Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiAnalyzer 6.0.3 CLI Reference
    6.0.3
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.8
    5.6.7
    5.6.7
    5.6.6
    5.6.6
    5.6.5
    5.6.5
    5.6.4
    5.6.4
    5.6.3
    5.6.3
    5.6.2
    5.6.2
    5.6.1
    5.6.1
    5.6.0
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.5
    5.4.4
    5.4.4
    5.4.3
    5.4.3
    5.4.2
    5.4.2
    5.4.1
    5.4.1
    5.4.0
    5.4.0
    5.2.10
    5.2.9
    5.2.9
    5.2.7
    5.2.7
    5.2.6
    5.2.6
    5.2.5
    5.2.5
    5.2.4
    5.2.4
    5.2.3
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.13
    5.0.11
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    5.0.1
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    sql

    sql

    Configure Structured Query Language (SQL) settings.

    Syntax

    config system sql

    set background-rebuild {enable | disable}

    set database-name <string>

    set database-type <postgres>

    set device-count-high {enable | disable}

    set event-table-partition-time <integer>

    set fct-table-partition-time <integer>

    set logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan}

    set password <passwd>

    set prompt-sql-upgrade {enable | disable}

    set rebuild-event {enable | disable}

    set rebuild-event-start-time <hh:mm> <yyyy/mm/dd>

    set server <string>

    set start-time <hh>:<mm> <yyyy>/<mm>/<dd>

    set status {disable | local | remote}

    set text-search-index {enable | disable}

    set traffic-table-partition-time <integer>

    set utm-table-partition-time <integer>

    set username <string>

    config custom-index

    edit <id>

    set case-sensitive {enable | disable}

    set device-type {FortiCache | FortiGate | FortiMail | FortiSandbox | FortiWeb}

    set index-field <Field-Name>

    set log-type <Log-Enter>

    end

    config ts-index-field

    edit <category>

    set <value> <string>

    end

    end

    Variable

    Description

    background-rebuild {enable | disable}

    Disable/enable rebuilding the SQL database in the background (default = enable).

    database-name <string>

    Remote SQL database name (character limit = 64).

    database-type <postgres>

    Database type (default = postgres).

    device-count-high {enable | disable}

    Enable/disable a high device count (default = disable).

    You must set to enable if the count of registered devices is greater than 8000:

    • disable: Set to disable if device count is less than 8000.
    • enable: Set to enable if device count is equal to or greater than 8000.

    Caution: Enabling or disabling this command will result in an SQL database rebuild. The time required to rebuild the database is dependent on the size of the database. Please plan a maintenance window to complete the database rebuild. This operation will also result in a device reboot.

    event-table-partition-time <integer>

    Maximum SQL database table partitioning time range for event logs, in minutes (0 - 525600, 0 = unlimited, default = 0).

    fct-table-partition-time <integer>

    Maximum SQL database table partitioning time range for FortiClient logs, in minutes (0 - 525600, 0 = unlimited, default = 240).

    logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan}

    Log type.

    password <passwd>

    The password that the Fortinet unit will use to authenticate with the remote database.

    prompt-sql-upgrade {enable | disable}

    Prompt to convert log database into SQL database at start time on GUI (default = enable).

    rebuild-event {enable | disable}

    Enable/disable a rebuild event during SQL database rebuilding (default = enable).

    rebuild-event-start-time <hh:mm> <yyyy/mm/dd>

    The rebuild event starting date and time (default = 00:00 2000/01/01).

    server <string>

    Set the database ip or hostname.

    start-time <hh>:<mm> <yyyy>/<mm>/<dd>

    The date and time that logs will start to be inserted.

    status {disable | local | remote}

    SQL database status:

    • disable: Disable SQL database.
    • local: Enable local database (default).
    • remote: Enable remote database.

    text-search-index {enable | disable}

    Enable/disable the creation of a text search index (default = disable).

    traffic-table-partition-time <integer>

    Maximum SQL database table partitioning time range for traffic logs (0 - 525600, 0 = unlimited, default = 0).

    utm-table-partition-time <integer>

    Maximum SQL database table partitioning time range in minutes for UTM logs (0 - 525600, 0 = unlimited, default = 0).

    username <string>

    The user name that the unit will use to authenticate with the remote database (character limit = 64).

