DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

CLI Reference

FortiProxy CLI Interface
alertemail
- config alertemail setting
antivirus
- config antivirus heuristic
- config antivirus profile
- config antivirus quarantine
- config antivirus settings
application
- config application custom
- config application list
- config application name
- config application rule-settings
authentication
- config authentication rule
- config authentication scheme
- config authentication setting
certificate
- config certificate ca
- config certificate crl
- config certificate local
- config certificate remote
- config certificate setting
cifs
- config cifs domain-controller
- config cifs profile
credential-store
- config credential-store domain-controller
diagnose
- diagnose alertconsole
- diagnose antivirus bypass
- diagnose antivirus database-info
- diagnose antivirus quarantine
- diagnose antivirus test
- diagnose autoupdate
- diagnose central-mgmt script-history
- diagnose cp cp9kxp
- diagnose cp cp9vpn
- diagnose debug admin error-log
- diagnose debug application
- diagnose debug authd
- diagnose debug cli
- diagnose debug cmdb-trace
- diagnose debug cmdb-walk
- diagnose debug config-error-log
- diagnose debug console
- diagnose debug crashlog
- diagnose debug disable
- diagnose debug duration
- diagnose debug enable
- diagnose debug fsso-polling
- diagnose debug info
- diagnose debug kernel
- diagnose debug rating
- diagnose debug report
- diagnose debug reset
- diagnose debug sdnc valgrind
- diagnose debug sql-log-error
- diagnose debug urlfilter
- diagnose disktest
- diagnose fdsm account-info
- diagnose fdsm central-mgmt-status
- diagnose fdsm cfg-diff
- diagnose fdsm cfg-download
- diagnose fdsm cfg-list
- diagnose fdsm cfg-upload
- diagnose fdsm contract-controller-update
- diagnose fdsm fc-installer-download
- diagnose fdsm fds-update
- diagnose fdsm forticlient-net-info
- diagnose fdsm forticlient-update
- diagnose fdsm fortisw-download
- diagnose fdsm fortisw-latest-ver
- diagnose fdsm ftk-activiate
- diagnose fdsm image-download
- diagnose fdsm image-list
- diagnose fdsm image-upgrade-matrix
- diagnose fdsm log-controller-update
- diagnose fdsm message-update
- diagnose fdsm modem-list
- diagnose fdsm report-download
- diagnose fdsm report-list
- diagnose fdsm sslvpn-man-upgrade
- diagnose fdsm sslvpn-package-download
- diagnose firewall auth
- diagnose firewall fqdn list
- diagnose firewall ipgeo
- diagnose fortiguard ipblacklist
- diagnose fortitoken
- diagnose fortiview
- diagnose geoip
- diagnose hardware
- diagnose http-view
- diagnose internet-service
- diagnose ip address
- diagnose ip arp
- diagnose ip framed-ip
- diagnose ip route
- diagnose ip tcp
- diagnose ip udp
- diagnose ips
- get ips global
- get ips rule status
- get log custom-field
- get log disk
- get log eventfilter
- get log fortianalyzer setting
- get log fortianalyzer2 setting
- get log fortianalyzer3 setting
- get ssh-filter profile
- get system accprofile
- get system admin
- get system alias
- get system api-user
- get system arp-table
- get user
- get wanopt
- get webfilter categories
- get webfilter content
- get webfilter cookie-ovrd
- get webfilter content-header
dlp
- config dlp filepattern
- config dlp fp-sensitivity
- config dlp sensor
dnsfilter
- config dnsfilter domain-filter
- config dnsfilter profile
execute
- execute api-user
- execute auto-script backup
- execute auto-script delete
- execute auto-script result
- execute auto-script start
- execute auto-script status
- execute auto-script stop
- execute auto-script stopall
- execute backup
- execute batch
- execute central-mgmt
- execute certificate
- execute cfg reload
- execute cfg save
- execute clear system arp table
- execute cli
- execute date
- execute disconnect-admin-session
- execute disk
- execute erase-disk
- execute factoryreset-shutdown
- execute factoryreset
- execute factoryreset2
- execute firewall
- execute formatlogdisk
- execute forticlient info
- execute forticlient list
- execute fortiguard-log
- execute fortiguard-message
- execute fortitoken-mobile
- execute fortitoken
- execute fsso
- execute ha disconnect
- execute ha manage
- execute ha set-priority
- execute ha synchronize
- execute http-view
- execute log backup
- execute log delete-all
- execute log delete
- execute log detail
- execute log display
- execute log filter
- execute log flush-cache-all
- execute log flush-cache
- execute log fortianalyzer
- execute log fortiguard
- execute log list
- execute log roll
- execute log shift-time
- execute ping-options
- execute ping
- execute ping6-options
- execute ping6
- execute preload http-transaction-log
- execute preload list
- execute preload show-log
- execute preload url-delete
- execute preload url
- execute reboot
- execute report-config
- execute report
- execute restore
- execute send-fds-statistics
- execute shutdown
- execute ssh
- execute system custom-language
- execute system fortisandbox
- execute tac
- execute telnet
- execute time
- execute traceroute-options
- execute traceroute
- execute tracert6
- execute update-av
- execute update-geo-ip
- execute update-ips
- execute update-list
- execute update-now
- execute upload
- execute usb-device disconnect
- execute usb-device list
- execute usb-disk
- execute vpn
- execute webcache
- execute webfilter
firewall
- config firewall address
- config firewall address6
- config firewall addrgrp
- config firewall addrgrp6
- config firewall central-snat-map
- config firewall decrypted-traffic-mirror
- config firewall internet-service-custom
- config firewall internet-service
- config firewall ippool
- config firewall ippool6
- config firewall policy
- config firewall profile-group
- config firewall profile-protocol-options
- config firewall proxy-address
- config firewall proxy-addrgrp
- config firewall schedule group
- config firewall schedule onetime
- config firewall schedule recurring
- config firewall service category
- config firewall service custom
- config firewall service group
- config firewall shaping-policy
- config firewall shaping-profile
- config firewall sniffer
- config firewall ssh host-key
- config firewall ssh local-ca
- config firewall ssh local-key
- config firewall ssh setting
- config firewall ssl-server
- config firewall ssl-ssh-profile
- config firewall ssl setting
- config firewall vip
- config firewall vipgrp
ftp-proxy
- config ftp-proxy explicit
icap
- config icap local-server
- config icap profile
- config icap remote-server-group
- config icap remote-server
image-analyzer
- config image-analyzer profile
ips
- config ips custom
- config ips decoder
- config ips global
- config ips rule-settings
- config ips rule
- config ips sensor
- config ips settings
log
- config log custom-field
- config log disk filter
- config log disk setting
- config log eventfilter
- config log fortianalyzer2 filter
- config log fortianalyzer2 setting
- config log fortianalyzer3 filter
- config log fortianalyzer3 setting
- config log fortianalyzer filter
- config log fortianalyzer override-filter
- config log fortianalyzer override-setting
- config log fortianalyzer setting
- config log fortiguard filter
- config log fortiguard override-filter
- config log fortiguard override-setting
- config log fortiguard setting
- config log gui-display
- config log memory filter
- config log memory global-setting
- config log memory setting
- config log null-device filter
- config log null-device setting
- config log setting
- config log syslogd2 filter
- config log syslogd2 setting
- config log syslogd3 filter
- config log syslogd3 setting
- config log syslogd4 filter
- config log syslogd4 setting
- config log syslogd filter
- config log syslogd override-filter
- config log syslogd override-setting
- config log syslogd setting
- config log threat-weight
- config log webtrends filter
- config log webtrends setting
report
- config report chart
- config report dataset
- config report layout
- config report setting
- config report style
- config report theme
router
- config router static
- config router static6
spamfilter
- config spamfilter bwl
- config spamfilter bword
- config spamfilter dnsbl
- config spamfilter fortishield
- config spamfilter iptrust
- config spamfilter mheader
- config spamfilter options
- config spamfilter profile
ssh-filter
