Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

system fortiguard

Use this command to configure communications with the FortiGuard Distribution Network (FDN) for FortiGuard subscription services, such as FortiGuard Intrusion Prevention Service (IPS), Anti-Virus, Web Filtering, Anti-Spam, and Application Control. You can also use this command to configure a FortiGate unit to communicate with a FortiManager system, which can act as a private FortiGuard Distribution Server (FDS) for Anti-Virus, IPS, Web Filtering, and Anti-Spam services.

By default, FortiGate units connect to the FDN using a set of default connection settings. You can override these settings to use IP addresses and port numbers other than the defaults. For example, if you have a FortiManager unit, you might download a local copy of FortiGuard service updates to the FortiManager unit, then redistribute those updates by configuring each FortiGate unit’s server override feature to connect to the FortiManager unit’s private FDS IP address.

If the FortiGate unit is unable to connect to the FDN, verify connectivity on required ports. For a list of required ports, see Fortinet communication ports and protocols.

Remote administration by a FortiManager system is mutually exclusive with remote administration by the FortiGuard Analysis and Management Service. For more information about configuring remote administration by a FortiManager system, see the system central-management command instead.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command Description

set auto-join-forticloud {enable | disable}

New option to automatically connect to and log in to FortiCloud. Disabled by default.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set outbreak-prevention-cache-ttl <seconds>

Changed the default cache entry lifespan for Virus Outbreak Prevention value from 1800 seconds (or 30 minutes) to 300 seconds (or 5 minutes).

config system fortiguard
    set port {53 | 8888 | 80}   Port used to communicate with the FortiGuard servers.
            53    UDP Port 53 for server communication (for use by FortiGuard or FortiManager).
            8888  UDP Port 8888 for server communication (for use by FortiGuard or FortiManager).
            80    TCP Port 80 for server communication (for use only by FortiManager).
    set service-account-id {string}   Service account ID. size[50]
    set load-balance-servers {integer}   Number of servers to alternate between as first FortiGuard option. range[1-266]
    set auto-join-forticloud {enable | disable}   Automatically connect to and login to FortiCloud.
    set update-server-location {usa | any}   Signature update server location.
            usa  FGD servers in United States.
            any  FGD servers in any location.
    set antispam-force-off {enable | disable}   Enable/disable turning off the FortiGuard antispam service.
    set antispam-cache {enable | disable}   Enable/disable FortiGuard antispam request caching. Uses a small amount of memory but improves performance.
    set antispam-cache-ttl {integer}   Time-to-live for antispam cache entries in seconds (300 - 86400). Lower times reduce the cache size. Higher times may improve performance since the cache will have more entries. range[300-86400]
    set antispam-cache-mpercent {integer}   Maximum percent of FortiGate memory the antispam cache is allowed to use (1 - 15%). range[1-15]
    set antispam-license {integer}   Interval of time between license checks for the FortiGuard antispam contract. range[0-4294967295]
    set antispam-expiration {integer}   Expiration date of the FortiGuard antispam contract. range[0-4294967295]
    set antispam-timeout {integer}   Antispam query time out (1 - 30 sec, default = 7). range[1-30]
    set outbreak-prevention-force-off {enable | disable}   Turn off FortiGuard Virus Outbreak Prevention service.
    set outbreak-prevention-cache {enable | disable}   Enable/disable FortiGuard Virus Outbreak Prevention cache.
    set outbreak-prevention-cache-ttl {integer}   Time-to-live for FortiGuard Virus Outbreak Prevention cache entries (300 - 86400 sec, default = 300). range[300-86400]
    set outbreak-prevention-cache-mpercent {integer}   Maximum percent of memory FortiGuard Virus Outbreak Prevention cache can use (1 - 15%, default = 2). range[1-15]
    set outbreak-prevention-license {integer}   Interval of time between license checks for FortiGuard Virus Outbreak Prevention contract. range[0-4294967295]
    set outbreak-prevention-expiration {integer}   Expiration date of FortiGuard Virus Outbreak Prevention contract. range[0-4294967295]
    set outbreak-prevention-timeout {integer}   FortiGuard Virus Outbreak Prevention time out (1 - 30 sec, default = 7). range[1-30]
    set webfilter-force-off {enable | disable}   Enable/disable turning off the FortiGuard web filtering service.
    set webfilter-cache {enable | disable}   Enable/disable FortiGuard web filter caching.
    set webfilter-cache-ttl {integer}   Time-to-live for web filter cache entries in seconds (300 - 86400). range[300-86400]
    set webfilter-license {integer}   Interval of time between license checks for the FortiGuard web filter contract. range[0-4294967295]
    set webfilter-expiration {integer}   Expiration date of the FortiGuard web filter contract. range[0-4294967295]
    set webfilter-timeout {integer}   Web filter query time out (1 - 30 sec, default = 7). range[1-30]
    set sdns-server-ip {string}   IP address of the FortiDNS server.
    set sdns-server-port {integer}   Port used to communicate with FortiDNS servers. range[1-65535]
    set source-ip {ipv4 address}   Source IPv4 address used to communicate with FortiGuard.
    set source-ip6 {ipv6 address}   Source IPv6 address used to communicate with FortiGuard.
    set ddns-server-ip {ipv4 address}   IP address of the FortiDDNS server.
    set ddns-server-port {integer}   Port used to communicate with FortiDDNS servers. range[1-65535]
end

