CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
credential-store
- credential-store domain-controller
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control fctems
extender-controller
- extender-controller dataplan
- extender-controller extender
file-filter
- file-filter profile
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall city
- firewall country
- firewall decrypted-traffic-mirror
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-append
- firewall internet-service-botnet
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall internet-service-ipbl-reason
- firewall internet-service-ipbl-vendor
- firewall internet-service-list
- firewall internet-service-name
- firewall internet-service-owner
- firewall internet-service-reputation
- firewall internet-service-sld
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall region
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vendor-mac
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
- ips view-map
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller global
- switch-controller initial-config template
- switch-controller initial-config vlans
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller mac-policy
- switch-controller managed-switch
- switch-controller nac-device
- switch-controller nac-settings
- switch-controller port-policy
- switch-controller ptp policy
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy local-access
- switch-controller snmp-community
- switch-controller snmp-user
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-profile
- switch-controller system
- switch-controller traffic-policy
- switch-controller virtual-port-pool
- switch-controller vlan-policy
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geneve
- system geoip-country
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system sdwan
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system standalone-cluster
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wire-pair
- system vne-tunnel
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user nac-policy
- user password-policy
- user peer
- user peergrp
- user pop3
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller access-control-list
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller apcfg-profile
- wireless-controller arrp-profile
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller mpsk-profile
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.4.2 CLI Reference

6.4.2

webfilter profile

Configure Web filter profiles.

  config webfilter profile
      Description: Configure Web filter profiles.
      edit <name>
          set comment {var-string}
          set feature-set [flow|proxy]
          set replacemsg-group {string}
          set options {option1}, {option2}, ...
          set https-replacemsg [enable|disable]
          set ovrd-perm {option1}, {option2}, ...
          set post-action [normal|block]
          config override
              Description: Web Filter override settings.
              set ovrd-cookie [allow|deny]
              set ovrd-scope [user|user-group|...]
              set profile-type [list|radius]
              set ovrd-dur-mode [constant|ask]
              set ovrd-dur {user}
              set profile-attribute [User-Name|NAS-IP-Address|...]
              set ovrd-user-group <name1>, <name2>, ...
              set profile <name1>, <name2>, ...
          end
          config web
              Description: Web content filtering settings.
              set bword-threshold {integer}
              set bword-table {integer}
              set urlfilter-table {integer}
              set content-header-list {integer}
              set blacklist [enable|disable]
              set whitelist {option1}, {option2}, ...
              set safe-search {option1}, {option2}, ...
              set youtube-restrict [none|strict|...]
              set log-search [enable|disable]
              set keyword-match <pattern1>, <pattern2>, ...
          end
          set youtube-channel-status [disable|blacklist|...]
          config youtube-channel-filter
              Description: YouTube channel filter.
              edit <id>
                  set channel-id {string}
                  set comment {var-string}
              next
          end
          config ftgd-wf
              Description: FortiGuard Web Filter settings.
              set options {option1}, {option2}, ...
              set exempt-quota {user}
              set ovrd {user}
              config filters
                  Description: FortiGuard filters.
                  edit <id>
                      set category {integer}
                      set action [block|authenticate|...]
                      set warn-duration {user}
                      set auth-usr-grp <name1>, <name2>, ...
                      set log [enable|disable]
                      set override-replacemsg {string}
                      set warning-prompt [per-domain|per-category]
                      set warning-duration-type [session|timeout]
                  next
              end
              config quota
                  Description: FortiGuard traffic quota settings.
                  edit <id>
                      set category {user}
                      set type [time|traffic]
                      set unit [B|KB|...]
                      set value {integer}
                      set duration {user}
                      set override-replacemsg {string}
                  next
              end
              set max-quota-timeout {integer}
              set rate-image-urls [disable|enable]
              set rate-javascript-urls [disable|enable]
              set rate-css-urls [disable|enable]
              set rate-crl-urls [disable|enable]
          end
          config antiphish
              Description: AntiPhishing profile.
              set status [enable|disable]
              set domain-controller {string}
              set default-action [exempt|log|...]
              set check-uri [enable|disable]
              set check-basic-auth [enable|disable]
              set max-body-len {integer}
              config inspection-entries
                  Description: AntiPhishing entries.
                  edit <name>
                      set fortiguard-category {user}
                      set action [exempt|log|...]
                  next
              end
              config custom-patterns
                  Description: Custom username and password regex patterns.
                  edit <pattern>
                      set category [username|password]
                  next
              end
          end
          set wisp [enable|disable]
          set wisp-servers <name1>, <name2>, ...
          set wisp-algorithm [primary-secondary|round-robin|...]
          set log-all-url [enable|disable]
          set web-content-log [enable|disable]
          set web-filter-activex-log [enable|disable]
          set web-filter-command-block-log [enable|disable]
          set web-filter-cookie-log [enable|disable]
          set web-filter-applet-log [enable|disable]
          set web-filter-jscript-log [enable|disable]
          set web-filter-js-log [enable|disable]
          set web-filter-vbs-log [enable|disable]
          set web-filter-unknown-log [enable|disable]
          set web-filter-referer-log [enable|disable]
          set web-filter-cookie-removal-log [enable|disable]
          set web-url-log [enable|disable]
          set web-invalid-domain-log [enable|disable]
          set web-ftgd-err-log [enable|disable]
          set web-ftgd-quota-usage [enable|disable]
          set extended-log [enable|disable]
          set web-extended-all-action-log [enable|disable]
          set web-antiphishing-log [enable|disable]
      next
  end

