firewall profile-protocol-options
Use this command to configure protocol options.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.
Command | Description |
---|---|
set strip-x-forwarded-for {enable \| disable} | Enable or disable the stripping of the HTTP X-Forwarded-For header. Enabling this feature replaces the X-Forwarded-For value with 1.1.1.1. IPS is best for on-the-fly packet inspection. If the data payload is modified, any current packets would be dropped and new packets would need to be generated and delivered. This feature helps alleviate this issue. Note that this command is only available in Flow-based NGFW Mode. |
```
config firewall profile-protocol-options
    edit {name}
    # Configure protocol options.
        set name {string}   Name. size[35]
        set comment {string}   Optional comments. size[255]
        set replacemsg-group {string}   Name of the replacement message group to be used size[35] - datasource(s): system.replacemsg-group.name
        set oversize-log {disable | enable}   Enable/disable logging for antivirus oversize file blocking.
        set switching-protocols-log {disable | enable}   Enable/disable logging for HTTP/HTTPS switching protocols.
        config http
            set ports {integer}   Ports to scan for content (1 - 65535, default = 80). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {clientcomfort | servercomfort | oversize | chunkedbypass}   One or more options that can be applied to the session.
                    clientcomfort   Prevent client timeout.
                    servercomfort   Prevent server timeout.
                    oversize        Block oversized file/email.
                    chunkedbypass   Bypass chunked transfer encoded sites.
            set comfort-interval {integer}   Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10). range[1-900]
            set comfort-amount {integer}   Amount of data to send in a transmission for client comforting (1 - 10240 bytes, default = 1). range[1-10240]
            set range-block {disable | enable}   Enable/disable blocking of partial downloads.
            set http-policy {disable | enable}   Enable/disable HTTP policy check.
            set strip-x-forwarded-for {disable | enable}   Enable/disable stripping of HTTP X-Forwarded-For header.
            set post-lang {option}   ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).
                    jisx0201       Japanese Industrial Standard 0201.
                    jisx0208       Japanese Industrial Standard 0208.
                    jisx0212       Japanese Industrial Standard 0212.
                    gb2312         Guojia Biaozhun 2312 (simplified Chinese).
                    ksc5601-ex     Wansung Korean standard 5601.
                    euc-jp         Extended Unicode Japanese.
                    sjis           Shift Japanese Industrial Standard.
                    iso2022-jp     ISO 2022 Japanese.
                    iso2022-jp-1   ISO 2022-1 Japanese.
                    iso2022-jp-2   ISO 2022-2 Japanese.
                    euc-cn         Extended Unicode Chinese.
                    ces-gbk        Extended GB2312 (simplified Chinese).
                    hz             Hanzi simplified Chinese.
                    ces-big5       Big-5 traditional Chinese.
                    euc-kr         Extended Unicode Korean.
                    iso2022-jp-3   ISO 2022-3 Japanese.
                    iso8859-1      ISO 8859 Part 1 (Western European).
                    tis620         Thai Industrial Standard 620.
                    cp874          Code Page 874 (Thai).
                    cp1252         Code Page 1252 (Western European Latin).
                    cp1251         Code Page 1251 (Cyrillic).
            set fortinet-bar {enable | disable}   Enable/disable Fortinet bar on HTML content.
            set fortinet-bar-port {integer}   Port for use by Fortinet Bar (1 - 65535, default = 8011). range[1-65535]
            set streaming-content-bypass {enable | disable}   Enable/disable bypassing of streaming content from buffering.
            set switching-protocols {bypass | block}   Bypass from scanning, or block a connection that attempts to switch protocol.
                    bypass   Bypass connections when switching protocols.
                    block    Block connections when switching protocols.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-25809]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-25809]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
            set block-page-status-code {integer}   Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599, default = 403). range[100-599]
            set retry-count {integer}   Number of attempts to retry HTTP connection (0 - 100, default = 0). range[0-100]
        config ftp
            set ports {integer}   Ports to scan for content (1 - 65535, default = 21). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {option}   One or more options that can be applied to the session.
                    clientcomfort         Prevent client timeout.
                    oversize              Block oversized file/email.
                    splice                Enable splice mode.
                    bypass-rest-command   Bypass REST command.
                    bypass-mode-command   Bypass MODE command.
            set comfort-interval {integer}   Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10). range[1-900]
            set comfort-amount {integer}   Amount of data to send in a transmission for client comforting (1 - 10240 bytes, default = 1). range[1-10240]
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-25809]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-25809]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config imap
            set ports {integer}   Ports to scan for content (1 - 65535, default = 143). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {fragmail | oversize}   One or more options that can be applied to the session.
                    fragmail   Pass fragmented email.
                    oversize   Block oversized file/email.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-25809]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-25809]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config mapi
            set ports {integer}   Ports to scan for content (1 - 65535, default = 135). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set options {fragmail | oversize}   One or more options that can be applied to the session.
                    fragmail   Pass fragmented email.
                    oversize   Block oversized file/email.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-25809]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-25809]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config pop3
            set ports {integer}   Ports to scan for content (1 - 65535, default = 110). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {fragmail | oversize}   One or more options that can be applied to the session.
                    fragmail   Pass fragmented email.
                    oversize   Block oversized file/email.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-25809]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-25809]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config smtp
            set ports {integer}   Ports to scan for content (1 - 65535, default = 25). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {fragmail | oversize | splice}   One or more options that can be applied to the session.
                    fragmail   Pass fragmented email.
                    oversize   Block oversized file/email.
                    splice     Enable splice mode.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-25809]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-25809]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
            set server-busy {enable | disable}   Enable/disable SMTP server busy when server not available.
        config nntp
            set ports {integer}   Ports to scan for content (1 - 65535, default = 119). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
            set inspect-all {enable | disable}   Enable/disable the inspection of all ports for the protocol.
            set options {oversize | splice}   One or more options that can be applied to the session.
                    oversize   Block oversized file/email.
                    splice     Enable splice mode.
            set oversize-limit {integer}   Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10). range[1-25809]
            set uncompressed-oversize-limit {integer}   Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10). range[0-25809]
            set uncompressed-nest-limit {integer}   Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12). range[2-100]
            set scan-bzip2 {enable | disable}   Enable/disable scanning of BZip2 compressed files.
        config dns
            set ports {integer}   Ports to scan for content (1 - 65535, default = 53). range[1-65535]
            set status {enable | disable}   Enable/disable the active status of scanning for this protocol.
        config mail-signature
            set status {disable | enable}   Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate.
            set signature {string}   Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks). size[1023]
        set rpc-over-http {enable | disable}   Enable/disable inspection of RPC over HTTP.
    next
end
```
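A worked profile built from the syntax above, added here as an illustration and not taken from the Fortinet documentation. The profile name `example-strict` and every value are constructed; the example also writes the `end` that closes each nested `config` block when the commands are entered, which the syntax listing leaves out.

```fortios
# Constructed example profile: block content that cannot be scanned,
# and log each time that happens.
config firewall profile-protocol-options
    edit "example-strict"
        set comment "Constructed example, not a vendor default"
        # Log oversize blocking and HTTP/HTTPS protocol switches.
        set oversize-log enable
        set switching-protocols-log enable
        config http
            set status enable
            # oversize: block files above oversize-limit.
            # clientcomfort: prevent client timeout while scanning.
            set options clientcomfort oversize
            set comfort-interval 10
            set comfort-amount 1
            # Block connections that attempt to switch protocol.
            set switching-protocols block
            # Keep both limits bounded; 0 would make the uncompressed
            # limit unlimited.
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 enable
            # Only available in Flow-based NGFW Mode (see History above).
            set strip-x-forwarded-for enable
        end
        config smtp
            set status enable
            # fragmail (pass fragmented email) is left out of the options.
            set options oversize
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 enable
        end
    next
end
```

With `oversize` set and `oversize-log` enabled, a file above `oversize-limit` is blocked and the block is logged.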
Additional information
The following section is for those options that require additional explanation.