- config ssh-filter profile
system
- config system accprofile
- config system admin
- config system affinity-interrupt
- config system affinity-packet-redistribution
- config system alarm
- config system alias
- config system api-user
- config system arp-table
- config system auto-install
- config system auto-script
- config system autoupdate push-update
- config system autoupdate schedule
- config system autoupdate tunneling
- config system central-management
- config system console
- config system csf
- config system custom-language
- config system dhcp6 server
- config system dhcp server
- config system dns-database
- config system dns-server
- config system dns
- config system email-server
- config system external-resource
- config system fips-cc
- config system fm
- config system fortiguard
- config system fortimanager
- config system fortisandbox
- config system fsso-polling
- config system ftm-push
- config system geoip-override
- config system global
- config system gre-tunnel
- config system ha-monitor
- config system ha
- config system interface
- config system ips-urlfilter-dns
- config system link-monitor
- config system nethsm
- config system network-visibility
- config system ntp
- config system object-tag
- config system password-policy-guest-admin
- config system password-policy
- config system replacemsg-group
- config system replacemsg-image
- config system replacemsg admin
- config system replacemsg alertmail
- config system replacemsg auth
- config system replacemsg device-detection-portal
- config system replacemsg ec
- config system replacemsg fortiguard-wf
- config system replacemsg ftp
- config system replacemsg http
- config system replacemsg icap
- config system replacemsg mail
- config system replacemsg nac-quar
- config system replacemsg nntp
- config system replacemsg spam
- config system replacemsg sslvpn
- config system replacemsg traffic-quota
- config system replacemsg utm
- config system replacemsg webproxy
- config system resource-limits
- config system sdn-connector
- config system settings
- config system sms-server
- config system snmp community
- config system snmp sysinfo
- config system snmp user
- config system span-port
- config system storage
- config system vdom-dns
- config system vdom-property
- config system vdom-radius-server
- config system vdom
- config system wccp
- config system zone
user
- config user adgrp
- config user domain-controller
- config user fortitoken
- config user fsso-polling
- config user fsso
- config user group
- config user krb-keytab
- config user ldap
- config user local
- config user password-policy
- config user peer
- config user peergrp
- config user pop3
- config user radius
- config user saml
- config user setting
- config user tacacs+
vpn
- config vpn ipsec phase1-interface
- config vpn ipsec phase2-interface
- config vpn ssl settings
- config vpn ssl web host-check-software
- config vpn ssl web portal
- config vpn ssl web realm
- config vpn ssl web user-bookmark
- config vpn ssl web user-group-bookmark
wanopt
- config wanopt auth-group
- config wanopt cache-service
- config wanopt content-delivery-network-rule
- config wanopt peer
- config wanopt profile
- config wanopt settings
web-proxy
- config web-proxy debug-url
- config web-proxy dynamic-bypass
- config web-proxy explicit
- config web-proxy forward-server-group
- config web-proxy forward-server
- config web-proxy global
- config web-proxy isolator-server
- config web-proxy pac-policy
- config web-proxy profile
- config web-proxy url-list
- config web-proxy url-match
- config web-proxy wisp
webcache
- config webcache reverse-cache-prefetch-url
- config webcache reverse-cache-server
- config webcache settings
- config webcache user-agent
webfilter
- config webfilter content-header
- config webfilter content
- config webfilter cookie-ovrd
- config webfilter fortiguard
- config webfilter ftgd-local-cat
- config webfilter ftgd-local-rating
- config webfilter ips-urlfilter-cache-setting
- config webfilter ips-urlfilter-setting
- config webfilter override
- config webfilter profile
- config webfilter search-engine
- config webfilter urlfilter
Change log

