Document
Library

CLI Reference

FortiProxy CLI Interface
alertemail
- config alertemail setting
antivirus
- config antivirus profile
- config antivirus quarantine
- config antivirus settings
application
- config application custom
- config application group
- config application list
- config application name
- config application rule-settings
authentication
- config authentication rule
- config authentication scheme
- config authentication setting
certificate
- config certificate ca
- config certificate crl
- config certificate local
- config certificate remote
dlp
- config dlp filepattern
- config dlp fp-doc-source
- config dlp sensitivity
- config dlp sensor
- config dlp settings
dnsfilter
- config dnsfilter domain-filter
- config dnsfilter profile
emailfilter
- config emailfilter block-allow-list
- config emailfilter bword
- config emailfilter dnsbl
- config emailfilter fortishield
- config emailfilter iptrust
- config emailfilter mheader
- config emailfilter options
- config emailfilter profile
endpoint-control
- config endpoint-control fctems
file-filter
- config file-filter profile
firewall
- config firewall access-proxy-ssh-client-cert
- config firewall access-proxy-virtual-host
- config firewall access-proxy
- config firewall access-proxy6
- config firewall address
- config firewall address6-template
- config firewall address6
- config firewall addrgrp
- config firewall addrgrp6
- config firewall auth-portal
- config firewall central-snat-map
- config firewall city
- config firewall country
- config firewall decrypted-traffic-mirror
- config firewall identity-based-route
- config firewall internet-service-addition
- config firewall internet-service-append
- config firewall internet-service-botnet
- config firewall internet-service-custom-group
- config firewall internet-service-custom
- config firewall internet-service-definition
- config firewall internet-service-extension
- config firewall internet-service-group
- config firewall internet-service-ipbl-reason
- config firewall internet-service-ipbl-vendor
- config firewall internet-service-list
- config firewall internet-service-name
- config firewall internet-service-owner
- config firewall internet-service-reputation
- config firewall internet-service-sld
- config firewall internet-service
- config firewall ippool
- config firewall ippool6
- config firewall policy
- config firewall profile-group
- config firewall profile-protocol-options
- config firewall proxy-address
- config firewall proxy-addrgrp
- config firewall region
- config firewall schedule group
- config firewall schedule onetime
- config firewall schedule recurring
- config firewall service category
- config firewall service custom
- config firewall service group
- config firewall shaping-policy
- config firewall shaping-profile
- config firewall sniffer
- config firewall ssh host-key
- config firewall ssh local-ca
- config firewall ssh local-key
- config firewall ssh setting
- config firewall ssl-server
- config firewall ssl-ssh-profile
- config firewall ssl default-certificate
- config firewall ssl keyring-list
- config firewall ssl setting
- config firewall traffic-class
- config firewall ttl-policy
- config firewall vendor-mac-summary
- config firewall vendor-mac
- config firewall vip
- config firewall vipgrp
- config firewall wildcard-fqdn custom
- config firewall wildcard-fqdn group
ftp-proxy
- config ftp-proxy explicit
hardware
- config hardware cpu
- config hardware memory
- config hardware nic
- config hardware status
icap
- config icap local-server
- config icap profile
- config icap remote-server-group
- config icap remote-server
image-analyzer
- config image-analyzer profile
ips
- config ips custom
- config ips decoder
- config ips global
- config ips rule-settings
- config ips rule
- config ips sensor
- config ips session
- config ips settings
- config ips view-map
ipsec
- config ipsec tunnel
isolator
- config isolator profile
log
- config log custom-field
- config log disk filter
- config log disk setting
- config log eventfilter
- config log fortianalyzer-cloud filter
- config log fortianalyzer-cloud override-filter
- config log fortianalyzer-cloud override-setting
- config log fortianalyzer-cloud setting
- config log fortianalyzer2 filter
- config log fortianalyzer2 override-filter
- config log fortianalyzer2 override-setting
- config log fortianalyzer2 setting
- config log fortianalyzer3 filter
- config log fortianalyzer3 override-filter
- config log fortianalyzer3 override-setting
- config log fortianalyzer3 setting
- config log fortianalyzer filter
- config log fortianalyzer override-filter