config webfilter profile

Parameter Name	Description	Type	Size
comment	Optional comments.	var-string	Maximum length: 255
feature-set	Flow/proxy feature set. flow: Flow feature set. proxy: Proxy feature set.	option	-
replacemsg-group	Replacement message group.	string	Maximum length: 35
options	Options. activexfilter: ActiveX filter. cookiefilter: Cookie filter. javafilter: Java applet filter. block-invalid-url: Block sessions contained an invalid domain name. jscript: Javascript block. js: JS block. vbs: VB script block. unknown: Unknown script block. intrinsic: Intrinsic script block. wf-referer: Referring block. wf-cookie: Cookie block. per-user-bwl: Per-user black/white list filter	option	-
https-replacemsg	Enable replacement messages for HTTPS. enable: Enable setting. disable: Disable setting.	option	-
ovrd-perm	Permitted override types. bannedword-override: Banned word override. urlfilter-override: URL filter override. fortiguard-wf-override: FortiGuard Web Filter override. contenttype-check-override: Content-type header override.	option	-
post-action	Action taken for HTTP POST traffic. normal: Normal, POST requests are allowed. block: POST requests are blocked.	option	-
youtube-channel-status	YouTube channel filter status. disable: Disable YouTube channel filter. blacklist: Block matches. whitelist: Allow matches.	option	-
wisp	Enable/disable web proxy WISP. enable: Enable web proxy WISP. disable: Disable web proxy WISP.	option	-
wisp-servers `<name>`	WISP servers. Server name.	string	Maximum length: 79
wisp-algorithm	WISP server selection algorithm. primary-secondary: Select the first healthy server in order. round-robin: Select the next healthy server. auto-learning: Select the lightest loading healthy server.	option	-
log-all-url	Enable/disable logging all URLs visited. enable: Enable setting. disable: Disable setting.	option	-
web-content-log	Enable/disable logging logging blocked web content. enable: Enable setting. disable: Disable setting.	option	-
web-filter-activex-log	Enable/disable logging ActiveX. enable: Enable setting. disable: Disable setting.	option	-
web-filter-command-block-log	Enable/disable logging blocked commands. enable: Enable setting. disable: Disable setting.	option	-
web-filter-cookie-log	Enable/disable logging cookie filtering. enable: Enable setting. disable: Disable setting.	option	-
web-filter-applet-log	Enable/disable logging Java applets. enable: Enable setting. disable: Disable setting.	option	-
web-filter-jscript-log	Enable/disable logging JScripts. enable: Enable setting. disable: Disable setting.	option	-
web-filter-js-log	Enable/disable logging Java scripts. enable: Enable setting. disable: Disable setting.	option	-
web-filter-vbs-log	Enable/disable logging VBS scripts. enable: Enable setting. disable: Disable setting.	option	-
web-filter-unknown-log	Enable/disable logging unknown scripts. enable: Enable setting. disable: Disable setting.	option	-
web-filter-referer-log	Enable/disable logging referrers. enable: Enable setting. disable: Disable setting.	option	-
web-filter-cookie-removal-log	Enable/disable logging blocked cookies. enable: Enable setting. disable: Disable setting.	option	-
web-url-log	Enable/disable logging URL filtering. enable: Enable setting. disable: Disable setting.	option	-
web-invalid-domain-log	Enable/disable logging invalid domain names. enable: Enable setting. disable: Disable setting.	option	-
web-ftgd-err-log	Enable/disable logging rating errors. enable: Enable setting. disable: Disable setting.	option	-
web-ftgd-quota-usage	Enable/disable logging daily quota usage. enable: Enable setting. disable: Disable setting.	option	-
extended-log	Enable/disable extended logging for web filtering. enable: Enable setting. disable: Disable setting.	option	-
web-extended-all-action-log	Enable/disable extended any filter action logging for web filtering. enable: Enable setting. disable: Disable setting.	option	-
web-antiphishing-log	Enable/disable logging of AntiPhishing checks. enable: Enable setting. disable: Disable setting.	option	-

