config firewall profile-protocol-options

Configure protocol options.

config firewall profile-protocol-options

Description: Configure protocol options.

edit <name>

set comment {var-string}

set replacemsg-group {string}

set oversize-log [disable|enable]

set switching-protocols-log [disable|enable]

config http

Description: Configure HTTP protocol options.

set ports {integer}

set status [enable|disable]

set inspect-all [enable|disable]

set proxy-after-tcp-handshake [enable|disable]

set options {option1}, {option2}, ...

set comfort-interval {integer}

set comfort-amount {integer}

set range-block [disable|enable]

set strip-x-forwarded-for [disable|enable]

set post-lang {option1}, {option2}, ...

set streaming-content-bypass [enable|disable]

set switching-protocols [bypass|block]

set unknown-http-version [reject|tunnel|...]

set tunnel-non-http [enable|disable]

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set stream-based-uncompressed-limit {integer}

set scan-bzip2 [enable|disable]

set block-page-status-code {integer}

set retry-count {integer}

set tcp-window-type [system|static|...]

set tcp-window-minimum {integer}

set tcp-window-maximum {integer}

set tcp-window-size {integer}

set ssl-offloaded [no|yes]

end

config ftp

Description: Configure FTP protocol options.

set ports {integer}

set status [enable|disable]

set inspect-all [enable|disable]

set options {option1}, {option2}, ...

set comfort-interval {integer}

set comfort-amount {integer}

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set stream-based-uncompressed-limit {integer}

set scan-bzip2 [enable|disable]

set tcp-window-type [system|static|...]

set tcp-window-minimum {integer}

set tcp-window-maximum {integer}

set tcp-window-size {integer}

set ssl-offloaded [no|yes]

end

config imap

Description: Configure IMAP protocol options.

set ports {integer}

set status [enable|disable]

set inspect-all [enable|disable]

set proxy-after-tcp-handshake [enable|disable]

set options {option1}, {option2}, ...

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set scan-bzip2 [enable|disable]

set ssl-offloaded [no|yes]

end

config mapi

Description: Configure MAPI protocol options.

set ports {integer}

set status [enable|disable]

set options {option1}, {option2}, ...

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set scan-bzip2 [enable|disable]

end

config pop3

Description: Configure POP3 protocol options.

set ports {integer}

set status [enable|disable]

set inspect-all [enable|disable]

set proxy-after-tcp-handshake [enable|disable]

set options {option1}, {option2}, ...

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set scan-bzip2 [enable|disable]

set ssl-offloaded [no|yes]

end

config smtp

Description: Configure SMTP protocol options.

set ports {integer}

set status [enable|disable]

set inspect-all [enable|disable]

set proxy-after-tcp-handshake [enable|disable]

set options {option1}, {option2}, ...

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set scan-bzip2 [enable|disable]

set server-busy [enable|disable]

set ssl-offloaded [no|yes]

end

config nntp

Description: Configure NNTP protocol options.

set ports {integer}

set status [enable|disable]

set inspect-all [enable|disable]

set proxy-after-tcp-handshake [enable|disable]

set options {option1}, {option2}, ...

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set scan-bzip2 [enable|disable]

end

config ssh

Description: Configure SFTP and SCP protocol options.

set options {option1}, {option2}, ...

set comfort-interval {integer}

set comfort-amount {integer}

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set stream-based-uncompressed-limit {integer}

set scan-bzip2 [enable|disable]

set tcp-window-type [system|static|...]

set tcp-window-minimum {integer}

set tcp-window-maximum {integer}

set tcp-window-size {integer}

set ssl-offloaded [no|yes]

end

config dns

Description: Configure DNS protocol options.

set ports {integer}

set status [enable|disable]

end

config cifs

Description: Configure CIFS protocol options.

set ports {integer}

set status [enable|disable]

set options {option1}, {option2}, ...

set oversize-limit {integer}

set uncompressed-oversize-limit {integer}

set uncompressed-nest-limit {integer}

set scan-bzip2 [enable|disable]

set tcp-window-type [system|static|...]

set tcp-window-minimum {integer}

set tcp-window-maximum {integer}

set tcp-window-size {integer}

set server-credential-type [none|credential-replication|...]

set domain-controller {string}

config server-keytab

Description: Server keytab.

edit <principal>

set keytab {string}

next

end

end

config mail-signature

Description: Configure Mail signature.

