CLI Reference

Introduction
Using the CLI
- Command syntax
- Subcommands
- Permissions
- Tips & tricks
config endpoint-control
- config endpoint-control fctems
- config endpoint-control client
- config endpoint-control tag
config firewall
- config firewall connlimit
- config firewall connlimit6
- config firewall global
- config firewall nat-snat
- config firewall policy
- config firewall policy6
- config firewall qos-filter
- config firewall qos-filter6
- config firewall qos-queue
- config firewall vip
config global
- config config sync-list
- config log setting global_remote
- config log setting global_faz
- config system global
- config system vdom-link
config global-dns-server
- config global-dns-server address-group
- config global-dns-server dns64
- config global-dns-server dsset-info-list
- config global-dns-server general
- config global-dns-server policy
- config global-dns-server remote-dns-server
- config global-dns-server response-rate-limit
- config global-dns-server trust-anchor-key
- config global-dns-server zone
config global-load-balance
- config global load balance analytic
- config global-load-balance data-center
- config global-load-balance link
- config global-load-balance servers
- config global-load-balance setting
- config global-load-balance topology
- config global-load-balance virtual-server-pool
- config global-load-balance host
config link-load-balance
- config link-load-balance flow-policy
- config link-load-balance gateway
- config link-load-balance link-group
- config link-load-balance persistence
- config link-load-balance proximity-route
- config link-load-balance virtual-tunnel
config load-balance
- config load-balance auth-policy
- config load-balance caching
- config load-balance captcha-profile
- config load-balance certificate-caching
- config load-balance client-ssl-profile
- config load-balance clone-pool
- config load-balance compression
- config load-balance connection-pool
- config load-balance content-rewriting
- config load-balance content-routing
- config load-balance error-page
- config load-balance geoip-list
- config load-balance http2-profile
- config load-balance http3-profile
- config load-balance ippool
- config load-balance l2-exception-list
- config load-balance method
- config load-balance pagespeed
- config load-balance pagespeed-profile
- config load-balance persistence
- config load-balance pool
- config load-balance profile
- config load-balance real-server-ssl-profile
- config load-balance reputation
- config load-balance reputation-exception
- config load-balance reputation-black-list
- config load-balance schedule-pool
- config load-balance virtual-server
- config load-balance web-category
- config load-balance web-filter-profile
- config load-balance web-sub-category
- config load-balance allowlist
config log
- config log fast_report
- config log report
- config log report email
- config log report_queryset
- config log setting fast_stats
- config log setting local
- config log setting remote
- config log setting fortianalyzer
config router
- config router isp
- config router bgp
- config router bfd
- config router md5-ospf
- config router ospf
- config router policy
- config router setting
- config router static
config security
- config security antivirus profile
- config security antivirus quarantine
- config security antivirus settings
- config security dos dos-protection-profile
- config security dos http-access-limit
- config security dos dns-query-flood-protection
- config security dos dns-reverse-flood-protection
- config security dos http-connection-flood-protection
- config security dos http-request-flood-protection
- config security dos ip-fragmentation-protection
- config security dos tcp-access-flood-protection
- config security dos tcp-slowdata-attack-protection
- config security dos tcp-synflood-protection
- config security ips profile
- config security wad profile
- config security waf api-gateway-policy
- config security waf api-gateway-rule
- config security waf api-gateway-user
- config security waf api-discovery
- config security waf bot-detection
- config security waf threshold-based-detection
- config security waf biometrics-based-detection
- config security waf fingerprint-based-detection
- config security waf advanced-bot-protection
- config security waf exception
- config security waf heuristic-sql-xss-injection-detection
- config security waf http-protocol-constraint
- config security waf http-header-security
- config security waf action
- config security waf profile
- config security waf input-validation-policy
- config security waf parameter-validation-rule
- config security waf url-protection
- config security waf web-attack-signature
- config security waf json-validation-detection
- config security waf json-schema file
- config security waf xml-schema file
- config security waf xml-validation-detection
- config security waf openapi-schema-file
- config security waf openapi-validation-detection
- config security waf scanner
- config security waf brute-force-login
- config security waf advanced-protection
- config security waf cookie-security
- config security waf data-leak-protection
- config security waf sensitive-data-type
- config security waf dlp-dictionary
- config security waf dlp-sensors
- config security waf csrf-protection
- config security waf allowed-origin
- config security waf cors-headers
- config security waf cors-protection
- configure security ztna-profile
config system
- config system accprofile
