What’s new
 
The FortiGate CLI Reference for FortiOS 5.2 is a dictionary of FortiOS CLI commands defining each command and its options, ranges, defaults and dependencies. The CLI Reference now includes FortiOS Carrier commands and future versions will include FortiGate Voice commands.
The table below lists the CLI commands and options in FortiOS 5.2 that have changed since the last major release of FortiOS.
Command
Change
edit <name_str>
 
config im
Option removed.
set block-botnet-connections
Option removed. See scan-botnet-connections.
set extended-utm-log
Field removed.
set scan-botnet-connections
New field. Enables monitoring or blocking of botnet communication.
config {http | https | ftp | ftps | imap | imaps | mapi | pop3 | pop3s | smb | smtp | smtps | nntp}
 
set emulator
New field. Disables Win32 emulator for faster throughput.
 
set drop-heuristic im
Option removed.
set drop-infected im
Option removed.
set store-heuristic im
Option removed.
set store-infected im
Option removed.
config antivirus service
Command removed. Fields moved to firewall profile-protocol-options.
edit <app_list_str>
 
set app-replacemsg
New field. Enables application replacement message.
set deep-app-inspection
New field. Enables deep application inspection.
config entries
edit <id_integer>
 
set block-audio
Field removed.
set block-encrypt
Field removed.
set block-file
Field removed.
set block-im
Field removed.
set block-long-chat
Field removed.
set block-photo
Field removed.
set im-no-content-summary
Field removed.
set imoversizechat
Field removed.
set log
Field removed.
config client-reputation profile
Renamed to config log threat‑weight.
config dlp sensor
 
edit <sensor_str>
 
set full-archive-proto aim icq msn yahoo
Options removed.
set summary-proto aim icq msn yahoo
Options removed.
config filter
edit <filter_str>
 
set proto aim icq msn yahoo
Options removed.
set name
set severity
Fields added.
edit <profile_name>
config forticlient-winmac-settings
 
set auto-vpn-when-off-net
set auto-vpn-name
New fields. Enable automatic connection to a VPN when the endpoint is not directly connected to the FortiGate network.
set client-log-when-on-net
New field. Enables client-based logging when on-net.
config extra-buffer-entries
New subcommand. Stores additional configuration if forticlient-advanced-cfg-buffer is full.
New command. Configures FortiExtender controller.
edit <name_str>
 
set type url
New option. Creates URL address for explicit proxy.
config firewall deep-inspection-options
Renamed to config firewall ssl-ssh-profile and re-organized.
New command. Configures policies for explicit proxy. This is now separate from other security policies.
edit <gtp_profile>
 
set gtpu-denied-log
New field. Enables logging of denied GTP-U packets.
set gtpu-forwarded-log
New field. Enables logging of forwarded GTP-U packets.
set gtpu-log-freq
New field. Sets logging rate in packets per log entry.
edit <policy_id>
 
set logtraffic
New field. Controls traffic logging.
edit <policy_id>
 
set logtraffic
New field. Controls traffic logging.
edit <name_str>
 
set http-max-redirects
New field. Sets maximum number of HTTP redirects allowed.
 
set captive-portal-exempt
New field. Exempts users of this policy from the interface captive portal.
set active-auth-method
Field moved to config firewall explicit-proxy-policy.
set identity-based
set identity-from
set fall-through-unauthenticated
set log-unmatched-traffic
set device-detection-portal
set email-collection-portal
set forticlient-compliance-enforcement-portal
set forticlient-compliance-devices
Fields removed.
set deep-inspection-options
Field renamed to ssl-ssh-profile.
set devices
set endpoint-compliance
set groups
set users
Fields moved from config identity‑based‑policy.
config identity-based policy
Subcommand removed.
set ssl-ssh-profile
Field renamed from deep-inspection-options. The only profiles now are certificate-inspection and deep‑inspection.
set sslvpn-auth
set sslvpn-ccert
set sslvpn-cipher
set sso-auth-method
Fields removed.
set transparent
New field. Enables transparent web-proxy.
set vlan-cos-fwd
set vlan-cos-rev
New fields. Set VLAN user priority for forward and reverse direction.
edit <index_int>
 
set permit-any-host
New field. Enables “hairpinning”.
edit <name_str>
 
set deep-inspection-options
Field renamed to ssl-ssh-profile.
set ssl-ssh-profile
Field renamed from deep-inspection-options.
The only profiles now are certificate-inspection and deep‑inspection.
config ssl
 
