DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

CLI Reference

FortiProxy CLI Interface
alertemail
- config alertemail setting
antivirus
- config antivirus profile
- config antivirus quarantine
- config antivirus settings
application
- config application custom
- config application group
- config application list
- config application name
- config application rule-settings
authentication
- config authentication rule
- config authentication scheme
- config authentication setting
certificate
- config certificate ca
- config certificate crl
- config certificate local
- config certificate remote
dlp
- config dlp filepattern
- config dlp fp-doc-source
- config dlp sensitivity
- config dlp sensor
- config dlp settings
dnsfilter
- config dnsfilter domain-filter
- config dnsfilter profile
emailfilter
- config emailfilter block-allow-list
- config emailfilter bword
- config emailfilter dnsbl
- config emailfilter fortishield
- config emailfilter iptrust
- config emailfilter mheader
- config emailfilter options
- config emailfilter profile
endpoint-control
- config endpoint-control fctems
file-filter
- config file-filter profile
firewall
- config firewall access-proxy-ssh-client-cert
- config firewall access-proxy-virtual-host
- config firewall access-proxy
- config firewall access-proxy6
- config firewall address
- config firewall address6-template
- config firewall address6
- config firewall addrgrp
- config firewall addrgrp6
- config firewall auth-portal
- config firewall central-snat-map
- config firewall city
- config firewall country
- config firewall decrypted-traffic-mirror
- config firewall identity-based-route
- config firewall internet-service-addition
- config firewall internet-service-append
- config firewall internet-service-botnet
- config firewall internet-service-custom-group
- config firewall internet-service-custom
- config firewall internet-service-definition
- config firewall internet-service-extension
- config firewall internet-service-group
- config firewall internet-service-ipbl-reason
- config firewall internet-service-ipbl-vendor
- config firewall internet-service-list
- config firewall internet-service-name
- config firewall internet-service-owner
- config firewall internet-service-reputation
- config firewall internet-service-sld
- config firewall internet-service
- config firewall ippool
- config firewall ippool6
- config firewall policy
- config firewall profile-group
- config firewall profile-protocol-options
- config firewall proxy-address
- config firewall proxy-addrgrp
- config firewall region
- config firewall schedule group
- config firewall schedule onetime
- config firewall schedule recurring
- config firewall service category
- config firewall service custom
- config firewall service group
- config firewall shaping-policy
- config firewall shaping-profile
- config firewall sniffer
- config firewall ssh host-key
- config firewall ssh local-ca
- config firewall ssh local-key
- config firewall ssh setting
- config firewall ssl-server
- config firewall ssl-ssh-profile
- config firewall ssl default-certificate
- config firewall ssl keyring-list
- config firewall ssl setting
- config firewall traffic-class
- config firewall ttl-policy
- config firewall vendor-mac-summary
- config firewall vendor-mac
- config firewall vip
- config firewall vipgrp
- config firewall wildcard-fqdn custom
- config firewall wildcard-fqdn group
ftp-proxy
- config ftp-proxy explicit
hardware
- config hardware cpu
- config hardware memory
- config hardware nic
- config hardware status
icap
- config icap local-server
- config icap profile
- config icap remote-server-group
- config icap remote-server
image-analyzer
- config image-analyzer profile
ips
- config ips custom
- config ips decoder
- config ips global
- config ips rule-settings
- config ips rule
- config ips sensor
- config ips session
- config ips settings
- config ips view-map
ipsec
- config ipsec tunnel
isolator
- config isolator profile
log
- config log custom-field
- config log disk filter
- config log disk setting
- config log eventfilter
- config log fortianalyzer-cloud filter
- config log fortianalyzer-cloud override-filter
- config log fortianalyzer-cloud override-setting
- config log fortianalyzer-cloud setting
- config log fortianalyzer2 filter
- config log fortianalyzer2 override-filter
- config log fortianalyzer2 override-setting
- config log fortianalyzer2 setting
- config log fortianalyzer3 filter
- config log fortianalyzer3 override-filter
- config log fortianalyzer3 override-setting
- config log fortianalyzer3 setting
- config log fortianalyzer filter
- config log fortianalyzer override-filter
- config log fortianalyzer override-setting
- config log fortianalyzer setting
- config log fortiguard filter
- config log fortiguard override-filter
- config log fortiguard override-setting
- config log fortiguard setting
- config log gui-display
- config log memory filter
- config log memory global-setting
- config log memory setting
- config log null-device filter
- config log null-device setting
- config log setting
- config log syslogd2 filter
- config log syslogd2 override-filter
- config log syslogd2 override-setting
- config log syslogd2 setting
- config log syslogd3 filter
- config log syslogd3 override-filter
- config log syslogd3 override-setting
- config log syslogd3 setting
- config log syslogd4 filter
- config log syslogd4 override-filter
- config log syslogd4 override-setting
- config log syslogd4 setting
- config log syslogd filter
- config log syslogd override-filter
- config log syslogd override-setting
- config log syslogd setting
- config log tacacs+accounting2 filter
- config log tacacs+accounting2 setting
- config log tacacs+accounting3 filter
- config log tacacs+accounting3 setting
- config log tacacs+accounting filter
- config log tacacs+accounting setting
- config log threat-weight
- config log webtrends filter
- config log webtrends setting
mgmt-data
- config mgmt-data status
report
- config report layout
- config report setting
- config report sql status
router
- config router policy
- config router static
- config router static6
ssh-filter
- config ssh-filter profile
system
- config system accprofile
- config system acme
- config system admin
- config system affinity-interrupt
- config system affinity-packet-redistribution
- config system alarm
- config system alias
- config system api-user
- config system arp-table
- config system arp
- config system auto-install
- config system auto-script
- config system auto-update status
- config system auto-update versions
- config system automation-action
- config system automation-destination
- config system automation-stitch
- config system automation-trigger
- config system autoupdate schedule
- config system autoupdate tunneling
- config system central-management
- config system central-mgmt
- config system checksum status
- config system cmdb
- config system console
- config system csf
- config system custom-language
