
CLI Reference

ssh-filter profile

SSH filter profile.

  config ssh-filter profile
      Description: SSH filter profile.
      edit <name>
          set block {option1}, {option2}, ...
          set log {option1}, {option2}, ...
          set default-command-log [enable|disable]
          config shell-commands
              Description: SSH command filter.
              edit <id>
                  set type [simple|regex]
                  set pattern {string}
                  set action [block|allow]
                  set log [enable|disable]
                  set alert [enable|disable]
                  set severity [low|medium|...]
              next
          end
          config file-filter
              Description: File filter.
              set status [enable|disable]
              set log [enable|disable]
              set scan-archive-contents [enable|disable]
              config entries
                  Description: File filter entries.
                  edit <filter>
                      set comment {var-string}
                      set action [log|block]
                      set direction [incoming|outgoing|...]
                      set password-protected [yes|any]
                      set file-type <name1>, <name2>, ...
                  next
              end
          end
      next
  end

config ssh-filter profile

Parameter Name Description Type Size
block SSH blocking options.
x11: X server forwarding.
shell: SSH shell.
exec: SSH execution.
port-forward: Port forwarding.
tun-forward: Tunnel forwarding.
sftp: SFTP.
scp: SCP.
unknown: Unknown channel.
option -
log SSH logging options.
x11: X server forwarding.
shell: SSH shell.
exec: SSH execution.
port-forward: Port forwarding.
tun-forward: Tunnel forwarding.
sftp: SFTP.
scp: SCP.
unknown: Unknown channel.
option -
default-command-log Enable/disable logging of unmatched shell commands.
enable: Enable logging of unmatched shell commands.
disable: Disable logging of unmatched shell commands.
option -

config shell-commands

Parameter Name Description Type Size
type Matching type.
simple: Match single command.
regex: Match command line using regular expression.
option -
pattern SSH shell command pattern. string Maximum length: 128
action Action to take for SSH shell command matches.
block: Block the SSH shell command.
allow: Allow the SSH shell command.
option -
log Enable/disable logging.
enable: Enable logging.
disable: Disable logging.
option -
alert Enable/disable alert.
enable: Enable alert.
disable: Disable alert.
option -
severity Log severity.
low: Severity low.
medium: Severity medium.
high: Severity high.
critical: Severity critical.
option -

config file-filter

Parameter Name Description Type Size
status Enable/disable file filter.
enable: Enable file filter.
disable: Disable file filter.
option -
log Enable/disable file filter logging.
enable: Enable file filter logging.
disable: Disable file filter logging.
option -
scan-archive-contents Enable/disable file filter archive contents scan.
enable: Enable file filter archive contents scan.
disable: Disable file filter archive contents scan.
option -

config entries

Parameter Name Description Type Size
comment Comment. var-string Maximum length: 255
action Action taken for matched file.
log: Allow the content and write a log message.
block: Block the content and write a log message.
option -
direction Match files transmitted in the session's originating or reply direction.
incoming: Match files transmitted in the session's originating direction.
outgoing: Match files transmitted in the session's reply direction.
any: Match files transmitted in the session's originating and reply direction.
option -
password-protected Match password-protected files.
yes: Match only password-protected files.
any: Match any file.
option -
file-type <name> Select file type.
File type name.
string Maximum length: 39

SSH filter profile.

  config ssh-filter profile
      Description: SSH filter profile.
      edit <name>
          set block {option1}, {option2}, ...
          set log {option1}, {option2}, ...
          set default-command-log [enable|disable]
          config shell-commands
              Description: SSH command filter.
              edit <id>
                  set type [simple|regex]
                  set pattern {string}
                  set action [block|allow]
                  set log [enable|disable]
                  set alert [enable|disable]
                  set severity [low|medium|...]
              next
          end
          config file-filter
              Description: File filter.
              set status [enable|disable]
              set log [enable|disable]
              set scan-archive-contents [enable|disable]
              config entries
                  Description: File filter entries.
                  edit <filter>
                      set comment {var-string}
                      set action [log|block]
                      set direction [incoming|outgoing|...]
                      set password-protected [yes|any]
                      set file-type <name1>, <name2>, ...
                  next
              end
          end
      next
  end

config ssh-filter profile

Parameter Name Description Type Size
block SSH blocking options.
x11: X server forwarding.
shell: SSH shell.
exec: SSH execution.
port-forward: Port forwarding.
tun-forward: Tunnel forwarding.
sftp: SFTP.
scp: SCP.
unknown: Unknown channel.
option -
log SSH logging options.
x11: X server forwarding.
shell: SSH shell.
exec: SSH execution.
port-forward: Port forwarding.
tun-forward: Tunnel forwarding.
sftp: SFTP.
scp: SCP.
unknown: Unknown channel.
option -
default-command-log Enable/disable logging of unmatched shell commands.
enable: Enable logging of unmatched shell commands.
disable: Disable logging of unmatched shell commands.
option -

config shell-commands

Parameter Name Description Type Size
type Matching type.
simple: Match single command.
regex: Match command line using regular expression.
option -
pattern SSH shell command pattern. string Maximum length: 128
action Action to take for SSH shell command matches.
block: Block the SSH shell command.
allow: Allow the SSH shell command.
option -
log Enable/disable logging.
enable: Enable logging.
disable: Disable logging.
option -
alert Enable/disable alert.
enable: Enable alert.
disable: Disable alert.
option -
severity Log severity.
low: Severity low.
medium: Severity medium.
high: Severity high.
critical: Severity critical.
option -

config file-filter

Parameter Name Description Type Size
status Enable/disable file filter.
enable: Enable file filter.
disable: Disable file filter.
option -
log Enable/disable file filter logging.
enable: Enable file filter logging.
disable: Disable file filter logging.
option -
scan-archive-contents Enable/disable file filter archive contents scan.
enable: Enable file filter archive contents scan.
disable: Disable file filter archive contents scan.
option -

config entries

Parameter Name Description Type Size
comment Comment. var-string Maximum length: 255
action Action taken for matched file.
log: Allow the content and write a log message.
block: Block the content and write a log message.
option -
direction Match files transmitted in the session's originating or reply direction.
incoming: Match files transmitted in the session's originating direction.
outgoing: Match files transmitted in the session's reply direction.
any: Match files transmitted in the session's originating and reply direction.
option -
password-protected Match password-protected files.
yes: Match only password-protected files.
any: Match any file.
option -
file-type <name> Select file type.
File type name.
string Maximum length: 39