set inspect-all
Field values are now disable, certificate-inspection, and deep‑inspection.
config https
 
set status
Field values are now disable, certificate-inspection, and deep‑inspection.
edit <name_str>
 
config dns
 
set options no-content-summary
Option removed.
config ftp
 
set scan-bzip2
set uncompressed-nest-limit
set uncompressed-oversize-limit
Fields moved from config antivirus service.
set options no-content-summary
Option removed.
config http
 
set streaming-content-bypass
New field. Controls scanning bypass for streaming content types.
set options no-content-summary
Option removed.
set block-page-status-code
set scan-bzip2
set uncompressed-nest-limit
set uncompressed-oversize-limit
Fields moved from config antivirus service.
config im
Subcommand removed.
config imap
 
set options no-content-summary
Option removed.
set scan-bzip2
set uncompressed-nest-limit
set uncompressed-oversize-limit
Fields moved from config antivirus service.
config mapi
 
set options no-content-summary
Option removed.
set scan-bzip2
set uncompressed-nest-limit
set uncompressed-oversize-limit
Fields moved from config antivirus service.
config nntp
 
set options no-content-summary
Option removed.
set scan-bzip2
set uncompressed-nest-limit
set uncompressed-oversize-limit
Fields moved from config antivirus service.
config pop3
 
set options no-content-summary
Option removed.
set scan-bzip2
set uncompressed-nest-limit
set uncompressed-oversize-limit
Fields moved from config antivirus service.
config smtp
 
set options no-content-summary
Option removed.
set scan-bzip2
set uncompressed-nest-limit
set uncompressed-oversize-limit
Fields moved from config antivirus service.
config firewall sniff-interface-policy
config firewall sniff-interface-policy6
Commands removed. Use config firewall sniffer.
Renamed and re-organized from config firewall deep‑inspection‑options.
edit <name_str>
 
set dns-mapping-ttl
New field. Sets TTL for DNS response.
set http-ip-header-name
New field. Sets X-Forwarded-For substitute IP header.
set protocol icmp
New option. Supports ICMP.
set type dns-translation
New option.
config imp2p
Commands removed.
config ips global
 
set cp-accel-mode
New field. Sets Content Processor mode.
set deep-app-insp-db-limit
set deep-app-insp-timeout
New fields. Set application inspection database entries limit and timeout for inactive entries.
set fail-open
Default changed to disable.
set hardware-accel-mode
Field removed. See cp-accel-mode and np-accel-mode.
set intelligent-mode
New field. Enables IPS automatic scan mode.
set ips-reserve-cpu
New field. Enables IPS daemon use of non-predefined CPUs.
set np-accel-mode
New field. Sets Network Processor mode.
config ips sensor
edit <sensor_str>
 
set log
Field removed.
set log-attack-context
New field. Enables logging of attack context details.
 
set report
Field removed. Use config report setting.
 
set admin
set dns
Fields removed. See log filter.
set endpoint
New field. Enables logging of endpoint control messages.
set gtp
New field. Enables logging of GTP control messages (FortiCarrier only).
set ha
New field. Enables logging of HA event messages.
set router
New field. Enables logging of router activity messages.
set utm
Field removed.
 
set fortiview-local-traffic
New field. Enables inclusion of local-in traffic in FortiView charts.
set fortiview-unscanned-apps
New field. Enables inclusion of unscanned traffic in FortiView charts.
 
set uuid
Field moved. See log-uuid in config system global.
config web
edit <webentry_ID>
Command renamed from config client‑reputation profile.
set group
Field renamed to category.
set category
Field renamed from group.
New command. Sets reporting values.
config router bgp
 
config neighbor
 
edit <neighbor_address_ipv4>
 
config conditional-advertise
New subcommand. Configures conditional advertisement.
config router gwdetect
Command removed. Use system link-monitor.
config ospf-interface
edit <ospf_interface_name>
 
set hello-multiplier
New field. Sets the number of hello packets to send within the dead interval.
edit <profile-name>
set loggrp-permission custom
config loggrp-permission
 
set threat-weight
New field. Sets threat-weight log access.
edit <name_str>
 
set guest-lang <lang_name>
New field. Sets guest admin language.
set ssh-certificate
New field. Selects certificate for PKI authentication.
config system bug-report
Command removed.
 
set fmg-source-ip6
New field. Specifies IPv6 source address to use when connecting to FortiManager.
set fortimanager-fds-override
Field removed.
set include-default-servers
New field. Disables inclusion of public FortiGuard servers in the override server list.
 