config override

Parameter Name	Description	Type	Size
ovrd-cookie	Allow/deny browser-based (cookie) overrides. allow: Allow browser-based (cookie) override. deny: Deny browser-based (cookie) override.	option	-
ovrd-scope	Override scope. user: Override for the user. user-group: Override for the user's group. ip: Override for the initiating IP. browser: Create browser-based (cookie) override. ask: Prompt for scope when initiating an override.	option	-
profile-type	Override profile type. list: Profile chosen from list. radius: Profile determined by RADIUS server.	option	-
ovrd-dur-mode	Override duration mode. constant: Constant mode. ask: Prompt for duration when initiating an override.	option	-
ovrd-dur	Override duration.	user	Not Specified
profile-attribute	Profile attribute to retrieve from the RADIUS server. User-Name: Use this attribute. NAS-IP-Address: Use this attribute. Framed-IP-Address: Use this attribute. Framed-IP-Netmask: Use this attribute. Filter-Id: Use this attribute. Login-IP-Host: Use this attribute. Reply-Message: Use this attribute. Callback-Number: Use this attribute. Callback-Id: Use this attribute. Framed-Route: Use this attribute. Framed-IPX-Network: Use this attribute. Class: Use this attribute. Called-Station-Id: Use this attribute. Calling-Station-Id: Use this attribute. NAS-Identifier: Use this attribute. Proxy-State: Use this attribute. Login-LAT-Service: Use this attribute. Login-LAT-Node: Use this attribute. Login-LAT-Group: Use this attribute. Framed-AppleTalk-Zone: Use this attribute. Acct-Session-Id: Use this attribute. Acct-Multi-Session-Id: Use this attribute.	option	-
ovrd-user-group `<name>`	User groups with permission to use the override. User group name.	string	Maximum length: 79
profile `<name>`	Web filter profile with permission to create overrides. Web profile.	string	Maximum length: 79

config web

Parameter Name	Description	Type	Size
bword-threshold	Banned word score threshold.	integer	Minimum value: 0 Maximum value: 2147483647
bword-table	Banned word table ID.	integer	Minimum value: 0 Maximum value: 4294967295
urlfilter-table	URL filter table ID.	integer	Minimum value: 0 Maximum value: 4294967295
content-header-list	Content header list.	integer	Minimum value: 0 Maximum value: 4294967295
blacklist	Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist. enable: Enable setting. disable: Disable setting.	option	-
whitelist	FortiGuard whitelist settings. exempt-av: Exempt antivirus. exempt-webcontent: Exempt web content. exempt-activex-java-cookie: Exempt ActiveX-JAVA-Cookie. exempt-dlp: Exempt DLP. exempt-rangeblock: Exempt RangeBlock. extended-log-others: Support extended log.	option	-
safe-search	Safe search type. url: Insert safe search string into URL. header: Insert safe search header.	option	-
youtube-restrict	YouTube EDU filter level. none: Full access for YouTube. strict: Strict access for YouTube. moderate: Moderate access for YouTube.	option	-
log-search	Enable/disable logging all search phrases. enable: Enable setting. disable: Disable setting.	option	-
keyword-match `<pattern>`	Search keywords to log when match is found. Pattern/keyword to search for.	string	Maximum length: 79

