Fortinet white logo
Fortinet white logo

CLI Reference

webfilter profile

Configure Web filter profiles.

  config webfilter profile
      Description: Configure Web filter profiles.
      edit <name>
          set comment {var-string}
          set feature-set [flow|proxy]
          set replacemsg-group {string}
          set options {option1}, {option2}, ...
          config file-filter
              Description: File filter.
              set status [enable|disable]
              set log [enable|disable]
              set scan-archive-contents [enable|disable]
              config entries
                  Description: File filter entries.
                  edit <filter>
                      set comment {var-string}
                      set protocol {option1}, {option2}, ...
                      set action [log|block]
                      set direction [incoming|outgoing|...]
                      set password-protected [yes|any]
                      set file-type <name1>, <name2>, ...
                  next
              end
          end
          set https-replacemsg [enable|disable]
          set ovrd-perm {option1}, {option2}, ...
          set post-action [normal|block]
          config override
              Description: Web Filter override settings.
              set ovrd-cookie [allow|deny]
              set ovrd-scope [user|user-group|...]
              set profile-type [list|radius]
              set ovrd-dur-mode [constant|ask]
              set ovrd-dur {user}
              set profile-attribute [User-Name|NAS-IP-Address|...]
              set ovrd-user-group <name1>, <name2>, ...
              set profile <name1>, <name2>, ...
          end
          config web
              Description: Web content filtering settings.
              set bword-threshold {integer}
              set bword-table {integer}
              set urlfilter-table {integer}
              set content-header-list {integer}
              set blacklist [enable|disable]
              set whitelist {option1}, {option2}, ...
              set safe-search {option1}, {option2}, ...
              set youtube-restrict [none|strict|...]
              set log-search [enable|disable]
              set keyword-match <pattern1>, <pattern2>, ...
          end
          set youtube-channel-status [disable|blacklist|...]
          config youtube-channel-filter
              Description: YouTube channel filter.
              edit <id>
                  set channel-id {string}
                  set comment {var-string}
              next
          end
          config ftgd-wf
              Description: FortiGuard Web Filter settings.
              set options {option1}, {option2}, ...
              set exempt-quota {user}
              set ovrd {user}
              config filters
                  Description: FortiGuard filters.
                  edit <id>
                      set category {integer}
                      set action [block|authenticate|...]
                      set warn-duration {user}
                      set auth-usr-grp <name1>, <name2>, ...
                      set log [enable|disable]
                      set override-replacemsg {string}
                      set warning-prompt [per-domain|per-category]
                      set warning-duration-type [session|timeout]
                  next
              end
              config quota
                  Description: FortiGuard traffic quota settings.
                  edit <id>
                      set category {user}
                      set type [time|traffic]
                      set unit [B|KB|...]
                      set value {integer}
                      set duration {user}
                      set override-replacemsg {string}
                  next
              end
              set max-quota-timeout {integer}
              set rate-image-urls [disable|enable]
              set rate-javascript-urls [disable|enable]
              set rate-css-urls [disable|enable]
              set rate-crl-urls [disable|enable]
          end
          config antiphish
              Description: AntiPhishing profile.
              set status [enable|disable]
              set domain-controller {string}
              set default-action [exempt|log|...]
              set check-uri [enable|disable]
              set check-basic-auth [enable|disable]
              set max-body-len {integer}
              config inspection-entries
                  Description: AntiPhishing entries.
                  edit <name>
                      set fortiguard-category {user}
                      set action [exempt|log|...]
                  next
              end
              config custom-patterns
                  Description: Custom username and password regex patterns.
                  edit <pattern>
                      set category [username|password]
                  next
              end
          end
          set wisp [enable|disable]
          set wisp-servers <name1>, <name2>, ...
          set wisp-algorithm [primary-secondary|round-robin|...]
          set log-all-url [enable|disable]
          set web-content-log [enable|disable]
          set web-filter-activex-log [enable|disable]
          set web-filter-command-block-log [enable|disable]
          set web-filter-cookie-log [enable|disable]
          set web-filter-applet-log [enable|disable]
          set web-filter-jscript-log [enable|disable]
          set web-filter-js-log [enable|disable]
          set web-filter-vbs-log [enable|disable]
          set web-filter-unknown-log [enable|disable]
          set web-filter-referer-log [enable|disable]
          set web-filter-cookie-removal-log [enable|disable]
          set web-url-log [enable|disable]
          set web-invalid-domain-log [enable|disable]
          set web-ftgd-err-log [enable|disable]
          set web-ftgd-quota-usage [enable|disable]
          set extended-log [enable|disable]
          set web-extended-all-action-log [enable|disable]
          set web-antiphishing-log [enable|disable]
      next
  end

