CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
credential-store
- credential-store domain-controller
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control fctems
extender-controller
- extender-controller dataplan
- extender-controller extender
file-filter
- file-filter profile
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall city
- firewall country
- firewall decrypted-traffic-mirror
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-append
- firewall internet-service-botnet
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall internet-service-ipbl-reason
- firewall internet-service-ipbl-vendor
- firewall internet-service-list
- firewall internet-service-name
- firewall internet-service-owner
- firewall internet-service-reputation
- firewall internet-service-sld
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall region
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vendor-mac
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
- ips view-map
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller global
- switch-controller initial-config template
- switch-controller initial-config vlans
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller mac-policy
- switch-controller managed-switch
- switch-controller nac-device
- switch-controller nac-settings
- switch-controller port-policy
- switch-controller ptp policy
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy local-access
- switch-controller snmp-community
- switch-controller snmp-user
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-profile
- switch-controller system
- switch-controller traffic-policy
- switch-controller virtual-port-pool
- switch-controller vlan-policy
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geneve
- system geoip-country
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system sdwan
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system standalone-cluster
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wire-pair
- system vne-tunnel
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user nac-policy
- user password-policy
- user peer
- user peergrp
- user pop3
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller access-control-list
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller apcfg-profile
- wireless-controller arrp-profile
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller mpsk-profile
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.4.3 CLI Reference

6.4.3

firewall profile-protocol-options

Configure protocol options.

  config firewall profile-protocol-options
      Description: Configure protocol options.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set oversize-log [disable|enable]
          set switching-protocols-log [disable|enable]
          config http
              Description: Configure HTTP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set comfort-interval {integer}
              set comfort-amount {integer}
              set range-block [disable|enable]
              set strip-x-forwarded-for [disable|enable]
              set post-lang {option1}, {option2}, ...
              set streaming-content-bypass [enable|disable]
              set switching-protocols [bypass|block]
              set unknown-http-version [reject|tunnel|...]
              set tunnel-non-http [enable|disable]
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set stream-based-uncompressed-limit {integer}
              set scan-bzip2 [enable|disable]
              set block-page-status-code {integer}
              set retry-count {integer}
              set tcp-window-type [system|static|...]
              set tcp-window-minimum {integer}
              set tcp-window-maximum {integer}
              set tcp-window-size {integer}
              set ssl-offloaded [no|yes]
          end
          config ftp
              Description: Configure FTP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set options {option1}, {option2}, ...
              set comfort-interval {integer}
              set comfort-amount {integer}
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set ssl-offloaded [no|yes]
          end
          config imap
              Description: Configure IMAP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set ssl-offloaded [no|yes]
          end
          config mapi
              Description: Configure MAPI protocol options.
              set ports {integer}
              set status [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
          end
          config pop3
              Description: Configure POP3 protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set ssl-offloaded [no|yes]
          end
          config smtp
              Description: Configure SMTP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set server-busy [enable|disable]
              set ssl-offloaded [no|yes]
          end
          config nntp
              Description: Configure NNTP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
          end
          config ssh
              Description: Configure SFTP and SCP protocol options.
              set options {option1}, {option2}, ...
              set comfort-interval {integer}
              set comfort-amount {integer}
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
          end
          config dns
              Description: Configure DNS protocol options.
              set ports {integer}
              set status [enable|disable]
          end
          config cifs
              Description: Configure CIFS protocol options.
              set ports {integer}
              set status [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set tcp-window-type [system|static|...]
              set tcp-window-minimum {integer}
              set tcp-window-maximum {integer}
              set tcp-window-size {integer}
              set server-credential-type [none|credential-replication|...]
              set domain-controller {string}
              config server-keytab
                  Description: Server keytab.
                  edit <principal>
                      set keytab {string}
                  next
              end
          end
          config mail-signature
              Description: Configure Mail signature.
              set status [disable|enable]
              set signature {string}
          end
          set rpc-over-http [enable|disable]
      next
  end

config firewall profile-protocol-options

Parameter Name	Description	Type	Size
comment	Optional comments.	var-string	Maximum length: 255
replacemsg-group	Name of the replacement message group to be used	string	Maximum length: 35
oversize-log	Enable/disable logging for antivirus oversize file blocking. disable: Disable logging for antivirus oversize file blocking. enable: Enable logging for antivirus oversize file blocking.	option	-
switching-protocols-log	Enable/disable logging for HTTP/HTTPS switching protocols. disable: Disable logging for HTTP/HTTPS switching protocols. enable: Enable logging for HTTP/HTTPS switching protocols.	option	-
rpc-over-http	Enable/disable inspection of RPC over HTTP. enable: Enable inspection of RPC over HTTP. disable: Disable inspection of RPC over HTTP.	option	-

