Fortinet white logo
Fortinet white logo

CLI Reference

config application list

config application list

Configure application control lists.

config application list
    Description: Configure application control lists.
    edit <name>
        set app-replacemsg [disable|enable]
        set comment {var-string}
        set control-default-network-services [disable|enable]
        set deep-app-inspection [disable|enable]
        config default-network-services
            Description: Default network service entries.
            edit <id>
                set port {integer}
                set services {option1}, {option2}, ...
                set violation-action [pass|monitor|...]
            next
        end
        set enforce-default-app-port [disable|enable]
        config entries
            Description: Application list entries.
            edit <id>
                set risk <level1>, <level2>, ...
                set category <id1>, <id2>, ...
                set application <id1>, <id2>, ...
                set protocols {user}
                set vendor {user}
                set technology {user}
                set behavior {user}
                set popularity {option1}, {option2}, ...
                set exclusion <id1>, <id2>, ...
                config parameters
                    Description: Application parameters.
                    edit <id>
                        config members
                            Description: Parameter tuple members.
                            edit <id>
                                set name {string}
                                set value {string}
                            next
                        end
                    next
                end
                set action [pass|block|...]
                set log [disable|enable]
                set log-packet [disable|enable]
                set rate-count {integer}
                set rate-duration {integer}
                set rate-mode [periodical|continuous]
                set rate-track [none|src-ip|...]
                set session-ttl {integer}
                set shaper {string}
                set shaper-reverse {string}
                set per-ip-shaper {string}
                set quarantine [none|attacker]
                set quarantine-expiry {user}
                set quarantine-log [disable|enable]
            next
        end
        set extended-log [enable|disable]
        set force-inclusion-ssl-di-sigs [disable|enable]
        set options {option1}, {option2}, ...
        set other-application-action [pass|block]
        set other-application-log [disable|enable]
        set p2p-block-list {option1}, {option2}, ...
        set replacemsg-group {string}
        set unknown-application-action [pass|block]
        set unknown-application-log [disable|enable]
    next
end

config application list

Parameter

Description

Type

Size

Default

app-replacemsg

Enable/disable replacement messages for blocked applications.

option

-

enable

Option

Description

disable

Disable replacement messages for blocked applications.

enable

Enable replacement messages for blocked applications.

comment

Comments.

var-string

Maximum length: 255

control-default-network-services

Enable/disable enforcement of protocols over selected ports.

option

-

disable

Option

Description

disable

Disable protocol enforcement over selected ports.

enable

Enable protocol enforcement over selected ports.

deep-app-inspection

Enable/disable deep application inspection.

option

-

enable

Option

Description

disable

Disable deep application inspection.

enable

Enable deep application inspection.

enforce-default-app-port

Enable/disable default application port enforcement for allowed applications.

option

-

disable

Option

Description

disable

Disable default application port enforcement.

enable

Enable default application port enforcement.

extended-log

Enable/disable extended logging.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

force-inclusion-ssl-di-sigs

Enable/disable forced inclusion of SSL deep inspection signatures.

option

-

disable

Option

Description

disable

Disable forced inclusion of signatures which normally require SSL deep inspection.

enable

Enable forced inclusion of signatures which normally require SSL deep inspection.

name

List name.

string

Maximum length: 35

options

Basic application protocol signatures allowed by default.

option

-

allow-dns

Option

Description

allow-dns

Allow DNS.

allow-icmp

Allow ICMP.

allow-http

Allow generic HTTP web browsing.

allow-ssl

Allow generic SSL communication.

allow-quic

Allow QUIC.

other-application-action

Action for other applications.

option

-

pass

Option

Description

pass

Allow sessions matching an application in this application list.

block

Block sessions matching an application in this application list.

other-application-log

Enable/disable logging for other applications.

option

-

disable

Option

Description

disable

Disable logging for other applications.

enable

Enable logging for other applications.

p2p-block-list

P2P applications to be block listed.

option

-

Option

Description

skype

Skype.