set status [disable|enable]

set signature {string}

end

set rpc-over-http [enable|disable]

next

end

config firewall profile-protocol-options

Parameter

Description

Type

Size

Default

comment

Optional comments.

var-string

Maximum length: 255

replacemsg-group

Name of the replacement message group to be used

string

Maximum length: 35

oversize-log

Enable/disable logging for antivirus oversize file blocking.

option

-

disable

 

Option

Description

disable

Disable logging for antivirus oversize file blocking.

enable

Enable logging for antivirus oversize file blocking.

switching-protocols-log

Enable/disable logging for HTTP/HTTPS switching protocols.

option

-

disable

 

Option

Description

disable

Disable logging for HTTP/HTTPS switching protocols.

enable

Enable logging for HTTP/HTTPS switching protocols.

rpc-over-http

Enable/disable inspection of RPC over HTTP.

option

-

disable

 

Option

Description

enable

Enable inspection of RPC over HTTP.

disable

Disable inspection of RPC over HTTP.

config http

Parameter

Description

Type

Size

Default

ports

Ports to scan for content .

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

 

Option

Description

clientcomfort

Prevent client timeout.

servercomfort

Prevent server timeout.

oversize

Block oversized file/email.

chunkedbypass

Bypass chunked transfer encoded sites.

comfort-interval

Period of time between start, or last transmission, and the next client comfort transmission of data .

integer

Minimum value: 1 Maximum value: 900

10

comfort-amount

Amount of data to send in a transmission for client comforting .

integer

Minimum value: 1 Maximum value: 65535

1

range-block

Enable/disable blocking of partial downloads.

option

-

disable

 

Option

Description

disable

Disable range header blocking (allow partial file downloads)

enable

Enable range header blocking (treat all partial file downloads as full file download)

strip-x-forwarded-for

Enable/disable stripping of HTTP X-Forwarded-For header.

option

-

disable

 

Option

Description

disable

Disable changing of HTTP X-Forwarded-For header.

enable

Enable replacement of X-Forwarded-For value with 1.1.1.1.

post-lang

ID codes for character sets to be used to convert to UTF-8 for banned words and DLP on HTTP posts (maximum of 5 character sets).

option

-

 

Option

Description

jisx0201

Japanese Industrial Standard 0201.

jisx0208

Japanese Industrial Standard 0208.

jisx0212

Japanese Industrial Standard 0212.

gb2312

Guojia Biaozhun 2312 (simplified Chinese).

ksc5601-ex

Wansung Korean standard 5601.

euc-jp

Extended Unicode Japanese.

sjis

Shift Japanese Industrial Standard.

iso2022-jp

ISO 2022 Japanese.

iso2022-jp-1

ISO 2022-1 Japanese.

iso2022-jp-2

ISO 2022-2 Japanese.

euc-cn

Extended Unicode Chinese.

ces-gbk

Extended GB2312 (simplified Chinese).

hz

Hanzi simplified Chinese.

ces-big5

Big-5 traditional Chinese.

euc-kr

Extended Unicode Korean.

iso2022-jp-3

ISO 2022-3 Japanese.

iso8859-1

ISO 8859 Part 1 (Western European).

tis620

Thai Industrial Standard 620.

cp874

Code Page 874 (Thai).

cp1252

Code Page 1252 (Western European Latin).

cp1251

Code Page 1251 (Cyrillic).

streaming-content-bypass

Enable/disable bypassing of streaming content from buffering.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

switching-protocols

Bypass from scanning, or block a connection that attempts to switch protocol.

option

-

bypass

 

Option

Description

bypass

Bypass connections when switching protocols.

block

Block connections when switching protocols.

unknown-http-version

How to handle HTTP sessions that do not comply with HTTP 0.9, 1.0, or 1.1.

option

-

reject

 

Option

Description

reject

Reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

tunnel

Pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

best-effort

Assume all HTTP sessions comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, it may not parse correctly and the connection may be lost.

tunnel-non-http

Configure how to process non-HTTP traffic when a profile configured for HTTP traffic accepts a non-HTTP session. Can occur if an application sends non-HTTP traffic using an HTTP destination port.

option

-

disable

 

Option

Description

enable

Pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied.

disable

Drop or tear down non-HTTP sessions accepted by the profile.

oversize-limit

Maximum in-memory file size that can be scanned .

integer

Minimum value: 1 Maximum value: 383 **

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned .

integer

Minimum value: 0 Maximum value: 383 **

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned .

integer

Minimum value: 2 Maximum value: 100

12

stream-based-uncompressed-limit

Maximum stream-based uncompressed data size that will be scanned .

integer

Minimum value: 0 Maximum value: 4294967295

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

block-page-status-code

Code number returned for blocked HTTP pages .

integer

Minimum value: 100 Maximum value: 599

403

retry-count

Number of attempts to retry HTTP connection .

integer

Minimum value: 0 Maximum value: 100

0

tcp-window-type

TCP window type to use for this protocol.

option

-

system

 

Option

Description

system

Use system default TCP window size for this protocol (default).

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

 

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

** Values may differ between models.

config ftp

Parameter

Description

Type

Size

Default

ports

Ports to scan for content .

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

 

Option

Description

clientcomfort

Prevent client timeout.

oversize

Block oversized file/email.

splice

Enable splice mode.

bypass-rest-command

Bypass REST command.

bypass-mode-command

Bypass MODE command.

comfort-interval

Period of time between start, or last transmission, and the next client comfort transmission of data .

integer

Minimum value: 1 Maximum value: 900

10

comfort-amount

Amount of data to send in a transmission for client comforting .

integer

Minimum value: 1 Maximum value: 65535

1

oversize-limit

Maximum in-memory file size that can be scanned .

integer

Minimum value: 1 Maximum value: 383 **

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned .

integer

Minimum value: 0 Maximum value: 383 **

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned .

integer

Minimum value: 2 Maximum value: 100

12

stream-based-uncompressed-limit

Maximum stream-based uncompressed data size that will be scanned .

integer

Minimum value: 0 Maximum value: 4294967295

0

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-window-type

TCP window type to use for this protocol.

option

-

system

 

Option

Description

system

Use system default TCP window size for this protocol (default).

static

Manually specify TCP window size.

dynamic

Vary TCP window size based on available memory and within limits of tcp-window-minimum and tcp-window-maximum.

tcp-window-minimum

Minimum dynamic TCP window size.

integer

Minimum value: 65536 Maximum value: 1048576

131072

tcp-window-maximum

Maximum dynamic TCP window size.

integer

Minimum value: 1048576 Maximum value: 33554432

8388608

tcp-window-size

Set TCP static window size.

integer

Minimum value: 65536 Maximum value: 33554432

262144

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

 

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

** Values may differ between models.

config imap

Parameter

Description

Type

Size

Default

ports

Ports to scan for content .

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

 

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized file/email.

oversize-limit

Maximum in-memory file size that can be scanned .

integer

Minimum value: 1 Maximum value: 383 **

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned .

integer

Minimum value: 0 Maximum value: 383 **

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned .

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

 

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

** Values may differ between models.

config mapi

Parameter

Description

Type

Size

Default

ports

Ports to scan for content .

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

 

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized file/email.

oversize-limit

Maximum in-memory file size that can be scanned .

integer

Minimum value: 1 Maximum value: 383 **

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned .

integer

Minimum value: 0 Maximum value: 383 **

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned .

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

** Values may differ between models.

config pop3

Parameter

Description

Type

Size

Default

ports

Ports to scan for content .

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

inspect-all

Enable/disable the inspection of all ports for the protocol.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

options

One or more options that can be applied to the session.

option

-

 

Option

Description

fragmail

Pass fragmented email.

oversize

Block oversized file/email.

oversize-limit

Maximum in-memory file size that can be scanned .

integer

Minimum value: 1 Maximum value: 383 **

10

uncompressed-oversize-limit

Maximum in-memory uncompressed file size that can be scanned .

integer

Minimum value: 0 Maximum value: 383 **

10

uncompressed-nest-limit

Maximum nested levels of compression that can be uncompressed and scanned .

integer

Minimum value: 2 Maximum value: 100

12

scan-bzip2

Enable/disable scanning of BZip2 compressed files.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ssl-offloaded

SSL decryption and encryption performed by an external device.

option

-

no

 

Option

Description

no

SSL decryption and encryption performed by FortiGate when deep-inspection is enabled.

yes

SSL decryption and encryption performed by an external device.

** Values may differ between models.

config smtp

Parameter

Description

Type

Size

Default

ports

Ports to scan for content .

integer

Minimum value: 1 Maximum value: 65535

status

Enable/disable the active status of scanning for this protocol.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

inspect-all