CLI Reference

firewall sniffer

Configure sniffer.

  config firewall sniffer
      Description: Configure sniffer.
      edit <id>
          set status [enable|disable]
          set logtraffic [all|utm|...]
          set ipv6 [enable|disable]
          set non-ip [enable|disable]
          set interface {string}
          set host {string}
          set port {string}
          set protocol {string}
          set vlan {string}
          set application-list-status [enable|disable]
          set application-list {string}
          set ips-sensor-status [enable|disable]
          set ips-sensor {string}
          set dsri [enable|disable]
          set av-profile-status [enable|disable]
          set av-profile {string}
          set webfilter-profile-status [enable|disable]
          set webfilter-profile {string}
          set emailfilter-profile-status [enable|disable]
          set emailfilter-profile {string}
          set dlp-sensor-status [enable|disable]
          set dlp-sensor {string}
          set ips-dos-status [enable|disable]
          config anomaly
              Description: Configuration method to edit Denial of Service (DoS) anomaly settings.
              edit <name>
                  set status [disable|enable]
                  set log [enable|disable]
                  set action [pass|block]
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
                  set threshold {integer}
                  set threshold(default) {integer}
              next
          end
          set max-packet-count {integer}
      next
  end

config firewall sniffer

Parameter Name Description Type Size
status Enable/disable the active status of the sniffer.
enable: Enable sniffer status.
disable: Disable sniffer status.
option -
logtraffic Either log all sessions, only sessions that have a security profile applied, or disable all logging for this policy.
all: Log all sessions accepted or denied by this policy.
utm: Log traffic that has a security profile applied to it.
disable: Disable all logging for this policy.
option -
ipv6 Enable/disable sniffing IPv6 packets.
enable: Enable sniffer for IPv6 packets.
disable: Disable sniffer for IPv6 packets.
option -
non-ip Enable/disable sniffing non-IP packets.
enable: Enable sniffer for non-IP packets.
disable: Disable sniffer for non-IP packets.
option -
interface Interface name that traffic sniffing will take place on. string Maximum length: 35
host Hosts to filter for in sniffer traffic (Format examples: 1.1.1.1, 2.2.2.0/24, 3.3.3.3/255.255.255.0, 4.4.4.0-4.4.4.240). string Maximum length: 63
port Ports to sniff (Format examples: 10, :20, 30:40, 50-, 100-200). string Maximum length: 63
protocol Integer value for the protocol type as defined by IANA (0 - 255). string Maximum length: 63
vlan List of VLANs to sniff. string Maximum length: 63
application-list-status Enable/disable application control profile.
enable: Enable setting.
disable: Disable setting.
option -
application-list Name of an existing application list. string Maximum length: 35
ips-sensor-status Enable/disable IPS sensor.
enable: Enable setting.
disable: Disable setting.
option -
ips-sensor Name of an existing IPS sensor. string Maximum length: 35
dsri Enable/disable DSRI.
enable: Enable DSRI.
disable: Disable DSRI.
option -
av-profile-status Enable/disable antivirus profile.
enable: Enable setting.
disable: Disable setting.
option -
av-profile Name of an existing antivirus profile. string Maximum length: 35
webfilter-profile-status Enable/disable web filter profile.
enable: Enable setting.
disable: Disable setting.
option -
webfilter-profile Name of an existing web filter profile. string Maximum length: 35
emailfilter-profile-status Enable/disable email filter profile.
enable: Enable setting.
disable: Disable setting.
option -
emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
dlp-sensor-status Enable/disable DLP sensor.
enable: Enable setting.
disable: Disable setting.
option -
dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
ips-dos-status Enable/disable IPS DoS anomaly detection.
enable: Enable setting.
disable: Disable setting.
option -
max-packet-count Maximum packet count (1 - 10000, default = 4000). integer Minimum value: 1 Maximum value: 10000

config anomaly

Parameter Name Description Type Size
status Enable/disable this anomaly.
disable: Disable this status.
enable: Enable this status.
option -
log Enable/disable anomaly logging.
enable: Enable anomaly logging.
disable: Disable anomaly logging.
option -
action Action taken when the threshold is reached.
pass: Allow traffic but record a log message if logging is enabled.
block: Block traffic if this anomaly is found.
option -
quarantine Quarantine method.
none: Quarantine is disabled.
attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
option -
quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
quarantine-log Enable/disable quarantine logging.
disable: Disable quarantine logging.
enable: Enable quarantine logging.
option -
threshold Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. integer Minimum value: 1 Maximum value: 2147483647
threshold(default) Number of detected instances per minute which triggers action (1 - 2147483647, default = 1000). Note that each anomaly has a different threshold value assigned to it. integer Minimum value: 0 Maximum value: 4294967295
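As an added illustration (not Fortinet's code and not part of this reference), the following Python validator checks the host, port and quarantine-expiry string formats that the tables above document, and the rule that quarantine-expiry requires quarantine set to attacker. The accepted grammar is assumed from the format examples given in the tables; the 65535 upper bound for open-ended port specs is also an assumption.

```python
import ipaddress
import re
# Constructed validators for the string formats this page documents (host, port,
# quarantine-expiry); not Fortinet code, grammar assumed from the "Format examples".
HOST_RANGE = re.compile(r"^([\d.]+)-([\d.]+)$")
PORT_SPEC = re.compile(r"^(\d*)(?:([:-])(\d*))?$")
EXPIRY = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$")
MAX_EXPIRY_MIN = 364 * 1440 + 23 * 60 + 59  # 364d23h59m expressed in minutes

def valid_host(spec: str) -> bool:
    """Accept 1.1.1.1, 2.2.2.0/24, 3.3.3.3/255.255.255.0 and 4.4.4.0-4.4.4.240."""
    try:
        m = HOST_RANGE.match(spec)
        if m:  # dashed range: both ends must parse and be ordered
            lo, hi = (ipaddress.IPv4Address(x) for x in m.groups())
            return lo <= hi
        ipaddress.IPv4Network(spec, strict=False)  # bare IP, /prefix or /netmask
        return 0 < len(spec) <= 63  # Maximum length: 63 per the table
    except ValueError:
        return False

def port_range(spec: str):
    """Return (low, high) for 10, :20, 30:40, 50- or 100-200; None if malformed."""
    m = PORT_SPEC.match(spec) if 0 < len(spec) <= 63 else None
    if not m or not any(m.group(1, 3)):  # "", ":" and "-" name no port at all
        return None
    a, sep, b = m.groups()
    lo = int(a) if a else 0                       # ":20" = everything up to 20
    hi = int(b) if b else (65535 if sep else lo)  # "50-" = 50 and above (assumed)
    return (lo, hi) if lo <= hi <= 65535 else None

def expiry_minutes(spec: str):
    """Parse ###d##h##m (min 1m, max 364d23h59m) into minutes; None if invalid."""
    m = EXPIRY.match(spec)
    if not spec or not m:
        return None
    d, h, mi = (int(x) if x else 0 for x in m.groups())
    total = d * 1440 + h * 60 + mi
    return total if 1 <= total <= MAX_EXPIRY_MIN else None

def anomaly_problems(entry: dict) -> list:
    """Constraint violations in one config anomaly entry (empty list = OK)."""
    problems = []
    expiry = entry.get("quarantine-expiry")
    if expiry is not None and entry.get("quarantine") != "attacker":
        problems.append("quarantine-expiry requires quarantine set to attacker")
    if expiry is not None and expiry_minutes(expiry) is None:
        problems.append("quarantine-expiry must be ###d##h##m, 1m to 364d23h59m")
    return problems
```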