- config system ddns
- config system dedicated-mgmt
- config system dhcp6 server
- config system dhcp server
- config system dns-database
- config system dns-server
- config system dns
- config system dscp-based-priority
- config system email-server
- config system external-resource
- config system federated-upgrade
- config system fips-cc
- config system fortianalyzer-connectivity
- config system fortiguard-log-service
- config system fortiguard-service
- config system fortiguard
- config system fortindr
- config system fortisandbox
- config system fsso-polling
- config system ftm-push
- config system geoip-country
- config system geoip-override
- config system global
- config system gre-tunnel
- config system ha-lic
- config system ha-monitor
- config system ha-nonsync-csum
- config system ha
- config system info admin ssh
- config system info admin status
- config system interface
- config system ip-conflict status
- config system ipam
- config system ips-urlfilter-dns
- config system ips-urlfilter-dns6
- config system ips
- config system ipv6-neighbor-cache
- config system link-monitor
- config system mac-address-table
- config system management-tunnel
- config system mgmt-csum
- config system nethsm
- config system network-visibility
- config system ntp
- config system object-tagging
- config system password-policy-guest-admin
- config system password-policy
- config system performance status
- config system performance top
- config system probe-response
- config system proxy-arp
- config system ptp
- config system replacemsg-group
- config system replacemsg-image
- config system replacemsg admin
- config system replacemsg alertmail
- config system replacemsg auth
- config system replacemsg automation
- config system replacemsg fortiguard-wf
- config system replacemsg ftp
- config system replacemsg http
- config system replacemsg icap
- config system replacemsg mail
- config system replacemsg nac-quar
- config system replacemsg spam
- config system replacemsg sslvpn
- config system replacemsg traffic-quota
- config system replacemsg utm
- config system replacemsg webproxy
- config system resource-limits
- config system saml
- config system sdn-connector
- config system session-ttl
- config system session
- config system session6
- config system settings
- config system sms-server
- config system snmp community
- config system snmp sysinfo
- config system snmp user
- config system source-ip status
- config system span-port
- config system speed-test-schedule
- config system speed-test-server
- config system sso-admin
- config system sso-forticloud-admin
- config system startup-error-log
- config system status
- config system storage
- config system vdom-dns
- config system vdom-exception
- config system vdom-link
- config system vdom-property
- config system vdom-radius-server
- config system vdom
- config system vne-tunnel
- config system vxlan
- config system wccp
- config system zone
test
- config test acd
- config test acsd
- config test autod
- config test awsd
- config test azd
- config test bfd
- config test csfd
- config test ddnscd
- config test dhcp6c
- config test dhcp6r
- config test dhcprelay
- config test dlpfingerprint
- config test dlpfpcache
- config test dnsproxy
- config test dsd
- config test fas
- config test fcnacd
- config test fds_notify
- config test fnbamd
- config test forticldd
- config test forticron
- config test fsd
- config test fsvrd
- config test gcpd
- config test harelay
- config test hasync
- config test hatalk
- config test ibmd
- config test imap
- config test init
- config test iotd
- config test ipamd
- config test ipamsd
- config test ipldbd
- config test ipsengine
- config test ipsmonitor
- config test ipsufd
- config test kubed
- config test l2tpcd
- config test lnkmtd
- config test miglogd
- config test mrd
- config test netxd
- config test nntp
- config test ocid
- config test openstackd
- config test ovrd
- config test pop3
- config test pptpcd
- config test quarantined
- config test radius-das
- config test radiusd
- config test radvd
- config test reportd
- config test rt_router
- config test sdncd
- config test sdnd
- config test sepmd
- config test sessionsync
- config test sfupgraded
- config test smtp
- config test snmpd
- config test syslogd
- config test updated
- config test uploadd
- config test urlfilter
- config test vned
- config test wad
- config test wccpd
- config test wf_monitor
- config test wiredapd
user
- config user adgrp
- config user certificate
- config user domain-controller
- config user exchange
- config user fortitoken
- config user fsso-polling
- config user fsso
- config user group
- config user krb-keytab
- config user ldap
- config user local
- config user password-policy
- config user peer
- config user peergrp
- config user pop3
- config user radius
- config user saml
- config user security-exempt-list
- config user setting
- config user tacacs+
videofilter
- config videofilter profile
- config videofilter youtube-channel-filter
- config videofilter youtube-key
vpn
- config vpn certificate ca
- config vpn certificate crl
- config vpn certificate local
- config vpn certificate ocsp-server
- config vpn certificate remote
- config vpn certificate setting
- config vpn ipsec phase1-interface
- config vpn ipsec phase2-interface
- config vpn ssl monitor
- config vpn ssl settings
- config vpn ssl web host-check-software
- config vpn ssl web portal
- config vpn ssl web realm
- config vpn ssl web user-bookmark
- config vpn ssl web user-group-bookmark
waf
- config waf main-class
- config waf profile
- config waf signature
- config waf sub-class
wanopt
- config wanopt auth-group
- config wanopt cache-service
- config wanopt content-delivery-network-rule
- config wanopt peer
- config wanopt profile
- config wanopt remote-storage
- config wanopt settings
web-proxy
- config web-proxy debug-url
- config web-proxy dynamic-bypass
- config web-proxy explicit-proxy
- config web-proxy forward-server-group
- config web-proxy forward-server
- config web-proxy global
- config web-proxy isolator-server
- config web-proxy pac-policy
- config web-proxy profile
- config web-proxy url-list
- config web-proxy url-match
- config web-proxy wisp
webcache
- config webcache prefetch
- config webcache reverse-cache-server
- config webcache settings
- config webcache user-agent
webfilter
- config webfilter categories
- config webfilter content-header
- config webfilter content
- config webfilter domain-list
- config webfilter fortiguard
- config webfilter ftgd-local-cat
- config webfilter ftgd-local-rating
- config webfilter ftgd-statistics
- config webfilter ips-urlfilter-cache-setting
- config webfilter ips-urlfilter-setting
- config webfilter ips-urlfilter-setting6
- config webfilter override-usr
- config webfilter override
- config webfilter profile
- config webfilter search-engine
- config webfilter status
- config webfilter url-list
- config webfilter urlfilter
Change log