config webfilter profile

Parameter Name Description Type Size
comment Optional comments. var-string Maximum length: 255
feature-set Flow/proxy feature set.
flow: Flow feature set.
proxy: Proxy feature set.
option -
replacemsg-group Replacement message group. string Maximum length: 35
options Options.
activexfilter: ActiveX filter.
cookiefilter: Cookie filter.
javafilter: Java applet filter.
block-invalid-url: Block sessions contained an invalid domain name.
jscript: Javascript block.
js: JS block.
vbs: VB script block.
unknown: Unknown script block.
intrinsic: Intrinsic script block.
wf-referer: Referring block.
wf-cookie: Cookie block.
per-user-bwl: Per-user black/white list filter
option -
https-replacemsg Enable replacement messages for HTTPS.
enable: Enable setting.
disable: Disable setting.
option -
ovrd-perm Permitted override types.
bannedword-override: Banned word override.
urlfilter-override: URL filter override.
fortiguard-wf-override: FortiGuard Web Filter override.
contenttype-check-override: Content-type header override.
option -
post-action Action taken for HTTP POST traffic.
normal: Normal, POST requests are allowed.
block: POST requests are blocked.
option -
youtube-channel-status YouTube channel filter status.
disable: Disable YouTube channel filter.
blacklist: Block matches.
whitelist: Allow matches.
option -
wisp Enable/disable web proxy WISP.
enable: Enable web proxy WISP.
disable: Disable web proxy WISP.
option -
wisp-servers <name> WISP servers.
Server name.
string Maximum length: 79
wisp-algorithm WISP server selection algorithm.
primary-secondary: Select the first healthy server in order.
round-robin: Select the next healthy server.
auto-learning: Select the lightest loading healthy server.
option -
log-all-url Enable/disable logging all URLs visited.
enable: Enable setting.
disable: Disable setting.
option -
web-content-log Enable/disable logging logging blocked web content.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-activex-log Enable/disable logging ActiveX.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-command-block-log Enable/disable logging blocked commands.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-cookie-log Enable/disable logging cookie filtering.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-applet-log Enable/disable logging Java applets.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-jscript-log Enable/disable logging JScripts.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-js-log Enable/disable logging Java scripts.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-vbs-log Enable/disable logging VBS scripts.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-unknown-log Enable/disable logging unknown scripts.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-referer-log Enable/disable logging referrers.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-cookie-removal-log Enable/disable logging blocked cookies.
enable: Enable setting.
disable: Disable setting.
option -
web-url-log Enable/disable logging URL filtering.
enable: Enable setting.
disable: Disable setting.
option -
web-invalid-domain-log Enable/disable logging invalid domain names.
enable: Enable setting.
disable: Disable setting.
option -
web-ftgd-err-log Enable/disable logging rating errors.
enable: Enable setting.
disable: Disable setting.
option -
web-ftgd-quota-usage Enable/disable logging daily quota usage.
enable: Enable setting.
disable: Disable setting.
option -
extended-log Enable/disable extended logging for web filtering.
enable: Enable setting.
disable: Disable setting.
option -
web-extended-all-action-log Enable/disable extended any filter action logging for web filtering.
enable: Enable setting.
disable: Disable setting.
option -
web-antiphishing-log Enable/disable logging of AntiPhishing checks.
enable: Enable setting.
disable: Disable setting.
option -

config file-filter

Parameter Name Description Type Size
status Enable/disable file filter.
enable: Enable file filter.
disable: Disable file filter.
option -
log Enable/disable file filter logging.
enable: Enable file filter logging.
disable: Disable file filter logging.
option -
scan-archive-contents Enable/disable file filter archive contents scan.
enable: Enable file filter archive contents scan.
disable: Disable file filter archive contents scan.
option -

