds
Availability: All models. NAT traversal only. NAT/Route mode only.

Keyword: peertype {any | one | dialup}
Description: Optionally select a peer type. Enter any to accept any peer ID (and therefore not authenticate remote VPN peers by ID). Enter one to authenticate a specific VPN peer or a group of VPN peers with a shared ID. Use the peerid keyword to set the peer ID. Select dialup to authenticate each remote VPN peer with a unique ID. Use the usrgrp keyword to select the required user group.
Default: any
Availability: All models. NAT/Route mode only.

Keyword: peerid <peerid_str>
Description: Enter the peer ID used to authenticate a group of remote VPN peers when peertype is set to one.
Default: No default.
Availability: All models. Peer type only. NAT/Route mode only.

Keyword: usrgrp {<name_str> | none}
Description: Enter the user group used to authenticate remote VPN peers when peertype is set to dialup. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here. For more information, see “set user group” on page 116, “set user local” on page 119, and “set user radius” on page 121.
Default: none
Availability: All models. Peer type only. NAT/Route mode only.


Keyword: proposal {des-md5 des-sha1 3des-md5 3des-sha1 aes128-md5 aes128-sha1 aes192-md5 aes192-sha1 aes256-md5 aes256-sha1}
Description: Select a minimum of one and a maximum of three encryption and authentication algorithm combinations for the Phase 1 proposal.
• DES encryption-MD5 authentication
• DES encryption-SHA1 authentication
• 3DES encryption-MD5 authentication
• 3DES encryption-SHA1 authentication
• AES128 encryption-MD5 authentication
• AES128 encryption-SHA1 authentication
• AES192 encryption-MD5 authentication
• AES192 encryption-SHA1 authentication
• AES256 encryption-MD5 authentication
• AES256 encryption-SHA1 authentication
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: type {static | dynamic}
Description: If the remote VPN peer has a static IP address, select static or dynamic depending on your requirements. If the remote VPN peer has a dynamically assigned IP address (DHCP or PPPoE), select dynamic (dialup).
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: gw <gateway_ip>
Description: If the remote VPN peer has a static IP address, enter the IP address.
Default: No default.
Availability: All models. Static only. NAT/Route mode only.

Keyword: localid <localid_str>
Description: Optionally enter a local ID if the FortiGate unit is functioning as a client and uses its local ID to authenticate itself to the remote VPN peer. If you add a local ID, the FortiGate unit sends it as if it is a domain name. If you do not add a local ID, the FortiGate unit sends the IP address of its external interface (pre-shared key authentication) or its distinguished name (certificate authentication). To exchange IDs, both VPN peers must use Aggressive mode.
Default: No default.
Availability: All models. Static only. NAT/Route mode only.

Keyword: xauthtype {disable | client | server}
Description: Optionally configure XAuth (eXtended Authentication). Select disable to disable XAuth. Select client to configure the FortiGate unit to act as an XAuth client. Use the authusr keyword to add the XAuth user name and password. Select server to configure the FortiGate unit as an XAuth server. Use the authsrvtype keyword to set the encryption method used for authentication. Use the authusrgrp keyword to select the user group containing members that must authenticate using XAuth.
Default: disable
Availability: All models. NAT/Route mode only.

Keyword: authusr <user_str> <password_str>
Description: Enter the XAuth client user name and password for the FortiGate unit.
Default: No default.
Availability: All models. XAuth client only. NAT/Route mode only.


Keyword: authsrvtype {pap | chap | mixed}
Description: Enter the encryption method used between the XAuth client, the FortiGate unit and the authentication server. Select pap to use the Password Authentication Protocol. Select chap to use the Challenge-Handshake Authentication Protocol. Select mixed to use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server. Use CHAP whenever possible. Use PAP if the authentication server does not support CHAP. Use mixed if the authentication server supports CHAP but the XAuth client does not.
Default: pap
Availability: All models. XAuth server only. NAT/Route mode only.

Keyword: authusrgrp <user-group-name_str>
Description: When the FortiGate unit is configured as an XAuth server, select the user group used to authenticate remote VPN peers. The user group can contain local users, LDAP servers, and RADIUS servers. The user group must be added to the FortiGate configuration before it can be selected here. For more information, see “set user group” on page 116, “set user local” on page 119, and “set user radius” on page 121.
Default: No default.
Availability: All models. XAuth server only. NAT/Route mode only.

Examples

Use the following command to add an IPSec VPN phase 1 configuration with the following characteristics:

• Tunnel name: Simple_GW
• Type: Dynamic
• Encryption and authentication proposal: DES-MD5
• Authentication method: psk
• Pre-shared key: Qf2p3O93jIj2bz7E
• Mode: aggressive
• Dead Peer Detection: disable

set vpn ipsec phase1 Simple_GW type dynamic proposal des-md5 authmethod psk Qf2p3O93jIj2bz7E mode aggressive dpd disable

Use the following command to change the DH group of the example above to 2 and to add des-sha1 as a second encryption and authentication protocol.

set vpn ipsec phase1 Simple_GW dhgrp 2 proposal des-md5 des-sha1

Related commands

• set vpn ipsec phase2
• get vpn ipsec
• unset vpn ipsec
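The phase 1 table states a number of constraints that the peers must satisfy together (DPD timer ordering, pre-shared key length, a single DH group in aggressive mode, keywords that need a companion keyword). The script below, added here as an example and not part of Fortinet's documentation or firmware, checks a phase 1 configuration against those rules before it is typed in; check_phase1, RANGES, DEFAULTS and the WEAK configuration are constructed for this example, and SIMPLE_GW mirrors the manual's own example above.

```python
"""Lint a FortiGate 2.50 'set vpn ipsec phase1' configuration against the rules
in the table above: numeric ranges, DPD timer ordering, pre-shared key length,
DH group selection, and keywords that need a companion keyword.

Added example, not Fortinet's code. A configuration is a dict keyed by the CLI
keywords; check_phase1() returns (level, message) findings, "error" for a value
the table rules out and "warn" for one it only advises against. The helper
names are constructed here; SIMPLE_GW mirrors the manual's own example and
WEAK is a constructed configuration that breaks several rules at once.
"""

DH_GROUPS = {1, 2, 5}
P1_PROPOSALS = {"des-md5", "des-sha1", "3des-md5", "3des-sha1", "aes128-md5",
                "aes128-sha1", "aes192-md5", "aes192-sha1", "aes256-md5", "aes256-sha1"}

# Numeric ranges stated in the table: keyword -> (low, high).
RANGES = {"dpdidleworry": (1, 300), "dpdretrycount": (0, 10),
          "dpdretryinterval": (1, 60), "keylife": (120, 172800), "keepalive": (0, 900)}

# Table defaults, applied when a keyword is not given.
DEFAULTS = {"dhgrp": [5], "dpd": "enable", "dpdidlecleanup": 300, "dpdidleworry": 10,
            "dpdretrycount": 3, "dpdretryinterval": 5, "keylife": 28800,
            "nattraversal": "enable", "keepalive": 5, "peertype": "any",
            "xauthtype": "disable"}


def check_phase1(cfg: dict) -> list:
    """Return a list of (level, message) findings for one configuration."""
    c = {**DEFAULTS, **cfg}
    out = []

    for key, (low, high) in RANGES.items():
        if not low <= c[key] <= high:
            out.append(("error", f"{key} {c[key]} is outside {low}..{high}"))

    props = c.get("proposal", [])
    if not 1 <= len(props) <= 3 or not set(props) <= P1_PROPOSALS:
        out.append(("error", "proposal needs one to three valid combinations"))

    # DPD: the long idle timer must exceed 100 s and the short idle timer.
    if c["dpd"] == "enable":
        if c["dpdidlecleanup"] <= 100 or c["dpdidlecleanup"] <= c["dpdidleworry"]:
            out.append(("error", "dpdidlecleanup must be > 100 and > dpdidleworry"))
        if c["dpdretrycount"] == 0:
            out.append(("warn", "dpdretrycount 0: one lost probe tears down the SA"))

    # Pre-shared key: at least 6 printable characters; 16+ random alphanumerics advised.
    if c.get("authmethod") == "psk":
        psk = c.get("psk", "")
        if len(psk) < 6 or not psk.isprintable():
            out.append(("error", "pre-shared key needs at least 6 printable characters"))
        elif len(psk) < 16 or not psk.isalnum():
            out.append(("warn", "pre-shared key should be 16+ random alphanumeric characters"))
    elif c.get("authmethod") == "rsasig" and not c.get("certificate"):
        out.append(("error", "rsasig requires a certificate name"))

    # DH groups: one to three of 1, 2, 5; aggressive mode cannot negotiate them.
    groups = set(c["dhgrp"])
    if not groups or not groups <= DH_GROUPS or len(groups) > 3:
        out.append(("error", "dhgrp must be one to three of 1, 2, 5"))
    if c.get("mode") == "aggressive" and len(groups) > 1:
        out.append(("error", "aggressive mode cannot negotiate DH groups: configure one"))

    # Keywords that only work together with a companion keyword.
    needs = [(c.get("type") == "static", "gw", "type static requires gw <gateway_ip>"),
             (c["peertype"] == "one", "peerid", "peertype one requires peerid"),
             (c["peertype"] == "dialup", "usrgrp", "peertype dialup requires usrgrp"),
             (c["xauthtype"] == "client", "authusr", "xauthtype client requires authusr"),
             (c["xauthtype"] == "server", "authusrgrp", "xauthtype server requires authusrgrp")]
    for active, companion, message in needs:
        if active and not c.get(companion):
            out.append(("error", message))
    return out


# The manual's Simple_GW example as a dict (aggressive mode, DPD disabled).
SIMPLE_GW = {"type": "dynamic", "proposal": ["des-md5"], "authmethod": "psk",
             "psk": "Qf2p3O93jIj2bz7E", "mode": "aggressive", "dpd": "disable"}

# Constructed: short key, three DH groups in aggressive mode, bad DPD and keylife values.
WEAK = {"type": "static", "gw": "192.0.2.10", "proposal": ["3des-sha1"], "authmethod": "psk",
        "psk": "abc", "mode": "aggressive", "dhgrp": [1, 2, 5], "dpdidlecleanup": 50,
        "keylife": 60}

if __name__ == "__main__":
    for name, cfg in (("Simple_GW", SIMPLE_GW), ("WEAK", WEAK)):
        print(name, check_phase1(cfg) or "ok")
```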


set vpn ipsec phase2

Add or edit an IPSec VPN phase 2 configuration.

The FortiGate unit uses the phase 2 configuration to create and maintain an IPSec VPN tunnel with a remote VPN peer (the VPN gateway or client). The phase 2 configuration consists of a name for the VPN tunnel, the name or names of already configured phase 1 remote gateways, the proposal settings (encryption and authentication algorithms) and DH group used for phase 2. For phase 2 to be successful, the FortiGate unit and the remote VPN peer must be configured with compatible proposal settings.

Syntax description

Note: VPN is not available in transparent mode.

Keyword: <name_str>
Description: If the phase 2 name is new, this command adds a new configuration. If the phase 2 name already exists, this command edits the phase 2 configuration.
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: concentrator {<name_str> | none}
Description: Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration.
Default: none
Availability: All models. NAT/Route mode only.

Keyword: dhgrp {1 | 2 | 5}
Description: Select the Diffie-Hellman group to propose for Phase 2 of the IPSec VPN connection. Select one of DH 1, 2 or 5. The VPN peers must use the same DH group.
Default: 5
Availability: All models. NAT/Route mode only.

Keyword: keepalive {enable | disable}
Description: Enable keepalive to keep the VPN tunnel running even if no data is being processed.
Default: disable
Availability: All models. NAT/Route mode only.

Keyword: keylifekbs <Kbytes_integer>
Description: Set the number of Kbytes of data transmitted before the phase 2 key expires. If you configure both keylifeseconds and keylifekbs, the key expires when either condition is met, whichever occurs first. When the key expires, a new key is generated without interrupting service. <Kbytes_integer> can be 5120 to 99999 Kbytes.
Default: 4608000
Availability: All models. NAT/Route mode only.

Keyword: keylifeseconds <seconds_integer>
Description: Set the number of seconds that can elapse before the phase 2 key expires. If you configure both keylifeseconds and keylifekbs, the key expires when either condition is met, whichever occurs first. When the key expires, a new key is generated without interrupting service. <seconds_integer> can be 120 to 172800 seconds.
Default: 1800
Availability: All models. NAT/Route mode only.

Keyword: pfs {enable | disable}
Description: Optionally, enable or disable perfect forward secrecy (PFS). PFS ensures that each key created during Phase 2 is unrelated to keys created during Phase 1 or to other keys created during Phase 2. PFS may cause minor delays during key generation.
Default: disable
Availability: All models. NAT/Route mode only.


Keyword: phase1name {[<name_str> [<name_str> [<name_str>]]]}
Description: Select up to 3 phase 1 names. Enter set vpn ipsec phase2 test phase1name followed by a space and a ? for a list of available phase 1 names. Choose either a single dynamic (dialup) phase 1 configuration, or up to three static phase 1 configurations. IPSec redundancy requires multiple static phase 1 configurations.
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: proposal {null-null null-md5 null-sha1 des-null des-md5 des-sha1 3des-null 3des-md5 3des-sha1 aes128-null aes128-md5 aes128-sha1 aes192-null aes192-md5 aes192-sha1 aes256-null aes256-md5 aes256-sha1}
Description: Select a minimum of one and a maximum of three encryption and authentication algorithm combinations to propose for phase 2. Use a space to separate the combinations. The VPN peers must use the same P2 proposal settings.
• null encryption-null authentication (test only)
• null encryption-MD5 authentication
• null encryption-SHA1 authentication
• DES encryption-null authentication
• DES encryption-MD5 authentication
• DES encryption-SHA1 authentication
• 3DES encryption-null authentication
• 3DES encryption-MD5 authentication
• 3DES encryption-SHA1 authentication
• AES128 encryption-null authentication
• AES128 encryption-MD5 authentication
• AES128 encryption-SHA1 authentication
• AES192 encryption-null authentication
• AES192 encryption-MD5 authentication
• AES192 encryption-SHA1 authentication
• AES256 encryption-null authentication
• AES256 encryption-MD5 authentication
• AES256 encryption-SHA1 authentication
Default: No default.
Availability: All models. NAT/Route mode only.

Keyword: replay {enable | disable}
Description: Optionally, enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel. Enable replay detection to check the sequence number of every IPSec packet to see if it has been received before. If packets arrive out of sequence, the FortiGate unit discards them. You can configure the FortiGate unit to send an alert email when it detects a replay packet. See “set alertemail configuration” on page 34 and “set alertemail setting” on page 35.
Default: disable
Availability: All models. NAT/Route mode only.

Keyword: wildcardid {enable | disable}
Description: Enable or disable a wildcard ID selector for quick mode.
Default: disable
Availability: All models. NAT/Route mode only.


Examples

Use the following command to add a phase 2 configuration with the following characteristics:

• Name: New_Tunnel
• Phase 1 name: Simple_GW
• Encryption and authentication proposal: des-md5
• Keylife seconds: 18001
• Diffie-Hellman group: 2
• Replay detection: enable
• Perfect forward secrecy: enable
• Keepalive: enable
• Concentrator: none

set vpn ipsec phase2 New_Tunnel phase1name Simple_GW proposal des-md5 keylifeseconds 18001 dhgrp 2 replay enable pfs enable keepalive enable concentrator none

Use the following command to change the DH group to 5 and to disable replay detection in the phase 2 example configuration above.

set vpn ipsec phase2 New_Tunnel dhgrp 5 replay disable

Related commands

• set vpn ipsec phase1
• get vpn ipsec
• unset vpn ipsec


set vpn l2tp

L2TP clients must be able to authenticate with the FortiGate unit to start an L2TP session. To support L2TP authentication, you must add a user group to the FortiGate configuration. See “set user group” on page 116.

After you have added a user group, use this command to enable L2TP and specify an L2TP address range. The L2TP address range is the range of addresses that must be reserved for remote L2TP clients. When a remote L2TP client connects to the internal network using L2TP, the client computer is assigned an IP address from this range. The L2TP address range can be on any subnet.

You can also use this command to disable L2TP, change the starting or ending IP of the L2TP address range, or change the user group.

Add external to internal firewall policies to control the access that L2TP users have through the FortiGate unit. Set the source address to match the L2TP address range and the destination address to the address on your internal network or zone to which L2TP users can connect. Set the policy service to the service that matches the traffic type inside the L2TP VPN tunnel. For example, if L2TP users can access a web server, set service to HTTP. Set the policy action to ACCEPT and select NAT if required. See “set firewall policy” on page 53.

Syntax description

Note: The first time you configure the L2TP address range you must enter a starting IP, an ending IP and a user group.

Note: L2TP VPN is not available in transparent mode.

Keyword: eip <ending_ip>
Description: The ending IP address of the L2TP address range.
Default: 0.0.0.0
Availability: All models. NAT/Route mode only.

Keyword: sip <starting_ip>
Description: The starting IP address of the L2TP address range.
Default: 0.0.0.0
Availability: All models. NAT/Route mode only.

Keyword: status {enable | disable}
Description: Enable or disable L2TP VPN.
Default: disable
Availability: All models. NAT/Route mode only.

Keyword: usrgrp <name_str>
Description: Add a user group to support L2TP authentication. The user group can contain users added to the FortiGate user database, authentication servers (LDAP and RADIUS), or both.
Default: No default.
Availability: All models. NAT/Route mode only.

Example

Use the following command to enable L2TP and set the L2TP address range for the first time using a starting IP of 192.168.1.150, an ending IP of 192.168.1.160 and a user group named L2TP_users:

set vpn l2tp status enable sip 192.168.1.150 eip 192.168.1.160 usrgrp L2TP_users

Use the following command to change the starting IP of the L2TP address range:

set vpn l2tp status enable sip 192.168.1.140

Related commands

• get vpn l2tp range


set vpn pptp

PPTP clients must be able to authenticate with the FortiGate unit to start a PPTP session. To support PPTP authentication, you must add a user group to the FortiGate configuration. See “set user group” on page 116.

After you have added a user group, use this command to enable PPTP and specify a PPTP address range. The PPTP address range is the range of addresses that must be reserved for remote PPTP clients. When a remote PPTP client connects to the internal network using PPTP, the client computer is assigned an IP address from this range. The PPTP address range can be on any subnet.

You can also use this command to disable PPTP, change the starting or ending IP of the PPTP address range, or change the user group.

Add external to internal firewall policies to control the access that PPTP users have through the FortiGate unit. Set the source address to match the PPTP address range and the destination address to the address on your internal network or zone to which PPTP users can connect. Set the policy service to the service that matches the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can access a web server, set service to HTTP. Set the policy action to ACCEPT and select NAT if required.

Syntax description

Note: The first time you configure the PPTP address range you must enter a starting IP, an ending IP and a user group.

Note: PPTP VPN is not available in transparent mode.

Keyword: eip <ending_ip>
Description: The ending address of the PPTP address range.
Default: 0.0.0.0
Availability: All models. NAT/Route mode only.

Keyword: sip <starting_ip>
Description: The starting address of the PPTP address range.
Default: 0.0.0.0
Availability: All models. NAT/Route mode only.

Keyword: status {enable | disable}
Description: Enable or disable PPTP VPN.
Default: disable
Availability: All models. NAT/Route mode only.

Keyword: usrgrp <name_str>
Description: Add a user group to support PPTP authentication. The user group can contain users added to the FortiGate user database, authentication servers (LDAP and RADIUS), or both.
Default: No default.
Availability: All models. NAT/Route mode only.

Example

Use the following command to enable PPTP and set the PPTP address range for the first time using a starting IP of 192.168.1.100, an ending IP of 192.168.1.130 and a user group named PPTP_users:

set vpn pptp status enable sip 192.168.1.100 eip 192.168.1.130 usrgrp PPTP_users

Use the following command to change the starting IP of the PPTP address range:

set vpn pptp status enable sip 192.168.1.110

Related commands

• get vpn pptp range


set webfilter cerberian

Use this command to configure support for Cerberian web filtering. For information about Cerberian web filtering, see www.cerberian.com.

You can purchase a Cerberian web filtering licence when you purchase your FortiGate unit. To use Cerberian web filtering, the FortiGate unit must have access to the Internet.

Syntax description

Keyword: add <address_ip> <netmask_ip> [alias <user-name_str>]
Description: Add an IP address and netmask to identify the FortiGate user. This can be the address of a single computer or of a subnet. If IP addresses on your internal network are set using DHCP, use a subnet that includes the addresses controlled by the DHCP server. Optionally enter an alias for the user. The alias is the user name you add to a user group on the Cerberian server. If you do not enter an alias, the IP address is added to the default user group on the Cerberian server.
Default: No default.
Availability: All models.

Keyword: delete <address_ip> <netmask_ip>
Description: Delete the user information.
Default: No default.
Availability: All models.

Keyword: license <license_str>
Description: Enter the Cerberian license key. You must have a license key to use Cerberian web filtering.
Default: No default.
Availability: All models.

Keyword: status {enable | disable}
Description: Enable or disable Cerberian web filtering. For Cerberian web filtering to work, you must enable URL Block for HTTP in a content profile. For more information on content profiles, see “set firewall profile” on page 57.
Default: disable
Availability: All models.

Examples

Use the following commands to:

• add the Cerberian license key, testkey
• add the Cerberian user with the IP address 192.168.100.19, the netmask 255.255.255.255 and the alias User_1, to the FortiGate unit
• enable your Cerberian web filtering settings for use in content profiles

set webfilter cerberian license testkey

set webfilter cerberian add 192.168.100.19 255.255.255.255 alias User_1

set webfilter cerberian status enable

Related commands

• get webfilter
• set firewall profile


set webfilter content

Use this command to add, edit or delete words or phrases on the Web Filter content block list.

For the content block list to work, you must enable Banned Word for HTTP in a content profile. For more information, see “set firewall profile” on page 57.

Syntax description

Keyword: add word <word_str> language {0 | 1 | 2 | 3 | 4} state {enable | disable}
Description: Add a word or phrase to the banned word list. If you enter a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word. If you type a phrase, you must add + between the words (for example, banned+phrase). The FortiGate unit blocks web pages that contain both of the words. If you type a phrase in quotes, you must also include the + (for example, "banned+word"). The FortiGate unit blocks all web pages where the words are found together as a phrase. Content filtering is not case-sensitive. You cannot include special characters in banned words.
The language or character set for the banned word or phrase:
• 0 for Western
• 1 for Simplified Chinese
• 2 for Traditional Chinese
• 3 for Japanese
• 4 for Korean
Enable or disable content filtering for this word or phrase.
Default: No default.
Availability: All models.

Keyword: delete {<word_integer> | all}
Description: Enter a number to delete the specified word or phrase from the content block list. Use the command get webfilter content for a numbered list of banned words. Enter all to delete all the words on the content block list.
Default: No default.
Availability: All models.

Keyword: edit <word_integer> word <word_str> language {0 | 1 | 2 | 3 | 4} state {enable | disable}
Description: Edit a word or phrase on the banned word list. Enter a number to edit the specified word or phrase from the content block list. Use the command get webfilter content for a numbered list of banned words. You can make changes to any or all of the word or phrase, language or character set, or state.
Default: No default.
Availability: All models.

Example

Use the following command to add the exact phrase "banned phrase" in the Western character set to the Web Filter content filtering list.

set webfilter content add word "banned+phrase" language 0 state enable

Related commands

• get webfilter
• set firewall profile
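The three entry forms described for add word (a single word, word+word, and "word+word" in quotes) block different sets of pages. The script below, added here as an example and not part of Fortinet's documentation or firmware, applies those rules to sample page text so the difference can be seen; the BannedWord class, blocked_by, the sample pages and the simple word tokeniser are constructed for this example, since the page does not describe how the FortiGate unit splits HTML into words.

```python
"""Apply the banned-word matching rules from the table above to sample page
text: a single word blocks pages containing it, word+word blocks pages that
contain both words anywhere, and "word+word" blocks pages where the words
occur together as a phrase; matching is not case-sensitive.

Added example, not Fortinet's code. BannedWord, blocked_by and the sample
pages are constructed here; how the FortiGate unit splits real HTML into
words is not described on the page, so the tokeniser below is an assumption.
"""
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r"\w+")
ENTRY_RE = re.compile(r"[\w+]+")  # no special characters in banned words


@dataclass
class BannedWord:
    word: str             # entry exactly as typed on the CLI, e.g. '"banned+phrase"'
    language: int = 0     # 0 Western, 1 Simplified Chinese, 2 Traditional Chinese,
    state: str = "enable"  # 3 Japanese, 4 Korean (not used for matching here)

    def __post_init__(self):
        if self.language not in range(5) or self.state not in ("enable", "disable"):
            raise ValueError("language must be 0-4 and state enable or disable")
        if not ENTRY_RE.fullmatch(self.word.strip('"')):
            raise ValueError(f"{self.word!r}: special characters are not allowed")

    def matches(self, page_text: str) -> bool:
        """True if this entry would block a page with this text."""
        if self.state != "enable":
            return False
        tokens = [t.lower() for t in TOKEN_RE.findall(page_text)]
        quoted = len(self.word) > 1 and self.word[0] == self.word[-1] == '"'
        words = [w.lower() for w in self.word.strip('"').split("+") if w]
        if not words:
            return False
        if quoted:
            # The words must appear together, in order, as one phrase.
            n = len(words)
            return any(tokens[i:i + n] == words for i in range(len(tokens) - n + 1))
        # Unquoted: every word must appear somewhere on the page.
        present = set(tokens)
        return all(w in present for w in words)


def blocked_by(entries, page_text: str) -> list:
    """Return the list entries (as typed) that would block page_text."""
    return [e.word for e in entries if e.matches(page_text)]


# Constructed sample pages and content block list.
PAGE_PHRASE = "<p>This page discusses the BANNED phrase in detail.</p>"
PAGE_SPLIT = "<p>Banned here; the word phrase only appears much later.</p>"
PAGE_CLEAN = "<p>Nothing to see here.</p>"
CONTENT_LIST = [
    BannedWord("banned"),
    BannedWord("banned+phrase"),
    BannedWord('"banned+phrase"'),
    BannedWord("banned+later", state="disable"),
]

if __name__ == "__main__":
    for name, page in (("phrase", PAGE_PHRASE), ("split", PAGE_SPLIT), ("clean", PAGE_CLEAN)):
        print(name, blocked_by(CONTENT_LIST, page))
```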


set webfilter exempturl

Use this command to add, edit or delete URLs on the URL Exempt list.

For the URL Exempt list to work, you must enable URL Exempt for HTTP in a content profile. For more information, see “set firewall profile” on page 57.

Syntax description

Note: Content downloaded from exempt web pages is not blocked or scanned by antivirus protection.

Keyword: add <exempt-url_str> state {enable | disable}
Description: Enter a complete URL, including path and filename, to exempt access to a page on a web site. For example, www.goodsite.com/index.html exempts access to the main page of this example website. You can also add IP addresses; for example, 122.63.44.67/index.html exempts access to the main web page at this address. Do not include http:// in the URL to exempt. Exempting a top level URL, such as www.goodsite.com, exempts all requested subpages (for example, www.goodsite.com/badpage) from all content and URL filtering rules. Exempting a top level URL will not exempt pages such as mail.goodsite.com from all content and URL filtering rules unless goodsite.com (without the www) is added to the Exempt List. Enable or disable exempting this URL.
Default: No default.
Availability: All models.

Keyword: delete {<url_integer> | all}
Description: Enter a number to delete the specified URL from the exempt list. Use the command get webfilter exempturl for a numbered list of exempt URLs. Enter all to delete all the URLs on the exempt list.
Default: No default.
Availability: All models.

Keyword: edit <url_integer> newurl <exempt-url_str> state {enable | disable}
Description: Edit a URL on the exempt list. Enter a number to edit the specified URL from the exempt list. Use the command get webfilter exempturl for a numbered list of exempt URLs. You can make changes to the URL or state.
Default: No default.
Availability: All models.

Example

Use the following command to add the URL www.oksite.com/index.html to the list of URLs that are exempt from content and URL blocking.

set webfilter exempturl add www.oksite.com/index.html state enable

Related commands

• get webfilter
• set firewall profile
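The exempt list rules above and the URL Block list rules under set webfilter url use the same matching logic: a host-only entry covers every page on that host and on hosts ending in it, while an entry with a path covers one page. The script below, added here as an example and not part of Fortinet's documentation or firmware, applies both lists to sample requests; classify, entry_matches and the sample lists are constructed for this example, and two details are assumptions made here rather than statements from the page: an exempt entry wins over a block entry, and the "ends with" rule is applied at a dot boundary so that goodsite.com on the exempt list does not also exempt a host such as evilgoodsite.com.

```python
"""Apply the URL Exempt list rules (above) and URL Block list rules
('set webfilter url') to sample browser requests.

Added example, not Fortinet's code; classify(), entry_matches() and the sample
lists are constructed here. Entries are written as the CLI takes them: no
http://, a host optionally followed by a path. Assumptions added here: an
exempt entry wins over a block entry, and the "ends with" rule is applied at a
dot boundary, so goodsite.com does not also match evilgoodsite.com.
"""
from urllib.parse import urlsplit


def _split_entry(entry: str):
    """'www.badsite.com/news.html' -> ('www.badsite.com', '/news.html')."""
    host, _, path = entry.strip().lower().partition("/")
    return host, (("/" + path) if path else "")


def entry_matches(entry: str, host: str, path: str) -> bool:
    """True if one block or exempt list entry covers the requested page."""
    e_host, e_path = _split_entry(entry)
    if e_path:
        return host == e_host and path == e_path   # entry covers one page only
    # Host-only entry: the host itself and every host under it, so badsite.com
    # covers www.badsite.com and mail.badsite.com, while www.goodsite.com
    # does not cover mail.goodsite.com (dot boundary is an assumption here).
    return host == e_host or host.endswith("." + e_host)


def classify(url: str, block_list, exempt_list) -> str:
    """Return 'exempt', 'blocked' or 'allowed' for one browser request."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme != "http":
        # URL blocking only covers HTTP; ftp://ftp.badsite.com needs a firewall policy.
        return "allowed"
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if any(entry_matches(e, host, path) for e in exempt_list):
        return "exempt"
    if any(entry_matches(e, host, path) for e in block_list):
        return "blocked"
    return "allowed"


# Constructed lists built from the entries the manual uses as examples.
BLOCK_LIST = ["www.badsite.com/news.html", "badsite.com", "122.133.144.155"]
EXEMPT_LIST = ["www.goodsite.com", "122.63.44.67/index.html", "www.oksite.com/index.html"]

if __name__ == "__main__":
    for url in ("http://mail.badsite.com/inbox", "http://www.goodsite.com/badpage",
                "http://mail.goodsite.com/", "ftp://ftp.badsite.com/"):
        print(url, classify(url, BLOCK_LIST, EXEMPT_LIST))
```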


set webfilter script

Use this command to enable or disable script filtering to block Java applets, cookies, and ActiveX controls.

For script filtering to work, you must enable Script Filter for HTTP in a content profile. For more information, see “set firewall profile” on page 57.

Syntax description

Keyword: {activex | cookie | java}
Description: Select activex, cookie or java as required.
Default: No default.
Availability: All models.

Keyword: status {enable | disable}
Description: For each keyword above, enable or disable blocking Java applets, cookies, or ActiveX controls.
Default: disable
Availability: All models.

Examples

Use the following command to configure script filtering to block cookies.

set webfilter script cookie status enable

Related commands

• get webfilter
• set firewall profile

138 Fortinet Inc.


set webfilter url

Use this command to add, edit or delete URLs on the URL Block list.

For the URL Block list to work, you must enable URL Block for HTTP in a content profile. For more information, see “set firewall profile” on page 57.

Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.

Syntax description

Keyword: add <url_str> state {enable | disable}
Description: You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP address. You can also block individual pages on a website by including the full path and filename of the web page to block. Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website. Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website. To block all pages with a URL that ends with badsite.com, add badsite.com to the block list. For example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so on. The state keyword enables or disables blocking this URL.
Default: No default.
Availability: All models.

Keyword: delete {<url_integer> | all}
Description: Enter a number to delete the specified URL from the block list. Use the command get webfilter url for a numbered list of blocked URLs. Enter all to delete all the URLs on the block list.
Default: No default.
Availability: All models.

Keyword: edit <url_integer> newurl <block-url_str> state {enable | disable}
Description: Edit a URL on the block list. Enter the number of the URL to edit. Use the command get webfilter url for a numbered list of blocked URLs. You can change the URL or the state.
Default: No default.
Availability: All models.

Examples

Use the following command to add the example URL www.badsite.com/index.html to the URL block list.

set webfilter url add www.badsite.com/index.html state enable

Related commands
• get webfilter
• set firewall profile
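The matching rules that the exempt list (set webfilter exempturl) and the block list (set webfilter url) describe, modelled in Python as an added example; this is not Fortinet code and does not claim to reproduce the FortiOS implementation. Two assumptions are marked in the code: a bare domain such as badsite.com matches hosts that end in ".badsite.com" (label boundary, so evilbadsite.com is not matched), and the exempt list is consulted before the block list, because the note above says content from exempt pages is neither blocked nor scanned.

```python
"""Model of the URL Block / Exempt list matching rules in this chapter.
Added example; not Fortinet code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class UrlEntry:
    url: str            # host or host/path as typed into the CLI (no http://)
    enabled: bool = True


def split_url(url: str) -> Tuple[str, str]:
    """Split a requested URL into (host, path); a leading scheme is dropped."""
    url = url.strip()
    for scheme in ("http://", "https://"):
        if url.lower().startswith(scheme):
            url = url[len(scheme):]
    host, sep, path = url.partition("/")
    return host.lower(), sep + path


def entry_matches(entry: UrlEntry, host: str, path: str) -> bool:
    """A disabled entry never matches; an entry with a path matches only that
    page; a top-level entry matches every page on that host. Assumption: a bare
    domain also matches every host that ends in '.' + domain."""
    if not entry.enabled:
        return False
    e_host, e_path = split_url(entry.url)
    if e_path:
        return host == e_host and path == e_path
    return host == e_host or host.endswith("." + e_host)


class UrlFilter:
    """Two numbered lists, like 'get webfilter url' and 'get webfilter exempturl'."""

    def __init__(self) -> None:
        self.block: List[UrlEntry] = []
        self.exempt: List[UrlEntry] = []

    @staticmethod
    def _add(lst: List[UrlEntry], url: str, enabled: bool) -> int:
        if "://" in url:                     # the manual: do not include http://
            raise ValueError("do not include http:// in the URL")
        lst.append(UrlEntry(url, enabled))
        return len(lst)                      # 1-based number, as the CLI lists it

    def add_block(self, url: str, enabled: bool = True) -> int:
        return self._add(self.block, url, enabled)

    def add_exempt(self, url: str, enabled: bool = True) -> int:
        return self._add(self.exempt, url, enabled)

    def set_block_state(self, number: int, enabled: bool) -> None:
        self.block[number - 1].enabled = enabled      # 'edit <n> ... state'

    def delete_block(self, number: int) -> None:
        del self.block[number - 1]                     # 'delete <n>'

    def decide(self, url: str) -> str:
        """Return 'exempt', 'blocked' or 'allowed' for a requested URL.
        Assumption: exempt entries win over block entries."""
        host, path = split_url(url)
        if any(entry_matches(e, host, path) for e in self.exempt):
            return "exempt"
        if any(entry_matches(e, host, path) for e in self.block):
            return "blocked"
        return "allowed"


def demo() -> Dict[str, str]:
    """Run the manual's own example URLs through constructed sample lists."""
    f = UrlFilter()
    f.add_block("badsite.com")                  # every host ending in .badsite.com
    f.add_block("www.other.com/news.html")      # one page only (constructed)
    f.add_exempt("www.goodsite.com")            # all pages on this host
    f.add_exempt("122.63.44.67/index.html")     # one page at an IP address
    return {u: f.decide(u) for u in (
        "http://www.badsite.com/index.html",
        "mail.badsite.com/",
        "www.finance.badsite.com/q.html",
        "evilbadsite.com/",
        "www.other.com/news.html",
        "www.other.com/index.html",
        "www.goodsite.com/badpage",
        "mail.goodsite.com/index.html",
        "122.63.44.67/index.html",
        "122.63.44.67/other.html",
    )}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:8} {url}")
```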


FortiGate CLI Reference Guide Version 2.50

unset commands

Use unset commands to delete settings from your FortiGate configuration.

unset firewall address

unset firewall addrgrp

unset firewall ipmacbinding

unset firewall ippool

unset firewall onetimeschedule

unset firewall policy

unset firewall profile

unset firewall recurringschedule

unset firewall service

unset firewall vip

unset log filter

unset system admin

unset system dhcpserver

unset system hostname

unset system route number

unset system route policy

unset system secondip

unset system sessionttl

unset system vlan

unset system zone

unset user group

unset user ldap

unset user local

unset user radius

unset vpn certificates

unset vpn ipsec


unset firewall address

Use this command to delete addresses no longer needed in firewall policies. To delete an address that has been added to a policy, you must first remove the address from the policy.

Syntax description

Keyword: <name_str>
Description: The name of the address to delete. Use the command unset firewall address followed by a space and ? for a list of addresses. If you try to delete an address that is in use by a policy, the FortiGate CLI returns the error message: Entry is used.
Availability: All models.

Examples

Use the following command to delete the address named User_1.

unset firewall address User_1

Related commands
• set firewall address
• get firewall address


unset firewall addrgrp

Use this command to delete address groups no longer needed in firewall policies. To delete an address group that has been added to a policy, you must first remove the address group from the policy.

Syntax description

Keyword: <name_str>
Description: The name of the address group to delete. Use the command unset firewall addrgrp followed by a space and ? for a list of address groups.
Availability: All models.

Examples

Use the following command to delete the address group named Internal_1.

unset firewall addrgrp Internal_1

Related commands
• set firewall addrgrp
• get firewall addrgrp


unset firewall ipmacbinding

Use this command to delete IP and MAC address pairs from the IP/MAC binding table.

Syntax description

Keyword: table <order_integer>
Description: The order number of the IP/MAC binding pair on the IP/MAC binding table. Use the command unset firewall ipmacbinding table followed by a space and ? to display the IP/MAC binding table.
Availability: All models.

Examples

Use the following command to delete the IP and MAC address pair numbered 2.

unset firewall ipmacbinding table 2

Related commands
• set firewall ipmacbinding setting
• get firewall ipmacbinding


unset firewall ippool

Use this command to remove IP address pools.

Syntax description

Keyword: ippool <id_integer>
Description: Delete the IP pool with the specified number. Enter the command unset firewall ippool followed by a space and ? for a list of IP pools and their corresponding numbers and interfaces.
Availability: All models. Not available in Transparent mode.

Examples

Use the following command to remove the IP pool numbered 2.

unset firewall ippool 2

Related commands
• set firewall ippool
• get firewall ippool


unset firewall onetimeschedule

Use this command to delete a one-time schedule. To delete a schedule that has been added to a policy, you must first remove the schedule from the policy.

Syntax description

Keyword: <name_str>
Description: Enter the name of the one-time schedule to delete. Use the command unset firewall onetimeschedule followed by a space and ? to get a list of one-time schedules.
Availability: All models.

Examples

Use the following command to delete the schedule named Holiday.

unset firewall onetimeschedule Holiday

Related commands
• set firewall onetimeschedule
• get firewall schedule


unset firewall policy

Use this command to delete a firewall policy.

Syntax description

Keyword: srcintf <name_str>
Description: Enter the source interface for the policy. On all FortiGate models srcintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone. Use the command unset firewall policy srcintf followed by a space and ? for a list of available interfaces.
Availability: All models.

Keyword: dstintf <name_str>
Description: Enter the destination interface for the policy. On all FortiGate models dstintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone. Use the command unset firewall policy srcintf <intf_str> dstintf followed by a space and ? for a list of available interfaces.
Availability: All models.

Keyword: policyid <id_int>
Description: Enter the ID number of the policy. Every firewall policy is identified by its srcintf, dstintf, and policyid. Every srcintf, dstintf, and policyid combination is unique. Use the command unset firewall policy srcintf <intf_str> dstintf <intf_str> policyid followed by a space and ? for a list of available policies and their ID numbers.
Availability: All models.

Examples

Use the following command to delete the policy in the Internal to External policy list with the policy ID number 3.

unset firewall policy srcintf internal dstintf external policyid 3

Related commands
• set firewall policy
• get firewall policy


unset firewall profile

Delete a firewall profile.

Note: The profile cannot be removed if it is used in any firewall policies.

Syntax description

Keyword: <name_str>
Description: The name of the profile to delete. Use the command get firewall profile for a list of profiles. The profile name is case sensitive.
Availability: All models.

Examples

Use the following command to unset the profile named Newtest.

unset firewall profile Newtest

Related commands
• set firewall profile
• get firewall profile


unset firewall recurringschedule

Use this command to delete a recurring schedule. To delete a schedule that has been added to a policy, you must first remove the schedule from the policy.

Syntax description

Keyword: <name_str>
Description: Enter the name of the recurring schedule to delete. Use the command unset firewall recurringschedule followed by a space and ? to get a list of recurring schedules.
Availability: All models.

Examples

Use the following command to delete the recurring schedule named access.

unset firewall recurringschedule access

Related commands
• set firewall recurringschedule
• get firewall schedule


unset firewall service

Delete custom services or service groups.

Syntax description

Keyword: custom <name_str>
Description: The name of the custom service to delete. Use the command get firewall service custom for a list of custom services.
Availability: All models.

Keyword: group <name_str>
Description: The name of the service group to delete. Use the command get firewall service group for a list of service groups.
Availability: All models.

Examples

Use the following command to delete a service group named marketing.

unset firewall service group marketing

Related commands
• set firewall service custom
• set firewall service group
• get firewall service


unset firewall vip

Delete virtual IPs. You cannot delete virtual IPs that have been added to firewall policies.

Note: Virtual IPs are not available in Transparent mode.

Syntax description

Keyword: <name_str>
Description: The name of the virtual IP to delete. Enter unset firewall vip followed by a space and ? for a list of virtual IPs.
Availability: All models.

Examples

Use the following command to delete a virtual IP named http_server.

unset firewall vip http_server

Related commands
• set firewall vip
• get firewall vip


unset log filter

Remove a traffic log filtering rule.

Note: Traffic logging is not available when logging to system memory.

Syntax description

Keyword: traffic rule <name_str>
Description: Remove the named traffic log filtering rule. Use the command get log trafficfilter for a list of traffic filter rules.
Availability: All models.

Examples

Use the following command to delete the traffic filter rule named test.

unset log filter traffic rule test

Related commands
• set log trafficfilter rule
• get log trafficfilter


unset system admin

Use this command to delete an administrator account.

When the FortiGate unit is initially installed, it is configured with a single administrator account with the user name admin. This is the only account with permissions to delete other administrator accounts. The admin account cannot be deleted.

Syntax description

Keyword: username <name_str>
Description: The user name of the administrator account to delete. Enter unset system admin username followed by a space and ? for a list of administrator account names.
Availability: All models.

Examples

Use the following command to delete an administrator account with the user name newadmin.

unset system admin username newadmin

Related commands
• set system admin
• get system admin


unset system dhcpserver

Remove a reserved IP/MAC address pair from the FortiGate DHCP server configuration. Reserved IP and MAC address pairs are added to the FortiGate DHCP server configuration so that the device with the given MAC address is always assigned the specified IP address.

Syntax description

Keyword: reserve <reserve_ip>
Description: Enter unset system dhcpserver reserve followed by a space and ? for a list of reserved IP/MAC pairs. Enter the IP address of the pair that you want to remove.
Availability: All models.

Examples

Use the following command to remove the IP/MAC address pair with a reserved IP address of 192.168.20.45.

unset system dhcpserver reserve 192.168.20.45

Related commands
• set system dhcpserver
• get system dhcpserver


unset system hostname

Remove the FortiGate unit host name. The FortiGate host name is used as the SNMP system name.

Examples

Use the following command to remove the FortiGate unit host name.

unset system hostname

Related commands
• get system status
• set system hostname
• set system snmp


unset system route number

Remove a destination route from the routing table.

Syntax description

Keyword: <route_integer>
Description: The number of the destination route to delete from the routing table. Enter unset system route number followed by a space and ? for a list of routes.
Availability: All models.

Examples

Use the following command to delete destination route number 1.

unset system route number no 1

Related commands
• set system route number
• get system route table


unset system route policy

Remove a policy route from the policy routing database.

Syntax description

Keyword: <policy_integer>
Description: The number of the policy route to delete from the policy routing database. Enter unset system route policy followed by a space and ? for a list of policy routes.
Availability: All models.

Examples

Use the following command to delete route policy number 5.

unset system route policy 5

Related commands
• set system route policy
• get system route policy


unset system secondip

Remove the secondary IP address and netmask from an interface. This command sets the secondary IP address and netmask to 0.0.0.0 and 0.0.0.0. Other secondary interface configuration information is not changed by this command.

Syntax description

Keyword: <intf-name_str>
Description: The name of the interface for which to set the secondary IP address and netmask to 0.0.0.0 and 0.0.0.0.
Availability: All models. Not available in Transparent mode.

Examples

Use the following command to set the secondary IP and netmask of the external interface to 0.0.0.0 and 0.0.0.0.

unset system secondip external

Related commands
• set system interface
• get system interface


unset system sessionttl

Use this command to remove session timeout configurations for specific ports.

Syntax description

Keyword: <port_integer>
Description: The number of the port for which to remove a session timeout configuration.
Availability: All models.

Examples

Use the following command to remove the session timeout configuration for SSH on port 22:

unset system sessionttl 22

Related commands
• set system session_ttl
• get system sessionttl


unset system vlan

Use this command to delete a VLAN subinterface. You cannot delete a VLAN subinterface if you have added addresses to it.

Syntax description

Keyword: vlan <name_str>
Description: The name of the VLAN subinterface to delete. Use the command unset system vlan followed by a space and ? for a list of VLANs.
Availability: Models numbered 400 and higher. NAT/Route mode only.

Examples

Use the following command to delete a VLAN subinterface named Sub_1.

unset system vlan Sub_1

Related commands
• get system vlan
• set system vlan


unset system zone

Use this command to delete a zone. You cannot delete a zone if you have added an interface to it.

Syntax description

Keyword: zone <name_str>
Description: The name of the zone to delete. Enter unset system zone followed by a space and ? for a list of zones.
Availability: Models numbered 400 and higher. NAT/Route mode only.

Examples

Use the following command to delete a zone named Finance.

unset system zone Finance

Related commands
• get system zone
• set system zone


unset user group

Delete a user group. You cannot delete user groups that have been added to a policy, remote gateway, PPTP, or L2TP configuration.

Syntax description

Keyword: name <name_str>
Description: The name of the user group to delete. Enter unset user group name followed by a space and ? for a list of user group names.
Availability: All models.

Examples

Use the following command to delete a user group named FTP_grp:

unset user group name FTP_grp

Related commands
• set user group
• get user


unset user ldap

Delete an LDAP server. You cannot delete LDAP servers that have been added to user groups.

Syntax description

Keyword: server <name_str>
Description: The name of the LDAP server to delete. Enter unset user ldap server followed by a space and ? for a list of LDAP server names.
Availability: All models.

Examples

Use the following command to delete the LDAP server named LDAP_1.

unset user ldap server LDAP_1

Related commands
• set user group
• set user ldap
• get user


unset user local

Delete a user name from the local FortiGate user database. Before a user name can be deleted, it must be removed from any user groups that it has been added to.

Syntax description

Keyword: name <name_str>
Description: The user name to delete. Enter unset user local name followed by a space and ? for a list of user names.
Availability: All models.

Examples

Use the following command to delete the user name User1:

unset user local name User1

Related commands
• set user group
• set user local
• get user


unset user radius

Delete a RADIUS server. You cannot delete RADIUS servers that have been added to user groups.

Syntax description

Keyword: server <name_str>
Description: The name of the RADIUS server to delete. Enter unset user radius server followed by a space and ? for a list of RADIUS server names.
Availability: All models.

Examples

Use the following command to delete the RADIUS server named MainRADIUS:

unset user radius server MainRADIUS

Related commands
• set user group
• set user radius
• get user


unset vpn certificates

Use this command to delete local and CA certificates.

Note: The unset vpn certificates command is not available in Transparent mode.

Syntax description

Keyword: ca <name_str>
Description: Delete the named CA certificate. Use the command unset vpn certificates ca followed by a space and ? for a list of CA certificate names.
Availability: All models.

Keyword: local <name_str>
Description: Delete the named local certificate. Use the command unset vpn certificates local followed by a space and ? for a list of local certificate names.
Availability: All models.

Examples

Use the following command to delete a local certificate:

unset vpn certificates local branch_office_ca

Use the following command to delete a CA certificate:

unset vpn certificates ca trust_ca

Related commands
• execute vpn certificates ca
• execute vpn certificates local
• get vpn certificates


unset vpn ipsec

Use this command to delete IPSec VPN phase 1, phase 2, concentrator, or manual key tunnel configurations. Phase 1 configurations must be removed from phase 2 configurations before the phase 1 configuration can be deleted.

Note: The unset vpn ipsec command is not available in Transparent mode.

Syntax description

Keyword: concentrator <name_str>
Description: Delete an IPSec VPN concentrator. Use the command unset vpn ipsec concentrator followed by a space and ? for a list of concentrator configurations.
Availability: All models.

Keyword: manualkey <name_str>
Description: Delete an IPSec manual key tunnel. Use the command unset vpn ipsec manualkey followed by a space and ? for a list of manual key configurations.
Availability: All models.

Keyword: phase1 <name_str>
Description: Delete the named IPSec phase 1 configuration. Use the command unset vpn ipsec phase1 followed by a space and ? for a list of phase 1 configurations.
Availability: All models.

Keyword: phase2 <name_str>
Description: Delete the named IPSec phase 2 configuration. Use the command unset vpn ipsec phase2 followed by a space and ? for a list of phase 2 configurations.
Availability: All models.

Examples

Use the following command to delete an IPSec VPN concentrator.

unset vpn ipsec concentrator Concentrator_1

Use the following command to delete an IPSec VPN manual key tunnel.

unset vpn ipsec manualkey Manual_1

Use the following command to delete an IPSec VPN phase 1 configuration.

unset vpn ipsec phase1 Remote_GW

Use the following command to delete an IPSec VPN phase 2 configuration.

unset vpn ipsec phase2 Auto_1

Related commands
• set vpn ipsec phase1
• set vpn ipsec phase2
• set vpn ipsec concentrator
• set vpn ipsec manualkey
• get vpn ipsec


get commands

Use get commands to list FortiGate configuration settings. You can also view these configuration settings from the web-based manager. Configuration settings are static settings that can be configured by an administrative user with write permission. All these settings can be uploaded and downloaded, and they do not change while the FortiGate is in operation.

get alertemail configuration

get alertemail setting

get antivirus filepattern

get antivirus quarantine list

get antivirus quarantine settings

get antivirus service

get config

get console

get emailfilter

get firewall address

get firewall addrgrp

get firewall dnstranslation

get firewall ipmacbinding

get firewall ippool

get firewall profile

get firewall policy

get firewall schedule

get firewall service

get firewall vip

get log elog

get log logsetting

get log policy

get log trafficfilter

get nids detection

get nids prevention

get nids rule

get system admin

get system autoupdate

get system dhcpserver

get system dns

get system ha

get system interface

get system mainregpage

get system management

get system objver

get system option

get system performance

get system route policy

get system route rip

get system route table

get system serialno

get system sessionttl

get system snmp

get system status

get system time

get system vlan

get system zone

get user

get vpn certificates

get vpn ipsec

get vpn l2tp range

get vpn pptp range

get webfilter


get alertemail configuration

Display the SMTP server address, SMTP user name, SMTP authentication status, encrypted SMTP password and the email addresses to which alert email will be sent.

get alertemail configuration

Related commands
• set alertemail configuration
• get alertemail setting
• set alertemail setting
• get system dns
• set system dns


get alertemail setting

Display the status for sending alert email for virus incidents, block incidents, network intrusions, and critical firewall or VPN events or violations, and, if you have configured logging to a local disk, the status for sending an alert email when the hard disk is almost full.

get alertemail setting

Related commands
• get alertemail configuration
• set alertemail configuration
• set alertemail setting


get antivirus filepattern

Display the full list of file patterns that FortiGate antivirus protection can block, or display a specific file pattern.

Syntax description

Keyword: [<fp_integer>]
Description: Display the master list of file patterns that FortiGate antivirus protection can block. Enter the number of a file pattern to display only that file pattern.
Default: No default.
Availability: All models.

Examples

Use the following command to display the master list of filename patterns:

get antivirus filepattern

Use the following command to display the tenth filename pattern in the list.

get antivirus filepattern 10

Related commands
• set antivirus filepattern
• set antivirus service
• get antivirus service


get antivirus quarantine list

Use this command to list files in the quarantine. The entries displayed show:

• the filename in the format <checksum>.<filename>,
• the date and time the first copy of the file was quarantined,
• the service from which the file was quarantined,
• a message indicating why the file was quarantined,
• a duplicate count number indicating how many times the same file was received after the first instance of the file was quarantined,
• the TTL (time to live) of the file in quarantine.

Note: In the case of duplicate files, all fields relate to the originally quarantined file except TTL, which is refreshed with every new instance of a given file. Duplicate files (based on checksum) are never stored, but an internal counter for each file records the number of duplicates encountered.

Syntax description

Keyword: filter
Description: Filter the list of quarantined files using either the service or status keywords.
Default: No default.
Availability: FortiGate-200 and higher.

Keyword: service value {http | ftp | smtp | imap | pop3}
Description: Filter the list of quarantined files according to the service from which the file was quarantined.
Default: No default.
Availability: FortiGate-200 and higher.

Keyword: status value {infected | blocked}
Description: Filter the list of quarantined files based on whether the file was blocked or infected.
Default: No default.
Availability: FortiGate-200 and higher.

Examples

Use the following command to list all the files in quarantine:

get antivirus quarantine list

Use the following command to list all the blocked files in quarantine:

get antivirus quarantine list filter status value blocked

Use the following command to list all the files quarantined from SMTP traffic:

get antivirus quarantine list filter service value smtp

Related commands
• set antivirus quarantine
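The quarantine behaviour described above (files named <checksum>.<filename>, duplicates counted but never stored, TTL refreshed on every new instance, and the filter service value / filter status value forms), modelled in Python as an added example; this is not Fortinet code. The assumption that the TTL starts from the file age limit in the quarantine settings, and the sample files, are constructed for the example.

```python
"""Model of the quarantine list semantics in this chapter (added example,
not Fortinet code): dedup by checksum, duplicate counter, TTL refresh, filters."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SERVICES = ("http", "ftp", "smtp", "imap", "pop3")
STATUSES = ("infected", "blocked")


@dataclass
class QuarantineEntry:
    checksum: str
    filename: str
    first_quarantined: datetime   # date and time the first copy was quarantined
    service: str                  # service the file was quarantined from
    status: str                   # infected or blocked
    message: str                  # why the file was quarantined
    expires: datetime             # end of the TTL; refreshed by every new instance
    duplicates: int = 0           # copies received after the first instance

    def display_name(self) -> str:
        return f"{self.checksum}.{self.filename}"

    def ttl(self, now: datetime) -> timedelta:
        return max(self.expires - now, timedelta(0))


class Quarantine:
    """Files keyed by checksum, so a duplicate is counted but never stored twice."""

    def __init__(self, age_limit: timedelta) -> None:
        self.age_limit = age_limit   # assumption: TTL = quarantine file age limit
        self._files: Dict[str, QuarantineEntry] = {}

    def quarantine(self, checksum: str, filename: str, service: str,
                   status: str, message: str, now: datetime) -> QuarantineEntry:
        if service not in SERVICES or status not in STATUSES:
            raise ValueError("unknown service or status")
        entry = self._files.get(checksum)
        if entry is None:
            entry = QuarantineEntry(checksum, filename, now, service, status,
                                    message, now + self.age_limit)
            self._files[checksum] = entry
        else:
            # Duplicate: every field still describes the original file;
            # only the duplicate counter and the TTL change.
            entry.duplicates += 1
            entry.expires = now + self.age_limit
        return entry

    def expire(self, now: datetime) -> List[str]:
        """Drop entries whose TTL has run out and return their checksums."""
        gone = [c for c, e in self._files.items() if e.expires <= now]
        for c in gone:
            del self._files[c]
        return gone

    def list_files(self, service: Optional[str] = None,
                   status: Optional[str] = None) -> List[QuarantineEntry]:
        return [e for e in self._files.values()
                if (service is None or e.service == service)
                and (status is None or e.status == status)]


def parse_filter(args: List[str]) -> Dict[str, str]:
    """Parse the words after 'get antivirus quarantine list', for example
    ['filter', 'status', 'value', 'blocked'] -> {'status': 'blocked'}."""
    if not args:
        return {}
    if len(args) != 4 or args[0] != "filter" or args[2] != "value":
        raise ValueError("expected: filter {service | status} value <value>")
    key, value = args[1], args[3]
    allowed = {"service": SERVICES, "status": STATUSES}
    if key not in allowed or value not in allowed[key]:
        raise ValueError(f"bad {key} value: {value}")
    return {key: value}


def names(entries: List[QuarantineEntry]) -> List[str]:
    return [e.display_name() for e in entries]


def demo() -> Dict[str, object]:
    """Constructed sample: the same file arrives twice, plus one blocked file."""
    t0 = datetime(2003, 7, 30, 12, 0)
    q = Quarantine(timedelta(hours=1))
    first = q.quarantine("ab12", "eicar.com", "smtp", "infected", "virus found", t0)
    again = q.quarantine("ab12", "eicar.com", "http", "infected", "virus found",
                         t0 + timedelta(minutes=30))
    q.quarantine("cd34", "tool.exe", "http", "blocked", "pattern *.exe", t0)
    return {
        "same_entry": again is first,
        "duplicates": first.duplicates,
        "service_kept": first.service,
        "ttl_after_refresh_s": int(first.ttl(t0 + timedelta(minutes=30)).total_seconds()),
        "blocked": names(q.list_files(**parse_filter(["filter", "status", "value", "blocked"]))),
        "smtp": names(q.list_files(**parse_filter(["filter", "service", "value", "smtp"]))),
        "expired_at_13_01": q.expire(t0 + timedelta(hours=1, minutes=1)),
        "remaining": names(q.list_files()),
    }
```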


get antivirus quarantine settings

Display the quarantine general and service specific settings. The display of the general settings shows the quarantine maximum file size and file age limit, and what action to take when the quarantine is full. The display of the service specific settings shows whether or not quarantining is in effect for infected and/or blocked files of that service type.

get antivirus quarantine settings

Related commands
• set antivirus quarantine


get antivirus service

Display the antivirus protection settings that control how the FortiGate unit applies antivirus protection to the web, FTP, and email traffic allowed by firewall policies.

This command also displays the port numbers used for HTTP and email traffic, and the SMTP splice status.

Syntax description

Keyword: {http | smtp | pop3 | imap | ftp}
Description: Select a service for which to display antivirus protection settings.
Default: No default.
Availability: All models.

Keyword: block
Description: Display the list of filename patterns and whether they are enabled or disabled.
Default: enabled
Availability: All models. All services.

Keyword: filesizelimit
Description: Display, in Mbytes, the file size limit for the specified service.
Default: Varies.
Availability: All models. All services.

Keyword: ports
Description: List the port or ports used for HTTP, SMTP, POP3 and IMAP traffic.
Default: http 80, smtp 25, pop3 110, imap 143
Availability: All models. HTTP, SMTP, POP3, IMAP services.

Keyword: splice
Description: Show whether splice is enabled or disabled for smtp or ftp.
Default: enabled
Availability: All models. SMTP, FTP services.

Examples

Use the following command to display the list of file name patterns for HTTP and the status of each file name pattern.

get antivirus service http block

Use the following command to display the file size limit for POP3.

get antivirus service pop3 filesizelimit

Use the following command to list the ports used for HTTP traffic.

get antivirus service http ports

Use the following command to display the SMTP splice status.

get antivirus service smtp splice

Related commands
• set antivirus service


get config

Display the current FortiGate system configuration. For more information, see “Displaying the FortiGate configuration” on page 19.

Syntax description

Keyword: [<keyword_str>]
Description: Enter a keyword to display all the lines in the configuration file that contain that keyword.
Availability: All models.

Examples

Use the following command to display the current FortiGate system configuration:

get config

Use the following command to display the configuration for the keyword option:

get config option

Related commands
• execute backup
• execute reload
• execute restore
• set console


get console

Display the number of lines per page, the mode of operation and the baud rate of the command line console.

get console

Note: The baud rate information is displayed only for FortiGate units with BIOS 3.03 and higher and FortiOS version 2.50 and higher. When default is displayed for the baud rate, the baud rate has not been set and the FortiGate unit uses the default setting (115200 for the FortiGate-300 and 9600 for all other models).

Related commands
• set console


get emailfilter

Display the email filtering banned word, address block, and address exempt lists, and the subject tag configuration.

Syntax description

Keyword: bannedword
Description: Display the list of email filter banned words and phrases. The list includes a number for each entry, the word or phrase, the language of the entry and whether the entry is enabled or disabled.
Default: No default.
Availability: All models.

Keyword: blocklist
Description: Display the list of email address block patterns. The list includes a number for each entry, and whether the patterns are enabled or disabled.
Default: No default.
Availability: All models.

Keyword: config
Description: Display the subject tag added to filtered email.
Availability: All models.

Keyword: exemptlist
Description: Display the list of email address exempt patterns. The list includes a number for each entry, and whether the patterns are enabled or disabled.
Default: No default.
Availability: All models.

Examples

Use the following command to display the list of email address block patterns:

get emailfilter blocklist

Related commands
• set emailfilter bannedword
• set emailfilter blocklist
• set emailfilter config
• set emailfilter exemptlist

178 Fortinet Inc.

Page 179: Manual Fortinet

get firewall address

Display the addresses that have been added to the FortiGate configuration. These addresses can be used in policies. The display lists each address name, IP address and netmask. The display also lists the interface or, for zone and VLAN capable models, the zone and VLAN subinterface to which each address has been added.

get firewall address

Related commands
• get firewall addrgrp
• set firewall address
• unset firewall address
• set firewall addrgrp

get firewall addrgrp

Display the address groups that have been added to the FortiGate configuration. These address groups can be used in policies. The display lists the name of each address group, the names of the addresses in the group, and the interface or, for zone and VLAN capable models, the zone or VLAN to which each address group has been added.

get firewall addrgrp

Related commands
• set firewall addrgrp
• unset firewall addrgrp

get firewall dnstranslation

Display the DNS translation settings, including whether DNS translation is enabled or disabled, and the DNS translation source and destination addresses and netmask.

Example

get firewall dnstranslation

Related commands
• set firewall dnstranslation

get firewall ipmacbinding

Display the current static or dynamic IP/MAC binding configuration. The display indicates whether IP/MAC binding for traffic going to or through the FortiGate unit is enabled or disabled. The display also lists the IP and MAC address pairs that have been added to the table, and whether each address pair is enabled or disabled.

Syntax description

  [dhcpipmac]
    Display the dynamic IP/MAC binding list. This list is available if you have configured the FortiGate unit to be a DHCP server.
    Availability: All models.

Examples

Use the following command to display the IP/MAC binding configuration for static IP/MAC binding:

get firewall ipmacbinding

Use the following command to display the dynamic IP/MAC binding list:

get firewall ipmacbinding dhcpipmac

Related commands
• get system dhcpserver
• set firewall ipmacbinding setting
• set firewall ipmacbinding table
• unset firewall address
• set system dhcpserver

Note: You can also display the dynamic IP/MAC binding list using the get system dhcpipmac command.

get firewall ippool

Display the IP address pools that have been added to FortiGate interfaces. For each IP pool the display shows a number, the interface name, the start IP, and the end IP.

get firewall ippool

Related commands
• set firewall ippool
• unset firewall address

Note: IP pools are not available in Transparent mode.

get firewall profile

Display the settings for the named profile.

Syntax description

  <name_str>
    Enter a profile name to list the settings for all services for that profile. Enter get firewall profile for a list of profiles. The profile name is case sensitive.
    Default: No default.
    Availability: All models.

  [<service_str>]
    Enter a service name to list the settings for that service only. Enter get firewall profile <name_str> followed by a space and ? for a list of services. The service name is not case sensitive.
    Default: No default.
    Availability: All models.

Examples

Use the following command to display the settings for the default profile named Strict:

get firewall profile Strict

Use the following command to display the HTTP settings for the default profile named Strict:

get firewall profile Strict http

Related commands
• set firewall profile
• unset firewall profile

get firewall policy

Display the firewall policy lists or detailed information for a policy. The policy lists show all of the policies added to the firewall configuration. For each policy, the display includes the policy sequence number, policy id number, source and destination addresses, service, schedule, action, and policy status (enabled or disabled).

Syntax description

  srcintf <intf_str>
    Enter the source interface for the policy. On all FortiGate models srcintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone. Use the command get firewall policy srcintf followed by a space and ? for a list of available interfaces.
    Default: No default.
    Availability: All models.

  dstintf <intf_str>
    Enter the destination interface for the policy. On all FortiGate models dstintf can be the name of a FortiGate interface to which a firewall address has been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a VLAN subinterface to which firewall addresses have been added. In NAT/Route mode on FortiGate models 400 and up this name can also be a zone if you have added firewall addresses to the zone and if you have added at least one interface or VLAN subinterface to the zone. Use the command get firewall policy srcintf <intf_str> dstintf followed by a space and ? for a list of available interfaces.
    Default: No default.
    Availability: All models.

  policyid <policy-id_integer>
    Enter an ID number for the policy. Every firewall policy is identified by its srcintf, dstintf, and policyid. Every srcintf, dstintf, and policyid combination is unique. Use the command get firewall policy srcintf <intf_str> dstintf <intf_str> policyid followed by a space and ? for a list of available policies and their id numbers.
    Default: No default.
    Availability: All models.

Examples

Use the following command to display all the policy lists:

get firewall policy

Use the following command to display the Internal to External policy list:

get firewall policy srcintf internal dstintf external

Use the following command to display detailed information for the policy in the Internal to External policy list with the policy id number 3:

get firewall policy srcintf internal dstintf external policyid 3

Related commands
• set firewall policy
• unset firewall policy

get firewall schedule

Display the lists of one-time or recurring schedules.

Syntax description

  onetime
    Display the list of one-time schedules. The display shows details about each schedule including the name, begin day, begin time, end day, and end time.
    Default: No default.
    Availability: All models.

  recurring
    Display the list of recurring schedules. The display shows details about each schedule including the name, days of the week the schedule is active, and the begin time and end time.
    Default: Always.
    Availability: All models.

Examples

Use the following command to display the list of one-time schedules:

get firewall schedule onetime

Use the following command to display the list of recurring schedules:

get firewall schedule recurring

Related commands
• set firewall onetimeschedule
• set firewall recurringschedule

get firewall service

Display the lists of custom or predefined firewall services, or the list of service groups.

Syntax description

  custom
    Display the list of custom services. The display shows the service name and port information.
    Default: No default.
    Availability: All models.

  group
    Display the list of service groups. The display shows the service group name, and the names of the services added to the service group.
    Default: No default.
    Availability: All models.

  predefined
    Display the list of predefined services. The display shows the service name and port information.
    Default: No default.
    Availability: All models.

Examples

Use the following command to display the list of custom services:

get firewall service custom

Use the following command to display the list of service groups:

get firewall service group

Use the following command to display the list of predefined services:

get firewall service predefined

Related commands
• set firewall service custom
• set firewall service group
• unset firewall service

get firewall vip

Display the list of static NAT and port forwarding virtual IPs. The display lists the name, type, external interface, external IP address and port, and map to IP address and port.

get firewall vip

Related commands
• set firewall vip
• unset firewall vip

Note: The get firewall vip command is not available in Transparent mode.

get log elog

Display the event log messages that have been saved to memory or to the optional FortiGate hard disk.

Example

get log elog

Related commands
• set log policy
• set log setting

Note: Not available on FortiGate-50 models.

get log logsetting

Display the Log To locations and whether logging to each location is turned on or off. Display the log severity level for each log location. Display the remote host and WebTrends server configurations. For FortiGate units with a hard disk, show the Log file size, Log time, and Log options when disk is full settings.

Example

get log logsetting

Related commands
• set log setting
• set log policy

get log policy

For each log destination, display the types of logs that are enabled or disabled.

Syntax description

  destination {syslog | webtrends | local | console}
    Specify a destination for which to display log type status and category settings. If the FortiGate unit has a hard disk, local displays the local log settings. If the FortiGate unit does not have a hard disk, local displays the memory log settings. Use the command get system status to confirm whether or not a hard disk is available on the FortiGate unit.
    Default: No default.
    Availability: All models.

  {event | ids | traffic | update | virus | webfilter}
    Specify a log type for which to display status and category settings.
    Default: No default.
    Availability: All models.

Examples

Use the following command to display the status of all log types for all log locations:

get log policy

Use the following command to display the status, enabled or disabled, of the syslog traffic log:

get log policy destination syslog traffic

Related commands
• set log policy
• set log setting

get log trafficfilter

Display the traffic log filtering rules and global settings.

Example

get log trafficfilter

Related commands
• set log trafficfilter rule
• set log trafficfilter setting
• unset log filter

Note: Traffic logging is not available when logging to system memory.

get nids detection

Display NIDS detection settings.

Syntax description

  checksum
    Display whether or not the NIDS is set to run checksums for IP, TCP, UDP, and ICMP traffic.
    Default: off
    Availability: All models.

  interface
    Display whether or not the NIDS is set to monitor each interface for attacks.
    Default: off
    Availability: All models.

Examples

Use the following command to display the checksum settings:

get nids detection checksum

Use the following command to find out which interfaces the NIDS monitors for attacks:

get nids detection interface

Related commands
• set nids detection

get nids prevention

Display whether the NIDS Prevention module is enabled or disabled. Display whether NIDS Prevention signatures are enabled or disabled, and the threshold value for signatures that have threshold values.

Syntax description

  icmp <attack_str>
    Specify an Internet Control Message Protocol (ICMP) NIDS prevention signature. The display shows whether the signature is enabled or disabled, and the threshold value if the specified signature has a threshold value. Use the command get nids prevention icmp followed by a space and a ? to display a list of ICMP signatures.
    Default: No default.
    Availability: All models.

  ip <attack_str>
    Specify an Internet Protocol (IP) NIDS prevention signature. The display shows whether the signature is enabled or disabled, and the threshold value if the specified signature has a threshold value. Use the command get nids prevention ip followed by a space and a ? to display a list of IP signatures.
    Default: No default.
    Availability: All models.

  status
    Display whether the NIDS Prevention module is enabled or disabled.
    Default: disabled
    Availability: All models.

  tcp <attack_str>
    Specify a Transmission Control Protocol (TCP) NIDS prevention signature. The display shows whether the signature is enabled or disabled, and the threshold value if the specified signature has a threshold value. Use the command get nids prevention tcp followed by a space and a ? to display a list of TCP signatures.
    Default: No default.
    Availability: All models.

  udp <attack_str>
    Specify a User Datagram Protocol (UDP) NIDS prevention signature. The display shows whether the signature is enabled or disabled, and the threshold value if the specified signature has a threshold value. Use the command get nids prevention udp followed by a space and a ? to display a list of UDP signatures.
    Default: No default.
    Availability: All models.

Examples

Use the following command to display whether the NIDS Prevention module is enabled or disabled:

get nids prevention status

Use the following command to display the settings for the TCP SYN flood signature:

get nids prevention tcp synflood

Related commands
• set nids prevention
• get nids detection
• get nids rule

get nids rule

Display the current list of NIDS detection signature groups and whether the groups are enabled or disabled. You can also display the ID, rule name, and revision number for the signatures in each group.

Syntax description

  <group_str>
    Specify the signature group for which to display the ID, rule name and revision number of the signatures in the group. Use the command get nids rule followed by a space and ? to display the list of signature groups.
    Default: No default.
    Availability: All models.

Examples

Use the following command to show the list of signature groups and whether each group is enabled or disabled:

get nids rule

Use the following command to show the ID, rule name, and revision number for each signature in the telnet signature group:

get nids rule telnet

Related commands
• set nids rule
• get nids detection
• execute backup
• execute restore

get system admin

Display the current list of FortiGate administrator accounts, including the user name for the account, the IP address and netmask from which this account can manage the FortiGate unit, and the account read and write permissions.

get system admin

Related commands
• set system admin
• unset system admin

get system autoupdate

Display the antivirus and attack definitions update configuration. The display shows whether push and scheduled updating are enabled or disabled, whether antivirus and NIDS definitions updates are enabled or disabled, and whether server and push overrides are enabled or disabled. If server override is enabled, the override IP address is displayed. If push address override is enabled, the override IP address and port are displayed. This command also displays FortiResponse Distribution Network (FDN) server and push update availability status.

For current virus and attack definition version information, see “get system status” on page 213.

get system autoupdate

Related commands
• get system status
• set system autoupdate
• get system objver

get system dhcpserver

Display the settings for the FortiGate DHCP server, the reserved IP/MAC pairs, or the dynamic IP/MAC binding list.

Syntax description

  reserve
    Display the list of reserved IP/MAC pairs.
    Availability: All models.

  reserve dhcpipmac
    Display the dynamic IP/MAC binding list. The dynamic IP/MAC binding list is available if you have configured the FortiGate unit as a DHCP server.
    Availability: All models.

Examples

Use the following command to display the DHCP server settings:

get system dhcpserver

Use the following command to display the list of reserved IP/MAC pairs:

get system dhcpserver reserve

Use the following command to display the dynamic IP/MAC binding list:

get system dhcpserver reserve dhcpipmac

You can also display this list using the get firewall ipmacbinding dhcpipmac command.

Related commands
• get firewall ipmacbinding
• set system dhcpserver
• unset system dhcpserver

get system dns

Display the IP addresses of the primary and secondary DNS servers that the FortiGate unit uses for DNS lookups.

get system dns

Related commands
• set system dns

get system ha

Display the FortiGate HA configuration and statistics for the HA cluster.

Syntax description

  mode
    Display the HA mode, Group ID, HA unit priority, HA master override setting, and the list of monitored interfaces. In A-A mode, display the schedule. If the schedule is set to weight-round robin, display the weights for each priority ID.
    Availability: Models numbered 300 and higher.

  statistic
    Display the statistics for the HA cluster. The statistics include health information for each FortiGate unit in the cluster (CPU usage, memory usage, and network usage) and HA statistics (number of sessions, packets, and bytes processed by each unit in the cluster).
    Availability: Models numbered 300 and higher.

Examples

Use the following command to display the HA mode:

get system ha mode

Use the following command to display the statistics for the HA group:

get system ha statistic

Related commands
• get system interface
• set system ha
• execute ha manage
• execute ha synchronize
• set system interface

get system interface

Display the configuration of all FortiGate interfaces. For FortiGate models 400 and up this command also displays the configuration of all FortiGate VLAN subinterfaces.

Depending on the interface, in NAT/Route mode this command displays the addressing mode (static, DHCP or PPPoE), IP address, netmask, MAC address, speed, administrative access, MTU setting, and status (up or down) for each interface.

In Transparent mode, this command displays the speed, administrative access, and status for each interface.

Example

Use the following command to display the configuration of all the interfaces:

get system interface

Related commands
• get system management
• set system interface
• set system management
• unset system secondip

get system mainregpage

Display whether the registration window on the web-based manager is shown or hidden.

get system mainregpage

Related commands
• set system mainregpage

get system management

Display the Transparent mode management IP address and netmask.

get system management

Related commands
• set system management

Note: The get system management command is only available in Transparent mode.

get system objver

Display the antivirus engine version, the virus and attack definitions versions, the contract expiry, and the last update attempt information.

get system objver

Related commands
• get system autoupdate
• set system autoupdate
• get system status

get system option

Display the administration timeout, the authorization timeout, the dead gateway detection ping interval and failover time, the web-based manager language, the front panel and LCD pin settings, and the GUI refresh interval.

get system option

Related commands
• set system option

Note: Front panel and LCD pin settings are available only on FortiGate models numbered 300 and higher.

get system performance

Display FortiGate system status information, including CPU states, memory states, and up time.

get system performance

Related commands
• get system status

get system route policy

Display the policy routing list. The display includes the policy route number, source and destination addresses, protocol and port numbers, gateway address, and in and out interface names.

Example

get system route policy

Related commands
• set system route policy
• unset system route policy

get system route rip

Display the Routing Information Protocol (RIP) configuration. The information displayed includes the basic RIP configuration, the RIP neighbors that have been added, and the RIP configuration for each interface.

Syntax description

  filter
    Display RIP filter settings.
    Availability: All models except FortiGate-50. NAT/Route mode only.

Related commands
• set system route rip
• set system route rip filter
• set system route rip interface
• set system route rip neighbor
• set system route rip timers

get system route table

Display the FortiGate static routing table. For each route in the routing table, the command displays the route number, the destination IP address and netmask, and the gateways and interfaces for each static route.

Example

Use the following command to display the list of routes:

get system route table

Related commands
• set system route number
• unset system route number

get system serialno

Display the serial number of the FortiGate unit.

Example

get system serialno

Related commands
• get system status

get system sessionttl

Display the TCP session timeout configuration, including the default session timeout and, if set, the session timeout for specific ports.

Example

get system sessionttl

Related commands
• set system session_ttl
• unset system sessionttl

get system snmp

Display the FortiGate SNMP configuration. The command displays whether SNMP is enabled or disabled. The command also displays the SNMP system name, system location, contact information, get community string, set/trap community string, and the first, second, and third trap receiver IP addresses. SNMP can be used for remote monitoring of the FortiGate unit.

get system snmp

Related commands
• set system snmp

get system status

Display system status information. This command displays the FortiGate firmware version and build number, virus definitions version, attack definitions version, FortiGate serial number, the availability of a hard disk for logging, operation mode, and hostname.

get system status

Related commands
• get system performance
• get system autoupdate
• get system objver

get system time

Display the FortiGate system date, time, time zone, and Network Time Protocol (NTP) settings.

Syntax description

  ntp
    Display the NTP configuration, including whether NTP is enabled or disabled, the NTP server IP address, and the NTP synchronization interval.
    Default: Disabled. 132.246.168.148. Interval 60.
    Availability: All models.

  time
    Display the system date, time and time zone, and whether daylight saving time is enabled or disabled.
    Default: System time and date. GMT-8. DST disabled.
    Availability: All models.

Examples

Use the following command to display the FortiGate time settings:

get system time time

Use the following command to display the FortiGate NTP settings:

get system time ntp

Related commands
• set system time

get system vlan

Display the configuration of the VLAN subinterfaces added to a physical FortiGate interface. The command displays the VLAN subinterface name, VLAN ID, IP address and netmask, and management access. The display also shows the zone if the VLAN has been added to a zone.

Syntax description

  [interface <name_str>]
    Enter a physical interface name to display the VLAN subinterfaces added to this physical interface. Use the command get system vlan interface followed by a space and a ? for a list of physical interfaces.
    Availability: Models numbered 400 and higher. NAT/Route mode only.

Example

Use the following command to display the configuration of the VLAN subinterfaces added to the internal interface:

get system vlan interface internal

Related commands
• set system vlan
• unset system vlan

get system zone

Display the zone list. The command lists the number and name of each zone and whether the zone is configured to block traffic between interfaces in the same zone.

get system zone

Related commands
• set system zone
• unset system zone

Note: Zones are available on FortiGate models numbered 400 and higher. Zones are not available in Transparent mode.

get user

Display information about user names and passwords. Display information about user groups used to authenticate with firewall policies, PPTP and L2TP VPNs, and IPSec VPN. Display information about RADIUS and LDAP server settings.

Syntax description

  group
    Display the list of user groups. The list includes the number and name for the group, and the members of the group.
    Default: No default.
    Availability: All models.

  ldap
    Display information about LDAP servers. The list includes the LDAP server number, name, IP address, port, common name and base distinguished name.
    Default: No default.
    Availability: All models.

  local
    Display the list of user names in the local FortiGate user database that can be added to user groups. The list includes user number and name, authentication type, and password. If RADIUS authentication is set for the user, the list includes the name of the RADIUS server and indicates if other servers should be tried. If LDAP authentication is set for the user, the list includes the name of the LDAP server. The list also indicates whether the user name is enabled or disabled.
    Default: No default.
    Availability: All models.

  radius
    Display information about RADIUS servers. The list includes the number, name and IP address of the server. The server secret is masked by an *.
    Default: No default.
    Availability: All models.

Examples

Use the following command to display user group information:

get user group

Use the following command to display user names and information:

get user local

Related commands
• set user group
• set user local
• set user radius
• unset user group
• unset user local
• unset user radius

get vpn certificates

Display information about local and CA certificates.

Syntax description

  ca
    Display the list of CA certificates. The list includes the certificate name, subject, issuer, validity from and to dates, fingerprint, and whether or not this is a root CA.
    Default: No default.
    Availability: All models.

  local
    Display the list of local certificates. The list includes the certificate name, subject and type.
    Default: No default.
    Availability: All models.

Examples

Use the following command to display the list of local certificates:

get vpn certificates local

Use the following command to display the list of CA certificates:

get vpn certificates ca

Related commands
• execute vpn certificates ca
• execute vpn certificates local
• unset vpn certificates

Note: The get vpn certificates command is not available in Transparent mode.

get commands get vpn ipsec

get vpn ipsec

Display IPSec VPN AutoIKE phase 1 and phase 2 configuration, IPSec manual key configuration and VPN concentrator configuration.

Syntax description

concentrator
    Display the names of the IPSec VPN concentrators and the names of the member tunnels in each one.
    Default: No default. Availability: All models. NAT/Route mode only.

manualkey
    Display the configuration of each IPSec VPN manual key tunnel including the tunnel name, local SPI, remote SPI, remote gateway IP address, encryption algorithm, authentication algorithm and concentrator name (if the tunnel has been added to a concentrator). The encryption and authentication keys are hidden.
    Default: No default. Availability: All models. NAT/Route mode only.

phase1
    Display the settings of each IPSec VPN phase 1 configuration. The information displayed includes the gateway name, remote gateway type, Diffie-Hellman group, P1 proposal, keylife, authentication method, authentication key, Dead Peer Detection settings, XAuth settings and other settings.
    Default: No default. Availability: All models. NAT/Route mode only.

phase2
    Display the settings of each IPSec VPN phase 2 configuration. The information displayed includes the tunnel name, remote gateway name, P2 proposal configuration, keylife, autokey keepalive configuration, and concentrator name (if the tunnel has been added to a concentrator).
    Default: No default. Availability: All models. NAT/Route mode only.

Example

Use the following command to display the configuration of the IPSec VPN manual key tunnels:

get vpn ipsec manualkey

Use the following command to display the configuration of the IPSec VPN concentrators:

get vpn ipsec concentrator

Related commands
• set vpn ipsec concentrator
• set vpn ipsec manualkey
• set vpn ipsec phase1
• set vpn ipsec phase2
• unset vpn ipsec

Note: The get vpn ipsec command is not available in Transparent mode.

FortiGate CLI Reference Guide 219


get vpn l2tp range

Display whether L2TP VPN is enabled or disabled, the L2TP range starting and ending IP addresses, and the L2TP user group.

get vpn l2tp range

Related commands
• set vpn l2tp

Note: The get vpn l2tp command is not available in Transparent mode.


get vpn pptp range

Display whether PPTP VPN is enabled or disabled, the PPTP range starting and ending IP addresses, and the PPTP user group.

get vpn pptp range

Related commands
• set vpn pptp

Note: The get vpn pptp command is not available in Transparent mode.


get webfilter

Display the current web content filtering configuration.

Syntax description

cerberian
    Display the Cerberian support configuration including whether Cerberian support is enabled or disabled, the Cerberian licence key and seat count, and the list of IP addresses, netmasks, and aliases for Cerberian users.
    Default: disabled. Availability: All models.

content
    Display a numbered list of banned words, the language for each banned word, and whether each banned word is enabled or disabled.
    Default: No default. Availability: All models.

exempturl
    Display a numbered list of exempt URLs and whether each one is enabled or disabled.
    Default: No default. Availability: All models.

script
    Display whether Java applet, cookie, and ActiveX filtering is enabled or disabled.
    Default: disabled. Availability: All models.

url
    Display a numbered list of blocked URLs, and whether each URL is enabled or disabled.
    Default: No default. Availability: All models.

Example

Use the following command to display the list of blocked URLs:

get webfilter url

Related commands
• set webfilter cerberian
• set webfilter content
• set webfilter script
• set webfilter url
• set webfilter exempturl


FortiGate CLI Reference Guide Version 2.50

execute commands

Use execute commands to perform system functions similar to those available using the System > Status page of the web-based manager. Using execute commands, you can shut down or restart the FortiGate unit, and restore factory defaults. You can also download firmware from a TFTP server, and upload and download system settings.

Note: Before running execute commands in Transparent mode, make sure that the IP address of the management interface is configured correctly. See “set system management” on page 94.

execute backup

execute factoryreset

execute formatlogdisk

execute ha manage

execute ha synchronize

execute ping

execute ping-option

execute reboot

execute reload

execute restore

execute save config

execute shutdown

execute traceroute

execute updatecenter updatenow

execute vpn certificates ca

execute vpn certificates local


execute backup

Back up the FortiGate configuration file or NIDS user defined signatures file to a TFTP server.

Syntax description

config <name_str> <tftp_ip>
    The name to give the configuration file that is copied to the TFTP server, and the TFTP server IP address.
    Availability: All models.

nidsuserdefsig <name_str> <tftp_ip>
    The name to give the NIDS user defined signature file that is copied to the TFTP server, and the TFTP server IP address.
    Availability: All models.

Example

Use the following command to back up a configuration file from the FortiGate unit to a TFTP server. The name to give the configuration file on the TFTP server is fgt.cfg. The IP address of the TFTP server is 192.168.1.23.

execute backup config fgt.cfg 192.168.1.23

Related commands
• execute restore
• execute reload
• get config
• set nids rule


execute factoryreset

Reset the FortiGate configuration to factory default settings. This procedure does not change the firmware version or the antivirus or attack definitions.

execute factoryreset

Related commands
• execute reboot
• execute reload
• get config

Caution: This procedure deletes all changes that you have made to the FortiGate configuration and reverts the system to its original configuration, including resetting interface addresses.


execute formatlogdisk

Format the FortiGate hard disk to enhance performance for logging.

execute formatlogdisk

Caution: This operation will erase all quarantine files and logging data on the hard disk.


execute ha manage

Use this command from the CLI of the primary unit in an HA cluster to connect to the CLI of a secondary unit in the cluster.

Syntax description

<cluster-member_int>
    The number of the secondary unit in the cluster to which to connect. Enter execute ha manage followed by a space and a question mark to view the list of FortiGate units in the cluster. The list includes the serial number and host name of each secondary unit in the cluster as well as a number for the unit.
    Availability: Models numbered 300 and higher. Primary unit in an HA cluster.

Example

Use the following command to connect to a secondary unit in a cluster of three FortiGate units:

execute ha manage ?
<1> Subsidary unit FPS3012803021709
<2> Subsidary unit FPS3082103021989

Type 2 and press Enter to connect to the second unit in the list. The CLI prompt changes to the host name of this unit.

Related commands
• execute ha synchronize
• set system ha
• get system ha
• get config


execute ha synchronize

Use this command from a subordinate HA unit in an HA cluster to manually synchronize its configuration with the primary unit. Using this command you can synchronize the following:

• Configuration changes made to the primary unit (normal system configuration, firewall configuration, VPN configuration and so on stored in the FortiGate configuration file)
• Antivirus engine and antivirus definition updates received by the primary unit from the FortiResponse Distribution Network (FDN)
• NIDS attack definition updates received by the primary unit from the FDN
• Web filter lists added to or changed on the primary unit
• Email filter lists added to or changed on the primary unit
• Replacement messages changed on the primary unit
• Certification Authority (CA) certificates added to the primary unit
• Local certificates added to the primary unit

Syntax description

All of the following keywords are available on models numbered 300 and higher.

config      Synchronize the FortiGate configuration.
avupd       Synchronize the antivirus engine and antivirus definitions.
attackdef   Synchronize attack definitions.
weblists    Synchronize web filter lists.
emaillists  Synchronize email filter lists.
resmsg      Synchronize replacement messages.
ca          Synchronize CA certificates.
localcert   Synchronize local certificates.
all         Synchronize all of the above.

Example

From the CLI on a subordinate unit, use the following commands to synchronize the antivirus and attack definitions on the subordinate FortiGate unit with the primary unit after the FDN has pushed new definitions to the primary unit:

execute ha synchronize avupd

execute ha synchronize attackdef

Related commands
• execute ha manage
• set system ha
• get system ha
• get config


execute ping

Send an ICMP echo request (ping) to test the network connection between the FortiGate unit and another network device.

Syntax description

{<host-name_str> | <host_ip>}
    The domain name or IP address of the network device that you want the FortiGate unit to ping.
    Availability: All models.

Example

Use the following command to ping a host with the IP address 192.168.1.23:

execute ping 192.168.1.23

Related commands
• execute ping-option
• execute traceroute
• set system interface
• get system interface

Note: You can change the default ping options using the command execute ping-option.

Note: To display ping option settings use the command execute ping-option view-settings.


execute ping-option

Set ICMP echo request (ping) options to control the way ping tests the network connection between the FortiGate unit and another network device.

Syntax description

data-size <byte_integer>
    Specify the datagram size in bytes.
    Default: 56. Availability: All models.

df-bit {yes | no}
    Set df-bit to yes to prevent the ICMP packet from being fragmented. Set df-bit to no to allow the ICMP packet to be fragmented.
    Default: no. Availability: All models.

pattern {none | <2-byte_hex>}
    Used to fill in the optional data buffer at the end of the ICMP packet. The size of the buffer is specified using the data-size keyword. This allows you to send out packets of different sizes for testing the effect of packet size on the connection.
    Default: No default. Availability: All models.

repeat-count <repeat_integer>
    Specify how many times to repeat ping.
    Default: 5. Availability: All models.

source {auto | <source-intf_ip>}
    Specify the FortiGate interface from which to send the ping. If you specify auto, the FortiGate unit selects the source address and interface based on the route to the <host-name_str> or <host_ip>. Specifying the IP address of a FortiGate interface tests connections to different network segments from the specified interface.
    Default: auto. Availability: All models.

timeout <seconds_integer>
    Specify, in seconds, how long to wait until ping times out.
    Default: 2. Availability: All models.

tos {lowdelay | throughput | reliability | lowcost | default}
    Set the ToS (Type of Service) field in the packet header to indicate the quality of service desired:
    lowdelay = minimize delay
    throughput = maximize throughput
    reliability = maximize reliability
    lowcost = minimize cost
    default = 0
    Default: default (0). Availability: All models.

ttl <ttl_integer>
    Specify the time to live. Time to live is the number of hops the ping packet should be allowed to make before being discarded or returned.
    Default: 64. Availability: All models.

validate-reply {yes | no}
    Select yes to validate reply data.
    Default: no. Availability: All models.

view-settings
    Display the current ping-option settings.
    Default: No default. Availability: All models.

Example

Use the following command to increase the number of pings sent:

execute ping-option repeat-count 10

Use the following command to send all pings from the FortiGate interface with IP address 192.168.10.23:

execute ping-option source 192.168.10.23

Related commands
• execute ping
• execute traceroute
• get system interface
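The ping-option keywords above map onto fields of the ICMP echo request and its IP header. The following Python is an added example, not FortiGate code or output from the unit: it builds an echo request the way data-size, pattern, tos and df-bit describe (RFC 792 ICMP, RFC 1071 checksum, RFC 1349 ToS bits) and reproduces the validate-reply check against a constructed reply. The identifier, sequence numbers and sample reply are constructed here; the counting-byte fill used for pattern none is an assumption of the example.

```python
"""Packet-level view of the FortiGate ``execute ping-option`` keywords.

Added example (not FortiGate code): builds an ICMP echo request the way the
data-size / pattern / tos / df-bit options describe, and reproduces the
validate-reply check against a constructed reply. Everything runs offline.
"""
import struct
from typing import Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# RFC 1349 Type-of-Service bits for the five values of the ``tos`` keyword.
TOS_BITS = {
    "lowdelay": 0x10,     # minimize delay
    "throughput": 0x08,   # maximize throughput
    "reliability": 0x04,  # maximize reliability
    "lowcost": 0x02,      # minimize monetary cost
    "default": 0x00,      # default = 0
}
IP_FLAG_DF = 0x4000       # "Don't Fragment" bit in the IP flags/fragment-offset word


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_payload(data_size: int = 56, pattern: str = "none") -> bytes:
    """Fill the optional data buffer (``data-size`` bytes).

    With ``pattern none`` a counting byte sequence is used here (an assumption
    of this example); otherwise the 2-byte hex pattern is repeated to fill it.
    """
    if pattern == "none":
        return bytes(i & 0xFF for i in range(data_size))
    fill = bytes.fromhex(pattern)
    if len(fill) != 2:
        raise ValueError("pattern must be a 2-byte hex value, e.g. ff00")
    return (fill * (data_size // 2 + 1))[:data_size]


def build_echo_request(ident: int, seq: int, data_size: int = 56,
                       pattern: str = "none") -> bytes:
    """ICMP echo request (type 8, code 0) with a correct checksum."""
    payload = build_payload(data_size, pattern)
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def ip_tos_and_flags(tos: str = "default", df_bit: str = "no") -> Tuple[int, int]:
    """IP header values selected by the ``tos`` and ``df-bit`` keywords."""
    return TOS_BITS[tos], (IP_FLAG_DF if df_bit == "yes" else 0)


def validate_reply(request: bytes, reply: bytes) -> bool:
    """The ``validate-reply yes`` check: the reply must be an echo reply for
    this request (same identifier and sequence), carry an intact checksum and
    echo the request's data buffer byte for byte."""
    if len(reply) < 8 or icmp_checksum(reply) != 0:   # a valid message sums to 0
        return False
    rtype, _code, _csum, rid, rseq = struct.unpack("!BBHHH", reply[:8])
    _, _, _, qid, qseq = struct.unpack("!BBHHH", request[:8])
    return (rtype == ICMP_ECHO_REPLY and rid == qid and rseq == qseq
            and reply[8:] == request[8:])


def make_reply(request: bytes, corrupt: bool = False) -> bytes:
    """Constructed echo reply for testing: type 0, same id/seq and payload,
    optionally with one payload byte flipped (what validate-reply catches)."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    payload = bytearray(request[8:])
    if corrupt and payload:
        payload[0] ^= 0xFF
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
    csum = icmp_checksum(header + bytes(payload))
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, ident, seq) + bytes(payload)


if __name__ == "__main__":
    # Mirrors ``repeat-count 3`` with ``pattern ff00`` and the default data-size.
    for seq in range(1, 4):
        req = build_echo_request(ident=0x1234, seq=seq, pattern="ff00")
        print(seq, len(req), validate_reply(req, make_reply(req)),
              validate_reply(req, make_reply(req, corrupt=True)))
```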


execute reboot

Restart the FortiGate unit.

execute reboot

Related commands
• execute reload
• execute factoryreset
• execute shutdown


execute reload

Flush the current configuration from system memory and reload the configuration from a saved configuration file.

execute reload

Related commands
• execute reboot
• execute factoryreset
• execute shutdown
• execute backup
• get config


execute restore

Copy a configuration file, firmware image or NIDS user defined signature file from a TFTP server to the FortiGate unit. Use this command to restore a backup configuration, to change the FortiGate firmware, or to add a new or edited NIDS user defined signature file.

For more information on changing the FortiGate firmware, see “Changing the FortiGate firmware” on page 21.

Syntax description

config <name_str> <tftp_ip>
    Copy a configuration file from a TFTP server to the FortiGate unit. The FortiGate unit reboots. The new configuration replaces the existing configuration, including administrator accounts and passwords.
    Availability: All models.

image <name_str> <tftp_ip>
    Copy a firmware image from a TFTP server to the FortiGate unit. The FortiGate unit reboots, loading the new firmware.
    Availability: All models.

nidsuserdefsig <name_str> <tftp_ip>
    Copy a NIDS user defined signature file from a TFTP server to the FortiGate unit. If you have already uploaded a NIDS user defined signature file, this command replaces that file.
    Availability: All models.

Example

Use the following command to copy a configuration file from a TFTP server to the FortiGate unit and restart the FortiGate unit with this configuration. The name of the configuration file on the TFTP server is backupconfig. The IP address of the TFTP server is 192.168.1.23.

execute restore config backupconfig 192.168.1.23

Related commands
• execute backup
• execute reload
• get config
• get system status
• set nids rule
• get nids rule


execute save config

Use this command to save configuration changes when the command line console mode is set to batch mode.

execute save config

Related commands
• set console
• get console

Note: This command is only available when you have set the CLI console mode to batch. See “set console” on page 41.


execute shutdown

Shut down the FortiGate unit. You can use this command to remotely shut down the FortiGate unit so that it stops processing network traffic. To restart the FortiGate unit you must turn the power off and then on.

execute shutdown

Related commands
• execute reboot
• execute reload
• execute factoryreset


execute traceroute

Test the connection between the FortiGate unit and another network device, and display information about the network hops between the device and the FortiGate unit. Some gateways and routers do not respond to traceroute. In those instances, three asterisks will be displayed.

Syntax description

traceroute <host_ip>
    The IP address of the network device to which to trace the route.
    Availability: All models.

Example

Use the following command to test the connection to a device with the IP address 192.168.1.23:

execute traceroute 192.168.1.23

Related commands
• execute ping
• execute ping-option


execute updatecenter updatenow

Use this command to manually initiate virus definitions, antivirus engine, and attack definitions updates.

execute updatecenter updatenow

Related commands
• set system autoupdate
• set system dns
• get system autoupdate
• get system status


execute vpn certificates ca

Use this command to import a CA certificate from a TFTP server to the FortiGate unit, or to download a CA certificate from the FortiGate unit to a TFTP server.

Before using this command you must obtain a CA certificate issued by a CA.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The CA certificate is the certificate that the FortiGate unit uses to validate digital certificates received from other devices.

Syntax description

download <name_str> <tftp_ip>
    Copy the CA certificate from the FortiGate unit to a TFTP server.
    Default: No default. Availability: All models. NAT/Route mode only.

import <name_str> <tftp_ip>
    Import the CA certificate from a TFTP server to the FortiGate unit.
    Default: No default. Availability: All models. NAT/Route mode only.

Examples

Use the following command to import the CA certificate named trust_ca to the FortiGate unit from a TFTP server with the address 192.168.21.54:

execute vpn certificates ca import trust_ca 192.168.21.54

Related commands
• execute vpn certificates local
• get vpn certificates
• unset vpn certificates

Note: The CA certificate must adhere to the X.509 standard.

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.


execute vpn certificates local

Use this command to generate a local certificate, to download a local certificate from the FortiGate unit to a TFTP server, and to import a local certificate from a TFTP server to the FortiGate unit.

Digital certificates are used to ensure that both participants in an IPSec communications session are trustworthy, prior to an encrypted VPN tunnel being set up between the participants. The local certificate is the certificate that the FortiGate unit uses to authenticate itself to other devices.

When you generate the certificate request, you create a private and public key pair for the local FortiGate unit. The public key accompanies the certificate request. The private key remains confidential.

To obtain a signed local certificate:

1 Download the certificate request.
2 Submit the certificate request to the CA.
3 Retrieve the signed certificate from the CA.
4 Import the signed certificate.

Note: VPN peers must use digital certificates that adhere to the X.509 standard.

Note: Digital certificates are not required for configuring FortiGate VPNs. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Syntax description

download <certificate-name_str> <file-name_str> <tftp_ip>
    Download the local certificate from the FortiGate unit to a TFTP server.
    Default: No default. Availability: All models. NAT/Route mode only.

generate <name_str>
    Generate the local certificate. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
    Default: No default. Availability: All models. NAT/Route mode only.

import <name_str> <tftp_ip>
    Import the local certificate from a TFTP server to the FortiGate unit.
    Default: No default. Availability: All models. NAT/Route mode only.

Keywords for generate

city <name_str>
    Enter the name of the city, or town, where the person or organization certifying the FortiGate unit resides.
    Default: No default. Availability: All models. Optional. NAT/Route mode only.

country <code_str>
    Enter the two-character country code. Enter execute vpn certificates local generate <name_str> country followed by a ? for a list of country codes. The country code is case sensitive. Enter null if you do not want to specify a country.
    Default: No default. Availability: All models. Optional. NAT/Route mode only.


email <address_str>
    Enter a contact e-mail address for the FortiGate unit.
    Default: No default. Availability: All models. Optional. NAT/Route mode only.

keysize {1024 | 1536 | 2048}
    Select one of 1024 bit, 1536 bit or 2048 bit. If you do not specify a keysize, the default keysize will be used. Larger keys are slower to generate but more secure.
    Default: 1024. Availability: All models. Optional. NAT/Route mode only.

org <organization-name_str>
    Enter the name of the organization that is requesting the certificate for the FortiGate unit.
    Default: No default. Availability: All models. Optional. NAT/Route mode only.

state <name_str>
    Enter the name of the state or province where the FortiGate unit is located.
    Default: No default. Availability: All models. Optional. NAT/Route mode only.

subject {<host_ip> | <domain-name_str> | <email-addr_str>}
    The subject information identifies the FortiGate unit being certified. Preferably use an IP address or domain name. If this is impossible (such as with a dialup client), use an e-mail address.
    For host_ip, enter the IP address of the FortiGate unit.
    For domain-name_str, enter the fully qualified domain name of the FortiGate unit.
    For email-addr_str, enter an email address that identifies the FortiGate unit.
    If you specify a host IP or domain name, use the IP address or domain name associated with the interface on which IKE negotiations will take place (for example, the external interface of the local FortiGate unit). If the IP address in the certificate does not match the IP address of the local interface (or if the domain name in the certificate does not match a DNS query of the FortiGate unit’s IP), then some implementations of IKE may reject the connection. Enforcement of this rule varies for different IPSec products.
    Default: No default. Availability: All models. Required. NAT/Route mode only.

unit <name_str>
    Enter a name that identifies the department or unit within the organization that is requesting the certificate for the FortiGate unit.
    Default: No default. Availability: All models. Optional. NAT/Route mode only.

Examples

Use the following command to generate a local certificate request with the name branch_cert, the domain name www.example.com and a keysize of 1536:

execute vpn certificates local generate branch_cert subject www.example.com keysize 1536

Use the following command to download the local certificate request generated in the above example from the FortiGate unit to a TFTP server. The example uses the filename testcert for the downloaded file and the TFTP server address 192.168.21.54.

execute vpn certificates local download branch_cert testcert 192.168.21.54


Use the following command to import the signed local certificate named branch_cert to the FortiGate unit from a TFTP server with the address 192.168.21.54:

execute vpn certificates local import branch_cert 192.168.21.54

Related commands
• execute vpn certificates ca
• get vpn certificates
• unset vpn certificates


FortiGate maximum values matrix

Table 4: FortiGate maximum values matrix

FortiGate model       50        60        100       200       300       400       500       1000      2000      3000      3600
Policy                200       500       1000      2000      5000      5000      20000     50000     50000     50000     50000
Address               500       500       500       500       3000      3000      6000      10000     10000     10000     10000
Address group         500       500       500       500       500       500       500       500       500       500       500
Service               500       500       500       500       500       500       500       500       500       500       500
Service group         500       500       500       500       500       500       500       500       500       500       500
Recurring schedule    256       256       256       256       256       256       256       256       256       256       256
Onetime schedule      256       256       256       256       256       256       256       256       256       256       256
User                  20        500       1000      1000      1000      1000      1000      1000      1000      1000      1000
User group            100       100       100       100       100       100       100       100       100       100       100
Group members         300       300       300       300       300       300       300       300       300       300       300
Virtual IPs           500       500       500       500       500       500       500       500       500       500       500
IP/MAC binding        50        100       1000      1000      2000      2000      2000      5000      5000      5000      5000
Route                 500       500       500       500       500       500       500       500       500       500       500
Policy route gateway  500       500       500       500       500       500       500       500       500       500       500
Admin user            500       500       500       500       500       500       500       500       500       500       500
IPsec Phase 1         20        50        80        200       1500      1500      3000      5000      5000      5000      5000
VPN concentrator      500       500       500       500       500       500       500       500       500       500       500
VLAN subinterface     N/A       N/A       N/A       N/A       N/A       1024*     1024*     2048*     2048*     8192*     8192*
Zone                  N/A       N/A       N/A       N/A       N/A       100       100       200       200       300       500
IP pool               50        50        50        50        50        50        50        50        50        50        50
RADIUS server         6         6         6         6         6         6         6         6         6         6         6
File pattern          56        56        56        56        56        56        56        56        56        56        56
PPTP user             500       500       500       500       500       500       500       500       500       500       500
L2TP user             500       500       500       500       500       500       500       500       500       500       500
URL block             no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit
Content block         no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit
Exempt URL            no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit  no limit


Index

A
access levels
  administrator 13
administrator
  access levels 13
autoupdate
  tunnelling 80

B
backup
  config 224
  NIDS user defined signature 224
baudrate
  console 41

C
CLI
  basics 17
  command structure 17
  connecting to 13
  reverting the firmware 22
command
  conventions 10
  editing 18
  help 18
  recalling 18
  shortcuts 18
command branch
  navigating 17
command line console 20
command structure 17
configuration
  displaying 19
configuration file
  editing 19
connecting
  to the CLI using SSH 15
  to the CLI using telnet 16
  to the console 14
connecting to the CLI 13
console 20
  baudrate 41
conventions 10
customer service 12

D
diagnose commands 20
displaying the configuration 19
DNS translation 48

E
editing commands 18
execute backup 224
execute commands 223
execute factoryreset 225
execute formatlogdisk 226
execute ha manage 227
execute ha synchronize 228
execute ping 229
execute ping-option 230
execute reboot 231
execute reload 232
execute restore 233
execute save config 234
execute shutdown 235
execute traceroute 236
execute updatecenter updatenow 237
execute vpn certificates ca 238
execute vpn certificates local 239

F
firmware
  backup image 28
  changing 21
  installing 23
  re-installing current version 23
  reverting to an older version 23
  reverting using the CLI 22
  switching to backup image 29
  testing 26
  upgrading 21
  upgrading to a new version 21
FortiGate product feature matrix 243
Fortinet customer service 12
ftp splice 40


G
get alertemail configuration 170
get alertemail setting 171
get antivirus filepattern 172
get antivirus quarantine list 173
get antivirus quarantine settings 174
get antivirus service 175
get commands 169
get config 176
get console 177
get emailfilter 178
get firewall address 179
get firewall addrgrp 180
get firewall dnstranslation 181
get firewall ipmacbinding 182
get firewall ippool 183
get firewall policy 185
get firewall profile 184
get firewall schedule 186
get firewall service 187
get firewall vip 188
get log elog 189
get log logsetting 190
get log policy 191
get log trafficfilter 192
get nids detection 193
get nids prevention 194
get nids rule 195
get system admin 196
get system autoupdate 197
get system dhcpserver 198
get system dns 199
get system ha 200
get system interface 201
get system mainregpage 202
get system management 203
get system objver 204
get system option 205
get system performance 206
get system route policy 207
get system route rip 208
get system route table 209
get system serialno 210
get system sessionttl 211
get system snmp 212
get system status 213
get system time 214
get system vlan 215
get system zone 216
get user 217
get vpn certificates 218
get vpn ipsec 219
get vpn l2tp range 220
get vpn pptp range 221
get webfilter 222

H
help
  command 18

N
navigating
  command branches 17
NIDS user defined signature
  backup 224
  restore 233

P
phase2
  wildcardid 131
port forwarding
  virtual IP 64
proxy server
  autoupdate tunnelling 80

R
recalling commands 18
restore
  image 233
  NIDS user defined signature 233
reverting
  firmware to an older version 23
  firmware using the CLI 22

S
set alertemail configuration 34
set alertemail setting 35
set antivirus filepattern 36
set antivirus quarantine 37
set antivirus service 39
set commands 33
set console 20, 41
set emailfilter bannedword 42
set emailfilter blocklist 43
set emailfilter config 44
set emailfilter exemptlist 45
set firewall address 46
set firewall addrgrp 47
set firewall dnstranslation 48
set firewall ipmacbinding setting 49
set firewall ipmacbinding table 50
set firewall ippool 51
set firewall onetimeschedule 52
set firewall policy 53
set firewall profile 57
set firewall recurringschedule 61
set firewall service custom 62
set firewall service group 63
set firewall vip 64
set log policy 66


set log setting 68
set log trafficfilter rule 70
set log trafficfilter setting 71
set nids detection 72
set nids prevention 73
set nids rule 77
set system admin 78
set system autoupdate 79
set system brctl 81
set system dhcpserver 82
set system dns 84
set system ha 85
set system hostname 88
set system interface 89
set system mainregpage 93
set system management 94
set system opmode 95
set system option 96
set system route number 97
set system route policy 99
set system route rip 101
set system route rip filter 103
set system route rip interface 106
set system route rip neighbor 108
set system route rip timers 109
set system session_ttl 110
set system snmp 111
set system time 113
set system vlan 114
set system zone 115
set user group 116
set user ldap 117
set user local 119
set user radius 121
set vpn ipsec concentrator 122
set vpn ipsec manualkey 123
set vpn ipsec phase1 125
set vpn ipsec phase2 130
set vpn l2tp 133
set vpn pptp 134
set webfilter cerberian 135
set webfilter content 136
set webfilter exempturl 137
set webfilter script 138
set webfilter url 139
shortcuts
  command 18
smtp splice 40
splice 40
  ftp 40
  smtp 40
SSH
  connecting to the CLI 15

T
technical support 12
telnet
  connecting to the CLI 16
tunnelling 80

U
unset commands 141
unset firewall address 142
unset firewall addrgrp 143
unset firewall ipmacbinding 144
unset firewall ippool 145
unset firewall onetimeschedule 146
unset firewall policy 147
unset firewall profile 148
unset firewall recurringschedule 149
unset firewall service 150
unset firewall vip 151
unset log filter 152
unset system admin 153
unset system dhcpserver 154
unset system hostname 155
unset system route number 156
unset system route policy 157
unset system secondip 158
unset system sessionttl 159
unset system vlan 160
unset system zone 161
unset user group 162
unset user ldap 163
unset user local 164
unset user radius 165
unset vpn certificates 166
unset vpn ipsec 167
upgrade
  firmware 21
upgrading
  firmware 21

V
virtual IP
  port forwarding 64

W
wildcardid 131