set fortiexplorer
New field. Disables FortiExplorer access.
New command. Part of custom language configuration for guest admins and SSL VPN portals.
edit <server_index_int>
 
set forticlient-on-net-status
New field. Enables sending FortiGate serial number to endpoint devices to check on-net status.
New command. Sets priority for DSCP traffic prioritization.
 
set auto-join-forticloud
New field. Disables joining FortiCloud automatically.
set source-ip
New field. Sets source IP address for communication with FortiGuard.
 
set admin-https-ssl-versions
New field. Sets the accepted versions of SSL/TLS.
set admin-login-max
New field. Sets maximum number of logged-in administrators.
set auth-policy-exact-match
Field removed.
set arp-max-entry
New field. Sets maximum number of dynamically learned MAC addresses that can be added to the ARP table.
set br-fdb-max-entry
New field. Sets maximum number of bridge forwarding database entries.
set fortiextender
set fortiextender-data-port
New commands. Enable and configure FortiExtender controller.
set gui-client-reputation
Field renamed to gui-threat-weight.
set gui-custom-language
New field. Enables custom language configuration in the web-based manager.
set gui-threat-weight
Field renamed from gui-client-reputation.
set gui-traffic-shaping
New field. Enables traffic shaping configuration in the web-based manager.
set honor-df
New field. Disables honoring DF bit.
set lldp-transmission
New field. Enables Link Layer Discovery Protocol (LLDP) globally.
set log-uuid
Field renamed from uuid in config log setting.
set ndp-max-entry
New field. Sets the maximum number of Neighbor Discovery Protocol (NDP) table entries.
set ssh-cbc-cipher
New field. Disables CBC cipher for SSH access.
set ssh-hmac-md5
New field. Disables HMAC-MD5 for SSH access.
set sslvpn-plugin-version-check
New field. Disables plugin version check.
set sys-perf-log-interval
New field. Sets performance statistics logging interval.
set tos-based-priority
Field removed. Use traffic-priority and traffic-priority-level.
set traffic-priority
set traffic-priority-level
New fields. Choose between TOS and DSCP and select priority level. Replaces tos-based-priority.
set use-usb-wan
set usb-wan-auth-type
set usb-wan-extra-init
set usb-wan-passwd
set usb-wan-username
Fields removed and replaced by system lte-modem in v5.2.2.
set virtual-switch-vlan
New field. Enables virtual switch VLAN feature.
set wad-worker-count
New field. Sets number of explicit proxy WAD processes.
config system ha
 
set ha-mgmt-interface-gateway6
New field. Specifies IPv6 management interface gateway address.
set ha-direct
New field. Enables sending logs directly from ha-mgmt-intf in HA mode.
set override-wait-time
New field. Applies a delay to override operation.
edit <interface_name>
 
set link-up-delay
New field. Sets time to wait before considering aggregate/redundant interface up.
set lldp-transmission
New field. Enables Link Layer Discovery Protocol (LLDP) for this interface.
set log
Field removed.
set min-links
set min-links-down
New fields. Set the minimum number of working members for an aggregate interface and whether an interface is taken down for too few members or only operationally.
set priority-override
New field. Disables fallback to higher priority interface once recovered.
set security-exempt-list
New field. Specifies list of devices or addresses that will bypass the captive portal.
set security-external-web
New field. Specifies external authentication web server.
set security-redirect-url
New field. Specifies a URL for redirection after captive portal authentication.
set stpforward‑mode rpl‑nothing
New option.
set trunk
New field. Enables trunk on interface.
config vrrp
edit <vrid_int>
 
set vrgrp <grp_int>
New field. Specifies VRRP group.
New command. Configures Link Health Monitor.
New command. Configures an LTE/WIMAX modem.
 
set dont-send-CR1
set dont-send-CR2
set dont-send-CR3
New fields. Suppress sending of <CR> character during logon to PPP service. This is required by some service providers.
New command. Configures sending data to a NetFlow collector.
config system npu
 
set dedicated-management-cpu
New field. Enables dedication of CPU #0 to management tasks.
set np6-cps-optimization-mode
New field. Enables NP6 CPS optimization mode.
config system server-probe
Command removed. Use system link-monitor.
 