config youtube-channel-filter

Parameter Name	Description	Type	Size
channel-id	YouTube channel ID to be filtered.	string	Maximum length: 255
comment	Comment.	var-string	Maximum length: 255

config ftgd-wf

Parameter Name	Description	Type	Size
options	Options for FortiGuard Web Filter. error-allow: Allow web pages with a rating error to pass through. rate-server-ip: Rate the server IP in addition to the domain name. connect-request-bypass: Bypass connection which has CONNECT request. ftgd-disable: Disable FortiGuard scanning.	option	-
exempt-quota	Do not stop quota for these categories.	user	Not Specified
ovrd	Allow web filter profile overrides.	user	Not Specified
max-quota-timeout	Maximum FortiGuard quota used by single page view in seconds (excludes streams).	integer	Minimum value: 1 Maximum value: 86400
rate-image-urls	Enable/disable rating images by URL. disable: Disable rating images by URL (blocked images are replaced with blanks). enable: Enable rating images by URL (blocked images are replaced with blanks).	option	-
rate-javascript-urls	Enable/disable rating JavaScript by URL. disable: Disable rating JavaScript by URL. enable: Enable rating JavaScript by URL.	option	-
rate-css-urls	Enable/disable rating CSS by URL. disable: Disable rating CSS by URL. enable: Enable rating CSS by URL.	option	-
rate-crl-urls	Enable/disable rating CRL by URL. disable: Disable rating CRL by URL. enable: Enable rating CRL by URL.	option	-

config filters

Parameter Name	Description	Type	Size
category	Categories and groups the filter examines.	integer	Minimum value: 0 Maximum value: 255
action	Action to take for matches. block: Block access. authenticate: Authenticate user before allowing access. monitor: Allow access while logging the action. warning: Allow access after warning the user.	option	-
warn-duration	Duration of warnings.	user	Not Specified
auth-usr-grp `<name>`	Groups with permission to authenticate. User group name.	string	Maximum length: 79
log	Enable/disable logging. enable: Enable setting. disable: Disable setting.	option	-
override-replacemsg	Override replacement message.	string	Maximum length: 28
warning-prompt	Warning prompts in each category or each domain. per-domain: Per-domain warnings. per-category: Per-category warnings.	option	-
warning-duration-type	Re-display warning after closing browser or after a timeout. session: After session ends. timeout: After timeout occurs.	option	-

config quota

Parameter Name	Description	Type	Size
category	FortiGuard categories to apply quota to (category action must be set to monitor).	user	Not Specified
type	Quota type. time: Use a time-based quota. traffic: Use a traffic-based quota.	option	-
unit	Traffic quota unit of measurement. B: Quota in bytes. KB: Quota in kilobytes. MB: Quota in megabytes. GB: Quota in gigabytes.	option	-
value	Traffic quota value.	integer	Minimum value: 1 Maximum value: 4294967295
duration	Duration of quota.	user	Not Specified
override-replacemsg	Override replacement message.	string	Maximum length: 28

config antiphish

Parameter Name	Description	Type	Size
status	Toggle AntiPhishing functionality. enable: Enable AntiPhishing functionality. disable: Disable AntiPhishing functionality.	option	-
domain-controller	Domain for which to verify received credentials against.	string	Maximum length: 63
default-action	Action to be taken when there is no matching rule. exempt: Exempt requests from matching. log: Log all matched requests. block: Block all matched requests.	option	-
check-uri	Enable/disable checking of GET URI parameters for known credentials. enable: Enable checking of GET URI for username and password fields. disable: Disable checking of GET URI for username and password fields.	option	-
check-basic-auth	Enable/disable checking of HTTP Basic Auth field for known credentials. enable: Enable checking of HTTP Basic Auth field for known credentials. disable: Disable checking of HTTP Basic Auth field for known credentials.	option	-
max-body-len	Maximum size of a POST body to check for credentials.	integer	Minimum value: 0 Maximum value: 4294967295

config inspection-entries

Parameter Name	Description	Type	Size
fortiguard-category	FortiGuard category to match.	user	Not Specified
action	Action to be taken upon an AntiPhishing match. exempt: Exempt requests from matching. log: Log all matched requests. block: Block all matched requests.	option	-

config custom-patterns

Parameter Name	Description	Type	Size
category	Category that the pattern matches. username: Pattern matches username fields. password: Pattern matches password fields.	option	-

