Fortinet Document Library

CLI Reference

6.0.0

firewall profile-protocol-options

Use this command to configure protocol options.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command: set strip-x-forwarded-for {enable | disable}

Description: Enable or disable the stripping of the HTTP X-Forwarded-For header. Enabling this feature replaces the X-Forwarded-For value with 1.1.1.1.

IPS is designed for on-the-fly packet inspection: if the data payload were modified, the packets already in flight would have to be dropped and new packets generated and delivered. This feature helps alleviate that issue.

Note that this command is only available in Flow-based NGFW Mode.

config firewall profile-protocol-options
    edit {name}
    # Configure protocol options.
        set name {string}   Name. size[35]
        set comment {string}   Optional comments. size[255]
        set replacemsg-group {string}   Name of the replacement message group to be used. size[35] - datasource(s): system.replacemsg-group.name
        set oversize-log {disable | enable}   Enable/disable logging for antivirus oversize file blocking.
        set switching-protocols-log {disable | enable}   Enable/disable logging for HTTP/HTTPS switching protocols.
        config http
            set ports {integer}   Ports to scan for content (1 - 65535, default = 80). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {clientcomfort | servercomfort | oversize | chunkedbypass}   One or more options that can be applied to the session.
                    clientcomfort  Prevent client timeout.
                    servercomfort  Prevent server timeout.
                    oversize       Block oversized file/email.
                    chunkedbypass  Bypass chunked transfer encoded sites.
            set comfort-interval {integer}   Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10). range[1-900]
            set comfort-amount {integer}   Amount of data to send in a transmission for client comforting (1 - 10240 bytes, default = 1). range[1-10240]
            set range-block {disable | enable}   Enable/disable blocking of partial downloads.
            set http-policy {disable | enable}   Enable/disable HTTP policy check.
            set strip-x-forwarded-for {disable | enable}   Enable/disable stripping of HTTP X-Forwarded-For header.
            set post-lang {option}   ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).
                    jisx0201      Japanese Industrial Standard 0201.
                    jisx0208      Japanese Industrial Standard 0208.
                    jisx0212      Japanese Industrial Standard 0212.
                    gb2312        Guojia Biaozhun 2312 (simplified Chinese).
                    ksc5601-ex    Wansung Korean standard 5601.
                    euc-jp        Extended Unicode Japanese.
                    sjis          Shift Japanese Industrial Standard.
                    iso2022-jp    ISO 2022 Japanese.
                    iso2022-jp-1  ISO 2022-1 Japanese.
                    iso2022-jp-2  ISO 2022-2 Japanese.
                    euc-cn        Extended Unicode Chinese.
                    ces-gbk       Extended GB2312 (simplified Chinese).
                    hz            Hanzi simplified Chinese.
                    ces-big5      Big-5 traditional Chinese.
                    euc-kr        Extended Unicode Korean.
                    iso2022-jp-3  ISO 2022-3 Japanese.
                    iso8859-1     ISO 8859 Part 1 (Western European).
                    tis620        Thai Industrial Standard 620.
                    cp874         Code Page 874 (Thai).
                    cp1252        Code Page 1252 (Western European Latin).
                    cp1251        Code Page 1251 (Cyrillic).
            set fortinet-bar {enable | disable}   Enable/disable Fortinet bar on HTML content.
            set fortinet-bar-port {integer}   Port for use by Fortinet Bar (1 - 65535, default = 8011). range[1-65535]
            set streaming-content-bypass {enable | disable}   Enable/disable bypassing of streaming content from buffering.
            set switching-protocols {bypass | block}   Bypass from scanning, or block a connection that attempts to switch protocol.
                    bypass  Bypass connections when switching protocols.
                    block   Block connections when switching protocols.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-9667]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-9667]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
            set block-page-status-code {integer}   Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599, default = 403). range[100-599]
            set retry-count {integer}   Number of attempts to retry HTTP connection (0 - 100, default = 0). range[0-100]
        config ftp
            set ports {integer}   Ports to scan for content (1 - 65535, default = 21). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {option}   One or more options that can be applied to the session.
                    clientcomfort        Prevent client timeout.
                    oversize             Block oversized file/email.
                    splice               Enable splice mode.
                    bypass-rest-command  Bypass REST command.
                    bypass-mode-command  Bypass MODE command.
            set comfort-interval {integer}   Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10). range[1-900]
            set comfort-amount {integer}   Amount of data to send in a transmission for client comforting (1 - 10240 bytes, default = 1). range[1-10240]
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-9667]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-9667]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config imap
            set ports {integer}   Ports to scan for content (1 - 65535, default = 143). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {fragmail | oversize}   One or more options that can be applied to the session.
                    fragmail  Pass fragmented email.
                    oversize  Block oversized file/email.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-9667]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-9667]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config mapi
            set ports {integer}   Ports to scan for content (1 - 65535, default = 135). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set options {fragmail | oversize}   One or more options that can be applied to the session.
                    fragmail  Pass fragmented email.
                    oversize  Block oversized file/email.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-9667]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-9667]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config pop3
            set ports {integer}   Ports to scan for content (1 - 65535, default = 110). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {fragmail | oversize}   One or more options that can be applied to the session.
                    fragmail  Pass fragmented email.
                    oversize  Block oversized file/email.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-9667]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-9667]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config smtp
            set ports {integer}   Ports to scan for content (1 - 65535, default = 25). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {fragmail | oversize | splice}   One or more options that can be applied to the session.
                    fragmail  Pass fragmented email.
                    oversize  Block oversized file/email.
                    splice    Enable splice mode.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-9667]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-9667]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
            set server-busy {enable | disable}   Enable/disable SMTP server busy when server not available.
        config nntp
            set ports {integer}   Ports to scan for content (1 - 65535, default = 119). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {oversize | splice}   One or more options that can be applied to the session.
                    oversize  Block oversized file/email.
                    splice    Enable splice mode.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-9667]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-9667]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config dns
            set ports {integer}   Ports to scan for content (1 - 65535, default = 53). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
        config mail-signature
            set status {disable | enable}   Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate.
            set signature {string}   Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks). size[1023]
        set rpc-over-http {enable | disable}   Enable/disable inspection of RPC over HTTP.
    next
end
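As an added example (not taken from the Fortinet reference itself), the following CLI session creates a profile that applies the settings documented above: it strips X-Forwarded-For on HTTP, blocks oversized and partial downloads, blocks protocol switching, and logs oversize blocking. The profile name "hardened-proxy", the comment text and the extra scan port 8080 are assumptions for this example; every command and value comes from the reference above.

```text
config firewall profile-protocol-options
    edit "hardened-proxy"
        set comment "Strip XFF, block oversize and partial downloads"
        set oversize-log enable
        set switching-protocols-log enable
        config http
            set ports 80 8080
            set status enable
            set options oversize servercomfort
            set range-block enable
            set strip-x-forwarded-for enable
            set switching-protocols block
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set block-page-status-code 403
        end
        config smtp
            set ports 25
            set status enable
            set options oversize
        end
    next
end
```

Because the reference states that strip-x-forwarded-for is available only in Flow-based NGFW Mode, confirm the inspection mode before relying on that line; the other settings apply regardless.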

Additional information

The following section is for those options that require additional explanation.
