

firewall vip

Configure virtual IP for IPv4.

  config firewall vip
      Description: Configure virtual IP for IPv4.
      edit <name>
          set id {integer}
          set uuid {uuid}
          set comment {var-string}
          set type [static-nat|load-balance|...]
          set dns-mapping-ttl {integer}
          set ldb-method [static|round-robin|...]
          set src-filter <range1>, <range2>, ...
          set service <name1>, <name2>, ...
          set extip {user}
          set extaddr <name1>, <name2>, ...
          set mappedip <range1>, <range2>, ...
          set mapped-addr {string}
          set extintf {string}
          set arp-reply [disable|enable]
          set server-type [http|https|...]
          set http-redirect [enable|disable]
          set persistence [none|http-cookie|...]
          set nat-source-vip [disable|enable]
          set portforward [disable|enable]
          set protocol [tcp|udp|...]
          set extport {user}
          set mappedport {user}
          set gratuitous-arp-interval {integer}
          set srcintf-filter <interface-name1>, <interface-name2>, ...
          set portmapping-type [1-to-1|m-to-n]
          config realservers
              Description: Select the real servers that this server load balancing VIP will distribute traffic to.
              edit <id>
                  set ip {ipv4-address-any}
                  set port {integer}
                  set status [active|standby|...]
                  set weight {integer}
                  set holddown-interval {integer}
                  set healthcheck [disable|enable|...]
                  set http-host {string}
                  set max-connections {integer}
                  set monitor {string}
                  set client-ip {user}
              next
          end
          set http-cookie-domain-from-host [disable|enable]
          set http-cookie-domain {string}
          set http-cookie-path {string}
          set http-cookie-generation {integer}
          set http-cookie-age {integer}
          set http-cookie-share [disable|same-ip]
          set https-cookie-secure [disable|enable]
          set http-multiplex [enable|disable]
          set http-ip-header [enable|disable]
          set http-ip-header-name {string}
          set outlook-web-access [disable|enable]
          set weblogic-server [disable|enable]
          set websphere-server [disable|enable]
          set ssl-mode [half|full]
          set ssl-certificate {string}
          set ssl-dh-bits [768|1024|...]
          set ssl-algorithm [high|medium|...]
          config ssl-cipher-suites
              Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
              edit <priority>
                  set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                  set versions {option1}, {option2}, ...
              next
          end
          set ssl-server-algorithm [high|medium|...]
          config ssl-server-cipher-suites
              Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
              edit <priority>
                  set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                  set versions {option1}, {option2}, ...
              next
          end
          set ssl-pfs [require|deny|...]
          set ssl-min-version [ssl-3.0|tls-1.0|...]
          set ssl-max-version [ssl-3.0|tls-1.0|...]
          set ssl-server-min-version [ssl-3.0|tls-1.0|...]
          set ssl-server-max-version [ssl-3.0|tls-1.0|...]
          set ssl-send-empty-frags [enable|disable]
          set ssl-client-fallback [disable|enable]
          set ssl-client-renegotiation [allow|deny|...]
          set ssl-client-session-state-type [disable|time|...]
          set ssl-client-session-state-timeout {integer}
          set ssl-client-session-state-max {integer}
          set ssl-client-rekey-count {integer}
          set ssl-server-session-state-type [disable|time|...]
          set ssl-server-session-state-timeout {integer}
          set ssl-server-session-state-max {integer}
          set ssl-http-location-conversion [enable|disable]
          set ssl-http-match-host [enable|disable]
          set ssl-hpkp [disable|enable|...]
          set ssl-hpkp-primary {string}
          set ssl-hpkp-backup {string}
          set ssl-hpkp-age {integer}
          set ssl-hpkp-report-uri {var-string}
          set ssl-hpkp-include-subdomains [disable|enable]
          set ssl-hsts [disable|enable]
          set ssl-hsts-age {integer}
          set ssl-hsts-include-subdomains [disable|enable]
          set monitor <name1>, <name2>, ...
          set max-embryonic-connections {integer}
          set color {integer}
      next
  end