edonkey

Edonkey.

bittorrent

Bit torrent.

replacemsg-group

Replacement message group.

string

Maximum length: 35

unknown-application-action

Pass or block traffic from unknown applications.

option

-

pass

Option

Description

pass

Pass or allow unknown applications.

block

Drop or block unknown applications.

unknown-application-log

Enable/disable logging for unknown applications.

option

-

disable

Option

Description

disable

Disable logging for unknown applications.

enable

Enable logging for unknown applications.

config default-network-services

Parameter

Description

Type

Size

Default

id

Entry ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

port

Port number.

integer

Minimum value: 0 Maximum value: 65535

0

services

Network protocols.

option

-

Option

Description

http

HTTP.

ssh

SSH.

telnet

TELNET.

ftp

FTP.

dns

DNS.

smtp

SMTP.

pop3

POP3.

imap

IMAP.

snmp

SNMP.

nntp

NNTP.

https

HTTPS.

violation-action

Action for protocols not in the allowlist for selected port.

option

-

block

Option

Description

pass

Allow protocols not in the allowlist for selected port.

monitor

Monitor protocols not in the allowlist for selected port.

block

Block protocols not in the allowlist for selected port.

config entries

Parameter

Description

Type

Size

Default

id

Entry ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

risk <level>

Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).

Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).

integer

Minimum value: 0 Maximum value: 4294967295

category <id>

Category ID list.

Application category ID.

integer

Minimum value: 0 Maximum value: 4294967295

application <id>

ID of allowed applications.

Application IDs.

integer

Minimum value: 0 Maximum value: 4294967295

protocols

Application protocol filter.

user

Not Specified

all

vendor

Application vendor filter.

user

Not Specified

all

technology

Application technology filter.

user

Not Specified

all

behavior

Application behavior filter.

user

Not Specified

all

popularity

Application popularity filter.

option

-

1 2 3 4 5

Option

Description

1

Popularity level 1.

2

Popularity level 2.

3

Popularity level 3.

4

Popularity level 4.

5

Popularity level 5.

exclusion <id>

ID of excluded applications.

Excluded application IDs.

integer

Minimum value: 0 Maximum value: 4294967295

action

Pass or block traffic, or reset connection for traffic from this application.

option

-

block

Option

Description

pass

Pass or allow matching traffic.

block

Block or drop matching traffic.

reset

Reset sessions for matching traffic.

log

Enable/disable logging for this application list.

option

-

enable

Option

Description

disable

Disable logging.

enable

Enable logging.

log-packet

Enable/disable packet logging.

option

-

disable

Option

Description

disable

Disable packet logging.

enable

Enable packet logging.

rate-count

Count of the rate.

integer

Minimum value: 0 Maximum value: 65535

0

rate-duration

Duration (sec) of the rate.

integer

Minimum value: 1 Maximum value: 65535

60

rate-mode

Rate limit mode.

option

-

continuous

Option

Description

periodical

Allow configured number of packets every rate-duration.

continuous

Block packets once the rate is reached.

rate-track

Track the packet protocol field.

option

-

none

Option

Description

none

none

src-ip

Source IP.

dest-ip

Destination IP.

dhcp-client-mac

DHCP client.

dns-domain

DNS domain.

session-ttl

Session TTL.

integer

Minimum value: 0 Maximum value: 4294967295

0

shaper

Traffic shaper.

string

Maximum length: 35

shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

quarantine

Quarantine method.

option

-

none

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine.. Requires quarantine set to attacker.

user

Not Specified

5m

quarantine-log

Enable/disable quarantine logging.

option

-

enable

Option

Description

disable

Disable quarantine logging.

enable

Enable quarantine logging.

config parameters

Parameter

Description

Type

Size

Default

id

Parameter tuple ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

config members

Parameter

Description

Type

Size

Default

id

Parameter.

integer

Minimum value: 0 Maximum value: 4294967295

0

name

Parameter name.

string

Maximum length: 31

value

Parameter value.