config http

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 80).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. clientcomfort: Prevent client timeout. servercomfort: Prevent server timeout. oversize: Block oversized file/email. chunkedbypass: Bypass chunked transfer encoded sites.	option	-
comfort-interval	Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10).	integer	Minimum value: 1 Maximum value: 900
comfort-amount	Amount of data to send in a transmission for client comforting (1 - 65535 bytes, default = 1).	integer	Minimum value: 1 Maximum value: 65535
range-block	Enable/disable blocking of partial downloads. disable: Disable blocking of partial downloads. enable: Enable blocking of partial downloads.	option	-
strip-x-forwarded-for	Enable/disable stripping of HTTP X-Forwarded-For header. disable: Disable changing of HTTP X-Forwarded-For header. enable: Enable replacement of X-Forwarded-For value with 1.1.1.1.	option	-
post-lang	ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets). jisx0201: Japanese Industrial Standard 0201. jisx0208: Japanese Industrial Standard 0208. jisx0212: Japanese Industrial Standard 0212. gb2312: Guojia Biaozhun 2312 (simplified Chinese). ksc5601-ex: Wansung Korean standard 5601. euc-jp: Extended Unicode Japanese. sjis: Shift Japanese Industrial Standard. iso2022-jp: ISO 2022 Japanese. iso2022-jp-1: ISO 2022-1 Japanese. iso2022-jp-2: ISO 2022-2 Japanese. euc-cn: Extended Unicode Chinese. ces-gbk: Extended GB2312 (simplified Chinese). hz: Hanzi simplified Chinese. ces-big5: Big-5 traditional Chinese. euc-kr: Extended Unicode Korean. iso2022-jp-3: ISO 2022-3 Japanese. iso8859-1: ISO 8859 Part 1 (Western European). tis620: Thai Industrial Standard 620. cp874: Code Page 874 (Thai). cp1252: Code Page 1252 (Western European Latin). cp1251: Code Page 1251 (Cyrillic).	option	-
streaming-content-bypass	Enable/disable bypassing of streaming content from buffering. enable: Enable setting. disable: Disable setting.	option	-
switching-protocols	Bypass from scanning, or block a connection that attempts to switch protocol. bypass: Bypass connections when switching protocols. block: Block connections when switching protocols.	option	-
unknown-http-version	How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1. reject: Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1. tunnel: Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied. best-effort: Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.	option	-
tunnel-non-http	Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port. enable: Pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied. disable: Drop or tear down non-HTTP sessions accepted by the profile.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
stream-based-uncompressed-limit	Maximum stream-based uncompressed data size that will be scanned (MB, 0 = unlimited (default). Stream-based uncompression used only under certain conditions.).	integer	Minimum value: 0 Maximum value: 4294967295
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
block-page-status-code	Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599, default = 403).	integer	Minimum value: 100 Maximum value: 599
retry-count	Number of attempts to retry HTTP connection (0 - 100, default = 0).	integer	Minimum value: 0 Maximum value: 100
tcp-window-type	Specify type of TCP window to use for this protocol. system: Use system default TCP window size for this protocol (Default). static: Manually specify TCP window size. dynamic: Vary TCP window size based on available memory, within limits.	option	-
tcp-window-minimum	Minimum dynamic TCP window size (default = 128KB).	integer	Minimum value: 65536 Maximum value: 1048576
tcp-window-maximum	Maximum dynamic TCP window size (default = 8MB).	integer	Minimum value: 1048576 Maximum value: 33554432
tcp-window-size	Set TCP static window size (default = 256KB).	integer	Minimum value: 65536 Maximum value: 33554432
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config ftp

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 21).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. clientcomfort: Prevent client timeout. oversize: Block oversized file/email. splice: Enable splice mode. bypass-rest-command: Bypass REST command. bypass-mode-command: Bypass MODE command.	option	-
comfort-interval	Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10).	integer	Minimum value: 1 Maximum value: 900
comfort-amount	Amount of data to send in a transmission for client comforting (1 - 65535 bytes, default = 1).	integer	Minimum value: 1 Maximum value: 65535
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config imap

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 143).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. fragmail: Pass fragmented email. oversize: Block oversized file/email.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config mapi

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 135).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. fragmail: Pass fragmented email. oversize: Block oversized file/email.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-

config pop3

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 110).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. fragmail: Pass fragmented email. oversize: Block oversized file/email.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config smtp

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 25).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. fragmail: Pass fragmented email. oversize: Block oversized file/email. splice: Enable splice mode.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
server-busy	Enable/disable SMTP server busy when server not available. enable: Enable setting. disable: Disable setting.	option	-
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config nntp