set default-voip-alg-mode
New field. Selects default SIP behavior for VOIP.
set dhcp-proxy
New field. Enables DHCP proxy.
set dhcp6-server-ip
New field. Specifies IPv6 DHCP server IP addresses.
set lldp-transmission
New field. Enables Link Layer Discovery Protocol (LLDP) in this VDOM.
set per-ip-bandwidth
Field removed.
set v4-ecmp-mode source-dest-ip-based
New option. Selects next hop based on both source and destination IPs.
edit <username>
 
set priv-proto aes256
New option. Selects AES-256 encryption.
edit <storage_name>
 
set device
set size
New fields for storage device name and size.
edit <vswitch_name>
 
set vlan
New field. Sets VLAN for switch.
New command. Configures virtual WAN links.
config user group
edit <groupname>
 
set max-accounts
New field. Limits the number of guest accounts.
config user pop3
New command. Configures users who authenticate on a POP3 server.
edit <server_name>
 
set timeout
New field. Sets RADIUS authentication timeout.
set acct-interim-interval
New field. Sets interval between each accounting interim update message.
New command. Configures exempt lists for captive portals.
edit <cert_name>
 
set ike‑localid
set ike‑localid-type
New fields. Define local IDs for certificates.
edit <gateway_name>
 
set acct-verify
New field. Enables EAP authentication in IKEv2 to require accounting message from RADIUS server.
set authmethod rsa-signature
Field renamed to signature.
set authmethod signature
Field renamed from rsa-signature.
set certificate
Field renamed from rsa-certificate.
set dhgrp
New options: DH Groups 19, 20, 21.
set eap
set eap-identity
New fields. Configure EAP authentication in IKEv2.
set rsa-certificate
Field renamed to certificate.
edit <gateway_name>
 
set acct-verify
New field. Enables VPN to require accounting message from RADIUS server for EAP authentication in IKEv2.
set assign-ip-from dhcp
New option. Use remote DHCP server to assign client address with IKE mode config.
set authmethod rsa-signature
Option renamed to signature.
set authmethod signature
Option renamed from rsa-signature.
set backup-gateway
New field. Specifies backup gateways for IKE mode‑cfg dialup VPNs.
set certificate
Field renamed from rsa-certificate.
set dhgrp
New options: DH Groups 19, 20, 21.
set eap
set eap-identity
New fields. Configure EAP authentication in IKEv2.
set mesh-selector-type
New field. Enables dynamic selectors.
set rsa-certificate
Field renamed to certificate.
edit <gateway_name>
 
set dhgrp
New options: DH Groups 19, 20, 21.
edit <gateway_name>
 
set dhgrp
New options: DH Groups 19, 20, 21.
 
set allow-ssl-big-buffer
Field renamed to ssl-big-buffer.
set allow-ssl-client-renegotiation
Field renamed to ssl-client-renegotiation.
set allow-ssl-insert-empty-fragment
Field renamed to ssl-insert-empty-fragment.
set allow-unsafe-legacy-renegotiation
Field renamed to unsafe-legacy-renegotiation.
set auto-tunnel-policy
Field removed. No longer relevant due to other SSL VPN changes.
set default-portal
New field. Selects default SSL VPN portal.
set source-address
set source-address6
New fields. Optionally limit client source address.
set source-address-negate
set source-address6-negate
New fields. Invert source-address selection.
set source-interface
New field. Sets port on which FortiGate listens for SSL VPN clients.
set ssl-big-buffer
Field renamed from allow-ssl-big-buffer.
set ssl-client-renegotiation
Field renamed from allow-ssl-client-renegotiation.
set ssl-insert-empty-fragment
Field renamed from allow-ssl-insert-empty-fragment.
set source-interface
New field. Specifies interfaces to listen on for clients.
set unsafe-legacy-renegotiation
Field renamed from allow-unsafe-legacy-renegotiation.
New field. Allows renegotiating clients to use a less-secure legacy method.
config authentication-rule
New subcommand. Defines who can authenticate to SSL VPN portals.
edit <portal_name>
 
set custom-lang
New field. Selects custom language for web portal.
config vpn ssl web user
Command removed. Use config vpn ssl web user-bookmark.
New command. Configures SSL VPN user bookmarks.
 
set warn-auth-https
New field. Enables use of HTTPS for warning and authentication.
 
set extended-utm-log
Field removed.
config ftgd-wf
 
set exempt-ssl
Field removed. See config ssl-exempt in config firewall ssl-ssh-profile.
config entries
edit <url_str>
 
set rate-crl-urls
set rate-css-urls
set rate-image-urls
set rate-javascript-urls
New fields. Enable rating these items.
set web-proxy-profile
New field. Applies a web proxy profile to the header content during web filtering.
 
