Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiProxy 7.0.10 CLI Reference
    7.0.10
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.0.19
    7.0.18
    7.0.17
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    2.0.13
    2.0.12
    2.0.0
    1.2.4

    config firewall vip

    config firewall vip

    Configure virtual IP for IPv4.

    config firewall vip
    Description: Configure virtual IP for IPv4.
    edit <name>
        set id {integer}
        set uuid {uuid}
        set comment {var-string}
        set type [static-nat|access-proxy]
        set extip {user}
        set mappedip <range1>, <range2>, ...
        set extintf {string}
        set arp-reply [disable|enable]
        set server-type [http|https|...]
        set http-redirect [enable|disable]
        set portforward [disable|enable]
        set status [disable|enable]
        set protocol [tcp|udp|...]
        set extport {user}
        set mappedport {user}
        set gratuitous-arp-interval {integer}
        set ssl-certificate {string}
        set ssl-dh-bits [768|1024|...]
        set ssl-algorithm [high|medium|...]
        set ssl-pfs [require|deny|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set color {integer}
    next
end

    config firewall vip

    Parameter

    Description

    Type

    Size

    Default

    id

    Custom defined ID.

    integer

    Minimum value: 0 Maximum value: 65535

    0

    uuid

    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

    uuid

    Not Specified

    00000000-0000-0000-0000-000000000000

    comment

    Comment.

    var-string

    Maximum length: 255

    type

    Configure between a static NAT and access proxy VIP.

    option

    -

    static-nat

    Option

    Description

    static-nat

    Static NAT.

    access-proxy

    Access proxy.

    extip

    IP address or address range on the external interface that you want to map to an address or address range on the destination network.

    user

    Not Specified

    mappedip <range>

    IP address or address range on the destination network to which the external IP address is mapped.

    Mapped IP range.

    string

    Maximum length: 79

    extintf

    Interface connected to the source network that receives the packets that will be forwarded to the destination network.

    string

    Maximum length: 35

    arp-reply

    Enable to respond to ARP requests for this virtual IP address. Enabled by default.

    option

    -

    enable

    Option

    Description

    disable

    Disable ARP reply.

    enable

    Enable ARP reply.

    server-type

    Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).

    option

    -

    Option

    Description

    http

    HTTP.

    https

    HTTPS.

    imaps

    IMAPS.

    pop3s

    POP3S.

    smtps

    SMTPS.

    ssl

    SSL.

    tcp

    TCP.

    udp

    UDP.

    ip

    IP.

    http-redirect

    Enable/disable redirection of HTTP to HTTPS.

    option

    -

    disable

    Option

    Description

    enable

    Enable redirection of HTTP to HTTPS.

    disable

    Disable redirection of HTTP to HTTPS.

    portforward

    Enable/disable port forwarding.

    option

    -

    disable

    Option

    Description

    disable

    Disable port forward.

    enable

    Enable port forward.

    status

    Enable/disable VIP.

    option

    -

    enable

    Option

    Description

    disable

    Disable the VIP.

    enable

    Enable the VIP.

    protocol

    Protocol to use when forwarding packets.

    option

    -

    tcp

    Option

    Description

    tcp

    TCP.

    udp

    UDP.

    sctp

    SCTP.

    icmp

    ICMP.

    extport

    Incoming port number range that you want to map to a port number range on the destination network.

    user

    Not Specified

    mappedport

    Port number range on the destination network to which the external port number range is mapped.

    user

    Not Specified

    gratuitous-arp-interval

    Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.

    integer

    Minimum value: 5 Maximum value: 8640000

    0

    ssl-certificate

    The name of the certificate to use for SSL handshake.

    string

    Maximum length: 35

    ssl-dh-bits

    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

    option

    -

    2048

    Option

    Description

    768

    768-bit Diffie-Hellman prime.

    1024

    1024-bit Diffie-Hellman prime.

    1536

    1536-bit Diffie-Hellman prime.

    2048

    2048-bit Diffie-Hellman prime.

    3072

    3072-bit Diffie-Hellman prime.

