CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
credential-store
- credential-store domain-controller
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control fctems
extender-controller
- extender-controller dataplan
- extender-controller extender
file-filter
- file-filter profile
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall city
- firewall country
- firewall decrypted-traffic-mirror
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-append
- firewall internet-service-botnet
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall internet-service-ipbl-reason
- firewall internet-service-ipbl-vendor
- firewall internet-service-list
- firewall internet-service-name
- firewall internet-service-owner
- firewall internet-service-reputation
- firewall internet-service-sld
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall region
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vendor-mac
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
- ips view-map
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller global
- switch-controller initial-config template
- switch-controller initial-config vlans
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller mac-policy
- switch-controller managed-switch
- switch-controller nac-device
- switch-controller nac-settings
- switch-controller port-policy
- switch-controller ptp policy
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy local-access
- switch-controller snmp-community
- switch-controller snmp-user
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-profile
- switch-controller system
- switch-controller traffic-policy
- switch-controller virtual-port-pool
- switch-controller vlan-policy
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geneve
- system geoip-country
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system sdwan
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system standalone-cluster
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wire-pair
- system vne-tunnel
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user nac-policy
- user password-policy
- user peer
- user peergrp
- user pop3
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller access-control-list
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller apcfg-profile
- wireless-controller arrp-profile
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller mpsk-profile
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.4.3 CLI Reference

vpn ocvpn

6.4.3

Copy Link

Copy Doc ID ee639a69-14f9-11eb-96b9-00505692583a:372620

Configure Overlay Controller VPN settings.

  config vpn ocvpn
      Description: Configure Overlay Controller VPN settings.
      set status [enable|disable]
      set role [spoke|primary-hub|...]
      set multipath [enable|disable]
      set sdwan [enable|disable]
      set wan-interface <name1>, <name2>, ...
      set ip-allocation-block {ipv4-classnet-any}
      config overlays
          Description: Network overlays to register with Overlay Controller VPN service.
          edit <overlay-name>
              set inter-overlay [allow|deny]
              set assign-ip [enable|disable]
              set ipv4-start-ip {ipv4-address}
              set ipv4-end-ip {ipv4-address}
              config subnets
                  Description: Internal subnets to register with OCVPN service.
                  edit <id>
                      set type [subnet|interface]
                      set subnet {ipv4-classnet-any}
                      set interface {string}
                  next
              end
          next
      end
      config forticlient-access
          Description: Configure FortiClient settings.
          set status [enable|disable]
          set psksecret {password-3}
          config auth-groups
              Description: FortiClient user authentication groups.
              edit <name>
                  set auth-group {string}
                  set overlays <overlay-name1>, <overlay-name2>, ...
              next
          end
      end
      set auto-discovery [enable|disable]
      set poll-interval {integer}
      set eap [enable|disable]
      set eap-users {string}
      set nat [enable|disable]
  end

config vpn ocvpn

Parameter Name	Description	Type	Size
status	Enable/disable Overlay Controller cloud assisted VPN. enable: Enable Overlay Controller VPN. disable: Disable Overlay Controller VPN.	option	-
role	Set device role. spoke: Register device as static spoke. primary-hub: Register device as primary hub. secondary-hub: Register device as secondary hub.	option	-
multipath	Enable/disable multipath redundancy. enable: Enable multipath redundancy. disable: Disable multipath redundancy.	option	-
sdwan	Enable/disable adding OCVPN tunnels to SDWAN. enable: Enable adding OCVPN tunnels to SDWAN. disable: Disable adding OCVPN tunnels to SDWAN.	option	-
wan-interface `<name>`	FortiGate WAN interfaces to use with OCVPN. Interface name.	string	Maximum length: 79
ip-allocation-block	Class B subnet reserved for private IP address assignment.	ipv4-classnet-any	Not Specified
auto-discovery	Enable/disable auto-discovery shortcuts. enable: Enable ADVPN auto-discovery shortcuts. disable: Disable ADVPN auto-discovery shortcuts.	option	-
poll-interval	Overlay Controller VPN polling interval.	integer	Minimum value: 30 Maximum value: 120
eap	Enable/disable EAP client authentication. enable: Enable EAP client authentication. disable: Disable EAP client authentication.	option	-
eap-users	EAP authentication user group.	string	Maximum length: 35
nat	Enable/disable inter-overlay source NAT. enable: Enable inter-overlay source NAT. disable: Disable inter-overlay source NAT.	option	-

config overlays

Parameter Name	Description	Type	Size
inter-overlay	Allow or deny traffic from other overlays. allow: Allow traffic from other overlays. deny: Deny traffic from other overlays.	option	-
assign-ip	Enable/disable mode-cfg address assignment. enable: Enable client IPv4 address assignment. disable: Disable client IPv4 address assignment.	option	-
ipv4-start-ip	Start of IPv4 range.	ipv4-address	Not Specified
ipv4-end-ip	End of IPv4 range.	ipv4-address	Not Specified