config firewall vip

Parameter Name Description Type Size
id Custom defined ID. integer Minimum value: 0 Maximum value: 65535
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
comment Comment. var-string Maximum length: 255
type Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
static-nat: Static NAT.
load-balance: Load balance.
server-load-balance: Server load balance.
dns-translation: DNS translation.
fqdn: Fully qualified domain name.
option -
dns-mapping-ttl DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0). integer Minimum value: 0 Maximum value: 604800
ldb-method Method used to distribute sessions to real servers.
static: Distribute to server based on source IP.
round-robin: Distribute to server based on round robin order.
weighted: Distribute to server based on weight.
least-session: Distribute to server with lowest session count.
least-rtt: Distribute to server with lowest Round-Trip-Time.
first-alive: Distribute to the first server that is alive.
http-host: Distribute to server based on host field in HTTP header.
option -
src-filter <range> Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces.
Source-filter range.
string Maximum length: 79
service <name> Service name.
Service name.
string Maximum length: 79
extip IP address or address range on the external interface that you want to map to an address or address range on the destination network. user Not Specified
extaddr <name> External FQDN address name.
Address name.
string Maximum length: 79
mappedip <range> IP address or address range on the destination network to which the external IP address is mapped.
Mapped IP range.
string Maximum length: 79
mapped-addr Mapped FQDN address name. string Maximum length: 79
extintf Interface connected to the source network that receives the packets that will be forwarded to the destination network. string Maximum length: 35
arp-reply Enable to respond to ARP requests for this virtual IP address. Enabled by default.
disable: Disable ARP reply.
enable: Enable ARP reply.
option -
server-type Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
http: HTTP
https: HTTPS
imaps: IMAPS
pop3s: POP3S
smtps: SMTPS
ssl: SSL
tcp: TCP
udp: UDP
ip: IP
option -
http-redirect Enable/disable redirection of HTTP to HTTPS.
enable: Enable redirection of HTTP to HTTPS.
disable: Disable redirection of HTTP to HTTPS.
option -
persistence Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
none: None.
http-cookie: HTTP cookie.
ssl-session-id: SSL session ID.
option -
nat-source-vip Enable/disable forcing the source NAT mapped IP to the external IP for all traffic.
disable: Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.
enable: Force the source NAT mapped IP to the external IP for all traffic.
option -
portforward Enable/disable port forwarding.
disable: Disable port forward.
enable: Enable port forward.
option -
protocol Protocol to use when forwarding packets.
tcp: TCP.
udp: UDP.
sctp: SCTP.
icmp: ICMP.
option -
extport Incoming port number range that you want to map to a port number range on the destination network. user Not Specified
mappedport Port number range on the destination network to which the external port number range is mapped. user Not Specified
gratuitous-arp-interval Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable. integer Minimum value: 5 Maximum value: 8640000
srcintf-filter <interface-name> Interfaces to which the VIP applies. Separate the names with spaces.
Interface name.
string Maximum length: 79
portmapping-type Port mapping type.
1-to-1: One to one.
m-to-n: Many to many.
option -
http-cookie-domain-from-host Enable/disable use of HTTP cookie domain from host field in HTTP.
disable: Disable use of HTTP cookie domain from host field in HTTP (use http-cookie-domain setting).
enable: Enable use of HTTP cookie domain from host field in HTTP.
option -
http-cookie-domain Domain that HTTP cookie persistence should apply to. string Maximum length: 35
http-cookie-path Limit HTTP cookie persistence to the specified path. string Maximum length: 35
http-cookie-generation Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. integer Minimum value: 0 Maximum value: 4294967295
http-cookie-age Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. integer Minimum value: 0 Maximum value: 525600
http-cookie-share Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
disable: Only allow HTTP cookie to match this virtual server.
same-ip: Allow HTTP cookie to match any virtual server with same IP.
option -
https-cookie-secure Enable/disable verification that inserted HTTPS cookies are secure.
disable: Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.
enable: Mark inserted cookie as secure; the cookie can only be used for an HTTPS connection.
option -
http-multiplex Enable/disable HTTP multiplexing.
enable: Enable HTTP session multiplexing.
disable: Disable HTTP session multiplexing.
option -
http-ip-header For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
enable: Enable adding HTTP header.
disable: Disable adding HTTP header.
option -
http-ip-header-name For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. string Maximum length: 35
outlook-web-access Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
disable: Disable Outlook Web Access support.
enable: Enable Outlook Web Access support.
option -
weblogic-server Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
disable: Do not add HTTP header indicating SSL offload for WebLogic server.
enable: Add HTTP header indicating SSL offload for WebLogic server.
option -
websphere-server Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
disable: Do not add HTTP header indicating SSL offload for WebSphere server.
enable: Add HTTP header indicating SSL offload for WebSphere server.
option -
ssl-mode Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
half: Client to FortiGate SSL.