config entries

Parameter Name Description Type Size
comment Comment. var-string Maximum length: 255
protocol Protocols to apply with.
http: Enable/disable HTTP.
ftp: Enable/disable FTP.
option -
action Action taken for matched file.
log: Allow the content and write a log message.
block: Block the content and write a log message.
option -
direction Match files transmitted in the session's originating or reply direction.
incoming: Match files transmitted in the session's originating direction.
outgoing: Match files transmitted in the session's reply direction.
any: Match files transmitted in the session's originating and reply direction.
option -
password-protected Match password-protected files.
yes: Match only password-protected files.
any: Match any file.
option -
file-type <name> Select file type.
File type name.
string Maximum length: 39

config override

Parameter Name Description Type Size
ovrd-cookie Allow/deny browser-based (cookie) overrides.
allow: Allow browser-based (cookie) override.
deny: Deny browser-based (cookie) override.
option -
ovrd-scope Override scope.
user: Override for the user.
user-group: Override for the user's group.
ip: Override for the initiating IP.
browser: Create browser-based (cookie) override.
ask: Prompt for scope when initiating an override.
option -
profile-type Override profile type.
list: Profile chosen from list.
radius: Profile determined by RADIUS server.
option -
ovrd-dur-mode Override duration mode.
constant: Constant mode.
ask: Prompt for duration when initiating an override.
option -
ovrd-dur Override duration. user Not Specified
profile-attribute Profile attribute to retrieve from the RADIUS server.
User-Name: Use this attribute.
NAS-IP-Address: Use this attribute.
Framed-IP-Address: Use this attribute.
Framed-IP-Netmask: Use this attribute.
Filter-Id: Use this attribute.
Login-IP-Host: Use this attribute.
Reply-Message: Use this attribute.
Callback-Number: Use this attribute.
Callback-Id: Use this attribute.
Framed-Route: Use this attribute.
Framed-IPX-Network: Use this attribute.
Class: Use this attribute.
Called-Station-Id: Use this attribute.
Calling-Station-Id: Use this attribute.
NAS-Identifier: Use this attribute.
Proxy-State: Use this attribute.
Login-LAT-Service: Use this attribute.
Login-LAT-Node: Use this attribute.
Login-LAT-Group: Use this attribute.
Framed-AppleTalk-Zone: Use this attribute.
Acct-Session-Id: Use this attribute.
Acct-Multi-Session-Id: Use this attribute.
option -
ovrd-user-group <name> User groups with permission to use the override.
User group name.
string Maximum length: 79
profile <name> Web filter profile with permission to create overrides.
Web profile.
string Maximum length: 79

config web

Parameter Name Description Type Size
bword-threshold Banned word score threshold. integer Minimum value: 0 Maximum value: 2147483647
bword-table Banned word table ID. integer Minimum value: 0 Maximum value: 4294967295
urlfilter-table URL filter table ID. integer Minimum value: 0 Maximum value: 4294967295
content-header-list Content header list. integer Minimum value: 0 Maximum value: 4294967295
blacklist Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
enable: Enable setting.
disable: Disable setting.
option -
whitelist FortiGuard whitelist settings.
exempt-av: Exempt antivirus.
exempt-webcontent: Exempt web content.
exempt-activex-java-cookie: Exempt ActiveX-JAVA-Cookie.
exempt-dlp: Exempt DLP.
exempt-rangeblock: Exempt RangeBlock.
extended-log-others: Support extended log.
option -
safe-search Safe search type.
url: Insert safe search string into URL.
header: Insert safe search header.
option -
youtube-restrict YouTube EDU filter level.
none: Full access for YouTube.
strict: Strict access for YouTube.
moderate: Moderate access for YouTube.
option -
log-search Enable/disable logging all search phrases.
enable: Enable setting.
disable: Disable setting.
option -
keyword-match <pattern> Search keywords to log when match is found.
Pattern/keyword to search for.
string Maximum length: 79

config youtube-channel-filter

Parameter Name Description Type Size
channel-id YouTube channel ID to be filtered. string Maximum length: 255
comment Comment. var-string Maximum length: 255

