Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    6.2.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    application list

    Configure application control lists.

      config application list
      Description: Configure application control lists.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set extended-log [enable|disable]
          set other-application-action [pass|block]
          set app-replacemsg [disable|enable]
          set other-application-log [disable|enable]
          set enforce-default-app-port [disable|enable]
          set force-inclusion-ssl-di-sigs [disable|enable]
          set unknown-application-action [pass|block]
          set unknown-application-log [disable|enable]
          set p2p-black-list {option1}, {option2}, ...
          set deep-app-inspection [disable|enable]
          set options {option1}, {option2}, ...
          config entries
              Description: Application list entries.
              edit <id>
                  set risk <level1>, <level2>, ...
                  set category <id1>, <id2>, ...
                  set sub-category <id1>, <id2>, ...
                  set application <id1>, <id2>, ...
                  set protocols {user}
                  set vendor {user}
                  set technology {user}
                  set behavior {user}
                  set popularity {option1}, {option2}, ...
                  config parameters
                      Description: Application parameters.
                      edit <id>
                          set value {string}
                      next
                  end
                  set action [pass|block|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  set session-ttl {integer}
                  set shaper {string}
                  set shaper-reverse {string}
                  set per-ip-shaper {string}
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
          set control-default-network-services [disable|enable]
          config default-network-services
              Description: Default network service entries.
              edit <id>
                  set port {integer}
                  set services {option1}, {option2}, ...
                  set violation-action [pass|monitor|...]
              next
          end
      next
  end

    config application list

    Parameter Name Description Type Size
    comment comments var-string Maximum length: 255
    replacemsg-group Replacement message group. string Maximum length: 35
    extended-log Enable/disable extended logging.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    other-application-action Action for other applications.
    pass: Allow sessions matching an application in this application list.
    block: Block sessions matching an application in this application list.
    		 option -
    app-replacemsg Enable/disable replacement messages for blocked applications.
    disable: Disable replacement messages for blocked applications.
    enable: Enable replacement messages for blocked applications.
    		 option -
    other-application-log Enable/disable logging for other applications.
    disable: Disable logging for other applications.
    enable: Enable logging for other applications.
    		 option -
    enforce-default-app-port Enable/disable default application port enforcement for allowed applications.
    disable: Disable default application port enforcement.
    enable: Enable default application port enforcement.
    		 option -
    force-inclusion-ssl-di-sigs Enable/disable forced inclusion of SSL deep inspection signatures.
    disable: Disable forced inclusion of signatures which normally require SSL deep inspection.
    enable: Enable forced inclusion of signatures which normally require SSL deep inspection.
    		 option -
    unknown-application-action Pass or block traffic from unknown applications.
    pass: Pass or allow unknown applications.
    block: Drop or block unknown applications.
    		 option -
    unknown-application-log Enable/disable logging for unknown applications.
    disable: Disable logging for unknown applications.
    enable: Enable logging for unknown applications.
    		 option -
    p2p-black-list P2P applications to be black listed.
    skype: Skype.
    edonkey: Edonkey.
    bittorrent: Bit torrent.
    		 option -
    deep-app-inspection Enable/disable deep application inspection.
    disable: Disable deep application inspection.
    enable: Enable deep application inspection.
    		 option -
    options Basic application protocol signatures allowed by default.
    allow-dns: Allow DNS.
    allow-icmp: Allow ICMP.
    allow-http: Allow generic HTTP web browsing.
    allow-ssl: Allow generic SSL communication.
    allow-quic: Allow QUIC.
    		 option -
    control-default-network-services Enable/disable enforcement of protocols over selected ports.
    disable: Disable protocol enforcement over selected ports.
    enable: Enable protocol enforcement over selected ports.
    		 option -