Additional information

The following section is for those options that require additional explanation.

antispam-cache {enable | disable}

Enable (default) or disable the caching of FortiGuard Anti-spam query results, including IP address and URL block list.

Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL appears as the source of an email. When the cache is full, the least recently used cache entry is replaced.

antispam-cache-mpercent <percent>

Enter the maximum percentage of memory (RAM) to use for anti-spam caching.

Possible values: 1 to 15 percent. The default value is 2.

antispam-cache-ttl <seconds>

Enter a time to live (TTL), in seconds, for anti-spam cache entries. When the TTL expires, the cache entry is removed, and the FortiGate unit will query the FDN or FortiManager unit the next time that item occurs in scanned traffic.

Possible values: 300 to 86400 seconds. The default value is 1800.

antispam-expiration

View the expiration date of the FortiGuard Anti-spam service contract.

You can view this variable using the get command. You cannot set this variable.

antispam-force-off {enable | disable}

Enable or disable (default) the FortiGuard Anti-spam service on this FortiGate unit.

antispam-license

View the interval of time between license checks for the FortiGuard Anti-spam service contract.

You can view this variable using the get command. You cannot set this variable.

antispam-timeout <seconds>

Enter the time limit, in seconds, for the FortiGuard Anti-spam query timeout.

Possible values: 1 to 30 seconds. The default value is 7.

auto-join-forticloud {enable | disable}

Enable or disable (default) automatic joining for the FortiCloud service.

ddns-server-ip <IPv4_address>

Enter the IP address of the FortiDDNS service.

ddns-server-port <port_number>

Enter the port to use for the FortiDDNS service.

Possible values: 1 to 65535. The default value is 443.

load-balance-servers <number_of_servers>

Enter the number of FortiGuard servers to connect to.

By default, the FortiGate unit uses the first server in its FortiGuard server list to connect to the FortiGuard network and load-balance-servers is set to 1. You can increase this number up to 20 if you want the FortiGate unit to use a different FortiGuard server each time it contacts the FortiGuard network. If you set load-balance-servers to 2, the FortiGate unit alternates between checking the first two servers in the FortiGuard server list.

Possible values: 1 to 20. The default value is 1.

set auto-join-forticloud {enable | disable}

Automatically connect to and log in to FortiCloud. Disabled by default.

port {53 | 8888 | 80}

Enter the port to use for rating queries to the FortiGuard Web Filtering or FortiGuard Anti-spam service.

