Module fortigate ¶

attribute fortigate::common::enable_disable_t? allow_routing=null¶: Enable/disable use of this address in the static route configuration. enable:Enable use of this address in the static route configuration. disable:Disable use of this address in the static route configuration.

attribute fortigate::firewall_address::associated_interface? associated_interface=null¶: Network interface associated with address.

attribute fortigate::firewall_address::cache_ttl? cache_ttl=null¶: Defines the minimal TTL of individual IP addresses in FQDN cache measured in seconds.

attribute fortigate::firewall_address::clearpass_spt? clearpass_spt=null¶: SPT (System Posture Token) value. unknown:UNKNOWN. healthy:HEALTHY. quarantine:QUARANTINE. checkup:CHECKUP. transient:TRANSIENT. infected:INFECTED.

attribute fortigate::firewall_address::color? color=null¶: Color of icon on the GUI.

attribute fortigate::firewall_address::comment? comment=null¶: Comment.

attribute fortigate::firewall_address::country? country=null¶: IP addresses associated to a specific country.

attribute string? end_ip=null¶: Final IP address (inclusive) in the range for the address.

attribute fortigate::firewall_address::epg_name? epg_name=null¶: Endpoint group name.

attribute fortigate::common::enable_disable_t? fabric_object=null¶: Security Fabric global object setting. enable:Object is set as a security fabric-wide global object. disable:Object is local to this security fabric member.

attribute fortigate::firewall_address::filter? filter=null¶: Match criteria filter.

attribute fortigate::firewall_address::fqdn? fqdn=null¶: Fully Qualified Domain Name address.

attribute fortigate::firewall_address::interface? interface=null¶: Name of interface whose IP address is to be used.

attribute fortigate::common::name_t name¶: Address name.

attribute fortigate::common::enable_disable_t? node_ip_only=null¶: Enable/disable collection of node addresses only in Kubernetes. enable:Enable collection of node addresses only in Kubernetes. disable:Disable collection of node addresses only in Kubernetes.

attribute fortigate::firewall_address::obj_id? obj_id=null¶: Object ID for NSX.

attribute fortigate::firewall_address::obj_tag? obj_tag=null¶: Tag of dynamic address object.

attribute fortigate::firewall_address::obj_type? obj_type=null¶: Object type. ip:IP address. mac:MAC address

attribute fortigate::firewall_address::organization? organization=null¶: Organization domain name (Syntax: organization/domain).

attribute fortigate::firewall_address::policy_group? policy_group=null¶: Policy group name.

attribute fortigate::firewall_address::sdn? sdn=null¶: SDN.

attribute fortigate::firewall_address::sdn_addr_type? sdn_addr_type=null¶: Type of addresses to collect. private:Collect private addresses only. public:Collect public addresses only. all:Collect both public and private addresses.

attribute fortigate::firewall_address::sdn_tag? sdn_tag=null¶: SDN Tag.

attribute string? start_ip=null¶: First IP address (inclusive) in the range for the address.

attribute fortigate::firewall_address::sub_type? sub_type=null¶: Sub-type of address. sdn:SDN address. clearpass-spt:ClearPass SPT (System Posture Token) address. fsso:FSSO address. ems-tag:FortiClient EMS tag. fortivoice-tag:FortiVoice tag. fortinac-tag:FortiNAC tag. fortipolicy-tag:FortiPolicy tag. swc-tag:Switch Controller NAC policy tag.

attribute string? subnet=null¶: IP address and subnet mask of address.

attribute fortigate::firewall_address::subnet_name? subnet_name=null¶: Subnet name.

attribute fortigate::firewall_address::tag_detection_level? tag_detection_level=null¶: Tag detection level of dynamic address object.

attribute fortigate::firewall_address::tag_type? tag_type=null¶: Tag type of dynamic address object.

attribute fortigate::firewall_address::tenant? tenant=null¶: Tenant.

attribute fortigate::firewall_address::type? type=null¶: Type of address. ipmask:Standard IPv4 address with subnet mask. iprange:Range of IPv4 addresses between two specified addresses (inclusive). fqdn:Fully Qualified Domain Name address. geography:IP addresses from a specified country. wildcard:Standard IPv4 using a wildcard subnet mask. dynamic:Dynamic address object. interface-subnet:IP and subnet of interface. mac:Range of MAC addresses.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

attribute string? wildcard=null¶: IP address and wildcard netmask.

attribute fortigate::firewall_address::wildcard_fqdn? wildcard_fqdn=null¶: Fully Qualified Domain Name with wildcard characters. :rel fsso_group: :rel list: :rel macaddr: :rel tagging:

relation fortigate::firewall_address::FssoGroup fsso_group [0:*]¶: other end: fortigate::firewall_address::FssoGroup._parent [1]

relation fortigate::firewall_address::List list [0:*]¶: other end: fortigate::firewall_address::List._parent [1]

relation fortigate::firewall_address::Macaddr macaddr [0:*]¶: other end: fortigate::firewall_address::Macaddr._parent [1]

relation fortigate::firewall_address::Tagging tagging [0:*]¶: other end: fortigate::firewall_address::Tagging._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::Address6¶

attribute fortigate::firewall_address6::cache_ttl? cache_ttl=null¶: Minimal TTL of individual IPv6 addresses in FQDN cache.

attribute fortigate::firewall_address6::color? color=null¶: Integer value to determine the color of the icon in the GUI (range 1 to 32, default = 0, which sets the value to 1).

attribute fortigate::firewall_address6::comment? comment=null¶: Comment.

attribute fortigate::firewall_address6::country? country=null¶: IPv6 addresses associated to a specific country.

attribute string? end_ip=null¶: Final IP address (inclusive) in the range for the address (format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).

attribute fortigate::firewall_address6::epg_name? epg_name=null¶: Endpoint group name.

attribute fortigate::common::enable_disable_t? fabric_object=null¶: Security Fabric global object setting. enable:Object is set as a security fabric-wide global object. disable:Object is local to this security fabric member.

attribute fortigate::firewall_address6::fqdn? fqdn=null¶: Fully qualified domain name.

attribute string? host=null¶: Host Address.

attribute fortigate::firewall_address6::host_type? host_type=null¶: Host type. any:Wildcard. specific:Specific host address.

attribute string? ip6=null¶: IPv6 address prefix (format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx).

attribute fortigate::common::name_t name¶: Address name.

attribute fortigate::firewall_address6::obj_id? obj_id=null¶: Object ID for NSX.

attribute fortigate::firewall_address6::sdn? sdn=null¶: SDN.

attribute fortigate::firewall_address6::sdn_tag? sdn_tag=null¶: SDN Tag.

attribute string? start_ip=null¶: First IP address (inclusive) in the range for the address (format: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx).

attribute fortigate::firewall_address6::template? template=null¶: IPv6 address template.

attribute fortigate::firewall_address6::tenant? tenant=null¶: Tenant.

attribute fortigate::firewall_address6::type? type=null¶: Type of IPv6 address object (default = ipprefix). ipprefix:Uses the IP prefix to define a range of IPv6 addresses. iprange:Range of IPv6 addresses between two specified addresses (inclusive). fqdn:Fully qualified domain name. geography:IPv6 addresses from a specified country. dynamic:Dynamic address object for SDN. template:Template. mac:Range of MAC addresses.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset). :rel list: :rel macaddr: :rel subnet_segment: :rel tagging:

relation fortigate::firewall_address6::List list [0:*]¶: other end: fortigate::firewall_address6::List._parent [1]

relation fortigate::firewall_address6::Macaddr macaddr [0:*]¶: other end: fortigate::firewall_address6::Macaddr._parent [1]

relation fortigate::firewall_address6::SubnetSegment subnet_segment [0:*]¶: other end: fortigate::firewall_address6::SubnetSegment._parent [1]

relation fortigate::firewall_address6::Tagging tagging [0:*]¶: other end: fortigate::firewall_address6::Tagging._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::AddressGroup¶

attribute fortigate::common::enable_disable_t? allow_routing=null¶: Enable/disable use of this group in the static route configuration. enable:Enable use of this group in the static route configuration. disable:Disable use of this group in the static route configuration.

attribute fortigate::firewall_addrgrp::category? category=null¶: Address group category. default:Default address group category (cannot be used as ztna-ems-tag/ztna-geo-tag in policy). ztna-ems-tag:Members must be ztna-ems-tag group or ems-tag address, can be used as ztna-ems-tag in policy. ztna-geo-tag:Members must be ztna-geo-tag group or geographic address, can be used as ztna-geo-tag in policy.

attribute fortigate::firewall_addrgrp::color? color=null¶: Color of icon on the GUI.

attribute fortigate::firewall_addrgrp::comment? comment=null¶: Comment.

attribute fortigate::common::enable_disable_t? exclude=null¶: Enable/disable address exclusion. enable:Enable address exclusion. disable:Disable address exclusion.

attribute fortigate::common::enable_disable_t? fabric_object=null¶: Security Fabric global object setting. enable:Object is set as a security fabric-wide global object. disable:Object is local to this security fabric member.

attribute fortigate::common::name_t name¶: Address group name.

attribute fortigate::firewall_addrgrp::type? type=null¶: Address group type. default:Default address group type (address may belong to multiple groups). folder:Address folder group (members may not belong to any other group).

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset). :rel exclude_member: :rel member: :rel tagging:

relation fortigate::firewall_addrgrp::ExcludeMember exclude_member [0:*]¶: other end: fortigate::firewall_addrgrp::ExcludeMember._parent [1]

relation fortigate::firewall_addrgrp::Member member [0:*]¶: other end: fortigate::firewall_addrgrp::Member._parent [1]

relation fortigate::firewall_addrgrp::Tagging tagging [0:*]¶: other end: fortigate::firewall_addrgrp::Tagging._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::AddressGroup6¶

attribute fortigate::firewall_addrgrp6::color? color=null¶: Integer value to determine the color of the icon in the GUI (1 - 32, default = 0, which sets the value to 1).

attribute fortigate::firewall_addrgrp6::comment? comment=null¶: Comment.

attribute fortigate::common::enable_disable_t? fabric_object=null¶: Security Fabric global object setting. enable:Object is set as a security fabric-wide global object. disable:Object is local to this security fabric member.

attribute fortigate::common::name_t name¶: IPv6 address group name.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset). :rel member: :rel tagging:

relation fortigate::firewall_addrgrp6::Member member [0:*]¶: other end: fortigate::firewall_addrgrp6::Member._parent [1]

relation fortigate::firewall_addrgrp6::Tagging tagging [0:*]¶: other end: fortigate::firewall_addrgrp6::Tagging._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::BGP¶

attribute fortigate::common::enable_disable_t? additional_path=null¶: Enable/disable selection of BGP IPv4 additional paths. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? additional_path6=null¶: Enable/disable selection of BGP IPv6 additional paths. enable:Enable setting. disable:Disable setting.

attribute fortigate::router_bgp::additional_path_select? additional_path_select=null¶: Number of additional paths to be selected for each IPv4 NLRI.

attribute fortigate::router_bgp::additional_path_select6? additional_path_select6=null¶: Number of additional paths to be selected for each IPv6 NLRI.

attribute fortigate::router_bgp::additional_path_select_vpnv4? additional_path_select_vpnv4=null¶: Number of additional paths to be selected for each VPNv4 NLRI.

attribute fortigate::common::enable_disable_t? additional_path_vpnv4=null¶: Enable/disable selection of BGP VPNv4 additional paths. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? always_compare_med=null¶: Enable/disable always compare MED. enable:Enable setting. disable:Disable setting.

attribute string asn¶: Router AS number, asplain/asdot/asdot+ format, 0 to disable BGP.

attribute fortigate::common::enable_disable_t? bestpath_as_path_ignore=null¶: Enable/disable ignore AS path. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? bestpath_cmp_confed_aspath=null¶: Enable/disable compare federation AS path length. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? bestpath_cmp_routerid=null¶: Enable/disable compare router ID for identical EBGP paths. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? bestpath_med_confed=null¶: Enable/disable compare MED among confederation paths. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? bestpath_med_missing_as_worst=null¶: Enable/disable treat missing MED as least preferred. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? client_to_client_reflection=null¶: Enable/disable client-to-client route reflection. enable:Enable setting. disable:Disable setting.

attribute string? cluster_id=null¶: Route reflector cluster ID.

attribute fortigate::router_bgp::confederation_identifier? confederation_identifier=null¶: Confederation identifier.

attribute fortigate::common::enable_disable_t? dampening=null¶: Enable/disable route-flap dampening. enable:Enable setting. disable:Disable setting.

attribute fortigate::router_bgp::dampening_max_suppress_time? dampening_max_suppress_time=null¶: Maximum minutes a route can be suppressed.

attribute fortigate::router_bgp::dampening_reachability_half_life? dampening_reachability_half_life=null¶: Reachability half-life time for penalty (min).

attribute fortigate::router_bgp::dampening_reuse? dampening_reuse=null¶: Threshold to reuse routes.

attribute fortigate::router_bgp::dampening_route_map? dampening_route_map=null¶: Criteria for dampening.

attribute fortigate::router_bgp::dampening_suppress? dampening_suppress=null¶: Threshold to suppress routes.

attribute fortigate::router_bgp::dampening_unreachability_half_life? dampening_unreachability_half_life=null¶: Unreachability half-life time for penalty (min).

attribute fortigate::router_bgp::default_local_preference? default_local_preference=null¶: Default local preference.

attribute fortigate::common::enable_disable_t? deterministic_med=null¶: Enable/disable enforce deterministic comparison of MED. enable:Enable setting. disable:Disable setting.

attribute fortigate::router_bgp::distance_external? distance_external=null¶: Distance for routes external to the AS.

attribute fortigate::router_bgp::distance_internal? distance_internal=null¶: Distance for routes internal to the AS.

attribute fortigate::router_bgp::distance_local? distance_local=null¶: Distance for routes local to the AS.

attribute fortigate::common::enable_disable_t? ebgp_multipath=null¶: Enable/disable EBGP multi-path. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? enforce_first_as=null¶: Enable/disable enforce first AS for EBGP routes. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? fast_external_failover=null¶: Enable/disable reset peer BGP session if link goes down. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? graceful_end_on_timer=null¶: Enable/disable to exit graceful restart on timer only. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? graceful_restart=null¶: Enable/disable BGP graceful restart capabilities. enable:Enable setting. disable:Disable setting.

attribute fortigate::router_bgp::graceful_restart_time? graceful_restart_time=null¶: Time needed for neighbors to restart (sec).

attribute fortigate::router_bgp::graceful_stalepath_time? graceful_stalepath_time=null¶: Time to hold stale paths of restarting neighbor (sec).

attribute fortigate::router_bgp::graceful_update_delay? graceful_update_delay=null¶: Route advertisement/selection delay after restart (sec).

attribute fortigate::router_bgp::holdtime_timer? holdtime_timer=null¶: Number of seconds to mark peer as dead.

attribute fortigate::common::enable_disable_t? ibgp_multipath=null¶: Enable/disable IBGP multi-path. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? ignore_optional_capability=null¶: Do not send unknown optional capability notification message. enable:Enable setting. disable:Disable setting.

attribute fortigate::router_bgp::keepalive_timer? keepalive_timer=null¶: Frequency to send keep alive requests.

attribute fortigate::common::enable_disable_t? log_neighbour_changes=null¶: Log BGP neighbor changes. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? multipath_recursive_distance=null¶: Enable/disable use of recursive distance to select multipath. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? network_import_check=null¶: Enable/disable ensure BGP network route exists in IGP. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? recursive_inherit_priority=null¶: Enable/disable priority inheritance for recursive resolution. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? recursive_next_hop=null¶: Enable/disable recursive resolution of next-hop using BGP route. enable:Enable setting. disable:Disable setting.

attribute string? router_id=null¶: Router ID.

attribute fortigate::router_bgp::scan_time? scan_time=null¶: Background scanner interval (sec), 0 to disable it.

attribute fortigate::common::enable_disable_t? synchronization=null¶: Enable/disable only advertise routes from iBGP if routes present in an IGP. enable:Enable setting. disable:Disable setting.

attribute fortigate::router_bgp::tag_resolve_mode? tag_resolve_mode=null¶: Configure tag-match mode. Resolves BGP routes with other routes containing the same tag. disable:Disable tag-match mode. preferred:Use tag-match if a BGP route resolution with another route containing the same tag is successful. merge:Merge tag-match with best-match if they are using different routes. The result will exclude the next hops of tag-match whose interfaces have appeared in best-match. :rel admin_distance: :rel aggregate_address: :rel aggregate_address6: :rel confederation_peers: :rel neighbor: :rel neighbor_group: :rel neighbor_range: :rel neighbor_range6: :rel network: :rel network6: :rel redistribute: :rel redistribute6: :rel vrf: :rel vrf6:

relation fortigate::router_bgp::AdminDistance admin_distance [0:*]¶: other end: fortigate::router_bgp::AdminDistance._parent [1]

relation fortigate::router_bgp::AggregateAddress aggregate_address [0:*]¶: other end: fortigate::router_bgp::AggregateAddress._parent [1]

relation fortigate::router_bgp::AggregateAddress6 aggregate_address6 [0:*]¶: other end: fortigate::router_bgp::AggregateAddress6._parent [1]

relation fortigate::router_bgp::ConfederationPeers confederation_peers [0:*]¶: other end: fortigate::router_bgp::ConfederationPeers._parent [1]

relation fortigate::router_bgp::Neighbor neighbor [0:*]¶: other end: fortigate::router_bgp::Neighbor._parent [1]

relation fortigate::router_bgp::NeighborGroup neighbor_group [0:*]¶: other end: fortigate::router_bgp::NeighborGroup._parent [1]

relation fortigate::router_bgp::NeighborRange neighbor_range [0:*]¶: other end: fortigate::router_bgp::NeighborRange._parent [1]

relation fortigate::router_bgp::NeighborRange6 neighbor_range6 [0:*]¶: other end: fortigate::router_bgp::NeighborRange6._parent [1]

relation fortigate::router_bgp::Network network [0:*]¶: other end: fortigate::router_bgp::Network._parent [1]

relation fortigate::router_bgp::Network6 network6 [0:*]¶: other end: fortigate::router_bgp::Network6._parent [1]

relation fortigate::router_bgp::Redistribute redistribute [0:*]¶: other end: fortigate::router_bgp::Redistribute._parent [1]

relation fortigate::router_bgp::Redistribute6 redistribute6 [0:*]¶: other end: fortigate::router_bgp::Redistribute6._parent [1]

relation fortigate::router_bgp::Vrf vrf [0:*]¶: other end: fortigate::router_bgp::Vrf._parent [1]

relation fortigate::router_bgp::Vrf6 vrf6 [0:*]¶: other end: fortigate::router_bgp::Vrf6._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::DosPolicy¶

attribute fortigate::firewall__dos_policy::comments? comments=null¶: Comment.

attribute fortigate::firewall__dos_policy::interface? interface=null¶: Incoming interface name from available interfaces.

attribute fortigate::firewall__dos_policy::name? name=null¶: Policy name.

attribute fortigate::firewall__dos_policy::policyid policyid¶: Policy ID.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this policy. enable:Enable this policy. disable:Disable this policy. :rel anomaly: :rel dstaddr: :rel service: :rel srcaddr:

relation fortigate::firewall__dos_policy::Anomaly anomaly [0:*]¶: other end: fortigate::firewall__dos_policy::Anomaly._parent [1]

relation fortigate::firewall__dos_policy::Dstaddr dstaddr [0:*]¶: other end: fortigate::firewall__dos_policy::Dstaddr._parent [1]

relation fortigate::firewall__dos_policy::Service service [0:*]¶: other end: fortigate::firewall__dos_policy::Service._parent [1]

relation fortigate::firewall__dos_policy::Srcaddr srcaddr [0:*]¶: other end: fortigate::firewall__dos_policy::Srcaddr._parent [1]

relation fortigate::base::DosPolicyRange parent [0:1]¶: other end: fortigate::base::DosPolicyRange.policies [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_parent_policyid_consistency constraint true

entity fortigate::DosPolicy6¶

attribute fortigate::firewall__dos_policy6::comments? comments=null¶: Comment.

attribute fortigate::firewall__dos_policy6::interface? interface=null¶: Incoming interface name from available interfaces.

attribute fortigate::firewall__dos_policy6::name? name=null¶: Policy name.

attribute fortigate::firewall__dos_policy6::policyid policyid¶: Policy ID.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this policy. enable:Enable this policy. disable:Disable this policy. :rel anomaly: :rel dstaddr: :rel service: :rel srcaddr:

relation fortigate::firewall__dos_policy6::Anomaly anomaly [0:*]¶: other end: fortigate::firewall__dos_policy6::Anomaly._parent [1]

relation fortigate::firewall__dos_policy6::Dstaddr dstaddr [0:*]¶: other end: fortigate::firewall__dos_policy6::Dstaddr._parent [1]

relation fortigate::firewall__dos_policy6::Service service [0:*]¶: other end: fortigate::firewall__dos_policy6::Service._parent [1]

relation fortigate::firewall__dos_policy6::Srcaddr srcaddr [0:*]¶: other end: fortigate::firewall__dos_policy6::Srcaddr._parent [1]

relation fortigate::base::DosPolicy6Range parent [0:1]¶: other end: fortigate::base::DosPolicy6Range.policies [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_parent_policyid_consistency constraint true

entity fortigate::Interface¶

attribute fortigate::system_interface::ac_name? ac_name=null¶: PPPoE server name.

attribute fortigate::system_interface::aggregate? aggregate=null¶: Aggregate interface.

attribute fortigate::system_interface::aggregate_type? aggregate_type=null¶: Type of aggregation. physical:Physical interface aggregation. vxlan:VXLAN interface aggregation.

attribute fortigate::system_interface::algorithm? algorithm=null¶: Frame distribution algorithm. L2:Use layer 2 address for distribution. L3:Use layer 3 address for distribution. L4:Use layer 4 information for distribution. Source-MAC:Use source MAC address for distribution.

attribute fortigate::system_interface::alias? alias=null¶: Alias will be displayed with the interface name to make it easier to distinguish.

attribute fortigate::system_interface::allowaccess[]? allowaccess=null¶: Permitted types of management access to this interface. ping:PING access. https:HTTPS access. ssh:SSH access. snmp:SNMP access. http:HTTP access. telnet:TELNET access. fgfm:FortiManager access. radius-acct:RADIUS accounting access. probe-response:Probe access. fabric:Security Fabric access. ftm:FTM access. speed-test:Speed test access.

attribute fortigate::common::enable_disable_t? ap_discover=null¶: Enable/disable automatic registration of unknown FortiAP devices. enable:Enable automatic registration of unknown FortiAP devices. disable:Disable automatic registration of unknown FortiAP devices.

attribute fortigate::common::enable_disable_t? arpforward=null¶: Enable/disable ARP forwarding. enable:Enable ARP forwarding. disable:Disable ARP forwarding.

attribute fortigate::system_interface::auth_cert? auth_cert=null¶: HTTPS server certificate.

attribute fortigate::system_interface::auth_portal_addr? auth_portal_addr=null¶: Address of captive portal.

attribute fortigate::system_interface::auth_type? auth_type=null¶: PPP authentication type to use. auto:Automatically choose authentication. pap:PAP authentication. chap:CHAP authentication. mschapv1:MS-CHAPv1 authentication. mschapv2:MS-CHAPv2 authentication.

attribute fortigate::common::enable_disable_t? auto_auth_extension_device=null¶: Enable/disable automatic authorization of dedicated Fortinet extension device on this interface. enable:Enable automatic authorization of dedicated Fortinet extension device on this interface. disable:Disable automatic authorization of dedicated Fortinet extension device on this interface.