    config entries

    Parameter Name Description Type Size
    risk <level> Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
    Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).    		 integer Minimum value: 0 Maximum value: 4294967295
    category <id> Category ID list.
    Application category ID.    		 integer Minimum value: 0 Maximum value: 4294967295
    sub-category <id> Application Sub-category ID list.
    Application sub-category ID.    		 integer Minimum value: 0 Maximum value: 4294967295
    application <id> ID of allowed applications.
    Application IDs.    		 integer Minimum value: 0 Maximum value: 4294967295
    protocols Application protocol filter. user Not Specified
    vendor Application vendor filter. user Not Specified
    technology Application technology filter. user Not Specified
    behavior Application behavior filter. user Not Specified
    popularity Application popularity filter (1 - 5, from least to most popular).
    1: Popularity level 1.
    2: Popularity level 2.
    3: Popularity level 3.
    4: Popularity level 4.
    5: Popularity level 5.
    		 option -
    action Pass or block traffic, or reset connection for traffic from this application.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    		 option -
    log Enable/disable logging for this application list.
    disable: Disable logging.
    enable: Enable logging.
    		 option -
    log-packet Enable/disable packet logging.
    disable: Disable packet logging.
    enable: Enable packet logging.
    		 option -
    rate-count Count of the rate. integer Minimum value: 0 Maximum value: 65535
    rate-duration Duration (sec) of the rate. integer Minimum value: 1 Maximum value: 65535
    rate-mode Rate limit mode.
    periodical: Allow configured number of packets every rate-duration.
    continuous: Block packets once the rate is reached.
    		 option -
    rate-track Track the packet protocol field.
    none: none
    src-ip: Source IP.
    dest-ip: Destination IP.
    dhcp-client-mac: DHCP client.
    dns-domain: DNS domain.
    		 option -
    session-ttl Session TTL (0 = default). integer Minimum value: 0 Maximum value: 4294967295
    shaper Traffic shaper. string Maximum length: 35
    shaper-reverse Reverse traffic shaper. string Maximum length: 35
    per-ip-shaper Per-IP traffic shaper. string Maximum length: 35
    quarantine Quarantine method.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
    quarantine-log Enable/disable quarantine logging.
    disable: Disable quarantine logging.
    enable: Enable quarantine logging.
    		 option -

    config parameters

    Parameter Name Description Type Size
    value Parameter value. string Maximum length: 63

    config default-network-services

    Parameter Name Description Type Size
    port Port number. integer Minimum value: 0 Maximum value: 65535
    services Network protocols.
    http: HTTP.
    ssh: SSH.
    telnet: TELNET.
    ftp: FTP.
    dns: DNS.
    smtp: SMTP.
    pop3: POP3.
    imap: IMAP.
    snmp: SNMP.
    nntp: NNTP.
    https: HTTPS.
    		 option -
    violation-action Action for protocols not white listed under selected port.
    pass: Allow protocols not white listed under selected port.
    monitor: Monitor protocols not white listed under selected port.
    block: Block protocols not white listed under selected port.
    		 option -
    Previous
    Next

    application list

    Configure application control lists.

      config application list
      Description: Configure application control lists.
      edit <name>
          set comment {var-string}
          set replacemsg-group {string}
          set extended-log [enable|disable]
          set other-application-action [pass|block]
          set app-replacemsg [disable|enable]
          set other-application-log [disable|enable]
          set enforce-default-app-port [disable|enable]
          set force-inclusion-ssl-di-sigs [disable|enable]
          set unknown-application-action [pass|block]
          set unknown-application-log [disable|enable]
          set p2p-black-list {option1}, {option2}, ...
          set deep-app-inspection [disable|enable]
          set options {option1}, {option2}, ...
          config entries
              Description: Application list entries.
              edit <id>
                  set risk <level1>, <level2>, ...
                  set category <id1>, <id2>, ...
                  set sub-category <id1>, <id2>, ...
                  set application <id1>, <id2>, ...
                  set protocols {user}
                  set vendor {user}
                  set technology {user}
                  set behavior {user}
                  set popularity {option1}, {option2}, ...
                  config parameters
                      Description: Application parameters.
                      edit <id>
                          set value {string}
                      next
                  end
                  set action [pass|block|...]
                  set log [disable|enable]
                  set log-packet [disable|enable]
                  set rate-count {integer}
                  set rate-duration {integer}
                  set rate-mode [periodical|continuous]
                  set rate-track [none|src-ip|...]
                  set session-ttl {integer}
                  set shaper {string}
                  set shaper-reverse {string}
                  set per-ip-shaper {string}
                  set quarantine [none|attacker]
                  set quarantine-expiry {user}
                  set quarantine-log [disable|enable]
              next
          end
          set control-default-network-services [disable|enable]
          config default-network-services
              Description: Default network service entries.
              edit <id>
                  set port {integer}
                  set services {option1}, {option2}, ...
                  set violation-action [pass|monitor|...]
              next
          end
      next
  end

