Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    8.0.0
    8.0.0
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.0
    6.0.4
    6.0.3
    6.0.1
    6.0.0

    cloud-api policy

    cloud-api policy

    Use this command to configure Microsoft 365 and Google Workspace scan policies. You must have domain administrator privileges to access Microsoft 365 or Google Workspace.

    Syntax

    config cloud-api policy

    edit <policy_index>

    [set comment "<comment_str>"]

    set status {enable | disable}

    set account <account_name>

    set source-type {geoip-group | ip-address | ip-group}

    set source-ip-address {<client_ipv4mask> | <client_ipv6mask>}

    set source-ip-group <ip-group_name>

    set source-geoip-group <geoip-group_name>

    set sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard}

    set sender-name <username_str>

    set sender-domain <sender_fqdn>

    set sender-ad-group-attr {custom | displayname | mail}

    set sender-ad-group-attr-name <attribute-name_str>

    set sender-ad-group-attr-value <attribute-value_str>

    set sender-email-group <group_name>

    set sender-ldap-profile <profile_name>

    set sender-pattern-regex <sender_pattern>

    set recipient-type {ad-group | email-group | ldap-group | regex | wildcard}

    set recipient-name <username_str>

    set recipient-domain <recipient_fqdn>

    set recipient-ad-group-attr {custom | displayname | mail}

    set recipient-ad-group-attr-name <attribute-name_str>

    set recipient-ad-group-attr-value <attribute-value_str>

    set recipient-email-group <group_name>

    set recipient-ldap-profile <profile_name>

    set recipient-pattern-regex <recipient_pattern>

    set profile-antispam <profile_name>

    set profile-antivirus <profile_name>

    set profile-content <profile_name>

    set profile-dlp <profile_name>

    end

    Variable

    Description

    Default

    <policy_index>

    Enter an index number for the policy in the table.

    account <account_name>

    Select which Microsoft 365, Microsoft Exchange, or Google Workspace account to use for the scan's cloud API connection.

    comment "<comment_str>"

    Enter a description or comment.

    profile-antispam <profile_name> Select which antispam profile this policy will apply.

    profile-antivirus <profile_name> Select which antivirus profile this policy will apply.

    profile-content <profile_name> Select which content profile this policy will apply.

    profile-dlp <profile_name> Select which DLP profile this policy will apply.

    recipient-ad-group-attr {custom | displayname | mail}

    Select which attribute contains email addresses in your Microsoft Azure Entra ID (formerly Active Directory) directory schema, either:

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ad-group.

    displayname

    recipient-ad-group-attr-name <attribute-name_str>

    Enter the name of the custom attribute.

    This setting is available only if recipient-ad-group-attr {custom | displayname | mail} is custom.

    recipient-ad-group-attr-value <attribute-value_str>

    Enter the attribute value that will match this policy.

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ad-group.

    recipient-domain <recipient_fqdn> Enter the domain part of the recipient email address.

    *

    recipient-email-group <group_name>

    Select an email address group.

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is email-group.

    recipient-ldap-profile <profile_name>

    Select an LDAP profile.

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ldap-group.

    recipient-name <username_str>

    Depending on how you chose to define matching email addresses, enter either the:

    • Local part (username) of the email address, or a wild card pattern.

      Wild card patterns allow you to match multiple email addresses. An asterisk (*) matches one or more characters; a question mark (?) matches any one character.

    • Group's full or partial membership attribute value, as it appears in your LDAP directory.

      Depending on the schema and group-relative-name {enable | disable}, the format is either:

      • admins

      • cn=admins,ou=Groups,dc=example,dc=com

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is wildcard or ldap-group.

    *

    recipient-pattern-regex <recipient_pattern>

    Enter a regular expression that matches only email addresses that this policy should apply to.

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is regex.

    To test and validate the regular expression, you can use the FortiMail GUI. See also regular expression syntax and examples in the FortiMail Administration Guide.

    recipient-type {ad-group | email-group | ldap-group | regex | wildcard}

    Select how you want to define the recipient email addresses that match this policy, either:

    wildcard

    sender-ad-group-attr {custom | displayname | mail}

    Select which attribute contains email addresses in your Microsoft Azure Entra ID (formerly Active Directory) directory schema, either:

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ad-group.

    displayname

    sender-ad-group-attr-name <attribute-name_str>

    Enter the name of the custom attribute.

    This setting is available only if sender-ad-group-attr {custom | displayname | mail} is custom.

    sender-ad-group-attr-value <attribute-value_str>

    Enter the attribute value that will match this policy.

