Fortinet Document Library

CLI Reference

config application list

Configure application control lists.

config application list
    Description: Configure application control lists.
    edit <name>
        set comment {var-string}
        set replacemsg-group {string}
        set extended-log [enable|disable]
        set other-application-action [pass|block]
        set app-replacemsg [disable|enable]
        set other-application-log [disable|enable]
        set enforce-default-app-port [disable|enable]
        set force-inclusion-ssl-di-sigs [disable|enable]
        set unknown-application-action [pass|block]
        set unknown-application-log [disable|enable]
        set p2p-black-list {option1}, {option2}, ...
        set deep-app-inspection [disable|enable]
        set options {option1}, {option2}, ...
        config entries
            Description: Application list entries.
            edit <id>
                set risk <level1>, <level2>, ...
                set category <id1>, <id2>, ...
                set application <id1>, <id2>, ...
                set protocols {user}
                set vendor {user}
                set technology {user}
                set behavior {user}
                set popularity {option1}, {option2}, ...
                set exclusion <id1>, <id2>, ...
                config parameters
                    Description: Application parameters.
                    edit <id>
                        config members
                            Description: Parameter tuple members.
                            edit <id>
                                set name {string}
                                set value {string}
                            next
                        end
                    next
                end
                set action [pass|block|...]
                set log [disable|enable]
                set log-packet [disable|enable]
                set rate-count {integer}
                set rate-duration {integer}
                set rate-mode [periodical|continuous]
                set rate-track [none|src-ip|...]
                set session-ttl {integer}
                set shaper {string}
                set shaper-reverse {string}
                set per-ip-shaper {string}
                set quarantine [none|attacker]
                set quarantine-expiry {user}
                set quarantine-log [disable|enable]
            next
        end
        set control-default-network-services [disable|enable]
        config default-network-services
            Description: Default network service entries.
            edit <id>
                set port {integer}
                set services {option1}, {option2}, ...
                set violation-action [pass|monitor|...]
            next
        end
    next
end

config application list

comment
    Description: Comments.
    Type: var-string
    Size: Maximum length: 255

replacemsg-group
    Description: Replacement message group.
    Type: string
    Size: Maximum length: 35

extended-log
    Description: Enable/disable extended logging.
    Type: option
    Default: disable
    Options:
        enable: Enable setting.
        disable: Disable setting.

other-application-action
    Description: Action for other applications.
    Type: option
    Default: pass
    Options:
        pass: Allow sessions matching an application in this application list.
        block: Block sessions matching an application in this application list.

app-replacemsg
    Description: Enable/disable replacement messages for blocked applications.
    Type: option
    Default: enable
    Options:
        disable: Disable replacement messages for blocked applications.
        enable: Enable replacement messages for blocked applications.

other-application-log
    Description: Enable/disable logging for other applications.
    Type: option
    Default: disable
    Options:
        disable: Disable logging for other applications.
        enable: Enable logging for other applications.

enforce-default-app-port
    Description: Enable/disable default application port enforcement for allowed applications.
    Type: option
    Default: disable
    Options:
        disable: Disable default application port enforcement.
        enable: Enable default application port enforcement.

force-inclusion-ssl-di-sigs
    Description: Enable/disable forced inclusion of SSL deep inspection signatures.
    Type: option
    Default: disable
    Options:
        disable: Disable forced inclusion of signatures which normally require SSL deep inspection.
        enable: Enable forced inclusion of signatures which normally require SSL deep inspection.

unknown-application-action
    Description: Pass or block traffic from unknown applications.
    Type: option
    Default: pass
    Options:
        pass: Pass or allow unknown applications.
        block: Drop or block unknown applications.

unknown-application-log
    Description: Enable/disable logging for unknown applications.
    Type: option
    Default: disable
    Options:
        disable: Disable logging for unknown applications.
        enable: Enable logging for unknown applications.

p2p-black-list
    Description: P2P applications to be blacklisted.
    Type: option
    Options:
        skype: Skype.
        edonkey: eDonkey.
        bittorrent: BitTorrent.

deep-app-inspection
    Description: Enable/disable deep application inspection.
    Type: option
    Default: enable
    Options:
        disable: Disable deep application inspection.
        enable: Enable deep application inspection.

options
    Description: Basic application protocol signatures allowed by default.
    Type: option
    Default: allow-dns
    Options:
        allow-dns: Allow DNS.
        allow-icmp: Allow ICMP.
        allow-http: Allow generic HTTP web browsing.
        allow-ssl: Allow generic SSL communication.
        allow-quic: Allow QUIC.

control-default-network-services
    Description: Enable/disable enforcement of protocols over selected ports.
    Type: option
    Default: disable
    Options:
        disable: Disable protocol enforcement over selected ports.
        enable: Enable protocol enforcement over selected ports.

config entries

risk <level>
    Description: Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
    Type: integer
    Range: 0 - 4294967295
    Default: 0

category <id>
    Description: Category ID list; each element is an application category ID.
    Type: integer
    Range: 0 - 4294967295
    Default: 0

application <id>
    Description: ID of allowed applications.
    Type: integer
    Range: 0 - 4294967295
    Default: 0

protocols
    Description: Application protocol filter.
    Type: user
    Default: all

vendor
    Description: Application vendor filter.
    Type: user
    Default: all

technology
    Description: Application technology filter.
    Type: user
    Default: all

behavior
    Description: Application behavior filter.
    Type: user
    Default: all

popularity
    Description: Application popularity filter (1 - 5, from least to most popular).
    Type: option
    Default: 1 2 3 4 5
    Options:
        1: Popularity level 1.
        2: Popularity level 2.
        3: Popularity level 3.
        4: Popularity level 4.
        5: Popularity level 5.

exclusion <id>
    Description: ID of excluded applications.
    Type: integer
    Range: 0 - 4294967295
    Default: 0

action
    Description: Pass or block traffic, or reset the connection, for traffic from this application.
    Type: option
    Default: block
    Options:
        pass: Pass or allow matching traffic.
        block: Block or drop matching traffic.
        reset: Reset sessions for matching traffic.

log
    Description: Enable/disable logging for this application list.
    Type: option
    Default: enable
    Options:
        disable: Disable logging.
        enable: Enable logging.

log-packet
    Description: Enable/disable packet logging.
    Type: option
    Default: disable
    Options:
        disable: Disable packet logging.
        enable: Enable packet logging.

rate-count
    Description: Count of the rate, i.e. the number of packets per rate-duration.
    Type: integer
    Range: 0 - 65535
    Default: 0

rate-duration
    Description: Duration (sec) of the rate.
    Type: integer
    Range: 1 - 65535
    Default: 60

rate-mode
    Description: Rate limit mode.
    Type: option
    Default: continuous
    Options:
        periodical: Allow the configured number of packets every rate-duration.
        continuous: Block packets once the rate is reached.

rate-track
    Description: Track the packet protocol field.
    Type: option
    Default: none
    Options:
        none: No tracking.
        src-ip: Source IP.
        dest-ip: Destination IP.
        dhcp-client-mac: DHCP client MAC address.
        dns-domain: DNS domain.

session-ttl
    Description: Session TTL (0 = default).
    Type: integer
    Range: 0 - 4294967295
    Default: 0

shaper
    Description: Traffic shaper.
    Type: string
    Size: Maximum length: 35

shaper-reverse
    Description: Reverse traffic shaper.
    Type: string
    Size: Maximum length: 35

per-ip-shaper
    Description: Per-IP traffic shaper.
    Type: string
    Size: Maximum length: 35

quarantine
    Description: Quarantine method.
    Type: option
    Default: none
    Options:
        none: Quarantine is disabled.
        attacker: Block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry
    Description: Duration of quarantine (format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
    Type: user
    Default: 5m

quarantine-log
    Description: Enable/disable quarantine logging.
    Type: option
    Default: enable
    Options:
        disable: Disable quarantine logging.
        enable: Enable quarantine logging.

config members

name
    Description: Parameter name.
    Type: string
    Size: Maximum length: 31

value
    Description: Parameter value.
    Type: string
    Size: Maximum length: 199

config default-network-services

port
    Description: Port number.
    Type: integer
    Range: 0 - 65535
    Default: 0

services
    Description: Network protocols.
    Type: option
    Options:
        http: HTTP.
        ssh: SSH.
        telnet: Telnet.
        ftp: FTP.
        dns: DNS.
        smtp: SMTP.
        pop3: POP3.
        imap: IMAP.
        snmp: SNMP.
        nntp: NNTP.
        https: HTTPS.

violation-action
    Description: Action for protocols not whitelisted under the selected port.
    Type: option
    Default: block
    Options:
        pass: Allow protocols not whitelisted under the selected port.
        monitor: Monitor protocols not whitelisted under the selected port.
        block: Block protocols not whitelisted under the selected port.
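As an added example (not Fortinet's code and not part of this reference), the following Python script parses a FortiOS-style "config application list" dump and audits it against the defaults and constraints documented above: applications that pass without a log record (taking the documented defaults of pass and disable into account when a key is not set), default-network-services entries that are inert because control-default-network-services is left disabled, and quarantine-expiry values that are set without quarantine attacker or fall outside the 1m to 364d23h59m range. The embedded configuration is constructed for the example; its application ID is a placeholder, and the parser handles only the config / edit / set / next / end forms shown on this page.

```python
import re
import shlex

# Constructed sample profile (not taken from the Fortinet page); the
# application ID is a placeholder, not a real FortiGuard signature ID.
SAMPLE_CONFIG = """
config application list
    edit "audit-demo"
        set unknown-application-action pass
        set unknown-application-log disable
        config entries
            edit 1
                set application 90001
                set action pass
                set log disable
            next
            edit 2
                set risk 4 5
                set quarantine-expiry 30m
            next
        end
        set control-default-network-services disable
        config default-network-services
            edit 1
                set port 80
                set services http
                set violation-action block
            next
        end
    next
end
"""

# Defaults documented on the page; they apply when a key is not set.
TOP_DEFAULTS = {
    "unknown-application-action": "pass", "unknown-application-log": "disable",
    "other-application-action": "pass", "other-application-log": "disable",
    "control-default-network-services": "disable",
}
ENTRY_DEFAULTS = {"action": "block", "log": "enable", "quarantine": "none"}
# quarantine-expiry format ###d##h##m, minimum 1m, maximum 364d23h59m.
EXPIRY_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$")
MAX_EXPIRY_MINUTES = 364 * 24 * 60 + 23 * 60 + 59


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config X' / 'edit N' open a
    child dict under X / N, 'set k v...' stores [v...] under k, next/end close."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return stack[0]


def setting(node, key, defaults):
    """First value of a set key, falling back to the documented default."""
    values = node.get(key)
    return values[0] if values else defaults[key]


def expiry_minutes(value):
    """Minutes in a quarantine-expiry string, or None if malformed or out of range."""
    match = EXPIRY_RE.match(value)
    if not value or not match:
        return None
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    total = days * 1440 + hours * 60 + minutes
    return total if 1 <= total <= MAX_EXPIRY_MINUTES else None


def audit_profile(name, prof):
    """Findings for one application list: unlogged allows, inert
    default-network-services entries, and quarantine-expiry misuse."""
    findings = []
    for kind in ("unknown", "other"):
        if (setting(prof, f"{kind}-application-action", TOP_DEFAULTS) == "pass"
                and setting(prof, f"{kind}-application-log", TOP_DEFAULTS) == "disable"):
            findings.append(f"{name}: {kind} applications pass without logging")
    if (prof.get("default-network-services")
            and setting(prof, "control-default-network-services", TOP_DEFAULTS) == "disable"):
        findings.append(f"{name}: default-network-services entries are defined but enforcement is disabled")
    for eid, entry in prof.get("entries", {}).items():
        if (setting(entry, "action", ENTRY_DEFAULTS) == "pass"
                and setting(entry, "log", ENTRY_DEFAULTS) == "disable"):
            findings.append(f"{name}: entry {eid} passes traffic without logging")
        expiry = entry.get("quarantine-expiry")
        if expiry and (setting(entry, "quarantine", ENTRY_DEFAULTS) != "attacker"
                       or expiry_minutes(expiry[0]) is None):
            findings.append(f"{name}: entry {eid} quarantine-expiry {expiry[0]!r} needs "
                            "quarantine attacker and a value between 1m and 364d23h59m")
    return findings


def audit(text):
    """Audit every application list found in a FortiOS configuration dump."""
    lists = parse_fortios(text).get("application list", {})
    return [f for name, prof in lists.items() for f in audit_profile(name, prof)]
```

Running audit(SAMPLE_CONFIG) yields five findings for the constructed profile: the unknown-application and (by default) other-application traffic is passed without a log record, the port 80 service entry does nothing while control-default-network-services is disabled, entry 1 allows an application without logging, and entry 2 sets a quarantine-expiry that is ignored because quarantine is left at none.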
