
CLI Reference


config system global

Use this command to manage system settings.

Before you begin:

  • You must have read-write permission for system settings.

Syntax

config system global
  set admin-idle-timeout <integer>
  set config-sync {enable|disable}
  set default-certificate <certname>
  set hardware-ssl {enable|disable}
  set hostname <string>
  set language {english|chinese-simplified}
  set port-http <integer>
  set port-https <integer>
  set port-ssh <integer>
  set port-telnet <integer>
  set share-ip-address {enable|disable}
  set snat-match-local-traffics {enable|disable}
  set ipvs-fullnat-min-port <integer>
  set ipvs-fullnat-max-port <integer>
  set snat-min-port <integer>
  set snat-max-port <integer>
  set socket-min-port <integer>
  set socket-max-port <integer>
  set ssh-cbc-cipher {enable|disable}
  set ssh-hmac-md5 {enable|disable}
  set vdom-admin {enable|disable}
  set pre-login-banner {enable|disable}
  set sync-slb-statistics {enable|disable}
  set gslb-ca-verify {enable|disable}
  set shell-access {enable|disable}
  set shell-username <username>
  set shell-password <password>
  set shell-timeout <integer>
end

admin-idle-timeout

Idle time after which an administrator session is logged out. The default is 30 minutes.

config-sync

Enable/disable the configuration synchronization feature. This feature is related to the execute config-sync command, not HA synchronization. Disabled by default.

default-certificate

The default is Factory.

hardware-ssl

Enable/disable hardware SSL acceleration. The setting has no effect on FortiADC-VM.

hostname

You can configure a hostname to facilitate system management. If you use SNMP, for example, the SNMP system name is derived from the configured hostname.

The hostname can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces or special characters.

The System Information widget and the get system status CLI command display the full hostname. If the hostname is longer than 16 characters, the name is truncated and ends with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed.

language

English or Simplified Chinese.

port-http

Specify the port for the HTTP service. Usually, HTTP uses port 80.

port-https

Specify the port for the HTTPS service. Usually, HTTPS uses port 443.

port-ssh

Specify the port for the SSH service. Usually, SSH uses port 22.

port-telnet

Specify the port for the Telnet service. Usually, Telnet uses port 25.

share-ip-address

Enable this option to share NAT IP pools/addresses between L4, L7 virtual servers, and SNAT policy.

Once enabled, SNAT across the firewall, L4 VS and L7 VS can use the same IP address, but with different port ranges that can be customized.

snat-match-local-traffics

If share-ip-address is enabled, snat-match-local-traffics becomes configurable.

Enable/disable the SNAT rule to match with the local traffic.

ipvs-fullnat-min-port

If share-ip-address is enabled, ipvs-fullnat-min-port becomes configurable.

Specify the L4 VS FULLNAT port range minimum.

ipvs-fullnat-max-port

If share-ip-address is enabled, ipvs-fullnat-max-port becomes configurable.

Specify the L4 VS FULLNAT port range maximum.

snat-min-port

If share-ip-address is enabled, snat-min-port becomes configurable.

Specify the SNAT port range minimum.

snat-max-port

If share-ip-address is enabled, snat-max-port becomes configurable.

Specify the SNAT port range maximum.

socket-min-port

If share-ip-address is enabled, socket-min-port becomes configurable.

Specify the L7 VS port range minimum.

socket-max-port

If share-ip-address is enabled, socket-max-port becomes configurable.

Specify the L7 VS port range maximum.

ssh-cbc-cipher

Disabled by default. Enable if you want to use this cipher.

ssh-hmac-md5

Disabled by default. Enable if you want to use this cipher.

vdom-admin

Enables the virtual domain feature.

pre-login-banner

Enables the pre-login banner feature.

sync-slb-statistics

Enable/disable synchronization of statistics data between the SLB and GLB.

gslb-ca-verify

Enable/disable root CA verification between the LICD and GICD.

Once enabled, the root CA will be verified for both incoming server connections and outgoing servers.

Note: This is enabled by default for FortiADC 7.0.0.

shell-access

Enable/disable shell access. This is disabled by default.

shell-username

Specify the username used to log in to the shell.

shell-password

Specify the password to access the shell.

shell-timeout

The time, in minutes, after which shell access expires once it is enabled. Range: 1-1200 minutes.

Example

FortiADC-VM # get system global
    default-certificate           : Factory
    hostname                      : FortiADC-VM
    vdom-admin                    : disable
    admin-idle-timeout            : 480
    port-http                     : 80
    port-https                    : 443
    port-ssh                      : 22
    port-telnet                   : 23
    share-ip-address              : enable
    snat-match-local-traffics     : enable
    ipvs-fullnat-min-port         : 5000
    ipvs-fullnat-max-port         : 21846
    snat-min-port                 : 21847
    snat-max-port                 : 43690
    socket-min-port               : 43691
    socket-max-port               : 65535
    language                      : english
    hardware-ssl                  : enable
    gui-system                    : enable
    gui-router                    : enable
    gui-log                       : enable
    ssh-cbc-cipher                : disable
    ssh-hmac-md5                  : disable
    config-sync-enable            : disable
    pre-login-banner              : enable
    sync-slb-statistics           : enable
    gslb-ca-verify                : enable
    shell-access                  : enable
    shell-username                : user
    shell-password                : 123456
    shell-expire-time             : 10
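
The following is an added example, not Fortinet code: a small audit that parses `get system global` output, reports settings that differ from the defaults documented above, and checks the three shared-IP port ranges. It assumes "different port ranges" means the ranges must not overlap; `parse_global` and `audit` are hypothetical names, and the sample is a subset of the output shown above.

```python
import re
from itertools import combinations

# Defaults as stated in the option descriptions on this page.
DOCUMENTED_DEFAULTS = {"admin-idle-timeout": "30", "ssh-cbc-cipher": "disable",
                       "ssh-hmac-md5": "disable", "shell-access": "disable"}
# The three port ranges that share one NAT IP when share-ip-address is enabled.
PORT_RANGES = [("L4 VS FULLNAT", "ipvs-fullnat-min-port", "ipvs-fullnat-max-port"),
               ("SNAT", "snat-min-port", "snat-max-port"),
               ("L7 VS", "socket-min-port", "socket-max-port")]

# Subset of the Example output on this page.
SAMPLE = """FortiADC-VM # get system global
    admin-idle-timeout            : 480
    share-ip-address              : enable
    ipvs-fullnat-min-port         : 5000
    ipvs-fullnat-max-port         : 21846
    snat-min-port                 : 21847
    snat-max-port                 : 43690
    socket-min-port               : 43691
    socket-max-port               : 65535
    ssh-cbc-cipher                : disable
    ssh-hmac-md5                  : disable
    shell-access                  : enable
"""

def parse_global(text):
    """Parse 'key : value' lines into a dict; the prompt line has no colon and is skipped."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[\w-]+", key.strip()):
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Report drift from documented defaults and invalid or overlapping port ranges."""
    findings = [f"{k} = {cfg[k]} (documented default: {d})"
                for k, d in DOCUMENTED_DEFAULTS.items() if k in cfg and cfg[k] != d]
    if cfg.get("share-ip-address") == "enable":
        spans = [(label, int(cfg[lo]), int(cfg[hi])) for label, lo, hi in PORT_RANGES]
        for label, lo, hi in spans:
            if not 1 <= lo <= hi <= 65535:
                findings.append(f"{label} port range {lo}-{hi} is invalid")
        for (a, lo_a, hi_a), (b, lo_b, hi_b) in combinations(spans, 2):
            if lo_a <= hi_b and lo_b <= hi_a:  # assumption: ranges must be disjoint
                findings.append(f"{a} and {b} port ranges overlap")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_global(SAMPLE))))
```
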