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ad-group.

    sender-domain <sender_fqdn> Enter the domain part of the sender email address.

    *

    sender-email-group <group_name>

    Select an email group.

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is email-group.

    sender-ldap-profile <profile_name>

    Select an LDAP profile.

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ldap-group.

    sender-name <username_str>

    Depending on how you chose to define matching email addresses, enter either the:

    • Local part (username) of the email address, or a wild card pattern.

      Wild card patterns allow you to match multiple email addresses. An asterisk (*) matches one or more characters; a question mark (?) matches any one character.

    • Group's full or partial membership attribute value, as it appears in your LDAP directory.

      Depending on the schema and group-relative-name {enable | disable}, the format is either:

      • admins

      • cn=admins,ou=Groups,dc=example,dc=com

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is wildcard or ldap-group.

    *

    sender-pattern-regex <sender_pattern>

    Enter a regular expression that matches only email addresses that this policy should apply to.

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is regex.

    To test and validate the regular expression, you can use the FortiMail GUI. See also regular expression syntax and examples in the FortiMail Administration Guide.

    sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard}

    Select how you want to define the sender email addresses that match this policy, either:

    wildcard
    source-ip-address {<client_ipv4mask> | <client_ipv6mask>}

    Enter the SMTP client IP address and netmask.

    To match all clients, enter 0.0.0.0/0.

    This setting is available only if source-type {geoip-group | ip-address | ip-group} is ip-address.

    0.0.0.0/0

    source-ip-group <ip-group_name>

    Select which IP address group to use.

    This setting is available only if source-type {geoip-group | ip-address | ip-group} is ip-group.

    source-geoip-group <geoip-group_name>

    Select which GeoIP group to use.

    This setting is available only if source-type {geoip-group | ip-address | ip-group} is geoip-group.

    source-type {geoip-group | ip-address | ip-group}

    Select how you want to define the source IP addresses of SMTP clients that will match this policy, either:

    ip-address
    status {enable | disable} Enable or disable the policy.

    disable

    Related topics

    cloud-api account

    domain

    cloud-api profile antispam

    cloud-api profile antivirus

    cloud-api profile content

    cloud-api profile dlp

    profile geoip-group

    profile ip-address-group

    profile ldap

    Previous
    Next

    cloud-api policy

    cloud-api policy

    Use this command to configure Microsoft 365 and Google Workspace scan policies. You must have domain administrator privileges to access Microsoft 365 or Google Workspace.

    Syntax

    config cloud-api policy

    edit <policy_index>

    [set comment "<comment_str>"]

    set status {enable | disable}

    set account <account_name>

    set source-type {geoip-group | ip-address | ip-group}

    set source-ip-address {<client_ipv4mask> | <client_ipv6mask>}

    set source-ip-group <ip-group_name>

    set source-geoip-group <geoip-group_name>

    set sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard}

    set sender-name <username_str>

    set sender-domain <sender_fqdn>

    set sender-ad-group-attr {custom | displayname | mail}

    set sender-ad-group-attr-name <attribute-name_str>

    set sender-ad-group-attr-value <attribute-value_str>

    set sender-email-group <group_name>

    set sender-ldap-profile <profile_name>

    set sender-pattern-regex <sender_pattern>

    set recipient-type {ad-group | email-group | ldap-group | regex | wildcard}

    set recipient-name <username_str>

    set recipient-domain <recipient_fqdn>

    set recipient-ad-group-attr {custom | displayname | mail}

    set recipient-ad-group-attr-name <attribute-name_str>

    set recipient-ad-group-attr-value <attribute-value_str>

    set recipient-email-group <group_name>

    set recipient-ldap-profile <profile_name>

    set recipient-pattern-regex <recipient_pattern>

    set profile-antispam <profile_name>

    set profile-antivirus <profile_name>

    set profile-content <profile_name>

    set profile-dlp <profile_name>

    end

    Variable

    Description

    Default

    <policy_index>

    Enter an index number for the policy in the table.

    account <account_name>

    Select which Microsoft 365, Microsoft Exchange, or Google Workspace account to use for the scan's cloud API connection.

    comment "<comment_str>"

    Enter a description or comment.

    profile-antispam <profile_name> Select which antispam profile this policy will apply.

    profile-antivirus <profile_name> Select which antivirus profile this policy will apply.

    profile-content <profile_name> Select which content profile this policy will apply.

    profile-dlp <profile_name> Select which DLP profile this policy will apply.

    recipient-ad-group-attr {custom | displayname | mail}

    Select which attribute contains email addresses in your Microsoft Azure Entra ID (formerly Active Directory) directory schema, either:

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ad-group.

    displayname

    recipient-ad-group-attr-name <attribute-name_str>

    Enter the name of the custom attribute.

