REFERENCE FortiGate CLI Version 3.0 MR6

Preliminary version: This version of the FortiGate CLI Reference was completed shortly before the FortiOS v3.0 MR6 GA release. Consult the most recent FortiOS 3.0 MR6 release notes and the Upgrade Guide for FortiOS v3.0 MR6 for up-to-date information about all new MR6 features. Fortinet Tech Docs will publish an updated version of the FortiGate CLI Reference before the end of March 2008. Contact [email protected] if you have any questions or comments about this preliminary version of the FortiGate CLI Reference.

Note: This version of the FortiGate CLI Reference also contains CLI commands for FortiOS Carrier 3.0 MR3.
Visit http://support.fortinet.com to register your FortiGate CLI product. By registering you can receive product updates, technical support, and FortiGuard services.
www.fortinet.com
FortiGate CLI Reference Version 3.0 MR6 5 February 2008 01-30006-0015-20080205 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard Antispam, FortiGuard Antivirus, FortiGuard Intrusion Prevention, FortiGuard Web Filtering, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

Introduction  15
  About the FortiGate Unified Threat Management System  15
  About this document  15
  FortiGate documentation  16
  Related documentation  18
    FortiManager documentation  18
    FortiClient documentation  18
    FortiMail documentation  18
    FortiAnalyzer documentation  18
    Fortinet Tools and Documentation CD  19
    Fortinet Knowledge Center  19
    Comments on Fortinet technical documentation  19
  Customer service and technical support  19
  Register your Fortinet product  19

What’s new  21

Using the CLI  27
  CLI command syntax  27
  Administrator access  28
  Connecting to the CLI  30
    Connecting to the FortiGate console  30
    Setting administrative access on an interface  31
    Connecting to the FortiGate CLI using SSH  31
    Connecting to the FortiGate CLI using Telnet  32
    Connecting to the FortiGate CLI using the web-based manager  32
  CLI objects  33
  CLI command branches  33
    config branch  34
    get branch  36
    show branch  38
    execute branch  39
    diagnose branch  39
    Example command sequences  39
  CLI basics  43
    Command help  43
    Command completion  43
    Recalling commands  44
    Editing commands  44
    Line continuation  44
    Command abbreviation  44
FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
    Environment variables  44
    Encrypted password support  45
    Entering spaces in strings  45
    Entering quotation marks in strings  45
    Entering a question mark (?) in a string  45
    International characters  46
    Special characters  46
    IP address formats  46
    Editing the configuration file  46
    Setting screen paging  47
    Changing the baud rate  47
    Using Perl regular expressions  48

Working with virtual domains  51
  Enabling virtual domain configuration  51
  Accessing commands in virtual domain configuration  51
  Creating and configuring VDOMs  52
    Creating a VDOM  52
    Assigning interfaces to a VDOM  52
    Setting VDOM operating mode  52
    Changing back to NAT/Route mode  53
  Configuring inter-VDOM routing  53
  Changing the management VDOM  54
  Creating VDOM administrators  54
  Troubleshooting ARP traffic on VDOMs  55
    Duplicate ARP packets  55
    Multiple VDOMs solution  55
    Forward-domain solution  55
  global  57
  vdom  60

alertemail  63
  setting  64

antivirus  69
  filepattern  70
  grayware  72
  heuristic  74
  quarantine  75
  quarfilepattern  78
  service  79
firewall  81
  address, address6  82
  addrgrp, addrgrp6  84
  dnstranslation  85
  gtp (FortiOS Carrier)  87
  ipmacbinding setting  95
  ipmacbinding table  97
  ippool  99
  ldb-monitor  100
  multicast-policy  102
  policy, policy6  104
  profile  114
  schedule onetime  149
  schedule recurring  150
  service custom  152
  service group  154
  vip  155
  vipgrp  164

gui  165
  console  166
  topology  167

imp2p  169
  aim-user  170
  icq-user  171
  msn-user  172
  old-version  173
  policy  174
  yahoo-user  175

ips  177
  DoS  178
  custom  181
  decoder  182
  global  183
  rule  185
  sensor  186
log  189
  custom-field  190
  {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter  191
  disk setting  196
  fortianalyzer setting  199
  fortiguard setting  201
  memory setting  202
  memory global setting  203
  report customization  204
  report definition  205
  report filter  206
  report output  207
  report period  209
  report schedule  210
  report scope  211
  report selection  213
  report summary-layout  214
  syslogd setting  216
  trafficfilter  218
    config rule  218
  webtrends setting  220

notification (FortiOS Carrier)  221
  notification  222

router  223
  access-list  224
  aspath-list  226
  auth-path  228
  bgp  229
    config router bgp  231
    config admin-distance  234
    config aggregate-address  235
    config neighbor  235
    config network  239
    config redistribute  240
  community-list  242
  key-chain  245
  multicast  247
    Sparse mode  247
    Dense mode  248
    Syntax  248
    config router multicast  249
    config interface  251
    config pim-sm-global  253
  ospf  257
    Syntax  257
    config router ospf  259
    config area  261
    config distribute-list  265
    config neighbor  266
    config network  266
    config ospf-interface  267
    config redistribute  269
    config summary-address  270
  policy  272
  prefix-list  275
  rip  278
    config router rip  279
    config distance  280
    config distribute-list  281
    config interface  281
    config neighbor  283
    config network  283
    config offset-list  284
    config redistribute  284
  route-map  286
    Using route maps with BGP  288
  static  292
  static6  294

spamfilter  295
  bword  296
  emailbwl  299
  fortishield  301
  ipbwl  303
  iptrust  305
  mheader  306
  options  308
  DNSBL  309
system  311
  accprofile  312
  admin  316
  alertemail  321
  arp-table  322
  auto-install  323
  autoupdate clientoverride  324
  autoupdate override  325
  autoupdate push-update  326
  autoupdate schedule  328
  autoupdate tunneling  330
  aux  332
  bug-report  333
  console  334
  dhcp reserved-address  335
  dhcp server  336
  dns  339
  fortianalyzer, fortianalyzer2, fortianalyzer3  340
  fortiguard  342
  fortiguard-log  346
  fortimanager  347
  gi-gk (FortiOS Carrier)  349
  global  350
  gre-tunnel  358
  ha  360
  interface  373
  ipv6-tunnel  389
  mac-address-table  390
  management-tunnel  391
  modem  393
  npu  396
  proxy-arp  397
  replacemsg admin  398
  replacemsg alertmail  399
  replacemsg auth  401
  replacemsg fortiguard-wf  404
  replacemsg ftp  406
  replacemsg http  408
  replacemsg im  410
  replacemsg mail  412
  replacemsg mm1 (FortiOS Carrier)  414
  replacemsg mm3 (FortiOS Carrier)  417
  replacemsg mm4 (FortiOS Carrier)  419
  replacemsg mm7 (FortiOS Carrier)  421
  replacemsg nntp  424
  replacemsg spam  426
  replacemsg sslvpn  428
  replacemsg-group (FortiOS Carrier)  429
  replacemsg-image (FortiOS Carrier)  432
  session-helper  433
  session-sync  434
    Notes and limitations  435
    Configuring session synchronization  435
    Configuring the session synchronization link  436
  session-ttl  439
  settings  440
  snmp community  443
  snmp sysinfo  446
  switch-interface  447
  tos-based-priority  448
  vdom-link  449
  wireless mac-filter  451
  wireless settings  452
  zone  455

user  457
  Configuring users for authentication  458
    Configuring users for password authentication  458
    Configuring peers for certificate authentication  458
  adgrp  459
  dynamic-profile (FortiOS Carrier)  460
  msisdn-bwl (FortiOS Carrier)  462
  msisdn-ip-filter (FortiOS Carrier)  464
  msisdn-translation (FortiOS Carrier)  465
  fsae  467
  group  469
  ldap  473
  local  476
  peer  478
  peergrp  480
  radius  481
  settings  483
  tacacs+  484

vpn  487
  certificate ca  488
  certificate crl  489
  certificate local  491
  certificate ocsp  492
  certificate remote  493
  ipsec concentrator  494
  ipsec forticlient  495
  ipsec manualkey  496
  ipsec manualkey-interface  499
  ipsec phase1  502
  ipsec phase1-interface  510
  ipsec phase2  519
  ipsec phase2-interface  526
  l2tp  533
  pptp  535
  ssl monitor  537
  ssl settings  538
  ssl web bookmarks  541
  ssl web bookmarks-group  543
  ssl web favorite  544
webfilter ........................................................................................... 547 bword............................................................................................................... 548 exmword.......................................................................................................... 550 fortiguard......................................................................................................... 552 FortiGuard-Web category blocking ............................................................ 552 ftgd-local-cat ................................................................................................... 555
10
FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
Contents
ftgd-local-rating .............................................................................................. 556 ftgd-ovrd .......................................................................................................... 557 urlfilter ............................................................................................................. 559
execute............................................................................................. 561 backup ............................................................................................................. 562 batch ................................................................................................................ 564 central-mgmt ................................................................................................... 565 cfg reload......................................................................................................... 566 cfg save ........................................................................................................... 567 clear system arp table .................................................................................... 568 cli status-msg-only ......................................................................................... 569 cli check-template-status............................................................................... 570 date .................................................................................................................. 571 deploy .............................................................................................................. 572 dhcp lease-clear.............................................................................................. 573 dhcp lease-list................................................................................................. 574 disconnect-admin-session ............................................................................ 575 factoryreset ..................................................................................................... 576 formatlogdisk .................................................................................................. 577 fortiguard-log update ..................................................................................... 
578 fsae refresh ..................................................................................................... 579 ha disconnect.................................................................................................. 580 ha manage ....................................................................................................... 581 ha synchronize................................................................................................ 583 interface dhcpclient-renew ............................................................................ 585 interface pppoe-reconnect............................................................................. 586 log delete-all.................................................................................................... 587 log delete-filtered............................................................................................ 588 log delete-rolled .............................................................................................. 589 log display ....................................................................................................... 590 log filter............................................................................................................ 591 log fortianalzyer test-connectivity ................................................................ 593 log list .............................................................................................................. 594 log roll.............................................................................................................. 595 modem dial...................................................................................................... 596 modem hangup ............................................................................................... 597 FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
11
Contents
mrouter clear................................................................................................... 598 ping .................................................................................................................. 599 ping-options.................................................................................................... 600 ping6 ................................................................................................................ 602 reboot .............................................................................................................. 603 restore ............................................................................................................. 604 router clear bgp .............................................................................................. 606 router clear bfd ............................................................................................... 607 router clear ospf process .............................................................................. 608 router restart ................................................................................................... 609 send-fds-statistics.......................................................................................... 610 set-next-reboot ............................................................................................... 611 shutdown......................................................................................................... 612 ssh ................................................................................................................... 613 telnet ................................................................................................................ 614 time .................................................................................................................. 
615 traceroute ........................................................................................................ 616 update-av......................................................................................................... 617 update-ips ....................................................................................................... 618 update-now ..................................................................................................... 619 upd-vd-license ................................................................................................ 620 usb-disk........................................................................................................... 621 vpn certificate ca ............................................................................................ 622 vpn certificate crl............................................................................................ 624 vpn certificate local ........................................................................................ 625 vpn certificate remote .................................................................................... 628 vpn sslvpn del-tunnel..................................................................................... 629 vpn sslvpn del-web ........................................................................................ 630
get..................................................................................................... 631 chassis status................................................................................................. 632 firewall service predefined ............................................................................ 635 gui console status .......................................................................................... 636 gui topology status ........................................................................................ 637 hardware status .............................................................................................. 638 ips decoder ..................................................................................................... 639 ips rule............................................................................................................. 640
12
FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
Contents
ipsec tunnel list............................................................................................... 641 router info bgp ................................................................................................ 642 router info bfd ................................................................................................. 644 router info multicast ....................................................................................... 645 router info ospf ............................................................................................... 647 router info protocols ...................................................................................... 649 router info rip .................................................................................................. 650 router info routing-table ................................................................................ 651 system admin list............................................................................................ 652 system admin status ...................................................................................... 653 system arp....................................................................................................... 654 system central-mgmt status .......................................................................... 655 system checksum........................................................................................... 656 system cmdb status ....................................................................................... 657 system dashboard .......................................................................................... 658 system fortianalyzer-connectivity................................................................. 659 system fortiguard-log-service status............................................................ 
660 system fortiguard-service status .................................................................. 661 system ha status............................................................................................. 662 About the HA cluster index and the execute ha manage command .......... 664 system info admin ssh ................................................................................... 668 system info admin status............................................................................... 669 system performance status ........................................................................... 670 system session list......................................................................................... 672 system session status ................................................................................... 673 system status.................................................................................................. 674
Index................................................................................................. 675
FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
13
Contents
14
FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
Introduction
This chapter introduces you to the FortiGate Unified Threat Management System and the following topics:
• About the FortiGate Unified Threat Management System
• About this document
• FortiGate documentation
• Related documentation
• Customer service and technical support
• Register your Fortinet product
About the FortiGate Unified Threat Management System
The FortiGate Unified Threat Management System supports network-based deployment of application-level services, including virus protection and full-scan content filtering. FortiGate units improve network security, reduce network misuse and abuse, and help you use communications resources more efficiently without compromising the performance of your network. The FortiGate unit is a dedicated, easily managed security device that delivers a full suite of capabilities that include:
• application-level services such as virus protection and content filtering,
• network-level services such as firewall, intrusion detection, VPN, and traffic shaping.
The FortiGate unit employs Fortinet’s Accelerated Behavior and Content Analysis System (ABACAS™) technology, which leverages breakthroughs in chip design, networking, security, and content analysis. The unique ASIC-based architecture analyzes content and behavior in real-time, enabling key applications to be deployed right at the network edge where they are most effective at protecting your networks. The FortiGate series complements existing solutions, such as host-based antivirus protection, and enables new applications and services while greatly lowering costs for equipment, administration, and maintenance.
About this document
This document describes how to use the FortiGate Command Line Interface (CLI). This document contains the following chapters:
• Using the CLI describes how to connect to and use the FortiGate CLI.
• Working with virtual domains describes how to create and administer multiple VDOMs. It also explains how enabling vdom-admin changes the way you work with the CLI.
• alertemail is an alphabetic reference to the commands used to configure alertemail.
• antivirus is an alphabetic reference to the commands used to configure antivirus features.
• firewall is an alphabetic reference to the commands used to configure firewall policies and settings.
• gui is an alphabetic reference to the commands used to set preferences for the web-based manager CLI console and topology viewer.
• imp2p is an alphabetic reference to the commands used to configure user access to Instant Messaging and Person-to-Person applications.
• ips is an alphabetic reference to the commands used to configure intrusion detection and prevention features.
• log is an alphabetic reference to the commands used to configure logging.
• notification (FortiOS Carrier) is an alphabetic reference to the commands used to configure FortiOS Carrier event notification.
• router is an alphabetic reference to the commands used to configure routing.
• spamfilter is an alphabetic reference to the commands used to configure spam filtering features.
• system is an alphabetic reference to the commands used to configure the FortiGate system settings.
• user is an alphabetic reference to the commands used to configure authorized user accounts and groups.
• vpn is an alphabetic reference to the commands used to configure FortiGate VPNs.
• webfilter is an alphabetic reference to the commands used to configure web content filtering.
• execute is an alphabetic reference to the execute commands, which provide some useful utilities such as ping and traceroute, and some commands used for maintenance tasks.
• get is an alphabetic reference to commands that retrieve status information about the FortiGate unit.
Note: Diagnose commands are also available from the FortiGate CLI. These commands are used to display system information and for debugging. Diagnose commands are intended for advanced users only, and they are not covered in this document. Contact Fortinet technical support before using these commands.
FortiGate documentation
Information about FortiGate products is available from the following guides:
• FortiGate QuickStart Guide
  Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
  Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide
  Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.
• FortiGate online help
  Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiGate CLI Reference
  Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
• FortiGate Log Message Reference
  Describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide
  Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.
• FortiGate IPS User Guide
  Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
  Provides step-by-step instructions for configuring IPSec VPNs using the web-based manager.
• FortiGate SSL VPN User Guide
  Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and describes how to configure web-only mode and tunnel-mode SSL VPN access for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
  Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management User Guide
  Contains procedures for managing digital certificates including generating certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.
• FortiGate VLANs and VDOMs User Guide
  Describes how to configure VLANs and VDOMs in both NAT/Route and Transparent mode. Includes detailed examples.
Related documentation
Additional information about Fortinet products is available from the following related documentation.

FortiManager documentation
• FortiManager QuickStart Guide
  Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
• FortiManager System Administration Guide
  Describes how to use the FortiManager System to manage FortiGate devices.
• FortiManager System online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the FortiManager Console as you work.

FortiClient documentation
• FortiClient Host Security User Guide
  Describes how to use FortiClient Host Security software to set up a VPN connection from your computer to remote networks, scan your computer for viruses, and restrict access to your computer and applications by setting up firewall policies.
• FortiClient Host Security online help
  Provides information and procedures for using and configuring the FortiClient software.

FortiMail documentation
• FortiMail Administration Guide
  Describes how to install, configure, and manage a FortiMail unit in gateway mode and server mode, including how to configure the unit; create profiles and policies; configure antispam and antivirus filters; create user accounts; and set up logging and reporting.
• FortiMail online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiMail Web Mail Online Help
  Describes how to use the FortiMail web-based email client, including how to send and receive email; how to add, import, and export addresses; and how to configure message display preferences.

FortiAnalyzer documentation
• FortiAnalyzer Administration Guide
  Describes how to install and configure a FortiAnalyzer unit to collect FortiGate and FortiMail log files. It also describes how to view FortiGate and FortiMail log files, generate and view log reports, and use the FortiAnalyzer unit as a NAS server.
• FortiAnalyzer online help
  Provides a searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
Fortinet Tools and Documentation CD
All Fortinet documentation is available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation visit the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to [email protected].

Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

Register your Fortinet product
Register your Fortinet product to receive Fortinet customer services such as product updates and technical support. You must also register your product for FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention updates and for FortiGuard Web Filtering and AntiSpam. Register your product by visiting http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased. You can register multiple Fortinet products in a single session without re-entering your contact information.
What’s new The table below lists commands which have changed since the previous release, MR5. Command
Change
config firewall ldb-monitor
New command. Configures health check settings which can be used when enabling health checks for load balanced real servers associated with a virtual IP.
config firewall policy, policy6 edit
set auth-path
New keyword. Enables authentication-based routing.
set auth-redirect-addr
New keyword. Specifies address used in URL when performing HTTP-to-HTTPS redirects for policy authentication.
set custom-log-fields
New keyword. Selects custom log fields to append to the policy’s log message.
set sslvpn-auth tacacs+
New SSL VPN client authentication option. Selects TACACS+ authentication method when the firewall policy action is set to ssl-vpn.
config firewall profile
Removed filetype option for all protocol variables (smtp, pop3, etc.). Instead, the block option is now used in conjunction with file-pat-table.
edit set aim block-long-chat
New option. Blocks oversize chat messages.
set ftgd-wf-options redir-block
New option redir-block. Blocks HTTP redirects.
set ftgd-wf-ovrd-group
Keyword removed.
set ftp scanextended
New option scanextended. Scans for viruses and worms using the extended database of virus definitions.
set http scanextended
New option scanextended. Scans for viruses and worms using the extended database of virus definitions.
set icq archive-full
Option archive-full renamed from content-full.
set icq archive-summary
Option archive-summary renamed from content-meta.
set ips-anomaly
Keyword removed. IPS sensors, formerly signatures, are now configured by selecting a sensor name.
set icq content-full
Option content-full renamed to archive-full.
set icq content-meta
Option content-meta renamed to archive-summary.
set ips-log
Keyword renamed to log-ips.
set ips-signature
Keyword removed. Denial of service (DoS) sensors, formerly anomalies, are no longer configured in protection profiles.
set ips-sensor
New keyword. Selects the IPS sensor name.
set ips-sensor-status
New keyword. Enables use of IPS sensors.
set log-ips
Keyword renamed from ips-log.
FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
21
What’s new
Command
Change
config firewall profile (continued) set msn archive-full
Option archive-full renamed from content-full.
set msn archive-summary
Option archive-summary renamed from content-meta.
set msn content-full
Option content-full renamed to archive-full.
set msn content-meta
Option content-meta renamed to archive-summary.
set yahoo archive-full
Option archive-full renamed from content-full.
set yahoo archive-summary
Option archive-summary renamed from content-meta.
set yahoo content-full
Option content-full renamed to archive-full.
set yahoo content-meta
Option content-meta renamed to archive-summary.
config firewall vip edit set http
New keyword. Enables multiplexing of port forwarded HTTP connections into a few connections to the destination.
set http-ip-header
New keyword. Preserves the original client’s IP address in the X-Forwarded-For HTTP header line when using HTTP multiplexing.
set max-embryonic-connections
New keyword. Specifies the maximum number of partially established SSL or HTTP connections when the virtual IP is performing HTTP multiplexing or SSL offloading.
set ssl
New keywords. These keywords configure SSL acceleration that offloads SSL operations from the destination to the FortiGate unit.
set ssl-certificate set ssl-client-session-state-max set ssl-client-session-state-timeout set ssl-client-session-state-type set ssl-dh-bits set ssl-http-location-conversion set ssl-http-match-host set ssl-max-version set ssl-min-version set ssl-send-empty-frags set ssl-server-session-state-max set ssl-server-session-state-timeout set ssl-server-session-state-type config realservers edit
22
set healthcheck
New keyword. Enables check of server responsiveness before forwarding traffic. You must also configure monitor.
set monitor
New keyword. Sets name(s) of healthcheck monitor settings to use.
FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
What’s new
Command
Change
config fortianalyzer
    Removed.
config global config system session-sync
    New command is global in scope.
execute vpn sslvpn del-tunnel
    Command is now per-VDOM.
execute vpn sslvpn del-web
    Command is now per-VDOM.
config ips anomaly
    Command renamed to config ips DoS and extensively revised.
config ips decoder
    New command. Modifies ports on which IPS expects particular traffic types.
config ips DoS
    Command renamed from config ips anomaly and extensively revised. Anomalies are now defined in DoS sensors.
config ips global set ip-protocol
    Keyword removed.
config ips group
    Command removed.
config ips rule
    New command. Displays IPS settings for each signature.
config ips sensor
    New command. Configures IPS sensors to detect attacks. IPS sensors are made up of filters that specify signature attributes and rules to override individual sensors.
config log custom-field
    New command. Customizes the log fields with a name and/or value that appears in log messages.
config log disk setting set full-first-warning threshold, set full-second-warning threshold, set full-final-warning threshold
    New keywords. Define percentage thresholds for warnings as the available disk space for logs fills up.
config log memory setting set diskfull overwrite
    The nolog and blocktraffic options are removed.
config log memory global setting
    New command. Configures percentage thresholds for warnings as memory allocated to logs fills up. Also configures the maximum number of lines in the memory buffer log.
config router auth-path
    New command. Configures authentication-based routing.
config system accprofile edit set
    New option: imp2pgrp.
config system admin edit set schedule
    New keyword. Selects the schedule that determines when an administrator can log in.
set radius-auth
    Keyword renamed to remote-auth.
set radius-group
    Keyword renamed to remote-group.
set remote-auth
    Keyword renamed from radius-auth.
set remote-group
    Keyword renamed from radius-group.
config dashboard
    New subcommand. Configures the web-based manager dashboard for this administrator.
config dhcp server set ipsec-lease-hold
    New keyword. Sets the time to wait before expiring a DHCP-over-IPSec lease after the IPSec tunnel goes down.
config system fm
    Command replaced by config system fortimanager.
config system fortimanager
    New command. Replaces config system fm. Configures central management on the FortiGate unit.
config system global set auth-secure-http
    Keyword moved to config user settings.
set auth-type
    Keyword moved to config user settings.
set authtimeout
    Keyword moved to config user settings.
set fds-statistics-period
    New keyword. Sets the number of minutes in the FDS report period when fds-statistics is enabled.
set local-anomaly
    Keyword removed.
config system interface edit set gateway_address
    Keyword renamed to gwaddr.
set gwaddr
    Keyword renamed from gateway_address.
set ha-priority
    New keyword. Sets the HA priority to assign to the ping servers configured on an interface when the interface is added to an HA remote IP monitoring configuration.
set l2tp-client
    Keyword removed.
set lcp-max-echo-failures
    Keyword renamed to lcp-max-echo-fail.
set lcp-max-echo-fail
    Keyword renamed from lcp-max-echo-failures.
set pptp-client
    New keyword. Enables the PPTP client on the interface.
set pptp-user
    New keyword. Sets the name of the PPTP user.
set pptp-password
    New keyword. Sets the password for the PPTP user.
set pptp-server-ip
    New keyword. Sets the IP address of the PPTP server.
set pptp-auth-type
    New keyword. Sets the authentication type for the PPTP user.
set pptp-timeout
    New keyword. Sets the PPTP idle timeout in minutes.
config l2tp-client
    Subcommand and all of its variables removed.
config system management-tunnel
    New command. Configures the remote management tunnel and the remote management actions permitted from either the FortiManager unit or the FortiGuard Management Service.
config system session-sync
    New command. Configures TCP session synchronization with another FortiGate unit.
config system settings set p2p-rate-limit
    New keyword. Sets whether the P2P bandwidth limit is per-profile or per-policy.
set sip-nat-trace
    New keyword. Enables recording the original IP address of the phone.
set status
    New keyword. Enables or disables this VDOM.
set utf8-spam-tagging
    New keyword. Enables conversion of spam tags to UTF-8 for better non-ASCII character support.
config system switch-interface
    New command. Groups interfaces as a virtual switch.
config user fsae edit set ldap_server
    New keyword. Sets the name of the LDAP server used to access Windows AD user and group information.
config user radius edit set auth-type
    New keyword. Sets the authentication type to CHAP, PAP, MS-CHAP, MS-CHAPv2 or Auto.
set radius-port
    New keyword. Changes the RADIUS port for this server.
config user settings
    New command. Replaces the system global keywords authtimeout, auth-type, and auth-secure-http.
config user tacacs+
    New command. Configures TACACS+ authentication.
config vpn certificate local edit set comments
    New keyword. Enters a descriptive comment about the certificate.
config vpn ipsec phase1-interface set default-gw
    New keyword. Configures a default route for this IPSec interface.
set default-gw-priority
    New keyword. Sets the priority of the default route defined with set default-gw.
config vpn ssl settings set auth-timeout
    You can set a value of 0 for no timeout.
set idle-timeout
    You can set a value of 0 for no timeout.
execute cli check-template-status
    New command. Reports the status of the SCP script template.
execute fortiguard-log delete
    Command removed.
execute log list
    Removed category ids.
execute log stats display
    Command removed.
execute log stats reset
    Command removed.
execute send-fds-statistics
    New command. Sends an FDS statistics report immediately.
firewall service predefined
    New command. Retrieves information about predefined services.
get ips anomaly status
    Command removed. Replaced by get ips rule status.
get ips custom status
    Command removed.
get ips decoder status
    New command.
get ips group status
    Command removed.
get ips rule status
    New command. Replaces get ips anomaly status.
get system session list
    Command now applies per-VDOM.
get system session status
    New command. Returns the number of active sessions in this VDOM. If VDOMs are not enabled, returns the number of active sessions on the FortiGate unit.
Using the CLI

This chapter explains how to connect to the CLI and describes the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings. This chapter describes:
• CLI command syntax
• Administrator access
• Connecting to the CLI
• CLI objects
• CLI command branches
• CLI basics
CLI command syntax

This guide uses the following conventions to describe command syntax.
• Angle brackets < > to indicate variables. For example, in execute restore config the file name is a variable; you enter: execute restore config myfile.bak
  The address variables used in this guide indicate a dotted decimal IPv4 address, a dotted decimal IPv4 netmask, a dotted decimal IPv4 address followed by a dotted decimal IPv4 netmask, an IPv6 address, an IPv6 netmask, and an IPv6 address followed by an IPv6 netmask.
• Vertical bar and curly brackets {|} to separate alternative, mutually exclusive required keywords. For example: set opmode {nat | transparent}
  You can enter set opmode nat or set opmode transparent.
• Square brackets [ ] to indicate that a keyword or variable is optional. For example: show system interface []
  To show the settings for all interfaces, you can enter show system interface. To show the settings for the internal interface, you can enter show system interface internal.
• A space to separate options that can be entered in any combination and must be separated by spaces. For example: set allowaccess {ping https ssh snmp http telnet}
  You can enter any of the following:
  set allowaccess ping
  set allowaccess ping https ssh
  set allowaccess https ping
  set allowaccess ssh snmp
  In most cases, to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.
Administrator access

The access profile you are assigned in your administrator account controls which CLI commands you can access. You need read access to view configurations and write access to make changes. Access control in access profiles is divided into groups, as follows:

Table 1: Access profile control of access to CLI commands
Access control group: Available CLI commands
Admin Users (admingrp): system admin, system accprofile
Antivirus Configuration (avgrp): antivirus
Auth Users (authgrp): user
Firewall Configuration (fwgrp): firewall
FortiProtect Update (updategrp): system autoupdate, execute update-av, execute update-ips, execute update-now
IM, P2P & VoIP Configuration (imp2pgrp): imp2p
IPS Configuration (ipsgrp): ips
Log & Report (loggrp): alertemail, log, system fortianalyzer, execute log
Maintenance (mntgrp): execute backup, execute batch, execute formatlogdisk, execute restore, execute usb-disk
Network Configuration (netgrp): system arp-table, system dhcp, system interface, system zone, execute clear system arp table, execute dhcp lease-clear, execute dhcp lease-list, execute interface
Router Configuration (routegrp): router, execute mrouter, execute router
Spamfilter Configuration (spamgrp): spamfilter
System Configuration (sysgrp): system (except accprofile, admin, arp-table, autoupdate, fortianalyzer, interface and zone), execute cfg, execute date, execute deploy, execute disconnect-admin-session, execute factoryreset, execute ha, execute ping, execute ping6, execute ping-options, execute reboot, execute set-next-reboot, execute shutdown, execute ssh, execute telnet, execute time, execute traceroute
VPN Configuration (vpngrp): vpn, execute vpn
Webfilter Configuration (webgrp): webfilter
Connecting to the CLI

You can use a direct console connection, SSH, Telnet or the web-based manager to connect to the FortiGate CLI.
• Connecting to the FortiGate console
• Setting administrative access on an interface
• Connecting to the FortiGate CLI using SSH
• Connecting to the FortiGate CLI using Telnet
• Connecting to the FortiGate CLI using the web-based manager
Connecting to the FortiGate console

Only the admin administrator or a regular administrator of the root domain can log in by connecting to the console interface. You need:
• a computer with an available communications port
• a null modem cable, provided with your FortiGate unit, to connect the FortiGate console port and a communications port on your computer
• terminal emulation software such as HyperTerminal for Windows

Note: The following procedure describes how to connect to the FortiGate CLI using Windows HyperTerminal software. You can use any terminal emulation program.

To connect to the CLI
1 Connect the FortiGate console port to the available communications port on your computer.
2 Make sure the FortiGate unit is powered on.
3 Start HyperTerminal, enter a name for the connection, and select OK.
4 Configure HyperTerminal to connect directly to the communications port on the computer to which you have connected the FortiGate console port.
5 Select OK.
6 Select the following port settings and select OK.
  Bits per second: 9600 (115200 for the FortiGate-300)
  Data bits: 8
  Parity: None
  Stop bits: 1
  Flow control: None
7 Press Enter to connect to the FortiGate CLI. A prompt similar to the following appears (shown for the FortiGate-300):
  FortiGate-300 login:
8 Type a valid administrator name and press Enter.
9 Type the password for this administrator and press Enter. The following prompt appears:
  Welcome!
  You have connected to the FortiGate CLI, and you can enter CLI commands.
Setting administrative access on an interface

To perform administrative functions through a FortiGate network interface, you must enable the required types of administrative access on the interface to which your management computer connects. Access to the CLI requires SSH or Telnet access. If you want to use the web-based manager, you need HTTPS or HTTP access.

To use the web-based manager to configure FortiGate interfaces for SSH or Telnet access, see the FortiGate Administration Guide.

To use the CLI to configure SSH or Telnet access
1 Connect and log into the CLI using the FortiGate console port and your terminal emulation software.
2 Use the following command to configure an interface to accept SSH connections:
  config system interface
    edit
      set allowaccess
  end
  where the edit variable is the name of the FortiGate interface to be configured to allow administrative access and the allowaccess variable is a whitespace-separated list of access types to enable. For example, to configure the internal interface to accept HTTPS (web-based manager), SSH and Telnet connections, enter:
  config system interface
    edit internal
      set allowaccess https ssh telnet
  end
  Note: Remember to press Enter at the end of each line in the command example. Also, type end and press Enter to commit the changes to the FortiGate configuration.
3 To confirm that you have configured SSH or Telnet access correctly, enter the following command to view the access settings for the interface:
  get system interface
  The CLI displays the settings, including allowaccess, for the named interface.

Other access methods

The procedure above shows how to allow access only for Telnet or only for SSH. If you want to allow both, or any of the other management access types, you must include all the options you want to apply. For example, to allow PING, HTTPS and SSH access to an interface, the set portion of the command is set allowaccess ping https ssh.
Connecting to the FortiGate CLI using SSH

Secure Shell (SSH) provides strong secure authentication and secure communications to the FortiGate CLI from your internal network or the Internet. Once the FortiGate unit is configured to accept SSH connections, you can run an SSH client on your management computer and use this client to connect to the FortiGate CLI.
Note: A maximum of 5 SSH connections can be open at the same time.

To connect to the CLI using SSH
1 Install and start an SSH client.
2 Connect to a FortiGate interface that is configured for SSH connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter. The FortiGate model name followed by a # is displayed. You have connected to the FortiGate CLI, and you can enter CLI commands.
Connecting to the FortiGate CLI using Telnet

You can use Telnet to connect to the FortiGate CLI from your internal network or the Internet. Once the FortiGate unit is configured to accept Telnet connections, you can run a Telnet client on your management computer and use this client to connect to the FortiGate CLI.

Caution: Telnet is not a secure access method. SSH should be used to access the FortiGate CLI from the Internet or any other unprotected network.

Note: A maximum of 5 Telnet connections can be open at the same time.

To connect to the CLI using Telnet
1 Install and start a Telnet client.
2 Connect to a FortiGate interface that is configured for Telnet connections.
3 Type a valid administrator name and press Enter.
4 Type the password for this administrator and press Enter. The following prompt appears:
  Welcome!
  You have connected to the FortiGate CLI, and you can enter CLI commands.
Connecting to the FortiGate CLI using the web-based manager

The web-based manager also provides a CLI console that can be detached as a separate window.

To connect to the CLI using the web-based manager
1 Connect to the web-based manager and log in. For information about how to do this, see the FortiGate Administration Guide.
2 Go to System > Status.
3 If you do not see the CLI Console display, select Add Content > CLI Console.
4 Click in the CLI Console display to connect.
CLI objects

The FortiGate CLI is based on configurable objects. The top-level objects are the basic components of FortiGate functionality.

Table 2: CLI objects
alertemail: sends email to designated recipients when it detects log messages of a defined severity level
antivirus: scans services for viruses and grayware, optionally providing quarantine of infected files
firewall: controls connections between interfaces according to policies based on IP addresses and type of service, and applies protection profiles
gui: controls preferences for the web-based manager CLI console and topology viewer
imp2p: controls user access to Instant Messaging and Peer-to-Peer (IM and P2P) applications
ips: intrusion prevention system
log: configures logging
notification: configures event notification in FortiOS Carrier
router: moves packets from one network segment to another towards a network destination, based on packet headers
spamfilter: filters email based on MIME headers, a banned word list, and lists of banned email and IP addresses
system: configures options related to the overall operation of the FortiGate unit, such as interfaces, virtual domains, and administrators
user: authenticates users to use firewall policies or VPNs
vpn: provides Virtual Private Network access through the FortiGate unit
webfilter: blocks or passes web traffic based on a banned word list, URL filters, and FortiGuard-Web category filtering

There is a chapter in this manual for each of these top-level objects. Each of these objects contains more specific lower level objects. For example, the firewall object contains objects for addresses, address groups, policies and protection profiles.
CLI command branches

The FortiGate CLI consists of the following command branches:
• config branch
• get branch
• show branch
• execute branch
• diagnose branch
Examples showing how to enter command sequences within each branch are provided in the following sections. See also “Example command sequences” on page 39.
config branch

The config commands configure CLI objects, such as the firewall, the router, antivirus protection, and so on. For more information about CLI objects, see “CLI objects” on page 33.

Top-level objects are containers for more specific lower level objects that are each in the form of a table. For example, the firewall object contains tables of addresses, address groups, policies and protection profiles. You can add, delete or edit the entries in the table. Table entries consist of keywords that you can set to particular values.

To configure an object, you use the config command to navigate to the object’s command “shell”. For example, to configure administrators, you enter the command
config system admin
The command prompt changes to show that you are now in the admin shell.
(admin)#
This is a table shell. You can use any of the following commands:

delete
    Remove an entry from the FortiGate configuration. For example, in the config system admin shell, type delete newadmin and press Enter to delete the administrator account named newadmin.
edit
    Add an entry to the FortiGate configuration or edit an existing entry. For example, in the config system admin shell:
    • type edit admin and press Enter to edit the settings for the default admin administrator account.
    • type edit newadmin and press Enter to create a new administrator account with the name newadmin and to edit the default settings for the new administrator account.
end
    Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. You return to the root FortiGate CLI prompt. The end command is also used to save set command changes and leave the shell.
get
    List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.
move
    Change the position of an entry in an ordered table. For example, in the config firewall policy shell:
    • type move 3 after 1 and press Enter to move the policy in the third position in the table to the second position in the table.
    • type move 3 before 1 and press Enter to move the policy in the third position in the table to the first position in the table.
purge
    Remove all entries configured in the current shell. For example, in the config user local shell:
    • type get to see the list of user names added to the FortiGate configuration,
    • type purge and then y to confirm that you want to purge all the user names,
    • type get again to confirm that no user names are displayed.
rename
    Rename a table entry. For example, in the config system admin shell, you could rename “admin3” to “fwadmin” like this: rename admin3 to fwadmin
show
    Show changes to the default configuration in the form of configuration commands.
If you enter the get command, you see a list of the entries in the table of administrators. To add a new administrator, you enter the edit command with a new administrator name:
edit admin_1
The FortiGate unit acknowledges the new table entry and changes the command prompt to show that you are now editing the new entry:
new entry 'admin_1' added
(admin_1)#
From this prompt, you can use any of the following commands:

abort
    Exit an edit shell without saving the configuration.
config
    In a few cases, there are subcommands that you access using a second config command while editing a table entry. An example of this is the command to add a secondary IP address to a network interface. See the example “To add two secondary IP addresses to the internal interface” on page 40.
end
    Save the changes you have made in the current shell and leave the shell. Every config command must be paired with an end command. The end command is also used to save set command changes and leave the shell.
get
    List the configuration. In a table shell, get lists the table members. In an edit shell, get lists the keywords and their values.
next
    Save the changes you have made in the current shell and continue working in the shell. For example, if you want to add several new user accounts, enter the config user local shell.
    • Type edit User1 and press Enter.
    • Use the set commands to configure the values for the new user account.
    • Type next to save the configuration for User1 without leaving the config user local shell.
    • Continue using the edit, set, and next commands to continue adding user accounts.
    • Type end and press Enter to save the last configuration and leave the shell.
set
    Assign values. For example, from the edit admin command shell, typing set password newpass changes the password of the admin administrator account to newpass.
    Note: When using a set command to make changes to lists that contain options separated by spaces, you need to retype the whole list, including all the options you want to apply and excluding all the options you want to remove.
show
    Show changes to the default configuration in the form of configuration commands.
unset
    Reset values to defaults. For example, from the edit admin command shell, typing unset password resets the password of the admin administrator account to the default of no password.

The config branch is organized into configuration shells. You can complete and save the configuration within each shell for that shell, or you can leave the shell without saving the configuration. You can only use the configuration commands for the shell that you are working in. To use the configuration commands for another shell, you must leave the shell you are working in and enter the other shell.
get branch

Use get to display system status information. For information about these commands, see “get” on page 631. You can also use get within a config shell to display the settings for that shell, or you can use get with a full path to display the settings for a particular object. To use get from the root prompt, you must include a path to a shell. The root prompt is the FortiGate host name followed by a #.

Example
The command get hardware status provides information about various physical components of the FortiGate unit.
# get hardware status
Model name: Fortigate-300
ASIC version: CP
SRAM: 64M
CPU: Pentium III (Coppermine)
RAM: 250 MB
Compact Flash: 122 MB /dev/hda
Hard disk: 38154 MB /dev/hdc
Network Card chipset: Intel(R) 8255x-based Ethernet Adapter (rev.0x0009)

Note: Interface names vary for different FortiGate models. The following examples use the interface names for a FortiGate-300 unit.

Example
When you type get in the config system interface shell, information about all of the interfaces is displayed. At the (interface)# prompt, type:
get
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
== [ external ]
name: external mode: static ip: 192.168.100.99 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
...
Example
When you type get in the internal interface shell, the configuration values for the internal interface are displayed. Enter the shell with:
edit internal
At the (internal)# prompt, type:
get
The screen displays:
name            : internal
allowaccess     : ping https ssh
arpforword      : enable
cli_conn_status : 0
detectserver    : (null)
gwdetect        : disable
ip              : 192.168.20.200 255.255.255.0
and so on.

Example
You are working in the config system global shell and want to see information about the FortiGate interfaces. At the (global)# prompt, type:
get system interface
The screen displays:
== [ internal ]
name: internal mode: static ip: 192.168.20.200 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
== [ external ]
name: external mode: static ip: 192.168.100.99 255.255.255.0 status: up netbios-forward: disable type: physical ip6-address: ::/0 ip6-send-adv: disable
...

Example
You want to confirm the IP address and netmask of the internal interface from the root prompt. At the # prompt, type:
get system interface internal
The screen displays:
name             : internal
allowaccess      : ping https ssh
arpforword       : enable
cli_conn_status  : 0
detectserver     : (null)
gwdetect         : disable
ip               : 192.168.20.200 255.255.255.0
ip6-address      : ::/0
ip6-default-life : 1800
...

show branch

Use show to display the FortiGate unit configuration. By default, only changes to the default configuration are displayed. Use show full-configuration to display the complete configuration. You can use show within a config shell to display the configuration of that shell, or you can use show with a full path to display the configuration of the specified object. To display the configuration of all objects, you can use show from the root prompt. The root prompt is the FortiGate host or model name followed by a #.

Example
When you type show and press Enter within the internal interface shell, the changes to the default internal interface configuration are displayed. At the (internal)# prompt, type:
show
The screen displays:
config system interface
    edit internal
        set allowaccess ssh ping https
        set ip 192.168.20.200 255.255.255.0
    next
end

Example
You are working in the internal interface shell and want to see the system global configuration. At the (internal)# prompt, type:
show system global
The screen displays:
config system global
    set admintimeout 5
    set authtimeout 15
    set failtime 5
    set hostname 'Fortigate-300'
    set interval 5
    set lcdpin 123456
    set ntpserver '132.246.168.148'
    set syncinterval 60
    set timezone 04
end

execute branch

Use execute to run static commands, to reset the FortiGate unit to factory defaults, and to back up or restore FortiGate configuration files. The execute commands are available only from the root prompt. The root prompt is the FortiGate host or model name followed by a #.

Example
At the root prompt, type:
execute reboot
and press Enter to restart the FortiGate unit.

diagnose branch

Commands in the diagnose branch are used for debugging the operation of the FortiGate unit and to set parameters for displaying different levels of diagnostic information. The diagnose commands are not documented in this CLI Reference Guide.

Caution: Diagnose commands are intended for advanced users only. Contact Fortinet technical support before using these commands.

Example command sequences

Note: Interface names vary for different FortiGate models. The following examples use the interface names for a FortiGate-300 unit.

To configure the primary and secondary DNS server addresses
1 Starting at the root prompt, type: config system dns and press Enter. The prompt changes to (dns)#.
2 At the (dns)# prompt, type ?
  The following options are displayed: set unset get show abort end
3 Type set ? The following options are displayed: primary secondary domain dns-cache-limit cache-not-found-responses
4 To set the primary DNS server address to 172.16.100.100, type: set primary 172.16.100.100 and press Enter.
5 To set the secondary DNS server address to 207.104.200.1, type: set secondary 207.104.200.1 and press Enter.
6 To restore the primary DNS server address to the default address, type unset primary and press Enter.
7 To restore the secondary DNS server address to the default address, type unset secondary and press Enter.
8 If you want to leave the config system dns shell without saving your changes, type abort and press Enter.
9 To save your changes and exit the dns sub-shell, type end and press Enter.
10 To confirm your changes have taken effect after leaving the dns sub-shell, type get system dns and press Enter.

To add two secondary IP addresses to the internal interface
1 Starting at the root prompt, type: config system interface and press Enter. The prompt changes to (interface)#.
2 At the (interface)# prompt, type ? The following options are displayed: edit delete purge rename get show end
3 At the (interface)# prompt, type: edit internal and press Enter. The prompt changes to (internal)#.
4 At the (internal)# prompt, type ? The following options are displayed: config set unset get show next abort end
5 At the (internal)# prompt, type: config secondaryip and press Enter. The prompt changes to (secondaryip)#.
6 At the (secondaryip)# prompt, type ? The following options are displayed: edit delete purge rename get show end
7 To add a secondary IP address with the ID number 0, type: edit 0 and press Enter. The prompt changes to (0)#.
8 At the (0)# prompt, type ? The following options are displayed: set unset get show next abort end
9 Type set ? The following options are displayed: allowaccess detectserver gwdetect ip
10 To set the secondary IP address with the ID number 0 to 192.168.100.100 and the netmask to 255.255.255.0, type: set ip 192.168.100.100 255.255.255.0 and press Enter.
11 To add another secondary IP address to the internal interface, type next and press Enter. The prompt changes to (secondaryip)#.
12 To add a secondary IP address with the ID number 1, type: edit 1 and press Enter. The prompt changes to (1)#.
13 To set the secondary IP address with the ID number 1 to 192.168.100.90 and the netmask to 255.255.255.0, type: set ip 192.168.100.90 255.255.255.0 and press Enter.
14 To restore the secondary IP address with the ID number 1 to the default, type unset ip and press Enter.
15 If you want to leave the secondary IP address 1 shell without saving your changes, type abort and press Enter.
16 To save your changes and exit the secondary IP address 1 shell, type end and press Enter. The prompt changes to (internal)#.
17 To delete the secondary IP address with the ID number 1, type delete 1 and press Enter.
18 To save your changes and exit the internal interface shell, type end and press Enter.
19 To confirm your changes have taken effect after using the end command, type get system interface internal and press Enter.
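As an added example that is not part of the FortiGate CLI Reference or of Fortinet's own tooling, the following Python parses show-style output of the kind shown under the show branch, including a nested config secondaryip shell like the one built in the sequence above, and audits the allowaccess lists for the clear-text Telnet and HTTP management protocols that this chapter's Telnet caution advises against. The sample output, the table and keyword names and the protocol names are taken from this chapter; the sample is constructed rather than captured from a unit, and the parsing functions and their names are this example's own.

```python
"""Parse FortiGate show-style output and audit interface allowaccess lists.
Added example, not from the FortiGate CLI Reference; it follows the
config / edit / set / next / end nesting that this chapter describes."""
import shlex

# Constructed sample shaped like 'show system interface' output; not captured
# from a real unit. Addresses match the chapter's FortiGate-300 examples.
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit internal
        set allowaccess ping https ssh
        set ip 192.168.20.200 255.255.255.0
        config secondaryip
            edit 0
                set ip 192.168.100.100 255.255.255.0
                set allowaccess ping telnet
            next
        end
    next
    edit external
        set allowaccess ping http telnet
        set ip 192.168.100.99 255.255.255.0
    next
end
"""

# Clear-text management protocols; the chapter's caution says to use SSH instead.
INSECURE_ACCESS = frozenset({"telnet", "http"})


def parse_show(text):
    """Parse show output into {table name: {entry name: entry}}, where an entry
    is {"name", "settings": {keyword: values}, "subtables": nested tables}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    tables, pos = {}, 0
    try:
        while pos < len(lines):
            name, entries, pos = _parse_table(lines, pos)
            tables[name] = entries
    except IndexError:
        raise ValueError("output ends inside an open shell (missing next/end)") from None
    return tables


def _parse_table(lines, pos):
    """Parse 'config <name>' ... 'end' at lines[pos]; return (name, entries, pos after end)."""
    head = lines[pos].split(None, 1)
    if head[0] != "config" or len(head) != 2:
        raise ValueError(f"expected 'config <table>' at line {pos}: {lines[pos]!r}")
    entries, pos = {}, pos + 1
    while lines[pos] != "end":
        tokens = shlex.split(lines[pos])
        if tokens[0] != "edit" or len(tokens) != 2:
            raise ValueError(f"expected 'edit <entry>' at line {pos}: {lines[pos]!r}")
        entry, pos = {"name": tokens[1], "settings": {}, "subtables": {}}, pos + 1
        while lines[pos] != "next":
            tokens = shlex.split(lines[pos])
            if tokens[0] == "set" and len(tokens) >= 3:
                entry["settings"][tokens[1]] = tokens[2:]
            elif tokens[0] == "unset" and len(tokens) == 2:
                entry["settings"].pop(tokens[1], None)
            elif tokens[0] == "config":  # subshell such as config secondaryip
                sub_name, sub_entries, pos = _parse_table(lines, pos)
                entry["subtables"][sub_name] = sub_entries
                continue  # the subshell's own 'end' is already consumed
            else:
                raise ValueError(f"unexpected line {pos} in edit shell: {lines[pos]!r}")
            pos += 1
        entries[entry["name"]] = entry
        pos += 1  # skip 'next'
    return head[1], entries, pos + 1  # skip 'end'


def audit_allowaccess(tables, insecure=INSECURE_ACCESS):
    """Sorted (label, protocol) pairs where an insecure management protocol is
    enabled; secondary IP entries are labelled '<interface>/secondaryip <id>'."""
    findings = []
    for name, entry in tables.get("system interface", {}).items():
        _collect(name, entry, insecure, findings)
    return sorted(findings)


def _collect(label, entry, insecure, findings):
    allowed = entry["settings"].get("allowaccess", [])
    findings.extend((label, proto) for proto in allowed if proto in insecure)
    for sub_name, sub_entries in entry["subtables"].items():
        for sub_id, sub in sub_entries.items():
            _collect(f"{label}/{sub_name} {sub_id}", sub, insecure, findings)


def remediation_command(entry, insecure=INSECURE_ACCESS):
    """The set line that drops insecure protocols, or None if there are none.
    set replaces the whole space-separated list, so kept protocols are restated."""
    current = entry["settings"].get("allowaccess", [])
    keep = [proto for proto in current if proto not in insecure]
    if len(keep) == len(current):
        return None
    return "set allowaccess " + " ".join(keep) if keep else "unset allowaccess"
```

Because set replaces the whole space-separated list, the remediation line restates every protocol that should remain, in line with the retype-the-whole-list rule stated earlier in this chapter.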
CLI basics

This section includes:
• Command help
• Command completion
• Recalling commands
• Editing commands
• Line continuation
• Command abbreviation
• Environment variables
• Encrypted password support
• Entering spaces in strings
• Entering quotation marks in strings
• Entering a question mark (?) in a string
• International characters
• Special characters
• IP address formats
• Editing the configuration file
• Setting screen paging
• Changing the baud rate
• Using Perl regular expressions
Command help
You can press the question mark (?) key to display command help.
• Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
• Type a command followed by a space and press the question mark (?) key to display a list of the options available for that command and a description of each option.
• Type a command followed by an option and press the question mark (?) key to display a list of additional options available for that command option combination and a description of each option.
Command completion
You can use the tab key or the question mark (?) key to complete commands.
• You can press the tab key at any prompt to scroll through the options available for that prompt.
• You can type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.
• After completing the first word of a command, you can press the space bar and then the tab key to scroll through the options available at the current cursor position.
Recalling commands
You can recall previously entered commands by using the Up and Down arrow keys to scroll through commands you have entered.
Editing commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. You can also use the Backspace and Delete keys and the control keys listed in Table 3 to edit the command.
Table 3: Control keys for editing commands
Function                                     Key combination
Beginning of line                            CTRL+A
End of line                                  CTRL+E
Back one character                           CTRL+B
Forward one character                        CTRL+F
Delete current character                     CTRL+D
Previous command                             CTRL+P
Next command                                 CTRL+N
Abort the command                            CTRL+C
If used at the root prompt, exit the CLI     CTRL+C
Line continuation
To break a long command over multiple lines, use a \ at the end of each line.
Command abbreviation
You can abbreviate commands and command options to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.
Environment variables
The FortiGate CLI supports the following environment variables.
$USERFROM     The management access type (SSH, Telnet and so on) and the IP address of the logged in administrator.
$USERNAME     The user account name of the logged in administrator.
$SerialNum    The serial number of the FortiGate unit.
Variable names are case sensitive. In the following example, the unit hostname is set to the serial number.
    config system global
        set hostname $SerialNum
    end
Encrypted password support
After you enter a clear text password using the CLI, the FortiGate unit encrypts the password and stores it in the configuration file with the prefix ENC. For example, show system admin user1 lists the user1 administrator password as follows:
    config system admin
        edit "user1"
            set accprofile "prof_admin"
            set password ENC XXNFKpSV3oIVk
        next
    end
It is also possible to enter an already encrypted password. For example, type: config system admin and press Enter. Type: edit user1 and press Enter. Type: set password ENC XXNFKpSV3oIVk and press Enter. Type: end and press Enter.
Entering spaces in strings
When a string value contains a space, do one of the following:
• Enclose the string in quotation marks, "Security Administrator", for example.
• Enclose the string in single quotes, 'Security Administrator', for example.
• Use a backslash ("\") preceding the space, Security\ Administrator, for example.
Entering quotation marks in strings
If you want to include a quotation mark, single quote or apostrophe in a string, you must precede the character with a backslash character. To include a backslash, enter two backslashes.
Entering a question mark (?) in a string
If you want to include a question mark (?) in a string, you must precede the question mark with CTRL-V. Entering a question mark without first entering CTRL-V causes the CLI to display possible command completions, terminating the string.
International characters
The CLI supports international characters in strings. The web-based manager dashboard CLI Console applet supports the appropriate character set for the current administration language. If you want to enter strings that contain Asian characters, configure the CLI Console to use the external command input box. International character support with external applications such as SSH clients depends on the capabilities and settings of the application.
Special characters
The characters <, >, (, ), #, ', and " are not permitted in most CLI fields. The exceptions are:
• passwords
• replacemsg buffer
• firewall policy comments
• ips custom signature
• antivirus filepattern
• antivirus exemptfilepattern
• webfilter bword
• spamfilter bword pattern
• system interface username (PPPoE mode)
• system modem phone numbers or account user names
• firewall profile comment
• spamfilter mheader fieldbody
• spamfilter emailbwl email_pattern
• router info bgp regular expressions
• router aspath-list rule regular expressions
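The following Python helper is an added example, not part of this Reference or of FortiOS. It applies the string rules from the sections above (spaces, quotation marks, backslashes, the question mark, and the characters most fields refuse) when a script generates set commands, so that the value reaches the CLI as a single string token. The function names and the caller-supplied decision of whether a field is one of the listed exceptions are assumptions of the example; the CLI itself remains the final authority on what a field accepts.

```python
"""Quote a string value for the FortiGate CLI (added example, not Fortinet code)."""
import re

# Characters the reference says are not permitted in most CLI fields.
SPECIAL_CHARS = frozenset('<>()#\'"')


def disallowed_characters(value: str) -> list:
    """Sorted list of characters in value that most CLI fields refuse."""
    return sorted(SPECIAL_CHARS & set(value))


def quote_cli_string(value: str, field_allows_special: bool = False) -> str:
    """Return value written so the CLI reads it as one string token.

    Backslashes are doubled and quotation marks, single quotes and
    apostrophes are backslash-escaped, as the reference requires.  The
    result is wrapped in double quotes whenever the value contains
    whitespace, a quote character or a backslash; plain values are
    returned unchanged.  A question mark cannot be escaped inside the
    string (it must be preceded by CTRL-V when typed interactively),
    so it is rejected here rather than emitted into a script.
    """
    if "?" in value:
        raise ValueError("'?' must be entered interactively with CTRL-V")
    if not field_allows_special:
        bad = disallowed_characters(value)
        if bad:
            raise ValueError(f"characters not permitted in this field: {bad}")
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("'", "\\'"))
    if value == "" or re.search(r"""[\s"'\\]""", value):
        return f'"{escaped}"'
    return escaped


def set_line(key: str, value: str, field_allows_special: bool = False) -> str:
    """Build one 'set <key> <value>' CLI line with the value quoted."""
    return f"set {key} {quote_cli_string(value, field_allows_special)}"


if __name__ == "__main__":
    # Sample values constructed for this example.
    print(set_line("comment", "Security Administrator", field_allows_special=True))
    print(set_line("hostname", "branch-fw"))
```

Values destined for a field that is not on the exception list are checked for the forbidden characters before any escaping is done; for the exempt fields (passwords, comments, patterns) the caller passes field_allows_special=True and only the quoting rules apply.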
IP address formats
You can enter an IP address and subnet using either dotted decimal or slash-bit format. For example you can type either:
    set ip 192.168.1.1 255.255.255.0
or
    set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format.
Editing the configuration file
You can change the FortiGate configuration by backing up the configuration file to a TFTP server. Then you can make changes to the file and restore it to the FortiGate unit.
1 Use the execute backup config command to back up the configuration file to a TFTP server.
2 Edit the configuration file using a text editor. Related commands are listed together in the configuration file. For instance, all the system commands are grouped together, all the antivirus commands are grouped together and so on. You can edit the configuration by adding, changing or deleting the CLI commands in the configuration file. The first line of the configuration file contains information about the firmware version and FortiGate model. Do not edit this line. If you change this information the FortiGate unit will reject the configuration file when you attempt to restore it.
3 Use the execute restore config command to copy the edited configuration file back to the FortiGate unit. The FortiGate unit receives the configuration file and checks to make sure the firmware version and model information is correct. If it is, the FortiGate unit loads the configuration file and checks each command for errors. If the FortiGate unit finds an error, an error message is displayed after the command and the command is rejected. Then the FortiGate unit restarts and loads the new configuration.
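The following Python parser is an added example, not part of this Reference or of FortiOS. It reads a backed-up configuration file into nested dictionaries so that an edited file can be checked for nesting mistakes and reviewed before execute restore config sends it back to the unit. It follows the structure this section describes (an untouchable first line identifying firmware and model, then config / edit / set / unset / next / end blocks, with values quoted as described under "Entering spaces in strings"); the #config-version= header prefix, the function names and the sample file are assumptions constructed for the example. The sample's secondaryip and admin entries mirror the CLI examples given earlier in this chapter, and the review function flags admin accounts whose password was typed into the file in clear text instead of the ENC form the unit writes.

```python
"""Parse a FortiGate config backup before restoring it (added example, not Fortinet code)."""
import shlex

HEADER_PREFIX = "#config-version="   # assumed form of the first line


class ConfigError(ValueError):
    """Raised where the unit would reject the file: bad header or bad nesting."""


def parse_config(text):
    """Return (header_line, tree).

    tree maps each 'config <path>' to a dict; 'edit <name>' entries are
    dicts keyed by name and 'set <key> <values...>' stores the value tokens
    as a list.  A config block inside an entry (config secondaryip inside
    an interface, for instance) becomes a nested dict.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        raise ConfigError("first line must be the firmware/model header")
    header = lines[0]
    root = {}
    stack = [("root", root)]            # (block kind, dict) for open blocks
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # FortiGate quoting ("...", '...', backslash escapes) is close enough
        # to POSIX shell quoting for shlex to split the tokens.
        tokens = shlex.split(line, posix=True)
        cmd, args = tokens[0], tokens[1:]
        kind, scope = stack[-1]
        if cmd == "config" and args:
            stack.append(("config", scope.setdefault(" ".join(args), {})))
        elif cmd == "edit" and len(args) == 1 and kind == "config":
            stack.append(("edit", scope.setdefault(args[0], {})))
        elif cmd == "set" and len(args) >= 2 and kind != "root":
            scope[args[0]] = args[1:]
        elif cmd == "unset" and len(args) == 1 and kind != "root":
            scope.pop(args[0], None)
        elif cmd == "next" and kind == "edit":
            stack.pop()
        elif cmd == "end" and kind in ("config", "edit"):
            # 'end' leaves the whole table, even from inside an entry
            # (step 16 of the secondary IP procedure relies on this).
            while stack.pop()[0] != "config":
                pass
        else:
            raise ConfigError(f"line {lineno}: unexpected {line!r} in {kind} block")
    if len(stack) != 1:
        raise ConfigError(f"unterminated {stack[-1][0]} block at end of file")
    return header, root


def check_for_restore(text):
    """Return None if the file parses cleanly, else a description of the problem."""
    try:
        parse_config(text)
    except ConfigError as exc:
        return str(exc)
    return None


def cleartext_admin_passwords(tree):
    """Names of admin accounts whose password lacks the ENC prefix.

    A backup written by the unit stores passwords as 'ENC <ciphertext>';
    a plain value means it was typed into the file and should be rotated
    once the file has been handled.
    """
    admins = tree.get("system admin", {})
    return sorted(name for name, attrs in admins.items()
                  if attrs.get("password") and attrs["password"][0] != "ENC")


# Constructed sample backup (placeholder header; not a real unit's file).
SAMPLE_CONFIG = """\
#config-version=MODEL-3.00-FW-build0000-000000
config system global
    set hostname "branch fw 01"
end
config system admin
    edit "user1"
        set accprofile "prof_admin"
        set password ENC XXNFKpSV3oIVk
    next
    edit "admin2"
        set accprofile "prof_admin"
        set password hardtoguess
        set vdom "vdomain2"
    next
end
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        config secondaryip
            edit 0
                set ip 192.168.100.100 255.255.255.0
            next
        end
    next
end
"""
```

Running parse_config over SAMPLE_CONFIG yields the header line untouched and a tree in which tree["system admin"]["admin2"]["password"] is ["hardtoguess"], so cleartext_admin_passwords reports admin2; a file with a missing end or a next outside an edit block fails check_for_restore before it is ever sent to the unit.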
Setting screen paging
Using the config system console command, you can configure the display to pause when the screen is full. This is convenient for viewing the lengthy output of a command such as get system global. When the display pauses, the bottom line of the console displays --More--. You can then do one of the following:
• Press the spacebar to continue.
• Press Q to end the display. One more line of output is displayed, followed by the shell prompt.
To set paged output, enter the following command:
    config system console
        set output more
    end
Changing the baud rate
Using set baudrate in the config system console shell, you can change the default console connection baud rate.
Note: Changing the default baud rate is available for FortiGate units with BIOS 3.03 and higher and FortiOS version 2.50 and higher.
Using Perl regular expressions
Some FortiGate features, such as spam filtering and web content filtering, can use either wildcards or Perl regular expressions. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.
Some differences between regular expression and wildcard pattern matching
In Perl regular expressions, the '.' character refers to any single character. It is similar to the '?' character in wildcard pattern matching. As a result:
• fortinet.com not only matches fortinet.com but also matches fortinetacom, fortinetbcom, fortinetccom and so on.
To match a special character such as '.' and '*', regular expressions use the '\' escape character. For example:
• To match fortinet.com, the regular expression should be fortinet\.com.
In Perl regular expressions, '*' means match 0 or more times the character before it, not 0 or more times any character. For example:
• forti*\.com matches fortiiii.com but does not match fortinet.com.
To match any character 0 or more times, use '.*', where '.' means any character and the '*' means 0 or more times. For example:
• the wildcard match pattern forti*.com is equivalent to the regular expression forti.*\.com.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression "test" not only matches the word "test" but also matches any word that contains the word "test" such as "atest", "mytest", "testimony", "atestb". The notation "\b" specifies the word boundary. To match exactly the word "test", the expression should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam filters. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of "bad language" regardless of case.
Table 4: Perl regular expression examples
Expression      Matches
abc             abc (that exact character sequence, but anywhere in the string)
^abc            abc at the beginning of the string
abc$            abc at the end of the string
a|b             either of a and b
^abc|abc$       the string abc at the beginning or at the end of the string
ab{2,4}c        an a followed by two, three or four b's followed by a c
ab{2,}c         an a followed by at least two b's followed by a c
ab*c            an a followed by any number (zero or more) of b's followed by a c
ab+c            an a followed by one or more b's followed by a c
ab?c            an a followed by an optional b followed by a c; that is, either abc or ac
a.c             an a followed by any single character (not newline) followed by a c
a\.c            a.c exactly
[abc]           any one of a, b and c
[Aa]bc          either of Abc and abc
[abc]+          any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[^abc]+         any (nonempty) string which does not contain any of a, b and c (such as defg)
\d\d            any two decimal digits, such as 42; same as \d{2}
/i              makes the pattern case insensitive. For example, /bad language/i blocks any instance of "bad language" regardless of case.
\w+             a "word": a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk        the strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b           abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B          perl when not followed by a word boundary (e.g. in perlert but not in perl stuff)
\x              tells the regular expression parser to ignore white space that is neither backslashed nor within a character class. You can use this to break up your regular expression into (slightly) more readable parts.
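The following Python script is an added example, not part of this Reference or of FortiOS. It checks the wildcard-versus-regular-expression points made in this section and several rows of Table 4 using Python's re module, whose behaviour for the constructs involved (., *, \., \b, \B and case-insensitive matching) agrees with Perl's. The wildcard_to_regex function is the general translation rule of which the text's forti*.com to forti.*\.com conversion is one instance; the function names are assumptions of the example, and how a FortiGate unit applies a wildcard pattern (anchored or not) is not something the example can confirm.

```python
"""Wildcard versus Perl-style regular expression matching (added example, not Fortinet code)."""
import re


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern into the equivalent regular expression.

    '*' becomes '.*' (any run of characters), '?' becomes '.' (any single
    character) and everything else is escaped, so a literal '.' in the
    wildcard pattern turns into '\\.' as the text requires.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def regex_matches(pattern, text, case_insensitive=False):
    """True if pattern matches anywhere in text.

    Nothing is implied: no anchors, no word boundaries ('test' matches
    'testimony' unless the pattern says \\btest\\b), and matching is case
    sensitive unless the caller asks for the /i behaviour.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, text, flags) is not None


# (pattern, text, expected result) triples taken from the section above.
DEMONSTRATIONS = [
    (r"fortinet.com", "fortinetacom", True),     # '.' is any one character
    (r"fortinet\.com", "fortinetacom", False),   # escaped '.' is literal
    (r"forti*\.com", "fortiiii.com", True),      # '*' repeats the 'i' before it
    (r"forti*\.com", "fortinet.com", False),
    (r"forti.*\.com", "fortinet.com", True),     # '.*' is any run of characters
    (r"test", "testimony", True),                # no implicit word boundary
    (r"\btest\b", "testimony", False),
    (r"\btest\b", "a test here", True),
    (r"abc\b", "abc!", True),                    # Table 4 rows
    (r"abc\b", "abcd", False),
    (r"perl\B", "perlert", True),
    (r"perl\B", "perl stuff", False),
    (r"100\s*mk", "100\t\nmk", True),
]


def all_demonstrations_hold():
    """Check every listed pattern against its text and expected result."""
    return all(regex_matches(p, t) == expected for p, t, expected in DEMONSTRATIONS)
```

The DEMONSTRATIONS list doubles as a checklist when writing filter patterns: a pattern that is meant to match a literal domain must escape its dots, and a pattern that is meant to match only a whole word must carry \b on both sides, otherwise the filter matches more than intended.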
Working with virtual domains
By default, the FortiGate unit has one virtual domain (root) and one administrator (admin) with unrestricted access to the system configuration. If you enable virtual domain configuration, the super admin account can also:
• Use the vdom command to create and configure additional virtual domains.
• Use the global command to create and assign administrators to each virtual domain.
• Use the global command to configure features that apply to all virtual domains.
This section contains the following topics:
Enabling virtual domain configuration
Accessing commands in virtual domain configuration
Creating and configuring VDOMs
Configuring inter-VDOM routing
Changing the management VDOM
Creating VDOM administrators
Troubleshooting ARP traffic on VDOMs
global
vdom
Enabling virtual domain configuration
The administrators with the super_admin profile can enable virtual domain configuration through either the web-based manager or the CLI. In the CLI, use the following command:
    config system global
        set vdom-admin enable
    end
Log off and then log on again with a super_admin admin account. By default, there is no password for the default admin account.
Accessing commands in virtual domain configuration
When you log in as admin with virtual domain configuration enabled, you have only four top-level commands:
config global
    Enter config global to access global commands. In the global shell, you can execute commands that affect all virtual domains, such as config system autoupdate. For a list of the global commands, see "global" on page 57.
config vdom
    Enter config vdom to access VDOM-specific commands. In the vdom shell, use the edit command to create a new VDOM or to edit the configuration of an existing VDOM. In the shell, you can execute commands to configure options that apply only within the VDOM, such as config firewall policy. For a list of VDOM-specific commands, see "vdom" on page 60. When you have finished, enter next to edit another vdom, or end.
get system status
    System status. See "vdom-link" on page 449.
exit
    Log off.
Creating and configuring VDOMs
When virtual domain configuration is enabled, admin has full access to the global FortiGate unit configuration and to the configuration of each VDOM. All of the commands described in this Reference are available to admin, but they are accessed through a special top-level command shell.
Creating a VDOM
You create a new VDOM using the config vdom command. For example, to create a new VDOM called vdomain2, you enter the following:
    config vdom
        edit vdomain2
    end
This creates a new VDOM operating in NAT/Route mode. You can have up to 10 VDOMs on your FortiGate unit by default. For this VDOM to be useful, you need to assign interfaces or VLAN subinterfaces to it.
Assigning interfaces to a VDOM
By default, all interfaces belong to the root domain. You can reassign an interface or VLAN subinterface to another VDOM if the interface is not already used in a VDOM-specific configuration such as a firewall policy. Interfaces are part of the global configuration of the FortiGate unit, so only the admin account can configure them. For example, to assign port3 and port4 to vdomain2, log on as admin and enter the following commands:
    config global
        config system interface
            edit port3
                set vdom vdomain2
            next
            edit port4
                set vdom vdomain2
        end
    end
Setting VDOM operating mode
When you create a VDOM, its default operating mode is NAT/Route. You can change the operating mode of each VDOM independently.
Changing to Transparent mode
When you change the operating mode of a VDOM from NAT/Route to Transparent mode, you must specify the management IP address and the default gateway IP address. The following example shows how to change vdomain2 to Transparent mode. The management IP address is 192.168.10.100, and the default gateway is 192.168.10.1:
    config vdom
        edit vdomain3
            config system settings
                set opmode transparent
                set manageip 192.168.10.100 255.255.255.0
                set gateway 192.168.10.1
            end
For more information, see "system settings" on page 440.
Changing back to NAT/Route mode
If you change a Transparent mode VDOM back to NAT/Route mode, you must specify which interface you will use for administrative access and the IP address for that interface. This ensures that administrative access is configured on the interface. You must also specify the default gateway IP address and the interface that connects to the gateway. For example,
    config vdom
        edit vdomain3
            config system settings
                set opmode nat
            end
            config system interface
                edit port1
                    set ip 192.168.10.100 255.255.255.0
            end
For more information, see "system settings" on page 440.
Configuring inter-VDOM routing
By default, VDOMs are independent of each other and to communicate they need to use physical interfaces that are externally connected. By using the vdom-link command that was added in FortiOS v3.0, this connection can be moved inside the FortiGate unit, freeing up the physical interfaces. This feature also allows you to determine the level of inter-VDOM routing you want: only two VDOMs interconnected, or all VDOMs interconnected. The vdom-link command creates virtual interfaces, so you have access to all the security available to physical interface connections. These internal interfaces have the added bonus of being faster than physical interfaces unless the CPU load is very heavy. As of FortiOS v3.0 MR3, BGP is supported over inter-VDOM links.
In this example you have already configured two VDOMs called v1 and v2, and you want to set up a link between them. The following command creates the VDOM link called v12_link. Once you have the link in place, you need to bind the two ends of the link to the VDOMs it will be connecting. Then you are free to apply firewall policies or other security measures.
Note: When you are naming VDOM links you are limited to 8 characters for the base name. In the example below, the link name v12_link that is used is correct, but a link name of v12_verylongname is too long.
    config global
        config system vdom-link
            edit v12_link
        end
        config system interface
            edit v12_link0
                set vdom v1
            next
            edit v12_link1
                set vdom v2
            next
        end
To remove the vdom-link, delete the vdom-link. You will not be able to delete the ends of the vdom-link by themselves. To delete the above setup, enter:
    config global
        config system vdom-link
            delete v12_link
        end
Note: In an HA setup with virtual clusters, inter-VDOM routing must be entirely within one cluster. You cannot create links between virtual clusters, and you cannot move a VDOM that is linked into another virtual cluster. In HA mode with multiple vclusters, when you create the vdom-link in system vdom-link there is an option to set which vcluster the link will be in.
Before inter-VDOM routing, VDOMs were completely separate entities. Now, many new configurations are available such as a service provider configuration (a number of VDOMs that go through one main VDOM to access the internet) or a mesh configuration (where some or all VDOMs are connected to some or all other VDOMs). These configurations are discussed in-depth in the FortiGate VLANs and VDOMs Guide.
Changing the management VDOM
All management traffic leaves the FortiGate unit through the management VDOM. Management traffic includes all external logging, remote management, and other Fortinet services. By default the management VDOM is root. You can change this to another VDOM so that the traffic will leave your FortiGate unit over the new VDOM. You cannot change the management VDOM if any administrators are using RADIUS authentication.
If you want to change the management VDOM to vdomain2, you enter:
    config global
        config system global
            set management-vdom vdomain2
        end
Creating VDOM administrators
The super_admin admin accounts can create regular administrators and assign them to VDOMs. The system admin command, when accessed by admin, includes a VDOM assignment. For example, to create an administrator, admin2, for VDOM vdomain2 with the default profile prof_admin, you enter:
    config global
        config system admin
            edit admin2
                set accprofile prof_admin
                set password hardtoguess
                set vdom vdomain2
        end
The admin2 administrator account can only access the vdomain2 VDOM and can connect only through an interface that belongs to that VDOM. The VDOM administrator can access only VDOM-specific commands, not global commands.
Troubleshooting ARP traffic on VDOMs
Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.
Duplicate ARP packets
ARP traffic can cause problems, especially in Transparent mode where ARP packets arriving on one interface are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the Layer 2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset, causing network traffic to slow down.
Multiple VDOMs solution
One solution is to configure multiple VDOMs on the FortiGate unit, one for each VLAN. This means one inbound and one outbound VLAN interface in each virtual domain. ARP packets are not forwarded between VDOMs. By default, physical interfaces are in the root domain. Do not configure any of your VLANs in the root domain. As a result of this VDOM configuration, the switches do not receive multiple ARP packets with the same source MAC but different VLAN IDs, and the instability does not occur.
Forward-domain solution
You may run into problems using the multiple VDOMs solution. It is possible that you have more VLANs than licensed VDOMs, not enough physical interfaces, or your configuration may work better by grouping some VLANs together. In these situations the separate VDOMs solution may not work for you. In these cases, the solution is to use the forward-domain command. This command tags VLAN traffic as belonging to a particular forward-domain collision group, and only VLANs tagged as part of that collision group receive that traffic. By default ports and VLANs are part of forward-domain collision group 0. For more information, see the FortiGate VLANs and VDOMs Guide. This solution has many benefits, from reduced administration to using fewer physical interfaces to allowing more flexible network solutions. In the following example, forward-domain collision group 340 includes VLAN 340 traffic on Port1 and untagged traffic on Port2. Forward-domain collision group 341 includes VLAN 341 traffic on Port1 and untagged traffic on Port3. All other ports are part of forward-domain collision group 0 by default. These are the CLI commands to accomplish this setup.
    config system interface
        edit "port1"
        next
        edit "port2"
            set forward_domain 340
        next
        edit "port3"
            set forward_domain 341
        next
        edit "port1-340"
            set forward_domain 340
            set interface "port1"
            set vlanid 340
        next
        edit "port1-341"
            set forward_domain 341
            set interface "port1"
            set vlanid 341
        next
    end
There is a more detailed discussion of this issue in the Asymmetric Routing and Other FortiGate Layer2 Installation Issues technical note.
global
From the super_admin accounts, use this command to configure features that apply to all virtual domains. Virtual domain configuration (vdom-admin) must be enabled. See "system global" on page 350.
Syntax
This command syntax shows how you access the commands within config global. For information on these commands, refer to the relevant sections in this Reference.
    config global
        config antivirus ...
        config firewall service
        config gui console
        config imp2p ...
        config ips ...
        config log fortianalyzer setting
        config log report definition
        config log report filter
        config log report output
        config log report period
        config log report schedule
        config log report scope
        config log report selection
        config log syslogd setting
        config log webtrends setting
        config spamfilter ...
        config system accprofile
        config system admin
        config system alertemail
        config system auto-install
        config system autoupdate clientoverride
        config system autoupdate override
        config system autoupdate push-update
        config system autoupdate schedule
        config system autoupdate tunneling
        config system bug-report
        config system console
        config system dns
        config system fortiguard
        config system fortianalyzer, fortianalyzer2, fortianalyzer3
        config system gi-gk (FortiOS Carrier)
        config system global
        config system ha
        config system interface
        config system replacemsg admin
        config system replacemsg alertmail
        config system replacemsg auth
        config system replacemsg fortiguard-wf
        config system replacemsg ftp
        config system replacemsg http
        config system replacemsg im
        config system replacemsg mail
        config system replacemsg mm1 (FortiOS Carrier)
        config system replacemsg mm3 (FortiOS Carrier)
        config system replacemsg mm4 (FortiOS Carrier)
        config system replacemsg mm7 (FortiOS Carrier)
        config system replacemsg nntp
        config system replacemsg spam
        config system replacemsg sslvpn
        config system replacemsg-group (FortiOS Carrier)
        config system replacemsg-image (FortiOS Carrier)
        config system session-helper
        config system session-sync
        config system snmp community
        config system snmp sysinfo
        config system vdom-link
        config user dynamic-profile (FortiOS Carrier)
        config vpn certificate ca
        config vpn certificate crl
        config vpn certificate local
        config vpn certificate remote
        config webfilter fortiguard
        execute backup
        execute batch
        execute central-mgmt
        execute cfg reload
        execute cfg save
        execute cli
        execute date
        execute deploy
        execute dhcp lease-list
        execute disconnect-admin-session
        execute factoryreset
        execute formatlogdisk
        execute fsae refresh
        execute ha disconnect
        execute ha manage
        execute ha synchronize
        execute log delete-all
        execute log delete-filtered
        execute log delete-rolled
        execute log display
        execute log filter
        execute log list
        execute log roll
        execute reboot
        execute restore
        execute set-next-reboot
        execute shutdown
        execute time
        execute update-av
        execute update-ips
        execute update-now
        execute usb-disk
        execute vpn certificate ...
        get firewall vip ...
    end
History
FortiOS v3.0          New.
FortiOS v3.0 MR1      Added vdom-link, vpn, webfilter, execute backup, batch, dhcp lease-client, dhcp lease-list, fsae refresh, restore, telnet, and traceroute.
FortiOS v3.0 MR5      Added config firewall service, gui console, system console, system fortiguard, system replacemsg admin/alertemail/auth/nntp, vpn certificate crl/local/remote, execute central-mgmt, execute cfg ..., execute update-ips, and execute update-now.
FortiOS v3.0 MR6      Added config system session-sync, expanded command to vpn certificate ... . Removed vpn sslvpn.
Related topics
• vdom
vdom
From the super admin account, use this command to add and configure virtual domains. The number of virtual domains you can add is dependent on the FortiGate model. Virtual domain configuration (vdom-admin) must be enabled. See "system global" on page 350.
Once you add a virtual domain you can configure it by adding zones, firewall policies, routing settings, and VPN settings. You can also move physical interfaces from the root virtual domain to other virtual domains and move VLAN subinterfaces from one virtual domain to another. By default all physical interfaces are in the root virtual domain. You cannot remove an interface from a virtual domain if the interface is part of any of the following configurations:
• routing
• proxy arp
• DHCP server
• zone
• firewall policy
• IP pool
• redundant pair
• link aggregate (802.3ad) group
Delete these items or modify them to remove the interface first. You cannot delete the default root virtual domain and you cannot delete a virtual domain that is used for system management.
Syntax
This command syntax shows how you access the commands within config vdom. Refer to the relevant sections in this Reference for information on these commands.
    config vdom
        edit
            config antivirus
            config firewall address, address6
            config firewall addrgrp, addrgrp6
            config firewall dnstranslation
            config firewall ipmacbinding setting
            config firewall ipmacbinding table
            config firewall ippool
            config firewall multicast-policy
            config firewall policy, policy6
            config firewall schedule onetime
            config firewall schedule recurring
            config firewall service custom
            config firewall service group
            config firewall vip
            config gui
            config log {disk | fortianalyzer | memory | syslogd | webtrends | fortiguard} filter
            config log fortianalyzer setting
            config log memory setting
            config log trafficfilter
            config router ...
            config system admin
60
FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
Working with virtual domains
vdom
config system arp-table config system dhcp reserved-address config system dhcp server config system gre-tunnel config system interface config system ipv6-tunnel config system proxy-arp config system session-ttl config system settings config system zone config user adgrp config user fsae config user group config user ldap config user local config user msisdn-bwl (FortiOS Carrier) config user msisdn-translation (FortiOS Carrier) config user peer config user peergrp config user radius config vpn ... execute backup execute date execute deploy execute dhcp lease-list execute disconnect-admin-session execute fsae refresh execute ha disconnect execute ha manage execute ha synchronize execute log delete-all execute log delete-filtered execute log delete-rolled execute log display execute log filter execute log list execute log roll execute ping execute ping-options execute ping6 execute reboot execute restore execute router clear bgp execute router clear ospf process execute router restart execute set-next-reboot execute traceroute execute usb-disk execute vpn sslvpn del-tunnel next edit config ... execute ... end FortiGate CLI Version 3.0 MR6 Reference 01-30006-0015-20080205
61
vdom
Working with virtual domains
end Variable
Description
Default
edit
Enter a new name to create a new VDOM. Enter an existing VDOM name to configure that VDOM. The VDOM you enter becomes the current VDOM. A VDOM cannot have the same name as a VLAN. A VDOM name cannot exceed 11 characters in length.
Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If you attempt to name a new VDOM vsys_ha or vsys_fgfm it will generate an error.
Note: Use config system settings set opmode {nat | transparent} to set the operation mode for this VDOM to nat (NAT/Route) or transparent.
Example This example shows how to add a virtual domain called Test1. config system vdom edit Test1 end
History
FortiOS v3.0
New.
FortiOS v3.0 MR1
Added system admin, interface, ipv6-tunnel commands. Added batch, date, reboot, execute router clear ospf process commands. Removed log fortianalyzer, log syslogd, log webtrends, router graceful-restart commands.
FortiOS v3.0 MR1
Added system setting multicast-forward and multicast-ttl-notchange.
FortiOS v3.0 MR5
Removed config alertemail, and execute batch. Added config gui, system arp-table, system proxy-arp, all of system settings.
Related topics
• global
alertemail

Use alertemail commands to configure the FortiGate unit to monitor logs for log messages with certain severity levels. If such a message appears in the logs, the FortiGate unit sends an email containing the log message to one or more predefined recipients. Alert emails provide immediate notification of issues occurring on the FortiGate unit, such as system failures or network attacks.

By default, the alertemail commands do not appear if no SMTP server is configured. An SMTP server is configured using the system alertemail commands. See “system alertemail” on page 321 for more information.

When configuring an alert email, you must configure at least one DNS server. The FortiGate unit uses the SMTP server name to connect to the mail server and must look up this name on your DNS server. See “dns” on page 339 for more information about configuring DNS servers.

This chapter contains the following section:
setting
setting

Use this command to configure the FortiGate unit to send an alert email to up to three recipients. This command can also be configured to send an alert email a certain number of days before the FDS license expires and/or when the disk usage exceeds a certain threshold amount.

You need to configure an SMTP server before configuring alert email settings. See “system alertemail” on page 321 for more information.

Note: The FortiGate unit must be able to look up the SMTP server name on your DNS server because the FortiGate unit uses the SMTP server to connect to the mail server. See “system dns” on page 339 for more information.
Syntax
config alertemail setting
    set username
    set mailto1
    set mailto2
    set mailto3
    set filter-mode {category | threshold}
    set email-interval
    set severity {alert | critical | debug | emergency | error | information | notification | warning}
    set emergency-interval
    set alert-interval
    set critical-interval
    set error-interval
    set warning-interval
    set notification-interval
    set information-interval
    set debug-interval
    set IPS-logs {disable | enable}
    set firewall-authentication-failure-logs {disable | enable}
    set HA-logs {enable | disable}
    set IPsec-error-logs {disable | enable}
    set FDS-update-logs {disable | enable}
    set PPP-errors-logs {disable | enable}
    set sslvpn-authentication-errors-logs {disable | enable}
    set antivirus-logs {disable | enable}
    set webfilter-logs {disable | enable}
    set configuration-changes-logs {disable | enable}
    set violation-traffic-logs {disable | enable}
    set admin-login-logs {disable | enable}
    set local-disk-usage-warning {disable | enable}
    set FDS-license-expiring-warning {disable | enable}
    set FDS-license-expiring-days
    set local-disk-usage
    set fortiguard-log-quota-warning
end
Keywords and variables    Description    Default

username
Enter a valid email address in the format [email protected]. This address appears in the From header of the alert email.
Default: No default.

mailto1
Enter an email address. This is one of the email addresses to which the FortiGate unit sends an alert email.
Default: No default.

mailto2
Enter an email address. This is one of the email addresses to which the FortiGate unit sends an alert email.
Default: No default.

mailto3
Enter an email address. This is one of the email addresses to which the FortiGate unit sends an alert email.
Default: No default.

filter-mode {category | threshold}
Set the filter mode of the alert email. The following keywords are only displayed when threshold is entered:
• emergency-interval
• alert-interval
• critical-interval
• error-interval
• warning-interval
• notification-interval
• information-interval
• debug-interval
Default: category

email-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email. This is not available when filter-mode threshold is enabled.
Default: 5

emergency-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email for emergency level messages. Only available when filter-mode threshold is entered.
Default: 1

alert-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email for alert level messages. Only available when filter-mode threshold is entered.
Default: 2

critical-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email for critical level messages. Only available when filter-mode threshold is entered.
Default: 3

error-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email for error level messages. Only available when filter-mode threshold is entered.
Default: 5

warning-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email for warning level messages. Only available when filter-mode threshold is entered.
Default: 10

notification-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email for notification level messages. Only available when filter-mode threshold is entered.
Default: 20

information-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email for information level messages. Only available when filter-mode threshold is entered.
Default: 30

debug-interval
Enter the number of minutes the FortiGate unit should wait before sending out an alert email for debug level messages. Only available when filter-mode threshold is entered.
Default: 60
severity {alert | critical | debug | emergency | error | information | notification | warning}
Select the logging severity level. This is only available when filter-mode threshold is entered. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select error, the unit logs error, critical, alert, and emergency level messages.
alert – Immediate action is required.
critical – Functionality is affected.
debug – Information used for diagnosing or debugging the FortiGate unit.
emergency – The system is unusable.
error – An erroneous condition exists and functionality is probably affected.
information – General information about system operations.
notification – Information about normal events.
warning – Functionality might be affected.
Default: alert
IPS-logs {disable | enable}
Enable or disable IPS logs.
Default: disable

firewall-authentication-failure-logs {disable | enable}
Enable or disable firewall authentication failure logs.
Default: disable

HA-logs {enable | disable}
Enable or disable high availability (HA) logs.
Default: disable

IPsec-error-logs {disable | enable}
Enable or disable IPSec error logs.
Default: disable

FDS-update-logs {disable | enable}
Enable or disable FDS update logs.
Default: disable

PPP-errors-logs {disable | enable}
Enable or disable PPP error logs.
Default: disable

sslvpn-authentication-errors-logs {disable | enable}
Enable or disable SSL VPN authentication error logs.
Default: disable

antivirus-logs {disable | enable}
Enable or disable antivirus logs.
Default: disable

webfilter-logs {disable | enable}
Enable or disable web filter logs.
Default: disable

configuration-changes-logs {disable | enable}
Enable or disable configuration changes logs.
Default: disable

violation-traffic-logs {disable | enable}
Enable or disable traffic violation logs.
Default: disable

admin-login-logs {disable | enable}
Enable or disable admin login logs.
Default: disable

local-disk-usage-warning {disable | enable}
Enable or disable the local disk usage warning. The usage level, in percent, that triggers the warning is set with local-disk-usage.
Default: disable

FDS-license-expiring-warning {disable | enable}
Enable or disable an email notification of the expiry date of the FDS license.
Default: disable

FDS-license-expiring-days
Enter the number of days before the FDS license expires at which to be notified by email. For example, if you want notification five days in advance, enter 5.
Default: 15

local-disk-usage
Enter the local disk usage, in percent, above which the FortiGate unit sends the local disk usage warning. For example, enter 15 for a warning when the local disk usage is at 15 percent. The number cannot be 0 or 100.
Default: 75

fortiguard-log-quota-warning
Enable to receive an alert email when the FortiGuard Log & Analysis server reaches its quota.
Default: disable
Examples
This example shows how to configure the user name, add three email addresses for sending alerts to, and select which types of log messages, such as HA and antivirus, are sent in alert emails.
config alertemail setting
    set username [email protected]
    set mailto1 [email protected]
    set mailto2 [email protected]
    set mailto3 [email protected]
    set filter-mode category
    set HA-logs enable
    set FDS-update-logs enable
    set antivirus-logs enable
    set webfilter-logs enable
    set admin-login-logs enable
    set violation-traffic-logs enable
end
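The example above uses filter-mode category. The threshold mode described in the keyword table (severity plus the per-level interval keywords) is easier to reason about when its two rules are written out. The following is an added Python model, not FortiOS code and not part of the reference: it applies "messages at or above the selected severity qualify" and "each severity level has its own minimum interval between emails" to a few constructed log lines, using the default interval values from the table. The class and function names are assumptions chosen for the illustration.

```python
"""Model of the alertemail 'threshold' filter mode.

Added illustration, not FortiOS code. Severity order and the per-level
interval defaults are taken from the keyword table; everything else
(class names, the sample log lines) is constructed for this example.
"""
from dataclasses import dataclass, field

# Severity order as listed in the reference: emergency is the most severe.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Default per-level intervals (minutes) from the keyword table.
DEFAULT_INTERVALS = {"emergency": 1, "alert": 2, "critical": 3, "error": 5,
                     "warning": 10, "notification": 20, "information": 30,
                     "debug": 60}


@dataclass
class ThresholdAlerter:
    severity: str = "alert"   # default value of the 'severity' keyword
    intervals: dict = field(default_factory=lambda: dict(DEFAULT_INTERVALS))
    # minute at which an email was last sent, per severity level
    last_sent: dict = field(default_factory=dict)

    def qualifies(self, level: str) -> bool:
        """True if 'level' is at or above the configured severity."""
        return RANK[level] <= RANK[self.severity]

    def process(self, minute: int, level: str, message: str) -> bool:
        """Return True if this log line would trigger an alert email now."""
        if not self.qualifies(level):
            return False
        last = self.last_sent.get(level)
        if last is not None and minute - last < self.intervals[level]:
            return False   # still inside this level's interval: suppressed
        self.last_sent[level] = minute
        return True


# Constructed sample log stream: (minute, level, message), in time order.
SAMPLE_LOGS = [
    (0, "critical", "HA heartbeat lost"),
    (1, "critical", "HA heartbeat lost"),    # inside the 3-minute critical interval
    (1, "warning", "disk usage at 80 percent"),  # below severity 'critical'
    (2, "emergency", "system unusable"),
    (2, "emergency", "system unusable"),     # inside the 1-minute emergency interval
    (4, "critical", "HA heartbeat lost"),    # 4 minutes after the first: sent
]


def run(severity: str = "critical", logs=SAMPLE_LOGS) -> list:
    """Return the (minute, level) pairs that would produce an email."""
    alerter = ThresholdAlerter(severity=severity)
    sent = []
    for minute, level, message in logs:
        if alerter.process(minute, level, message):
            sent.append((minute, level))
    return sent
```

Running run() with severity critical yields three emails from six qualifying-or-not log lines; lowering the severity to debug admits the warning line as well. The point for a defender is that the interval keywords rate-limit per level, so a burst of identical critical events produces one email per critical-interval, not one per event.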
History
FortiOS v2.80
Substantially revised and expanded.
FortiOS v3.0
Moved authentication, server and password to config system alertemail.
FortiOS v3.0 MR2
New keywords added for:
• IPS-logs
• firewall-authentication-failure-logs
• HA-logs
• IPSec-errors-logs
• FDS-update-logs
• PPP-errors-logs
• sslvpn-authentication-errors-logs
• antivirus-logs
• webfilter-logs
• configuration-changes-logs
• violation-traffic-logs
• admin-login-logs
• FDS-license-expiring-warning
• local-disk-usage-warning
• FDS-license-expiring-days
• local-disk-usage
FortiOS v3.0 MR4
Added fortiguard-log-quota-warning keyword.
Related topics
• system alertemail
• system dns
antivirus

Use antivirus commands to configure antivirus scanning for services, quarantine options, and to enable or disable grayware and heuristic scanning.

This chapter contains the following sections:
filepattern
grayware
heuristic
quarantine
quarfilepattern
service
filepattern

Use this command to add, edit or delete the file patterns used for virus blocking and to set which protocols to check for files to block.

If you need to add configuration via the CLI that requires ? as part of the configuration, you need to input CTRL-V first. If you enter the question mark (?) without first using CTRL-V, the question mark has a different meaning in the CLI: it shows the available command options in that section.

For example, if you enter ? without CTRL-V:
edit "*.xe
token line: Unmatched double quote.

If you enter ? with CTRL-V:
edit "*.xe?"
new entry '*.xe?' added
Syntax
config antivirus filepattern
    edit
        set name
        set comment
        config entries
            edit
                set action {allow | block | intercept}
                set active {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
                set file-type {unknown | ignored | activemime | arj | aspack | base64 | bat | binhex | bzip | bzip2 | cab | com | elf | exe | fsg | genscript | gzip | hlp | hta | html | javascript | lzh | mime | msc | msoffice | perlscript | petite | rar | shellscript | sis | tar | upx | uue | vbs | zip} (FortiOS Carrier)
                set filter-type {pattern | type} (FortiOS Carrier)
        end
end

Keywords and variables    Description    Default
edit
A unique number to identify the file pattern list.

name
The name of the file pattern header list.

comment
The comment attached to the file pattern header list.

edit (config entries)
The name of the file pattern being configured. This can be any character string.

action {allow | block | intercept}
The action taken when a matching file is being transferred via a set active protocol.
• Select allow to have the FortiGate unit allow matching files.
• Select block to have the FortiGate unit block matching files.
• Select intercept to allow matching files, with a copy sent to a quarantine. Note that the store-intercepted command in config antivirus quarantine must also be configured to quarantine intercepted files. The intercept action is supported in FortiOS Carrier.
Default: block

active {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
The action specified will affect the file pattern in the selected protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
Default: Varies.
file-type {unknown | ignored | activemime | arj | aspack | base64 | bat | binhex | bzip | bzip2 | cab | com | elf | exe | fsg | genscript | gzip | hlp | hta | html | javascript | lzh | mime | msc | msoffice | perlscript | petite | rar | shellscript | sis | tar | upx | uue | vbs | zip} (FortiOS Carrier)
This command is only available and valid when filter-type is set to type. Select the type of file the file filter will search for. Note that unlike the file pattern filter, this file type filter examines the file contents to determine what type of file it is. The file name and file extension are ignored. Because of the way the file type filter works, renaming files to make them appear to be of a different type will not allow them past the FortiGate unit without detection. Two of the available options are not file types:
• Select unknown to configure a rule affecting every file format the file type filter does not recognize. Unknown includes every file format not available in the file-type command.
• Select ignored to configure a rule affecting traffic the FortiGate unit typically does not scan. This includes primarily streaming audio and video.
Default: unknown

filter-type {pattern | type} (FortiOS Carrier)
Select the file filter detection method.
• Enter pattern to examine files only by their names. For example, if filter-type is set to pattern, and the pattern is *.zip, all files ending in .zip will trigger this file filter. Even files ending in .zip that are not actually ZIP archives will trigger this filter.
• Enter type to examine files only by their contents. Using the above example, if filter-type is set to type, and the type is zip, all ZIP archives will trigger this file filter. Even files renamed with non-zip file extensions will trigger this filter.
Default: pattern
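The difference between filter-type pattern and filter-type type is worth seeing on concrete files. The following is an added Python illustration, not FortiOS code and not the FortiGate's own detection logic: a name-only match versus a content-only match, run over four constructed sample files that include a ZIP renamed to .txt and a text file named .zip. The leading-byte signature table is an assumption that covers only a handful of the file types in the list; the function and constant names are also assumptions.

```python
"""Pattern filter versus type filter, as an added illustration.

Not FortiOS code. 'pattern' matches on the file name only; 'type' matches
on content only, so a renamed archive is still recognised. MAGIC is an
assumed signature table for a few of the listed types; the sample files
are constructed.
"""
import fnmatch

# Assumed leading-byte signatures for some entries of the 'file-type' list.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"Rar!\x1a\x07", "rar"),
]


def detect_type(data: bytes) -> str:
    """Return the file type inferred from content, or 'unknown'."""
    for signature, file_type in MAGIC:
        if data.startswith(signature):
            return file_type
    return "unknown"


def matches(filter_type: str, rule: str, name: str, data: bytes) -> bool:
    """Apply one file filter entry to a file.

    filter_type 'pattern': rule is a shell-style pattern such as '*.zip',
    compared against the file name only (case-insensitive).
    filter_type 'type': rule is a file-type keyword compared against the
    content-derived type only; 'unknown' catches everything unrecognised.
    """
    if filter_type == "pattern":
        return fnmatch.fnmatch(name.lower(), rule.lower())
    if filter_type == "type":
        return detect_type(data) == rule
    raise ValueError("filter-type must be 'pattern' or 'type'")


# Constructed sample transfers: (file name, leading bytes of the content).
SAMPLES = [
    ("report.zip", b"PK\x03\x04" + b"\x00" * 26),   # genuine ZIP archive
    ("notes.zip", b"just some text, not an archive"),   # text file named .zip
    ("photo.txt", b"PK\x03\x04" + b"\x00" * 26),    # ZIP renamed to .txt
    ("tool.bin", b"\x7fELF\x02\x01\x01"),            # ELF binary
]


def hits(filter_type: str, rule: str) -> list:
    """Names of the sample files that a given filter entry would act on."""
    return [name for name, data in SAMPLES if matches(filter_type, rule, name, data)]
```

With the pattern *.zip the filter acts on report.zip and the mis-named notes.zip but misses the renamed photo.txt; with the type zip it acts on report.zip and photo.txt and ignores notes.zip, which is the behaviour the two bullets above describe. A rule with type unknown catches only the text file, because the ELF binary is recognised.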
History
FortiOS v2.80
Substantially revised.
FortiOS v3.0
Added IM. Added multiple-list capability for models 800 and above.
Related topics
• antivirus heuristic
• antivirus grayware
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service
grayware

Use this command to enable or disable grayware scanning for the specified category.

Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user’s consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious purposes.

The FortiGate unit scans for known grayware executable programs in each category enabled. The category list and contents are added or updated whenever the FortiGate unit receives a virus update package. New categories may be added at any time and are loaded with virus updates. By default, all new categories are disabled.

Adware
Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
BHO
BHOs (Browser Helper Objects) are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4.x and higher. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information.
Dial
Dialers allow others to use the PC modem to call premium numbers or make long distance calls.
Download
Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
Game
Games are usually joke or nuisance games that may be blocked from network users.
HackerTool
Hijacker
Browser hijacking occurs when a ‘spyware’ type program changes web browser settings, including favorites or bookmarks, start pages, and menu options.
Joke
Joke programs can include custom cursors and programs that appear to affect the system.
Keylog
Keylogger programs can record every keystroke made on a keyboard including passwords, chat, and instant messages.
Misc
The miscellaneous grayware category.
NMT
Network management tools can be installed and used maliciously to change settings and disrupt network security.
P2P
P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files, often illegally.
Plugin
Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing preferences.
RAT
Remote administration tools allow outside users to remotely change and monitor a computer on a network.
Spy
Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis program that can report users’ activities, such as web browsing habits, to the advertiser’s web site where it may be recorded and analyzed.
Toolbar
While some toolbars are harmless, spyware developers can use these toolbars to monitor web habits and send information back to the developer.

Grayware scanning is enabled in a protection profile when Virus Scan is enabled.
Syntax
config antivirus grayware
    set status {enable | disable}
end

Note: The FortiGate CLI is case sensitive and the first letter of all grayware category names is uppercase.

Keywords and variables    Description    Default

The grayware category being configured.

status {enable | disable}
Enable or disable grayware scanning for the specified category.
Default: disable

Example
This example shows how to enable grayware scanning for Adware programs.
config antivirus grayware Adware
    set status enable
end
History
FortiOS v2.80
New.
Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service
• system autoupdate schedule
• execute update-av

heuristic

Use this command to configure heuristic scanning for viruses in binary files.
Syntax
config antivirus heuristic
    set mode {pass | block | disable}
end

Keywords and variables    Description    Default

mode {pass | block | disable}
Enter pass to enable heuristics but pass detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
Enter block to enable heuristics and block detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
Enter disable to disable heuristics.
Default: pass

Example
This example shows how to disable heuristic scanning.
config antivirus heuristic
    set mode disable
end
History
FortiOS v2.80
New.
Related topics
• antivirus filepattern
• antivirus quarantine
• antivirus quarfilepattern
• antivirus service

quarantine

Use this command to set file quarantine options. FortiGate units with a local disk can quarantine blocked and infected files. The quarantined files are removed from the content stream and stored on the FortiGate local disk. Users receive a message informing them that the removed files have been quarantined. FortiGate units that do not have a local disk can quarantine blocked and infected files to a FortiAnalyzer unit.

View the file names and status information about the file in the quarantined file list. Submit specific files and add file patterns to the autoupload list so they are automatically uploaded to Fortinet for analysis.

Syntax
config antivirus quarantine
    set agelimit
    set drop-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set drop-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set drop-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
    set lowspace {drop-new | ovrw-old}
    set maxfilesize
    set quar-to-fortianalyzer {enable | disable}
    set store-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
    set store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
end

Keywords and variables    Description    Default
agelimit
Specify how long files are kept in quarantine, to a maximum of 479 hours. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached, the TTL column displays EXP and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on the low disk space action.
Default: 0

drop-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
Do not quarantine blocked files found in traffic for the specified protocols. The files are deleted. NNTP support for this keyword will be added in the future. HTTP, FTP, MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
Default: imap nntp

drop-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
Do not quarantine files found by heuristic scanning in traffic for the specified protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
Default: http im imap nntp pop3 smtp

drop-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
Do not quarantine virus infected files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
Default: im imap nntp

drop-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
Do not quarantine intercepted files found in traffic for the specified protocols. The files are deleted.
Default: imap smtp pop3 http ftp mm1 mm3 mm4 mm7

lowspace {drop-new | ovrw-old}
Select the method for handling additional files when the FortiGate hard disk is running out of space. Enter ovrw-old to drop the oldest file (lowest TTL), or drop-new to drop new quarantine files.
Default: ovrw-old

maxfilesize
Specify, in MB, the maximum file size to quarantine. The FortiGate unit keeps any existing quarantined files over the limit. The FortiGate unit does not quarantine any new files larger than this value. The file size range is 0-499 MB. Enter 0 for unlimited file size.
Default: 0

quar-to-fortianalyzer {enable | disable}
For FortiGate units that do not have a local disk, send infected files to a FortiAnalyzer unit.
Default: disable

store-blocked {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
Quarantine blocked files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future. HTTP, FTP, MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
Default: No default.

store-heuristic {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
Quarantine files found by heuristic scanning in traffic for the specified protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
Default: No default.

store-infected {ftp http im imap mm1 mm3 mm4 mm7 nntp pop3 smtp}
Quarantine virus infected files found in traffic for the specified protocols. NNTP support for this keyword will be added in the future. MM1, MM3, MM4, and MM7 traffic types are supported in FortiOS Carrier.
Default: No default.

store-intercepted {ftp http imap mm1 mm3 mm4 mm7 pop3 smtp} (FortiOS Carrier)
Quarantine intercepted files found in traffic for the specified protocols.
Default: imap smtp pop3 http ftp mm1 mm3 mm4 mm7
Example
This example shows how to set the quarantine age limit to 100 hours, not quarantine blocked files from SMTP and POP3 traffic, not quarantine heuristic tagged files from SMTP and POP3 traffic, set the quarantine to drop new files if the disk is full, set the maximum file size to quarantine at 2 MB, quarantine files from IMAP traffic with blocked status, and quarantine files with heuristic status in IMAP, HTTP, and FTP traffic.
config antivirus quarantine
    set agelimit 100
    set drop-blocked smtp pop3
    set drop-heuristic smtp pop3
    set lowspace drop-new
    set maxfilesize 2
    set store-blocked imap
    set store-heuristic imap http ftp
end
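Three of the keywords above interact when the quarantine fills: agelimit (TTL column shows EXP, the file is deleted but its record stays), maxfilesize (larger new files are not quarantined, existing ones are kept) and lowspace (drop-new versus ovrw-old). The following is an added Python model of those rules on an in-memory store, not FortiOS code and not a description of how the FortiGate stores files on disk. The capacity, file sizes, class names and the choice to mark an overwritten file's record rather than delete it are all constructed assumptions for the illustration.

```python
"""In-memory model of agelimit, maxfilesize and lowspace (added illustration).

Not FortiOS code. Capacity and file sizes are constructed values in MB;
time is a plain hour counter so expiry can be exercised deterministically.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class QuarantinedFile:
    name: str
    size_mb: int
    added_hour: int
    content_present: bool = True   # False once the file itself is deleted


class QuarantineStore:
    def __init__(self, capacity_mb: int, agelimit: int = 0,
                 maxfilesize: int = 0, lowspace: str = "ovrw-old"):
        if lowspace not in ("drop-new", "ovrw-old"):
            raise ValueError("lowspace must be drop-new or ovrw-old")
        self.capacity_mb = capacity_mb    # assumed disk space for the model
        self.agelimit = agelimit          # hours; 0 keeps files indefinitely
        self.maxfilesize = maxfilesize    # MB; 0 means unlimited
        self.lowspace = lowspace
        self.records: list[QuarantinedFile] = []

    def used_mb(self) -> int:
        return sum(f.size_mb for f in self.records if f.content_present)

    def ttl(self, f: QuarantinedFile, now_hour: int) -> str:
        """TTL column: hours left, 'EXP' when expired, '-' when no age limit."""
        if self.agelimit == 0:
            return "-"
        remaining = self.agelimit - (now_hour - f.added_hour)
        return "EXP" if remaining <= 0 else str(remaining)

    def expire(self, now_hour: int) -> list:
        """Delete files past the age limit; keep their records. Return names."""
        expired = []
        for f in self.records:
            if f.content_present and self.ttl(f, now_hour) == "EXP":
                f.content_present = False   # record stays, file is gone
                expired.append(f.name)
        return expired

    def add(self, name: str, size_mb: int, now_hour: int) -> bool:
        """Quarantine a file; return False if it is dropped instead."""
        if self.maxfilesize and size_mb > self.maxfilesize:
            return False                    # over maxfilesize: not quarantined
        while self.used_mb() + size_mb > self.capacity_mb:
            if self.lowspace == "drop-new":
                return False                # disk full: the new file is dropped
            # ovrw-old: evict the oldest stored file (lowest TTL) to make room.
            oldest = min((f for f in self.records if f.content_present),
                         key=lambda f: f.added_hour, default=None)
            if oldest is None:
                return False                # nothing to evict; file cannot fit
            oldest.content_present = False  # assumption: record kept, file deleted
        self.records.append(QuarantinedFile(name, size_mb, now_hour))
        return True

    def stored_names(self) -> list:
        """Names of files whose content is still on disk."""
        return [f.name for f in self.records if f.content_present]
```

The first store below is configured like the example (agelimit 100, maxfilesize 2, lowspace drop-new) with a small assumed capacity, so the third 2 MB file is dropped while the 3 MB file never enters; the second store shows ovrw-old evicting the oldest file instead.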
History
FortiOS v2.80
Substantially revised.
FortiOS v2.80 MR2
The enable_auto_upload keyword was changed to enable-auto-submit.
FortiOS v3.0
Added IM and NNTP options.
FortiOS v3.0 MR5
Removed set enable-auto-submit, set sel-status, set use-fpat, set use-status.
Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarfilepattern
• antivirus service

quarfilepattern

Use this command to configure the file patterns used by automatic file uploading. This command is only available on FortiGate units with a hard drive.

Configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. Add file patterns to be uploaded to the autoupload list using the * wildcard character. File patterns are applied for autoupload regardless of file blocking settings. Also upload files to Fortinet based on status (blocked or heuristics) or submit individual files directly from the quarantined files list. For more information, see antivirus quarantine.

Syntax
config antivirus quarfilepattern
    edit pattern_str
        set status {enable | disable}
end

Keywords and variables    Description    Default
pattern_str
The file pattern to be quarantined.

status {enable | disable}
Enable or disable using a file pattern.
Default: disable

Example
Use the following commands to enable automatic upload of *.bat files.
config antivirus quarfilepattern
    edit *.bat
        set status enable
end
History
FortiOS v2.80
New.
FortiOS v3.0 MR5
Entire command removed.
Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus service

service

Use this command to configure how the FortiGate unit handles antivirus scanning of large files in HTTP, HTTPS, FTP, POP3, IMAP, and SMTP traffic and what ports the FortiGate unit scans for these services. For HTTPS, you can only configure the ports.

Syntax
config antivirus service
    set port
    set scan-bzip2 {enable | disable}
    set uncompnestlimit
    set uncompsizelimit
end

Keywords and variables    Description    Default
The service being configured: HTTP, HTTPS, FTP, IM, IMAP, NNTP, POP3, SMTP.

port
Configure antivirus scanning on a nonstandard port number or multiple port numbers for the service. Use ports from the range 1-65535. Add up to 20 ports.
Default: HTTP: 80, HTTPS: 443, FTP: 21, IMAP: 143, NNTP: 119, POP3: 110, SMTP: 25

scan-bzip2 {enable | disable}
Enable to allow the antivirus engine to scan the contents of bzip2 compressed files. Requires antivirus engine 1.90 for full functionality. Bzip2 scanning is extremely CPU intensive. Unless this feature is required, leave scan-bzip2 disabled.
Default: disable

uncompnestlimit
Set the maximum depth of nested archives the AV engine will scan. The limit is from 2 to 100. The supported compression formats are arj, bzip2, cab, gzip, lha, lzh, msc, rar, tar, and zip. Bzip2 support is disabled by default.
Default: 12

uncompsizelimit
Set the maximum uncompressed file size that can be buffered to memory for virus scanning. Enter a value in megabytes between 1 and the maximum oversize threshold. Enter “?” to display the range for your FortiGate unit. Enter 0 for no limit (not recommended).
Default: 10 (MB)

Note: If a file has more nesting levels than the uncompnestlimit you set, or if its uncompressed size is larger than the uncompsizelimit you set, the file will pass through without being virus scanned.

How file size limits work
The uncompsizelimit applies to the uncompressed size of the file. If other files are included within the file, the uncompressed size of each one is checked against the uncompsizelimit value. If any one of the uncompressed files is larger than the limit, the file is passed without scanning, but the total size of all uncompressed files within the original file can be greater than the uncompsizelimit.
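The two limits are easiest to understand on a real nested archive. The following is an added Python illustration, not FortiOS code and not the FortiGate AV engine's algorithm: it builds a ZIP-inside-a-ZIP in memory and walks it with a nesting bound (uncompnestlimit, outer archive at depth 1) and a per-member uncompressed size bound (uncompsizelimit, 0 for no limit), returning "pass without scanning" as soon as either is crossed. Only the zip format is handled; the function names and the sample archive are assumptions.

```python
"""Nested-archive depth and per-member uncompressed-size checks (added illustration).

Not FortiOS code. Mirrors the two rules in the text: depth is bounded, and
each contained file's uncompressed size is compared with the limit on its
own, so the total of all members may exceed the limit. ZIP only.
"""
import io
import zipfile


class LimitExceeded(Exception):
    """Raised when a nesting or size limit would be crossed."""


def make_zip(entries: dict) -> bytes:
    """Build a ZIP archive in memory from {name: bytes} (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_archive(data: bytes, nest_limit: int, size_limit_bytes: int) -> dict:
    """Walk nested ZIPs and decide whether the file can be scanned.

    nest_limit mirrors uncompnestlimit (depth 1 is the outer archive);
    size_limit_bytes mirrors uncompsizelimit (0 = no limit). Returns a dict
    with 'scannable', 'reason', 'max_depth' and 'total_uncompressed'.
    """
    total = 0
    max_depth = 0

    def walk(blob: bytes, depth: int) -> None:
        nonlocal total, max_depth
        max_depth = max(max_depth, depth)
        if depth > nest_limit:
            raise LimitExceeded("nesting deeper than uncompnestlimit")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # file_size is the member's uncompressed size; checked individually
                if size_limit_bytes and info.file_size > size_limit_bytes:
                    raise LimitExceeded(f"{info.filename} exceeds uncompsizelimit")
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    walk(member, depth + 1)      # descend into the nested archive
                else:
                    total += info.file_size      # the total may exceed the limit

    try:
        walk(data, 1)
    except LimitExceeded as exc:
        return {"scannable": False, "reason": str(exc),
                "max_depth": max_depth, "total_uncompressed": total}
    return {"scannable": True, "reason": "within limits",
            "max_depth": max_depth, "total_uncompressed": total}


# Constructed sample: an outer ZIP holding a short text file and a nested ZIP
# whose two members are 3000 bytes each once uncompressed.
INNER = make_zip({"a.txt": b"A" * 3000, "b.txt": b"B" * 3000})
OUTER = make_zip({"inner.zip": INNER, "readme.txt": b"hello"})
```

With a 4096-byte limit the sample passes even though its members total 6005 bytes, which is the "total can be greater than uncompsizelimit" case from the text; with a 2048-byte limit the first 3000-byte member trips the check, and with a nesting limit of 1 the inner archive at depth 2 does. One caveat for anyone adapting this: the size check reads the uncompressed size recorded in the ZIP headers, which an archive can misstate; a scanner that must enforce a memory bound should count bytes as it actually decompresses.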
Example
This example shows how to set the maximum uncompressed file size that can be buffered to memory for scanning to 15 MB, and how to enable antivirus scanning on ports 70, 80, and 443 for HTTP traffic.
config antivirus service http
    set uncompsizelimit 15
    set port 70
    set port 80
    set port 443
end
History
FortiOS v2.80
Substantially revised.
FortiOS v2.80 MR6
Removed diskfilesizelimit keyword.
FortiOS v2.80 MR7
Added uncompsizelimit keyword.
FortiOS v3.0
Combined all services into one section. Added IM. Added scan_bzip2. Removed client comforting and file size limit commands.
FortiOS v3.0 MR3
Added support for HTTPS. But only ports can be configured.
Related topics
• antivirus filepattern
• antivirus heuristic
• antivirus quarantine
• antivirus quarfilepattern

firewall

Use firewall commands to configure firewall policies and the data they use, including protection profiles, IP addresses and virtual IP addresses, schedules, and services. You can also configure DNS translation, IP/MAC binding, and multicast policies.

This chapter contains the following sections:
address, address6
addrgrp, addrgrp6
dnstranslation
gtp (FortiOS Carrier)
ipmacbinding setting
ipmacbinding table
ippool
ldb-monitor
multicast-policy
policy, policy6
profile
schedule onetime
schedule recurring
service custom
service group
vip
vipgrp
address, address6

Use this command to configure firewall addresses used in firewall policies. An IPv4 firewall address is a set of one or more IP addresses, represented as a domain name, an IP address and a subnet mask, or an IP address range. An IPv6 firewall address is an IPv6 6-to-4 address prefix. By default, FortiGate units have the firewall address All, which represents any IP address.

Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. If an address is selected in a policy, it cannot be deleted until it is deselected from the policy.

Syntax
config firewall address
    edit
        set associated-interface
        set end-ip
        set fqdn
        set start-ip
        set subnet
        set type {ipmask | iprange | fqdn}
end
config firewall address6
    edit
        set ip6
end

Keywords and variables    Description    Default
The following commands are for config firewall address.

edit
Enter the name of the address.
Default: No default.

associated-interface
Enter the name of the associated interface. If not configured, the firewall address is bound to an interface during firewall policy configuration.
Default: No default.

end-ip
If type is iprange, enter the last IP address in the range.
Default: 0.0.0.0

fqdn
If type is fqdn, enter the fully qualified domain name (FQDN).
Default: No default.

start-ip
If type is iprange, enter the first IP address in the range.
Default: 0.0.0.0

subnet
If type is ipmask, enter an IP address then its subnet mask, in dotted decimal format and separated by a space, or in CIDR format with no separation. For example, you could enter either:
• 172.168.2.5/32
• 172.168.2.5 255.255.255.255
The IP address can be for a single computer or a subnetwork. The subnet mask corresponds to the class of the IP address being added.
• A single computer’s subnet mask is 255.255.255.255 or /32.
• A class A subnet mask is 255.0.0.0 or /8.
• A class B subnet mask is 255.255.0.0 or /16.
• A class C subnet mask is 255.255.255.0 or /24.
Default: 0.0.0.0 0.0.0.0

type {ipmask | iprange | fqdn}
Select whether this firewall address is a subnet address, an address range, or a fully qualified domain name.
Default: ipmask

The following command is for config firewall address6.

edit
Enter the name of the IPv6 address prefix.
Default: No default.

ip6
If the IP address is IPv6, enter an IPv6 IP address prefix.
Default: ::/0
Example

This example shows how to add one IPv4 address of each type (ipmask, iprange, and fqdn) and how to configure an IPv6 address prefix.

    config firewall address
        edit Example_Subnet
            set type ipmask
            set subnet 192.168.1.0 255.255.255.0
        next
        edit Example_Range
            set type iprange
            set start-ip 10.10.1.10
            set end-ip 10.10.1.30
        next
        edit Example_Domain
            set type fqdn
            set fqdn www.example.com
        end

    config firewall address6
        edit Example_ipv6_Prefix
            set ip6 2002:CF8E:83CA::/48
        end
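The following Python script is an added example, not part of this reference and not FortiOS code. It parses a `config firewall address` stanza in the syntax shown above, accepts both subnet notations, validates that an iprange runs forward, and reports the entries a policy reviewer should look at: an all-zero subnet that behaves like the built-in address All, a subnet entered with host bits set, and fqdn entries whose scope depends on DNS answers rather than a fixed address. The function names, the SAMPLE stanza and the assumption that host bits beyond the mask are ignored are this example's own.

```python
"""Parse `config firewall address` stanzas and flag entries worth a second look.

Hypothetical helper, not FortiOS code. Assumes the stanza syntax shown in this
section (edit/set/next/end) and that a subnet with host bits set beyond its
mask is treated as the containing network (an assumption about FortiOS).
"""
import ipaddress
import shlex


def parse_subnet(spec):
    """Accept '172.168.2.5/32', '172.168.2.5/255.255.255.255' or
    '172.168.2.5 255.255.255.255' and return the network it denotes."""
    return ipaddress.ip_network(spec.strip().replace(" ", "/"), strict=False)


def parse_address_config(text):
    """Return {name: entry} for every edit block in a `config firewall address` stanza."""
    entries, current, name = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[0] == "edit":
            name = parts[1]
            # Defaults from the keyword table: type ipmask, all-zero subnet.
            current = {"type": "ipmask", "subnet": "0.0.0.0 0.0.0.0"}
        elif parts[0] == "set" and current is not None:
            current[parts[1]] = " ".join(parts[2:])
        elif parts[0] in ("next", "end") and current is not None:
            entries[name] = normalize(current)
            current = None
    return entries


def normalize(entry):
    """Resolve the typed fields into ipaddress objects and validate them."""
    kind = entry["type"]
    if kind == "ipmask":
        net = parse_subnet(entry["subnet"])
        given = ipaddress.ip_address(entry["subnet"].replace(" ", "/").split("/")[0])
        entry["network"] = net
        entry["host_bits_set"] = given != net.network_address
    elif kind == "iprange":
        start = ipaddress.ip_address(entry.get("start-ip", "0.0.0.0"))
        end = ipaddress.ip_address(entry.get("end-ip", "0.0.0.0"))
        if end < start:
            raise ValueError(f"end-ip {end} precedes start-ip {start}")
        entry["start"], entry["end"] = start, end
        entry["size"] = int(end) - int(start) + 1
    elif kind == "fqdn":
        if not entry.get("fqdn"):
            raise ValueError("type fqdn requires set fqdn")
    else:
        raise ValueError(f"unknown type {kind}")
    return entry


def review(entries):
    """Return (name, finding) pairs a policy reviewer should look at."""
    findings = []
    for name, e in entries.items():
        if e["type"] == "ipmask":
            if e["network"].prefixlen == 0:
                findings.append((name, "matches every IPv4 address, like the built-in address All"))
            elif e["host_bits_set"]:
                findings.append((name, f"host bits ignored; effective network is {e['network']}"))
        elif e["type"] == "iprange" and e["size"] > 256:
            findings.append((name, f"range spans {e['size']} addresses"))
        elif e["type"] == "fqdn":
            findings.append((name, "scope depends on DNS answers at run time, not on a fixed address"))
    return findings


# Constructed sample: the section's own example plus two entries that trip the checks.
SAMPLE = """\
config firewall address
    edit Example_Subnet
        set type ipmask
        set subnet 192.168.1.0 255.255.255.0
    next
    edit Example_Range
        set type iprange
        set start-ip 10.10.1.10
        set end-ip 10.10.1.30
    next
    edit Example_Domain
        set type fqdn
        set fqdn www.example.com
    next
    edit Sloppy_Host
        set subnet 192.168.1.5 255.255.255.0
    next
    edit Everything
        set subnet 0.0.0.0/0
    end
"""

if __name__ == "__main__":
    for name, finding in review(parse_address_config(SAMPLE)):
        print(f"{name}: {finding}")
```

Feed it the output of `show firewall address` from a unit to audit a live configuration; the parser tolerates the `next` between entries and the closing `end` equally.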
History

    FortiOS v2.80      Substantially revised. IP address range option added. Requirement that an address be added to an interface removed.
    FortiOS v3.0       Added fqdn.
    FortiOS v3.0 MR4   Added option associated-interface.

Related topics

    • firewall addrgrp, addrgrp6
    • firewall policy, policy6
addrgrp, addrgrp6

Use this command to configure firewall address groups used in firewall policies.

You can organize related firewall addresses into firewall address groups to simplify firewall policy configuration. For example, rather than creating three separate firewall policies for three firewall addresses, you could create a firewall address group consisting of the three firewall addresses, then create one firewall policy using that firewall address group.

Addresses, address groups, and virtual IPs must all have unique names to avoid confusion in firewall policies. If an address group is selected in a policy, it cannot be deleted unless it is first deselected in the policy.
Syntax

    config firewall addrgrp
        edit <name>
            set member <address_name> [<address_name> ...]
        end

    config firewall addrgrp6
        edit <name>
            set member <address6_name> [<address6_name> ...]
        end

Keywords and variables

<name>
    Enter the name of the address group.
    No default.

member <address_name> [<address_name> ...]
    Enter one or more names of firewall addresses to add to the address group. Separate multiple names with a space. To remove an address name from the group, retype the entire new list, omitting the address name.
    No default.
Example

This example shows how to add two firewall addresses to a firewall address group.

    config firewall addrgrp
        edit Group1
            set member Example_Subnet Example_Range
        end
History

    FortiOS v2.80      Revised.

Related topics

    • firewall address, address6
    • firewall policy, policy6
dnstranslation

Use this command to add, edit or delete a DNS translation entry.

If DNS translation is configured, the FortiGate unit rewrites the payload of outbound DNS query replies from internal DNS servers, replacing the resolved names' internal network IP addresses with external network IP address equivalents, such as a virtual IP address on a FortiGate unit's external network interface. This allows external network hosts to use an internal network DNS server for domain name resolution of hosts located on the internal network.

For example, if a virtual IP provided network address translation (NAT) between a public network, such as the Internet, and a private network containing a web server, hosts on the public network could access the web server by using its virtual IP address. However, if hosts attempted to access the web server by domain name, and the DNS server performing name resolution for that domain name was also located on the private network, the DNS query reply would contain a private network IP address, which is not routable from the external network. To solve this, you might configure DNS translation, and substitute the web server's private network IP address with the virtual IP address in DNS query replies to the public network.

DNS translation mappings between src and dst must be one-to-one; you cannot create one-to-many or many-to-one mappings. For example, if src is a single IP address, it cannot be DNS translated into a dst subnet; dst must be a single IP address, like src. If src is a subnet, dst must also be a subnet.
Syntax

    config firewall dnstranslation
        edit <id>
            set dst <ipv4_addr>
            set netmask <netmask>
            set src <ipv4_addr>
        end

Keywords and variables

<id>
    Enter the unique ID number of the DNS translation entry.
    No default.

dst <ipv4_addr>
    Enter the IP address or subnet on the external network to substitute for the resolved address in DNS query replies. dst can be either a single IP address or a subnet on the external network, but must be equal in number to the number of mapped IP addresses in src.
    Default: 0.0.0.0

netmask <netmask>
    If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst.
    Default: 0.0.0.0

src <ipv4_addr>
    Enter the IP address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst.
    Default: 0.0.0.0
Example

This example shows how to translate the resolved addresses in DNS query replies from an internal (source) subnet to an external (destination) subnet. Because netmask is 255.255.255.0, the entry maps the whole 192.168.100.0/24 subnet to 172.16.200.0/24 rather than the single host 192.168.100.12.

    config firewall dnstranslation
        edit 1
            set src 192.168.100.12
            set dst 172.16.200.190
            set netmask 255.255.255.0
        end
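To make the one-to-one rule concrete, here is an added Python model of the rewrite; it is an example written for this page, not FortiOS code. It assumes that an entry with a netmask maps src to dst network-to-network, keeping the host part of the resolved address, and that an entry left at the default netmask 0.0.0.0 maps one host to one host; the entry dictionaries, the REPLY records and the function names are constructed for the example. It also shows the consequence for the entry above: with netmask 255.255.255.0, 192.168.100.12 becomes 172.16.200.12, not 172.16.200.190.

```python
"""Model of FortiGate DNS translation applied to the A records of a DNS reply.

Hypothetical example, not FortiOS code. Assumptions: a src/dst pair with a
netmask is a network-to-network mapping that preserves the host bits of the
resolved address, and a pair left at the default netmask 0.0.0.0 maps the
single src address to the single dst address.
"""
import ipaddress


def _pair_networks(entry):
    """Return (src_net, dst_net) for a dnstranslation entry."""
    mask = entry.get("netmask", "0.0.0.0")
    if mask == "0.0.0.0":           # default: src and dst are single hosts (assumption)
        mask = "255.255.255.255"
    src = ipaddress.ip_network(f"{entry['src']}/{mask}", strict=False)
    dst = ipaddress.ip_network(f"{entry['dst']}/{mask}", strict=False)
    return src, dst


def translate(entries, resolved):
    """Rewrite one resolved IPv4 address using the first matching entry."""
    addr = ipaddress.ip_address(resolved)
    for entry in entries:
        src, dst = _pair_networks(entry)
        if addr in src:
            # One-to-one: the address keeps its offset inside the destination network.
            offset = int(addr) - int(src.network_address)
            return str(ipaddress.ip_address(int(dst.network_address) + offset))
    return resolved


def rewrite_reply(entries, answers):
    """Apply translate() to the A records of a reply; other record types pass through."""
    out = []
    for name, rtype, rdata in answers:
        out.append((name, rtype, translate(entries, rdata) if rtype == "A" else rdata))
    return out


# Constructed: the section's example entry (a /24-to-/24 mapping) and a single-host entry.
SUBNET_ENTRY = [{"src": "192.168.100.12", "dst": "172.16.200.190", "netmask": "255.255.255.0"}]
HOST_ENTRY = [{"src": "192.168.100.12", "dst": "172.16.200.190"}]

# Constructed reply from an internal DNS server.
REPLY = [
    ("www.example.com", "A", "192.168.100.12"),
    ("db.example.com", "A", "192.168.100.77"),
    ("www.example.com", "AAAA", "2001:db8::12"),
    ("mail.example.com", "A", "10.1.1.5"),
]

if __name__ == "__main__":
    for row in rewrite_reply(SUBNET_ENTRY, REPLY):
        print(row)
```

The practical check this gives you: if the address you expect external clients to see is a specific virtual IP, the entry must be a host-to-host mapping, because a subnet entry rewrites every address in the source subnet, including hosts you never intended to expose.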
History

    FortiOS v2.80      Revised.

Related topics

    • firewall vip
gtp (FortiOS Carrier)

Use this command to configure GTP (GPRS Tunneling Protocol) profiles.

Syntax

    config firewall gtp
        edit <profile_name>
            config apn
                edit <index_int>
                    set action {allow | deny}
                    set selection-mode {ms net vrf}
                    set value <apn_str>
                end
            config ie-remove-policy
                edit <id>
                    set remove-ies {apn-restriction rat-type rai uli imei}
                    set sgsn-addr <address_name>
                end
            config imsi
                edit <id>
                    set action {allow | deny}
                    set apn <apn_str>
                    set mcc-mnc <mcc_mnc_str>
                    set selection-mode {ms net vrf}
                end
            config ip-policy
                edit <id>
                    set action {allow | deny}
                    set dstaddr <address_name>
                    set srcaddr <address_name>
                end
            config noip-policy
                edit <id>
                    set action {allow | deny}
                    set start <protocol_int>
                    set end <protocol_int>
                    set type {etsi | ietf}
                end
            config policy
                edit <id>
                    set action {allow | deny}
                    set apn <apn_suffix>
                    set imei <imei_pattern>
                    set imsi <imsi_prefix>
                    set max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
                    set messages {create-req create-res update-req update-res}
                    set rai <rai_pattern>
                    set rat-type {any geran utran wlan}
                    set uli <uli_pattern>
                end
            set addr-notify <ipv4_addr>
            set apn-filter {enable | disable}
            set authorized-sgsns <address_name>
            set context-id <id_int>
            set control-plane-message-rate-limit <rate_int>
            set create-aa-pdp {allow | deny}
            set create-pdp {allow | deny}
            set data-record {allow | deny}
            set default-apn-action {allow | deny}
            set default-imsi-action {allow | deny}
            set default-ip-action {allow | deny}
            set default-noip-action {allow | deny}
            set default-policy-action {allow | deny}
            set delete-aa-pdp {allow | deny}
            set delete-pdp {allow | deny}
            set denied-log {enable | disable}
            set echo {allow | deny}
            set error-indication {allow | deny}
            set extension-log {enable | disable}
            set failure-report {allow | deny}
            set forwarded-log {enable | disable}
            set fwd-relocation {allow | deny}
            set fwd-srns-context {allow | deny}
            set gtp-in-gtp {allow | deny}
            set gtp-pdu {allow | deny}
            set handover-group <address_name>
            set identification {allow | deny}
            set ie-remover {enable | disable}
            set imsi-filter {enable | disable}
            set interface-notify <interface_name>
            set invalid-reserved-field {allow | deny}
            set ip-filter {enable | disable}
            set log-freq <drop_int>
            set max-message-length <bytes_int>
            set min-message-length <bytes_int>
            set miss-must-ie {allow | deny}
            set node-alive {allow | deny}
            set noip-filter {enable | disable}
            set note-ms-present {allow | deny}
            set out-of-state-ie {allow | deny}
            set out-of-state-message {allow | deny}
            set pdu-notification {allow | deny}
            set policy-filter {enable | disable}
            set port-notify <port_int>
            set ran-info {allow | deny}
            set rate-limited-log {enable | disable}
            set redirection {allow | deny}
            set relocation-cancel {allow | deny}
            set reserved-ie {allow | deny}
            set send-route {allow | deny}
            set seq-number-validate {enable | disable}
            set sgsn-context {allow | deny}
            set spoof-src-addr {allow | deny}
            set state-invalid-log {enable | disable}
            set support-extension {allow | deny}
            set traffic-count-log {enable | disable}
            set tunnel-limit <tunnels_int>
            set tunnel-limit-log {enable | disable}
            set tunnel-timeout <seconds_int>
            set unknown-message-action {allow | deny}
            set update-pdp {allow | deny}
            set version-not-support {allow | deny}
        end
Keywords and variables

<profile_name>
    Enter the name of this GTP profile.
    No default.

The following keywords are the options for config apn.

<index_int>
    Enter the unique ID number of the APN filter profile.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching both the APN and the selection mode specified for this APN filter profile.
    Default: allow

selection-mode {ms net vrf}
    Select the selection mode or modes required for the APN. The selection mode indicates where the APN originated and whether the Home Location Register (HLR) has verified the user subscription.
    • ms: mobile station provided APN, subscription not verified. The mobile station (MS) provided the APN and the HLR did not verify the user's subscription to the network.
    • net: network-provided APN, subscription not verified. The network provided a default APN because the MS did not specify one, and the HLR did not verify the user's subscription to the network.
    • vrf: mobile station or network-provided APN, subscription verified. The MS or the network provided the APN and the HLR verified the user's subscription to the network.
    Default: ms net vrf

value <apn_str>
    Enter the network ID and operator ID of the APN.
    No default.

The following keywords are the options for config ie-remove-policy.

<id>
    Enter the unique ID number of the IE removal policy.
    No default.

remove-ies {apn-restriction rat-type rai uli imei}
    Select the information elements to remove from messages before they are forwarded to the HGGSN. Any combination of the R6 information elements (RAT type, RAI, ULI, IMEI-SV and APN restriction) may be specified.
    Default: apn-restriction rat-type rai uli imei

sgsn-addr <address_name>
    Enter the SGSN address or address group the IE removal policy applies to.
    Default: all

The following keywords are the options for config imsi.

<id>
    Enter the unique ID number of the IMSI filtering policy.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching the MCC-MNC, APN and selection mode specified for this IMSI filtering policy.
    Default: allow

apn <apn_str>
    Enter the network ID and operator ID of the APN.
    No default.

mcc-mnc <mcc_mnc_str>
    Enter the MCC and MNC.
    No default.

selection-mode {ms net vrf}
    Select the selection mode or modes. The values ms, net and vrf have the same meaning as for config apn above: where the APN originated and whether the HLR verified the user subscription.
    Default: ms net vrf

The following keywords are the options for config ip-policy.

<id>
    Enter the unique ID number of the encapsulated IP traffic filtering policy.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching both the source and destination addresses specified for this IP filtering policy.
    Default: allow

dstaddr <address_name>
    Enter the name of a destination address or address group.
    No default.

srcaddr <address_name>
    Enter the name of a source address or address group.
    No default.

The following keywords are the options for config noip-policy.

<id>
    Enter the unique ID number of the encapsulated non-IP traffic filtering policy.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching the protocol range and type specified for this non-IP filtering policy.
    Default: allow

start <protocol_int>
    Enter the number of the first protocol in the range. Acceptable values range from 0 to 255.
    Default: 0

end <protocol_int>
    Enter the number of the last protocol in the range. Acceptable values range from 0 to 255.
    Default: 0

type {etsi | ietf}
    Select an ETSI or IETF protocol type.
    Default: etsi

The following keywords are the options for config policy.

<id>
    Enter the unique ID number of the advanced filtering policy.
    No default.

action {allow | deny}
    Select to allow or deny traffic matching the message attributes specified for this advanced filtering policy.
    Default: allow

apn <apn_suffix>
    Enter the APN suffix, if required.
    No default.

imei <imei_pattern>
    Enter the IMEI(SV) pattern, if required.
    No default.

imsi <imsi_prefix>
    Enter the IMSI prefix, if required.
    No default.

max-apn-restriction {all | private-1 | private-2 | public-1 | public-2}
    Select the maximum APN restriction.
    Default: all
messages {create-req create-res update-req update-res}
    Enter the type or types of GTP messages.
    Default: create-req

rai <rai_pattern>
    Enter the RAI pattern.
    No default.

rat-type {any geran utran wlan}
    Enter the RAT type or types.
    Default: any

uli <uli_pattern>
    Enter the ULI pattern.
    No default.

The following keywords are the options for edit <profile_name>.

addr-notify <ipv4_addr>
    Enter the IP address of the Gi firewall.
    Default: 0.0.0.0

apn-filter {enable | disable}
    Select to apply APN filter policies.
    Default: disable

authorized-sgsns <address_name>
    Enter the authorized SGSN addresses or groups. Any SGSN not covered by the specified addresses will not be able to send packets to the GGSN. All firewall addresses and groups defined on the FortiGate unit are available for use with this keyword.
    Default: all

context-id <id_int>
    Enter the security context ID. This ID must match the ID entered on the server Gi firewall.
    Default: 696

control-plane-message-rate-limit <rate_int>
    Enter the control plane message rate limit. Acceptable values range from 0 (no limiting) to 2147483674 packets per second. FortiGate units can limit the packet rate to protect the GSNs from possible Denial of Service (DoS) attacks, such as border gateway bandwidth saturation or a GTP flood.
    Default: 0

create-aa-pdp {allow | deny}
    Select to allow or deny all Create AA PDP Context messages.
    Default: allow

create-pdp {allow | deny}
    Select to allow or deny all Create PDP Context messages.
    Default: allow

data-record {allow | deny}
    Select to allow or deny all data record messages.
    Default: allow

default-apn-action {allow | deny}
    Select to allow or deny any APN that is not explicitly defined in an APN policy.
    Default: allow

default-imsi-action {allow | deny}
    Select to allow or deny any IMSI that is not explicitly defined in an IMSI policy.
    Default: allow

default-ip-action {allow | deny}
    Select to allow or deny any encapsulated IP address traffic that is not explicitly defined in an IP policy.
    Default: allow

default-noip-action {allow | deny}
    Select to allow or deny any encapsulated non-IP protocol that is not explicitly defined in a non-IP policy.
    Default: allow

default-policy-action {allow | deny}
    Select to allow or deny any traffic that is not explicitly defined in an advanced filtering policy.
    Default: allow

delete-aa-pdp {allow | deny}
    Select to allow or deny all Delete AA PDP Context messages.
    Default: allow

delete-pdp {allow | deny}
    Select to allow or deny all Delete PDP Context messages.
    Default: allow

denied-log {enable | disable}
    Select to log denied GTP packets.
    Default: disable

echo {allow | deny}
    Select to allow or deny all echo messages.
    Default: allow

error-indication {allow | deny}
    Select to allow or deny all error indication messages.
    Default: allow
extension-log {enable | disable}
    Select to log extended information about GTP packets. When enabled, this additional information is included in log entries:
    • IMSI
    • MSISDN
    • APN
    • Selection Mode
    • SGSN address for signaling
    • SGSN address for user data
    • GGSN address for signaling
    • GGSN address for user data
    Default: disable

failure-report {allow | deny}
    Select to allow or deny all failure report messages.
    Default: allow

forwarded-log {enable | disable}
    Select to log forwarded GTP packets.
    Default: disable

fwd-relocation {allow | deny}
    Select to allow or deny all forward relocation messages.
    Default: allow

fwd-srns-context {allow | deny}
    Select to allow or deny all forward SRNS context messages.
    Default: allow

gtp-in-gtp {allow | deny}
    Select to allow or deny GTP packets that contain another GTP packet in the message body.
    Default: allow

gtp-pdu {allow | deny}
    Select to allow or deny all G-PDU messages.
    Default: allow

handover-group <address_name>
    Handover requests are honored only from the addresses in the specified address group, so an untrusted GSN cannot hijack a GTP tunnel with a handover request.

identification {allow | deny}
    Select to allow or deny all identification messages.
    Default: allow

ie-remover {enable | disable}
    Select whether to use information element removal policies.
    Default: disable

imsi-filter {enable | disable}
    Select whether to use IMSI filter policies.
    Default: disable

interface-notify <interface_name>
    Enter any local interface of the FortiGate unit. The interface IP address is used to send the "clear session" message.

invalid-reserved-field {allow | deny}
    Select to allow or deny GTP packets with invalid reserved fields. Depending on the GTP version, a varying number of header fields are reserved and should contain specific values. If the reserved fields contain incorrect values, the packet is blocked when this keyword is set to deny.
    Default: deny

ip-filter {enable | disable}
    Select whether to use encapsulated IP traffic filtering policies.
    Default: disable

log-freq <drop_int>
    Enter the number of messages to drop between logged messages. An overflow of log messages can occur when logging rate-limited GTP packets that exceed their defined threshold. To conserve resources on the syslog server and the FortiGate unit, you can specify that some log messages are dropped. For example, to log only every twentieth message, set a logging frequency of 19: 19 messages are skipped and the next one is logged. Acceptable values range from 0 to 2147483674. When set to 0, no messages are skipped.
    Default: 0
max-message-length <bytes_int>
    Enter the maximum GTP message size, in bytes, that the FortiGate unit allows to pass. Acceptable values range from 0 to 2147483674 bytes. When set to 0, the maximum size restriction is disabled.
    Default: 1452

min-message-length <bytes_int>
    Enter the minimum GTP message size, in bytes, that the FortiGate unit allows to pass. Acceptable values range from 0 to 2147483674 bytes. When set to 0, the minimum size restriction is disabled.
    Default: 0

miss-must-ie {allow | deny}
    Select to allow or deny passage of GTP packets with missing mandatory information elements to the GGSN.
    Default: deny

node-alive {allow | deny}
    Select to allow or deny all node alive messages.
    Default: allow

noip-filter {enable | disable}
    Enable or disable the configured encapsulated non-IP traffic filtering policies.
    Default: disable

note-ms-present {allow | deny}
    Select to allow or deny all note MS GPRS present messages.
    Default: allow

out-of-state-ie {allow | deny}
    Select to allow or deny passage of GTP packets with out of sequence information elements.
    Default: deny

out-of-state-message {allow | deny}
    Select to allow or deny out of state messages. The GTP protocol requires a certain state to be kept by both the GGSN and the SGSN. Because GTP is stateful, some message types can only be sent in specific states. Packets that do not make sense in the current state should be filtered or rejected.
    Default: deny

pdu-notification {allow | deny}
    Select to allow or deny all PDU notification messages.
    Default: allow

policy-filter {enable | disable}
    Enable or disable the configured advanced filtering policies.
    Default: disable

port-notify <port_int>
    Enter the server firewall's listening port number.
    Default: 21123

ran-info {allow | deny}
    Select to allow or deny all RAN info relay messages.
    Default: allow

rate-limited-log {enable | disable}
    Enable or disable the logging of rate-limited GTP packets.
    Default: disable

redirection {allow | deny}
    Select to allow or deny all redirection messages.
    Default: allow

relocation-cancel {allow | deny}
    Select to allow or deny all relocation cancel messages.
    Default: allow

reserved-ie {allow | deny}
    Select to allow or deny GTP messages with reserved or undefined information elements.
    Default: deny

send-route {allow | deny}
    Select to allow or deny all send route messages.
    Default: allow

seq-number-validate {enable | disable}
    Enable or disable sequence number validation. The GTP packet header contains a sequence number that the sending and receiving GSNs use to ensure the packets are in sequence. The FortiGate unit can assume this task and save GGSN resources.
    Default: disable

sgsn-context {allow | deny}
    Select to allow or deny all SGSN context messages.
    Default: allow

spoof-src-addr {allow | deny}
    Select to allow or deny packets containing spoofed MS addresses. Because the MS address is negotiated within the PDP Context creation handshake, any packet originating from the MS that contains a different source address is detected and dropped when this keyword is set to deny.
    Default: deny
state-invalid-log {enable | disable}
    Enable or disable the logging of GTP packets that have failed stateful inspection.
    Default: disable

support-extension {allow | deny}
    Select to allow or deny all support extension messages.
    Default: allow

traffic-count-log {enable | disable}
    Enable or disable logging the total number of control and user data messages received from and forwarded to the GGSNs and SGSNs the FortiGate unit protects.
    Default: disable

tunnel-limit <tunnels_int>
    Enter the maximum number of GTP tunnels, according to the GSN capacity.
    Default: 0

tunnel-limit-log {enable | disable}
    Enable or disable logging of packets dropped because the maximum number of GTP tunnels for the destination GSN has been reached.
    Default: disable

tunnel-timeout <seconds_int>
    Enter a tunnel timeout value, in seconds. By setting a timeout value, you can configure the FortiGate unit to remove hanging tunnels. Acceptable values range from 0 to 2147483674 seconds. When set to 0, the timeout is disabled.
    Default: 86400

unknown-message-action {allow | deny}
    Select to allow or deny all unknown message types.
    Default: allow

update-pdp {allow | deny}
    Select to allow or deny all Update PDP Context messages.
    Default: allow

version-not-support {allow | deny}
    Select to allow or deny all version not supported messages.
    Default: allow

History

    FortiOS v3.0       Revised.

Related topics

    • firewall vip
ipmacbinding setting

Use this command to configure IP to MAC address binding settings.

IP/MAC binding protects the FortiGate unit and/or the network from IP address spoofing attacks. IP spoofing attacks attempt to use the IP address of a trusted computer to connect to, or through, the FortiGate unit from a different computer. It is simple to change a computer's IP address to mimic that of a trusted host, but MAC addresses are usually assigned to Ethernet cards at the factory and are more difficult to change. By requiring that traffic from trusted hosts carry both the IP address and the MAC address known for that host, fraudulent connections are more difficult to construct. Keep in mind that most operating systems allow the MAC address to be overridden in software, so IP/MAC binding raises the cost of spoofing rather than eliminating it, and it only covers hosts on the directly attached segment whose MAC addresses the FortiGate unit can see.

To configure the table of IP addresses and the MAC addresses bound to them, see "ipmacbinding table" on page 97. To enable or disable IP/MAC binding for an individual FortiGate unit network interface, see ipmac in "system interface" on page 373.

Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC binding list, the new or changed hosts will not have access to or through the FortiGate unit. For details on updating the IP/MAC binding table, see "ipmacbinding table" on page 97.

Caution: If a client receives an IP address from the FortiGate unit's DHCP server, the client's MAC address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding configuration, but can also neutralize the protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP server.
Syntax

    config firewall ipmacbinding setting
        set bindthroughfw {enable | disable}
        set bindtofw {enable | disable}
        set undefinedhost {allow | block}
    end

Keywords and variables

bindthroughfw {enable | disable}
    Select to use IP/MAC binding to filter packets that a firewall policy would normally allow through the FortiGate unit.
    Default: disable

bindtofw {enable | disable}
    Select to use IP/MAC binding to filter packets that would normally connect to the FortiGate unit.
    Default: disable

undefinedhost {allow | block}
    Select how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list, for traffic going through or to the FortiGate unit.
    • allow: Allow packets with IP and MAC address pairs that are not in the IP/MAC binding list.
    • block: Block packets with IP and MAC address pairs that are not in the IP/MAC binding list.
    This option is available only when bindthroughfw, bindtofw, or both are enabled.
    Default: block
Example

This example shows how to enable IP/MAC binding for traffic both going to and through the FortiGate unit, and block undefined hosts (IP/MAC address pairs).

    config firewall ipmacbinding setting
        set bindthroughfw enable
        set bindtofw enable
        set undefinedhost block
    end
History

    FortiOS v2.80      Revised.

Related topics

    • firewall ipmacbinding table
ipmacbinding table

Use this command to configure IP and MAC address pairs in the IP/MAC binding table. You can bind multiple IP addresses to the same MAC address, but you cannot bind multiple MAC addresses to the same IP address.

To configure the IP/MAC binding settings, see "ipmacbinding setting" on page 95. To enable or disable IP/MAC binding for an individual FortiGate unit network interface, see ipmac in "system interface" on page 373.

Note: If IP/MAC binding is enabled, and the IP address of a host with an IP or MAC address in the IP/MAC table is changed, or a new computer is added to the network, update the IP/MAC table. If you do not update the IP/MAC binding list, the new or changed hosts will not have access to or through the FortiGate unit.

Caution: If a client receives an IP address from the FortiGate unit's DHCP server, the client's MAC address is automatically registered in the IP/MAC binding table. This can simplify IP/MAC binding configuration, but can also neutralize the protection offered by IP/MAC binding if untrusted hosts are allowed to access the DHCP server. Use caution when enabling and providing access to the DHCP server.
Syntax

    config firewall ipmacbinding table
        edit <id>
            set ip <ipv4_addr>
            set mac <mac_addr>
            set name <name_str>
            set status {enable | disable}
        end

Keywords and variables

<id>
    Enter the unique ID number of this IP/MAC pair.
    No default.

ip <ipv4_addr>
    Enter the IP address to bind to the MAC address. To allow all packets with the MAC address, regardless of the IP address, set the IP address to 0.0.0.0.
    Default: 0.0.0.0

mac <mac_addr>
    Enter the MAC address. To allow all packets with the IP address, regardless of the MAC address, set the MAC address to 00:00:00:00:00:00.
    Default: 00:00:00:00:00:00

name <name_str>
    Enter a name for this entry in the IP/MAC address table. (Optional.)
    Default: noname

status {enable | disable}
    Select to enable this IP/MAC address pair. Packets matching an enabled IP/MAC binding are matched against the firewall policy list. Packets not matching any enabled binding are handled according to undefinedhost in ipmacbinding setting, which blocks them by default.
    Default: disable
Example

This example shows how to add and enable an IP/MAC entry in the IP/MAC binding table.

    config firewall ipmacbinding table
        edit 1
            set ip 172.16.44.55
            set mac 00:10:F3:04:7A:4C
            set name RemoteAdmin
            set status enable
        end
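The following Python class is an added example, not FortiOS code, that models how the ipmacbinding setting keywords (bindtofw, bindthroughfw, undefinedhost) and the table entries combine for both sections above: the 0.0.0.0 and 00:00:00:00:00:00 wildcards, the rule that several IPs may share one MAC but one IP may not have several MACs, and entries left with status disable. It follows this reference's wording, under which any IP/MAC pair not found in an enabled entry, including a known IP arriving from the wrong MAC, is handled by undefinedhost; the class, its method names and the sample entries in demo() are constructed for the example.

```python
"""Model of IP/MAC binding enforcement as described for `ipmacbinding setting`
and `ipmacbinding table`. Hypothetical example, not FortiOS code. It follows the
page's wording: a packet whose IP/MAC pair is in an enabled table entry goes on
to the firewall policy list; any other pair is handled by undefinedhost.
"""

ANY_IP = "0.0.0.0"                  # table wildcard: any IP for the given MAC
ANY_MAC = "00:00:00:00:00:00"       # table wildcard: any MAC for the given IP


class IpMacBinding:
    def __init__(self, bindthroughfw=False, bindtofw=False, undefinedhost="block"):
        if undefinedhost not in ("allow", "block"):
            raise ValueError("undefinedhost must be allow or block")
        self.bindthroughfw = bindthroughfw
        self.bindtofw = bindtofw
        self.undefinedhost = undefinedhost
        self.table = []

    def add(self, entry_id, ip, mac, name="noname", status=False):
        """Add a table entry. Several IPs may share one MAC, but one IP may not
        be bound to several MACs."""
        mac = mac.lower()
        for e in self.table:
            if e["ip"] == ip and ip != ANY_IP and e["mac"] != mac:
                raise ValueError(f"{ip} is already bound to {e['mac']}")
        self.table.append({"id": entry_id, "ip": ip, "mac": mac, "name": name, "status": status})

    def classify(self, ip, mac):
        """'bound' if an enabled entry covers the pair, 'spoofed' if the IP is
        bound to a different MAC, otherwise 'unknown'."""
        mac = mac.lower()
        ip_known = False
        for e in self.table:
            if not e["status"]:          # disabled entries are not consulted
                continue
            ip_ok = e["ip"] in (ANY_IP, ip)
            mac_ok = e["mac"] in (ANY_MAC, mac)
            if ip_ok and mac_ok:
                return "bound"
            if e["ip"] == ip:
                ip_known = True
        return "spoofed" if ip_known else "unknown"

    def decide(self, direction, ip, mac):
        """direction is 'to' (traffic for the unit) or 'through' (forwarded).
        Returns 'policy' (continue to the firewall policy list), 'allow' or 'block'."""
        enforced = {"to": self.bindtofw, "through": self.bindthroughfw}[direction]
        if not enforced:
            return "policy"              # binding not consulted in this direction
        if self.classify(ip, mac) == "bound":
            return "policy"
        return self.undefinedhost        # unlisted pair, spoofed or unknown alike


def demo(**settings):
    """Constructed table: the section's RemoteAdmin entry, a second IP on the same
    NIC, a wildcard-IP entry, and one entry that was never enabled."""
    b = IpMacBinding(**settings)
    b.add(1, "172.16.44.55", "00:10:F3:04:7A:4C", "RemoteAdmin", status=True)
    b.add(2, "172.16.44.56", "00:10:F3:04:7A:4C", "RemoteAdmin2", status=True)
    b.add(3, ANY_IP, "00:11:22:33:44:55", "AnyIPForThisNIC", status=True)
    b.add(4, "172.16.44.60", "00:aa:bb:cc:dd:ee", "Pending", status=False)
    return b


if __name__ == "__main__":
    strict = demo(bindthroughfw=True, bindtofw=True, undefinedhost="block")
    for ip, mac in [("172.16.44.55", "00:10:f3:04:7a:4c"),
                    ("172.16.44.55", "00:de:ad:be:ef:00"),
                    ("10.9.9.9", "00:11:22:33:44:55")]:
        print(ip, mac, strict.classify(ip, mac), strict.decide("through", ip, mac))
```

The two settings worth running side by side are undefinedhost block and undefinedhost allow with the same table: with allow, a spoofed pair (the RemoteAdmin IP from an unknown MAC) sails through to the policy list, which is the situation the DHCP caution above warns about.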
History

    FortiOS v2.80      Revised.

Related topics

    • firewall ipmacbinding setting
ippool

Use this command to configure IP address pools that you can use in NAT mode firewall policies.

An IP pool, also called a dynamic IP pool, is a range of IP addresses added to a firewall interface. You can enable Dynamic IP Pool in a firewall policy to translate the source address to an address randomly selected from the IP pool. To use IP pools, the IP pool interface must be the same as the firewall policy destination interface.

Add an IP pool in order to add NAT mode policies that translate source addresses to addresses randomly selected from the IP pool rather than being limited to the IP address of the destination interface. IP pools are only available in NAT/Route mode. You can add multiple IP pools to any interface and configure each firewall policy to select the IP pool it uses.
Syntax

    config firewall ippool
        edit <id>
            set endip <ipv4_addr>
            set interface <interface_name>
            set startip <ipv4_addr>
        end

Keywords and variables

<id>
    The unique ID number of this IP pool.
    No default.

endip <ipv4_addr>
    The end IP of the address range. The end IP must be higher than the start IP. The end IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0

interface <interface_name>
    Enter the name of a network interface, binding the IP pool to that interface. On FortiGate-200 models and greater, the network interface can also be a VLAN subinterface.
    No default.

startip <ipv4_addr>
    The start IP of the address range. The start IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
    Default: 0.0.0.0
Example

You might use the following commands to add an IP pool to the internal network interface. The IP pool would then be available when configuring firewall policies.

    config firewall ippool
        edit 1
            set startip 192.168.1.100
            set endip 192.168.1.200
            set interface internal
        end
History

    FortiOS v2.80      Revised.

Related topics

    • firewall policy, policy6
ldb-monitor

Use this command to configure health check settings.

Health check settings can be used by load balancing VIPs to determine whether a real server is currently responsive before forwarding traffic. One health check is sent per interval using the specified protocol, port and HTTP GET request, where applicable to the protocol. If the server does not respond during the timeout period, the health check fails and, if retries are configured, another health check is performed. If all health checks fail, the server is deemed unavailable, and another real server is selected to receive the traffic according to the selected load balancing algorithm. Note that a response is any reply within the timeout: for an http monitor without http-match, an error page from the server counts as a response.

Health check settings can be re-used by multiple real servers. For details on enabling health checking and using configured health check settings, see "firewall vip" on page 155.
Syntax

    config firewall ldb-monitor
        edit
            set http-get
            set http-match
            set interval
            set port
            set retry
            set timeout
            set type {http | ping | tcp}
        end

Keywords and variables

name (entered with edit)
    Enter the name of the health check monitor.
    Default: No default.

http-get
    Enter the path (URI) of the HTTP-GET request to use when testing the responsiveness of the server. This option appears only if type is http.
    Default: No default.

http-match
    Enter the content of the server's reply to the HTTP request that must be matched for the health check to succeed. If the FortiGate unit does not receive a reply from the server, or its reply does not contain matching content, the health check fails. This option appears only if type is http.
    Default: No default.

interval
    Enter the interval time in seconds between health checks.
    Default: 10

port
    Enter the port number that will be used by the health check. This option does not appear if type is ping.
    Default: 0

retry
    Enter the number of times that the FortiGate unit should retry the health check if a health check fails. If all health checks, including retries, fail, the server is deemed unavailable.
    Default: 3

timeout
    Enter the timeout in seconds. If the FortiGate unit does not receive a response to the health check in this period of time, the health check fails.
    Default: 2

type {http | ping | tcp}
    Select the protocol used by the health check monitor.
    Default: No default.
Example

You might configure a health check for a server using the HTTP protocol to retrieve a web page. To ensure that a web page reply containing an error message, such as an HTTP 404 page, does not inadvertently cause the health check to succeed, you might search the reply for text that does not occur in any web server error page, such as unique text on a main page.
    config firewall ldb-monitor
        edit httphealthchecksettings
            set type http
            set port 8080
            set http-get "/index.php"
            set http-match "Welcome to Example, Inc."
            set interval 5
            set timeout 2
            set retry 2
        end
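The decision logic described for this command (reply within timeout, reply body containing http-match, up to retry further attempts before the server is deemed unavailable) is small enough to simulate. The following Python is an added example, not code from this reference or from Fortinet; it models the monitor from the example above against constructed fake servers instead of a network, including the pitfall the example warns about: a match string that also appears on the server's 404 page makes a broken application look healthy. The page bodies and server behaviours are constructed for the example; interval is carried but not slept on, since it only spaces checks in time.

```python
"""Simulate the ldb-monitor health check decision: timeout, http-match and retry."""
from dataclasses import dataclass, replace
from typing import Callable, Optional, Tuple


@dataclass
class LdbMonitor:
    type: str = "http"       # http | ping | tcp
    port: int = 0
    http_get: str = "/"      # only meaningful when type is http
    http_match: str = ""     # only meaningful when type is http
    interval: int = 10       # seconds between checks; not used in this offline model
    timeout: int = 2
    retry: int = 3


# A probe models one request: it returns (seconds_until_reply, reply_body),
# or None when no reply arrives at all.
Probe = Callable[[str], Optional[Tuple[float, str]]]


def one_check(mon: LdbMonitor, probe: Probe) -> bool:
    """A single health check: the reply must arrive within timeout and,
    for type http with http-match set, must contain the match text."""
    result = probe(mon.http_get)
    if result is None:
        return False                       # no reply from the server
    elapsed, body = result
    if elapsed > mon.timeout:
        return False                       # reply arrived after the timeout
    if mon.type == "http" and mon.http_match:
        return mon.http_match in body      # content must match
    return True                            # ping / tcp: any timely answer is enough


def server_available(mon: LdbMonitor, probe: Probe) -> bool:
    """Initial check plus up to `retry` further checks; the server is deemed
    unavailable only if every one of them fails."""
    for _ in range(1 + mon.retry):
        if one_check(mon, probe):
            return True
    return False


# Constructed page bodies, not captured from any real server.
ERROR_PAGE = "<html><title>404 Not Found</title><body>Example, Inc. - page not found</body></html>"
MAIN_PAGE = "<html><title>Example</title><body>Welcome to Example, Inc.</body></html>"


def healthy_server(path: str):
    """Serves the main page at /index.php and a 404 page elsewhere."""
    return (0.1, MAIN_PAGE if path == "/index.php" else ERROR_PAGE)


def broken_server(path: str):
    """Application is down: every path gets the 404 page, but HTTP still answers."""
    return (0.1, ERROR_PAGE)


def slow_server(path: str):
    """Answers correctly, but only after 5 s, beyond a 2 s timeout."""
    return (5.0, MAIN_PAGE)


def dead_server(path: str):
    """Never answers."""
    return None


def flaky_server(failures_before_ok: int) -> Probe:
    """Drops the first N probes, then answers correctly: exercises retry."""
    calls = {"n": 0}

    def probe(path: str):
        calls["n"] += 1
        return None if calls["n"] <= failures_before_ok else (0.1, MAIN_PAGE)
    return probe


# The monitor from the example above, a variant whose match text also occurs on
# the error page, and a variant with retries disabled.
PAGE_MONITOR = LdbMonitor(type="http", port=8080, http_get="/index.php",
                          http_match="Welcome to Example, Inc.",
                          interval=5, timeout=2, retry=2)
WEAK_MONITOR = replace(PAGE_MONITOR, http_match="Example, Inc.")
NO_RETRY_MONITOR = replace(PAGE_MONITOR, retry=0)

if __name__ == "__main__":
    print("broken server, specific match:", server_available(PAGE_MONITOR, broken_server))
    print("broken server, weak match:    ", server_available(WEAK_MONITOR, broken_server))
```

The weak monitor reports the broken server as available because "Example, Inc." is also printed on its error page; the monitor from the example, matching on text unique to the main page, correctly fails it. The flaky server shows the other side of retry: with retry 2 the third attempt succeeds and the server stays in rotation, while with retry 0 a single lost probe takes it out.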
History

    FortiOS v3.0 MR6    New command. Configures health check settings which can be used when enabling health checks for load balanced real servers associated with a virtual IP. This extends and replaces deprecated commands in config realserver for health check by ICMP ECHO (ping).

Related topics

    • firewall vip
multicast-policy

Use this command to configure a source NAT IP. This command can also be used in Transparent mode to enable multicast forwarding by adding a multicast policy. The matched forwarded (outgoing) IP multicast source IP address is translated to the configured IP address.
Syntax

    config firewall multicast-policy
        edit
            set action {accept | deny}
            set dnat
            set dstaddr
            set dstintf
            set nat
            set srcaddr
            set srcintf
            set protocol
            set start-port
            set end-port
        end

Keywords and variables

ID (entered with edit)
    Enter the unique ID number of this multicast policy.
    Default: No default.

action {accept | deny}
    Enter the policy action.
    Default: accept

dnat
    Enter an IP address to destination network address translate (DNAT) externally received multicast destination addresses to addresses that conform to your organization's internal addressing policy.
    Default: 0.0.0.0

dstaddr
    Enter the destination IP address and netmask, separated by a space, to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0

dstintf
    Enter the destination interface name to match against multicast NAT packets.
    Default: No default.

nat
    Enter the IP address to substitute for the original source IP address.
    Default: 0.0.0.0

srcaddr
    Enter the source IP address and netmask to match against multicast NAT packets.
    Default: 0.0.0.0 0.0.0.0

srcintf
    Enter the source interface name to match against multicast NAT packets.
    Default: No default.

protocol
    Limit the number of protocols (services) sent out via multicast using the FortiGate unit.
    Default: 0

start-port
    The beginning of the port range used for multicast.
    Default: No default.

end-port
    The end of the port range used for multicast.
    Default: 65535
Example

This example shows how to configure a multicast NAT policy.

    config firewall multicast-policy
        edit 1
            set dstaddr 10.0.0.1 255.255.255.0
            set dstintf dmz
            set nat 10.0.1.1
            set srcaddr 192.168.100.12 255.255.255.0
            set srcintf internal
        end
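To see what the policy above actually does to a packet, the following Python models the matching and translation steps the keyword table describes: source and destination interface, source and destination address under their netmasks, the optional port range, then the nat (source) and dnat (destination) rewrites. This is an added example, not code from this reference or from Fortinet; the policy values are copied from the example above, the packets are constructed, and two readings are assumptions labelled in the code: that the 0.0.0.0 default for nat and dnat means no translation, and that an unset start-port means the range starts at 0.

```python
"""Evaluate a firewall multicast-policy entry against a packet: match, then NAT."""
import ipaddress
from typing import Optional, Tuple

# Policy values copied from the example above; the remaining keys hold the
# documented defaults. Interpretation of 0.0.0.0 and of an unset start-port
# as "no translation" / "from port 0" is an assumption made for this example.
POLICY = {
    "action": "accept",
    "srcintf": "internal",
    "dstintf": "dmz",
    "srcaddr": "192.168.100.12 255.255.255.0",
    "dstaddr": "10.0.0.1 255.255.255.0",
    "nat": "10.0.1.1",      # translated source address
    "dnat": "0.0.0.0",      # assumed: 0.0.0.0 means the destination is left alone
    "start-port": 0,        # assumed: no start-port configured means the range begins at 0
    "end-port": 65535,
}

ANY = "0.0.0.0 0.0.0.0"


def addr_matches(addr: str, addr_mask: str) -> bool:
    """Compare a packet address against 'address netmask'; '0.0.0.0 0.0.0.0' matches all."""
    network, mask = addr_mask.split()
    net = ipaddress.IPv4Network(f"{network}/{mask}", strict=False)   # host bits are ignored
    return ipaddress.IPv4Address(addr) in net


def evaluate(policy: dict, pkt: dict) -> Tuple[str, Optional[dict]]:
    """Return ('no-match', None), ('deny', None) or ('accept', forwarded_packet).

    pkt carries srcintf, dstintf, src, dst and optionally dport.
    """
    if policy.get("srcintf") and pkt["srcintf"] != policy["srcintf"]:
        return ("no-match", None)
    if policy.get("dstintf") and pkt["dstintf"] != policy["dstintf"]:
        return ("no-match", None)
    if not addr_matches(pkt["src"], policy.get("srcaddr", ANY)):
        return ("no-match", None)
    if not addr_matches(pkt["dst"], policy.get("dstaddr", ANY)):
        return ("no-match", None)
    dport = pkt.get("dport", 0)
    if not policy.get("start-port", 0) <= dport <= policy.get("end-port", 65535):
        return ("no-match", None)
    if policy.get("action", "accept") == "deny":
        return ("deny", None)
    out = dict(pkt)
    if policy.get("nat", "0.0.0.0") != "0.0.0.0":
        out["src"] = policy["nat"]          # source NAT: rewrite the forwarded source address
    if policy.get("dnat", "0.0.0.0") != "0.0.0.0":
        out["dst"] = policy["dnat"]         # DNAT: rewrite the multicast destination address
    return ("accept", out)


# Constructed packet on the policy's source subnet, bound for the dmz subnet.
SAMPLE_PACKET = {"srcintf": "internal", "dstintf": "dmz",
                 "src": "192.168.100.77", "dst": "10.0.0.5", "dport": 5000}

if __name__ == "__main__":
    print(evaluate(POLICY, SAMPLE_PACKET))
```

Because srcaddr is matched under its netmask, the policy applies to every host on 192.168.100.0/24, not only to 192.168.100.12; if the intent is a single source host, the netmask must be 255.255.255.255.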
History

    FortiOS v2.80       Revised.
    FortiOS v3.0 MR4    Added protocol, start-port, and end-port to multicast-policy.
    FortiOS v3.0 MR5    Added dnat.

Related topics

    • system global
policy, policy6

Use this command to add, edit, or delete firewall policies. Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. The policy directs the firewall to allow the connection, deny the connection, require authentication before the connection is allowed, or apply IPSec or SSL VPN processing.

Note: If you are creating an IPv6 policy, some of the IPv4 options, such as NAT and VPN settings, are not applicable.
Syntax

    config firewall policy, policy6
        edit
            set action {accept | deny | ipsec | ssl-vpn}
            set auth-cert
            set auth-path {enable | disable}
            set auth-redirect-addr
            set comments
            set custom-log-fields
            set diffserv-forward {enable | disable}
            set diffserv-reverse {enable | disable}
            set diffservcode-forward
            set diffservcode-rev
            set disclaimer {enable | disable}
            set dstaddr
            set dstintf
            set fixedport {enable | disable}
            set forticlient-check {enable | disable}
            set forticlient-ra-notinstalled {enable | disable}
            set forticlient-ra-notlicensed {enable | disable}
            set forticlient-ra-db-outdated {enable | disable}
            set forticlient-ra-no-av {enable | disable}
            set forticlient-ra-no-fw {enable | disable}
            set forticlient-ra-no-wf {enable | disable}
            set forticlient-redir-portal {enable | disable}
            set fsae {enable | disable}
            set fsae-guest-profile
            set gbandwidth
            set groups
            set gtp_profile (FortiOS Carrier)
            set inbound {enable | disable}
            set ippool {enable | disable}
            set logtraffic {enable | disable}
            set maxbandwidth
            set nat {enable | disable}
            set natinbound {enable | disable}
            set natip
            set natoutbound {enable | disable}
            set ntlm {enable | disable}
            set outbound {enable | disable}
            set poolname
            set priority {high | low | medium}
            set profile
            set profile-status {enable | disable}
            set redirect-url
        end