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 119).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. oversize: Block oversized file/email. splice: Enable splice mode.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-

config ssh

Parameter Name	Description	Type	Size
options	One or more options that can be applied to the session. oversize: Block oversized file/email. clientcomfort: Prevent client timeout. servercomfort: Prevent server timeout.	option	-
comfort-interval	Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10).	integer	Minimum value: 1 Maximum value: 900
comfort-amount	Amount of data to send in a transmission for client comforting (1 - 65535 bytes, default = 1).	integer	Minimum value: 1 Maximum value: 65535
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-

config dns

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 53).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-

config cifs

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 445).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. oversize: Block oversized file/email.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
tcp-window-type	Specify type of TCP window to use for this protocol. system: Use system default TCP window size for this protocol (Default). static: Manually specify TCP window size. dynamic: Vary TCP window size based on available memory, within limits.	option	-
tcp-window-minimum	Minimum dynamic TCP window size (default = 128KB).	integer	Minimum value: 65536 Maximum value: 1048576
tcp-window-maximum	Maximum dynamic TCP window size (default = 8MB).	integer	Minimum value: 1048576 Maximum value: 33554432
tcp-window-size	Set TCP static window size (default = 256KB).	integer	Minimum value: 65536 Maximum value: 33554432
server-credential-type	CIFS server credential type. none: Credential derivation not set. credential-replication: Credential derived using Replication account on Domain Controller. credential-keytab: Credential derived using server keytab.	option	-
domain-controller	Domain for which to decrypt CIFS traffic.	string	Maximum length: 63

config server-keytab

Parameter Name	Description	Type	Size
keytab	Base64 encoded keytab file containing credential of the server.	string	Maximum length: 8191

config mail-signature

Parameter Name	Description	Type	Size
status	Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate. disable: Disable mail signature. enable: Enable mail signature.	option	-
signature	Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).	string	Maximum length: 1023

Configure protocol options.

  config firewall profile-protocol-options
      Description: Configure protocol options.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set oversize-log [disable|enable]
          set switching-protocols-log [disable|enable]
          config http
              Description: Configure HTTP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set comfort-interval {integer}
              set comfort-amount {integer}
              set range-block [disable|enable]
              set strip-x-forwarded-for [disable|enable]
              set post-lang {option1}, {option2}, ...
              set streaming-content-bypass [enable|disable]
              set switching-protocols [bypass|block]
              set unknown-http-version [reject|tunnel|...]
              set tunnel-non-http [enable|disable]
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set stream-based-uncompressed-limit {integer}
              set scan-bzip2 [enable|disable]
              set block-page-status-code {integer}
              set retry-count {integer}
              set tcp-window-type [system|static|...]
              set tcp-window-minimum {integer}
              set tcp-window-maximum {integer}
              set tcp-window-size {integer}
              set ssl-offloaded [no|yes]
          end
          config ftp
              Description: Configure FTP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set options {option1}, {option2}, ...
              set comfort-interval {integer}
              set comfort-amount {integer}
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set ssl-offloaded [no|yes]
          end
          config imap
              Description: Configure IMAP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set ssl-offloaded [no|yes]
          end
          config mapi
              Description: Configure MAPI protocol options.
              set ports {integer}
              set status [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
          end
          config pop3
              Description: Configure POP3 protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set ssl-offloaded [no|yes]
          end
          config smtp
              Description: Configure SMTP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set server-busy [enable|disable]
              set ssl-offloaded [no|yes]
          end
          config nntp
              Description: Configure NNTP protocol options.
              set ports {integer}
              set status [enable|disable]
              set inspect-all [enable|disable]
              set proxy-after-tcp-handshake [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
          end
          config ssh
              Description: Configure SFTP and SCP protocol options.
              set options {option1}, {option2}, ...
              set comfort-interval {integer}
              set comfort-amount {integer}
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
          end
          config dns
              Description: Configure DNS protocol options.
              set ports {integer}
              set status [enable|disable]
          end
          config cifs
              Description: Configure CIFS protocol options.
              set ports {integer}
              set status [enable|disable]
              set options {option1}, {option2}, ...
              set oversize-limit {integer}
              set uncompressed-oversize-limit {integer}
              set uncompressed-nest-limit {integer}
              set scan-bzip2 [enable|disable]
              set tcp-window-type [system|static|...]
              set tcp-window-minimum {integer}
              set tcp-window-maximum {integer}
              set tcp-window-size {integer}
              set server-credential-type [none|credential-replication|...]
              set domain-controller {string}
              config server-keytab
                  Description: Server keytab.
                  edit <principal>
                      set keytab {string}
                  next
              end
          end
          config mail-signature
              Description: Configure Mail signature.
              set status [disable|enable]
              set signature {string}
          end
          set rpc-over-http [enable|disable]
      next
  end