Configure Web filter profiles.

  config webfilter profile
      Description: Configure Web filter profiles.
      edit <name>
          set comment {var-string}
          set feature-set [flow|proxy]
          set replacemsg-group {string}
          set options {option1}, {option2}, ...
          set https-replacemsg [enable|disable]
          set ovrd-perm {option1}, {option2}, ...
          set post-action [normal|block]
          config override
              Description: Web Filter override settings.
              set ovrd-cookie [allow|deny]
              set ovrd-scope [user|user-group|...]
              set profile-type [list|radius]
              set ovrd-dur-mode [constant|ask]
              set ovrd-dur {user}
              set profile-attribute [User-Name|NAS-IP-Address|...]
              set ovrd-user-group <name1>, <name2>, ...
              set profile <name1>, <name2>, ...
          end
          config web
              Description: Web content filtering settings.
              set bword-threshold {integer}
              set bword-table {integer}
              set urlfilter-table {integer}
              set content-header-list {integer}
              set blacklist [enable|disable]
              set whitelist {option1}, {option2}, ...
              set safe-search {option1}, {option2}, ...
              set youtube-restrict [none|strict|...]
              set log-search [enable|disable]
              set keyword-match <pattern1>, <pattern2>, ...
          end
          set youtube-channel-status [disable|blacklist|...]
          config youtube-channel-filter
              Description: YouTube channel filter.
              edit <id>
                  set channel-id {string}
                  set comment {var-string}
              next
          end
          config ftgd-wf
              Description: FortiGuard Web Filter settings.
              set options {option1}, {option2}, ...
              set exempt-quota {user}
              set ovrd {user}
              config filters
                  Description: FortiGuard filters.
                  edit <id>
                      set category {integer}
                      set action [block|authenticate|...]
                      set warn-duration {user}
                      set auth-usr-grp <name1>, <name2>, ...
                      set log [enable|disable]
                      set override-replacemsg {string}
                      set warning-prompt [per-domain|per-category]
                      set warning-duration-type [session|timeout]
                  next
              end
              config quota
                  Description: FortiGuard traffic quota settings.
                  edit <id>
                      set category {user}
                      set type [time|traffic]
                      set unit [B|KB|...]
                      set value {integer}
                      set duration {user}
                      set override-replacemsg {string}
                  next
              end
              set max-quota-timeout {integer}
              set rate-image-urls [disable|enable]
              set rate-javascript-urls [disable|enable]
              set rate-css-urls [disable|enable]
              set rate-crl-urls [disable|enable]
          end
          config antiphish
              Description: AntiPhishing profile.
              set status [enable|disable]
              set domain-controller {string}
              set default-action [exempt|log|...]
              set check-uri [enable|disable]
              set check-basic-auth [enable|disable]
              set max-body-len {integer}
              config inspection-entries
                  Description: AntiPhishing entries.
                  edit <name>
                      set fortiguard-category {user}
                      set action [exempt|log|...]
                  next
              end
              config custom-patterns
                  Description: Custom username and password regex patterns.
                  edit <pattern>
                      set category [username|password]
                  next
              end
          end
          set wisp [enable|disable]
          set wisp-servers <name1>, <name2>, ...
          set wisp-algorithm [primary-secondary|round-robin|...]
          set log-all-url [enable|disable]
          set web-content-log [enable|disable]
          set web-filter-activex-log [enable|disable]
          set web-filter-command-block-log [enable|disable]
          set web-filter-cookie-log [enable|disable]
          set web-filter-applet-log [enable|disable]
          set web-filter-jscript-log [enable|disable]
          set web-filter-js-log [enable|disable]
          set web-filter-vbs-log [enable|disable]
          set web-filter-unknown-log [enable|disable]
          set web-filter-referer-log [enable|disable]
          set web-filter-cookie-removal-log [enable|disable]
          set web-url-log [enable|disable]
          set web-invalid-domain-log [enable|disable]
          set web-ftgd-err-log [enable|disable]
          set web-ftgd-quota-usage [enable|disable]
          set extended-log [enable|disable]
          set web-extended-all-action-log [enable|disable]
          set web-antiphishing-log [enable|disable]
      next
  end

