Fortinet Document Library
CLI Reference
Version: 6.2.1
Configure application control lists.

  config application list
      Description: Configure application control lists.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set extended-log [enable|disable]
          set other-application-action [pass|block]
          set app-replacemsg [disable|enable]
          set other-application-log [disable|enable]
          set enforce-default-app-port [disable|enable]
          set unknown-application-action [pass|block]
          set unknown-application-log [disable|enable]
          set p2p-black-list {option1}, {option2}, ...
          set deep-app-inspection [disable|enable]
          set options {option1}, {option2}, ...
          config entries
              Description: Application list entries.
              edit <id>
                  set risk <level1>, <level2>, ...
                  set category <id1>, <id2>, ...
                  set sub-category <id1>, <id2>, ...
                  set application <id1>, <id2>, ...
                  set protocols {user}
                  set vendor {user}
                  set technology {user}
                  set behavior {user}
                  set popularity {option1}, {option2}, ...
                  config parameters
                      Description: Application parameters.
                      edit <id>
                          set value {string}
                      next
                  end
                  set action [pass|block|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  set session-ttl {integer}
                  set shaper {string}
                  set shaper-reverse {string}
                  set per-ip-shaper {string}
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
          set control-default-network-services [disable|enable]
          config default-network-services
              Description: Default network service entries.
              edit <id>
                  set port {integer}
                  set services {option1}, {option2}, ...
                  set violation-action [pass|monitor|...]
              next
          end
      next
  end

config application list

comment
    Description: Comments.
    Type: var-string
    Size: Maximum length: 255
replacemsg-group
    Description: Replacement message group.
    Type: string
    Size: Maximum length: 35
extended-log
    Description: Enable/disable extended logging.
        enable: Enable setting.
        disable: Disable setting.
    Type: option
other-application-action
    Description: Action for other applications.
        pass: Allow sessions matching an application in this application list.
        block: Block sessions matching an application in this application list.
    Type: option
app-replacemsg
    Description: Enable/disable replacement messages for blocked applications.
        disable: Disable replacement messages for blocked applications.
        enable: Enable replacement messages for blocked applications.
    Type: option
other-application-log
    Description: Enable/disable logging for other applications.
        disable: Disable logging for other applications.
        enable: Enable logging for other applications.
    Type: option
enforce-default-app-port
    Description: Enable/disable default application port enforcement for allowed applications.
        disable: Disable default application port enforcement.
        enable: Enable default application port enforcement.
    Type: option
unknown-application-action
    Description: Pass or block traffic from unknown applications.
        pass: Pass or allow unknown applications.
        block: Drop or block unknown applications.
    Type: option
unknown-application-log
    Description: Enable/disable logging for unknown applications.
        disable: Disable logging for unknown applications.
        enable: Enable logging for unknown applications.
    Type: option
p2p-black-list
    Description: P2P applications to be blacklisted.
        skype: Skype.
        edonkey: eDonkey.
        bittorrent: BitTorrent.
    Type: option
deep-app-inspection
    Description: Enable/disable deep application inspection.
        disable: Disable deep application inspection.
        enable: Enable deep application inspection.
    Type: option
options
    Description: Basic application protocol signatures allowed by default.
        allow-dns: Allow DNS.
        allow-icmp: Allow ICMP.
        allow-http: Allow generic HTTP web browsing.
        allow-ssl: Allow generic SSL communication.
        allow-quic: Allow QUIC.
    Type: option
control-default-network-services
    Description: Enable/disable enforcement of protocols over selected ports.
        disable: Disable protocol enforcement over selected ports.
        enable: Enable protocol enforcement over selected ports.
    Type: option

config entries

risk <level>
    Description: Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295
category <id>
    Description: Category ID list; each <id> is an application category ID.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295
sub-category <id>
    Description: Application sub-category ID list; each <id> is an application sub-category ID.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295
application <id>
    Description: ID of allowed applications; each <id> is an application ID.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295
protocols
    Description: Application protocol filter.
    Type: user
    Size: Not Specified
vendor
    Description: Application vendor filter.
    Type: user
    Size: Not Specified
technology
    Description: Application technology filter.
    Type: user
    Size: Not Specified
behavior
    Description: Application behavior filter.
    Type: user
    Size: Not Specified
popularity
    Description: Application popularity filter (1 - 5, from least to most popular).
        1: Popularity level 1.
        2: Popularity level 2.
        3: Popularity level 3.
        4: Popularity level 4.
        5: Popularity level 5.
    Type: option
action
    Description: Pass or block traffic, or reset the connection, for traffic from this application.
        pass: Pass or allow matching traffic.
        block: Block or drop matching traffic.
        reset: Reset sessions for matching traffic.
    Type: option
log
    Description: Enable/disable logging for this application list.
        disable: Disable logging.
        enable: Enable logging.
    Type: option
log-packet
    Description: Enable/disable packet logging.
        disable: Disable packet logging.
        enable: Enable packet logging.
    Type: option
rate-count
    Description: Count of the rate.
    Type: integer
    Size: Minimum value: 0 Maximum value: 65535
rate-duration
    Description: Duration (sec) of the rate.
    Type: integer
    Size: Minimum value: 1 Maximum value: 65535
rate-mode
    Description: Rate limit mode.
        periodical: Allow the configured number of packets every rate-duration.
        continuous: Block packets once the rate is reached.
    Type: option
rate-track
    Description: Track the packet protocol field.
        none: None.
        src-ip: Source IP.
        dest-ip: Destination IP.
        dhcp-client-mac: DHCP client MAC address.
        dns-domain: DNS domain.
    Type: option
session-ttl
    Description: Session TTL (0 = default).
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295
shaper
    Description: Traffic shaper.
    Type: string
    Size: Maximum length: 35
shaper-reverse
    Description: Reverse traffic shaper.
    Type: string
    Size: Maximum length: 35
per-ip-shaper
    Description: Per-IP traffic shaper.
    Type: string
    Size: Maximum length: 35
quarantine
    Description: Quarantine method.
        none: Quarantine is disabled.
        attacker: Block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    Type: option
quarantine-expiry
    Description: Duration of quarantine (format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
    Type: user
    Size: Not Specified
quarantine-log
    Description: Enable/disable quarantine logging.
        disable: Disable quarantine logging.
        enable: Enable quarantine logging.
    Type: option

config parameters

value
    Description: Parameter value.
    Type: string
    Size: Maximum length: 63

config default-network-services

port
    Description: Port number.
    Type: integer
    Size: Minimum value: 0 Maximum value: 65535
services
    Description: Network protocols.
        http: HTTP.
        ssh: SSH.
        telnet: TELNET.
        ftp: FTP.
        dns: DNS.
        smtp: SMTP.
        pop3: POP3.
        imap: IMAP.
        snmp: SNMP.
        nntp: NNTP.
        https: HTTPS.
    Type: option
violation-action
    Description: Action for protocols not whitelisted under the selected port.
        pass: Allow protocols not whitelisted under the selected port.
        monitor: Monitor protocols not whitelisted under the selected port.
        block: Block protocols not whitelisted under the selected port.
    Type: option
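As an added example (not Fortinet's code and not part of this reference), the Python below parses the config/edit/set/next/end grammar shown above into nested dictionaries and checks one application list against the constraints stated in the tables: the list-level actions and logging for unknown and other applications, enforce-default-app-port and control-default-network-services, per-entry logging, the rate-duration range (1 - 65535), and the quarantine-expiry format and range (###d##h##m, 1m to 364d23h59m, only meaningful with quarantine set to attacker). The sample configuration is constructed, not captured from a device, and it is assumed that multi-value settings such as risk are space-separated on the CLI.

```python
"""Check a FortiOS 'config application list' block against the constraints in the
tables on this page.  Added example, not Fortinet code; the sample config is constructed."""
import re
import shlex

# Constructed sample (not from a device); assumes multi-value settings are space-separated.
SAMPLE_CONFIG = """\
config application list
    edit "branch-appctrl"
        set other-application-action pass
        set unknown-application-action pass
        set unknown-application-log disable
        set enforce-default-app-port disable
        config entries
            edit 1
                set risk 4 5
                set action block
                set log enable
            next
            edit 2
                set category 6
                set action pass
                set rate-duration 0
                set quarantine attacker
                set quarantine-expiry 400d
            next
        end
        set control-default-network-services disable
    next
end
"""


def parse_fortios_block(text):
    """Parse config/edit/set/next/end text into {table: {edit_key: {setting: [values], nested_table: {...}}}}."""
    root = current = {}
    stack = []                        # (parent container, keyword that closes the open block)
    for ln in text.splitlines():
        w = shlex.split(ln)           # shlex strips the quotes around edit "name"
        if not w:
            continue
        if w[0] in ("config", "edit"):
            child = current.setdefault(" ".join(w[1:]), {})
            stack.append((current, "end" if w[0] == "config" else "next"))
            current = child
        elif w[0] == "set":
            current[w[1]] = w[2:]
        elif w[0] in ("next", "end"):
            if not stack or stack[-1][1] != w[0]:
                raise ValueError(f"unexpected {w[0]!r}: {ln.strip()}")
            current, _ = stack.pop()
        else:
            raise ValueError(f"unrecognised line: {ln.strip()}")
    if stack:
        raise ValueError("unterminated block: missing 'next' or 'end'")
    return root


EXPIRY_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$")
EXPIRY_MAX = 364 * 1440 + 23 * 60 + 59          # 364d23h59m expressed in minutes


def quarantine_expiry_minutes(value):
    """Minutes for a ###d##h##m string, or None if malformed or outside 1m..364d23h59m."""
    m = EXPIRY_RE.match(value or "")
    if not value or not m:
        return None
    d, h, mi = (int(g) if g else 0 for g in m.groups())
    total = d * 1440 + h * 60 + mi
    return total if 1 <= total <= EXPIRY_MAX else None


# (setting, the strict value this page offers, what the other value leaves open)
LIST_CHECKS = (
    ("unknown-application-action", "block", "unknown applications are passed"),
    ("other-application-action", "block", "applications outside the entries are passed"),
    ("unknown-application-log", "enable", "unknown applications are not logged"),
    ("enforce-default-app-port", "enable", "allowed applications may use non-default ports"),
    ("control-default-network-services", "enable", "no protocol enforcement on selected ports"),
)


def _first(d, key):
    return d[key][0] if d.get(key) else None      # first value of a setting, None if absent


def lint_application_list(body):
    """Findings for one parsed list; an empty list means every check passed."""
    findings = [f"{k} is not {v}: {why}" for k, v, why in LIST_CHECKS if _first(body, k) != v]
    for eid, entry in body.get("entries", {}).items():
        if _first(entry, "log") != "enable":
            findings.append(f"entry {eid}: log is not enabled")
        if "rate-duration" in entry and not 1 <= int(_first(entry, "rate-duration")) <= 65535:
            findings.append(f"entry {eid}: rate-duration must be 1-65535 seconds")
        expiry = _first(entry, "quarantine-expiry")
        if expiry is not None and _first(entry, "quarantine") != "attacker":
            findings.append(f"entry {eid}: quarantine-expiry requires quarantine attacker")
        if expiry is not None and quarantine_expiry_minutes(expiry) is None:
            findings.append(f"entry {eid}: quarantine-expiry {expiry!r} is outside 1m..364d23h59m")
    return findings


if __name__ == "__main__":
    for name, body in parse_fortios_block(SAMPLE_CONFIG)["application list"].items():
        print(f"application list {name!r}:", *lint_application_list(body), sep="\n  - ")
```

The checker treats an absent setting the same as the non-strict value, because this page documents the accepted values but not the factory defaults; a list that relies on defaults therefore shows up in the findings until the setting is made explicit. Range problems (rate-duration, quarantine-expiry) are reported rather than rewritten, since the correct value is an operator decision.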
