Fortinet white logo
Fortinet white logo

CLI Reference

config firewall sniffer

config firewall sniffer

Configure sniffer.

config firewall sniffer
    Description: Configure sniffer.
    edit <id>
        config anomaly
            Description: Configuration method to edit Denial of Service (DoS) anomaly settings.
            edit <name>
                set status [disable|enable]
                set log [enable|disable]
                set action [pass|block]
                set quarantine [none|attacker]
                set quarantine-expiry {user}
                set quarantine-log [disable|enable]
                set threshold {integer}
                set threshold(default) {integer}
            next
        end
        set application-list {string}
        set application-list-status [enable|disable]
        set av-profile {string}
        set av-profile-status [enable|disable]
        set dlp-profile {string}
        set dlp-profile-status [enable|disable]
        set dsri [enable|disable]
        set emailfilter-profile {string}
        set emailfilter-profile-status [enable|disable]
        set file-filter-profile {string}
        set file-filter-profile-status [enable|disable]
        set host {string}
        set interface {string}
        set ip-threatfeed <name1>, <name2>, ...
        set ip-threatfeed-status [enable|disable]
        set ips-dos-status [enable|disable]
        set ips-sensor {string}
        set ips-sensor-status [enable|disable]
        set ipv6 [enable|disable]
        set logtraffic [all|utm|...]
        set non-ip [enable|disable]
        set port {string}
        set protocol {string}
        set status [enable|disable]
        set vlan {string}
        set webfilter-profile {string}
        set webfilter-profile-status [enable|disable]
    next
end

config firewall sniffer

Parameter

Description

Type

Size

Default

application-list

Name of an existing application list.

string

Maximum length: 35

application-list-status

Enable/disable application control profile.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

av-profile

Name of an existing antivirus profile.

string

Maximum length: 35

av-profile-status

Enable/disable antivirus profile.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

dlp-profile

Name of an existing DLP profile.

string

Maximum length: 35

dlp-profile-status

Enable/disable DLP profile.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

dsri

Enable/disable DSRI.

option

-

disable

Option

Description

enable

Enable DSRI.

disable

Disable DSRI.

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

emailfilter-profile-status

Enable/disable emailfilter.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

file-filter-profile-status

Enable/disable file filter.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

host

Hosts to filter for in sniffer traffic.

string

Maximum length: 63

id

Sniffer ID.

integer

Minimum value: 0 Maximum value: 9999

0

interface

Interface name that traffic sniffing will take place on.

string

Maximum length: 35

ip-threatfeed <name>

Name of an existing IP threat feed.

Threat feed name.

string

Maximum length: 79

ip-threatfeed-status

Enable/disable IP threat feed.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ips-dos-status

Enable/disable IPS DoS anomaly detection.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

ips-sensor-status

Enable/disable IPS sensor.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6

Enable/disable sniffing IPv6 packets.

option

-

disable

Option

Description

enable

Enable sniffer for IPv6 packets.

disable

Disable sniffer for IPv6 packets.

logtraffic

Either log all sessions, only sessions that have a security profile applied, or disable all logging for this policy.

option

-

utm

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

non-ip

Enable/disable sniffing non-IP packets.

option

-

disable

Option

Description

enable

Enable sniffer for non-IP packets.

disable

Disable sniffer for non-IP packets.

port

Ports to sniff.

string

Maximum length: 63

protocol

Integer value for the protocol type as defined by IANA.

string

Maximum length: 63

status

Enable/disable the active status of the sniffer.

option

-

enable

Option

Description

enable

Enable sniffer status.

disable

Disable sniffer status.

vlan

List of VLANs to sniff.

string

Maximum length: 63

webfilter-profile

Name of an existing web filter profile.

string

Maximum length: 35

webfilter-profile-status

Enable/disable web filter profile.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

config anomaly

Parameter

Description

Type

Size

Default

name

Anomaly name.

string

Maximum length: 63

status

Enable/disable this anomaly.

option

-

disable

Option

Description

disable

Disable this status.

enable

Enable this status.

log

Enable/disable anomaly logging.

option

-

disable

Option

Description

enable

Enable anomaly logging.

disable

Disable anomaly logging.

action

Action taken when the threshold is reached.

option

-

pass

Option

Description

pass

Allow traffic but record a log message if logging is enabled.

block

Block traffic if this anomaly is found.

quarantine

Quarantine method.

option

-

none

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine.. Requires quarantine set to attacker.

user

Not Specified

5m

quarantine-log

Enable/disable quarantine logging.

option

-

enable

Option

Description

disable

Disable quarantine logging.

enable

Enable quarantine logging.

threshold

Anomaly threshold. Number of detected instances (packets per second or concurrent session number) that triggers the anomaly action.

integer

Minimum value: 1 Maximum value: 2147483647

0

threshold(default)

Number of detected instances. Note that each anomaly has a different threshold value assigned to it.

integer

Minimum value: 0 Maximum value: 4294967295

0

config firewall sniffer

config firewall sniffer

Configure sniffer.