set add-header-client-ip
set add-header-via
set add-header-x-forwarded-for
set add-header-front-end-https
Fields removed. Use web-proxy profile command.
New command. Defines header actions.
 
set account-id
New field. Sets FortiCloud account ID.
 
set sta-capability-interval
New field. Sets interval between station capability information reports.
set sta-stats-interval
New field. Sets interval between station statistics reports.
edit <vap_name>
 
set acct-interim-interval
New field. Enables RADIUS accounting information and sets interval for sending it.
set broadcast-suppression arp-known arp-unknown arp-reply dhcp-up dhcp-down netbios-ns netbios-ds ipv6
New options. Suppress several types of broadcast packets.
set external-web
New field. Sets URL for authentication web server.
set multicast-rate
New field. Sets data rate for multicasts.
set portal-type
New field. Chooses authentication, disclaimer, and email collection roles for captive portal.
set probe-resp-suppression
set probe-resp-threshold
New fields. Enable a signal threshold below which WiFi clients are ignored.
set security wpa-personal+captive-portal
set security wpa-only-personal+captive-portal
set security wpa2-only-personal+captive-portal
New options. Enable WPA/WPA2-Personal with captive portal.
set security-exempt-list
New field. Optionally exempts users from authentication using a list defined in config user security-exempt-list.
set security-redirect-url
New field. Optionally specifies URL for user redirection after successful captive portal authentication.
set split-tunneling
New field. Enables split tunneling so that traffic local to AP is not routed through WiFi controller.
 
edit <wids-profile_name>
 
set ap-scan
set ap-bgscan-*
set ap-fgscan-*
set rogue-scan
Fields moved from config wireless-controller wtp-profile.
edit <wtp-id>
 
set split-tunneling-acl-local-ap-subnet
New field. Enables split tunneling so that traffic local to AP is not routed through WiFi controller.
set wtp-mode
New field. Selects Normal or Remote AP mode.
config split-tunneling-acl
New subcommand. Defines destinations for split tunneling.
edit <name_string>
 
set split-tunneling-acl-local-ap-subnet
New field. Enables split tunneling so that traffic local to AP is not routed through WiFi controller.
config lbs
New subcommand. Configures location-based services.
config radio-1 or config radio-2
 
set amsdu
New field. Enables AMSDU support.
set ap-handoff
New field. Enables handoff of clients to other APs.
set ap-sniffer-addr
set ap-sniffer-bufsize
set ap-sniffer-chan
set ap-sniffer-ctl
set ap-sniffer-data
set ap-sniffer-mgmt-beacon
set ap-sniffer-mgmt-probe
set ap-sniffer-mgmt-other
New fields. Configure AP sniffer features.
set ap-scan
set ap-bgscan-*
set ap-fgscan-*
set rogue-scan
Fields moved to config wireless-controller wids-profile.
set band 802.11ac
set band 802.11ac,n-only
set band 802.11ac-only
New 802.11ac-related options for band.
set coexistence
New field. Enables HT20/HT40 coexistence.
set channel-bonding
Changed field. Now sets channel width (20, 40, or 80 MHz).
set frequency-handoff
New field. Enables handoff of clients to other channels.
set led-state
New field. Disables LED indicators on FortiAP.
set mode sniffer
Option replaces monitor.
set power-level
New field. Sets radio power level.
set powersave-optimize
New field. Enables power-saving options.
set spectrum-analysis
New field. Enables spectrum analysis.
set station-locate
Field moved to subcommand config lbs.
config split-tunneling-acl
New subcommand. Defines destinations for split tunneling.
execute backup disk alllogs usb
execute backup disk log usb
New commands. Back up logs to USB drive.
New command. Performs a disk check.
New command. Backs up all logs, index files, and report databases.
New command. Downgrades log format prior to firmware downgrade.
New command. Restores logs, index files, and report databases from a backup file.
New command. Shifts log times. For use with execute log backup and execute log restore.
New command. Imports a custom language file from a TFTP server.
New option. Generates elliptic curve certificate request.
New option. Generates default CA certificate used by SSL Inspection.
New option. Generates default server key used by SSL Inspection.
New command. Joins unit to FortiCloud account.
New command. Tests FortiCloud connection.
New command. Displays UTM log entries for traffic logs.
execute log-report reset
Command removed.
execute restore ase
Command removed. There is now no independent anti-spam engine.
execute update-ase
Command removed. There is now no independent anti-spam engine.
New command. Downloads FortiGuard server list.
New command. Displays FortiExtender modem status.
New command. Displays FortiExtender system information.
New command. Displays information about WiFi clients.