- config system address
- config system address6
- config system addrgrp
- config system addrgrp6
- config system admin
- config system auto backup
- config system azure
- config system azure-lb-backend-ip
- config system certificate ca
- config system certificate ca_group
- config system certificate certificate_verify
- config system certificate crl
- config system certificate intermediate_ca
- config system certificate intermediate_ca_group
- config system certificate local
- config system certificate local_cert_group
- config system certificate remote
- config system certificate ocsp
- config system certificate ocsp_stapling
- config system certificate remote
- config system dns
- config system dns-vdom
- config system external-resource
- config system fortiguard
- config system ha
- config system health-check
- config system health-check-script
- config system interface
- config system isp-addr
- config system mailserver
- config system one-click-glb-server
- config system overlay-tunnel
- config system password-policy
- config system schedule-group
- config system scripting
- config system sdn-connector
- config system service
- config system servicegrp
- config system setting
- config system snmp community
- config system snmp sysinfo
- config system snmp user
- config system tcpdump
- config system time manual
- config system time ntp
- config system web-filter
- config system fortisandbox
- config system alert
- config system alert-action
- config system alert-policy
- config system alert-email
- config system alert-snmp-trap
- config system central-management
config user
- config user ldap
- config user local
- config user radius
- config user tacacs+
- config user user-group
- config user authentication-relay
- config user oauth
- config user saml-idp
- config user saml-sp
diagnose
- diagnose antivirus quarantine
- diagnose debug cmdb
- diagnose debug enable/disable
- diagnose debug flow
- diagnose debug info
- diagnose debug module
- diagnose debug module fcnacd
- diagnose debug module fnginx
- diagnose debug module httproxy scripting
- diagnose debug module httproxy ssl
- diagnose debug module httproxy ztna
- diagnose debug module kernel
- diagnose debug module miglogd syslog
- diagnose debug module named
- diagnose debug module waf
- diagnose debug module wassd
- diagnose debug timestamp
- diagnose endpoint-control client list
- diagnose endpoint-control tag list
- diagnose firewall-session clear
- diagnose hardware deviceinfo
- diagnose hardware ioport
- diagnose hardware pciconfig
- diagnose hardware sysinfo
- diagnose llb policy list
- diagnose netlink backlog
- diagnose netlink device
- diagnose netlink interface
- diagnose netlink ip/ipv6
- diagnose netlink neighbor/neighbor6
- diagnose netlink route/route6
- diagnose netlink tcp
- diagnose netlink udp
- diagnose server load balance dns-clients
- diagnose server-load-balance persistence
- diagnose server-load-balance session
- diagnose server-load-balance slb_load
- diagnose sniffer packet
- diagnose system top
- diagnose system vm
- diagnose system threat-analytics info
- diagnose tech-report
- diagnose waf api-security memory
execute
- execute autoupdate
- execute caching
- execute certificate ca
- execute certificate crl
- execute certificate local
- execute certificate local import automated
- execute certificate remote
- execute certificate config
- execute checklogdisk
- execute clean
- execute config-sync
- execute date
- execute discovery-glb-virtual-server
- execute dumpsystem
- execute dumpsystem-file
- execute factoryreset
- execute factoryreset2
- execute fixlogdisk
- execute formatlogdisk
- execute geolookup
- execute glb-dprox-lookup
- execute glb-persistence-lookup
- execute ha force fetch-peers-info
- execute ha force standby
- execute ha force sync-config
- execute ha force transfer-file
- execute ha manage
- execute hardware-ssl list-ciphers
- execute health-check-verify
- execute hwmon
- execute isplookup
- execute log delete-file
- execute log delete-type
- execute log list-type
- execute log rebuild-db
- execute nslookup
- execute oas-file import
- execute packet-capture/packet-capture6
- execute packet-capture-file
- execute ping-option/ping6-option
- execute ping/ping6
- execute reboot
- execute reload
- execute restore
- execute scan-report export
- execute scan-report import
- execute scripting-shared-table
- execute shutdown
- execute ssh
- execute statistics-db
- execute ssli mode
- execute telnet
- execute traceroute
- execute vm license
- execute web-category-test
- execute SSL client-side session statistics
- execute SSL handshake record statistics
- execute waf block-ip
- execute web vulnerability scan
- execute web-vulnerability-scan mitigate
- execute forticloud create-account
- execute forticloud login
- execute forticloud try
- execute fctems
- execute update-now
- execute update-dldb
get
- get firewall global
- get router info ospf
- get router info routing-table
- get security waf-signature-status
- get security scan-report
- get security scan-task
- get system ha-status
- get system performance
- get system status
- get system traffic-group
- get system traffic-group status
- get router info bgp all
- get router info bgp ip
- get router info bgp neighbors
- get router info bgp regexp
- get router info bgp summary
- get router info6 bgp all
- get router info6 bgp ip
- get router info6 bgp neighbors
- get router info6 bgp regexp
- get router info6 bgp summary
show
Appendix A: Virtual domains
Change Log