Home FortiProxy 2.0.13 CLI Reference

2.0.13

config firewall policy

Configure firewall policies.

config firewall policy
    Description: Configure firewall policies.
    edit <policyid>
        set type [explicit-web|transparent|...]
        set force-proxy [enable|disable]
        set dynamic-bypass [enable|disable]
        set name {string}
        set explicit-web-proxy {string}
        config srcintf
            Description: Incoming (ingress) interface.
            edit <name>
            next
        end
        config dstintf
            Description: Outgoing (egress) interface.
            edit <name>
            next
        end
        config srcaddr
            Description: Source address and address group names.
            edit <name>
            next
        end
        config srcaddr6
            Description: IPv6 source address (web proxy only).
            edit <name>
            next
        end
        set transparent [enable|disable]
        config poolname
            Description: Name of IP pool object.
            edit <name>
            next
        end
        config dstaddr
            Description: Destination address and address group names.
            edit <name>
            next
        end
        config dstaddr6
            Description: IPv6 destination address (web proxy only).
            edit <name>
            next
        end
        set internet-service [enable|disable]
        config internet-service-id
            Description: Internet Service ID.
            edit <id>
            next
        end
        config internet-service-custom
            Description: Custom Internet Service Name.
            edit <name>
            next
        end
        set action [accept|deny|...]
        set status [enable|disable]
        set schedule {string}
        config service
            Description: Service and service group names.
            edit <name>
            next
        end
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set log-http-transaction [enable|disable]
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-profile {string}
        set wanopt-peer {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set reverse-cache [disable|enable]
        set webproxy-profile {string}
        set http-tunnel-auth [enable|disable]
        set ssh-policy-redirect [enable|disable]
        set webproxy-forward-server {string}
        set isolator-server {string}
        config groups
            Description: Names of user groups that can authenticate with this policy.
            edit <name>
            next
        end
        config users
            Description: Names of individual users that can authenticate with this policy.
            edit <name>
            next
        end
        set disclaimer [disable|domain|...]
        set comments {var-string}
        set redirect-url {var-string}
        config custom-log-fields
            Description: Custom fields to append to log messages for this policy.
            edit <field-id>
            next
        end
        config tags
            Description: Names of object-tags applied to this policy.
            edit <name>
            next
        end
        set replacemsg-override-group {string}
        set srcaddr-negate [enable|disable]
        set dstaddr-negate [enable|disable]
        set service-negate [enable|disable]
        set internet-service-negate [enable|disable]
        set decrypted-traffic-mirror {string}
        set scan-botnet-connections [disable|block]
        set utm-status [enable|disable]
        set profile-type [single|group]
        set profile-group {string}
        set av-profile {string}
        set ia-profile {string}
        set webfilter-profile {string}
        set dnsfilter-profile {string}
        set spamfilter-profile {string}
        set dlp-sensor {string}
        set ips-sensor {string}
        set application-list {string}
        set icap-profile {string}
        set cifs-profile {string}
        set ssh-filter-profile {string}
        set profile-protocol-options {string}
        set ssl-ssh-profile {string}
        set max-session-per-user {integer}
    next
end

config firewall policy

Parameter

Description

Type

Size

policyid

Policy ID.

integer

Minimum value: 0 Maximum value: 4294967294

type

Type of policy.

option

Option	Description
explicit-web	Explicit Web Proxy policy
transparent	Transparent firewall policy
explicit-ftp	Explicit FTP Proxy policy
ssh-tunnel	SSH Tunnel policy
ssh	SSH policy
wanopt	WANopt Tunnel

force-proxy

Force proxy.

option

Option	Description
enable	Force all TCP transparent traffic to proxy.
disable	Do not force TCP transparent traffic to proxy.

dynamic-bypass

Dynamic bypass.

option

Option	Description
enable	Enable dynamic bypass to all HTTP traffic in this policy.
disable	Disable dynamic bypass to all HTTP traffic in this policy.

name

Policy name.

string

Maximum length: 35

explicit-web-proxy

Explicit web proxy.

string

Maximum length: 35

transparent

set webproxy to use original client address.

option

Option	Description
enable	Enable using original client address for webproxy.
disable	Disable using original client address for webproxy.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

Option	Description
enable	Enable use of Internet Services in policy.
disable	Disable use of Internet Services in policy.

action

Policy action (allow/deny).

option

Option	Description
accept	Allows session that match the firewall policy.
deny	Blocks sessions that match the firewall policy.
redirect	Redirect sessions that match the firewall policy to a url.
isolate	Isolate sessions that match the firewall policy with isolator.

status

Enable or disable this policy.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

schedule

Schedule name.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

Option	Description
all	Log all sessions accepted or denied by this policy.
utm	Log traffic that has a security profile applied to it.
disable	Disable all logging for this policy.

logtraffic-start

Record logs when a session starts and ends.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

log-http-transaction

Enable/disable http transaction log.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

wanopt

Enable/disable WAN optimization.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

wanopt-detection

WAN optimization auto-detection mode.

option

Option	Description
active	Active WAN optimization peer auto-detection.
passive	Passive WAN optimization peer auto-detection.
off	Turn off WAN optimization peer auto-detection.

