CLI Reference

FortiProxy CLI Interface
alertemail
- config alertemail setting
antivirus
- config antivirus heuristic
- config antivirus profile
- config antivirus quarantine
- config antivirus settings
application
- config application custom
- config application list
- config application name
- config application rule-settings
authentication
- config authentication rule
- config authentication scheme
- config authentication setting
certificate
- config certificate ca
- config certificate crl
- config certificate local
- config certificate remote
- config certificate setting
cifs
- config cifs domain-controller
- config cifs profile
credential-store
- config credential-store domain-controller
diagnose
- diagnose alertconsole
- diagnose antivirus bypass
- diagnose antivirus database-info
- diagnose antivirus quarantine
- diagnose antivirus test
- diagnose autoupdate
- diagnose central-mgmt script-history
- diagnose cp cp9kxp
- diagnose cp cp9vpn
- diagnose debug admin error-log
- diagnose debug application
- diagnose debug authd
- diagnose debug cli
- diagnose debug cmdb-trace
- diagnose debug cmdb-walk
- diagnose debug config-error-log
- diagnose debug console
- diagnose debug crashlog
- diagnose debug disable
- diagnose debug duration
- diagnose debug enable
- diagnose debug fsso-polling
- diagnose debug info
- diagnose debug kernel
- diagnose debug rating
- diagnose debug report
- diagnose debug reset
- diagnose debug sdnc valgrind
- diagnose debug sql-log-error
- diagnose debug urlfilter
- diagnose disktest
- diagnose fdsm account-info
- diagnose fdsm central-mgmt-status
- diagnose fdsm cfg-diff
- diagnose fdsm cfg-download
- diagnose fdsm cfg-list
- diagnose fdsm cfg-upload
- diagnose fdsm contract-controller-update
- diagnose fdsm fc-installer-download
- diagnose fdsm fds-update
- diagnose fdsm forticlient-net-info
- diagnose fdsm forticlient-update
- diagnose fdsm fortisw-download
- diagnose fdsm fortisw-latest-ver
- diagnose fdsm ftk-activiate
- diagnose fdsm image-download
- diagnose fdsm image-list
- diagnose fdsm image-upgrade-matrix
- diagnose fdsm log-controller-update
- diagnose fdsm message-update
- diagnose fdsm modem-list
- diagnose fdsm report-download
- diagnose fdsm report-list
- diagnose fdsm sslvpn-man-upgrade
- diagnose fdsm sslvpn-package-download
- diagnose firewall auth
- diagnose firewall fqdn list
- diagnose firewall ipgeo
- diagnose fortiguard ipblacklist
- diagnose fortitoken
- diagnose fortiview
- diagnose geoip
- diagnose hardware
- diagnose http-view
- diagnose internet-service
- diagnose ip address
- diagnose ip arp
- diagnose ip framed-ip
- diagnose ip route
- diagnose ip tcp
- diagnose ip udp
- diagnose ips
- get ips global
- get ips rule status
- get log custom-field
- get log disk
- get log eventfilter
- get log fortianalyzer setting
- get log fortianalyzer2 setting
- get log fortianalyzer3 setting
- get ssh-filter profile
- get system accprofile
- get system admin
- get system alias
- get system api-user
- get system arp-table
- get user
- get wanopt
- get webfilter categories
- get webfilter content
- get webfilter cookie-ovrd
- get webfilter content-header
dlp
- config dlp filepattern
- config dlp fp-sensitivity
- config dlp sensor
dnsfilter
- config dnsfilter domain-filter
- config dnsfilter profile
execute
- execute api-user
- execute auto-script backup
- execute auto-script delete
- execute auto-script result
- execute auto-script start
- execute auto-script status
- execute auto-script stop
- execute auto-script stopall
- execute backup
- execute batch
- execute central-mgmt
- execute certificate
- execute cfg reload
- execute cfg save
- execute clear system arp table
- execute cli
- execute date
- execute disconnect-admin-session
- execute disk
- execute erase-disk
- execute factoryreset-shutdown
- execute factoryreset
- execute factoryreset2
- execute firewall
- execute formatlogdisk
- execute forticlient info
- execute forticlient list
- execute fortiguard-log
- execute fortiguard-message
- execute fortitoken-mobile
- execute fortitoken
- execute fsso
- execute ha disconnect
- execute ha manage
- execute ha set-priority