Home FortiADC 7.4.2 CLI Reference

7.4.2

config router bgp

Use these commands to configure BGP-related options, such as AS ID, router ID, distance of routes, redistribute route , etc., including BGP network, neighbor, and ha-router-id-list configurations.

Before you begin:

You must know how BGP has been implemented in your network, i.e., the configuration details of the implementation.
You must have read-write permission for system settings.
You must have configured all the required access (IPv6) lists and prefix (IPv6) lists.

Syntax

config router bgp

set as <id>

set router-id <ipv4 address>

set distance-external <1-255>

set distance-external6 <1-255>

set distance-internal <1-255>

set distance-internal6 <1-255>

set distance-local <1-255>

set distance-local6 <1-255>

set redistribute-ospf {enable|disable}

set redistribute-connected {enable|disable}

set redistribute-static {enable|disable}

set redistribute-connected6 {enable|disable}

set redistribute-static6 {enable|disable}

set always-compare-med {enable|disable}

set deterministic-med {enable|disable}

set bestpath-as-path-ignore {enable|disable}

set bestpath-cmp-routerid {enable|disable}

set bestpath-med-missing-as-worst {enable|disable}

config network

edit <id>

set type {ipv4|ipv6}

set prefix <ipv4-netmask>

set prefix6 <ipv6-netmask>

end

config neighbor

edit <id>

set remote-as <id>

set addr-type {ipv4|ipv6}

set ip <ipv4 address>

set ip6 <ipv6 address>

set interface <interface name>

set port <0-65535>

set keepalive-timer <0-65535>

set holdtime-timer <0-65535>

set default-originate {enable|disable}

set distribute-list-in <access list name>

set distribute-list-out <access list name>

set distribute-list-in6 <ipv6 access list name>

set distribute-list-out6 <ipv6 access list name>

set prefix-list-in <prefix list name>

set prefix-list-out <prefix list name>

set prefix-list-in6 <ipv6 prefix list name>

set prefix-list-out6 <ipv6 prefix list name>

set ebgp-multihop <1-255 >

set next-hop-self {enable|disable}

set passive {enable|disable}

set password <password>

set shutdown {enable|disable}

set ttl-security <1-254>

set update-source-type {interface|address}

set update-source-interface <interface name>

set update-source-ip <ipv4 address>

set update-source-ip6 <ipv6 address>

set weight <0-65535>

set bfd {enable|disable}

end

config ha-router-id-list

edit <id>

set router-id <ipv4 address>

set node <0-7>

end

as <id>	Specify the AS (Autonomous System) number.
router-id	Specify a unique value to identify the router, using an IPv4 address.
distance-external	Specify the distance for routes external to the AS.
distance-external6	Specify the distance for IPv6 routes external to the AS.
distance-internal	Specify the distance for routes internal to the AS.
distance-internal6	Specify the distance for IPv6 routes internal to the AS.
distance-local	Specify the distance for routes local to the AS.
distance-local6	Specify the distance for IPv6 routes local to the AS.
redistribute-ospf	Enable/disable the redistribute OSPF route to the BGP server.
redistribute-connected	Enable/disable the redistribute connected route to the BGP server.
redistribute-static	Enable/disable the redistribute static route to the BGP server.
redistribute-connected6	Enable/disable the redistribute connected IPv6 route to the BGP server.
redistribute-static6	Enable/disable the redistribute static IPv6 route to the BGP server.
always-compare-med	Enable/disable always compare MED (Multi-Exit Discriminator) for BGP decision.
deterministic-med	Enable/disable enforce deterministic comparison of MED for BGP decision.
bestpath-as-path-ignore	Enable/disable ignore AS path for BGP decision.
bestpath-cmp-routerid	Enable/disable compare router ID for identical EBGP paths for BGP decision.
bestpath-med-missing-as-worst	Enable/disable treat missing MED as least preferred for BGP decision.
Network
type	Specify the address type: IPv4 or IPv6.
prefix	Specify the network prefix when (address) type is IPv4, using the IP/mask format.
prefix6	Specify the network prefix when (address) type is IPv6, using the IPv6/mask format.
Neighbor
remote-as	The AS number of the neighbor.
addr-type	Address type used to configure the neighbor
ip	IP address of the neighbor.
ip6	IPv6 address of the neighbor.
interface	Interface that connected to neighbor
port	Port number that communicate with the neighbor.
keepalive-timer	Frequency to send keep alive requests.
holdtime-timer	Number of seconds to mark peer as dead.
default-originate	Enable/disable originate default route to this neighbor.
distribute-list-in	Filter for IP updates from this neighbor.
distribute-list-out	Filter for IP updates to this neighbor.
distribute-list-in6	Filter for IPv6 updates from this neighbor.
distribute-list-out6	Filter for IPv6 updates to this neighbor.
prefix-list-in	IP Inbound filter for updates from this neighbor.
prefix-list-out	IP Outbound filter for updates to this neighbor.
prefix-list-in6	IPv6 Inbound filter for updates from this neighbor.
prefix-list-out6	IPv6 Outbound filter for updates to this neighbor.
ebgp-multihop	Specify the maximum multi-hops allowed for EBGP neighbors. Only need for EBGP neighbor, cannot set with ttl-security.
next-hop-self	Enable/disable IP next-hop calculation for this neighbor.
passive	Enable/disable sending of open messages to this neighbor.
password	Set Password.
shutdown	Enable/disable shutdown for this neighbor.
update-source-type	Type of source for routing updates.
update-source-interface	Interface Source for routing updates.
update-source-ip	IP address Source for routing updates.
update-source-ip6	IPv6 address Source for routing updates.
weight	Default weight for routes from this neighbor. Range is <0-65535>.
bfd	Enable to activate Bidirectional Forwarding Detection (BFD) on the BGP session. When BFD detects a path failure, a neighbor Down event is notified immediately to the BGP process, triggering a BGP neighbor status change.
HA router ID list
router-id	Specify the router ID, using IPv4 address.
node <0-7>	Specify Node ID of HA Node.

Examples for IPv4 BGP configuration

Configure BGP router

FortiADC-VM (root) # config router bgp

FortiADC-VM (bgp) # set as 101

FortiADC-VM (bgp) # set router-id 10.0.6.217

FortiADC-VM (bgp) # set distance-internal 300

FortiADC-VM (bgp) # set redistribute-static enable

Configure BGP network

FortiADC-VM (bgp) # config network

FortiADC-VM (network) # edit 1

FortiADC-VM (1) # set type ipv4

FortiADC-VM (1) # set prefix 172.15.1.0/24

FortiADC-VM (1) # next

FortiADC-VM (network) # edit 2

FortiADC-VM (1) # set type ipv4

FortiADC-VM (1) # set prefix 192.168.11.0/24

FortiADC-VM (1) # next

FortiADC-VM (network) # end

Configure BGP neighbor

FortiADC-VM (bgp) # config neighbor

FortiADC-VM (neighbor) # edit 1

FortiADC-VM (1) # set remote-as 101

FortiADC-VM (1) # set ip 172.15.11.218

FortiADC-VM (1) # set interface port2

FortiADC-VM (1) # next

FortiADC-VM (neighbor) # end

FortiADC-VM (bgp) # get

as : 101

router-id : 10.0.6.217

distance-external : 20

distance-internal : 250

distance-local : 200

redistribute-ospf : disable

redistribute-connected : disable

redistribute-static : enable

redistribute-connected6 : disable

redistribute-static6 : disable

always-compare-med : disable

deterministic-med : disable

bestpath-as-path-ignore : disable

bestpath-cmp-routerid : disable

bestpath-med-missing-as-worst : disable

== [ 1 ]

== [ 2 ]

== [ 1 ]

FortiADC-VM (bgp) # end

Examples for IPv6 BGP configuration

Configure BGP router (IPv6)

FortiADC-VM (root) # config router bgp

FortiADC-VM (bgp) # set as 101

FortiADC-VM (bgp) # set router-id 10.0.6.217

FortiADC-VM (bgp) # config network #configure BGP network

FortiADC-VM (network) # edit 1

FortiADC-VM (1) # set type ipv6

FortiADC-VM (1) # set prefix6 2015::/64

FortiADC-VM (1) # next

FortiADC-VM (network) # edit 2

FortiADC-VM (1) # set type ipv4

FortiADC-VM (1) # set prefix6 2016::/64

FortiADC-VM (1) # next

FortiADC-VM (network) # end

Configure BGP network (IPv6)

FortiADC-VM (bgp) # config network

FortiADC-VM (network) # edit 1

FortiADC-VM (1) # set type ipv6

FortiADC-VM (1) # set prefix6 2015::/64

FortiADC-VM (1) # next

FortiADC-VM (network) # edit 2

FortiADC-VM (1) # set type ipv4

FortiADC-VM (1) # set prefix6 2016::/64

FortiADC-VM (1) # next

FortiADC-VM (network) # end

Configure BGP neighbor (IPv6)

FortiADC-VM (bgp) # config neighbor #configure BGP neighbor

FortiADC-VM (neighbor) # edit 1

FortiADC-VM (1) # set remote-as 101

FortiADC-VM (1) # set addr-type ipv6

FortiADC-VM (1) # set ip6 2016::2

FortiADC-VM (1) # set interface port2

FortiADC-VM (1) # next

FortiADC-VM (neighbor) # end

FortiADC-VM (bgp) # end