wanopt-passive-opt

WAN optimization passive mode options. This option decides what IP address will be used to connect server.

option

Option	Description
default	Allow client side WAN opt peer to decide.
transparent	Use address of client to connect to server.
non-transparent	Use local FortiProxy address to connect to server.

wanopt-profile

WAN optimization profile.

string

Maximum length: 35

wanopt-peer

WAN optimization peer.

string

Maximum length: 35

webcache

Enable/disable web cache.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

webcache-https

Enable/disable web cache for HTTPS.

option

Option	Description
disable	Disable web cache for HTTPS.
enable	Enable web cache for HTTPS.

reverse-cache

Enable/disable reverse cache servers.

option

Option	Description
disable	Disable reverse cache.
enable	Enable reverse cache servers.

webproxy-profile

Web proxy profile using when none matched policy.

string

Maximum length: 63

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

ssh-policy-redirect

Redirect SSH traffic to match ssh policy.

option

Option	Description
enable	Enable SSH policy redirect.
disable	Disable SSH policy redirect.

webproxy-forward-server

Web proxy forward server name.

string

Maximum length: 63

isolator-server

isolator server name.

string

Maximum length: 63

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

Option	Description
disable	Disable disclaimer.
domain	Display disclaimer for domain
policy	Display disclaimer for policy
user	Display disclaimer for current user

comments

Comment.

var-string

Maximum length: 1023

redirect-url

Redirect URL for further web proxy processing.

var-string

Maximum length: 1023

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

Option	Description
enable	Enable source address negate.
disable	Disable source address negate.

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

Option	Description
enable	Enable destination address negate.
disable	Disable destination address negate.

service-negate

When enabled service specifies what the service must NOT be.

option

Option	Description
enable	Enable negated service match.
disable	Disable negated service match.

internet-service-negate

When enabled internet-service specifies what the service must NOT be.

option

Option	Description
enable	Enable negated Internet Service match.
disable	Disable negated Internet Service match.

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

scan-botnet-connections

Block or monitor connections to Botnet servers or disable Botnet scanning.

option

Option	Description
disable	Do not scan connections to botnet servers.
block	Block connections to botnet servers.

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

Option	Description
single	Do not allow security profile groups.
group	Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

ia-profile

Image analyzer profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

spamfilter-profile

Name of an existing Spam filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

max-session-per-user

Max UTM sessions per user.

integer

Minimum value: 0 Maximum value: 4294967295

config srcintf

Parameter	Description	Type	Size
name	Interface name.	string	Maximum length: 64

config dstintf

Parameter	Description	Type	Size
name	Interface name.	string	Maximum length: 64

config srcaddr

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config srcaddr6

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config poolname

Parameter	Description	Type	Size
name	IP pool name.	string	Maximum length: 64

config dstaddr

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config dstaddr6

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config internet-service-id

Parameter	Description	Type	Size
id	Internet Service ID.	integer	Minimum value: 0 Maximum value: 4294967295

config internet-service-custom

Parameter	Description	Type	Size
name	Custom Internet Service name.	string	Maximum length: 64

config service

Parameter	Description	Type	Size
name	Service and service group names.	string	Maximum length: 64

config groups

Parameter	Description	Type	Size
name	Group name.	string	Maximum length: 64

config users

Parameter	Description	Type	Size
name	Names of individual users that can authenticate with this policy.	string	Maximum length: 64

config custom-log-fields

Parameter	Description	Type	Size
field-id	Custom log field.	string	Maximum length: 35

config tags

Parameter	Description	Type	Size
name	Tag name.	string	Maximum length: 64

config firewall policy

Configure firewall policies.