attribute fortigate::system_interface::bandwidth_measure_time? bandwidth_measure_time=null¶: Bandwidth measure time.

attribute fortigate::system_interface::bfd? bfd=null¶: Bidirectional Forwarding Detection (BFD) settings. global:BFD behavior of this interface will be based on global configuration. enable:Enable BFD on this interface and ignore global configuration. disable:Disable BFD on this interface and ignore global configuration.

attribute fortigate::system_interface::bfd_desired_min_tx? bfd_desired_min_tx=null¶: BFD desired minimal transmit interval.

attribute fortigate::system_interface::bfd_detect_mult? bfd_detect_mult=null¶: BFD detection multiplier.

attribute fortigate::system_interface::bfd_required_min_rx? bfd_required_min_rx=null¶: BFD required minimal receive interval.

attribute fortigate::common::enable_disable_t? broadcast_forward=null¶: Enable/disable broadcast forwarding. enable:Enable broadcast forwarding. disable:Disable broadcast forwarding.

attribute fortigate::system_interface::cli_conn_status? cli_conn_status=null¶: CLI connection status.

attribute fortigate::system_interface::color? color=null¶: Color of icon on the GUI.

attribute fortigate::system_interface::dedicated_to? dedicated_to=null¶: Configure interface for single purpose. none:Interface not dedicated for any purpose. management:Dedicate this interface for management purposes only.

attribute fortigate::common::enable_disable_t? defaultgw=null¶: Enable to get the gateway IP from the DHCP or PPPoE server. enable:Enable default gateway. disable:Disable default gateway.

attribute fortigate::system_interface::description? description=null¶: Description.

attribute fortigate::system_interface::detected_peer_mtu? detected_peer_mtu=null¶: MTU of detected peer (0 - 4294967295).

attribute fortigate::system_interface::detectprotocol? detectprotocol=null¶: Protocols used to detect the server. ping:PING. tcp-echo:TCP echo. udp-echo:UDP echo.

attribute string? detectserver=null¶: Gateway’s ping server for this IP.

attribute fortigate::common::enable_disable_t? device_identification=null¶: Enable/disable passively gathering of device identity information about the devices on the network connected to this interface. enable:Enable passive gathering of identity information about hosts. disable:Disable passive gathering of identity information about hosts.

attribute fortigate::common::enable_disable_t? device_user_identification=null¶: Enable/disable passive gathering of user identity information about users on this interface. enable:Enable passive gathering of user identity information about users. disable:Disable passive gathering of user identity information about users.

attribute fortigate::system_interface::devindex? devindex=null¶: Device Index.

attribute fortigate::common::enable_disable_t? dhcp_classless_route_addition=null¶: Enable/disable addition of classless static routes retrieved from DHCP server. enable:Enable addition of classless static routes retrieved from DHCP server. disable:Disable addition of classless static routes retrieved from DHCP server.

attribute fortigate::system_interface::dhcp_client_identifier? dhcp_client_identifier=null¶: DHCP client identifier.

attribute fortigate::common::enable_disable_t? dhcp_relay_agent_option=null¶: Enable/disable DHCP relay agent option. enable:Enable DHCP relay agent option. disable:Disable DHCP relay agent option.

attribute fortigate::system_interface::dhcp_relay_interface? dhcp_relay_interface=null¶: Specify outgoing interface to reach server.

attribute fortigate::system_interface::dhcp_relay_interface_select_method? dhcp_relay_interface_select_method=null¶: Specify how to select outgoing interface to reach server. auto:Set outgoing interface automatically. sdwan:Set outgoing interface by SD-WAN or policy routing rules. specify:Set outgoing interface manually.

attribute string? dhcp_relay_ip=null¶: DHCP relay IP address.

attribute string? dhcp_relay_link_selection=null¶: DHCP relay link selection.

attribute fortigate::common::enable_disable_t? dhcp_relay_request_all_server=null¶: Enable/disable sending of DHCP requests to all servers. disable:Send DHCP requests only to a matching server. enable:Send DHCP requests to all servers.

attribute fortigate::common::enable_disable_t? dhcp_relay_service=null¶: Enable/disable allowing this interface to act as a DHCP relay. disable:None. enable:DHCP relay agent.

attribute fortigate::system_interface::dhcp_relay_type? dhcp_relay_type=null¶: DHCP relay type (regular or IPsec). regular:Regular DHCP relay. ipsec:DHCP relay for IPsec.

attribute fortigate::system_interface::dhcp_renew_time? dhcp_renew_time=null¶: DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.

attribute fortigate::system_interface::disc_retry_timeout? disc_retry_timeout=null¶: Time in seconds to wait before retrying to start a PPPoE discovery, 0 means no timeout.

attribute fortigate::system_interface::disconnect_threshold? disconnect_threshold=null¶: Time in milliseconds to wait before sending a notification that this interface is down or disconnected.

attribute fortigate::system_interface::distance? distance=null¶: Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.

attribute fortigate::common::enable_disable_t? dns_server_override=null¶: Enable/disable use DNS acquired by DHCP or PPPoE. enable:Use DNS acquired by DHCP or PPPoE. disable:No not use DNS acquired by DHCP or PPPoE.

attribute fortigate::system_interface::dns_server_protocol? dns_server_protocol=null¶: DNS transport protocols. cleartext:DNS over UDP/53, DNS over TCP/53. dot:DNS over TLS/853. doh:DNS over HTTPS/443.

attribute fortigate::common::enable_disable_t? drop_fragment=null¶: Enable/disable drop fragment packets. enable:Enable/disable drop fragment packets. disable:Do not drop fragment packets.

attribute fortigate::common::enable_disable_t? drop_overlapped_fragment=null¶: Enable/disable drop overlapped fragment packets. enable:Enable drop of overlapped fragment packets. disable:Disable drop of overlapped fragment packets.

attribute fortigate::common::name_t? eap_ca_cert=null¶: EAP CA certificate name.

attribute fortigate::system_interface::eap_identity? eap_identity=null¶: EAP identity.

attribute fortigate::system_interface::eap_method? eap_method=null¶: EAP method. tls:TLS. peap:PEAP.

attribute string? eap_password=null¶: EAP password.

attribute fortigate::common::enable_disable_t? eap_supplicant=null¶: Enable/disable EAP-Supplicant. enable:Enable EAP Supplicant. disable:Disable EAP Supplicant.

attribute fortigate::system_interface::eap_user_cert? eap_user_cert=null¶: EAP user certificate name.

attribute fortigate::system_interface::egress_shaping_profile? egress_shaping_profile=null¶: Outgoing traffic shaping profile.

attribute fortigate::system_interface::estimated_downstream_bandwidth? estimated_downstream_bandwidth=null¶: Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.

attribute fortigate::system_interface::estimated_upstream_bandwidth? estimated_upstream_bandwidth=null¶: Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.

attribute fortigate::common::enable_disable_t? explicit_ftp_proxy=null¶: Enable/disable the explicit FTP proxy on this interface. enable:Enable explicit FTP proxy on this interface. disable:Disable explicit FTP proxy on this interface.

attribute fortigate::common::enable_disable_t? explicit_web_proxy=null¶: Enable/disable the explicit web proxy on this interface. enable:Enable explicit Web proxy on this interface. disable:Disable explicit Web proxy on this interface.

attribute fortigate::common::enable_disable_t? external=null¶: Enable/disable identifying the interface as an external interface (which usually means it’s connected to the Internet). enable:Enable identifying the interface as an external interface. disable:Disable identifying the interface as an external interface.

attribute fortigate::system_interface::fail_action_on_extender? fail_action_on_extender=null¶: Action on FortiExtender when interface fail. soft-restart:Soft-restart-on-extender. hard-restart:Hard-restart-on-extender. reboot:Reboot-on-extender.

attribute fortigate::system_interface::fail_alert_method? fail_alert_method=null¶: Select link-failed-signal or link-down method to alert about a failed link. link-failed-signal:Link-failed-signal. link-down:Link-down.

attribute fortigate::common::enable_disable_t? fail_detect=null¶: Enable/disable fail detection features for this interface. enable:Enable interface failed option status. disable:Disable interface failed option status.

attribute fortigate::system_interface::fail_detect_option? fail_detect_option=null¶: Options for detecting that this interface has failed. detectserver:Use a ping server to determine if the interface has failed. link-down:Use port detection to determine if the interface has failed.

attribute fortigate::common::enable_disable_t? fortilink=null¶: Enable FortiLink to dedicate this interface to manage other Fortinet devices. enable:Enable FortiLink to dedicated interface for managing FortiSwitch devices. disable:Disable FortiLink to dedicated interface for managing FortiSwitch devices.

attribute fortigate::system_interface::fortilink_backup_link? fortilink_backup_link=null¶: FortiLink split interface backup link.

attribute fortigate::system_interface::fortilink_neighbor_detect? fortilink_neighbor_detect=null¶: Protocol for FortiGate neighbor discovery. lldp:Detect FortiLink neighbors using LLDP protocol. fortilink:Detect FortiLink neighbors using FortiLink protocol.

attribute fortigate::common::enable_disable_t? fortilink_split_interface=null¶: Enable/disable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy. enable:Enable FortiLink split interface to connect member link to different FortiSwitch in stack for uplink redundancy. disable:Disable FortiLink split interface.

attribute fortigate::system_interface::forward_domain? forward_domain=null¶: Transparent mode forward domain.

attribute fortigate::common::enable_disable_t? gwdetect=null¶: Enable/disable detect gateway alive for first. enable:Enable detect gateway alive for first. disable:Disable detect gateway alive for first.

attribute fortigate::system_interface::ha_priority? ha_priority=null¶: HA election priority for the PING server.

attribute fortigate::common::enable_disable_t? icmp_accept_redirect=null¶: Enable/disable ICMP accept redirect. enable:Enable ICMP accept redirect. disable:Disable ICMP accept redirect.

attribute fortigate::common::enable_disable_t? icmp_send_redirect=null¶: Enable/disable sending of ICMP redirects. enable:Enable sending of ICMP redirects. disable:Disable sending of ICMP redirects.

attribute fortigate::common::enable_disable_t? ident_accept=null¶: Enable/disable authentication for this interface. enable:Enable determining a user’s identity from packet identification. disable:Disable determining a user’s identity from packet identification.

attribute fortigate::system_interface::idle_timeout? idle_timeout=null¶: PPPoE auto disconnect after idle timeout seconds, 0 means no timeout.

attribute fortigate::system_interface::ike_saml_server? ike_saml_server=null¶: Configure IKE authentication SAML server.

attribute fortigate::system_interface::inbandwidth? inbandwidth=null¶: Bandwidth limit for incoming traffic (0 - 80000000 kbps), 0 means unlimited.

attribute fortigate::system_interface::ingress_shaping_profile? ingress_shaping_profile=null¶: Incoming traffic shaping profile.

attribute fortigate::system_interface::ingress_spillover_threshold? ingress_spillover_threshold=null¶: Ingress Spillover threshold (0 - 16776000 kbps), 0 means unlimited.

attribute fortigate::system_interface::interface? interface=null¶: Interface name.

attribute fortigate::system_interface::internal? internal=null¶: Implicitly created.

attribute string? ip=null¶: Interface IPv4 address and subnet mask, syntax: X.X.X.X/24.

attribute fortigate::common::enable_disable_t? ip_managed_by_fortiipam=null¶: Enable/disable automatic IP address assignment of this interface by FortiIPAM. enable:Enable automatic IP address assignment of this interface by FortiIPAM. disable:Disable automatic IP address assignment of this interface by FortiIPAM.

attribute fortigate::common::enable_disable_t? ipmac=null¶: Enable/disable IP/MAC binding. enable:Enable IP/MAC binding. disable:Disable IP/MAC binding.

attribute fortigate::common::enable_disable_t? ips_sniffer_mode=null¶: Enable/disable the use of this interface as a one-armed sniffer. enable:Enable IPS sniffer mode. disable:Disable IPS sniffer mode.

attribute string? ipunnumbered=null¶: Unnumbered IP used for PPPoE interfaces for which no unique local address is provided.

attribute fortigate::common::enable_disable_t? l2forward=null¶: Enable/disable l2 forwarding. enable:Enable L2 forwarding. disable:Disable L2 forwarding.

attribute fortigate::common::enable_disable_t? l2tp_client=null¶: Enable/disable this interface as a Layer 2 Tunnelling Protocol (L2TP) client. enable:Enable L2TP client. disable:Disable L2TP client.

attribute fortigate::common::enable_disable_t? lacp_ha_secondary=null¶: LACP HA secondary member. enable:Allow HA secondary member to send/receive LACP messages. disable:Block HA secondary member from sending/receiving LACP messages.

attribute fortigate::system_interface::lacp_mode? lacp_mode=null¶: LACP mode. static:Use static aggregation, do not send and ignore any LACP messages. passive:Passively use LACP to negotiate 802.3ad aggregation. active:Actively use LACP to negotiate 802.3ad aggregation.

attribute fortigate::system_interface::lacp_speed? lacp_speed=null¶: How often the interface sends LACP messages. slow:Send LACP message every 30 seconds. fast:Send LACP message every second.

attribute fortigate::system_interface::lcp_echo_interval? lcp_echo_interval=null¶: Time in seconds between PPPoE Link Control Protocol (LCP) echo requests.

attribute fortigate::system_interface::lcp_max_echo_fails? lcp_max_echo_fails=null¶: Maximum missed LCP echo messages before disconnect.

attribute fortigate::system_interface::link_up_delay? link_up_delay=null¶: Number of milliseconds to wait before considering a link is up.

attribute fortigate::system_interface::lldp_network_policy? lldp_network_policy=null¶: LLDP-MED network policy profile.

attribute fortigate::system_interface::lldp_reception? lldp_reception=null¶: Enable/disable Link Layer Discovery Protocol (LLDP) reception. enable:Enable reception of Link Layer Discovery Protocol (LLDP). disable:Disable reception of Link Layer Discovery Protocol (LLDP). vdom:Use VDOM Link Layer Discovery Protocol (LLDP) reception configuration setting.

attribute fortigate::system_interface::lldp_transmission? lldp_transmission=null¶: Enable/disable Link Layer Discovery Protocol (LLDP) transmission. enable:Enable transmission of Link Layer Discovery Protocol (LLDP). disable:Disable transmission of Link Layer Discovery Protocol (LLDP). vdom:Use VDOM Link Layer Discovery Protocol (LLDP) transmission configuration setting.

attribute string? macaddr=null¶: Change the interface’s MAC address.

attribute fortigate::system_interface::managed_subnetwork_size? managed_subnetwork_size=null¶: Number of IP addresses to be allocated by FortiIPAM and used by this FortiGate unit’s DHCP server settings. 32:Allocate a subnet with 32 IP addresses. 64:Allocate a subnet with 64 IP addresses. 128:Allocate a subnet with 128 IP addresses. 256:Allocate a subnet with 256 IP addresses. 512:Allocate a subnet with 512 IP addresses. 1024:Allocate a subnet with 1024 IP addresses. 2048:Allocate a subnet with 2048 IP addresses. 4096:Allocate a subnet with 4096 IP addresses. 8192:Allocate a subnet with 8192 IP addresses. 16384:Allocate a subnet with 16384 IP addresses. 32768:Allocate a subnet with 32768 IP addresses. 65536:Allocate a subnet with 65536 IP addresses.

attribute string? management_ip=null¶: High Availability in-band management IP address of this interface.

attribute fortigate::system_interface::measured_downstream_bandwidth? measured_downstream_bandwidth=null¶: Measured downstream bandwidth (kbps).

attribute fortigate::system_interface::measured_upstream_bandwidth? measured_upstream_bandwidth=null¶: Measured upstream bandwidth (kbps).

attribute fortigate::system_interface::min_links? min_links=null¶: Minimum number of aggregated ports that must be up.

attribute fortigate::system_interface::min_links_down? min_links_down=null¶: Action to take when less than the configured minimum number of links are active. operational:Set the aggregate operationally down. administrative:Set the aggregate administratively down.

attribute fortigate::system_interface::mode? mode=null¶: Addressing mode (static, DHCP, PPPoE). static:Static setting. dhcp:External DHCP client mode. pppoe:External PPPoE mode.

attribute fortigate::common::enable_disable_t? monitor_bandwidth=null¶: Enable monitoring bandwidth on this interface. enable:Enable monitoring bandwidth on this interface. disable:Disable monitoring bandwidth on this interface.

attribute fortigate::system_interface::mtu? mtu=null¶: MTU value for this interface.

attribute fortigate::common::enable_disable_t? mtu_override=null¶: Enable to set a custom MTU for this interface. enable:Override default MTU. disable:Use default MTU.

attribute fortigate::system_interface::name name¶: Name.

attribute fortigate::common::enable_disable_t? ndiscforward=null¶: Enable/disable NDISC forwarding. enable:Enable NDISC forwarding. disable:Disable NDISC forwarding.

attribute fortigate::common::enable_disable_t? netbios_forward=null¶: Enable/disable NETBIOS forwarding. disable:Disable NETBIOS forwarding. enable:Enable NETBIOS forwarding.

attribute fortigate::system_interface::netflow_sampler? netflow_sampler=null¶: Enable/disable NetFlow on this interface and set the data that NetFlow collects (rx, tx, or both). disable:Disable NetFlow protocol on this interface. tx:Monitor transmitted traffic on this interface. rx:Monitor received traffic on this interface. both:Monitor transmitted/received traffic on this interface.

attribute fortigate::system_interface::outbandwidth? outbandwidth=null¶: Bandwidth limit for outgoing traffic (0 - 80000000 kbps).

attribute fortigate::system_interface::padt_retry_timeout? padt_retry_timeout=null¶: PPPoE Active Discovery Terminate (PADT) used to terminate sessions after an idle time.

attribute string? password=null¶: PPPoE account’s password.

attribute string? physical=null¶: Print physical interface information.

attribute fortigate::system_interface::ping_serv_status? ping_serv_status=null¶: PING server status.

attribute fortigate::system_interface::polling_interval? polling_interval=null¶: sFlow polling interval in seconds (1 - 255).

attribute fortigate::common::enable_disable_t? pppoe_unnumbered_negotiate=null¶: Enable/disable PPPoE unnumbered negotiation. enable:Enable IP address negotiating for unnumbered. disable:Disable IP address negotiating for unnumbered.

attribute fortigate::system_interface::pptp_auth_type? pptp_auth_type=null¶: PPTP authentication type. auto:Automatically choose authentication. pap:PAP authentication. chap:CHAP authentication. mschapv1:MS-CHAPv1 authentication. mschapv2:MS-CHAPv2 authentication.

attribute fortigate::common::enable_disable_t? pptp_client=null¶: Enable/disable PPTP client. enable:Enable PPTP client. disable:Disable PPTP client.

attribute string? pptp_password=null¶: PPTP password.

attribute string? pptp_server_ip=null¶: PPTP server IP address.

attribute fortigate::system_interface::pptp_timeout? pptp_timeout=null¶: Idle timer in minutes (0 for disabled).

attribute fortigate::system_interface::pptp_user? pptp_user=null¶: PPTP user name.

attribute fortigate::common::enable_disable_t? preserve_session_route=null¶: Enable/disable preservation of session route when dirty. enable:Enable preservation of session route when dirty. disable:Disable preservation of session route when dirty.

attribute fortigate::system_interface::priority? priority=null¶: Priority of learned routes.

attribute fortigate::common::enable_disable_t? priority_override=null¶: Enable/disable fail back to higher priority port once recovered. enable:Enable fail back to higher priority port once recovered. disable:Disable fail back to higher priority port once recovered.

attribute fortigate::common::enable_disable_t? proxy_captive_portal=null¶: Enable/disable proxy captive portal on this interface. enable:Enable proxy captive portal on this interface. disable:Disable proxy captive portal on this interface.

attribute fortigate::system_interface::reachable_time? reachable_time=null¶: IPv4 reachable time in milliseconds (30000 - 3600000, default = 30000).

attribute fortigate::system_interface::redundant_interface? redundant_interface=null¶: Redundant interface.

attribute string? remote_ip=null¶: Remote IP address of tunnel.

attribute fortigate::system_interface::replacemsg_override_group? replacemsg_override_group=null¶: Replacement message override group.

attribute fortigate::system_interface::role? role=null¶: Interface role. lan:Connected to local network of endpoints. wan:Connected to Internet. dmz:Connected to server zone. undefined:Interface has no specific role.

attribute fortigate::system_interface::sample_direction? sample_direction=null¶: Data that NetFlow collects (rx, tx, or both). tx:Monitor transmitted traffic on this interface. rx:Monitor received traffic on this interface. both:Monitor transmitted/received traffic on this interface.

attribute fortigate::system_interface::sample_rate? sample_rate=null¶: sFlow sample rate (10 - 99999).

attribute fortigate::common::enable_disable_t? secondary_ip=null¶: Enable/disable adding a secondary IP to this interface. enable:Enable secondary IP. disable:Disable secondary IP.

attribute fortigate::system_interface::security_8021x_dynamic_vlan_id? security_8021x_dynamic_vlan_id=null¶: VLAN ID for virtual switch.

attribute fortigate::system_interface::security_8021x_master? security_8021x_master=null¶: 802.1X master virtual-switch.

attribute fortigate::system_interface::security_8021x_mode? security_8021x_mode=null¶: 802.1X mode. default:802.1X default mode. dynamic-vlan:802.1X dynamic VLAN (master) mode. fallback:802.1X fallback (master) mode. slave:802.1X slave mode.

attribute fortigate::system_interface::security_exempt_list? security_exempt_list=null¶: Name of security-exempt-list.

attribute fortigate::system_interface::security_external_logout? security_external_logout=null¶: URL of external authentication logout server.

attribute fortigate::system_interface::security_external_web? security_external_web=null¶: URL of external authentication web server.

attribute fortigate::system_interface::security_mac_auth_bypass? security_mac_auth_bypass=null¶: Enable/disable MAC authentication bypass. mac-auth-only:Enable MAC authentication bypass without EAP. enable:Enable MAC authentication bypass. disable:Disable MAC authentication bypass.

attribute fortigate::system_interface::security_mode? security_mode=null¶: Turn on captive portal authentication for this interface. none:No security option. captive-portal:Captive portal authentication. 802.1X:802.1X port-based authentication.

attribute fortigate::system_interface::security_redirect_url? security_redirect_url=null¶: URL redirection after disclaimer/authentication.

attribute fortigate::system_interface::service_name? service_name=null¶: PPPoE service name.

attribute fortigate::common::enable_disable_t? sflow_sampler=null¶: Enable/disable sFlow on this interface. enable:Enable sFlow protocol on this interface. disable:Disable sFlow protocol on this interface.

attribute fortigate::system_interface::snmp_index? snmp_index=null¶: Permanent SNMP Index of the interface.

attribute fortigate::system_interface::speed? speed=null¶: Interface speed. The default setting and the options available depend on the interface hardware. auto:Automatically adjust speed. 10full:10M full-duplex. 10half:10M half-duplex. 100full:100M full-duplex. 100half:100M half-duplex. 1000full:1000M full-duplex. 1000auto:1000M auto adjust.

attribute fortigate::system_interface::spillover_threshold? spillover_threshold=null¶: Egress Spillover threshold (0 - 16776000 kbps), 0 means unlimited.

attribute fortigate::common::enable_disable_t? src_check=null¶: Enable/disable source IP check. enable:Enable source IP check. disable:Disable source IP check.

attribute fortigate::system_interface::status? status=null¶: Bring the interface up or shut the interface down. up:Bring the interface up. down:Shut the interface down.

attribute fortigate::common::enable_disable_t? stp=null¶: Enable/disable STP. disable:Disable STP. enable:Enable STP.