config subnets

Parameter Name	Description	Type	Size
type	Subnet type. subnet: Configure participating subnet IP and mask. interface: Configure participating LAN interface.	option	-
subnet	IPv4 address and subnet mask.	ipv4-classnet-any	Not Specified
interface	LAN interface.	string	Maximum length: 15

config forticlient-access

Parameter Name	Description	Type	Size
status	Enable/disable FortiClient to access OCVPN networks. enable: Enable FortiClient access to OCVPN overlays. disable: Disable FortiClient access to OCVPN overlays.	option	-
psksecret	Pre-shared secret for FortiClient PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).	password-3	Not Specified

config auth-groups

Parameter Name	Description	Type	Size
auth-group	Authentication user group for FortiClient access.	string	Maximum length: 35
overlays `<overlay-name>`	OCVPN overlays to allow access to. Overlay name.	string	Maximum length: 79

Configure Overlay Controller VPN settings.

config vpn ocvpn Description: Configure Overlay Controller VPN settings. set status [enable|disable] set role [spoke|primary-hub|...] set multipath [enable|disable] set sdwan [enable|disable] set wan-interface <name1>, <name2>, ... set ip-allocation-block {ipv4-classnet-any} config overlays Description: Network overlays to register with Overlay Controller VPN service. edit <overlay-name> set inter-overlay [allow|deny] set assign-ip [enable|disable] set ipv4-start-ip {ipv4-address} set ipv4-end-ip {ipv4-address} config subnets Description: Internal subnets to register with OCVPN service. edit <id> set type [subnet|interface] set subnet {ipv4-classnet-any} set interface {string} next end next end config forticlient-access Description: Configure FortiClient settings. set status [enable|disable] set psksecret {password-3} config auth-groups Description: FortiClient user authentication groups. edit <name> set auth-group {string} set overlays <overlay-name1>, <overlay-name2>, ... next end end set auto-discovery [enable|disable] set poll-interval {integer} set eap [enable|disable] set eap-users {string} set nat [enable|disable] end

config vpn ocvpn

Parameter Name

Description

Type

Size

status

Enable/disable Overlay Controller cloud assisted VPN.
enable: Enable Overlay Controller VPN.
disable: Disable Overlay Controller VPN.

option

role

Set device role.
spoke: Register device as static spoke.
primary-hub: Register device as primary hub.
secondary-hub: Register device as secondary hub.

option

multipath

Enable/disable multipath redundancy.
enable: Enable multipath redundancy.
disable: Disable multipath redundancy.

option

sdwan

Enable/disable adding OCVPN tunnels to SDWAN.
enable: Enable adding OCVPN tunnels to SDWAN.
disable: Disable adding OCVPN tunnels to SDWAN.

option

wan-interface <name>

FortiGate WAN interfaces to use with OCVPN.
Interface name.

string

Maximum length: 79

ip-allocation-block

Class B subnet reserved for private IP address assignment.

ipv4-classnet-any

Not Specified

auto-discovery

Enable/disable auto-discovery shortcuts.
enable: Enable ADVPN auto-discovery shortcuts.
disable: Disable ADVPN auto-discovery shortcuts.

option

poll-interval

Overlay Controller VPN polling interval.

integer

Minimum value: 30 Maximum value: 120

eap

Enable/disable EAP client authentication.
enable: Enable EAP client authentication.
disable: Disable EAP client authentication.

option

eap-users

EAP authentication user group.

string

Maximum length: 35

nat

Enable/disable inter-overlay source NAT.
enable: Enable inter-overlay source NAT.
disable: Disable inter-overlay source NAT.

option

config overlays

Parameter Name

Description

Type

Size

inter-overlay

Allow or deny traffic from other overlays.
allow: Allow traffic from other overlays.
deny: Deny traffic from other overlays.

option

assign-ip

Enable/disable mode-cfg address assignment.
enable: Enable client IPv4 address assignment.
disable: Disable client IPv4 address assignment.

option

ipv4-start-ip

Start of IPv4 range.

ipv4-address

Not Specified

ipv4-end-ip

End of IPv4 range.

ipv4-address

Not Specified

Parameter Name

Description

Type

Size

type

Subnet type.
subnet: Configure participating subnet IP and mask.
interface: Configure participating LAN interface.

option

subnet

IPv4 address and subnet mask.

ipv4-classnet-any

Not Specified

interface

LAN interface.

string

Maximum length: 15

config forticlient-access

Parameter Name

Description

Type

Size

status

Enable/disable FortiClient to access OCVPN networks.
enable: Enable FortiClient access to OCVPN overlays.
disable: Disable FortiClient access to OCVPN overlays.

option

psksecret

Pre-shared secret for FortiClient PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

password-3

Not Specified

config auth-groups

Parameter Name

Description

Type

Size

auth-group

Authentication user group for FortiClient access.

string

Maximum length: 35

overlays <overlay-name>

OCVPN overlays to allow access to.
Overlay name.

string

Maximum length: 79