Forticache 4.2.1 CLI Reference 7 Fortinet Technologies Inc

FortiCache - CLI Reference

Version 4.2.1 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com

FORTINET VIDEO GUIDE http://video.fortinet.com

FORTINET BLOG https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT https://support.fortinet.com http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK http://cookbook.fortinet.com

FORTINET TRAINING SERVICES http://www.fortinet.com/training

FORTIGUARD CENTER http://www.fortiguard.com

FORTICAST http://forticast.fortinet.com

END USER LICENSE AGREEMENT http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK

Email: [email protected]

5/31/2017

FortiCache - CLI Reference

Revision 1 TABLE OF CONTENTS

Introduction 7 antivirus 8 heuristic 8 profile 8 config {http | ftp} 8 config nac-quar 9 settings 10 dlp 11 filepattern 11 config entries 11 fp-sensitivity 12 sensor 13 config filter 13 replacemsg-group 14 firewall 16 address | address6 16 addgrp | addgrp6 18 ippool 19 policy 20 config identity-based-policy 20 profile-group 27 profile-protocol-options 27 config http 27 config ftp 30 config rtmp 31 schedule {group | onetime | recurring} 31 service {category | custom | group} 34 socks-authentication 40 ssl {exemption | setting} 41 ssl-ssh-profile 42 gui 46 console 46 icap 47 profile 47 server 48 image-analyzer 49 profile 49 log 51 custom-field 51 disk {filter | setting} 51 eventfilter 55 {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting 56 gui-display 58 memory {filter | global-setting | setting} 58 setting 60 {syslogd | syslogd2 | syslogd3} {filter | setting} 61 webtrends 63 router 65 static | static6 65 system 67 accprofile 67 admin 70 auto-install 71 autoupdate {push-update | schedule | tunneling} 72 console 74 custom-language 74 dns 75 dns-database 76 email-server 78 fortiguard 79 fsso-polling 81 global 81 ha 91 interface 93 ntp 98 object-tag 99 password-policy 99 replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy} 100 replacemsg-group 104 replacemsg-image 110 settings 111 snmp {community | sysinfo | user} 112 storage 116 wccp 117 zone 118 user 119 adgrp 119 fsso 119 fsso-polling 120 group 121 config guest 121 group-type {firewall | fsso-service | rsso | guest} 121 authtimeout 122 sso-attribute-value 122 auth-concurrent-override {enable | disable} 122 auth-concurrent-value 122 http-digest-realm 122 member 122 user-id {email | auto-generate | specify} 122 password {auto-generate | specify | disable} 122 user-name {disable | enable} 123 sponsor {optional | mandatory | disabled} 123 company {optional | mandatory | disabled} 123 email {disable | enable} 123 mobile-phone {disable | enable} 123 expire-type {immediately | first-successful-login} 123 expire 123 max-accounts 123 multiple-guest-add {disable | enable} 124 krb-keytab 124 ldap 124 local 126 password-policy 128 radius 128 setting 131 tacacs+ 133 vpn 135 certificate {ca | crl | local | ocsp-server | remote | setting} 135 wanopt 138 auth-group 138 cache-service 139 content-delivery-network-rule 140 peer 143 profile 144 settings 146 ssl-server 146 storage 148 webcache 148 web-proxy 151 debug-url 151 explicit 151 forward-server 154 forward-server-group 155 global 156 profile 157 url-match 158 webfilter 159 content 159 content-header 160 fortiguard 161 ftgd-local-cat 162 ftgd-local-rating 162 override 163 profile 164 search-engine 170 urlfilter 170 Appendix A: Replacement message tags 172 Introduction

Introduction

This document describes FortiCache 4.2.1 commands used to configure and manage a FortiCache from the command line interface (CLI).

This document contains all potential config commands as well as a Replacement message tags appendix.

For the purposes of this guide, a FortiCache 1000D was used; this is an important distinction as not all commands, entries, or available settings are available on all models.

If in doubt, use the question mark (?) at any time to verify available commands and options.

FortiCache 4.2.1 CLI Reference 7 Fortinet Technologies Inc. antivirus

Use config antivirus to configure the following AntiVirus related options:

heuristic profile settings heuristic

Use this command to configure the global heuristic options used for virus scanning. mode {pass | block | disable}

Mode to use for heuristics. The following options are available:

l pass: Enable heuristics but pass any detected files.

l block: Enable heuristics and block any detected files.

l disable: Turn off heuristics (set by default). profile

Use this command to create and edit AntiVirus profiles that can be applied to firewall policies. config {http | ftp}

Use this configuration method to define how this profile handles the specific protocols HTTP and FTP.

options {scan | avmonitor | avquery}

Action to take for traffic using this protocol:

l scan:Scan files transferred over this protocol for viruses.

l avmonitor: Log detected viruses, but allow them through the firewall without modification.

l avquery: Use the FortiGuard AV Query service.

archive-block {encrypted | corrupted | multipart | nested | mailbomb | unhandled}

Types of archive to block:

l encrypted: Block encrypted archives.

l corrupted: Block corrupted archives.

l multipart: Block multipart archives.

l nested: Block nested archives.

8 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. antivirus profile

l mailbomb: Block mail bomb archives.

l unhandled: Block unhandled archives.

archive-log {encrypted | corrupted | multipart | nested | mailbomb | unhandled}

Types of archive to log:

l encrypted: Log encrypted archives.

l corrupted: Log corrupted archives.

l multipart: Log multipart archives.

l nested: Log nested archives.

l mailbomb: Log mail bomb archives.

l unhandled: Log archives.

emulator {enable | disable}

Enable (by default) or disable the virus emulator. This is used in the detection of malware, and can help improve throughput. config nac-quar

Use this configuration method to define Network Access Control (NAC) quarantine virus scanning options.

infected {none | quar-src-ip}

Select to quarantine infected hosts to a banned-user list:

l none: No action is taken (set by default).

l quar-src-ip: Quarantine all traffic from the source IP.

log {enable | disable}

Enable or disable (by default) logging for NAC quarantine. comment

Optional comments. replacemsg-group

Name of the replacement message group to assign to this profile.

To create replacement message groups, see replacemsg-group. av-virus-log {enable | disable}

Enable (by default) or disable logging for virus scanning. av-block-log {enable | disable}

Enable (by default) or disable logging for virus file blocking.

FortiCache 4.2.1 CLI Reference 9 Fortinet Technologies Inc. settings antivirus settings

Use this command to configure grayware detection as part of virus scanning. grayware {enable | disable}

Enable or disable (by default) detection of grayware, malicious software that conceivably falls in the "gray area" between normal software and viruses.

10 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. dlp

Use config dlp to configure the following Data Leak Prevention (DLP) related options:

filepattern fp-sensitivity sensor filepattern

Use this command to create and edit file patterns used for DLP file blocking and to set which protocols to check for files to block. config entries

Use this configuration method to define specific filters based on pattern, type, and file type.

filter-type {pattern | type}

Filter filter detection setting:

l pattern: Examine files by their names only (set by default). For example, if you set filter-type to pattern, and the pattern is *.zip, all files ending in .zip will trigger this file filter. Note that even files ending in .zip that are not actually ZIP archives will trigger this filter.

l type: Examine files by their type. Once set, use the file-type entry (see below) to determine the file-types to be filtered.

file-type

Note: This entry is only available when filter-type is set to type.

Select the file-type to be filtered. Note that unlike the file pattern filter, this filter will examine the file contents to determine what type of file it is; neither the file name nor extension is used.

Note that two of the available options are not file types: ignored and unknown.

Enter unknown (set by default) to configure a rule affecting every file format that the filter does not recognize. Unknown includes every file format not available in this command.

Enter ignored to configure a rule affecting traffic that is typically not scanned, primarily streaming audio and video.

File types

7z elf activemime

arj exe jpeg

FortiCache 4.2.1 CLI Reference 11 Fortinet Technologies Inc. fp-sensitivity dlp

File types

cab hta gif

lzh html tiff

rar jad png

tar class bmp

zip cod ignored

bzip javascript unknown

gzip msoffice mpeg

bzip2 msofficex mov

xz fsg mp3

bat upx wma

msc petite wav

uue aspack pdf

mime prc avi

base64 sis rm

binhex hlp torrent name

Name for the file pattern header list. comment

Optional comments. fp-sensitivity

Use this command to define fingerprinting DLP sensitivity levels that can be applied to document sources and DLP rules.

There are no configurable entries within this command, except the name. The names can be used as labels to describe DLP rules. These can be referenced in fp-sensitivity , under config filter.

12 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. dlp sensor sensor

Use this command to create and edit DLP sensors, including action, archive, and severity for each rule or compound rule. config filter

Use this configuration method to define DLP filters.

name

Name of the filter.

severity {info | low | medium | high | critical}

Event severity (medium by default).

type {file | message}

Either check the content of email messages or the content of downloaded files, or files attached to emails (file by default).

proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

Note: The http-get and ftp entries are not available when type is set to message; all options are available when type is set to file.

The protocols for the sensor to detect: SMTP, POP3, IMAP, HTTP GET, HTTP POST, FTP, NNTP, and MAPI.

filter-by {credit-card | ssn | regexp | file-type | file-size | watermark | encrypted}

Note: The file-type, file-size, watermark, and encrypted entries are not available when type is set to message; all options are available when type is set to file.

Filter method for the sensor:

l credit-card: Sensor that logs traffic (both files and messages) containing credit card numbers in the formats used by American Express, MasterCard, and Visa (set by default).

l ssn: Sensor that logs traffic containing Social Security numbers, with the exception of WebEx invitation emails.

l regexp: Sensor that searches for specific text pattern matches. Regular expressions are text patterns consisting of special characters (or metacharacters) and are used to match against text strings. Once enabled, use the regexp entry (see below) to specify the regular expressions to filter by.

l file-type: Sensor that filters by file type.Once enabled, use the file-type entry (see below) to specify the file type to filter by.

l file-size: Sensor that filters by file size. Once enabled, use the file-size entry (see below) to specify the file size to filter by.

l watermark: Sensor that filters for defined file watermarks. Once enabled, use the company-identifier and fp- sensitivity entries (see below) to specify watermark filter options.

l encrypted: Sensor that filters for encrypted files.

FortiCache 4.2.1 CLI Reference 13 Fortinet Technologies Inc. sensor dlp

regexp

Note: This entry is only available when filter-by is set to regexp.

Enter the regular expression characters for the sensor to use for filtering. The regular expression library used by Fortinet is a variation of the Perl Compatible Regular Expressions (PCRE) library.

file-type

Note: This entry is only available when filter-by is set to file-type.

Enter the file types for the sensor to use for filtering.

file-size

Note: This entry is only available when filter-by is set to file-size.

File size in kB. Files that exceed this file size will match the filter.

company-identifier

Note: This entry is only available when filter-by is set to watermark.

Company name, or identifier, for watermarking.

fp-sensitivity

Note: This entry is only available when filter-by is set to watermark.

Name of the fingerprinting DLP sensitivity levels that can be applied to document sources and DLP rules. To create these sensitivity level labels, see fp-sensitivity.

action {none | log-only | block | quarantine-ip}

Action to take when the filter makes a detection (none by default):

l none: No action taken (set by default).

l log-only: Only logs the leak.

l block: Blocks the message.

l quarantine-ip: Quarantines all traffic from the IP address. comment

Optional comments. replacemsg-group

Name of the replacement message group to assign to this sensor.

To create replacement message groups, see replacemsg-group. dlp-log {enable | disable}

Enable (by default) or disable logging for DLP.

14 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. dlp sensor

nac-quar-log {enable | disable}

Enable or disable (by default) logging for NAC quarantine creation. options {strict-file}

Optionally set this entry to strict-file (not set by default). This is required for file filtering to function when the URL contains a ? special character.

For example, a file pattern configured to block *.exe will block file.exe URLs, however a URL such as www.example.com/download?filename=file.exe will not be blocked unless strict-file is specified. summary-proto {smtp | pop3 | imap | http-get | http-post | ftp | nntp | mapi}

Enter the protocols to always log summary.

FortiCache 4.2.1 CLI Reference 15 Fortinet Technologies Inc. firewall

Use config firewall to configure the following firewall related options:

address | address6 addgrp | addgrp6 ippool policy profile-group profile-protocol-options schedule {group | onetime | recurring} service {category | custom | group} socks-authentication ssl {exemption | setting} ssl-ssh-profile address | address6

Use these commands to create and edit IPv4 and IPv6 firewall addresses, and define their type and subnet netmasks.

An IPv4 firewall address is a set of one or more IP addresses, represented as a domain name, an IP address, and subnet mask, or an IP address range. An IPv6 firewall address is an IPv6 6-to-4 address prefix.

Each firewall address has a Universally Unique Identifier (UUID) that is automatically assigned. To view it, use the command get firewall address or get firewall address6 and look for the uuid field. subnet

Note: This entry is only available for address and when type is set to ipmask.

IP address and subnet mask. This can be entered in two different formats: dotted decimal format and separated by a space, or in Classless Inter-Domain Routing (CIDR) format with no separation (as shown in the examples below, respectively):

l 172.168.2.5 255.255.255.255

l 172.168.2.5/35 type {ipmask | iprange | fqdn | wildcard | url | ipprefix}

Note: Only the ipprefix and iprange entries are available for address6.

Type of firewall address:

l ipmask: IP/netmask (set by default for address). Once enabled, use the subnet entry (see above) to set the IP and netmask.

l iprange: IP address range. Once enabled, use the start-ip and end-ip entries (see below) to set the IP range.

16 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. firewall address | address6

l fqdn: Fully qualified domain name (FQDN). Once enabled, use the fqdn and cache-ttl entries (see below) to set FQDN options.

l wildcard: IP/wildcard-netmask. Once enabled, use the wildcard entry (see below) to set the IP and wildcard netmask.

l url: URL pattern (only applies to the explicit web proxy). Once enabled, use the url entry (see below) to set the URL pattern.

l ipprefix: IP/prefix (set by default for address6). Once enabled, use the ip6 entry (see below) to set the IPv6 address prefix. ip6

Note: This entry is only available for address6 and when type is set to ipprefix.

IPv6 address prefix in the following format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx visibility {enable | disable}

Note: This entry is only available for address6.

Enable (by default) or disable visibility/availability of this address in firewall policy address selection. color

Note: This entry is only available for address6.

Icon color to use in the web-based manager. Assign a color-code from 0-32 (see below).

Note that entering 0 sets the default, color 1.

1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7 11 15 19 23 27 31

4 8 12 16 20 24 28 32

category

Assign this service to a service category.

protocol {TCP/UDP/SCTP | ICMP | ICMP6 | IP} {HTTP | FTP | CONNECT | SOCKS-TCP | SOCKS-UDP | ALL}

Note: The protocols available depend on whether explicit-web-proxy is set to enable or disable (see lists below).

Protocol used by this service. When explicit-web-proxy is set to disable, the following protocols are available:

l TCP/UDP/SCTP (set by default)

l ICMP

l ICMP6

l IP When explicit-web-proxy is set to enable, the following protocols are available:

l HTTP

l FTP

l CONNECT

l SOCKS-TCP

l SOCKS-UDP

l ALL (set by default)

36 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. firewall service {category | custom | group}

iprange

Note: This entry is not available when protocol is set to either ICMP, ICMP6, or IP.

IP address or address range for this service. Enter a hyphen (-) inbetween the addresses if you wish to enter an address range.

fqdn

Note: This entry is not available when protocol is set to either ICMP, ICMP6, or IP.

Fully qualified domain name (FQDN) for this service.

tcp-portrange

Note: This entry is not available when protocol is set to either ICMP, ICMP6, or IP.

Destination and source port ranges for TCP services in the following format:

-:-

For example: 100-150:1100-1150

When setting this option, bear in mind the following:

l If the destination port range can be any port, enter 0-65535.

l If the destination and/or source is a single port, enter a single number for each.

l If the source port range can be any port, no entry is required.

l To enter multiple port ranges, separate each range with a space. This can be done up to a maximum of 16 port ranges.

udp-portrange

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Destination and source port ranges for UDP services. See tcp-portrange above for formatting considerations.

sctp-portrange

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Destination and source port ranges for SCTP services. See tcp-portrange above for formatting considerations.

tcp-halfclose-timer

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Period of time in seconds the FortiCache waits before it closes a session after one peer has sent a FIN packet, but the other has not responded. Set the value between 1-86400 (or one second to one day). Enter 0 (set by default) to use the global setting defined in global.

FortiCache 4.2.1 CLI Reference 37 Fortinet Technologies Inc. service {category | custom | group} firewall

tcp-halfopen-timer

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Period of time in seconds the FortiCache waits before it closes a session after one peer has sent an open session packet, but the other has not responded. Set the value between 1-86400 (or one second to one day). Enter 0 (set by default) to use the global setting defined in global.

tcp-timewait-timer

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Duration of the TCP TIME-WAIT state in seconds, a state which represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request (for more information, see RFC 793).

Set the value between 1-300 (or one second to five minutes). Enter 0 (set by default) to use the global setting defined in global.

Note that a smaller value means terminated sessions can be closed faster, meaning more new sessions can be opened before the session limit is reached.

udp-idle-timer

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Period of time in seconds before an idle UDP connection times out. Set the value between 1-86400 (or one second to one day). Enter 0 (set by default) to use the global setting defined in global.

session-ttl

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

Period of time in seconds before the session times out. Set the value between 300-604800 (or five minutes to one week). Enter 0 (set by default) to use either the per-policy or per-VDOM session-ttl, as applicable.

check-reset-range {disable | strict | default}

Note: This entry is only available when explicit-web-proxy is set to disable and protocol is set to TCP/UDP/SCTP.

ICMP error message verification method:

l disable: ICMP error messages are not validated.

l strict: If an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header is received, then if the A:C- >B:D session can be located, it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If log- invalid-packet is enabled (see setting), logs will show that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.

l default: Global setting defined in global is used (set by default).

38 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. firewall service {category | custom | group}

icmptype

Note: This entry is only available when protocol is set to either ICMP or ICMP6.

ICMP type number. Set the value between 0-255. To view all the ICMP types and code numbers, go to the Internet Assigned Numbers Authority (IANA) Protocol Registry and see ICMP Type Numbers.

protocol-number

Note: This entry is only available when protocol is set to IP.

IP protocol number for an IP service. Set the value between 0-254. To view all the protocol numbers, go to the Internet Assigned Numbers Authority (IANA) Protocol Registry and see Assigned Internet Protocol Numbers.

comment

Optional comments.

color

Icon color to use in the web-based manager. Assign a color-code from 0-32 (see below).

Note that entering 0 sets the default, color 1.

1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7 11 15 19 23 27 31

4 8 12 16 20 24 28 32

visibility {enable | disable}

Enable (by default) or disable visibility/availability of this service in firewall policy service selection. group

Use this command to create new and edit predefined firewall service groups.

The following predefined groups are available for editing:

l Email Access

l Exchange Server

l Web Access

l Windows AD

FortiCache 4.2.1 CLI Reference 39 Fortinet Technologies Inc. socks-authentication firewall

member

Names of firewall services to add to this service group. To add more than one member, separate each entry with a space.

explicit-proxy {enable | disable}

Enable or disable (by default) this service group as explicit web proxy services. This service group will be available to explicit proxy firewall policies but not to regular firewall policies.

comment

Optional comments.

color

Icon color to use in the web-based manager. Assign a color-code from 0-32 (see below).

Note that entering 0 sets the default, color 1.

1 5 9 13 17 21 25 29

2 6 10 14 18 22 26 30

3 7 11 15 19 23 27 31

4 8 12 16 20 24 28 32

socks-authentication

Use this command to create and edit Socket Secure (SOCKS) authentication options. Authentication takes place first, then once the destination is obtained, a policy match is implemented, to which the authenticated credentials are used to perform authorization. proxy

Explicit web proxy to add for SOCKS authentication. While there is no default, the default choice is web-proxy. srcaddr

Name of an address for the policy. action {no-auth | auth}

Policy action:

40 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. firewall ssl {exemption | setting}

l no-auth: Deny authentication to traffic that matches the policy (set by default).

l auth: Grant authentication to traffic that matches the policy. ip-based {enable | disable}

Enable or disable (by default) IP address-based authentication. active-auth-method {active | kerberos}

SOCKS active authentication method:

l basic: Basic HTTP authentication.

l kerberos: Kerberos authentication. sso-auth-method {fsso | rsso}

Note: This entry is only available when ip-based is set to enable.

SOCKS passive Single Sign-on (SSO) authentication method:

l fsso: Fortinet SSO (FSSO) authentication.

l rsso: RADIUS SSO (RSSO) authentication. ssl {exemption | setting}

The ssl command is divided into two configurable options: create and edit ssl exemption lists of domains and configure ssl proxy settings. exemption

Use this command to create lists of domains that are exempted from SSL inspection.