- execute ha synchronize
- execute http-view
- execute log backup
- execute log delete-all
- execute log delete
- execute log detail
- execute log display
- execute log filter
- execute log flush-cache-all
- execute log flush-cache
- execute log fortianalyzer
- execute log fortiguard
- execute log list
- execute log roll
- execute log shift-time
- execute ping-options
- execute ping
- execute ping6-options
- execute ping6
- execute preload http-transaction-log
- execute preload list
- execute preload show-log
- execute preload url-delete
- execute preload url
- execute reboot
- execute report-config
- execute report
- execute restore
- execute send-fds-statistics
- execute shutdown
- execute ssh
- execute system custom-language
- execute system fortisandbox
- execute tac
- execute telnet
- execute time
- execute traceroute-options
- execute traceroute
- execute tracert6
- execute update-av
- execute update-geo-ip
- execute update-ips
- execute update-list
- execute update-now
- execute upload
- execute usb-device disconnect
- execute usb-device list
- execute usb-disk
- execute vpn
- execute webcache
- execute webfilter
firewall
- config firewall address
- config firewall address6
- config firewall addrgrp
- config firewall addrgrp6
- config firewall central-snat-map
- config firewall decrypted-traffic-mirror
- config firewall internet-service-custom
- config firewall internet-service
- config firewall ippool
- config firewall ippool6
- config firewall policy
- config firewall profile-group
- config firewall profile-protocol-options
- config firewall proxy-address
- config firewall proxy-addrgrp
- config firewall schedule group
- config firewall schedule onetime
- config firewall schedule recurring
- config firewall service category
- config firewall service custom
- config firewall service group
- config firewall shaping-policy
- config firewall shaping-profile
- config firewall sniffer
- config firewall ssh host-key
- config firewall ssh local-ca
- config firewall ssh local-key
- config firewall ssh setting
- config firewall ssl-server
- config firewall ssl-ssh-profile
- config firewall ssl setting
- config firewall vip
- config firewall vipgrp
ftp-proxy
- config ftp-proxy explicit
icap
- config icap local-server
- config icap profile
- config icap remote-server-group
- config icap remote-server
image-analyzer
- config image-analyzer profile
ips
- config ips custom
- config ips decoder
- config ips global
- config ips rule-settings
- config ips rule
- config ips sensor
- config ips settings
log
- config log custom-field
- config log disk filter
- config log disk setting
- config log eventfilter
- config log fortianalyzer2 filter
- config log fortianalyzer2 setting
- config log fortianalyzer3 filter
- config log fortianalyzer3 setting
- config log fortianalyzer filter
- config log fortianalyzer override-filter
- config log fortianalyzer override-setting
- config log fortianalyzer setting
- config log fortiguard filter
- config log fortiguard override-filter
- config log fortiguard override-setting
- config log fortiguard setting
- config log gui-display
- config log memory filter
- config log memory global-setting
- config log memory setting
- config log null-device filter
- config log null-device setting
- config log setting
- config log syslogd2 filter
- config log syslogd2 setting
- config log syslogd3 filter
- config log syslogd3 setting
- config log syslogd4 filter
- config log syslogd4 setting
- config log syslogd filter
- config log syslogd override-filter
- config log syslogd override-setting
- config log syslogd setting
- config log threat-weight
- config log webtrends filter
- config log webtrends setting
report
- config report chart
- config report dataset
- config report layout
- config report setting
- config report style
- config report theme
router
- config router static
- config router static6
spamfilter
- config spamfilter bwl
- config spamfilter bword
- config spamfilter dnsbl
- config spamfilter fortishield
- config spamfilter iptrust
- config spamfilter mheader
- config spamfilter options
- config spamfilter profile
ssh-filter
- config ssh-filter profile