- config log fortianalyzer override-setting
- config log fortianalyzer setting
- config log fortiguard filter
- config log fortiguard override-filter
- config log fortiguard override-setting
- config log fortiguard setting
- config log gui-display
- config log memory filter
- config log memory global-setting
- config log memory setting
- config log null-device filter
- config log null-device setting
- config log setting
- config log syslogd2 filter
- config log syslogd2 override-filter
- config log syslogd2 override-setting
- config log syslogd2 setting
- config log syslogd3 filter
- config log syslogd3 override-filter
- config log syslogd3 override-setting
- config log syslogd3 setting
- config log syslogd4 filter
- config log syslogd4 override-filter
- config log syslogd4 override-setting
- config log syslogd4 setting
- config log syslogd filter
- config log syslogd override-filter
- config log syslogd override-setting
- config log syslogd setting
- config log tacacs+accounting2 filter
- config log tacacs+accounting2 setting
- config log tacacs+accounting3 filter
- config log tacacs+accounting3 setting
- config log tacacs+accounting filter
- config log tacacs+accounting setting
- config log threat-weight
- config log webtrends filter
- config log webtrends setting
mgmt-data
- config mgmt-data status
report
- config report layout
- config report setting
- config report sql status
router
- config router policy
- config router static
- config router static6
ssh-filter
- config ssh-filter profile
system
- config system accprofile
- config system acme
- config system admin
- config system affinity-interrupt
- config system affinity-packet-redistribution
- config system alarm
- config system alias
- config system api-user
- config system arp-table
- config system arp
- config system auto-install
- config system auto-script
- config system auto-update status
- config system auto-update versions
- config system automation-action
- config system automation-destination
- config system automation-stitch
- config system automation-trigger
- config system autoupdate schedule
- config system autoupdate tunneling
- config system central-management
- config system central-mgmt
- config system checksum status
- config system cmdb
- config system console
- config system csf
- config system custom-language
- config system ddns
- config system dedicated-mgmt
- config system dhcp6 server
- config system dhcp server
- config system dns-database
- config system dns-server
- config system dns
- config system dscp-based-priority
- config system email-server
- config system external-resource
- config system federated-upgrade
- config system fips-cc
- config system fortianalyzer-connectivity
- config system fortiguard-log-service
- config system fortiguard-service
- config system fortiguard
- config system fortindr
- config system fortisandbox
- config system fsso-polling
- config system ftm-push
- config system geoip-country
- config system geoip-override
- config system global
- config system gre-tunnel
- config system ha-monitor
- config system ha-nonsync-csum
- config system ha
- config system info admin ssh
- config system info admin status
- config system interface
- config system ip-conflict status
- config system ipam
- config system ips-urlfilter-dns
- config system ips-urlfilter-dns6
- config system ips
- config system ipv6-neighbor-cache
- config system link-monitor
- config system mac-address-table
- config system management-tunnel
- config system mgmt-csum
- config system nethsm
- config system network-visibility
- config system ntp
- config system object-tagging
- config system password-policy-guest-admin
- config system password-policy
- config system performance status
- config system performance top
- config system probe-response
- config system proxy-arp
- config system ptp
- config system replacemsg-group
- config system replacemsg-image
- config system replacemsg admin
- config system replacemsg alertmail
- config system replacemsg auth
- config system replacemsg automation
- config system replacemsg fortiguard-wf
- config system replacemsg ftp
- config system replacemsg http
- config system replacemsg icap
- config system replacemsg mail
- config system replacemsg nac-quar
- config system replacemsg spam
- config system replacemsg sslvpn
- config system replacemsg traffic-quota
- config system replacemsg utm
- config system replacemsg webproxy
- config system resource-limits
- config system saml
- config system sdn-connector
- config system session-ttl
- config system session
- config system session6