config webfilter profile

Parameter Name	Description	Type	Size
comment	Optional comments.	var-string	Maximum length: 255
feature-set	Flow/proxy feature set. flow: Flow feature set. proxy: Proxy feature set.	option	-
replacemsg-group	Replacement message group.	string	Maximum length: 35
options	Options. activexfilter: ActiveX filter. cookiefilter: Cookie filter. javafilter: Java applet filter. block-invalid-url: Block sessions contained an invalid domain name. jscript: Javascript block. js: JS block. vbs: VB script block. unknown: Unknown script block. intrinsic: Intrinsic script block. wf-referer: Referring block. wf-cookie: Cookie block. per-user-bwl: Per-user black/white list filter	option	-
https-replacemsg	Enable replacement messages for HTTPS. enable: Enable setting. disable: Disable setting.	option	-
ovrd-perm	Permitted override types. bannedword-override: Banned word override. urlfilter-override: URL filter override. fortiguard-wf-override: FortiGuard Web Filter override. contenttype-check-override: Content-type header override.	option	-
post-action	Action taken for HTTP POST traffic. normal: Normal, POST requests are allowed. block: POST requests are blocked.	option	-
youtube-channel-status	YouTube channel filter status. disable: Disable YouTube channel filter. blacklist: Block matches. whitelist: Allow matches.	option	-
wisp	Enable/disable web proxy WISP. enable: Enable web proxy WISP. disable: Disable web proxy WISP.	option	-
wisp-servers `<name>`	WISP servers. Server name.	string	Maximum length: 79
wisp-algorithm	WISP server selection algorithm. primary-secondary: Select the first healthy server in order. round-robin: Select the next healthy server. auto-learning: Select the lightest loading healthy server.	option	-
log-all-url	Enable/disable logging all URLs visited. enable: Enable setting. disable: Disable setting.	option	-
web-content-log	Enable/disable logging logging blocked web content. enable: Enable setting. disable: Disable setting.	option	-
web-filter-activex-log	Enable/disable logging ActiveX. enable: Enable setting. disable: Disable setting.	option	-
web-filter-command-block-log	Enable/disable logging blocked commands. enable: Enable setting. disable: Disable setting.	option	-
web-filter-cookie-log	Enable/disable logging cookie filtering. enable: Enable setting. disable: Disable setting.	option	-
web-filter-applet-log	Enable/disable logging Java applets. enable: Enable setting. disable: Disable setting.	option	-
web-filter-jscript-log	Enable/disable logging JScripts. enable: Enable setting. disable: Disable setting.	option	-
web-filter-js-log	Enable/disable logging Java scripts. enable: Enable setting. disable: Disable setting.	option	-
web-filter-vbs-log	Enable/disable logging VBS scripts. enable: Enable setting. disable: Disable setting.	option	-
web-filter-unknown-log	Enable/disable logging unknown scripts. enable: Enable setting. disable: Disable setting.	option	-
web-filter-referer-log	Enable/disable logging referrers. enable: Enable setting. disable: Disable setting.	option	-
web-filter-cookie-removal-log	Enable/disable logging blocked cookies. enable: Enable setting. disable: Disable setting.	option	-
web-url-log	Enable/disable logging URL filtering. enable: Enable setting. disable: Disable setting.	option	-
web-invalid-domain-log	Enable/disable logging invalid domain names. enable: Enable setting. disable: Disable setting.	option	-
web-ftgd-err-log	Enable/disable logging rating errors. enable: Enable setting. disable: Disable setting.	option	-
web-ftgd-quota-usage	Enable/disable logging daily quota usage. enable: Enable setting. disable: Disable setting.	option	-
extended-log	Enable/disable extended logging for web filtering. enable: Enable setting. disable: Disable setting.	option	-
web-extended-all-action-log	Enable/disable extended any filter action logging for web filtering. enable: Enable setting. disable: Disable setting.	option	-
web-antiphishing-log	Enable/disable logging of AntiPhishing checks. enable: Enable setting. disable: Disable setting.	option	-