system
- config system accprofile
- config system admin
- config system affinity-interrupt
- config system affinity-packet-redistribution
- config system alarm
- config system alias
- config system api-user
- config system arp-table
- config system auto-install
- config system auto-script
- config system autoupdate push-update
- config system autoupdate schedule
- config system autoupdate tunneling
- config system central-management
- config system console
- config system csf
- config system custom-language
- config system dhcp6 server
- config system dhcp server
- config system dns-database
- config system dns-server
- config system dns
- config system email-server
- config system external-resource
- config system fips-cc
- config system fm
- config system fortiguard
- config system fortimanager
- config system fortisandbox
- config system fsso-polling
- config system ftm-push
- config system geoip-override
- config system global
- config system gre-tunnel
- config system ha-monitor
- config system ha
- config system interface
- config system ips-urlfilter-dns
- config system link-monitor
- config system nethsm
- config system network-visibility
- config system ntp
- config system object-tag
- config system password-policy-guest-admin
- config system password-policy
- config system replacemsg-group
- config system replacemsg-image
- config system replacemsg admin
- config system replacemsg alertmail
- config system replacemsg auth
- config system replacemsg device-detection-portal
- config system replacemsg ec
- config system replacemsg fortiguard-wf
- config system replacemsg ftp
- config system replacemsg http
- config system replacemsg icap
- config system replacemsg mail
- config system replacemsg nac-quar
- config system replacemsg nntp
- config system replacemsg spam
- config system replacemsg sslvpn
- config system replacemsg traffic-quota
- config system replacemsg utm
- config system replacemsg webproxy
- config system resource-limits
- config system sdn-connector
- config system settings
- config system sms-server
- config system snmp community
- config system snmp sysinfo
- config system snmp user
- config system span-port
- config system storage
- config system vdom-dns
- config system vdom-property
- config system vdom-radius-server
- config system vdom
- config system wccp
- config system zone
user
- config user adgrp
- config user domain-controller
- config user fortitoken
- config user fsso-polling
- config user fsso
- config user group
- config user krb-keytab
- config user ldap
- config user local
- config user password-policy
- config user peer
- config user peergrp
- config user pop3
- config user radius
- config user saml
- config user setting
- config user tacacs+
vpn
- config vpn ipsec phase1-interface
- config vpn ipsec phase2-interface
- config vpn ssl settings
- config vpn ssl web host-check-software
- config vpn ssl web portal
- config vpn ssl web realm
- config vpn ssl web user-bookmark
- config vpn ssl web user-group-bookmark
wanopt
- config wanopt auth-group
- config wanopt cache-service
- config wanopt content-delivery-network-rule
- config wanopt peer
- config wanopt profile
- config wanopt settings
web-proxy
- config web-proxy debug-url
- config web-proxy dynamic-bypass
- config web-proxy explicit
- config web-proxy forward-server-group
- config web-proxy forward-server
- config web-proxy global
- config web-proxy isolator-server
- config web-proxy pac-policy
- config web-proxy profile
- config web-proxy url-list
- config web-proxy url-match
- config web-proxy wisp
webcache
- config webcache reverse-cache-prefetch-url
- config webcache reverse-cache-server
- config webcache settings
- config webcache user-agent
webfilter
- config webfilter content-header
- config webfilter content
- config webfilter cookie-ovrd
- config webfilter fortiguard
- config webfilter ftgd-local-cat
- config webfilter ftgd-local-rating
- config webfilter ips-urlfilter-cache-setting
- config webfilter ips-urlfilter-setting
- config webfilter override
- config webfilter profile
- config webfilter search-engine
- config webfilter urlfilter
Change log

