
CLI Reference

config firewall profile-protocol-options

config firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options
    Description: Configure protocol options.
    edit <name>
        config cifs
            Description: Configure CIFS protocol options.
            set domain-controller {string}
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set scan-bzip2 [enable|disable]
            set server-credential-type [none|credential-replication|...]
            config server-keytab
                Description: Server keytab.
                edit <principal>
                    set keytab {string}
                next
            end
            set status [enable|disable]
            set tcp-window-maximum {integer}
            set tcp-window-minimum {integer}
            set tcp-window-size {integer}
            set tcp-window-type [auto-tuning|system|...]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        set comment {var-string}
        config dns
            Description: Configure DNS protocol options.
            set ports {integer}
            set status [enable|disable]
        end
        config ftp
            Description: Configure FTP protocol options.
            set comfort-amount {integer}
            set comfort-interval {integer}
            set explicit-ftp-tls [enable|disable]
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set stream-based-uncompressed-limit {integer}
            set tcp-window-maximum {integer}
            set tcp-window-minimum {integer}
            set tcp-window-size {integer}
            set tcp-window-type [auto-tuning|system|...]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        config http
            Description: Configure HTTP protocol options.
            set address-ip-rating [enable|disable]
            set block-page-status-code {integer}
            set comfort-amount {integer}
            set comfort-interval {integer}
            set h2c [enable|disable]
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set post-lang {option1}, {option2}, ...
            set proxy-after-tcp-handshake [enable|disable]
            set range-block [disable|enable]
            set retry-count {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set stream-based-uncompressed-limit {integer}
            set streaming-content-bypass [enable|disable]
            set strip-x-forwarded-for [disable|enable]
            set switching-protocols [bypass|block]
            set tcp-window-maximum {integer}
            set tcp-window-minimum {integer}
            set tcp-window-size {integer}
            set tcp-window-type [auto-tuning|system|...]
            set tunnel-non-http [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
            set unknown-content-encoding [block|inspect|...]
            set unknown-http-version [reject|tunnel|...]
            set verify-dns-for-policy-matching [enable|disable]
        end
        config imap
            Description: Configure IMAP protocol options.
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        config mail-signature
            Description: Configure Mail signature.
            set signature {string}
            set status [disable|enable]
        end
        config mapi
            Description: Configure MAPI protocol options.
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set scan-bzip2 [enable|disable]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        config nntp
            Description: Configure NNTP protocol options.
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set scan-bzip2 [enable|disable]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        set oversize-log [disable|enable]
        config pop3
            Description: Configure POP3 protocol options.
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        set replacemsg-group {string}
        set rpc-over-http [enable|disable]
        config smtp
            Description: Configure SMTP protocol options.
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set scan-bzip2 [enable|disable]
            set server-busy [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        config ssh
            Description: Configure SFTP and SCP protocol options.
            set comfort-amount {integer}
            set comfort-interval {integer}
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set stream-based-uncompressed-limit {integer}
            set tcp-window-maximum {integer}
            set tcp-window-minimum {integer}
            set tcp-window-size {integer}
            set tcp-window-type [auto-tuning|system|...]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        set switching-protocols-log [disable|enable]
    next
end

config firewall profile-protocol-options

Parameter

Description

Type

Size

Default

comment

Optional comments.

var-string

Maximum length: 255

name

Name.

string

Maximum length: 35

oversize-log

Enable/disable logging for antivirus oversize file blocking.

option

-

disable

Option

Description

disable

Disable logging for antivirus oversize file blocking.

enable

Enable logging for antivirus oversize file blocking.

replacemsg-group

Name of the replacement message group to be used.

string

Maximum length: 35

rpc-over-http

Enable/disable inspection of RPC over HTTP.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTP.

disable

Disable inspection of RPC over HTTP.

switching-protocols-log

Enable/disable logging for HTTP/HTTPS switching protocols.

option

-

disable

Option

Description

disable

Disable logging for HTTP/HTTPS switching protocols.

enable

Enable logging for HTTP/HTTPS switching protocols.

config cifs

Parameter

Description

Type

Size

Default

domain-controller

Domain for which to decrypt CIFS traffic.

string

Maximum length: 63

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

server-credential-type

CIFS server credential type.

option

-

none

Option

Description

none

Credential derivation not set.

credential-replication

Credential derived using a replication account on the domain controller.

credential-keytab

Credential derived using server keytab.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config server-keytab

Parameter

Description

Type

Size

Default

keytab

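Base64-encoded keytab file containing the server's credentials. A keytab holds the service principal's long-term Kerberos keys, so treat this value as secret material.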

string

Maximum length: 8191

principal

Service principal. For example, host/cifsserver.example.com@example.com.

string

Maximum length: 511

config dns

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config ftp

Parameter

Description

Type

Size

Default

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

explicit-ftp-tls

Enable/disable FTP redirection for explicit FTPS.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

clientcomfort

Prevent client timeout.

oversize

Block oversized file.

splice

Enable splice mode.

bypass-rest-command

Bypass REST command.

bypass-mode-command

Bypass MODE command.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

stream-based-uncompressed-limit

Maximum size, in megabytes, of stream-based uncompressed data that will be scanned. Stream-based uncompression is used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config http

Parameter

Description

Type

Size

Default

address-ip-rating

Enable/disable IP based URL rating.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

block-page-status-code

Code number returned for blocked HTTP pages.

integer

Minimum value: 100 Maximum value: 599

403

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

h2c

Enable/disable h2c HTTP connection upgrade.

option

-

disable

Option

Description

enable

Allow h2c (HTTP/2 cleartext) HTTP connection upgrades. Content scanning is not supported for h2c tunnels.

disable

Do not allow h2c HTTP connection upgrades.

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

oversize

Block oversized file.

chunkedbypass

Bypass chunked transfer encoded sites.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

post-lang

ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).

option

-

Option

Description

jisx0201

Japanese Industrial Standard 0201.

jisx0208

Japanese Industrial Standard 0208.

jisx0212

Japanese Industrial Standard 0212.

gb2312

Guojia Biaozhun 2312 (simplified Chinese).

ksc5601-ex

Wansung Korean standard 5601.

euc-jp

Extended Unix Code (EUC) Japanese.

sjis

Shift Japanese Industrial Standard.

iso2022-jp

ISO 2022 Japanese.

iso2022-jp-1

ISO 2022-1 Japanese.

iso2022-jp-2

ISO 2022-2 Japanese.

euc-cn

Extended Unix Code (EUC) Chinese.

ces-gbk

Extended GB2312 (simplified Chinese).

hz

Hanzi simplified Chinese.

ces-big5

Big-5 traditional Chinese.

euc-kr

Extended Unix Code (EUC) Korean.

iso2022-jp-3

ISO 2022-3 Japanese.

iso8859-1

ISO 8859 Part 1 (Western European).

tis620

Thai Industrial Standard 620.

cp874

Code Page 874 (Thai).

cp1252

Code Page 1252 (Western European Latin).

cp1251

Code Page 1251 (Cyrillic).

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

range-block

Enable/disable blocking of partial downloads.

option

-

disable

Option

Description

disable

Disable range header blocking (allow partial file downloads).

enable

Enable range header blocking (treat all partial file downloads as full file downloads).

retry-count

Number of attempts to retry HTTP connection.

integer

Minimum value: 0 Maximum value: 100

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

stream-based-uncompressed-limit

Maximum size, in megabytes, of stream-based uncompressed data that will be scanned. Stream-based uncompression is used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

streaming-content-bypass

Enable/disable bypassing of streaming content from buffering.

option

-

enable

Option

Description

enable

Enable bypassing of streaming content from buffering

disable

Disable bypassing of streaming content from buffering

strip-x-forwarded-for

Enable/disable stripping of HTTP X-Forwarded-For header.

option

-

disable

Option

Description

disable

Disable changing of HTTP X-Forwarded-For header.

enable

Enable replacement of X-Forwarded-For value with 1.1.1.1.

switching-protocols

Bypass scanning for, or block, a connection that attempts to switch protocols.

option

-

bypass

Option

Description

bypass

Bypass scanning for connections that switch protocols.

block

Block connections when switching protocols.

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tunnel-non-http

Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. This can occur if an application sends non-HTTP traffic using an HTTP destination port.

option

-

enable

Option

Description

enable

Pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

disable

Drop or tear down non-HTTP sessions accepted by the profile.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

unknown-content-encoding

Configure the action the FortiGate unit will take on unknown content-encoding.

option

-

block

Option

Description

block

Block HTTP session when unknown content-encoding is detected.

inspect

Scan HTTP traffic as plain-text when unknown content-encoding is detected.

bypass

Bypass scan when unknown content-encoding is detected.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

verify-dns-for-policy-matching

Enable/disable verification of DNS for policy matching.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

** Values may differ between models.

config imap

Parameter

Description

Type

Size

Default

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config mail-signature

Parameter

Description

Type

Size

Default

signature

Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).

string

Maximum length: 1023

status

Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate.

option

-

disable

Option

Description

disable

Disable mail signature.

enable

Enable mail signature.

config mapi

Parameter

Description

Type

Size

Default

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config nntp

Parameter

Description

Type

Size

Default

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

splice

Enable splice mode.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config pop3

Parameter

Description

Type

Size

Default

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config smtp

Parameter

Description

Type

Size

Default

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

splice

Enable splice mode.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

server-busy

Enable/disable SMTP server busy when the server is not available.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config ssh

Parameter

Description

Type

Size

Default

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

stream-based-uncompressed-limit

Maximum size, in megabytes, of stream-based uncompressed data that will be scanned. Stream-based uncompression is used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config firewall profile-protocol-options

config firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options
    Description: Configure protocol options.
    edit <name>
        config cifs
            Description: Configure CIFS protocol options.
            set domain-controller {string}
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set scan-bzip2 [enable|disable]
            set server-credential-type [none|credential-replication|...]
            config server-keytab
                Description: Server keytab.
                edit <principal>
                    set keytab {string}
                next
            end
            set status [enable|disable]
            set tcp-window-maximum {integer}
            set tcp-window-minimum {integer}
            set tcp-window-size {integer}
            set tcp-window-type [auto-tuning|system|...]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        set comment {var-string}
        config dns
            Description: Configure DNS protocol options.
            set ports {integer}
            set status [enable|disable]
        end
        config ftp
            Description: Configure FTP protocol options.
            set comfort-amount {integer}
            set comfort-interval {integer}
            set explicit-ftp-tls [enable|disable]
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set stream-based-uncompressed-limit {integer}
            set tcp-window-maximum {integer}
            set tcp-window-minimum {integer}
            set tcp-window-size {integer}
            set tcp-window-type [auto-tuning|system|...]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        config http
            Description: Configure HTTP protocol options.
            set address-ip-rating [enable|disable]
            set block-page-status-code {integer}
            set comfort-amount {integer}
            set comfort-interval {integer}
            set h2c [enable|disable]
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set post-lang {option1}, {option2}, ...
            set proxy-after-tcp-handshake [enable|disable]
            set range-block [disable|enable]
            set retry-count {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set stream-based-uncompressed-limit {integer}
            set streaming-content-bypass [enable|disable]
            set strip-x-forwarded-for [disable|enable]
            set switching-protocols [bypass|block]
            set tcp-window-maximum {integer}
            set tcp-window-minimum {integer}
            set tcp-window-size {integer}
            set tcp-window-type [auto-tuning|system|...]
            set tunnel-non-http [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
            set unknown-content-encoding [block|inspect|...]
            set unknown-http-version [reject|tunnel|...]
            set verify-dns-for-policy-matching [enable|disable]
        end
        config imap
            Description: Configure IMAP protocol options.
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        config mail-signature
            Description: Configure Mail signature.
            set signature {string}
            set status [disable|enable]
        end
        config mapi
            Description: Configure MAPI protocol options.
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set scan-bzip2 [enable|disable]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        config nntp
            Description: Configure NNTP protocol options.
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set scan-bzip2 [enable|disable]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        set oversize-log [disable|enable]
        config pop3
            Description: Configure POP3 protocol options.
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        set replacemsg-group {string}
        set rpc-over-http [enable|disable]
        config smtp
            Description: Configure SMTP protocol options.
            set inspect-all [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set scan-bzip2 [enable|disable]
            set server-busy [enable|disable]
            set ssl-offloaded [no|yes]
            set status [enable|disable]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        config ssh
            Description: Configure SFTP and SCP protocol options.
            set comfort-amount {integer}
            set comfort-interval {integer}
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set stream-based-uncompressed-limit {integer}
            set tcp-window-maximum {integer}
            set tcp-window-minimum {integer}
            set tcp-window-size {integer}
            set tcp-window-type [auto-tuning|system|...]
            set uncompressed-nest-limit {integer}
            set uncompressed-oversize-limit {integer}
        end
        set switching-protocols-log [disable|enable]
    next
end

config firewall profile-protocol-options

Parameter

Description

Type

Size

Default

comment

Optional comments.

var-string

Maximum length: 255

name

Name.

string

Maximum length: 35

oversize-log

Enable/disable logging for antivirus oversize file blocking.

option

-

disable

Option

Description

disable

Disable logging for antivirus oversize file blocking.

enable

Enable logging for antivirus oversize file blocking.

replacemsg-group

Name of the replacement message group to be used.

string

Maximum length: 35

rpc-over-http

Enable/disable inspection of RPC over HTTP.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTP.

disable

Disable inspection of RPC over HTTP.

switching-protocols-log

Enable/disable logging for HTTP/HTTPS switching protocols.

option

-

disable

Option

Description

disable

Disable logging for HTTP/HTTPS switching protocols.

enable

Enable logging for HTTP/HTTPS switching protocols.

config cifs

Parameter

Description

Type

Size

Default

domain-controller

Domain for which to decrypt CIFS traffic.

string

Maximum length: 63

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

server-credential-type

CIFS server credential type.

option

-

none

Option

Description

none

Credential derivation not set.

credential-replication

Credential derived using a replication account on the domain controller.

credential-keytab

Credential derived using server keytab.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config server-keytab

Parameter

Description

Type

Size

Default

keytab

Base64-encoded keytab file containing the credentials of the server. The keytab holds the server's Kerberos keys, so handle it as a secret.

string

Maximum length: 8191

principal

Service principal. For example, host/cifsserver.example.com@example.com.

string

Maximum length: 511

config dns

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config ftp

Parameter

Description

Type

Size

Default

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

explicit-ftp-tls

Enable/disable FTP redirection for explicit FTPS.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

clientcomfort

Prevent client timeout.

oversize

Block oversized file.

splice

Enable splice mode.

bypass-rest-command

Bypass REST command.

bypass-mode-command

Bypass MODE command.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

Whether SSL decryption and encryption are performed by an external device instead of by the FortiGate.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

stream-based-uncompressed-limit

Maximum size, in megabytes, of stream-based uncompressed data that will be scanned. Stream-based uncompression is used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config http

Parameter

Description

Type

Size

Default

address-ip-rating

Enable/disable IP based URL rating.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

block-page-status-code

Code number returned for blocked HTTP pages.

integer

Minimum value: 100 Maximum value: 599

403

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

h2c

Enable/disable h2c HTTP connection upgrade.

option

-

disable

Option

Description

enable

Allow h2c HTTP connection upgrades. h2c tunnels do not support content scanning, so traffic on an upgraded connection is not scanned.

disable

Do not allow h2c HTTP connection upgrades.

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

oversize

Block oversized file.

chunkedbypass

Bypass chunked transfer encoded sites.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

post-lang

ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).

option

-

Option

Description

jisx0201

Japanese Industrial Standard 0201.

jisx0208

Japanese Industrial Standard 0208.

jisx0212

Japanese Industrial Standard 0212.

gb2312

Guojia Biaozhun 2312 (simplified Chinese).

ksc5601-ex

Wansung Korean standard 5601.

euc-jp

Extended Unix Code (EUC) Japanese.

sjis

Shift Japanese Industrial Standard.

iso2022-jp

ISO 2022 Japanese.

iso2022-jp-1

ISO 2022-1 Japanese.

iso2022-jp-2

ISO 2022-2 Japanese.

euc-cn

Extended Unix Code (EUC) Chinese.

ces-gbk

Extended GB2312 (simplified Chinese).

hz

Hanzi simplified Chinese.

ces-big5

Big-5 traditional Chinese.

euc-kr

Extended Unix Code (EUC) Korean.

iso2022-jp-3

ISO 2022-3 Japanese.

iso8859-1

ISO 8859 Part 1 (Western European).

tis620

Thai Industrial Standard 620.

cp874

Code Page 874 (Thai).

cp1252

Code Page 1252 (Western European Latin).

cp1251

Code Page 1251 (Cyrillic).

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

range-block

Enable/disable blocking of partial downloads.

option

-

disable

Option

Description

disable

Disable range header blocking (allow partial file downloads).

enable

Enable range header blocking (treat every partial file download as a full file download).

retry-count

Number of attempts to retry HTTP connection.

integer

Minimum value: 0 Maximum value: 100

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

Whether SSL decryption and encryption are performed by an external device instead of by the FortiGate.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

stream-based-uncompressed-limit

Maximum size, in megabytes, of stream-based uncompressed data that will be scanned. Stream-based uncompression is used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

streaming-content-bypass

Enable/disable bypassing of streaming content from buffering.

option

-

enable

Option

Description

enable

Enable bypassing of streaming content from buffering.

disable

Disable bypassing of streaming content from buffering.

strip-x-forwarded-for

Enable/disable stripping of HTTP X-Forwarded-For header.

option

-

disable

Option

Description

disable

Disable changing of HTTP X-Forwarded-For header.

enable

Enable replacement of X-Forwarded-For value with 1.1.1.1.

switching-protocols

Bypass scanning for, or block, a connection that attempts to switch protocols.

option

-

bypass

Option

Description

bypass

Bypass scanning for connections that switch protocols.

block

Block connections when switching protocols.

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tunnel-non-http

Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port.

option

-

enable

Option

Description

enable

Pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

disable

Drop or tear down non-HTTP sessions accepted by the profile.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

unknown-content-encoding

Configure the action the FortiGate unit will take on unknown content-encoding.

option

-

block

Option

Description

block

Block HTTP session when unknown content-encoding is detected.

inspect

Scan HTTP traffic as plain-text when unknown content-encoding is detected.

bypass

Bypass scan when unknown content-encoding is detected.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

verify-dns-for-policy-matching

Enable/disable verification of DNS for policy matching.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

** Values may differ between models.

config imap

Parameter

Description

Type

Size

Default

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email. Fragmented email cannot be scanned for viruses.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

Whether SSL decryption and encryption are performed by an external device instead of by the FortiGate.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config mail-signature

Parameter

Description

Type

Size

Default

signature

Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).

string

Maximum length: 1023

status

Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate.

option

-

disable

Option

Description

disable

Disable mail signature.

enable

Enable mail signature.

config mapi

Parameter

Description

Type

Size

Default

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email. Fragmented email cannot be scanned for viruses.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config nntp

Parameter

Description

Type

Size

Default

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

splice

Enable splice mode.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config pop3

Parameter

Description

Type

Size

Default

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email. Fragmented email cannot be scanned for viruses.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

Whether SSL decryption and encryption are performed by an external device instead of by the FortiGate.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config smtp

Parameter

Description

Type

Size

Default

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email. Fragmented email cannot be scanned for viruses.

oversize

Block oversized email.

splice

Enable splice mode.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

server-busy

Enable/disable returning an SMTP server-busy error to the client when the server is not available.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

Whether SSL decryption and encryption are performed by an external device instead of by the FortiGate.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.

config ssh

Parameter

Description

Type

Size

Default

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 1606 **

10

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

Whether SSL decryption and encryption are performed by an external device instead of by the FortiGate.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

stream-based-uncompressed-limit

Maximum size, in megabytes, of stream-based uncompressed data that will be scanned. Stream-based uncompression is used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 1606 **

10

** Values may differ between models.