string

Maximum length: 199

config application list

config application list

Configure application control lists.

config application list
    Description: Configure application control lists.
    edit <name>
        set app-replacemsg [disable|enable]
        set comment {var-string}
        set control-default-network-services [disable|enable]
        set deep-app-inspection [disable|enable]
        config default-network-services
            Description: Default network service entries.
            edit <id>
                set port {integer}
                set services {option1}, {option2}, ...
                set violation-action [pass|monitor|...]
            next
        end
        set enforce-default-app-port [disable|enable]
        config entries
            Description: Application list entries.
            edit <id>
                set risk <level1>, <level2>, ...
                set category <id1>, <id2>, ...
                set application <id1>, <id2>, ...
                set protocols {user}
                set vendor {user}
                set technology {user}
                set behavior {user}
                set popularity {option1}, {option2}, ...
                set exclusion <id1>, <id2>, ...
                config parameters
                    Description: Application parameters.
                    edit <id>
                        config members
                            Description: Parameter tuple members.
                            edit <id>
                                set name {string}
                                set value {string}
                            next
                        end
                    next
                end
                set action [pass|block|...]
                set log [disable|enable]
                set log-packet [disable|enable]
                set rate-count {integer}
                set rate-duration {integer}
                set rate-mode [periodical|continuous]
                set rate-track [none|src-ip|...]
                set session-ttl {integer}
                set shaper {string}
                set shaper-reverse {string}
                set per-ip-shaper {string}
                set quarantine [none|attacker]
                set quarantine-expiry {user}
                set quarantine-log [disable|enable]
            next
        end
        set extended-log [enable|disable]
        set force-inclusion-ssl-di-sigs [disable|enable]
        set options {option1}, {option2}, ...
        set other-application-action [pass|block]
        set other-application-log [disable|enable]
        set p2p-block-list {option1}, {option2}, ...
        set replacemsg-group {string}
        set unknown-application-action [pass|block]
        set unknown-application-log [disable|enable]
    next
end

config application list

Parameter

Description

Type

Size

Default

app-replacemsg

Enable/disable replacement messages for blocked applications.

option

-

enable

Option

Description

disable

Disable replacement messages for blocked applications.

enable

Enable replacement messages for blocked applications.

comment

Comments.

var-string

Maximum length: 255

control-default-network-services

Enable/disable enforcement of protocols over selected ports.

option

-

disable

Option

Description

disable

Disable protocol enforcement over selected ports.

enable

Enable protocol enforcement over selected ports.

deep-app-inspection

Enable/disable deep application inspection.

option

-

enable

Option

Description

disable

Disable deep application inspection.

enable

Enable deep application inspection.

enforce-default-app-port

Enable/disable default application port enforcement for allowed applications.

option

-

disable

Option

Description

disable

Disable default application port enforcement.

enable

Enable default application port enforcement.

extended-log

Enable/disable extended logging.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

force-inclusion-ssl-di-sigs

Enable/disable forced inclusion of SSL deep inspection signatures.

option

-

disable

Option

Description

disable

Disable forced inclusion of signatures which normally require SSL deep inspection.

enable

Enable forced inclusion of signatures which normally require SSL deep inspection.

name

List name.

string

Maximum length: 35

options

Basic application protocol signatures allowed by default.

option

-

allow-dns

Option

Description

allow-dns

Allow DNS.

allow-icmp

Allow ICMP.

allow-http

Allow generic HTTP web browsing.

allow-ssl

Allow generic SSL communication.

allow-quic

Allow QUIC.

other-application-action

Action for other applications.

option

-

pass

Option

Description

pass

Allow sessions matching an application in this application list.

block

Block sessions matching an application in this application list.

other-application-log

Enable/disable logging for other applications.

option

-

disable

Option

Description

disable

Disable logging for other applications.

enable

Enable logging for other applications.

p2p-block-list

P2P applications to be block listed.

option

-

Option

Description

skype

Skype.

edonkey

Edonkey.