Home FortiProxy 7.2.3 CLI Reference

7.2.3

config vpn ipsec phase1-interface

Configure VPN remote gateway.

config vpn ipsec phase1-interface
    Description: Configure VPN remote gateway.
    edit <name>
        set interface {string}
        set ike-version [1|2]
        set local-gw {ipv4-address}
        set remote-gw {ipv4-address}
        set keylife {integer}
        set certificate <name1>, <name2>, ...
        set authmethod [psk|signature]
        set mode [aggressive|main]
        set peertype {option}
        set peerid {string}
        set peer {string}
        set proposal {option1}, {option2}, ...
        set psksecret {password-3}
        set keepalive {integer}
        set distance {integer}
        set priority {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set negotiate-timeout {integer}
        set fragmentation [enable|disable]
        set comments {var-string}
        set send-cert-chain [enable|disable]
        set dhgrp {option1}, {option2}, ...
        set eap [enable|disable]
        set eap-identity [use-id-payload|send-request]
        set eap-exclude-peergrp {string}
        set acct-verify [enable|disable]
        set ppk [disable|allow|...]
        set ppk-secret {password-3}
        set ppk-identity {string}
        set wizard-type [custom|dialup-forticlient|...]
        set xauthtype [disable|client|...]
        set reauth [disable|enable]
        set authusr {string}
        set authpasswd {password}
        set group-authentication [enable|disable]
        set group-authentication-secret {password-3}
        set authusrgrp {string}
        set idle-timeout [enable|disable]
        set idle-timeoutinterval {integer}
        set inbound-dscp-copy [enable|disable]
        set auto-discovery-sender [enable|disable]
        set auto-discovery-receiver [enable|disable]
        set auto-discovery-forwarder [enable|disable]
        set auto-discovery-psk [enable|disable]
        set auto-discovery-shortcuts [independent|dependent]
        set fragmentation-mtu {integer}
        set childless-ike [enable|disable]
        set rekey [enable|disable]
        set digital-signature-auth [enable|disable]
        set signature-hash-alg {option1}, {option2}, ...
        set rsa-signature-format [pkcs1|pss]
        set enforce-unique-id [disable|keep-new|...]
        set cert-id-validation [enable|disable]
        set network-overlay [disable|enable]
        set network-id {integer}
        set loopback-asymroute [enable|disable]
    next
end

config vpn ipsec phase1-interface

Parameter

Description

Type

Size

Default

interface

Local physical, aggregate, or VLAN outgoing interface.

string

Maximum length: 35

ike-version

IKE protocol version.

option

Option	Description
1	Use IKEv1 protocol.
2	Use IKEv2 protocol.

local-gw

IPv4 address of the local gateway's external interface.

ipv4-address

Not Specified

0.0.0.0

remote-gw

IPv4 address of the remote gateway's external interface.

ipv4-address

Not Specified

0.0.0.0

keylife

Time to wait in seconds before phase 1 encryption key expires.

integer

Minimum value: 120 Maximum value: 172800

86400

certificate <name>

The names of up to 4 signed personal certificates.

Certificate name.

string

Maximum length: 79

authmethod

Authentication method.

option

psk

Option	Description
psk	PSK authentication method.
signature	Signature authentication method.

mode

The ID protection mode used to establish a secure channel.

option

main

Option	Description
aggressive	Aggressive mode.
main	Main mode.

peertype

Accept this peer type.

option

Option	Description
any	Accept any peer ID.

peerid

Accept this peer identity.

string

Maximum length: 255

peer

Accept this peer certificate.

string

Maximum length: 35

proposal

Phase1 proposal.

option

Option	Description
des-md5	des-md5
des-sha1	des-sha1
des-sha256	des-sha256
des-sha384	des-sha384
des-sha512	des-sha512

psksecret

Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

keepalive

NAT-T keep alive interval.

integer

Minimum value: 10 Maximum value: 900

distance

Distance for routes added by IKE .

integer

Minimum value: 1 Maximum value: 255

priority

Priority for routes added by IKE .

integer

Minimum value: 1 Maximum value: 65535

localid

Local ID.

string

Maximum length: 63

localid-type

Local ID type.

option

auto

Option	Description
auto	Select ID type automatically.
fqdn	Use fully qualified domain name.
user-fqdn	Use user fully qualified domain name.
keyid	Use key-id string.
address	Use local IP address.
asn1dn	Use ASN.1 distinguished name.

negotiate-timeout

IKE SA negotiation timeout in seconds .

integer

Minimum value: 1 Maximum value: 300

fragmentation

Enable/disable fragment IKE message on re-transmission.

option

enable

Option	Description
enable	Enable intra-IKE fragmentation support on re-transmission.
disable	Disable intra-IKE fragmentation support.

comments

Comment.

var-string

Maximum length: 255

send-cert-chain

Enable/disable sending certificate chain.

option

enable

Option	Description
enable	Enable sending certificate chain.
disable	Disable sending certificate chain.

dhgrp

DH group.

option

Option	Description
1	DH Group 1.
2	DH Group 2.
5	DH Group 5.
14	DH Group 14.
15	DH Group 15.
16	DH Group 16.
17	DH Group 17.
18	DH Group 18.
19	DH Group 19.
20	DH Group 20.
21	DH Group 21.
27	DH Group 27.
28	DH Group 28.
29	DH Group 29.
30	DH Group 30.
31	DH Group 31.
32	DH Group 32.

eap

Enable/disable IKEv2 EAP authentication.

option

disable

Option	Description
enable	Enable IKEv2 EAP authentication.
disable	Disable IKEv2 EAP authentication.

eap-identity

IKEv2 EAP peer identity type.

option

use-id-payload

Option	Description
use-id-payload	Use IKEv2 IDi payload to resolve peer identity.
send-request	Use EAP identity request to resolve peer identity.

eap-exclude-peergrp

Peer group excluded from EAP authentication.

string

Maximum length: 35

acct-verify

Enable/disable verification of RADIUS accounting record.

option

disable

Option	Description
enable	Enable verification of RADIUS accounting record.
disable	Disable verification of RADIUS accounting record.

ppk

Enable/disable IKEv2 Postquantum Preshared Key (PPK).

option

disable

Option	Description
disable	Disable use of IKEv2 Postquantum Preshared Key (PPK).
allow	Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
require	Require use of IKEv2 Postquantum Preshared Key (PPK).

ppk-secret

IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

ppk-identity

IKEv2 Postquantum Preshared Key Identity.

string

Maximum length: 35

wizard-type

GUI VPN Wizard Type.

option

custom

Option	Description
custom	Custom VPN configuration.
dialup-forticlient	Dial Up - FortiClient Windows, Mac and Android.
dialup-ios	Dial Up - iPhone / iPad Native IPsec Client.
dialup-android	Dial Up - Android Native IPsec Client.
dialup-windows	Dial Up - Windows Native IPsec Client.
dialup-cisco	Dial Up - Cisco IPsec Client.
static-fortiproxy	Site to Site - FortiProxy.
dialup-fortiproxy	Dial Up - FortiProxy.
static-cisco	Site to Site - Cisco.
dialup-cisco-fw	Dialup Up - Cisco Firewall.
simplified-static-fortiproxy	Site to Site - FortiProxy (SD-WAN).
hub-fortiproxy-auto-discovery	Hub role in a Hub-and-Spoke auto-discovery VPN.
spoke-fortiproxy-auto-discovery	Spoke role in a Hub-and-Spoke auto-discovery VPN.

xauthtype

XAuth type.

option

disable

Option	Description
disable	Disable.
client	Enable as client.
pap	Enable as server PAP.
chap	Enable as server CHAP.
auto	Enable as server auto.

reauth

Enable/disable re-authentication upon IKE SA lifetime expiration.

option

disable

Option	Description
disable	Disable IKE SA re-authentication.
enable	Enable IKE SA re-authentication.

authusr

XAuth user name.

string

Maximum length: 64

authpasswd

XAuth password (max 35 characters).

password

Not Specified

group-authentication

Enable/disable IKEv2 IDi group authentication.

option

disable

Option	Description
enable	Enable IKEv2 IDi group authentication.
disable	Disable IKEv2 IDi group authentication.

group-authentication-secret

Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.

password-3

Not Specified

authusrgrp

Authentication user group.

string

Maximum length: 35

idle-timeout

Enable/disable IPsec tunnel idle timeout.

option

disable

Option	Description
enable	Enable IPsec tunnel idle timeout.
disable	Disable IPsec tunnel idle timeout.

idle-timeoutinterval

IPsec tunnel idle timeout in minutes .

integer

Minimum value: 5 Maximum value: 43200

inbound-dscp-copy

Enable/disable copy the dscp in the ESP header to the inner IP Header.

option

disable

Option	Description
enable	Enable copy the dscp in the ESP header to the inner IP Header.
disable	Disable copy the dscp in the ESP header to the inner IP Header.

auto-discovery-sender

Enable/disable sending auto-discovery short-cut messages.

option

disable

Option	Description
enable	Enable sending auto-discovery short-cut messages.
disable	Disable sending auto-discovery short-cut messages.

auto-discovery-receiver

Enable/disable accepting auto-discovery short-cut messages.

option

disable

Option	Description
enable	Enable receiving auto-discovery short-cut messages.
disable	Disable receiving auto-discovery short-cut messages.

auto-discovery-forwarder

Enable/disable forwarding auto-discovery short-cut messages.

option

disable

Option	Description
enable	Enable forwarding auto-discovery short-cut messages.
disable	Disable forwarding auto-discovery short-cut messages.

auto-discovery-psk

Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.

option

disable

Option	Description
enable	Enable use of pre-shared-secret authentication for auto-discovery tunnels.
disable	Disable use of authentication defined by 'authmethod' for auto-discovery tunnels.

auto-discovery-shortcuts

Control deletion of child short-cut tunnels when the parent tunnel goes down.

option

independent

Option	Description
independent	Short-cut tunnels remain up if the parent tunnel goes down.
dependent	Short-cut tunnels are brought down if the parent tunnel goes down.

fragmentation-mtu

IKE fragmentation MTU .

integer

Minimum value: 500 Maximum value: 16000

1200

childless-ike

Enable/disable childless IKEv2 initiation (RFC 6023).

option

disable

Option	Description
enable	Enable childless IKEv2 initiation (RFC 6023).
disable	Disable childless IKEv2 initiation (RFC 6023).

rekey

Enable/disable phase1 rekey.

option

enable

Option	Description
enable	Enable phase1 rekey.
disable	Disable phase1 rekey.

digital-signature-auth

Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).

option

disable

Option	Description
enable	Enable IKEv2 Digital Signature Authentication (RFC 7427).
disable	Disable IKEv2 Digital Signature Authentication (RFC 7427).

signature-hash-alg

Digital Signature Authentication hash algorithms.

option

sha2-512

Option	Description
sha1	SHA1.
sha2-256	SHA2-256.
sha2-384	SHA2-384.
sha2-512	SHA2-512.

rsa-signature-format

Digital Signature Authentication RSA signature format.

option

pkcs1

Option	Description
pkcs1	RSASSA PKCS#1 v1.5.
pss	RSASSA Probabilistic Signature Scheme (PSS).

enforce-unique-id

Enable/disable peer ID uniqueness check.

option

disable

Option	Description
disable	Disable peer ID uniqueness enforcement.
keep-new	Enforce peer ID uniqueness, keep new connection if collision found.
keep-old	Enforce peer ID uniqueness, keep old connection if collision found.

cert-id-validation

Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

option

enable

Option	Description
enable	Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
disable	Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

network-overlay

Enable/disable network overlays.

option

disable

Option	Description
disable	Disable network overlays.
enable	Enable network overlays.

network-id

VPN gateway network ID.

integer

Minimum value: 0 Maximum value: 255

loopback-asymroute

Enable/disable asymmetric routing for IKE traffic on loopback interface.

option

enable

Option	Description
enable	Allow ingress/egress IKE traffic to be routed over different interfaces.
disable	Ingress/egress IKE traffic must be routed over the same interface.

config vpn ipsec phase1-interface

Configure VPN remote gateway.

config vpn ipsec phase1-interface
    Description: Configure VPN remote gateway.
    edit <name>
        set interface {string}
        set ike-version [1|2]
        set local-gw {ipv4-address}
        set remote-gw {ipv4-address}
        set keylife {integer}
        set certificate <name1>, <name2>, ...
        set authmethod [psk|signature]
        set mode [aggressive|main]
        set peertype {option}
        set peerid {string}
        set peer {string}
        set proposal {option1}, {option2}, ...
        set psksecret {password-3}
        set keepalive {integer}
        set distance {integer}
        set priority {integer}
        set localid {string}
        set localid-type [auto|fqdn|...]
        set negotiate-timeout {integer}
        set fragmentation [enable|disable]
        set comments {var-string}
        set send-cert-chain [enable|disable]
        set dhgrp {option1}, {option2}, ...
        set eap [enable|disable]
        set eap-identity [use-id-payload|send-request]
        set eap-exclude-peergrp {string}
        set acct-verify [enable|disable]
        set ppk [disable|allow|...]
        set ppk-secret {password-3}
        set ppk-identity {string}
        set wizard-type [custom|dialup-forticlient|...]
        set xauthtype [disable|client|...]
        set reauth [disable|enable]
        set authusr {string}
        set authpasswd {password}
        set group-authentication [enable|disable]
        set group-authentication-secret {password-3}
        set authusrgrp {string}
        set idle-timeout [enable|disable]
        set idle-timeoutinterval {integer}
        set inbound-dscp-copy [enable|disable]
        set auto-discovery-sender [enable|disable]
        set auto-discovery-receiver [enable|disable]
        set auto-discovery-forwarder [enable|disable]
        set auto-discovery-psk [enable|disable]
        set auto-discovery-shortcuts [independent|dependent]
        set fragmentation-mtu {integer}
        set childless-ike [enable|disable]
        set rekey [enable|disable]
        set digital-signature-auth [enable|disable]
        set signature-hash-alg {option1}, {option2}, ...
        set rsa-signature-format [pkcs1|pss]
        set enforce-unique-id [disable|keep-new|...]
        set cert-id-validation [enable|disable]
        set network-overlay [disable|enable]
        set network-id {integer}
        set loopback-asymroute [enable|disable]
    next
end

config vpn ipsec phase1-interface

Parameter

Description

Type

Size

Default

interface

Local physical, aggregate, or VLAN outgoing interface.

string

Maximum length: 35

ike-version

IKE protocol version.

option

Option	Description
1	Use IKEv1 protocol.
2	Use IKEv2 protocol.

local-gw

IPv4 address of the local gateway's external interface.

ipv4-address

Not Specified

0.0.0.0

remote-gw

IPv4 address of the remote gateway's external interface.

ipv4-address

Not Specified

0.0.0.0

keylife

Time to wait in seconds before phase 1 encryption key expires.

integer

Minimum value: 120 Maximum value: 172800

86400

certificate <name>

The names of up to 4 signed personal certificates.

Certificate name.

string

Maximum length: 79

authmethod

Authentication method.

option

psk

Option	Description
psk	PSK authentication method.
signature	Signature authentication method.

mode

The ID protection mode used to establish a secure channel.

option

main

Option	Description
aggressive	Aggressive mode.
main	Main mode.

peertype

Accept this peer type.

option

Option	Description
any	Accept any peer ID.

peerid

Accept this peer identity.

string

Maximum length: 255

peer

Accept this peer certificate.

string

Maximum length: 35

proposal

Phase1 proposal.

option

Option	Description
des-md5	des-md5
des-sha1	des-sha1
des-sha256	des-sha256
des-sha384	des-sha384
des-sha512	des-sha512

psksecret

Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

keepalive

NAT-T keep alive interval.

integer

Minimum value: 10 Maximum value: 900

distance

Distance for routes added by IKE .

integer

Minimum value: 1 Maximum value: 255

priority

Priority for routes added by IKE .

integer

Minimum value: 1 Maximum value: 65535

localid

Local ID.

string

Maximum length: 63

localid-type

Local ID type.

option

auto

Option	Description
auto	Select ID type automatically.
fqdn	Use fully qualified domain name.
user-fqdn	Use user fully qualified domain name.
keyid	Use key-id string.
address	Use local IP address.
asn1dn	Use ASN.1 distinguished name.

negotiate-timeout

IKE SA negotiation timeout in seconds .

integer

Minimum value: 1 Maximum value: 300

fragmentation

Enable/disable fragment IKE message on re-transmission.

option

enable

Option	Description
enable	Enable intra-IKE fragmentation support on re-transmission.
disable	Disable intra-IKE fragmentation support.

comments

Comment.

var-string

Maximum length: 255

send-cert-chain

Enable/disable sending certificate chain.

option

enable

Option	Description
enable	Enable sending certificate chain.
disable	Disable sending certificate chain.

dhgrp

DH group.

option

Option	Description
1	DH Group 1.
2	DH Group 2.
5	DH Group 5.
14	DH Group 14.
15	DH Group 15.
16	DH Group 16.
17	DH Group 17.
18	DH Group 18.
19	DH Group 19.
20	DH Group 20.
21	DH Group 21.
27	DH Group 27.
28	DH Group 28.
29	DH Group 29.
30	DH Group 30.
31	DH Group 31.
32	DH Group 32.

eap

Enable/disable IKEv2 EAP authentication.

option

disable

Option	Description
enable	Enable IKEv2 EAP authentication.
disable	Disable IKEv2 EAP authentication.

eap-identity

IKEv2 EAP peer identity type.

option

use-id-payload

Option	Description
use-id-payload	Use IKEv2 IDi payload to resolve peer identity.
send-request	Use EAP identity request to resolve peer identity.

eap-exclude-peergrp

Peer group excluded from EAP authentication.

string

Maximum length: 35

acct-verify

Enable/disable verification of RADIUS accounting record.

option

disable

Option	Description
enable	Enable verification of RADIUS accounting record.
disable	Disable verification of RADIUS accounting record.

ppk

Enable/disable IKEv2 Postquantum Preshared Key (PPK).

option

disable

Option	Description
disable	Disable use of IKEv2 Postquantum Preshared Key (PPK).
allow	Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK).
require	Require use of IKEv2 Postquantum Preshared Key (PPK).

ppk-secret

IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

ppk-identity

IKEv2 Postquantum Preshared Key Identity.

string

Maximum length: 35

wizard-type

GUI VPN Wizard Type.

option

custom

Option	Description
custom	Custom VPN configuration.
dialup-forticlient	Dial Up - FortiClient Windows, Mac and Android.
dialup-ios	Dial Up - iPhone / iPad Native IPsec Client.
dialup-android	Dial Up - Android Native IPsec Client.
dialup-windows	Dial Up - Windows Native IPsec Client.
dialup-cisco	Dial Up - Cisco IPsec Client.
static-fortiproxy	Site to Site - FortiProxy.
dialup-fortiproxy	Dial Up - FortiProxy.
static-cisco	Site to Site - Cisco.
dialup-cisco-fw	Dialup Up - Cisco Firewall.
simplified-static-fortiproxy	Site to Site - FortiProxy (SD-WAN).
hub-fortiproxy-auto-discovery	Hub role in a Hub-and-Spoke auto-discovery VPN.
spoke-fortiproxy-auto-discovery	Spoke role in a Hub-and-Spoke auto-discovery VPN.

xauthtype

XAuth type.

option

disable

Option	Description
disable	Disable.
client	Enable as client.
pap	Enable as server PAP.
chap	Enable as server CHAP.
auto	Enable as server auto.

reauth

Enable/disable re-authentication upon IKE SA lifetime expiration.

option

disable

Option	Description
disable	Disable IKE SA re-authentication.
enable	Enable IKE SA re-authentication.

authusr

XAuth user name.

string

Maximum length: 64

authpasswd

XAuth password (max 35 characters).

password

Not Specified

group-authentication

Enable/disable IKEv2 IDi group authentication.

option

disable

Option	Description
enable	Enable IKEv2 IDi group authentication.
disable	Disable IKEv2 IDi group authentication.

group-authentication-secret

Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.

password-3

Not Specified

authusrgrp

Authentication user group.

string

Maximum length: 35

idle-timeout

Enable/disable IPsec tunnel idle timeout.

option

disable

Option	Description
enable	Enable IPsec tunnel idle timeout.
disable	Disable IPsec tunnel idle timeout.

idle-timeoutinterval

IPsec tunnel idle timeout in minutes .

integer

Minimum value: 5 Maximum value: 43200

inbound-dscp-copy

Enable/disable copy the dscp in the ESP header to the inner IP Header.

option

disable

Option	Description
enable	Enable copy the dscp in the ESP header to the inner IP Header.
disable	Disable copy the dscp in the ESP header to the inner IP Header.

auto-discovery-sender

Enable/disable sending auto-discovery short-cut messages.

option

disable

Option	Description
enable	Enable sending auto-discovery short-cut messages.
disable	Disable sending auto-discovery short-cut messages.

auto-discovery-receiver

Enable/disable accepting auto-discovery short-cut messages.

option

disable

Option	Description
enable	Enable receiving auto-discovery short-cut messages.
disable	Disable receiving auto-discovery short-cut messages.

auto-discovery-forwarder

Enable/disable forwarding auto-discovery short-cut messages.

option

disable

Option	Description
enable	Enable forwarding auto-discovery short-cut messages.
disable	Disable forwarding auto-discovery short-cut messages.

auto-discovery-psk

Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels.

option

disable

Option	Description
enable	Enable use of pre-shared-secret authentication for auto-discovery tunnels.
disable	Disable use of authentication defined by 'authmethod' for auto-discovery tunnels.

auto-discovery-shortcuts

Control deletion of child short-cut tunnels when the parent tunnel goes down.

option

independent

Option	Description
independent	Short-cut tunnels remain up if the parent tunnel goes down.
dependent	Short-cut tunnels are brought down if the parent tunnel goes down.

fragmentation-mtu

IKE fragmentation MTU .

integer

Minimum value: 500 Maximum value: 16000

1200

childless-ike

Enable/disable childless IKEv2 initiation (RFC 6023).

option

disable

Option	Description
enable	Enable childless IKEv2 initiation (RFC 6023).
disable	Disable childless IKEv2 initiation (RFC 6023).

rekey

Enable/disable phase1 rekey.

option

enable

Option	Description
enable	Enable phase1 rekey.
disable	Disable phase1 rekey.

digital-signature-auth

Enable/disable IKEv2 Digital Signature Authentication (RFC 7427).

option

disable

Option	Description
enable	Enable IKEv2 Digital Signature Authentication (RFC 7427).
disable	Disable IKEv2 Digital Signature Authentication (RFC 7427).

signature-hash-alg

Digital Signature Authentication hash algorithms.

option

sha2-512

Option	Description
sha1	SHA1.
sha2-256	SHA2-256.
sha2-384	SHA2-384.
sha2-512	SHA2-512.

rsa-signature-format

Digital Signature Authentication RSA signature format.

option

pkcs1

Option	Description
pkcs1	RSASSA PKCS#1 v1.5.
pss	RSASSA Probabilistic Signature Scheme (PSS).

enforce-unique-id

Enable/disable peer ID uniqueness check.

option

disable

Option	Description
disable	Disable peer ID uniqueness enforcement.
keep-new	Enforce peer ID uniqueness, keep new connection if collision found.
keep-old	Enforce peer ID uniqueness, keep old connection if collision found.

cert-id-validation

Enable/disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

option

enable

Option	Description
enable	Enable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.
disable	Disable cross validation of peer ID and the identity in the peer's certificate as specified in RFC 4945.

network-overlay

Enable/disable network overlays.

option

disable

Option	Description
disable	Disable network overlays.
enable	Enable network overlays.

network-id

VPN gateway network ID.

integer

Minimum value: 0 Maximum value: 255

loopback-asymroute

Enable/disable asymmetric routing for IKE traffic on loopback interface.

option

enable

Option	Description
enable	Allow ingress/egress IKE traffic to be routed over different interfaces.
disable	Ingress/egress IKE traffic must be routed over the same interface.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface

config vpn ipsec phase1-interface