Home FortiProxy 2.0.12 CLI Reference

2.0.12

config vpn ipsec phase1-interface

Configure VPN remote gateway.

config vpn ipsec phase1-interface
    Description: Configure VPN remote gateway.
    edit <name>
        set interface {string}
        set ike-version [1|2]
        set local-gw {ipv4-address}
        set remote-gw {ipv4-address}
        set keylife {integer}
        config certificate
            Description: The names of up to 4 signed personal certificates.
            edit <name>
            next
        end
        set authmethod [psk|signature]
        set mode [aggressive|main]
        set peertype {option}
        set peerid {string}
        set peer {string}
        set proposal [des-md5|des-sha1|...]
        set psksecret {password-3}
        set keepalive {integer}
        set distance {integer}
        set priority {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set negotiate-timeout {integer}
        set fragmentation [enable|disable]
        set comments {var-string}
        set send-cert-chain [enable|disable]
        set dhgrp [1|2|...]
        set eap [enable|disable]
        set eap-identity [use-id-payload|send-request]
        set acct-verify [enable|disable]
        set wizard-type [custom|dialup-forticlient|...]
        set xauthtype [disable|client|...]
        set reauth [disable|enable]
        set authusr {string}
        set authpasswd {password}
        set group-authentication [enable|disable]
        set group-authentication-secret {password-3}
        set authusrgrp {string}
        set idle-timeout [enable|disable]
        set idle-timeoutinterval {integer}
        set auto-discovery-sender [enable|disable]
        set auto-discovery-receiver [enable|disable]
        set auto-discovery-forwarder [enable|disable]
        set auto-discovery-psk [enable|disable]
        set fragmentation-mtu {integer}
        set childless-ike [enable|disable]
        set rekey [enable|disable]
        set digital-signature-auth [enable|disable]
        set signature-hash-alg [sha1|sha2-256|...]
        set rsa-signature-format [pkcs1|pss]
        set enforce-unique-id [disable|keep-new|...]
    next
end

config vpn ipsec phase1-interface

Parameter

Description

Type

Size

interface

Local physical, aggregate, or VLAN outgoing interface.

string

Maximum length: 35

ike-version

IKE protocol version.

option

Option	Description
1	Use IKEv1 protocol.
2	Use IKEv2 protocol.

local-gw

IPv4 address of the local gateway's external interface.

ipv4-address

Not Specified

remote-gw

IPv4 address of the remote gateway's external interface.

ipv4-address

Not Specified

keylife

Time to wait in seconds before phase 1 encryption key expires.

integer

Minimum value: 120 Maximum value: 172800

authmethod

Authentication method.

option

Option	Description
psk	PSK authentication method.
signature	Signature authentication method.

mode

The ID protection mode used to establish a secure channel.

option

Option	Description
aggressive	Aggressive mode.
main	Main mode.

peertype

Accept this peer type.

option

Option	Description
any	Accept any peer ID.

peerid

Accept this peer identity.

string

Maximum length: 255

peer

Accept this peer certificate.

string

Maximum length: 35

proposal

Phase1 proposal.

option

Option	Description
des-md5	des-md5
des-sha1	des-sha1
des-sha256	des-sha256
des-sha384	des-sha384
des-sha512	des-sha512
3des-md5	3des-md5
3des-sha1	3des-sha1
3des-sha256	3des-sha256
3des-sha384	3des-sha384
3des-sha512	3des-sha512
aes128-md5	aes128-md5
aes128-sha1	aes128-sha1
aes128-sha256	aes128-sha256
aes128-sha384	aes128-sha384
aes128-sha512	aes128-sha512
aes192-md5	aes192-md5
aes192-sha1	aes192-sha1
aes192-sha256	aes192-sha256
aes192-sha384	aes192-sha384
aes192-sha512	aes192-sha512
aes256-md5	aes256-md5
aes256-sha1	aes256-sha1
aes256-sha256	aes256-sha256
aes256-sha384	aes256-sha384
aes256-sha512	aes256-sha512

psksecret

Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

keepalive

NAT-T keep alive interval.

integer

Minimum value: 10 Maximum value: 900

distance

Distance for routes added by IKE .

integer

Minimum value: 1 Maximum value: 255

priority

Priority for routes added by IKE .

integer

Minimum value: 0 Maximum value: 4294967295

localid

Local ID.

string

Maximum length: 63

localid-type

Local ID type.

