FortiCache 4.2.1 CLI Reference - Amazon S3

Date post: 27-Feb-2023
FortiCache - CLI Reference Version 4.2.1

FORTINET DOCUMENT LIBRARY

http://docs.fortinet.com

FORTINET VIDEO GUIDE

http://video.fortinet.com

FORTINET BLOG

https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com 

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK

http://cookbook.fortinet.com

FORTINET TRAINING SERVICES

http://www.fortinet.com/training

FORTIGUARD CENTER

http://www.fortiguard.com

FORTICAST

http://forticast.fortinet.com

END USER LICENSE AGREEMENT

http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: [email protected]

5/31/2017

FortiCache - CLI Reference

Revision 1

TABLE OF CONTENTS

Introduction 7
antivirus 8
    heuristic 8
    profile 8
        config {http | ftp} 8
        config nac-quar 9
    settings 10
dlp 11
    filepattern 11
        config entries 11
    fp-sensitivity 12
    sensor 13
        config filter 13
        replacemsg-group <name> 14
firewall 16
    address | address6 16
    addgrp | addgrp6 18
    ippool 19
    policy 20
        config identity-based-policy 20
    profile-group 27
    profile-protocol-options 27
        config http 27
        config ftp 30
        config rtmp 31
    schedule {group | onetime | recurring} 31
    service {category | custom | group} 34
    socks-authentication 40
    ssl {exemption | setting} 41
    ssl-ssh-profile 42
gui 46
    console 46
icap 47
    profile 47
    server 48
image-analyzer 49
    profile 49
log 51
    custom-field 51
    disk {filter | setting} 51
    eventfilter 55
    {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting 56
    gui-display 58
    memory {filter | global-setting | setting} 58
    setting 60
    {syslogd | syslogd2 | syslogd3} {filter | setting} 61
    webtrends 63
router 65
    static | static6 65
system 67
    accprofile 67
    admin 70
    auto-install 71
    autoupdate {push-update | schedule | tunneling} 72
    console 74
    custom-language 74
    dns 75
    dns-database 76
    email-server 78
    fortiguard 79
    fsso-polling 81
    global 81
    ha 91
    interface 93
    ntp 98
    object-tag 99
    password-policy 99
    replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy} 100
    replacemsg-group 104
    replacemsg-image 110
    settings 111
    snmp {community | sysinfo | user} 112
    storage 116
    wccp 117
    zone 118
user 119
    adgrp 119
    fsso 119
    fsso-polling 120
    group 121
        config guest 121
        group-type {firewall | fsso-service | rsso | guest} 121
        authtimeout <minutes> 122
        sso-attribute-value <name> 122
        auth-concurrent-override {enable | disable} 122
        auth-concurrent-value <limit> 122
        http-digest-realm <attribute> 122
        member <name> 122
        user-id {email | auto-generate | specify} 122
        password {auto-generate | specify | disable} 122
        user-name {disable | enable} 123
        sponsor {optional | mandatory | disabled} 123
        company {optional | mandatory | disabled} 123
        email {disable | enable} 123
        mobile-phone {disable | enable} 123
        expire-type {immediately | first-successful-login} 123
        expire <seconds> 123
        max-accounts <limit> 123
        multiple-guest-add {disable | enable} 124
    krb-keytab 124
    ldap 124
    local 126
    password-policy 128
    radius 128
    setting 131
    tacacs+ 133
vpn 135
    certificate {ca | crl | local | ocsp-server | remote | setting} 135
wanopt 138
    auth-group 138
    cache-service 139
    content-delivery-network-rule 140
    peer 143
    profile 144
    settings 146
    ssl-server 146
    storage 148
webcache 148
web-proxy 151
    debug-url 151
    explicit 151
    forward-server 154
    forward-server-group 155
    global 156
    profile 157
    url-match 158
webfilter 159
    content 159
    content-header 160
    fortiguard 161
    ftgd-local-cat 162
    ftgd-local-rating 162
    override 163
    profile 164
    search-engine 170
    urlfilter 170
Appendix A: Replacement message tags 172

Introduction

This document describes FortiCache 4.2.1 commands used to configure and manage a FortiCache from the command line interface (CLI).

This document contains all potential config commands as well as a Replacement message tags appendix.

For the purposes of this guide, a FortiCache 1000D was used; this is an important distinction as not all commands, entries, or available settings are available on all models.

If in doubt, use the question mark (?) at any time to verify available commands and options.

FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc.

7

antivirus

Use config antivirus to configure the following AntiVirus related options:

- heuristic
- profile
- settings

heuristic

Use this command to configure the global heuristic options used for virus scanning.

mode {pass | block | disable}

Mode to use for heuristics. The following options are available:

- pass: Enable heuristics but pass any detected files.
- block: Enable heuristics and block any detected files.
- disable: Turn off heuristics (set by default).

profile

Use this command to create and edit AntiVirus profiles that can be applied to firewall policies.

config {http | ftp}

Use this configuration method to define how this profile handles the specific protocols HTTP and FTP.

options {scan | avmonitor | avquery}

Action to take for traffic using this protocol:

- scan: Scan files transferred over this protocol for viruses.
- avmonitor: Log detected viruses, but allow them through the firewall without modification.
- avquery: Use the FortiGuard AVQuery service.

archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}

Types of archive to block:

- encrypted: Block encrypted archives.
- corrupted: Block corrupted archives.
- multipart: Block multipart archives.
- nested: Block nested archives.
- mailbomb: Block mail bomb archives.
- unhandled: Block unhandled archives.

archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}

Types of archive to log:

- encrypted: Log encrypted archives.
- corrupted: Log corrupted archives.
- multipart: Log multipart archives.
- nested: Log nested archives.
- mailbomb: Log mail bomb archives.
- unhandled: Log unhandled archives.

emulator {enable | disable}

Enable (by default) or disable the virus emulator. This is used in the detection of malware, and can help improve throughput.

config nac-quar

Use this configuration method to define Network Access Control (NAC) quarantine virus scanning options.

infected {none | quar-src-ip}

Select to quarantine infected hosts to a banned-user list:

- none: No action is taken (set by default).
- quar-src-ip: Quarantine all traffic from the source IP.

log {enable | disable}

Enable or disable (by default) logging for NAC quarantine.

comment <comment>

Optional comments.

replacemsg-group <name>

Name of the replacement message group to assign to this profile.

To create replacement message groups, see replacemsg-group.

av-virus-log {enable | disable}

Enable (by default) or disable logging for virus scanning.

av-block-log {enable | disable}

Enable (by default) or disable logging for virus file blocking.


settings

Use this command to configure grayware detection as part of virus scanning.

grayware {enable | disable}

Enable or disable (by default) detection of grayware, malicious software that conceivably falls in the "gray area" between normal software and viruses.
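The following configuration session is an added example, not part of the original reference, that ties the three antivirus commands together: heuristics set to block, a profile that scans HTTP and FTP, blocks the archive types that cannot be inspected, and quarantines the source IP of an infected host, and grayware detection turned on. The profile name av-web is constructed, and the lines beginning with # are explanatory comments rather than CLI input.

```text
# Global heuristic scanning: detect and block rather than pass (the default is disable)
config antivirus heuristic
    set mode block
end

# AntiVirus profile "av-web" (constructed name) to be attached to a firewall policy later
config antivirus profile
    edit "av-web"
        set comment "Scan HTTP and FTP, block archives that cannot be inspected"
        config http
            set options scan
            # encrypted and unhandled archives cannot be opened by the scanner,
            # so blocking them is the only way to avoid passing them unscanned
            set archive-block encrypted unhandled mailbomb
            set archive-log encrypted corrupted multipart nested mailbomb unhandled
            set emulator enable
        end
        config ftp
            set options scan
            set archive-block encrypted unhandled mailbomb
        end
        # NAC quarantine: stop all traffic from a host that was seen sending malware
        config nac-quar
            set infected quar-src-ip
            set log enable
        end
        set av-virus-log enable
        set av-block-log enable
    next
end

# Grayware detection is disabled by default; enable it so it is reported alongside viruses
config antivirus settings
    set grayware enable
end
```

Note the split between archive-block and archive-log: logging every archive class while blocking only the classes the scanner cannot open keeps the audit trail complete without breaking legitimate multipart or nested downloads.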


dlp

Use config dlp to configure the following Data Leak Prevention (DLP) related options:

- filepattern
- fp-sensitivity
- sensor

filepattern

Use this command to create and edit file patterns used for DLP file blocking and to set which protocols to check for files to block.

config entries

Use this configuration method to define specific filters based on pattern, type, and file type.

filter-type {pattern | type}

File filter detection setting:

- pattern: Examine files by their names only (set by default). For example, if you set filter-type to pattern, and the pattern is *.zip, all files ending in .zip will trigger this file filter. Note that even files ending in .zip that are not actually ZIP archives will trigger this filter.
- type: Examine files by their type. Once set, use the file-type entry (see below) to determine the file-types to be filtered.

file-type <type>

Note: This entry is only available when filter-type is set to type.

Select the file-type to be filtered. Note that unlike the file pattern filter, this filter will examine the file contents to determine what type of file it is; neither the file name nor extension is used.

Note that two of the available options are not file types: ignored and unknown.

Enter unknown (set by default) to configure a rule affecting every file format that the filter does not recognize. Unknown includes every file format not available in this command.

Enter ignored to configure a rule affecting traffic that is typically not scanned, primarily streaming audio and video.

File types:

7z, arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2, xz, bat, msc, uue, mime, base64, binhex, elf, exe, hta, html, jad, class, cod, javascript, msoffice, msofficex, fsg, upx, petite, aspack, prc, sis, hlp, activemime, jpeg, gif, tiff, png, bmp, ignored, unknown, mpeg, mov, mp3, wma, wav, pdf, avi, rm, torrent

name <name>

Name for the file pattern header list.

comment <comment>

Optional comments.

fp-sensitivity

Use this command to define fingerprinting DLP sensitivity levels that can be applied to document sources and DLP rules.

There are no configurable entries within this command, except the name. The names can be used as labels to describe DLP rules. These can be referenced in fp-sensitivity <name>, under config filter.


sensor

Use this command to create and edit DLP sensors, including action, archive, and severity for each rule or compound rule.

config filter

Use this configuration method to define DLP filters.

name <name>

Name of the filter.

severity {info | low | medium | high | critical}

Event severity (medium by default).

type {file | message}

Either check the content of email messages or the content of downloaded files, or files attached to emails (file by default).

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

Note: The http-get and ftp entries are not available when type is set to message; all options are available when type is set to file.

The protocols for the sensor to detect: SMTP, POP3, IMAP, HTTP GET, HTTP POST, FTP, NNTP, and MAPI.

filter-by {credit-card | ssn | regexp | file-type | file-size | watermark | encrypted}

Note: The file-type, file-size, watermark, and encrypted entries are not available when type is set to message; all options are available when type is set to file.

Filter method for the sensor:

- credit-card: Sensor that logs traffic (both files and messages) containing credit card numbers in the formats used by American Express, MasterCard, and Visa (set by default).
- ssn: Sensor that logs traffic containing Social Security numbers, with the exception of WebEx invitation emails.
- regexp: Sensor that searches for specific text pattern matches. Regular expressions are text patterns consisting of special characters (or metacharacters) and are used to match against text strings. Once enabled, use the regexp entry (see below) to specify the regular expressions to filter by.
- file-type: Sensor that filters by file type. Once enabled, use the file-type entry (see below) to specify the file type to filter by.
- file-size: Sensor that filters by file size. Once enabled, use the file-size entry (see below) to specify the file size to filter by.
- watermark: Sensor that filters for defined file watermarks. Once enabled, use the company-identifier and fp-sensitivity entries (see below) to specify watermark filter options.
- encrypted: Sensor that filters for encrypted files.


regexp <string>

Note: This entry is only available when filter-by is set to regexp.

Enter the regular expression characters for the sensor to use for filtering. The regular expression library used by Fortinet is a variation of the Perl Compatible Regular Expressions (PCRE) library.

file-type <string>

Note: This entry is only available when filter-by is set to file-type.

Enter the file types for the sensor to use for filtering.

file-size <kb>

Note: This entry is only available when filter-by is set to file-size.

File size in kB. Files that exceed this file size will match the filter.

company-identifier <name>

Note: This entry is only available when filter-by is set to watermark.

Company name, or identifier, for watermarking.

fp-sensitivity <name>

Note: This entry is only available when filter-by is set to watermark.

Name of the fingerprinting DLP sensitivity levels that can be applied to document sources and DLP rules. To create these sensitivity level labels, see fp-sensitivity.

action {none | log-only | block | quarantine-ip}

Action to take when the filter makes a detection (none by default):

- none: No action taken (set by default).
- log-only: Only logs the leak.
- block: Blocks the message.
- quarantine-ip: Quarantines all traffic from the IP address.

comment <comment>

Optional comments.

replacemsg-group <name>

Name of the replacement message group to assign to this sensor.

To create replacement message groups, see replacemsg-group.

dlp-log {enable | disable}

Enable (by default) or disable logging for DLP.


nac-quar-log {enable | disable}

Enable or disable (by default) logging for NAC quarantine creation.

options {strict-file}

Optionally set this entry to strict-file (not set by default). This is required for file filtering to function when the URL contains a ? special character.

For example, a file pattern configured to block *.exe will block file.exe URLs, however a URL such as www.example.com/download?filename=file.exe will not be blocked unless strict-file is specified.

summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

Enter the protocols to always log summary.
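Pulling the dlp commands above together, the session below is an added example and not part of the reference. It builds a file pattern table with one name-based and one content-based entry, a sensitivity label, and a sensor whose filters each use only the entries their filter-by value makes available, with strict-file set so that a pattern match is not defeated by a ? in the URL. The names exe-downloads, Critical, dlp-outbound and ExampleCorp are constructed. Two syntax details are assumptions that the reference does not state: that each config entries item is keyed by its pattern (or type) string, and that the sensor's file-type <string> entry takes the name of a filepattern table. Lines beginning with # are explanatory comments.

```text
# File pattern table "exe-downloads" (constructed name).
# Assumption: each entry under config entries is keyed by its pattern or type string.
config dlp filepattern
    edit 1
        set name "exe-downloads"
        set comment "Windows executables, by name and by content"
        config entries
            # name-based: matches anything ending in .exe, whatever its contents
            edit "*.exe"
                set filter-type pattern
            next
            # content-based: matches real executables regardless of their file name
            edit "exe"
                set filter-type type
                set file-type exe
            next
        end
    next
end

# Sensitivity label that watermark filters refer to (name is its only entry)
config dlp fp-sensitivity
    edit "Critical"
    next
end

config dlp sensor
    edit "dlp-outbound"
        config filter
            # message filter: http-get and ftp are not selectable for type message
            edit 1
                set name "card-numbers"
                set severity high
                set type message
                set proto smtp http-post
                set filter-by credit-card
                set action block
            next
            # file-size is only available once filter-by is file-size; value is in kB
            edit 2
                set name "large-uploads"
                set severity medium
                set type file
                set proto http-post ftp
                set filter-by file-size
                set file-size 10240
                set action log-only
            next
            # Assumption: file-type here names the filepattern table defined above
            edit 3
                set name "exe-files"
                set severity high
                set type file
                set proto http-get http-post ftp
                set filter-by file-type
                set file-type "exe-downloads"
                set action block
            next
            # company-identifier and fp-sensitivity are only available for watermark
            edit 4
                set name "watermarked-docs"
                set severity critical
                set type file
                set proto smtp http-post
                set filter-by watermark
                set company-identifier "ExampleCorp"
                set fp-sensitivity "Critical"
                set action quarantine-ip
            next
        end
        # Without strict-file, /download?filename=file.exe is not caught by *.exe
        set options strict-file
        set dlp-log enable
        set nac-quar-log enable
        set summary-proto http-post ftp
    next
end
```

The sensor's nac-quar-log is enabled because filter 4 uses quarantine-ip; without it a quarantined host would appear in the banned-user list with no corresponding log record explaining why.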


firewall

Use config firewall to configure the following firewall related options:

- address | address6
- addgrp | addgrp6
- ippool
- policy
- profile-group
- profile-protocol-options
- schedule {group | onetime | recurring}
- service {category | custom | group}
- socks-authentication
- ssl {exemption | setting}
- ssl-ssh-profile

address | address6

Use these commands to create and edit IPv4 and IPv6 firewall addresses, and define their type and subnet netmasks.

An IPv4 firewall address is a set of one or more IP addresses, represented as a domain name, an IP address and subnet mask, or an IP address range. An IPv6 firewall address is an IPv6 6-to-4 address prefix.

Each firewall address has a Universally Unique Identifier (UUID) that is automatically assigned. To view it, use the command get firewall address or get firewall address6 and look for the uuid field.

subnet <ip-subnet>

Note: This entry is only available for address and when type is set to ipmask.

IP address and subnet mask. This can be entered in two different formats: dotted decimal format and separated by a space, or in Classless Inter-Domain Routing (CIDR) format with no separation (as shown in the examples below, respectively):

- 172.168.2.5 255.255.255.255
- 172.168.2.5/35

type {ipmask | iprange | fqdn | wildcard | url | ipprefix}

Note: Only the ipprefix and iprange entries are available for address6.

Type of firewall address:

- ipmask: IP/netmask (set by default for address). Once enabled, use the subnet entry (see above) to set the IP and netmask.
- iprange: IP address range. Once enabled, use the start-ip and end-ip entries (see below) to set the IP range.


- fqdn: Fully qualified domain name (FQDN). Once enabled, use the fqdn and cache-ttl entries (see below) to set FQDN options.
- wildcard: IP/wildcard-netmask. Once enabled, use the wildcard entry (see below) to set the IP and wildcard netmask.
- url: URL pattern (only applies to the explicit web proxy). Once enabled, use the url entry (see below) to set the URL pattern.
- ipprefix: IP/prefix (set by default for address6). Once enabled, use the ip6 entry (see below) to set the IPv6 address prefix.

ip6 <prefix>

Note: This entry is only available for address6 and when type is set to ipprefix.

IPv6 address prefix in the following format:

xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx

visibility {enable | disable}

Note: This entry is only available for address6.

Enable (by default) or disable visibility/availability of this address in firewall policy address selection.

color <color-code>

Note: This entry is only available for address6.

Icon color to use in the web-based manager. Assign a color-code from 0-32. Note that entering 0 sets the default, color 1. Available color codes: 1 to 32.

tags <name>

Note: This entry is only available for address6.

Object tags applied to this address. To enter multiple tags, separate each entry with a space.


start-ip <ip-address>

Note: This entry is only available when type is set to iprange.

Starting, or first, IP address in the range.

end-ip <ip-address>

Note: This entry is only available when type is set to iprange.

Ending, or last, IP address in the range.

fqdn <fqdn>

Note: This entry is only available for address and when type is set to fqdn.

FQDN of the firewall address.

cache-ttl <min-ttl>

Note: This entry is only available for address and when type is set to fqdn.

Minimum time to live (TTL), measured in seconds, of individual IP addresses in the FQDN cache.

wildcard <ip-netmask>

Note: This entry is only available for address and when type is set to wildcard.

Wildcard IP address and subnet mask. Like the subnet entry, this can be entered in two different formats: dotted decimal format and separated by a space, or in CIDR format with no separation (see subnet for examples).

url <url>

Note: This entry is only available for address and when type is set to url.

Address URL pattern.

comment <comment>

Optional comments.

addgrp | addgrp6

Use these commands to create and edit IPv4 and IPv6 firewall address groups used in firewall policies.

Address groups allow you to organize related firewall addresses into firewall address groups to simplify firewall policy configuration. For example, rather than creating three separate firewall policies for three firewall addresses, you could create a firewall address group consisting of the three firewall addresses, then create one firewall policy using that firewall address group.

An address group can be a member of another address group.


Each address group has a UUID that is automatically assigned. To view it, use the command get firewall addrgrp or get firewall addrgrp6 and look for the uuid field.

member <name>

Names of the IPv4 or IPv6 addresses to add to the group. To enter multiple members, separate each entry with a space.

comment <comment>

Optional comments.

visibility {enable | disable}

Enable (by default) or disable visibility/availability of this address group in firewall policy address group selection.

color <color-code>

Icon color to use in the web-based manager. Assign a color-code from 0-32. Note that entering 0 (set by default) sets the color to code 1. Available color codes: 1 to 32.

tags <name>

Object tags applied to this address group. To enter multiple tags, separate each entry with a space.

ippool

Use this command to create and edit IP pools that allow sessions leaving the FortiCache to use NAT.

An IP pool can either define a single IP address or a range of IP addresses to be used as the source address for the duration of a session. These addresses will be used instead of the IP addresses assigned to the FortiCache interface selected in the IP pool.


intf <name>

Interface or port to assign to the IP pool's addresses.

ip <ip-address>

IP address or IP range. This entry can only be set once an interface has been assigned.

netmask <ip-netmask>

Netmask for the IP address or IP range.
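As an added example that is not part of the reference, the session below creates the address objects described in the address | address6, addgrp | addgrp6 and ippool sections above: the same kind of subnet entered in both accepted formats, a range, an FQDN with a cache TTL, a wildcard match, an IPv6 prefix, a group that bundles the IPv4 objects, and a source NAT pool. All object names and the interface name port2 are constructed; the group table is entered as firewall addrgrp, following the get command quoted on the page; the lines beginning with # are comments.

```text
# IPv4 addresses: each type only accepts the entries that belong to it
config firewall address
    # ipmask in dotted-decimal form (IP, a space, then the mask)
    edit "lan-hosts"
        set type ipmask
        set subnet 192.0.2.0 255.255.255.0
        set comment "dotted-decimal form"
    next
    # the same kind of object in CIDR form (no space)
    edit "mgmt-host"
        set type ipmask
        set subnet 192.0.2.10/32
        set comment "CIDR form"
    next
    # iprange: start-ip and end-ip become available, subnet does not
    edit "guest-range"
        set type iprange
        set start-ip 198.51.100.50
        set end-ip 198.51.100.99
    next
    # fqdn: cache-ttl (seconds) floors the TTL of the resolved addresses so a
    # short DNS TTL cannot churn the object faster than policy can follow
    edit "update-server"
        set type fqdn
        set fqdn updates.example.com
        set cache-ttl 300
    next
    # wildcard: mask bits that are set must match, so 255.255.255.1 with a .1
    # address selects every odd host in 192.0.2.0/24
    edit "odd-hosts"
        set type wildcard
        set wildcard 192.0.2.1 255.255.255.1
    next
end

# IPv6 address: only ipprefix and iprange are available for address6
config firewall address6
    edit "lan6"
        set type ipprefix
        set ip6 2001:db8:1::/64
        set color 3
        set tags "internal"
    next
end

# One group so that a single policy can reference all three IPv4 objects
config firewall addrgrp
    edit "internal-networks"
        set member "lan-hosts" "mgmt-host" "guest-range"
        set comment "use as srcaddr in outbound policies"
    next
end

# Source NAT pool: ip can only be set once intf has been assigned
config firewall ippool
    edit "snat-pool"
        set intf "port2"
        set ip 203.0.113.10
        set netmask 255.255.255.0
    next
end
```

The address literals are from the documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32, so the example can be pasted into a lab without colliding with real networks.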

policy

Use this command to create and edit firewall policies.

Firewall policies control all traffic passing through the FortiCache. Firewall policies are used to decide what to do with a connection request.

Each policy has a Universally Unique IDentifier (UUID) that is automatically assigned. To view it, use the command get firewall policy and look for the uuid field.

config identity-based-policy

Note: This configuration method is only available when identity-based is set to enable.

Use this configuration method to create and edit an identity-based firewall policy. This is equivalent to creating a firewall policy in the GUI and setting its Policy Subtype to User Identity.

To reduce repetition, the following entries are available when creating these policies (see entries below for definitions and applicable notes):

- schedule
- logtraffic
- logtraffic-start
- log-http-transaction
- utm-status
- profile-type
- profile-group
- av-profile
- ia-profile
- webfilter-profile
- dlp-sensor
- icap-profile
- profile-protocol-options
- ssl-ssh-profile
- groups
- users
- action


srcintf <name>

Name of existing interfaces to be added as the source interface of the traffic that the policy will manage. To enter multiple interfaces, separate each entry with a space.

dstintf <name>

Name of existing interfaces to be added as the destination interface of the traffic that the policy will manage. To enter multiple interfaces, separate each entry with a space.

srcaddr | srcaddr6 <address>

IPv4 or IPv6 source address objects whose traffic will be managed by this policy. To enter multiple objects, separate each entry with a space.

dstaddr | dstaddr6 <address>

IPv4 or IPv6 destination address objects whose traffic will be managed by this policy. To enter multiple objects, separate each entry with a space.

action {accept | deny}

Action to take when traffic matches the firewall policy:

- accept: Allows packets that match the firewall policy. Optionally, enable NAT (see nat entry below) to make this a NAT policy (NAT/Route mode only). Also, once set, use the wanopt entry to enable and configure further WAN optimization settings if required.
- deny: Denies packets that match the firewall policy (set by default).

status {enable | disable}

Enable (by default) or disable the policy.

schedule <name>

Note: This entry is not available when identity-based is set to enable.

Name of a pre-existing schedule used by the policy. Schedules are created in the GUI as either Recurring or One-time schedules.

service <service>

Set the services matched by the policy. To enter multiple services, separate each entry with a space. Enter set service ? to view the available services.

utm-status {enable | disable}

Note: This entry is only available when the source and destination related entries have been set.


Enable or disable (by default) the ability to add UTM security profiles to this firewall policy. If enabled, at least one profile must be added to the policy.

profile-type {single | group}

Note: This entry is only available when utm-status is set to enable, but before any security profiles have been configured in the policy.

Determine whether to use a single UTM security profile (set by default) or a profile group for the firewall policy.

profile-group <name>

Note: This entry is only available when profile-type is set to group.

Name of a UTM security profile group to assign to this firewall policy.

av-profile <name>

Note: This entry is only available when utm-status is set to enable.

Name of an AntiVirus profile to assign to this firewall policy.

ia-profile <name>

Note: This entry is only available when utm-status is set to enable.

Name of an image analyzer profile to assign to this firewall policy.

webfilter-profile <name>

Note: This entry is only available when utm-status is set to enable.

Name of a Web Filter profile to assign to this firewall policy.

dlp-sensor <name>

Note: This entry is only available when utm-status is set to enable.

Name of a Data Leak Prevention (DLP) sensor profile to assign to this firewall policy.

icap-profile <name>

Note: This entry is only available when utm-status is set to enable.

Name of an Internet Content Adaptation Protocol (ICAP) profile to assign to this firewall policy.

profile-protocol-options <name>

Name of a protocol options profile to assign to this firewall policy.


ssl-ssh-profile <name>

Name of an SSL/SSH profile to assign to this firewall policy.

logtraffic <method>

Method used for recording traffic logs for this policy:

- all: Record logs for all traffic accepted by this policy.
- utm: Records logs for all UTM events and matched application traffic (set by default). Note that this only appears available when utm-status is set to enable.
- disable: Disable logging for this policy.

logtraffic-start {enable | disable}

Enable or disable (by default) the ability to log session starts and stops.

log-http-transaction {enable | disable}

Enable or disable (by default) the ability to log HTTP transactions.

wanopt {enable | disable}

Note: This entry is only available when action is set to accept.

Enable or disable (by default) use of WAN optimization for this policy.

wanopt-detection {active | passive | off}

Note: This entry is only available when wanopt is set to enable.

Peer auto-detection mode for WAN optimization:

- active: Active WAN optimization peer auto-detection (set by default).
- passive: Passive WAN optimization peer auto-detection. Once set, use the wanopt-passive-opt entry below to configure passive mode options.
- off: Turn off WAN optimization peer auto-detection.

wanopt-passive-opt {default | transparent | non-transparent}

Note: This entry is only available when wanopt-detection is set to passive.

WAN optimization passive mode options used to determine what IP address is used to connect to the server.

- default: Allow the client side WAN optimization peer to decide (set by default).
- transparent: Use the client's address to connect to the server.
- non-transparent: Use the local FortiCache's address to connect to the server.


wanopt-profile <name>

Note: This entry is only available when wanopt is set to enable. This entry is not available when wanopt-detection is set to passive.

Name of a WAN optimization profile to assign to the policy.

wanopt-peer <peer>

Note: This entry is only available when wanopt-detection is set to off.

Manually set the WAN optimization peer.

identity-based {enable | disable}

Note: This entry is only available when action is set to accept.

Enable or disable (by default) identity-based policy. Once set, use the active-auth-method and sso-auth-method entries to set various identity-based authentication methods for this policy. In addition, when enabled, use the identity-based-policy configuration method to configure further settings.

ip-based {enable | disable}

Note: This entry is only available when identity-based is set to enable, and an identity-based policy has been configured using the identity-based-policy configuration method (see above).

Enable (by default) or disable IP address-based authentication.

active-auth-method {ntlm | basic | digest | form | negotiate | none}

Note: This entry is only available when identity-based is set to enable.

Active authentication method:

- ntlm: NT LAN Manager (NTLM) authentication. An FSSO agent must already be configured to select this option.
- basic: Basic HTTP authentication (set by default).
- digest: Digest HTTP authentication.
- form: Form-based HTTP authentication.
- negotiate: Negotiate authentication.
- none: No authentication.

transaction-based {enable | disable}

Note: This entry is only available when ip-based is set to disable.

Enable or disable (by default) transaction-based authentication.

sso-auth-method {fsso | rsso | none}

Note: This entry is only available when identity-based and ip-based are both set to enable.

Single Sign-on (SSO) authentication method:


- fsso: Fortinet SSO (FSSO).
- rsso: RADIUS SSO (RSSO). An RSSO server must already be configured to select this option.
- none: No SSO authentication (set by default).

web-auth-cookie {enable | disable}

Note: This entry is only available when srcintf is set to web-proxy.

Enable or disable (by default) use of web authentication cookies.

nat {enable | disable}

Note: This entry is only available when action is set to accept and when srcintf is set to a port (i.e. not web-proxy).

Enable or disable (by default) the use of Network Address Translation (NAT) for this policy.

wccp {enable | disable}

Note: This entry is not available when srcintf is set to web-proxy.

Enable or disable (by default) Web Cache Coordination Protocol (WCCP) for this policy.

ippool <name>

Note: This entry is only available when srcintf is set to web-proxy.

Name of an IP pool to assign to the policy. When NAT is enabled, and an IP pool is assigned to the policy, source addresses are translated to an address randomly selected from the IP pool added to the destination interface of the policy.

comments <comment>

Optional comments.

label

global-label

webproxy-profile <name>

Name of a Web Proxy profile to assign to this firewall policy.

webcache {enable | disable}

Enable or disable (by default) web caching.


webcache-https {disable | any}

Enable (any) or disable (by default) web caching of HTTPS traffic that matches the policy.

custom-log-fields <index>

Note: This entry is not available when using a web proxy source interface.

Log field index numbers used to add custom log fields to the log message for this policy. Custom fields must already be configured to configure this option. To create custom log fields, see custom-field.

webproxy-forward-server <name>

Note: This entry is only available when srcintf is set to web-proxy.

Name of a Web Proxy Forwarding Server to assign to this firewall policy.

transparent {enable | disable}

Note: This entry is only available when srcintf is set to web-proxy.

Enable or disable (by default) setting the web proxy to use the original client address.

tags <name>

Object tags applied to this policy. To enter multiple tags, separate each entry with a space.

replacemsg-override-group <name>

Name of a replacement message override group. This will override the default replacement message for this policy. To create custom replacement message groups, see replacemsg-group.

srcaddr-negate {enable | disable}

Enable or disable (by default) srcaddr negation. When enabled, this causes srcaddr to specify what the source address must not be.

dstaddr-negate {enable | disable}

Enable or disable (by default) dstaddr negation. When enabled, this causes dstaddr to specify what the destination address must not be.

service-negate {enable | disable}

Enable or disable (by default) service negation. When enabled, this causes service to specify what the service must not be.


profile-group

Use this command to create and edit profile groups used to contain multiple security profiles. Profile groups canbe used in firewall policies, as a more efficient way to apply multiple profiles to a policy at once, if you set thefirewall policy's profile-type to group.

av-profile <name>

Name of an AntiVirus profile to assign to this profile group.

ia-profile <name>

Name of an image analyzer profile to assign to this profile group.

webfilter-profile <name>

Name of a Web Filter profile to assign to this profile group.

dlp-sensor <name>

Name of a Data Leak Prevention (DLP) sensor profile to assign to this profile group.

icap-profile <name>

Name of an Internet Content Adaptation Protocol (ICAP) profile to assign to this profile group.

profile-protocol-options <name>

Name of a protocol options profile to assign to this profile group.

ssl-ssh-profile <name>

Name of an SSL/SSH profile to assign to this profile group.

profile-protocol-options

Use this command to configure UTM protocol options profiles for firewall policies. Protocol options determine how UTM functionality identifies content from the HTTP, FTP, and RTMP protocols. Every firewall policy that includes UTM profiles must include a protocol options profile.

To configure SSL-related options for secure protocols, see ssl-ssh-profile.

config http

Use this configuration method to create and edit HTTP protocol options.


ports <port>

Ports to use for scanning for HTTP traffic. Set the value between 1-65535. The default is set to 80.

status {enable | disable}

Enable (by default) or disable the protocol inspection of HTTP traffic.

options {clientcomfort | servercomfort | oversize | chunkedbypass}

Options to apply to HTTP sessions. To apply more than one option, separate each entry with a space:

- clientcomfort: Apply client comforting and prevent client timeout.
- servercomfort: Apply server comforting and prevent server timeout.
- oversize: Block files that are over the file size limit.
- chunkedbypass: Allow web sites that use chunked encoding for HTTP to bypass the firewall. Chunked encoding means the HTTP message-body is altered to allow it to be transferred in a series of chunks.

Use of chunkedbypass is a risk, as malicious content could enter the network if web content is allowed to bypass the firewall.

comfort-interval <seconds>

Period of time in seconds before client comforting starts after a download has begun. This also determines the interval between subsequent client comforting. Set the value between 1-900 (or one second to 15 minutes). The default is set to 10.

comfort-amount <bytes>

Size of intervals in bytes that client comforting sends to show that an HTTP download is progressing. Set the value between 1-10240 (or one byte to just over ten kilobytes). The default is set to 1.

post-lang <language>

Character sets to convert to UTF-8 for banned words and DLP on HTTP posts. To enter multiple sets, separate each entry with a space, for a maximum of five character sets:

- jisx0201: Japanese Industrial Standard 0201.
- jisx0208: Japanese Industrial Standard 0208.
- jisx0212: Japanese Industrial Standard 0212.
- gb2312: Guojia Biaozhun 2312 (simplified Chinese).
- ksc5601-ex: Wansung Korean standard 5601.
- euc-jp: Extended Unicode Japanese.
- sjis: Shift Japanese Industrial Standard.
- iso2022-jp: ISO 2022 Japanese.
- iso2022-jp-1: ISO 2022-1 Japanese.
- iso2022-jp-2: ISO 2022-2 Japanese.
- euc-cn: Extended Unicode Chinese.
- ces-gbk: Extended GB2312 (simplified Chinese).
- hz: Hanzi simplified Chinese.
- ces-big5: Big-5 traditional Chinese.
- euc-kr: Extended Unicode Korean.
- iso2022-jp-3: ISO 2022-3 Japanese.
- iso8859-1: ISO 8859 Part 1 (Western European).
- tis620: Thai Industrial Standard 620.
- cp874: Code Page 874 (Thai).
- cp1252: Code Page 1252 (Western European Latin).
- cp1251: Code Page 1251 (Cyrillic).

streaming-content-bypass {enable | disable}

Enable (by default) or disable streaming content to be bypassed rather than buffered.

switching-protocols {bypass | block}

Action to take when connections switch protocols:

- bypass: Bypass scanning when connections switch protocols (set by default).
- block: Block scanning when connections switch protocols.

oversize-limit <megabytes>

Maximum file size in megabytes; any file larger than this limit will be either passed or blocked, depending on whether oversize is a selected HTTP option (see the options entry above).

The maximum file size for scanning in memory is 10% of the FortiCache's RAM. For the purposes of this document, a FortiCache 1000D is used, which has a maximum RAM of 16 gigabytes. In this case, you can set the value between 1-1602 (or one megabyte to just over 1.6 gigabytes). The default is set to 10.

uncompressed-oversize-limit <megabytes>

Maximum uncompressed file size that can be scanned in megabytes. As with oversize-limit, the limit is 10% of your FortiCache's maximum RAM (in this case, a FortiCache 1000D with 16 gigabytes of RAM). Set the value between 1-1602 (or one megabyte to just over 1.6 gigabytes), or set to 0 for unlimited. The default is set to 10.

uncompressed-nest-limit <levels>

Maximum nested compression levels that can be scanned. Set the value between 2-100. The default is set to 12.

scan-bzip2 {enable | disable}

Enable (by default) or disable scanning of BZip2 compressed files. Note that BZip2 scanning is extremely CPU intensive.
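To show how uncompressed-oversize-limit, uncompressed-nest-limit and scan-bzip2 work together, here is an added Python example (not FortiCache code) that unpacks an archive one layer at a time and stops as soon as either limit is exceeded; the limit values, verdict names and sample payloads are constructed for the example.

```python
import bz2
import gzip
import io

# Constructed limits for the example (the profile's own defaults are 10 MB
# and 12 levels); 0 for the size limit means unlimited, as in the CLI.
UNCOMPRESSED_OVERSIZE_LIMIT_MB = 1
UNCOMPRESSED_NEST_LIMIT = 3

GZIP_MAGIC = b"\x1f\x8b"
BZIP2_MAGIC = b"BZh"
CHUNK = 64 * 1024


def _open_layer(data, scan_bzip2):
    """Return (kind, stream) if `data` is a compressed layer to unpack, else (None, None).
    With scan_bzip2 disabled a bzip2 member is left opaque, mirroring scan-bzip2."""
    if data.startswith(GZIP_MAGIC):
        return "gzip", gzip.GzipFile(fileobj=io.BytesIO(data))
    if scan_bzip2 and data.startswith(BZIP2_MAGIC):
        return "bzip2", bz2.BZ2File(io.BytesIO(data))
    return None, None


def scan_nested(data, oversize_limit_mb=UNCOMPRESSED_OVERSIZE_LIMIT_MB,
                nest_limit=UNCOMPRESSED_NEST_LIMIT, scan_bzip2=True):
    """Unpack nested compression level by level and report a verdict.

    Verdict names are this example's own:
      "scanned"    every layer was unpacked within both limits
      "oversize"   the uncompressed output exceeded oversize_limit_mb
      "nest-limit" more compressed layers than nest_limit
    Output is read in chunks so a small file that expands to a huge one is
    cut off at the byte budget instead of being expanded fully in memory.
    """
    budget = None if oversize_limit_mb == 0 else oversize_limit_mb * 1024 * 1024
    current = data
    levels = 0
    while True:
        kind, stream = _open_layer(current, scan_bzip2)
        if kind is None:
            # Plain content (or an opaque member): this is what gets scanned.
            return {"verdict": "scanned", "levels": levels, "bytes": len(current)}
        if levels >= nest_limit:
            return {"verdict": "nest-limit", "levels": levels, "bytes": len(current)}
        levels += 1
        out = bytearray()
        while True:
            chunk = stream.read(CHUNK)
            if not chunk:
                break
            out += chunk
            if budget is not None and len(out) > budget:
                return {"verdict": "oversize", "levels": levels, "bytes": len(out)}
        current = bytes(out)


def wrap(payload, layers, codec="gzip"):
    """Build a constructed sample: `payload` compressed `layers` times."""
    compress = gzip.compress if codec == "gzip" else bz2.compress
    for _ in range(layers):
        payload = compress(payload)
    return payload


if __name__ == "__main__":
    plain = b"constructed sample payload " * 64
    print(scan_nested(wrap(plain, 2)))                                 # scanned, 2 levels
    print(scan_nested(wrap(plain, 4)))                                 # nest-limit at 3
    print(scan_nested(wrap(b"\0" * (4 * 1024 * 1024), 1)))             # oversize after 1 MB
    print(scan_nested(wrap(plain, 1, "bzip2"), scan_bzip2=False))      # scanned, 0 levels
```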

block-page-status-code <blocked-pages>

Return code of blocked HTTP pages. Set the value between 100-599. The default is set to 200.


retry-count <retries>

Maximum number of times to retry establishing an HTTP connection when the connection fails on the first attempt. Set the value between 0-100. The default is set to 0.

This allows the web server proxy to repeat the connection attempt on behalf of the browser if the server refuses the connection the first time. This helps to reduce the number of hang-ups or page not found errors for busy web servers.

config ftp

Use this configuration method to create and edit FTP protocol options.

ports <port>

Ports to use for scanning for FTP traffic. Set the value between 1-65535. The default is set to 21.

status {enable | disable}

Enable (by default) or disable the protocol inspection of FTP traffic.

options {clientcomfort | oversize | splice | bypass-rest-command | bypass-mode-command}

Options to apply to FTP sessions. To apply more than one option, separate each entry with a space:

- clientcomfort: Apply client comforting and prevent client timeout.
- oversize: Block files that are over the file size limit.
- splice: Simultaneously scan a file and send it to the recipient (set by default). If the FortiCache unit detects a virus, it prematurely terminates the connection.
- bypass-rest-command: Bypass REST command.
- bypass-mode-command: Bypass MODE command.

comfort-interval <seconds>

Period of time in seconds before client comforting starts after a download has begun. This also determines the interval between subsequent client comforting. Set the value between 1-900 (or one second to 15 minutes). The default is set to 10.

comfort-amount <bytes>

Size of intervals in bytes that client comforting sends to show that an HTTP download is progressing. Set the value between 1-10240 (or one byte to just over ten kilobytes). The default is set to 1.

oversize-limit <megabytes>

Maximum file size in megabytes; any file larger than this limit will be either passed or blocked, depending on whether oversize is a selected FTP option (see the options entry above).

The maximum file size for scanning in memory is 10% of the FortiCache's RAM. For the purposes of this document, a FortiCache 1000D is used, which has a maximum RAM of 16 gigabytes. In this case, you can set the value between 1-1602 (or one megabyte to just over 1.6 gigabytes). The default is set to 10.


uncompressed-oversize-limit <megabytes>

Maximum uncompressed file size that can be scanned in megabytes. As with oversize-limit, the limit is 10% of your FortiCache's maximum RAM (in this case, a FortiCache 1000D with 16 gigabytes of RAM). Set the value between 1-1602 (or one megabyte to just over 1.6 gigabytes), or set to 0 for unlimited. The default is set to 10.

uncompressed-nest-limit <levels>

Maximum nested compression levels that can be scanned. Set the value between 2-100. The default is set to 12.

scan-bzip2 {enable | disable}

Enable (by default) or disable scanning of BZip2 compressed files. Note that BZip2 scanning is extremely CPU intensive.

config rtmp

Use this configuration method to create and edit RTMP protocol options.

ports <port>

Ports to use for scanning for RTMP traffic. Set the value between 1-65535. The default is set to 1935.

status {enable | disable}

Enable or disable (by default) the protocol inspection of RTMP traffic.

comment <comment>

Optional comments.

replacemsg-group <name>

Name of a replacement message group for the profile to use.

oversize-log {enable | disable}

Enable or disable (by default) logging of antivirus oversize file blocking.

switching-protocols-log {enable | disable}

Enable or disable (by default) logging of HTTP/HTTPS protocol switching.

schedule {group | onetime | recurring}

The schedule command is divided into three configurable options: create and edit schedule groups, one-time schedules for policies that are effective once for the period of time specified in the schedule, and schedules that can recur weekly.


group

Use this command to configure schedule groups.

member <name>

Names of existing one-time or recurring firewall schedules to add to this group. To add more than one member, separate each entry with a space.

color <color-code>

Icon color to use in the web-based manager. Assign a color-code from 0-32 (see below).

Note that entering 0 sets the default, color 1.

1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7 11 15 19 23 27 31

4 8 12 16 20 24 28 32

onetime

Use this command to configure one-time schedules that can be used to determine when policies are active or inactive for a specific time period.

start <time-date>

Start time and date of the schedule in the format hh:mm yyyy/mm/dd. The default is set to 00:00 2001/01/01.

Note that all time and date entries can be entered within the expected ranges except the minutes, which can only be set to either 00, 15, 30, or 45.

end <time-date>

End time and date of the schedule in the format hh:mm yyyy/mm/dd. The default is set to 00:00 2001/01/01.

Note that all time and date entries can be entered within the expected ranges except the minutes, which can only be set to either 00, 15, 30, or 45.

color <color-code>

Icon color to use in the web-based manager. Assign a color-code from 0-32 (see below).

Note that entering 0 sets the default, color 1.


1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7 11 15 19 23 27 31

4 8 12 16 20 24 28 32

expiration-days <days>

Number of days before the schedule's expiration that an event log will be generated. Set the value between 0-100, where 0 disables the option. The default is set to 3.

recurring

Use this command to configure recurring schedules that can be used to determine when policies are active or inactive for either specific times of day or days of the week.

If a recurring schedule is created with an end time that occurs before the start time, the schedule starts at the start time and finishes at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.

To create a recurring schedule that runs for 24 hours, set the start and stop times to the same time (e.g. 00:00).

start <time>

Start time of the schedule in the format hh:mm. The default is set to 00:00.

Note that the hours can be entered within the expected ranges except the minutes, which can only be set to either 00, 15, 30, or 45.

end <time>

End time of the schedule in the format hh:mm. The default is set to 00:00.

Note that the hours can be entered within the expected ranges except the minutes, which can only be set to either 00, 15, 30, or 45.

day {sunday | monday | tuesday | wednesday | thursday | friday | saturday | none}

Days of the week that the schedule remains valid. To make the schedule invalid, enter none. To add more than one day, separate each entry with a space. The default is set to sunday.
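The wrap-around and 24-hour rules for recurring schedules, and the quarter-hour restriction on all schedule times, are easy to misjudge when checking a policy by hand, so here is an added Python example (not FortiCache code) that evaluates one-time and recurring schedules against a timestamp using the formats given in this section. It assumes a half-open window (active at the start time, no longer active at the end time) and that a wrapped window begun on a listed day runs to its end time even if the following day is not listed; the page states neither, and the sample schedules are constructed.

```python
from datetime import datetime, time, timedelta

# Minutes the CLI accepts for any schedule time.
QUARTER_HOURS = {0, 15, 30, 45}
# Indexed by datetime.weekday(), where Monday is 0.
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def when(text):
    """Helper for the examples: 'yyyy-mm-dd hh:mm' to a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_hhmm(text):
    """Parse 'hh:mm'; reject minutes other than 00, 15, 30 or 45."""
    hh, _, mm = text.partition(":")
    hour, minute = int(hh), int(mm)
    if not 0 <= hour <= 23 or minute not in QUARTER_HOURS:
        raise ValueError(f"invalid schedule time {text!r}")
    return time(hour, minute)


def parse_onetime(text):
    """Parse the onetime start/end format 'hh:mm yyyy/mm/dd'."""
    clock_part, _, date_part = text.partition(" ")
    clock = parse_hhmm(clock_part)
    year, month, day = (int(x) for x in date_part.split("/"))
    return datetime(year, month, day, clock.hour, clock.minute)


def onetime_active(start, end, now):
    """One-time schedule: active from start up to, but not at, end (assumed)."""
    return parse_onetime(start) <= now < parse_onetime(end)


def expiring_soon(end, now, expiration_days=3):
    """Mirror expiration-days: True when the schedule ends within that many
    days of `now`; 0 disables the check, as in the CLI."""
    if expiration_days == 0:
        return False
    remaining = parse_onetime(end) - now
    return timedelta(0) <= remaining <= timedelta(days=expiration_days)


def recurring_active(start, end, days, now):
    """Recurring schedule on the listed weekdays.

    end == start covers the whole day; end < start wraps past midnight, so a
    window that began on a listed day stays active before `end` on the
    following day (assumption: the page only says it finishes the next day).
    """
    days = set(days)
    if "none" in days:
        return False
    s, e = parse_hhmm(start), parse_hhmm(end)
    today = DAYS[now.weekday()]
    yesterday = DAYS[(now.weekday() - 1) % 7]
    clock = now.time()
    if s == e:
        return today in days
    if s < e:
        return today in days and s <= clock < e
    return (today in days and clock >= s) or (yesterday in days and clock < e)


if __name__ == "__main__":
    # Constructed sample: a maintenance window from Friday 22:00 to Saturday 06:00.
    print(recurring_active("22:00", "06:00", ["friday"], when("2017-06-03 03:00")))  # True
    print(recurring_active("22:00", "06:00", ["friday"], when("2017-06-03 07:00")))  # False
```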

color <color-code>

Icon color to use in the web-based manager. Assign a color-code from 0-32 (see below).


Note that entering 0 sets the default, color 1.

1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7 11 15 19 23 27 31

4 8 12 16 20 24 28 32

service {category | custom | group}

The service command is divided into three configurable options: create and edit service categories, custom services, and service groups.

Groups make policy creation easier as you can create groups of services and then add one policy to provide or block access for all the services in the group. A service group can contain predefined services and custom services in any combination.

category

Use this command to create new and edit predefined categories, and optionally add comments to better distinguish the firewall service categories. To assign services to these categories, use the custom service command (see below).

The following predefined categories are available for editing:

- General
- Web Access
- File Access
- Email
- Network Services
- Authentication
- Remote Access
- Tunneling
- VoIP, Messaging & Other Applications
- Web Proxy

comment <comment>

Optional comments.


custom

Use this command to create new and edit predefined firewall services.

The following predefined services are available for editing, including those that are considered uncategorized (i.e. not under one of the categories listed above):

File types

ALL NNTP TELNET

ALL_TCP NTP TFTP

ALL_UDP OSPF MGCP

ALL_ICMP PC-Anywhere UUCP

ALL_ICMP6 PING VDOLIVE

GRE TIMESTAMP WAIS

AH INFO_REQUEST WINFRAME

ESP INFO_ADDRESS X-WINDOWS

AOL ONC-RPC PING6

BGP DCE-RPC MS-SQL

DHCP POP3 MYSQL

DNS POP3S RDP

FINGER PPTP VNC

FTP QUAKE DHCP6

FTP_GET RAUDIO SQUID

FTP_PUT REXEC SOCKS

GOPHER RIP WINS

H323 RLOGIN RADIUS

HTTP RSH RADIUS-OLD

HTTPS SCCP CVSPSERVER

IKE SIP AFS3


IMAP SIP-MSNmessenger TRACEROUTE

IMAPS SAMBA RTSP

Internet-Locator-Service SMTP MMS

IRC SMTPS KERBEROS

L2TP SNMP LDAP_UDP

LDAP SSH SMB

NetMeeting SYSLOG NONE

NFS TALK webproxy

The options below are available when editing a service.

explicit-proxy {enable | disable}

Enable or disable (by default) this service as an explicit web proxy service. When enabled, this service will be available to explicit proxy firewall policies but not to regular firewall policies.

category <name>

Assign this service to a service category.

protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP} {HTTP | FTP | CONNECT | SOCKS-TCP | SOCKS-UDP | ALL}

Note: The protocols available depend on whether explicit-web-proxy is set to enable or disable (see lists below).

Protocol used by this service. When explicit-web-proxy is set to disable, the following protocols are available:

- TCP/UDP/SCTP (set by default)
- ICMP
- ICMP6
- IP

When explicit-web-proxy is set to enable, the following protocols are available:

- HTTP
- FTP
- CONNECT
- SOCKS-TCP
- SOCKS-UDP
- ALL (set by default)


iprange <address>

Note: This entry is not available when protocol is set to either ICMP, ICMP6, or IP.

IP address or address range for this service. Enter a hyphen (-) in between the addresses if you wish to enter an address range.

fqdn <fqdn>

Note: This entry is not available when protocol is set to either ICMP, ICMP6, or IP.

Fully qualified domain name (FQDN) for this service.

tcp-portrange <ranges>

Note: This entry is not available when protocol is set to either ICMP, ICMP6, or IP.

Destination and source port ranges for TCP services in the following format:

<dstportlow>-<dstporthigh>:<srcportlow>-<srcporthigh>

For example:

100-150:1100-1150

When setting this option, bear in mind the following:

- If the destination port range can be any port, enter 0-65535.
- If the destination and/or source is a single port, enter a single number for each.
- If the source port range can be any port, no entry is required.
- To enter multiple port ranges, separate each range with a space. This can be done up to a maximum of 16 port ranges.
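To check such a value before committing it to the CLI, here is an added Python parser (example code, not FortiCache's own) that applies the rules listed above and can then test a destination/source port pair against the parsed ranges; the sample values other than 100-150:1100-1150 are constructed.

```python
PORT_MAX = 65535
MAX_RANGES = 16
ANY_PORT = (0, PORT_MAX)  # what an omitted source part means


def _parse_ports(text, side):
    """Parse 'low-high' or a single port into an inclusive (low, high) tuple."""
    low_text, dash, high_text = text.partition("-")
    try:
        low = int(low_text)
        high = int(high_text) if dash else low
    except ValueError:
        raise ValueError(f"{side} port {text!r} is not a number or range") from None
    if not 0 <= low <= high <= PORT_MAX:
        raise ValueError(f"{side} port range {text!r} is out of order or exceeds {PORT_MAX}")
    return low, high


def parse_portrange(spec):
    """Parse a tcp-portrange, udp-portrange or sctp-portrange value.

    Returns a list of ((dst_low, dst_high), (src_low, src_high)). A range
    with no ':<src>' part means any source port, and at most 16 space
    separated ranges are accepted, matching the rules in the reference.
    """
    entries = spec.split()
    if not 1 <= len(entries) <= MAX_RANGES:
        raise ValueError(f"expected 1 to {MAX_RANGES} port ranges, got {len(entries)}")
    ranges = []
    for entry in entries:
        dst_text, colon, src_text = entry.partition(":")
        dst = _parse_ports(dst_text, "destination")
        src = _parse_ports(src_text, "source") if colon else ANY_PORT
        ranges.append((dst, src))
    return ranges


def service_matches(ranges, dst_port, src_port):
    """True if any parsed range covers the destination/source port pair."""
    return any(d_lo <= dst_port <= d_hi and s_lo <= src_port <= s_hi
               for (d_lo, d_hi), (s_lo, s_hi) in ranges)


if __name__ == "__main__":
    # Constructed sample: the page's 100-150:1100-1150 plus a single port with any source.
    spec = "100-150:1100-1150 8443"
    print(parse_portrange(spec))
    print(service_matches(parse_portrange(spec), 120, 1120))  # True
    print(service_matches(parse_portrange(spec), 120, 2000))  # False
```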

udp-portrange <ranges>

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Destination and source port ranges for UDP services. See tcp-portrange above for formatting considerations.

sctp-portrange <ranges>

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Destination and source port ranges for SCTP services. See tcp-portrange above for formatting considerations.

tcp-halfclose-timer <seconds>

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Period of time in seconds the FortiCache waits before it closes a session after one peer has sent a FIN packet, but the other has not responded. Set the value between 1-86400 (or one second to one day). Enter 0 (set by default) to use the global setting defined in global.


tcp-halfopen-timer <seconds>

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Period of time in seconds the FortiCache waits before it closes a session after one peer has sent an open session packet, but the other has not responded. Set the value between 1-86400 (or one second to one day). Enter 0 (set by default) to use the global setting defined in global.

tcp-timewait-timer <seconds>

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Duration of the TCP TIME-WAIT state in seconds, a state which represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request (for more information, see RFC 793).

Set the value between 1-300 (or one second to five minutes). Enter 0 (set by default) to use the global setting defined in global.

Note that a smaller value means terminated sessions can be closed faster, meaning more new sessions can be opened before the session limit is reached.

udp-idle-timer <seconds>

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Period of time in seconds before an idle UDP connection times out. Set the value between 1-86400 (or one second to one day). Enter 0 (set by default) to use the global setting defined in global.

session-ttl <seconds>

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Period of time in seconds before the session times out. Set the value between 300-604800 (or five minutes to one week). Enter 0 (set by default) to use either the per-policy or per-VDOM session-ttl, as applicable.

check-reset-range {disable | strict | default}

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

ICMP error message verification method:

- disable: ICMP error messages are not validated.
- strict: If an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header is received, then if the A:C->B:D session can be located, it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If log-invalid-packet is enabled (see setting), logs will show that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
- default: Global setting defined in global is used (set by default).
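The strict check is what keeps an ICMP error that names the right addresses and ports but carries a sequence number outside the session's recorded window from affecting that session. The following added Python model (not FortiCache code) shows the session lookup, the in-window test with 32-bit wrap-around, the fallback from default to the global setting, and the log-invalid-packet behaviour; the session table, addresses and log wording are constructed for the example.

```python
from dataclasses import dataclass

SEQ_MODULUS = 1 << 32


@dataclass(frozen=True)
class Session:
    """A tracked TCP session A:C -> B:D with the sequence window it recorded."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq_low: int
    seq_high: int

    @property
    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


@dataclass(frozen=True)
class IcmpError:
    """The IP(A,B) | TCP(C,D) header embedded in an ICMP error message."""
    a_ip: str
    b_ip: str
    c_port: int
    d_port: int
    seq: int


def seq_in_window(seq, low, high):
    """Inclusive window test that tolerates 32-bit sequence number wrap-around."""
    seq, low, high = seq % SEQ_MODULUS, low % SEQ_MODULUS, high % SEQ_MODULUS
    if low <= high:
        return low <= seq <= high
    return seq >= low or seq <= high


def check_reset_range(mode, sessions, pkt, global_mode="disable",
                      log_invalid_packet=False, log=None):
    """Apply check-reset-range to one ICMP error.

    mode is disable, strict or default; default falls back to global_mode,
    as the CLI's default option does. Returns "accept", "drop" or
    "no-session" (the last is this example's choice for an error that
    matches no tracked session; the page does not say what happens then).
    """
    effective = global_mode if mode == "default" else mode
    if effective != "strict":
        return "accept"
    session = sessions.get((pkt.a_ip, pkt.c_port, pkt.b_ip, pkt.d_port))
    if session is None:
        return "no-session"
    if seq_in_window(pkt.seq, session.seq_low, session.seq_high):
        return "accept"
    if log_invalid_packet and log is not None:
        # Constructed log wording, not a real FortiCache log message.
        log.append(f"dropped ICMP error for {pkt.a_ip}:{pkt.c_port}->"
                   f"{pkt.b_ip}:{pkt.d_port}: seq {pkt.seq} outside "
                   f"{session.seq_low}-{session.seq_high}")
    return "drop"


def sample_sessions():
    """Constructed session table using RFC 5737 documentation addresses."""
    s = Session("192.0.2.10", 40000, "203.0.113.5", 443, seq_low=1000, seq_high=1500)
    return {s.key: s}


if __name__ == "__main__":
    log = []
    table = sample_sessions()
    good = IcmpError("192.0.2.10", "203.0.113.5", 40000, 443, seq=1200)
    bad = IcmpError("192.0.2.10", "203.0.113.5", 40000, 443, seq=900000)
    print(check_reset_range("strict", table, good))  # accept
    print(check_reset_range("strict", table, bad, log_invalid_packet=True, log=log), log)  # drop
```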


icmptype <number>

Note: This entry is only available when protocol is set to either ICMP or ICMP6.

ICMP type number. Set the value between 0-255. To view all the ICMP types and code numbers, go to the Internet Assigned Numbers Authority (IANA) Protocol Registry and see ICMP Type Numbers.

protocol-number <number>

Note: This entry is only available when protocol is set to IP.

IP protocol number for an IP service. Set the value between 0-254. To view all the protocol numbers, go to the Internet Assigned Numbers Authority (IANA) Protocol Registry and see Assigned Internet Protocol Numbers.

comment <comment>

Optional comments.

color <color-code>

Icon color to use in the web-based manager. Assign a color-code from 0-32 (see below).

Note that entering 0 sets the default, color 1.

1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7 11 15 19 23 27 31

4 8 12 16 20 24 28 32

visibility {enable | disable}

Enable (by default) or disable visibility/availability of this service in firewall policy service selection.

group

Use this command to create new and edit predefined firewall service groups.

The following predefined groups are available for editing:

- Email Access
- Exchange Server
- Web Access
- Windows AD


member <name>

Names of firewall services to add to this service group. To add more than one member, separate each entry with a space.

explicit-proxy {enable | disable}

Enable or disable (by default) this service group as explicit web proxy services. This service group will be available to explicit proxy firewall policies but not to regular firewall policies.

comment <comment>

Optional comments.

color <color-code>

Icon color to use in the web-based manager. Assign a color-code from 0-32 (see below).

Note that entering 0 sets the default, color 1.

1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7 11 15 19 23 27 31

4 8 12 16 20 24 28 32

socks-authentication

Use this command to create and edit Socket Secure (SOCKS) authentication options. Authentication takes place first; then, once the destination is obtained, a policy match is implemented, and the authenticated credentials are used to perform authorization.

proxy <name>

Explicit web proxy to add for SOCKS authentication. While there is no default, the default choice is web-proxy.

srcaddr <name>

Name of an address for the policy.

action {no-auth | auth}

Policy action:


- no-auth: Deny authentication to traffic that matches the policy (set by default).
- auth: Grant authentication to traffic that matches the policy.

ip-based {enable | disable}

Enable or disable (by default) IP address-based authentication.

active-auth-method {active | kerberos}

SOCKS active authentication method:

- basic: Basic HTTP authentication.
- kerberos: Kerberos authentication.

sso-auth-method {fsso | rsso}

Note: This entry is only available when ip-based is set to enable.

SOCKS passive Single Sign-on (SSO) authentication method:

- fsso: Fortinet SSO (FSSO) authentication.
- rsso: RADIUS SSO (RSSO) authentication.

ssl {exemption | setting}

The ssl command is divided into two configurable options: create and edit SSL exemption lists of domains, and configure SSL proxy settings.

exemption

Use this command to create lists of domains that are exempted from SSL inspection.

The following predefined exemptions, along with their domain addresses, are already available by default:

- Android update: *.client.google.com
- Apple Update 1: swscan.apple.com
- Apple Update 2: swquery.apple.com
- Apple Update 3: swdownload.apple.com
- Apple Update 4: swcdn.apple.com
- Microsoft Update 1: *.windowsupdate.microsoft.com
- Microsoft Update 2: update.microsoft.com
- Microsoft Update 3: windowsupdate.com
- Microsoft Update 4: *.download.windowsupdate.com
- Microsoft Update 5: download.microsoft.com
- Microsoft Update 6: test.stats.update.microsoft.com
- Microsoft Update 7: ntservicepack.microsoft.com
- Skype Message: msg.skype.com


address <domain>

Domain name address to be exempted from SSL inspection.

setting

Use this command to configure SSL proxy settings which can be applied to antivirus scanning, web filtering, spam filtering, DLP, and content archiving for HTTPS, IMAPS, POP3S, and SMTPS traffic. For more information, see profile-protocol-options.

proxy-connect-timeout <seconds>

Period of time in seconds before an internal connection is made to the appropriate proxy process. Set the value between 1-60 (or one second to one minute). The default is set to 30.

ssl-dh-bits {768 | 1024 | 1536 | 2048}

Size of the Diffie-Hellman prime used in DHE_RSA negotiation: 768-bit, 1024-bit (by default), 1536-bit, or 2048-bit DH prime.

ssl-send-empty-frags {enable | disable}

Enable (by default) or disable sending empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).

no-matching-cipher-action {bypass | drop}

Bypass (by default) or drop the connection when an unsupported cipher is being used by the server.

cert-cache-capacity <limit>

Capacity of the host certificate cache. Set the range between 0-500. The default is set to 200.

cert-cache-timeout <minutes>

Time limit in minutes to keep the certificate cache. Set the value between 1-120 (or one minute to two hours). The default is set to 10.

session-cache-capacity <limit>

Capacity of the SSL session cache. Set the value between 0-1000. The default is set to 500.

session-cache-timeout <minutes>

Time limit in minutes to keep SSL session state. Set the value between 1-60 (or one minute to one hour). The default is set to 20.

ssl-ssh-profile

Use this command to create and edit SSL deep inspection profiles for firewall policies. Deep inspection profiles determine how UTM functionality identifies secure content protocols such as HTTPS, FTPS, and SMTPS.


Client comforting options are controlled by the corresponding nonsecure protocol options in profile-protocol-options.

The following predefined profiles are already available by default:

- certificate-inspection
- deep-inspection

config https

Use this configuration method to configure SSL protocol options.

ports <port>

Ports to scan for HTTPS traffic. To enter multiple ports, separate each entry with a space. Set the value between 1-65535. The default is set to 443.

status {disable | certificate-inspection | deep-inspection}

Inspection method:

- disable: Inspection is disabled.
- certificate-inspection: Inspect SSL handshake only.
- deep-inspection: Full SSL inspection (set by default).

client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the SSL handshake: bypass (set by default), inspect, or block.

Note that SSL sessions using client certificates will bypass SSL inspection by default. This command offers the option to inspect or block that traffic.

unsupported-ssl {bypass | block}

Action to take by the SSL proxy for undecryptable SSL sessions: bypass (set by default) or block.

allow-invalid-server-cert {enable | disable}

Enable or disable (by default) allowing SSL sessions whose server certificate validation failed.

ssl-ca-list {enable | disable}

Enable or disable (by default) verification of SSL session server certificate against stored CA certificate list.

common-ssl-exemption {enable | disable}

Enable or disable (by default) common SSL exemption.

config ssl-exempt

Use this configuration method to configure servers that are exempt from SSL inspection.


The following predefined exemptions, along with their FortiGuard web category and category ID, are already available by default:

- 1: This entry has an assigned fortiguard-category of 31, corresponding to Finance and Banking.
- 2: This entry has an assigned fortiguard-category of 33, corresponding to Health and Wellness.
- 3: This entry has an assigned fortiguard-category of 87, corresponding to Personal Privacy.

These are the default web categories assigned when creating a new SSL Inspection Profile.

type {fortiguard-category | address | address6}

SSL exemption type:

- fortiguard-category: FortiGuard web categories (set by default).
- address4: IPv4 address.
- address6: IPv6 address.

fortiguard-category <id>

Note: This entry is only available when type is set to fortiguard-category.

Category ID that corresponds to a FortiGuard web category. To view the full list of categories, enter set fortiguard-category ?.

address <ipv4>

Note: This entry is only available when type is set to address.

IPv4 address to exempt.

address6 <ipv6>

Note: This entry is only available when type is set to address6.

IPv6 address to exempt.

config ssl-server

Use this configuration method to configure SSL server settings for use with secure protocols: HTTPS, SMTPS, POP3S, IMAPS, and FTPS.

SSL sessions that use client certificates bypass SSL inspection by default. The commands below offer the option to inspect or block that traffic per protocol.

ip <address>

IP address of the SSL server.

https-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the HTTPS client handshake: bypass (set by default), inspect, or block.


smtps-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the SMTPS client handshake: bypass (set by default), inspect, or block.

pop3s-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the POP3S client handshake: bypass (set by default), inspect, or block.

imaps-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the IMAPS client handshake: bypass (set by default), inspect, or block.

ftps-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the FTPS client handshake: bypass (set by default), inspect, or block.

ssl-other-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the client handshake for SSL protocols other than those listed above: bypass (set by default), inspect, or block.

comment <comment>

Optional comments.

server-cert-mode {re-sign | replace}

Either re-sign (set by default) or replace the server's certificate.

caname <name>

Name of a CA certificate used by SSL content scanning and inspection for establishing encrypted SSL sessions. The default is set to Fortinet_CA_SSLProxy.

certname <name>

Name of a server certificate used by SSL inspection. The default is set to Fortinet_SSLProxy.

ssl-invalid-server-cert-log {enable | disable}

Enable or disable (by default) logging of invalid SSL server certificates.


gui

Use config gui to configure the following GUI related options:

console

console

This command stores a base-64 encoded file that contains the configuration of the System > Dashboard > Status web-based manager page.

preferences <base64-file>

Base64-encoded file to upload containing the commands to set up the web-based manager CLI console on the FortiCache unit.


icap

Use config icap to configure the following Internet Content Adaptation Protocol (ICAP) related options:

profile
server

profile

Use this command to create and edit ICAP profiles that reference ICAP servers. To create and edit ICAP servers, see server.

replacemsg-group <name>

Name of a replacement message group to assign to this profile.

request {enable | disable}

Enable or disable (by default) sending HTTP requests to an ICAP server.

response {enable | disable}

Enable or disable (by default) sending HTTP responses to an ICAP server.

streaming-content-bypass {enable | disable}

Enable or disable (by default) bypassing the ICAP server for streaming content.

request-server <name>

Note: This entry is only available when request is set to enable.

Name of the ICAP server to use for HTTP requests.

request-failure {error | bypass}

Note: This entry is only available when request is set to enable.

Action to take if the ICAP server cannot be contacted when processing an HTTP request: error or bypass.

request-path <path>

Note: This entry is only available when request is set to enable.

Path component of the ICAP URI that identifies the HTTP request processing service.


response-server <name>

Note: This entry is only available when response is set to enable.

Name of the ICAP server to use for HTTP responses.

response-failure {error | bypass}

Note: This entry is only available when response is set to enable.

Action to take if the ICAP server cannot be contacted when processing an HTTP response: error or bypass.

response-path <path>

Note: This entry is only available when response is set to enable.

Path component of the ICAP URI that identifies the HTTP response processing service.

server

Use this command to create and edit the ICAP servers that ICAP profiles reference. To create and edit ICAP profiles, see profile.

ip-version {4 | 6}

Either IPv4 (by default) or IPv6 addressing.

ip-address <ipv4>

Note: This entry is only available when ip-version is set to 4.

ICAP server IPv4 address.

ip6-address <ipv6>

Note: This entry is only available when ip-version is set to 6.

ICAP server IPv6 address.

port <port>

ICAP server port number. Set the value between 1-65535. The default is set to 1344.

max-connections <limit>

Maximum permitted number of concurrent connections to the ICAP server. Set the value between 1-65535. The default is set to 100.


image-analyzer

Use config image-analyzer to configure the following image/content analysis related options:

profile

profile

Use this command to create and edit Content Analysis profiles for image analysis of adult content. Note that the default settings provide a good balance, but may require adjustment.

comment <comment>

Optional comments.

image-score-threshold <threshold>

Image score threshold. If an image scores higher than this threshold, the image is either passed or blocked, depending on what rating-err-action is set to (see below). Set the value between 0-10000. The default is set to 600.

Note that raising the threshold beyond the default value may increase the number of false positive results, where legitimate images may be blocked. Conversely, if the threshold is too low, explicit images may be allowed.

image-skip-size <kilobytes>

Image skip size in kilobytes. Images of this size or smaller are skipped by the image scan unit. Set the value between 1-2048. The default is set to 1.

Note that images that are too small are difficult to scan and are more likely to be rated incorrectly by the image scan engine.

image-rating-sensitivity <sensitivity>

Image rating sensitivity. Set the value between 0-100. The default is set to 75.

Note that raising the sensitivity beyond the default value may increase the number of false positive results, where legitimate images may be blocked. Conversely, if the sensitivity is too low, explicit images may be allowed.

rating-err-action {block | pass}

Action to take when an image exceeds the rating threshold: block or pass (by default) the image.

replace-image-action {no-resize | resize}

Action to take when a replacement image will be displayed in place of explicit images:


- no-resize: Leave the replacement image at its default size (set by default).
- resize: Resize the replacement image to match the size of the original image.

replace-image <image>

Specify the replacement image.


log

Use config log to configure the following logging related options:

custom-field
disk {filter | setting}
eventfilter
{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
gui-display
memory {filter | global-setting | setting}
setting
{syslogd | syslogd2 | syslogd3} {filter | setting}
webtrends

custom-field

Use this command to customize the log fields with a name and/or a value, which will appear in the log message.

name <name>

Name to identify the log. All alphanumeric characters and the underscore (_) symbol are permitted; no other special characters are allowed. The name cannot exceed 16 characters.

value <value>

Firewall policy number to associate a firewall policy with the logs.

disk {filter | setting}

The disk command is divided into two configurable options: create and edit the types of log messages sent to the disk log, and configure log settings for logging to the local disk.

filter

Use this command to define the types of log messages sent to the disk log.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Logging severity level:

- emergency: The system is unusable.
- alert: Immediate action is required.
- critical: Functionality is affected.


- error: Functionality is probably affected, due to a false condition.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about system operations (set by default).
- debug: Information used for diagnosing or debugging.

As shown, the order in which the levels appear corresponds to their severity in descending order. The FortiCache logs all messages at and above the severity level you select. For example, if you select error, the FortiCache logs error, critical, alert, and emergency level messages.

forward-traffic {enable | disable}

Enable (by default) or disable logging of forwarded traffic messages.

local-traffic {enable | disable}

Enable (by default) or disable logging of local-in or local-out traffic messages.

dlp-archive {enable | disable}

Enable (by default) or disable logging of DLP content archive events.

setting

Use this command to define log settings for logging to the local disk.

status {enable | disable}

Enable or disable (by default) logging to the local disk.

ips-archive {enable | disable}

Note: This entry is only available when status is set to enable.

Enable (by default) or disable IPS packet archive logs.

max-log-file-size <megabytes>

Note: This entry is only available when status is set to enable.

Maximum log file size in megabytes that is saved to the local disk. When this limit is reached, the FortiCache saves the current log file and starts a new active log file. Set the range between 1-1024. The default is set to 100.

storage <name>

Note: This entry is only available when status is set to enable.

Name for the storage log file.

max-policy-packet-capture-size <megabytes>

Maximum packet capture size for firewall policies in megabytes. The default is set to 10. Set to 0 for unlimited.


roll-schedule {daily | weekly}

Note: This entry is only available when status is set to enable.

Frequency of log rolling. The FortiCache rolls the log file on a daily (by default) or weekly basis, so long as the maximum size has not been reached.

roll-time <time>

Note: This entry is only available when status is set to enable.

Time of day that the FortiCache saves the current log file and starts a new active log file, in the format hh:mm. The default is set to 00:00.

diskfull {overwrite | nolog}

Note: This entry is only available when status is set to enable.

Action to take when the local disk is full:

- overwrite: Overwrite the oldest log (set by default).
- nolog: Stop logging.

log-quota <megabytes>

Disk space allocated for disk logging in megabytes. The default is set to 0.

dlp-archive-quota <megabytes>

Disk space allocated for DLP logs in megabytes. The default is set to 0.

maximum-log-age <days>

Maximum age for logs in days; logs older than this value are purged. The default is set to 7.

upload {enable | disable}

Note: This entry is only available when status is set to enable.

Enable or disable (by default) uploading files to a remote FTP directory. Once enabled, use the various upload-related entries below to configure information required to connect to the FTP server.

upload-destination {ftp-server}

Note: This entry is only available when upload is set to enable.

Upload destination; ftp-server (set by default) is the only available option.

uploadip <address>

Note: This entry is only available when upload is set to enable.

IP address of the FTP server.

uploadport <port>

Note: This entry is only available when upload is set to enable.


Port number used by the FTP server. The default is set to the standard FTP port, 21.

source-ip <address>

Note: This entry is only available when upload is set to enable.

Source IP address of the disk log uploading.

uploaduser <name>

Note: This entry is only available when upload is set to enable.

User account for uploading to the FTP server.

uploadpass <password>

Note: This entry is only available when upload is set to enable.

Password required to connect to the FTP server.

uploaddir <directory>

Note: This entry is only available when upload is set to enable.

Name of the path on the FTP server where the log files will be transferred to. If you do not specify a remote directory, the log files are uploaded to the root directory of the FTP server.

uploadtype {traffic | event | virus | ... }

Note: This entry is only available when upload is set to enable.

Log files to upload to the FTP server:

- traffic: Upload traffic log.
- event: Upload event log.
- virus: Upload anti-virus log.
- webfilter: Upload web filter log.
- IPS: Upload IPS log.
- spamfilter: Upload spam filter log.
- dlp-archive: Upload content log and archive.
- anomaly: Upload anomaly log.
- voip: Upload VoIP log.
- dlp: Upload DLP log.
- app-ctrl: Upload application control log.

uploadzip {enable | disable}

Note: This entry is only available when upload is set to enable.

Enable to compress the log files after uploading to the FTP server. If disabled (by default), the log files are uploaded to the FTP server in plain text format.

uploadsched {enable | disable}

Note: This entry is only available when upload is set to enable.


Enable to upload logs at a specific time of the day. If disabled (by default), the FortiCache uploads the logs when the logs are rolled. Once enabled, use the uploadtime entry to specify the time of day for logs to be uploaded.

uploadtime <hour>

Note: This entry is only available when upload is set to enable.

Time of day (hour only) when the FortiCache uploads the logs. Set the value between 0-23. The default is set to 0 (midnight).

upload-delete-files {enable | disable}

Note: This entry is only available when upload is set to enable.

Enable (by default) or disable the removal of log files once the FortiCache has uploaded them to the FTP server.

full-first-warning-threshold <percentage>

First warning as a percentage before reaching the traffic log threshold. Set the value between 1-98. The default is set to 75.

full-second-warning-threshold <percentage>

Second warning as a percentage before reaching the traffic log threshold. Set the value between 2-99. The default is set to 90.

full-final-warning-threshold <percentage>

Final warning as a percentage before reaching the traffic log threshold. Set the value between 3-100. The default is set to 95.

eventfilter

Use this command to configure event logging.

Note: The event entry must be enabled for all other entries in this command to be available.

event {enable | disable}

Enable (by default) or disable logging of event messages.

system {enable | disable}

Enable (by default) or disable logging of system activity messages.

user {enable | disable}

Enable (by default) or disable logging of user authentication and activity messages.


router {enable | disable}

Enable (by default) or disable logging of router activity messages.

wan-opt {enable | disable}

Enable (by default) or disable logging of WAN optimization messages.

endpoint {enable | disable}

Enable (by default) or disable logging of endpoint control messages.

ha {enable | disable}

Enable (by default) or disable logging of HA events.

{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting

Use these commands to configure the FortiCache to send log files to up to a maximum of three FortiAnalyzers for maximum failover protection of log data.

Note: The status entry must be enabled for all other entries in this command to be available.

status {enable | disable}

Enable or disable (by default) communication with the FortiAnalyzer.

ips-archive {enable | disable}

Enable (by default) or disable IPS packet archive.

server <address>

IP address of the FortiAnalyzer.

enc-algorithm {default | high | low | disable}

Encryption strength for communications between the FortiCache and FortiAnalyzer:

- default: SSL with high-strength algorithms and the following medium-strength 128-bit key length algorithms: RC4-SHA, RC4-MD5, and RC4-MD (set by default).
- high: SSL with 128-bit and the following larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, and AES128-SHA.
- low: SSL with the following 64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, and DES-CBC-MD5.
- disable: Disable the use of SSL.


localid <id>

Identifier up to a maximum of 64 characters. You must use the same identifier on both the FortiCache and the FortiAnalyzer.

conn-timeout <seconds>

Period of time in seconds before the FortiAnalyzer connection times out. The default is set to 10.

monitor-keepalive-period <seconds>

Period of time in seconds between OFTP keepalive transmissions. Set the range between 1-120. The default is set to 5.

monitor-failure-retry-period <seconds>

Period of time in seconds between connection retries. The default is set to 5.

source-ip <address>

Source IP address of the FortiAnalyzer.

upload-option {store-and-upload | realtime}

Method for how logs are uploaded to the FortiAnalyzer:

- store-and-upload: Log to hard disk, then upload on the schedule defined by the upload-interval, upload-day, and upload-time entries (see below).
- realtime: Send logs directly to the FortiAnalyzer (set by default).

Note that store-and-upload requires disk logging to be enabled.

upload-interval {daily | weekly | monthly}

Note: This entry is only available when upload-option is set to store-and-upload.

Frequency of log uploads, either on a daily (set by default), weekly, or monthly basis.

upload-day <days>

Note: This entry is only available when upload-option is set to store-and-upload.

Day of the week or month to upload logs:

- If upload-interval is set to weekly, enter the days of the week for log uploads (between monday-sunday).
- If upload-interval is set to monthly, enter the dates of the month for log uploads (between 1-31).

upload-time <time>

Note: This entry is only available when upload-option is set to store-and-upload.


Time of day for log uploads in the format hh:mm. The default is set to 00:59.

reliable {enable | disable}

Enable or disable (by default) logging to a syslog server using TCP, ensuring a more reliable connection setup and transmission of data.

gui-display

Use this command to configure how logs are displayed in the web-based manager.

resolve-hosts {enable | disable}

Enable (by default) or disable resolving IP addresses to hostnames using reverse DNS lookup.

resolve-apps {enable | disable}

Enable (by default) or disable resolving unknown applications using the remote application database.

fortiview-unscanned-apps {enable | disable}

Enable or disable (by default) inclusion of unscanned traffic in FortiView application charts.

fortiview-local-traffic {enable | disable}

Enable or disable (by default) inclusion of local-in traffic in FortiView realtime charts.

location {memory | disk | fortianalyzer | fortiguard}

Location from which to display logs: memory (by default), disk, FortiAnalyzer, or FortiGuard.

memory {filter | global-setting | setting}

The memory command is divided into three configurable options: configure log settings for logging to memory, logging threshold warnings, and other memory settings.

filter

Use this command to configure log settings for logging to memory.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Logging severity level:

- emergency: The system is unusable.
- alert: Immediate action is required.


- critical: Functionality is affected.
- error: Functionality is probably affected, due to a false condition.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about system operations (set by default).
- debug: Information used for diagnosing or debugging.

As shown, the order in which the levels appear corresponds to their severity in descending order. The FortiCache logs all messages at and above the severity level you select. For example, if you select error, the FortiCache logs error, critical, alert, and emergency level messages.

forward-traffic {enable | disable}

Enable (by default) or disable logging of forwarded traffic messages.

local-traffic {enable | disable}

Enable (by default) or disable logging of local-in or local-out traffic messages.

global-setting

Use this command to configure log threshold warnings and maximum buffer lines for the FortiCache's system memory.

max-size <bytes>

Maximum size of the memory buffer log in bytes. Set the value between 65536-2796189 (or 65kB to nearly 2.8MB). The default is set to 98304.

full-first-warning-threshold <percentage>

First warning as a percentage before reaching the traffic log threshold. Set the value between 1-98. The default is set to 75.

full-second-warning-threshold <percentage>

Second warning as a percentage before reaching the traffic log threshold. Set the value between 2-99. The default is set to 90.

full-final-warning-threshold <percentage>

Final warning as a percentage before reaching the traffic log threshold. Set the value between 3-100. The default is set to 95.

setting

Use this command to configure further log settings for logging to the FortiCache system memory.

The FortiCache's system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information.

After all available memory is used, by default, the FortiCache begins to overwrite the oldest messages. All log entries are deleted when the FortiCache restarts.


status {enable | disable}

Enable or disable (by default) logging to the FortiCache system memory.

diskfull <overwrite>

Action to take when the memory reaches its capacity; overwrite (set by default) is the only available option, whereby the FortiCache begins overwriting the oldest entries.
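As an added example that is not part of this reference or Fortinet's code, the following Python models a quota-limited log store with the full-first/second/final warning thresholds and the diskfull action. It covers both the disk setting entries (log-quota, diskfull overwrite | nolog) and the memory global-setting and setting entries (max-size, where overwrite is the only action). The quota, entry sizes and entry texts are constructed values; the threshold ranges are the ones the entries above state.

```python
# Added example (not from the FortiCache CLI Reference or Fortinet): a model of a
# log store governed by a quota, the full-first/second/final warning thresholds,
# and the diskfull action. It applies equally to the disk setting (log-quota,
# diskfull overwrite|nolog) and to memory global-setting (max-size, always overwrite).
from collections import deque


class QuotaLogStore:
    def __init__(self, quota, first=75, second=90, final=95, diskfull="overwrite"):
        # Ranges from the reference: first 1-98, second 2-99, final 3-100.
        # The warnings only make sense in ascending order, so that is enforced too.
        if not (1 <= first <= 98 and 2 <= second <= 99 and 3 <= final <= 100):
            raise ValueError("threshold outside its CLI range")
        if not first < second < final:
            raise ValueError("thresholds must be ordered first < second < final")
        if diskfull not in ("overwrite", "nolog"):
            raise ValueError("diskfull must be overwrite or nolog")
        self.quota = quota
        self.thresholds = (("first", first), ("second", second), ("final", final))
        self.diskfull = diskfull
        self.entries = deque()   # (size, text), oldest on the left
        self.used = 0
        self.dropped = 0

    def percent_used(self):
        return 100.0 * self.used / self.quota

    def warning(self):
        """Name of the highest warning threshold reached, or None."""
        reached = None
        for name, pct in self.thresholds:
            if self.percent_used() >= pct:
                reached = name
        return reached

    def write(self, size, text):
        """Store one entry; return True if kept, False if dropped (nolog when full)."""
        if size > self.quota:
            raise ValueError("entry larger than the whole quota")
        if self.used + size > self.quota:
            if self.diskfull == "nolog":
                self.dropped += 1
                return False
            # overwrite: discard the oldest entries until the new one fits
            while self.entries and self.used + size > self.quota:
                old_size, _ = self.entries.popleft()
                self.used -= old_size
        self.entries.append((size, text))
        self.used += size
        return True


def simulate(diskfull):
    """Fill a constructed 100 MB store; return (warnings seen, MB used, entries dropped)."""
    store = QuotaLogStore(quota=100, diskfull=diskfull)
    warnings = []
    for n, size in enumerate((30, 30, 30, 10, 25)):
        store.write(size, "constructed log entry %d" % n)
        warnings.append(store.warning())
    return warnings, store.used, store.dropped


if __name__ == "__main__":
    print("overwrite:", simulate("overwrite"))
    print("nolog:    ", simulate("nolog"))
```

The two runs differ only in the last write: with overwrite the oldest 30 MB entry is discarded to make room, while with nolog the new entry is lost and the store stays at 100% (the final warning). A collector that watches for the final warning and for the drop counter sees the difference between the two actions.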

setting

Use this command to configure general logging settings.

resolve-ip {enable | disable}

Enable or disable (by default) resolving IP addresses in the traffic log to domain names (where possible).

resolve-port {enable | disable}

Enable (by default) or disable resolving port numbers in the traffic log to service names (where possible).

log-user-in-upper {enable | disable}

Enable or disable (by default) logging the user name in upper case.

{fwpolicy-implicit-log | fwpolicy6-implicit-log} {enable | disable}

Enable or disable (by default) collecting the implicit IPv4 or IPv6 firewall policy log.

log-invalid-packet {enable | disable}

Enable or disable (by default) International Computer Security Association (ICSA) compliant logs.

Independent of traffic log settings, traffic log entries are generated:

- for all ICMP packets,
- for all dropped, invalid IP packets,
- and for session start and on session deletion.

This setting is not rate limited. Note that a large volume of invalid packets can dramatically increase the number of log entries, affecting overall performance.

local-in-allow {enable | disable}

Enable (by default) or disable collecting local-in policy accepted log.

local-in-deny-unicast {enable | disable}

Enable (by default) or disable collecting local-in policy dropped unicast log.


local-in-deny-broadcast {enable | disable}

Enable or disable (by default) collecting local-in policy dropped broadcast log.

local-out {enable | disable}

Enable (by default) or disable collecting local-out log.

daemon-log {enable | disable}

Enable or disable (by default) collecting daemon log.

neighbor-event {enable | disable}

Enable or disable (by default) collecting neighbor-event log (ARP and IPv6 neighbor discovery events).

brief-traffic-format {enable | disable}

Enable or disable (by default) using the brief format for the traffic log.

user-anonymize {enable | disable}

Enable or disable (by default) replacing the user name with “anonymous” in logs.

{syslogd | syslogd2 | syslogd3} {filter | setting}

Use these commands to configure the FortiCache to send log files to up to a maximum of three syslog servers. The syslogd commands are divided into two configurable options, to configure filters and log settings for logging to a remote syslog server.

filter

Use this command to configure log settings for logging to a syslog server.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Logging severity level:

- emergency: The system is unusable.
- alert: Immediate action is required.
- critical: Functionality is affected.
- error: Functionality is probably affected, due to a false condition.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about system operations (set by default).
- debug: Information used for diagnosing or debugging.


As shown, the order in which the levels appear corresponds to their severity in descending order. The FortiCache logs all messages at and above the severity level you select. For example, if you select error, the FortiCache logs error, critical, alert, and emergency level messages.

forward-traffic {enable | disable}

Enable (by default) or disable logging of forwarded traffic messages.

local-traffic {enable | disable}

Enable (by default) or disable logging of local-in or local-out traffic messages.

setting

Use this command to configure further log settings for logging to a remote syslog server.

Note: The status entry must be enabled for all other entries in this command to be available.

status {enable | disable}

Enable or disable (by default) logging to a remote syslog server.

server <address>

IP address of the syslog server. Note that the host names must comply with RFC 1035.

reliable {enable | disable}

Enable or disable (by default) reliable delivery of syslog messages to the syslog server. Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in the correct order.

For more information about reliable delivery for syslog, see RFC 3195.

port <port>

Port number for communication with the syslog server. The default is set to 514.

csv {enable | disable}

Enable or disable (by default) producing the log in Comma Separated Value (CSV) format. If disabled, the FortiCache produces plain text files.

facility {kernel | user | mail | ... }

Facility type. This value identifies the source of the log message to syslog. Changing the facility can help to distinguish log messages from different FortiCaches. Available facility types are shown below:

Facility types

kernel: Kernel messages
user: Random user-level messages
mail: Mail system
daemon: System daemons
auth: Security/authorization messages
syslog: Messages generated internally by syslog
lpr: Line printer subsystem
news: Network news subsystem
uucp: Network news subsystem
cron: Clock daemon
authpriv: Security/authorization messages (private)
ftp: FTP daemon
ntp: NTP daemon
audit: Log audit
alert: Log alert
clock: Clock daemon
local0 - local7: Reserved for local use

source-ip <address>

Source IP address for the syslog server.
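The facility chosen with set facility reaches the collector encoded in the syslog PRI field together with the message severity. The following Python, an added example that is not from this reference or from Fortinet, encodes and decodes that field using the facility names from the table above and the severity order from the filter command, and cross-checks the decoded severity against the level= field in the message body. The facility numbers are the standard syslog values (RFC 3164 / RFC 5424); the sample line is constructed, not captured from a device.

```python
# Added example (not from the FortiCache CLI Reference or Fortinet): encodes and decodes
# the syslog PRI field that carries the facility set with `set facility` together with
# the message severity, so a collector can verify what a FortiCache actually sends.
import re

# Standard syslog facility numbers (RFC 3164 / RFC 5424), keyed by the names used
# in the facility table of this reference.
FACILITY_CODES = {
    "kernel": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
}
FACILITY_CODES.update({"local%d" % i: 16 + i for i in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}

# Severity numbers 0-7 follow the order the filter commands list the levels.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI value = facility * 8 + severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(line):
    """Return (facility, severity, remainder) for a line starting with <PRI>."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a <PRI> field")
    value = int(m.group(1))
    if value > 191:
        raise ValueError("PRI %d out of range (max 23*8+7 = 191)" % value)
    facility_code, severity_code = divmod(value, 8)
    return FACILITY_NAMES[facility_code], SEVERITIES[severity_code], line[m.end():]


def level_matches_pri(line):
    """Cross-check: does the level=... key/value field agree with the PRI severity?"""
    _, severity, body = decode_pri(line)
    m = re.search(r"\blevel=(\w+)", body)
    return m is not None and m.group(1) == severity


# Constructed sample line (not captured from a device): facility local0, severity error.
SAMPLE_LINE = ('<131>date=2017-05-31 time=10:15:00 devname="forticache-1" '
               'type=event level=error msg="constructed sample event"')

if __name__ == "__main__":
    print(decode_pri(SAMPLE_LINE)[:2])     # ('local0', 'error')
    print(level_matches_pri(SAMPLE_LINE))  # True
```

Giving each FortiCache its own localN facility, as the entry above suggests, lets the collector route messages by PRI alone; the cross-check catches a device whose key/value level disagrees with the PRI severity, which otherwise silently breaks severity-based filtering on the collector.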

webtrends

The webtrends command is divided into two configurable options to configure log settings for logging to a remote computer running a NetIQ WebTrends firewall reporting server.

filter

Use this command to configure log settings for logging to WebTrends.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Logging severity level:

- emergency: The system is unusable.
- alert: Immediate action is required.
- critical: Functionality is affected.
- error: Functionality is probably affected, due to a false condition.
- warning: Functionality might be affected.
- notification: Information about normal events.
- information: General information about system operations (set by default).
- debug: Information used for diagnosing or debugging.

As shown, the order in which the levels appear corresponds to their severity in descending order. The FortiCache logs all messages at and above the severity level you select. For example, if you select error, the FortiCache logs error, critical, alert, and emergency level messages.
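The severity entry behaves the same way in the disk, memory, syslogd and webtrends filter commands. The following Python is an added example, not code from this reference or from Fortinet, that models that rule and applies it to a few constructed messages so the effect of each severity setting can be checked before it is applied to a device.

```python
# Added example (not from the FortiCache CLI Reference or Fortinet): models the
# severity filter shared by the disk, memory, syslogd and webtrends filter commands.
# Messages at the selected level and at every more severe level are kept.

# Levels in the order the reference lists them, most severe first.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
RANK = {name: index for index, name in enumerate(SEVERITIES)}


def levels_logged(selected):
    """Levels a filter with `set severity <selected>` lets through."""
    if selected not in RANK:
        raise ValueError("unknown severity level: %r" % selected)
    return SEVERITIES[:RANK[selected] + 1]


def passes_filter(level, selected):
    """True when a message at `level` is logged under a filter set to `selected`."""
    return RANK[level] <= RANK[selected]


# Constructed sample messages (level, text); they are not captured from a device.
SAMPLE_MESSAGES = [
    ("information", "administrator login accepted"),
    ("warning", "disk log at 75% of quota"),
    ("error", "FTP upload of rolled log file failed"),
    ("critical", "HA heartbeat lost"),
    ("debug", "OFTP keepalive sent"),
]


def apply_filter(messages, selected):
    """Return the texts of the messages a filter set to `selected` would log."""
    return [text for level, text in messages if passes_filter(level, selected)]


if __name__ == "__main__":
    print("severity error keeps:", levels_logged("error"))
    for text in apply_filter(SAMPLE_MESSAGES, "error"):
        print(" ", text)
```

The default, information, keeps everything except debug; raising the filter to error on a remote syslog destination discards the warning messages that the disk quota thresholds above emit, which is worth checking before relying on the collector to alert on them.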

forward-traffic {enable | disable}

Enable (by default) or disable logging of forwarded traffic messages.


local-traffic {enable | disable}

Enable (by default) or disable logging of local-in or local-out traffic messages.

setting

Use this command to configure further log settings for logging to WebTrends.

status {enable | disable}

Enable or disable (by default) logging to the WebTrends server.

server <address>

IP address of the WebTrends server.


router

Use config router to configure the following router related options:

static | static6

static | static6

Use these commands to create and edit static routes for both IPv4 and IPv6 traffic.

Note that all entries are available for both static and static6 commands except the following:

- weight
- blackhole
- dynamic-gateway

dst <address>

Destination address and network mask for this route.

gateway <address>

Note: This entry is only available when blackhole is set to disable.

Address of the next-hop router to which traffic is forwarded.

distance <distance>

Administrative distance for the route, which may influence route preference in the FortiCache routing table. Set the value between 1-255. The default is set to 10.

weight <weight>

Weight for the static route. More traffic is directed to routes with higher weight values. Set the value between 0-255. The default is set to 0.

priority <priority>

Note: This entry is only available when blackhole is set to disable.

Priority for the static route. The administrative priority value is used to resolve ties in route selection. Routes with a lower priority value are preferred. Set the value between 0-4294967295. The default is set to 0.

In the case where both routes have the same priority, such as equal cost multi-path (ECMP), the IP source hash (based on the pre-NATed IP address) for the routes is used to determine which route is selected.


device <name>

Note: This entry is only available when blackhole is set to disable.

Name of the FortiCache unit interface through which to route traffic. Enter set device ? to view the full list of interfaces.

comment <comment>

Optional comments.

blackhole {enable | disable}

Enable or disable (by default) dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols like any other static route.

dynamic-gateway {enable | disable}

Note: This entry is only available when blackhole is set to disable.

Enable or disable (by default) the dynamic-gateway feature. When enabled, dynamic-gateway hides the gateway variable for a dynamic interface, such as a DHCP or PPPoE interface. When the interface connects or disconnects, the corresponding routing entries are updated to reflect the change.
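As an added example that is neither from this reference nor from Fortinet, the following Python models the selection rules stated above for several static routes to the same destination: lowest distance wins, priority breaks ties, equal-cost survivors are split by a hash of the pre-NAT source address, and a blackhole route drops the packet. The CRC32 hash, the route set and the source addresses are assumptions chosen for illustration; weight and longest-prefix matching are outside the model.

```python
# Added example (not from the FortiCache CLI Reference or Fortinet): a simplified model
# of the route-selection rules described above for static routes to the same
# destination. Lower distance wins, then lower priority; an ECMP tie is broken by a
# hash of the pre-NAT source address; a blackhole route drops the packet. The hash
# function and the omission of weight are assumptions, not the vendor's algorithm.
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str
    gateway: str = ""
    device: str = ""
    distance: int = 10        # 1-255, default 10
    priority: int = 0         # 0-4294967295, default 0
    blackhole: bool = False

    def __post_init__(self):
        if not 1 <= self.distance <= 255:
            raise ValueError("distance must be 1-255")
        if not 0 <= self.priority <= 4294967295:
            raise ValueError("priority must be 0-4294967295")
        if not self.blackhole and not self.gateway:
            raise ValueError("a non-blackhole route needs a gateway")


def select_route(routes, pre_nat_src):
    """Pick the route used for a flow from `pre_nat_src`; None means the packet is dropped."""
    if not routes:
        return None
    best_distance = min(r.distance for r in routes)
    tier = [r for r in routes if r.distance == best_distance]
    best_priority = min(r.priority for r in tier)
    ecmp = [r for r in tier if r.priority == best_priority]
    if len(ecmp) > 1:
        # Same distance and priority: equal cost multi-path, chosen by source hash.
        # (assumed hash; what matters is that one source always maps to one route)
        index = zlib.crc32(pre_nat_src.encode()) % len(ecmp)
        chosen = ecmp[index]
    else:
        chosen = ecmp[0]
    return None if chosen.blackhole else chosen


# Constructed routes for 10.10.0.0/16: two equal-cost gateways and one backup.
ROUTES = [
    StaticRoute("10.10.0.0/16", gateway="198.51.100.1", device="port1"),
    StaticRoute("10.10.0.0/16", gateway="198.51.100.2", device="port2"),
    StaticRoute("10.10.0.0/16", gateway="203.0.113.1", device="port3", distance=20),
]

if __name__ == "__main__":
    for src in ("192.0.2.7", "192.0.2.8"):
        print(src, "->", select_route(ROUTES, src).gateway)
```

Because the tie-break keys on the pre-NAT source, adding a blackhole route with a lower distance than the working routes wins selection for every source, which is the intended way to sink traffic for a prefix; the model returns None for that case so the caller can log the drop.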


system

Use config system to configure the following system related options:

accprofile
admin
auto-install
autoupdate {push-update | schedule | tunneling}
console
custom-language
dns
dns-database
email-server
fortiguard
fsso-polling
global
ha
interface
ntp
object-tag
password-policy
replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy}
replacemsg-group
replacemsg-image
settings
snmp {community | sysinfo | user}
storage
wccp
zone

accprofile

Use this command to edit settings that can deny access, allow read-only access, or allow both read and write access to FortiCache features.

config fwgrp-permission

Note: This configuration method is only available when fwgrp is set to custom.

policy {none | read | read-write}

Level of administrator access to firewall policies. The default is set to none.


address {none | read | read-write}

Level of administrator access to firewall addresses. The default is set to none.

service {none | read | read-write}

Level of administrator access to firewall service definitions. The default is set to none.

schedule {none | read | read-write}

Level of administrator access to firewall schedules. The default is set to none.

others {none | read | read-write}

Level of administrator access to virtual IP configurations. The default is set to none.

loggrp-permission

Note: This configuration method is only available when loggrp is set to custom.

config {none | read | read-write}

Level of administrator access to the logging configuration. The default is set to none.

data-access {none | read | read-write}

Level of administrator access to the log data. The default is set to none.

report-access {none | read | read-write}

Level of administrator access to report data. The default is set to none.

threat-weight {none | read | read-write}

Level of administrator access to threat-weight data. The default is set to none.

config utmgrp-permission

Note: This configuration method is only available when utmgrp is set to custom.

antivirus {none | read | read-write}

Level of administrator access to antivirus configuration data. The default is set to none.

webfilter {none | read | read-write}

Level of administrator access to web filter data. The default is set to none.

data-loss-prevention {none | read | read-write}

Level of administrator access to DLP data. The default is set to none.


icap {none | read | read-write}

Level of administrator access to the Internet Content Adaptation Protocol (ICAP) configuration. The default is setto none.

image-analyzer {none | read | read-write}

Level of administrator access to content analysis data. The default is set to none.

scope {vdom | global}

Administrator access scope: a single VDOM (set by default) or Global.

comments <comment>

Optional comments.

mntgrp {none | read | read-write}

Level of administrator access to maintenance commands, including resetting to factory defaults, formatting the log disk, reboot, restore, and shut down. The default is set to none.

admingrp {none | read | read-write}

Level of administrator access to administrator accounts and access profiles. The default is set to none. Read-write access here lets the holder create or modify other administrator accounts and their profiles, so grant it only to profiles intended for full administrators.

updategrp {none | read | read-write}

Level of administrator access to FortiGuard antivirus and IPS updates (both manual and automatic). The default is set to none.

authgrp {none | read | read-write}

Level of administrator access to user authentication, including local users, RADIUS and LDAP servers, and user groups. The default is set to none.

sysgrp {none | read | read-write}

Level of administrator access to system configuration except accprofile, admin, and autoupdate. The default is set to none.

netgrp {none | read | read-write}

Level of administrator access to the network configuration, including interfaces, DHCP servers, and zones. The default is set to none.


loggrp {none | read | read-write | custom}

Level of administrator access to the log and report configuration, including log settings, viewing logs, and alert email settings. The default is set to none.

routegrp {none | read | read-write}

Level of administrator access to the router configuration. The default is set to none.

fwgrp {none | read | read-write | custom}

Level of administrator access to the firewall configuration. The default is set to none.

vpngrp {none | read | read-write}

Level of administrator access to the VPN configuration. The default is set to none.

utmgrp {none | read | read-write | custom}

Level of administrator access to the UTM configuration. The default is set to none.

wanoptgrp {none | read | read-write}

Level of administrator access to the WAN optimization configuration. The default is set to none.

admin

Use this command to create and edit administrator accounts.

remote-auth {enable | disable}

Enable or disable (by default) authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.

password <password>

Password for this administrator, up to a maximum of 64 characters.

peer-auth {enable | disable}

Enable or disable (by default) peer certificate authentication for HTTPS admin access.

{trusthost1 | trusthost2 | trusthost3 ... trusthost10} <address>

IPv4 address or subnet address and netmask from which the administrator can connect to the FortiCache.


If you want the administrator to be able to access the FortiCache from any address, set the trusted host to 0.0.0.0 and the netmask to 0.0.0.0. This removes the source-address restriction entirely, so it is better to list only the management subnets the administrator actually connects from.

{ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 ... ip6-trusthost10} <address>

IPv6 address or subnet address and prefix length from which the administrator can connect to the FortiCache.

If you want the administrator to be able to access the FortiCache from any IPv6 address, set the trusted host to ::/0.

accprofile <name>

Name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiCache features.

comments <comment>

Optional comments.

{ssh-public-key1 | ssh-public-key2 | ssh-public-key3} <key>

Public keys for up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

Enter the public keys in the format of:

<key-type> <key-value>

<key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key. <key-value> is the public key string of the SSH client. Prefer RSA keys: SSH DSA keys are fixed at 1024 bits and are no longer enabled by default in current OpenSSH releases.
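The key line can be checked before it is pasted into an ssh-public-keyN entry. The following Python script is an added example, not part of this reference or of any Fortinet tool: it decodes the base64 key value, confirms that the type string embedded in the blob matches the declared <key-type>, walks the fields that ssh-rsa and ssh-dss define, and derives the key size so that an ssh-dss key or a short RSA key can be rejected. The sample keys it builds are constructed for the format check only and are not usable RSA keys; the 2048-bit minimum is this example's policy, not a FortiCache requirement.

```python
"""Validate an OpenSSH public-key line of the form '<key-type> <key-value> [comment]'.

Added example for the FortiCache ssh-public-keyN entries; not Fortinet code.
"""
import base64
import struct

# Field layout of the public-key blob for the two key types the reference accepts.
_FIELDS = {"ssh-rsa": ("e", "n"), "ssh-dss": ("p", "q", "g", "y")}


def _read_string(blob, off):
    """Read one SSH 'string': a 4-byte big-endian length followed by that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_ssh_public_key(line):
    """Return (key_type, key_bits) for a valid line, or raise ValueError."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <key-value> [comment]'")
    key_type, b64 = parts[0], parts[1]
    if key_type not in _FIELDS:
        raise ValueError(f"FortiCache accepts ssh-rsa or ssh-dss, not {key_type}")
    blob = base64.b64decode(b64, validate=True)
    embedded, off = _read_string(blob, 0)
    if embedded != key_type.encode():  # the blob carries its own type string; both must agree
        raise ValueError(f"line says {key_type} but blob says {embedded!r}")
    fields = {}
    for name in _FIELDS[key_type]:
        fields[name], off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    # Key size is the bit length of the RSA modulus n or of the DSA prime p.
    size_field = fields["n"] if key_type == "ssh-rsa" else fields["p"]
    return key_type, int.from_bytes(size_field, "big").bit_length()


def acceptable(line, min_rsa_bits=2048):
    """Policy used by this example: RSA of at least min_rsa_bits; ssh-dss is never accepted."""
    key_type, bits = parse_ssh_public_key(line)
    return key_type == "ssh-rsa" and bits >= min_rsa_bits


def _mpint(value):
    """Encode a positive integer as an SSH mpint (extra leading zero byte if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def make_rsa_line(e, n, comment="test"):
    """Build an ssh-rsa line from e and n; used here only to construct sample input."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed samples: odd numbers of the right size, not real RSA moduli (format checks only).
SAMPLE_RSA_2048 = make_rsa_line(65537, (1 << 2047) | 0x10001)
SAMPLE_RSA_1024 = make_rsa_line(65537, (1 << 1023) | 0x10001)


if __name__ == "__main__":
    for line in (SAMPLE_RSA_2048, SAMPLE_RSA_1024):
        print(parse_ssh_public_key(line), acceptable(line))
```

Run it against a real id_rsa.pub line in place of the constructed samples; a line whose declared type and embedded type disagree, or whose blob is truncated, is rejected before it reaches the unit.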

ssh-certificate <certificate>

Certificate to use for PKI authentication of the administrator.

schedule <name>

Name of the schedule that restricts the times at which this administrator can log in (as defined in firewall schedule {group | onetime | recurring}).

guest-auth {enable | disable}

Enable or disable (by default) guest authentication.

auto-install

Use this command to configure automatic installation of firmware and system configuration from a USB disk when the FortiCache restarts. This command is only available for units that have a USB disk connection. Because anyone who can plug in a USB disk and reboot the unit could then load their own configuration or firmware, leave these options disabled except while an installation is actually planned.


If you set both configuration and firmware image update, both occur on the same reboot. The FortiCache will not reload a firmware or configuration file that is already loaded.

Third-party USB disks are supported, however the USB disk must be formatted as a FAT16 drive. No other partition type is supported.

auto-install-config {enable | disable}

Enable or disable (by default) automatic loading of the system configuration from a USB disk on the next reboot.

auto-install-image {enable | disable}

Enable or disable (by default) automatic installation of firmware from a USB disk on the next reboot.

default-config-file <filename>

Name of the configuration file on the USB disk. The default is set to fgt_system.conf.

default-image-file <filename>

Name of the image file on the USB disk. The default is set to image.out.

autoupdate {push-update | schedule | tunneling}

The autoupdate command is divided into three configurable options: configure push updates, schedule FortiGuard Distribution Network (FDN) updates, and configure the FortiCache to use a proxy server to connect to the FDN.

push-update

Use this command to configure push updates in order to provide the fastest possible response to critical situations such as software exploits or viruses. The FortiCache must be registered in order to receive push notifications.

When you configure the FortiCache to allow push updates, the FortiCache sends a SETUP message to the FDN. The next time an update is released, the FDN notifies all FortiCache units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiCache unit requests an update from the FDN.

You can also configure push IP addresses and port overrides. If the FDN must connect to the FortiCache through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update override configuration.

You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (e.g. PPPoE or DHCP).


status {enable | disable}

Enable or disable (by default) FDN push updates.

override {enable | disable}

Enable or disable (by default) the override of push updates. Set to enable if the FortiCache connects to the FDN through a NAT device.

address <address>

External IP address that the FDN connects to if you want to enable push override. This is the address of the external interface of your NAT device.

port <port>

Port number that the FDN connects to. Set the value between 0-65535. The default is set to 9443.

schedule

Use this command to schedule FDN updates at regular intervals throughout the day, once a day, or once a week.

status {enable | disable}

Enable (by default) or disable scheduled updates.

frequency {every | daily | weekly}

Frequency at which the FortiCache checks for updates:

- every: Check for updates periodically. Once set, use the time entry to set the hourly time interval to wait between updates.
- daily: Check for updates once a day. Once set, use the time entry to set the time of the day to check for updates.
- weekly: Check for updates once a week. Once set, use the day entry to set the day of the week, and use the time entry to set the time of the day you selected, to check for updates.

time <time>

Time of the scheduled update in the format hh:mm.

Both the hours and minutes can be entered within the usual ranges. In addition, minutes can be set to 60 to check at a random time within one hour, or to 240 to check at a random time within four hours. The default is set to 01:240.

tunneling

Use this command to configure the FortiCache to use a proxy server to connect to the FDN. You must enable tunneling, add the IP address and port, and add the user name and password (if authentication is required) to connect to the proxy server.

status {enable | disable}

Enable or disable (by default) tunneling.


address <address>

IP address or FQDN of the proxy server.

port <port>

Port number used to connect to the proxy server.

username <username>

Username used to connect to the proxy server.

password <password>

User's password used to connect to the proxy server.

console

Use this command to configure console command settings, including its mode, the number of lines the console can display, and the baud rate, the rate at which information is transferred in a communication channel (e.g. a baud rate of 9600 means the console is capable of transferring a maximum of 9,600 bps).

mode {batch | line}

Console mode: batch or line (set by default). This is only used for autotesting.

baudrate {9600 | 19200 | 38400 | 57600 | 115200}

Baud rate of the command console: 9,600 (set by default), 19,200, 38,400, 57,600, or 115,200 bps.

output {standard | more}

Console output style upon entering the show or get commands:

- standard: No pause.
- more: Pause after each screen is full, resuming on a keypress (set by default).

login {enable | disable}

Enable (by default) or disable logon via console.

fortiexplorer {enable | disable}

Enable (by default) or disable FortiExplorer access.

custom-language

Use this command to create and edit the display language by customizing the content of language files.


By default, the content of the predefined language options is provided by Fortinet. The following predefined language profiles are available for editing:

- GB2312: Simplified Chinese. Guojia Biaozhun (GB), or "national standard", is the registered character set of the People’s Republic of China used for Simplified Chinese characters.
- big5: Traditional Chinese. Big5, or Big-5, is a Chinese character encoding method used in Taiwan, Hong Kong, and Macau for Traditional Chinese characters.
- en: English.
- euc-kr: Korean. Extended Unix Code (EUC) is a family of character encodings used for Japanese, Korean, and Simplified Chinese; this option is the Korean variant.
- fr: French.
- pg: Portuguese.
- sp: Spanish.
- x-sjis: Japanese. Shift JIS (Shift Japanese Industrial Standards) is a Japanese character encoding method.

filename <filename>

Filename path, up to a maximum of 64 characters.

comments <comment>

Optional comments.

dns

Use this command to configure DNS server addresses, which are used for several FortiCache functions, including sending email alerts and URL blocking.

{primary | secondary} <address>

IPv4 primary and/or secondary DNS server IP address.

domain <name>

Optional local domain name.

{ip6-primary | ip6-secondary} <address>

IPv6 primary and/or secondary DNS server IP address.

dns-cache-limit <limit>

Maximum number of entries in the DNS cache. The default is set to 5000.


dns-cache-ttl <seconds>

Period of time in seconds that the DNS cache retains information. Set the value between 60-86400 (or one minute to one day). The default is set to 1800.

cache-notfound-responses {enable | disable}

Enable or disable (by default) caching NOTFOUND responses from the DNS server.

source-ip <address>

Source IP address for communication with the DNS server.

dns-database

Use this command to configure the FortiCache DNS database so that DNS lookups from an internal network are resolved by the DNS database. The database is managed by adding zones, with each zone assigned its own domain name and entries added with host names and IP addresses.

config dns-entry

Use this configuration method to determine the entry-type and other settings.

status {enable | disable}

Enable (by default) or disable the DNS entry.

type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}

DNS entry type:

- A: Host; an IPv4 address (set by default).
- NS: Name server.
- CNAME: Canonical name.
- MX: Mail exchange.
- AAAA: IPv6 host.
- PTR: Pointer.
- PTR_V6: IPv6 pointer.

ttl <seconds>

Optional entry-specific setting to override the zone's time-to-live value in seconds. Set to 0 (by default) to use the zone's ttl value.

preference

Note: This entry is only available when type is set to MX.

Preference level. Set the value between 0-65535 (0 is the highest preference).


ip <address>

Note: This entry is only available when type is set to either A or PTR.

IPv4 address of the host.

ipv6 <address>

Note: This entry is only available when type is set to either AAAA or PTR_V6.

IPv6 address of the host.

hostname <name>

Name of the host.

canonical-name <name>

Note: This entry is only available when type is set to CNAME.

Canonical name of the host.

status {enable | disable}

Enable (by default) or disable the DNS zone.

domain <name>

Domain name of the DNS zone, used when matching lookup DNS queries.

allow-transfer <address-list>

List of IP addresses allowed to request a zone transfer of this zone.

type {master | slave}

Zone type:

- master: Manages entries directly (set by default).
- slave: Imports entries from an outside source.

view {shadow | public}

Type of view for the zone:

- shadow: To service internal clients (set by default).
- public: To service public clients.

primary-name <name>

Domain name of the default DNS server for the zone. The default is set to dns.


contact <email>

Email address of the administrator for the zone. If the email address is in this zone, you may only enter the username portion of the email address. The default is set to hostmaster.

ttl <seconds>

Default time-to-live in seconds for the records in this zone. The default is set to 86400 (or one day).

authoritative {enable | disable}

Enable (by default) or disable declaring this zone as an authoritative zone.

forwarder <address-list>

IP address of the DNS zone forwarder.

source-ip <address>

Source IP address to use when forwarding to the DNS server.

email-server

Use this command to configure the FortiCache to access an SMTP server to send alert emails.

type {custom}

Email server type; custom (set by default) is the only available option.

reply-to <email>

Optional setting to specify the reply-to email address.

server <server>

Hostname or IP address of the SMTP server. If entering a hostname, use the format smtp.domain.com.

port <port>

Port number used to connect to the SMTP server. The default is set to the standard SMTP port, 25.

{source-ip | source-ip6} <address>

Source IPv4 or IPv6 address the FortiCache uses when connecting to the SMTP server.


authenticate {enable | disable}

Enable or disable (by default) SMTP authentication if the FortiCache is required to authenticate before using the SMTP server.

username <name>

Note: This entry is only available when authenticate is set to enable.

Username the FortiCache presents to the SMTP server when sending email alerts.

password <password>

Note: This entry is only available when authenticate is set to enable.

Password that the FortiCache needs to access the SMTP server.

security {none | starttls | smtps}

Security profile to use for email: none (set by default), STARTTLS, or SMTPS. With none, the SMTP session, including any credentials sent when authenticate is enabled, travels in clear text, so use starttls or smtps whenever the SMTP server supports it.

fortiguard

Use this command to configure communications with the FortiGuard Distribution Network (FDN) for FortiGuard subscription services, including:

- FortiGuard AntiVirus (AV) and IPS
- FortiGuard Web Filtering and Antispam
- FortiGuard Analysis and Management Service
- FortiGuard DNS-based web filtering

If the FortiCache is unable to connect to the FDN, verify connectivity on required ports. For a list of required ports, see the Fortinet Communication Ports and Protocols guide.

port {53 | 8888}

Port number used for rating queries to the FortiGuard Web Filtering or FortiGuard Antispam service. The default is set to 53.

load-balance-servers <servers>

Number of FortiGuard servers to connect to. Set the value between 1-266. The default is set to 1.

avquery-force-off {enable | disable}

Enable or disable (by default) forcing the FortiGuard AV query service off. When enabled, the FortiCache stops sending AV query lookups to the FDN.


avquery-cache {enable | disable}

Enable (by default) or disable caching of FortiGuard AV query results.

Enabling the cache can improve performance because the FortiCache does not need to access the FDN each time the same item is queried. When the cache is full, the oldest cache entry is replaced.

avquery-cache-ttl <seconds>

Period of time in seconds for AV cache entry time-to-live. Set the value between 300-86400 (or five minutes to one day). The default is set to 1800 (or 30 minutes).

When the TTL expires, the cache entry is removed, requiring the FortiCache to query the FDN the next time that item occurs in scanned traffic.

avquery-cache-mpercent <percentage>

Maximum percentage of memory to be used for FortiGuard AV query caching. Set the value between 1-15. The default is set to 2.

avquery-timeout <seconds>

Period of time in seconds for the FortiGuard AV service query timeout. Set the value between 1-30. The default is set to 7.

webfilter-force-off {enable | disable}

Enable or disable (by default) forcing the FortiGuard Web Filter service off. When enabled, the FortiCache stops sending web filtering rating queries to the FDN.

webfilter-cache {enable | disable}

Enable (by default) or disable caching of FortiGuard Web Filtering query results, including category ratings for URLs.

Enabling the cache can improve performance because the FortiCache does not need to access the FDN each time the same IP address or URL is requested. When the cache is full, the oldest cache entry is replaced.

webfilter-cache-ttl <seconds>

Period of time in seconds for Web Filtering cache entry time-to-live. Set the value between 300-86400 (or five minutes to one day). The default is set to 3600 (or one hour).

webfilter-timeout <seconds>

Period of time in seconds for the FortiGuard Web Filtering query timeout. Set the value between 1-30. The default is set to 15.


webfilter-sdns-server-ip <address>

IP address of the DNS server, used for DNS-based web filtering.

webfilter-sdns-server-port <port>

Port number of the DNS server, used for DNS-based web filtering. The default is set to 53.

source-ip <address>

Source IP address used to communicate with the FortiGuard servers.

ddns-server-ip <address>

IP address of the FortiDDNS service.

ddns-server-port <port>

Port number used for the FortiDDNS service. The default is set to 443.

fsso-polling

Use this command to configure Fortinet Single Sign-On (FSSO) polling server settings.

status {enable | disable}

Enable (by default) or disable FSSO polling mode.

listening-port <port>

Listening port to accept clients. Set the value between 1-65535. The default is set to 8000.

authentication {enable | disable}

Enable or disable (by default) FSSO agent authentication. When disabled, clients connecting to the listening port are not required to present a password.

auth-password <password>

Note: This entry is only available when authentication is set to enable.

Authentication password used to connect to the FSSO Agent.

global

Use this command to configure global settings that affect various FortiCache systems and configurations.


admin-concurrent {enable | disable}

Enable (by default) or disable concurrent administrator logins. When disabled, the same administrator user name can still be logged in more than once, but only from different IP addresses.

Use the policy-auth-concurrent entry below for firewall authenticated users.

admin-console-timeout <seconds>

Period of time in seconds for the console login timeout. Set the value between 15-300 (or 15 seconds to five minutes). The default is set to 0, which leaves the console login timeout disabled.

Note that when set, this timeout value overrides the value specified in the admintimeout entry below.

admin-https-pki-required {enable | disable}

Enable to require a valid client certificate for HTTPS administrative login when PKI authentication is in use; a password alone is then not accepted. When disabled (by default), an administrator can log in with either a valid certificate or a password.

admin-https-redirect {enable | disable}

Enable (by default) or disable redirection of HTTP administrative access to HTTPS.

admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}

Permitted versions of SSL/TLS:

- tlsv1-0: TLS 1.0.
- tlsv1-1: TLS 1.1 (set by default).
- tlsv1-2: TLS 1.2 (set by default).
- sslv3: SSLv3.

Leave sslv3 and tlsv1-0 out of the list unless a legacy client requires them; both have known weaknesses and are deprecated.

admin-lockout-duration <seconds>

Duration of time in seconds that an administrator account remains locked out after repeated failed login attempts. The default is set to 60 (or one minute).

Once set, use the admin-lockout-threshold entry below to set the number of failed attempts that will trigger the lockout.

admin-lockout-threshold <threshold>

Number of failed login attempts to trigger the administrative account lockout. The lockout lasts for the period set in the admin-lockout-duration entry above. Set the value between 1-10. The default is set to 3.


admin-login-max <max-admins>

Maximum number of administrators who can log in at the same time. Set the value between 1-100. The default is set to 100.

admin-maintainer {enable | disable}

Enable (by default) or disable the hidden "maintainer" user login, used for password recovery.

When enabled, the maintainer account can log in from the console after a hard reboot (power off followed by power on), using the password "bcpb" followed by the FortiCache unit's serial number (e.g. bcpbFCH1AB2C34567890). Note that you have a limited time to complete this login.

Because the serial number is printed on the unit, anyone with physical console access can use this login while it is enabled. Disable it where physical access to the unit is not controlled, and accept that a lost administrator password can then no longer be recovered this way.

admin-port <port>

Port number used for HTTP administrative access. Set the value between 1-65535. The default is set to 80.

admin-scp {enable | disable}

Enable or disable (by default) allowing the system configuration to be downloaded by the Secure Copy Protocol (SCP). The configuration file includes stored credentials, so enable this only when it is needed.

admin-server-cert <certificate>

Administrator HTTPS server certificate to use. The default is set to self-sign.

admin-sport <port>

Port number used for HTTPS administrative access. Set the value between 1-65535. The default is set to 443.

admin-ssh-grace-time <seconds>

Maximum period of time in seconds permitted between making an SSH connection to the FortiCache and successfully authenticating. Set the value between 10-3600 (or ten seconds to one hour). The default is set to 120 (or two minutes).

admin-ssh-port <port>

Port number used for SSH administrative access. Set the value between 1-65535. The default is set to 22.

admin-ssh-v1 {enable | disable}

Enable or disable (by default) compatibility with SSH v1.0. SSH protocol 1 has known cryptographic weaknesses; leave this disabled.

admin-telnet-port <port>

Port number used for telnet administrative access. Set the value between 1-65535. The default is set to 23. Telnet carries administrator credentials in clear text; prefer SSH or HTTPS for administrative access.


admintimeout <minutes>

Period of time in minutes before an idle administrator times out. Set the value between 1-480 (or one minute to eight hours). The default is set to 480.

For improved security, keep the idle timeout at a lower value.
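The admin entries (trusthost, accprofile), the accprofile entries (admingrp and the nested fwgrp-permission table) and the system global admin-* entries together decide who can reach the management plane and with what rights. The following Python script is an added example, not part of this reference or of any Fortinet tool: it parses a configuration dump written in the config/edit/set/next/end syntax and reports values that weaken administrative access, taking any setting the dump omits at the default this reference states. The configuration embedded in it is a constructed sample, and treating an account with no trusthost lines as reachable from anywhere is an assumption of the script, not a statement of this reference.

```python
"""Audit a FortiCache config dump for weak admin settings (added example, not Fortinet code)."""
import ipaddress
import shlex
WEAK_TLS = {"sslv3", "tlsv1-0"}  # versions no administrative interface should offer

# Constructed sample, not taken from a real unit; names and values are made up.
SAMPLE_CONFIG = """\
config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2 sslv3
    set admin-ssh-v1 enable
    set admintimeout 480
end
config system accprofile
    edit "readonly"
        set sysgrp read
    next
    edit "helpdesk"
        set admingrp read-write
        set fwgrp custom
        config fwgrp-permission
            set policy read
        end
    next
end
config system admin
    edit "noc"
        set accprofile "readonly"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "svc-helpdesk"
        set accprofile "helpdesk"
        set trusthost1 10.0.10.0 255.255.255.0
    next
end
"""


def parse_config(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}.
    Table-level sets go under entry ""; a block nested in an entry is keyed "table/entry/sub"."""
    tables = {}
    stack = []  # one (table_path, current_entry_or_None) per open config block
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            path = " ".join(args)
            if stack and stack[-1][1] is not None:
                path = f"{stack[-1][0]}/{stack[-1][1]}/{path}"
            tables.setdefault(path, {})
            stack.append((path, None))
        elif kw == "edit":
            tables[stack[-1][0]].setdefault(args[0], {})
            stack[-1] = (stack[-1][0], args[0])
        elif kw == "set":
            path, entry = stack[-1]
            tables[path].setdefault("" if entry is None else entry, {})[args[0]] = args[1:]
        elif kw == "next":
            stack[-1] = (stack[-1][0], None)
        elif kw == "end":
            stack.pop()
    return tables


def unrestricted_hosts(acct):
    """True if any trusthostN / ip6-trusthostN entry admits every source address.
    Assumption of this example: an account with no trusthost lines is also unrestricted."""
    hosts = [v for k, v in acct.items() if k.startswith(("trusthost", "ip6-trusthost"))]
    # IPv4 entries are 'address netmask', IPv6 entries 'prefix/len'; both parse as networks.
    return not hosts or any(
        ipaddress.ip_network("/".join(v), strict=False).prefixlen == 0 for v in hosts)


def audit(tables):
    """Return findings; values the dump omits are taken at the defaults this reference states."""
    findings = []
    g = tables.get("system global", {}).get("", {})
    weak = WEAK_TLS & set(g.get("admin-https-ssl-versions", []))
    if weak:
        findings.append(f"global: admin-https-ssl-versions offers {sorted(weak)}")
    if g.get("admin-ssh-v1", ["disable"])[0] == "enable":
        findings.append("global: admin-ssh-v1 enabled (SSH protocol 1 is broken)")
    if g.get("admin-maintainer", ["enable"])[0] == "enable":
        findings.append("global: admin-maintainer enabled (serial-number console recovery login)")
    timeout = int(g.get("admintimeout", ["480"])[0])
    if timeout > 30:
        findings.append(f"global: admintimeout {timeout} min exceeds 30")
    profiles = tables.get("system accprofile", {})
    for name, acct in tables.get("system admin", {}).items():
        if unrestricted_hosts(acct):
            findings.append(f"admin {name}: reachable from any address")
        prof = acct.get("accprofile", [""])[0]
        if profiles.get(prof, {}).get("admingrp", ["none"])[0] == "read-write":
            findings.append(f"admin {name}: profile {prof} grants admingrp read-write")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the text of a backed-up configuration file instead of SAMPLE_CONFIG. Settings absent from the dump are assumed to be at their documented defaults, which is why admin-maintainer is reported for the sample even though the sample never sets it, and why the 30-minute admintimeout threshold (this example's choice) flags the documented default of 480.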

arp-max-entry <limit>

Maximum number of dynamically learned MAC addresses that can be added to the ARP table. Set the value between 131072-2147483647. The default is set to 131072. If set to 0, the kernel holds the default number of entries.

auth-cert <certificate>

HTTPS server certificate to use for policy authentication. The default is set to self-sign.

auth-http-port <port>

Port number used for HTTP authentication. Set the value between 1-65535. The default is set to 1000.

auth-https-port <port>

Port number used for HTTPS authentication. Set the value between 1-65535. The default is set to 1003.

auth-keepalive {enable | disable}

Enable or disable (by default) extending the authentication time of a session through periodic traffic, to prevent an idle timeout.

batch-cmdb {enable | disable}

Enable (by default) or disable batch mode, used to enter a series of commands and execute them as a group once they are loaded.

cert-chain-max <limit>

Maximum depth for a certificate chain. The default is set to 8.

cfg-revert-timeout <seconds>

Note: This entry is only available when cfg-save is set to revert.

Period of time in seconds before an idle timeout occurs and the FortiCache reverts back to the last saved configuration. The default is set to 600 (or ten minutes).

cfg-save {automatic | manual | revert}

Method for saving the FortiCache system configuration and entering runtime-only configuration mode:


- automatic: Automatically save the configuration after every change (set by default).
- manual: Manually save the configuration by entering the execute cfg save command.
- revert: Manually save the current configuration and then revert to the saved configuration after cfg-revert-timeout expires.

clt-cert-req {enable | disable}

Enable or disable (by default) requiring a client certificate before an administrator logs on to the web-based manager using HTTPS.

conntrack <limit>

Maximum number of entries in the connection tracking (conntrack) table, which stores information about all connections to and from the FortiCache, such as source and destination IP address and port number pairs (socket pairs), protocol types, connection state, and timeouts. Set the value between 60000-5000000. The default is set to 1600000.

csr-ca-attribute {enable | disable}

Enable (by default) or disable using the CA attribute in your certificate. Note that some CA servers reject CSRs that have the CA attribute.

daily-restart {enable | disable}

Enable or disable (by default) restarting the FortiCache every day. Once enabled, use the restart-time entry to specify the time of the restart.

dst {enable | disable}

Enable (by default) or disable daylight saving time. When enabled, the FortiCache automatically adjusts the system time between daylight saving time and standard time.

explicit-prox
y-auth-timeout <seconds>

Period of time in seconds before idle explicit web proxy sessions time out. Set the value between 1-600 (or one second to ten minutes). The default is set to 300 (or five minutes).

fds-statistics {enable | disable}

Enable (by default) or disable AV/IPS signature reporting.

fds-statistics-period <minutes>

Period of time in minutes to be covered in the FDS report. Set the value between 1-1440 (or one minute to one day). The default is set to 60 (or one hour).


fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}

Kinds of alerts to receive from FortiGuard:

- advisory: FortiGuard advisories; reports and new alerts (set by default).
- latest-threat: Latest FortiGuard threat alerts (set by default).
- latest-virus: Latest FortiGuard virus alerts.
- latest-attack: Latest FortiGuard attack alerts.
- new-antivirus-db: FortiGuard AV database release alerts.
- new-attack-db: FortiGuard IPS database release alerts.

gui-antivirus {enable | disable | flow-only}

Enable (by default) or disable AntiVirus profiles in the web-based manager, or only show them while in Flow mode.

gui-certificates {enable | disable}

Enable (by default) or disable certificate configuration in the web-based manager.

gui-custom-language {enable | disable}

Enable or disable (by default) custom language configuration in the web-based manager.

gui-dlp {enable | disable}

Enable (by default) or disable Data Leak Prevention (DLP) in the web-based manager.

gui-dns-database {enable | disable}

Enable (by default) or disable the DNS database menu in the web-based manager.

gui-explicit-proxy {enable | disable}

Enable (by default) or disable Explicit Proxy options in the web-based manager.

gui-icap {enable | disable}

Enable (by default) or disable ICAP configuration options in the web-based manager.

gui-implicit-policy {enable | disable}

Enable (by default) or disable implicit firewall policy configuration options in the web-based manager.

gui-lines-per-page <lines>

Number of lines displayed on table lists per page. Set the value between 20-1000. The default is set to 50.


gui-multiple-utm-profiles {enable | disable}

Enable (by default) or disable the display of UTM profiles in the web-based manager.

gui-replacement-message-groups {enable | disable}

Enable or disable (by default) the Replacement Message Groups feature in the web-based manager.

gui-utm-monitors {enable | disable}

Enable or disable (by default) UTM monitors in the web-based manager.

gui-wan-load-balancing {enable | disable}

Enable (by default) or disable the WAN load-balancing feature in the web-based manager.

gui-wanopt-cache {enable | disable}

Enable (by default) or disable the WAN optimization configuration options in the web-based manager.

gui-webfilter {enable | disable | flow-based}

Enable (by default) or disable Web Filter profiles in the web-based manager, or only show them while in Flow mode.

gui-webfilter-advanced {enable | disable}

Enable or disable (by default) advanced Web Filter configuration options in the web-based manager.

hostname <name>

Name to identify the FortiCache. It may only consist of letters, numbers, hyphens, and underscores; no spaces are allowed. The default is set to the FortiCache's unique serial number.

A hostname longer than 24 characters is shown truncated: the first N-3 characters, then a ~ truncation character, then the trailing three characters. This shortened hostname is displayed in the CLI and anywhere else the hostname is used. Some models support hostnames of up to 35 characters.

http-obfuscate {none | modified | header-only | no-error}

Level at which the identity of the FortiCache web server is hidden/obfuscated in the browser address field, including URLs provided via SSL VPN bookmarks (web mode only):

- none: Web server's identity is not hidden.
- modified: Modified error responses are provided (set by default).
- header-only: HTTP server banner is hidden.
- no-error: Suppresses error responses.

http-view {enable | disable}

Enable or disable (by default) logging and display of HTTP/S cache traffic.

ip-src-port-range <range>

IP source port range used for traffic originating from the FortiCache. Set the lower and upper range limits between 1-65535 inclusive, with a hyphen separating the lowest and highest values. The default is set to 1024-25000.

ipv6-accept-dad {0 | 1 | 2}

IPv6 Duplicate Address Detection (DAD) operation:

- 0: Disable DAD.
- 1: Enable DAD (set by default).
- 2: Enable DAD and disable IPv6 operation if a MAC-based duplicate link-local address has been found.

language {english | french | spanish | portuguese | japanese | trach | simch | korean}

Display language used in the web-based manager: English (set by default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean.

ldapconntimeout <milliseconds>

LDAP connection timeout in milliseconds. Set the value between 0-4294967295 (or no timeout to just under 50 days). The default is set to 500 (or half a second).

login-timestamp {enable | disable}

Enable or disable (by default) logging of login timestamps.

max-dlpstat-memory <percentage>

Memory limit as a percentage for the DLP stat daemon. Set the value between 1-15. The default is set to 5.

miglogd-children <processes>

Maximum number of miglogd (the logging daemon) child processes to run at a time. Set the value between 0-15. The default is set to 0.

ndp-max-entry <limit>

Maximum number of Neighbor Discovery Protocol (NDP) table entries. Set the value to 65536 or higher. The default is set to 0, whereby the kernel holds 65,536 entries.

policy-auth-concurrent <max-users>

Maximum limit of concurrent logins for the same user. Set the value between 0-100. The default is set to 0.

Use the admin-concurrent entry above for admin accounts.

post-login-banner {enable | disable}

Enable or disable (by default) the display of the administrator access disclaimer message after successful logon.

To set the disclaimer message, see admin {post_admin-disclaimer-text | pre_admin-disclaimer-text}.

pre-login-banner {enable | disable}

Enable or disable (by default) the display of the administrator access disclaimer message prior to logon.

To set the disclaimer message, see admin {post_admin-disclaimer-text | pre_admin-disclaimer-text}.

radius-port <port>

Port number for RADIUS traffic. Set the value between 1-65535. The default is set to the standard RADIUS port, 1812.

refresh <seconds>

Interval of time in seconds for the System Status Monitor to automatically refresh. The default is set to 0.

registration-notification {enable | disable}

Enable (by default) or disable displaying the registration notification in the web-based manager if the FortiCache is not registered.

remoteauthtimeout <seconds>

Period of time in seconds that the FortiCache waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. Set the value between 0-300 (or no timeout to five minutes). The default is set to 5.

Note that, to improve security, it is recommended to keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops, or several RADIUS requests are made, the default timeout may not be long enough to receive a response.

restart-time <time>

Note: This entry is only available when daily-restart is set to enable.

Time of day that the FortiCache carries out its daily restart, in the format hh:mm. The default is set to 00:00.

scanunit-count <scans>

Number of scanunit processes the FortiCache runs. The range and default value depend on the model; a FortiCache 1000D, for example, can be set between 1-4, with the default set to 3. This command is recommended for advanced users.

service-expire-notification {enable | disable}

Enable (by default) or disable displaying a notification in the web-based manager 30 days before the FortiCache's support contract expires.

session-timeout <seconds>

Period of time in seconds for a session timeout. Set the value between 600-432000 (or ten minutes to five days). The default is set to 3600 (or one hour).

special-file-23-support {enable | disable}

Enable or disable (by default) IPS detection of Hibun format files in DLP. Hibun formatted files are specially encrypted corporate data designed to protect against unauthorized access.

ssh-cbc-cipher {enable | disable}

Note: This entry is only available when strong-crypto is set to disable.

Enable (by default) or disable the use of CBC ciphers for SSH access.

ssh-hmac-md5 {enable | disable}

Note: This entry is only available when strong-crypto is set to disable.

Enable (by default) or disable the use of HMAC-MD5 for SSH access.

strong-crypto {enable | disable}

Enable or disable (by default) the use of strong encryption (i.e. only allow strong ciphers, such as AES, TLS, and 3DES, and digests such as SHA1) for HTTPS/SSH administrator access.

sys-perf-log-interval <minutes>

Period of time in minutes before performance statistics logging occurs. Set the value between 0-15, where 0 disables the option. The default is set to 5.

tcp-option {enable | disable}

Enable (by default) or disable the SACK, timestamp, and MSS TCP options. Disable only for performance testing, or in rare cases where it impairs performance.

timezone {00 | 01 | 02 | ... }

Number corresponding to one of 86 available timezones; many options have the same numerical offset over or under GMT, but are specific to certain cities or regions. The default is set to 04, or (GMT-8:00) Pacific Time (US & Canada).

To see the full list of available timezones, enter set timezone ?.

traffic-priority {tos | dscp}

Either type of service (TOS; set by default) or differentiated services code point (DSCP) for traffic prioritization.

traffic-priority-level {low | medium | high}

Level of priority for traffic prioritization, determining the priority of traffic for scheduling, typically set on a per-service-type level: low, medium (set by default), or high.

user-server-cert <certificate>

Name of a certificate used for HTTPS user authentication. The default is set to self-sign.

wad-csvc-cs-count <max-processes>

Maximum number of concurrent WAD-cache-service object-cache processes. The range and default value depend on the model; a FortiCache 1000D, for example, can only be set to 1.

wad-csvc-db-count <max-processes>

Maximum number of concurrent WAD-cache-service byte-cache processes. The range and default value depend on the model; a FortiCache 1000D, for example, can be set between 1-4, with the default set to 1.

wad-worker-count <max-workers>

Maximum number of concurrent explicit proxy WAD workers. The range and default value depend on the model; a FortiCache 1000D, for example, can be set between 1-4, with the default set to 2.

ha

Use this command to configure high availability (HA) and virtual clustering.

group-id <id>

HA group ID. Set the value between 0-255. The default is set to 0.

Changing the group ID changes the cluster virtual MAC address. Note that all members of the HA cluster must have the same group ID.

group-name <name>

HA group name, up to a maximum of 32 characters.

This entry can be unset if mode is set to standard. Note that all members of the HA cluster must have the same group name.

mode {standalone | a-a}

HA mode:

- standalone: Disable HA (set by default).
- a-a: Create an Active-Active cluster.

password <password>

Password for the HA cluster, up to a maximum of 15 characters. The password must be the same for all cluster units.

hbdev <heartbeat>

Heartbeat interfaces and their heartbeat priorities. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic.

By default two interfaces are configured to be heartbeat interfaces and the priority for both of these interfaces is set to 50. Set the heartbeat interface priority value between 0-512. The default is set to "port4" 50 "port3" 50.

sync-config {enable | disable}

Enable (by default) or disable automatic synchronization of primary unit configuration changes to all cluster units.

encryption {enable | disable}

Enable or disable (by default) HA heartbeat message encryption, using AES-128 for encryption and SHA1 for authentication.

authentication {enable | disable}

Enable or disable (by default) HA heartbeat message authentication using SHA1.

hb-interval <milliseconds>

Heartbeat interval between sending heartbeat packets, in units of 100 milliseconds. Set the value between 1-20; for example, an hb-interval of 2 (set by default) means a heartbeat packet is sent every 200 milliseconds.

hb-lost-threshold <threshold>

Lost heartbeat threshold (i.e. the number of consecutive heartbeat packets that are not received from another cluster unit) before assuming that the cluster unit has failed. Set the value between 1-60. The default is set to 6.

helo-holddown <seconds>

Hello state hold-down time in seconds that a cluster unit waits before changing from a hello state to a work state. Set the value between 5-300 (or five seconds to five minutes). The default is set to 20.

uninterruptible-upgrade {enable | disable}

Enable (by default) or disable upgrading the cluster without interrupting cluster traffic processing.

When enabled, traffic processing is not interrupted during a normal firmware upgrade. This process can, however, take some time and may reduce the capacity of the cluster for a short time.

When disabled, traffic processing is interrupted as expected during a normal firmware upgrade.

override {enable | disable}

Enable or disable (by default) forcing the cluster to renegotiate and select a new primary unit every time a cluster unit leaves or joins a cluster, changes status within a cluster, or every time the HA configuration of a cluster unit changes.

priority <priority>

Device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the cluster unit with the highest device priority becomes the primary unit. Set the value between 0-255. The default is set to 128.

interface

Use this command to create and edit physical interfaces and configure IPv6 address settings.

An interface's IPv6 address can be included in a Multicast Listener Discovery (MLD) report. By default, the FortiCache includes no addresses in the MLD report. For more information, see the ip6-send-adv entry below.

config secondaryip

Note: This configuration method is only available when secondary-IP is set to enable.

Use this configuration method to configure a secondary IP for this interface.

ip <address>

Interface's secondary IP address and netmask.

allowaccess {ping | https | ssh | snmp | http | telnet | radius-acct | fgfm}

Management access types permitted on this interface. To enter multiple types, separate each entry with a space: PING, HTTPS, SSH, SNMP, HTTP, TELNET, RADIUS Accounting, and/or FortiManager management access.

config ipv6

Use this configuration method to configure various IPv6 settings.

config ip6-extra-addr

Use this configuration method to configure extra IPv6 address prefixes of the interface.

ip6-mode {static | dhcp}

Either static (set by default) or DHCP-assigned address for this interface in IPv6 operation.

ip6-address <address>

Interface IPv6 address and netmask.

ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}

Management access types permitted on this IPv6 interface. To enter multiple types, separate each entry with a space: PING, HTTPS, SSH, SNMP, HTTP, TELNET, FortiManager management, and/or CAPWAP access.

ip6-send-adv {enable | disable}

Enable or disable (by default) the flag indicating whether or not to send periodic router advertisements and to respond to router solicitations.

When enabled, this interface's address will be added to the all-routers group (FF02::02) and be included in an MLD report. If no interfaces on the FortiCache have ip6-send-adv enabled, the FortiCache will only listen to the all-hosts group (FF02::01), which is explicitly excluded from MLD reports (according to section 5 of RFC 2710).

ip6-reachable-time <milliseconds>

Period of time in milliseconds to be added to the Reachable Time field in the router advertisements. Set the value between 0-3600000 (or no time to one hour). The default is set to 0.

ip6-retrans-time <milliseconds>

Period of time in milliseconds to be added to the Retrans Timer field in the router advertisements. The default is set to 0.

ip6-hop-limit <limit>

Hop limit to be added to the Cur Hop Limit field in the router advertisements sent out this interface. The default is set to 0.

autoconf {enable | disable}

Enable or disable (by default) automatic configuration of the IPv6 address.

vdom {root}

Note: This entry is only available when creating a new interface entry.

VDOM for this interface; root (set by default) is the only available option, as FortiCache doesn't support multiple VDOMs.

mode {static}

Connection mode for this interface; static (set by default), a static IP address for the interface, is the only available option.

ip <address>

IP address and netmask for the interface. The IP address cannot be on the same subnet as any other FortiCache interface.

allowaccess {ping | https | ssh | snmp | http | telnet | radius-acct | fgfm}

Management access types permitted on this interface. To enter multiple types, separate each entry with a space: PING, HTTPS, SSH, SNMP, HTTP, TELNET, RADIUS Accounting, and/or FortiManager management access.

macaddr <address>

Note: This entry is only available when editing a preexisting physical interface.

MAC address of this interface, in the format xx:xx:xx:xx:xx:xx.

speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto}

Note: This entry is only available when editing a preexisting physical interface.

Interface speed in megabits per second, depending on your FortiCache model; a FortiCache 1000D, for example, has the following available speeds:

- auto: Automatically adjusts speed accordingly.
- 10full: 10 Mbps, full duplex.
- 10half: 10 Mbps, half duplex.
- 100full: 100 Mbps, full duplex.
- 100half: 100 Mbps, half duplex.
- 1000full: 1000 Mbps, full duplex.
- 1000half: 1000 Mbps, half duplex.
- 1000auto: 1000 Mbps, auto adjust.

status {up | down}

Start (up; set by default) or stop the interface. If down, the interface stops accepting or sending packets.

type {aggregate | redundant | loopback | physical}

Note: The physical option for this entry is only available when editing a preexisting physical interface; in addition, when editing a preexisting interface, physical is the only available option.

Interface type.

Note that, when type is set to loopback, the only other available entries are as follows: ip, allowaccess, status, type, explicit-web-proxy, description, alias, snmp-index, and secondary-IP.

dedicated-to {none | management}

Note: This entry is only available when editing a preexisting physical interface that is not already in use.

Determine whether this port is dedicated to unit management or not. The default is set to none.

mtu-override {enable | disable}

Note: This entry is only available when editing a preexisting physical interface, or when type is set to aggregate or redundant.

Enable or disable (by default) configuring a custom maximum transmission unit (MTU) size.

mtu <bytes>

Note: This entry is only available when mtu-override is set to enable.

Custom MTU size in bytes. Ideally, this value should be set to the smallest MTU of all the networks between the FortiCache and the packet destination.

wccp {enable | disable}

Enable or disable (by default) Web Cache Communication Protocol (WCCP) on this interface.

explicit-web-proxy {enable | disable}

Enable or disable (by default) explicit Web proxy on this interface.

weight <weight>

Default weight for static routes on this interface. Set the value between 0-255. The default is set to 0.

member <interfaces>

Note: This entry is only available when creating a new interface entry.

List of physical interfaces that are part of an aggregate or redundant group. An interface is available to be part of such a group only if:

- it is a physical interface,
- it is not already part of an aggregated or redundant interface,
- it has no defined IP address and is not configured for DHCP or PPPoE,
- it has no DHCP server or relay configured on it,
- it does not have any VLAN subinterfaces,
- it is not referenced in any firewall policy,
- and it is not an HA heartbeat device or monitored by HA.

Note that the order in which you specify the interfaces in the member list is the order in which they will become active in the redundant group.

lacp-mode {static | passive | active}

Note: This entry is only available when type is set to aggregate.

Link Aggregation Control Protocol (LACP) mode:

- static: Use static aggregation; do not send LACP messages, and ignore any LACP messages.
- passive: Passively use LACP to negotiate 802.3ad aggregation.
- active: Actively use LACP to negotiate 802.3ad aggregation (set by default).

lacp-ha-slave {enable | disable}

Note: This entry is only available when type is set to aggregate.

Enable (by default) or disable the HA slave's ability to send and/or receive LACP messages.

lacp-speed {slow | fast}

Note: This entry is only available when type is set to aggregate.

Frequency at which LACP messages are sent:

- slow: Send LACP messages every 30 seconds (set by default).
- fast: Send LACP messages every second.

algorithm {L2 | L3 | L4}

Note: This entry is only available when type is set to aggregate.

Frame distribution algorithm:

- L2: Use layer 2 address for distribution.
- L3: Use layer 3 address for distribution.
- L4: Use layer 4 information for distribution (set by default).

description <description>

Optional description.

alias <alias>

Alias name for this interface, to make it easier to distinguish it from other interfaces, up to a maximum of 25 characters.

snmp-index <index>

Optional index number of this interface for SNMP purposes.

secondary-IP {enable | disable}

Enable or disable (by default) the configuration method for adding a secondary IP address to this interface (see config secondaryip above).
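The strong-crypto, ssh-cbc-cipher, ssh-hmac-md5, remoteauthtimeout and login-banner entries under system global, together with the allowaccess entry of each interface, are the settings a defender reviews together when checking administrator access. The following Python script is an added example, not part of this reference or of Fortinet's software: it parses a constructed configuration dump written in the CLI format this reference uses and reports settings that weaken administrator access, assuming the documented defaults for entries that are not set.

```python
"""Audit a FortiCache configuration dump for weak administrator-access settings (added example)."""
import shlex
from typing import Dict, List, Tuple

# Constructed sample dump, not captured from a real device.
SAMPLE_CONFIG = """\
config system global
    set hostname "cache-lab-01"
    set strong-crypto disable
    set ssh-cbc-cipher enable
    set ssh-hmac-md5 enable
    set remoteauthtimeout 30
    set pre-login-banner disable
    set post-login-banner enable
end
config system interface
    edit "port1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh telnet http
    next
    edit "port2"
        set allowaccess ping https ssh
    next
end
"""

ConfigTree = Dict[str, Dict[str, Dict[str, str]]]

CLEARTEXT_ACCESS = {"telnet", "http"}  # management protocols that carry credentials in cleartext

# Defaults as documented for 'config system global' in this reference.
GLOBAL_DEFAULTS = {
    "strong-crypto": "disable",
    "ssh-cbc-cipher": "enable",
    "ssh-hmac-md5": "enable",
    "remoteauthtimeout": "5",
    "pre-login-banner": "disable",
    "post-login-banner": "disable",
}


def parse_config(text: str) -> ConfigTree:
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: value}}}.

    Sections without 'edit' entries (such as 'system global') keep their settings under
    the entry name ''. A stack tracks nested 'config' blocks so an inner 'end' does not
    close the outer section.
    """
    tree: ConfigTree = {}
    stack: List[Tuple[str, str]] = []  # (section name, current entry)
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # shlex handles quoted values such as "port1"
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            section = " ".join(args)
            tree.setdefault(section, {})
            stack.append((section, ""))
        elif cmd == "edit" and stack and args:
            section = stack[-1][0]
            stack[-1] = (section, args[0])
            tree[section].setdefault(args[0], {})
        elif cmd == "set" and stack and args:
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[args[0]] = " ".join(args[1:])
        elif cmd == "next" and stack:
            stack[-1] = (stack[-1][0], "")
        elif cmd == "end" and stack:
            stack.pop()
    return tree


def audit(tree: ConfigTree) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs for settings that weaken administrator access."""
    findings: List[Tuple[str, str]] = []
    g = {**GLOBAL_DEFAULTS, **tree.get("system global", {}).get("", {})}

    if g["strong-crypto"] != "enable":
        findings.append(("system global", "strong-crypto disabled: weak ciphers allowed for admin access"))
        # ssh-cbc-cipher and ssh-hmac-md5 only take effect while strong-crypto is disabled.
        if g["ssh-cbc-cipher"] == "enable":
            findings.append(("system global", "ssh-cbc-cipher enabled for SSH access"))
        if g["ssh-hmac-md5"] == "enable":
            findings.append(("system global", "ssh-hmac-md5 enabled for SSH access"))
    if int(g["remoteauthtimeout"]) > 5:
        findings.append(("system global", f"remoteauthtimeout {g['remoteauthtimeout']} s exceeds the default of 5"))
    for banner in ("pre-login-banner", "post-login-banner"):
        if g[banner] != "enable":
            findings.append(("system global", f"{banner} disabled: no administrator access disclaimer"))

    for name, settings in tree.get("system interface", {}).items():
        exposed = sorted(set(settings.get("allowaccess", "").split()) & CLEARTEXT_ACCESS)
        if exposed:
            findings.append((f"system interface {name}", "cleartext management access: " + ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{scope}] {finding}")
```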

ntp

Use this command to configure Network Time Protocol (NTP) servers.

config ntpserver

Note: This configuration method is only available when type is set to custom.

server <server>

IPv4 address or host name for the NTP server. You can also add an IPv4 address and hostname in the format 1.1.1.1/abcd.

ntpv3 {enable | disable}

Enable or disable (by default) the use of the NTPv3 protocol instead of NTPv4.

ntpsync {enable | disable}

Enable (by default) or disable synchronizing the FortiCache's system time with the NTP server.

type {fortiguard | custom}

Type of NTP server: FortiGuard (set by default) or a custom NTP server.

syncinterval <minutes>

Period of time in minutes between contacting the NTP server to synchronize the time. Set the value between 1-1440 (or one minute to one day). The default is set to 60 (or one hour).

source-ip <address>

Source IP address for communications to the NTP server.

object-tag

Use this command to create object tags.

There are no configurable entries within this command, except the name of the object tag.

password-policy

Use this command to configure password policy settings, allowing for higher security requirements of administrators regarding their passwords and IPsec VPN pre-shared keys.

Note: By default, the only option available to begin with is status. All other options in this command only become available when status is set to enable.

status {enable | disable}

Enable or disable (by default) password policy settings.

apply-to {admin-password | ipsec-preshared-key}

Determine whether the password policy applies to administrator passwords (set by default) or IPsec preshared keys.

minimum-length <length>

Minimum character length of the password. Set the value between 8-128. The default is set to 8.

min-lower-case-letter <characters>

Minimum number of lower-case characters required in the password. Set the value between 0-128. The default is set to 0.

min-upper-case-letter <characters>

Minimum number of upper-case characters required in the password. Set the value between 0-128. The default is set to 0.

min-non-alphanumeric <characters>

Minimum number of non-alphanumeric characters required in the password. Set the value between 0-128. The default is set to 0.

min-number <characters>

Minimum number of numeric characters required in the password. Set the value between 0-128. The default is set to 0.

change-4-characters {enable | disable}

Enable or disable (by default) requiring the new password to differ from the old password by four or more characters.

expire-status {enable | disable}

Enable or disable (by default) password expiration. Once enabled, use the expire-day entry to set the number of days an administrator user's password will remain valid before it expires.

expire-day <days>

Note: This entry is only available when expire-status is set to enable.

Number of days before an administrator user's password will expire. Set the value between 1-999 (or one day to over 32 months). The default is set to 90 (or approximately three months).
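As an added example (not part of this reference or of Fortinet's software), the following Python code models the password-policy entries above as a checker for candidate administrator passwords. The field names mirror the CLI entries and the defaults are the documented ones; measuring change-4-characters as Levenshtein edit distance is an assumption, since the reference does not say how the difference is counted.

```python
"""Check candidate passwords against a FortiCache-style password policy (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirrors the 'config system password-policy' entries; values are the documented defaults."""
    minimum_length: int = 8
    min_lower_case_letter: int = 0
    min_upper_case_letter: int = 0
    min_non_alphanumeric: int = 0
    min_number: int = 0
    change_4_characters: bool = False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, policy: PasswordPolicy,
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations: List[str] = []
    counts = {
        "min_lower_case_letter": sum(c.islower() for c in candidate),
        "min_upper_case_letter": sum(c.isupper() for c in candidate),
        "min_number": sum(c.isdigit() for c in candidate),
        "min_non_alphanumeric": sum(not c.isalnum() for c in candidate),
    }
    if len(candidate) < policy.minimum_length:
        violations.append(f"minimum-length: {len(candidate)} < {policy.minimum_length}")
    for field, have in counts.items():
        need = getattr(policy, field)
        if have < need:
            violations.append(f"{field.replace('_', '-')}: {have} < {need}")
    # Assumption: "differ by four or more characters" is measured as edit distance;
    # the reference does not state how the difference is counted.
    if policy.change_4_characters and previous is not None:
        if edit_distance(candidate, previous) < 4:
            violations.append("change-4-characters: new password too similar to the old one")
    return violations


# The documented defaults versus a hardened policy an operator might configure.
DEFAULT_POLICY = PasswordPolicy()
HARDENED_POLICY = PasswordPolicy(minimum_length=12, min_lower_case_letter=1,
                                 min_upper_case_letter=1, min_non_alphanumeric=1,
                                 min_number=1, change_4_characters=True)

if __name__ == "__main__":
    for pw, old in (("Tr0ub4dor&3", None), ("Tr0ub4dor&3xyz", "Tr0ub4dor&3")):
        print(pw, check_password(pw, HARDENED_POLICY, old) or "OK")
```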

replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy}

The replacemsg command is divided into nine configurable options; configure replacement messages for:

- administration disclaimer pages,
- alert mail text messages with HTTP headers,
- user authentication login pages,
- web pages that FortiGuard web filtering may block,
- FTP clients when a file contains a virus in an FTP session,
- AntiVirus blocked HTTP session pages,
- NAC quarantine pages (for DLP, DoS, IPS, and detected viruses),
- when data leaks occur or viruses are detected,
- and web proxy user authentication failures and HTTP errors.

To view available replacement message tags that can be added to the various messages shown below, see Appendix A: Replacement message tags.

admin {post_admin-disclaimer-text | pre_admin-disclaimer-text}

Use this command to configure administration disclaimer page replacement messages.

For the FortiCache to display the Administration Login disclaimer whenever an administrator logs into the FortiCache's web-based manager, enter the following:

config system global
    set pre-login-banner enable
    set post-login-banner enable
end

This disclaimer contains the text of the Login Disclaimer replacement message, as well as Accept and Decline options. The administrator must select Accept to log in.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

alertmail {alertmail-block | alertmail-crit-event | alertmail-disk-full | ... }

Use this command to configure the alert email messages sent to administrators.

To see the full list of available alertmail replacement messages to edit, enter config system replacemsg alertmail ?.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

auth {auth-block-notification-page | auth-cert-passwd-page | auth-challenge-page | ... }

Use this command to configure user authentication HTML page replacement messages.

To see the full list of available auth replacement messages to edit, enter config system replacemsg auth ?.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

fortiguard-wf {ftgd-block | ftgd-ovrd | ftgd-quota | ... }

Use this command to configure FortiGuard Web Filtering blocked-page replacement messages.

To see the full list of available fortiguard replacement messages to edit, enter config system replacemsg fortiguard ?.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

ftp {ftp-dl-archive-block | ftp-dl-blocked | ftp-dl-dlp-ban | ... }

Use this command to configure FTP session-related replacement messages.

To see the full list of available ftp replacement messages to edit, enter config system replacemsg ftp ?.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

http {bannedword | http-archive-block | http-block | ... }

Use this command to configure HTTP session-related replacement messages.

To see the full list of available http replacement messages to edit, enter config system replacemsg http ?.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

nac-quar {nac-quar-admin | nac-quar-dlp | nac-quar-dos | ... }

Use this command to configure NAC quarantine page replacement messages.

To see the full list of available nac-quar replacement messages to edit, enter config system replacemsg nac-quar ?.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

utm {appblk-html | dlp-html | dlp-text | ... }

Use this command to configure replacement messages for items blocked due to data leaks or detected viruses.

To see the full list of available utm replacement messages to edit, enter config system replacemsg utm ?.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

webproxy {auth-authorization-fail | auth-challenge | auth-ip-blackout | ... }

Use this command to configure failed user authentication and HTTP error page replacement messages.

To see the full list of available webproxy replacement messages to edit, enter config system replacemsg webproxy ?.

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

replacemsg-group

Use this command to create and edit replacement message profiles to be applied to specific users or user groups.

The following replacement message categories can be customized in groups when group-type is set to auth:

- webproxy
- auth

The following replacement message categories can be customized in groups when group-type is set to utm:

- http
- webproxy
- fortiguard-wf
- alertmail
- admin
- nac-quar
- utm
- custom-message
- ftp

Note: Despite webproxy being available for both group-types, the two configure different message types.

config webproxy

Note: The message types found in this configuration method are only available when group-type is set to auth.

Use this configuration method to configure the message types defined for web proxy messages.

The following message types can be edited:

- deny
- user-limit
- auth-challenge
- auth-login-fail
- auth-authorization-fail
- http-err
- auth-ip-blackout

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config auth

Note: This configuration method is only available when group-type is set to auth.

Use this configuration method to configure the message types defined for authentication messages.

The following message types can be edited:

- auth-disclaimer-page-1
- auth-disclaimer-page-2
- auth-disclaimer-page-3
- auth-reject-page
- auth-login-page
- auth-login-failed-page
- auth-token-login-page
- auth-token-login-failed-page
- auth-success-msg
- auth-challenge-page
- auth-keepalive-page
- auth-portal-page
- auth-password-page
- auth-fortitoken-page
- auth-next-fortitoken-page
- auth-email-token-page
- auth-sms-token-page
- auth-email-harvesting-page
- auth-email-failed-page
- auth-cert-passwd-page
- auth-guest-print-page
- auth-guest-email-page
- auth-success-page
- auth-block-notification-page

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config http

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for HTTP messages.

The following message types can be edited:

- bannedword
- url-block
- urlfilter-err
- infcache-block
- http-block
- http-filesize
- http-dlp-ban
- http-archive-block
- http-contenttypeblock
- https-invalid-cert-block
- http-client-block
- http-client-filesize
- http-client-bannedword
- http-post-block
- http-client-archive-block
- switching-protocols-block

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config webproxy

Note: The message types found in this configuration method are only available when group-type is set to utm.

Use this configuration method to configure the message types defined for web proxy messages.

The following message types can be edited:

- bannedword
- url-block
- urlfilter-err
- infcache-block
- http-block
- http-filesize
- http-dlp-ban
- http-archive-block
- http-contenttypeblock
- https-invalid-cert-block
- http-client-block
- http-client-filesize
- http-client-bannedword
- http-post-block
- http-client-archive-block
- switching-protocols-block

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config fortiguard-wf

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for FortiGuard web filtering messages.

The following message types can be edited:

- ftgd-block
- ftgd-err
- ftgd-ovrd
- ftgd-quota
- ftgd-warning

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config alertmail

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for alert mail messages.

The following message types can be edited:

- alertmail-virus
- alertmail-block
- alertmail-nids-event
- alertmail-crit-event
- alertmail-disk-full

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config admin

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for administration messages.

The following message types can be edited:

- pre_admin-disclaimer-text
- post_admin-disclaimer-text

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config nac-quar

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for NAC quarantine messages.

The following message types can be edited:

- nac-quar-virus
- nac-quar-dos
- nac-quar-ips
- nac-quar-dlp
- nac-quar-admin

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config utm

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for UTM messages.

The following message types can be edited:

- virus-html
- virus-text
- dlp-html
- dlp-text
- appblk-html

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config custom-message

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message type defined for custom messages.

The following message type can be edited:

- msg-type

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

config ftp

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for FTP messages.

The following message types can be edited:

- ftp-dl-blocked
- ftp-dl-filesize
- ftp-dl-dlp-ban
- ftp-explicit-banner
- ftp-dl-archive-block

buffer <message>

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

comment <comment>

Optional comments.

group-type {utm | auth}

Type of replacement message group this group is:

- auth: For use with authentication pages in firewall policies (set by default).
- utm: For use with UTM settings in firewall policies.

replacemsg-image

Use this command to create and edit images to be used in HTTP replacement messages. Note that both entries available (image-type and image-base64) must be set for a valid entry.

The following predefined images are available for editing:

- logo_fguard_wf
- logo_fnet
- logo_fw_auth
- logo_v2_fguard_app
- logo_v2_fguard_wf
- logo_v2_fnet

image-type {gif | jpg | tiff | png}

Format of the image: GIF, JPG, TIFF, or PNG.

image-base64 <base64>

Image in base64 encoding.


settings

Use this command to configure settings that affect various FortiCache features such as operating mode and default gateway.

opmode {nat | transparent}

Operation mode: NAT (set by default) or transparent.

firewall-session-dirty {check-all | check-new | check-policy-option}

Method for managing changes to firewall policies:

- check-all: Flush all current sessions and re-evaluate them (set by default).
- check-new: Keep existing sessions and apply the policy change to new sessions only (this can lead to reduced CPU load and the possibility of packet loss).
- check-policy-option: Use the option selected in the firewall policy.

{manageip | manageip6} <address>

Note: These entries are only available when opmode is changed from nat to transparent, before you commit the change by entering end or next.

IPv4/IPv6 IP address and netmask of the Transparent mode management interface.

{gateway | gateway6} <address>

Note: These entries are only available when opmode is changed from nat to transparent, or vice versa, before you commit the change by entering end or next.

Default gateway IPv4/IPv6 address.

{ip | ip6} <address>

Note: These entries are only available when opmode is changed from transparent to nat, before you commit the change by entering end or next.

IPv4/IPv6 IP address.

device <interface>

Note: This entry is only available when opmode is changed from transparent to nat, before you commit the change by entering end or next.

Interface, or port, for management access; this is the interface to which the ip entry above applies.

bypass {off | powerup | powerdown | both}

Bypass interface mode:

- off: Disable bypass (set by default).
- powerup: Bypass when power is up.
- powerdown: Bypass when power is down.
- both: Bypass regardless of power status.

wccp-cache-engine {enable | disable}

Note: This entry is only available when opmode is changed from nat to transparent, or vice versa, before you commit the change by entering end or next.

Enable or disable (by default) operation of the FortiCache as a WCCP cache engine. Once enabled, use the config system wccp command to configure WCCP cache engine settings.

Conversely, if disabled, the FortiCache operates as a WCCP router.

gui-default-policy-columns <columns>

Default columns to display for the firewall policy list in the web-based manager. To view the full list of columns, enter set gui-default-policy-columns ?.

snmp {community | sysinfo | user}

The snmp command is divided into three configurable options: create and edit SNMP communities, enter basic system information used by the SNMP agent, and create and edit SNMP users.

community

Use this command to configure SNMP communities so that SNMP managers can connect to the FortiCache to view system information and receive SNMP traps. SNMP traps are triggered when system events happen, such as when AntiVirus checking is bypassed or when the log disk is almost full.

config {hosts | hosts6}

Use this configuration method to configure IPv4 and/or IPv6 hosts.

{source-ip | source-ip6} <address>

IPv4 or IPv6 source IP address for SNMP traps sent by the FortiCache.

{ip | ipv6} <address>

IPv4 or IPv6 IP address of the SNMP manager.

interface <port>

Note: This entry is only available when ha-direct is set to disable.

Interface, or port, to which the SNMP manager connects. The default is set to any.


ha-direct {enable | disable}

Enable or disable (by default) direct management of cluster members.

host-type {any | query | trap}

Permitted actions for this host, depending upon the type:

- any: Any SNMP action (set by default).
- query: Make queries only.
- trap: Receive traps only.

name <name>

SNMP community name.

status {enable | disable}

Enable (by default) or disable the SNMP community.

query-v1-status {enable | disable}

Enable (by default) or disable SNMP v1 queries for this SNMP community.

query-v1-port <port>

SNMP v1 query port number used for SNMP manager queries. The default is set to 161.

query-v2c-status {enable | disable}

Enable (by default) or disable SNMP v2c queries for this SNMP community.

query-v2c-port <port>

SNMP v2c query port number used for SNMP manager queries. The default is set to 161.

trap-v1-status {enable | disable}

Enable (by default) or disable SNMP v1 traps for this SNMP community.

trap-v1-lport <local-port>

SNMP v1 local port number used for sending traps to the SNMP managers. The default is set to 162.

trap-v1-rport <remote-port>

SNMP v1 remote port number used for sending traps to the SNMP managers. The default is set to 162.

trap-v2c-status {enable | disable}

Enable (by default) or disable SNMP v2c traps for this SNMP community.

trap-v2c-lport <local-port>

SNMP v2c local port number used for sending traps to the SNMP managers. The default is set to 162.

trap-v2c-rport <remote-port>

SNMP v2c remote port number used for sending traps to the SNMP managers. The default is set to 162.

events {cpu-high | mem-low | log-full | ... }

Events for which the FortiCache should send traps to the SNMP managers in this community. To enter multiple events, separate each entry with a space.

To view the full list of events, enter set events ?.

sysinfo

Use this command to configure basic system information used by the SNMP agent. When your SNMP manager receives traps from the FortiCache, you will know which unit sent the information through the following identifying information.

status {enable | disable}

Enable or disable (by default) the FortiCache SNMP agent.

engine-id <id>

Optional unique SNMP engine identifier, or snmpEngineID, up to a maximum of 24 characters. This value is included in each message sent to or from the SNMP engine. The snmpEngineID is made up of two parts:

1. Fortinet prefix of 0x8000304404 (not set in this command).
2. Engine-id string, 24 character maximum length, as defined in this entry.

description <description>

Optional description.

contact-info <info>

Contact information for the person responsible for this FortiCache, up to a maximum of 35 characters.

location <location>

Physical location description of the FortiCache unit, up to a maximum of 35 characters. Note that XSS vulnerability checking is disabled, so XSS characters such as brackets, "(" and ")", are permitted.

trap-high-cpu-threshold <percentage>

Percentage of CPU used that will trigger the threshold SNMP trap for high-cpu. This feature prevents frequent and unnecessary traps. The default is set to 80.

trap-low-memory-threshold <percentage>

Percentage of memory used that will be the threshold SNMP trap for the low-memory. The default is set to 80.

trap-log-full-threshold <percentage>

Percentage of disk space used that will trigger the threshold SNMP trap for the log-full. The default is set to 90.

user

Use this command to configure an SNMP user, including which SNMP events the user wants to be notified about, which hosts will be notified, and, if queries are enabled, which port to listen on for them.

queries {enable | disable}

Enable (by default) or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables.

query-port <port>

Port number used for SNMP v3 queries. If multiple versions of SNMP are being supported, each version should listen on a different port. The default is set to 161.

{notify-hosts | notify-hosts6} <address>

IPv4 or IPv6 IP addresses to send SNMP notifications (SNMP traps) to when events occur. To enter multiple notification hosts, separate each entry with a space.

{source-ip | source-ipv6} <address>

Optional IPv4 or IPv6 source IP address to use in traps.

ha-direct {enable | disable}

Enable or disable (by default) direct management of cluster members.

events {cpu-high | mem-low | log-full | ... }

Events for which the FortiCache should send traps to the SNMP managers in this community. To enter multiple events, separate each entry with a space.

To view the full list of events, enter set events ?.

security-level {no-auth-no-priv | auth-no-priv | auth-priv}

Security level:

- no-auth-no-priv: No authentication or privacy (set by default).
- auth-no-priv: Authentication but no privacy.
- auth-priv: Authentication and privacy.

auth-proto {md5 | sha}

Note: This entry is only available when security-level is set to either auth-no-priv or auth-priv.

Authentication protocol:

- md5: HMAC-MD5-96 authentication protocol.
- sha: HMAC-SHA-96 authentication protocol (set by default).

auth-pwd <password>

Note: This entry is only available when security-level is set to either auth-no-priv or auth-priv.

Authentication key, up to a maximum of 32 characters.

priv-proto {aes | des | aes256}

Note: This entry is only available when security-level is set to auth-priv.

Privacy encryption protocol:

- aes: CFB128-AES-128 symmetric encryption protocol (set by default).
- des: CBC-DES symmetric encryption protocol.
- aes256: CFB128-AES-256 symmetric encryption protocol.

priv-pwd <password>

Note: This entry is only available when security-level is set to auth-priv.

Privacy encryption key, up to a maximum of 32 characters.
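The following configuration is an added example, not taken from the FortiCache documentation, that puts the community and user entries above together: a v2c community that only answers queries from one named manager (v1 and traps disabled, so the community string is never used for trap delivery), and an SNMPv3 user at auth-priv that carries the traps. The community index 1, the host address 192.0.2.50 written with a /32 mask, the user and sysinfo strings, and the key placeholders are all assumptions.

```text
config system snmp sysinfo
    set status enable
    # assumed value; the fixed Fortinet prefix 0x8000304404 is prepended automatically
    set engine-id "forticache-dc1"
    set contact-info "noc@example.net"
    set location "DC1 rack 4"
    set trap-high-cpu-threshold 80
    set trap-log-full-threshold 90
end

config system snmp community
    edit 1
        set name "ro-monitor"
        set status enable
        # v1 carries the community string with no integrity check; keep it off
        set query-v1-status disable
        set trap-v1-status disable
        set query-v2c-status enable
        set query-v2c-port 161
        # traps go out via the v3 user below, not via the community
        set trap-v2c-status disable
        config hosts
            edit 1
                # assumed manager address; host-type query refuses this host as a trap target
                set ip 192.0.2.50/32
                set host-type query
            next
        end
    next
end

config system snmp user
    edit "monitor-v3"
        set queries enable
        set query-port 161
        set notify-hosts 192.0.2.50
        set events cpu-high mem-low log-full
        # auth-priv is required before auth-proto/auth-pwd and priv-proto/priv-pwd appear
        set security-level auth-priv
        set auth-proto sha
        set auth-pwd "REPLACE-WITH-32-CHAR-AUTH-KEY"
        set priv-proto aes256
        set priv-pwd "REPLACE-WITH-32-CHAR-PRIV-KEY"
    next
end
```

Each set of keys has a 32-character maximum; the auth-pwd and priv-pwd entries only accept input once security-level is already auth-priv, so the order of the set lines matters.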

storage

Use this command to view local disk storage settings.

There are no configurable entries within this command; however, you can use get to view the FortiCache's partitions and related information. To edit the disks and their partitions, use the web-based manager.

To format the disks, the reference number for the disk you wish to edit must be known.

Note that formatting storage disks will erase all data on them and requires the FortiCache to reboot.

To list all the disks and view their reference numbers, enter the following command (the following is an example output):

execute disk list

Disk HD1 ref: 255 1.8TB 1863.0GB type: ASM-S08 [ATA TOSHIBA MG03ACA2] dev: /dev/sda
partition ref: 1 522.6GB, N/A free mounted: Y label: 51E5704F595F257F dev: /dev/sda1
partition ref: 2 531.0GB, N/A free mounted: N label: dev: /dev/sda2
partition ref: 3 707.9GB, N/A free mounted: N label: dev: /dev/sda3

Disk HD2 ref: 16 1.8TB 1863.0GB type: ASM-S08 [ATA TOSHIBA MG03ACA2] dev: /dev/sdb
partition ref: 17 522.6GB, N/A free mounted: Y label: 5C1E39A15B5D99B6 dev: /dev/sdb1
partition ref: 18 531.0GB, N/A free mounted: N label: dev: /dev/sdb2
partition ref: 19 707.9GB, N/A free mounted: N label: dev: /dev/sdb3

Disk HD3 ref: 32 1.8TB 1863.0GB type: ASM-S08 [ATA TOSHIBA MG03ACA2] dev: /dev/sdc
partition ref: 33 522.6GB, N/A free mounted: Y label: 052B6FF20FD65D60 dev: /dev/sdc1
partition ref: 34 531.0GB, N/A free mounted: N label: dev: /dev/sdc2
partition ref: 35 707.9GB, N/A free mounted: N label: dev: /dev/sdc3

Disk HD4 ref: 48 1.8TB 1863.0GB type: ASM-S08 [ATA TOSHIBA MG03ACA2] dev: /dev/sdd
partition ref: 49 522.6GB, N/A free mounted: Y label: 4092229C66B548A0 dev: /dev/sdd1
partition ref: 50 531.0GB, N/A free mounted: N label: dev: /dev/sdd2
partition ref: 51 707.9GB, N/A free mounted: N label: dev: /dev/sdd3

In the example shown above, disks 1, 2, 3, and 4 are assigned reference numbers 255, 16, 32, and 48 (respectively).

To format a disk, enter the following command (the following example uses disk 2, with its reference number of 16):

execute disk format 16

Request format for: 16 (device=/dev/sdb)
Formatting this storage will erase all data on it, including WanOpt caches;
This action requires the unit to reboot.
Do you want to continue? (y/n) y

Performing format on the requested disk(s) and rebooting, please wait...

FortiCache # Formatting the disk...
DEBUG: received request /dev/sdb 1 30 30 40
Received Partitioning request for device=/dev/sdb wanopt_req=1 pct[0]=30, pct[1]=30, pct[2]=40.
Partitioning and formatting /dev/sdb ...
Sending request for partno=0 start=63 stop=5282160
Sending request for partno=1 start=5282161 stop=10564320
Sending request for partno=2 start=10564321 stop=17607239
done

wccp

Use this command to configure settings for Web Cache Communication Protocol (WCCP).

cache-id <address>

IP address of the cache engine.

group-address <address>

IP multicast address used by the cache routers. The default is set to 0.0.0.0, whereby the FortiCache ignores multicast WCCP traffic. Otherwise, set the value between 224.0.0.0-239.255.255.255.

router-list <address>

IP addresses of one or more WCCP routers that can communicate with a WCCP cache engine. To enter multiple addresses, separate each entry with a space.

authentication {enable | disable}

Enable or disable (by default) MD5 authentication for the WCCP configuration.

password <password>

Note: This entry is only available when authentication is set to enable.

Authentication password, up to a maximum of eight characters.

cache-engine-method {GRE | L2}

Method by which traffic is forwarded to the router or returned to the cache engine:

- GRE: GRE encapsulation (set by default).
- L2: L2 rewrite.

service-type {auto | standard | dynamic}

WCCP service type used by the cache server: automatic (set by default), standard, or dynamic service.

assignment-weight <weight>

Assignment weight for the WCCP cache engine. Set the value between 0-255. The default is set to 0.

assignment-bucket-format {wccp-v2 | cisco-implementation}

Assignment bucket format for the WCCP cache engine: WCCP-v2, or Cisco bucket format (set by default).

zone

Use this command to create and edit zones, grouping related interfaces so that policy creation is simplified: policies are configured for connections to and from a zone, rather than to and from each interface.

intrazone {allow | deny}

Allow or deny (by default) traffic routing between different interfaces within the same zone.

interface <port>

Interface to be added to this zone. Note that you cannot add an interface that already belongs to another zone, or for which firewall policies are defined.


user

Use config user to configure the following user related options:

- adgrp
- fsso
- fsso-polling
- group
- krb-keytab
- ldap
- local
- password-policy
- radius
- setting
- tacacs+

adgrp

Use this command to configure Fortinet Single Sign-On (FSSO) groups.

server-name <name>

Name of the FSSO agent.

polling-id <id>

FSSO polling ID. The default is set to 0.

fsso

Use this command to create and edit up to five FSSO collector agents as part of a redundant configuration, so that, if the first agent fails, the FortiCache can attempt to connect to the next agent in the list.

Note that each server, port, and password entry corresponds to its specific numeric counterpart, and no other.

{server | server2 | server3 | server4 | server5} <address>

Domain name or IP address for each collector agent, up to a maximum of 63 characters.

{port | port2 | port3 | port4 | port5} <port>

Port number used for communication between the FortiCache and each collector agent. The default is set to 8000.

{password | password2 | password3 | password4 | password5} <password>

Password for each collector agent.

ldap-server <server>

Name of the LDAP server to be used to access the Directory Service.

source-ip <address>

Source IP address for communications to the FSSO server.

fsso-polling

Use this command to configure polling of servers for FSSO.

config adgrp

Use this configuration method to specify the Windows AD group name for which FSSO polling will be conducted.

status {enable | disable}

Enable (by default) or disable FSSO polling.

server <server>

IP address or AD server name.

default-domain <name>

Default domain name of this server.

port <port>

Server port number. Set the value between 0-65535. The default is set to 0.

user <name>

User account name for the AD server.

password <password>

Password used to connect to the AD server.

ldap-server <server>

Name of the LDAP server for groups and user names.

logon-history <hours>

Length of logon history. Set the value between 1-48 (or one hour to two days), or enter 0 to keep logon history forever. The default is set to 8.

polling-frequency <seconds>

Frequency in seconds at which polling occurs. Set the value between 1-30. The default is set to 10.

group

Use this command to create and edit user groups.

config match

Note: This configuration method is only available when group-type is set to firewall.

Use this configuration method to .

server-name <name>

Name of the remote authentication server.

group-name <name>

Name of the matching group on the remote authentication server.

config guest

Note: This configuration method is not configurable here; all guest user related entries can be configured when group-type is set to guest (see entries below).

group-type {firewall | fsso-service | rsso | guest}

Group type, which in turn determines the user type:

- firewall: Users defined in the user local, user ldap, or user radius commands (set by default).
- fsso-service: SSO users.
- rsso: RSSO users.
- guest: Guest users.

authtimeout <minutes>

Authentication timeout for this user group, in minutes. Set the value between 0-1440 (0 uses the global timeout value; 1440 is one day). The default is set to 0.

sso-attribute-value <name>

Note: This entry is only available when group-type is set to rsso.

Name of the RADIUS user group this user group represents.

auth-concurrent-override {enable | disable}

Note: This entry is only available when group-type is set to either firewall or guest.

Enable or disable (by default) overriding the entry in config system global, policy-auth-concurrent.

auth-concurrent-value <limit>

Note: This entry is only available when auth-concurrent-override is set to enable.

Maximum limit of concurrent logins for the same user. Set the value between 0-100. The default is set to 0, whereby there is no limit.

http-digest-realm <attribute>

Note: This entry is not available when group-type is set to rsso.

Realm attribute for MD5-digest authentication.

member <name>

Note: This entry is only available when group-type is set to either firewall or fsso-service.

Names of users, peers, LDAP servers, or RADIUS servers to add to the user group. To enter multiple names, separate each entry with a space.

user-id {email | auto-generate | specify}

Note: This entry is only available when group-type is set to guest.

Source of the guest user ID: use the guest's email address (set by default), automatically generate a random user ID, or specify a user ID.

password {auto-generate | specify | disable}

Note: This entry is only available when group-type is set to guest.

Source of the guest user's password: automatically generate a random password (set by default), specify a password, or disable the password requirement.

user-name {disable | enable}

Note: This entry is only available when group-type is set to guest.

Enable or disable (by default) guest user name entry.

sponsor {optional | mandatory | disabled}

Note: This entry is only available when group-type is set to guest.

Sponsor field in the web-based manager Guest Management form: present but optional (set by default), mandatory, or disabled.

company {optional | mandatory | disabled}

Note: This entry is only available when group-type is set to guest.

Company field in the web-based manager Guest Management form: present but optional (set by default), mandatory, or disabled.

email {disable | enable}

Note: This entry is only available when group-type is set to guest.

Enable (by default) or disable the Email field in the web-based manager Guest Management form.

mobile-phone {disable | enable}

Note: This entry is only available when group-type is set to guest.

Enable or disable (by default) the Mobile Phone Number field in the web-based manager Guest Management form.

expire-type {immediately | first-successful-login}

Note: This entry is only available when group-type is set to guest.

When the expiry time countdown begins: immediately (set by default) or after the user's first successful login.

expire <seconds>

Note: This entry is only available when group-type is set to guest.

Period of time in seconds before the user account expires. Set the value between 1-31536000 (or one second to one year). The default is set to 14400 (or four hours).

max-accounts <limit>

Note: This entry is only available when group-type is set to guest.

Maximum limit of accounts permitted. The default is set to 0, whereby there is no limit.

multiple-guest-add {disable | enable}

Note: This entry is only available when group-type is set to guest.

Enable or disable (by default) the Multiple Guest Add option in the web-based manager User Group form.

krb-keytab

Use this command to configure Kerberos keytab entries.

Keytab files are used to authenticate to various remote systems using Kerberos without entering a password, and without requiring human interaction or access to a password stored in a plain-text file. The script is then able to use the acquired credentials to access files stored on a remote system.

principal <service-principal>

Kerberos server principal (e.g. HTTP/[email protected]).

ldap-server <name>

Name of the LDAP server.

keytab <base64>

Keytab file, base64 encoded, containing a pre-shared key.

ldap

Use this command to create and edit the definition of an LDAP server for user authentication.

LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. Note that, with PPTP, L2TP, and IPSec VPN, Password Authentication Protocol (PAP) is supported, while Challenge Handshake Authentication Protocol (CHAP) is not.

server <address>

IP address or domain name of the primary LDAP server.

secondary-server <address>

Second IP address or domain name of the LDAP server.

tertiary-server <address>

Third IP address or domain name of the LDAP server.

source-ip <address>

Optional source IP address to use for LDAP requests.

cnid <identifier>

Common name identifier (CNID) for the LDAP server, up to a maximum of 20 characters. The default is set to cn, which is the CNID for most LDAP servers. Note, however, that some servers use other common name identifiers, such as uid.

dn <dn>

Note: You must provide a dn value if type is set to simple.

Distinguished name (DN) used to look up entries on the LDAP server, up to a maximum of 512 characters. It reflects the hierarchy of LDAP database object classes above the CNID.

type {simple | anonymous | regular}

Authentication type for LDAP searches:

- simple: Simple password authentication without search (set by default).
- anonymous: Bind using anonymous user search.
- regular: Bind using username and password, and then search.

Use simple if the user records are all under one DN that you know. If the users are under more than one DN, use anonymous or regular, which can search the entire LDAP database for the required user name.

If your LDAP server requires authentication to perform searches, use regular, and provide values for username and password (see entries below).

username <name>

Note: This entry is only available when type is set to regular.

User name for regular LDAP authentication.

password <password>

Note: This entry is only available when type is set to regular.

User's password for regular LDAP authentication.

group-member-check {user-attr | group-object}

Method used for group membership checking: user attribute (set by default), or group object.

secure {disable | starttls | ldaps}

Port to be used in authentication:

- disable: No SSL; port 389 (set by default).
- starttls: Use StartTLS; port 389.
- ldaps: Use LDAPS; port 636.

ca-cert <certificate>

Note: This entry is only available when secure is set to either starttls or ldaps.

Certificate authority (CA) certificate used for user authentication. The CA certificate will be used by the LDAP library to validate the public certificate provided by the LDAP server.

port <port>

Note: This entry changes to 636 when secure is set to ldaps. It will also change back to its default value of 389 when secure is set back to either disable or starttls.

Port number for communication with the LDAP server. The default is set to the standard LDAP port, 389.

password-expiry-warning {enable | disable}

Enable or disable (by default) password expiry warnings.

password-renewal {enable | disable}

Enable or disable (by default) online password renewals.

member-attr <attribute>

Group attribute for user authentication. The default is set to memberOf.

search-type {nested}

Retrieve the complete nested-user-group chain information of a user in a particular Microsoft AD domain; nested (set by default) is the only available option.
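The following is an added example, not taken from the FortiCache documentation, showing the type and secure entries above in a typical directory setup: users spread across several DNs, so a regular bind-and-search is needed, and LDAPS with CA validation so the bind account's password and the user passwords never cross the network in clear text. The server names, DNs, the bind account, the CA certificate name "CA_Cert_1", and the password placeholder are assumptions.

```text
# Weak form for comparison: simple bind over plain LDAP on port 389.
# The user's password is sent in clear text and the server is not authenticated.
config user ldap
    edit "corp-ad-plain"
        set server "ldap1.corp.example"
        set type simple
        set dn "OU=Users,DC=corp,DC=example"
        set secure disable
    next
end

# Hardened form: regular bind, LDAPS, server certificate validated against a CA.
config user ldap
    edit "corp-ad"
        set server "ldap1.corp.example"
        set secondary-server "ldap2.corp.example"
        # users live under several OUs, so the search must start at the domain root
        set type regular
        set username "CN=svc-forticache,OU=Service Accounts,DC=corp,DC=example"
        set password "REPLACE-WITH-BIND-PASSWORD"
        set cnid "cn"
        set dn "DC=corp,DC=example"
        set group-member-check user-attr
        set member-attr "memberOf"
        # secure ldaps switches port to 636 and makes ca-cert available
        set secure ldaps
        set ca-cert "CA_Cert_1"
        set password-expiry-warning enable
    next
end
```

Setting secure back to disable or starttls returns port to 389 and removes the ca-cert entry, so re-check both after any change to secure.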

local

Use this command to create and edit local users and configure user authentication.

status {enable | disable}

Enable (by default) or disable the local user's ability to authenticate with the FortiCache.

type {password | radius | tacacs+ | ldap}

User authentication type:


passwd <password>Note: This entry is only available when type is set to password.

User's password with which to authenticate.

passwd-policy <name>Note: This entry is only available when type is set to password.

Name of a password policy to apply to this user and their password. To create a password policy, see config userpassword-policy.

passwd-time <date-time>Note: This entry is only available when type is set to password.

Start time and date of the last password update in the format yyyy-mm-dd hh:mm:ss. The default is set to 0000-00-00 00:00:00.

radius-server <name>Note: This entry is only available when type is set to radius.

Name of the RADIUS server with which the user must authenticate. A RADIUS server must have already beenadded to the list of RADIUS servers; see config user radius for more information.

tacacs+-server <name>Note: This entry is only available when type is set to tacacs+.

Name of the TACACS+ server with which the user must authenticate. A TACACCS+ server must have alreadybeen added to the list of TACACS+ servers; see config user tacacs+ for more information.

ldap-server <name>Note: This entry is only available when type is set to ldap.

Name of the LDAP server with which the user must authenticate. A LDAP server must have already been addedto the list of LDAP servers; see config user ldap for more information.

authtimeout <minutes>0-1440`0 uses global

workstation <name>Note: This entry is only available when type is set to ldap.

Name of a remote user workstation, if you wish to permit the user to authenticate only from a particularworkstation.

FortiCache 4.2.1 CLI ReferenceFortinet Technologies Inc.

127

password-policy user

auth-concurrent-override {enable | disable}Enable or disable (by default) overriding the entry in config system global, policy-auth-concurrent.

auth-concurrent-value <limit>Note: This entry is only available when auth-concurrent-override is set to enable.

Maximum limit of concurrent logins for the same user. Set the value between 0-100. The default is set to 0,whereby there is no limit.

password-policy

Use this command to define password policies that set user password expiry and provide expiry warnings.

expire-days <days>

Number of days before password expiry. Set the value between 0-999 (0 means the password never expires; 999 is almost 33 months). The default is set to 180 (almost six months).

warn-days <days>

Number of days prior to password expiry that an expiry warning is provided. Set the value between 0-30 (0 means no warning; 30 is approximately one month). The default is set to 15.

radius

Use this command to create and edit information used for RADIUS authentication.

To reduce repetition, the following entries are not available when rsso is set to enable:

- server
- secret
- nas-ip
- acct-interim-interval
- radius-port
- auth-type
- source-ip

Likewise, all RSSO-related entries below are only available when rsso is set to enable.

server <address>

IP address or domain name of the RADIUS server.

secret <password>

Shared secret for the RADIUS server, up to a maximum of 16 characters.

timeout <seconds>

Period of time in seconds between resending authentication requests. Set the value between 0-300 (0 means no timeout; 300 is five minutes). The default is set to 5.

These retransmissions occur within the remoteauthtimeout period set in config system global.

nas-ip <address>

IP address used as the NAS-IP-Address and Called-Station-ID attributes in RADIUS access requests.

acct-interim-interval <seconds>

Period of time in seconds between each accounting interim update message. Set the value between 600-86400 (ten minutes to one day). The default is set to 0.

radius-port <port>

Port number used for communication with the RADIUS server. The default is set to 0. Note that the standard RADIUS authentication port is 1812.

h3c-compatibility {enable | disable}

Enable or disable (by default) compatibility with the H3C Intelligent Management Center (IMC) server. The supplicant requests 802.1X authentication and then sends a second-phase security check request to the H3C IMC server.

rsso-radius-server-port <port>

Port number on which FortiCache listens for the Start and Stop RADIUS accounting records sent by the RADIUS accounting server. The default is set to 1813.

rsso-radius-response {enable | disable}

Enable or disable (by default) sending responses after receiving RADIUS Start and Stop records. This setting may be required by your accounting system.

rsso-validate-request-secret {enable | disable}

Enable or disable (by default) verifying that the RADIUS secret carried in a Start or Stop record matches rsso-secret. With validation disabled, Start and Stop records are accepted without any proof that they came from the accounting server, so enable it wherever the accounting server can be configured with the secret.

rsso-secret <password>

RADIUS secret shared with the RADIUS accounting server.

rsso-endpoint-attribute <attribute>

Name of the RADIUS attribute that contains the end point identifier, used to extract the user's end point identifier from the RADIUS Start record. The default is set to Calling-Station-Id.

To view the full list of attributes, enter set rsso-endpoint-attribute ?.

rsso-endpoint-block-attribute <attribute>

Name of the RADIUS attribute that can be used to block a user. If the attribute's value is Block, all traffic from the user's IP address is blocked. The default is set to Calling-Station-Id.

To view the full list of attributes, enter set rsso-endpoint-block-attribute ?.

sso-attribute <attribute>

Name of the RADIUS attribute that contains the profile group name, used to extract a profile group from the RADIUS Start record. The default is set to Class.

To view the full list of attributes, enter set sso-attribute ?.

sso-attribute-key <key>

Profile key, if the profile attribute contains more data than just the profile group name, up to a maximum of 36 characters. The profile key always comes directly before the profile group name in the profile attribute. For example, the Class attribute could contain profile=<profile_name>, where profile= is the key and <profile_name> is the name of the profile group.

rsso-context-timeout <seconds>

Period of time in seconds after which a user who has been added to the user context list of logged-on users is logged off, provided no communication has been seen from the user's end point. The default is set to 28800 (eight hours).

The other way a user is logged off is when FortiCache receives a RADIUS Stop record for the user's end point. The timeout is therefore only needed when Stop records are not received, but it is recommended to keep it in case a Stop record is missed; otherwise a stale entry would keep the end point's IP address mapped to that user indefinitely.

rsso-log-period <seconds>

Period of time in seconds over which event log messages for dynamic profile events are batched. For example, if set to 30, a group of event log messages is generated every 30 seconds instead of generating event log messages continuously. The default is set to 0, whereby all event log messages are generated in real time.

rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting-event | endpoint-block | radiusd-other | none}

Options to configure event log messages for RSSO events. To enter multiple flags, separate each entry with a space. By default, all are selected except none:

- protocol-error: Write an event log message if RADIUS protocol errors occur, for example when a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.
- profile-missing: Write an event log message whenever the group name in a RADIUS Start message does not match the name of any RSSO user group on the FortiCache.
- accounting-stop-missed: Write an event log message whenever a user context entry timeout expires (see rsso-context-timeout above), indicating that an entry was removed from the user context list without a RADIUS Stop message having been received.
- accounting-event: Write an event log message when unexpected information is found in a RADIUS record, for example more than the expected number of addresses.
- endpoint-block: Write an event log message whenever a user is blocked because the attribute specified in rsso-endpoint-block-attribute is set to Block.
- radiusd-other: Write event log messages for other events, for example when the memory limit for the user context list is reached and the oldest entries in the table have been dropped. The event is described in the log message.
- none: Disable logging of RSSO events.

rsso-flush-ip-session {enable | disable}

Enable or disable (by default) flushing the user's IP sessions when a RADIUS accounting Stop message is received. Enable it if sessions established under the user's profile should end when the user logs off rather than running until they expire on their own.

auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}

Authentication method for this RADIUS server: auto (set by default), MS-CHAPv2, MS-CHAP, CHAP, or PAP.

Note that auto tries PAP, MS-CHAPv2, and CHAP. PAP sends the user's password to the RADIUS server protected only by the shared secret, so prefer ms_chap_v2 where the server supports it.

source-ip <address>

Source IP address for communicating with the RADIUS server.

rsso {enable | disable}

Enable or disable (by default) the RSSO agent and its configurable options. Once enabled, all the RSSO-related entries above become available, and FortiCache accepts connections on the port set in rsso-radius-server-port.
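The following configuration is an added example and is not part of the FortiCache reference. It combines the two roles this command documents: one entry authenticates users against a RADIUS server with MS-CHAPv2, and a second entry enables the RSSO accounting listener with secret validation, an explicit profile key, and the log flags that expose protocol errors and missed Stop records. The addresses, secrets and the group name Finance carried in the Class attribute are assumed values; lines beginning with # are annotations.

```fortios
# Authentication server entry: explicit port, MS-CHAPv2 instead of auto (which
# also tries PAP), and a fixed source address so the server can pin the client.
config user radius
    edit "corp-radius"
        set server "10.0.0.20"              # assumed RADIUS server
        set secret "<radius-shared-secret>"
        set radius-port 1812                # default 0 means "standard port"; set it explicitly
        set auth-type ms_chap_v2
        set timeout 5
        set source-ip 10.0.0.1              # assumed FortiCache interface address
    next
end

# RSSO listener entry: accounting Start/Stop records arrive on 1813. The
# Class attribute is expected to read "profile=Finance", so the key profile=
# is stripped and Finance is looked up as the RSSO user group.
config user radius
    edit "rsso-accounting"
        set rsso enable
        set rsso-radius-server-port 1813
        set rsso-secret "<accounting-shared-secret>"
        set rsso-validate-request-secret enable   # reject records without the right secret
        set rsso-radius-response enable
        set rsso-endpoint-attribute Calling-Station-Id
        set sso-attribute Class
        set sso-attribute-key "profile="
        set rsso-context-timeout 28800            # log users off after 8 h without a Stop record
        set rsso-flush-ip-session enable          # tear down the user's sessions on Stop
        set rsso-log-flags protocol-error profile-missing accounting-stop-missed endpoint-block
    next
end
```

With rsso-validate-request-secret enabled, a record carrying a wrong secret produces a protocol-error event log rather than a new user context entry, which is the log line to alert on when something other than the accounting server starts sending Start records.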

setting

Use this command to configure user settings, including the firewall user authentication timeout and protocol support for firewall policy authentication.

config auth-ports

Use this configuration method to configure non-standard ports for authentication.

type {http | https | ftp | telnet}

Protocol to use with the authentication port: HTTP (set by default), HTTPS, FTP, or Telnet.

port <port>

Port number to use for authentication. Set the value between 1-65535. The default is set to 1024.

auth-type {http | https | ftp | telnet}

Protocols on which firewall authentication is offered: HTTP, HTTPS, FTP, or Telnet; by default, all four are selected. HTTP, FTP, and Telnet carry the user's credentials in cleartext.

auth-cert <certificate>

HTTPS server certificate to use for policy authentication. To see the full list of available certificates, enter set auth-cert ?.

auth-ca-cert <certificate>

CA certificate used for user authentication.

auth-secure-http {enable | disable}

Enable or disable (by default) redirecting HTTP user authentication to HTTPS.

auth-http-basic {enable | disable}

Enable or disable (by default) support for HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of displaying an authentication web page. Some basic web browsers (e.g. web browsers on mobile devices) may only support HTTP basic authentication.

auth-multi-group {enable | disable}

Enable (by default) or disable multiple user group firewall authentication. This can be disabled if the Active Directory structure is set up such that users belong to only one group.

auth-timeout <minutes>

Period of time in minutes before the user is required to authenticate again. Set the value between 1-1440 (one minute to one day). The default is set to 5.

auth-timeout-type {idle-timeout | hard-timeout | new-session}

Type of authentication timeout:

- idle-timeout: Applies only to idle sessions (set by default).
- hard-timeout: Applies to all sessions.
- new-session: Applies only to new sessions.

radius-ses-timeout-act {hard-timeout | ignore-timeout}

RADIUS session timeout option:

- hard-timeout: Use the RADIUS session timeout (set by default).
- ignore-timeout: Ignore the RADIUS session timeout.

auth-blackout-time <seconds>

Period of time in seconds that an authentication blackout lasts. A blackout occurs when firewall authentication attempts from a source IP address fail five times within one minute, after which that source IP address is denied access. Set the value between 0-3600 (0 means no blackout; 3600 is one hour). The default is set to 0, which leaves repeated password guessing from one address unthrottled.

auth-invalid-max <limit>

Maximum number of failed authentication attempts before the client is blocked. Set the value between 1-100. The default is set to 5.

auth-lockout-threshold <limit>

Maximum number of login attempts before the login lockout is triggered (see auth-lockout-duration below). Set the value between 1-10. The default is set to 3.

auth-lockout-duration <seconds>

Period of time in seconds that the login lockout lasts. The default is set to 0.
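The following configuration is an added example and is not part of the FortiCache reference. It hardens the firewall authentication settings documented above: only the HTTPS portal is offered, plain HTTP logins are redirected to it, HTTP basic authentication is turned off, and the blackout and lockout timers are set to non-zero values so that failed attempts are actually penalized. The certificate name portal.example.com, the port 8443 and the auth-ports table index 1 are assumed values; lines beginning with # are annotations.

```fortios
config user setting
    set auth-type https                  # drop HTTP, FTP and Telnet, which send credentials in cleartext
    set auth-secure-http enable          # users who start on HTTP are redirected to HTTPS
    set auth-cert "portal.example.com"   # local certificate for the portal (assumed name)
    set auth-http-basic disable          # no browser pop-up auth over the wire
    set auth-timeout 5
    set auth-timeout-type idle-timeout
    set auth-invalid-max 5               # failures before the client is blocked
    set auth-blackout-time 300           # default 0 = no penalty; block the source IP for 5 minutes
    set auth-lockout-threshold 3
    set auth-lockout-duration 60         # default 0 = no lockout; hold the account for 60 seconds
    config auth-ports
        edit 1                           # assumed table index
            set type https
            set port 8443                # non-standard portal port (assumed)
        next
    end
end
```

The two counters work at different scopes: auth-invalid-max with auth-blackout-time penalizes the source IP address, while auth-lockout-threshold with auth-lockout-duration applies to the login itself, so leaving either duration at 0 disables that half of the protection.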

tacacs+

Use this command to create and edit information used for Terminal Access Controller Access-Control System Plus (TACACS+) authentication.

server <address>

IP address or domain name of the primary TACACS+ server.

secondary-server <address>

IP address or domain name of the second TACACS+ server.

tertiary-server <address>

IP address or domain name of the third TACACS+ server.

port <port>

Port number for communication with the TACACS+ server. The default is set to the standard TACACS+ port, 49.

key <key>

Shared key used to access the primary TACACS+ server, up to a maximum of 16 characters.

secondary-key <key>

Shared key used to access the second TACACS+ server, up to a maximum of 16 characters.

tertiary-key <key>

Shared key used to access the third TACACS+ server, up to a maximum of 16 characters.

authen-type {mschap | chap | pap | ascii | auto}

Authentication protocol to use with this TACACS+ server: MSCHAP, CHAP, PAP, ASCII, or auto (set by default).

Note that auto uses PAP, MS-CHAPv2, and CHAP.

authorization {enable | disable}

Enable or disable (by default) TACACS+ authorization.

source-ip <address>

Source IP address for communicating with the TACACS+ server.

vpn

Use config vpn to configure the following VPN related option:

certificate {ca | crl | local | ocsp-server | remote | setting}

The certificate command is divided into six configurable options: install CA root certificates, CRLs, and local certificates; set the revocation server for an Online Certificate Status Protocol (OCSP) server certificate; install remote certificates; and set options for checking certificate revocation status by OCSP.

ca

Use this command to install CA root certificates. When a CA processes your CSR, it sends you the CA certificate, the signed local certificate, and the CRL.

The CA certificate can update automatically from a Simple Certificate Enrollment Protocol (SCEP) server.

ca <pem-file>

CA certificate in base64 encoded PEM format.

scep-url <url>

URL of the SCEP server.

source-ip <address>

Source IP address that can be used to verify that the request is sent from the expected IP.

crl

Use this command to install a CRL. When a CA processes your CSR, it sends you the CA certificate, the signed local certificate, and the CRL.

crl <pem-file>

CRL in PEM format.

ldap-server <server>

Name of the LDAP server, as set in config user ldap.

http-url <url>

URL of an HTTP server used for automatic CRL updates, beginning with either http:// or https://.

scep-url <url>

URL of the SCEP server used for automatic CRL updates, beginning with either http:// or https://.

scep-cert <certificate>

Local certificate used for SCEP communication for CRL auto-update. The default is set to Fortinet_Firmware.

update-interval <seconds>

Period of time in seconds before the FortiCache checks for an updated CRL. The default is set to 0, whereby the CRL is only updated when it expires.

source-ip <address>

Source IP address that can be used to verify that the request is sent from the expected IP.

local

Use this command to install local certificates.

password <password>

Password in PEM format.

comments <comment>

Optional comments.

private-key <key>

Private key in PEM format.

state <state>

CSR state.

scep-url <url>

URL of the SCEP server.

source-ip <address>

Source IP address that can be used to verify that the request is sent from the expected IP.

ike-localid-type {asn1dn | fqdn}

Local ID type: use ASN.1 DN ID (set by default) or FQDN.

ocsp-server

Use this command to specify an OCSP server used to check the revocation status of certificates, together with the action to take if the server is not available.

url <url>

URL of the OCSP server.

cert <certificate>

OCSP server public certificate.

secondary-url <url>

URL of the second OCSP server.

secondary-cert <certificate>

Second OCSP server public certificate.

unavail-action {revoke | ignore}

Action to take on a client certificate when the OCSP server is unreachable: revoke (set by default) treats the certificate as revoked and fails the authentication; ignore accepts the certificate without a revocation check, so an attacker who can make the OCSP server unreachable disables revocation.

source-ip <address>

Source IP address that can be used to verify that the request is sent from the expected IP.

remote

Use this command to install remote certificates: public certificates without a private key that are used as OCSP server certificates.

To view all information about the certificate, enter the get command.

remote <description>

Description of the remote certificate.

setting

Use this command to enable certificate revocation checking by OCSP.

ocsp-status {enable | disable}

Enable or disable (by default) checking certificate revocation status using OCSP.

ocsp-default-server <server>

Name of the default OCSP server (i.e. one of the servers defined in vpn certificate ocsp-server above).

check-ca-start {enable | disable}

Enable (by default) or disable checking the certificate and failing authentication if the CA certificate is not found.


wanopt

Use config wanopt to configure the following WAN Optimization related options:

- auth-group
- cache-service
- content-delivery-network-rule
- peer
- profile
- settings
- ssl-server
- storage
- webcache

auth-group

Use this command to configure WAN optimization authentication groups. Add authentication groups to support authentication and secure tunneling between WAN optimization peers.

auth-method {cert | psk}

Authentication method for the group: a certificate (set by default) or a pre-shared key.

cert <certificate>

Note: This entry is only available when auth-method is set to cert.

Local certificate to be used by the peers in this group. To add a local certificate, see config vpn certificate local.

psk <key>

Note: This entry is only available when auth-method is set to psk.

Pre-shared key to be used for this group. Every peer in the group shares the same key, so a key recovered from one unit authenticates as any of them; prefer cert where certificates can be deployed.

peer-accept {any | defined | one}

Determine which peers may use the authentication group:

- any: Authentication group can be used by any peer (set by default).
- defined: Authentication group can be used only by peers that have been added to the FortiCache with config wanopt peer.
- one: Authentication group can be used by just one peer. Once set, use the peer entry below to specify the peer.

peer <name>

Note: This entry is only available when peer-accept is set to one.

Name of the peer to add to this authentication group. The peer must already have been added to the FortiCache using the config wanopt peer command.

cache-service

Use this command to designate cache services for WAN optimization and web cache.

config dst-peer

Use this configuration method to define the destination peers of this cache service.

auth-type

Authentication type for the destination peer. The default is set to 0.

encode-type

Encode type for the destination peer. The default is set to 0.

priority <priority>

Priority for the destination peer. The default is set to 1.

ip <address>

Cluster IP address of the destination peer device.

config src-peer

Use this configuration method to define the source peers of this cache service.

auth-type

Authentication type for the source peer. The default is set to 0.

encode-type

Encode type for the source peer. The default is set to 0.

priority <priority>

Priority for the source peer. The default is set to 1.

ip <address>

Cluster IP address of the source peer device.

prefer-senario {balance | prefer-speed | prefer-cache}

Caching preference:

- balance: Balance between speed and cache hit ratio (set by default).
- prefer-speed: Prefer high response speed with more cache bypassing.
- prefer-cache: Prefer a high hit ratio with lower response speed.

collaboration {enable | disable}

Enable or disable (by default) cache collaboration.

device-id <id>

Device ID of this device. The default is set to default_dev_id.

acceptable-connections {any | peers}

Determine how the device accepts collaboration connections:

- any: Accept any cache-collaboration connection (set by default). Devices that are not configured as peers can join.
- peers: Only accept connections from peers already configured in src-peer (see above).

content-delivery-network-rule

Use this command to configure WAN optimization Content Delivery Network (CDN) rules, allowing content to be served with high availability and increased performance.

The following rules are already available by default:

- update://windowsupdate/
- vcache://
- vcache://2mdn-ads/
- vcache://amazonaws-ads/
- vcache://aol/
- vcache://break/
- vcache://cbc/
- vcache://clipfish/
- vcache://cnn/
- vcache://dailymotion/
- vcache://discovery/
- vcache://edgesuite-ads/
- vcache://eyereturn-ads/
- vcache://eyewonder-ads/
- vcache://foxnews/
- vcache://googlevideo/
- vcache://gorillanation-ads/
- vcache://howcast/
- vcache://liveleak
- vcache://llnwd/
- vcache://maker.tv/
- vcache://metacafe/
- vcache://ms-ads/
- vcache://ooyala/
- vcache://pornhub/
- vcache://redtube/
- vcache://serving-sys-ads/
- vcache://stupidvideos/
- vcache://tube8/
- vcache://tudou/
- vcache://vevo/
- vcache://vimeo/
- vcache://xtube/
- vcache://yahoo/
- vcache://youku/
- vcache://youporn/
- vcache://youtube/
- vcache://yumenetworks-ads/

config rules

Use this configuration method to create and edit WAN optimization CDN rules.

config match-entries

Use this configuration method to create and edit rule match entries.

target {path | parameter | referrer | youtube-map | youtube-id}

Part of the HTTP header or URL to match:

- path: Entire URL path (set by default).
- parameter: URL parameters.
- referrer: Referrer from the HTTP header.
- youtube-map: YouTube Content ID collection.
- youtube-id: YouTube Content ID.

pattern <name>

Referrer or URL pattern.

config skip-entries

Use this configuration method to create and edit rule skip entries.

target {path | parameter | referrer | youtube-map | youtube-id}

Part of the HTTP header or URL to match:

- path: Entire URL path (set by default).
- parameter: URL parameters.
- referrer: Referrer from the HTTP header.
- youtube-map: YouTube Content ID collection.
- youtube-id: YouTube Content ID.

pattern <name>

Referrer or URL pattern.

config content-id

Use this configuration method to define how the content ID is extracted from a matched request.

target {path | parameter | referrer | youtube-map | youtube-id | hls-manifest | hls-fragment}

Part of the HTTP header or URL to match:

- path: Entire URL path (set by default).
- parameter: URL parameters.
- referrer: Referrer from the HTTP header.
- youtube-map: YouTube Content ID collection.
- youtube-id: YouTube Content ID.
- hls-manifest: HTTP Live Streaming (HLS) manifest.
- hls-fragment: HLS fragment.

start-str <start-string>

Text string at which to start the search.

start-skip <number>

Number of characters in the URL to skip after start-str has been matched. The default is set to 0.

start-direction {forward | backward}

Search direction from the start-str match: forward (set by default) or backward.

end-str <end-string>

Text string at which to end the search.

end-skip <number>

Number of characters in the URL to skip after end-str has been matched. The default is set to 0.

end-direction {forward | backward}

Search direction from the end-str match: forward (set by default) or backward.

range-str <name>

Name of the Content ID within the start and end strings.

match-mode {all | any}

Criteria the FortiCache must match in order to collect the content ID:

- all: Must match all the match entries (set by default).
- any: Must match any of the match entries.

skip-rule-mode {all | any}

Criteria the FortiCache uses to skip rules:

- all: Must match all skip entries (set by default).
- any: Must match any of the skip entries.

comment <comment>

Optional comments.

status {enable | disable}

Enable (by default) or disable the WAN optimization CDN rule.

host-domain-name-suffix <fqdn-suffix>

Suffix of the FQDN (e.g. example.com).

category {vcache | youtube}

CDN rule category: Vcache CDN (set by default) or YouTube CDN.

request-cache-control {enable | disable}

Enable or disable (by default) HTTP request cache control.

response-cache-control {enable | disable}

Enable or disable (by default) HTTP response cache control.

updateserver {enable | disable}

Enable or disable (by default) updating the server.

peer

Use this command to create and edit WAN optimization peers: the other FortiCache units with which this FortiCache can form WAN optimization tunnels. Each peer is identified by its host ID.

To set the local host ID of this FortiCache, use the config wanopt settings command.

ip <address>

IP address of the interface that the remote FortiCache uses to connect to the local FortiCache.

profile

Use this command to create and edit WAN optimization profiles, which define how traffic is optimized. Note that no traffic is processed without first being accepted by a firewall policy. All sessions accepted by a firewall policy that also match a WAN optimization profile are processed by WAN optimization.

WAN optimization profiles must be added at each end of the tunnel. Firewall policies use the specified WAN optimization profile to determine how to optimize the traffic over the WAN.

config {http | cifs | mapi | ftp | tcp}

Use these configuration methods to configure WAN optimization separately for each supported protocol: HTTP, CIFS, MAPI, FTP, and TCP.

status {enable | disable}

Enable or disable (by default) the profile.

secure-tunnel {enable | disable}

Enable or disable (by default) encrypting the traffic in the WAN optimization tunnel; FortiASIC acceleration is used for the SSL encryption and decryption of the secure tunnel. The secure tunnel uses the same TCP port as a non-secure tunnel (TCP port 7810). With it disabled, the optimized and byte-cached data crosses the WAN in cleartext.

byte-caching {enable | disable}

Note: This entry is set to enable by default for all protocols except tcp.

Enable or disable WAN optimization byte caching for the traffic accepted by this profile. Byte caching is a WAN optimization technique that reduces the amount of data that has to be transmitted across a WAN by caching file data to serve it later as required.

byte-caching-opt {mem-only | mem-disk}

Note: This entry is only available when configuring tcp.

Determine whether byte-caching optimization uses memory only (set by default) or both memory and disk.

prefer-chunking {dynamic | fix}

Note: This entry is only available when configuring http, cifs, and ftp.

Chunking preference:

- dynamic: Dynamic data chunking, which helps to detect persistent data chunks in a changed file or in an embedded unknown protocol.
- fix: Fixed data chunking (set by default).

Note that TCP and MAPI do not have this entry. For TCP, if byte-caching-opt is set to mem-disk, its chunking algorithm is dynamic. For MAPI, only dynamic chunking is used.

tunnel-sharing {private | shared | express-shared}

Tunnel sharing mode for this tunnel:

- private: For profiles that accept aggressive protocols such as HTTP and FTP, so they do not share tunnels with less-aggressive protocols (set by default).
- shared: For profiles that accept non-aggressive and non-interactive protocols.
- express-shared: For profiles that accept interactive protocols, such as Telnet.

log-traffic {enable | disable}

Enable (by default) or disable traffic logging.

port <port>

Port number or port range for the profile. Only packets whose destination port matches this port number or range are accepted by and subject to this profile.

The default value depends on the protocol being configured: http is set to 80, cifs to 445, mapi to 135, ftp to 21, and tcp to 1-65535.

ssl {enable | disable}

Note: This entry is only available when configuring http and tcp.

Enable or disable (by default) SSL offloading for HTTPS traffic from one or more HTTP servers. If set to enable, you must add an SSL server for each HTTP server whose SSL encryption/decryption you want to offload; see config wanopt ssl-server.

unknown-http-version {reject | tunnel | best-effort}

Note: This entry is only available when configuring http.

Determine how the profile handles HTTP traffic that does not comply with HTTP 0.9, 1.0, or 1.1:

- reject: Drops HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
- tunnel: Passes HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte caching, or web caching. TCP protocol optimization is still applied (set by default).
- best-effort: Assumes all HTTP sessions accepted by the profile comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, WAN optimization may not parse it correctly; sessions may stop being forwarded, and the session and connection may be lost.

tunnel-non-http {enable | disable}

Note: This entry is only available when configuring http.

Determine how to process non-HTTP traffic when a profile configured to accept and optimize HTTP traffic accepts a non-HTTP session. This can occur if an application sends non-HTTP traffic to an HTTP destination port.

Enable to pass non-HTTP sessions through the tunnel without applying protocol optimization, byte caching, or web caching; TCP protocol optimization is still applied. Disable (by default) to drop non-HTTP sessions accepted by the profile.

transparent {enable | disable}

Enable (by default) or disable transparent mode.

comments <comment>

Optional comments.

auth-group <name>

Peer authentication group to apply to the profile. To create peer authentication groups, use the config wanopt auth-group command.

settings

Use this command to set the WAN optimization local host ID and tunnel negotiation options, and to enable traffic logging for WAN optimization and WAN optimization web caching sessions.

host-id <id>

Local host ID. WAN optimization can only be performed with other FortiCaches that have this host ID in their peer list.

tunnel-ssl-algorithm {high | medium | low}

Encryption strength accepted for SSL tunnel negotiation:

- high: Allows AES and 3DES.
- medium: Allows AES, 3DES, and RC4 (set by default).
- low: Allows AES, 3DES, RC4, and DES.

The default still admits RC4, and low additionally admits single DES; set high unless a peer cannot negotiate AES.

auto-detect-algorithm {simple | diff-req-resp}

Auto-detection algorithm used in tunnel negotiation:

- simple: Uses the same TCP option value in SYN and SYN/ACK packets (set by default).
- diff-req-resp: Uses different TCP option values in SYN and SYN/ACK packets to avoid false-positive detection.
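The following configuration is an added example and is not part of the FortiCache reference. It ties together the four commands that govern a WAN optimization tunnel's security (settings, peer, auth-group and profile): the local host ID is set, exactly one named peer is allowed to use a certificate-based authentication group, the tunnel cipher strength is raised from the default medium to high, and the HTTP profile is made to encrypt the tunnel and drop anything that is not recognisable HTTP. The host IDs, the peer address and the certificate name Corp_WANopt_Cert are assumed values, and the peer table is keyed by the remote unit's host ID; lines beginning with # are annotations.

```fortios
config wanopt settings
    set host-id "dc-forticache-1"          # the remote unit must list this ID in its peer table
    set tunnel-ssl-algorithm high          # AES/3DES only; medium (default) also admits RC4
end

config wanopt peer
    edit "branch-forticache-1"             # remote unit's host-id (assumed)
        set ip 198.51.100.20               # assumed address the branch connects from
    next
end

config wanopt auth-group
    edit "branch-tunnel-auth"
        set auth-method cert               # certificate rather than a shared psk
        set cert "Corp_WANopt_Cert"        # local certificate from config vpn certificate local (assumed name)
        set peer-accept one                # default any lets every peer use this group
        set peer "branch-forticache-1"
    next
end

config wanopt profile
    edit "branch-http"
        set transparent enable
        set auth-group "branch-tunnel-auth"
        config http
            set status enable
            set secure-tunnel enable        # default disable sends optimized data in cleartext on TCP 7810
            set byte-caching enable
            set tunnel-sharing private
            set unknown-http-version reject # default tunnel forwards unparsed traffic unoptimized
            set tunnel-non-http disable     # drop non-HTTP sessions arriving on port 80
        end
    next
end
```

The same auth-group, with its peer entry pointing back at dc-forticache-1, has to exist on the branch unit, since profiles and authentication groups are configured at both ends of the tunnel.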

ssl-server

Use this command to create and edit one or more SSL servers to support WAN optimization SSL offloading. WANoptimization supports SSL encryption/decryption offloading for HTTP servers. You enable WAN optimization SSLoffloading by enabling the ssl field in a WAN optimization profile; see config wanopt profile for more information.

ip <address>IP address for the SSL server. This IP address should be the same as the IP address of the HTTP server that thisSSL server will be offloading for.


When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination IP address of the session is matched with this IP address to select the SSL server configuration to use.

port <port>
Port number to be used by the SSL server; typically this would be set to port 443 for an HTTPS server. The default is set to 0.

ssl-mode {half | full}
Determine whether the SSL server operates in half mode or full mode (set by default). In half mode, SSL is terminated on the server-side FortiCache unit and the backend server is offloaded, that is, the connection from the FortiCache unit to the backend server is not encrypted. In full mode, the FortiCache unit decrypts the client session and encrypts it again on the connection to the backend server.

ssl-cert <certificate>
Local certificate to be used for this SSL server.

ssl-dh-bits {768 | 1024 | 1536 | 2048}
Diffie-Hellman (DH) prime size to be used in DHE_RSA negotiation. The default is set to 1024. Note that 768-bit and 1024-bit DH groups are no longer considered adequate against a well-resourced attacker; choose 2048 unless a client cannot negotiate it.

ssl-algorithm {high | medium | low}
Determine the permitted encryption algorithms for SSL sessions according to strength:

- high: AES and 3DES.
- medium: AES, 3DES, and RC4 (set by default).
- low: AES, 3DES, RC4, and DES.

As with tunnel-ssl-algorithm under config wanopt settings, RC4 and DES are obsolete ciphers; set high unless a client can only negotiate a weaker suite.

ssl-client-renegotiation {allow | deny | secure}
Status of client renegotiation:

- allow: Allows client renegotiation (set by default).
- deny: Aborts any SSL connection that attempts to renegotiate.
- secure: Rejects any SSL connection that does not offer the Secure Renegotiation Indication extension (for more information, see RFC 5746).

Client-initiated renegotiation without RFC 5746 is the mechanism behind the TLS renegotiation plaintext-injection attack (CVE-2009-3555); change the default allow to secure, or to deny if no client needs to renegotiate.

ssl-min-version {ssl-3.0 | tls-1.0}
Lowest or oldest SSL/TLS version to offer when negotiating. The default is set to ssl-3.0. SSL 3.0 has been formally deprecated (RFC 7568) and is vulnerable to the POODLE padding-oracle attack; set this to tls-1.0 so that SSL 3.0 is never offered.

ssl-max-version {ssl-3.0 | tls-1.0}
Highest or newest SSL/TLS version to offer when negotiating. The default is set to tls-1.0; leave it there, since setting it to ssl-3.0 would restrict negotiation to SSL 3.0, which is less secure than TLS 1.0.


ssl-send-empty-frags {enable | disable}
Enable (by default) or disable sending an empty fragment before sending the actual payload. Sending an empty fragment is a technique used to counter chosen-plaintext attacks on cipher-block chaining (CBC) mode when the initialization vector (IV) of the next record is predictable, as it is in SSL 3.0 and TLS 1.0 (the weakness exploited by BEAST). Keep this enabled wherever possible.

Note that some SSL implementations are not compatible with empty fragments; if your SSL implementation requires it, set ssl-send-empty-frags to disable.
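The following configuration applies the recommendations above to a WAN optimization tunnel and to one SSL offload server. It is an added example, not taken from the original reference or from Fortinet: the host ID, server name, the address 10.0.0.10 and the certificate name are placeholders, while the fields and values are the ones documented in this chapter. Lines starting with # are comments.

```text
# Added example (not from the original reference). Placeholders: host ID,
# server name, 10.0.0.10 and the certificate name.
config wanopt settings
    set host-id "forticache-a"
    # default medium still accepts RC4
    set tunnel-ssl-algorithm high
end

config wanopt ssl-server
    edit "intranet-web"
        # address of the HTTP server being offloaded
        set ip 10.0.0.10
        set port 443
        # full: re-encrypt the connection to the backend server
        set ssl-mode full
        set ssl-cert "intranet-web-cert"
        # default medium allows RC4
        set ssl-algorithm high
        # default 1024 is too small
        set ssl-dh-bits 2048
        # default allow; use deny if no client needs to renegotiate
        set ssl-client-renegotiation secure
        # default ssl-3.0 (deprecated, POODLE)
        set ssl-min-version tls-1.0
        set ssl-max-version tls-1.0
        # default enable; disable only if a client breaks
        set ssl-send-empty-frags enable
    next
end
```

After committing with end, entering get inside config wanopt ssl-server, edit "intranet-web" lists every value in effect, including the defaults you did not change, which is the quickest way to confirm that no weak setting was left at its default.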

storage

Use this command to edit the usage-types for WAN optimization storage disks.

usage_type {wanopt_only | webcache_only | wanopt_webcache}
Usage type for this storage disk: WAN optimization only, web cache only, or both WAN optimization and web cache (set by default).

status {enable | disable}
Enable (by default) or disable WAN optimization storage on this disk.

webcache

Use this command to determine how the WAN optimization web cache operates. In most cases the default settings are acceptable; however, you may want to change these settings to improve performance or optimize the cache for your configuration.

max-object-size <kb>
Maximum size of objects to cache, in kB. Set the value between 1-2147483 (or 1 kB to just over 2 GB). The default is set to 512000 (or 512 MB).

Note that all retrieved objects that exceed the maximum size are still delivered to the client, but are not stored in the web cache.

neg-resp-time <minutes>
Period of time in minutes to cache negative (error) responses. The default is set to 0, whereby no negative responses are cached.

fresh-factor <percentage>
Fresh factor as a percentage. For cached objects that have no expiry time, the web cache periodically checks the server to see if the object has expired; the higher the fresh factor, the less often the checks occur. Set the value between 1-100. The default is set to 100.


max-ttl <minutes>
Maximum time-to-live in minutes, or the maximum amount of time an object can stay in the web cache without checking to see if it has expired on the server. Set the value between 1-5256000 (or one minute to ten years). The default is set to 7200 (or five days).

min-ttl <minutes>
Minimum time-to-live in minutes, or the minimum amount of time an object can stay in the web cache without checking to see if it has expired on the server. Set the value between 1-5256000 (or one minute to ten years). The default is set to 5.

default-ttl <minutes>
Default expiry time for objects that do not have any expiry time set by the web server. Set the value between 1-5256000 (or one minute to ten years). The default is set to 1440 (or one day).

ignore-ims {enable | disable}
By default, if the time specified by the If-Modified-Since (IMS) header in the client's conditional request is later than the last-modified time of the object in the cache, it is taken as a strong indication that the cached copy is stale, and the cache sends a conditional GET to the origin content server (OCS) based on the last-modified time of the cached object. Enable ignore-ims to override this behavior. The default is set to disable.

ignore-conditional {enable | disable}
Enable or disable (by default) ignoring the cache-control directives in client requests. HTTP 1.1 gives the client additional control over how caches treat the staleness of an object; enabling this entry makes the cache disregard those client-side directives.

ignore-pnc {enable | disable}
Enable or disable (by default) ignoring pragma-no-cache (PNC) header requests, resulting in increased performance and a decrease in server-side bandwidth utilization.

ignore-ie-reload {enable | disable}
Enable (by default) or disable ignoring the PNC interpretation of Internet Explorer Accept: / headers upon refresh.

cache-expired {enable | disable}
Enable or disable (by default) the caching of type-1 objects that are already expired at the time of acquisition, so long as all other conditions are met to make the object cacheable.

cache-cookie {enable | disable}
Enable or disable (by default) caching of responses that carry cookies. Typically an HTTP response with a cookie contains data for a specific user, so it is recommended not to enable cookie caching.


reval-pnc {enable | disable}
The PNC header in a client's request can reduce efficiency from a bandwidth-gain perspective. If you do not want to ignore PNC in client requests completely, you can lower its impact by enabling reval-pnc. As a result, a client's non-conditional PNC GET request results in a conditional GET request being sent to the origin content server (OCS) if the object is already in the cache. This gives the OCS a chance to return a 304 Not Modified response, consuming less server-side bandwidth, because it is not forced to return full content even though the content has not actually changed.

The default is set to disable. Note that most download managers make byte-range requests with a PNC header. To serve such requests from the cache, it is recommended to set reval-pnc to enable.

always-revalidate {enable | disable}
Enable or disable (by default) revalidating requested cached objects against the content on the server before serving them to the client.

cache-by-default {enable | disable}
Enable or disable (by default) caching of content lacking an explicit caching policy from the server.

host-validate {enable | disable}
Enable or disable (by default) validating the Host: header of a request against the IP address of the original server. Enabling it stops a request whose Host: header names one site from being served from, or stored into, the cache entry of a different origin, which is a common route to poisoning a shared cache.

ssl_algorithm {high | medium | low}
Determine the permitted encryption algorithms for SSL sessions according to strength:

- high: AES and 3DES.
- medium: AES, 3DES, and RC4 (set by default).
- low: AES, 3DES, RC4, and DES.


web-proxy

Use config web-proxy to configure the following web proxy related options:

- debug-url
- explicit
- forward-server
- forward-server-group
- global
- profile
- url-match

debug-url

Use this command to configure debug URL addresses.

url-pattern <url>
URL exemption pattern/address.

status {enable | disable}
Enable (by default) or disable this URL exemption.

exact {enable | disable}
Enable (by default) or disable matching the exact URL path.

explicit

Use this command to configure explicit web proxy options, including the TCP port used by the explicit proxy.

status {enable | disable}
Enable or disable (by default) the explicit web proxy for HTTP and HTTPS sessions.

interface <name>
Name of the interface.


ftp-over-http {enable | disable}
Enable or disable (by default) FTP-over-HTTP, where the explicit proxy proxies FTP sessions sent from a web browser. Note that the explicit proxy only supports FTP from a web browser, not from a standalone FTP client.

socks {enable | disable}
Enable or disable (by default) proxying of SOCKS sessions sent from a web browser.

http-incoming-port <port>
Port number that HTTP traffic from client web browsers will use to connect to the explicit proxy. Note that explicit proxy users must configure their web browser's HTTP proxy settings to use this port. The default is set to 8080.

https-incoming-port <port>
Port number that HTTPS traffic from client web browsers will use to connect to the explicit proxy. Note that explicit proxy users must configure their web browser's HTTPS proxy settings to use this port. The default is set to 0, whereby it uses the same port as HTTP.

incoming-ip <address>
Incoming IPv4 address of a FortiCache interface that should accept sessions for the explicit web proxy. Entering an IP address restricts the explicit web proxy to only accept sessions on this particular interface.

ipv6-status {enable | disable}
Enable or disable (by default) IPv6 web proxy destinations in policies.

incoming-ip6 <address>
Note: This entry is only available when both status and ipv6-status are set to enable.

Incoming IPv6 address of a FortiCache interface that should accept sessions for the explicit web proxy. Entering an IP address restricts the explicit web proxy to only accept sessions on this particular interface.

strict-guest {enable | disable}
Enable or disable (by default) strict guest user checking in the explicit proxy.

pref-dns-result {ipv4 | ipv6}
Note: This entry is only available when both status and ipv6-status are set to enable.

Preferred DNS result type: IPv4 (set by default) or IPv6.

unknown-http-version {reject | best-effort}
Action to take when the proxy must handle a request or message with an unknown HTTP version:

- reject: Treats unknown HTTP traffic as malformed and drops it (set by default).
- best-effort: Attempts to handle the HTTP traffic as best it can.

realm <name>
Name of an authentication realm to identify the explicit web proxy, up to a maximum of 63 characters. Enclose the realm's name in quotes if it includes spaces. Only alphanumeric characters are permitted; no special characters. The default is set to default.

sec-default-action {accept | deny}
Action to take if no explicit web proxy firewall policies have been created:

- accept: Accept the session.
- deny: Deny the session (set by default).

To add firewall policies for the explicit web proxy, create a firewall policy and set the source interface to web-proxy under config firewall policy.

https-replacement-message {enable | disable}
Enable (by default) or disable returning replacement messages for SSL requests.

message-upon-server-error {enable | disable}
Enable (by default) or disable returning replacement messages upon server error detection.

pac-file-server-status {enable | disable}
Enable or disable (by default) support for proxy auto-config (PAC). Once enabled, you can configure a PAC file on the FortiCache unit and distribute the URL of this file to your web browser users. These users can enter this URL as an automatic proxy configuration URL and their browsers will automatically download the proxy configuration settings. Because the PAC file decides where every request from those browsers is sent, treat pac-file-data as security-relevant configuration.

Note that you can view the pac-file-url by entering get. This value is determined by the FortiCache unit's IP address, the incoming port for HTTP, and the pac-file-name (see the default example below):

http://<FORTICACHE_IP>:8080/proxy.pac

pac-file-server-port <port>
Note: This entry is only available when pac-file-server-status is set to enable.

Port number that PAC traffic from client web browsers uses to connect to the explicit proxy. Note that explicit proxy users must configure their web browser's PAC settings to use this port. The default is set to 0, whereby it uses the same port as HTTP.

pac-file-name <name>
Note: This entry is only available when pac-file-server-status is set to enable.

Name of the PAC file. The default is set to proxy.pac.


pac-file-data <data>
Note: This entry is only available when pac-file-server-status is set to enable.

Contents of the PAC file made available from the explicit proxy server for PAC support. Enclose the PAC file text in quotes. You can also copy the contents of a PAC text file and paste them into the CLI using this option: enter the command followed by two quotation marks, and paste the file content between the quotation marks.

The maximum PAC file size is 8192 bytes. You can use any PAC file syntax that is supported by your users' browsers.

ssl-algorithm {high | medium | low}
Determine the permitted encryption algorithms for SSL sessions according to strength:

- high: AES and 3DES.
- medium: AES, 3DES, and RC4 (set by default).
- low: AES, 3DES, RC4, and DES.
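A complete explicit proxy setup using the options in this section, added here as an illustration rather than taken from the original reference: the interface name port2, the listener address 192.0.2.1, the realm name, the *.corp.example domain and the PAC contents are placeholders. The PAC body is JavaScript and must be entered as a single quoted string; using single quotes inside it avoids escaping the CLI's double quotes.

```text
# Added example (not from the original reference). Placeholders: port2,
# 192.0.2.1, the realm, *.corp.example and the PAC contents.
config web-proxy explicit
    set status enable
    set interface "port2"
    # only accept proxy sessions arriving on this interface address
    set incoming-ip 192.0.2.1
    set http-incoming-port 8080
    # 0 = HTTPS proxy requests share port 8080
    set https-incoming-port 0
    set ftp-over-http disable
    set socks disable
    # drop anything that is not recognisable HTTP
    set unknown-http-version reject
    # no policy, no access (the default, kept explicit)
    set sec-default-action deny
    # alphanumeric characters only
    set realm "corpproxy"
    set ssl-algorithm high
    # PAC is then served at http://192.0.2.1:8080/proxy.pac
    set pac-file-server-status enable
    set pac-file-name "proxy.pac"
    set pac-file-data "function FindProxyForURL(url, host) { if (isPlainHostName(host) || shExpMatch(host, '*.corp.example')) { return 'DIRECT'; } return 'PROXY 192.0.2.1:8080'; }"
end
```

Sessions are still denied until a firewall policy with the source interface set to web-proxy exists, as noted under sec-default-action. Browsers pointed at the automatic configuration URL http://192.0.2.1:8080/proxy.pac receive the script above, which sends unqualified and internal host names direct and everything else through the proxy.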

forward-server

Use this command to support explicit web proxy forwarding, also called proxy chaining.

ip <address>
Note: This entry is only available when addr-type is set to ip.

IP address of the forwarding proxy server.

fqdn <address>
Note: This entry is only available when addr-type is set to fqdn.

FQDN of the forwarding web proxy server.

addr-type {ip | fqdn}
Proxy address type: IP (set by default) or FQDN.

port <port>
Port number that the forwarding web proxy server uses to receive HTTP sessions. The default is set to 3128.

healthcheck {enable | disable}
Enable or disable (by default) the proxy server health check. Health checking attempts to connect to a web server through the forwarding server to make sure that the remote forwarding server is operating.


monitor <url>
Note: This entry is only available when healthcheck is set to enable.

URL to use for health check monitoring. This is a URL that the web proxy attempts to connect to through the forwarding server. If the web proxy cannot connect to this URL, it assumes the forwarding server is down. The default is set to http://www.google.com.

server-down-option {block | pass}
Action to take when the forwarding proxy server is down:

- block: Block sessions until the server comes back up (set by default).
- pass: Allow sessions to connect to their destination.

comment <comment>
Optional comments.

forward-server-group

Use this command to configure a load-balanced group of web proxy forward servers.

config server-list
Use this configuration method to add forward servers to the group and set their load-balancing weights.

weight <weight>

Note: This entry is only available if ldb-method is set to weighted before entering this configuration method.

Weight of this server for load balancing. Set the value between 1-100. The default is set to 10.

affinity {enable | disable}
Enable (by default) or disable attaching a source IP's traffic to its assigned forward server until the forward-server-affinity-timeout is reached (see config web-proxy global).

ldb-method {weighted | least-session}
Load-balancing method:

- weighted: Distribute to servers based on weight (set by default).
- least-session: Distribute to the server with the lowest session count.

group-down-option {block | pass}
Action to take if all forward servers are down: block traffic (set by default) or pass traffic through.


global

Use this command to configure settings that control how the web proxy functions and handles web traffic. In most cases you should not have to change the default settings of this command.

proxy-fqdn <fqdn>
FQDN for the proxy; the domain that clients connect to. The default is set to default.fqdn.

max-request-length <kb>
Maximum length of the HTTP request line, in kB. Set the value between 2-64. The default is set to 4.

max-message-length <kb>
Maximum length of the HTTP message (not including the body), in kB. Set the value between 16-256. The default is set to 32.

strict-web-check {enable | disable}
Enable or disable (by default) strict web checking. If enabled, web sites that send incorrect headers that do not conform to HTTP 1.1 are blocked. If disabled, web sites that send incorrect headers are allowed and cached.

forward-proxy-auth {enable | disable}
Enable or disable (by default) forwarding proxy authentication headers.

tunnel-non-http {enable | disable}
Enable (by default) or disable allowing non-HTTP traffic through the proxy. Disable this if the proxy ports should carry only HTTP; while it is enabled, any TCP protocol can be tunneled through them.

unknown-http-version {reject | tunnel | best-effort}
Action to take if the HTTP version is unknown:

- reject: Reject the traffic.
- tunnel: Tunnel the traffic.
- best-effort: Proceed with best effort (set by default).

forward-server-affinity-timeout <minutes>
Period of time in minutes that a source IP's traffic remains attached to its assigned forward server. Set the value between 6-60 (or six minutes to one hour). The default is set to 30.

webproxy-profile <name>
Name of the web proxy profile to use when there are no matching policies.


explicit-outgoing-ip <address>
IPv4 address from which outgoing HTTP requests made by the explicit web proxy leave the unit. Note that an interface must have this IPv4 address.

explicit-outgoing-ip6 <address>
IPv6 address from which outgoing HTTP requests made by the explicit web proxy leave the unit. Note that an interface must have this IPv6 address.

profile

Use this command to configure web proxy profiles that control how the web proxy functions and handles web traffic.

config headers
Use this configuration method to create and edit headers and the actions to take on them.

name <name>

HTTP forwarded header name.

action {add-to-request | add-to-response | remove-from-request | remove-from-response}

Header action. The default is set to add-to-request.

content <content>

Header content.

header-client-ip {pass | add | remove}
Action to take on the Client-IP header in forwarded requests. The default is set to pass.

header-via-request {pass | add | remove}
Action to take on the Via header in forwarded requests. The default is set to pass.

header-via-response {pass | add | remove}
Action to take on the Via header in forwarded responses. The default is set to pass.

header-x-forwarded-for {pass | add | remove}
Action to take on the X-Forwarded-For header in forwarded requests. The default is set to pass. Note that add discloses the internal client address to the destination server, while pass forwards whatever value the client itself supplied, which is trivially spoofed; use remove where neither is wanted. The same applies to header-client-ip.

header-front-end-https {pass | add | remove}
Action to take on the Front-End-Https header in forwarded requests. The default is set to pass.

url-match

Use this command to define URLs for forward-matching or cache exemption.

status {enable | disable}
Enable (by default) or disable this per-URL-pattern web proxy forwarding or cache exemption entry.

url-pattern <url>
URL pattern.

forward-server <name>
Name of the forward server to which matching URLs are sent.

cache-exemption {enable | disable}
Enable or disable (by default) cache exemption, whereby this URL pattern is exempted from caching.

comment <comment>
Optional comments.
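The following configuration chains the explicit proxy to two upstream proxies, strips client-identifying headers from forwarded requests, and pins one site to a specific upstream, using the forward-server, forward-server-group, global, profile and url-match commands described above. It is an added example, not from the original reference: the server names, the address 198.51.100.10, the FQDN, the monitor URL, the weights, the URL pattern and the numeric key of the config headers entry are placeholders or assumptions.

```text
# Added example (not from the original reference). Placeholders: names,
# 198.51.100.10, proxy-b.example.net, the monitor URL, weights and pattern.
config web-proxy forward-server
    edit "upstream-a"
        set addr-type ip
        set ip 198.51.100.10
        set port 3128
        # mark the server down when this URL cannot be fetched through it
        set healthcheck enable
        set monitor "http://www.example.com/"
        # default: block rather than bypass the chain when it is down
        set server-down-option block
    next
    edit "upstream-b"
        set addr-type fqdn
        set fqdn "proxy-b.example.net"
        set port 3128
        set healthcheck enable
        set monitor "http://www.example.com/"
        set server-down-option block
    next
end

config web-proxy forward-server-group
    edit "upstream-pool"
        set ldb-method weighted
        # keep a client on one upstream for forward-server-affinity-timeout
        set affinity enable
        set group-down-option block
        config server-list
            edit "upstream-a"
                set weight 70
            next
            edit "upstream-b"
                set weight 30
            next
        end
    next
end

config web-proxy profile
    edit "strip-client-identity"
        # do not tell upstream servers who the internal client is
        set header-client-ip remove
        set header-x-forwarded-for remove
        set header-via-request remove
        set header-via-response remove
        config headers
            edit 1
                # drop the backend's Server banner from responses
                set name "Server"
                set action remove-from-response
            next
        end
    next
end

config web-proxy global
    set forward-server-affinity-timeout 30
    # applied when no policy selects a profile
    set webproxy-profile "strip-client-identity"
end

config web-proxy url-match
    edit "partner-portal"
        set status enable
        # always sent via upstream-a and never cached
        set url-pattern "portal.partner.example/*"
        set forward-server "upstream-a"
        set cache-exemption enable
    next
end
```

Both server-down-option and group-down-option are left at block: pass would let sessions leave directly, without the upstream proxy's controls, whenever the chain fails, so it should only be chosen where that fallback is acceptable.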


webfilter

Use config webfilter to configure the following web filter related options:

- content
- content-header
- fortiguard
- ftgd-local-cat
- ftgd-local-rating
- override
- profile
- search-engine
- urlfilter

content

Use this command to control web content by blocking or exempting words, phrases, or patterns. Each time a block match is found, the values assigned to the pattern are totalled. If a user-defined threshold value is exceeded, the web page is blocked.

When a single word is entered, web pages are checked for that word. Add phrases by enclosing the phrase in 'single quotes'.

When a phrase is entered, web pages are checked for any word in the phrase. Add exact phrases by enclosing the phrase in "quotation marks".

Create patterns using wildcards or Perl regular expressions.

Note: Perl regular expression patterns are case sensitive for web content filtering. To make a word or phrase case insensitive, append the /i modifier to the regular expression. For example, /bad language/i blocks all instances of bad language, regardless of case. Wildcard patterns are not case sensitive.

config entries
Use this configuration method to configure options for each pattern, such as language, score, and the action to take when a match occurs.

pattern-type {wildcard | regexp}

Pattern type for the content: Perl regular expression or wildcard (set by default).

status {enable | disable}

Enable or disable (by default) the content entry.


lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}

Language character set used for the content: Western (American English; set by default), Simplified Chinese, Traditional Chinese, Japanese, Korean, French, Thai, Spanish, or Cyrillic.

score <score>

Numerical weighting applied to the content, which is added to the web page's overall score; if the total is greater than the bword-threshold entry (see config webfilter profile), the page is processed according to the banned word options set in the web filter profile. The score for banned content is counted once even if it appears multiple times on the web page. The default is set to 10.

action {block | exempt}

Determine whether to block (set by default) or exempt the web page if the pattern matches.

If the pattern matches and is blocked, the score is added to the total for the web page. The page is blocked if the total score of the web page exceeds the web content block threshold defined in the web filter profile.

If the pattern matches and is exempted, the web page will not be blocked even if there are matching block entries.

name <name>
Name of the banned word list.

comment <comment>
Optional comments.

content-header

Use this command to filter web content according to the MIME content header. You can use this feature to broadly block content by type, but it is also useful to exempt audio and video streaming files from antivirus scanning, as scanning these file types can be problematic.

config entries
Use this configuration method to create and edit pattern match entries.

action {block | allow | exempt}

Action to take when a pattern match occurs:

- block: If the pattern matches, block the content.
- allow: If the pattern matches, permit the content (set by default).
- exempt: If the pattern matches, exempt the content from antivirus scanning.

category {1 | 2 | 3 | ... }

FortiGuard category to match. To enter multiple categories, separate each entry with a space.

To see the full list of available categories, enter set category ?.

name <name>
Name of the content header list.

comment <comment>
Optional comments.

fortiguard

Use this command to enable web filtering by specific categories using FortiGuard web URL filtering.

cache-mode {ttl | db-ver}
Cache entry expiration mode:

- ttl: Cache entries are deleted after a number of seconds determined by the cache-ttl value (see config system fortiguard) (set by default).
- db-ver: Cache entries are kept until the FortiGuard database changes, or until newer cache entries force the removal of older ones.

cache-prefix-match {enable | disable}
Enable (by default) or disable prefix matching.

cache-mem-percent <percentage>
Maximum percentage of memory the cache will use. Set the value between 1-15. The default is set to 2.

ovrd-auth-port-http <port>
Port number to use for FortiGuard web filter HTTP override authentication. The default is set to 8008.

ovrd-auth-port-https <port>
Port number to use for FortiGuard web filter HTTPS override authentication. The default is set to 8010.

ovrd-auth-port-warning <port>
Port number to use for FortiGuard web filter warning override authentication. The default is set to 8020.

ovrd-auth-https {enable | disable}
Enable (by default) or disable using HTTPS for override authentication.


warn-auth-https {enable | disable}
Enable (by default) or disable using HTTPS for warning and authentication.

close-ports {enable | disable}
Enable or disable (by default) closing the ports used for HTTP and/or HTTPS authentication. Enabling this entry also disables user overrides.

request-packet-size-limit <bytes>
Maximum packet size in bytes. This can be useful because, in some cases, FortiGuard request packets may be dropped due to IP fragmentation. Set the value between 576-10000 (or 576 bytes to 10 kB). The default is set to 0, which uses the built-in default size of 1,100 bytes.

ovrd-auth-hostname <name>
Host name to use for FortiGuard web filter HTTPS override authentication.

ovrd-auth-cert <certificate>
Certificate name to use for FortiGuard web filter HTTPS override authentication. The default is set to Fortinet_Firmware.

ftgd-local-cat

Use this command to add local categories to the global URL category list. The categories defined here appear in the global URL category list when configuring a web filter profile. Users can rate URLs based on the local categories.

id <id>
Local category unique ID number. The default is set to 140.

ftgd-local-rating

Use this command to rate URLs using local categories. Users can create user-defined categories and then specify the URLs that belong to each category. This allows users to block groups of web sites on a per-profile basis. The user can also specify whether the local rating is used in conjunction with the FortiGuard rating or as an override.

status {enable | disable}
Enable (by default) or disable the local rating.


rating {1 | 2 | 3 | ... }
Categories and/or groups. To enter multiple codes, separate each entry with a space.

To view the full list of codes and categories, enter set rating ?.

override

Use this command to configure FortiGuard web filter administrative overrides.

status {enable | disable}
Enable or disable (by default) the override rule.

scope {user | user-group | ip | ip6}
Scope of the override rule. The default is set to user.

user <name>
Note: This entry is only available when scope is set to user.

Name of the user that the override rule applies to.

user-group <name>
Note: This entry is only available when scope is set to user-group.

Name of the user group that the override rule applies to.

ip <address>
Note: This entry is only available when scope is set to ip.

IPv4 address that the override rule applies to.

old-profile <name>
Name of the web filter profile that the override rule replaces. Note that this entry and the new-profile entry cannot be set to the same profile.

new-profile <name>
Name of the web filter profile that the override rule applies instead. Note that this entry and the old-profile entry cannot be set to the same profile.


ip6 <address>
Note: This entry is only available when scope is set to ip6.

IPv6 address that the override rule applies to.

expires <expiration>
Date and time the override expires, in the format yyyy/mm/dd hh:mm:ss. Set the value between five minutes from now and 365 days in the future.

initiator
Initiating user of the override; admin (set by default) is the only available option.

profile

Use this command to configure UTM FortiGuard web filtering profiles for firewall policies.

config override
Use this configuration method to configure web filtering overrides.

ovrd-scope {user | user-group | ip | ask}

Scope of the web filtering override: override for the user (set by default), for a user group, for the initiating IP address, or ask for the scope when initiating an override.

profile-type {list | radius}

Profile type: if the override profile is chosen from a list, set to list (set by default); if the profile is determined by a RADIUS server, set to radius.

ovrd-dur-mode {constant | ask}

FortiGuard web filtering override duration type:

- constant: Use the duration specified in the ovrd-dur entry (set by default).
- ask: Ask for the duration when initiating an override.

ovrd-dur <duration>

FortiGuard web filtering override duration in days, hours, and minutes, in any order. For example, 200d12h45m for 200 days, 12 hours, and 45 minutes. Set the value up to a maximum of 364d23h59m. The default is set to 15m.

profile-attribute <attribute>

Note: This entry is only available when profile-type is set to radius.

Name of the profile attribute to retrieve from the RADIUS server. The default is set to Login-LAT-Service.


ovrd-user-group <name>

Names of user groups that can be used for FortiGuard web filter overrides. To enter multiple groups, separate each entry with a space.

profile <name>

Note: This entry is only available when profile-type is set to list.

Name of the web filter profile.

config web
Use this configuration method to specify the web content filter and URL filter lists to use with the web filter profile, and to set other configuration settings such as the web content filter threshold.

bword-threshold <threshold>

If the combined scores of the web content filter patterns appearing in a web page exceed the threshold value, the web page is blocked. Set the value between 0-2147483647. The default is set to 10.

bword-table <id>

ID of the web content filter list to use with the web filter profile. The default is set to 0.

urlfilter-table <id>

ID of the URL filter list to use with the web filter profile. The default is set to 0.

content-header-list <list>

ID of the content header list to use with the web filter profile. The default is set to 0.

safe-search {url | header}

Determine whether safe search is based on the request URL or on the header.

youtube-edu-filter-id <id>

Note: This entry is only available when safe-search is set to header.

Account ID for the YouTube Education Filter.

log-search {enable | disable}

Enable or disable (by default) logging of all search phrases.

keyword-match <keywords>

Search keywords to log.

config ftgd-wf
Use this configuration method to configure FortiGuard web filtering options.


config filters

Use this configuration method to configure FortiGuard category filters and the action to take for each.

category {1 | 2 | 3 | ... }

Categories and groups the filter will examine. To enter multiple categories and groups, separate each entry with a space. The default is set to 0.

action {block | authenticate | monitor | warning}

Action to take for matches:

- block: Prevent the user from loading the web page.
- authenticate: Permit authenticated users to load the web page.
- monitor: Permit the user to load the web page but log the action (set by default).
- warning: Require that the user acknowledge a warning before they can proceed.

log {enable | disable}

Enable (by default) or disable logging for this filter.

config quota

Use this configuration method to configure FortiGuard quotas.

category <id>

Category or category group ID.

type {time | traffic}

Quota type: time-based (set by default) or traffic-based.

duration <duration>

FortiGuard quota duration in hours, minutes, and seconds, in any order. For example, 12h45m30s for 12 hours, 45 minutes, and 30 seconds. Set the value up to a maximum of 23h59m59s. The default is set to 5m.

override-replacemsg <name>

Name of an override replacement message.

options {error-allow | http-err-detail | rate-server-ip | redir-block | connect-request-bypass | ftgd-disable}

HTTP FortiGuard web filtering options; to enter and apply multiple options, separate each entry with a space:

- error-allow: Allow web pages with a rating error to pass through. Note that this fails open: a page that cannot be rated is allowed rather than blocked.
- http-err-detail: Display a replacement message for 4xx and 5xx HTTP errors. If error pages are allowed, malicious or objectionable sites could use these common error pages to circumvent web category blocking. Note that this option does not apply to HTTPS.
- rate-server-ip: Send both the URL and the IP address of the requested site for checking, providing additional security against attempts to bypass the FortiGuard system.
- redir-block: Block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect.
- connect-request-bypass: Bypass FortiGuard Web Filtering for HTTP sessions to the same address as bypassed HTTPS connections.
- ftgd-disable: Disable FortiGuard (set by default).

category-override <id>

Categories or groups to take precedence over FortiGuard web filtering categories. To enter and apply multiple categories, separate each entry with a space.

exempt-quota <id>

Do not stop quota for the categories set here. To enter and apply multiple categories, separate each entry with a space.

ovrd <id>

Allow override of the web filter profile.

max-quota-timeout <seconds>

Maximum period of time in seconds that FortiGuard quota is consumed by a single page view (excludes streams). Set the value between 1-86400 (one second to one day). The default is set to 300 (five minutes).
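The fragment below is an added example, not taken from the Fortinet reference, that ties the ftgd-wf entries above together in one web filter profile. The profile name, the category IDs (26 and 20) and the quota values are illustrative; comment lines are explanatory and not part of what you would type. Because ftgd-disable is set by default, FortiGuard rating is only active once the option list is written without it:

```text
config webfilter profile
    edit "ftgd-example"
        config ftgd-wf
            # Writing the option list without ftgd-disable turns FortiGuard
            # rating on. rate-server-ip also submits the destination IP, so a
            # request sent straight to an IP address is still rated. error-allow
            # is deliberately omitted: a rating error fails closed.
            set options rate-server-ip redir-block
            config filters
                edit 1
                    # Category IDs are illustrative; use the FortiGuard IDs
                    # that apply in your deployment.
                    set category 26
                    set action block
                    set log enable
                next
                edit 2
                    set category 20
                    set action warning
                    set log enable
                next
            end
            config quota
                edit 1
                    # Time-based quota on category 20: 1 hour 30 minutes per day.
                    set category 20
                    set type time
                    set duration 1h30m
                next
            end
            # A single page view consumes at most 300 seconds of quota.
            set max-quota-timeout 300
        end
    next
end
```

The check after entering it: open a page in a blocked category from a client behind the cache and confirm the block and the matching log entry, then stop FortiGuard reachability (for example by blocking the rating servers upstream) and confirm that pages are blocked rather than allowed, since error-allow is not set. If you add error-allow for availability, pair it with http-err-detail so a rating error is at least visible to the user and in the logs.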

comment <comment>

Optional comments.

replacemsg-group <name>

Name of the replacement message group to display for non-deep SSL inspection.

options {rangeblock | activexfilter | cookiefilter | ... }

One or more options to apply to web filtering; to enter and apply multiple options, separate each entry with a space:

- rangeblock: Block downloading parts of a file that have already been partially downloaded. Selecting this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDF, fragment files to increase download speed; enabling this option can cause download interruptions. Also, enabling this option may break certain applications that use the Range header in the HTTP protocol, such as YUM, a Linux update manager.
- activexfilter: Block ActiveX plugins.
- cookiefilter: Block cookies.
- javafilter: Block Java applets.
- block-invalid-url: Block web pages with an invalid domain name.
- jscript: Block JavaScript applets.
- js: Block JavaScript applets.
- vbs: Block VB scripts.
- unknown: Block unknown scripts.
- intrinsic: Block intrinsic scripts.
- wf-referer: Block the contents of the HTTP header Referer.
- wf-cookie: Block the contents of the HTTP header Cookie.

https-replacemsg {enable | disable}

Enable (by default) or disable replacement message display for non-deep SSL inspection.

ovrd-perm {bannedword-override | urlfilter-override | fortiguard-wf-override | contenttype-check-override}

Override permit options:

- bannedword-override: Content block override.
- urlfilter-override: Web URL filter override.
- fortiguard-wf-override: FortiGuard web filter block override.
- contenttype-check-override: Override of filtering based on the Content-Type header.

post-action {normal | comfort | block}

Action to take with HTTP POST traffic (this option is available for HTTPS):

- normal: Do not affect HTTP POST traffic (set by default).
- comfort: Prevents a server timeout while scanning or another filtering tool is operating. Use the comfort-interval and comfort-amount entries in config firewall profile-protocol-options to send comfort bytes to the server in case the client connection is too slow.
- block: Block HTTP POST requests. When the POST request is blocked, the FortiCache sends the httppost-block replacement message to the user’s web browser.

log-all-url {enable | disable}

Enable or disable (by default) logging of all URLs, even if FortiGuard is not enabled.

web-content-log {enable | disable}

Enable (by default) or disable logging for web content blocking.

web-filter-activex-log {enable | disable}

Enable (by default) or disable logging for ActiveX script web filtering.

web-filter-command-block-log {enable | disable}

Enable (by default) or disable logging of web filter command block messages.

web-filter-cookie-log {enable | disable}

Enable (by default) or disable logging for cookie script web filtering.

web-filter-applet-log {enable | disable}

Enable (by default) or disable logging for applet script web filtering.

web-filter-jscript-log {enable | disable}

Enable (by default) or disable logging for web script filtering on JavaScript.

web-filter-js-log {enable | disable}

Enable (by default) or disable logging for web script filtering on JavaScript.

web-filter-vbs-log {enable | disable}

Enable (by default) or disable logging for web filtering on VBS scripts.

web-filter-unknown-log {enable | disable}

Enable (by default) or disable logging for web filtering on unknown scripts.

web-filter-referer-log {enable | disable}

Enable (by default) or disable logging for web filtering Referer blocking.

web-filter-cookie-removal-log {enable | disable}

Enable (by default) or disable logging for web filtering cookie blocking.

web-url-log {enable | disable}

Enable (by default) or disable logging for web URL filtering.

web-invalid-domain-log {enable | disable}

Enable (by default) or disable logging for web filtering of invalid domain names.

web-ftgd-err-log {enable | disable}

Enable (by default) or disable logging for FortiGuard web filtering rating errors.

web-ftgd-quota-usage {enable | disable}

Enable (by default) or disable logging for FortiGuard web filtering daily quota usage.


search-engine

Use this command to configure search engine definitions. Definitions for well-known search engines are included by default.

hostname <name>

Regular expression to match the hostname portion of the search URL.

url <url>

Regular expression to match the search URL.

query <query>

Code used to prefix a query; must end with an equals (=) sign.

safesearch {disable | url | header}

Determine how to request safe search on this site:

- disable: Site does not support safe search (set by default).
- url: Selected with a parameter in the URL.
- header: Selected by search header (e.g. youtube.edu).

safesearch-str <parameter>

Note: This entry is only available when safesearch is set to url.

Safe search parameter used in the URL.
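As an added example (not part of the Fortinet reference), the fragment below defines a search engine for a hypothetical site search.example.com and a profile that uses it for URL-based safe search and search-phrase logging. The hostname, URL pattern, query prefix, safe search parameter (safe=strict) and keywords are all assumed values for that site; comment lines are explanatory only. Backslashes are doubled inside the quoted regular expressions, the convention the CLI uses when it shows such strings, so verify the stored pattern with show after entry:

```text
config webfilter search-engine
    edit "example-search"
        # Both hostname and url are regular expressions, so the dots are
        # escaped and the patterns are anchored to avoid matching a lookalike
        # such as search.example.com.attacker.test.
        set hostname "^search\\.example\\.com$"
        set url "^/search\\?"
        # The query prefix must end with '='; the text after it is the
        # search phrase that log-search records.
        set query "q="
        # Safe search is requested by rewriting the URL with this parameter
        # (assumed name and value for this site).
        set safesearch url
        set safesearch-str "safe=strict"
    next
end
config webfilter profile
    edit "search-logging"
        # Apply URL-based safe search and log every search phrase, flagging
        # the listed keywords (illustrative values).
        set safe-search url
        set log-search enable
        set keyword-match "exploit" "password dump"
    next
end
```

A caveat a practitioner should keep in mind: appending safesearch-str to the request only works when the proxy can read and rewrite the request line, which for an HTTPS search site means deep SSL inspection through the ssl-ssh-profile applied to the policy. Without it, neither the safe search rewrite nor log-search sees the query, and the definition silently does nothing for that site.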

urlfilter

Use this command to control access to specific URLs by adding them to the URL filter list. The FortiCache exempts or blocks web pages matching any specified URLs and displays a replacement message instead. Either allow, block, or exempt all pages on a website by adding the top-level URL or IP address and setting the action to allow, block, exempt, or monitor.

config entries

Use this configuration method to configure URL filtering settings.

url <url>

URL you wish to add.


type {simple | regex | wildcard}

Type of URL filter: simple (set by default), regular expression, or wildcard.

action {exempt | block | allow | monitor}

Action to take when a match occurs:

- exempt: Stops all further checking, including AV scanning, for the current HTTP session, which can affect multiple URLs (set by default).
- block: Blocks the URL; no further checking will be done.
- allow: Exits the URL filter list and checks the other web filters.
- monitor: Passes the URL and generates a log message. Note that the request is still subject to other UTM inspections.

status {enable | disable}

Enable (by default) or disable the URL filter.

exempt {av | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}

Types of scanning to skip for the exempt URLs (all entries are set by default except pass):

- av: AV scanning.
- web-content: Web filter content matching.
- activex-java-cookie: ActiveX, Java, and cookies.
- dlp: DLP scanning.
- fortiguard: FortiGuard web filtering.
- range-block: Do not allow range-block.
- pass: Pass single connection from all.
- all: Exempt from all.

referrer-host <name>

Referrer host name.

name <name>

Name of the URL filter list.

comment <comment>

Optional comments.
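The fragment below is an added example, not from the Fortinet reference, of a URL filter list that uses all three pattern types and three of the four actions. The list name, hosts and patterns are illustrative, and the wildcard semantics of "*" are assumed; comment lines are explanatory only. The point it makes is about the exempt action: with the default exempt setting it switches off AV, DLP and every other scan for the rest of the HTTP session, so the first entry narrows the exemption to FortiGuard rating alone:

```text
config webfilter urlfilter
    edit 1
        set name "corp-urlfilter"
        config entries
            edit 1
                # An update mirror that is often mis-rated. Exempt only the
                # FortiGuard lookup; AV and DLP still run on the session.
                # The default (all scan types) would skip AV for every
                # object fetched on that connection.
                set url "updates.example.com"
                set type simple
                set action exempt
                set exempt fortiguard
            next
            edit 2
                # Wildcard block of a domain and all of its subdomains
                # ('*' semantics assumed for the wildcard type).
                set url "*.badexample.net"
                set type wildcard
                set action block
            next
            edit 3
                # Regex match on any login path: pass it, but log it, and
                # leave the request subject to the other UTM inspections.
                set url "^https?://[^/]+/login"
                set type regex
                set action monitor
            next
            edit 4
                # Leave this list for the intranet portal; the other web
                # filters (FortiGuard categories, content filters) still apply.
                set url "intranet.example.com"
                set type simple
                set action allow
            next
        end
    next
end
```

The list still has to be referenced from a webfilter profile (the entry whose description opens this section) before it takes effect. To check the exemption is no wider than intended, fetch the EICAR test file from the exempted host through the cache: it should still be caught by the antivirus profile, which would not be the case with the default exempt setting.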


Appendix A: Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the tags shown below are replaced with content relevant to the message. Generally there is not a large call for these tags in disclaimer pages, but they can be of some use.

To view all replacement message disclaimer page options, see replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy}.

Administration disclaimer page tags   Description

%%AUTH_REDIR_URL%%   Link to open a new window (optional).

%%AUTH_LOGOUT%%   Immediately close the connection policy.

%%KEEPALIVEURL%%   URL the keep alive page connects to that keeps the connection policy alive. Connects every %%TIMEOUT%% seconds.

%%TIMEOUT%%   Configured number of seconds between %%KEEPALIVEURL%% connections.

Alert mail message tags   Description

%%FILE%%   Name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by AntiVirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%   Name of a virus that was found in a file by the AntiVirus system. %%VIRUS%% can be used in virus messages.

%%URL%%   URL of a web page. This can be a web page that is blocked by Web Filter content or URL blocking. %%URL%% can also be used in HTTP virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%CRITICAL_EVENT%%   Added to alert email critical event email messages, %%CRITICAL_EVENT%% is replaced with the critical event message that triggered the alert email.

%%PROTOCOL%%   Protocol (either HTTP, FTP, POP3, IMAP, or SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%   IP address of the email server that sent the email containing the virus.

%%DEST_IP%%   IP address of the user’s computer that attempted to download the message from which the file was removed.

%%EMAIL_FROM%%   Email address of the sender of the message from which the file was removed.

%%EMAIL_TO%%   Email address of the intended receiver of the message from which the file was removed.

%%NIDS_EVENT%%   IPS attack message. %%NIDS_EVENT%% is added to alert email intrusion messages.

Authentication message tags   Description

%%AUTH_REDIR_URL%%   Link to open a new window (optional).

%%AUTH_LOGOUT%%   Immediately close the connection policy.

%%EXTRAINFO%%   Provide extra help on two-factor authentication.

%%FAILED_MESSAGE%%   Message displayed on the failed login page after a user login fails.

%%KEEPALIVEURL%%   URL the keep alive page connects to that keeps the connection policy alive. Connects every %%TIMEOUT%% seconds.

%%QUESTION%%   The default login and rejected login pages use this text immediately preceding the Username and Password fields. The default challenge page uses this as the challenge question. These are treated as two different variables by the server. If you want to use different text, replace %%QUESTION%% with the text you prefer.

%%TIMEOUT%%   Configured number of seconds between %%KEEPALIVEURL%% connections.

%%TOKENCODE%%   FortiToken authentication code used for two-factor authentication.

%%USERNAMEID%%   Username of the user logging in. This tag is used on the login and failed login pages.

%%PASSWORDID%%   Password of the user logging in. This tag is used on the challenge, login and failed login pages.

FortiGuard Web Filtering message tags   Description

%%OVRD_FORM%%   Provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a page. Do not remove this from the replacement message.

FTP message tags   Description

%%FILE%%   Name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by AntiVirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%   Name of a virus that was found in a file by the AntiVirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%   Name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by AntiVirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%URL%%   URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in HTTP virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%PROTOCOL%%   The protocol (either HTTP, FTP, POP3, IMAP, or SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%   IP address from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.

%%DEST_IP%%   IP address of the computer that would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.

HTTP message tags   Description

%%FILE%%   The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by AntiVirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%   Name of a virus that was found in a file by the AntiVirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%   Name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by AntiVirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%URL%%   URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in HTTP virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%PROTOCOL%%   The protocol (either HTTP, FTP, POP3, IMAP, or SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%   IP address from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.

%%DEST_IP%%   IP address of the computer that would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.

UTM page tags   Description

%%FILE%%   The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by AntiVirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%   Name of a virus that was found in a file by the AntiVirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%   Name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by AntiVirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%PROTOCOL%%   The protocol (either HTTP, FTP, POP3, IMAP, or SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

Web proxy page tags   Description

%%HTTP_ERR_CODE%%   The returned HTTP error code, “404” for example.

%%HTTP_ERR_DESC%%   The returned HTTP error message, “Not Found” for example.

%%PROTOCOL%%   The protocol that applies to the traffic, “http://” for example.

%%URL%%   The URL (not including protocol) that caused the error.

Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

