
CLI Reference

config system csf

Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

config system csf
    Description: Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.
    set accept-auth-by-cert [disable|enable]
    set authorization-request-type [serial|certificate]
    set autoclear-removed-shared-objects [enable|disable]
    set certificate {string}
    set configuration-sync [default|local]
    set downstream-access [enable|disable]
    set downstream-accprofile {string}
    config fabric-connector
        Description: Fabric connector configuration.
        edit <serial>
            set accprofile {string}
            set configuration-write-access [enable|disable]
            set vdom <name1>, <name2>, ...
        next
    end
    config fabric-datasource-exemption
        Description: Disable the fabric datasource check on the tables when synchronizing them.
        edit <name>
            set status [enable|disable]
        next
    end
    set fabric-object-change-auto-cascade [enable|disable]
    set fabric-object-unification [default|local]
    set fabric-workers {integer}
    set file-mgmt [enable|disable]
    set file-quota {integer}
    set file-quota-warning {integer}
    set forticloud-account-enforcement [enable|disable]
    set group-name {string}
    set group-password {password}
    set legacy-authentication [disable|enable]
    set log-unification [disable|enable]
    set saml-configuration-sync [default|local]
    config shared-objects
        Description: Fabric-wide objects shared by non-root nodes.
        edit <name>
            config objects
                Description: CMDB table entries.
                edit <pathname>
                    config keys
                        Description: Keys of CMDB table entries.
                        edit <name>
                        next
                    end
                next
            end
            set trusted-list-entry {string}
        next
    end
    set source-ip {ipv4-address}
    set status [enable|disable]
    config trusted-list
        Description: Pre-authorized and blocked security fabric nodes.
        edit <name>
            set action [accept|deny]
            set ca {string}
            set ca-fingerprint {string}
            set cn {string}
            set index {integer}
            set role [downstream|upstream]
        next
    end
    set uid {string}
    set upload-shared-objects [enable|disable]
    set upstream {string}
    set upstream-interface {string}
    set upstream-interface-select-method [auto|sdwan|...]
    set upstream-port {integer}
end

config system csf

accept-auth-by-cert
    Description: Accept connections with unknown certificates and ask admin for approval.
    Type: option    Size: -    Default: enable
    Options:
        disable    Do not accept SSL connections with unknown certificates.
        enable     Accept SSL connections without automatic certificate verification; the admin is asked to approve each such connection.

authorization-request-type
    Description: Authorization request type.
    Type: option    Size: -    Default: certificate **
    Options:
        serial         Request verification by serial number.
        certificate    Request verification by certificate.

autoclear-removed-shared-objects *
    Description: Control system behavior for deleted shared objects.
    Type: option    Size: -    Default: enable
    Options:
        enable     Enable automatic clearing of configuration related to deleted shared objects.
        disable    Disable automatic clearing of configuration related to deleted shared objects.

certificate
    Description: Certificate.
    Type: string    Size: maximum length 35    Default: Fortinet_Factory **

configuration-sync
    Description: Configuration sync mode.
    Type: option    Size: -    Default: default
    Options:
        default    Synchronize configuration for IPAM, FortiAnalyzer, FortiSandbox, and Central Management to root node.
        local      Do not synchronize configuration with root node.

downstream-access
    Description: Enable/disable downstream device access to this device's configuration and data.
    Type: option    Size: -    Default: disable
    Options:
        enable     Enable downstream device access to this device's configuration and data.
        disable    Disable downstream device access to this device's configuration and data.

downstream-accprofile
    Description: Default access profile for requests from downstream devices.
    Type: string    Size: maximum length 35

fabric-object-change-auto-cascade *
    Description: Enable/disable the cascade mode for fabric objects datasource check.
    Type: option    Size: -    Default: disable
    Options:
        enable     Enable the fabric datasource check cascade mode: setting an entry to fabric-enabled also changes all related datasources to fabric-enabled objects.
        disable    Disable the fabric datasource check cascade mode: setting an entry to fabric-enabled no longer changes the related datasources.

fabric-object-unification
    Description: Fabric CMDB Object Unification.
    Type: option    Size: -    Default: default
    Options:
        default    Global CMDB objects will be synchronized in Security Fabric.
        local      Global CMDB objects will not be synchronized to and from this device.

fabric-workers
    Description: Number of worker processes for Security Fabric daemon.
    Type: integer    Size: minimum 1, maximum 4    Default: 2

file-mgmt
    Description: Enable/disable Security Fabric daemon file management.
    Type: option    Size: -    Default: enable
    Options:
        enable     Enable daemon file management.
        disable    Disable daemon file management.

file-quota
    Description: Maximum amount of memory that can be used by the daemon files (in bytes).
    Type: integer    Size: minimum 0, maximum 4294967295    Default: 0

file-quota-warning
    Description: Warn when the set percentage of quota has been used.
    Type: integer    Size: minimum 1, maximum 99    Default: 90

forticloud-account-enforcement
    Description: Fabric FortiCloud account unification.
    Type: option    Size: -    Default: enable
    Options:
        enable     Enable FortiCloud account ID matching for Security Fabric.
        disable    Disable FortiCloud account ID matching for Security Fabric.

group-name
    Description: Security Fabric group name. All FortiGates in a Security Fabric must have the same group name.
    Type: string    Size: maximum length 35

group-password
    Description: Security Fabric group password. For legacy authentication, fabric members must have the same group password.
    Type: password    Size: not specified

legacy-authentication
    Description: Enable/disable legacy authentication (authentication by the shared group-password).
    Type: option    Size: -    Default: disable
    Options:
        disable    Do not accept legacy authentication requests.
        enable     Accept legacy authentication requests.

log-unification
    Description: Enable/disable broadcast of discovery messages for log unification.
    Type: option    Size: -    Default: enable
    Options:
        disable    Disable broadcast of discovery messages for log unification.
        enable     Enable broadcast of discovery messages for log unification.

saml-configuration-sync
    Description: SAML setting configuration synchronization.
    Type: option    Size: -    Default: default
    Options:
        default    SAML setting for fabric members is created by fabric root.
        local      Do not apply SAML configuration generated by root.

source-ip
    Description: Source IP address for communication with the upstream FortiGate.
    Type: ipv4-address    Size: not specified    Default: 0.0.0.0

status
    Description: Enable/disable Security Fabric.
    Type: option    Size: -    Default: disable
    Options:
        enable     Enable Security Fabric.
        disable    Disable Security Fabric.

uid
    Description: Unique ID of the current CSF node.
    Type: string    Size: maximum length 35

upload-shared-objects *
    Description: Configure uploading shared objects entries to the tree.
    Type: option    Size: -    Default: enable
    Options:
        enable     Enable sharing objects referenced in shared-object table within the fabric tree.
        disable    Disable sharing objects referenced in shared-object table within the fabric tree.

upstream
    Description: IP/FQDN of the FortiGate upstream from this FortiGate in the Security Fabric.
    Type: string    Size: maximum length 255

upstream-interface
    Description: Specify outgoing interface to reach server.
    Type: string    Size: maximum length 15

upstream-interface-select-method
    Description: Specify how to select outgoing interface to reach server.
    Type: option    Size: -    Default: auto
    Options:
        auto       Set outgoing interface automatically.
        sdwan      Set outgoing interface by SD-WAN or policy routing rules.
        specify    Set outgoing interface manually.

upstream-port
    Description: The port number to use to communicate with the FortiGate upstream from this FortiGate in the Security Fabric (default = 8013).
    Type: integer    Size: minimum 1, maximum 65535    Default: 8013

* This parameter may not exist in some models.

** Values may differ between models.

config fabric-connector

accprofile
    Description: Override access profile.
    Type: string    Size: maximum length 35

configuration-write-access
    Description: Enable/disable downstream device write access to configuration.
    Type: option    Size: -    Default: disable
    Options:
        enable     Enable downstream device write access to configuration.
        disable    Disable downstream device write access to configuration.

serial
    Description: Serial.
    Type: string    Size: maximum length 19

vdom <name>
    Description: Virtual domains that the connector has access to. If none are set, the connector will only have access to the VDOM that it joins the Security Fabric through.
    <name>: Virtual domain name.
        Type: string    Size: maximum length 79

config fabric-datasource-exemption

name
    Description: Name.
    Type: string    Size: maximum length 255

status
    Description: Enable/disable bypassing the fabric datasource check on the target table.
    Type: option    Size: -    Default: disable
    Options:
        enable     Enable fabric datasource check bypass on the table.
        disable    Disable fabric datasource check bypass on the table.

config shared-objects

name
    Description: UID of the source device.
    Type: string    Size: maximum length 35

trusted-list-entry
    Description: Trusted list entry name.
    Type: string    Size: maximum length 35

config objects

pathname
    Description: CMDB path and object name.
    Type: string    Size: maximum length 192

config keys

name
    Description: Key.
    Type: string    Size: maximum length 79

config trusted-list

action
    Description: Security fabric authorization action.
    Type: option    Size: -    Default: accept
    Options:
        accept    Accept authorization request.
        deny      Deny authorization request.

ca *
    Description: Name of a CA on the downstream's certificate chain.
    Type: string    Size: maximum length 79

ca-fingerprint *
    Description: SHA512 fingerprint of a CA on the downstream's certificate chain.
    Type: string    Size: maximum length 191

cn *
    Description: Certificate CNs used by HA members.
    Type: string    Size: maximum length 64

index
    Description: Index of the downstream in tree.
    Type: integer    Size: minimum 1, maximum 1025 **    Default: 0

name
    Description: Name.
    Type: string    Size: maximum length 35

role *
    Description: Device role to this member.
    Type: option    Size: -    Default: downstream
    Options:
        downstream    Downstream device (client).
        upstream      Upstream device (server).

* This parameter may not exist in some models.

** Values may differ between models.
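Most of a Fabric root's security posture is decided by a handful of the settings documented above: accept-auth-by-cert (unknown certificates accepted pending approval, and enabled by default), legacy-authentication (shared group-password), forticloud-account-enforcement, and downstream-access together with each fabric-connector's accprofile and configuration-write-access. The script below is an added example and not Fortinet code: it parses a config system csf block as it appears in a FortiOS configuration backup and reports those weak settings, reading any absent line with the default the table gives. The two embedded configurations are constructed samples; the serial numbers and the fabric_ro access profile are made up, super_admin is the FortiOS built-in full-access profile, and the severity labels are this example's own.

```python
"""Audit a FortiOS `config system csf` block for weak Security Fabric settings (added example,
not Fortinet code). Absent lines are read with the table's defaults; sample serials are made up."""
import shlex

WEAK_ROOT = """
config system csf
    set status enable
    set legacy-authentication enable
    set downstream-access enable
    set forticloud-account-enforcement disable
    config fabric-connector
        edit "FGT60F0000000001"
            set accprofile "super_admin"
            set configuration-write-access enable
        next
    end
end
"""

# Same root hardened: unknown certificates refused, each downstream pre-authorized or
# blocked in trusted-list, and a read-only profile (fabric_ro is a hypothetical name).
HARDENED_ROOT = """
config system csf
    set status enable
    set accept-auth-by-cert disable
    set legacy-authentication disable
    set downstream-access enable
    set downstream-accprofile "fabric_ro"
    config trusted-list
        edit "FGT60F0000000001"
            set action accept
        next
        edit "FGT40F0000000002"
            set action deny
        next
    end
    config fabric-connector
        edit "FGT60F0000000001"
            set configuration-write-access disable
            set vdom "root" "dmz"
        next
    end
end
"""

def _node():
    return {"set": {}, "config": {}, "entries": {}}   # one CLI scope

def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into a dict tree."""
    root = cur = _node()
    stack, kind = [], "root"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)                 # honours double-quoted values
        if cmd == "config":
            stack.append((kind, cur))
            cur, kind = cur["config"].setdefault(" ".join(args), _node()), "config"
        elif cmd == "edit":
            stack.append((kind, cur))
            cur, kind = cur["entries"].setdefault(args[0], _node()), "edit"
        elif cmd == "set":
            cur["set"][args[0]] = args[1:]            # keep all values: set vdom "root" "dmz"
        elif (cmd, kind) in (("next", "edit"), ("end", "config")):
            kind, cur = stack.pop()
        else:
            raise ValueError(f"unexpected {cmd!r} in {kind} scope: {line}")
    if stack:
        raise ValueError("unterminated config/edit block")
    return root

def _value(node, key, default):
    """First value of a `set` line, or the documented default when the line is absent."""
    vals = node["set"].get(key)
    return vals[0] if vals else default

def audit_csf(text):
    """Return (severity, setting, message) tuples for weak settings in `config system csf`."""
    csf = parse_fortios(text)["config"].get("system csf")
    if csf is None or _value(csf, "status", "disable") != "enable":
        return []                                      # fabric disabled: nothing to assess
    findings = []
    if _value(csf, "accept-auth-by-cert", "enable") == "enable":
        findings.append(("medium", "accept-auth-by-cert",
                         "unknown certificates accepted pending approval; pre-authorize in trusted-list"))
    if _value(csf, "legacy-authentication", "disable") == "enable":
        findings.append(("high", "legacy-authentication", "shared group-password authentication accepted"))
    if _value(csf, "forticloud-account-enforcement", "enable") == "disable":
        findings.append(("low", "forticloud-account-enforcement", "FortiCloud account ID not matched"))
    if _value(csf, "downstream-access", "disable") == "enable":
        default_profile = _value(csf, "downstream-accprofile", "")
        for serial, conn in csf["config"].get("fabric-connector", _node())["entries"].items():
            if _value(conn, "accprofile", default_profile) == "super_admin":   # built-in full-access profile
                findings.append(("high", f"fabric-connector {serial}", "downstream acts as super_admin"))
            if _value(conn, "configuration-write-access", "disable") == "enable":
                findings.append(("high", f"fabric-connector {serial}", "downstream may write this config"))
    return findings
```

Call audit_csf() on the text of a backup's config system csf block; an empty list means none of the checks fired. The parser keeps every value of a set line, so multi-value fields such as a connector's vdom list survive, and it refuses unbalanced config/edit blocks rather than silently auditing a truncated file.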