    This setting is available only if recipient-ad-group-attr {custom | displayname | mail} is custom.

    recipient-ad-group-attr-value <attribute-value_str>

    Enter the attribute value that will match this policy.

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ad-group.

    recipient-domain <recipient_fqdn> Enter the domain part of the recipient email address.

    *

    recipient-email-group <group_name>

    Select an email address group.

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is email-group.

    recipient-ldap-profile <profile_name>

    Select an LDAP profile.

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is ldap-group.

    recipient-name <username_str>

    Depending on how you chose to define matching email addresses, enter either the:

    • Local part (username) of the email address, or a wild card pattern.

      Wild card patterns allow you to match multiple email addresses. An asterisk (*) matches one or more characters; a question mark (?) matches any one character.

    • Group's full or partial membership attribute value, as it appears in your LDAP directory.

      Depending on the schema and group-relative-name {enable | disable}, the format is either:

      • admins

      • cn=admins,ou=Groups,dc=example,dc=com

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is wildcard or ldap-group.

    *

    recipient-pattern-regex <recipient_pattern>

    Enter a regular expression that matches only email addresses that this policy should apply to.

    This setting is available only if recipient-type {ad-group | email-group | ldap-group | regex | wildcard} is regex.

    To test and validate the regular expression, you can use the FortiMail GUI. See also regular expression syntax and examples in the FortiMail Administration Guide.

    recipient-type {ad-group | email-group | ldap-group | regex | wildcard}

    Select how you want to define the recipient email addresses that match this policy, either:

    wildcard

    sender-ad-group-attr {custom | displayname | mail}

    Select which attribute contains email addresses in your Microsoft Azure Entra ID (formerly Active Directory) directory schema, either:

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ad-group.

    displayname

    sender-ad-group-attr-name <attribute-name_str>

    Enter the name of the custom attribute.

    This setting is available only if sender-ad-group-attr {custom | displayname | mail} is custom.

    sender-ad-group-attr-value <attribute-value_str>

    Enter the attribute value that will match this policy.

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ad-group.

    sender-domain <sender_fqdn> Enter the domain part of the sender email address.

    *

    sender-email-group <group_name>

    Select an email group.

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is email-group.

    sender-ldap-profile <profile_name>

    Select an LDAP profile.

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is ldap-group.

    sender-name <username_str>

    Depending on how you chose to define matching email addresses, enter either the:

    • Local part (username) of the email address, or a wild card pattern.

      Wild card patterns allow you to match multiple email addresses. An asterisk (*) matches one or more characters; a question mark (?) matches any one character.

    • Group's full or partial membership attribute value, as it appears in your LDAP directory.

      Depending on the schema and group-relative-name {enable | disable}, the format is either:

      • admins

      • cn=admins,ou=Groups,dc=example,dc=com

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is wildcard or ldap-group.

    *

    sender-pattern-regex <sender_pattern>

    Enter a regular expression that matches only email addresses that this policy should apply to.

    This setting is available only if sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard} is regex.

    To test and validate the regular expression, you can use the FortiMail GUI. See also regular expression syntax and examples in the FortiMail Administration Guide.

    sender-type {ad-group | email-group | external | internal | ldap-group | regex | wildcard}

    Select how you want to define the sender email addresses that match this policy, either:

    wildcard
    source-ip-address {<client_ipv4mask> | <client_ipv6mask>}

    Enter the SMTP client IP address and netmask.

    To match all clients, enter 0.0.0.0/0.

    This setting is available only if source-type {geoip-group | ip-address | ip-group} is ip-address.

    0.0.0.0/0

    source-ip-group <ip-group_name>

    Select which IP address group to use.

    This setting is available only if source-type {geoip-group | ip-address | ip-group} is ip-group.

    source-geoip-group <geoip-group_name>

    Select which GeoIP group to use.

    This setting is available only if source-type {geoip-group | ip-address | ip-group} is geoip-group.

    source-type {geoip-group | ip-address | ip-group}

    Select how you want to define the source IP addresses of SMTP clients that will match this policy, either:

    ip-address
    status {enable | disable} Enable or disable the policy.

    disable

    Related topics

    cloud-api account

    domain

    cloud-api profile antispam

    cloud-api profile antivirus

    cloud-api profile content

    cloud-api profile dlp

    profile geoip-group

    profile ip-address-group

    profile ldap

    Previous
    Next