CLI Reference

config system fabric-vpn

Setup for self orchestrated fabric auto discovery VPN.

config system fabric-vpn
    Description: Setup for self orchestrated fabric auto discovery VPN.
    config advertised-subnets
        Description: Local advertised subnets.
        edit <id>
            set access [inbound|bidirectional]
            set bgp-network {integer}
            set firewall-address {string}
            set policies {integer}
            set prefix {ipv4-classnet}
        next
    end
    set bgp-as {user}
    set branch-name {string}
    set health-checks {string}
    set loopback-address-block {ipv4-classnet-any}
    set loopback-address-block-ipam {string}
    set loopback-advertised-subnet {integer}
    set loopback-interface {string}
    config overlays
        Description: Local overlay interfaces table.
        edit <name>
            set bgp-neighbor {string}
            set bgp-neighbor-group {string}
            set bgp-neighbor-range {integer}
            set bgp-network {integer}
            set interface {string}
            set ipsec-network-id {integer}
            set ipsec-phase1 {string}
            set overlay-policy {integer}
            set overlay-tunnel-block {ipv4-classnet-any}
            set overlay-tunnel-block-ipam {string}
            set remote-gw {ipv4-address-any}
            set route-policy {integer}
            set sdwan-member {integer}
        next
    end
    set policy-rule [health-check|manual|...]
    set psksecret {password-3}
    set sdwan-zone {string}
    set status [enable|disable]
    set sync-mode [enable|disable]
    set vpn-role [hub|spoke]
end

config system fabric-vpn

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| bgp-as | BGP Router AS number, asplain/asdot/asdot+ format. | user | Not Specified | |
| branch-name | Branch name. | string | Maximum length: 35 | |
| health-checks | Underlying health checks. | string | Maximum length: 35 | |
| loopback-address-block | IPv4 address and subnet mask for hub's loopback address, syntax: X.X.X.X/24. | ipv4-classnet-any ** | Not Specified | 0.0.0.0 0.0.0.0 |
| loopback-address-block-ipam * | IPAM firewall address that will be used for hub's loopback address. | string | Maximum length: 79 | |
| loopback-advertised-subnet | Loopback advertised subnet reference. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| loopback-interface | Loopback interface. | string | Maximum length: 15 | |
| policy-rule | Policy creation rule. | option | - | fabric ** |
| psksecret | Pre-shared secret for ADVPN. | password-3 | Not Specified | |
| sdwan-zone | Reference to created SD-WAN zone. | string | Maximum length: 35 | |
| status | Enable/disable Fabric VPN. | option | - | disable |
| sync-mode | Setting synchronized by fabric or manual. | option | - | enable |
| vpn-role | Fabric VPN role. | option | - | hub |

| policy-rule option | Description |
|---|---|
| health-check | Only create health check policy automatically (Fabric policies are not enforced). |
| manual | All policies will be created manually (Fabric policies are not enforced). |
| auto | Automatically create allow all policies matching subnet access (Fabric policies are not enforced). |
| fabric | Use fabric policies for automatic policy creation (Health check policies are automatically enforced). |

| status option | Description |
|---|---|
| enable | Enable Fabric VPN. |
| disable | Disable Fabric VPN. |

| sync-mode option | Description |
|---|---|
| enable | Enable fabric-led configuration synchronization. |
| disable | Disable fabric-led configuration synchronization. |

| vpn-role option | Description |
|---|---|
| hub | VPN hub. |
| spoke | VPN spoke. |

* This parameter may not exist in some models.

** Values may differ between models.

config advertised-subnets

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| access | Access policy direction. | option | - | inbound |
| bgp-network | Underlying BGP network. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| firewall-address | Underlying firewall address. | string | Maximum length: 79 | |
| id | ID. | integer | Minimum value: 0 Maximum value: 4294967294 | 0 |
| policies | Underlying policies. | integer | Minimum value: 0 Maximum value: 4294967295 | |
| prefix | Network prefix. | ipv4-classnet | Not Specified | 0.0.0.0 0.0.0.0 |

| access option | Description |
|---|---|
| inbound | Allow inbound traffic to subnet. |
| bidirectional | Allow inbound and outbound traffic to subnet. |

config overlays

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| bgp-neighbor | Underlying BGP neighbor entry. | string | Maximum length: 45 | |
| bgp-neighbor-group | Underlying BGP neighbor group entry. | string | Maximum length: 45 | |
| bgp-neighbor-range | Underlying BGP neighbor range entry. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| bgp-network | Underlying BGP network. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| interface | Underlying interface name. | string | Maximum length: 15 | |
| ipsec-network-id | VPN gateway network ID. | integer | Minimum value: 0 Maximum value: 255 | 0 |
| ipsec-phase1 | IPsec interface. | string | Maximum length: 35 | |
| name | Overlay name. | string | Maximum length: 79 | |
| overlay-policy | The overlay policy to allow ADVPN through traffic. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| overlay-tunnel-block | IPv4 address and subnet mask for the overlay tunnel, syntax: X.X.X.X/24. | ipv4-classnet-any ** | Not Specified | 0.0.0.0 0.0.0.0 |
| overlay-tunnel-block-ipam * | Source for the overlay tunnel, obtained from the firewall addresses managed by IPAM. | string | Maximum length: 79 | |
| remote-gw | IP address of the hub gateway (Set by hub). | ipv4-address-any | Not Specified | 0.0.0.0 |
| route-policy | Underlying router policy. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| sdwan-member | Reference to SD-WAN member entry. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |

* This parameter may not exist in some models.

** Values may differ between models.
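
The following is an added example, not Fortinet code: a Python check that parses a `config system fabric-vpn` block in the syntax above, validates values against the limits in this page's tables, and flags the two settings whose option descriptions widen access (`policy-rule auto` and `access bidirectional`). The sample configuration, the `audit` function and its message strings are constructed for illustration.

```python
import re

# Limits and option sets copied from the tables on this page.
MAX_LEN = {"branch-name": 35, "health-checks": 35, "sdwan-zone": 35,
           "loopback-interface": 15, "interface": 15, "ipsec-phase1": 35,
           "firewall-address": 79, "bgp-neighbor": 45, "bgp-neighbor-group": 45}
INT_MAX = {"ipsec-network-id": 255}
OPTIONS = {"policy-rule": {"health-check", "manual", "auto", "fabric"},
           "status": {"enable", "disable"}, "sync-mode": {"enable", "disable"},
           "vpn-role": {"hub", "spoke"}, "access": {"inbound", "bidirectional"}}
# Valid settings that widen access, per the option descriptions on this page.
REVIEW = {("policy-rule", "auto"): "creates allow-all policies",
          ("access", "bidirectional"): "allows inbound and outbound traffic"}

# Constructed sample, not taken from a real device.
SAMPLE = '''config system fabric-vpn
    set policy-rule auto
    config advertised-subnets
        edit 1
            set access bidirectional
            set prefix 10.1.0.0 255.255.0.0
        next
    end
    config overlays
        edit "ov1"
            set ipsec-network-id 300
            set interface "a-very-long-interface-name"
        next
    end
end
'''

def audit(text):
    """Return (context, key, value, problem) for each finding, in file order."""
    findings, ctx = [], []
    for line in filter(str.strip, text.splitlines()):
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if words[0] in ("config", "edit"):
            ctx.append(" ".join(words[1:]))      # enter a table or an entry
        elif words[0] in ("next", "end") and ctx:
            ctx.pop()                            # leave it again
        elif words[0] == "set" and len(words) >= 3:
            key, val, where = words[1], words[2], "/".join(ctx)
            checks = [(key in OPTIONS and val not in OPTIONS[key], "unknown option"),
                      (len(val) > MAX_LEN.get(key, len(val)), "too long"),
                      (key in INT_MAX and not (val.isdigit() and int(val) <= INT_MAX[key]), "out of range"),
                      ((key, val) in REVIEW, REVIEW.get((key, val)))]
            findings += [(where, key, val, msg) for bad, msg in checks if bad]
    return findings
```

Running `audit(SAMPLE)` reports four findings: the two review items plus the out-of-range `ipsec-network-id` and the over-length `interface` name.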