    config application list

    Parameter Name Description Type Size
    comment comments var-string Maximum length: 255
    replacemsg-group Replacement message group. string Maximum length: 35
    extended-log Enable/disable extended logging.
    enable: Enable setting.
    disable: Disable setting.
    		 option -
    other-application-action Action for other applications.
    pass: Allow sessions matching an application in this application list.
    block: Block sessions matching an application in this application list.
    		 option -
    app-replacemsg Enable/disable replacement messages for blocked applications.
    disable: Disable replacement messages for blocked applications.
    enable: Enable replacement messages for blocked applications.
    		 option -
    other-application-log Enable/disable logging for other applications.
    disable: Disable logging for other applications.
    enable: Enable logging for other applications.
    		 option -
    enforce-default-app-port Enable/disable default application port enforcement for allowed applications.
    disable: Disable default application port enforcement.
    enable: Enable default application port enforcement.
    		 option -
    force-inclusion-ssl-di-sigs Enable/disable forced inclusion of SSL deep inspection signatures.
    disable: Disable forced inclusion of signatures which normally require SSL deep inspection.
    enable: Enable forced inclusion of signatures which normally require SSL deep inspection.
    		 option -
    unknown-application-action Pass or block traffic from unknown applications.
    pass: Pass or allow unknown applications.
    block: Drop or block unknown applications.
    		 option -
    unknown-application-log Enable/disable logging for unknown applications.
    disable: Disable logging for unknown applications.
    enable: Enable logging for unknown applications.
    		 option -
    p2p-black-list P2P applications to be black listed.
    skype: Skype.
    edonkey: Edonkey.
    bittorrent: Bit torrent.
    		 option -
    deep-app-inspection Enable/disable deep application inspection.
    disable: Disable deep application inspection.
    enable: Enable deep application inspection.
    		 option -
    options Basic application protocol signatures allowed by default.
    allow-dns: Allow DNS.
    allow-icmp: Allow ICMP.
    allow-http: Allow generic HTTP web browsing.
    allow-ssl: Allow generic SSL communication.
    allow-quic: Allow QUIC.
    		 option -
    control-default-network-services Enable/disable enforcement of protocols over selected ports.
    disable: Disable protocol enforcement over selected ports.
    enable: Enable protocol enforcement over selected ports.
    		 option -

    config entries

    Parameter Name Description Type Size
    risk <level> Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).
    Risk, or impact, of allowing traffic from this application to occur (1 - 5; Low, Elevated, Medium, High, and Critical).    		 integer Minimum value: 0 Maximum value: 4294967295
    category <id> Category ID list.
    Application category ID.    		 integer Minimum value: 0 Maximum value: 4294967295
    sub-category <id> Application Sub-category ID list.
    Application sub-category ID.    		 integer Minimum value: 0 Maximum value: 4294967295
    application <id> ID of allowed applications.
    Application IDs.    		 integer Minimum value: 0 Maximum value: 4294967295
    protocols Application protocol filter. user Not Specified
    vendor Application vendor filter. user Not Specified
    technology Application technology filter. user Not Specified
    behavior Application behavior filter. user Not Specified
    popularity Application popularity filter (1 - 5, from least to most popular).
    1: Popularity level 1.
    2: Popularity level 2.
    3: Popularity level 3.
    4: Popularity level 4.
    5: Popularity level 5.
    		 option -
    action Pass or block traffic, or reset connection for traffic from this application.
    pass: Pass or allow matching traffic.
    block: Block or drop matching traffic.
    reset: Reset sessions for matching traffic.
    		 option -
    log Enable/disable logging for this application list.
    disable: Disable logging.
    enable: Enable logging.
    		 option -
    log-packet Enable/disable packet logging.
    disable: Disable packet logging.
    enable: Enable packet logging.
    		 option -
    rate-count Count of the rate. integer Minimum value: 0 Maximum value: 65535
    rate-duration Duration (sec) of the rate. integer Minimum value: 1 Maximum value: 65535
    rate-mode Rate limit mode.
    periodical: Allow configured number of packets every rate-duration.
    continuous: Block packets once the rate is reached.
    		 option -
    rate-track Track the packet protocol field.
    none: none
    src-ip: Source IP.
    dest-ip: Destination IP.
    dhcp-client-mac: DHCP client.
    dns-domain: DNS domain.
    		 option -
    session-ttl Session TTL (0 = default). integer Minimum value: 0 Maximum value: 4294967295
    shaper Traffic shaper. string Maximum length: 35
    shaper-reverse Reverse traffic shaper. string Maximum length: 35
    per-ip-shaper Per-IP traffic shaper. string Maximum length: 35
    quarantine Quarantine method.
    none: Quarantine is disabled.
    attacker: Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    		 option -
    quarantine-expiry Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker. user Not Specified
    quarantine-log Enable/disable quarantine logging.
    disable: Disable quarantine logging.
    enable: Enable quarantine logging.
    		 option -

    config parameters

    Parameter Name Description Type Size
    value Parameter value. string Maximum length: 63

    config default-network-services

    Parameter Name Description Type Size
    port Port number. integer Minimum value: 0 Maximum value: 65535
    services Network protocols.
    http: HTTP.
    ssh: SSH.
    telnet: TELNET.
    ftp: FTP.
    dns: DNS.
    smtp: SMTP.
    pop3: POP3.
    imap: IMAP.
    snmp: SNMP.
    nntp: NNTP.
    https: HTTPS.
    		 option -
    violation-action Action for protocols not white listed under selected port.
    pass: Allow protocols not white listed under selected port.
    monitor: Monitor protocols not white listed under selected port.
    block: Block protocols not white listed under selected port.
    		 option -
    Previous
    Next