- config system settings
- config system sms-server
- config system snmp community
- config system snmp sysinfo
- config system snmp user
- config system source-ip status
- config system span-port
- config system speed-test-schedule
- config system speed-test-server
- config system sso-admin
- config system sso-forticloud-admin
- config system startup-error-log
- config system status
- config system storage
- config system vdom-dns
- config system vdom-exception
- config system vdom-property
- config system vdom-radius-server
- config system vdom
- config system vne-tunnel
- config system vxlan
- config system wccp
- config system zone
test
- config test acd
- config test acsd
- config test autod
- config test awsd
- config test azd
- config test bfd
- config test csfd
- config test ddnscd
- config test dhcp6c
- config test dhcp6r
- config test dhcprelay
- config test dlpfingerprint
- config test dlpfpcache
- config test dnsproxy
- config test dsd
- config test fas
- config test fcnacd
- config test fds_notify
- config test fnbamd
- config test forticldd
- config test forticron
- config test fsd
- config test fsvrd
- config test gcpd
- config test harelay
- config test hasync
- config test hatalk
- config test ibmd
- config test imap
- config test init
- config test iotd
- config test ipamd
- config test ipamsd
- config test ipldbd
- config test ipsengine
- config test ipsmonitor
- config test ipsufd
- config test kubed
- config test l2tpcd
- config test lnkmtd
- config test miglogd
- config test mrd
- config test netxd
- config test nntp
- config test ocid
- config test openstackd
- config test ovrd
- config test pop3
- config test pptpcd
- config test quarantined
- config test radius-das
- config test radiusd
- config test radvd
- config test reportd
- config test rt_router
- config test sdncd
- config test sdnd
- config test sepmd
- config test sessionsync
- config test sfupgraded
- config test smtp
- config test snmpd
- config test syslogd
- config test updated
- config test uploadd
- config test urlfilter
- config test vned
- config test wad
- config test wccpd
- config test wf_monitor
- config test wiredapd
user
- config user adgrp
- config user certificate
- config user domain-controller
- config user exchange
- config user fortitoken
- config user fsso-polling
- config user fsso
- config user group
- config user krb-keytab
- config user ldap
- config user local
- config user password-policy
- config user peer
- config user peergrp
- config user pop3
- config user radius
- config user saml
- config user security-exempt-list
- config user setting
- config user tacacs+
videofilter
- config videofilter profile
- config videofilter youtube-channel-filter
- config videofilter youtube-key
vpn
- config vpn certificate ca
- config vpn certificate crl
- config vpn certificate local
- config vpn certificate ocsp-server
- config vpn certificate remote
- config vpn certificate setting
- config vpn ipsec phase1-interface
- config vpn ipsec phase2-interface
- config vpn ssl monitor
- config vpn ssl settings
- config vpn ssl web host-check-software
- config vpn ssl web portal
- config vpn ssl web realm
- config vpn ssl web user-bookmark
- config vpn ssl web user-group-bookmark
waf
- config waf main-class
- config waf profile
- config waf signature
- config waf sub-class
wanopt
- config wanopt auth-group
- config wanopt cache-service
- config wanopt content-delivery-network-rule
- config wanopt peer
- config wanopt profile
- config wanopt remote-storage
- config wanopt settings
web-proxy
- config web-proxy debug-url
- config web-proxy dynamic-bypass
- config web-proxy explicit-proxy
- config web-proxy forward-server-group
- config web-proxy forward-server
- config web-proxy global
- config web-proxy isolator-server
- config web-proxy pac-policy
- config web-proxy profile
- config web-proxy url-list
- config web-proxy url-match
- config web-proxy wisp
webcache
- config webcache prefetch
- config webcache reverse-cache-server
- config webcache settings
- config webcache user-agent
webfilter
- config webfilter categories
- config webfilter content-header
- config webfilter content
- config webfilter fortiguard
- config webfilter ftgd-local-cat
- config webfilter ftgd-local-rating
- config webfilter ftgd-statistics
- config webfilter ips-urlfilter-cache-setting
- config webfilter ips-urlfilter-setting
- config webfilter ips-urlfilter-setting6
- config webfilter override-usr
- config webfilter override
- config webfilter profile
- config webfilter search-engine
- config webfilter status
- config webfilter urlfilter
Change Log

