Script syntax
Most script syntax is the same as that used by FortiOS. For more information, see the FortiOS CLI Reference, available in the Fortinet Document Library.
FortiManager requires some special syntax to run CLI scripts on devices; the applicable forms are listed below.
Syntax applicable for address and address6
config firewall address
edit xxxx
...regular FOS command here...
config dynamic_mapping
edit "<dev_name>"-"<vdom_name>"
set subnet x.x.x.x x.x.x.x
next
end
next
end
Syntax applicable for ippool and ippool6
config firewall ippool
edit xxxx
...regular FOS command here...
config dynamic_mapping
edit "<dev_name>"-"<vdom_name>"
set startip x.x.x.x
set endip x.x.x.x
next
end
next
end
Syntax applicable for vip, vip6, vip46, and vip64
config firewall vip
edit xxxx
...regular FOS command here...
config dynamic_mapping
edit "<dev_name>"-"<vdom_name>"
set extintf "any"
set extip x.x.x.x-x.x.x.x
set mappedip x.x.x.x-x.x.x.x
set arp-reply enable|disable
next
end
next
end
Syntax applicable for dynamic zone
config dynamic interface
edit xxxx
set single-intf disable
set default-mapping enable|disable
set defmap-intf xxxx
config dynamic_mapping
edit "<dev_name>"-"<vdom_name>"
set local-intf xxxx
set intrazone-deny enable|disable
next
end
next
end
Syntax applicable for dynamic interface
config dynamic interface
edit xxxx
set single-intf enable
set default-mapping enable|disable
set defmap-intf xxxx
config dynamic_mapping
edit "<dev_name>"-"<vdom_name>"
set local-intf xxxx
set intrazone-deny enable|disable
next
end
next
end
Syntax applicable for dynamic multicast interface
config dynamic multicast interface
edit xxxx
set description xxxx
config dynamic_mapping
edit "<dev_name>"-"<vdom_name>"
set local-intf xxxx
next
end
next
end
Syntax applicable for local certificate (dynamic mapping)
config dynamic certificate local
edit xxxx
config dynamic_mapping
edit "<dev_name>"-"global"
set local-cert xxxx
next
end
next
end
Syntax applicable for vpn tunnel
config dynamic vpntunnel
edit xxxx
config dynamic_mapping
edit "<dev_name>"-"<vdom_name>"
set local-ipsec "<tunnel_name>"
next
end
next
end
Syntax applicable for vpn console table
config vpnmgr vpntable
edit xxxx
set topology star|meshed|dial
set psk-auto-generate enable|disable
set psksecret xxxx
set ike1proposal 3des-sha1 3des-md5 ...
set ike1dhgroup XXXX
set ike1keylifesec 28800
set ike1mode aggressive|main
set ike1dpd enable|disable
set ike1nattraversal enable|disable
set ike1natkeepalive 10
set ike2proposal 3des-sha1 3des-md5 ...
set ike2dhgroup 5
set ike2keylifetype seconds|kbyte|both
set ike2keylifesec 1800
set ike2keylifekbs 5120
set ike2keepalive enable|disable
set replay enable|disable
set pfs enable|disable
set ike2autonego enable|disable
set fcc-enforcement enable|disable
set localid-type auto|fqdn|user-fqdn|keyid|addressasn1dn
set authmethod psk|signature
set inter-vdom enable|disable
set certificate XXXX
next
end
Syntax applicable for vpn console node
config vpnmgr node
edit "1"
set vpntable "<table_name>"
set role hub|spoke
set iface xxxx
set hub_iface xxxx
set automatic_routing enable|disable
set extgw_p2_per_net enable|disable
set banner xxxx
set route-overlap use-old|use-new|allow
set dns-mode manual|auto
set domain xxxx
set local-gw x.x.x.x
set unity-support enable|disable
set xauthtype disable|client|pap|chap|auto
set authusr xxxx
set authpasswd xxxx
set authusrgrp xxxx
set public-ip x.x.x.x
config protected_subnet
edit 1
set addr xxxx xxxx ...
next
end
next
end
Syntax applicable for setting installation target on policy package
config firewall policy
edit x
...regular policy command here...
set _scope "<dev_name>"-"<vdom_name>"
next
end
Syntax applicable for global policy
config global header policy
...regular policy command here...
end
config global footer policy
...regular policy command here...
end