option

Option	Description
auto	Select ID type automatically.
fqdn	Use fully qualified domain name.
user-fqdn	Use user fully qualified domain name.
keyid	Use key-id string.
address	Use local IP address.
asn1dn	Use ASN.1 distinguished name.

negotiate-timeout

IKE SA negotiation timeout in seconds .

integer

Minimum value: 1 Maximum value: 300

fragmentation

Enable/disable fragment IKE message on re-transmission.

option

Option	Description
enable	Enable intra-IKE fragmentation support on re-transmission.
disable	Disable intra-IKE fragmentation support.

comments

Comment.

var-string

Maximum length: 255

send-cert-chain

Enable/disable sending certificate chain.

option

Option	Description
enable	Enable sending certificate chain.
disable	Disable sending certificate chain.

dhgrp

DH group.

option

Option	Description
1	DH Group 1.
2	DH Group 2.
5	DH Group 5.
14	DH Group 14.
15	DH Group 15.
16	DH Group 16.
17	DH Group 17.
18	DH Group 18.
19	DH Group 19.
20	DH Group 20.
21	DH Group 21.
27	DH Group 27.
28	DH Group 28.
29	DH Group 29.
30	DH Group 30.

eap

Enable/disable IKEv2 EAP authentication.

option

Option	Description
enable	Enable IKEv2 EAP authentication.
disable	Disable IKEv2 EAP authentication.

eap-identity

IKEv2 EAP peer identity type.

option

Option	Description
use-id-payload	Use IKEv2 IDi payload to resolve peer identity.
send-request	Use EAP identity request to resolve peer identity.

acct-verify

Enable/disable verification of RADIUS accounting record.

option

Option	Description
enable	Enable verification of RADIUS accounting record.
disable	Disable verification of RADIUS accounting record.

wizard-type

GUI VPN Wizard Type.

option

Option	Description
custom	Custom VPN configuration.
dialup-forticlient	Dial Up - FortiClient Windows, Mac and Android.
dialup-ios	Dial Up - iPhone / iPad Native IPsec Client.
dialup-android	Dial Up - Android Native IPsec Client.
dialup-windows	Dial Up - Windows Native IPsec Client.
dialup-cisco	Dial Up - Cisco IPsec Client.
static-fortiproxy	Site to Site - FortiProxy.
dialup-fortiproxy	Dial Up - FortiProxy.
static-cisco	Site to Site - Cisco.
dialup-cisco-fw	Dialup Up - Cisco Firewall.

xauthtype

XAuth type.

option

Option	Description
disable	Disable.
client	Enable as client.
pap	Enable as server PAP.
chap	Enable as server CHAP.
auto	Enable as server auto.

reauth

Enable/disable re-authentication upon IKE SA lifetime expiration.

option

Option	Description
disable	Disable IKE SA re-authentication.
enable	Enable IKE SA re-authentication.

authusr

XAuth user name.

string

Maximum length: 64

authpasswd

XAuth password (max 35 characters).

password

Not Specified

group-authentication

Enable/disable IKEv2 IDi group authentication.

option

Option	Description
enable	Enable IKEv2 IDi group authentication.
disable	Disable IKEv2 IDi group authentication.

group-authentication-secret

Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.)

password-3

Not Specified

authusrgrp

Authentication user group.

string

Maximum length: 35

idle-timeout

Enable/disable IPsec tunnel idle timeout.

option

Option	Description
enable	Enable IPsec tunnel idle timeout.
disable	Disable IPsec tunnel idle timeout.

idle-timeoutinterval

IPsec tunnel idle timeout in minutes .

integer

Minimum value: 5 Maximum value: 43200

auto-discovery-sender

Enable/disable sending auto-discovery short-cut messages.

option

Option	Description
enable	Enable sending auto-discovery short-cut messages.
disable	Disable sending auto-discovery short-cut messages.

auto-discovery-receiver

Enable/disable accepting auto-discovery short-cut messages.

option

Option	Description
enable	Enable receiving auto-discovery short-cut messages.
disable	Disable receiving auto-discovery short-cut messages.

auto-discovery-forwarder

Enable/disable forwarding auto-discovery short-cut messages.

