
Script syntax

Most script syntax is the same as that used by FortiOS. For more information, see the FortiOS CLI Reference, available in the Fortinet Document Library.

Some special syntax is required by FortiManager to run CLI scripts on devices. In the examples below, values such as xxxx, x.x.x.x and "<dev_name>"-"<vdom_name>" are placeholders to be replaced with real values; commands such as set psksecret and set authpasswd take credentials, so treat any script that contains them as sensitive.

Syntax applicable for address and address6

config firewall address

edit xxxx

...regular FOS command here...

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set subnet x.x.x.x x.x.x.x

next

end

Syntax applicable for ippool and ippool6

config firewall ippool

edit xxxx

...regular FOS command here...

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set startip x.x.x.x

set endip x.x.x.x

next

end

Syntax applicable for vip, vip6, vip46, and vip64

config firewall vip

edit xxxx

...regular FOS command here...

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set extintf "any"

set extip x.x.x.x-x.x.x.x

set mappedip x.x.x.x-x.x.x.x

set arp-reply enable|disable

next

end

Syntax applicable for dynamic zone

config dynamic interface

edit xxxx

set single-intf disable

set default-mapping enable|disable

set defmap-intf xxxx

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set local-intf xxxx

set intrazone-deny enable|disable

next

end

next

end

Syntax applicable for dynamic interface

config dynamic interface

edit xxxx

set single-intf enable

set default-mapping enable|disable

set defmap-intf xxxx

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set local-intf xxxx

set intrazone-deny enable|disable

next

end

next

end

Syntax applicable for dynamic multicast interface

config dynamic multicast interface

edit xxx

set description xxx

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set local-intf xxx

next

end

next

end

Syntax applicable for local certificate (dynamic mapping)

config dynamic certificate local

edit xxxx

config dynamic_mapping

edit "<dev_name>"-"global"

set local-cert xxxx

next

end

Syntax applicable for vpn tunnel

config dynamic vpntunnel

edit xxxx

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set local-ipsec "<tunnel_name>"

next

end

Syntax applicable for vpn console table

config vpnmgr vpntable

edit xxxx

set topology star|meshed|dial

set psk-auto-generate enable|disable

set psksecret xxxx

set ike1proposal 3des-sha1 3des-md5 ...

set ike1dhgroup XXXX

set ike1keylifesec 28800

set ike1mode aggressive|main

set ike1dpd enable|disable

set ike1nattraversal enable|disable

set ike1natkeepalive 10

set ike2proposal 3des-sha1 3des-md5

set ike2dhgroup 5

set ike2keylifetype seconds|kbyte|both

set ike2keylifesec 1800

set ike2keylifekbs 5120

set ike2keepalive enable|disable

set replay enable|disable

set pfs enable|disable

set ike2autonego enable|disable

set fcc-enforcement enable|disable

set localid-type auto|fqdn|user-fqdn|keyid|addressasn1dn

set authmethod psk|signature

set inter-vdom enable|disable

set certificate XXXX

next

end

Syntax applicable for vpn console node

config vpnmgr node

edit "1"

set vpntable "<table_name>"

set role hub|spoke

set iface xxxx

set hub_iface xxxx

set automatic_routing enable|disable

set extgw_p2_per_net enable|disable

set banner xxxx

set route-overlap use-old|use-new|allow

set dns-mode manual|auto

set domain xxxx

set local-gw x.x.x.x

set unity-support enable|disable

set xauthtype disable|client|pap|chap|auto

set authusr xxxx

set authpasswd xxxx

set authusrgrp xxxx

set public-ip x.x.x.x

config protected_subnet

edit 1

set addr xxxx xxxx ...

next

end

Syntax applicable for setting installation target on policy package

config firewall policy

edit x

...regular policy command here...

set _scope "<dev_name>"-"<vdom_name>"

next

end

Syntax applicable for global policy

config global header policy

...regular policy command here...

end

config global footer policy

...regular policy command here...

end

Script syntax

Most script syntax is the same as that used by FortiOS. For more information, see the FortiOS CLI Reference, available in the Fortinet Document Library.

Some special syntax is required by FortiManager to run CLI scripts on devices. In the examples below, values such as xxxx, x.x.x.x and "<dev_name>"-"<vdom_name>" are placeholders to be replaced with real values; commands such as set psksecret and set authpasswd take credentials, so treat any script that contains them as sensitive.

Syntax applicable for address and address6

config firewall address

edit xxxx

...regular FOS command here...

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set subnet x.x.x.x x.x.x.x

next

end

Syntax applicable for ippool and ippool6

config firewall ippool

edit xxxx

...regular FOS command here...

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set startip x.x.x.x

set endip x.x.x.x

next

end

Syntax applicable for vip, vip6, vip46, and vip64

config firewall vip

edit xxxx

...regular FOS command here...

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set extintf "any"

set extip x.x.x.x-x.x.x.x

set mappedip x.x.x.x-x.x.x.x

set arp-reply enable|disable

next

end

Syntax applicable for dynamic zone

config dynamic interface

edit xxxx

set single-intf disable

set default-mapping enable|disable

set defmap-intf xxxx

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set local-intf xxxx

set intrazone-deny enable|disable

next

end

next

end

Syntax applicable for dynamic interface

config dynamic interface

edit xxxx

set single-intf enable

set default-mapping enable|disable

set defmap-intf xxxx

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set local-intf xxxx

set intrazone-deny enable|disable

next

end

next

end

Syntax applicable for dynamic multicast interface

config dynamic multicast interface

edit xxx

set description xxx

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set local-intf xxx

next

end

next

end

Syntax applicable for local certificate (dynamic mapping)

config dynamic certificate local

edit xxxx

config dynamic_mapping

edit "<dev_name>"-"global"

set local-cert xxxx

next

end

Syntax applicable for vpn tunnel

config dynamic vpntunnel

edit xxxx

config dynamic_mapping

edit "<dev_name>"-"<vdom_name>"

set local-ipsec "<tunnel_name>"

next

end

Syntax applicable for vpn console table

config vpnmgr vpntable

edit xxxx

set topology star|meshed|dial

set psk-auto-generate enable|disable

set psksecret xxxx

set ike1proposal 3des-sha1 3des-md5 ...

set ike1dhgroup XXXX

set ike1keylifesec 28800

set ike1mode aggressive|main

set ike1dpd enable|disable

set ike1nattraversal enable|disable

set ike1natkeepalive 10

set ike2proposal 3des-sha1 3des-md5

set ike2dhgroup 5

set ike2keylifetype seconds|kbyte|both

set ike2keylifesec 1800

set ike2keylifekbs 5120

set ike2keepalive enable|disable

set replay enable|disable

set pfs enable|disable

set ike2autonego enable|disable

set fcc-enforcement enable|disable

set localid-type auto|fqdn|user-fqdn|keyid|addressasn1dn

set authmethod psk|signature

set inter-vdom enable|disable

set certificate XXXX

next

end

Syntax applicable for vpn console node

config vpnmgr node

edit "1"

set vpntable "<table_name>"

set role hub|spoke

set iface xxxx

set hub_iface xxxx

set automatic_routing enable|disable

set extgw_p2_per_net enable|disable

set banner xxxx

set route-overlap use-old|use-new|allow

set dns-mode manual|auto

set domain xxxx

set local-gw x.x.x.x

set unity-support enable|disable

set xauthtype disable|client|pap|chap|auto

set authusr xxxx

set authpasswd xxxx

set authusrgrp xxxx

set public-ip x.x.x.x

config protected_subnet

edit 1

set addr xxxx xxxx ...

next

end

Syntax applicable for setting installation target on policy package

config firewall policy

edit x

...regular policy command here...

set _scope "<dev_name>"-"<vdom_name>"

next

end

Syntax applicable for global policy

config global header policy

...regular policy command here...

end

config global footer policy

...regular policy command here...

end