Home FortiProxy 7.2.1 CLI Reference

7.2.1

config firewall service custom

config firewall service custom

Configure custom services.

config firewall service custom
    Description: Configure custom services.
    edit <name>
        set proxy [enable|disable]
        set category {string}
        set protocol [TCP/UDP/SCTP|ICMP|...]
        set iprange {user}
        set fqdn {string}
        set protocol-number {integer}
        set icmptype {integer}
        set icmpcode {integer}
        set tcp-portrange {user}
        set udp-portrange {user}
        set sctp-portrange {user}
        set tcp-halfclose-timer {integer}
        set tcp-halfopen-timer {integer}
        set tcp-timewait-timer {integer}
        set tcp-rst-timer {integer}
        set udp-idle-timer {integer}
        set session-ttl {user}
        set check-reset-range [disable|strict|...]
        set comment {var-string}
        set color {integer}
        set visibility [enable|disable]
        set app-service-type [disable|app-id|...]
        set app-category <id1>, <id2>, ...
        set application <id1>, <id2>, ...
        set fabric-object [enable|disable]
    next
end

config firewall service custom

Parameter

Description

Type

Size

Default

proxy

Enable/disable web proxy service.

option

-

disable

Option	Description
enable	Enable setting.
disable	Disable setting.

category

Service category.

string

Maximum length: 63

protocol

Protocol type based on IANA numbers.

option

-

TCP/UDP/SCTP

Option	Description
TCP/UDP/SCTP	TCP, UDP and SCTP.
ICMP	ICMP.
ICMP6	ICMP6.
IP	IP.
HTTP	HTTP - for web proxy.
FTP	FTP - for web proxy.
CONNECT	Connect - for web proxy.
SOCKS-TCP	Socks TCP - for web proxy.
SOCKS-UDP	Socks UDP - for web proxy.
ALL	All - for web proxy.

iprange

Start and end of the IP range associated with service.

user

Not Specified

fqdn

Fully qualified domain name.

string

Maximum length: 255

protocol-number

IP protocol number.

integer

Minimum value: 0 Maximum value: 254

0

icmptype

ICMP type.

integer

Minimum value: 0 Maximum value: 4294967295

icmpcode

ICMP code.

integer

Minimum value: 0 Maximum value: 255

tcp-portrange

Multiple TCP port ranges.

user

Not Specified

udp-portrange

Multiple UDP port ranges.

user

Not Specified

sctp-portrange

Multiple SCTP port ranges.

user

Not Specified

tcp-halfclose-timer

Wait time to close a TCP session waiting for an unanswered FIN packet .

integer

Minimum value: 0 Maximum value: 86400

0

tcp-halfopen-timer

Wait time to close a TCP session waiting for an unanswered open session packet .

integer

Minimum value: 0 Maximum value: 86400

0

tcp-timewait-timer

Set the length of the TCP TIME-WAIT state in seconds .

integer

Minimum value: 0 Maximum value: 300

0

tcp-rst-timer

Set the length of the TCP CLOSE state in seconds .

integer

Minimum value: 5 Maximum value: 300

0

udp-idle-timer

UDP half close timeout .

integer

Minimum value: 0 Maximum value: 86400

0

session-ttl

Session TTL .

user

Not Specified

check-reset-range

Configure the type of ICMP error message verification.

option

-

default

Option	Description
disable	Disable RST range check.
strict	Check RST range strictly.
default	Using system default setting.

comment

Comment.

var-string

Maximum length: 255

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0

visibility

Enable/disable the visibility of the service on the GUI.

option

-

enable

Option	Description
enable	Show in service selection.
disable	Hide from service selection.

app-service-type

Application service type.

option

-

disable

Option	Description
disable	Disable application type.
app-id	Application ID.
app-category	Applicatin category.

app-category <id>

Application category ID.

Application category id.

integer

Minimum value: 0 Maximum value: 4294967295

application <id>

Application ID.

Application id.

integer

Minimum value: 0 Maximum value: 4294967295

fabric-object

Security Fabric global object setting.

option

-

disable

Option	Description
enable	Object is set as a security fabric-wide global object.
disable	Object is local to this security fabric member.

