CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
cifs
- cifs domain-controller
- cifs profile
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control client
- endpoint-control fctems
- endpoint-control settings
extender-controller
- extender-controller extender
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall consolidated policy
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ipv6-eh-filter
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy6
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall ttl-policy
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller 802-1X-settings
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller flow-tracking
- switch-controller global
- switch-controller igmp-snooping
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller mac-sync-settings
- switch-controller managed-switch
- switch-controller network-monitor-settings
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller quarantine
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy captive-portal
- switch-controller security-policy local-access
- switch-controller sflow
- switch-controller snmp-community
- switch-controller snmp-sysinfo
- switch-controller snmp-trap-threshold
- switch-controller snmp-user
- switch-controller storm-control
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-log
- switch-controller switch-profile
- switch-controller system
- switch-controller traffic-policy
- switch-controller traffic-sniffer
- switch-controller virtual-port-pool
- switch-controller vlan
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fm
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system management-tunnel
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system physical-switch
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg device-detection-portal
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg nntp
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system storage
- system stp
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-switch
- system virtual-wan-link
- system virtual-wire-pair
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user device
- user device-group
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user password-policy
- user peer
- user peergrp
- user pop3
- user quarantine
- user radius
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.2.1 CLI Reference

6.2.1

system snmp user

SNMP user configuration.

  config system snmp user
      Description: SNMP user configuration.
      edit <name>
          set status [enable|disable]
          set trap-status [enable|disable]
          set trap-lport {integer}
          set trap-rport {integer}
          set queries [enable|disable]
          set query-port {integer}
          set notify-hosts {ipv4-address}
          set notify-hosts6 {ipv6-address}
          set source-ip {ipv4-address}
          set source-ipv6 {ipv6-address}
          set ha-direct [enable|disable]
          set events {option1}, {option2}, ...
          set security-level [no-auth-no-priv|auth-no-priv|...]
          set auth-proto [md5|sha]
          set auth-pwd {password}
          set priv-proto [aes|des|...]
          set priv-pwd {password}
      next
  end