attribute fortigate::system_interface::stp_ha_secondary? stp_ha_secondary=null¶: Control STP behavior on HA secondary. disable:Disable STP negotiation on HA secondary. enable:Enable STP negotiation on HA secondary. priority-adjust:Enable STP negotiation on HA secondary and make priority lower than HA primary.

attribute fortigate::common::enable_disable_t? stpforward=null¶: Enable/disable STP forwarding. enable:Enable STP forwarding. disable:Disable STP forwarding.

attribute fortigate::system_interface::stpforward_mode? stpforward_mode=null¶: Configure STP forwarding mode. rpl-all-ext-id:Replace all extension IDs (root, bridge). rpl-bridge-ext-id:Replace the bridge extension ID only. rpl-nothing:Replace nothing.

attribute fortigate::common::enable_disable_t? subst=null¶: Enable to always send packets from this interface to a destination MAC address. enable:Send packets from this interface. disable:Do not send packets from this interface.

attribute string? substitute_dst_mac=null¶: Destination MAC address that all packets are sent to from this interface.

attribute fortigate::system_interface::swc_first_create? swc_first_create=null¶: Initial create for switch-controller VLANs.

attribute fortigate::system_interface::swc_vlan? swc_vlan=null¶: Creation status for switch-controller VLANs.

attribute fortigate::system_interface::switch? switch=null¶: Contained in switch.

attribute fortigate::common::enable_disable_t? switch_controller_access_vlan=null¶: Block FortiSwitch port-to-port traffic. enable:Block FortiSwitch port-to-port traffic on the VLAN, only permitting traffic to and from the FortiGate. disable:Allow normal VLAN traffic.

attribute fortigate::common::enable_disable_t? switch_controller_arp_inspection=null¶: Enable/disable FortiSwitch ARP inspection. enable:Enable ARP inspection for FortiSwitch devices. disable:Disable ARP inspection for FortiSwitch devices.

attribute fortigate::common::enable_disable_t? switch_controller_dhcp_snooping=null¶: Switch controller DHCP snooping. enable:Enable DHCP snooping for FortiSwitch devices. disable:Disable DHCP snooping for FortiSwitch devices.

attribute fortigate::common::enable_disable_t? switch_controller_dhcp_snooping_option82=null¶: Switch controller DHCP snooping option82. enable:Enable DHCP snooping insert option82 for FortiSwitch devices. disable:Disable DHCP snooping insert option82 for FortiSwitch devices.

attribute fortigate::common::enable_disable_t? switch_controller_dhcp_snooping_verify_mac=null¶: Switch controller DHCP snooping verify MAC. enable:Enable DHCP snooping verify source MAC for FortiSwitch devices. disable:Disable DHCP snooping verify source MAC for FortiSwitch devices.

attribute fortigate::system_interface::switch_controller_dynamic? switch_controller_dynamic=null¶: Integrated FortiLink settings for managed FortiSwitch.

attribute fortigate::system_interface::switch_controller_feature? switch_controller_feature=null¶: Interface’s purpose when assigning traffic (read only). none:VLAN for generic purpose. default-vlan:Default VLAN (native) assigned to all switch ports upon discovery. quarantine:VLAN for quarantined traffic. rspan:VLAN for RSPAN/ERSPAN mirrored traffic. voice:VLAN dedicated for voice devices. video:VLAN dedicated for camera devices. nac:VLAN dedicated for NAC onboarding devices. nac-segment:VLAN dedicated for NAC segment devices.

attribute fortigate::common::enable_disable_t? switch_controller_igmp_snooping=null¶: Switch controller IGMP snooping. enable:Enable IGMP snooping. disable:Disable IGMP snooping.

attribute fortigate::common::enable_disable_t? switch_controller_igmp_snooping_fast_leave=null¶: Switch controller IGMP snooping fast-leave. enable:Enable IGMP snooping fast-leave. disable:Disable IGMP snooping fast-leave.

attribute fortigate::common::enable_disable_t? switch_controller_igmp_snooping_proxy=null¶: Switch controller IGMP snooping proxy. enable:Enable IGMP snooping proxy. disable:Disable IGMP snooping proxy.

attribute fortigate::common::enable_disable_t? switch_controller_iot_scanning=null¶: Enable/disable managed FortiSwitch IoT scanning. enable:Enable IoT scanning for managed FortiSwitch devices. disable:Disable IoT scanning for managed FortiSwitch devices.

attribute fortigate::system_interface::switch_controller_learning_limit? switch_controller_learning_limit=null¶: Limit the number of dynamic MAC addresses on this VLAN (1 - 128, 0 = no limit, default).

attribute fortigate::system_interface::switch_controller_mgmt_vlan? switch_controller_mgmt_vlan=null¶: VLAN to use for FortiLink management purposes.

attribute fortigate::system_interface::switch_controller_nac? switch_controller_nac=null¶: Integrated FortiLink settings for managed FortiSwitch.

attribute fortigate::common::enable_disable_t? switch_controller_netflow_collect=null¶: NetFlow collection and processing. disable:Disable NetFlow collection. enable:Enable NetFlow collection.

attribute fortigate::common::enable_disable_t? switch_controller_rspan_mode=null¶: Stop Layer2 MAC learning and interception of BPDUs and other packets on this interface. disable:Disable RSPAN passthrough mode on this VLAN interface. enable:Enable RSPAN passthrough mode on this VLAN interface.

attribute fortigate::system_interface::switch_controller_source_ip? switch_controller_source_ip=null¶: Source IP address used in FortiLink over L3 connections. outbound:Source IP address is that of the outbound interface. fixed:Source IP address is that of the FortiLink interface.

attribute fortigate::system_interface::switch_controller_traffic_policy? switch_controller_traffic_policy=null¶: Switch controller traffic policy for the VLAN.

attribute string? system_id=null¶: Define a system ID for the aggregate interface.

attribute fortigate::system_interface::system_id_type? system_id_type=null¶: Method in which system ID is generated. auto:Use the MAC address of the first member. user:User-defined system ID.

attribute fortigate::system_interface::tcp_mss? tcp_mss=null¶: TCP maximum segment size. 0 means do not change segment size.

attribute string? trust_ip6_1=null¶: Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

attribute string? trust_ip6_2=null¶: Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

attribute string? trust_ip6_3=null¶: Trusted IPv6 host for dedicated management traffic (::/0 for all hosts).

attribute string? trust_ip_1=null¶: Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

attribute string? trust_ip_2=null¶: Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

attribute string? trust_ip_3=null¶: Trusted host for dedicated management traffic (0.0.0.0/24 for all hosts).

attribute fortigate::system_interface::type? type=null¶: Interface type. physical:Physical interface. vlan:VLAN interface. aggregate:Aggregate interface. redundant:Redundant interface. tunnel:Tunnel interface. vdom-link:VDOM link interface. loopback:Loopback interface. switch:Software switch interface. hard-switch:Hardware switch interface. vap-switch:VAP interface. wl-mesh:WLAN mesh interface. fext-wan:FortiExtender interface. vxlan:VXLAN interface. geneve:GENEVE interface. hdlc:T1/E1 interface. switch-vlan:Switch VLAN interface. emac-vlan:EMAC VLAN interface. ssl:SSL VPN client interface. lan-extension:LAN extension interface.

attribute fortigate::system_interface::username? username=null¶: Username of the PPPoE account, provided by your ISP.

attribute string vdom¶: Interface is in this virtual domain (VDOM).

attribute fortigate::system_interface::vindex? vindex=null¶: Switch control interface VLAN ID.

attribute fortigate::system_interface::vlan_protocol? vlan_protocol=null¶: Ethernet protocol of VLAN. 8021q:IEEE 802.1Q. 8021ad:IEEE 802.1AD.

attribute fortigate::common::enable_disable_t? vlanforward=null¶: Enable/disable traffic forwarding between VLANs on this interface. enable:Enable traffic forwarding. disable:Disable traffic forwarding.

attribute fortigate::system_interface::vlanid? vlanid=null¶: VLAN ID (1 - 4094).

attribute fortigate::system_interface::vrf? vrf=null¶: Virtual Routing Forwarding ID.

attribute fortigate::common::enable_disable_t? vrrp_virtual_mac=null¶: Enable/disable use of virtual MAC for VRRP. enable:Enable use of virtual MAC for VRRP. disable:Disable use of virtual MAC for VRRP.

attribute fortigate::common::enable_disable_t? wccp=null¶: Enable/disable WCCP on this interface. Used for encapsulated WCCP communication between WCCP clients and servers. enable:Enable WCCP protocol on this interface. disable:Disable WCCP protocol on this interface.

attribute fortigate::system_interface::weight? weight=null¶: Default weight for static routes (if route has no weight configured).

attribute string? wins_ip=null¶: WINS server IP. :rel client_options: :rel dhcp_snooping_server_list: :rel fail_alert_interfaces: :rel ipv6: :rel l2tp_client_settings: :rel member: :rel secondaryip: :rel security_groups: :rel tagging: :rel vrrp:

relation fortigate::system_interface::ClientOptions client_options [0:*]¶: other end: fortigate::system_interface::ClientOptions._parent [1]

relation fortigate::system_interface::DhcpSnoopingServerList dhcp_snooping_server_list [0:*]¶: other end: fortigate::system_interface::DhcpSnoopingServerList._parent [1]

relation fortigate::system_interface::FailAlertInterfaces fail_alert_interfaces [0:*]¶: other end: fortigate::system_interface::FailAlertInterfaces._parent [1]

relation fortigate::system_interface::Ipv6 ipv6 [0:*]¶: other end: fortigate::system_interface::Ipv6._parent [1]

relation fortigate::system_interface::L2tpClientSettings l2tp_client_settings [0:*]¶: other end: fortigate::system_interface::L2tpClientSettings._parent [1]

relation fortigate::system_interface::Member member [0:*]¶: other end: fortigate::system_interface::Member._parent [1]

relation fortigate::system_interface::Secondaryip secondaryip [0:*]¶: other end: fortigate::system_interface::Secondaryip._parent [1]

relation fortigate::system_interface::SecurityGroups security_groups [0:*]¶: other end: fortigate::system_interface::SecurityGroups._parent [1]

relation fortigate::system_interface::Tagging tagging [0:*]¶: other end: fortigate::system_interface::Tagging._parent [1]

relation fortigate::system_interface::Vrrp vrrp [0:*]¶: other end: fortigate::system_interface::Vrrp._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::IpSecPhase1Interface¶

Parents: fortigate::base::VdomResource, fortigate::base::SecretResource

attribute fortigate::common::enable_disable_t? acct_verify=null¶: Enable/disable verification of RADIUS accounting record. enable:Enable verification of RADIUS accounting record. disable:Disable verification of RADIUS accounting record.

attribute fortigate::common::enable_disable_t? add_gw_route=null¶: Enable/disable automatically add a route to the remote gateway. enable:Automatically add a route to the remote gateway. disable:Do not automatically add a route to the remote gateway.

attribute fortigate::common::enable_disable_t? add_route=null¶: Enable/disable control addition of a route to peer destination selector. disable:Do not add a route to destination of peer selector. enable:Add route to destination of peer selector.

attribute fortigate::common::enable_disable_t? aggregate_member=null¶: Enable/disable use as an aggregate member. enable:Enable use as an aggregate member. disable:Disable use as an aggregate member.

attribute fortigate::vpn_ipsec_phase1_interface::aggregate_weight? aggregate_weight=null¶: Link weight for aggregate.

attribute fortigate::common::enable_disable_t? assign_ip=null¶: Enable/disable assignment of IP to IPsec interface via configuration method. disable:Do not assign an IP address to the IPsec interface. enable:Assign an IP address to the IPsec interface.

attribute fortigate::vpn_ipsec_phase1_interface::assign_ip_from? assign_ip_from=null¶: Method by which the IP address will be assigned. range:Assign IP address from locally defined range. usrgrp:Assign IP address via user group. dhcp:Assign IP address via DHCP. name:Assign IP address from firewall address or group.

attribute fortigate::vpn_ipsec_phase1_interface::authmethod? authmethod=null¶: Authentication method. psk:PSK authentication method. signature:Signature authentication method.

attribute fortigate::vpn_ipsec_phase1_interface::authmethod_remote? authmethod_remote=null¶: Authentication method (remote side). psk:PSK authentication method. signature:Signature authentication method.

attribute string? authpasswd=null¶: XAuth password (max 35 characters).

attribute fortigate::vpn_ipsec_phase1_interface::authusr? authusr=null¶: XAuth user name.

attribute fortigate::vpn_ipsec_phase1_interface::authusrgrp? authusrgrp=null¶: Authentication user group.

attribute fortigate::vpn_ipsec_phase1_interface::auto_discovery_crossover? auto_discovery_crossover=null¶: Allow/block set-up of short-cut tunnels between different network IDs. allow:Allow set-up of short-cut tunnels between different network IDs. block:Block set-up of short-cut tunnels between different network IDs.

attribute fortigate::common::enable_disable_t? auto_discovery_forwarder=null¶: Enable/disable forwarding auto-discovery short-cut messages. enable:Enable forwarding auto-discovery short-cut messages. disable:Disable forwarding auto-discovery short-cut messages.

attribute fortigate::vpn_ipsec_phase1_interface::auto_discovery_offer_interval? auto_discovery_offer_interval=null¶: Interval between shortcut offer messages in seconds (1 - 300, default = 5).

attribute fortigate::common::enable_disable_t? auto_discovery_psk=null¶: Enable/disable use of pre-shared secrets for authentication of auto-discovery tunnels. enable:Enable use of pre-shared-secret authentication for auto-discovery tunnels. disable:Disable use of authentication defined by ‘authmethod’ for auto-discovery tunnels.

attribute fortigate::common::enable_disable_t? auto_discovery_receiver=null¶: Enable/disable accepting auto-discovery short-cut messages. enable:Enable receiving auto-discovery short-cut messages. disable:Disable receiving auto-discovery short-cut messages.

attribute fortigate::common::enable_disable_t? auto_discovery_sender=null¶: Enable/disable sending auto-discovery short-cut messages. enable:Enable sending auto-discovery short-cut messages. disable:Disable sending auto-discovery short-cut messages.

attribute fortigate::vpn_ipsec_phase1_interface::auto_discovery_shortcuts? auto_discovery_shortcuts=null¶: Control deletion of child short-cut tunnels when the parent tunnel goes down. independent:Short-cut tunnels remain up if the parent tunnel goes down. dependent:Short-cut tunnels are brought down if the parent tunnel goes down.

attribute fortigate::common::enable_disable_t? auto_negotiate=null¶: Enable/disable automatic initiation of IKE SA negotiation. enable:Enable automatic initiation of IKE SA negotiation. disable:Disable automatic initiation of IKE SA negotiation.

attribute fortigate::vpn_ipsec_phase1_interface::banner? banner=null¶: Message that unity client should display after connecting.

attribute fortigate::common::enable_disable_t? cert_id_validation=null¶: Enable/disable cross validation of peer ID and the identity in the peer’s certificate as specified in RFC 4945. enable:Enable cross validation of peer ID and the identity in the peer’s certificate as specified in RFC 4945. disable:Disable cross validation of peer ID and the identity in the peer’s certificate as specified in RFC 4945.

attribute fortigate::common::enable_disable_t? childless_ike=null¶: Enable/disable childless IKEv2 initiation (RFC 6023). enable:Enable childless IKEv2 initiation (RFC 6023). disable:Disable childless IKEv2 initiation (RFC 6023).

attribute fortigate::common::enable_disable_t? client_auto_negotiate=null¶: Enable/disable allowing the VPN client to bring up the tunnel when there is no traffic. disable:Disable allowing the VPN client to bring up the tunnel when there is no traffic. enable:Enable allowing the VPN client to bring up the tunnel when there is no traffic.

attribute fortigate::common::enable_disable_t? client_keep_alive=null¶: Enable/disable allowing the VPN client to keep the tunnel up when there is no traffic. disable:Disable allowing the VPN client to keep the tunnel up when there is no traffic. enable:Enable allowing the VPN client to keep the tunnel up when there is no traffic.

attribute fortigate::vpn_ipsec_phase1_interface::comments? comments=null¶: Comment.

attribute string? default_gw=null¶: IPv4 address of default route gateway to use for traffic exiting the interface.

attribute fortigate::vpn_ipsec_phase1_interface::default_gw_priority? default_gw_priority=null¶: Priority for default gateway route. A higher priority number signifies a less preferred route.

attribute fortigate::vpn_ipsec_phase1_interface::dev_id? dev_id=null¶: Device ID carried by the device ID notification.

attribute fortigate::common::enable_disable_t? dev_id_notification=null¶: Enable/disable device ID notification. disable:Disable device ID notification. enable:Enable device ID notification.

attribute string? dhcp6_ra_linkaddr=null¶: Relay agent IPv6 link address to use in DHCP6 requests.

attribute string? dhcp_ra_giaddr=null¶: Relay agent gateway IP address to use in the giaddr field of DHCP requests.

attribute fortigate::vpn_ipsec_phase1_interface::dhgrp? dhgrp=null¶: DH group. 1:DH Group 1. 2:DH Group 2. 5:DH Group 5. 14:DH Group 14. 15:DH Group 15. 16:DH Group 16. 17:DH Group 17. 18:DH Group 18. 19:DH Group 19. 20:DH Group 20. 21:DH Group 21. 27:DH Group 27. 28:DH Group 28. 29:DH Group 29. 30:DH Group 30. 31:DH Group 31. 32:DH Group 32.

attribute fortigate::common::enable_disable_t? digital_signature_auth=null¶: Enable/disable IKEv2 Digital Signature Authentication (RFC 7427). enable:Enable IKEv2 Digital Signature Authentication (RFC 7427). disable:Disable IKEv2 Digital Signature Authentication (RFC 7427).

attribute fortigate::vpn_ipsec_phase1_interface::distance? distance=null¶: Distance for routes added by IKE (1 - 255).

attribute fortigate::vpn_ipsec_phase1_interface::dns_mode? dns_mode=null¶: DNS server mode. manual:Manually configure DNS servers. auto:Use default DNS servers.

attribute fortigate::vpn_ipsec_phase1_interface::domain? domain=null¶: Instruct unity clients about the single default DNS domain.

attribute fortigate::vpn_ipsec_phase1_interface::dpd? dpd=null¶: Dead Peer Detection mode. disable:Disable Dead Peer Detection. on-idle:Trigger Dead Peer Detection when IPsec is idle. on-demand:Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

attribute fortigate::vpn_ipsec_phase1_interface::dpd_retrycount? dpd_retrycount=null¶: Number of DPD retry attempts.

attribute string? dpd_retryinterval=null¶: DPD retry interval.

attribute fortigate::common::enable_disable_t? eap=null¶: Enable/disable IKEv2 EAP authentication. enable:Enable IKEv2 EAP authentication. disable:Disable IKEv2 EAP authentication.

attribute fortigate::vpn_ipsec_phase1_interface::eap_exclude_peergrp? eap_exclude_peergrp=null¶: Peer group excluded from EAP authentication.

attribute fortigate::vpn_ipsec_phase1_interface::eap_identity? eap_identity=null¶: IKEv2 EAP peer identity type. use-id-payload:Use IKEv2 IDi payload to resolve peer identity. send-request:Use EAP identity request to resolve peer identity.

attribute string? encap_local_gw4=null¶: Local IPv4 address of GRE/VXLAN tunnel.

attribute string? encap_local_gw6=null¶: Local IPv6 address of GRE/VXLAN tunnel.

attribute string? encap_remote_gw4=null¶: Remote IPv4 address of GRE/VXLAN tunnel.

attribute string? encap_remote_gw6=null¶: Remote IPv6 address of GRE/VXLAN tunnel.

attribute fortigate::vpn_ipsec_phase1_interface::encapsulation? encapsulation=null¶: Enable/disable GRE/VXLAN/VPNID encapsulation. none:No additional encapsulation. gre:GRE encapsulation. vxlan:VXLAN encapsulation. vpn-id-ipip:VPN ID with IPIP encapsulation.

attribute fortigate::vpn_ipsec_phase1_interface::encapsulation_address? encapsulation_address=null¶: Source for GRE/VXLAN tunnel address. ike:Use IKE/IPsec gateway addresses. ipv4:Specify separate GRE/VXLAN tunnel address. ipv6:Specify separate GRE/VXLAN tunnel address.

attribute fortigate::vpn_ipsec_phase1_interface::enforce_unique_id? enforce_unique_id=null¶: Enable/disable peer ID uniqueness check. disable:Disable peer ID uniqueness enforcement. keep-new:Enforce peer ID uniqueness, keep new connection if collision found. keep-old:Enforce peer ID uniqueness, keep old connection if collision found.

attribute fortigate::common::enable_disable_t? exchange_fgt_device_id=null¶: Enable/disable device identifier exchange with peer FortiGate units for use of VPN monitor data by FortiManager. enable:Enable exchange of FortiGate device identifier. disable:Disable exchange of FortiGate device identifier.

attribute fortigate::common::enable_disable_t? exchange_interface_ip=null¶: Enable/disable exchange of IPsec interface IP address. enable:Enable exchange of IPsec interface IP address. disable:Disable exchange of IPsec interface IP address.

attribute string? exchange_ip_addr4=null¶: IPv4 address to exchange with peers.

attribute string? exchange_ip_addr6=null¶: IPv6 address to exchange with peers.

attribute fortigate::vpn_ipsec_phase1_interface::fec_base? fec_base=null¶: Number of base Forward Error Correction packets (1 - 20).

attribute fortigate::vpn_ipsec_phase1_interface::fec_codec? fec_codec=null¶: Forward Error Correction encoding/decoding algorithm. rs:Reed-Solomon FEC algorithm. xor:XOR FEC algorithm.

attribute fortigate::common::enable_disable_t? fec_egress=null¶: Enable/disable Forward Error Correction for egress IPsec traffic. enable:Enable Forward Error Correction for egress IPsec traffic. disable:Disable Forward Error Correction for egress IPsec traffic.

attribute fortigate::vpn_ipsec_phase1_interface::fec_health_check? fec_health_check=null¶: SD-WAN health check.

attribute fortigate::common::enable_disable_t? fec_ingress=null¶: Enable/disable Forward Error Correction for ingress IPsec traffic. enable:Enable Forward Error Correction for ingress IPsec traffic. disable:Disable Forward Error Correction for ingress IPsec traffic.

attribute fortigate::vpn_ipsec_phase1_interface::fec_mapping_profile? fec_mapping_profile=null¶: Forward Error Correction (FEC) mapping profile.

attribute fortigate::vpn_ipsec_phase1_interface::fec_receive_timeout? fec_receive_timeout=null¶: Timeout in milliseconds before dropping Forward Error Correction packets (1 - 1000).

attribute fortigate::vpn_ipsec_phase1_interface::fec_redundant? fec_redundant=null¶: Number of redundant Forward Error Correction packets (1 - 5 for reed-solomon, 1 for xor).

attribute fortigate::vpn_ipsec_phase1_interface::fec_send_timeout? fec_send_timeout=null¶: Timeout in milliseconds before sending Forward Error Correction packets (1 - 1000).

attribute fortigate::common::enable_disable_t? fgsp_sync=null¶: Enable/disable IPsec syncing of tunnels for FGSP IPsec. enable:Enable IPsec syncing of tunnels to other cluster members. disable:Disable IPsec syncing of tunnels to other cluster members.

attribute fortigate::common::enable_disable_t? forticlient_enforcement=null¶: Enable/disable FortiClient enforcement. enable:Enable FortiClient enforcement. disable:Disable FortiClient enforcement.

attribute fortigate::common::enable_disable_t? fragmentation=null¶: Enable/disable fragment IKE message on re-transmission. enable:Enable intra-IKE fragmentation support on re-transmission. disable:Disable intra-IKE fragmentation support.