config firewall policy
    Description: Configure firewall policies.
    edit <policyid>
        set type [explicit-web|transparent|...]
        set force-proxy [enable|disable]
        set dynamic-bypass [enable|disable]
        set name {string}
        set explicit-web-proxy {string}
        config srcintf
            Description: Incoming (ingress) interface.
            edit <name>
            next
        end
        config dstintf
            Description: Outgoing (egress) interface.
            edit <name>
            next
        end
        config srcaddr
            Description: Source address and address group names.
            edit <name>
            next
        end
        config srcaddr6
            Description: IPv6 source address (web proxy only).
            edit <name>
            next
        end
        set transparent [enable|disable]
        config poolname
            Description: Name of IP pool object.
            edit <name>
            next
        end
        config dstaddr
            Description: Destination address and address group names.
            edit <name>
            next
        end
        config dstaddr6
            Description: IPv6 destination address (web proxy only).
            edit <name>
            next
        end
        set internet-service [enable|disable]
        config internet-service-id
            Description: Internet Service ID.
            edit <id>
            next
        end
        config internet-service-custom
            Description: Custom Internet Service Name.
            edit <name>
            next
        end
        set action [accept|deny|...]
        set status [enable|disable]
        set schedule {string}
        config service
            Description: Service and service group names.
            edit <name>
            next
        end
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set log-http-transaction [enable|disable]
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-profile {string}
        set wanopt-peer {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set reverse-cache [disable|enable]
        set webproxy-profile {string}
        set http-tunnel-auth [enable|disable]
        set ssh-policy-redirect [enable|disable]
        set webproxy-forward-server {string}
        set isolator-server {string}
        config groups
            Description: Names of user groups that can authenticate with this policy.
            edit <name>
            next
        end
        config users
            Description: Names of individual users that can authenticate with this policy.
            edit <name>
            next
        end
        set disclaimer [disable|domain|...]
        set comments {var-string}
        set redirect-url {var-string}
        config custom-log-fields
            Description: Custom fields to append to log messages for this policy.
            edit <field-id>
            next
        end
        config tags
            Description: Names of object-tags applied to this policy.
            edit <name>
            next
        end
        set replacemsg-override-group {string}
        set srcaddr-negate [enable|disable]
        set dstaddr-negate [enable|disable]
        set service-negate [enable|disable]
        set internet-service-negate [enable|disable]
        set decrypted-traffic-mirror {string}
        set scan-botnet-connections [disable|block]
        set utm-status [enable|disable]
        set profile-type [single|group]
        set profile-group {string}
        set av-profile {string}
        set ia-profile {string}
        set webfilter-profile {string}
        set dnsfilter-profile {string}
        set spamfilter-profile {string}
        set dlp-sensor {string}
        set ips-sensor {string}
        set application-list {string}
        set icap-profile {string}
        set cifs-profile {string}
        set ssh-filter-profile {string}
        set profile-protocol-options {string}
        set ssl-ssh-profile {string}
        set max-session-per-user {integer}
    next
end

config firewall policy

Parameter

Description

Type

Size

policyid

Policy ID.

integer

Minimum value: 0 Maximum value: 4294967294

type

Type of policy.

option

Option	Description
explicit-web	Explicit Web Proxy policy
transparent	Transparent firewall policy
explicit-ftp	Explicit FTP Proxy policy
ssh-tunnel	SSH Tunnel policy
ssh	SSH policy
wanopt	WANopt Tunnel

force-proxy

Force proxy.

option

Option	Description
enable	Force all TCP transparent traffic to proxy.
disable	Do not force TCP transparent traffic to proxy.

dynamic-bypass

Dynamic bypass.

option

Option	Description
enable	Enable dynamic bypass to all HTTP traffic in this policy.
disable	Disable dynamic bypass to all HTTP traffic in this policy.

name

Policy name.

string

Maximum length: 35

explicit-web-proxy

Explicit web proxy.

string

Maximum length: 35

transparent

set webproxy to use original client address.

option

Option	Description
enable	Enable using original client address for webproxy.
disable	Disable using original client address for webproxy.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

Option	Description
enable	Enable use of Internet Services in policy.
disable	Disable use of Internet Services in policy.

action

Policy action (allow/deny).

option

Option	Description
accept	Allows session that match the firewall policy.
deny	Blocks sessions that match the firewall policy.
redirect	Redirect sessions that match the firewall policy to a url.
isolate	Isolate sessions that match the firewall policy with isolator.

status

Enable or disable this policy.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

schedule

Schedule name.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

Option	Description
all	Log all sessions accepted or denied by this policy.
utm	Log traffic that has a security profile applied to it.
disable	Disable all logging for this policy.