config system snmp user

Parameter Name	Description	Type	Size
status	Enable/disable this SNMP user. enable: Enable setting. disable: Disable setting.	option	-
trap-status	Enable/disable traps for this SNMP user. enable: Enable setting. disable: Disable setting.	option	-
trap-lport	SNMPv3 local trap port (default = 162).	integer	Minimum value: 0 Maximum value: 65535
trap-rport	SNMPv3 trap remote port (default = 162).	integer	Minimum value: 0 Maximum value: 65535
queries	Enable/disable SNMP queries for this user. enable: Enable setting. disable: Disable setting.	option	-
query-port	SNMPv3 query port (default = 161).	integer	Minimum value: 0 Maximum value: 65535
notify-hosts	SNMP managers to send notifications (traps) to.	ipv4-address	Not Specified
notify-hosts6	IPv6 SNMP managers to send notifications (traps) to.	ipv6-address	Not Specified
source-ip	Source IP for SNMP trap.	ipv4-address	Not Specified
source-ipv6	Source IPv6 for SNMP trap.	ipv6-address	Not Specified
ha-direct	Enable/disable direct management of HA cluster members. enable: Enable setting. disable: Disable setting.	option	-
events	SNMP notifications (traps) to send. cpu-high: Send a trap when CPU usage is high. mem-low: Send a trap when available memory is low. log-full: Send a trap when log disk space becomes low. intf-ip: Send a trap when an interface IP address is changed. vpn-tun-up: Send a trap when a VPN tunnel comes up. vpn-tun-down: Send a trap when a VPN tunnel goes down. ha-switch: Send a trap after an HA failover when the backup unit has taken over. ha-hb-failure: Send a trap when HA heartbeats are not received. ips-signature: Send a trap when IPS detects an attack. ips-anomaly: Send a trap when IPS finds an anomaly. av-virus: Send a trap when AntiVirus finds a virus. av-oversize: Send a trap when AntiVirus finds an oversized file. av-pattern: Send a trap when AntiVirus finds file matching pattern. av-fragmented: Send a trap when AntiVirus finds a fragmented file. fm-if-change: Send a trap when FortiManager interface changes. Send a FortiManager trap. fm-conf-change: Send a trap when a configuration change is made by a FortiGate administrator and the FortiGate is managed by FortiManager. bgp-established: Send a trap when a BGP FSM transitions to the established state. bgp-backward-transition: Send a trap when a BGP FSM goes from a high numbered state to a lower numbered state. ha-member-up: Send a trap when an HA cluster member goes up. ha-member-down: Send a trap when an HA cluster member goes down. ent-conf-change: Send a trap when an entity MIB change occurs (RFC4133). av-conserve: Send a trap when the FortiGate enters conserve mode. av-bypass: Send a trap when the FortiGate enters bypass mode. av-oversize-passed: Send a trap when AntiVirus passes an oversized file. av-oversize-blocked: Send a trap when AntiVirus blocks an oversized file. ips-pkg-update: Send a trap when the IPS signature database or engine is updated. ips-fail-open: Send a trap when the IPS network buffer is full. faz-disconnect: Send a trap when a FortiAnalyzer disconnects from the FortiGate. wc-ap-up: Send a trap when a managed FortiAP comes up. wc-ap-down: Send a trap when a managed FortiAP goes down. fswctl-session-up: Send a trap when a FortiSwitch controller session comes up. fswctl-session-down: Send a trap when a FortiSwitch controller session goes down. load-balance-real-server-down: Send a trap when a server load balance real server goes down. device-new: Send a trap when a new device is found. per-cpu-high: Send a trap when per-CPU usage is high.	option	-
security-level	Security level for message authentication and encryption. no-auth-no-priv: Message with no authentication and no privacy (encryption). auth-no-priv: Message with authentication but no privacy (encryption). auth-priv: Message with authentication and privacy (encryption).	option	-
auth-proto	Authentication protocol. md5: HMAC-MD5-96 authentication protocol. sha: HMAC-SHA-96 authentication protocol.	option	-
auth-pwd	Password for authentication protocol.	password	Not Specified
priv-proto	Privacy (encryption) protocol. aes: CFB128-AES-128 symmetric encryption protocol. des: CBC-DES symmetric encryption protocol. aes256: CFB128-AES-256 symmetric encryption protocol. aes256cisco: CFB128-AES-256 symmetric encryption protocol compatible with CISCO.	option	-
priv-pwd	Password for privacy (encryption) protocol.	password	Not Specified

SNMP user configuration.

config system snmp user Description: SNMP user configuration. edit <name> set status [enable|disable] set trap-status [enable|disable] set trap-lport {integer} set trap-rport {integer} set queries [enable|disable] set query-port {integer} set notify-hosts {ipv4-address} set notify-hosts6 {ipv6-address} set source-ip {ipv4-address} set source-ipv6 {ipv6-address} set ha-direct [enable|disable] set events {option1}, {option2}, ... set security-level [no-auth-no-priv|auth-no-priv|...] set auth-proto [md5|sha] set auth-pwd {password} set priv-proto [aes|des|...] set priv-pwd {password} next end

config system snmp user

Parameter Name

Description

Type

Size

status

Enable/disable this SNMP user.
enable: Enable setting.
disable: Disable setting.

option

trap-status

Enable/disable traps for this SNMP user.
enable: Enable setting.
disable: Disable setting.

option

trap-lport

SNMPv3 local trap port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

trap-rport

SNMPv3 trap remote port (default = 162).

integer

Minimum value: 0 Maximum value: 65535

queries

Enable/disable SNMP queries for this user.
enable: Enable setting.
disable: Disable setting.

option

query-port

SNMPv3 query port (default = 161).

