
CLI Reference

config application list

Configure application control lists.

config application list
    Description: Configure application control lists.
    edit <name>
        set comment {var-string}
        set replacemsg-group {string}
        set extended-log [enable|disable]
        set other-application-action [pass|block]
        set app-replacemsg [disable|enable]
        set other-application-log [disable|enable]
        set enforce-default-app-port [disable|enable]
        set force-inclusion-ssl-di-sigs [disable|enable]
        set unknown-application-action [pass|block]
        set unknown-application-log [disable|enable]
        set p2p-black-list {option1}, {option2}, ...
        set deep-app-inspection [disable|enable]
        set options {option1}, {option2}, ...
        config entries
            Description: Application list entries.
            edit <id>
                set risk <level1>, <level2>, ...
                set category <id1>, <id2>, ...
                set sub-category <id1>, <id2>, ...
                set application <id1>, <id2>, ...
                set protocols {user}
                set vendor {user}
                set technology {user}
                set behavior {user}
                set popularity {option1}, {option2}, ...
                set exclusion <id1>, <id2>, ...
                config parameters
                    Description: Application parameters.
                    edit <id>
                        set value {string}
                    next
                end
                set action [pass|block|...]
                set log [disable|enable]
                set log-packet [disable|enable]
                set rate-count {integer}
                set rate-duration {integer}
                set rate-mode [periodical|continuous]
                set rate-track [none|src-ip|...]
                set session-ttl {integer}
                set shaper {string}
                set shaper-reverse {string}
                set per-ip-shaper {string}
                set quarantine [none|attacker]
                set quarantine-expiry {user}
                set quarantine-log [disable|enable]
            next
        end
        set control-default-network-services [disable|enable]
        config default-network-services
            Description: Default network service entries.
            edit <id>
                set port {integer}
                set services {option1}, {option2}, ...
                set violation-action [pass|monitor|...]
            next
        end
    next
end


config application list

comment
    Description: Comments.
    Type: var-string
    Size: Maximum length: 255

replacemsg-group
    Description: Replacement message group.
    Type: string
    Size: Maximum length: 35

extended-log
    Description: Enable/disable extended logging.
    Type: option
    Size: -
    Options:
        enable     Enable setting.
        disable    Disable setting.

other-application-action
    Description: Action for other applications.
    Type: option
    Size: -
    Options:
        pass       Allow sessions matching an application in this application list.
        block      Block sessions matching an application in this application list.

app-replacemsg
    Description: Enable/disable replacement messages for blocked applications.
    Type: option
    Size: -
    Options:
        disable    Disable replacement messages for blocked applications.
        enable     Enable replacement messages for blocked applications.

other-application-log
    Description: Enable/disable logging for other applications.
    Type: option
    Size: -
    Options:
        disable    Disable logging for other applications.
        enable     Enable logging for other applications.

enforce-default-app-port
    Description: Enable/disable default application port enforcement for allowed applications.
    Type: option
    Size: -
    Options:
        disable    Disable default application port enforcement.
        enable     Enable default application port enforcement.

force-inclusion-ssl-di-sigs
    Description: Enable/disable forced inclusion of SSL deep inspection signatures.
    Type: option
    Size: -
    Options:
        disable    Disable forced inclusion of signatures which normally require SSL deep inspection.
        enable     Enable forced inclusion of signatures which normally require SSL deep inspection.

unknown-application-action
    Description: Pass or block traffic from unknown applications.
    Type: option
    Size: -
    Options:
        pass       Pass or allow unknown applications.
        block      Drop or block unknown applications.

unknown-application-log
    Description: Enable/disable logging for unknown applications.
    Type: option
    Size: -
    Options:
        disable    Disable logging for unknown applications.
        enable     Enable logging for unknown applications.

p2p-black-list
    Description: P2P applications to be black listed.
    Type: option
    Size: -
    Options:
        skype        Skype.
        edonkey      eDonkey.
        bittorrent   BitTorrent.

deep-app-inspection
    Description: Enable/disable deep application inspection.
    Type: option
    Size: -
    Options:
        disable    Disable deep application inspection.
        enable     Enable deep application inspection.

options
    Description: Basic application protocol signatures allowed by default.
    Type: option
    Size: -
    Options:
        allow-dns    Allow DNS.
        allow-icmp   Allow ICMP.
        allow-http   Allow generic HTTP web browsing.
        allow-ssl    Allow generic SSL communication.
        allow-quic   Allow QUIC.

control-default-network-services
    Description: Enable/disable enforcement of protocols over selected ports.
    Type: option
    Size: -
    Options:
        disable    Disable protocol enforcement over selected ports.
        enable     Enable protocol enforcement over selected ports.

config entries

risk <level>
    Description: Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295

category <id>
    Description: Category ID list. Each <id> is an application category ID.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295

sub-category <id>
    Description: Application sub-category ID list. Each <id> is an application sub-category ID.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295

application <id>
    Description: ID of allowed applications. Each <id> is an application ID.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295

protocols
    Description: Application protocol filter.
    Type: user
    Size: Not Specified

vendor
    Description: Application vendor filter.
    Type: user
    Size: Not Specified

technology
    Description: Application technology filter.
    Type: user
    Size: Not Specified

behavior
    Description: Application behavior filter.
    Type: user
    Size: Not Specified

popularity
    Description: Application popularity filter (1 - 5, from least to most popular).
    Type: option
    Size: -
    Options:
        1    Popularity level 1.
        2    Popularity level 2.
        3    Popularity level 3.
        4    Popularity level 4.
        5    Popularity level 5.

exclusion <id>
    Description: ID of excluded applications. Each <id> is an excluded application ID.
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295

action
    Description: Pass or block traffic, or reset the connection, for traffic from this application.
    Type: option
    Size: -
    Options:
        pass     Pass or allow matching traffic.
        block    Block or drop matching traffic.
        reset    Reset sessions for matching traffic.

log
    Description: Enable/disable logging for this application list.
    Type: option
    Size: -
    Options:
        disable    Disable logging.
        enable     Enable logging.

log-packet
    Description: Enable/disable packet logging.
    Type: option
    Size: -
    Options:
        disable    Disable packet logging.
        enable     Enable packet logging.

rate-count
    Description: Count of the rate.
    Type: integer
    Size: Minimum value: 0 Maximum value: 65535

rate-duration
    Description: Duration (sec) of the rate.
    Type: integer
    Size: Minimum value: 1 Maximum value: 65535

rate-mode
    Description: Rate limit mode.
    Type: option
    Size: -
    Options:
        periodical    Allow the configured number of packets every rate-duration.
        continuous    Block packets once the rate is reached.

rate-track
    Description: Track the packet protocol field.
    Type: option
    Size: -
    Options:
        none               None.
        src-ip             Source IP.
        dest-ip            Destination IP.
        dhcp-client-mac    DHCP client.
        dns-domain         DNS domain.

session-ttl
    Description: Session TTL (0 = default).
    Type: integer
    Size: Minimum value: 0 Maximum value: 4294967295

shaper
    Description: Traffic shaper.
    Type: string
    Size: Maximum length: 35

shaper-reverse
    Description: Reverse traffic shaper.
    Type: string
    Size: Maximum length: 35

per-ip-shaper
    Description: Per-IP traffic shaper.
    Type: string
    Size: Maximum length: 35

quarantine
    Description: Quarantine method.
    Type: option
    Size: -
    Options:
        none        Quarantine is disabled.
        attacker    Block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry
    Description: Duration of quarantine (format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
    Type: user
    Size: Not Specified

quarantine-log
    Description: Enable/disable quarantine logging.
    Type: option
    Size: -
    Options:
        disable    Disable quarantine logging.
        enable     Enable quarantine logging.

config parameters

value
    Description: Parameter value.
    Type: string
    Size: Maximum length: 63

config default-network-services

port
    Description: Port number.
    Type: integer
    Size: Minimum value: 0 Maximum value: 65535

services
    Description: Network protocols.
    Type: option
    Size: -
    Options:
        http      HTTP.
        ssh       SSH.
        telnet    TELNET.
        ftp       FTP.
        dns       DNS.
        smtp      SMTP.
        pop3      POP3.
        imap      IMAP.
        snmp      SNMP.
        nntp      NNTP.
        https     HTTPS.

violation-action
    Description: Action for protocols not white listed under the selected port.
    Type: option
    Size: -
    Options:
        pass       Allow protocols not white listed under the selected port.
        monitor    Monitor protocols not white listed under the selected port.
        block      Block protocols not white listed under the selected port.
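A worked profile assembled from the options above, as an added example rather than Fortinet's own sample configuration: it logs unknown and other applications instead of silently passing them, pins allowed applications to their default ports, blocks and quarantines the source of Critical (5) and High (4) risk application traffic for 30 minutes, rate limits everything else per source IP, and restricts ports 80 and 443 to HTTP and HTTPS. The list name, entry IDs and rate values are constructed; multi-value options are entered space-separated on the FortiOS CLI.

```fortios
config application list
    edit "corp-appctrl-strict"
        set comment "Constructed example: strict application control profile"
        set extended-log enable
        # Unknown and other (unmatched) applications still pass, but are always logged
        set unknown-application-action pass
        set unknown-application-log enable
        set other-application-action pass
        set other-application-log enable
        # Allowed applications must use their default ports
        set enforce-default-app-port enable
        set app-replacemsg enable
        set deep-app-inspection enable
        set p2p-black-list bittorrent edonkey
        # allow-quic is deliberately omitted, so QUIC is not passed by default
        set options allow-dns allow-icmp allow-http allow-ssl
        config entries
            edit 1
                # Critical (5) and High (4) risk applications: block, log,
                # and quarantine the source address for 30 minutes
                set risk 5 4
                set action block
                set log enable
                set quarantine attacker
                set quarantine-expiry 30m
                set quarantine-log enable
            next
            edit 2
                # Everything else passes but is rate limited per source IP:
                # once 100 packets arrive within 60 s, further packets are blocked
                set action pass
                set log enable
                set rate-count 100
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
            next
        end
        # Only HTTP on port 80 and HTTPS on port 443; anything else there is blocked
        set control-default-network-services enable
        config default-network-services
            edit 1
                set port 80
                set services http
                set violation-action block
            next
            edit 2
                set port 443
                set services https
                set violation-action block
            next
        end
    next
end
```

The profile takes effect only once it is referenced from a firewall policy, and the default-network-services block with violation-action block should be tested with monitor first so that legitimate non-standard use of those ports is seen in the logs before it is dropped.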