logtraffic-start

Record logs when a session starts and ends.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

log-http-transaction

Enable/disable http transaction log.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

wanopt

Enable/disable WAN optimization.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

wanopt-detection

WAN optimization auto-detection mode.

option

Option	Description
active	Active WAN optimization peer auto-detection.
passive	Passive WAN optimization peer auto-detection.
off	Turn off WAN optimization peer auto-detection.

wanopt-passive-opt

WAN optimization passive mode options. This option decides what IP address will be used to connect server.

option

Option	Description
default	Allow client side WAN opt peer to decide.
transparent	Use address of client to connect to server.
non-transparent	Use local FortiProxy address to connect to server.

wanopt-profile

WAN optimization profile.

string

Maximum length: 35

wanopt-peer

WAN optimization peer.

string

Maximum length: 35

webcache

Enable/disable web cache.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

webcache-https

Enable/disable web cache for HTTPS.

option

Option	Description
disable	Disable web cache for HTTPS.
enable	Enable web cache for HTTPS.

reverse-cache

Enable/disable reverse cache servers.

option

Option	Description
disable	Disable reverse cache.
enable	Enable reverse cache servers.

webproxy-profile

Web proxy profile using when none matched policy.

string

Maximum length: 63

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

ssh-policy-redirect

Redirect SSH traffic to match ssh policy.

option

Option	Description
enable	Enable SSH policy redirect.
disable	Disable SSH policy redirect.

webproxy-forward-server

Web proxy forward server name.

string

Maximum length: 63

isolator-server

isolator server name.

string

Maximum length: 63

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

Option	Description
disable	Disable disclaimer.
domain	Display disclaimer for domain
policy	Display disclaimer for policy
user	Display disclaimer for current user

comments

Comment.

var-string

Maximum length: 1023

redirect-url

Redirect URL for further web proxy processing.

var-string

Maximum length: 1023

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

Option	Description
enable	Enable source address negate.
disable	Disable source address negate.

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

Option	Description
enable	Enable destination address negate.
disable	Disable destination address negate.

service-negate

When enabled service specifies what the service must NOT be.

option

Option	Description
enable	Enable negated service match.
disable	Disable negated service match.

internet-service-negate

When enabled internet-service specifies what the service must NOT be.

option

Option	Description
enable	Enable negated Internet Service match.
disable	Disable negated Internet Service match.

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

scan-botnet-connections

Block or monitor connections to Botnet servers or disable Botnet scanning.

option

Option	Description
disable	Do not scan connections to botnet servers.
block	Block connections to botnet servers.

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

Option	Description
enable	Enable setting.
disable	Disable setting.

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

Option	Description
single	Do not allow security profile groups.
group	Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

ia-profile

Image analyzer profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

spamfilter-profile

Name of an existing Spam filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

max-session-per-user

Max UTM sessions per user.

integer

Minimum value: 0 Maximum value: 4294967295

config srcintf

Parameter	Description	Type	Size
name	Interface name.	string	Maximum length: 64

config dstintf

Parameter	Description	Type	Size
name	Interface name.	string	Maximum length: 64

config srcaddr

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config srcaddr6

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config poolname

Parameter	Description	Type	Size
name	IP pool name.	string	Maximum length: 64

config dstaddr

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config dstaddr6

Parameter	Description	Type	Size
name	Address name.	string	Maximum length: 64

config internet-service-id

Parameter	Description	Type	Size
id	Internet Service ID.	integer	Minimum value: 0 Maximum value: 4294967295

config internet-service-custom

Parameter	Description	Type	Size
name	Custom Internet Service name.	string	Maximum length: 64

config service

Parameter	Description	Type	Size
name	Service and service group names.	string	Maximum length: 64

config groups

Parameter	Description	Type	Size
name	Group name.	string	Maximum length: 64

config users

Parameter	Description	Type	Size
name	Names of individual users that can authenticate with this policy.	string	Maximum length: 64

config custom-log-fields

Parameter	Description	Type	Size
field-id	Custom log field.	string	Maximum length: 35

config tags

Parameter	Description	Type	Size
name	Tag name.	string	Maximum length: 64

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference

config firewall policy

config firewall policy

config firewall policy

config srcintf

config dstintf

config srcaddr

config srcaddr6

config poolname

config dstaddr

config dstaddr6

config internet-service-id