config ftgd-wf

Parameter Name Description Type Size
options Options for FortiGuard Web Filter.
error-allow: Allow web pages with a rating error to pass through.
rate-server-ip: Rate the server IP in addition to the domain name.
connect-request-bypass: Bypass connection which has CONNECT request.
ftgd-disable: Disable FortiGuard scanning.
option -
exempt-quota Do not stop quota for these categories. user Not Specified
ovrd Allow web filter profile overrides. user Not Specified
max-quota-timeout Maximum FortiGuard quota used by single page view in seconds (excludes streams). integer Minimum value: 1 Maximum value: 86400
rate-image-urls Enable/disable rating images by URL.
disable: Disable rating images by URL (blocked images are replaced with blanks).
enable: Enable rating images by URL (blocked images are replaced with blanks).
option -
rate-javascript-urls Enable/disable rating JavaScript by URL.
disable: Disable rating JavaScript by URL.
enable: Enable rating JavaScript by URL.
option -
rate-css-urls Enable/disable rating CSS by URL.
disable: Disable rating CSS by URL.
enable: Enable rating CSS by URL.
option -
rate-crl-urls Enable/disable rating CRL by URL.
disable: Disable rating CRL by URL.
enable: Enable rating CRL by URL.
option -

config filters

Parameter Name Description Type Size
category Categories and groups the filter examines. integer Minimum value: 0 Maximum value: 255
action Action to take for matches.
block: Block access.
authenticate: Authenticate user before allowing access.
monitor: Allow access while logging the action.
warning: Allow access after warning the user.
option -
warn-duration Duration of warnings. user Not Specified
auth-usr-grp <name> Groups with permission to authenticate.
User group name.
string Maximum length: 79
log Enable/disable logging.
enable: Enable setting.
disable: Disable setting.
option -
override-replacemsg Override replacement message. string Maximum length: 28
warning-prompt Warning prompts in each category or each domain.
per-domain: Per-domain warnings.
per-category: Per-category warnings.
option -
warning-duration-type Re-display warning after closing browser or after a timeout.
session: After session ends.
timeout: After timeout occurs.
option -

config quota

Parameter Name Description Type Size
category FortiGuard categories to apply quota to (category action must be set to monitor). user Not Specified
type Quota type.
time: Use a time-based quota.
traffic: Use a traffic-based quota.
option -
unit Traffic quota unit of measurement.
B: Quota in bytes.
KB: Quota in kilobytes.
MB: Quota in megabytes.
GB: Quota in gigabytes.
option -
value Traffic quota value. integer Minimum value: 1 Maximum value: 4294967295
duration Duration of quota. user Not Specified
override-replacemsg Override replacement message. string Maximum length: 28

config antiphish

Parameter Name Description Type Size
status Toggle AntiPhishing functionality.
enable: Enable AntiPhishing functionality.
disable: Disable AntiPhishing functionality.
option -
domain-controller Domain for which to verify received credentials against. string Maximum length: 63
default-action Action to be taken when there is no matching rule.
exempt: Exempt requests from matching.
log: Log all matched requests.
block: Block all matched requests.
option -
check-uri Enable/disable checking of GET URI parameters for known credentials.
enable: Enable checking of GET URI for username and password fields.
disable: Disable checking of GET URI for username and password fields.
option -
check-basic-auth Enable/disable checking of HTTP Basic Auth field for known credentials.
enable: Enable checking of HTTP Basic Auth field for known credentials.
disable: Disable checking of HTTP Basic Auth field for known credentials.
option -
max-body-len Maximum size of a POST body to check for credentials. integer Minimum value: 0 Maximum value: 4294967295

config inspection-entries

Parameter Name Description Type Size
fortiguard-category FortiGuard category to match. user Not Specified
action Action to be taken upon an AntiPhishing match.
exempt: Exempt requests from matching.
log: Log all matched requests.
block: Block all matched requests.
option -

config custom-patterns

Parameter Name Description Type Size
category Category that the pattern matches.
username: Pattern matches username fields.
password: Pattern matches password fields.
option -

webfilter profile

Configure Web filter profiles.