full: Client to FortiGate and FortiGate to Server SSL.
option -
ssl-certificate The name of the SSL certificate to use for SSL acceleration. string Maximum length: 35
ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
768: 768-bit Diffie-Hellman prime.
1024: 1024-bit Diffie-Hellman prime.
1536: 1536-bit Diffie-Hellman prime.
2048: 2048-bit Diffie-Hellman prime.
3072: 3072-bit Diffie-Hellman prime.
4096: 4096-bit Diffie-Hellman prime.
option -
ssl-algorithm Permitted encryption algorithms for SSL sessions according to encryption strength.
high: High encryption. Allow only AES and ChaCha.
medium: Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low: Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
custom: Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.
option -
ssl-server-algorithm Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
high: High encryption. Allow only AES and ChaCha.
medium: Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low: Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
custom: Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.
client: Use the same encryption algorithms for both client and server sessions.
option -
ssl-pfs Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
require: Allow only Diffie-Hellman cipher-suites, so PFS is applied.
deny: Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
allow: Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
option -
ssl-min-version Lowest SSL/TLS version acceptable from a client.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -
ssl-max-version Highest SSL/TLS version acceptable from a client.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -
ssl-server-min-version Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
client: Use same value as client configuration.
option -
ssl-server-max-version Highest SSL/TLS version acceptable from a server. Use the client setting by default.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
client: Use same value as client configuration.
option -
ssl-send-empty-frags Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
enable: Send empty fragments.
disable: Do not send empty fragments.
option -
ssl-client-fallback Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
disable: Disable.
enable: Enable.
option -
ssl-client-renegotiation Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
allow: Allow an SSL client to renegotiate.
deny: Abort any client initiated SSL re-negotiation attempt.
secure: Abort any client initiated SSL re-negotiation attempt that does not use RFC 5746 Secure Renegotiation.
option -
ssl-client-session-state-type How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
disable: Do not keep session states.
time: Expire session states after this many minutes.
count: Expire session states when this maximum is reached.
both: Expire session states based on time or count, whichever occurs first.
option -
ssl-client-session-state-timeout Number of minutes to keep client to FortiGate SSL session state. integer Minimum value: 1 Maximum value: 14400
ssl-client-session-state-max Maximum number of client to FortiGate SSL session states to keep. integer Minimum value: 1 Maximum value: 10000
ssl-client-rekey-count Maximum length of data in MB before triggering a client rekey (0 = disable). integer Minimum value: 200 Maximum value: 1048576
ssl-server-session-state-type How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
disable: Do not keep session states.
time: Expire session states after this many minutes.
count: Expire session states when this maximum is reached.
both: Expire session states based on time or count, whichever occurs first.
option -
ssl-server-session-state-timeout Number of minutes to keep FortiGate to Server SSL session state. integer Minimum value: 1 Maximum value: 14400
ssl-server-session-state-max Maximum number of FortiGate to Server SSL session states to keep. integer Minimum value: 1 Maximum value: 10000
ssl-http-location-conversion Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
enable: Enable HTTP location conversion.
disable: Disable HTTP location conversion.
option -
ssl-http-match-host Enable/disable HTTP host matching for location conversion.
enable: Match HTTP host in response header.
disable: Do not match HTTP host.
option -
ssl-hpkp Enable/disable including HPKP header in response.
disable: Do not add an HPKP header to each HTTP response.
enable: Add an HPKP header to each HTTP response.
report-only: Add a HPKP Report-Only header to each HTTP response.
option -
ssl-hpkp-primary Certificate to generate primary HPKP pin from. string Maximum length: 79
ssl-hpkp-backup Certificate to generate backup HPKP pin from. string Maximum length: 79
ssl-hpkp-age Number of seconds the client should honour the HPKP setting. integer Minimum value: 60 Maximum value: 157680000
ssl-hpkp-report-uri URL to report HPKP violations to. var-string Maximum length: 255
ssl-hpkp-include-subdomains Indicate that HPKP header applies to all subdomains.
disable: HPKP header does not apply to subdomains.
enable: HPKP header applies to subdomains.
option -
ssl-hsts Enable/disable including HSTS header in response.
disable: Do not add an HSTS header to each HTTP response.
enable: Add an HSTS header to each HTTP response.
option -
ssl-hsts-age Number of seconds the client should honour the HSTS setting. integer Minimum value: 60 Maximum value: 157680000
ssl-hsts-include-subdomains Indicate that HSTS header applies to all subdomains.
disable: HSTS header does not apply to subdomains.
enable: HSTS header applies to subdomains.
option -
monitor <name> Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
Health monitor name.
string Maximum length: 79
max-embryonic-connections Maximum number of incomplete connections. integer Minimum value: 0 Maximum value: 100000
color Color of icon on the GUI. integer Minimum value: 0 Maximum value: 32