The default value is 8888.

sdns-server-ip <IP_address>

Enter the IP address of the FortiDNS server. This is used for DNS-based web filtering.

sdns-server-port <port_number>

Enter the destination port of the SDNS server. This is used for DNS-based web filtering.

Possible values: 1 to 65535. The default value is 53.

This value should not be changed if using FortiGuard SDNS servers.

service-account-id <ID>

Enter your service account ID.

The limit is 50 characters.

source-ip <IPv4_address>

Enter the source IP address to use to communicate with the FortiGuard servers.

This setting is not available if fortimanager-fds-override is enabled in system central-management.

source-ip6 <IPv6_address>

Enter the source IPv6 address to use to communicate with the FortiGuard servers.

This setting is not available if fortimanager-fds-override is enabled in system central-management.

webfilter-cache {enable | disable}

Enable (default) or disable the caching of FortiGuard Web Filtering query results, including category ratings for URLs.

Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL is requested. When the cache is full, the least recently used cache entry is replaced.

webfilter-cache-ttl <seconds>

Enter a time to live (TTL), in seconds, for web filtering cache entries. When the TTL expires, the cache entry is removed, and the FortiGate unit will query the FDN or FortiManager unit the next time that item occurs in scanned traffic.

Possible values: 300 to 86400 seconds. The default value is 3600.

webfilter-expiration

View the expiration date of the FortiGuard Web Filtering service contract.

You can view this variable using the get command. You cannot set this variable.

webfilter-force-off {enable | disable}

Enable or disable (default) the FortiGuard Web Filtering service on this FortiGate unit.

webfilter-license

View the interval of time between license checks for the FortiGuard Web Filtering service contract.

Initially this value is unknown and is set after the FortiGate contacts the FDN to validate the FortiGuard Web Filtering license.

You can view this variable using the get command. You cannot set this variable.

webfilter-timeout <seconds>

Enter the FortiGuard Web Filtering query timeout.

Possible values: 1 to 30 seconds. The default value is 15.

system fortiguard

Use this command to configure communications with the FortiGuard Distribution Network (FDN) for FortiGuard subscription services, such as FortiGuard Intrusion Prevention Service (IPS), Anti-Virus, Web Filtering, Anti-Spam, and Application Control. You can also use this command to configure a FortiGate unit to communicate with a FortiManager system, which can act as a private FortiGuard Distribution Server (FDS) for Anti-Virus, IPS, Web Filtering, and Anti-Spam services.

By default, FortiGate units connect to the FDN using a set of default connection settings. You can override these settings to use IP addresses and port numbers other than the defaults. For example, if you have a FortiManager unit, you might download a local copy of FortiGuard service updates to the FortiManager unit, then redistribute those updates by configuring each FortiGate unit’s server override feature to connect to the FortiManager unit’s private FDS IP address.

If the FortiGate unit is unable to connect to the FDN, verify connectivity on required ports. For a list of required ports, see Fortinet communication ports and protocols.

Remote administration by a FortiManager system is mutually exclusive with remote administration by the FortiGuard Analysis and Management Service. For more information about configuring remote administration by a FortiManager system, see the system central-management command instead.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.5.

Command Description

set auto-join-forticloud {enable | disable}

New option to automatically connect to and log in to FortiCloud. Disabled by default.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set outbreak-prevention-cache-ttl <seconds>

Changed the default cache entry lifespan for Virus Outbreak Prevention value from 1800 seconds (or 30 minutes) to 300 seconds (or 5 minutes).