  config webfilter profile
      Description: Configure Web filter profiles.
      edit <name>
          set comment {var-string}
          set feature-set [flow|proxy]
          set replacemsg-group {string}
          set options {option1}, {option2}, ...
          config file-filter
              Description: File filter.
              set status [enable|disable]
              set log [enable|disable]
              set scan-archive-contents [enable|disable]
              config entries
                  Description: File filter entries.
                  edit <filter>
                      set comment {var-string}
                      set protocol {option1}, {option2}, ...
                      set action [log|block]
                      set direction [incoming|outgoing|...]
                      set password-protected [yes|any]
                      set file-type <name1>, <name2>, ...
                  next
              end
          end
          set https-replacemsg [enable|disable]
          set ovrd-perm {option1}, {option2}, ...
          set post-action [normal|block]
          config override
              Description: Web Filter override settings.
              set ovrd-cookie [allow|deny]
              set ovrd-scope [user|user-group|...]
              set profile-type [list|radius]
              set ovrd-dur-mode [constant|ask]
              set ovrd-dur {user}
              set profile-attribute [User-Name|NAS-IP-Address|...]
              set ovrd-user-group <name1>, <name2>, ...
              set profile <name1>, <name2>, ...
          end
          config web
              Description: Web content filtering settings.
              set bword-threshold {integer}
              set bword-table {integer}
              set urlfilter-table {integer}
              set content-header-list {integer}
              set blacklist [enable|disable]
              set whitelist {option1}, {option2}, ...
              set safe-search {option1}, {option2}, ...
              set youtube-restrict [none|strict|...]
              set log-search [enable|disable]
              set keyword-match <pattern1>, <pattern2>, ...
          end
          set youtube-channel-status [disable|blacklist|...]
          config youtube-channel-filter
              Description: YouTube channel filter.
              edit <id>
                  set channel-id {string}
                  set comment {var-string}
              next
          end
          config ftgd-wf
              Description: FortiGuard Web Filter settings.
              set options {option1}, {option2}, ...
              set exempt-quota {user}
              set ovrd {user}
              config filters
                  Description: FortiGuard filters.
                  edit <id>
                      set category {integer}
                      set action [block|authenticate|...]
                      set warn-duration {user}
                      set auth-usr-grp <name1>, <name2>, ...
                      set log [enable|disable]
                      set override-replacemsg {string}
                      set warning-prompt [per-domain|per-category]
                      set warning-duration-type [session|timeout]
                  next
              end
              config quota
                  Description: FortiGuard traffic quota settings.
                  edit <id>
                      set category {user}
                      set type [time|traffic]
                      set unit [B|KB|...]
                      set value {integer}
                      set duration {user}
                      set override-replacemsg {string}
                  next
              end
              set max-quota-timeout {integer}
              set rate-image-urls [disable|enable]
              set rate-javascript-urls [disable|enable]
              set rate-css-urls [disable|enable]
              set rate-crl-urls [disable|enable]
          end
          config antiphish
              Description: AntiPhishing profile.
              set status [enable|disable]
              set domain-controller {string}
              set default-action [exempt|log|...]
              set check-uri [enable|disable]
              set check-basic-auth [enable|disable]
              set max-body-len {integer}
              config inspection-entries
                  Description: AntiPhishing entries.
                  edit <name>
                      set fortiguard-category {user}
                      set action [exempt|log|...]
                  next
              end
              config custom-patterns
                  Description: Custom username and password regex patterns.
                  edit <pattern>
                      set category [username|password]
                  next
              end
          end
          set wisp [enable|disable]
          set wisp-servers <name1>, <name2>, ...
          set wisp-algorithm [primary-secondary|round-robin|...]
          set log-all-url [enable|disable]
          set web-content-log [enable|disable]
          set web-filter-activex-log [enable|disable]
          set web-filter-command-block-log [enable|disable]
          set web-filter-cookie-log [enable|disable]
          set web-filter-applet-log [enable|disable]
          set web-filter-jscript-log [enable|disable]
          set web-filter-js-log [enable|disable]
          set web-filter-vbs-log [enable|disable]
          set web-filter-unknown-log [enable|disable]
          set web-filter-referer-log [enable|disable]
          set web-filter-cookie-removal-log [enable|disable]
          set web-url-log [enable|disable]
          set web-invalid-domain-log [enable|disable]
          set web-ftgd-err-log [enable|disable]
          set web-ftgd-quota-usage [enable|disable]
          set extended-log [enable|disable]
          set web-extended-all-action-log [enable|disable]
          set web-antiphishing-log [enable|disable]
      next
  end