Previous

Next

config firewall service custom

Configure custom services.

config firewall service custom
    Description: Configure custom services.
    edit <name>
        set proxy [enable|disable]
        set category {string}
        set protocol [TCP/UDP/SCTP|ICMP|...]
        set iprange {user}
        set fqdn {string}
        set protocol-number {integer}
        set icmptype {integer}
        set icmpcode {integer}
        set tcp-portrange {user}
        set udp-portrange {user}
        set sctp-portrange {user}
        set tcp-halfclose-timer {integer}
        set tcp-halfopen-timer {integer}
        set tcp-timewait-timer {integer}
        set tcp-rst-timer {integer}
        set udp-idle-timer {integer}
        set session-ttl {user}
        set check-reset-range [disable|strict|...]
        set comment {var-string}
        set color {integer}
        set visibility [enable|disable]
        set app-service-type [disable|app-id|...]
        set app-category <id1>, <id2>, ...
        set application <id1>, <id2>, ...
        set fabric-object [enable|disable]
    next
end

config firewall service custom

Parameter

Description

Type

Size

Default

proxy

Enable/disable web proxy service.

option

-

disable

Option	Description
enable	Enable setting.
disable	Disable setting.

category

Service category.

string

Maximum length: 63

protocol

Protocol type based on IANA numbers.

option

-

TCP/UDP/SCTP

Option	Description
TCP/UDP/SCTP	TCP, UDP and SCTP.
ICMP	ICMP.
ICMP6	ICMP6.
IP	IP.
HTTP	HTTP - for web proxy.
FTP	FTP - for web proxy.
CONNECT	Connect - for web proxy.
SOCKS-TCP	Socks TCP - for web proxy.
SOCKS-UDP	Socks UDP - for web proxy.
ALL	All - for web proxy.

iprange

Start and end of the IP range associated with service.

user

Not Specified

fqdn

Fully qualified domain name.

string

Maximum length: 255

protocol-number

IP protocol number.

integer

Minimum value: 0 Maximum value: 254

0

icmptype

ICMP type.

integer

Minimum value: 0 Maximum value: 4294967295

icmpcode

ICMP code.

integer

Minimum value: 0 Maximum value: 255

tcp-portrange

Multiple TCP port ranges.

user

Not Specified

udp-portrange

Multiple UDP port ranges.

user

Not Specified

sctp-portrange

Multiple SCTP port ranges.

user

Not Specified

tcp-halfclose-timer

Wait time to close a TCP session waiting for an unanswered FIN packet .

integer

Minimum value: 0 Maximum value: 86400

0

tcp-halfopen-timer

Wait time to close a TCP session waiting for an unanswered open session packet .

integer

Minimum value: 0 Maximum value: 86400

0

tcp-timewait-timer

Set the length of the TCP TIME-WAIT state in seconds .

integer

Minimum value: 0 Maximum value: 300

0

tcp-rst-timer

Set the length of the TCP CLOSE state in seconds .

integer

Minimum value: 5 Maximum value: 300

0

udp-idle-timer

UDP half close timeout .

integer

Minimum value: 0 Maximum value: 86400

0

session-ttl

Session TTL .

user

Not Specified

check-reset-range

Configure the type of ICMP error message verification.

option

-

default

Option	Description
disable	Disable RST range check.
strict	Check RST range strictly.
default	Using system default setting.

comment

Comment.

var-string

Maximum length: 255

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0

visibility

Enable/disable the visibility of the service on the GUI.

option

-

enable

Option	Description
enable	Show in service selection.
disable	Hide from service selection.

app-service-type

Application service type.

option

-

disable

Option	Description
disable	Disable application type.
app-id	Application ID.
app-category	Applicatin category.

app-category <id>

Application category ID.

Application category id.

integer

Minimum value: 0 Maximum value: 4294967295

application <id>

Application ID.

Application id.

integer

Minimum value: 0 Maximum value: 4294967295

fabric-object

Security Fabric global object setting.

option

-

disable

Option	Description
enable	Object is set as a security fabric-wide global object.
disable	Object is local to this security fabric member.

Previous

Next