config firewall profile-protocol-options

Parameter Name	Description	Type	Size
comment	Optional comments.	var-string	Maximum length: 255
replacemsg-group	Name of the replacement message group to be used	string	Maximum length: 35
oversize-log	Enable/disable logging for antivirus oversize file blocking. disable: Disable logging for antivirus oversize file blocking. enable: Enable logging for antivirus oversize file blocking.	option	-
switching-protocols-log	Enable/disable logging for HTTP/HTTPS switching protocols. disable: Disable logging for HTTP/HTTPS switching protocols. enable: Enable logging for HTTP/HTTPS switching protocols.	option	-
rpc-over-http	Enable/disable inspection of RPC over HTTP. enable: Enable inspection of RPC over HTTP. disable: Disable inspection of RPC over HTTP.	option	-

config http

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 80).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. clientcomfort: Prevent client timeout. servercomfort: Prevent server timeout. oversize: Block oversized file/email. chunkedbypass: Bypass chunked transfer encoded sites.	option	-
comfort-interval	Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10).	integer	Minimum value: 1 Maximum value: 900
comfort-amount	Amount of data to send in a transmission for client comforting (1 - 65535 bytes, default = 1).	integer	Minimum value: 1 Maximum value: 65535
range-block	Enable/disable blocking of partial downloads. disable: Disable blocking of partial downloads. enable: Enable blocking of partial downloads.	option	-
strip-x-forwarded-for	Enable/disable stripping of HTTP X-Forwarded-For header. disable: Disable changing of HTTP X-Forwarded-For header. enable: Enable replacement of X-Forwarded-For value with 1.1.1.1.	option	-
post-lang	ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets). jisx0201: Japanese Industrial Standard 0201. jisx0208: Japanese Industrial Standard 0208. jisx0212: Japanese Industrial Standard 0212. gb2312: Guojia Biaozhun 2312 (simplified Chinese). ksc5601-ex: Wansung Korean standard 5601. euc-jp: Extended Unicode Japanese. sjis: Shift Japanese Industrial Standard. iso2022-jp: ISO 2022 Japanese. iso2022-jp-1: ISO 2022-1 Japanese. iso2022-jp-2: ISO 2022-2 Japanese. euc-cn: Extended Unicode Chinese. ces-gbk: Extended GB2312 (simplified Chinese). hz: Hanzi simplified Chinese. ces-big5: Big-5 traditional Chinese. euc-kr: Extended Unicode Korean. iso2022-jp-3: ISO 2022-3 Japanese. iso8859-1: ISO 8859 Part 1 (Western European). tis620: Thai Industrial Standard 620. cp874: Code Page 874 (Thai). cp1252: Code Page 1252 (Western European Latin). cp1251: Code Page 1251 (Cyrillic).	option	-
streaming-content-bypass	Enable/disable bypassing of streaming content from buffering. enable: Enable setting. disable: Disable setting.	option	-
switching-protocols	Bypass from scanning, or block a connection that attempts to switch protocol. bypass: Bypass connections when switching protocols. block: Block connections when switching protocols.	option	-
unknown-http-version	How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1. reject: Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1. tunnel: Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied. best-effort: Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.	option	-
tunnel-non-http	Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port. enable: Pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied. disable: Drop or tear down non-HTTP sessions accepted by the profile.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
stream-based-uncompressed-limit	Maximum stream-based uncompressed data size that will be scanned (MB, 0 = unlimited (default). Stream-based uncompression used only under certain conditions.).	integer	Minimum value: 0 Maximum value: 4294967295
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
block-page-status-code	Code number returned for blocked HTTP pages (non-FortiGuard only) (100 - 599, default = 403).	integer	Minimum value: 100 Maximum value: 599
retry-count	Number of attempts to retry HTTP connection (0 - 100, default = 0).	integer	Minimum value: 0 Maximum value: 100
tcp-window-type	Specify type of TCP window to use for this protocol. system: Use system default TCP window size for this protocol (Default). static: Manually specify TCP window size. dynamic: Vary TCP window size based on available memory, within limits.	option	-
tcp-window-minimum	Minimum dynamic TCP window size (default = 128KB).	integer	Minimum value: 65536 Maximum value: 1048576
tcp-window-maximum	Maximum dynamic TCP window size (default = 8MB).	integer	Minimum value: 1048576 Maximum value: 33554432
tcp-window-size	Set TCP static window size (default = 256KB).	integer	Minimum value: 65536 Maximum value: 33554432
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config ftp