The following predefined exemptions, along with their domain addresses, are already available by default:

l Android update: *.client.google.com

l Apple Update 1: swscan.apple.com

l Apple Update 2: swquery.apple.com

l Apple Update 3: swdownload.apple.com

l Apple Update 4: swcdn.apple.com

l Microsoft Update 1: *.windowsupdate.microsoft.com

l Microsoft Update 2: update.microsoft.com

l Microsoft Update 3: windowsupdate.com

l Microsoft Update 4: *.download.windowsupdate.com

l Microsoft Update 5: download.microsoft.com

l Microsoft Update 6: test.stats.update.microsoft.com

l Microsoft Update 7: ntservicepack.microsoft.com

l Skype Message: msg.skype.com

FortiCache 4.2.1 CLI Reference 41 Fortinet Technologies Inc. ssl-ssh-profile firewall

address

Domain name address to be exempted from SSL inspection. setting

Use this command to configure SSL proxy settings which can be applied to antivirus scanning, web filtering, spam filtering, DLP, and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. For more information, see profile-protocol-options

proxy-connect-timeout

Period of time in seconds before an internal connection is made to the appropriate proxy process. Set the value between 1-60 (or one second to one minute). The default is set to 30.

ssl-dh-bits {768 | 1024 | 1536 | 2048}

Size of Diffie-Hellman prime used in DHE_RSA negotiation: 768-bit, 1024-bit (by default), 1536-bit, or 2048-bit DH prime.

ssl-send-empty-frags {enable | disable}

Enable (by default) or disable sending empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).

no-matching-cipher-action {bypass | drop}

Bypass (by default) or drop the connection when an unsupported cipher is being used by the server.

cert-cache-capacity

Capacity of the host certificate cache. Set the range between 0-500. The default is set to 200.

cert-cache-timeout

Time limit in minutes to keep the certificate cache. Set the value between 1-120 (or one minute to two hours). The default is set to 10.

session-cache-capacity

Capacity of the SSL session cache. Set the value between 0-1000. The default is set to 500.

session-cache-timeout

Time limit in minutes to keep SSL session state. Set the value between 1-60 (or one minute to one hour). The default is set to 20. ssl-ssh-profile

Use this command to create and edit SSL deep inspection profiles for firewall policies. Deep inspection profiles determine how UTM functionality identifies secure content protocols such as HTTPS, FTPS, and SMTPS.

42 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. firewall ssl-ssh-profile

Client comforting options are controlled by the corresponding nonsecure protocol options in profile-protocol- options.

The following predefined profiles are already available by default:

l certificate-inspection

l deep-inspection config https

Use this configuration method to configure SSL protocol options.

ports

Ports to scan for HTTPS traffic. To enter multiple ports, separate each entry with a space. Set the value between 1-65535. The default is set to 443.

status {disable | certificate-inspection | deep-inspection}

Inspection method:

l disable: Inspection is disabled.

l certificate-inspection: Inspect SSL handshake only.

l deep-inspection: Full SSL inspection (set by default).

client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the SSL handshake: bypass (set by default), inspect, or block.

Note that SSL sessions using client-certificates will bypass the SSL inspection by default. This command offers the option to inspect or block that traffic.

unsupported-ssl {bypass | block}

Action to take by the SSL proxy for undecryptable SSL sessions: bypass (set by default) or block.

allow-invalid-server-cert {enable | disable}

Enable or disable (by default) allowing SSL sessions whose server certificate validation failed.

ssl-ca-list {enable | disable}

Enable or disable (by default) verification of SSL session server certificate against stored CA certificate list.

common-ssl-exemption {enable | disable}

Enable or disable (by default) common SSL exemption. config ssl-exempt

Use this configuration method to configure servers that are exempt from SSL inspection.

FortiCache 4.2.1 CLI Reference 43 Fortinet Technologies Inc. ssl-ssh-profile firewall

The following predefined exemptions, along with their FortiGuard web category and category ID, are already available by default:

l 1: This entry has an assigned fortiguard-category of 31, corresponding to Finance and Banking.

l 2: This entry has an assigned fortiguard-category of 33, corresponding to Health and Wellness.

l 3: This entry has an assigned fortiguard-category of 87, corresponding to Personal Privacy. These are the default web categories assigned when creating a new SSL Inspection Profile.

type {fortiguard-category | address | address6}

SSL exemption type:

l fortiguard-category: FortiGuard web categories (set by default).

l address4: IPv4 address.

l address6: IPv6 address.

fortiguard-category

Note: This entry is only available when type is set to fortiguard-category.

Category ID that corresponds to a FortiGuard web category. To view the full list of categories, enter set fortiguard-category ?.

address

Note: This entry is only available when type is set to address.

IPv4 address to exempt.

address6

Note: This entry is only available when type is set to address6.

IPv6 address to exempt. config ssl-server

Use this configuration method to configure SSL server settings for use with secure protocols: HTTPS, SMTPS, POP3S, IMAPS, and FTPS.

SSL sessions that use client-certificates bypass the SSL inspection by default. The commands below offer the option to inspect or block that traffic per protocol.

IP address of the SSL server.

https-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the HTTPS client handshake: bypass (set by default), inspect, or block.

44 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. firewall ssl-ssh-profile

smtps-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the SMTPS client handshake: bypass (set by default), inspect, or block.

pop3s-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the POP3S client handshake: bypass (set by default), inspect, or block.

imaps-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the IMAPS client handshake: bypass (set by default), inspect, or block.

ftps-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the FTPS client handshake: bypass (set by default), inspect, or block.

ssl-other-client-cert-request {bypass | inspect | block}

Action to take by the SSL proxy when the client certificate request fails during the client handshake for SSL protocols other than those available above: bypass (set by default), inspect, or block. comment

Optional comments. server-cert-mode {re-sign | replace}

Either re-sign (set by default) or replace the server's certificate. caname

Name of a CA certificate used by SSL content scanning and inspection for establishing encrypted SSL sessions. The default is set to Fortinet_CA_SSLProxy. certname

Name of a server certifcate used by SSL inspection. The default is set to Fortinet_SSLProxy. ssl-invalid-server-cert-log {enable | disable}

Enable or disable (by default) logging of invalid SSL server certificates.

FortiCache 4.2.1 CLI Reference 45 Fortinet Technologies Inc. gui

Use config gui to configure the following GUI related options:

console console

This command stores a base-64 encoded file that contains the configuration of the System > Dashboard > Status web-based manager page. preferences

Base64-encoded file to upload containing the commands to set up the web-based manager CLI console on the FortiCache unit.

46 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. icap

Use config icap to configure the following Internet Content Adaptation Protocol (ICAP) related options:

profile server profile

Use this command to create and edit ICAP profiles that reference ICAP servers. To create and edit ICAP servers, see server. replacemsg-group

Name of a replacement message group to assign to this profile. request {enable | disable}

Enable or disable (by default) sending requests to an ICAP server. response {enable | disable}

Enable or disable (by default) sending HTTP responses to an ICAP server. streaming-content-bypass {enable | disable}

Enable or disable (by default) bypassing the ICAP server for streaming content. request-server

Note: This entry is only available when request is set to enable.

Name of ICAP server to use for HTTP requests. request-failure {error | bypass}

Note: This entry is only available when request is set to enable.

Action to take if the ICAP server cannot be contacted when processing an HTTP request. request-path

Note: This entry is only available when request is set to enable.

Path component of the ICAP URI that identifies the HTTP request processing service.

FortiCache 4.2.1 CLI Reference 47 Fortinet Technologies Inc. server icap

response-server

Note: This entry is only available when response is set to enable.

Name of ICAP server to use for HTTP responses. response-failure {error | bypass}

Note: This entry is only available when response is set to enable.

Action to take if the ICAP server cannot be contacted when processing an HTTP response. response-path

Note: This entry is only available when response is set to enable.

Path component of the ICAP URI that identifies the HTTP response processing service. server

Delete this text and replace it with your own content. ip-version {4 | 6}

Either IPv4 (by default) or IPv6 addressing. ip-address

Note: This entry is only available when ip-version is set to 4.

ICAP server IPv4 address. ip6-address

Note: This entry is only available when ip-version is set to 6.

ICAP server IPv6 address. port

ICAP server port number. Set the value between 1-65535. The default is set to 1344. max-connections

Maximum permitted number of concurrent connections to the ICAP server. Set the value between 1-65535. The default is set to 100.

48 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. image-analyzer

Use config image-analyzer to configure the following image/content analysis related options:

profile profile

Use this command to create and edit Content Analysis profiles for image analysis of adult-content. Note that the default settings provide a good balance, but may require adjustment. comment

Optional comments. image-score-threshold

Image score threshold. If an image scores higher than this threshold, the image will either be passed or blocked, depending on what rating-err-action is set to (see below). Set the value between 0-10000. The default is set to 600.

Note that raising the threshold beyond the default value may increase the number of false positive results, where legitimate images may be blocked. Conversely, if the threshold is too low, explicit images may be allowed. image-skip-size

Image skip size in kilobytes. Any images this size will be skipped by the image scan unit. Set the value between 1- 2048. The default is set to 1.

Note that images that are too small are difficult to scan and are more likely to be rated incorrectly by the image scan engine. image-rating-sensitivity

Image rating sensitivity. Set the value between 0-100. The default is set to 75.

Note that raising the sensitivity beyond the default value may increase the number of false positive results, where legitimate images may be blocked. Conversely, if the sensitivty is too low, explicit images may be allowed. rating-err-action {block | pass}

Action to take when an image exceeds the rating threshold: block or pass (by default) the image. replace-image-action {no-resize | resize}

Action to take when a replacement image will be displayed in place of explicit images:

FortiCache 4.2.1 CLI Reference 49 Fortinet Technologies Inc. profile image-analyzer

l no-resize: Leave the replacement image at its default size (by default).

l resize: Re-size the replacement image to match the size of the original image. replace-image

Specify replacement image.

50 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. log

Use config log to configure the following logging related options:

custom-field disk {filter | setting} eventfilter {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting gui-display memory {filter | global-setting | setting} setting {syslogd | syslogd2 | syslogd3} {filter | setting} webtrends custom-field

Use this command to customize the log fields with a name and/or a value, which will appear in the log message. name

Name to identify the log. All alphanumeric characters and the underscore (_) symbol are permitted, however no other special characters. The name cannot exceed 16 characters. value

Firewall policy number to associate a firewall policy with the logs. disk {filter | setting}

The disk command is divided into two configurable options: create and edit types of log messages sent to the disk log, and configure log settings for logging to the local disk. filter

Use this command to define the types of log messages sent to the disk log.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Logging severity level:

l emergency: The system is unusable.

l alert: Immediate action is required.

l critical: Functionality is affected.

FortiCache 4.2.1 CLI Reference 51 Fortinet Technologies Inc. disk {filter | setting} log

l error: Functionality is probably affected, due to a false condition.

l warning: Functionality might be affected.

l notification: Information about normal events.

l information: General information about system operations (set by default).

l debug: Information used for diagnosing or debugging. As shown, the order they appear in corelates to their severity in descending order. In light of this, the FortiCache will log all messages at and above the logging-severity level you select. For example, if you select error, the FortiCache will log error, critical, alert, and emergency level messages.

forward-traffic {enable | disable}

Enable (by default) or disable logging of forwarded traffic messages.

local-traffic {enable | disable}

Enable (by default) or disable logging of local-in or local-out traffic messages.

dlp-archive {enable | disable}

Enable (by default) or disable logging of DLP content archive events. setting

Use this command to define log settings for logging to the local disk.

status {enable | disable}

Enable or disable (by default) logging to the local disk.

ips-archive {enable | disable}

Note: This entry is only available when status is set to enable.

Enable (by default) or disable IPS packet archive logs.

max-log-file-size

Note: This entry is only available when status is set to enable.

Maximum log file size in megabytes that is saved to the local disk. When this limit is reached, the FortiCache saves the current log file and starts a new active log file. Set the range between 1-1024. The default is set to 100.

storage

Note: This entry is only available when status is set to enable.

Name for the storage log file.

max-policy-packet-capture-size

Maximum packet capture size for firewall policies in megabytes. The default is set to 10. Set to 0 for unlimited.

52 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. log disk {filter | setting}

roll-schedule {daily | weekly}

Note: This entry is only available when status is set to enable.

Frequency of log rolling. The FortiCache will roll the log event on a daily (by default) or weekly basis, so long as the maximum size has not been reached.

roll-time

Note: This entry is only available when status is set to enable.

Time of day that the FortiCache saves the current log file and starts a new active log file in the format hh:mm. The default is set to 00:00.

diskfull {overwrite | nolog}

Note: This entry is only available when status is set to enable.

Action to take when the local disk is full:

l overwrite: Overwrite the oldest log (set by default).

l nolog: Stop logging.

log-quota

Disk space allocated for disk logging in megabytes. The default is set to 0.

dlp-archive-quota

Disk space allocated for DLP logs in megabytes. The default is set to 0.

maximum-log-age

Maximum age for logs in days; logs older than this value are purged. The default is set to 7.

upload {enable | disable}

Note: This entry is only available when status is set to enable.

Enable or disable (by default) uploading files to a remote FTP directory. Once enabled, use the various upload- related entries below to configure information required to connect to the FTP server.

upload-destination {ftp-server}

Note: This entry is only available when upload is set to enable.

Upload destination; ftp-server (set by default) is the only available option.

uploadip

Note: This entry is only available when upload is set to enable.

IP address of the FTP server.

uploadport

Note: This entry is only available when upload is set to enable.

FortiCache 4.2.1 CLI Reference 53 Fortinet Technologies Inc. disk {filter | setting} log

Port number used by the FTP server. The default is set to the standard FTP port, 21.

source-ip

Note: This entry is only available when upload is set to enable.

Source IP address of the disk log uploading.

uploaduser

Note: This entry is only available when upload is set to enable.

User account for uploading to the FTP server.

uploadpass

Note: This entry is only available when upload is set to enable.

Password required to connect to the FTP server.

uploaddir

Note: This entry is only available when upload is set to enable.

Name of the path on the FTP server where the log files will be transferred to. If you do not specify a remote directory, the log files are uploaded to the root directory of the FTP server.

uploadtype {traffic | event | virus | ... }

Note: This entry is only available when upload is set to enable.

Log files to upload to the FTP server:

l traffic: Upload traffic log.

l event: Upload event log.

l virus: Upload anti-virus log.

l webfilter: Upload web filter log.

l IPS: Upload IPS log.

l spamfilter: Upload spam filter log.

l dlp-archive: Upload content log and archive.

l anomaly: Upload anomaly log.

l voip: Upload VoIP log.

l dlp: Upload DLP log.

l app-ctrl: Upload application control log.

uploadzip {enable | disable}

Note: This entry is only available when upload is set to enable.

Enable to compress the log files after uploading to the FTP server. If disabled (by default), the log files are uploaded to the FTP server in plain text format.

uploadsched {enable | disable}

Note: This entry is only available when upload is set to enable.

54 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. log eventfilter

Enable to upload logs at a specific time of the day. If disabled (by default), the FortiCache uploads the logs when the logs are rolled. Once enabled, use the uploadtime entry to specify the time of day for logs to be uploaded.

uploadtime

Note: This entry is only available when upload is set to enable.

Time of day (hour only) when the FortiCache uploads the logs. Set the value between 0-23. The default is set to 0 (or midnight).

upload-delete-files {enable | disable}

Note: This entry is only available when upload is set to enable.

Enable (by default) or disable the removal of log files once the FortiCache has uploaded the log file to the FTP server.

full-first-warning-threshold

First warning as a percentage before reaching the traffic log threshold. Set the value between 1-98. The default is set to 75.

full-second-warning-threshold

Second warning as a percentage before reaching the traffic log threshold. Set the value between 2-99. The default is set to 90.

full-final-warning-threshold

Final warning as a percentage before reaching the traffic log threshold. Set the value between 3-100. The default is set to 95. eventfilter

Use this command to configure event logging.

Note: The event entry must be enabled for all other entries in this command to be available. event {enable | disable}

Enable (by default) or disable logging of event messages. system {enable | disable}

Enable (by default) or disable logging of system activity messages. user {enable | disable}

Enable (by default) or disable logging of user authentication and activity messages.

FortiCache 4.2.1 CLI Reference 55 Fortinet Technologies Inc. {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting log

router {enable | disable}

Enable (by default) or disable logging of router activity messages. wan-opt {enable | disable}

Enable (by default) or disable logging of WAN optimization messages. endpoint {enable | disable}

Enable (by default) or disable logging of endpoint control messages. ha {enable | disable}

Enable (by default) or disable logging of HA events.

{fortianalyzer | fortianalyzer2 | fortianalyzer3} setting

Use these commands to configure the FortiCache to send log files to up to a maximum of three FortiAnalyzers for maximum failover protection of log data.

Note: The status entry must be enabled for all other entries in this command to be available. status {enable | disable}

Enable or disable (by default) communication with the FortiAnalyzer. ips-archive {enable | disable}

Enable (by default) or disable IPS packet archive. server

IP address of the FortiAnalyzer. enc-algorithm {default | high | low | disable}

Encryption-strength for communications between the FortiCache and FortiAnalyzer:

l default: SSL with high-strength algorithms and the following medium-strength 128-bit key length algorithms: RC4- SHA, RC4-MD5, and RC4-MD (set by default).

l high: SSL with 128-bit and the following larger key length algorithms: DHE-RSA-AES256-SHA, AES256-SHA, EDH- RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, and AES128-SHA.

l low: SSL with the following 64-bit or 56-bit key length algorithms without export restrictions: EDH-RSA-DES-CDBC- SHA, DES-CBC-SHA, and DES-CBC-MD5.

l disable: Disable the use of SSL.

56 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting

localid

Identifier up to a maximum of 64 characters. You must use the same identifier on both the FortiCache and the FortiAnalyzer. conn-timeout

Period of time in seconds before the FortiAnalyzer connection times out. The default is set to 10. monitor-keepalive-period

Period of time in seconds between OFTP keepalive transmissions. Set the range between 1-120. The default is set to 5. monitor-failure-retry-period

Period of time in seconds between connection retries. The default is set to 5. source-ip

Source IP address of the FortiAnalyzer. upload-option {store-and-upload | realtime}

Method for how logs are uploaded to the FortiAnalyzer:

l store-and-upload: Log to hard disk, then upload on the schedule defined by the upload-interval, upload-day, and upload-time entries (see below).

l realtime: Send logs directly to the FortiAnalyzer (set by default). Note that store-and-upload requires disk logging to be enabled. upload-interval {daily | weekly | monthly}

Note: This entry is only available when upload-option is set to store-and-upload.

Frequency of log uploads, either on a daily (set by default), weekly, or monthly basis. upload-day

Note: This entry is only available when upload-option is set to store-and-upload.

Day of the week or month to upload logs:

l If upload-interval is set to weekly, enter the days of the week for log uploads (between monday-sunday).

l If upload-interval is set to monthly, enter the dates of the month for log uploads (between 1-31). upload-time

Note: This entry is only available when upload-option is set to store-and-upload.

FortiCache 4.2.1 CLI Reference 57 Fortinet Technologies Inc. gui-display log

Time of day for log uploads in the format hh:mm. The default is set to 00:59. reliable {enable | disable}

Enable or disable (by default) logging to a syslog server using TCP, ensuring a more reliable connection setup and transmission of data. gui-display

Use this command to configure how logs are displayed in the web-based manager. resolve-hosts {enable | disable}

Enable (by default) or disable resolving IP addresses to hostnames using reverse-DNS lookup. resolve-apps {enable | disable}

Enable (by default) or disable resolving unknown applications using the remote application database. fortiview-unscanned-apps {enable | disable}

Enable or disable (by default) includion of unscanned traffic in FortiView application charts. fortiview-local-traffic {enable | disable}

Enable or disable (by default) inclusion of local-in traffic in FortiView relatime charts. location {memory | disk | fortianalyzer | fortiguard}

Location from which to display logs: memory (by default), disk, FortiAnalyzer, or FortiGuard. memory {filter | global-setting | setting}

The memory command is divided into three configurable options: configure log settings for logging to memory, logging threshold warnings, and other memory settings. filter

Use this command to configure log settings for logging to memory.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Logging severity level:

l emergency: The system is unusable.

l alert: Immediate action is required.

58 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. log memory {filter | global-setting | setting}

l critical: Functionality is affected.

l error: Functionality is probably affected, due to a false condition.

l warning: Functionality might be affected.

l notification: Information about normal events.

l information: General information about system operations (set by default).

forward-traffic {enable | disable}

Enable (by default) or disable logging of forwarded traffic messages.

local-traffic {enable | disable}

Enable (by default) or disable logging of local-in or local-out traffic messages. global-setting

Use this command to configure log threshold warnings and maximum buffer lines for the FortiCache's system memory.

max-size

Maximum size of the memory buffer log in bytes. Set the value between 65536-2796189 (or 65kB to nearly 2.8MB). The default is set to 98304.

full-first-warning-threshold

First warning as a percentage before reaching the traffic log threshold. Set the value between 1-98. The default is set to 75.

full-second-warning-threshold

Second warning as a percentage before reaching the traffic log threshold. Set the value between 2-99. The default is set to 90.

full-final-warning-threshold

Final warning as a percentage before reaching the traffic log threshold. Set the value between 3-100. The default is set to 95. setting

Use this command to configure further log settings for logging to the FortiCache system memory.

The FortiCache's system memory has a limited capacity and only displays the most recent log entries. Traffic logs are not stored in the memory buffer, due to the high volume of traffic information.

After all available memory is used, by default, the FortiCache begins to overwrite the oldest messages. All log entries are deleted when the FortiCache restarts.

FortiCache 4.2.1 CLI Reference 59 Fortinet Technologies Inc. setting log

status {enable | disable}

Enable or disable (by default) logging to the FortiCache system memory.

diskfull

Action to take when the memory reaches is capacity; overwrite (set by default) is the only available option, whereby the FortiCache will begin overwriting the oldest file. setting

Use this command to configure geenral logging settings. resolve-ip {enable | disable}

Enable or disable (by default) resolving IP address in traffic log to domain name (if possible). resolve-port {enable | disable}

Enable (by default) or disable resolving port number in traffic log to service name (if possible). log-user-in-upper {enable | disable}

Enable or disable (by default) collecting log with the user-in-upper.

{fwpolicy-implicit-log | fwpolicy6-implicit-log} {enable | disable}

Enable or disable (by default) collecting firewall implicit IPv4 or IPv6 policy log. log-invalid-packet {enable | disable}

Enable or disable (by default) International Computer Security Association (ICSA) compliant logs.