config firewall sniffer
    Description: Configure sniffer.
    edit <id>
        config anomaly
            Description: Configuration method to edit Denial of Service (DoS) anomaly settings.
            edit <name>
                set status [disable|enable]
                set log [enable|disable]
                set action [pass|block]
                set quarantine [none|attacker]
                set quarantine-expiry {user}
                set quarantine-log [disable|enable]
                set threshold {integer}
                set threshold(default) {integer}
            next
        end
        set application-list {string}
        set application-list-status [enable|disable]
        set av-profile {string}
        set av-profile-status [enable|disable]
        set dlp-profile {string}
        set dlp-profile-status [enable|disable]
        set dsri [enable|disable]
        set emailfilter-profile {string}
        set emailfilter-profile-status [enable|disable]
        set file-filter-profile {string}
        set file-filter-profile-status [enable|disable]
        set host {string}
        set interface {string}
        set ip-threatfeed <name1>, <name2>, ...
        set ip-threatfeed-status [enable|disable]
        set ips-dos-status [enable|disable]
        set ips-sensor {string}
        set ips-sensor-status [enable|disable]
        set ipv6 [enable|disable]
        set logtraffic [all|utm|...]
        set non-ip [enable|disable]
        set port {string}
        set protocol {string}
        set status [enable|disable]
        set vlan {string}
        set webfilter-profile {string}
        set webfilter-profile-status [enable|disable]
    next
end

config firewall sniffer

Parameter

Description

Type

Size

Default

application-list

Name of an existing application list.

string

Maximum length: 35

application-list-status

Enable/disable application control profile.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

av-profile

Name of an existing antivirus profile.

string

Maximum length: 35

av-profile-status

Enable/disable antivirus profile.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

dlp-profile

Name of an existing DLP profile.

string

Maximum length: 35

dlp-profile-status

Enable/disable DLP profile.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

dsri

Enable/disable DSRI.

option

-

disable

Option

Description

enable

Enable DSRI.

disable

Disable DSRI.

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

emailfilter-profile-status

Enable/disable emailfilter.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

file-filter-profile-status

Enable/disable file filter.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

host

Hosts to filter for in sniffer traffic.

string

Maximum length: 63

id

Sniffer ID.

integer

Minimum value: 0 Maximum value: 9999

0

interface

Interface name that traffic sniffing will take place on.

string

Maximum length: 35

ip-threatfeed <name>

Name of an existing IP threat feed.

Threat feed name.

string

Maximum length: 79

ip-threatfeed-status

Enable/disable IP threat feed.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ips-dos-status

Enable/disable IPS DoS anomaly detection.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

ips-sensor-status

Enable/disable IPS sensor.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ipv6

Enable/disable sniffing IPv6 packets.

option

-

disable

Option

Description

enable

Enable sniffer for IPv6 packets.

disable

Disable sniffer for IPv6 packets.

logtraffic

Either log all sessions, only sessions that have a security profile applied, or disable all logging for this policy.

option

-

utm

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

non-ip

Enable/disable sniffing non-IP packets.

option

-

disable

Option

Description

enable

Enable sniffer for non-IP packets.

disable

Disable sniffer for non-IP packets.

port

Ports to sniff.

string

Maximum length: 63

protocol

Integer value for the protocol type as defined by IANA.

string

Maximum length: 63

status

Enable/disable the active status of the sniffer.

option

-

enable

Option

Description

enable

Enable sniffer status.

disable

Disable sniffer status.

vlan

List of VLANs to sniff.

string

Maximum length: 63

webfilter-profile

Name of an existing web filter profile.

string

Maximum length: 35

webfilter-profile-status

Enable/disable web filter profile.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

config anomaly

Parameter

Description

Type

Size

Default

name

Anomaly name.

string

Maximum length: 63

status

Enable/disable this anomaly.

option

-

disable

Option

Description

disable

Disable this status.

enable

Enable this status.

log

Enable/disable anomaly logging.

option

-

disable

Option

Description

enable

Enable anomaly logging.

disable

Disable anomaly logging.

action

Action taken when the threshold is reached.

option

-

pass

Option

Description

pass

Allow traffic but record a log message if logging is enabled.

block

Block traffic if this anomaly is found.

quarantine

Quarantine method.

option

-

none

Option

Description

none

Quarantine is disabled.

attacker

Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.

quarantine-expiry

Duration of quarantine.. Requires quarantine set to attacker.

user

Not Specified

5m

quarantine-log

Enable/disable quarantine logging.

option

-

enable

Option

Description

disable

Disable quarantine logging.

enable

Enable quarantine logging.

threshold

Anomaly threshold. Number of detected instances (packets per second or concurrent session number) that triggers the anomaly action.

integer

Minimum value: 1 Maximum value: 2147483647

0

threshold(default)

Number of detected instances. Note that each anomaly has a different threshold value assigned to it.

integer

Minimum value: 0 Maximum value: 4294967295

0