option

Option	Description
enable	Enable forwarding auto-discovery short-cut messages.
disable	Disable forwarding auto-discovery short-cut messages.

auto-discovery-psk

Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.

option

Option	Description
enable	Enable use of pre-shared-secret authentication for auto-discovery tunnels.
disable	Disable use of authentication defined by 'authmethod' for auto-discovery tunnels.

fragmentation-mtu

IKE fragmentation MTU .

integer

Minimum value: 500 Maximum value: 16000

childless-ike

Enable/disable childless IKEv2 initiation (RFC 6023).

option

Option	Description
enable	Enable childless IKEv2 initiation (RFC 6023).
disable	Disable childless IKEv2 initiation (RFC 6023).

rekey

Enable/disable phase1 rekey.

option

Option	Description
enable	Enable phase1 rekey.
disable	Disable phase1 rekey.

digital-signature-auth

Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).

option

Option	Description
enable	Enable IKEv2 Digital Signature Authentication (RFC 7427).
disable	Disable IKEv2 Digital Signature Authentication (RFC 7427).

signature-hash-alg

Digital Signature Authentication hash algorithms.

option

Option	Description
sha1	SHA1.
sha2-256	SHA2-256.
sha2-384	SHA2-384.
sha2-512	SHA2-512.

rsa-signature-format

Digital Signature Authentication RSA signature format.

option

Option	Description
pkcs1	RSASSA PKCS#1 v1.5.
pss	RSASSA Probabilistic Signature Scheme (PSS).

enforce-unique-id

Enable/disable peer ID uniqueness check.

option

Option	Description
disable	Disable peer ID uniqueness enforcement.
keep-new	Enforce peer ID uniqueness, keep new connection if collision found.
keep-old	Enforce peer ID uniqueness, keep old connection if collision found.

config vpn ipsec phase1-interface

Configure VPN remote gateway.

config vpn ipsec phase1-interface
    Description: Configure VPN remote gateway.
    edit <name>
        set interface {string}
        set ike-version [1|2]
        set local-gw {ipv4-address}
        set remote-gw {ipv4-address}
        set keylife {integer}
        config certificate
            Description: The names of up to 4 signed personal certificates.
            edit <name>
            next
        end
        set authmethod [psk|signature]
        set mode [aggressive|main]
        set peertype {option}
        set peerid {string}
        set peer {string}
        set proposal [des-md5|des-sha1|...]
        set psksecret {password-3}
        set keepalive {integer}
        set distance {integer}
        set priority {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set negotiate-timeout {integer}
        set fragmentation [enable|disable]
        set comments {var-string}
        set send-cert-chain [enable|disable]
        set dhgrp [1|2|...]
        set eap [enable|disable]
        set eap-identity [use-id-payload|send-request]
        set acct-verify [enable|disable]
        set wizard-type [custom|dialup-forticlient|...]
        set xauthtype [disable|client|...]
        set reauth [disable|enable]
        set authusr {string}
        set authpasswd {password}
        set group-authentication [enable|disable]
        set group-authentication-secret {password-3}
        set authusrgrp {string}
        set idle-timeout [enable|disable]
        set idle-timeoutinterval {integer}
        set auto-discovery-sender [enable|disable]
        set auto-discovery-receiver [enable|disable]
        set auto-discovery-forwarder [enable|disable]
        set auto-discovery-psk [enable|disable]
        set fragmentation-mtu {integer}
        set childless-ike [enable|disable]
        set rekey [enable|disable]
        set digital-signature-auth [enable|disable]
        set signature-hash-alg [sha1|sha2-256|...]
        set rsa-signature-format [pkcs1|pss]
        set enforce-unique-id [disable|keep-new|...]
    next
end

config vpn ipsec phase1-interface

Parameter

Description

Type

Size

interface

Local physical, aggregate, or VLAN outgoing interface.

string

Maximum length: 35

ike-version

IKE protocol version.

option

Option	Description
1	Use IKEv1 protocol.
2	Use IKEv2 protocol.

local-gw

IPv4 address of the local gateway's external interface.