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 21).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. clientcomfort: Prevent client timeout. oversize: Block oversized file/email. splice: Enable splice mode. bypass-rest-command: Bypass REST command. bypass-mode-command: Bypass MODE command.	option	-
comfort-interval	Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10).	integer	Minimum value: 1 Maximum value: 900
comfort-amount	Amount of data to send in a transmission for client comforting (1 - 65535 bytes, default = 1).	integer	Minimum value: 1 Maximum value: 65535
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config imap

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 143).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. fragmail: Pass fragmented email. oversize: Block oversized file/email.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config mapi

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 135).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. fragmail: Pass fragmented email. oversize: Block oversized file/email.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-

config pop3

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 110).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. fragmail: Pass fragmented email. oversize: Block oversized file/email.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config smtp

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 25).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. fragmail: Pass fragmented email. oversize: Block oversized file/email. splice: Enable splice mode.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
server-busy	Enable/disable SMTP server busy when server not available. enable: Enable setting. disable: Disable setting.	option	-
ssl-offloaded	SSL decryption and encryption performed by an external device. no: SSL decryption and encryption performed by FortiGate when deep-inspection is enabled. yes: SSL decryption and encryption performed by an external device.	option	-

config nntp

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 119).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
inspect-all	Enable/disable the inspection of all ports for the protocol. enable: Enable setting. disable: Disable setting.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. oversize: Block oversized file/email. splice: Enable splice mode.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-

config ssh

Parameter Name	Description	Type	Size
options	One or more options that can be applied to the session. oversize: Block oversized file/email. clientcomfort: Prevent client timeout. servercomfort: Prevent server timeout.	option	-
comfort-interval	Period of time between start, or last transmission, and the next client comfort transmission of data (1 - 900 sec, default = 10).	integer	Minimum value: 1 Maximum value: 900
comfort-amount	Amount of data to send in a transmission for client comforting (1 - 65535 bytes, default = 1).	integer	Minimum value: 1 Maximum value: 65535
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-

config dns

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 53).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-

config cifs

Parameter Name	Description	Type	Size
ports	Ports to scan for content (1 - 65535, default = 445).	integer	Minimum value: 1 Maximum value: 65535
status	Enable/disable the active status of scanning for this protocol. enable: Enable setting. disable: Disable setting.	option	-
options	One or more options that can be applied to the session. oversize: Block oversized file/email.	option	-
oversize-limit	Maximum in-memory file size that can be scanned (1 - 383 MB, default = 10).	integer	Minimum value: 1 Maximum value: 6446
uncompressed-oversize-limit	Maximum in-memory uncompressed file size that can be scanned (0 - 383 MB, 0 = unlimited, default = 10).	integer	Minimum value: 0 Maximum value: 6446
uncompressed-nest-limit	Maximum nested levels of compression that can be uncompressed and scanned (2 - 100, default = 12).	integer	Minimum value: 2 Maximum value: 100
scan-bzip2	Enable/disable scanning of BZip2 compressed files. enable: Enable setting. disable: Disable setting.	option	-
tcp-window-type	Specify type of TCP window to use for this protocol. system: Use system default TCP window size for this protocol (Default). static: Manually specify TCP window size. dynamic: Vary TCP window size based on available memory, within limits.	option	-
tcp-window-minimum	Minimum dynamic TCP window size (default = 128KB).	integer	Minimum value: 65536 Maximum value: 1048576
tcp-window-maximum	Maximum dynamic TCP window size (default = 8MB).	integer	Minimum value: 1048576 Maximum value: 33554432
tcp-window-size	Set TCP static window size (default = 256KB).	integer	Minimum value: 65536 Maximum value: 33554432
server-credential-type	CIFS server credential type. none: Credential derivation not set. credential-replication: Credential derived using Replication account on Domain Controller. credential-keytab: Credential derived using server keytab.	option	-
domain-controller	Domain for which to decrypt CIFS traffic.	string	Maximum length: 63

config server-keytab

Parameter Name	Description	Type	Size
keytab	Base64 encoded keytab file containing credential of the server.	string	Maximum length: 8191

config mail-signature

Parameter Name	Description	Type	Size
status	Enable/disable adding an email signature to SMTP email messages as they pass through the FortiGate. disable: Disable mail signature. enable: Enable mail signature.	option	-
signature	Email signature to be added to outgoing email (if the signature contains spaces, enclose with quotation marks).	string	Maximum length: 1023

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options

config http

config ftp

config imap

config mapi

config pop3

config smtp

config nntp

config ssh

config dns

config cifs