config realservers

Parameter Name Description Type Size
ip IP address of the real server. ipv4-address-any Not Specified
port Port for communicating with the real server. Required if port forwarding is enabled. integer Minimum value: 1 Maximum value: 65535
status Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
active: Server status active.
standby: Server status standby.
disable: Server status disable.
option -
weight Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. integer Minimum value: 1 Maximum value: 255
holddown-interval Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. integer Minimum value: 30 Maximum value: 65535
healthcheck Enable to check the responsiveness of the real server before forwarding traffic.
disable: Disable per server health check.
enable: Enable per server health check.
vip: Use health check defined in VIP.
option -
http-host HTTP server domain name in HTTP header. string Maximum length: 63
max-connections Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. integer Minimum value: 0 Maximum value: 2147483647
monitor Name of the health check monitor to use when polling to determine a virtual server's connectivity status. string Maximum length: 79
client-ip Only clients in this IP range can connect to this real server. user Not Specified

config ssl-cipher-suites

Parameter Name Description Type Size
cipher
versions SSL/TLS versions that the cipher suite can be used with.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -

config ssl-server-cipher-suites

Parameter Name Description Type Size
cipher
versions SSL/TLS versions that the cipher suite can be used with.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -

Configure virtual IP for IPv4.

  config firewall vip
      Description: Configure virtual IP for IPv4.
      edit <name>
          set id {integer}
          set uuid {uuid}
          set comment {var-string}
          set type [static-nat|load-balance|...]
          set dns-mapping-ttl {integer}
          set ldb-method [static|round-robin|...]
          set src-filter <range1>, <range2>, ...
          set service <name1>, <name2>, ...
          set extip {user}
          set extaddr <name1>, <name2>, ...
          set mappedip <range1>, <range2>, ...
          set mapped-addr {string}
          set extintf {string}
          set arp-reply [disable|enable]
          set server-type [http|https|...]
          set http-redirect [enable|disable]
          set persistence [none|http-cookie|...]
          set nat-source-vip [disable|enable]
          set portforward [disable|enable]
          set protocol [tcp|udp|...]
          set extport {user}
          set mappedport {user}
          set gratuitous-arp-interval {integer}
          set srcintf-filter <interface-name1>, <interface-name2>, ...
          set portmapping-type [1-to-1|m-to-n]
          config realservers
              Description: Select the real servers that this server load balancing VIP will distribute traffic to.
              edit <id>
                  set ip {ipv4-address-any}
                  set port {integer}
                  set status [active|standby|...]
                  set weight {integer}
                  set holddown-interval {integer}
                  set healthcheck [disable|enable|...]
                  set http-host {string}
                  set max-connections {integer}
                  set monitor {string}
                  set client-ip {user}
              next
          end
          set http-cookie-domain-from-host [disable|enable]
          set http-cookie-domain {string}
          set http-cookie-path {string}
          set http-cookie-generation {integer}
          set http-cookie-age {integer}
          set http-cookie-share [disable|same-ip]
          set https-cookie-secure [disable|enable]
          set http-multiplex [enable|disable]
          set http-ip-header [enable|disable]
          set http-ip-header-name {string}
          set outlook-web-access [disable|enable]
          set weblogic-server [disable|enable]
          set websphere-server [disable|enable]
          set ssl-mode [half|full]
          set ssl-certificate {string}
          set ssl-dh-bits [768|1024|...]
          set ssl-algorithm [high|medium|...]
          config ssl-cipher-suites
              Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
              edit <priority>
                  set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                  set versions {option1}, {option2}, ...
              next
          end
          set ssl-server-algorithm [high|medium|...]
          config ssl-server-cipher-suites
              Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
              edit <priority>
                  set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                  set versions {option1}, {option2}, ...
              next
          end
          set ssl-pfs [require|deny|...]
          set ssl-min-version [ssl-3.0|tls-1.0|...]
          set ssl-max-version [ssl-3.0|tls-1.0|...]
          set ssl-server-min-version [ssl-3.0|tls-1.0|...]
          set ssl-server-max-version [ssl-3.0|tls-1.0|...]
          set ssl-send-empty-frags [enable|disable]
          set ssl-client-fallback [disable|enable]
          set ssl-client-renegotiation [allow|deny|...]
          set ssl-client-session-state-type [disable|time|...]
          set ssl-client-session-state-timeout {integer}
          set ssl-client-session-state-max {integer}
          set ssl-client-rekey-count {integer}
          set ssl-server-session-state-type [disable|time|...]
          set ssl-server-session-state-timeout {integer}
          set ssl-server-session-state-max {integer}
          set ssl-http-location-conversion [enable|disable]
          set ssl-http-match-host [enable|disable]
          set ssl-hpkp [disable|enable|...]
          set ssl-hpkp-primary {string}
          set ssl-hpkp-backup {string}
          set ssl-hpkp-age {integer}
          set ssl-hpkp-report-uri {var-string}
          set ssl-hpkp-include-subdomains [disable|enable]
          set ssl-hsts [disable|enable]
          set ssl-hsts-age {integer}
          set ssl-hsts-include-subdomains [disable|enable]
          set monitor <name1>, <name2>, ...
          set max-embryonic-connections {integer}
          set color {integer}
      next
  end

