Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

firewall sniffer

Use this command to configure sniffer policies.

config firewall sniffer
    edit {id}
    # Configure sniffer.
        set id {integer}   Sniffer ID. range[0-9999]
        set status {enable | disable}   Enable/disable the active status of the sniffer.
        set logtraffic {all | utm | disable}   Either log all sessions, only sessions that have a security profile applied, or disable all logging for this policy.
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set ipv6 {enable | disable}   Enable/disable sniffing IPv6 packets.
        set non-ip {enable | disable}   Enable/disable sniffing non-IP packets.
        set interface {string}   Interface name that traffic sniffing will take place on. size[35] - datasource(s): system.interface.name
        set host {string}   Hosts to filter for in sniffer traffic (Format examples: 1.1.1.1, 2.2.2.0/24, 3.3.3.3/255.255.255.0, 4.4.4.0-4.4.4.240). size[63]
        set port {string}   Ports to sniff (Format examples: 10, :20, 30:40, 50-, 100-200). size[63]
        set protocol {string}   Integer value for the protocol type as defined by IANA (0 - 255). size[63]
        set vlan {string}   List of VLANs to sniff. size[63]
        set application-list-status {enable | disable}   Enable/disable application control profile.
        set application-list {string}   Name of an existing application list. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS sensor.
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus profile.
        set av-profile {string}   Name of an existing antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filter profile.
        set webfilter-profile {string}   Name of an existing web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable spam filter.
        set spamfilter-profile {string}   Name of an existing spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP sensor.
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-dos-status {enable | disable}   Enable/disable IPS DoS anomaly detection.
        config anomaly
            edit {name}
            # Configuration method to edit Denial of Service (DoS) anomaly settings.
                set name {string}   Anomaly name. size[63]
                set status {disable | enable}   Enable/disable this anomaly.
                set log {enable | disable}   Enable/disable anomaly logging.
                set action {pass | block | proxy}   Action taken when the threshold is reached.
                        pass   Allow traffic but record a log message if logging is enabled.
                        block  Block traffic if this anomaly is found.
                        proxy  Use a proxy to control the traffic flow.
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
                set threshold {integer}   Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. range[1-2147483647]
                set threshold(default) {integer}   Number of detected instances per minute which triggers action (1 - 2147483647, default = 1000). Note that each anomaly has a different threshold value assigned to it. range[0-4294967295]
            next
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning of connections to Botnet servers.
                disable  Do not scan connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set max-packet-count {integer}   Maximum packet count (1 - 1000000, default = 10000). range[1-1000000]
    next
end

Additional information

The following section is for those options that require additional explanation.

firewall sniffer

Use this command to configure sniffer policies.

config firewall sniffer
    edit {id}
    # Configure sniffer.
        set id {integer}   Sniffer ID. range[0-9999]
        set status {enable | disable}   Enable/disable the active status of the sniffer.
        set logtraffic {all | utm | disable}   Either log all sessions, only sessions that have a security profile applied, or disable all logging for this policy.
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set ipv6 {enable | disable}   Enable/disable sniffing IPv6 packets.
        set non-ip {enable | disable}   Enable/disable sniffing non-IP packets.
        set interface {string}   Interface name that traffic sniffing will take place on. size[35] - datasource(s): system.interface.name
        set host {string}   Hosts to filter for in sniffer traffic (Format examples: 1.1.1.1, 2.2.2.0/24, 3.3.3.3/255.255.255.0, 4.4.4.0-4.4.4.240). size[63]
        set port {string}   Ports to sniff (Format examples: 10, :20, 30:40, 50-, 100-200). size[63]
        set protocol {string}   Integer value for the protocol type as defined by IANA (0 - 255). size[63]
        set vlan {string}   List of VLANs to sniff. size[63]
        set application-list-status {enable | disable}   Enable/disable application control profile.
        set application-list {string}   Name of an existing application list. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS sensor.
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus profile.
        set av-profile {string}   Name of an existing antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filter profile.
        set webfilter-profile {string}   Name of an existing web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable spam filter.
        set spamfilter-profile {string}   Name of an existing spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP sensor.
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-dos-status {enable | disable}   Enable/disable IPS DoS anomaly detection.
        config anomaly
            edit {name}
            # Configuration method to edit Denial of Service (DoS) anomaly settings.
                set name {string}   Anomaly name. size[63]
                set status {disable | enable}   Enable/disable this anomaly.
                set log {enable | disable}   Enable/disable anomaly logging.
                set action {pass | block | proxy}   Action taken when the threshold is reached.
                        pass   Allow traffic but record a log message if logging is enabled.
                        block  Block traffic if this anomaly is found.
                        proxy  Use a proxy to control the traffic flow.
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
                set threshold {integer}   Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. range[1-2147483647]
                set threshold(default) {integer}   Number of detected instances per minute which triggers action (1 - 2147483647, default = 1000). Note that each anomaly has a different threshold value assigned to it. range[0-4294967295]
            next
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning of connections to Botnet servers.
                disable  Do not scan connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set max-packet-count {integer}   Maximum packet count (1 - 1000000, default = 10000). range[1-1000000]
    next
end

Additional information

The following section is for those options that require additional explanation.