ipv4-address

Not Specified

remote-gw

IPv4 address of the remote gateway's external interface.

ipv4-address

Not Specified

keylife

Time to wait in seconds before phase 1 encryption key expires.

integer

Minimum value: 120 Maximum value: 172800

authmethod

Authentication method.

option

Option	Description
psk	PSK authentication method.
signature	Signature authentication method.

mode

The ID protection mode used to establish a secure channel.

option

Option	Description
aggressive	Aggressive mode.
main	Main mode.

peertype

Accept this peer type.

option

Option	Description
any	Accept any peer ID.

peerid

Accept this peer identity.

string

Maximum length: 255

peer

Accept this peer certificate.

string

Maximum length: 35

proposal

Phase1 proposal.

option

Option	Description
des-md5	des-md5
des-sha1	des-sha1
des-sha256	des-sha256
des-sha384	des-sha384
des-sha512	des-sha512
3des-md5	3des-md5
3des-sha1	3des-sha1
3des-sha256	3des-sha256
3des-sha384	3des-sha384
3des-sha512	3des-sha512
aes128-md5	aes128-md5
aes128-sha1	aes128-sha1
aes128-sha256	aes128-sha256
aes128-sha384	aes128-sha384
aes128-sha512	aes128-sha512
aes192-md5	aes192-md5
aes192-sha1	aes192-sha1
aes192-sha256	aes192-sha256
aes192-sha384	aes192-sha384
aes192-sha512	aes192-sha512
aes256-md5	aes256-md5
aes256-sha1	aes256-sha1
aes256-sha256	aes256-sha256
aes256-sha384	aes256-sha384
aes256-sha512	aes256-sha512

psksecret

Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

keepalive

NAT-T keep alive interval.

integer

Minimum value: 10 Maximum value: 900

distance

Distance for routes added by IKE .

integer

Minimum value: 1 Maximum value: 255

priority

Priority for routes added by IKE .

integer

Minimum value: 0 Maximum value: 4294967295

localid

Local ID.

string

Maximum length: 63

localid-type

Local ID type.

option

Option	Description
auto	Select ID type automatically.
fqdn	Use fully qualified domain name.
user-fqdn	Use user fully qualified domain name.
keyid	Use key-id string.
address	Use local IP address.
asn1dn	Use ASN.1 distinguished name.

negotiate-timeout

IKE SA negotiation timeout in seconds .

integer

Minimum value: 1 Maximum value: 300

fragmentation

Enable/disable fragment IKE message on re-transmission.

option

Option	Description
enable	Enable intra-IKE fragmentation support on re-transmission.
disable	Disable intra-IKE fragmentation support.

comments

Comment.

var-string

Maximum length: 255

send-cert-chain

Enable/disable sending certificate chain.

option

Option	Description
enable	Enable sending certificate chain.
disable	Disable sending certificate chain.

dhgrp

DH group.

option

Option	Description
1	DH Group 1.
2	DH Group 2.
5	DH Group 5.
14	DH Group 14.
15	DH Group 15.
16	DH Group 16.
17	DH Group 17.
18	DH Group 18.
19	DH Group 19.
20	DH Group 20.
21	DH Group 21.
27	DH Group 27.
28	DH Group 28.
29	DH Group 29.
30	DH Group 30.

eap

Enable/disable IKEv2 EAP authentication.

option

Option	Description
enable	Enable IKEv2 EAP authentication.
disable	Disable IKEv2 EAP authentication.

eap-identity

IKEv2 EAP peer identity type.

option

Option	Description
use-id-payload	Use IKEv2 IDi payload to resolve peer identity.
send-request	Use EAP identity request to resolve peer identity.

acct-verify

Enable/disable verification of RADIUS accounting record.

option

Option	Description
enable	Enable verification of RADIUS accounting record.
disable	Disable verification of RADIUS accounting record.

wizard-type

GUI VPN Wizard Type.