Independent of traffic log settings, traffic log entries are generated:

l for all ICMP packets,

l for all dropped, invalid IP packets,

l and for session start and on session deletion. This setting is not rate limited. Note that a large volume of invalid packets can dramatically increase the number of log entries, affecting overall performance. local-in-allow {enable | disable}

Enable (by default) or disable collecting local-in policy accepted log. local-in-deny-unicast {enable | disable}

Enable (by default) or disable collecting local-in policy dropped unicast log.

60 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. log {syslogd | syslogd2 | syslogd3} {filter | setting}

local-in-deny-broadcast {enable | disable}

Enable or disable (by default) collecting local-in policy dropped broadcast log. local-out {enable | disable}

Enable (by default) or disable collecting local-out log. daemon-log {enable | disable}

Enable or disable (by default) collecting daemon log. neighbor-event {enable | disable}

Enable or disable (by default) collecting neighbor-event log (ARP and IPv6 neighbor discovery events). brief-traffic-format {enable | disable}

Enable or disable (by default) using brief format for traffic log. user-anonymize {enable | disable}

Enable or disable (by default) replacing user name with “anonymous” in logs.

{syslogd | syslogd2 | syslogd3} {filter | setting}

Use these commands to configure the FortiCache to send log files to up to a maximum of three syslog servers. The syslogd commands are divided into two configurable options to configure filters and log settings for logging to a remote syslog server. filter

Use this command to configure log settings for logging to a syslog server.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Logging severity level:

l emergency: The system is unusable.

l alert: Immediate action is required.

l critical: Functionality is affected.

l error: Functionality is probably affected, due to a false condition.

l warning: Functionality might be affected.

l notification: Information about normal events.

l information: General information about system operations (set by default).

l debug: Information used for diagnosing or debugging.

FortiCache 4.2.1 CLI Reference 61 Fortinet Technologies Inc. {syslogd | syslogd2 | syslogd3} {filter | setting} log

As shown, the order they appear in corelates to their severity in descending order. In light of this, the FortiCache will log all messages at and above the logging-severity level you select. For example, if you select error, the FortiCache will log error, critical, alert, and emergency level messages.

forward-traffic {enable | disable}

Enable (by default) or disable logging of forwarded traffic messages.

local-traffic {enable | disable}

Enable (by default) or disable logging of local-in or local-out traffic messages. setting

Use this command to configure further log settings for logging to a remote syslog server.

Note: The status entry must be enabled for all other entries in this command to be available.

status {enable | disable}

Enable or disable (by default) logging to a remote syslog server.

server

IP address of the syslog server. Note that the host names must comply with RFC 1035.

reliable {enable | disable}

Enable or disable (by default) reliable delivery of syslog messages to the syslog server. Reliable syslog protects log information through authentication and data encryption and ensures that the log messages are reliably delivered in the correct order.

For more information about reliable delivery for syslog, see RFC 3195.

port

Port number for communication with the syslog server. The default is set to 514.

csv {enable | disable}

Enable or disable (by default) producing the log in Comma Separated Value (CSV) format. If disabled, the FortiCache will produce plain text files.

facility {kernel | user | mail | ... }

Facility type. This value identifies the source of the log message to syslog. Changing the facility can help top distinguish log messages from different FortiCaches. Available facility types are shown below:

Facility types

kernel: Kernel messages cron: Clock daemon

user: Random user-level messages authpriv: Security/authorization messages (private)

62 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. log webtrends

Facility types

mail: Mail system ftp: FTP daemon

daemon: System daemons ntp: NTP daemon

auth: Security/authorization messages audit: Log audit

syslog: Messages generated internally by syslog alert: Log alert

lpr: Line printer subsystem clock: Clock daemon

news: Network news subsystem local0 - local7: Reserved for local use

uucp: Network news subsystem

source-ip

Source IP address for the syslog server. webtrends

The webtrends command is divided into two configurable options to configure log settings for logging to a remote computer running a NetIQ WebTrends firewall reporting server. filter

Use this command to configure log settings for logging to WebTrends.

severity {emergency | alert | critical | error | warning | notification | information | debug}

Logging severity level:

l emergency: The system is unusable.

l alert: Immediate action is required.

l critical: Functionality is affected.

l error: Functionality is probably affected, due to a false condition.

l warning: Functionality might be affected.

l notification: Information about normal events.

l information: General information about system operations (set by default).

forward-traffic {enable | disable}

Enable (by default) or disable logging of forwarded traffic messages.

FortiCache 4.2.1 CLI Reference 63 Fortinet Technologies Inc. webtrends log

local-traffic {enable | disable}

Enable (by default) or disable logging of local-in or local-out traffic messages. setting

Use this command to configure further log settings for logging to WebTrends.

status {enable | disable}

Enable or disable (by default) logging to the WebTrends server.

server

IP address of the WebTrends server.

64 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. router

Use config router to configure the following router related options:

static | static6 static | static6

Use these commands to create and edit static routes for both IPv4 and IPv6 traffic.

Note that all entries are available for both static and static6 commands except the following:

l weight

l blackhole

l dynamic-gateway dst

Destination address and network mask for this route. gateway

Note: This entry is only available when blackhole is set to disable.

Address of the next-hop router to which traffic is forwarded. distance

Administrative distance for the route which may influence route preference in the FortiCache routing table. Set the value between 1-255. The default is set to 10. weight

Weight for the static routes. More traffic is directed to routes with higher weight values. Set the value between 0- 255. The default is set to 0. priority

Note: This entry is only available when blackhole is set to disable.

Priority for the static routes. The administrative priority value is used to resolve ties in route selection. Lower priority routes are preferred routes. Set the value between 0-4294967295. The default is set to 0.

In the case where both routes have the same priority, such as equal cost multi-path (ECMP), the IP source hash (based on the pre-NATed IP address) for the routes will be used to determine which route is selected.

FortiCache 4.2.1 CLI Reference 65 Fortinet Technologies Inc. static | static6 router

device

Note: This entry is only available when blackhole is set to disable.

Name of the FortiCache unit interface through which to route traffic. Enter set device ? to view the full list of interfaces. comment

Optional comments. blackhole {enable | disable}

Enable or disable (by default) dropping all packets that match this route. This route is advertised to neighbors through dynamic routing protocols as any other static route. dynamic-gateway {enable | disable}

Note: This entry is only available when blackhole is set to disable.

Enable or disable (by default) the dynamic-gateway feature. When enabled, dynamic-gateway hides the gateway variable for a dynamic interface, such as a DHCP or PPPoE interface. When the interface connects or disconnects, the corresponding routing entries are updated to reflect the change.

66 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system

Use config system to configure the following system related options:

accprofile admin auto-install autoupdate {push-update | schedule | tunneling} console custom-language dns dns-database email-server fortiguard fsso-polling global ha interface ntp object-tag password-policy replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy} replacemsg-group replacemsg-image settings snmp {community | sysinfo | user} storage wccp zone accprofile

Use this command to edit settings that can deny access, allow read only, or allow both read and write access to FortiCache features. config fwgrp-permission

Note: This configuration method is only available when fwgrp is set to custom.

policy {none | read | read-write}

Level of administrator access to firewall policies. The default is set to none.

FortiCache 4.2.1 CLI Reference 67 Fortinet Technologies Inc. accprofile system

address {none | read | read-write}

Level of administrator access to firewall addresses. The default is set to none.

service {none | read | read-write}

Level of administrator access to firewall service definitions. The default is set to none.

schedule {none | read | read-write}

Level of administrator access to firewall schedules. The default is set to none.

others {none | read | read-write}

Level of administrator access to virtual IP configurations. The default is set to none. loggrp-permission

Note: This configuration method is only available when loggrp is set to custom.

config {none | read | read-write}

Level of administrator access to the logging configuration. The default is set to none.

data-access {none | read | read-write}

Level of administrator access to the log data. The default is set to none.

report-access {none | read | read-write}

Level of administrator access to report data. The default is set to none.

threat-weight {none | read | read-write}

Level of administrator access to threat-weight data. The default is set to none. utmgrp-permission

Note: This configuration method is only available when utmgrp is set to custom.

antivirus {none | read | read-write}

Level of administrator access to antivirus configuration data. The default is set to none.

webfilter {none | read | read-write}

Level of administrator access to web filter data. The default is set to none.

data-loss-prevention {none | read | read-write}

Level of administrator access to DLP data. The default is set to none.

68 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system accprofile

icap {none | read | read-write}

Level of administrator access to the Internet Content Adaptation Protocol (ICAP) configuration. The default is set to none.

image-analyzer {none | read | read-write}

Level of administrator access to content analysis data. The default is set to none. scope {vdom | global}

Administrator access scope: a single VDOM (set by default) or Global. comments

Optional comments. mntgrp {none | read | read-write}

Level of administrator access to maintenance commands, including resetting to factory defaults, formatting log disk, reboot, restore, and shut down. The default is set to none. admingrp {none | read | read-write}

Level of administrator access to administrator accounts and access profiles. The default is set to none. updategrp {none | read | read-write}

Level of administrator access to FortiGuard antivirus and IPS updates (both manual and automatic). The default is set to none. authgrp {none | read | read-write}

Level of administrator access to user authentication, including local users, RADIUS and LDAP servers, and user groups. The default is set to none. sysgrp {none | read | read-write}

Level of administrator access to system configuration except accprofile, admin, and autoupdate. The default is set to none. netgrp {none | read | read-write}

Level of administrator access to the network configuration, including interfaces, DHCP servers, and zones. The default is set to none.

FortiCache 4.2.1 CLI Reference 69 Fortinet Technologies Inc. admin system

loggrp {none | read | read-write | custom}

Level of administrator access to the log and report configuration including log settings, viewing logs and alert email settings. The default is set to none. routegrp {none | read | read-write}

Level of administrator access to the router configuration. The default is set to none. fwgrp {none | read | read-write | custom}

Level of administrator access to the firewall configuration. The default is set to none. vpngrp {none | read | read-write}

Level of administrator access to the VPN configuration. The default is set to none. utmgrp {none | read | read-write | custom}

Level of administrator access to the UTM configuration. The default is set to none. wanoptgrp {none | read | read-write}

Level of administrator access to the WAN optimization configuration. The default is set to none. admin

Use this command to create and edit administrator accounts. remote-auth {enable | disable}

Enable or disable (by default) authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server. password

Password for this administrator, up to a maximum of 64 characters. peer-auth {enable | disable}

Enable or disable (by default) peer certificate authentication for HTTPS admin access.

{trusthost1 | trusthost2 | trusthost3 ... trusthost10}

IPv4 address or subnet address and netmask from which the administrator can connect to the FortiCache.

70 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system auto-install

If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.

{ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 ... ip6-trusthost10}

IPv6 address or subnet address and netmask from which the administrator can connect to the FortiCache.

If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to ::/0. accprofile

Name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiCache features. comments

Optional comments.

{ssh-public-key1 | ssh-public-key2 | ssh-public-key3}

Public keys for up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

Enter the public keys in the format of:

is ssh-dss for a DSA key or ssh-rsa for an RSA key. is the public key string of the SSH client. ssh-certificate

Certificate to use for PKI authentication of the administrator. schedule

Configuration name of the restrict-times that an administrator can log in (as defined in schedule {group | onetime | recurring}). guest-auth {enable | disable}

Enable or disable (by default) guest authentication. auto-install

Use this command to configure automatic installation of firmware and system configuration from a USB disk when the FortiCache restarts. This command is only available for units that have a USB disk connection.

FortiCache 4.2.1 CLI Reference 71 Fortinet Technologies Inc. autoupdate {push-update | schedule | tunneling} system

If you set both configuration and firmware image update, both occur on the same reboot. The FortiCache will not reload a firmware or configuration file that is already loaded.

Third-party USB disks are supported, however the USB disk must be formatted as a FAT16 drive. No other partition type is supported. auto-install-config {enable | disable}

Enable or disable (by default) automatic loading of the system configuration from a USB disk on the next reboot. auto-install-image {enable | disable}

Enable or disable (by default) automatic installation of firmware from a USB disk on the next reboot. default-config-file

Name of the configuration file on the USB disk. The default is set to fgt_system.conf. default-image-file

Name of the image file on the USB disk. The default is set to image.out. autoupdate {push-update | schedule | tunneling}

The autoupdate command is divided into three configurable options: configure push updates, schedule FortiGuard Distribution Network (FDN) updates, and configure ther FortiCache to use a proxy server to connect to the FDN. push-update

Use this command to configure push updates in order to provide the fastest possible response to critical situations such as software exploits or viruses. The FortiCache must be registered in order to receive push notifications.

When you configure the FortiCache to allow push updates, the FortiCache sends a SETUP message to the FDN. The next time an update is released, the FDN notifies all FortiCache units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiCache unit requests an update from the FDN.

You can also configure push IP addresses and port overrides. If the FDN must connect to the FortiCache through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update override configuration.

You cannot receive push updates through a NAT device if the external IP address of the NAT device is dynamic (e.g. PPPoE or DHCP).

72 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system autoupdate {push-update | schedule | tunneling}

status {enable | disable}

Enable or disable (by default) FDN push updates.

override {enable | disable}

Enable or disable (by default) the override of push updates. Set to enable if the FortiCache connects to the FDN through a NAT device.

address

External IP address that the FDN connects to if you want to enable push override. This is the address of the external interface of your NAT device.

port

Port number that the FDN connects to. Set the value between 0-65535. The default is set to 9443. schedule

Use this command to schedule FDN updates at regular intervals throughout the day, once a day, or once a week.

status {enable | disable}

Enable (by default) or disable scheduled updates.

frequency {every | daily | weekly}

Frequency at which the FortiCache checks for updates:

l every: Check for updates periodically. Once set, use the time entry to set the hourly time interval to wait between updates.

l daily: Check for updates once a day. Once set, use the time entry to set the time of the day to check for updates.

l weekly: Check for updates once a week. Once set, use the day entry to set the day of the week, and use the time entry to set the time of the day you selected, to check for updates.

time

Time of the scheduled update in the format hh:mm.

Note that both the hours and minutes can be entered within the expected ranges, except you can also set minutes to 60 for a random time within one hour or 240 for a random time within four hours to check for updates. The default is set to 01:240. tunneling

Use this command to configure the FortiCache to use a proxy server to connect to the FDN. You must enable tunneling, add the IP address and port, and add the user name and password (if authentication is required) to connect to the proxy server.

status {enable | disable}

Enable or disable (by default) tunneling.

FortiCache 4.2.1 CLI Reference 73 Fortinet Technologies Inc. console system

address

IP address or FQDN of the proxy server.

port

Port number used to connect to the proxy server.

username

Username used to connect to the proxy server.

password

User's password used to connect to the proxy server. console

Use this command to configure console command settings, including its mode, the number of lines the console can display, and the baud rate, the rate at which information is transferred in a communication channel (e.g. a baud rate of 9600 means the console is capable of transferring a maximum of 9,600 bps). mode {batch | line}

Console mode: batch or line (set by default). This is only used for autotesting. baudrate {9600 | 19200 | 38400 | 57600 | 115200}

Baud rate of the command console: 9,600 (set by default), 19,200, 38,400, 57,600, or 115,200 bps. output {standard | more}

Console output style upon entering the show or get commands:

l standard: No pause.

l more: Pause after each screen is full, resuming on a keypress (set by default). login {enable | disable}

Enable (by default) or disable logon via console. fortiexplorer {enable | disable}

Enable (by default) or disable FortiExplorer access. custom-language

Use this command to create and edit the display language by customizing the content of language files.

74 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system dns

By default, the content of the predefined language options (listed below) is provided by Fortinet. The following predefined language profiles are already available for editing by default:

l GB2312: Simplified Chinese. Using the Guojia Biaozhun (GB), or "national standard" in Chinese, is the registered character set of the People’s Republic of China used for Simplified Chinese characters.

l big5: Traditional Chinese. Big5, or Big-5, is a Chinese character encoding method used in Taiwan, Hong Kong, and Macau for Traditional Chinese characters.

l en: English, using the English character set (Caribbean).

l euc-kr: Korean. The Extended Unix Code (EUC) is a character encoding system used for Japanese, Korean, and Simplified Chinese. This featured option is specifically for Korean.

l fr: French, using the French character set (Standard).

l pg: Portuguese, using the Proto-Germanic (PG), also called Common Germanic, character set.

l sp: Spanish, using the Spanish character set.

l x-sjis: Japanese. The Shift Japanese Industrial Standards (SJIS) is a Japanese character encoding method. filename

Filename path, up to a maximum of 64 characters. comments

Optional comments. dns

Use this command to configure DNS server addresses which are used for several FortiCache functions, including sending email alerts and URL blocking.

{primary | secondary}

IPv4 primary and/or secondary DNS server IP address. domain

Optional local domain name.

{ip6-primary | ip6-secondary}

IPv6 primary and/or secondary DNS server IP address. dns-cache-limit

Maximum number of entries in the DNS cache. The default is se to 5000.

FortiCache 4.2.1 CLI Reference 75 Fortinet Technologies Inc. dns-database system

dns-cache-ttl

Period of time in seconds that the DNS cache retains information. Set the value between 60-86400 (or one minute to one day). The default is set to 1800. cache-notfound-responses {enable | disable}

Enable or disable (by default) caching NOTFOUND responses from the DNS server. source-ip

Source IP address for communication with the DNS server. dns-database

Use this command to configure the FortiCache DNS database so that DNS lookups from an internal network are resolved by the DNS database. The database is managed by adding zones, with each zone assigned its own domain name and entries added with host names and IP addresses. config dns-entry

Use this configuration method to determine the entry-type and other settings.

status {enable | disable}

Enable (by default) or disable the DNS entry.

type {A | NS | CNAME | MX | AAAA | PTR | PTR_V6}

DNS entry type:

l A: Host; an IPv4 address (set by default).

l NS: Name server.

l CNAME: Canonical name.

l MX: Mail exchange.

l AAAA: IPv6 host.

l PTR: Pointer.

l PTR_V6: IPv6 pointer.

ttl

Optional entry-specific setting to override the zone's time-to-live value in seconds. Set to 0 (by default) to use the zone's ttl value.

preference

Note: This entry is only available when type is set to MX.

Preference level. Set the value between 0-65535 (0 is the highest preference).

76 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system dns-database

Note: This entry is only available when type is set to either A or PTR.

IPv4 address of the host.

ipv6

Note: This entry is only available when type is set to either AAAA or PTR_V6.

IPv6 address of the host.

hostname

Name of the host.

canonical-name

Note: This entry is only available when type is set to CNAME.

Canonical name of the host. status {enable | disable}

Enable (by default) or disable the DNS zone. domain

Domain name of the DNS zone, used when matching lookup DNS queries. allow-transfer

DNS zone transfer IP address list. type {master | slave}

Zone type:

l master: Manages entries directly (set by default).

l slave: Imports entries from outside source. view {shadow | public}

Type of view for the zone:

l shadow: To service internal clients (set by default).

l public: To service public clients. primary-name

Domain name of the default DNS server for the zone.The default is set to dns.

FortiCache 4.2.1 CLI Reference 77 Fortinet Technologies Inc. email-server system

contact

Email address of the administrator for the zone. If the email address is in this zone, you may only enter the username-portion of the email address. The default is set to hostmaster. ttl

Period of time in seconds for packet time-to-live. The default is set to 86400 (or one day). authoritative {enable | disable}

Enable (by default) or disable declaring this zone as an authoritative zone. forwarder

IP address of the DNS zone forwarder. source-ip

Source IP address to use when forwarding to the DNS server. email-server

Use this command to configure the FortiCache to access an SMTP server to send alert emails. type {custom}

Email server type; custom (set by default) is the only available option. reply-to

Optional setting to specify the reply-to email address. server

Hostname or IP address of the SMTP server. If entering a hostname, use the format smtp.domain.com. port

Port number used to connect to the SMTP server. The default is set to the standard SMTP port, 25.

{source-ip | source-ip6}

SMTP server's source IPv4 or IPv6 address.

78 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system fortiguard

authenticate {enable | disable}

Enable or disable (by default) SMTP authentication if the FortiCache is required to authenticate before using the SMTP server. username

Note: This entry is only available when authenticate is set to enable.

Username for the SMTP server that the FortiCache will send email alerts. password

Note: This entry is only available when authenticate is set to enable.

Password that the FortiCache needs to access the SMTP server. security {none | starttls | smtps}

Security profile to use for email: none (set by default), STARTTLS, or SMTPS. fortiguard

Use this command to configure communications with the FortiGuard Distribution Network (FDN) for FortiGuard subscription services, including:

l FortiGuard AntiVirus (AV) and IPS

l FortiGuard Web Filtering and Antispam

l FortiGuard Analysis and Management Service

l FortiGuard DNS-based web filtering If the FortiCache is unable to connect to the FDN, verify connectivity on required ports. For a list of required ports, see the Fortinet Communication Ports and Protocols guide. port {53 | 8888}

Port number used for rating queries to the FortiGuard Web Filtering or FortiGuard Antispam service. The default is set to 53. load-balance-servers

Number of FortiGuard servers to connect to. Set the value between 1-266. The default is set to 1. avquery-force-off {enable | disable}

Enable or disable (by default) stopping FortiGuard AV query service on the FortiCache.

FortiCache 4.2.1 CLI Reference 79 Fortinet Technologies Inc. fortiguard system

avquery-cache {enable | disable}

Enable (by default) or disable caching of FortiGuard AV query results.

Enabling the cache can improve performance because the FortiCache does not need to access the FDN each time the same IP address or URL appears as the source of an email. When the cache is full, the oldest cache entry is replaced. avquery-cache-ttl

Period of time in seconds for AV cache entry time-to-live. Set the value between 300-86400 (or five minutes to one day). The default is set to 1800 (or 30 minutes).