config webfilter profile

Parameter Name Description Type Size
comment Optional comments. var-string Maximum length: 255
feature-set Flow/proxy feature set.
flow: Flow feature set.
proxy: Proxy feature set.
option -
replacemsg-group Replacement message group. string Maximum length: 35
options Options.
activexfilter: ActiveX filter.
cookiefilter: Cookie filter.
javafilter: Java applet filter.
block-invalid-url: Block sessions contained an invalid domain name.
jscript: Javascript block.
js: JS block.
vbs: VB script block.
unknown: Unknown script block.
intrinsic: Intrinsic script block.
wf-referer: Referring block.
wf-cookie: Cookie block.
per-user-bwl: Per-user black/white list filter
option -
https-replacemsg Enable replacement messages for HTTPS.
enable: Enable setting.
disable: Disable setting.
option -
ovrd-perm Permitted override types.
bannedword-override: Banned word override.
urlfilter-override: URL filter override.
fortiguard-wf-override: FortiGuard Web Filter override.
contenttype-check-override: Content-type header override.
option -
post-action Action taken for HTTP POST traffic.
normal: Normal, POST requests are allowed.
block: POST requests are blocked.
option -
youtube-channel-status YouTube channel filter status.
disable: Disable YouTube channel filter.
blacklist: Block matches.
whitelist: Allow matches.
option -
wisp Enable/disable web proxy WISP.
enable: Enable web proxy WISP.
disable: Disable web proxy WISP.
option -
wisp-servers <name> WISP servers.
Server name.
string Maximum length: 79
wisp-algorithm WISP server selection algorithm.
primary-secondary: Select the first healthy server in order.
round-robin: Select the next healthy server.
auto-learning: Select the lightest loading healthy server.
option -
log-all-url Enable/disable logging all URLs visited.
enable: Enable setting.
disable: Disable setting.
option -
web-content-log Enable/disable logging logging blocked web content.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-activex-log Enable/disable logging ActiveX.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-command-block-log Enable/disable logging blocked commands.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-cookie-log Enable/disable logging cookie filtering.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-applet-log Enable/disable logging Java applets.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-jscript-log Enable/disable logging JScripts.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-js-log Enable/disable logging Java scripts.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-vbs-log Enable/disable logging VBS scripts.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-unknown-log Enable/disable logging unknown scripts.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-referer-log Enable/disable logging referrers.
enable: Enable setting.
disable: Disable setting.
option -
web-filter-cookie-removal-log Enable/disable logging blocked cookies.
enable: Enable setting.
disable: Disable setting.
option -
web-url-log Enable/disable logging URL filtering.
enable: Enable setting.
disable: Disable setting.
option -
web-invalid-domain-log Enable/disable logging invalid domain names.
enable: Enable setting.
disable: Disable setting.
option -
web-ftgd-err-log Enable/disable logging rating errors.
enable: Enable setting.
disable: Disable setting.
option -
web-ftgd-quota-usage Enable/disable logging daily quota usage.
enable: Enable setting.
disable: Disable setting.
option -
extended-log Enable/disable extended logging for web filtering.
enable: Enable setting.
disable: Disable setting.
option -
web-extended-all-action-log Enable/disable extended any filter action logging for web filtering.
enable: Enable setting.
disable: Disable setting.
option -
web-antiphishing-log Enable/disable logging of AntiPhishing checks.
enable: Enable setting.
disable: Disable setting.
option -

config file-filter

Parameter Name Description Type Size
status Enable/disable file filter.
enable: Enable file filter.
disable: Disable file filter.
option -
log Enable/disable file filter logging.
enable: Enable file filter logging.
disable: Disable file filter logging.
option -
scan-archive-contents Enable/disable file filter archive contents scan.
enable: Enable file filter archive contents scan.
disable: Disable file filter archive contents scan.
option -