option

Option	Description
custom	Custom VPN configuration.
dialup-forticlient	Dial Up - FortiClient Windows, Mac and Android.
dialup-ios	Dial Up - iPhone / iPad Native IPsec Client.
dialup-android	Dial Up - Android Native IPsec Client.
dialup-windows	Dial Up - Windows Native IPsec Client.
dialup-cisco	Dial Up - Cisco IPsec Client.
static-fortiproxy	Site to Site - FortiProxy.
dialup-fortiproxy	Dial Up - FortiProxy.
static-cisco	Site to Site - Cisco.
dialup-cisco-fw	Dialup Up - Cisco Firewall.

xauthtype

XAuth type.

option

Option	Description
disable	Disable.
client	Enable as client.
pap	Enable as server PAP.
chap	Enable as server CHAP.
auto	Enable as server auto.

reauth

Enable/disable re-authentication upon IKE SA lifetime expiration.

option

Option	Description
disable	Disable IKE SA re-authentication.
enable	Enable IKE SA re-authentication.

authusr

XAuth user name.

string

Maximum length: 64

authpasswd

XAuth password (max 35 characters).

password

Not Specified

group-authentication

Enable/disable IKEv2 IDi group authentication.

option

Option	Description
enable	Enable IKEv2 IDi group authentication.
disable	Disable IKEv2 IDi group authentication.

group-authentication-secret

Password for IKEv2 IDi group authentication. (ASCII string or hexadecimal indicated by a leading 0x.)

password-3

Not Specified

authusrgrp

Authentication user group.

string

Maximum length: 35

idle-timeout

Enable/disable IPsec tunnel idle timeout.

option

Option	Description
enable	Enable IPsec tunnel idle timeout.
disable	Disable IPsec tunnel idle timeout.

idle-timeoutinterval

IPsec tunnel idle timeout in minutes .

integer

Minimum value: 5 Maximum value: 43200

auto-discovery-sender

Enable/disable sending auto-discovery short-cut messages.

option

Option	Description
enable	Enable sending auto-discovery short-cut messages.
disable	Disable sending auto-discovery short-cut messages.

auto-discovery-receiver

Enable/disable accepting auto-discovery short-cut messages.

option

Option	Description
enable	Enable receiving auto-discovery short-cut messages.
disable	Disable receiving auto-discovery short-cut messages.

auto-discovery-forwarder

Enable/disable forwarding auto-discovery short-cut messages.

option

Option	Description
enable	Enable forwarding auto-discovery short-cut messages.
disable	Disable forwarding auto-discovery short-cut messages.

auto-discovery-psk

Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.

option

Option	Description
enable	Enable use of pre-shared-secret authentication for auto-discovery tunnels.
disable	Disable use of authentication defined by 'authmethod' for auto-discovery tunnels.

fragmentation-mtu

IKE fragmentation MTU .

integer

Minimum value: 500 Maximum value: 16000

childless-ike

Enable/disable childless IKEv2 initiation (RFC 6023).

option

Option	Description
enable	Enable childless IKEv2 initiation (RFC 6023).
disable	Disable childless IKEv2 initiation (RFC 6023).

rekey

Enable/disable phase1 rekey.

option

Option	Description
enable	Enable phase1 rekey.
disable	Disable phase1 rekey.

digital-signature-auth

Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).

option

Option	Description
enable	Enable IKEv2 Digital Signature Authentication (RFC 7427).
disable	Disable IKEv2 Digital Signature Authentication (RFC 7427).

signature-hash-alg

Digital Signature Authentication hash algorithms.

option

Option	Description
sha1	SHA1.
sha2-256	SHA2-256.
sha2-384	SHA2-384.
sha2-512	SHA2-512.

rsa-signature-format

Digital Signature Authentication RSA signature format.

option

Option	Description
pkcs1	RSASSA PKCS#1 v1.5.
pss	RSASSA Probabilistic Signature Scheme (PSS).

enforce-unique-id

Enable/disable peer ID uniqueness check.

option

Option	Description
disable	Disable peer ID uniqueness enforcement.
keep-new	Enforce peer ID uniqueness, keep new connection if collision found.
keep-old	Enforce peer ID uniqueness, keep old connection if collision found.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface