Fortinet white logo
Fortinet white logo

CLI Reference

config firewall profile-protocol-options

config firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options
    Description: Configure protocol options.
    edit <name>
        set comment {var-string}
        set replacemsg-group {string}
        set oversize-log [disable|enable]
        set switching-protocols-log [disable|enable]
        config proxy-redirect
            Description: Configure proxy redirection protocol options.
            set ports {integer}
            set status [enable|disable]
        end
        config http
            Description: Configure HTTP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set comfort-interval {integer}
            set comfort-amount {integer}
            set range-block [disable|enable]
            set strip-x-forwarded-for [disable|enable]
            set post-lang {option1}, {option2}, ...
            set streaming-content-bypass [enable|disable]
            set dns-protection [enable|disable]
            set switching-protocols [bypass|block]
            set unknown-http-version [reject|tunnel|...]
            set tunnel-non-http [enable|disable]
            set h2c [enable|disable]
            set unknown-content-encoding [block|inspect|...]
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set stream-based-uncompressed-limit {integer}
            set scan-bzip2 [enable|disable]
            set verify-dns-for-policy-matching [enable|disable]
            set block-page-status-code {integer}
            set retry-count {integer}
            set domain-fronting [allow|block|...]
            set tcp-window-type [auto-tuning|system|...]
            set tcp-window-minimum {integer}
            set tcp-window-maximum {integer}
            set tcp-window-size {integer}
            set ssl-offloaded [no|yes]
            set address-ip-rating [enable|disable]
        end
        config ftp
            Description: Configure FTP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set comfort-interval {integer}
            set comfort-amount {integer}
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set stream-based-uncompressed-limit {integer}
            set scan-bzip2 [enable|disable]
            set tcp-window-type [auto-tuning|system|...]
            set tcp-window-minimum {integer}
            set tcp-window-maximum {integer}
            set tcp-window-size {integer}
            set ssl-offloaded [no|yes]
            set explicit-ftp-tls [enable|disable]
        end
        config imap
            Description: Configure IMAP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set address-ip-rating [enable|disable]
        end
        config mapi
            Description: Configure MAPI protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
        end
        config pop3
            Description: Configure POP3 protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
        end
        config smtp
            Description: Configure SMTP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
            set server-busy [enable|disable]
            set ssl-offloaded [no|yes]
        end
        config nntp
            Description: Configure NNTP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
        end
        config ssh
            Description: Configure SFTP and SCP protocol options.
            set options {option1}, {option2}, ...
            set comfort-interval {integer}
            set comfort-amount {integer}
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set stream-based-uncompressed-limit {integer}
            set scan-bzip2 [enable|disable]
            set tcp-window-type [auto-tuning|system|...]
            set tcp-window-minimum {integer}
            set tcp-window-maximum {integer}
            set tcp-window-size {integer}
            set ssl-offloaded [no|yes]
        end
        config dns
            Description: Configure DNS protocol options.
            set ports {integer}
            set status [enable|disable]
        end
        config cifs
            Description: Configure CIFS protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
            set tcp-window-type [auto-tuning|system|...]
            set tcp-window-minimum {integer}
            set tcp-window-maximum {integer}
            set tcp-window-size {integer}
            set server-credential-type [none|credential-replication|...]
            set domain-controller {string}
            config server-keytab
                Description: Server keytab.
                edit <principal>
                    set keytab {string}
                next
            end
        end
        config mail-signature
            Description: Configure Mail signature.
            set status [disable|enable]
            set signature {string}
        end
        set rpc-over-http [enable|disable]
    next
end

config firewall profile-protocol-options

Parameter

Description

Type

Size

Default

name

Name.

string

Maximum length: 35

comment

Optional comments.

var-string

Maximum length: 255

replacemsg-group

Name of the replacement message group to be used.

string

Maximum length: 35

oversize-log

Enable/disable logging for antivirus oversize file blocking.

option

-

disable

Option

Description

disable

Disable logging for antivirus oversize file blocking.

enable

Enable logging for antivirus oversize file blocking.

switching-protocols-log

Enable/disable logging for HTTP/HTTPS switching protocols.

option

-

disable

Option

Description

disable

Disable logging for HTTP/HTTPS switching protocols.

enable

Enable logging for HTTP/HTTPS switching protocols.

rpc-over-http

Enable/disable inspection of RPC over HTTP.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTP.

disable

Disable inspection of RPC over HTTP.

config proxy-redirect

Parameter

Description

Type

Size

Default

ports

Ports to inspect all for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config http

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

oversize

Block oversized file.

chunkedbypass

Bypass chunked transfer encoded sites.

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

range-block

Enable/disable blocking of partial downloads.

option

-

disable

Option

Description

disable

Disable range header blocking (allow partial file downloads)

enable

Enable range header blocking (treat all partial file downloads as full file download)

strip-x-forwarded-for

Enable/disable stripping of HTTP X-Forwarded-For header.

option

-

disable

Option

Description

disable

Disable changing of HTTP X-Forwarded-For header.

enable

Enable replacement of X-Forwarded-For value with 1.1.1.1.

post-lang

ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).

option

-

Option

Description

jisx0201

Japanese Industrial Standard 0201.

jisx0208

Japanese Industrial Standard 0208.

jisx0212

Japanese Industrial Standard 0212.

gb2312

Guojia Biaozhun 2312 (simplified Chinese).

ksc5601-ex

Wansung Korean standard 5601.

euc-jp

Extended Unicode Japanese.

sjis

Shift Japanese Industrial Standard.

iso2022-jp

ISO 2022 Japanese.

iso2022-jp-1

ISO 2022-1 Japanese.

iso2022-jp-2

ISO 2022-2 Japanese.

euc-cn

Extended Unicode Chinese.

ces-gbk

Extended GB2312 (simplified Chinese).

hz

Hanzi simplified Chinese.

ces-big5

Big-5 traditional Chinese.

euc-kr

Extended Unicode Korean.

iso2022-jp-3

ISO 2022-3 Japanese.

iso8859-1

ISO 8859 Part 1 (Western European).

tis620

Thai Industrial Standard 620.

cp874

Code Page 874 (Thai).

cp1252

Code Page 1252 (Western European Latin).

cp1251

Code Page 1251 (Cyrillic).

streaming-content-bypass

Enable/disable bypassing of streaming content from buffering.

option

-

enable

Option

Description

enable

Enable bypassing of streaming content from buffering

disable

Disable bypassing of streaming content from buffering

dns-protection

Enable/disable DNS protection for HTTP/HTTPS traffic.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

switching-protocols

Bypass from scanning, or block a connection that attempts to switch protocol.

option

-

bypass

Option

Description

bypass

Bypass connections when switching protocols.

block

Block connections when switching protocols.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

tunnel-non-http

Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port.

option

-

enable

Option

Description

enable

Pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

disable

Drop or tear down non-HTTP sessions accepted by the profile.

h2c

Enable/disable h2c HTTP connection upgrade.

option

-

disable

Option

Description

enable

Allow h2c HTTP connection upgrades. h2c tunnels do not support content scan.

disable

Do not allow h2c HTTP connection upgrades.

unknown-content-encoding

Configure the action the FortiGate unit will take on unknown content-encoding.

option

-

block

Option

Description

block

Block HTTP session when unknown content-encoding is detected.

inspect

Scan HTTP traffic as plain-text when unknown content-encoding is detected.

bypass

Bypass scan when unknown content-encoding is detected.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

stream-based-uncompressed-limit

Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

verify-dns-for-policy-matching

Enable/disable verify DNS for policy matching.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

block-page-status-code

Code number returned for blocked HTTP pages.

integer

Minimum value: 100 Maximum value: 599

403

retry-count

Number of attempts to retry HTTP connection.

integer

Minimum value: 0 Maximum value: 100

0

domain-fronting

Configure HTTP domain fronting.

option

-

block

Option

Description

allow

Allow domain fronting.

block

Block and log domain fronting.

monitor

Allow and log domain fronting.

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

address-ip-rating

Enable/disable IP based URL rating.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config ftp

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

clientcomfort

Prevent client timeout.

oversize

Block oversized file.

splice

Enable splice mode.

bypass-rest-command

Bypass REST command.

bypass-mode-command

Bypass MODE command.

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

stream-based-uncompressed-limit

Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

explicit-ftp-tls

Enable/disable deep inspection of FTP control session over STARTTLS.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

config imap

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

address-ip-rating

Enable/disable IP based URL rating.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config mapi

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config pop3

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

config smtp

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

splice

Enable splice mode.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

server-busy

Enable/disable SMTP server busy when server not available.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

config nntp

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

splice

Enable splice mode.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config ssh

Parameter

Description

Type

Size

Default

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

stream-based-uncompressed-limit

Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

config dns

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config cifs

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

server-credential-type

CIFS server credential type.

option

-

none

Option

Description

none

Credential derivation not set.

credential-replication

Credential derived using Replication account on Domain Controller.

credential-keytab

Credential derived using server keytab.

domain-controller

Domain for which to decrypt CIFS traffic.

string

Maximum length: 63

config server-keytab

Parameter

Description

Type

Size

Default

principal

Service principal. For example, host/cifsserver.example.com@example.com.

string

Maximum length: 511

keytab

Base64 encoded keytab file containing credential of the server.

string

Maximum length: 8191

config mail-signature

Parameter

Description

Type

Size

Default

status

Enable/disable adding an email signature to SMTP email messages as they pass through the FortiProxy.

option

-

disable

Option

Description

disable

Disable mail signature.

enable

Enable mail signature.

signature

Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).

string

Maximum length: 1023

config firewall profile-protocol-options

config firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options
    Description: Configure protocol options.
    edit <name>
        set comment {var-string}
        set replacemsg-group {string}
        set oversize-log [disable|enable]
        set switching-protocols-log [disable|enable]
        config proxy-redirect
            Description: Configure proxy redirection protocol options.
            set ports {integer}
            set status [enable|disable]
        end
        config http
            Description: Configure HTTP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set comfort-interval {integer}
            set comfort-amount {integer}
            set range-block [disable|enable]
            set strip-x-forwarded-for [disable|enable]
            set post-lang {option1}, {option2}, ...
            set streaming-content-bypass [enable|disable]
            set dns-protection [enable|disable]
            set switching-protocols [bypass|block]
            set unknown-http-version [reject|tunnel|...]
            set tunnel-non-http [enable|disable]
            set h2c [enable|disable]
            set unknown-content-encoding [block|inspect|...]
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set stream-based-uncompressed-limit {integer}
            set scan-bzip2 [enable|disable]
            set verify-dns-for-policy-matching [enable|disable]
            set block-page-status-code {integer}
            set retry-count {integer}
            set domain-fronting [allow|block|...]
            set tcp-window-type [auto-tuning|system|...]
            set tcp-window-minimum {integer}
            set tcp-window-maximum {integer}
            set tcp-window-size {integer}
            set ssl-offloaded [no|yes]
            set address-ip-rating [enable|disable]
        end
        config ftp
            Description: Configure FTP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set comfort-interval {integer}
            set comfort-amount {integer}
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set stream-based-uncompressed-limit {integer}
            set scan-bzip2 [enable|disable]
            set tcp-window-type [auto-tuning|system|...]
            set tcp-window-minimum {integer}
            set tcp-window-maximum {integer}
            set tcp-window-size {integer}
            set ssl-offloaded [no|yes]
            set explicit-ftp-tls [enable|disable]
        end
        config imap
            Description: Configure IMAP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
            set address-ip-rating [enable|disable]
        end
        config mapi
            Description: Configure MAPI protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
        end
        config pop3
            Description: Configure POP3 protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
            set ssl-offloaded [no|yes]
        end
        config smtp
            Description: Configure SMTP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
            set server-busy [enable|disable]
            set ssl-offloaded [no|yes]
        end
        config nntp
            Description: Configure NNTP protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
        end
        config ssh
            Description: Configure SFTP and SCP protocol options.
            set options {option1}, {option2}, ...
            set comfort-interval {integer}
            set comfort-amount {integer}
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set stream-based-uncompressed-limit {integer}
            set scan-bzip2 [enable|disable]
            set tcp-window-type [auto-tuning|system|...]
            set tcp-window-minimum {integer}
            set tcp-window-maximum {integer}
            set tcp-window-size {integer}
            set ssl-offloaded [no|yes]
        end
        config dns
            Description: Configure DNS protocol options.
            set ports {integer}
            set status [enable|disable]
        end
        config cifs
            Description: Configure CIFS protocol options.
            set ports {integer}
            set status [enable|disable]
            set options {option1}, {option2}, ...
            set oversize-limit {integer}
            set uncompressed-oversize-limit {integer}
            set uncompressed-nest-limit {integer}
            set scan-bzip2 [enable|disable]
            set tcp-window-type [auto-tuning|system|...]
            set tcp-window-minimum {integer}
            set tcp-window-maximum {integer}
            set tcp-window-size {integer}
            set server-credential-type [none|credential-replication|...]
            set domain-controller {string}
            config server-keytab
                Description: Server keytab.
                edit <principal>
                    set keytab {string}
                next
            end
        end
        config mail-signature
            Description: Configure Mail signature.
            set status [disable|enable]
            set signature {string}
        end
        set rpc-over-http [enable|disable]
    next
end

config firewall profile-protocol-options

Parameter

Description

Type

Size

Default

name

Name.

string

Maximum length: 35

comment

Optional comments.

var-string

Maximum length: 255

replacemsg-group

Name of the replacement message group to be used.

string

Maximum length: 35

oversize-log

Enable/disable logging for antivirus oversize file blocking.

option

-

disable

Option

Description

disable

Disable logging for antivirus oversize file blocking.

enable

Enable logging for antivirus oversize file blocking.

switching-protocols-log

Enable/disable logging for HTTP/HTTPS switching protocols.

option

-

disable

Option

Description

disable

Disable logging for HTTP/HTTPS switching protocols.

enable

Enable logging for HTTP/HTTPS switching protocols.

rpc-over-http

Enable/disable inspection of RPC over HTTP.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTP.

disable

Disable inspection of RPC over HTTP.

config proxy-redirect

Parameter

Description

Type

Size

Default

ports

Ports to inspect all for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config http

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

oversize

Block oversized file.

chunkedbypass

Bypass chunked transfer encoded sites.

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

range-block

Enable/disable blocking of partial downloads.

option

-

disable

Option

Description

disable

Disable range header blocking (allow partial file downloads)

enable

Enable range header blocking (treat all partial file downloads as full file download)

strip-x-forwarded-for

Enable/disable stripping of HTTP X-Forwarded-For header.

option

-

disable

Option

Description

disable

Disable changing of HTTP X-Forwarded-For header.

enable

Enable replacement of X-Forwarded-For value with 1.1.1.1.

post-lang

ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).

option

-

Option

Description

jisx0201

Japanese Industrial Standard 0201.

jisx0208

Japanese Industrial Standard 0208.

jisx0212

Japanese Industrial Standard 0212.

gb2312

Guojia Biaozhun 2312 (simplified Chinese).

ksc5601-ex

Wansung Korean standard 5601.

euc-jp

Extended Unicode Japanese.

sjis

Shift Japanese Industrial Standard.

iso2022-jp

ISO 2022 Japanese.

iso2022-jp-1

ISO 2022-1 Japanese.

iso2022-jp-2

ISO 2022-2 Japanese.

euc-cn

Extended Unicode Chinese.

ces-gbk

Extended GB2312 (simplified Chinese).

hz

Hanzi simplified Chinese.

ces-big5

Big-5 traditional Chinese.

euc-kr

Extended Unicode Korean.

iso2022-jp-3

ISO 2022-3 Japanese.

iso8859-1

ISO 8859 Part 1 (Western European).

tis620

Thai Industrial Standard 620.

cp874

Code Page 874 (Thai).

cp1252

Code Page 1252 (Western European Latin).

cp1251

Code Page 1251 (Cyrillic).

streaming-content-bypass

Enable/disable bypassing of streaming content from buffering.

option

-

enable

Option

Description

enable

Enable bypassing of streaming content from buffering

disable

Disable bypassing of streaming content from buffering

dns-protection

Enable/disable DNS protection for HTTP/HTTPS traffic.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

switching-protocols

Bypass from scanning, or block a connection that attempts to switch protocol.

option

-

bypass

Option

Description

bypass

Bypass connections when switching protocols.

block

Block connections when switching protocols.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

tunnel-non-http

Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port.

option

-

enable

Option

Description

enable

Pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

disable

Drop or tear down non-HTTP sessions accepted by the profile.

h2c

Enable/disable h2c HTTP connection upgrade.

option

-

disable

Option

Description

enable

Allow h2c HTTP connection upgrades. h2c tunnels do not support content scan.

disable

Do not allow h2c HTTP connection upgrades.

unknown-content-encoding

Configure the action the FortiGate unit will take on unknown content-encoding.

option

-

block

Option

Description

block

Block HTTP session when unknown content-encoding is detected.

inspect

Scan HTTP traffic as plain-text when unknown content-encoding is detected.

bypass

Bypass scan when unknown content-encoding is detected.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

stream-based-uncompressed-limit

Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

verify-dns-for-policy-matching

Enable/disable verify DNS for policy matching.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

block-page-status-code

Code number returned for blocked HTTP pages.

integer

Minimum value: 100 Maximum value: 599

403

retry-count

Number of attempts to retry HTTP connection.

integer

Minimum value: 0 Maximum value: 100

0

domain-fronting

Configure HTTP domain fronting.

option

-

block

Option

Description

allow

Allow domain fronting.

block

Block and log domain fronting.

monitor

Allow and log domain fronting.

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

address-ip-rating

Enable/disable IP based URL rating.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config ftp

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

clientcomfort

Prevent client timeout.

oversize

Block oversized file.

splice

Enable splice mode.

bypass-rest-command

Bypass REST command.

bypass-mode-command

Bypass MODE command.

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

stream-based-uncompressed-limit

Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

explicit-ftp-tls

Enable/disable deep inspection of FTP control session over STARTTLS.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

config imap

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

address-ip-rating

Enable/disable IP based URL rating.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config mapi

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config pop3

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

config smtp

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized email.

splice

Enable splice mode.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

server-busy

Enable/disable SMTP server busy when server not available.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

config nntp

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

splice

Enable splice mode.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config ssh

Parameter

Description

Type

Size

Default

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

comfort-interval

Interval between successive transmissions of data for client comforting (seconds).

integer

Minimum value: 1 Maximum value: 900

10

comfort-amount

Number of bytes to send in each transmission for client comforting (bytes).

integer

Minimum value: 1 Maximum value: 65535

1

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

stream-based-uncompressed-limit

Maximum stream-based uncompressed data size that will be scanned in megabytes. Stream-based uncompression used only under certain conditions.

integer

Minimum value: 0 Maximum value: 4294967295

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

Option

Description

no

SSL decryption and encryption performed by FortiProxy when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

config dns

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

config cifs

Parameter

Description

Type

Size

Default

ports

Ports to scan for content.

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

Option

Description

oversize

Block oversized file.

oversize-limit

Maximum in-memory file size that can be scanned (MB).

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned.

integer

Minimum value: 1 Maximum value: 26214

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned.

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-type

TCP window type to use for this protocol.

option

-

auto-tuning

Option

Description

auto-tuning

Allow system to auto-tune TCP window size (default).

system

Use system default TCP window size for this protocol.

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

server-credential-type

CIFS server credential type.

option

-

none

Option

Description

none

Credential derivation not set.

credential-replication

Credential derived using Replication account on Domain Controller.

credential-keytab

Credential derived using server keytab.

domain-controller

Domain for which to decrypt CIFS traffic.

string

Maximum length: 63

config server-keytab

Parameter

Description

Type

Size

Default

principal

Service principal. For example, host/cifsserver.example.com@example.com.

string

Maximum length: 511

keytab

Base64 encoded keytab file containing credential of the server.

string

Maximum length: 8191

config mail-signature

Parameter

Description

Type

Size

Default

status

Enable/disable adding an email signature to SMTP email messages as they pass through the FortiProxy.

option

-

disable

Option

Description

disable

Disable mail signature.

enable

Enable mail signature.

signature

Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).

string

Maximum length: 1023