config entries

Parameter Name Description Type Size
comment Comment. var-string Maximum length: 255
protocol Protocols to apply with.
http: Enable/disable HTTP.
ftp: Enable/disable FTP.
option -
action Action taken for matched file.
log: Allow the content and write a log message.
block: Block the content and write a log message.
option -
direction Match files transmitted in the session's originating or reply direction.
incoming: Match files transmitted in the session's originating direction.
outgoing: Match files transmitted in the session's reply direction.
any: Match files transmitted in the session's originating and reply direction.
option -
password-protected Match password-protected files.
yes: Match only password-protected files.
any: Match any file.
option -
file-type <name> Select file type.
File type name.
string Maximum length: 39

config override

Parameter Name Description Type Size
ovrd-cookie Allow/deny browser-based (cookie) overrides.
allow: Allow browser-based (cookie) override.
deny: Deny browser-based (cookie) override.
option -
ovrd-scope Override scope.
user: Override for the user.
user-group: Override for the user's group.
ip: Override for the initiating IP.
browser: Create browser-based (cookie) override.
ask: Prompt for scope when initiating an override.
option -
profile-type Override profile type.
list: Profile chosen from list.
radius: Profile determined by RADIUS server.
option -
ovrd-dur-mode Override duration mode.
constant: Constant mode.
ask: Prompt for duration when initiating an override.
option -
ovrd-dur Override duration. user Not Specified
profile-attribute Profile attribute to retrieve from the RADIUS server.
User-Name: Use this attribute.
NAS-IP-Address: Use this attribute.
Framed-IP-Address: Use this attribute.
Framed-IP-Netmask: Use this attribute.
Filter-Id: Use this attribute.
Login-IP-Host: Use this attribute.
Reply-Message: Use this attribute.
Callback-Number: Use this attribute.
Callback-Id: Use this attribute.
Framed-Route: Use this attribute.
Framed-IPX-Network: Use this attribute.
Class: Use this attribute.
Called-Station-Id: Use this attribute.
Calling-Station-Id: Use this attribute.
NAS-Identifier: Use this attribute.
Proxy-State: Use this attribute.
Login-LAT-Service: Use this attribute.
Login-LAT-Node: Use this attribute.
Login-LAT-Group: Use this attribute.
Framed-AppleTalk-Zone: Use this attribute.
Acct-Session-Id: Use this attribute.
Acct-Multi-Session-Id: Use this attribute.
option -
ovrd-user-group <name> User groups with permission to use the override.
User group name.
string Maximum length: 79
profile <name> Web filter profile with permission to create overrides.
Web profile.
string Maximum length: 79

config web

Parameter Name Description Type Size
bword-threshold Banned word score threshold. integer Minimum value: 0 Maximum value: 2147483647
bword-table Banned word table ID. integer Minimum value: 0 Maximum value: 4294967295
urlfilter-table URL filter table ID. integer Minimum value: 0 Maximum value: 4294967295
content-header-list Content header list. integer Minimum value: 0 Maximum value: 4294967295
blacklist Enable/disable automatic addition of URLs detected by FortiSandbox to blacklist.
enable: Enable setting.
disable: Disable setting.
option -
whitelist FortiGuard whitelist settings.
exempt-av: Exempt antivirus.
exempt-webcontent: Exempt web content.
exempt-activex-java-cookie: Exempt ActiveX-JAVA-Cookie.
exempt-dlp: Exempt DLP.
exempt-rangeblock: Exempt RangeBlock.
extended-log-others: Support extended log.
option -
safe-search Safe search type.
url: Insert safe search string into URL.
header: Insert safe search header.
option -
youtube-restrict YouTube EDU filter level.
none: Full access for YouTube.
strict: Strict access for YouTube.
moderate: Moderate access for YouTube.
option -
log-search Enable/disable logging all search phrases.
enable: Enable setting.
disable: Disable setting.
option -
keyword-match <pattern> Search keywords to log when match is found.
Pattern/keyword to search for.
string Maximum length: 79