bittorrent

Bit torrent.

replacemsg-group

Replacement message group.

string

Maximum length: 35

unknown-application-action

Pass or block traffic from unknown applications.

option

-

pass

Option

Description

pass

Pass or allow unknown applications.

block

Drop or block unknown applications.

unknown-application-log

Enable/disable logging for unknown applications.

option

-

disable

Option

Description

disable

Disable logging for unknown applications.

enable

Enable logging for unknown applications.

config default-network-services

Parameter

Description

Type

Size

Default

id

Entry ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

port

Port number.

integer

Minimum value: 0 Maximum value: 65535

0

services

Network protocols.

option

-

Option

Description

http

HTTP.

ssh

SSH.

telnet

TELNET.

ftp

FTP.

dns

DNS.

smtp

SMTP.

pop3

POP3.

imap

IMAP.

snmp

SNMP.

nntp

NNTP.

https

HTTPS.

violation-action

Action for protocols not in the allowlist for selected port.

option

-

block

Option

Description

pass

Allow protocols not in the allowlist for selected port.

monitor

Monitor protocols not in the allowlist for selected port.

block

Block protocols not in the allowlist for selected port.

config entries

Parameter

Description

Type

Size

Default

id

Entry ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

risk <level>

Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).

Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).

integer

Minimum value: 0 Maximum value: 4294967295

category <id>

Category ID list.

Application category ID.

integer

Minimum value: 0 Maximum value: 4294967295

application <id>

ID of allowed applications.

Application IDs.

integer

Minimum value: 0 Maximum value: 4294967295

protocols

Application protocol filter.

user

Not Specified

all

vendor

Application vendor filter.

user

Not Specified

all

technology

Application technology filter.

user

Not Specified

all

behavior

Application behavior filter.

user

Not Specified

all

popularity

Application popularity filter.

option

-

1 2 3 4 5

Option

Description

1

Popularity level 1.

2

Popularity level 2.

3

Popularity level 3.

4

Popularity level 4.

5

Popularity level 5.

exclusion <id>

ID of excluded applications.

Excluded application IDs.

integer

Minimum value: 0 Maximum value: 4294967295

action

Pass or block traffic, or reset connection for traffic from this application.

option

-

block

Option

Description

pass

Pass or allow matching traffic.

block

Block or drop matching traffic.

reset

Reset sessions for matching traffic.

log

Enable/disable logging for this application list.

option

-

enable

Option

Description

disable

Disable logging.

enable

Enable logging.

log-packet

Enable/disable packet logging.

option

-

disable

Option

Description

disable

Disable packet logging.

enable

Enable packet logging.

rate-count

Count of the rate.

integer

Minimum value: 0 Maximum value: 65535

0

rate-duration

Duration (sec) of the rate.

integer

Minimum value: 1 Maximum value: 65535

60

rate-mode

Rate limit mode.

option

-

continuous

Option

Description

periodical

Allow configured number of packets every rate-duration.

continuous

Block packets once the rate is reached.

rate-track

Track the packet protocol field.

option

-

none

Option

Description

none

none

src-ip

Source IP.

dest-ip

Destination IP.

dhcp-client-mac

DHCP client.

dns-domain

DNS domain.

session-ttl

Session TTL.

integer

Minimum value: 0 Maximum value: 4294967295

0

shaper

Traffic shaper.

string

Maximum length: 35

shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

quarantine

Quarantine method.

option

-

none

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine.. Requires quarantine set to attacker.

user

Not Specified

5m

quarantine-log

Enable/disable quarantine logging.

option

-

enable

Option

Description

disable

Disable quarantine logging.

enable

Enable quarantine logging.

config parameters

Parameter

Description

Type

Size

Default

id

Parameter tuple ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

config members

Parameter

Description

Type

Size

Default

id

Parameter.

integer

Minimum value: 0 Maximum value: 4294967295

0

name

Parameter name.

string

Maximum length: 31

value

Parameter value.

string

Maximum length: 199