    4096

    4096-bit Diffie-Hellman prime.

    ssl-algorithm

    Permitted encryption algorithms for SSL sessions according to encryption strength.

    option

    -

    low

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    custom

    Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

    ssl-pfs

    Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

    option

    -

    require

    Option

    Description

    require

    Allow only Diffie-Hellman cipher-suites, so PFS is applied.

    deny

    Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

    allow

    Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

    ssl-min-version

    Lowest SSL/TLS version acceptable from a client.

    option

    -

    ssl-3.0

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    ssl-max-version

    Highest SSL/TLS version acceptable from a client.

    option

    -

    tls-1.2

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    color

    Color of icon on the GUI.

    integer

    Minimum value: 0 Maximum value: 32

    0
    Previous
    Next

    config firewall vip

    config firewall vip

    Configure virtual IP for IPv4.

    config firewall vip
    Description: Configure virtual IP for IPv4.
    edit <name>
        set id {integer}
        set uuid {uuid}
        set comment {var-string}
        set type [static-nat|access-proxy]
        set extip {user}
        set mappedip <range1>, <range2>, ...
        set extintf {string}
        set arp-reply [disable|enable]
        set server-type [http|https|...]
        set http-redirect [enable|disable]
        set portforward [disable|enable]
        set status [disable|enable]
        set protocol [tcp|udp|...]
        set extport {user}
        set mappedport {user}
        set gratuitous-arp-interval {integer}
        set ssl-certificate {string}
        set ssl-dh-bits [768|1024|...]
        set ssl-algorithm [high|medium|...]
        set ssl-pfs [require|deny|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set color {integer}
    next
end

    config firewall vip

    Parameter

    Description

    Type

    Size

    Default

    id

    Custom defined ID.

    integer

    Minimum value: 0 Maximum value: 65535

    0

    uuid

    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

    uuid

    Not Specified

    00000000-0000-0000-0000-000000000000

    comment

    Comment.

    var-string

    Maximum length: 255

    type

    Configure between a static NAT and access proxy VIP.

    option

    -

    static-nat

    Option

    Description

    static-nat

    Static NAT.

    access-proxy

    Access proxy.

    extip

    IP address or address range on the external interface that you want to map to an address or address range on the destination network.

    user

    Not Specified

    mappedip <range>

    IP address or address range on the destination network to which the external IP address is mapped.

    Mapped IP range.

    string

    Maximum length: 79

    extintf

    Interface connected to the source network that receives the packets that will be forwarded to the destination network.

    string

    Maximum length: 35

    arp-reply

    Enable to respond to ARP requests for this virtual IP address. Enabled by default.

    option

    -

    enable

    Option

    Description

    disable

    Disable ARP reply.

    enable

    Enable ARP reply.

    server-type

    Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).

    option

    -

    Option

    Description

    http

    HTTP.

    https

    HTTPS.

    imaps

    IMAPS.

    pop3s

    POP3S.

    smtps

    SMTPS.

    ssl

    SSL.

    tcp

    TCP.

    udp

    UDP.

    ip

    IP.

    http-redirect

    Enable/disable redirection of HTTP to HTTPS.

    option

    -

    disable

    Option

    Description

    enable

    Enable redirection of HTTP to HTTPS.

    disable

    Disable redirection of HTTP to HTTPS.

    portforward

    Enable/disable port forwarding.

    option

    -

    disable

    Option

    Description

    disable

    Disable port forward.

    enable

    Enable port forward.

    status

    Enable/disable VIP.

    option

    -

    enable

    Option

    Description

    disable

    Disable the VIP.

    enable

    Enable the VIP.

    protocol

    Protocol to use when forwarding packets.

    option

    -

    tcp

    Option

    Description

    tcp

    TCP.

    udp

    UDP.

    sctp

    SCTP.

    icmp

    ICMP.

    extport

    Incoming port number range that you want to map to a port number range on the destination network.

    user

    Not Specified

    mappedport

    Port number range on the destination network to which the external port number range is mapped.

    user

    Not Specified

    gratuitous-arp-interval

    Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.

    integer

    Minimum value: 5 Maximum value: 8640000

    0

    ssl-certificate

    The name of the certificate to use for SSL handshake.

    string

    Maximum length: 35

    ssl-dh-bits

    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

    option

    -

    2048

    Option

    Description

    768

    768-bit Diffie-Hellman prime.

    1024

    1024-bit Diffie-Hellman prime.

    1536

    1536-bit Diffie-Hellman prime.

    2048

    2048-bit Diffie-Hellman prime.

    3072

    3072-bit Diffie-Hellman prime.

    4096

    4096-bit Diffie-Hellman prime.

    ssl-algorithm

    Permitted encryption algorithms for SSL sessions according to encryption strength.

    option

    -

    low

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    custom

    Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

    ssl-pfs

    Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

    option

    -

    require

    Option

    Description

    require

    Allow only Diffie-Hellman cipher-suites, so PFS is applied.

    deny

    Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

    allow

    Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

    ssl-min-version

    Lowest SSL/TLS version acceptable from a client.

    option

    -

    ssl-3.0

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    ssl-max-version

    Highest SSL/TLS version acceptable from a client.

    option

    -

    tls-1.2

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    color

    Color of icon on the GUI.

    integer

    Minimum value: 0 Maximum value: 32

    0
    Previous
    Next