integer

Minimum value: 0 Maximum value: 65535

notify-hosts

SNMP managers to send notifications (traps) to.

ipv4-address

Not Specified

notify-hosts6

IPv6 SNMP managers to send notifications (traps) to.

ipv6-address

Not Specified

source-ip

Source IP for SNMP trap.

ipv4-address

Not Specified

source-ipv6

Source IPv6 for SNMP trap.

ipv6-address

Not Specified

ha-direct

Enable/disable direct management of HA cluster members.
enable: Enable setting.
disable: Disable setting.

option

events

SNMP notifications (traps) to send.
cpu-high: Send a trap when CPU usage is high.
mem-low: Send a trap when available memory is low.
log-full: Send a trap when log disk space becomes low.
intf-ip: Send a trap when an interface IP address is changed.
vpn-tun-up: Send a trap when a VPN tunnel comes up.
vpn-tun-down: Send a trap when a VPN tunnel goes down.
ha-switch: Send a trap after an HA failover when the backup unit has taken over.
ha-hb-failure: Send a trap when HA heartbeats are not received.
ips-signature: Send a trap when IPS detects an attack.
ips-anomaly: Send a trap when IPS finds an anomaly.
av-virus: Send a trap when AntiVirus finds a virus.
av-oversize: Send a trap when AntiVirus finds an oversized file.
av-pattern: Send a trap when AntiVirus finds file matching pattern.
av-fragmented: Send a trap when AntiVirus finds a fragmented file.
fm-if-change: Send a trap when FortiManager interface changes. Send a FortiManager trap.
fm-conf-change: Send a trap when a configuration change is made by a FortiGate administrator and the FortiGate is managed by FortiManager.
bgp-established: Send a trap when a BGP FSM transitions to the established state.
bgp-backward-transition: Send a trap when a BGP FSM goes from a high numbered state to a lower numbered state.
ha-member-up: Send a trap when an HA cluster member goes up.
ha-member-down: Send a trap when an HA cluster member goes down.
ent-conf-change: Send a trap when an entity MIB change occurs (RFC4133).
av-conserve: Send a trap when the FortiGate enters conserve mode.
av-bypass: Send a trap when the FortiGate enters bypass mode.
av-oversize-passed: Send a trap when AntiVirus passes an oversized file.
av-oversize-blocked: Send a trap when AntiVirus blocks an oversized file.
ips-pkg-update: Send a trap when the IPS signature database or engine is updated.
ips-fail-open: Send a trap when the IPS network buffer is full.
faz-disconnect: Send a trap when a FortiAnalyzer disconnects from the FortiGate.
wc-ap-up: Send a trap when a managed FortiAP comes up.
wc-ap-down: Send a trap when a managed FortiAP goes down.
fswctl-session-up: Send a trap when a FortiSwitch controller session comes up.
fswctl-session-down: Send a trap when a FortiSwitch controller session goes down.
load-balance-real-server-down: Send a trap when a server load balance real server goes down.
device-new: Send a trap when a new device is found.
per-cpu-high: Send a trap when per-CPU usage is high.

option

security-level

Security level for message authentication and encryption.
no-auth-no-priv: Message with no authentication and no privacy (encryption).
auth-no-priv: Message with authentication but no privacy (encryption).
auth-priv: Message with authentication and privacy (encryption).

option

auth-proto

Authentication protocol.
md5: HMAC-MD5-96 authentication protocol.
sha: HMAC-SHA-96 authentication protocol.

option

auth-pwd

Password for authentication protocol.

password

Not Specified

priv-proto

Privacy (encryption) protocol.
aes: CFB128-AES-128 symmetric encryption protocol.
des: CBC-DES symmetric encryption protocol.
aes256: CFB128-AES-256 symmetric encryption protocol.
aes256cisco: CFB128-AES-256 symmetric encryption protocol compatible with CISCO.

option

priv-pwd

Password for privacy (encryption) protocol.

password

Not Specified