When the TTL expires, the cache entry is removed, requiring the FortiCache to query the FDN the next time that item occurs in scanned traffic. avquery-cache-mpercent

Maximum percentage of memory to be used for FortiGuard AV query caching. Set the value between 1-15. The default is set to 2. avquery-timeout

Period of time in seconds for the FortiGuard AV service query timeout. Set the value between 1-30. The default is set to 7. webfilter-force-off {enable | disable}

Enable or disable (by default) the FortiGuard Web Filter service. webfilter-cache {enable | disable}

Enable (by default) or disable caching of FortiGuard Web Filtering query results, including category ratings for URLs.

Enabling the cache can improve performance because the FortiCache does not need to access the FDN each time the same IP address or URL is requested. When the cache is full, the oldest cache entry is replaced. webfilter-cache-ttl

Period of time in seconds for Web Filtering cache entry time-to-live. Set the value between 300-86400 (or five minutes to one day). The default is set to 3600 (or one hour). webfilter-timeout

Period of time in seconds for the FortiGuard Web Filtering query timeout. Set the value between 1-30. The default is set to 15.

80 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system fsso-polling

webfilter-sdns-server-ip

IP address of the DNS server, used for DNS-based web filtering. webfilter-sdns-server-port

Port number of the DNS server, used for DNS-based web filtering. The default is set to 53. source-ip

Source IP address used to communicate with the FortiGuard servers. ddns-server-ip

IP address of the FortiDDNS service. ddns-server-port

Port number used for the FortiDDNS service. The default is set to 443. fsso-polling

Use this command to configure Fortinet Single Sign-On (FSSO) polling server settings. status {enable | disable}

Enable (by default) or disable FSSO Polling Mode status. listening-port

Listening port to accept clients. Set the value between 1-65535. The defautl is set to 8000. authentication {enable | disable}

Enable or disable (by default) FSSO Agent Authentication status. auth-password

Note: This entry is only available when authentication is set to enable.

Authentication password used to connect to the FSSO Agent. global

Use this command to configure global settings that affect various FortiCache systems and configurations.

FortiCache 4.2.1 CLI Reference 81 Fortinet Technologies Inc. global system

admin-concurrent {enable | disable}

Enable (by default) or disable concurrent administrator logins. If disabled, concurrent access from the same admin user name is permitted but restricted to different IP addresses.

Use the policy-auth-concurrent entry below for firewall authenticated users. admin-console-timeout

Period of time in seconds for the console login timeout. Set the value between 15-300 (or 15 seconds to five minutes). The default is set to 0.

Note that this timeout value overrides the value specified in the admintimeout entry below. admin-https-pki-required {enable | disable}

Enable to allow users to login with a valid certificate if PKI is enabled for HTTPS administrative access. Disable (by default) to allow admin users to log in by providing a valid certificate or password. admin-https-redirect {enable | disable}

Enable (by default) or disable redirection of HTTP administrative access to HTTPS. admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2 | sslv3}

Permitted versions of SSL/TLS:

l tlsv1-0: TLS 1.0.

l tlsv1-1: TLS 1.1 (set by default).

l tlsv1-2: TLS 1.2 (set by default).

l sslv3: SSLv3. admin-lockout-duration

Duration of time in seconds that the administration account remains on lockout for the firewall. Repeated failed login attempts will enable the lockout. The default is set to 60 (or one minute).

Once set, use the admin-lockout-threshold entry below to set the number of failed attempts that will trigger the lockout. admin-lockout-threshold

Number of failed login attempts to trigger the administrative account lockout. The lockout will last for as long as the value indicates in the admin-lockout-duration entry above. Set the value between 1-10. The default is set to 3.

82 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system global

admin-login-max

Maximum number of administrators who can log in at the same time. Set the value between 1-100. The default is set to 100. admin-maintainer {enable | disable}

Enable (by default) or disable the hidden "maintainer" user login, used for password recovery.

When enabled, the maintainer account can log in from the console after a hard reboot (power off followed by power on), using the password "bcpb" followed by the FortiCache unit's serial number (e.g. bcpbFCH1AB2C34567890). Note that you have a limited time to complete this login. admin-port

Port number used for HTTP administrative access. Set the value between 1-65535. The default is set to 80. admin-scp {enable | disable}

Enable or disable (by default) allowing the system configuration to be downloaded by the Secure Copy Protocol (SCP). admin-server-cert

Administrator HTTPS server certificate to use. The default is set to self-sign. admin-sport

Port number used for HTTPS administrative access. Set the value between 1-65535. The default is set to 443. admin-ssh-grace-time

Maximum period of time in seconds permitted between making an SSH connection to the FortiCache and successfully authenticating. Set the value between 10-3600 (or ten seconds to one hour). The default is set to 120 (or two minutes). admin-ssh-port

Port number used for SSH administrative access. Set the value between 1-65535. The default is set to 22. admin-ssh-v1 {enable | disable}

Enable or disable (by default) compatibility with SSH v1.0. admin-telnet-port

Port number used for telnet administrative access. Set the value between 1-65535. The default is set to 23.

FortiCache 4.2.1 CLI Reference 83 Fortinet Technologies Inc. global system

admintimeout

Period of time in minutes before an idle administrator times out. Set the value between 1-480 (or one minute to eight hours). The default is set to 480.

For improved security, keep the idle timeout at a lower value. arp-max-entry

Maximum number of dynamically learned MAC addresses that can be added to the ARP table. Set the value between 131072-2147483647. The default is set to 131072. If set to 0, kernel holds the default number of entries. auth-cert

HTTPS server certificate to use for policy authentication. The default is set to self-sign. auth-http-port

Port number used for HTTP authentication. Set the value between 1-65535. The default is set to 1000. auth-https-port

Port number used for HTTPS authentication. Set the value between 1-65535. The default is set to 1003. auth-keepalive {enable | disable}

Enable or disable (by default) extending the authentication time of the session through periodic traffic to prevent and idle timeout. batch-cmdb {enable | disable}

Enable (by default) or disable batch mode, used to enter a series of commands, and executing the commands as a group once they are loaded. cert-chain-max

Maximum depth for a certificate chain. The default is set to 8. cfg-revert-timeout

Note: This entry is only available when cfg-save is set to revert.

Period of time in seconds before an idle timeout occurs and the FortiCache reverts back to the last saved configuration. The default is set to 600 (or ten minutes). cfg-save {automatic | manual | revert}

Method for saving the FortiCache system configuration and enter into runtime-only configuration mode:

84 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system global

l automatic: Automatically save the configuration after every change (set by default).

l manual: Manually save the configuration by entering the execute cfg save command.

l revert: Manually save the current configuration and then revert to the saved configuration after cfg-revert-timeout expires. clt-cert-req {enable | disable}

Enable or disable (by default) requiring a client certificate before an administrator logs on to the web-based manager using HTTPS. conntrack

Maximum number of connection tracking (or conntrack), a table that stores information about all connections to and from the FortiCache, such as source and destination IP address, port number pairs (or socket pairs), protocol types, connection state, and timeouts. Set the value between 60000-5000000. The default is set to 1600000. csr-ca-attribute {enable | disable}

Enable (by default) or disable using the CA attribute in your certificate. Note that some CA servers reject CSRs that have the CA attribute. daily-restart {enable | disable}

Enable or disable (by default) restarting the FortiCache every day. Once enabled, use the restart-time entry to specify the time of the restart. dst {enable | disable}

Enable (by default) or disable daylight saving time. When enabled, the FortiCache automatically adjusts the system time accordingly between daylight saving time and standard time. explicit-proxy-auth-timeout

Period of time in seconds before idle explicit web proxy sessions timeout. Set the value between 1-600 (or one second to ten minutes). The default is set to 300 (or five minutes). fds-statistics {enable | disable}

Enable (by default) or disable AV/IPS signature reporting. fds-statistics-period

Period of time in minutes to be covered in the FDS report. Set the value between 1-1440 (or one minute to one day). The default is set to 60 (or one hour).

FortiCache 4.2.1 CLI Reference 85 Fortinet Technologies Inc. global system

fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}

Kinds of alerts to receive from FortiGuard:

l advisory: FortiGuard advisories; reports and new alerts (set by default).

l latest-threat: Latest FortiGuard threat alerts (set by default).

l latest-virus: Latest FortiGuard virus alerts.

l latest-attack: Latest FortiGuard attack alerts.

l new-antivirus-db: FortiGuard AV database release alerts.

l new-attack-db: FortiGuard IPS database release alerts. gui-antivirus {enable | disable | flow-only}

Enable (by default) or disable AntiVirus profiles in the web-based manager, or only show them while in Flow mode. gui-certificates {enable | disable}

Enable (by default) or disable certificate configuration in the web-based manager. gui-custom-language {enable | disable}

Enable or disable (by default) custom language configuration in the web-based manager. gui-dlp {enable | disable}

Enable (by default) or disable Data Leak Prevention (DLP) in the web-based manager. gui-dns-database {enable | disable}

Enable (by default) or disable the DNS database menu in the web-based manager. gui-explicit-proxy {enable | disable}

Enable (by default) or disable Explicit Proxy options in the web-based manager. gui-icap {enable | disable}

Enable (by default) or disable ICAP configuration options in the web-based manager. gui-implicit-policy {enable | disable}

Enable (by default) or disable implicit firewall policy configuration options in the web-based manager. gui-lines-per-page

Number of lines displayed on table lists per page. Set the value between 20-1000. The default is set to 50.

86 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system global

gui-multiple-utm-profiles {enable | disable}

Enable (by default) or disable the display of UTM profiles in the web-based manager. gui-replacement-message-groups {enable | disable}

Enable or disable (by default) the Replacement Message Groups feature in the web-based manager. gui-utm-monitors {enable | disable}

Enable or disable (by default) UTM monitors in the web-based manager. gui-wan-load-balancing {enable | disable}

Enable (by default) or disable the WAN load-balancing feature in the web-based manager. gui-wanopt-cache {enable | disable}

Enable (by default) or disable the WAN optimization configuration options in the web-based manager. gui-webfilter {enable | disable | flow-based}

Enable (by default) or disable Web Filter profiles in the web-based manager, or only show them while in Flow mode. gui-webfilter-advanced {enable | disable}

Enable or disable (by default) advanced Web Filter configuration options in the web-based manager. hostname

Name to identify the FortiCache that can only consist of letters, numbers, hyphens, and underscores; no spaces are allowed. The default is set to the FortiCache's unique serial number.

While the hostname can be longer than 24 characters, if it is longer than 24 characters it will be truncated with a ~ symbol. The trailing three characters preceded by the ~ truncation character and the first N-3 characters are shown. This shortened hostname will be displayed in the CLI, and any other locations that the hostname is used. Some models support hostnames of up to 35 characters. http-obfuscate {none | modified | header-only | no-error}

Level at which the identity of the FortiCache web server is hidden/obfuscated in the browser address field, including URLs provided via SSL VPN bookmarks (web mode only):

l none: Web server's identity is not hidden.

l modified: Modified error responses are provided (set by default).

l header-only: HTTP server banner is hidden.

l no-error: Suppresses error resonses.

FortiCache 4.2.1 CLI Reference 87 Fortinet Technologies Inc. global system

http-view {enable | disable}

Enable or disable (by default) logging and display of HTTP/S cache traffic. ip-src-port-range

IP source port range used for traffic originating from the FortiCache. Set the lower and upper range limits between 1-65535 inclusive, with a hyphen separating the lowest and highest values. The default is set to 1024- 25000. ipv6-accept-dad {0 | 1 | 2 }

IPv6 Duplicate Address Dedection (DAD) operation:

l 0: Disable DAD.

l 1: Enable DAD (set by default).

l 2: Enable DAD and disable IPv6 operation if MAC-based duplicate link-local address has been found. language {english | french | spanish | portuguese | japanese | trach | simch | korean}

Display language used in the web-based manager: English (set by default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. ldapconntimeout

LDAP connection timeout in milliseconds. Set the value between 0-4294967295 (or no timeout to just under 50 days). The default is set to 500 (or half a second). login-timestamp {enable | disable}

Enable or disable (by default) logging of login timestamps. max-dlpstat-memory

Memory limit as a percentage for the DLP stat daemon. Set the value between 1-15. The default is set to 5. miglogd-children

Maximum number of miglogd child (a logging daemon) processes to run at a time. Set the value between 0-15. The default is set to 0. ndp-max-entry

Maximum number of Neighbor Discovery Protocol (NDP) table entries. Set the value to 65536 or higher. The default is set to 0, whereby the kernel holds 65,536 entries.

88 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system global

policy-auth-concurrent

Maximum limit of concurrent logins for the same user. Set the value between 0-100. The default is set to 0.

Use the admin-concurrent entry above for admin accounts. post-login-banner {enable | disable}

Enable or disable (by default) the display of the administrator access disclaimer message after successful logon.

To set the disclaimer message, see admin {post_admin-disclaimer-text | pre_admin-disclaimer-text}. pre-login-banner {enable | disable}

Enable or disable (by default) the display of the administrator access disclaimer message prior to logon.

To set the disclaimer message, see admin {post_admin-disclaimer-text | pre_admin-disclaimer-text}. radius-port

Port number for RADIUS traffic. Set the value between 1-65535. The default is set to the standard RADIUS port, 1812. refresh

Interval of time in seconds for the System Status Monitor to automatically refresh. The default is set to 0. registration-notification {enable | disable}

Enable (by default) or disable displaying the registration notification in the web-based manager if the FortiCache is not registered. remoteauthtimeout

Period of time in seconds that the FortiCache waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. Set the value between 0-300 (or no timeout to five minutes). The default is set to 5.

Note that, to improve security, it's recommended to keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops, or several RADIUS requests are made, the default timeout may not be long enough to receive a response. restart-time

Note: This entry is only available when daily-restart is set to enable.

Time of day that the FortiCache carries out its daily restart in the format hh:mm. The default is set to 00:00.

FortiCache 4.2.1 CLI Reference 89 Fortinet Technologies Inc. global system

scanunit-count

Number of scanunit processes the FortiCache undergoes. The range and default value depend on the model; a FortiCache 1000D, for example, can be set between 1-4, with the default set to 3. This command is recommended for advanced users. service-expire-notification {enable | disable}

Enable (by default) or disable displaying a notification on the web-based manager 30 days before the FortiCache's support contract expires. session-timeout

Period of time in seconds for a session timeout. Set the value between 600-432000 (or ten minutes to five days). The default is set to 3600 (or one hour). special-file-23-support {enable | disable}

Enable or disable (by default) IPS detection of Hibun format files in DLP. Hibun formatted files are specially encrypted corporate data designed to protect against unauthorized access. ssh-cbc-cipher {enable | disable}

Note: This entry is only available when strong-crypto is set to disable.

Enable (by default) or disable the use of CBC-cipher for SSH access. ssh-hmac-md5 {enable | disable}

Note: This entry is only available when strong-crypto is set to disable.

Enable (by default) or disable the use of HMAC-MD5 for SSH access. strong-crypto {enable | disable}

Enable or disable (by default) the use of strong encryption (i.e. only allow strong ciphers, such as AES, TLS, and 3DES, and digest such as SHA1) for HTTPS/SSH administrator access. sys-perf-log-interval

Period of time in minutes before performance statistics logging occurs. Set the value between 0-15, where 0 disables the option. The default is set to 5. tcp-option {enable | disable}

Enable (by default) or disable SACK, timestamp, and MSS TCP options. Disable only for performance testing, or in rare cases where it impairs performance.

90 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system ha

timezone {00 | 01 | 02 | ... }

Number corresponding to one of 86 available timezones; many options have the same numerical time over or under GMT, but are specific to certain cities or regions. The default is set to 04, or (GMT-8:00)Pacific Time (US&Canada).

To see the full list of available timezones, enter set timezone ?. traffic-priority {tos | dscp}

Either type of service TOS (set by default) or differentiated services code point (DSCP) for traffic prioritization. traffic-priority-level {low | medium | high}

Level of priority for traffic prioritization, determining the priority of traffic for scheduling, typically set on a per service type level: low, medium (set by default), or high. user-server-cert

Name of a certificate used for HTTPS user authentication. The default is set to self-sign. wad-csvc-cs-count

Maximum number of concurrent WAD-cache-service object-cache processes. The range and default value depend on the model; a FortiCache 1000D, for example, can only be set to 1. wad-csvc-db-count

Maximum number of concurrent WAD-cache-service byte-cache processes. The range and default value depend on the model; a FortiCache 1000D, for example, can be set between 1-4, with a default set to 1. wad-worker-count

Maximum number of concurrent explicit proxy WAD workers. The range and default value depend on the model; a FortiCache 1000D, for example, can be set between 1-4, with the default set to 2. ha

Use this command to configure high availability (HA) and virtual clustering. group-id

HA group ID. Set the value between 0-255. The default is set to 0.

Changing the group ID changes the cluster virtual MAC address. Note that all members of the HA cluster must have the same group ID.

FortiCache 4.2.1 CLI Reference 91 Fortinet Technologies Inc. ha system

group-name

HA group name, up to a maximum of 32 characters.

This entry can be unset if mode is set to standard. Note that all members of the HA cluster must have the same group name. mode {standalone | a-a}

HA mode:

l standalone: Disable HA (set by default).

l a-a: Create an Active-Active cluster. password

Password for the HA cluster, up to a maximum of 15 characters. The password must be the same for all cluster units. hbdev

Heartbeat interfaces and their heartbeat priorities. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic.

By default two interfaces are configured to be heartbeat interfaces and the priority for both these interfaces is set to 50. Set the heartbeat interface priority value between 0-512. The default is set to "port4" 50 "port3" 50. sync-config {enable | disable}

Enable (by default) or disable automatic synhronization of primary unit configuration changes to all cluster units. encryption {enable | disable}

Enable or disable (by default) HA heartbeat message encryption using AES-128 for encryption and SHA1 for authentication. authentication {enable | disable}

Enable or disable (by default) HA heartbeat message authentication using SHA1. hb-interval

Heartbeat interval in milliseconds between sending heartbeat packets. Set the value between 1-20 (100*milliseconds), for example, an hb-interval of 2 (set by default) means a heartbeat packet is sent every 200 milliseconds.

92 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system interface

hb-lost-threshold

Lost heartbeat threshold (i.e. the number of consecutive heartbeat packets that are not received) from another cluster unit) before assuming that the cluster unit has failed. Set the value between 1-60. The default is set to 6. helo-holddown

Hello state hold-down time in seconds that a cluster unit waits before changing from a hello state to a work state. Set the value between 5-300 (or five seconds to five minutes). The default is set to 20. uninterruptible-upgrade {enable | disable}

Enable (by default) or disable upgrading the cluster without interrupting cluster traffic processing.

When enabled, traffic processing is not interrupted during a normal firmware upgrade. This process can, however, take some time and may reduce the capacity of the cluster for a short time.

When disabled, traffic processing is interrupted as expected during a normal firmware upgrade. override {enable | disable}

Enable or disable (by default) forcing the cluster to renegotiate and select a new primary unit every time a cluster unit leaves or joins a cluster, changes status within a cluster, or every time the HA configuration of a cluster unit changes. priority

Device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the cluster unit with the highest device priority becomes the primary unit. Set the value between 0-255. The default is set to 128. interface

Use this command to create and edit physical interfaces and configure IPv6 address settings.

An interface’s IPv6 address can be included in a Multicast Listener Discovery (MLD) report. By default, the FortiCache includes no addresses in the MLD report. For more information, see the ip6-send-adv entry below. config secondaryip

Note: This configuration method is only available when secondary-IP is set to enable.

Use this configuration method to configure a secondary IP for this interface.

Interface's secondary IP address and netmask.

FortiCache 4.2.1 CLI Reference 93 Fortinet Technologies Inc. interface system

allowaccess {ping | https | ssh | snmp | http | telnet | radius-acct | fgfm}

Management access types permitted on this interface. To enter multiple types, separate each entry with a space: PING, HTTPS, SSH, SNMP, HTTP, TELNET, RADIUS Accounting, and/or FortiManager management access. config ipv6

Use this configuration method to configure various IPv6 settings.

config ip6-extra-addr

Use this configuration method to configure extra IPv6 address prefixes of the interface.

ip6-mode {static | dhcp}

Either static (set by default) or DHCP-assigned address for this interface in IPv6 operation.

ip6-address

Interface IPv6 address and netmask.

ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | capwap}

Management access types permitted on this IPv6 interface. To enter multiple types, separate each entry with a space: PING, HTTPS, SSH, SNMP, HTTP, TELNET, FortiManager management, and/or CAPWAP access.

ip6-send-adv {enable | disable}

Enable or disable (by default) the flag indicating whether or not to send periodic router advertisements and to respond to router solicitations.

When enabled, this interface’s address will be added to all-routers group (FF02::02) and be included in an MLD report. If no interfaces on the FortiCache have ip6-send-adv enabled, FortiCache will only listen to the all-hosts group (FF02::01), which is explicitly excluded from MLD reports (according to section 5 of RFC 2710).

ip6-reachable-time

Period of time in milliseconds to be added to the reachable time field in the router advertisements. Set the value between 0-3600000 (or no time to one hour). The default is set to 0.

ip6-retrans-time

Period of time in milliseconds to be added to the Retrans Timer field in the router advertisements. The default is set to 0.

ip6-hop-limit

Hop limit to be added to the Cur Hop Limit field in the router advertisements sent out this interface. The default is set to 0.

autoconf {enable | disable}

Enable or disable (by default) automatic configuration of the IPv6 address.

94 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system interface

vdom {root}

Note: This entry is only available when creating a new interface entry.

VDOM for this interface; root (set by default) is the only available option, as FortiCache doesn't support multiple VDOMs. mode {static}

Connection mode for this interface; static (set by default), a static IP address for the interface, is the only available option. ip

IP address and netmask for the interface. The IP address cannot be on the same subnet as any other Forticache interface. allowaccess {ping | https | ssh | snmp | http | telnet | radius-acct | fgfm}

Note: This entry is only available when editing a preexisting physical interface.