config override

Parameter Name	Description	Type	Size
ovrd-cookie	Allow/deny browser-based (cookie) overrides. allow: Allow browser-based (cookie) override. deny: Deny browser-based (cookie) override.	option	-
ovrd-scope	Override scope. user: Override for the user. user-group: Override for the user's group. ip: Override for the initiating IP. browser: Create browser-based (cookie) override. ask: Prompt for scope when initiating an override.	option	-
profile-type	Override profile type. list: Profile chosen from list. radius: Profile determined by RADIUS server.	option	-
ovrd-dur-mode	Override duration mode. constant: Constant mode. ask: Prompt for duration when initiating an override.	option	-
ovrd-dur	Override duration.	user	Not Specified
profile-attribute	Profile attribute to retrieve from the RADIUS server. User-Name: Use this attribute. NAS-IP-Address: Use this attribute. Framed-IP-Address: Use this attribute. Framed-IP-Netmask: Use this attribute. Filter-Id: Use this attribute. Login-IP-Host: Use this attribute. Reply-Message: Use this attribute. Callback-Number: Use this attribute. Callback-Id: Use this attribute. Framed-Route: Use this attribute. Framed-IPX-Network: Use this attribute. Class: Use this attribute. Called-Station-Id: Use this attribute. Calling-Station-Id: Use this attribute. NAS-Identifier: Use this attribute. Proxy-State: Use this attribute. Login-LAT-Service: Use this attribute. Login-LAT-Node: Use this attribute. Login-LAT-Group: Use this attribute. Framed-AppleTalk-Zone: Use this attribute. Acct-Session-Id: Use this attribute. Acct-Multi-Session-Id: Use this attribute.	option	-
ovrd-user-group `<name>`	User groups with permission to use the override. User group name.	string	Maximum length: 79
profile `<name>`	Web filter profile with permission to create overrides. Web profile.	string	Maximum length: 79

config web

Parameter Name	Description	Type	Size
bword-threshold	Banned word score threshold.	integer	Minimum value: 0 Maximum value: 2147483647
bword-table	Banned word table ID.	integer	Minimum value: 0 Maximum value: 4294967295
urlfilter-table	URL filter table ID.	integer	Minimum value: 0 Maximum value: 4294967295
content-header-list	Content header list.	integer	Minimum value: 0 Maximum value: 4294967295
blacklist	Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist. enable: Enable setting. disable: Disable setting.	option	-
whitelist	FortiGuard whitelist settings. exempt-av: Exempt antivirus. exempt-webcontent: Exempt web content. exempt-activex-java-cookie: Exempt ActiveX-JAVA-Cookie. exempt-dlp: Exempt DLP. exempt-rangeblock: Exempt RangeBlock. extended-log-others: Support extended log.	option	-
safe-search	Safe search type. url: Insert safe search string into URL. header: Insert safe search header.	option	-
youtube-restrict	YouTube EDU filter level. none: Full access for YouTube. strict: Strict access for YouTube. moderate: Moderate access for YouTube.	option	-
log-search	Enable/disable logging all search phrases. enable: Enable setting. disable: Disable setting.	option	-
keyword-match `<pattern>`	Search keywords to log when match is found. Pattern/keyword to search for.	string	Maximum length: 79

config youtube-channel-filter

Parameter Name	Description	Type	Size
channel-id	YouTube channel ID to be filtered.	string	Maximum length: 255
comment	Comment.	var-string	Maximum length: 255