config system fortiguard
    set port {53 | 8888 | 80}   Port used to communicate with the FortiGuard servers.
            53    UDP Port 53 for server communication (for use by FortiGuard or FortiManager).
            8888  UDP Port 8888 for server communication (for use by FortiGuard or FortiManager).
            80    TCP Port 80 for server communication (for use only by FortiManager).
    set service-account-id {string}   Service account ID. size[50]
    set load-balance-servers {integer}   Number of servers to alternate between as first FortiGuard option. range[1-266]
    set auto-join-forticloud {enable | disable}   Automatically connect to and login to FortiCloud.
    set update-server-location {usa | any}   Signature update server location.
            usa  FGD servers in United States.
            any  FGD servers in any location.
    set antispam-force-off {enable | disable}   Enable/disable turning off the FortiGuard antispam service.
    set antispam-cache {enable | disable}   Enable/disable FortiGuard antispam request caching. Uses a small amount of memory but improves performance.
    set antispam-cache-ttl {integer}   Time-to-live for antispam cache entries in seconds (300 - 86400). Lower times reduce the cache size. Higher times may improve performance since the cache will have more entries. range[300-86400]
    set antispam-cache-mpercent {integer}   Maximum percent of FortiGate memory the antispam cache is allowed to use (1 - 15%). range[1-15]
    set antispam-license {integer}   Interval of time between license checks for the FortiGuard antispam contract. range[0-4294967295]
    set antispam-expiration {integer}   Expiration date of the FortiGuard antispam contract. range[0-4294967295]
    set antispam-timeout {integer}   Antispam query time out (1 - 30 sec, default = 7). range[1-30]
    set outbreak-prevention-force-off {enable | disable}   Turn off FortiGuard Virus Outbreak Prevention service.
    set outbreak-prevention-cache {enable | disable}   Enable/disable FortiGuard Virus Outbreak Prevention cache.
    set outbreak-prevention-cache-ttl {integer}   Time-to-live for FortiGuard Virus Outbreak Prevention cache entries (300 - 86400 sec, default = 300). range[300-86400]
    set outbreak-prevention-cache-mpercent {integer}   Maximum percent of memory FortiGuard Virus Outbreak Prevention cache can use (1 - 15%, default = 2). range[1-15]
    set outbreak-prevention-license {integer}   Interval of time between license checks for FortiGuard Virus Outbreak Prevention contract. range[0-4294967295]
    set outbreak-prevention-expiration {integer}   Expiration date of FortiGuard Virus Outbreak Prevention contract. range[0-4294967295]
    set outbreak-prevention-timeout {integer}   FortiGuard Virus Outbreak Prevention time out (1 - 30 sec, default = 7). range[1-30]
    set webfilter-force-off {enable | disable}   Enable/disable turning off the FortiGuard web filtering service.
    set webfilter-cache {enable | disable}   Enable/disable FortiGuard web filter caching.
    set webfilter-cache-ttl {integer}   Time-to-live for web filter cache entries in seconds (300 - 86400). range[300-86400]
    set webfilter-license {integer}   Interval of time between license checks for the FortiGuard web filter contract. range[0-4294967295]
    set webfilter-expiration {integer}   Expiration date of the FortiGuard web filter contract. range[0-4294967295]
    set webfilter-timeout {integer}   Web filter query time out (1 - 30 sec, default = 7). range[1-30]
    set sdns-server-ip {string}   IP address of the FortiDNS server.
    set sdns-server-port {integer}   Port used to communicate with FortiDNS servers. range[1-65535]
    set source-ip {ipv4 address}   Source IPv4 address used to communicate with FortiGuard.
    set source-ip6 {ipv6 address}   Source IPv6 address used to communicate with FortiGuard.
    set ddns-server-ip {ipv4 address}   IP address of the FortiDDNS server.
    set ddns-server-port {integer}   Port used to communicate with FortiDDNS servers. range[1-65535]
end

Additional information

The following section is for those options that require additional explanation.

antispam-cache {enable | disable}

Enable (default) or disable the caching of FortiGuard Anti-spam query results, including IP address and URL block list.

Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL appears as the source of an email. When the cache is full, the least recently used cache entry is replaced.

antispam-cache-mpercent <percent>

Enter the maximum percentage of memory (RAM) to use for anti-spam caching.

Possible values: 1 to 15 percent. The default value is 2.

antispam-cache-ttl <seconds>

Enter a time to live (TTL), in seconds, for anti-spam cache entries. When the TTL expires, the cache entry is removed, and the FortiGate unit will query the FDN or FortiManager unit the next time that item occurs in scanned traffic.

Possible values: 300 to 86400 seconds. The default value is 1800.

antispam-expiration

View the expiration date of the FortiGuard Anti-spam service contract.

You can view this variable using the get command. You cannot set this variable.

antispam-force-off {enable | disable}

Enable or disable (default) the FortiGuard Anti-spam service on this FortiGate unit.

antispam-license

View the interval of time between license checks for the FortiGuard Anti-spam service contract.

You can view this variable using the get command. You cannot set this variable.

antispam-timeout <seconds>

Enter the time limit, in seconds, for the FortiGuard Anti-spam query timeout.

Possible values: 1 to 30 seconds. The default value is 7.

auto-join-forticloud {enable | disable}

Enable or disable (default) automatic joining for the FortiCloud service.

ddns-server-ip <IPv4_address>

Enter the IP address of the FortiDDNS service.

ddns-server-port <port_number>

Enter the port to use for the FortiDDNS service.

Possible values: 1 to 65535. The default value is 443.

load-balance-servers <number_of_servers>

Enter the number of FortiGuard servers to connect to.

By default, the FortiGate unit uses the first server in its FortiGuard server list to connect to the FortiGuard network and load-balance-servers is set to 1. You can increase this number up to 20 if you want the FortiGate unit to use a different FortiGuard server each time it contacts the FortiGuard network. If you set load-balance-servers to 2, the FortiGate unit alternates between checking the first two servers in the FortiGuard server list.

Possible values: 1 to 20. The default value is 1.

set auto-join-forticloud {enable | disable}

Automatically connect to and log in to FortiCloud. Disabled by default.

port {53 | 8888 | 80}

Enter the port to use for rating queries to the FortiGuard Web Filtering or FortiGuard Anti-spam service.

The default value is 8888.

sdns-server-ip <IP_address>

Enter the IP address of the FortiDNS server. This is used for DNS-based web filtering.

sdns-server-port <port_number>

Enter the destination port of the SDNS server. This is used for DNS-based web filtering.

Possible values: 1 to 65535. The default value is 53.

This value should not be changed if using FortiGuard SDNS servers.

service-account-id <ID>

Enter your service account ID.

The limit is 50 characters.

source-ip <IPv4_address>

Enter the source IP address to use to communicate with the FortiGuard servers.

This setting is not available if fortimanager-fds-override is enabled in system central-management.

source-ip6 <IPv6_address>

Enter the source IPv6 address to use to communicate with the FortiGuard servers.

This setting is not available if fortimanager-fds-override is enabled in system central-management.

webfilter-cache {enable | disable}

Enable (default) or disable the caching of FortiGuard Web Filtering query results, including category ratings for URLs.

Enabling the cache can improve performance because the FortiGate unit does not need to access the FDN or FortiManager unit each time the same IP address or URL is requested. When the cache is full, the least recently used cache entry is replaced.

webfilter-cache-ttl <seconds>

Enter a time to live (TTL), in seconds, for web filtering cache entries. When the TTL expires, the cache entry is removed, and the FortiGate unit will query the FDN or FortiManager unit the next time that item occurs in scanned traffic.

Possible values: 300 to 86400 seconds. The default value is 3600.

webfilter-expiration

View the expiration date of the FortiGuard Web Filtering service contract.

You can view this variable using the get command. You cannot set this variable.

webfilter-force-off {enable | disable}

Enable or disable (default) the FortiGuard Web Filtering service on this FortiGate unit.

webfilter-license

View the interval of time between license checks for the FortiGuard Web Filtering service contract.

Initially this value is unknown and is set after the FortiGate contacts the FDN to validate the FortiGuard Web Filtering license.

You can view this variable using the get command. You cannot set this variable.

webfilter-timeout <seconds>

Enter the FortiGuard Web Filtering query timeout.

Possible values: 1 to 30 seconds. The default value is 15.