config youtube-channel-filter

Parameter Name Description Type Size
channel-id YouTube channel ID to be filtered. string Maximum length: 255
comment Comment. var-string Maximum length: 255

config ftgd-wf

Parameter Name Description Type Size
options Options for FortiGuard Web Filter.
error-allow: Allow web pages with a rating error to pass through.
rate-server-ip: Rate the server IP in addition to the domain name.
connect-request-bypass: Bypass connection which has CONNECT request.
ftgd-disable: Disable FortiGuard scanning.
option -
exempt-quota Do not stop quota for these categories. user Not Specified
ovrd Allow web filter profile overrides. user Not Specified
max-quota-timeout Maximum FortiGuard quota used by single page view in seconds (excludes streams). integer Minimum value: 1 Maximum value: 86400
rate-image-urls Enable/disable rating images by URL.
disable: Disable rating images by URL (blocked images are replaced with blanks).
enable: Enable rating images by URL (blocked images are replaced with blanks).
option -
rate-javascript-urls Enable/disable rating JavaScript by URL.
disable: Disable rating JavaScript by URL.
enable: Enable rating JavaScript by URL.
option -
rate-css-urls Enable/disable rating CSS by URL.
disable: Disable rating CSS by URL.
enable: Enable rating CSS by URL.
option -
rate-crl-urls Enable/disable rating CRL by URL.
disable: Disable rating CRL by URL.
enable: Enable rating CRL by URL.
option -

config filters

Parameter Name Description Type Size
category Categories and groups the filter examines. integer Minimum value: 0 Maximum value: 255
action Action to take for matches.
block: Block access.
authenticate: Authenticate user before allowing access.
monitor: Allow access while logging the action.
warning: Allow access after warning the user.
option -
warn-duration Duration of warnings. user Not Specified
auth-usr-grp <name> Groups with permission to authenticate.
User group name.
string Maximum length: 79
log Enable/disable logging.
enable: Enable setting.
disable: Disable setting.
option -
override-replacemsg Override replacement message. string Maximum length: 28
warning-prompt Warning prompts in each category or each domain.
per-domain: Per-domain warnings.
per-category: Per-category warnings.
option -
warning-duration-type Re-display warning after closing browser or after a timeout.
session: After session ends.
timeout: After timeout occurs.
option -

config quota

Parameter Name Description Type Size
category FortiGuard categories to apply quota to (category action must be set to monitor). user Not Specified
type Quota type.
time: Use a time-based quota.
traffic: Use a traffic-based quota.
option -
unit Traffic quota unit of measurement.
B: Quota in bytes.
KB: Quota in kilobytes.
MB: Quota in megabytes.
GB: Quota in gigabytes.
option -
value Traffic quota value. integer Minimum value: 1 Maximum value: 4294967295
duration Duration of quota. user Not Specified
override-replacemsg Override replacement message. string Maximum length: 28

config antiphish

Parameter Name Description Type Size
status Toggle AntiPhishing functionality.
enable: Enable AntiPhishing functionality.
disable: Disable AntiPhishing functionality.
option -
domain-controller Domain for which to verify received credentials against. string Maximum length: 63
default-action Action to be taken when there is no matching rule.
exempt: Exempt requests from matching.
log: Log all matched requests.
block: Block all matched requests.
option -
check-uri Enable/disable checking of GET URI parameters for known credentials.
enable: Enable checking of GET URI for username and password fields.
disable: Disable checking of GET URI for username and password fields.
option -
check-basic-auth Enable/disable checking of HTTP Basic Auth field for known credentials.
enable: Enable checking of HTTP Basic Auth field for known credentials.
disable: Disable checking of HTTP Basic Auth field for known credentials.
option -
max-body-len Maximum size of a POST body to check for credentials. integer Minimum value: 0 Maximum value: 4294967295

config inspection-entries

Parameter Name Description Type Size
fortiguard-category FortiGuard category to match. user Not Specified
action Action to be taken upon an AntiPhishing match.
exempt: Exempt requests from matching.
log: Log all matched requests.
block: Block all matched requests.
option -

config custom-patterns

Parameter Name Description Type Size
category Category that the pattern matches.
username: Pattern matches username fields.
password: Pattern matches password fields.
option -