config ftgd-wf

Parameter Name	Description	Type	Size
options	Options for FortiGuard Web Filter. error-allow: Allow web pages with a rating error to pass through. rate-server-ip: Rate the server IP in addition to the domain name. connect-request-bypass: Bypass connection which has CONNECT request. ftgd-disable: Disable FortiGuard scanning.	option	-
exempt-quota	Do not stop quota for these categories.	user	Not Specified
ovrd	Allow web filter profile overrides.	user	Not Specified
max-quota-timeout	Maximum FortiGuard quota used by single page view in seconds (excludes streams).	integer	Minimum value: 1 Maximum value: 86400
rate-image-urls	Enable/disable rating images by URL. disable: Disable rating images by URL (blocked images are replaced with blanks). enable: Enable rating images by URL (blocked images are replaced with blanks).	option	-
rate-javascript-urls	Enable/disable rating JavaScript by URL. disable: Disable rating JavaScript by URL. enable: Enable rating JavaScript by URL.	option	-
rate-css-urls	Enable/disable rating CSS by URL. disable: Disable rating CSS by URL. enable: Enable rating CSS by URL.	option	-
rate-crl-urls	Enable/disable rating CRL by URL. disable: Disable rating CRL by URL. enable: Enable rating CRL by URL.	option	-

config filters

Parameter Name	Description	Type	Size
category	Categories and groups the filter examines.	integer	Minimum value: 0 Maximum value: 255
action	Action to take for matches. block: Block access. authenticate: Authenticate user before allowing access. monitor: Allow access while logging the action. warning: Allow access after warning the user.	option	-
warn-duration	Duration of warnings.	user	Not Specified
auth-usr-grp `<name>`	Groups with permission to authenticate. User group name.	string	Maximum length: 79
log	Enable/disable logging. enable: Enable setting. disable: Disable setting.	option	-
override-replacemsg	Override replacement message.	string	Maximum length: 28
warning-prompt	Warning prompts in each category or each domain. per-domain: Per-domain warnings. per-category: Per-category warnings.	option	-
warning-duration-type	Re-display warning after closing browser or after a timeout. session: After session ends. timeout: After timeout occurs.	option	-

config quota

Parameter Name	Description	Type	Size
category	FortiGuard categories to apply quota to (category action must be set to monitor).	user	Not Specified
type	Quota type. time: Use a time-based quota. traffic: Use a traffic-based quota.	option	-
unit	Traffic quota unit of measurement. B: Quota in bytes. KB: Quota in kilobytes. MB: Quota in megabytes. GB: Quota in gigabytes.	option	-
value	Traffic quota value.	integer	Minimum value: 1 Maximum value: 4294967295
duration	Duration of quota.	user	Not Specified
override-replacemsg	Override replacement message.	string	Maximum length: 28

config antiphish

Parameter Name	Description	Type	Size
status	Toggle AntiPhishing functionality. enable: Enable AntiPhishing functionality. disable: Disable AntiPhishing functionality.	option	-
domain-controller	Domain for which to verify received credentials against.	string	Maximum length: 63
default-action	Action to be taken when there is no matching rule. exempt: Exempt requests from matching. log: Log all matched requests. block: Block all matched requests.	option	-
check-uri	Enable/disable checking of GET URI parameters for known credentials. enable: Enable checking of GET URI for username and password fields. disable: Disable checking of GET URI for username and password fields.	option	-
check-basic-auth	Enable/disable checking of HTTP Basic Auth field for known credentials. enable: Enable checking of HTTP Basic Auth field for known credentials. disable: Disable checking of HTTP Basic Auth field for known credentials.	option	-
max-body-len	Maximum size of a POST body to check for credentials.	integer	Minimum value: 0 Maximum value: 4294967295

config inspection-entries

Parameter Name	Description	Type	Size
fortiguard-category	FortiGuard category to match.	user	Not Specified
action	Action to be taken upon an AntiPhishing match. exempt: Exempt requests from matching. log: Log all matched requests. block: Block all matched requests.	option	-

config custom-patterns

Parameter Name	Description	Type	Size
category	Category that the pattern matches. username: Pattern matches username fields. password: Pattern matches password fields.	option	-

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

webfilter profile

Configure Web filter profiles.

config webfilter profile

config override

config web

config youtube-channel-filter

config ftgd-wf

config filters

config quota

config antiphish

config inspection-entries

config custom-patterns

webfilter profile