MAC address of this interface, in the format xx:xx:xx:xx:xx:xx. speed {auto | 10full | 10half | 100full | 100half | 1000full | 1000half | 1000auto}

Note: This entry is only available when editing a preexisting physical interface.

Interface speed in megabits per second, depending on your FortiCache model; a FortiCache 1000D, for example, has the following available speeds:

l auto: Automatically adjusts speed accordingly.

l 10full: 10 Mbps, full duplex.

l 10half: 10 Mbps, half duplex.

l 100full: 100 Mbps, full duplex.

l 100half: 100 Mbps, half duplex.

l 1000full: 1000 Mbps, full duplex.

l 1000half: 1000 Mbps, half duplex.

l 1000auto: 1000 Mbps, auto adjust. status {up | down}

Start (up; set by default) or stop the interface. If down, the interface stops accepting or sending packets.

FortiCache 4.2.1 CLI Reference 95 Fortinet Technologies Inc. interface system

type {aggregate | redundant | loopback | physical}

Note: The physical option for this entry is only available when editing a preexisting physical interface; in addition, when editing a preexisting interface, physical is the only available option.

Interface type.

Note that, when type is set to loopback, the only other available entries are as follows: ip, allowaccess, status, type, explicit-web-proxy, description, alias, snmp-index, and secondary-IP. dedicated-to {none | management}

Note: This entry is only available when editing a preexisting physical interface that is not already in use.

Determine whether this port is dedicated to unit management or not. The default is set to none. mtu-override {enable | disable}

Note: This entry is only available when editing a preexisting physical interface, or when type is set to aggregate or redundant.

Enable or disable (by default) configuring custom maximum transmission unit (MTU) size. mtu

Note: This entry is only available when mtu-override is set to enable.

Custom MTU size in bytes. Ideally, this value should be set to the size of the smallest MTU of all the network between the FortiCache and the packet destination. wccp {enable | disable}

Enable or disable (by default) Web Cache Communication Protocol (WCCP) on this interface. explicit-web-proxy {enable | disable}

Enable or disable (by default) explicit Web proxy on this interface. weight

Default weight for static routes on this interface. Set the value between 0-255. The default is set to 0. member

Note: This entry is only available when creating a new interface entry.

List of physical interfaces that are part of an aggregate or redundant group. An interface is available to be part of such a group only if:

l it is a physical interface,

l it is not already part of an aggregated or redundant interface,

96 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system interface

l it has no defined IP address and is not configured for DHCP or PPPoE,

l it has no DHCP server or relay configured on it,

l it does not have any VLAN subinterfaces,

l it is not referenced in any firewall policy,

l and it is not an HA heartbeat device or monitored by HA. Note that the order you specify the interfaces in the member list is the order they will become active in the redundant group. lacp-mode {static | passive | active}

Note: This entry is only available when type is set to aggregate.

Link Aggregation Control Protocol (LACP) mode:

l static: Use static aggregation; do not send LACP messages, and ignore any LACP messages.

l passive: Passively use LACP to negotiate 802.3ad aggregation.

l active: Actively use LACP to negotiate 802.3ad aggregation (set by default). lacp-ha-slave {enable | disable}

Note: This entry is only available when type is set to aggregate.

Enable (by default) or disable the HA slave's ability to send and/or receive LACP messages. lacp-speed {slow | fast}

Note: This entry is only available when type is set to aggregate.

Frequency at which LACP messages are sent:

l slow: Send LACP messages every 30 seconds (set by default).

l fast: Send LACP messages every second. algorithm {L2 | L3 | L4}

Note: This entry is only available when type is set to aggregate.

Frame distribution algorithm:

l L2: Use layer 2 address for distribution.

l L3: Use layer 3 address for distribution.

l L4: Use layer 4 information for distribution (set by default). description

Optional description.

FortiCache 4.2.1 CLI Reference 97 Fortinet Technologies Inc. ntp system

alias

Alias name for this interface, to make it easier to distinguish between other interfaces, up to a maximum of 25 characters. snmp-index

Optional index number of this interface for SNMP purposes. secondary-IP {enable | disable}

Enable or disable (by default) the configuration method for adding a secondary IP address to this interface (see config secondaryip above). ntp

Use this command to configure Network Time Protocol (NTP) servers. config ntpserver

Note: This configuration method is only available when type is set to custom.

server

IPv4 address or host name for the NTP server. You can also add an IPv4 address and hostname in the format 1.1.1.1/abcd.

ntpv3 {enable | disable}

Enable or disable (by default) the use of NTPv3 protocol instead of NTPv4. ntpsync {enable | disable}

Enable (by default) or disable synchronizing the FortiCache's syetm time with the NTP server. type {fortiguard | custom}

Type of NTP server: FortiGuard (set by default) or a custom NTP server. syncinterval

Period of time in minutes between contacting NTP server to synchronize the time. Set the value between 1-1440 (or one minute to one day). The default is set to 60 (or one hour). source-ip

Source IP address for communications to the NTP server.

98 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system object-tag object-tag

Use this command to create object tags.

There are no configurable entries within this command, except the name of the object tag. password-policy

Use this command to configure password policy settings, allowing for higher security requirements of administrators regarding their passwords and IPsec VPN pre-shared keys.

Note: By default, the only option available to begin with is status. All other options in this command only become available when status is set to enable. status {enable | disable}

Enable or disable (by default) password policy settings. apply-to {admin-password | ipsec-prehsared-key}

Determine whether the password policy applies to administrator passwords (set by default) or IPsec preshared keys. minimum-length

Minimum character-length of password. Set the value between 8-128. The default is set to 8. min-lower-case-letter

Minimum lower-case characters required for password. Set the value between 0-128. The default is set to 0. min-upper-case-letter

Minimum upper-case characters required for password. Set the value between 0-128. The default is set to 0. min-non-alphanumeric

Minimum non-alphanumeric characters required for password. Set the value between 0-128. The default is set to 0. min-number

Minimum numeric characters required for password. Set the value between 0-128. The default is set to 0.

FortiCache 4.2.1 CLI Reference 99 Fortinet Technologies Inc. replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy} system

change-4-characters {enable | disable}

Enable or disable (by default) requiring the new password to differ from the old password by four or more characters. expire-status {enable | disable}

Enable or disable (by default) password expiration. Once enabled, use the expire-day entry to set the number of days an administrator user's password will remain valid before it expires. expire-day

Note: This entry is only available when expire-status is set to enable.

Number of days before an administrator user's password will expire. Set the value between 1-999 (or one day to over 32 months). The default is set to 90 (or approximately three months). replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy}

The replacemsg command is divided into nine configurable options; configure replacement messages for:

l administration disclaimer pages,

l alert mail text messages with HTTP headers,

l user authentication login pages,

l web pages that FortiGuard web filtering may block,

l FTP clients when a file contains a virus in an FTP session,

l AntiVirus blocked HTTP session pages,

l NAC quarantine pages (for DLP, DoS, IPS, and detected viruses),

l when data leaks occur or viruses are detected,

l and web proxy user authentication failures and HTTP errors. To view available replacement message tags that can be added to the various messages shown below, see Appendix A: Replacement message tags. admin {post_admin-disclaimer-text | pre_admin-disclaimer-text}

Use this command to configure administration disclaimer page replacement messages.

For the FortiCache to display the Administration Login disclaimer whenever an administrator logs into the FortiCache's web-based manager, enter the following: config system global set pre-login-banner set post-login-banner end This disclaimer contains the text of the Login Disclaimer replacement message, as well as Accept and Decline options. The administrator must select Accept to login.

100 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy}

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html. alertmail {alertmail-block | alertmail-crit-event | alertmail-disk-full | ... }

Use this command to configure the alert email messages sent to administrators.

To see the full list of available alertmail replacement messages to edit, enter config system replacemsg alertmail ?.

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html. auth {auth-block-notification-page | auth-cert-passwd-page | auth-challenge-page | ... }

Use this command to configure user authentication HTML page replacement messages.

To see the full list of available auth replacement messages to edit, enter config system replacemsg auth ?.

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html. fortiguard-wf {ftgd-block | ftgd-ovrd | ftgd-quota | ... }

Use this command to configure FortiGuard Web Filtering blocked-page replacement messages.

FortiCache 4.2.1 CLI Reference 101 Fortinet Technologies Inc. replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy} system

To see the full list of available fortiguard replacement messages to edit, enter config system replacemsg fortiguard ?.

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html. ftp {ftp-dl-archive-block | ftp-dl-blocked | ftp-dl-dlp-ban | ... }

Use this command to configure FTP session-related replacement messages.

To see the full list of available ftp replacement messages to edit, enter config system replacemsg ftp ?.

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html. http {bannedword | http-archive-block | http-block | ... }

Use this command to configure HTTP session-related replacement messages.

To see the full list of available http replacement messages to edit, enter config system replacemsg http ?.

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html. nac-quar {nac-quar-admin | nac-quar-dlp | nac-quar-dos | ... }

Use this command to configure NAC quarantine page replacement messages.

102 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system replacemsg {admin | alertmail | auth | fortiguard-wf | ftp | http | nac-quar | utm | webproxy}

To see the full list of available nac-quar replacement messages to edit, enter config system replacemsg nac- quar ?.

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html. utm {appblk-html | dlp-html | dlp-text | ... }

Use this command to configure blocked item (due to data leaks or detected viruses) replacement messages.

To see the full list of available utm replacement messages to edit, enter config system replacemsg utm ?.

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html. webproxy {auth-authorization-fail | auth-challenge | auth-ip-blackout | ... }

Use this command to configure failed user authentication and HTTP error page replacement messages.

To see the full list of available webproxy replacement messages to edit, enter config system replacemsg webproxy ?.

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none (set by default), http, or 8bit.

format {none | text | html}

Format of the message: none, text (set by default), or html.

FortiCache 4.2.1 CLI Reference 103 Fortinet Technologies Inc. replacemsg-group system replacemsg-group

Use this command to create and edit replacement message profiles to be applied to specific users or user groups.

The following replacement message categories can be customized in groups when group-type is set to auth:

l webproxy

l auth The following replacement message categories can be customized in groups when group-type is set to utm:

l http

l webproxy

l fortiguard-wf

l alertmail

l admin

l nac-quar

l utm

l custom-message

l ftp Note: Despite webproxy being available for both group-types, the two configure different message types. config webproxy

Note: The message types found in this configuration method are only available when group-type is set to auth.

Use this configuration method to configure the message types defined for web proxy messages.

The following message types can be edited:

l deny

l user-limit

l auth-challenge

l auth-login-fail

l auth-authorization-fail

l http-err

l auth-ip-blackout

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

104 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system replacemsg-group

config auth

Note: This configuration method is only available when group-type is set to auth.

Use this configuration method to configure the message types defined for authentication messages.

The following message types can be edited:

l auth-disclaimer-page-1 l auth-password-page

l auth-disclaimer-page-2 l auth-fortitoken-page

l auth-disclaimer-page-3 l auth-next-fortitoken-page

l auth-reject-page l auth-email-token-page

l auth-login-page l auth-sms-token-page

l auth-login-failed-page l auth-email-harvesting-page

l auth-token-login-page l auth-email-failed-page

l auth-token-login-failed-page l auth-cert-passwd-page

l auth-success-msg l auth-guest-print-page

l auth-challenge-page l auth-guest-email-page

l auth-keepalive-page l auth-success-page

l auth-portal-page l auth-block-notification-page

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html. config http

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for HTTP messages.

The following message types can be edited:

FortiCache 4.2.1 CLI Reference 105 Fortinet Technologies Inc. replacemsg-group system

l bannedword l http-contenttypeblock

l url-block l https-invalid-cert-block

l urlfilter-err l http-client-block

l infcache-block l http-client-filesize

l http-block l http-client-bannedword

l http-filesize l http-post-block

l http-dlp-ban l http-client-archive-block

l http-archive-block l switching-protocols-block

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html. config webproxy

Note: The message types found in this configuration method are only available when group-type is set to utm.

Use this configuration method to configure the message types defined for web proxy messages.

The following message types can be edited:

l bannedword l http-contenttypeblock

l url-block l https-invalid-cert-block

l urlfilter-err l http-client-block

l infcache-block l http-client-filesize

l http-block l http-client-bannedword

l http-filesize l http-post-block

l http-dlp-ban l http-client-archive-block

l http-archive-block l switching-protocols-block

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

106 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system replacemsg-group

config fortiguard-wf

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for FortiGuard web filtering messages.

The following message types can be edited:

l ftgd-block

l ftgd-err

l ftgd-ovrd

l ftgd-quota

l ftgd-warning

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html. config alertmail

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for alert mail messages.

The following message types can be edited:

l alertmail-virus

l alertmail-block

l alertmail-nids-event

l alertmail-crit-event

l alertmail-disk-full

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html.

FortiCache 4.2.1 CLI Reference 107 Fortinet Technologies Inc. replacemsg-group system

config admin

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for administration messages.

The following message types can be edited:

l pre_admin-disclaimer-text

l post_admin-disclaimer-text

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html. config nac-quar

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for NAC quarantine messages.

The following message types can be edited:

l nac-quar-virus

l nac-quar-dos

l nac-quar-ips

l nac-quar-dlp

l nac-quar-admin

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html. config utm

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for UTM messages.

108 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system replacemsg-group

The following message types can be edited:

l virus-html

l virus-text

l dlp-html

l dlp-text

l appblk-html

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html. config custom-message

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message type defined for custom messages.

The following message type can be edited:

l msg-type

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html. config ftp

Note: This configuration method is only available when group-type is set to utm.

Use this configuration method to configure the message types defined for FTP messages.

The following message types can be edited:

l ftp-dl-blocked

l ftp-dl-filesize

l ftp-dl-dlp-ban

FortiCache 4.2.1 CLI Reference 109 Fortinet Technologies Inc. replacemsg-image system

l ftp-explicit-banner

l ftp-dl-archive-block

buffer

New replacement message to replace the current message, up to a maximum of 8,192 characters.

header {none | http | 8bit}

Format of the message header: none, http, or 8bit.

format {none | text | html}

Format of the message: none, text, or html. comment

Optional comments. group-type {utm | auth}

Type of replacement message group this group is:

l auth: For use with authentication pages in firewall policies (set by default).

l utm: For use with UTM settings in firewall policies. replacemsg-image

Use this command to create and edit images to be used in HTTP replacement messages. Note that both entries available (image-type and image-base64) must be set for a valid entry.

The following predefined images are available for editing:

l logo_fguard_wf

l logo_fnet

l logo_fw_auth

l logo_v2_fguard_app

l logo_v2_fguard_wf

l logo_v2_fnet image-type {gif | jpg | tiff | png}

Format of the image: GIF, JPG, TIFF, or PNG. image-base64

Image in base64 encoding.

110 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system settings settings

Use this command to configure settings that affect various FortiCache features such as operating mode and default gateway. opmode {nat | transparent}

Operation mode: NAT (set by default) or transparent. firewall-session-dirty {check-all | check-new | check-policy-option}

Method for managing changes to firewall policies:

l check-all: Flush all current sessions and re-evaluate them (set by default).

l check-new: Keep existing sessions and apply policy change to new sessions only (this can lead to reduced CPU load and the possibility of packet loss).

l check-policy-option: Use the option selected in the firewall policy.

{manageip | manageip6}

Note: These entries are only available when opmode is changed from nat to transparent before you commit the change by entering end or next.

IPv4/IPv6 IP address and netmask of the Transparent mode management interface.

{gateway | gateway6}

Note: These entries are only available when opmode is changed from nat to transparent, or vice-versa, before you commit the change by entering end or next.

Default gateway IPv4/IPv6 address.

{ip | ip6}

Note: These entries are only available when opmode is changed from transparent to nat before you commit the change by entering end or next.

IPv4/IPv6 IP address. device

Note: This entry is only available when opmode is changed from transparent to nat before you commit the change by entering end or next.

Interface, or port, for management access; this is the interface to which the ip entry above applies. bypass {off | powerup | powerdown | both}

Bypass interface mode:

FortiCache 4.2.1 CLI Reference 111 Fortinet Technologies Inc. snmp {community | sysinfo | user} system

l off: Disable bypass (set by default).

l powerup: Bypass when power is up.

l powerdown: Bypass when power is down.

l both: Bypass regardless of power status. wccp-cache-engine {enable | disable}

Note: This entry is only available when opmode is changed from nat to transparent, or vice-versa, before you commit the change by entering end or next.

Enable or disable (by default) the FortiCache to operate as a WCCP cache engine. Once enabled, use the config system wccp command to configure WCCP cache engine settings.

Conversely, if disabled, the FortiCache will operate as a WCCP router. gui-default-policy-columns

Default columns to display for firewall policy list in the web-based manager. To view the full list of columns, enter set gui-default-policy-columns ?. snmp {community | sysinfo | user}

The snmp command is divided into three configurable options: create and edit SNMP communities, enter basic system information used by the SNMP agent, and create and edit SNMP users. community

Use this command to configure SNMP communities so that SNMP managers can connect to the FortiCache to view system information and receive SNMP traps. SNMP traps are triggered when system events happen such as when AntiVirus checking is bypassed, or when the log disk is almost full.

config {hosts | hosts6}

Use this configuration method to configure IPv4 and/or IPv6 hosts.

{source-ip | source-ip6}

IPv4 or IPv6 source IP address for SNMP traps sent by the FortiCache.

{ip | ipv6}

IPv4 or IPv6 IP address of the SNMP manager.

interface

Note: This entry is only available when ha-direct is set to disable.

Interface, or port, to which the SNMP manager connects. The default is set to any.

112 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system snmp {community | sysinfo | user}

ha-direct {enable | disable}

Enable or disable (by default) direct management of cluster members.

host-type {any | query | trap}

Permitted actions for this host, depending upon the type:

l any: Any SMTP action (set by default).

l query: Make queries only.

l trap: Receive traps only.

name

SNMP community name.

status {enable | disable}

Enable (by default) or disable the SNMP community.

query-v1-status {enable | disable}

Enable (by default) or disable SNMP v1 queries for this SNMP community.

query-v1-port

SNMP v1 query port number used for SNMP manager queries. The default is set to 161.

query-v2c-status {enable | disable}

Enable (by default) or disable SNMP v2c queries for this SNMP community.

query-v2c-port

SNMP v2c query port number used for SNMP manager queries. The default is set to 161.

trap-v1-status {enable | disable}

Enable (by default) or disable SNMP v1 traps for this SNMP community.

trap-v1-lport

SNMP v1 local port number used for sending traps to the SNMP managers. The defautl is set to 162.

trap-v1-rport

SNMP v1 remote port number used for sending traps to the SNMP managers. The defautl is set to 162.

trap-v2c-status {enable | disable}

Enable (by default) or disable SNMP v2c traps for this SNMP community.

trap-v2c-lport

SNMP v2c local port number used for sending traps to the SNMP managers. The defautl is set to 162.

FortiCache 4.2.1 CLI Reference 113 Fortinet Technologies Inc. snmp {community | sysinfo | user} system

trap-v2c-rport

SNMP v2c remote port number used for sending traps to the SNMP managers. The defautl is set to 162.

events {cpu-high | mem-low | log-full | ... }

Events for which the FortiCache should send traps to the SNMP managers in this community. To enter multiple events, separate each entry with a space.

To view the the full list of events, enter set events ?. sysinfo

Use this command to configure basic system information used by the SNMP agent. When your SNMP manager receives traps from the FortiCache, you will know which unit sent the information through the following identifying information.

status {enable | disable}

Enable or disable (by default) the FortiCache SNMP agent.

engine-id

Optional unique SNMP engine identifier, or snmpEngineID, up to a maximum of 24 characters. This value is included in each message sent to or from the SNMP engine. The snmpEngineID is made up of two parts:

1. Fortinet prefix of 0x8000304404 (not set in this command). 2. Engine-id string, 24 character maximum length, as defined in this entry.

description

Optional description.

contact-info

Contact information for the person responsible for this FortiCache, up to a maximum of 35 characters.

location

Physical location description of the FortiCache unit, up to a maximum of 35 characters. Note that XSS vulnerability checking is disabled, so XSS characters such as brackets, "(" and ")", are permitted.

trap-high-cpu-threshold

Percentage of CPU used that will trigger the threshold SNMP trap for the high-cpu. This feature prevents frequent and unnecessary traps. The default is set to 80.

trap-low-memory-threshold

Percentage of memory used that will be the threshold SNMP trap for the low-memory. The default is set to 80.

trap-log-full-threshold

Percentage of disk space used that will trigger the threshold SNMP trap for the log-full. The default is set to 90.

114 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system snmp {community | sysinfo | user}

user

Use this command to configure an SNMP user including which SNMP events the user wants to be notified about, which hosts will be notified, and, if queries are enabled, which port to listen to for them.

queries {enable | disable}

Enable (by default) or disable SNMP v3 queries for this user. Queries are used to determine the status of SNMP variables.

query-port

Port number used for SNMP v3 queries. If multiple versions of SNMP are being supported, each version should listen on a different port. The default is set to 161.

{notify-hosts | notify-hosts6}

IPv4 or IPv6 IP addresses to send SNMP notifications (SNMP traps) to when events occur. To enter multiple notification hosts, separate each entry with a space.

{source-ip | source-ipv6}

Optional IPv4 or IPv6 source IP address to use in traps.

ha-direct {enable | disable}

Enable or disable (by default) direct management of cluster members.

events {cpu-high | mem-low | log-full | ... }

Events for which the FortiCache should send traps to the SNMP managers in this community. To enter multiple events, separate each entry with a space.

To view the the full list of events, enter set events ?.

security-level {no-auth-no-priv | auth-no-priv | auth-priv}

Security level:

l no-auth-no-priv: No authentication or privacy (set by default).

l auth-no-priv: Authentication but no privacy.

l auth-priv: Authentication and privacy.

auth-proto {md5 | sha}

Note: This entry is only available when security-level is set to either auth-no-priv and auth-priv.

Authentication protocol:

l md5: HMAC-MD5-96 authentication protocol.

l sha: HMAC-SHA-96 authentication protocol (set by default).

auth-pwd

Note: This entry is only available when security-level is set to either auth-no-priv and auth-priv.

FortiCache 4.2.1 CLI Reference 115 Fortinet Technologies Inc. storage system

Authentication key, up to a maximum of 32 characters.

priv-proto {aes | des | aes256}

Note: This entry is only available when security-level is set to auth-priv.

Privacy encryption protocol:

l aes: CFB128-AES-128 symmetric encryption protocol (set by default).

l des: CBC-DES symmetric encryption protocol.

l aes256: CFB128-AES-256 symmetric encryption protocol.

priv-pwd

Note: This entry is only available when security-level is set to auth-priv.

Privacy encryption key, up to a maximum of 32 characters. storage

Use this command to view local disk storage settings.

There are no configurable entries within this command, however you can use get to view the FortiCache's partitions and related information. To edit the disks and their partitions, use the web-based manager.

To format the disks, the reference number for the disk you wish to edit must be known.

Note that formatting storage disks will erase all data on them and require the FortiCache to reboot.

To list all the disks and view their reference numbers, enter the following command (the following is an example- output): execute disk list

Disk HD1 ref: 255 1.8TB1863.0GB type: ASM-S08 [ATA TOSHIBA MG03ACA2] dev: /dev/sda partition ref: 1 522.6GB, N/A free mounted: Y label: 51E5704F595F257F dev: /dev/sda1 partition ref: 2 531.0GB, N/A free mounted: N label: dev: /dev/sda2 partition ref: 3 707.9GB, N/A free mounted: N label: dev: /dev/sda3

Disk HD2 ref: 16 1.8TB1863.0GB type: ASM-S08 [ATA TOSHIBA MG03ACA2] dev: /dev/sdb partition ref: 17 522.6GB, N/A free mounted: Y label: 5C1E39A15B5D99B6 dev: /dev/sdb1 partition ref: 18 531.0GB, N/A free mounted: N label: dev: /dev/sdb2 partition ref: 19 707.9GB, N/A free mounted: N label: dev: /dev/sdb3

Disk HD3 ref: 32 1.8TB1863.0GB type: ASM-S08 [ATA TOSHIBA MG03ACA2] dev: /dev/sdc partition ref: 33 522.6GB, N/A free mounted: Y label: 052B6FF20FD65D60 dev: /dev/sdc1 partition ref: 34 531.0GB, N/A free mounted: N label: dev: /dev/sdc2 partition ref: 35 707.9GB, N/A free mounted: N label: dev: /dev/sdc3

Disk HD4 ref: 48 1.8TB1863.0GB type: ASM-S08 [ATA TOSHIBA MG03ACA2] dev: /dev/sdd partition ref: 49 522.6GB, N/A free mounted: Y label: 4092229C66B548A0 dev: /dev/sdd1 partition ref: 50 531.0GB, N/A free mounted: N label: dev: /dev/sdd2

116 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. system wccp

partition ref: 51 707.9GB, N/A free mounted: N label: dev: /dev/sdd3 In the example shown above, disks 1, 2, 3, and 4 are assigned reference numbers 255, 16, 32, and 48 (respectively).

To format a disk enter the following command (the following example uses disk 2 with its reference number of 16): execute disk format 16

Request format for: 16 (device=/dev/sdb) Formatting this storage will erase all data on it, including WanOpt caches; This action requires the unit to reboot. Do you want to continue? (y/n) y

Performing format on the requested disk(s) and rebooting, please wait...

FortiCache # Formatting the disk... DEBUG: received request /dev/sdb 1 30 30 40 Received Partitioning request for device=/dev/sdb wanopt_req=1 pct[0]=30, pct[1]=30, pct [2]=40. Partitioning and formatting /dev/sdb ... Sending request for partno=0 start=63 stop=5282160 Sending request for partno=1 start=5282161 stop=10564320 Sending request for partno=2 start=10564321 stop=17607239 done

wccp

Use this command to configure settings for Web Cache Communication Protocol (WCCP). cache-id

IP address of the cache engine. group-address

IP multicast address used by the cache routers. The default is set to 0.0.0.0, whereby the FortiCache ignores multicast WCCP traffic. Otherwise, set the value between 224.0.0.0-239.255.255.255. router-list

IP addresses of one or more WCCP routers that can communicate with a WCCP cache engine. To enter multiple addresses, separate each entry with a space. authentication {enable | disable}

Enable or disable (by default) using MD5 authentication for the WCCP configuration.

FortiCache 4.2.1 CLI Reference 117 Fortinet Technologies Inc. zone system

password

Note: This entry is only available when authentication is set to enable.

Authentication password, up to a maximum of eight characters. cache-engine-method {GRE | L2}

Method that traffic is forwarded to route or returned to cache engine:

l GRE: GRE encapsulation (set by default).

l L2: L2 rewrite. service-type {auto | standard | dynamic}

WCCP service type used by the cache server: automatic (set by default), standard, or dynamic service. assignment-weight

Assignment weight for the WCCP cache engine. Set the value between 0-255. The default is set to 0. assignment-bucket-format {wccp-v2 | cisco-implementation}

Assignment bucket format for the WCCP cache engine: WCCP-v2, or Cisco bucket format (set by default). zone

Use this command to create and edit zones, grouping related interfaces that can help simplify policy creation by configuring policies for connections to and from a zone, rather than to and from each interface. intrazone {allow | deny}

Allow or deny (by default) traffic routing between different interfaces within the same zone. interface

Interface to be added to this zone. Note that you cannot add an interface that already belongs to another zone, or if firewall policies are defined for it.

118 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. user

Use config user to configure the following user related options:

adgrp fsso fsso-polling group krb-keytab ldap local password-policy radius setting tacacs+ adgrp

Use this command to configure Fortinet Single Sign-On (FSSO) groups. server-name

Name of the FSSO agent. polling-id

FSSO polling ID. The default is set to 0. fsso

Use this command to create and edit up to five FSSO collector agents as part of a redundant configuration so that, if the first agent fails, the FortiCache can attempt to connect to the next agent in the list.

Note that each server, port, and password entry corresponds to their specific numeric-counterparts, and no other.

{server | server2 | server3 | server4 | server5}

Domain name or IP address for each collector agent, up to a maximum of 63 characters.

{port | port2 | port3 | port4 | port5}

Port number used for communication with FortiCache and each collector agent. The default is set to 8000.

FortiCache 4.2.1 CLI Reference 119 Fortinet Technologies Inc. fsso-polling user

{password | password2 | password3 | password4 | password5}

Password for each collector agent. ldap-server

Name of the LDAP server to be used to access the Directory Service. source-ip

Source IP address for communications to the FSSO server. fsso-polling

Use this command to configure polling of servers for FSSO. config adgrp

Use this configuration method to simply specify the Windows AD group name for which FSSO polling will be conducted. status {enable | disable}

Enable (by default) or disable FSSO polling. server

IP address or AD server name. default-domain

Default domain name of this server. port

Server port number. Set the value between 0-65535. The default is set to 0. user

User account name for the AD server. password

Password used to connect to the AD server.

120 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. user group

ldap-server

Name of the LDAP server for groups and user names. logon-history

Length of logon history. Set the value between 1-48 (or one hour to two days), or enter 0 to keep logon history forever. The default is se to 8. polling-frequency

Frequency in seconds at which polling occurs. Set the value between 1-30. The default is set to 10. group

Use this command to create and edit user groups. config match

Note: This configuration method is only available when group-type is set to firewall.

Use this configuration method to .

server-name

Name of the remote authentication server.

group-name

Name of the matching group on the remote authentication server. config guest

Note: This configuration method is not configurable here; all guest user related entries can be configured when group-type is set to guest (see entries below). group-type {firewall | fsso-service | rsso | guest}

Group type, that in turn determines the user type:

l firewall: Users defined in the user local, user ldap, or user radius commands (set by default).

l fsso-service: SSO users.

l rsso: RSSO users.

l guest: Guest users.

FortiCache 4.2.1 CLI Reference 121 Fortinet Technologies Inc. group user

authtimeout

Period of time in minutes an authentication timeout for this user group lasts for. Set the value between 0-1440 (or global timeout value to one day). The default is set to 0. sso-attribute-value

Note: This entry is only available when group-type is set to rsso.

Name of the RADIUS user group this user group represents. auth-concurrent-override {enable | disable}

Note: This entry is only available when group-type is set to either firewall or guest.

Enable or disable (by default) overriding the entry in config system global, policy-auth-concurrent. auth-concurrent-value

Note: This entry is only available when auth-concurrent-override is set to enable.

Maximum limit of concurrent logins for the same user. Set the value between 0-100. The default is set to 0, whereby there is no limit. http-digest-realm

Note: This entry is not available when group-type is set to rsso.

Realm attribute for MD5-digest authentication. member

Note: This entry is only available when group-type is set to either firewall or fsso-service.

Namse of users, peers, LDAP servers, or RADIUS servers to add to the user group. To enter multiple names, separate each entry with a space. user-id {email | auto-generate | specify}

Note: This entry is only available when group-type is set to guest.

Source of the guest user ID: use the guest's email address (set by default), automatically generate a random user ID, or specify a user ID. password {auto-generate | specify | disable}

Note: This entry is only available when group-type is set to guest.

Source of the guest user ID: automatically generate a random user ID (set by default), specify a user ID, or disable the requirement of a password.

122 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. user group

user-name {disable | enable}

Note: This entry is only available when group-type is set to guest.

Enable or disable (by default) guest user name entry. sponsor {optional | mandatory | disabled}

Note: This entry is only available when group-type is set to guest.

Sponsor field in the web-based manager Guest Management form: present but optional (set by default), mandatory, or disabled. company {optional | mandatory | disabled}

Note: This entry is only available when group-type is set to guest.

Company field in the web-based manager Guest Management form: present but optional (set by default), mandatory, or disabled. email {disable | enable}

Note: This entry is only available when group-type is set to guest.

Enable (by default) or disable the Email field in the web-based manager Guest Management form. mobile-phone {disable | enable}

Note: This entry is only available when group-type is set to guest.

Enable or disable (by default) the Mobile Phone Number field in the web-based manager Guest Management form expire-type {immediately | first-successful-login}

Note: This entry is only available when group-type is set to guest.

When expiry time countdown begins: immediately (set by default) or after the user's first successful login. expire

Note: This entry is only available when group-type is set to guest.

Period of time in seconds before the user account expires. Set the value between 1-31536000 (or one second to one year). The default is set to 14400 (or four hours) max-accounts

Note: This entry is only available when group-type is set to guest.

Maximum limit of accounts permitted. The default is set to 0, whereby there is no limit.

FortiCache 4.2.1 CLI Reference 123 Fortinet Technologies Inc. krb-keytab user

multiple-guest-add {disable | enable}

Note: This entry is only available when group-type is set to guest.

Enable or disable (by default) the Multiple Guest Add option in the web-based manager User Group form. krb-keytab

Use this command to configure Kerberos keytab entries.

Keytab files are used to authenticate to various remote systems using Kerberos without entering a password, and without requiring human interaction or access to password stored in a plain-text file. The script is then able to use the acquired credentials to access files stored on a remote system. principal

Kerberos server principal (e.g. HTTP/[email protected]). ldap-server

Name of the LDAP server. keytab

Keytab file, that's base64 coded, containing a pre-shared key. ldap

Use this command to create and edit the definition of an LDAP server for user authentication.

LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. Note that, with PPTP, L2TP, and IPSec VPN, Packet Authentication Protocol (PAP) is supported, while Challenge Handshake Authentication Protocol (CHAP) is not. server

IP address or domain name of the primary LDAP server. secondary-server

Second IP address or domain name of the LDAP server. tertiary-server

Third IP address or domain name of the LDAP server.

124 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. user ldap

source-ip

Optional source IP address to use for LDAP requests. cnid

Common name identifier (CNID) for the LDAP server, up to a maximum of 20 characters. The default is set to cn, which is the CNID for most LDAP servers. In light of this, note that some servers use other common name identifiers, such as uid. dn

Note: You must provide a dn value if type is set to simple.

Distinguished name (DN) used to lookup entries on the LDAP server, up to a maximum of 512 characters. It reflects the hierarchy of LDAP database object classes above the CNID. type {simple | anonymous | regular}

Authentication type for LDAP searches:

l simple: Simple password authentication without search (set by default).

l anonymous: Bind using anonymous user search.

l regular: Bind using username, password, and then search. Use simple if the user records are all under one DN that you know. If the users are under more than one DN, use anonymous or regular, which can search the entire LDAP database for the required user name.

If your LDAP server requires authentication to perform searches, use regular, and provide values for username and password (see entries below). username

Note: This entry is only available when type is set to regular.

User name for regular LDAP authentication. password

Note: This entry is only available when type is set to regular.

User's password for regular LDAP authentication. group-member-check {user-attr | group-object}

Method used for group membership checking: user attribute (set by default), or group object. secure {disable | starttls | ldaps}

Port to be used in authentication:

FortiCache 4.2.1 CLI Reference 125 Fortinet Technologies Inc. local user

l disable: No SSL; port 389 (set by default).

l starttls: Use StartTLS; port 389.

l ldaps: Use LDAPS; port 636. ca-cert

Note: This entry is only available when secure is either set to starttls or ldaps.

Certificate authority (CA) certificate used for user authentication. The CA certificate will be used by the LDAP library to validate the public certificate provided by the LDAP server. port

Note: This entry changes to 636 when secure is set to ldaps. It will also change back to its default value of 389 when secure is set back to either disable or starttls.

Port number for communication with the LDAP server. The default is set to the standard LDAP port, 389. password-expiry-warning {enable | disable}

Enable or disable (by default) password expiry warnings. password-renewal {enable | disable}

Enable or disable (by default) online password renewals. member-attr

Group attribute for user authentication. The default is set to memberOf. search-type {nested}

Retrieve the complete nested-user-group chain information of a user in a particular Microsoft AD domain; nested (set by default) is the only available option. local

Use this command to create and edit local users and configure user authentication. status {enable | disable}

Enable (by default) or disable the local user to authenticate with FortiCache. type {password | radius | tacacs+ | ldap}

User authentication type:

126 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. user local

passwd

Note: This entry is only available when type is set to password.

User's password with which to authenticate. passwd-policy

Note: This entry is only available when type is set to password.

Name of a password policy to apply to this user and their password. To create a password policy, see config user password-policy. passwd-time

Note: This entry is only available when type is set to password.

Start time and date of the last password update in the format yyyy-mm-dd hh:mm:ss. The default is set to 0000- 00-00 00:00:00. radius-server

Note: This entry is only available when type is set to radius.

Name of the RADIUS server with which the user must authenticate. A RADIUS server must have already been added to the list of RADIUS servers; see config user radius for more information. tacacs+-server

Note: This entry is only available when type is set to tacacs+.

Name of the TACACS+ server with which the user must authenticate. A TACACCS+ server must have already been added to the list of TACACS+ servers; see config user tacacs+ for more information. ldap-server

Note: This entry is only available when type is set to ldap.

Name of the LDAP server with which the user must authenticate. A LDAP server must have already been added to the list of LDAP servers; see config user ldap for more information. authtimeout

0-1440`0 uses global workstation

Note: This entry is only available when type is set to ldap.

Name of a remote user workstation, if you wish to permit the user to authenticate only from a particular workstation.

FortiCache 4.2.1 CLI Reference 127 Fortinet Technologies Inc. password-policy user

auth-concurrent-override {enable | disable}

Enable or disable (by default) overriding the entry in config system global, policy-auth-concurrent. auth-concurrent-value

Note: This entry is only available when auth-concurrent-override is set to enable.

Maximum limit of concurrent logins for the same user. Set the value between 0-100. The default is set to 0, whereby there is no limit. password-policy

Use this command to define password policies that set user password expiry and provide expiry warnings. expire-days

Number of days before password expiry. Set the value between 0-999 (or no expiry to almost 33 months). The default is set to 180 (or almost six months). warn-days

Number of days prior to password expiry that an expiry warning is provided. Set the value between 0-30 (or no warning to approx. one month). The default is set to 15. radius

Use this command to create and edit information used for RADIUS authentication.

To reduce repetition, the following entries are not available when rsso is set to enable:

l server

l secret

l nas-ip

l acct-interim-interval

l radius-port

l auth-type

l source-ip Likewise, all SSO-related entries below are only available when rsso is set to enable. server

IP address or domain name of the RADIUS server.

128 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. user radius

secret

Password for the RADIUS server, up to a maximum of 16 characters. timeout

Period of time in seconds between resending authentication requests. Set the value between 0-300 (or no timeout to five minutes). The default is set to 5.

These requests occur during the remoteuathtimeout period set in config system global. nas-ip

IP address used as the NAS-IP-Address and Called-Station-ID attributes in RADIUS access requests. acct-interim-interval

Period of time in seconds between each accounting interim update message. Set the value between 600-86400 (or ten minutes to one day). The default is set to 0. radius-port

Port number used for communication with the RADIUS server. The default is set to 0. Note that the standard RADIUS port is 1812. h3c-compatibility {enable | disable}

Enable or disable (by default) compatibility with the H3C Intelligent Management Platform (IMC) server. The supplicant requests 802.1X authentication and then sends a second phase security check request to the H3C IMC server. rsso-radius-server-port

Port number used by the RADIUS accounting server for sending Start and Stop RADIUS records.The default is set to 1813. rsso-radius-response {enable | disable}

Enable or disable (by default) sending responses after receiving RADIUS Start and Stop records. This setting may be required by your accounting system. rsso-validate-request-secret {enable | disable}

Enable or disable (by default) verifying that the RADIUS secret matches the RADIUS secret in the Start or End record. rsso-secret

RADIUS secret used by the RADIUS accounting server.

FortiCache 4.2.1 CLI Reference 129 Fortinet Technologies Inc. radius user

rsso-endpoint-attribute

Name of the RADIUS attribute that contains the end point identifier in order to extract the user end point identifier from the RADIUS Start record. The default is set to Calling-Station-Id.

To view the full list of attributes, enter set rsso-endpoint-attribute ?. rsso-endpoint-block-attribute

Name of the RADIUS attribute that can be used to block a user. If set to Block, all traffic from the user's IP address will be blocked. The default is set to Calling-Station-Id.

To view the full list of attributes, enter set rsso-endpoint-block-attribute ?. sso-attribute

Name of the RADIUS attribute that contains the profile group name in order to extract a profile group from the RADIUS Start record. The default is set to Class.

To view the full list of attributes, enter set sso-attribute ?. sso-attribute-key

Profile key, if the profile attribute contains more data than just the profile group name, up to a maximum of 36 characters. The profile key always comes directly before the profile group name in the profile attribute. For example, the class attribute could include: profile=, where is the name of the profile group. rsso-context-timeout

Period of time in seconds before a user (that's been added to a "user context list" of logged-on users) is logged off, so long as there has been no communication from the user end point. The default is set to 28800 (or eight hours).

The other way a user can be logged off is when the FortiCache receives a RADIUS Stop record for the user's end point. Therefore, this timeout is only necessary if RADIUS Stop records aren't received, however it's recommended to use this timeout in case a Stop record is missed. rsso-log-period

Period of time in seconds that group-event log messages for dynamic profile events are generated. For example, if set to 30 seconds, groups of event log messages are generated every 30 seconds inetad of generating event log messages continously. The default is set to 0, whereby all event log messages are generated in real time. rsso-log-flags {protocol-error | profile-missing | accounting-stop-missed | accounting- event | endpoint-block | radiusd-other | none}

Options to configure event log messages for RSSO events. To enter multiple flags, separate each entry with a space. By default, all are selected except none (see below):

130 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. user setting

l protocol-error: Write an event log message if RADIUS protocol errors occur. For example, when a RADIUS record contains a RADIUS secret that does not match the one added to the dynamic profile.

l profile-missing: Write an event log message whenever a group name cannot be found in a RADIUS Start message that matches the name of an RSSO user group in the FortiCache.

l acounting-stop-missed: Write an event log message whenever a user context entry timeout expires (see rsso- context-timeout above), indicating that an entry was removed from the user context list without receiving a RADIUS Stop message.

l accounting-event: Write an event log message when unexpected information is found in a RADIUS record. For example, if a RADIUS record contains more than the expected number of addresses.

l endpoint-block: Write an event log message whenever a user is blocked because the attribute specified in the rsso-endpoint-block-attribute entry is set to Block.

l radiusd-other: Write event log messages for other events. For example, write a log message if the memory limit for the user context list is reached and the oldest entries in the table have been dropped. The event is described in the log message.

l none: Disable logging of RSSO events. rsso-flush-ip-session {enable | disable}

Enable or disable (by default) flushing user IP sessions on RADIUS accounting Stop messages. auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}

Authentication method for this RADIUS server: auto (set by default), MS-CHAPv2, CHAP, and PAP.

Note that auto uses all three methods together. source-ip

Source IP address for communicating with the RADIUS server. rsso {enable | disable}

Enable or disable (by default) configurable options for the RSSO agent. Once enabled, all other RSSO-related entries will become available (see above). In addition, FortiCache will accept connections on the port-value entered in the rsso-radius-server-port entry. setting

Use this command to configure user settings, including firewall user authentication timeout and protocol support for firewall policy authentication. config auth-ports

Use this configuration method to configure non-standard ports for authentication.

type {http | https | ftp | telnet}

Protocol to use with the authentication port: HTTP (set by default), HTPPS, FTP, or TELNET.

FortiCache 4.2.1 CLI Reference 131 Fortinet Technologies Inc. setting user

port

Port number to use for authentication. Set the value between 1-65535. The default is set to 1024. auth-type {http | https | ftp | telnet}

Protocol to use with the authentication port: HTTP, HTPPS, FTP, or TELNET; by default, all four are selected. auth-cert

HTTPS server certificate to use for policy authentication. To see the full list of available certificates, enter set auth-cert ?. auth-ca-cert

CA certificate used for user authentication. auth-secure-http {enable | disable}

Enable or disable (by default) redirecting HTTP user authentication to HTTPS. auth-http-basic {enable | disable}

Enable or disable (by default) support for HTTP basic authentication for identity-based firewall policies. HTTP basic authentication usually causes a browser to display a pop-up authentication window instead of displaying an authentication web page. Some basic web browsers (e.g. web browsers on mobile devices) may only support HTTP basic authentication. auth-multi-group {enable | disable}

Enable (by default) or disable multiple user group firewall authentication. This can be disabled if the Active Directory structure is setup such that users belong to only one group. auth-timeout

Period of time in minutes before the user is required to authenticate again. Set the value between 1-1440 (or one minute to one day). The default is set to 5. auth-timeout-type {idle-timeout | hard-timeout | new-session}

Type of authentication timeout:

l idle-timeout: Applies only to idle sessions (set by default).

l hard-timeout: Applies to all sessions.

l new-session: Applies only to new sessions. radius-ses-timeout-act {hard-timeout | ignore-timeout}

RADIUS timeout option:

132 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. user tacacs+

l hard-timeout: Use RADIUS timeout (set by default).

l ignore-timeout: Ignore RADIUS timeout. auth-blackout-time

Period of time in seconds that an authentication blackout lasts for. This occurs when a firewall authentication attempt fails five times within one minute, resulting in the source IP address of the attempts being denied access. Set the value between 0-3600 (or no blackout to one hour). The default is set to 0. auth-invalid-max

Maximum number of failed authentication attempts before the client is blocked. Set the value between 1-100. The default is set to 5. auth-lockout-threshold

Maximum number of login attempts before the login lockout is triggered (see auth-lockout-duration below). Set the value between 1-10. The default is set to 3. auth-lockout-duration

Period of time seconds that the login lockout lasts for. The default is set to 0. tacacs+

Use this command to create and edit information used for Terminal Access Controller Access-Control System (TACACS+) authentication. server

IP address or domain name of the primary TACACS+ server. secondary-server

Second IP address or domain name of the TACACS+ server. tertiary-server

Third IP address or domain name of the TACACS+ server. port

Port number for communication with the LDAP server. The default is set to the standard TACACS+ port, 49. key

Password key to access the primary TACACS+ server, up to a maximum of 16 characters.

FortiCache 4.2.1 CLI Reference 133 Fortinet Technologies Inc. tacacs+ user

secondary-key

Password key to access the second TACACS+ server, up to a maximum of 16 characters. tertiary-server

Password key to access the third TACACS+ server, up to a maximum of 16 characters. authen-type {mschap | chap | pap | ascii | auto}

Protocol to use for this TACACS+ server: MSCHAP, CHAP, PAP, ASCII, auto (set by default).

Note that auto uses PAP, MS-CHAPv2, and CHAP. authorization {enable | disable}

Enable or disable (by default) TACACS+ authorization. source-ip

Source IP address for communicating with the TACACS+ server.

134 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. vpn

Use config vpn to configure the following VPN related options:

certificate {ca | crl | local | ocsp-server | remote | setting} certificate {ca | crl | local | ocsp-server | remote | setting}

The certificate command is divided into six configurable options: install CA root certificates, CRLs, and local certificates, set the revocation server for an Online Certificate Status Protocol (OCSP) server certificate, install remote certificates, and set options for obtaining certificates by OCSP. ca

Use this command to install CA root certificates. When a CA processes your CSR, it sends you the CA certificate, the signed local certificate, and the CRL.

The CA certificate can update automatically from a Simple Certificate Enrollment Protocol (SCEP) server.

CA certificate in base64 encoded PEM format.

scep-url

URL of the SCEP server.

source-ip

Source IP address that can be used to verify that the request is sent from the expected IP. crl

Use this command to install a CRL. When a CA processes your CSR, it sends you the CA certificate, the signed local certificate, and the CRL.

crl

CRL in PEM format.

ldap-server

Name of the LDAP server, as set in config user ldap.

http-url

URL of an HTTP server used for automatic CRL certificate updates, beginning with either http:// or https://.

FortiCache 4.2.1 CLI Reference 135 Fortinet Technologies Inc. certificate {ca | crl | local | ocsp-server | remote | setting} vpn

scep-url

URL of the SCEP server used for automatic CRL certificate updates, beginning with either http:// or https://.

scep-cert

Local certificate used for SCEP communication for CRL auto-update. The default is set to Fortinet_Firmware.

update-interval

Period of time in seconds before the FortiCache checks for an updated CRL. The default is set to 0, whereby the CRL will only be updated when it expires.

source-ip

Source IP address that can be used to verify that the request is sent from the expected IP. local

Use this command to install local certificates.

password

Password in PEM format.

comments

Optional comments.

private-key

Private key in PEM format.

state

CSR state.

scep-url

URL of the SCEP server.

source-ip

Source IP address that can be used to verify that the request is sent from the expected IP.

ike-localid-type {asn1dn | fqdn}

Local ID type: use ASN.1 DN ID (set by default) or FQDN. ocsp-server

Use this command to specify the revocation for an OCSP server certificate. You can also specify the action to take if the server is not available.

136 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. vpn certificate {ca | crl | local | ocsp-server | remote | setting}

url

URL of the OCSP server.

cert

OCSP server public certificate.

secondary-url

URL of the second OCSP server.

secondary-cert

Second OCSP server public certificate.

unavail-action {revoke | ignore}

Action to take on client certification when the OCSP server is unreachable: revoke (set by default) or ignore.

source-ip

Source IP address that can be used to verify that the request is sent from the expected IP. remote

Use this command to install remote certificates, public certificates without a private key that are used as OCSP server certificates.

To view all information about the certificate, enter the get command.

remote

Description of the remote certificate. setting

Use this command to enable receiving certificates by OCSP.

ocsp-status {enable | disable}

Enable or disable (by default) obtaining certificates using OCSP.

ocsp-default-server

Name of the default OCSP server (i.e. one of the servers defined in vpn certificate ocsp-server above).

check-ca-start {enable | disable}

Enable (by default) or disable checking the certificate and failing authentication if the CA certificate is not found.

FortiCache 4.2.1 CLI Reference 137 Fortinet Technologies Inc. wanopt

Use config wanopt to configure the following WAN Optimization related options:

auth-group cache-service content-delivery-network-rule peer profile settings ssl-server storage webcache auth-group

Use this command to configure WAN optimization authentication groups. Add authentication groups to support authentication and secure tunneling between WAN optimization peers. auth-method {cert | psk}

Authentication method for the group: using a certificate (set by default) or using a preshared key. cert

Note: This entry is only available when auth-method is set to cert.

Local certificate to be used by the peers in this group. To add a local certificate, see config vpn certificate local. psk

Note: This entry is only available when auth-method is set to psk.

Pre-shared key to be used for this group. peer-accept {any | defined | one}

Determine which peers may use the authentication group:

l any: Authentication group can be used for any peer (set by default).

l defined: Authentication group can be used for only the users added to the FortiCache.

l one: Authentication group can be used for just one peer. Once set, use the peer entry below to specify the peer. peer

Note: This entry is only available when peer-accept is set to one.

138 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. wanopt cache-service

Name of the peer to add to this authentication group. The peer must have already been added to the FortiCache using the config wanopt peer command. cache-service

Use this command to designate cache-services for WAN optimization and web cache. config dst-peer

Use this configuration method to .

auth-type

Authentication type for the destination peer. The default is set to 0.

encode-type

Encode type for the destination peer. The default is set to 0.

priority

Priority for the destination peer. The default is set to 1.

Cluster IP address of the destination peer device. config src-peer

Use this configuration method to .

auth-type

Authentication type for the source peer. The default is set to 0.

encode-type

Encode type for the source peer. The default is set to 0.

priority

Priority for the source peer. The default is set to 1.

Cluster IP address of the source peer device. prefer-senario {balance | prefer-speed | prefer-cache}

Caching preference:

FortiCache 4.2.1 CLI Reference 139 Fortinet Technologies Inc. content-delivery-network-rule wanopt

l balance: Balance between speed and cache-hit-ratio (set by default).

l prefer-speed: Prefer high response speed with more cache bypassing.

l prefer-cache: Prefer high hit-ratio with lower response speed. collaboration {enable | disable}

Enable or disable (by default) cache-collaboration. device-id

Device ID of this device. The default is set to default_dev_id. acceptable-connections {any | peers}

Determine how the device accepts collaboration-connections:

l any: Accept any cache-collaboration connection (set by default).

l peers: Only accept connections that are already configured in src-peers (see entry above). content-delivery-network-rule

Use this command to configure various WAN optimization Content Delivery Network (CDN) rules, allowing content to be served at high availability and increased performance.

The following rules are already available by default:

update://windowsupdate/ vcache://llnwd/

vcache:// vcache://maker.tv/

vcache://2mdn-ads/ vcache://metacafe/

vcache://amazonaws-ads/ vcache://ms-ads/

vcache://aol/ vcache://ooyala/

vcache://break/ vcache://pornhub/

vcache://cbc/ vcache://redtube/

vcache://clipfish/ vcache://serving-sys-ads/

vcache://cnn/ vcache://stupidvideos/

vcache://dailymotion/ vcache://tube8/

vcache://discovery/ vcache://tudou/

140 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. wanopt content-delivery-network-rule

vcache://edgesuite-ads/ vcache://vevo/

vcache://eyereturn-ads/ vcache://vimeo/

vcache://eyewonder-ads/ vcache://xtube/

vcache://foxnews/ vcache://yahoo/

vcache://googlevideo/ vcache://youku/

vcache://gorillanation-ads/ vcache://youporn/

vcache://howcast/ vcache://youtube/

vcache://liveleak vcache://yumenetworks-ads/ config rules

Use this configuration method to create and edit existing WAN optimization CDN rules.

config match-entries

Use this configuration method to create and edit rule match entries.

target {path | parameter | referrer | youtube-map | youtube-id}

Option from the HTTP header or URL to match:

l path: Entire URL path (set by default).

l parameter: URL parameters.

l referrer: Referrer from HTTP header.

l youtube-map: YouTube Content ID collection.

l youtube-id: YouTube Content ID.

pattern

Referrer or URL pattern.

config skip-entries

Use this configuration method to create and edit rule skip entries.

target {path | parameter | referrer | youtube-map | youtube-id}

Option from the HTTP header or URL to match:

l path: Entire URL path (set by default).

l parameter: URL parameters.

l referrer: Referrer from HTTP header.

l youtube-map: YouTube Content ID collection.

l youtube-id: YouTube Content ID.

FortiCache 4.2.1 CLI Reference 141 Fortinet Technologies Inc. content-delivery-network-rule wanopt

pattern

Referrer or URL pattern.

config content-id

Use this configuration method to .

target {path | parameter | referrer | youtube-map | youtube-id | hls-manifest | hls-fragment}

Option from the HTTP header or URL to match:

l path: Entire URL path (set by default).

l parameter: URL parameters.

l referrer: Referrer from HTTP header.

l youtube-map: YouTube Content ID collection.

l youtube-id: YouTube Content ID.

l hls-manifest: HTTP Live Streaming (HLS) manifest.

l hls-fragment: HLS fragment.

start-str

Text string from which to start search.

start-skip

Number of characters in the URL to skip after start-str has been matched. The default is set to 0.

start-direction {forward | backward}

Search direction from start-str match: forward (set by default) or backward.

end-str

Text string from which to end search.

end-skip

Number of characters in the URL to skip after end-str has been matched. The default is set to 0.

end-direction {forward | backward}

Search direction from end-str match: forward (set by default) or backward.

range-str

Name of Content ID within the start and end strings.

match-mode {all | any}

Criteria the FortiCache must match in order to collect content ID:

l all: Must match all the match entries (set by default).

l any: Must match any of the match entries.

skip-rule-mode {all | any}

Criteria the FortiCache will use to skip rules:

142 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. wanopt peer

l all: Must match all skip entries (set by default).

l any: Must match any of the skip entries. comment

Optional comments. status {enable | disable}

Enable (by default) or disable WAN optimization CDN rules. host-domain-name-suffix

Suffix of the FQDN (e.g. example.com). category {vcache | youtube}

CDN rule category: Vcache CDN (set by default) or YouTube CDN. request-cache-control {enable | disable}

Enable or disable (by default) HTTP request cache control. response-cache-control {enable | disable}

Enable or disable (by default) HTTP response cache control. updateserver {enable | disable}

Enable or disable (by default) updating the server. peer

Use this command to create and edit WAN optimization peers for the FortiCache to identify itself in order to form WAN optimization tunnels with other local FortiCache units.

To add the local host ID to a FortiCache, use the config wanopt settings command. ip

IP address of the interface that the remote FortiCache will use to connect to the local FortiCache.

FortiCache 4.2.1 CLI Reference 143 Fortinet Technologies Inc. profile wanopt profile

Use this command to create and edit WAN optimization profiles, where traffic can be optimized. It's important to note that no traffic will be processed without first being accepted by a firewall policy. All sessions accepted by a firewall policy that also match a WAN optimization profile are processed by WAN optimization.

WAN optimization profiles must be added at each end of the tunnel. Firewall policies use the specified WAN optimization profile to determine how to optimize the traffic over the WAN. config {http | cifs | mapi | ftp | tcp}

Use these configuration methods to configure different WAN optimization profiles for each available protocol: HTTP, CIFS, MAPI, FTP, and TCP.

status {enable | disable}

Enable or disable (by default) thhe profile.

secure-tunnel {enable | disable}

Enable or disable (by default) encrypting and securing the traffic in the WAN optimization tunnel, where FortiASIC acceleration is used to accelerate SSL decryption and encryption of the secure tunnel. The secure tunnel uses the same TCP port as a non-secure tunnel (TCP port 7810).

byte-caching {enable | disable}

Note: *This entry is set to enable by default for all protocols except tcp.

Enable (by default*) or disable WAN optimization byte caching for the traffic accepted by this profile. Byte caching is a WAN optimization technique that reduces the amount of data that has to be transmitted across a WAN by caching file data to serve it later as required.

byte-caching-opt {mem-only | mem-disk}

Note: This entry is only available when configuring tcp.

Determine whether byte-caching optimization uses memory only (set by default) or both memory and the disk.

prefer-chunking {dynamic | fix}

Note: This entry is only available when configuring http, cifs, and ftp.

Chunking preference:

l dynamic: Dynamic data chunking, helps to detect persistent data chunks in a changed file or in an embedded unknown protocol.

l fix: Fixed data chunking (set by default). Note that TCP and MAPI do not have this entry. For TCP, if byte-caching-opt is set to mem-disk, its chunking algorithm will be dynamic. For MAPI, only dynamic is used.

tunnel-sharing {private | shared | express-shared}

Tunnel sharing mode for this tunnel:

144 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. wanopt profile

l private: For profiles that accept aggressive protocols such as HTTP and FTP, so they do not share tunnels with less-aggressive protocols (set by default).

l shared: For profiles that accept non-aggressive and non-interactive protocols.

l express-shared: For profiles that accept interactive protocols, such as Telnet.

log-traffic {enable | disable}

Enable (by default) or disable traffic logging.

port

Port number or port range for the profile. Only packets whose destination port number matches this port number or port number range will be accepted by and subject to this profile.

The default value depends on the protocol being configured: http is set to 80, cifs is set to 445, mapi is set to 135, ftp is set to 21, and tcp is set to 1-65535.

ssl {enable | disable}

Note: This entry is only available when configuring http and tcp.

Enable or disable (by default) applying SSL offloading for HTTPS traffic from one or more HTTP servers. If set to enable, you must add an SSL server for each HTTP server that you want to offload SSL encryption/decryption for. To do this, see config wanopt ssl-server.

unknown-http-version {reject | tunnel | best-effort}

Note: This entry is only available when configuring http.

Determine how the profile handles HTTP traffic that does not comply with HTTP 0.9, 1.0, or 1.1:

l reject: Drops HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.

l tunnel: Passes HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied to this HTTP traffic (set by default).

l best-effort: Assumes all HTTP sessions accepted by the profile comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, WAN optimization may not parse it correctly. As a result, sessions may stop being forwarded, whereby the session and connection may be lost.

tunnel-non-http {enable | disable}

Note: This entry is only available when configuring http.

Determine how to process non-HTTP traffic when a profile configured to accept and optimize HTTP traffic accepts a non-HTTP session. This can occur if an application sends non-HTTP traffic using an HTTP destination port.

Enable to pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied to non-HTTP sessions. Disable (by default) to drop non-HTTP sessions accepted by the profile. transparent {enable | disable}

Enable (by default) or disable Transparent mode.

FortiCache 4.2.1 CLI Reference 145 Fortinet Technologies Inc. settings wanopt

comments

Optional comments. auth-group

Peer authentication group to add to the profile. To create peer authentication groups, use the config wanopt auth- group command. settings

Use this command to create and edit the WAN optimization local host ID and enable traffic logging for WAN optimization and WAN optimization web caching sessions. host-id

Local host ID. Note that WAN optimization can only be performed with other FortiCaches that have this local host ID in their peer list. tunnel-ssl-algorithm {high | medium | low}

Encryption strength accepted for SSL tunnel negotiation:

l high: Allows AES and 3DES.

l medium: Allows AES, 3DES, and RC4 (set by default).

l low: Allows AES, 3DES, RC4, and DES. auto-detect-algorithm {simple | diff-req-resp}

Auto-detection algorithms used in tunnel negotiation:

l simple: Uses the same TCP option value in SYN/SYNACK packets (set by default).

l diff-req-resp: Uses different TCP option value in SYN/SYNACK packets to avoid false positive detection. ssl-server

Use this command to create and edit one or more SSL servers to support WAN optimization SSL offloading. WAN optimization supports SSL encryption/decryption offloading for HTTP servers. You enable WAN optimization SSL offloading by enabling the ssl field in a WAN optimization profile; see config wanopt profile for more information. ip

IP address for the SSL server. This IP address should be the same as the IP address of the HTTP server that this SSL server will be offloading for.

146 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. wanopt ssl-server

When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination IP address of the session is matched with this IP address to select the SSL server configuration to use. port

Port number to be used by the SSL server; typically this would be set to port 443 for an HTTPS server. The default is set to 0. ssl-mode {half | full}

Determine whether the SSL server should operate in half mode or full mode (set by default). Half mode offloads SSL from the backend server to the server-side FortiCache unit. ssl-cert

Local certificate to be used for this SSL server. ssl-dh-bits {768 | 1024 | 1536 | 2048}

Diffie-Hellman (DH) prime size to be used in DHE_RSA negotiation. The default is set to 1024. ssl-algorithm {high | medium | low}

Determine the permitted encryption algorithms for SSL sessions according to strength:

l high: AES and 3DES.

l medium: AES, 3DES, and RC4 (set by default).

l low: AES, 3DES, RC4, and DES. ssl-client-renegotiation {allow | deny | secure}

Status of client renegotiation:

l allow: Allows client renegotiation (set by default).

l deny: Aborts any SSL connection that attempts to renegotiate.

l secure: Rejects any SSL connection that does not offer a Secure Renegotiation Indication (for more information, see RFC 5746). ssl-min-version {ssl-3.0 | tls-1.0}

Lowest or oldest SSL/TLS version to offer when negotiating. The default is set to ssl-3.0; note that TLS 1.0 is more secure than SSL 3.0. ssl-max-version {ssl-3.0 | tls-1.0}

Highest or newest SSL/TLS version to offer when negotiating. The default is set to tls-1.0; note that TLS 1.0 is more secure than SSL 3.0.

FortiCache 4.2.1 CLI Reference 147 Fortinet Technologies Inc. storage wanopt

ssl-send-empty-frags {enable | disable}

Enable (by default) or disable sending empty fragments before sending the actual payload. Sending empty fragments is a technique used to avoid cipher-block chaining (CBC) plaintext attacks if the initiation vector (IV) is known (also called the CBC IV).

Note that some SSL implementations are not compatible with sending empty fragments; if required by your SSL implementation, set ssl-send-empty-frags to disable. storage

Use this command to edit the usage-types for WAN optimization storage disks. usage_type {wanopt_only | webcache_only | wanopt_webcache}

Usage-type for this storage disk: WAN optimization, web cache, or both WAN optimization and web cache (set by default). status {enable | disable}

Enable (by default) or disable WAN optimization storage of this disk. webcache

Use this command to determine how the WAn optimization web cache operates. In most cases the default settings are acceptable, however you may want to change these settings to improve performance or optimize the cache for your configuration. max-object-size

Maximum size of objects to cache in kB. Set the value between 1-2147483 (or 1kB to just over 2GB). The default is set to 512000 (or 512MB).

Note that all objects retrieved that exceed the maximum size are still delivered to the client, but are not stored in the web cache. neg-resp-time

Period of time in minutes to cache negative responses. The default is set to 0, whereby no negative responses are cached. fresh-factor

Fresh factor as a percentage. For cached objects that have no expiry time, the web cache periodically checks the server to see if the object has expired; the higher the fresh factor, the less often the checks occur. Set the value between 1-100. The default is set to 100.