    Variables for config custom-index subcommand:

    case-sensitive {enable | disable}

    Enable/disable case sensitivity.

    device-type {FortiAuthenticator | FortiCache | FortiClient | FortiDDoS | FortiGate | FortiMail | FortiManager | FortiSandbox | FortiWeb}

    Set the device type (default = FortiGate).

    index-field <Field-Name>

    Enter a valid field name. Select one of the available field names. The available options for index-field is dependent on the device-type entry.

    log-type <Log-Enter>

    Enter the log type. The available options for log-type is dependent on the device-type entry.

    Variables for config ts-index-field subcommand:

    <category>

    Category of the text search index fields. The following is the list of categories and their default fields.

    Category Value
    FGT-app-ctrl user,group,srcip,dstip,dstport,service,app,action,hostname
    FGT-attack severity,srcip,dstip,action,user,attack
    FGT-content from,to,subject,action,srcip,dstip,hostname,status
    FGT-dlp user,srcip,service,action,filename
    FGT-emailfilter user,srcip,from,to,subject
    FGT-event subtype,ui,action,msg
    FGT-traffic user,srcip,dstip,service,app,utmaction
    FGT-virus service,srcip,dstip,action,filename,virus,user
    FGT-voip action,user,src,dst,from,to
    FGT-webfilter user,srcip,dstip,service,action,catdesc,hostname
    FGT-netscan user,dstip,vuln,severity,os
    FGT-fct-event (null)
    FGT-fct-traffic (null)
    FGT-fct-netscan (null)
    FGT-waf user,srcip,dstip,service,action
    FGT-gtp msisdn,from,to,status
    FGT-dns (null)
    FGT-ssh login,srcip,dstip,direction,action
    FML-emailfilter client_name,dst_ip,from,to,subject
    FML-event subtype,msg
    FML-history classifier,disposition,from,to,client_name,direction,domain,virus
    FML-virus src,msg,from,to
    FWB-attack http_host,http_url,src,dst,msg,action
    FWB-event ui,action,msg
    FWB-traffic src,dst,service,http_method,msg

    value <string>

    Fields of the text search filter. Enter one or more field names separated with a comma.
    Previous
    Next

    sql

    sql

    Configure Structured Query Language (SQL) settings.

    Syntax

    config system sql

    set background-rebuild {enable | disable}

    set database-name <string>

    set database-type <postgres>

    set device-count-high {enable | disable}

    set event-table-partition-time <integer>

    set fct-table-partition-time <integer>

    set logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan}

    set password <passwd>

    set prompt-sql-upgrade {enable | disable}

    set rebuild-event {enable | disable}

    set rebuild-event-start-time <hh:mm> <yyyy/mm/dd>

    set server <string>

    set start-time <hh>:<mm> <yyyy>/<mm>/<dd>

    set status {disable | local | remote}

    set text-search-index {enable | disable}

    set traffic-table-partition-time <integer>

    set utm-table-partition-time <integer>

    set username <string>

    config custom-index

    edit <id>

    set case-sensitive {enable | disable}

    set device-type {FortiCache | FortiGate | FortiMail | FortiSandbox | FortiWeb}

    set index-field <Field-Name>

    set log-type <Log-Enter>

    end

    config ts-index-field

    edit <category>

    set <value> <string>

    end

    end

    Variable

    Description

    background-rebuild {enable | disable}

    Disable/enable rebuilding the SQL database in the background (default = enable).

    database-name <string>

    Remote SQL database name (character limit = 64).

    database-type <postgres>

    Database type (default = postgres).

    device-count-high {enable | disable}

    Enable/disable a high device count (default = disable).

    You must set to enable if the count of registered devices is greater than 8000:

    • disable: Set to disable if device count is less than 8000.
    • enable: Set to enable if device count is equal to or greater than 8000.

    Caution: Enabling or disabling this command will result in an SQL database rebuild. The time required to rebuild the database is dependent on the size of the database. Please plan a maintenance window to complete the database rebuild. This operation will also result in a device reboot.

    event-table-partition-time <integer>

    Maximum SQL database table partitioning time range for event logs, in minutes (0 - 525600, 0 = unlimited, default = 0).

    fct-table-partition-time <integer>

    Maximum SQL database table partitioning time range for FortiClient logs, in minutes (0 - 525600, 0 = unlimited, default = 240).

    logtype {none | app-ctrl | attack | content | dlp | emailfilter | event | generic | history | traffic | virus | voip | webfilter | netscan}

    Log type.

    password <passwd>

    The password that the Fortinet unit will use to authenticate with the remote database.

    prompt-sql-upgrade {enable | disable}

    Prompt to convert log database into SQL database at start time on GUI (default = enable).

    rebuild-event {enable | disable}

    Enable/disable a rebuild event during SQL database rebuilding (default = enable).

    rebuild-event-start-time <hh:mm> <yyyy/mm/dd>

    The rebuild event starting date and time (default = 00:00 2000/01/01).

    server <string>

    Set the database ip or hostname.

    start-time <hh>:<mm> <yyyy>/<mm>/<dd>

    The date and time that logs will start to be inserted.

    status {disable | local | remote}

    SQL database status:

    • disable: Disable SQL database.
    • local: Enable local database (default).
    • remote: Enable remote database.

    text-search-index {enable | disable}

    Enable/disable the creation of a text search index (default = disable).

    traffic-table-partition-time <integer>

    Maximum SQL database table partitioning time range for traffic logs (0 - 525600, 0 = unlimited, default = 0).

    utm-table-partition-time <integer>

    Maximum SQL database table partitioning time range in minutes for UTM logs (0 - 525600, 0 = unlimited, default = 0).

    username <string>

    The user name that the unit will use to authenticate with the remote database (character limit = 64).

    Variables for config custom-index subcommand:

    case-sensitive {enable | disable}

    Enable/disable case sensitivity.

    device-type {FortiAuthenticator | FortiCache | FortiClient | FortiDDoS | FortiGate | FortiMail | FortiManager | FortiSandbox | FortiWeb}

    Set the device type (default = FortiGate).

    index-field <Field-Name>

    Enter a valid field name. Select one of the available field names. The available options for index-field is dependent on the device-type entry.

    log-type <Log-Enter>

    Enter the log type. The available options for log-type is dependent on the device-type entry.

    Variables for config ts-index-field subcommand:

    <category>

    Category of the text search index fields. The following is the list of categories and their default fields.

    Category Value
    FGT-app-ctrl user,group,srcip,dstip,dstport,service,app,action,hostname
    FGT-attack severity,srcip,dstip,action,user,attack
    FGT-content from,to,subject,action,srcip,dstip,hostname,status
    FGT-dlp user,srcip,service,action,filename
    FGT-emailfilter user,srcip,from,to,subject
    FGT-event subtype,ui,action,msg
    FGT-traffic user,srcip,dstip,service,app,utmaction
    FGT-virus service,srcip,dstip,action,filename,virus,user
    FGT-voip action,user,src,dst,from,to
    FGT-webfilter user,srcip,dstip,service,action,catdesc,hostname
    FGT-netscan user,dstip,vuln,severity,os
    FGT-fct-event (null)
    FGT-fct-traffic (null)
    FGT-fct-netscan (null)
    FGT-waf user,srcip,dstip,service,action
    FGT-gtp msisdn,from,to,status
    FGT-dns (null)
    FGT-ssh login,srcip,dstip,direction,action
    FML-emailfilter client_name,dst_ip,from,to,subject
    FML-event subtype,msg
    FML-history classifier,disposition,from,to,client_name,direction,domain,virus
    FML-virus src,msg,from,to
    FWB-attack http_host,http_url,src,dst,msg,action
    FWB-event ui,action,msg
    FWB-traffic src,dst,service,http_method,msg

    value <string>

    Fields of the text search filter. Enter one or more field names separated with a comma.
    Previous
    Next