Fortinet white logo
Fortinet white logo

CLI Reference

config firewall vip

config firewall vip

Configure virtual IP for IPv4.

config firewall vip
    Description: Configure virtual IP for IPv4.
    edit <name>
        set id {integer}
        set uuid {uuid}
        set comment {var-string}
        set type [static-nat|access-proxy]
        set extip {user}
        set mappedip <range1>, <range2>, ...
        set extintf {string}
        set arp-reply [disable|enable]
        set server-type [http|https|...]
        set http-redirect [enable|disable]
        set portforward [disable|enable]
        set status [disable|enable]
        set protocol [tcp|udp|...]
        set extport {user}
        set mappedport {user}
        set gratuitous-arp-interval {integer}
        set ssl-certificate {string}
        set ssl-dh-bits [768|1024|...]
        set ssl-algorithm [high|medium|...]
        set ssl-pfs [require|deny|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set color {integer}
    next
end

config firewall vip

Parameter

Description

Type

Size

Default

name

Virtual IP name.

string

Maximum length: 79

id

Custom defined ID.

integer

Minimum value: 0 Maximum value: 65535

0

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

comment

Comment.

var-string

Maximum length: 255

type

Configure between a static NAT and access proxy VIP.

option

-

static-nat

Option

Description

static-nat

Static NAT.

access-proxy

Access proxy.

extip

IP address or address range on the external interface that you want to map to an address or address range on the destination network.

user

Not Specified

mappedip <range>

IP address or address range on the destination network to which the external IP address is mapped.

Mapped IP range.

string

Maximum length: 79

extintf

Interface connected to the source network that receives the packets that will be forwarded to the destination network.

string

Maximum length: 35

arp-reply

Enable to respond to ARP requests for this virtual IP address. Enabled by default.

option

-

enable

Option

Description

disable

Disable ARP reply.

enable

Enable ARP reply.

server-type

Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).

option

-

Option

Description

http

HTTP.

https

HTTPS.

imaps

IMAPS.

pop3s

POP3S.

smtps

SMTPS.

ssl

SSL.

tcp

TCP.

udp

UDP.

ip

IP.

http-redirect

Enable/disable redirection of HTTP to HTTPS.

option

-

disable

Option

Description

enable

Enable redirection of HTTP to HTTPS.

disable

Disable redirection of HTTP to HTTPS.

portforward

Enable/disable port forwarding.

option

-

disable

Option

Description

disable

Disable port forward.

enable

Enable port forward.

status

Enable/disable VIP.

option

-

enable

Option

Description

disable

Disable the VIP.

enable

Enable the VIP.

protocol

Protocol to use when forwarding packets.

option

-

tcp

Option

Description

tcp

TCP.

udp

UDP.

sctp

SCTP.

icmp

ICMP.

extport

Incoming port number range that you want to map to a port number range on the destination network.

user

Not Specified

mappedport

Port number range on the destination network to which the external port number range is mapped.

user

Not Specified

gratuitous-arp-interval

Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.

integer

Minimum value: 5 Maximum value: 8640000

0

ssl-certificate

The name of the certificate to use for SSL handshake.

string

Maximum length: 35

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for SSL sessions according to encryption strength.

option

-

high

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom

Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-pfs

Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

option

-

require

Option

Description

require

Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny

Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow

Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

ssl-min-version

Lowest SSL/TLS version acceptable from a client.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a client.

option

-

tls-1.3

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0

config firewall vip

config firewall vip

Configure virtual IP for IPv4.

config firewall vip
    Description: Configure virtual IP for IPv4.
    edit <name>
        set id {integer}
        set uuid {uuid}
        set comment {var-string}
        set type [static-nat|access-proxy]
        set extip {user}
        set mappedip <range1>, <range2>, ...
        set extintf {string}
        set arp-reply [disable|enable]
        set server-type [http|https|...]
        set http-redirect [enable|disable]
        set portforward [disable|enable]
        set status [disable|enable]
        set protocol [tcp|udp|...]
        set extport {user}
        set mappedport {user}
        set gratuitous-arp-interval {integer}
        set ssl-certificate {string}
        set ssl-dh-bits [768|1024|...]
        set ssl-algorithm [high|medium|...]
        set ssl-pfs [require|deny|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set color {integer}
    next
end

config firewall vip

Parameter

Description

Type

Size

Default

name

Virtual IP name.

string

Maximum length: 79

id

Custom defined ID.

integer

Minimum value: 0 Maximum value: 65535

0

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

comment

Comment.

var-string

Maximum length: 255

type

Configure between a static NAT and access proxy VIP.

option

-

static-nat

Option

Description

static-nat

Static NAT.

access-proxy

Access proxy.

extip

IP address or address range on the external interface that you want to map to an address or address range on the destination network.

user

Not Specified

mappedip <range>

IP address or address range on the destination network to which the external IP address is mapped.

Mapped IP range.

string

Maximum length: 79

extintf

Interface connected to the source network that receives the packets that will be forwarded to the destination network.

string

Maximum length: 35

arp-reply

Enable to respond to ARP requests for this virtual IP address. Enabled by default.

option

-

enable

Option

Description

disable

Disable ARP reply.

enable

Enable ARP reply.

server-type

Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).

option

-

Option

Description

http

HTTP.

https

HTTPS.

imaps

IMAPS.

pop3s

POP3S.

smtps

SMTPS.

ssl

SSL.

tcp

TCP.

udp

UDP.

ip

IP.

http-redirect

Enable/disable redirection of HTTP to HTTPS.

option

-

disable

Option

Description

enable

Enable redirection of HTTP to HTTPS.

disable

Disable redirection of HTTP to HTTPS.

portforward

Enable/disable port forwarding.

option

-

disable

Option

Description

disable

Disable port forward.

enable

Enable port forward.

status

Enable/disable VIP.

option

-

enable

Option

Description

disable

Disable the VIP.

enable

Enable the VIP.

protocol

Protocol to use when forwarding packets.

option

-

tcp

Option

Description

tcp

TCP.

udp

UDP.

sctp

SCTP.

icmp

ICMP.

extport

Incoming port number range that you want to map to a port number range on the destination network.

user

Not Specified

mappedport

Port number range on the destination network to which the external port number range is mapped.

user

Not Specified

gratuitous-arp-interval

Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.

integer

Minimum value: 5 Maximum value: 8640000

0

ssl-certificate

The name of the certificate to use for SSL handshake.

string

Maximum length: 35

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for SSL sessions according to encryption strength.

option

-

high

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom

Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-pfs

Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

option

-

require

Option

Description

require

Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny

Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow

Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

ssl-min-version

Lowest SSL/TLS version acceptable from a client.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a client.

option

-

tls-1.3

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0