148 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. wanopt webcache

max-ttl

Maximum time-to-live in minutes, or the maximum amount of time an object can stay in the web cache without checking to see if it has expired on the server. Set the value between 1-5256000 (or one minute to ten years). The default is set to 7200 (or five days). min-ttl

Minimum time-to-live in minutes, or the minimum amount of time an object can stay in the web cache without checking to see if it has expired on the server. Set the value between 1-5256000 (or one minute to ten years). The default is set to 5. default-ttl

Default expiry time for objects that do not have any expiry time set by the wenb server. Set the value between 1- 5256000 (or one minute to ten years). The default is set to 1440 (or one day). ignore-ims {enable | disable}

By default, the time specified by the if-modified-since (IMS) header in the client's conditional request is greater than the last modified time of the object in the cache, it is a strong indication that the copy in the cache is stale. If so, HTTP does a conditional GET to the Overlay Caching Scheme (OCS), based on the last modified time of the cached object. Enable ignore-ims to override this behavior. The default is set to disable. ignore-conditional {enable | disable}

Enable or disable (by default) controlling the behaviour of cache-control header values. HTTP 1.1 provides additional controls to the client over the behaviour of caches concerning the staleness of the object. ignore-pnc {enable | disable}

Enable or disable (by default) ignoring pragma-no-cache (PNC) header requests, resulting in increased performance and a decrease in server-side bandwidth utilization. ignore-ie-reload {enable | disable}

Enable (by default) or disable ignoring the PNC interpretation of Internet Explorer Accept: / headers upon refresh. cache-expired {enable | disable}

Enable or disable (by default) the caching of type-1 objects that are already expired at the time of acquisition, so long as all other conditions are met to make the object cachable. cache-cookie {enable | disable}

Enable or disable (by default) caching of cookies. Typically an HTTP response with a cookie contains data for a specific user, so it's recommended to not enable cookie caching.

FortiCache 4.2.1 CLI Reference 149 Fortinet Technologies Inc. webcache wanopt

reval-pnc {enable | disable}

The PNC header in a client's request can affect efficiency from a bandwidth gain perspective. If you do not want to completely ignore PNC in client requests, you can lower the impact of the PNC by enabling reval-pnc. As a result, a client's non-conditional PNC-GET request results in a conditional GET request sent to the OCS if the object is already in the cache. This gives the OCS a chance to return the 304 Not Modified response, consuming less server-side bandwidth, because it has not been forced to return full content even though the contents have not actually changed.

The default is set to disable. Note that most download managers make byte-range requests with a PNC header. To serve such requests from the cache, it is recommended to set reval-pnc to enable. always-revalidate {enable | disable}

Enable or disable (by default) revalidation of requested cached objects with content on the server before serving it to the client. cache-by-default {enable | disable}

Enable or disable (by default) caching of content lacking an explicit caching policy from the server. host-validate {enable | disable}

Enable or disable (by default) validating Host: with the original server IP. ssl_algorithm {high | medium | low}

Determine the permitted encryption algorithms for SSL sessions according to strength:

l high: AES and 3DES.

l medium: AES, 3DES, and RC4 (set by default).

l low: AES, 3DES, RC4, and DES.

150 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. web-proxy

Use config web-proxy to configure the following web proxy related options:

debug-url explicit forward-server forward-server-group global profile url-match debug-url

Use this command to configure debug URL addresses. url-pattern

URL exemption pattern/address. status {enable | disable}

Enable (by default) or disable this URL exemption. exact {enable | disable}

Enable (by default) or disable matching the exact URL path. explicit

Use this command to configure explicit web proxy options, including the TCP port used by the explicit proxy. status {enable | disable}

Enable or disable (by default) the explicit web proxy for HTTP and HTTPS sessions. interface

Name of the interface.

FortiCache 4.2.1 CLI Reference 151 Fortinet Technologies Inc. explicit web-proxy

ftp-over-http {enable | disable}

Enable or disable (by default) FTP-over-HTTP, where the explicit proxy proxies FTP sessions sent from a web browser. Note that the explicit proxy only supports FTP with a web browser and not with a standalone FTP client. socks {enable | disable}

Enable or disable (by default) the explicit proxy to proxy SOCKS sessions sent from a web browser. http-incoming-port

Port number that HTTP traffic from client web browsers will use to connect to the explicit proxy. Note that explicit proxy users must configure their web browser’s HTTP proxy settings to use this port. The default is set to 8080. https-incoming-port

Port number that HTTPS traffic from client web browsers will use to connect to the explicit proxy. Note that explicit proxy users must configure their web browser’s HTTPS proxy settings to use this port. The default is set to 0, whereby it uses the same port as HTTP. incoming-ip

Incoming IPv4 IP address of a FortiCache interface that should accept sessions for the explicit web proxy. Entering an IP address restricts the explicit web proxy to only accept sessions from this particular interface. ipv6-status {enable | disable}

Enable or disable (by default) IPv6 web-proxy destination in policy. incoming-ip6

Note: This entry is only available when both status and ipv6-status are set to enable.

Incoming IPv6 IP address of a FortiCache interface that should accept sessions for the explicit web proxy. Entering an IP address restricts the explicit web proxy to only accept sessions from this particular interface. strict-guest {enable | disable}

Enable or disable (by default) strict guest user check in explicit proxy. pref-dns-result {ipv4 | ipv6}

Note: This entry is only available when both status and ipv6-status are set to enable.

Either IPv4 (set by default) or IPv6 DNS results preference. unknown-http-version {reject | best-effort}

Action to take when the proxy server must handle an unknown HTTP version request or message:

152 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. web-proxy explicit

l reject: Treats unknown HTTP traffic as malformed and drops it (set by default).

l best-effort: Attempts to handle the HTTP traffic as best as it can. realm

Name of an authentication realm to identify the explicit web proxy, up to a maximum of 63 characters. Enclose the realm's name in quotes if the it includes spaces. Only alphanumeric characters are permitted; no special characters. The default is set to default. sec-default-action {accept | deny}

Action to take if no explicit web proxy firewall policies have been created:

l accept: Accept the session.

l deny: Deny the session (set by default). To add firewall policies for the explicit web proxy, create a firewall policy and set the source interface to web-proxy under config firewall policy. https-replacement-message {enable | disable}

Enable (by default) or disable returning replacement messages for SSL requests by default. message-upon-server-error {enable | disable}

Enable (by default) or disable returning replacement messages upon server error detection. pac-file-server-status {enable | disable}

Enable or disable (by default) support for proxy auto-config (PAC). Once enabled, you can configure a PAC file on the FortiCache and distribute the URL of this file to your web browser users. These users can enter this URL as an automatic proxy configuration URL and their browsers will automatically download proxy configuration settings.

Note that you can view the pac-file-url by entering get. This value is determined by the FortiCache's IP address, the incoming port for HTTP, and the pac-file-name (see the default example below): http://:8080/proxy.pac pac-file-server-port

Note: This entry is only available when pac-file-server-status is set to enable.

Port number that PAC traffic from client web browsers use to connect to the explicit proxy. Note that explicit proxy users must configure their web browser’s PAC proxy settings to use this port. The default is set to 0, whereby it uses the same port as HTTP. pac-file-name

Note: This entry is only available when pac-file-server-status is set to enable.

Name of the PAC file. The default is set to proxy.pac.

FortiCache 4.2.1 CLI Reference 153 Fortinet Technologies Inc. forward-server web-proxy

pac-file-data

Note: This entry is only available when pac-file-server-status is set to enable.

Contents of the PAC file made available from the explicit proxy server for PAC support. Enclose the PAC file text in quotes. You can also copy the contents of a PAC text file and paste the contents into the CLI using this option. Enter the command, followed by two sets of quotes, and paste the file content within the quotes.

The maximum PAC file size is 8192 bytes. You can use any PAC file syntax that is supported by your users’s browsers. ssl-algorithm {high | medium | low}

Determine the permitted encryption algorithms for SSL sessions according to strength:

l high: AES and 3DES.

l medium: AES, 3DES, and RC4 (set by default).

l low: AES, 3DES, RC4, and DES. forward-server

Use this command to support explicit web proxy forwarding, also called proxy chaining. ip

Note: This entry is only available when addr-type is set to ip.

IP address of the forwarding proxy server. fqdn

Note: This entry is only available when addr-type is set to fqdn.

FQDN of the forwarding web proxy server. addr-type {ip | fqdn}

Proxy address type: IP (set by default) or FQDN. port

Port number that the forwarding web proxy server uses to receive HTTP sessions. The default is set to 3128. healthcheck {enable | disable}

Enable or disable (by default) proxy server health check. Health checking attempts to connect to a web server to make sure that the remote forwarding server is operating.

154 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. web-proxy forward-server-group

monitor

Note: This entry is only available when healthcheck is set to enable.

URL to use for health check monitoring. This would be a URL that the web proxy would attempt to connect to through the forwarding server. If the web proxy can’t connect to this URL it assumes the forwarding server is down. The default is set to http://www.google.com. server-down-option {block | pass}

Action to take when the forwarding proxy server is down:

l block: Block sessions until the server comes back up (set by default).

l pass: Allow sessions to connect to their destination. comment

Optional comments. forward-server-group

Use this command to configure a load-balanced group of web proxy forward servers. config server-list

Use this configuration method to configure weight load balancing for this server.

weight

Note: This entry is only available if ldb-method is set to enable prior to entering this configuration method.

Weight of this server for load balancing. Set the value between 1-100. The default is set to 10. affinity {enable | disable}

Enable (by default) or disable attaching the source-ip's traffic to assigned forward-server until the forward- server-affinity-timeout is reached (see config web-proxy global). ldb-method {weighted | least-session}

Load-balancing method:

l weighted: Distribute to server based on weight (set by default).

l least-session: Distribute to server with lowest session-count. group-down-option {block | pass}

Action to take if all forward servers are down: block traffic (set by default) or pass traffic through.

FortiCache 4.2.1 CLI Reference 155 Fortinet Technologies Inc. global web-proxy global

Use this command to configure settings that control how the web proxy functions and handles web traffic. In most cases you should not have to change the default settings of this command.. proxy-fqdn

FQDN for the proxy; the domain that clients connect to. The default is set to default.fqdn. max-request-length

Maximum length of the HTTP request line in kB. Set the value between 2-64. The default is set to 4. max-message-length

Maximum length of the HTTP message (not including body) in kB. Set the value between 16-256. The default is set to 32. strict-web-check {enable | disable}

Enable or disable (by default) strict web checking. If enabled, web sites that send incorrect headers that do not conform to HTTP 1.1 are blocked. If disabled, websites that send the incorrect headers are allowed and cached. forward-proxy-auth {enable | disable}

Enable or disable (by default) forwarding proxy authentication headers. tunnel-non-http {enable | disable}

Enable (by default) or disable allowing non-HTTP traffic. unknown-http-version {reject | tunnel | best-effort}

Action to take if the HTTP version is unknown:

l reject: Reject the traffic.

l tunnel: Tunnel the traffic.

l best-effort: Proceed with best-effort (set by default). forward-server-affinity-timeout

Period of time in minutes that the source-ip's traffic will remain attached to the assigned forward-server. Set the value between 6-60 (or six minutes to one hour). The default is set to 30. webproxy-profile

Name of the web proxy profile to use when there are no matching policies.

156 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. web-proxy profile

explicit-outgoing-ip

Outgoing HTTP requests by the explicit web proxy will leave this IP. Note that an interface must have this IPv4 IP address. explicit-outgoing-ip6

Outgoing HTTP requests by the explicit web proxy will leave this IP. Note that an interface must have this IPv6 IP address. profile

Use this command to configure web proxy profiles that control how the web proxy functions and handles web traffic. config headers

Use this configuration method to create and edit headers and add actions.

name

HTTP forwarded header name.

action {add-to-request | add-to-response | remove-from-request | remove-from-response}

Header action. The default is set to add-to-request.

content

Header content. header-client-ip {pass | add | remove}

Action to take on client IP header in forwarded requests. The default is se to pass. header-via-request {pass | add | remove}

Action to take on via-request header in forwarded requests. The default is se to pass. header-via-response {pass | add | remove}

Action to take on via-response header in forwarded requests. The default is se to pass. header-x-forwarded-for {pass | add | remove}

Action to take on x-forwarded-for header in forwarded requests. The default is se to pass.

FortiCache 4.2.1 CLI Reference 157 Fortinet Technologies Inc. url-match web-proxy

header-front-end-https {pass | add | remove}

Action to take on front-end-https header in forwarded requests. The default is se to pass. url-match

Use this command to define URLs for forward-matching or cache exemption. status {enable | disable}

Enable (by default) or disable per-URL pattern web proxy forwarding and cache exemptions. url-pattern

URL pattern. forward-server

Name of the forward server. cache-exemption {enable | disable}

Enable or disable (by default) cache exemption, whereby this URL pattern will be exempted from caching. comment

Optional comments.

158 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. webfilter

Use config webfilter to configure the following web filter related options:

content content-header fortiguard ftgd-local-cat ftgd-local-rating override profile search-engine urlfilter content

Use this command to control web content by blocking or exempting words, phrases, or patterns. Each time a block match is found, values assigned to the pattern are totalled. If a user-defined threshold value is exceeded, the web page is blocked.

When a single word is entered, web pages are checked for that word. Add phrases by enclosing the phrase in ‘single quotes’.

When a phrase is entered, web pages are checked for any word in the phrase. Add exact phrases by enclosing the phrases in “quotation marks”.

Create patterns using wildcards or Perl regular expressions.

Note: Perl regular expression patterns are case sensitive for web content filtering. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances of bad language, regardless of case. Wildcard patterns are not case sensitive. config entries

Use this configuration method to configure specific options such as language, score, and action to take when a match occurs.

pattern-type {wildcard | regexp}

Pattern type for the content: perl regular expression or wildcard (set by default).

status {enable | disable}

Enable or disable (by default) the content entry.

FortiCache 4.2.1 CLI Reference 159 Fortinet Technologies Inc. content-header webfilter

lang {western | simch | trach | japanese | korean | french | thai | spanish | cyrillic}

Language character set used for the content: Western (American-English; set by default), Simplified Chinese, Traditional Chinese, Japanese, Korean, French, Thai, Spanish, or Cyrillic.

score

Numerical weighting applied to the content which is used to add up to a total for a web page's overall score; if the total is greater than the bwordthreshold entry (see config webfilter profile), the page is processed according to the banned word options set in the web filter profile. The score for banned content is counted once even if it appears multiple times on the web page. The default is set to 10.

action {block | exempt}

Determine whether to block (set by default) or exempt the web page if the pattern matches.

If the pattern matches and is blocked, the score is added to the total for the web page. The page is blocked if the total score of the web page exceeds the web content block threshold defined in the web filter profile.

If the pattern matches and is exempted, the web page will not be blocked even if there are matching block entries. name

Name of the banned word list. comment

Optional comments. content-header

Use this command to filter web content according to the MIME content header. You can use this feature to broadly block content by type, but it is also useful to exempt audio and video streaming files from antivirus scanning, as scanning these file types can be problematic. config entries

Use this configuration method to create and edit pattern match entries.

action {block | allow | exempt}

Action to take when a pattern match occurs:

l block: If the pattern matches, block the content.

l allow: If the pattern matches, permit the content.(set by default).

l exempt: If the pattern matches, exempt the content from antivirus scanning.

category {1 | 2 | 3 | ... }

FortiGuard category to match. To enter multiple categories, separate each entry with a space.

160 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. webfilter fortiguard

To see the full list of available categories, enter set category ?. name

Name of the content header list. comment

Optional comments. fortiguard

Use this command to enable web filtering by specific categories using FortiGuard web URL filtering. cache-mode {ttl | db-ver}

Cache entry expiration mode:

l ttl: Cache entries are deleted after a number of seconds determined by the cache-ttl value (see config system fortiguard) (set by default).

l db-ver: Cache entries are kept until the FortiGuard database changes, or until newer cache entries forice the removal of older ones. cache-prefix-match {enable | disable}

Enable (by default) or disable prefix matching. cache-mem-percent

Maximum percentage of memory the cache will use. Set the value between 1-15. The default is set to 2. ovrd-auth-port-http

Port number to use for FortiGuard web filter HTTP override authentication. The default is set to 8008. ovrd-auth-port-https

Port number to use for FortiGuard web filter HTTPS override authentication. The default is set to 8010. ovrd-auth-port-warning

Port number to use for FortiGuard web filter warning override authentication. The default is set to 8020. ovrd-auth-https {enable | disable}

Enable (by default) or disable using HTTPS for override authentication.

FortiCache 4.2.1 CLI Reference 161 Fortinet Technologies Inc. ftgd-local-cat webfilter

warn-auth-https {enable | disable}

Enable (by default) or disable using HTTPS for warning and authentication. close-ports {enable | disable}

Enable or disable (by default) closing ports used for HTTP and/or HTTPS authentication. Enabling this entry also disables user overrides. request-packet-size-limit

Maximum packet size in bytes. This can be useful as, in some cases, FortiGuard request packets may be dropped due to IP fragmentation. Set the value between 576-10000 (or 576 bytes to 10kB). The default is set to 0, which actually uses the default size of 1,100 bytes. ovrd-auth-hostname

Host name to use for FortiGuard web filter HTTPS override authentication. ovrd-auth-cert

Certificate name to use for FortiGuard web filter HTTPS override authentication. The default is set to Fortinet_ Firmware. ftgd-local-cat

Use this command to add local categories to the global URL category list. The categories defined here appear in the global URL category list when configuring a web filter profile. Users can rate URLs based on the local categories. id

Local category unique ID number. The default is set to 140. ftgd-local-rating

Use this command to rate URLs using local categories. Users can create user-defined categories then specify the URLs that belong to the category. This allows users to block groups of web sites on a per profile basis. The user can also specify whether the local rating is used in conjunction with the FortiGuard rating or is used as an override. status {enable | disable}

Enable (by default) or disable the local rating.

162 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. webfilter override

rating {1 | 2 | 3 | ... }

Categories and/or groups. To enter multiple codes, separate each entry with a space.

To view the full list of codes and categories, enter set rating ?. override

Use this command to configure FortiGuard web filter administrative overrides. status {enable | disable}

Enable or disable (by default) the override rule. scope {user | user-group | ip | ip6}

Scope of the override rule. The default is set to user. user

Note: This entry is only available when scope is set to user.

Name of the user that the override rule applies. user-group

Note: This entry is only available when scope is set to user-group.

Name of the user group that the override rule applies. ip

Note: This entry is only available when scope is set to ip.

IPv4 IP address that the override rule applies. old-profile

Name of the web filter profile that the override rule applies. Note that this entry and the new-profile entry cannot be set to the same profile. new-profile

Name of the new web filter profile that the override rule applies. Note that this entry and the old-profile entry cannot be set to the same profile.

FortiCache 4.2.1 CLI Reference 163 Fortinet Technologies Inc. profile webfilter

ip6

Note: This entry is only available when scope is set to ip6.

IPv6 IP address that the override rule applies. expires

Date and time the override expires in the format yyyy/mm/dd hh:mm:ss. Set the value between five minutes from now to 365 days in the future. initiator

Initiating user of the override; admin (set by default) is the only available option. profile

Use this command to configure UTM FortiGuard web filtering profiles for firewall policies. config override

Use this configuration method to configure web filtering overrides.

ovrd-scope {user | user-group | ip | ask}

Scope of the web filtering override: either override for the user (set by default), for a user group, for the initiating IP address, or ask for scope when initiating an override.

profile-type {list | radius}

Profile type: If the override profile is chosen from a list, set to list (set by default). If the profile is determined by a RADIUS server, set to radius.

ovrd-dur-mode {constant | ask}

FortiGuard web filtering duration type:

l constant: as specified in the max-quota-timeout entry under config ftgd-wf (set by default).

l ask: Ask for duration when initiating override.

ovrd-dur

FortiGuard web filtering override duration in days, hours, and minutes, in any order. For example, 200d12h45m for 200 days, 12 hours, and 45 minutes. Set the value up to a maximum of 364d23h59m. The default is set to 15m.

profile-attribute

Note: This entry is only available when profile-type is set to radius.

Name of the profile attribute to retrieve from the RADIUS server. The default is set to Login-LAT-Service.

164 FortiCache 4.2.1 CLI Reference Fortinet Technologies Inc. webfilter profile

ovrd-user-group

Names of user groups that can be used for FortiGuard web filter overrides. To enter multiple groups, separate each entry with a space.

profile

Note: This entry is only available when profile-type is set to list.

Name of the web profile. config web

Use this configuration method to specify the web content filtering the web URL filtering lists to use with the web filtering profile and set other configuration setting such as the web content filter threshold.

bword-threshold

If the combined scores of the web content filter patterns appearing in a web page exceed the threshold value, the web page is blocked. Set the value between 0-2147483647. The default is set to 10.

bword-table

Name of the web content filter list to use with the web filtering profile. The default is set to 0.

urlfilter-table

Name of the URL filter list to use with the web filtering profile. The default is set to 0.

content-header-list

Content header list. The default is set to 0.

safe-search {url | header}

Determine whether safe search is based on the request URL or the header.

youtube-edu-filter-id

Note: This entry is only available when safe-search is set to header.

Account ID for the YouTube Education Filter.

log-search {enable | disable}

Enable or disable (by default) logging of all search phrases.

keyword-match

Search keywords to log. config ftgd-wf

Use this configuration method to configure FortiGuard web filtering options.

FortiCache 4.2.1 CLI Reference 165 Fortinet Technologies Inc. profile webfilter

config filters

Use this configuration method to .

category {1 | 2 | 3 | ... }

Categories and groups the filter will examine. To enter multiple categories and groups, separate each entry with a space. The default is set to 0.

action {block | authenticate | monitor | warning}

Action to take for matches:

l block: Prevent the user from loading the web page.

l authenticate: Permit authenticated users to load the web page.

l monitor: Permit the user to load the web page but log the action (set by default).

l warning: Require that the user acknowledge a warning before they can proceed.

log {enable | disable}

Enable (by default) or disable logging for this filter.

config quota

Use this configuration method to configure FortiGuard quotas.