attribute fortigate::vpn_ipsec_phase1_interface::fragmentation_mtu? fragmentation_mtu=null¶: IKE fragmentation MTU (500 - 16000).

attribute fortigate::common::enable_disable_t? group_authentication=null¶: Enable/disable IKEv2 IDi group authentication. enable:Enable IKEv2 IDi group authentication. disable:Disable IKEv2 IDi group authentication.

attribute string? group_authentication_secret=null¶: Password for IKEv2 ID group authentication. ASCII string or hexadecimal indicated by a leading 0x.

attribute fortigate::common::enable_disable_t? ha_sync_esp_seqno=null¶: Enable/disable sequence number jump ahead for IPsec HA. enable:Enable HA syncing of ESP sequence numbers. disable:Disable HA syncing of ESP sequence numbers.

attribute fortigate::common::enable_disable_t? idle_timeout=null¶: Enable/disable IPsec tunnel idle timeout. enable:Enable IPsec tunnel idle timeout. disable:Disable IPsec tunnel idle timeout.

attribute fortigate::vpn_ipsec_phase1_interface::idle_timeoutinterval? idle_timeoutinterval=null¶: IPsec tunnel idle timeout in minutes (5 - 43200).

attribute fortigate::vpn_ipsec_phase1_interface::ike_version? ike_version=null¶: IKE protocol version. 1:Use IKEv1 protocol. 2:Use IKEv2 protocol.

attribute fortigate::common::enable_disable_t? inbound_dscp_copy=null¶: Enable/disable copy the dscp in the ESP header to the inner IP Header. enable:Enable copy the dscp in the ESP header to the inner IP Header. disable:Disable copy the dscp in the ESP header to the inner IP Header.

attribute fortigate::common::enable_disable_t? include_local_lan=null¶: Enable/disable allow local LAN access on unity clients. disable:Disable local LAN access on Unity clients. enable:Enable local LAN access on Unity clients.

attribute fortigate::vpn_ipsec_phase1_interface::interface? interface=null¶: Local physical, aggregate, or VLAN outgoing interface.

attribute fortigate::vpn_ipsec_phase1_interface::ip_delay_interval? ip_delay_interval=null¶: IP address reuse delay interval in seconds (0 - 28800).

attribute fortigate::vpn_ipsec_phase1_interface::ip_fragmentation? ip_fragmentation=null¶: Determine whether IP packets are fragmented before or after IPsec encapsulation. pre-encapsulation:Fragment before IPsec encapsulation. post-encapsulation:Fragment after IPsec encapsulation (RFC compliant).

attribute fortigate::vpn_ipsec_phase1_interface::ip_version? ip_version=null¶: IP version to use for VPN interface. 4:Use IPv4 addressing for gateways. 6:Use IPv6 addressing for gateways.

attribute string? ipv4_dns_server1=null¶: IPv4 DNS server 1.

attribute string? ipv4_dns_server2=null¶: IPv4 DNS server 2.

attribute string? ipv4_dns_server3=null¶: IPv4 DNS server 3.

attribute string? ipv4_end_ip=null¶: End of IPv4 range.

attribute fortigate::common::name_t? ipv4_name=null¶: IPv4 address name.

attribute string? ipv4_netmask=null¶: IPv4 Netmask.

attribute fortigate::common::name_t? ipv4_split_exclude=null¶: IPv4 subnets that should not be sent over the IPsec tunnel.

attribute fortigate::common::name_t? ipv4_split_include=null¶: IPv4 split-include subnets.

attribute string? ipv4_start_ip=null¶: Start of IPv4 range.

attribute string? ipv4_wins_server1=null¶: WINS server 1.

attribute string? ipv4_wins_server2=null¶: WINS server 2.

attribute string? ipv6_dns_server1=null¶: IPv6 DNS server 1.

attribute string? ipv6_dns_server2=null¶: IPv6 DNS server 2.

attribute string? ipv6_dns_server3=null¶: IPv6 DNS server 3.

attribute string? ipv6_end_ip=null¶: End of IPv6 range.

attribute fortigate::common::name_t? ipv6_name=null¶: IPv6 address name.

attribute fortigate::vpn_ipsec_phase1_interface::ipv6_prefix? ipv6_prefix=null¶: IPv6 prefix.

attribute fortigate::common::name_t? ipv6_split_exclude=null¶: IPv6 subnets that should not be sent over the IPsec tunnel.

attribute fortigate::common::name_t? ipv6_split_include=null¶: IPv6 split-include subnets.

attribute string? ipv6_start_ip=null¶: Start of IPv6 range.

attribute fortigate::vpn_ipsec_phase1_interface::keepalive? keepalive=null¶: NAT-T keep alive interval.

attribute fortigate::vpn_ipsec_phase1_interface::keylife? keylife=null¶: Time to wait in seconds before phase 1 encryption key expires.

attribute fortigate::vpn_ipsec_phase1_interface::link_cost? link_cost=null¶: VPN tunnel underlay link cost.

attribute string? local_gw=null¶: IPv4 address of the local gateway’s external interface.

attribute string? local_gw6=null¶: IPv6 address of the local gateway’s external interface.

attribute fortigate::vpn_ipsec_phase1_interface::localid? localid=null¶: Local ID.

attribute fortigate::vpn_ipsec_phase1_interface::localid_type? localid_type=null¶: Local ID type. auto:Select ID type automatically. fqdn:Use fully qualified domain name. user-fqdn:Use user fully qualified domain name. keyid:Use key-id string. address:Use local IP address. asn1dn:Use ASN.1 distinguished name.

attribute fortigate::common::enable_disable_t? loopback_asymroute=null¶: Enable/disable asymmetric routing for IKE traffic on loopback interface. enable:Allow ingress/egress IKE traffic to be routed over different interfaces. disable:Ingress/egress IKE traffic must be routed over the same interface.

attribute fortigate::vpn_ipsec_phase1_interface::mesh_selector_type? mesh_selector_type=null¶: Add selectors containing subsets of the configuration depending on traffic. disable:Disable. subnet:Enable addition of matching subnet selector. host:Enable addition of host to host selector.

attribute fortigate::vpn_ipsec_phase1_interface::mode? mode=null¶: The ID protection mode used to establish a secure channel. aggressive:Aggressive mode. main:Main mode.

attribute fortigate::common::enable_disable_t? mode_cfg=null¶: Enable/disable configuration method. disable:Disable Configuration Method. enable:Enable Configuration Method.

attribute fortigate::common::enable_disable_t? mode_cfg_allow_client_selector=null¶: Enable/disable mode-cfg client to use custom phase2 selectors. disable:Mode-cfg client to use wildcard selectors. enable:Mode-cfg client to use custom selectors.

attribute fortigate::vpn_ipsec_phase1_interface::monitor? monitor=null¶: IPsec interface as backup for primary interface.

attribute fortigate::vpn_ipsec_phase1_interface::monitor_hold_down_delay? monitor_hold_down_delay=null¶: Time to wait in seconds before recovery once primary re-establishes.

attribute string? monitor_hold_down_time=null¶: Time of day at which to fail back to primary after it re-establishes.

attribute fortigate::vpn_ipsec_phase1_interface::monitor_hold_down_type? monitor_hold_down_type=null¶: Recovery time method when primary interface re-establishes. immediate:Fail back immediately after primary recovers. delay:Number of seconds to delay fail back after primary recovers. time:Specify a time at which to fail back after primary recovers.

attribute fortigate::vpn_ipsec_phase1_interface::monitor_hold_down_weekday? monitor_hold_down_weekday=null¶: Day of the week to recover once primary re-establishes. everyday:Every Day. sunday:Sunday. monday:Monday. tuesday:Tuesday. wednesday:Wednesday. thursday:Thursday. friday:Friday. saturday:Saturday.

attribute fortigate::vpn_ipsec_phase1_interface::name name¶: IPsec remote gateway name.

attribute fortigate::vpn_ipsec_phase1_interface::nattraversal? nattraversal=null¶: Enable/disable NAT traversal. enable:Enable IPsec NAT traversal. disable:Disable IPsec NAT traversal. forced:Force IPsec NAT traversal on.

attribute fortigate::vpn_ipsec_phase1_interface::negotiate_timeout? negotiate_timeout=null¶: IKE SA negotiation timeout in seconds (1 - 300).

attribute fortigate::common::enable_disable_t? net_device=null¶: Enable/disable kernel device creation. enable:Create a kernel device for every tunnel. disable:Do not create a kernel device for tunnels.

attribute fortigate::vpn_ipsec_phase1_interface::network_id? network_id=null¶: VPN gateway network ID.

attribute fortigate::common::enable_disable_t? network_overlay=null¶: Enable/disable network overlays. disable:Disable network overlays. enable:Enable network overlays.

attribute fortigate::common::enable_disable_t? npu_offload=null¶: Enable/disable offloading NPU. enable:Enable NPU offloading. disable:Disable NPU offloading.

attribute fortigate::common::enable_disable_t? passive_mode=null¶: Enable/disable IPsec passive mode for static tunnels. enable:Enable IPsec passive mode. disable:Disable IPsec passive mode.

attribute fortigate::vpn_ipsec_phase1_interface::peer? peer=null¶: Accept this peer certificate.

attribute fortigate::vpn_ipsec_phase1_interface::peergrp? peergrp=null¶: Accept this peer certificate group.

attribute fortigate::vpn_ipsec_phase1_interface::peerid? peerid=null¶: Accept this peer identity.

attribute fortigate::vpn_ipsec_phase1_interface::peertype? peertype=null¶: Accept this peer type. any:Accept any peer ID. one:Accept this peer ID. dialup:Accept peer ID in dialup group. peer:Accept this peer certificate. peergrp:Accept this peer certificate group.

attribute fortigate::vpn_ipsec_phase1_interface::ppk? ppk=null¶: Enable/disable IKEv2 Postquantum Preshared Key (PPK). disable:Disable use of IKEv2 Postquantum Preshared Key (PPK). allow:Allow, but do not require, use of IKEv2 Postquantum Preshared Key (PPK). require:Require use of IKEv2 Postquantum Preshared Key (PPK).

attribute fortigate::vpn_ipsec_phase1_interface::ppk_identity? ppk_identity=null¶: IKEv2 Postquantum Preshared Key Identity.

attribute string? ppk_secret=null¶: IKEv2 Postquantum Preshared Key (ASCII string or hexadecimal encoded with a leading 0x).

attribute fortigate::vpn_ipsec_phase1_interface::priority? priority=null¶: Priority for routes added by IKE (1 - 65535).

attribute fortigate::vpn_ipsec_phase1_interface::proposal? proposal=null¶: Phase1 proposal. des-md5:des-md5 des-sha1:des-sha1 des-sha256:des-sha256 des-sha384:des-sha384 des-sha512:des-sha512 3des-md5:3des-md5 3des-sha1:3des-sha1 3des-sha256:3des-sha256 3des-sha384:3des-sha384 3des-sha512:3des-sha512 aes128-md5:aes128-md5 aes128-sha1:aes128-sha1 aes128-sha256:aes128-sha256 aes128-sha384:aes128-sha384 aes128-sha512:aes128-sha512 aes128gcm-prfsha1:aes128gcm-prfsha1 aes128gcm-prfsha256:aes128gcm-prfsha256 aes128gcm-prfsha384:aes128gcm-prfsha384 aes128gcm-prfsha512:aes128gcm-prfsha512 aes192-md5:aes192-md5 aes192-sha1:aes192-sha1 aes192-sha256:aes192-sha256 aes192-sha384:aes192-sha384 aes192-sha512:aes192-sha512 aes256-md5:aes256-md5 aes256-sha1:aes256-sha1 aes256-sha256:aes256-sha256 aes256-sha384:aes256-sha384 aes256-sha512:aes256-sha512 aes256gcm-prfsha1:aes256gcm-prfsha1 aes256gcm-prfsha256:aes256gcm-prfsha256 aes256gcm-prfsha384:aes256gcm-prfsha384 aes256gcm-prfsha512:aes256gcm-prfsha512 chacha20poly1305-prfsha1:chacha20poly1305-prfsha1 chacha20poly1305-prfsha256:chacha20poly1305-prfsha256 chacha20poly1305-prfsha384:chacha20poly1305-prfsha384 chacha20poly1305-prfsha512:chacha20poly1305-prfsha512 aria128-md5:aria128-md5 aria128-sha1:aria128-sha1 aria128-sha256:aria128-sha256 aria128-sha384:aria128-sha384 aria128-sha512:aria128-sha512 aria192-md5:aria192-md5 aria192-sha1:aria192-sha1 aria192-sha256:aria192-sha256 aria192-sha384:aria192-sha384 aria192-sha512:aria192-sha512 aria256-md5:aria256-md5 aria256-sha1:aria256-sha1 aria256-sha256:aria256-sha256 aria256-sha384:aria256-sha384 aria256-sha512:aria256-sha512 seed-md5:seed-md5 seed-sha1:seed-sha1 seed-sha256:seed-sha256 seed-sha384:seed-sha384 seed-sha512:seed-sha512

attribute string? psksecret=null¶: Pre-shared secret for PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

attribute string? psksecret_remote=null¶: Pre-shared secret for remote side PSK authentication (ASCII string or hexadecimal encoded with a leading 0x).

attribute fortigate::common::enable_disable_t? reauth=null¶: Enable/disable re-authentication upon IKE SA lifetime expiration. disable:Disable IKE SA re-authentication. enable:Enable IKE SA re-authentication.

attribute fortigate::common::enable_disable_t? rekey=null¶: Enable/disable phase1 rekey. enable:Enable phase1 rekey. disable:Disable phase1 rekey.

attribute string? remote_gw=null¶: IPv4 address of the remote gateway’s external interface.

attribute string? remote_gw6=null¶: IPv6 address of the remote gateway’s external interface.

attribute fortigate::vpn_ipsec_phase1_interface::remotegw_ddns? remotegw_ddns=null¶: Domain name of remote gateway. For example, name.ddns.com.

attribute fortigate::vpn_ipsec_phase1_interface::rsa_signature_format? rsa_signature_format=null¶: Digital Signature Authentication RSA signature format. pkcs1:RSASSA PKCS#1 v1.5. pss:RSASSA Probabilistic Signature Scheme (PSS).

attribute fortigate::common::enable_disable_t? rsa_signature_hash_override=null¶: Enable/disable IKEv2 RSA signature hash algorithm override. enable:Enable IKEv2 RSA signature hash algorithm override. disable:Disable IKEv2 RSA signature hash algorithm override.

attribute fortigate::common::enable_disable_t? save_password=null¶: Enable/disable saving XAuth username and password on VPN clients. disable:Disable saving XAuth username and password on VPN clients. enable:Enable saving XAuth username and password on VPN clients.

attribute fortigate::common::enable_disable_t? send_cert_chain=null¶: Enable/disable sending certificate chain. enable:Enable sending certificate chain. disable:Disable sending certificate chain.

attribute fortigate::vpn_ipsec_phase1_interface::signature_hash_alg? signature_hash_alg=null¶: Digital Signature Authentication hash algorithms. sha1:SHA1. sha2-256:SHA2-256. sha2-384:SHA2-384. sha2-512:SHA2-512.

attribute fortigate::common::name_t? split_include_service=null¶: Split-include services.

attribute fortigate::vpn_ipsec_phase1_interface::suite_b? suite_b=null¶: Use Suite-B. disable:Do not use UI suite. suite-b-gcm-128:Use Suite-B-GCM-128. suite-b-gcm-256:Use Suite-B-GCM-256.

attribute fortigate::vpn_ipsec_phase1_interface::type? type=null¶: Remote gateway type. static:Remote VPN gateway has fixed IP address. dynamic:Remote VPN gateway has dynamic IP address. ddns:Remote VPN gateway has dynamic IP address and is a dynamic DNS client.

attribute fortigate::common::enable_disable_t? unity_support=null¶: Enable/disable support for Cisco UNITY Configuration Method extensions. disable:Disable Cisco Unity Configuration Method Extensions. enable:Enable Cisco Unity Configuration Method Extensions.

attribute fortigate::vpn_ipsec_phase1_interface::usrgrp? usrgrp=null¶: User group name for dialup peers.

attribute fortigate::vpn_ipsec_phase1_interface::vni? vni=null¶: VNI of VXLAN tunnel.

attribute fortigate::vpn_ipsec_phase1_interface::wizard_type? wizard_type=null¶: GUI VPN Wizard Type. custom:Custom VPN configuration. dialup-forticlient:Dial Up - FortiClient Windows, Mac and Android. dialup-ios:Dial Up - iPhone / iPad Native IPsec Client. dialup-android:Dial Up - Android Native IPsec Client. dialup-windows:Dial Up - Windows Native IPsec Client. dialup-cisco:Dial Up - Cisco IPsec Client. static-fortigate:Site to Site - FortiGate. dialup-fortigate:Dial Up - FortiGate. static-cisco:Site to Site - Cisco. dialup-cisco-fw:Dialup Up - Cisco Firewall. simplified-static-fortigate:Site to Site - FortiGate (SD-WAN). hub-fortigate-auto-discovery:Hub role in a Hub-and-Spoke auto-discovery VPN. spoke-fortigate-auto-discovery:Spoke role in a Hub-and-Spoke auto-discovery VPN.

attribute fortigate::vpn_ipsec_phase1_interface::xauthtype? xauthtype=null¶: XAuth type. disable:Disable. client:Enable as client. pap:Enable as server PAP. chap:Enable as server CHAP. auto:Enable as server auto. :rel backup_gateway: :rel certificate: :rel ipv4_exclude_range: :rel ipv6_exclude_range:

relation fortigate::vpn_ipsec_phase1_interface::BackupGateway backup_gateway [0:*]¶: other end: fortigate::vpn_ipsec_phase1_interface::BackupGateway._parent [1]

relation fortigate::vpn_ipsec_phase1_interface::Certificate certificate [0:*]¶: other end: fortigate::vpn_ipsec_phase1_interface::Certificate._parent [1]

relation fortigate::vpn_ipsec_phase1_interface::Ipv4ExcludeRange ipv4_exclude_range [0:*]¶: other end: fortigate::vpn_ipsec_phase1_interface::Ipv4ExcludeRange._parent [1]

relation fortigate::vpn_ipsec_phase1_interface::Ipv6ExcludeRange ipv6_exclude_range [0:*]¶: other end: fortigate::vpn_ipsec_phase1_interface::Ipv6ExcludeRange._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::IpSecPhase2Interface¶

attribute fortigate::vpn_ipsec_phase2_interface::add_route? add_route=null¶: Enable/disable automatic route addition. phase1:Add route according to phase1 add-route setting. enable:Add route for remote proxy ID. disable:Do not add route for remote proxy ID.

attribute fortigate::vpn_ipsec_phase2_interface::auto_discovery_forwarder? auto_discovery_forwarder=null¶: Enable/disable forwarding short-cut messages. phase1:Forward short-cut messages according to the phase1 auto-discovery-forwarder setting. enable:Enable forwarding auto-discovery short-cut messages. disable:Disable forwarding auto-discovery short-cut messages.

attribute fortigate::vpn_ipsec_phase2_interface::auto_discovery_sender? auto_discovery_sender=null¶: Enable/disable sending short-cut messages. phase1:Send short-cut messages according to the phase1 auto-discovery-sender setting. enable:Enable sending auto-discovery short-cut messages. disable:Disable sending auto-discovery short-cut messages.

attribute fortigate::common::enable_disable_t? auto_negotiate=null¶: Enable/disable IPsec SA auto-negotiation. enable:Enable setting. disable:Disable setting.

attribute fortigate::vpn_ipsec_phase2_interface::comments? comments=null¶: Comment.

attribute fortigate::common::enable_disable_t? dhcp_ipsec=null¶: Enable/disable DHCP-IPsec. enable:Enable setting. disable:Disable setting.

attribute fortigate::vpn_ipsec_phase2_interface::dhgrp? dhgrp=null¶: Phase2 DH group. 1:DH Group 1. 2:DH Group 2. 5:DH Group 5. 14:DH Group 14. 15:DH Group 15. 16:DH Group 16. 17:DH Group 17. 18:DH Group 18. 19:DH Group 19. 20:DH Group 20. 21:DH Group 21. 27:DH Group 27. 28:DH Group 28. 29:DH Group 29. 30:DH Group 30. 31:DH Group 31. 32:DH Group 32.

attribute fortigate::common::enable_disable_t? diffserv=null¶: Enable/disable applying DSCP value to the IPsec tunnel outer IP header. enable:Enable setting. disable:Disable setting.

attribute string? diffservcode=null¶: DSCP value to be applied to the IPsec tunnel outer IP header.

attribute fortigate::vpn_ipsec_phase2_interface::dst_addr_type? dst_addr_type=null¶: Remote proxy ID type. subnet:IPv4 subnet. range:IPv4 range. ip:IPv4 IP. name:IPv4 firewall address or group name. subnet6:IPv6 subnet. range6:IPv6 range. ip6:IPv6 IP. name6:IPv6 firewall address or group name.

attribute string? dst_end_ip=null¶: Remote proxy ID IPv4 end.

attribute string? dst_end_ip6=null¶: Remote proxy ID IPv6 end.

attribute fortigate::common::name_t? dst_name=null¶: Remote proxy ID name.

attribute fortigate::common::name_t? dst_name6=null¶: Remote proxy ID name.

attribute fortigate::vpn_ipsec_phase2_interface::dst_port? dst_port=null¶: Quick mode destination port (1 - 65535 or 0 for all).

attribute string? dst_start_ip=null¶: Remote proxy ID IPv4 start.

attribute string? dst_start_ip6=null¶: Remote proxy ID IPv6 start.

attribute string? dst_subnet=null¶: Remote proxy ID IPv4 subnet.

attribute string? dst_subnet6=null¶: Remote proxy ID IPv6 subnet.

attribute fortigate::vpn_ipsec_phase2_interface::encapsulation? encapsulation=null¶: ESP encapsulation mode. tunnel-mode:Use tunnel mode encapsulation. transport-mode:Use transport mode encapsulation.

attribute fortigate::vpn_ipsec_phase2_interface::inbound_dscp_copy? inbound_dscp_copy=null¶: Enable/disable copying of the DSCP in the ESP header to the inner IP header. phase1:copy the DCSP in the ESP header to the inner IP Header according to the phase1 inbound_dscp_copy setting. enable:Enable copying of the DSCP in the ESP header to the inner IP header. disable:Disable copying of the DSCP in the ESP header to the inner IP header.

attribute fortigate::common::enable_disable_t? initiator_ts_narrow=null¶: Enable/disable traffic selector narrowing for IKEv2 initiator. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? ipv4_df=null¶: Enable/disable setting and resetting of IPv4 ‘Don’t Fragment’ bit. enable:Set IPv4 DF the same as original packet. disable:Reset IPv4 DF.

attribute fortigate::common::enable_disable_t? keepalive=null¶: Enable/disable keep alive. enable:Enable setting. disable:Disable setting.

attribute fortigate::vpn_ipsec_phase2_interface::keylife_type? keylife_type=null¶: Keylife type. seconds:Key life in seconds. kbs:Key life in kilobytes. both:Key life both.

attribute fortigate::vpn_ipsec_phase2_interface::keylifekbs? keylifekbs=null¶: Phase2 key life in number of kilobytes of traffic (5120 - 4294967295).

attribute fortigate::vpn_ipsec_phase2_interface::keylifeseconds? keylifeseconds=null¶: Phase2 key life in time in seconds (120 - 172800).

attribute fortigate::common::enable_disable_t? l2tp=null¶: Enable/disable L2TP over IPsec. enable:Enable L2TP over IPsec. disable:Disable L2TP over IPsec.

attribute fortigate::vpn_ipsec_phase2_interface::name name¶: IPsec tunnel name.

attribute fortigate::common::enable_disable_t? pfs=null¶: Enable/disable PFS feature. enable:Enable setting. disable:Disable setting.

attribute fortigate::vpn_ipsec_phase2_interface::phase1name? phase1name=null¶: Phase 1 determines the options required for phase 2.

attribute fortigate::vpn_ipsec_phase2_interface::proposal? proposal=null¶: Phase2 proposal. null-md5:null-md5 null-sha1:null-sha1 null-sha256:null-sha256 null-sha384:null-sha384 null-sha512:null-sha512 des-null:des-null des-md5:des-md5 des-sha1:des-sha1 des-sha256:des-sha256 des-sha384:des-sha384 des-sha512:des-sha512 3des-null:3des-null 3des-md5:3des-md5 3des-sha1:3des-sha1 3des-sha256:3des-sha256 3des-sha384:3des-sha384 3des-sha512:3des-sha512 aes128-null:aes128-null aes128-md5:aes128-md5 aes128-sha1:aes128-sha1 aes128-sha256:aes128-sha256 aes128-sha384:aes128-sha384 aes128-sha512:aes128-sha512 aes128gcm:aes128gcm aes192-null:aes192-null aes192-md5:aes192-md5 aes192-sha1:aes192-sha1 aes192-sha256:aes192-sha256 aes192-sha384:aes192-sha384 aes192-sha512:aes192-sha512 aes256-null:aes256-null aes256-md5:aes256-md5 aes256-sha1:aes256-sha1 aes256-sha256:aes256-sha256 aes256-sha384:aes256-sha384 aes256-sha512:aes256-sha512 aes256gcm:aes256gcm chacha20poly1305:chacha20poly1305 aria128-null:aria128-null aria128-md5:aria128-md5 aria128-sha1:aria128-sha1 aria128-sha256:aria128-sha256 aria128-sha384:aria128-sha384 aria128-sha512:aria128-sha512 aria192-null:aria192-null aria192-md5:aria192-md5 aria192-sha1:aria192-sha1 aria192-sha256:aria192-sha256 aria192-sha384:aria192-sha384 aria192-sha512:aria192-sha512 aria256-null:aria256-null aria256-md5:aria256-md5 aria256-sha1:aria256-sha1 aria256-sha256:aria256-sha256 aria256-sha384:aria256-sha384 aria256-sha512:aria256-sha512 seed-null:seed-null seed-md5:seed-md5 seed-sha1:seed-sha1 seed-sha256:seed-sha256 seed-sha384:seed-sha384 seed-sha512:seed-sha512

attribute fortigate::vpn_ipsec_phase2_interface::protocol? protocol=null¶: Quick mode protocol selector (1 - 255 or 0 for all).

attribute fortigate::common::enable_disable_t? replay=null¶: Enable/disable replay detection. enable:Enable setting. disable:Disable setting.

attribute fortigate::vpn_ipsec_phase2_interface::route_overlap? route_overlap=null¶: Action for overlapping routes. use-old:Use the old route and do not add the new route. use-new:Delete the old route and add the new route. allow:Allow overlapping routes.

attribute fortigate::common::enable_disable_t? single_source=null¶: Enable/disable single source IP restriction. enable:Only single source IP will be accepted. disable:Source IP range will be accepted.

attribute fortigate::vpn_ipsec_phase2_interface::src_addr_type? src_addr_type=null¶: Local proxy ID type. subnet:IPv4 subnet. range:IPv4 range. ip:IPv4 IP. name:IPv4 firewall address or group name. subnet6:IPv6 subnet. range6:IPv6 range. ip6:IPv6 IP. name6:IPv6 firewall address or group name.

attribute string? src_end_ip=null¶: Local proxy ID end.

attribute string? src_end_ip6=null¶: Local proxy ID IPv6 end.

attribute fortigate::common::name_t? src_name=null¶: Local proxy ID name.

attribute fortigate::common::name_t? src_name6=null¶: Local proxy ID name.

attribute fortigate::vpn_ipsec_phase2_interface::src_port? src_port=null¶: Quick mode source port (1 - 65535 or 0 for all).

attribute string? src_start_ip=null¶: Local proxy ID start.

attribute string? src_start_ip6=null¶: Local proxy ID IPv6 start.

attribute string? src_subnet=null¶: Local proxy ID subnet.

attribute string? src_subnet6=null¶: Local proxy ID IPv6 subnet.

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::Licence¶

Parents: fortigate::base::BaseResource

attribute string? proxy_url=null¶: HTTP proxy URL in the form: http://user:pass@proxyip:proxyport.

attribute string token¶: VM license token.

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::LocalInPolicy¶

attribute fortigate::firewall_local_in_policy::action? action=null¶: Action performed on traffic matching the policy (default = deny). accept:Allow traffic matching this policy. deny:Deny or block traffic matching this policy.

attribute fortigate::firewall_local_in_policy::comments? comments=null¶: Comment.

attribute fortigate::common::enable_disable_t? dstaddr_negate=null¶: When enabled dstaddr specifies what the destination address must NOT be. enable:Enable destination address negate. disable:Disable destination address negate.

attribute fortigate::common::enable_disable_t? ha_mgmt_intf_only=null¶: Enable/disable dedicating the HA management interface only for local-in policy. enable:Enable dedicating HA management interface only for local-in policy. disable:Disable dedicating HA management interface only for local-in policy.

attribute fortigate::firewall_local_in_policy::intf? intf=null¶: Incoming interface name from available options.

attribute fortigate::firewall_local_in_policy::policyid policyid¶: User defined local in policy ID.

attribute fortigate::firewall_local_in_policy::schedule? schedule=null¶: Schedule object from available options.

attribute fortigate::common::enable_disable_t? service_negate=null¶: When enabled service specifies what the service must NOT be. enable:Enable negated service match. disable:Disable negated service match.

attribute fortigate::common::enable_disable_t? srcaddr_negate=null¶: When enabled srcaddr specifies what the source address must NOT be. enable:Enable source address negate. disable:Disable source address negate.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this local-in policy. enable:Enable this local-in policy. disable:Disable this local-in policy.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

attribute fortigate::common::enable_disable_t? virtual_patch=null¶: Enable/disable virtual patching. enable:Enable virtual patching. disable:Disable virtual patching. :rel dstaddr: :rel service: :rel srcaddr:

relation fortigate::firewall_local_in_policy::Dstaddr dstaddr [0:*]¶: other end: fortigate::firewall_local_in_policy::Dstaddr._parent [1]

relation fortigate::firewall_local_in_policy::Service service [0:*]¶: other end: fortigate::firewall_local_in_policy::Service._parent [1]

relation fortigate::firewall_local_in_policy::Srcaddr srcaddr [0:*]¶: other end: fortigate::firewall_local_in_policy::Srcaddr._parent [1]

relation fortigate::base::LocalInPolicyRange parent [0:1]¶: other end: fortigate::base::LocalInPolicyRange.policies [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_parent_policyid_consistency constraint true

entity fortigate::LocalInPolicy6¶

attribute fortigate::firewall_local_in_policy6::action? action=null¶: Action performed on traffic matching the policy (default = deny). accept:Allow local-in traffic matching this policy. deny:Deny or block local-in traffic matching this policy.

attribute fortigate::firewall_local_in_policy6::comments? comments=null¶: Comment.

attribute fortigate::common::enable_disable_t? dstaddr_negate=null¶: When enabled dstaddr specifies what the destination address must NOT be. enable:Enable destination address negate. disable:Disable destination address negate.

attribute fortigate::firewall_local_in_policy6::intf? intf=null¶: Incoming interface name from available options.

attribute fortigate::firewall_local_in_policy6::policyid policyid¶: User defined local in policy ID.

attribute fortigate::firewall_local_in_policy6::schedule? schedule=null¶: Schedule object from available options.

attribute fortigate::common::enable_disable_t? service_negate=null¶: When enabled service specifies what the service must NOT be. enable:Enable negated service match. disable:Disable negated service match.

attribute fortigate::common::enable_disable_t? srcaddr_negate=null¶: When enabled srcaddr specifies what the source address must NOT be. enable:Enable source address negate. disable:Disable source address negate.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this local-in policy. enable:Enable this local-in policy. disable:Disable this local-in policy.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

attribute fortigate::common::enable_disable_t? virtual_patch=null¶: Enable/disable the virtual patching feature. enable:Enable setting. disable:Disable setting. :rel dstaddr: :rel service: :rel srcaddr:

relation fortigate::firewall_local_in_policy6::Dstaddr dstaddr [0:*]¶: other end: fortigate::firewall_local_in_policy6::Dstaddr._parent [1]

relation fortigate::firewall_local_in_policy6::Service service [0:*]¶: other end: fortigate::firewall_local_in_policy6::Service._parent [1]

relation fortigate::firewall_local_in_policy6::Srcaddr srcaddr [0:*]¶: other end: fortigate::firewall_local_in_policy6::Srcaddr._parent [1]

relation fortigate::base::LocalInPolicy6Range parent [0:1]¶: other end: fortigate::base::LocalInPolicy6Range.policies [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_parent_policyid_consistency constraint true

entity fortigate::MulticastPolicy¶

attribute fortigate::firewall_multicast_policy::action? action=null¶: Accept or deny traffic matching the policy. accept:Accept traffic matching the policy. deny:Deny or block traffic matching the policy.

attribute fortigate::common::enable_disable_t? auto_asic_offload=null¶: Enable/disable offloading policy traffic for hardware acceleration. enable:Enable hardware acceleration offloading. disable:Disable offloading for hardware acceleration.

attribute fortigate::firewall_multicast_policy::comments? comments=null¶: Comment.

attribute string? dnat=null¶: IPv4 DNAT address used for multicast destination addresses.

attribute fortigate::firewall_multicast_policy::dstintf? dstintf=null¶: Destination interface name.

attribute fortigate::firewall_multicast_policy::end_port? end_port=null¶: Integer value for ending TCP/UDP/SCTP destination port in range (1 - 65535, default = 1).

attribute fortigate::firewall_multicast_policy::id id¶: Policy ID ((0 - 4294967294).

attribute fortigate::common::enable_disable_t? logtraffic=null¶: Enable/disable logging traffic accepted by this policy. enable:Enable logging traffic accepted by this policy. disable:Disable logging traffic accepted by this policy.

attribute fortigate::firewall_multicast_policy::name? name=null¶: Policy name.

attribute fortigate::firewall_multicast_policy::protocol? protocol=null¶: Integer value for the protocol type as defined by IANA (0 - 255, default = 0).

attribute fortigate::common::enable_disable_t? snat=null¶: Enable/disable substitution of the outgoing interface IP address for the original source IP address (called source NAT or SNAT). enable:Enable source NAT. disable:Disable source NAT.

attribute string? snat_ip=null¶: IPv4 address to be used as the source address for NATed traffic.

attribute fortigate::firewall_multicast_policy::srcintf? srcintf=null¶: Source interface name.

attribute fortigate::firewall_multicast_policy::start_port? start_port=null¶: Integer value for starting TCP/UDP/SCTP destination port in range (1 - 65535, default = 1).

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this policy. enable:Enable this policy. disable:Disable this policy.

attribute fortigate::firewall_multicast_policy::traffic_shaper? traffic_shaper=null¶: Traffic shaper to apply to traffic forwarded by the multicast policy.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset). :rel dstaddr: :rel srcaddr:

relation fortigate::firewall_multicast_policy::Dstaddr dstaddr [0:*]¶: other end: fortigate::firewall_multicast_policy::Dstaddr._parent [1]

relation fortigate::firewall_multicast_policy::Srcaddr srcaddr [0:*]¶: other end: fortigate::firewall_multicast_policy::Srcaddr._parent [1]

relation fortigate::base::MulticastPolicyRange parent [0:1]¶: other end: fortigate::base::MulticastPolicyRange.policies [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_parent_id_consistency constraint true

entity fortigate::MulticastPolicy6¶

attribute fortigate::firewall_multicast_policy6::action? action=null¶: Accept or deny traffic matching the policy. accept:Accept. deny:Deny.

attribute fortigate::common::enable_disable_t? auto_asic_offload=null¶: Enable/disable offloading policy traffic for hardware acceleration. enable:Enable offloading policy traffic for hardware acceleration. disable:Disable offloading policy traffic for hardware acceleration.

attribute fortigate::firewall_multicast_policy6::comments? comments=null¶: Comment.

attribute fortigate::firewall_multicast_policy6::dstintf? dstintf=null¶: IPv6 destination interface name.

attribute fortigate::firewall_multicast_policy6::end_port? end_port=null¶: Integer value for ending TCP/UDP/SCTP destination port in range (1 - 65535, default = 65535).

attribute fortigate::firewall_multicast_policy6::id id¶: Policy ID (0 - 4294967294).

attribute fortigate::common::enable_disable_t? logtraffic=null¶: Enable/disable logging traffic accepted by this policy. enable:Enable logging traffic accepted by this policy. disable:Disable logging traffic accepted by this policy.

attribute fortigate::firewall_multicast_policy6::name? name=null¶: Policy name.

attribute fortigate::firewall_multicast_policy6::protocol? protocol=null¶: Integer value for the protocol type as defined by IANA (0 - 255, default = 0).

attribute fortigate::firewall_multicast_policy6::srcintf? srcintf=null¶: IPv6 source interface name.

attribute fortigate::firewall_multicast_policy6::start_port? start_port=null¶: Integer value for starting TCP/UDP/SCTP destination port in range (1 - 65535, default = 1).

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this policy. enable:Enable this policy. disable:Disable this policy.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset). :rel dstaddr: :rel srcaddr:

relation fortigate::firewall_multicast_policy6::Dstaddr dstaddr [0:*]¶: other end: fortigate::firewall_multicast_policy6::Dstaddr._parent [1]

relation fortigate::firewall_multicast_policy6::Srcaddr srcaddr [0:*]¶: other end: fortigate::firewall_multicast_policy6::Srcaddr._parent [1]

relation fortigate::base::MulticastPolicy6Range parent [0:1]¶: other end: fortigate::base::MulticastPolicy6Range.policies [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_parent_id_consistency constraint true

entity fortigate::Policy¶

attribute fortigate::firewall_policy::action? action=null¶: Policy action (accept/deny/ipsec). accept:Allows session that match the firewall policy. deny:Blocks sessions that match the firewall policy. ipsec:Firewall policy becomes a policy-based IPsec VPN policy.

attribute fortigate::common::enable_disable_t? anti_replay=null¶: Enable/disable anti-replay check. enable:Enable anti-replay check. disable:Disable anti-replay check.

attribute fortigate::firewall_policy::application_list? application_list=null¶: Name of an existing Application list.

attribute fortigate::firewall_policy::auth_cert? auth_cert=null¶: HTTPS server certificate for policy authentication.

attribute fortigate::common::enable_disable_t? auth_path=null¶: Enable/disable authentication-based routing. enable:Enable authentication-based routing. disable:Disable authentication-based routing.

attribute fortigate::firewall_policy::auth_redirect_addr? auth_redirect_addr=null¶: HTTP-to-HTTPS redirect address for firewall authentication.

attribute fortigate::common::enable_disable_t? auto_asic_offload=null¶: Enable/disable policy traffic ASIC offloading. enable:Enable auto ASIC offloading. disable:Disable ASIC offloading.

attribute fortigate::firewall_policy::av_profile? av_profile=null¶: Name of an existing Antivirus profile.

attribute fortigate::common::enable_disable_t? block_notification=null¶: Enable/disable block notification. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? captive_portal_exempt=null¶: Enable to exempt some users from the captive portal. enable:Enable exemption of captive portal. disable:Disable exemption of captive portal.

attribute fortigate::common::enable_disable_t? capture_packet=null¶: Enable/disable capture packets. enable:Enable capture packets. disable:Disable capture packets.

attribute fortigate::firewall_policy::cifs_profile? cifs_profile=null¶: Name of an existing CIFS profile.

attribute fortigate::firewall_policy::comments? comments=null¶: Comment.

attribute fortigate::firewall_policy::decrypted_traffic_mirror? decrypted_traffic_mirror=null¶: Decrypted traffic mirror.

attribute fortigate::common::enable_disable_t? delay_tcp_npu_session=null¶: Enable TCP NPU session delay to guarantee packet order of 3-way handshake. enable:Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake. disable:Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

attribute fortigate::common::enable_disable_t? diffserv_copy=null¶: Enable to copy packet’s DiffServ values from session’s original direction to its reply direction. enable:Enable DSCP copy. disable:Disable DSCP copy.

attribute fortigate::common::enable_disable_t? diffserv_forward=null¶: Enable to change packet’s DiffServ values to the specified diffservcode-forward value. enable:Enable setting forward (original) traffic Diffserv. disable:Disable setting forward (original) traffic Diffserv.

attribute fortigate::common::enable_disable_t? diffserv_reverse=null¶: Enable to change packet’s reverse (reply) DiffServ values to the specified diffservcode-rev value. enable:Enable setting reverse (reply) traffic DiffServ. disable:Disable setting reverse (reply) traffic DiffServ.

attribute string? diffservcode_forward=null¶: Change packet’s DiffServ to this value.

attribute string? diffservcode_rev=null¶: Change packet’s reverse (reply) DiffServ to this value.

attribute fortigate::common::enable_disable_t? disclaimer=null¶: Enable/disable user authentication disclaimer. enable:Enable user authentication disclaimer. disable:Disable user authentication disclaimer.

attribute fortigate::firewall_policy::dlp_profile? dlp_profile=null¶: Name of an existing DLP profile.

attribute fortigate::firewall_policy::dnsfilter_profile? dnsfilter_profile=null¶: Name of an existing DNS filter profile.

attribute fortigate::common::enable_disable_t? dsri=null¶: Enable DSRI to ignore HTTP server responses. enable:Enable DSRI. disable:Disable DSRI.

attribute fortigate::common::enable_disable_t? dstaddr6_negate=null¶: When enabled dstaddr6 specifies what the destination address must NOT be. enable:Enable IPv6 destination address negate. disable:Disable IPv6 destination address negate.

attribute fortigate::common::enable_disable_t? dstaddr_negate=null¶: When enabled dstaddr specifies what the destination address must NOT be. enable:Enable destination address negate. disable:Disable destination address negate.

attribute fortigate::common::enable_disable_t? dynamic_shaping=null¶: Enable/disable dynamic RADIUS defined traffic shaping. enable:Enable dynamic RADIUS defined traffic shaping. disable:Disable dynamic RADIUS defined traffic shaping.

attribute fortigate::common::enable_disable_t? email_collect=null¶: Enable/disable email collection. enable:Enable email collection. disable:Disable email collection.

attribute fortigate::firewall_policy::emailfilter_profile? emailfilter_profile=null¶: Name of an existing email filter profile.

attribute fortigate::common::enable_disable_t? fec=null¶: Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. enable:Enable Forward Error Correction. disable:Disable Forward Error Correction.

attribute fortigate::firewall_policy::file_filter_profile? file_filter_profile=null¶: Name of an existing file-filter profile.

attribute fortigate::firewall_policy::firewall_session_dirty? firewall_session_dirty=null¶: How to handle sessions if the configuration of this firewall policy changes. check-all:Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies. check-new:Continue to allow sessions already accepted by this policy.

attribute fortigate::common::enable_disable_t? fixedport=null¶: Enable to prevent source NAT from changing a session’s source port. enable:Enable setting. disable:Disable setting.

attribute fortigate::firewall_policy::fsso_agent_for_ntlm? fsso_agent_for_ntlm=null¶: FSSO agent to use for NTLM authentication.

attribute fortigate::common::enable_disable_t? geoip_anycast=null¶: Enable/disable recognition of anycast IP addresses using the geography IP database. enable:Enable recognition of anycast IP addresses using the geography IP database. disable:Disable recognition of anycast IP addresses using the geography IP database.

attribute fortigate::firewall_policy::geoip_match? geoip_match=null¶: Match geography address based either on its physical location or registered location. physical-location:Match geography address to its physical location using the geography IP database. registered-location:Match geography address to its registered location using the geography IP database.

attribute fortigate::common::enable_disable_t? http_policy_redirect=null¶: Redirect HTTP(S) traffic to matching transparent web proxy policy. enable:Enable HTTP(S) policy redirect. disable:Disable HTTP(S) policy redirect.

attribute fortigate::firewall_policy::icap_profile? icap_profile=null¶: Name of an existing ICAP profile.

attribute fortigate::firewall_policy::identity_based_route? identity_based_route=null¶: Name of identity-based routing rule.

attribute fortigate::common::enable_disable_t? inbound=null¶: Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. enable:Enable setting. disable:Disable setting.

attribute fortigate::firewall_policy::inspection_mode? inspection_mode=null¶: Policy inspection mode (Flow/proxy). Default is Flow mode. proxy:Proxy based inspection. flow:Flow based inspection.

attribute fortigate::common::enable_disable_t? internet_service=null¶: Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. enable:Enable use of Internet Services in policy. disable:Disable use of Internet Services in policy.

attribute fortigate::common::enable_disable_t? internet_service6=null¶: Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. enable:Enable use of IPv6 Internet Services in policy. disable:Disable use of IPv6 Internet Services in policy.

attribute fortigate::common::enable_disable_t? internet_service6_negate=null¶: When enabled internet-service6 specifies what the service must NOT be. enable:Enable negated IPv6 Internet Service match. disable:Disable negated IPv6 Internet Service match.

attribute fortigate::common::enable_disable_t? internet_service6_src=null¶: Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. enable:Enable use of IPv6 Internet Services source in policy. disable:Disable use of IPv6 Internet Services source in policy.

attribute fortigate::common::enable_disable_t? internet_service6_src_negate=null¶: When enabled internet-service6-src specifies what the service must NOT be. enable:Enable negated IPv6 Internet Service source match. disable:Disable negated IPv6 Internet Service source match.

attribute fortigate::common::enable_disable_t? internet_service_negate=null¶: When enabled internet-service specifies what the service must NOT be. enable:Enable negated Internet Service match. disable:Disable negated Internet Service match.

attribute fortigate::common::enable_disable_t? internet_service_src=null¶: Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. enable:Enable use of Internet Services source in policy. disable:Disable use of Internet Services source in policy.

attribute fortigate::common::enable_disable_t? internet_service_src_negate=null¶: When enabled internet-service-src specifies what the service must NOT be. enable:Enable negated Internet Service source match. disable:Disable negated Internet Service source match.

attribute fortigate::common::enable_disable_t? ippool=null¶: Enable to use IP Pools for source NAT. enable:Enable setting. disable:Disable setting.

attribute fortigate::firewall_policy::ips_sensor? ips_sensor=null¶: Name of an existing IPS sensor.

attribute fortigate::firewall_policy::ips_voip_filter? ips_voip_filter=null¶: Name of an existing VoIP (ips) profile.

attribute fortigate::firewall_policy::logtraffic? logtraffic=null¶: Enable or disable logging. Log all sessions or security profile sessions. all:Log all sessions accepted or denied by this policy. utm:Log traffic that has a security profile applied to it. disable:Disable all logging for this policy.

attribute fortigate::common::enable_disable_t? logtraffic_start=null¶: Record logs when a session starts. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? match_vip=null¶: Enable to match packets that have had their destination addresses changed by a VIP. enable:Match DNATed packet. disable:Do not match DNATed packet.

attribute fortigate::common::enable_disable_t? match_vip_only=null¶: Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. enable:Enable matching of only those packets that have had their destination addresses changed by a VIP. disable:Disable matching of only those packets that have had their destination addresses changed by a VIP.

attribute fortigate::firewall_policy::name? name=null¶: Policy name.

attribute fortigate::common::enable_disable_t? nat=null¶: Enable/disable source NAT. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? nat46=null¶: Enable/disable NAT46. enable:Enable NAT46. disable:Disable NAT46.

attribute fortigate::common::enable_disable_t? nat64=null¶: Enable/disable NAT64. enable:Enable NAT64. disable:Disable NAT64.

attribute fortigate::common::enable_disable_t? natinbound=null¶: Policy-based IPsec VPN: apply destination NAT to inbound traffic. enable:Enable setting. disable:Disable setting.

attribute string? natip=null¶: Policy-based IPsec VPN: source NAT IP address for outgoing traffic.

attribute fortigate::common::enable_disable_t? natoutbound=null¶: Policy-based IPsec VPN: apply source NAT to outbound traffic. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? np_acceleration=null¶: Enable/disable UTM Network Processor acceleration. enable:Enable UTM Network Processor acceleration. disable:Disable UTM Network Processor acceleration.

attribute fortigate::common::enable_disable_t? ntlm=null¶: Enable/disable NTLM authentication. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? ntlm_guest=null¶: Enable/disable NTLM guest user access. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? outbound=null¶: Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? passive_wan_health_measurement=null¶: Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. enable:Enable Passive WAN health measurement. disable:Disable Passive WAN health measurement.

attribute fortigate::firewall_policy::per_ip_shaper? per_ip_shaper=null¶: Per-IP traffic shaper.

attribute fortigate::common::enable_disable_t? permit_any_host=null¶: Accept UDP packets from any host. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? permit_stun_host=null¶: Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? policy_expiry=null¶: Enable/disable policy expiry. enable:Enable policy expiry. disable:Disable polcy expiry.

attribute string? policy_expiry_date=null¶: Policy expiry date (YYYY-MM-DD HH:MM:SS).

attribute string? policy_expiry_date_utc=null¶: Policy expiry date and time, in epoch format.

attribute fortigate::firewall_policy::policyid policyid¶: Policy ID (0 - 4294967294).

attribute fortigate::firewall_policy::profile_group? profile_group=null¶: Name of profile group.

attribute fortigate::firewall_policy::profile_protocol_options? profile_protocol_options=null¶: Name of an existing Protocol options profile.

attribute fortigate::firewall_policy::profile_type? profile_type=null¶: Determine whether the firewall policy allows security profile groups or single profiles only. single:Do not allow security profile groups. group:Allow security profile groups.

attribute fortigate::common::enable_disable_t? radius_mac_auth_bypass=null¶: Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. enable:Enable MAC authentication bypass. disable:Disable MAC authentication bypass.

attribute fortigate::firewall_policy::redirect_url? redirect_url=null¶: URL users are directed to after seeing and accepting the disclaimer or authenticating.

attribute fortigate::firewall_policy::replacemsg_override_group? replacemsg_override_group=null¶: Override the default replacement message group for this policy.

attribute fortigate::firewall_policy::reputation_direction? reputation_direction=null¶: Direction of the initial traffic for reputation to take effect. source:Check reputation for source address. destination:Check reputation for destination address.

attribute fortigate::firewall_policy::reputation_direction6? reputation_direction6=null¶: Direction of the initial traffic for IPv6 reputation to take effect. source:Check reputation for IPv6 source address. destination:Check reputation for IPv6 destination address.

attribute fortigate::firewall_policy::reputation_minimum? reputation_minimum=null¶: Minimum Reputation to take action.

attribute fortigate::firewall_policy::reputation_minimum6? reputation_minimum6=null¶: IPv6 Minimum Reputation to take action.

attribute fortigate::common::enable_disable_t? rtp_nat=null¶: Enable Real Time Protocol (RTP) NAT. disable:Disable setting. enable:Enable setting.

attribute fortigate::firewall_policy::schedule? schedule=null¶: Schedule name.

attribute fortigate::common::enable_disable_t? schedule_timeout=null¶: Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. enable:Enable schedule timeout. disable:Disable schedule timeout.

attribute fortigate::firewall_policy::sctp_filter_profile? sctp_filter_profile=null¶: Name of an existing SCTP filter profile.

attribute fortigate::common::enable_disable_t? send_deny_packet=null¶: Enable to send a reply when a session is denied or blocked by a firewall policy. disable:Disable deny-packet sending. enable:Enable deny-packet sending.

attribute fortigate::common::enable_disable_t? service_negate=null¶: When enabled service specifies what the service must NOT be. enable:Enable negated service match. disable:Disable negated service match.

attribute string? session_ttl=null¶: TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).

attribute fortigate::common::enable_disable_t? sgt_check=null¶: Enable/disable security group tags (SGT) check. enable:Enable SGT check. disable:Disable SGT check.

attribute fortigate::common::enable_disable_t? srcaddr6_negate=null¶: When enabled srcaddr6 specifies what the source address must NOT be. enable:Enable IPv6 source address negate. disable:Disable IPv6 source address negate.

attribute fortigate::common::enable_disable_t? srcaddr_negate=null¶: When enabled srcaddr specifies what the source address must NOT be. enable:Enable source address negate. disable:Disable source address negate.

attribute fortigate::firewall_policy::ssh_filter_profile? ssh_filter_profile=null¶: Name of an existing SSH filter profile.

attribute fortigate::common::enable_disable_t? ssh_policy_redirect=null¶: Redirect SSH traffic to matching transparent proxy policy. enable:Enable SSH policy redirect. disable:Disable SSH policy redirect.

attribute fortigate::firewall_policy::ssl_ssh_profile? ssl_ssh_profile=null¶: Name of an existing SSL SSH profile.

attribute fortigate::common::enable_disable_t? status=null¶: Enable or disable this policy. enable:Enable setting. disable:Disable setting.

attribute fortigate::firewall_policy::tcp_mss_receiver? tcp_mss_receiver=null¶: Receiver TCP maximum segment size (MSS).

attribute fortigate::firewall_policy::tcp_mss_sender? tcp_mss_sender=null¶: Sender TCP maximum segment size (MSS).

attribute fortigate::firewall_policy::tcp_session_without_syn? tcp_session_without_syn=null¶: Enable/disable creation of TCP session without SYN flag. all:Enable TCP session without SYN. data-only:Enable TCP session data only. disable:Disable TCP session without SYN.

attribute fortigate::common::enable_disable_t? timeout_send_rst=null¶: Enable/disable sending RST packets when TCP sessions expire. enable:Enable sending of RST packet upon TCP session expiration. disable:Disable sending of RST packet upon TCP session expiration.

attribute string? tos=null¶: ToS (Type of Service) value used for comparison.

attribute string? tos_mask=null¶: Non-zero bit positions are used for comparison while zero bit positions are ignored.

attribute fortigate::common::enable_disable_t? tos_negate=null¶: Enable negated TOS match. enable:Enable TOS match negate. disable:Disable TOS match negate.

attribute fortigate::firewall_policy::traffic_shaper? traffic_shaper=null¶: Traffic shaper.

attribute fortigate::firewall_policy::traffic_shaper_reverse? traffic_shaper_reverse=null¶: Reverse traffic shaper.

attribute fortigate::common::enable_disable_t? utm_status=null¶: Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. enable:Enable setting. disable:Disable setting.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

attribute fortigate::firewall_policy::videofilter_profile? videofilter_profile=null¶: Name of an existing VideoFilter profile.

attribute fortigate::firewall_policy::vlan_cos_fwd? vlan_cos_fwd=null¶: VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.

attribute fortigate::firewall_policy::vlan_cos_rev? vlan_cos_rev=null¶: VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.

attribute string? vlan_filter=null¶: VLAN ranges to allow

attribute fortigate::firewall_policy::voip_profile? voip_profile=null¶: Name of an existing VoIP (voipd) profile.

attribute fortigate::firewall_policy::vpntunnel? vpntunnel=null¶: Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

attribute fortigate::firewall_policy::waf_profile? waf_profile=null¶: Name of an existing Web application firewall profile.

attribute fortigate::common::enable_disable_t? wanopt=null¶: Enable/disable WAN optimization. enable:Enable setting. disable:Disable setting.

attribute fortigate::firewall_policy::wanopt_detection? wanopt_detection=null¶: WAN optimization auto-detection mode. active:Active WAN optimization peer auto-detection. passive:Passive WAN optimization peer auto-detection. off:Turn off WAN optimization peer auto-detection.

attribute fortigate::firewall_policy::wanopt_passive_opt? wanopt_passive_opt=null¶: WAN optimization passive mode options. This option decides what IP address will be used to connect server. default:Allow client side WAN opt peer to decide. transparent:Use address of client to connect to server. non-transparent:Use local FortiGate address to connect to server.

attribute fortigate::firewall_policy::wanopt_peer? wanopt_peer=null¶: WAN optimization peer.

attribute fortigate::firewall_policy::wanopt_profile? wanopt_profile=null¶: WAN optimization profile.

attribute fortigate::common::enable_disable_t? wccp=null¶: Enable/disable forwarding traffic matching this policy to a configured WCCP server. enable:Enable WCCP setting. disable:Disable WCCP setting.

attribute fortigate::common::enable_disable_t? webcache=null¶: Enable/disable web cache. enable:Enable setting. disable:Disable setting.

attribute fortigate::common::enable_disable_t? webcache_https=null¶: Enable/disable web cache for HTTPS. disable:Disable web cache for HTTPS. enable:Enable web cache for HTTPS.

attribute fortigate::firewall_policy::webfilter_profile? webfilter_profile=null¶: Name of an existing Web filter profile.

attribute fortigate::firewall_policy::webproxy_forward_server? webproxy_forward_server=null¶: Webproxy forward server name.

attribute fortigate::firewall_policy::webproxy_profile? webproxy_profile=null¶: Webproxy profile name.

attribute fortigate::common::enable_disable_t? ztna_device_ownership=null¶: Enable/disable zero trust device ownership. enable:Enable ZTNA device ownership check. disable:Disable ZTNA device ownership check.

attribute fortigate::common::enable_disable_t? ztna_policy_redirect=null¶: Redirect ZTNA traffic to matching Access-Proxy proxy-policy. enable:Enable ZTNA proxy-policy redirect. disable:Disable ZTNA proxy-policy redirect.

attribute fortigate::common::enable_disable_t? ztna_status=null¶: Enable/disable zero trust access. enable:Enable zero trust network access. disable:Disable zero trust network access.

attribute fortigate::firewall_policy::ztna_tags_match_logic? ztna_tags_match_logic=null¶: ZTNA tag matching logic. or:Match ZTNA tags using a logical OR operator. and:Match ZTNA tags using a logical AND operator. :rel custom_log_fields: :rel dstaddr: :rel dstaddr6: :rel dstintf: :rel fsso_groups: :rel groups: :rel internet_service6_custom: :rel internet_service6_custom_group: :rel internet_service6_group: :rel internet_service6_name: :rel internet_service6_src_custom: :rel internet_service6_src_custom_group: :rel internet_service6_src_group: :rel internet_service6_src_name: :rel internet_service_custom: :rel internet_service_custom_group: :rel internet_service_group: :rel internet_service_name: :rel internet_service_src_custom: :rel internet_service_src_custom_group: :rel internet_service_src_group: :rel internet_service_src_name: :rel network_service_dynamic: :rel network_service_src_dynamic: :rel ntlm_enabled_browsers: :rel poolname: :rel poolname6: :rel rtp_addr: :rel service: :rel sgt: :rel src_vendor_mac: :rel srcaddr: :rel srcaddr6: :rel srcintf: :rel users: :rel ztna_ems_tag: :rel ztna_geo_tag:

relation fortigate::firewall_policy::CustomLogFields custom_log_fields [0:*]¶: other end: fortigate::firewall_policy::CustomLogFields._parent [1]

relation fortigate::firewall_policy::Dstaddr dstaddr [0:*]¶: other end: fortigate::firewall_policy::Dstaddr._parent [1]

relation fortigate::firewall_policy::Dstaddr6 dstaddr6 [0:*]¶: other end: fortigate::firewall_policy::Dstaddr6._parent [1]

relation fortigate::firewall_policy::Dstintf dstintf [0:*]¶: other end: fortigate::firewall_policy::Dstintf._parent [1]

relation fortigate::firewall_policy::FssoGroups fsso_groups [0:*]¶: other end: fortigate::firewall_policy::FssoGroups._parent [1]

relation fortigate::firewall_policy::Groups groups [0:*]¶: other end: fortigate::firewall_policy::Groups._parent [1]

relation fortigate::firewall_policy::InternetService6Custom internet_service6_custom [0:*]¶: other end: fortigate::firewall_policy::InternetService6Custom._parent [1]

relation fortigate::firewall_policy::InternetService6CustomGroup internet_service6_custom_group [0:*]¶: other end: fortigate::firewall_policy::InternetService6CustomGroup._parent [1]

relation fortigate::firewall_policy::InternetService6Group internet_service6_group [0:*]¶: other end: fortigate::firewall_policy::InternetService6Group._parent [1]

relation fortigate::firewall_policy::InternetService6Name internet_service6_name [0:*]¶: other end: fortigate::firewall_policy::InternetService6Name._parent [1]

relation fortigate::firewall_policy::InternetService6SrcCustom internet_service6_src_custom [0:*]¶: other end: fortigate::firewall_policy::InternetService6SrcCustom._parent [1]

relation fortigate::firewall_policy::InternetService6SrcCustomGroup internet_service6_src_custom_group [0:*]¶: other end: fortigate::firewall_policy::InternetService6SrcCustomGroup._parent [1]

relation fortigate::firewall_policy::InternetService6SrcGroup internet_service6_src_group [0:*]¶: other end: fortigate::firewall_policy::InternetService6SrcGroup._parent [1]

relation fortigate::firewall_policy::InternetService6SrcName internet_service6_src_name [0:*]¶: other end: fortigate::firewall_policy::InternetService6SrcName._parent [1]

relation fortigate::firewall_policy::InternetServiceCustom internet_service_custom [0:*]¶: other end: fortigate::firewall_policy::InternetServiceCustom._parent [1]

relation fortigate::firewall_policy::InternetServiceCustomGroup internet_service_custom_group [0:*]¶: other end: fortigate::firewall_policy::InternetServiceCustomGroup._parent [1]

relation fortigate::firewall_policy::InternetServiceGroup internet_service_group [0:*]¶: other end: fortigate::firewall_policy::InternetServiceGroup._parent [1]

relation fortigate::firewall_policy::InternetServiceName internet_service_name [0:*]¶: other end: fortigate::firewall_policy::InternetServiceName._parent [1]

relation fortigate::firewall_policy::InternetServiceSrcCustom internet_service_src_custom [0:*]¶: other end: fortigate::firewall_policy::InternetServiceSrcCustom._parent [1]

relation fortigate::firewall_policy::InternetServiceSrcCustomGroup internet_service_src_custom_group [0:*]¶: other end: fortigate::firewall_policy::InternetServiceSrcCustomGroup._parent [1]

relation fortigate::firewall_policy::InternetServiceSrcGroup internet_service_src_group [0:*]¶: other end: fortigate::firewall_policy::InternetServiceSrcGroup._parent [1]

relation fortigate::firewall_policy::InternetServiceSrcName internet_service_src_name [0:*]¶: other end: fortigate::firewall_policy::InternetServiceSrcName._parent [1]

relation fortigate::firewall_policy::NetworkServiceDynamic network_service_dynamic [0:*]¶: other end: fortigate::firewall_policy::NetworkServiceDynamic._parent [1]

relation fortigate::firewall_policy::NetworkServiceSrcDynamic network_service_src_dynamic [0:*]¶: other end: fortigate::firewall_policy::NetworkServiceSrcDynamic._parent [1]

relation fortigate::firewall_policy::NtlmEnabledBrowsers ntlm_enabled_browsers [0:*]¶: other end: fortigate::firewall_policy::NtlmEnabledBrowsers._parent [1]

relation fortigate::firewall_policy::Poolname poolname [0:*]¶: other end: fortigate::firewall_policy::Poolname._parent [1]

relation fortigate::firewall_policy::Poolname6 poolname6 [0:*]¶: other end: fortigate::firewall_policy::Poolname6._parent [1]

relation fortigate::firewall_policy::RtpAddr rtp_addr [0:*]¶: other end: fortigate::firewall_policy::RtpAddr._parent [1]

relation fortigate::firewall_policy::Service service [0:*]¶: other end: fortigate::firewall_policy::Service._parent [1]

relation fortigate::firewall_policy::Sgt sgt [0:*]¶: other end: fortigate::firewall_policy::Sgt._parent [1]

relation fortigate::firewall_policy::SrcVendorMac src_vendor_mac [0:*]¶: other end: fortigate::firewall_policy::SrcVendorMac._parent [1]

relation fortigate::firewall_policy::Srcaddr srcaddr [0:*]¶: other end: fortigate::firewall_policy::Srcaddr._parent [1]

relation fortigate::firewall_policy::Srcaddr6 srcaddr6 [0:*]¶: other end: fortigate::firewall_policy::Srcaddr6._parent [1]

relation fortigate::firewall_policy::Srcintf srcintf [0:*]¶: other end: fortigate::firewall_policy::Srcintf._parent [1]

relation fortigate::firewall_policy::Users users [0:*]¶: other end: fortigate::firewall_policy::Users._parent [1]

relation fortigate::firewall_policy::ZtnaEmsTag ztna_ems_tag [0:*]¶: other end: fortigate::firewall_policy::ZtnaEmsTag._parent [1]

relation fortigate::firewall_policy::ZtnaGeoTag ztna_geo_tag [0:*]¶: other end: fortigate::firewall_policy::ZtnaGeoTag._parent [1]

relation fortigate::base::PolicyRange parent [0:1]¶: other end: fortigate::base::PolicyRange.policies [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_parent_policyid_consistency constraint true

entity fortigate::PrefixList¶

attribute fortigate::router_prefix_list::comments? comments=null¶: Comment.

attribute fortigate::router_prefix_list::name name¶: Name. :rel rule:

relation fortigate::router_prefix_list::Rule rule [0:*]¶: other end: fortigate::router_prefix_list::Rule._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::SDWan¶

attribute fortigate::system_sdwan::duplication_max_num? duplication_max_num=null¶: Maximum number of interface members a packet is duplicated in the SD-WAN zone (2 - 4, default = 2; if set to 3, the original packet plus 2 more copies are created).

attribute fortigate::common::enable_disable_t? fail_detect=null¶: Enable/disable SD-WAN Internet connection status checking (failure detection). enable:Enable status checking. disable:Disable status checking.

attribute fortigate::system_sdwan::load_balance_mode? load_balance_mode=null¶: Algorithm or mode to use for load balancing Internet traffic to SD-WAN members. source-ip-based:Source IP load balancing. All traffic from a source IP is sent to the same interface. weight-based:Weight-based load balancing. Interfaces with higher weights have higher priority and get more traffic. usage-based:Usage-based load balancing. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spill-over limit new traffic is sent to the next interface. source-dest-ip-based:Source and destination IP load balancing. All traffic from a source IP to a destination IP is sent to the same interface. measured-volume-based:Volume-based load balancing. Traffic is load balanced based on traffic volume (in bytes). More traffic is sent to interfaces with higher volume ratios.

attribute fortigate::system_sdwan::neighbor_hold_boot_time? neighbor_hold_boot_time=null¶: Waiting period in seconds when switching from the primary neighbor to the secondary neighbor from the neighbor start. (0 - 10000000, default = 0).

attribute fortigate::common::enable_disable_t? neighbor_hold_down=null¶: Enable/disable hold switching from the secondary neighbor to the primary neighbor. enable:Enable hold switching from the secondary neighbor to the primary neighbor. disable:Disable hold switching from the secondary neighbor to the primary neighbor.

attribute fortigate::system_sdwan::neighbor_hold_down_time? neighbor_hold_down_time=null¶: Waiting period in seconds when switching from the secondary neighbor to the primary neighbor when hold-down is disabled. (0 - 10000000, default = 0).

attribute fortigate::common::enable_disable_t? speedtest_bypass_routing=null¶: Enable/disable bypass routing when speedtest on a SD-WAN member. disable:Disable SD-WAN. enable:Enable SD-WAN.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable SD-WAN. disable:Disable SD-WAN. enable:Enable SD-WAN. :rel duplication: :rel fail_alert_interfaces: :rel health_check: :rel members: :rel neighbor: :rel service: :rel zone:

relation fortigate::system_sdwan::Duplication duplication [0:*]¶: other end: fortigate::system_sdwan::Duplication._parent [1]

relation fortigate::system_sdwan::FailAlertInterfaces fail_alert_interfaces [0:*]¶: other end: fortigate::system_sdwan::FailAlertInterfaces._parent [1]

relation fortigate::system_sdwan::HealthCheck health_check [0:*]¶: other end: fortigate::system_sdwan::HealthCheck._parent [1]

relation fortigate::system_sdwan::Members members [0:*]¶: other end: fortigate::system_sdwan::Members._parent [1]

relation fortigate::system_sdwan::Neighbor neighbor [0:*]¶: other end: fortigate::system_sdwan::Neighbor._parent [1]

relation fortigate::system_sdwan::Service service [0:*]¶: other end: fortigate::system_sdwan::Service._parent [1]

relation fortigate::system_sdwan::Zone zone [0:*]¶: other end: fortigate::system_sdwan::Zone._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::Settings¶

attribute fortigate::common::enable_disable_t? allow_linkdown_path=null¶: Enable/disable link down path. enable:Allow link down path. disable:Do not allow link down path.

attribute fortigate::common::enable_disable_t? allow_subnet_overlap=null¶: Enable/disable allowing interface subnets to use overlapping IP addresses. enable:Enable overlapping subnets. disable:Disable overlapping subnets.

attribute fortigate::common::enable_disable_t? application_bandwidth_tracking=null¶: Enable/disable application bandwidth tracking. disable:Disable application bandwidth tracking. enable:Enable application bandwidth tracking.

attribute fortigate::common::enable_disable_t? asymroute=null¶: Enable/disable IPv4 asymmetric routing. enable:Enable IPv4 asymmetric routing. disable:Disable IPv4 asymmetric routing.

attribute fortigate::common::enable_disable_t? asymroute6=null¶: Enable/disable asymmetric IPv6 routing. enable:Enable asymmetric IPv6 routing. disable:Disable asymmetric IPv6 routing.

attribute fortigate::common::enable_disable_t? asymroute6_icmp=null¶: Enable/disable asymmetric ICMPv6 routing. enable:Enable asymmetric ICMPv6 routing. disable:Disable asymmetric ICMPv6 routing.

attribute fortigate::common::enable_disable_t? asymroute_icmp=null¶: Enable/disable ICMP asymmetric routing. enable:Enable ICMP asymmetric routing. disable:Disable ICMP asymmetric routing.

attribute fortigate::common::enable_disable_t? auxiliary_session=null¶: Enable/disable auxiliary session. enable:Enable auxiliary session for this VDOM. disable:Disable auxiliary session for this VDOM.

attribute fortigate::common::enable_disable_t? bfd=null¶: Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. enable:Enable Bi-directional Forwarding Detection (BFD) on all interfaces. disable:Disable Bi-directional Forwarding Detection (BFD) on all interfaces.

attribute fortigate::system_settings::bfd_desired_min_tx? bfd_desired_min_tx=null¶: BFD desired minimal transmit interval (1 - 100000 ms, default = 250).

attribute fortigate::system_settings::bfd_detect_mult? bfd_detect_mult=null¶: BFD detection multiplier (1 - 50, default = 3).

attribute fortigate::common::enable_disable_t? bfd_dont_enforce_src_port=null¶: Enable to not enforce verifying the source port of BFD Packets. enable:Enable verifying the source port of BFD Packets. disable:Disable verifying the source port of BFD Packets.

attribute fortigate::system_settings::bfd_required_min_rx? bfd_required_min_rx=null¶: BFD required minimal receive interval (1 - 100000 ms, default = 250).

attribute fortigate::common::enable_disable_t? block_land_attack=null¶: Enable/disable blocking of land attacks. disable:Do not block land attack. enable:Block land attack.

attribute fortigate::common::enable_disable_t? central_nat=null¶: Enable/disable central NAT. enable:Enable central NAT. disable:Disable central NAT.

attribute fortigate::system_settings::comments? comments=null¶: VDOM comments.

attribute fortigate::common::enable_disable_t? default_app_port_as_service=null¶: Enable/disable policy service enforcement based on application default ports. enable:Enable setting. disable:Disable setting.

attribute fortigate::system_settings::default_policy_expiry_days? default_policy_expiry_days=null¶: Default policy expiry in days (0 - 365 days, default = 30).

attribute fortigate::system_settings::default_voip_alg_mode? default_voip_alg_mode=null¶: Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn’t include a VoIP profile. proxy-based:Use a default proxy-based VoIP ALG. kernel-helper-based:Use the SIP session helper.

attribute fortigate::common::enable_disable_t? deny_tcp_with_icmp=null¶: Enable/disable denying TCP by sending an ICMP communication prohibited packet. enable:Deny TCP with ICMP. disable:Disable denying TCP with ICMP.

attribute fortigate::common::enable_disable_t? detect_unknown_esp=null¶: Enable/disable detection of unknown ESP packets (default = enable). enable:Enable detection of unknown ESP packets and drop the ESP packet if it’s unknown. disable:Disable detection of unknown ESP packets.

attribute fortigate::system_settings::device? device=null¶: Interface to use for management access for NAT mode.

attribute string? dhcp6_server_ip=null¶: DHCPv6 server IPv6 address.

attribute fortigate::common::enable_disable_t? dhcp_proxy=null¶: Enable/disable the DHCP Proxy. enable:Enable the DHCP proxy. disable:Disable the DHCP proxy.

attribute fortigate::system_settings::dhcp_proxy_interface? dhcp_proxy_interface=null¶: Specify outgoing interface to reach server.

attribute fortigate::system_settings::dhcp_proxy_interface_select_method? dhcp_proxy_interface_select_method=null¶: Specify how to select outgoing interface to reach server. auto:Set outgoing interface automatically. sdwan:Set outgoing interface by SD-WAN or policy routing rules. specify:Set outgoing interface manually.

attribute string? dhcp_server_ip=null¶: DHCP Server IPv4 address.

attribute fortigate::system_settings::discovered_device_timeout? discovered_device_timeout=null¶: Timeout for discovered devices (1 - 365 days, default = 28).

attribute fortigate::common::enable_disable_t? dyn_addr_session_check=null¶: Enable/disable dirty session check caused by dynamic address updates. enable:Enable dirty session check caused by dynamic address updates. disable:Disable dirty session check caused by dynamic address updates.

attribute fortigate::system_settings::ecmp_max_paths? ecmp_max_paths=null¶: Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255).

attribute fortigate::common::enable_disable_t? email_portal_check_dns=null¶: Enable/disable using DNS to validate email addresses collected by a captive portal. disable:Disable email address checking with DNS. enable:Enable email address checking with DNS.

attribute fortigate::common::enable_disable_t? ext_resource_session_check=null¶: Enable/disable dirty session check caused by external resource updates. enable:Enable dirty session check caused by external resource updates. disable:Disable dirty session check caused by external resource updates.

attribute fortigate::system_settings::firewall_session_dirty? firewall_session_dirty=null¶: Select how to manage sessions affected by firewall policy configuration changes. check-all:All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table. check-new:Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration. check-policy-option:Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.

attribute fortigate::common::enable_disable_t? fqdn_session_check=null¶: Enable/disable dirty session check caused by FQDN updates. enable:Enable dirty session check caused by FQDN updates. disable:Disable dirty session check caused by FQDN updates.

attribute fortigate::common::enable_disable_t? fw_session_hairpin=null¶: Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. enable:Perform a policy check every time. disable:Perform a policy check only the first time the session is received.

attribute string? gateway=null¶: Transparent mode IPv4 default gateway IP address.

attribute string? gateway6=null¶: Transparent mode IPv4 default gateway IP address.

attribute fortigate::common::enable_disable_t? gui_advanced_policy=null¶: Enable/disable advanced policy configuration on the GUI. enable:Enable advanced policy configuration on the GUI. disable:Disable advanced policy configuration on the GUI.

attribute fortigate::common::enable_disable_t? gui_advanced_wireless_features=null¶: Enable/disable advanced wireless features in GUI. enable:Enable advanced wireless features in GUI. disable:Disable advanced wireless features in GUI.

attribute fortigate::common::enable_disable_t? gui_allow_unnamed_policy=null¶: Enable/disable the requirement for policy naming on the GUI. enable:Enable the requirement for policy naming on the GUI. disable:Disable the requirement for policy naming on the GUI.

attribute fortigate::common::enable_disable_t? gui_antivirus=null¶: Enable/disable AntiVirus on the GUI. enable:Enable AntiVirus on the GUI. disable:Disable AntiVirus on the GUI.

attribute fortigate::common::enable_disable_t? gui_ap_profile=null¶: Enable/disable FortiAP profiles on the GUI. enable:Enable FortiAP profiles on the GUI. disable:Disable FortiAP profiles on the GUI.

attribute fortigate::common::enable_disable_t? gui_application_control=null¶: Enable/disable application control on the GUI. enable:Enable application control on the GUI. disable:Disable application control on the GUI.

attribute fortigate::common::enable_disable_t? gui_dhcp_advanced=null¶: Enable/disable advanced DHCP options on the GUI. enable:Enable advanced DHCP options on the GUI. disable:Disable advanced DHCP options on the GUI.

attribute fortigate::common::enable_disable_t? gui_dlp_profile=null¶: Enable/disable Data Leak Prevention on the GUI. enable:Enable Data Leak Prevention on the GUI. disable:Disable Data Leak Prevention on the GUI.

attribute fortigate::common::enable_disable_t? gui_dns_database=null¶: Enable/disable DNS database settings on the GUI. enable:Enable DNS database settings on the GUI. disable:Disable DNS database settings on the GUI.

attribute fortigate::common::enable_disable_t? gui_dnsfilter=null¶: Enable/disable DNS Filtering on the GUI. enable:Enable DNS Filtering on the GUI. disable:Disable DNS Filtering on the GUI.

attribute fortigate::common::enable_disable_t? gui_dos_policy=null¶: Enable/disable DoS policies on the GUI. enable:Enable DoS policies on the GUI. disable:Disable DoS policies on the GUI.

attribute fortigate::common::enable_disable_t? gui_dynamic_routing=null¶: Enable/disable dynamic routing on the GUI. enable:Enable dynamic routing on the GUI. disable:Disable dynamic routing on the GUI.

attribute fortigate::common::enable_disable_t? gui_email_collection=null¶: Enable/disable email collection on the GUI. enable:Enable email collection on the GUI. disable:Disable email collection on the GUI.

attribute fortigate::common::enable_disable_t? gui_endpoint_control=null¶: Enable/disable endpoint control on the GUI. enable:Enable endpoint control on the GUI. disable:Disable endpoint control on the GUI.

attribute fortigate::common::enable_disable_t? gui_endpoint_control_advanced=null¶: Enable/disable advanced endpoint control options on the GUI. enable:Enable advanced endpoint control options on the GUI. disable:Disable advanced endpoint control options on the GUI.

attribute fortigate::system_settings::gui_enforce_change_summary? gui_enforce_change_summary=null¶: Enforce change summaries for select tables in the GUI. disable:No change summary requirement. require:Change summary required. optional:Change summary optional.

attribute fortigate::common::enable_disable_t? gui_explicit_proxy=null¶: Enable/disable the explicit proxy on the GUI. enable:Enable the explicit proxy on the GUI. disable:Disable the explicit proxy on the GUI.

attribute fortigate::common::enable_disable_t? gui_file_filter=null¶: Enable/disable File-filter on the GUI. enable:Enable File-filter on the GUI. disable:Disable File-filter on the GUI.

attribute fortigate::common::enable_disable_t? gui_fortiap_split_tunneling=null¶: Enable/disable FortiAP split tunneling on the GUI. enable:Enable FortiAP split tunneling on the GUI. disable:Disable FortiAP split tunneling on the GUI.

attribute fortigate::common::enable_disable_t? gui_fortiextender_controller=null¶: Enable/disable FortiExtender on the GUI. enable:Enable FortiExtender on the GUI. disable:Disable FortiExtender on the GUI.

attribute fortigate::common::enable_disable_t? gui_icap=null¶: Enable/disable ICAP on the GUI. enable:Enable ICAP on the GUI. disable:Disable ICAP on the GUI.

attribute fortigate::common::enable_disable_t? gui_implicit_policy=null¶: Enable/disable implicit firewall policies on the GUI. enable:Enable implicit firewall policies on the GUI. disable:Disable implicit firewall policies on the GUI.

attribute fortigate::common::enable_disable_t? gui_ips=null¶: Enable/disable IPS on the GUI. enable:Enable IPS on the GUI. disable:Disable IPS on the GUI.

attribute fortigate::common::enable_disable_t? gui_load_balance=null¶: Enable/disable server load balancing on the GUI. enable:Enable server load balancing on the GUI. disable:Disable server load balancing on the GUI.

attribute fortigate::common::enable_disable_t? gui_local_in_policy=null¶: Enable/disable Local-In policies on the GUI. enable:Enable Local-In policies on the GUI. disable:Disable Local-In policies on the GUI.

attribute fortigate::common::enable_disable_t? gui_multicast_policy=null¶: Enable/disable multicast firewall policies on the GUI. enable:Enable multicast firewall policies on the GUI. disable:Disable multicast firewall policies on the GUI.

attribute fortigate::common::enable_disable_t? gui_multiple_interface_policy=null¶: Enable/disable adding multiple interfaces to a policy on the GUI. enable:Enable adding multiple interfaces to a policy on the GUI. disable:Disable adding multiple interfaces to a policy on the GUI.

attribute fortigate::common::enable_disable_t? gui_object_colors=null¶: Enable/disable object colors on the GUI. enable:Enable object colors on the GUI. disable:Disable object colors on the GUI.

attribute fortigate::common::enable_disable_t? gui_ot=null¶: Enable/disable Operational technology features on the GUI. enable:Enable Operational technology features on the GUI. disable:Disable Operational technology features on the GUI.

attribute fortigate::common::enable_disable_t? gui_policy_based_ipsec=null¶: Enable/disable policy-based IPsec VPN on the GUI. enable:Enable policy-based IPsec VPN on the GUI. disable:Disable policy-based IPsec VPN on the GUI.

attribute fortigate::common::enable_disable_t? gui_policy_disclaimer=null¶: Enable/disable policy disclaimer on the GUI. enable:Enable policy disclaimer on the GUI. disable:Disable policy disclaimer on the GUI.

attribute fortigate::common::enable_disable_t? gui_proxy_inspection=null¶: Enable/disable the proxy features on the GUI. enable:Enable the proxy features on the GUI. disable:Disable the proxy features on the GUI.

attribute fortigate::common::enable_disable_t? gui_security_profile_group=null¶: Enable/disable Security Profile Groups on the GUI. enable:Enable Security Profile Groups on the GUI. disable:Disable Security Profile Groups on the GUI.

attribute fortigate::common::enable_disable_t? gui_spamfilter=null¶: Enable/disable Antispam on the GUI. enable:Enable Antispam on the GUI. disable:Disable Antispam on the GUI.

attribute fortigate::common::enable_disable_t? gui_sslvpn_personal_bookmarks=null¶: Enable/disable SSL-VPN personal bookmark management on the GUI. enable:Enable SSL-VPN personal bookmark management on the GUI. disable:Disable SSL-VPN personal bookmark management on the GUI.

attribute fortigate::common::enable_disable_t? gui_sslvpn_realms=null¶: Enable/disable SSL-VPN realms on the GUI. enable:Enable SSL-VPN realms on the GUI. disable:Disable SSL-VPN realms on the GUI.

attribute fortigate::common::enable_disable_t? gui_switch_controller=null¶: Enable/disable the switch controller on the GUI. enable:Enable the switch controller on the GUI. disable:Disable the switch controller on the GUI.

attribute fortigate::common::enable_disable_t? gui_threat_weight=null¶: Enable/disable threat weight on the GUI. enable:Enable threat weight on the GUI. disable:Disable threat weight on the GUI.

attribute fortigate::common::enable_disable_t? gui_traffic_shaping=null¶: Enable/disable traffic shaping on the GUI. enable:Enable traffic shaping on the GUI. disable:Disable traffic shaping on the GUI.

attribute fortigate::common::enable_disable_t? gui_videofilter=null¶: Enable/disable Video filtering on the GUI. enable:Enable Video filtering on the GUI. disable:Disable Video filtering on the GUI.

attribute fortigate::common::enable_disable_t? gui_voip_profile=null¶: Enable/disable VoIP profiles on the GUI. enable:Enable VoIP profiles on the GUI. disable:Disable VoIP profiles on the GUI.

attribute fortigate::common::enable_disable_t? gui_vpn=null¶: Enable/disable VPN tunnels on the GUI. enable:Enable VPN tunnels on the GUI. disable:Disable VPN tunnels on the GUI.

attribute fortigate::common::enable_disable_t? gui_waf_profile=null¶: Enable/disable Web Application Firewall on the GUI. enable:Enable Web Application Firewall on the GUI. disable:Disable Web Application Firewall on the GUI.

attribute fortigate::common::enable_disable_t? gui_wan_load_balancing=null¶: Enable/disable SD-WAN on the GUI. enable:Enable SD-WAN on the GUI. disable:Disable SD-WAN on the GUI.

attribute fortigate::common::enable_disable_t? gui_wanopt_cache=null¶: Enable/disable WAN Optimization and Web Caching on the GUI. enable:Enable WAN Optimization and Web Caching on the GUI. disable:Disable WAN Optimization and Web Caching on the GUI.

attribute fortigate::common::enable_disable_t? gui_webfilter=null¶: Enable/disable Web filtering on the GUI. enable:Enable Web filtering on the GUI. disable:Disable Web filtering on the GUI.

attribute fortigate::common::enable_disable_t? gui_webfilter_advanced=null¶: Enable/disable advanced web filtering on the GUI. enable:Enable advanced web filtering on the GUI. disable:Disable advanced web filtering on the GUI.

attribute fortigate::common::enable_disable_t? gui_wireless_controller=null¶: Enable/disable the wireless controller on the GUI. enable:Enable the wireless controller on the GUI. disable:Disable the wireless controller on the GUI.

attribute fortigate::common::enable_disable_t? gui_ztna=null¶: Enable/disable Zero Trust Network Access features on the GUI. enable:Enable Zero Trust Network Access features on the GUI. disable:Disable Zero Trust Network Access features on the GUI.

attribute fortigate::common::enable_disable_t? h323_direct_model=null¶: Enable/disable H323 direct model. disable:Disable H323 direct model. enable:Enable H323 direct model.

attribute fortigate::system_settings::http_external_dest? http_external_dest=null¶: Offload HTTP traffic to FortiWeb or FortiCache. fortiweb:Offload HTTP traffic to FortiWeb for Web Application Firewall inspection. forticache:Offload HTTP traffic to FortiCache for external web caching and WAN optimization.

attribute fortigate::system_settings::ike_dn_format? ike_dn_format=null¶: Configure IKE ASN.1 Distinguished Name format conventions. with-space:Format IKE ASN.1 Distinguished Names with spaces between attribute names and values. no-space:Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.

attribute fortigate::common::enable_disable_t? ike_policy_route=null¶: Enable/disable IKE Policy Based Routing (PBR). enable:Enable IKE Policy Based Routing (PBR). disable:Disable IKE Policy Based Routing (PBR).

attribute fortigate::system_settings::ike_port? ike_port=null¶: UDP port for IKE/IPsec traffic (default 500).

attribute fortigate::common::enable_disable_t? ike_quick_crash_detect=null¶: Enable/disable IKE quick crash detection (RFC 6290). enable:Enable IKE quick crash detection (RFC 6290). disable:Disable IKE quick crash detection (RFC 6290).

attribute fortigate::common::enable_disable_t? ike_session_resume=null¶: Enable/disable IKEv2 session resumption (RFC 5723). enable:Enable IKEv2 session resumption (RFC 5723). disable:Disable IKEv2 session resumption (RFC 5723).

attribute fortigate::common::enable_disable_t? internet_service_database_cache=null¶: Enable/disable Internet Service database caching. disable:Disable Internet Service database caching. enable:Enable Internet Service database caching.

attribute string? ip=null¶: IP address and netmask.

attribute string? ip6=null¶: IPv6 address prefix for NAT mode.

attribute fortigate::system_settings::lan_extension_controller_addr? lan_extension_controller_addr=null¶: Controller IP address or FQDN to connect.

attribute fortigate::common::enable_disable_t? link_down_access=null¶: Enable/disable link down access traffic. enable:Allow link down access traffic. disable:Block link down access traffic.

attribute fortigate::system_settings::lldp_reception? lldp_reception=null¶: Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM. enable:Enable LLDP reception for this VDOM. disable:Disable LLDP reception for this VDOM. global:Use the global LLDP reception configuration for this VDOM.

attribute fortigate::system_settings::lldp_transmission? lldp_transmission=null¶: Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM. enable:Enable LLDP transmission for this VDOM. disable:Disable LLDP transmission for this VDOM. global:Use the global LLDP transmission configuration for this VDOM.

attribute string? location_id=null¶: Local location ID in the form of an IPv4 address.

attribute fortigate::system_settings::mac_ttl? mac_ttl=null¶: Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300).

attribute string? manageip=null¶: Transparent mode IPv4 management IP address and netmask.

attribute string? manageip6=null¶: Transparent mode IPv6 management IP address and netmask.

attribute fortigate::common::enable_disable_t? multicast_forward=null¶: Enable/disable multicast forwarding. enable:Enable multicast forwarding. disable:Disable multicast forwarding.

attribute fortigate::common::enable_disable_t? multicast_skip_policy=null¶: Enable/disable allowing multicast traffic through the FortiGate without a policy check. enable:Allowing multicast traffic through the FortiGate without creating a multicast firewall policy. disable:Require a multicast policy to allow multicast traffic to pass through the FortiGate.

attribute fortigate::common::enable_disable_t? multicast_ttl_notchange=null¶: Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. enable:The multicast TTL is not changed. disable:The multicast TTL may be changed.

attribute fortigate::common::enable_disable_t? nat46_force_ipv4_packet_forwarding=null¶: Enable/disable mandatory IPv4 packet forwarding in NAT46. enable:Enable mandatory IPv4 packet forwarding when IPv4 DF is set to 1. disable:Disable mandatory IPv4 packet forwarding when IPv4 DF is set to 1.

attribute fortigate::common::enable_disable_t? nat46_generate_ipv6_fragment_header=null¶: Enable/disable NAT46 IPv6 fragment header generation. enable:Enable NAT46 IPv6 fragment header generation. disable:Disable NAT46 IPv6 fragment header generation.

attribute fortigate::common::enable_disable_t? nat64_force_ipv6_packet_forwarding=null¶: Enable/disable mandatory IPv6 packet forwarding in NAT64. enable:Enable mandatory IPv6 packet forwarding disable:Disable mandatory IPv6 packet forwarding

attribute fortigate::system_settings::ngfw_mode? ngfw_mode=null¶: Next Generation Firewall (NGFW) mode. profile-based:Application and web-filtering are configured using profiles applied to policy entries. policy-based:Application and web-filtering are configured as policy match conditions.

attribute fortigate::system_settings::opmode? opmode=null¶: Firewall operation mode (NAT or Transparent). nat:Change to NAT mode. transparent:Change to transparent mode.

attribute fortigate::common::enable_disable_t? prp_trailer_action=null¶: Enable/disable action to take on PRP trailer. enable:Try to keep PRP trailer. disable:Trim PRP trailer.

attribute fortigate::system_settings::sccp_port? sccp_port=null¶: TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000).

attribute fortigate::common::enable_disable_t? sctp_session_without_init=null¶: Enable/disable SCTP session creation without SCTP INIT. enable:Enable SCTP session creation without SCTP INIT. disable:Disable SCTP session creation without SCTP INIT.

attribute fortigate::common::enable_disable_t? ses_denied_traffic=null¶: Enable/disable including denied session in the session table. enable:Include denied sessions in the session table. disable:Do not add denied sessions to the session table.

attribute fortigate::common::enable_disable_t? sip_expectation=null¶: Enable/disable the SIP kernel session helper to create an expectation for port 5060. enable:Allow SIP session helper to create an expectation for port 5060. disable:Prevent SIP session helper from creating an expectation for port 5060.

attribute fortigate::common::enable_disable_t? sip_nat_trace=null¶: Enable/disable recording the original SIP source IP address when NAT is used. enable:Record the original SIP source IP address when NAT is used. disable:Do not record the original SIP source IP address when NAT is used.

attribute fortigate::system_settings::sip_ssl_port? sip_ssl_port=null¶: TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061).

attribute fortigate::system_settings::sip_tcp_port? sip_tcp_port=null¶: TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).

attribute fortigate::system_settings::sip_udp_port? sip_udp_port=null¶: UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).

attribute fortigate::common::enable_disable_t? snat_hairpin_traffic=null¶: Enable/disable source NAT (SNAT) for hairpin traffic. enable:Enable SNAT for hairpin traffic. disable:Disable SNAT for hairpin traffic.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this VDOM. enable:Enable this VDOM. disable:Disable this VDOM.

attribute fortigate::common::enable_disable_t? strict_src_check=null¶: Enable/disable strict source verification. enable:Enable strict source verification. disable:Disable strict source verification.

attribute fortigate::common::enable_disable_t? tcp_session_without_syn=null¶: Enable/disable allowing TCP session without SYN flags. enable:Allow TCP session without SYN flags. disable:Do not allow TCP session without SYN flags.

attribute fortigate::common::enable_disable_t? utf8_spam_tagging=null¶: Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. enable:Convert antispam tags to UTF-8. disable:Do not convert antispam tags.

attribute fortigate::system_settings::v4_ecmp_mode? v4_ecmp_mode=null¶: IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. source-ip-based:Select next hop based on source IP. weight-based:Select next hop based on weight. usage-based:Select next hop based on usage. source-dest-ip-based:Select next hop based on both source and destination IPs.

attribute fortigate::system_settings::vdom_type? vdom_type=null¶: Vdom type (traffic, lan-extension or admin). traffic:Change to traffic VDOM lan-extension:Change to lan-extension VDOM admin:Change to admin VDOM

attribute fortigate::system_settings::vpn_stats_log? vpn_stats_log=null¶: Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. ipsec:IPsec. pptp:PPTP. l2tp:L2TP. ssl:SSL.

attribute fortigate::system_settings::vpn_stats_period? vpn_stats_period=null¶: Period to send VPN log statistics (0 or 60 - 86400 sec).

attribute fortigate::common::enable_disable_t? wccp_cache_engine=null¶: Enable/disable WCCP cache engine. enable:Enable WCCP cache engine. disable:Disable WCCP cache engine. :rel gui_default_policy_columns:

relation fortigate::system_settings::GuiDefaultPolicyColumns gui_default_policy_columns [0:*]¶: other end: fortigate::system_settings::GuiDefaultPolicyColumns._parent [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::ShapingPolicy¶

attribute fortigate::firewall_shaping_policy::class_id? class_id=null¶: Traffic class ID.

attribute fortigate::firewall_shaping_policy::comment? comment=null¶: Comments.

attribute fortigate::common::enable_disable_t? diffserv_forward=null¶: Enable to change packet’s DiffServ values to the specified diffservcode-forward value. enable:Enable setting forward (original) traffic DiffServ. disable:Disable setting forward (original) traffic DiffServ.

attribute fortigate::common::enable_disable_t? diffserv_reverse=null¶: Enable to change packet’s reverse (reply) DiffServ values to the specified diffservcode-rev value. enable:Enable setting reverse (reply) traffic DiffServ. disable:Disable setting reverse (reply) traffic DiffServ.

attribute string? diffservcode_forward=null¶: Change packet’s DiffServ to this value.

attribute string? diffservcode_rev=null¶: Change packet’s reverse (reply) DiffServ to this value.

attribute fortigate::firewall_shaping_policy::id id¶: Shaping policy ID (0 - 4294967295).

attribute fortigate::common::enable_disable_t? internet_service=null¶: Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. enable:Enable use of Internet Service in shaping-policy. disable:Disable use of Internet Service in shaping-policy.

attribute fortigate::common::enable_disable_t? internet_service_src=null¶: Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. enable:Enable use of Internet Service source in shaping-policy. disable:Disable use of Internet Service source in shaping-policy.

attribute fortigate::firewall_shaping_policy::ip_version? ip_version=null¶: Apply this traffic shaping policy to IPv4 or IPv6 traffic. 4:Use IPv4 addressing for Configuration Method. 6:Use IPv6 addressing for Configuration Method.

attribute fortigate::firewall_shaping_policy::name? name=null¶: Shaping policy name.

attribute fortigate::firewall_shaping_policy::per_ip_shaper? per_ip_shaper=null¶: Per-IP traffic shaper to apply with this policy.

attribute fortigate::firewall_shaping_policy::schedule? schedule=null¶: Schedule name.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this traffic shaping policy. enable:Enable traffic shaping policy. disable:Disable traffic shaping policy.

attribute string? tos=null¶: ToS (Type of Service) value used for comparison.

attribute string? tos_mask=null¶: Non-zero bit positions are used for comparison while zero bit positions are ignored.

attribute fortigate::common::enable_disable_t? tos_negate=null¶: Enable negated TOS match. enable:Enable TOS match negate. disable:Disable TOS match negate.

attribute fortigate::firewall_shaping_policy::traffic_shaper? traffic_shaper=null¶: Traffic shaper to apply to traffic forwarded by the firewall policy.

attribute fortigate::firewall_shaping_policy::traffic_shaper_reverse? traffic_shaper_reverse=null¶: Traffic shaper to apply to response traffic received by the firewall policy.

attribute string? uuid=null¶: Universally Unique Identifier (UUID; automatically assigned but can be manually reset). :rel app_category: :rel app_group: :rel application: :rel dstaddr: :rel dstaddr6: :rel dstintf: :rel groups: :rel internet_service_custom: :rel internet_service_custom_group: :rel internet_service_group: :rel internet_service_name: :rel internet_service_src_custom: :rel internet_service_src_custom_group: :rel internet_service_src_group: :rel internet_service_src_name: :rel service: :rel srcaddr: :rel srcaddr6: :rel srcintf: :rel url_category: :rel users:

relation fortigate::firewall_shaping_policy::AppCategory app_category [0:*]¶: other end: fortigate::firewall_shaping_policy::AppCategory._parent [1]

relation fortigate::firewall_shaping_policy::AppGroup app_group [0:*]¶: other end: fortigate::firewall_shaping_policy::AppGroup._parent [1]

relation fortigate::firewall_shaping_policy::Application application [0:*]¶: other end: fortigate::firewall_shaping_policy::Application._parent [1]

relation fortigate::firewall_shaping_policy::Dstaddr dstaddr [0:*]¶: other end: fortigate::firewall_shaping_policy::Dstaddr._parent [1]

relation fortigate::firewall_shaping_policy::Dstaddr6 dstaddr6 [0:*]¶: other end: fortigate::firewall_shaping_policy::Dstaddr6._parent [1]

relation fortigate::firewall_shaping_policy::Dstintf dstintf [0:*]¶: other end: fortigate::firewall_shaping_policy::Dstintf._parent [1]

relation fortigate::firewall_shaping_policy::Groups groups [0:*]¶: other end: fortigate::firewall_shaping_policy::Groups._parent [1]

relation fortigate::firewall_shaping_policy::InternetServiceCustom internet_service_custom [0:*]¶: other end: fortigate::firewall_shaping_policy::InternetServiceCustom._parent [1]

relation fortigate::firewall_shaping_policy::InternetServiceCustomGroup internet_service_custom_group [0:*]¶: other end: fortigate::firewall_shaping_policy::InternetServiceCustomGroup._parent [1]

relation fortigate::firewall_shaping_policy::InternetServiceGroup internet_service_group [0:*]¶: other end: fortigate::firewall_shaping_policy::InternetServiceGroup._parent [1]

relation fortigate::firewall_shaping_policy::InternetServiceName internet_service_name [0:*]¶: other end: fortigate::firewall_shaping_policy::InternetServiceName._parent [1]

relation fortigate::firewall_shaping_policy::InternetServiceSrcCustom internet_service_src_custom [0:*]¶: other end: fortigate::firewall_shaping_policy::InternetServiceSrcCustom._parent [1]

relation fortigate::firewall_shaping_policy::InternetServiceSrcCustomGroup internet_service_src_custom_group [0:*]¶: other end: fortigate::firewall_shaping_policy::InternetServiceSrcCustomGroup._parent [1]

relation fortigate::firewall_shaping_policy::InternetServiceSrcGroup internet_service_src_group [0:*]¶: other end: fortigate::firewall_shaping_policy::InternetServiceSrcGroup._parent [1]

relation fortigate::firewall_shaping_policy::InternetServiceSrcName internet_service_src_name [0:*]¶: other end: fortigate::firewall_shaping_policy::InternetServiceSrcName._parent [1]

relation fortigate::firewall_shaping_policy::Service service [0:*]¶: other end: fortigate::firewall_shaping_policy::Service._parent [1]

relation fortigate::firewall_shaping_policy::Srcaddr srcaddr [0:*]¶: other end: fortigate::firewall_shaping_policy::Srcaddr._parent [1]

relation fortigate::firewall_shaping_policy::Srcaddr6 srcaddr6 [0:*]¶: other end: fortigate::firewall_shaping_policy::Srcaddr6._parent [1]

relation fortigate::firewall_shaping_policy::Srcintf srcintf [0:*]¶: other end: fortigate::firewall_shaping_policy::Srcintf._parent [1]

relation fortigate::firewall_shaping_policy::UrlCategory url_category [0:*]¶: other end: fortigate::firewall_shaping_policy::UrlCategory._parent [1]

relation fortigate::firewall_shaping_policy::Users users [0:*]¶: other end: fortigate::firewall_shaping_policy::Users._parent [1]

relation fortigate::base::ShapingPolicyRange parent [0:1]¶: other end: fortigate::base::ShapingPolicyRange.policies [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_parent_id_consistency constraint true

entity fortigate::Static¶

Parents: fortigate::base::StaticResource

attribute fortigate::common::enable_disable_t? bfd=null¶: Enable/disable Bidirectional Forwarding Detection (BFD). enable:Enable Bidirectional Forwarding Detection (BFD). disable:Disable Bidirectional Forwarding Detection (BFD).

attribute fortigate::common::enable_disable_t? blackhole=null¶: Enable/disable black hole. enable:Enable black hole. disable:Disable black hole.

attribute fortigate::router_static::comment? comment=null¶: Optional comments.

attribute fortigate::router_static::device? device=null¶: Gateway out interface or tunnel.

attribute fortigate::router_static::distance? distance=null¶: Administrative distance (1 - 255).

attribute string? dst=null¶: Destination IP and mask for this route.

attribute fortigate::common::name_t? dstaddr=null¶: Name of firewall address or address group.

attribute fortigate::common::enable_disable_t? dynamic_gateway=null¶: Enable use of dynamic gateway retrieved from a DHCP or PPP server. enable:Enable dynamic gateway. disable:Disable dynamic gateway.

attribute string? gateway=null¶: Gateway IP for this route.

attribute fortigate::router_static::internet_service? internet_service=null¶: Application ID in the Internet service database.

attribute fortigate::router_static::internet_service_custom? internet_service_custom=null¶: Application name in the Internet service custom database.

attribute fortigate::common::enable_disable_t? link_monitor_exempt=null¶: Enable/disable withdrawal of this static route when link monitor or health check is down. enable:Keep this static route when link monitor or health check is down. disable:Withdraw this static route when link monitor or health check is down. (default)

attribute fortigate::router_static::priority? priority=null¶: Administrative priority (1 - 65535).

attribute fortigate::router_static::seq_num seq_num¶: Sequence number.

attribute string? src=null¶: Source prefix for this route.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this static route. enable:Enable static route. disable:Disable static route.

attribute fortigate::router_static::tag? tag=null¶: Route tag.

attribute fortigate::router_static::vrf? vrf=null¶: Virtual Routing Forwarding ID.

attribute fortigate::router_static::weight? weight=null¶: Administrative weight (0 - 255). :rel sdwan_zone:

relation fortigate::router_static::SdwanZone sdwan_zone [0:*]¶: other end: fortigate::router_static::SdwanZone._parent [1]

relation fortigate::base::StaticRange parent [0:1]¶: other end: fortigate::base::StaticRange.routes [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_seq_num_consistency constraint true

entity fortigate::Static6¶

Parents: fortigate::base::StaticResource

attribute fortigate::common::enable_disable_t? bfd=null¶: Enable/disable Bidirectional Forwarding Detection (BFD). enable:Enable Bidirectional Forwarding Detection (BFD). disable:Disable Bidirectional Forwarding Detection (BFD).

attribute fortigate::common::enable_disable_t? blackhole=null¶: Enable/disable black hole. enable:Enable black hole. disable:Disable black hole.

attribute fortigate::router_static6::comment? comment=null¶: Optional comments.

attribute fortigate::router_static6::device? device=null¶: Gateway out interface or tunnel.

attribute fortigate::router_static6::devindex? devindex=null¶: Device index (0 - 4294967295).

attribute fortigate::router_static6::distance? distance=null¶: Administrative distance (1 - 255).

attribute string? dst=null¶: Destination IPv6 prefix.

attribute fortigate::common::name_t? dstaddr=null¶: Name of firewall address or address group.

attribute fortigate::common::enable_disable_t? dynamic_gateway=null¶: Enable use of dynamic gateway retrieved from Router Advertisement (RA). enable:Enable dynamic gateway. disable:Disable dynamic gateway.

attribute string? gateway=null¶: IPv6 address of the gateway.

attribute fortigate::common::enable_disable_t? link_monitor_exempt=null¶: Enable/disable withdrawal of this static route when link monitor or health check is down. enable:Keep this static route when link monitor or health check is down. disable:Withdraw this static route when link monitor or health check is down. (default)

attribute fortigate::router_static6::priority? priority=null¶: Administrative priority (1 - 65535).

attribute fortigate::router_static6::seq_num seq_num¶: Sequence number.

attribute fortigate::common::enable_disable_t? status=null¶: Enable/disable this static route. enable:Enable static route. disable:Disable static route.

attribute fortigate::router_static6::vrf? vrf=null¶: Virtual Routing Forwarding ID.

attribute fortigate::router_static6::weight? weight=null¶: Administrative weight (0 - 255). :rel sdwan_zone:

relation fortigate::router_static6::SdwanZone sdwan_zone [0:*]¶: other end: fortigate::router_static6::SdwanZone._parent [1]

relation fortigate::base::Static6Range parent [0:1]¶: other end: fortigate::base::Static6Range.routes [0:*]

The following implements statements select implementations for this entity:

std::none constraint true

fortigate::base::ensure_seq_num_consistency constraint true

entity fortigate::SystemAdmin¶

Parents: fortigate::base::BaseResource

attribute fortigate::system_admin::accprofile? accprofile=null¶: Access profile for this administrator. Access profiles control administrator access to FortiGate features.

attribute fortigate::common::enable_disable_t? accprofile_override=null¶: Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access. enable:Enable access profile override. disable:Disable access profile override.

attribute fortigate::common::enable_disable_t? allow_remove_admin_session=null¶: Enable/disable allow admin session to be removed by privileged admin users. enable:Enable allow-remove option. disable:Disable allow-remove option.

attribute fortigate::system_admin::comments? comments=null¶: Comment.

attribute fortigate::system_admin::email_to? email_to=null¶: This administrator’s email address.

attribute fortigate::common::enable_disable_t? force_password_change=null¶: Enable/disable force password change on next login. enable:Enable force password change on next login. disable:Disable force password change on next login.

attribute fortigate::system_admin::fortitoken? fortitoken=null¶: This administrator’s FortiToken serial number.

attribute fortigate::common::enable_disable_t? guest_auth=null¶: Enable/disable guest authentication. disable:Disable guest authentication. enable:Enable guest authentication.

attribute fortigate::system_admin::guest_lang? guest_lang=null¶: Guest management portal language.

attribute string? ip6_trusthost1=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost10=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost2=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost3=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost4=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost5=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost6=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost7=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost8=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? ip6_trusthost9=null¶: Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

attribute string? list=null¶: print admin list information

attribute fortigate::system_admin::name name¶: User name.

attribute string? password=null¶: Admin user password.

attribute string? password_expire=null¶: Password expire time.

attribute fortigate::common::enable_disable_t? peer_auth=null¶: Set to enable peer certificate authentication (for HTTPS admin access). enable:Enable peer. disable:Disable peer.

attribute fortigate::system_admin::peer_group? peer_group=null¶: Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).

attribute fortigate::common::enable_disable_t? remote_auth=null¶: Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server. enable:Enable remote authentication. disable:Disable remote authentication.

attribute fortigate::system_admin::remote_group? remote_group=null¶: User group name used for remote auth.

attribute fortigate::system_admin::schedule? schedule=null¶: Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

attribute fortigate::system_admin::sms_custom_server? sms_custom_server=null¶: Custom SMS server to send SMS messages to.

attribute fortigate::system_admin::sms_phone? sms_phone=null¶: Phone number on which the administrator receives SMS messages.

attribute fortigate::system_admin::sms_server? sms_server=null¶: Send SMS messages using the FortiGuard SMS server or a custom server. fortiguard:Send SMS by FortiGuard. custom:Send SMS by custom server.

attribute fortigate::system_admin::ssh_certificate? ssh_certificate=null¶: Select the certificate to be used by the FortiGate for authentication with an SSH client.

attribute string? ssh_public_key1=null¶: Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

attribute string? ssh_public_key2=null¶: Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

attribute string? ssh_public_key3=null¶: Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

attribute string? status=null¶: print admin status information

attribute string? trusthost1=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost10=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost2=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost3=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost4=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost5=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost6=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost7=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost8=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute string? trusthost9=null¶: Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

attribute fortigate::system_admin::two_factor? two_factor=null¶: Enable/disable two-factor authentication. disable:Disable two-factor authentication. fortitoken:Use FortiToken or FortiToken mobile two-factor authentication. fortitoken-cloud:FortiToken Cloud Service. email:Send a two-factor authentication code to the configured email-to email address. sms:Send a two-factor authentication code to the configured sms-server and sms-phone.

attribute fortigate::system_admin::two_factor_authentication? two_factor_authentication=null¶: Authentication method by FortiToken Cloud. fortitoken:FortiToken authentication. email:Email one time password. sms:SMS one time password.

attribute fortigate::system_admin::two_factor_notification? two_factor_notification=null¶: Notification method for user activation by FortiToken Cloud. email:Email notification for activation code. sms:SMS notification for activation code.

attribute fortigate::common::enable_disable_t? vdom_override=null¶: Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access. enable:Enable VDOM override. disable:Disable VDOM override.

attribute fortigate::common::enable_disable_t? wildcard=null¶: Enable/disable wildcard RADIUS authentication. enable:Enable username wildcard. disable:Disable username wildcard. :rel guest_usergroups: :rel vdom:

relation fortigate::system_admin::GuestUsergroups guest_usergroups [0:*]¶: other end: fortigate::system_admin::GuestUsergroups._parent [1]

relation fortigate::system_admin::Vdom vdom [0:*]¶: other end: fortigate::system_admin::Vdom._parent [1]

relation fortigate::base::PasswordChange password_change [0:1]¶: other end: fortigate::base::PasswordChange.admin [1]

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::Vdom¶

attribute fortigate::system_vdom::flag? flag=null¶: Flag.

attribute fortigate::system_vdom::name name¶: VDOM name.

attribute fortigate::system_vdom::short_name? short_name=null¶: VDOM short name.

attribute fortigate::system_vdom::vcluster_id? vcluster_id=null¶: Virtual cluster ID (0 - 4294967295).

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::VdomLink¶

attribute fortigate::system_vdom_link::name name¶: VDOM link name (maximum = 11 characters).

attribute fortigate::system_vdom_link::type? type=null¶: VDOM link type: PPP or Ethernet. ppp:PPP VDOM link. ethernet:Ethernet VDOM link. npupair:NPU VDOM link.

attribute fortigate::system_vdom_link::vcluster? vcluster=null¶: Virtual cluster. vcluster1:Virtual cluster 1. vcluster2:Virtual cluster 2.

The following implements statements select implementations for this entity:

std::none constraint true

entity fortigate::base::Api¶

Parents: fortigate::base::SecretResource

Entity describing an instance of the fortigate api

attribute string? agent_name=null¶: An optional string to use as agent name for all api resources.

attribute string base_url¶: The base url to use to reach the api.

attribute string? token=null¶: The token to use to authenticate to the api.

attribute string? token_env_var=null¶: An environment variable containing the token to authenticate to the api.

attribute string? default_token_env_var=null¶: An environment variable containing the default token to authenticate to the api.

attribute std::positive_int timeout=10¶: The maximum duration a request can last before raising a timeout exception.

attribute string[] extra_urls=List()¶: Other URLs that can be used if the base one becomes unresponsive.

attribute bool auto_agent=true¶

relation std::AgentConfig agent_config [1]¶

relation fortigate::fortiflex::Entitlement entitlement [0:1]¶: other end: fortigate::fortiflex::Entitlement.fg_api [1]

The following implementations are defined for this entity:

fortigate::base::api_agent

The following implements statements select implementations for this entity:

fortigate::base::api_agent constraint true

entity fortigate::base::BasePolicyRange¶

Parents: fortigate::base::BaseRange

The following implementations are defined for this entity:

fortigate::base::ensure_policyid_policy_consistency

fortigate::base::ensure_id_policy_consistency

The following implements statements select implementations for this entity:

fortigate::base::ensure_policyid_policy_consistency constraint true

entity fortigate::base::BaseRange¶

Base entity managing a range of object instances of the fortigate api

attribute std::positive_int start_range¶: The start range where this entity should manage static route having a sequential number >= than this value (minimum = 1).

attribute std::positive_int end_range¶: The end range where this entity should manage static route having a sequential number <= than this value (maximum = 4294967295).

attribute bool co_managed=false¶: If it’s co-managed, this entity will not remove any resource that is not part of our desired state.

entity fortigate::base::BaseResource¶

Parents: std::PurgeableResource

Base entity for all resources. We also make sure that all resources in this module will have send_event=true by default to make them usable in an lsm service context.

attribute bool send_event=true¶

relation fortigate::base::Api api [1]¶

The following implementations are defined for this entity:

fortigate::fortiflex::wait_for_entitlement

The following implements statements select implementations for this entity:

constraint true

fortigate::fortiflex::wait_for_entitlement constraint true

entity fortigate::base::BaseStaticRange¶

Parents: fortigate::base::BaseRange

Base entity managing a range of Static instances of the fortigate api

The following implementations are defined for this entity:

fortigate::base::ensure_consistency

The following implements statements select implementations for this entity:

fortigate::base::ensure_consistency constraint true

entity fortigate::base::DosPolicy6Range¶

Entity managing a range of IPv6 DosPolicy instances of the fortigate api. All Dos policies should have their attribute ‘purged’ set to False. Only DosPolicy6Range is “allowed” to delete the managed policies once they do not longer appear in the ‘policies’ relation

relation fortigate::DosPolicy6 policies [0:*]¶: other end: fortigate::DosPolicy6.parent [0:1]

The following implements statements select implementations for this entity:

constraint true

entity fortigate::base::DosPolicyRange¶

Entity managing a range of IPv4 DosPolicy instances of the fortigate api. All Dos policies should have their attribute ‘purged’ set to False. Only DosPolicyRange is “allowed” to delete the managed policies once they do not longer appear in the ‘policies’ relation

relation fortigate::DosPolicy policies [0:*]¶: other end: fortigate::DosPolicy.parent [0:1]

The following implements statements select implementations for this entity:

constraint true

entity fortigate::base::LocalInPolicy6Range¶

Entity managing a range of IPv6 LocalInPolicy instances of the fortigate api. All LocalInPolic policies should have their attribute ‘purged’ set to False. Only LocalInPolicy6Range is “allowed” to delete the managed policies once they do not longer appear in the ‘policies’ relation

relation fortigate::LocalInPolicy6 policies [0:*]¶: other end: fortigate::LocalInPolicy6.parent [0:1]

The following implements statements select implementations for this entity:

constraint true

entity fortigate::base::LocalInPolicyRange¶

Entity managing a range of IPv4 LocalInPolicy instances of the fortigate api. All LocalInPolic policies should have their attribute ‘purged’ set to False. Only LocalInPolicyRange is “allowed” to delete the managed policies once they do not longer appear in the ‘policies’ relation

relation fortigate::LocalInPolicy policies [0:*]¶: other end: fortigate::LocalInPolicy.parent [0:1]

The following implements statements select implementations for this entity:

constraint true

entity fortigate::base::MulticastPolicy6Range¶

Entity managing a range of IPv6 MulticastPolicy instances of the fortigate api. All Multicast policies should have their attribute ‘purged’ set to False. Only MulticastPolicy6Range is “allowed” to delete the managed policies once they do not longer appear in the ‘policies’ relation

relation fortigate::MulticastPolicy6 policies [0:*]¶: other end: fortigate::MulticastPolicy6.parent [0:1]

The following implements statements select implementations for this entity:

fortigate::base::ensure_id_policy_consistency constraint true

entity fortigate::base::MulticastPolicyRange¶

Entity managing a range of IPv4 MulticastPolicy instances of the fortigate api. All Multicast policies should have their attribute ‘purged’ set to False. Only MulticastPolicyRange is “allowed” to delete the managed policies once they do not longer appear in the ‘policies’ relation

relation fortigate::MulticastPolicy policies [0:*]¶: other end: fortigate::MulticastPolicy.parent [0:1]

The following implements statements select implementations for this entity:

fortigate::base::ensure_id_policy_consistency constraint true

entity fortigate::base::PasswordChange¶

Parents: fortigate::base::SecretResource

The goal of this entity is to change the default credentials set in Fortigate for Admin / Admin guest accounts. The other administrators can rely on the password field in the fortigate::SystemAdmin entity.

attribute string old_password¶: The old password of Fortigate

attribute string? new_password=null¶: The new password in plaintext

attribute string? new_password_env_var=null¶: The new password through an environment variable

relation fortigate::SystemAdmin admin [1]¶: other end: fortigate::SystemAdmin.password_change [0:1]

The following implementations are defined for this entity:

fortigate::base::ensureNewPassword

The following implements statements select implementations for this entity:

fortigate::base::ensureNewPassword constraint true

entity fortigate::base::PolicyRange¶

Entity managing a range of IPv4/IPv6 Policy instances of the fortigate api. All policies should have their attribute ‘purged’ set to False. Only PolicyRange is “allowed” to delete the managed policies once they do not longer appear in the ‘policies’ relation

relation fortigate::Policy policies [0:*]¶: other end: fortigate::Policy.parent [0:1]

The following implements statements select implementations for this entity:

constraint true

entity fortigate::base::PolicyResource¶