config firewall vip

Parameter Name Description Type Size
id Custom defined ID. integer Minimum value: 0 Maximum value: 65535
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
comment Comment. var-string Maximum length: 255
type Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
static-nat: Static NAT.
load-balance: Load balance.
server-load-balance: Server load balance.
dns-translation: DNS translation.
fqdn: Fully qualified domain name.
option -
dns-mapping-ttl DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0). integer Minimum value: 0 Maximum value: 604800
ldb-method Method used to distribute sessions to real servers.
static: Distribute to server based on source IP.
round-robin: Distribute to servers in round-robin order.
weighted: Distribute to server based on weight.
least-session: Distribute to server with lowest session count.
least-rtt: Distribute to server with lowest Round-Trip-Time.
first-alive: Distribute to the first server that is alive.
http-host: Distribute to server based on host field in HTTP header.
option -
src-filter <range> Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces.
Source-filter range.
string Maximum length: 79
service <name> Service name.
Service name.
string Maximum length: 79
extip IP address or address range on the external interface that you want to map to an address or address range on the destination network. user Not Specified
extaddr <name> External FQDN address name.
Address name.
string Maximum length: 79
mappedip <range> IP address or address range on the destination network to which the external IP address is mapped.
Mapped IP range.
string Maximum length: 79
mapped-addr Mapped FQDN address name. string Maximum length: 79
extintf Interface connected to the source network that receives the packets that will be forwarded to the destination network. string Maximum length: 35
arp-reply Enable to respond to ARP requests for this virtual IP address. Enabled by default.
disable: Disable ARP reply.
enable: Enable ARP reply.
option -
server-type Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
http: HTTP
https: HTTPS
imaps: IMAPS
pop3s: POP3S
smtps: SMTPS
ssl: SSL
tcp: TCP
udp: UDP
ip: IP
option -
http-redirect Enable/disable redirection of HTTP to HTTPS.
enable: Enable redirection of HTTP to HTTPS.
disable: Disable redirection of HTTP to HTTPS.
option -
persistence Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
none: None.
http-cookie: HTTP cookie.
ssl-session-id: SSL session ID.
option -
nat-source-vip Enable/disable forcing the source NAT mapped IP to the external IP for all traffic.
disable: Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.
enable: Force the source NAT mapped IP to the external IP for all traffic.
option -
portforward Enable/disable port forwarding.
disable: Disable port forward.
enable: Enable port forward.
option -
protocol Protocol to use when forwarding packets.
tcp: TCP.
udp: UDP.
sctp: SCTP.
icmp: ICMP.
option -
extport Incoming port number range that you want to map to a port number range on the destination network. user Not Specified
mappedport Port number range on the destination network to which the external port number range is mapped. user Not Specified
gratuitous-arp-interval Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable. integer Minimum value: 5 Maximum value: 8640000
srcintf-filter <interface-name> Interfaces to which the VIP applies. Separate the names with spaces.
Interface name.
string Maximum length: 79
portmapping-type Port mapping type.
1-to-1: One to one.
m-to-n: Many to many.
option -
http-cookie-domain-from-host Enable/disable use of HTTP cookie domain from host field in HTTP.
disable: Disable use of HTTP cookie domain from host field in HTTP (use the http-cookie-domain setting).
enable: Enable use of HTTP cookie domain from host field in HTTP.
option -
http-cookie-domain Domain that HTTP cookie persistence should apply to. string Maximum length: 35
http-cookie-path Limit HTTP cookie persistence to the specified path. string Maximum length: 35
http-cookie-generation Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. integer Minimum value: 0 Maximum value: 4294967295
http-cookie-age Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. integer Minimum value: 0 Maximum value: 525600
http-cookie-share Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
disable: Only allow HTTP cookie to match this virtual server.
same-ip: Allow HTTP cookie to match any virtual server with same IP.
option -
https-cookie-secure Enable/disable verification that inserted HTTPS cookies are secure.
disable: Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.
enable: Mark inserted cookie as secure; the cookie can only be used for an HTTPS connection.
option -
http-multiplex Enable/disable HTTP multiplexing.
enable: Enable HTTP session multiplexing.
disable: Disable HTTP session multiplexing.
option -
http-ip-header For HTTP multiplexing, enable to add the original client IP address to the X-Forwarded-For HTTP header.
enable: Enable adding HTTP header.
disable: Disable adding HTTP header.
option -
http-ip-header-name For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. string Maximum length: 35
outlook-web-access Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
disable: Disable Outlook Web Access support.
enable: Enable Outlook Web Access support.
option -
weblogic-server Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
disable: Do not add HTTP header indicating SSL offload for WebLogic server.
enable: Add HTTP header indicating SSL offload for WebLogic server.
option -
websphere-server Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
disable: Do not add HTTP header indicating SSL offload for WebSphere server.
enable: Add HTTP header indicating SSL offload for WebSphere server.
option -
ssl-mode Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
half: Client to FortiGate SSL.
full: Client to FortiGate and FortiGate to Server SSL.
option -
ssl-certificate The name of the SSL certificate to use for SSL acceleration. string Maximum length: 35
ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
768: 768-bit Diffie-Hellman prime.
1024: 1024-bit Diffie-Hellman prime.
1536: 1536-bit Diffie-Hellman prime.
2048: 2048-bit Diffie-Hellman prime.
3072: 3072-bit Diffie-Hellman prime.
4096: 4096-bit Diffie-Hellman prime.
option -
ssl-algorithm Permitted encryption algorithms for SSL sessions according to encryption strength.
high: High encryption. Allow only AES and ChaCha.
medium: Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low: Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
custom: Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.
option -
ssl-server-algorithm Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
high: High encryption. Allow only AES and ChaCha.
medium: Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low: Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
custom: Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.
client: Use the same encryption algorithms for both client and server sessions.
option -
ssl-pfs Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
require: Allow only Diffie-Hellman cipher-suites, so PFS is applied.
deny: Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
allow: Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
option -
ssl-min-version Lowest SSL/TLS version acceptable from a client.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -
ssl-max-version Highest SSL/TLS version acceptable from a client.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -
ssl-server-min-version Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
client: Use same value as client configuration.
option -
ssl-server-max-version Highest SSL/TLS version acceptable from a server. Use the client setting by default.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
client: Use same value as client configuration.
option -
ssl-send-empty-frags Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
enable: Send empty fragments.
disable: Do not send empty fragments.
option -
ssl-client-fallback Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
disable: Disable.
enable: Enable.
option -
ssl-client-renegotiation Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
allow: Allow an SSL client to renegotiate.
deny: Abort any client initiated SSL re-negotiation attempt.
secure: Abort any client initiated SSL re-negotiation attempt that does not use RFC 5746 Secure Renegotiation.
option -
ssl-client-session-state-type How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
disable: Do not keep session states.
time: Expire session states after this many minutes.
count: Expire session states when this maximum is reached.
both: Expire session states based on time or count, whichever occurs first.
option -
ssl-client-session-state-timeout Number of minutes to keep client to FortiGate SSL session state. integer Minimum value: 1 Maximum value: 14400
ssl-client-session-state-max Maximum number of client to FortiGate SSL session states to keep. integer Minimum value: 1 Maximum value: 10000
ssl-client-rekey-count Maximum length of data in MB before triggering a client rekey (0 = disable). integer Minimum value: 200 Maximum value: 1048576
ssl-server-session-state-type How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
disable: Do not keep session states.
time: Expire session states after this many minutes.
count: Expire session states when this maximum is reached.
both: Expire session states based on time or count, whichever occurs first.
option -
ssl-server-session-state-timeout Number of minutes to keep FortiGate to Server SSL session state. integer Minimum value: 1 Maximum value: 14400
ssl-server-session-state-max Maximum number of FortiGate to Server SSL session states to keep. integer Minimum value: 1 Maximum value: 10000
ssl-http-location-conversion Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
enable: Enable HTTP location conversion.
disable: Disable HTTP location conversion.
option -
ssl-http-match-host Enable/disable HTTP host matching for location conversion.
enable: Match HTTP host in response header.
disable: Do not match HTTP host.
option -
ssl-hpkp Enable/disable including HPKP header in response.
disable: Do not add an HPKP header to each HTTP response.
enable: Add an HPKP header to each HTTP response.
report-only: Add a HPKP Report-Only header to each HTTP response.
option -
ssl-hpkp-primary Certificate to generate primary HPKP pin from. string Maximum length: 79
ssl-hpkp-backup Certificate to generate backup HPKP pin from. string Maximum length: 79
ssl-hpkp-age Number of seconds the client should honour the HPKP setting. integer Minimum value: 60 Maximum value: 157680000
ssl-hpkp-report-uri URL to report HPKP violations to. var-string Maximum length: 255
ssl-hpkp-include-subdomains Indicate that HPKP header applies to all subdomains.
disable: HPKP header does not apply to subdomains.
enable: HPKP header applies to subdomains.
option -
ssl-hsts Enable/disable including HSTS header in response.
disable: Do not add an HSTS header to each HTTP response.
enable: Add an HSTS header to each HTTP response.
option -
ssl-hsts-age Number of seconds the client should honour the HSTS setting. integer Minimum value: 60 Maximum value: 157680000
ssl-hsts-include-subdomains Indicate that HSTS header applies to all subdomains.
disable: HSTS header does not apply to subdomains.
enable: HSTS header applies to subdomains.
option -
monitor <name> Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
Health monitor name.
string Maximum length: 79
max-embryonic-connections Maximum number of incomplete connections. integer Minimum value: 0 Maximum value: 100000
color Color of icon on the GUI. integer Minimum value: 0 Maximum value: 32

config realservers

Parameter Name Description Type Size
ip IP address of the real server. ipv4-address-any Not Specified
port Port for communicating with the real server. Required if port forwarding is enabled. integer Minimum value: 1 Maximum value: 65535
status Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
active: Server status active.
standby: Server status standby.
disable: Server status disable.
option -
weight Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. integer Minimum value: 1 Maximum value: 255
holddown-interval Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. integer Minimum value: 30 Maximum value: 65535
healthcheck Enable to check the responsiveness of the real server before forwarding traffic.
disable: Disable per server health check.
enable: Enable per server health check.
vip: Use health check defined in VIP.
option -
http-host HTTP server domain name in HTTP header. string Maximum length: 63
max-connections Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. integer Minimum value: 0 Maximum value: 2147483647
monitor Name of the health check monitor to use when polling to determine a virtual server's connectivity status. string Maximum length: 79
client-ip Only clients in this IP range can connect to this real server. user Not Specified

config ssl-cipher-suites

Parameter Name Description Type Size
cipher Cipher suite to offer at this priority (one of the values listed for set cipher in the syntax above). option -
versions SSL/TLS versions that the cipher suite can be used with.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -

config ssl-server-cipher-suites

Parameter Name Description Type Size
cipher Cipher suite to offer at this priority (one of the values listed for set cipher in the syntax above). option -
versions SSL/TLS versions that the cipher suite can be used with.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -