Fortinet white logo
Fortinet white logo

CLI Reference

global

global

Use this command to configure global settings that affect miscellaneous FortiAnalyzer features.

Syntax

config system global

set admin-lockout-duration <integer>

set admin-lockout-threshold <integer>

set adom-mode {advanced | normal}

set adom-select {enable | disable}

set adom-status {enable | disable}

set backup-compression {high | low | none | normal}

set backup-to-subfolders {enable | disable}

set clone-name-option {default | keep}

set clt-cert-req {enable | disable}

set console-output {more | standard}

set contentpack-fgt-install {enable | disable}

set country-flag {enable | disable}

set create-revision {enable | disable}

set daylightsavetime {enable | disable}

set default-logview-auto-completion {enable | disable}

set default-search-mode {advanced | filter-based}

set detect-unregistered-log-device {enable | disable}

set device-view-mode {regular | tree}

set disable-module {fortiview-noc |siem | soc}

set enc-algorithm {custom | high | medium | low}

set fgfm-ca-cert <certificate>

set fgfm-local-cert <certificate>

set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}

set fmg-status {enable | disable}

set fortirecorder-disk-quota <integer>

set gui-curl-timeout <integer>

set gui-polling-interval <integer>

set ha-member-auto-grouping {enable | disable}

set hostname <string>

set language {english | japanese | simch | trach}

set latitude <string>

set ldap-cache-timeout <integer>

set ldapconntimeout <integer>

set lock-preempt {enable | disable}

set log-checksum {md5 | md5-auth | none}

set log-forward-cache-size <integer>

set log-mode {analyzer | collector}

set longitude <string>

set max-aggregation-tasks <integer>

set max-log-forward <integer>

set max-running-reports <integer>

set multiple-steps-upgrade-in-autolink {enable | disable}

set no-copy-permission-check {enable | disable}

set normalized-intf-zone-only {enable | disable}

set object-revision-db-max <integer>

set object-revision-mandatory-note {enable | disable}

set object-revision-object-max <integer>

set object-revision-status {enable | disable}

set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}

set policy-object-icon {enable | disable}

set policy-object-in-dual-pane {enable | disable}

set pre-login-banner {enable | disable}

set pre-login-banner-message <string>

set private-data-encryption {enable | disable}

set remoteauthtimeout <integer>

set search-all-adoms {enable | disable}

set ssh-enc-algo {3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com arcfour arcfour128 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com rijndael-cbc@lysator.liu.se}

set ssh-hostkey-algo {ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ssh-ed25519 ssh-rsa}

set ssh-kex-algo {curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521}

set ssh-mac-algo {hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-ripemd160 hmac-ripemd160-etm@openssh.com hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-64@openssh.com}

set ssh-strong-crypto {enable | disable}

config ssl-cipher-suites

edit <priority>

set cipher <string>

set version {tls1.2-or-below | tls1.3}

end

set ssl-low-encryption {enable | disable}

set ssl-protocol {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3}

set ssl-static-key-ciphers {enable | disable}

set table-entry-blink {enable | disable}

set task-list-size <integer>

set tftp

set timezone <integer>

set tunnel-mtu <integer>

set usg {enable | disable}

set webservice-proto {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3 | sslv2}

set workflow-max-sessions <integer>

end

Variable

Description

admin-lockout-duration <integer>

Set the lockout duration for FortiAnalyzer administration, in seconds (default = 60).

admin-lockout-threshold <integer>

Set the lockout threshold for FortiAnalyzer administration (1 - 10, default = 3).

adom-mode {advanced | normal}

Set the ADOM mode (default = normal).

adom-select {enable | disable}

Enable/disable a pop-up window that allows administrators to select an ADOM after logging in (default = enable).

adom-status {enable | disable}

Enable/disable administrative domains (default = disable).

backup-compression {high | low | none | normal}

Set the backup compression level: high (slowest), low (fastest), none, or normal (default).

backup-to-subfolders {enable | disable}

Enable/disable the creation of subfolders on server for backup storage (default = disable).

clone-name-option {default | keep}

Set the cloned object name option:

  • default: Add a Clone of prefix to the name.
  • keep: Keep the original name for the user to edit.

clt-cert-req {enable | disable}

Enable/disable requiring a client certificate for GUI login (default = disable).

When both clt-cert-req and admin-https-pki-required are enabled, only PKI administrators can connect to the GUI.

console-output {more | standard}

Select how the output is displayed on the console (default = standard).

Select more to pause the output at each full screen until keypress. Select standard for continuous output without pauses.

contentpack-fgt-install {enable | disable}

Enable/disable auto outbreak auto install for FortiGate ADOMs (default = disable).

country-flag {enable | disable}

Enable/disable a country flag icon beside an IP address (default = enable).

create-revision {enable | disable}

Enable/disable create revision by default (default = disable).

daylightsavetime {enable | disable}

Enable/disable daylight saving time (default = enable).

If you enable daylight saving time, the FortiAnalyzer unit automatically adjusts the system time when daylight saving time begins or ends.

default-logview-auto-completion {enable | disable}

Enable/disable log view filter auto-completion (default = enable).

default-search-mode {advanced | filter-based}

Set the default search mode of log view (default = filter-based).

detect-unregistered-log-device {enable | disable}

Enable/disable unregistered log device detection (default = enable).

device-view-mode {regular | tree}

Set the devices/groups view mode (default = regular).

disable-module {fortiview-noc | siem | soc}

Disable module list (default = fortirecorder ai).

enc-algorithm {custom | high | medium | low}

Set SSL communication encryption algorithms:

  • custom: SSL communication using custom encryption algorithms.
  • high: SSL communication using high encryption algorithms (default).
  • medium: SSL communication using high and medium encryption algorithms.
  • low: SSL communication using all available encryption algorithms.

fgfm-ca-cert <certificate>

Set the extra FGFM CA certificates ("" = default certificate will be used).

fgfm-local-cert <certificate>

Set the FGFM local certificate ("" = default certificate will be used).

fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}

Set the lowest SSL protocols for fgfmsd (default = tlsv1.2).

fmg-status {enable | disable}

Disable FortiManager status.

If FortiManager features are enabled in FortiAnalyzer before upgrading to 6.2, it will continue to be available after upgrading, and can be disabled with this variable.

This variable is only available on some hardware-based FortiAnalyzer devices.

fortirecorder-disk-quota <integer>

Set the disk quota for FortiRecorder, in megabytes (maximum = 8011, default = 3072).

This option is only available on hardware devices that support FortiRecorder.

gui-curl-timeout <integer>

Set the GUI cURL timeout in seconds (5-300 default = 30).

gui-polling-interval <integer>

Set the GUI polling interval in seconds (1-288000, default = 5).

ha-member-auto-grouping {enable | disable}

Enable/disable automatically grouping HA members when the group name is unique in your network (default = enable).

hostname <string>

FortiAnalyzer host name.

language {english | japanese | simch | spanish | trach}

GUI language:

  • english: English (default)
  • japanese: Japanese
  • simch: Simplified Chinese
  • spanish: Spanish
  • trach: Traditional Chinese

latitude <string>

Set the FortiAnalyzer device's latitude.

ldap-cache-timeout <integer>

LDAP cache timeout, in seconds (default =86400).

ldapconntimeout <integer>

LDAP connection timeout, in milliseconds (default = 60000).

lock-preempt {enable | disable}

Enable/disable the ADOM lock override (default = disable).

log-checksum {md5 | md5-auth | none}

Record log file hash value, timestamp, and authentication code at transmission or rolling:

  • md5: Record log file’s MD5 hash value only.
  • md5-auth: Record log file’s MD5 hash value and authentication code.
  • none: Do not record the log file checksum (default).

log-forward-cache-size <integer>

Set the log forwarding disk cache size, in gigabytes (default = 30).

log-mode {analyzer | collector}

Set the log system operation mode (default = analyzer).

longitude <string>

Set the FortiAnalyzer device's longitude.

max-aggregation-tasks <integer>

Set the maximum number of concurrent tasks of a log aggregation session (1 - 10, default = 0).

max-log-forward <integer>

Set the maximum log forwarding and aggregation number (5 - 20).

max-running-reports <integer>

Maximum running reports number (1 - 10, default = 1).

multiple-steps-upgrade-in-autolink {enable | disable}

Enable/disable multiple steps upgrade in an autolink process (default = disable).

no-copy-permission-check {enable | disable}

Do not perform permission check to block object changes in different adom during copy and install (default = disable).

normalized-intf-zone-only {enable | disable}

Allow the normalized interface to be zone only (default = disable).

object-revision-db-max <integer>

Maximum revisions for a single database (10000 - 1000000, default = 100000).

object-revision-mandatory-note {enable | disable}

Enable/disable mandatory note when creating a revision (default = enable).

object-revision-object-max <integer>

Set the maximum revisions for a single object (10 - 1000, default = 100).

object-revision-status {enable | disable}

Enable/disable creating revisions when modifying objects (default = enable).

oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}

Set the lowest SSL protocols for oftpd (default = tlsv1.2).

policy-object-icon {enable | disable}

Enable/disable show icons of policy objects (default= disable).

policy-object-in-dual-pane {enable | disable}

Enable/disable show policies and objects in dual pane (default= disable).

pre-login-banner {enable | disable}

Enable/disable pre-login banner (default= disable).

pre-login-banner-message <string>

Set the pre-login banner message.

private-data-encryption {enable | disable}

Enable/disable private data encryption using an AES 128 bit key (default = disable).

remoteauthtimeout <integer>

Remote authentication (RADIUS/LDAP) timeout, in seconds (default = 10).

search-all-adoms {enable | disable}

Enable/disable search all ADOMs for where-used queries (default= disable).

set ssh-enc-algo {3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com arcfour arcfour128 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com rijndael-cbc@lysator.liu.se}

Select one or more SSH ciphers.

  • aes256-ctr

  • aes256-gcm@openssh.com

  • chacha20-poly1305@openssh.com

Note that the following are only available when ssh-strong-crypto is set to disable:

  • 3des-cbc

  • aes128-cbc

  • aes128-ctr

  • aes128-gcm@openssh.com

  • aes192-cbc

  • aes192-ctr

  • aes256-cbc

  • arcfour

  • arcfour128

  • arcfour256

  • blowfish-cbc

  • cast128-cbc

  • rijndael-cbc@lysator.liu.se

Default = chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com

set ssh-hostkey-algo {ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ssh-ed25519 ssh-rsa}

Select one or more SSH hostkey algorithms.

  • ecdsa-sha2-nistp521

  • rsa-sha2-256

  • rsa-sha2-512

  • ssh-ed25519

  • ssh-rsa (only available when ssh-strong-crypto is set to disable)

Default = ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ssh-ed25519

set ssh-kex-algo {curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521}

Select one or more SSH kex algorithms.

  • curve25519-sha256@libssh.org

  • diffie-hellman-group-exchange-sha1 (only available when ssh-strong-crypto is set to disable)

  • diffie-hellman-group-exchange-sha256

  • diffie-hellman-group14-sha1 (only available when ssh-strong-crypto is set to disable)

  • diffie-hellman-group14-sha256

  • diffie-hellman-group16-sha512

  • diffie-hellman-group18-sha512

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

Default = diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521

set ssh-mac-algo {hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-ripemd160 hmac-ripemd160-etm@openssh.com hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-64@openssh.com}

Select one or more SSH MAC algorithms.

  • hmac-sha2-256

  • hmac-sha2-256-etm@openssh.com

  • hmac-sha2-512

  • hmac-sha2-512-etm@openssh.com

Note that the following are only available when ssh-strong-crypto is set to disable:

  • hmac-md5

  • hmac-md5-96

  • hmac-md5-96-etm@openssh.com

  • hmac-md5-etm@openssh.com

  • hmac-ripemd160

  • hmac-ripemd160-etm@openssh.com

  • hmac-ripemd160@openssh.com

  • hmac-sha1

  • hmac-sha1-etm@openssh.com

  • umac-128-etm@openssh.com

  • umac-128@openssh.com

  • umac-64-etm@openssh.com

  • umac-64@openssh.com

Default = hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com

set ssh-strong-crypto {enable | disable}

Only allow strong ciphers for SSH when enabled (default = enable).

ssl-low-encryption {enable | disable}

Enable/disable SSL low-grade (40-bit) encryption (default= disable).

ssl-protocol {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3}

Set the SSL protocols (default = tlsv1.3 tlsv1.2).

ssl-static-key-ciphers {enable | disable}

Enable/disable SSL static key ciphers (default = enable).

table-entry-blink {enable | disable}

Enable/disable table entry blink in the GUI (default = enable).

task-list-size <integer>

Set the maximum number of completed tasks to keep (default = 2000).

tftp

timezone <integer>

The time zone for the FortiManager unit (default = Pacific Time). See Time zones.

tunnel-mtu <integer>

Set the maximum transportation unit (68 - 9000, default = 1500).

usg {enable | disable}

Enable/disable contacting only FortiGuard servers in the USA (default = enable).

webservice-proto {tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3 | sslv2}

Web Service connection (default = tlsv1.3 tlsv1.2).

workflow-max-sessions <integer>

This variable does not function on FortiAnalyzer.

ssl-cipher-suites

Configure the ssl-cipher-suites table to enforce the user specified preferred cipher order in the incoming SSL connections.

Note: This command is only available if enc-algorithm is set to custom.

Variables for config ssl-cipher-suites subcommad:

<priority>

Set the order of the ciphers in the ssl-cipher-suites table.

cipher <string>

Enter the SSL cipher name from the list.

version {tls1.2-or-below | tls1.3}

Set the SSL/TLS version the cipher suite can be used with (default = tls1.2-or-below).

Example

The following command turns on daylight saving time, sets the FortiAnalyzer unit name to FMG3k, and chooses the Eastern time zone for US & Canada.

config system global

set daylightsavetime enable

set hostname FMG3k

set timezone 12

end

Time zones

Integer

Time zone

Integer

Time zone

00

(GMT-12:00) Eniwetak, Kwajalein

40

(GMT+3:00) Nairobi

01

(GMT-11:00) Midway Island, Samoa

41

(GMT+3:30) Tehran

02

(GMT-10:00) Hawaii

42

(GMT+4:00) Abu Dhabi, Muscat

03

(GMT-9:00) Alaska

43

(GMT+4:00) Baku

04

(GMT-8:00) Pacific Time (US & Canada)

44

(GMT+4:30) Kabul

05

(GMT-7:00) Arizona

45

(GMT+5:00) Ekaterinburg

06

(GMT-7:00) Mountain Time (US & Canada)

46

(GMT+5:00) Islamabad, Karachi,Tashkent

07

(GMT-6:00) Central America

47

(GMT+5:30) Calcutta, Chennai, Mumbai, New Delhi

08

(GMT-6:00) Central Time (US & Canada)

48

(GMT+5:45) Kathmandu

09

(GMT-6:00) Mexico City

49

(GMT+6:00) Almaty, Novosibirsk

10

(GMT-6:00) Saskatchewan

50

(GMT+6:00) Astana, Dhaka

11

(GMT-5:00) Bogota, Lima, Quito

51

(GMT+6:00) Sri Jayawardenapura

12

(GMT-5:00) Eastern Time (US & Canada)

52

(GMT+6:30) Rangoon

13

(GMT-5:00) Indiana (East)

53

(GMT+7:00) Bangkok, Hanoi, Jakarta

14

(GMT-4:00) Atlantic Time (Canada)

54

(GMT+7:00) Krasnoyarsk

15

(GMT-4:00) La Paz

55

(GMT+8:00) Beijing,ChongQing, HongKong,Urumqi

16

(GMT-4:00) Santiago

56

(GMT+8:00) Irkutsk, Ulaanbaatar

17

(GMT-3:30) Newfoundland

57

(GMT+8:00) Kuala Lumpur, Singapore

18

(GMT-3:00) Brasilia

58

(GMT+8:00) Perth

19

(GMT-3:00) Buenos Aires, Georgetown

59

(GMT+8:00) Taipei

20

(GMT-3:00) Nuuk (Greenland)

60

(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul

21

(GMT-2:00) Mid-Atlantic

61

(GMT+9:00) Yakutsk

22

(GMT-1:00) Azores

62

(GMT+9:30) Adelaide

23

(GMT-1:00) Cape Verde Is

63

(GMT+9:30) Darwin

24

(GMT) Casablanca, Monrovia

64

(GMT+10:00) Brisbane

25

(GMT) Greenwich Mean Time:Dublin, Edinburgh, Lisbon, London

65

(GMT+10:00) Canberra, Melbourne, Sydney

26

(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

66

(GMT+10:00) Guam, Port Moresby

27

(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

67

(GMT+10:00) Hobart

28

(GMT+1:00) Brussels, Copenhagen, Madrid, Paris

68

(GMT+10:00) Vladivostok

29

(GMT+1:00) Sarajevo, Skopje, Sofija, Vilnius, Warsaw, Zagreb

69

(GMT+11:00) Magadan

30

(GMT+1:00) West Central Africa

70

(GMT+11:00) Solomon Is., New Caledonia

31

(GMT+2:00) Athens, Istanbul, Minsk

71

(GMT+12:00) Auckland, Wellington

32

(GMT+2:00) Bucharest

72

(GMT+12:00) Fiji, Kamchatka, Marshall Is

33

(GMT+2:00) Cairo

73

(GMT+13:00) Nuku'alofa

34

(GMT+2:00) Harare, Pretoria

74

(GMT-4:30) Caracas

35

(GMT+2:00) Helsinki, Riga,Tallinn

75

(GMT+1:00) Namibia

36

(GMT+2:00) Jerusalem

76

(GMT-5:00) Brazil-Acre)

37

(GMT+3:00) Baghdad

77

(GMT-4:00) Brazil-West

38

(GMT+3:00) Kuwait, Riyadh

78

(GMT-3:00) Brazil-East

39

(GMT+3:00) Moscow, St.Petersburg, Volgograd

79

(GMT-2:00) Brazil-DeNoronha

global

global

Use this command to configure global settings that affect miscellaneous FortiAnalyzer features.

Syntax

config system global

set admin-lockout-duration <integer>

set admin-lockout-threshold <integer>

set adom-mode {advanced | normal}

set adom-select {enable | disable}

set adom-status {enable | disable}

set backup-compression {high | low | none | normal}

set backup-to-subfolders {enable | disable}

set clone-name-option {default | keep}

set clt-cert-req {enable | disable}

set console-output {more | standard}

set contentpack-fgt-install {enable | disable}

set country-flag {enable | disable}

set create-revision {enable | disable}

set daylightsavetime {enable | disable}

set default-logview-auto-completion {enable | disable}

set default-search-mode {advanced | filter-based}

set detect-unregistered-log-device {enable | disable}

set device-view-mode {regular | tree}

set disable-module {fortiview-noc |siem | soc}

set enc-algorithm {custom | high | medium | low}

set fgfm-ca-cert <certificate>

set fgfm-local-cert <certificate>

set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}

set fmg-status {enable | disable}

set fortirecorder-disk-quota <integer>

set gui-curl-timeout <integer>

set gui-polling-interval <integer>

set ha-member-auto-grouping {enable | disable}

set hostname <string>

set language {english | japanese | simch | trach}

set latitude <string>

set ldap-cache-timeout <integer>

set ldapconntimeout <integer>

set lock-preempt {enable | disable}

set log-checksum {md5 | md5-auth | none}

set log-forward-cache-size <integer>

set log-mode {analyzer | collector}

set longitude <string>

set max-aggregation-tasks <integer>

set max-log-forward <integer>

set max-running-reports <integer>

set multiple-steps-upgrade-in-autolink {enable | disable}

set no-copy-permission-check {enable | disable}

set normalized-intf-zone-only {enable | disable}

set object-revision-db-max <integer>

set object-revision-mandatory-note {enable | disable}

set object-revision-object-max <integer>

set object-revision-status {enable | disable}

set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}

set policy-object-icon {enable | disable}

set policy-object-in-dual-pane {enable | disable}

set pre-login-banner {enable | disable}

set pre-login-banner-message <string>

set private-data-encryption {enable | disable}

set remoteauthtimeout <integer>

set search-all-adoms {enable | disable}

set ssh-enc-algo {3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com arcfour arcfour128 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com rijndael-cbc@lysator.liu.se}

set ssh-hostkey-algo {ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ssh-ed25519 ssh-rsa}

set ssh-kex-algo {curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521}

set ssh-mac-algo {hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-ripemd160 hmac-ripemd160-etm@openssh.com hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-64@openssh.com}

set ssh-strong-crypto {enable | disable}

config ssl-cipher-suites

edit <priority>

set cipher <string>

set version {tls1.2-or-below | tls1.3}

end

set ssl-low-encryption {enable | disable}

set ssl-protocol {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3}

set ssl-static-key-ciphers {enable | disable}

set table-entry-blink {enable | disable}

set task-list-size <integer>

set tftp

set timezone <integer>

set tunnel-mtu <integer>

set usg {enable | disable}

set webservice-proto {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3 | sslv2}

set workflow-max-sessions <integer>

end

Variable

Description

admin-lockout-duration <integer>

Set the lockout duration for FortiAnalyzer administration, in seconds (default = 60).

admin-lockout-threshold <integer>

Set the lockout threshold for FortiAnalyzer administration (1 - 10, default = 3).

adom-mode {advanced | normal}

Set the ADOM mode (default = normal).

adom-select {enable | disable}

Enable/disable a pop-up window that allows administrators to select an ADOM after logging in (default = enable).

adom-status {enable | disable}

Enable/disable administrative domains (default = disable).

backup-compression {high | low | none | normal}

Set the backup compression level: high (slowest), low (fastest), none, or normal (default).

backup-to-subfolders {enable | disable}

Enable/disable the creation of subfolders on server for backup storage (default = disable).

clone-name-option {default | keep}

Set the cloned object name option:

  • default: Add a Clone of prefix to the name.
  • keep: Keep the original name for the user to edit.

clt-cert-req {enable | disable}

Enable/disable requiring a client certificate for GUI login (default = disable).

When both clt-cert-req and admin-https-pki-required are enabled, only PKI administrators can connect to the GUI.

console-output {more | standard}

Select how the output is displayed on the console (default = standard).

Select more to pause the output at each full screen until keypress. Select standard for continuous output without pauses.

contentpack-fgt-install {enable | disable}

Enable/disable auto outbreak auto install for FortiGate ADOMs (default = disable).

country-flag {enable | disable}

Enable/disable a country flag icon beside an IP address (default = enable).

create-revision {enable | disable}

Enable/disable create revision by default (default = disable).

daylightsavetime {enable | disable}

Enable/disable daylight saving time (default = enable).

If you enable daylight saving time, the FortiAnalyzer unit automatically adjusts the system time when daylight saving time begins or ends.

default-logview-auto-completion {enable | disable}

Enable/disable log view filter auto-completion (default = enable).

default-search-mode {advanced | filter-based}

Set the default search mode of log view (default = filter-based).

detect-unregistered-log-device {enable | disable}

Enable/disable unregistered log device detection (default = enable).

device-view-mode {regular | tree}

Set the devices/groups view mode (default = regular).

disable-module {fortiview-noc | siem | soc}

Disable module list (default = fortirecorder ai).

enc-algorithm {custom | high | medium | low}

Set SSL communication encryption algorithms:

  • custom: SSL communication using custom encryption algorithms.
  • high: SSL communication using high encryption algorithms (default).
  • medium: SSL communication using high and medium encryption algorithms.
  • low: SSL communication using all available encryption algorithms.

fgfm-ca-cert <certificate>

Set the extra FGFM CA certificates ("" = default certificate will be used).

fgfm-local-cert <certificate>

Set the FGFM local certificate ("" = default certificate will be used).

fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}

Set the lowest SSL protocols for fgfmsd (default = tlsv1.2).

fmg-status {enable | disable}

Disable FortiManager status.

If FortiManager features are enabled in FortiAnalyzer before upgrading to 6.2, it will continue to be available after upgrading, and can be disabled with this variable.

This variable is only available on some hardware-based FortiAnalyzer devices.

fortirecorder-disk-quota <integer>

Set the disk quota for FortiRecorder, in megabytes (maximum = 8011, default = 3072).

This option is only available on hardware devices that support FortiRecorder.

gui-curl-timeout <integer>

Set the GUI cURL timeout in seconds (5-300 default = 30).

gui-polling-interval <integer>

Set the GUI polling interval in seconds (1-288000, default = 5).

ha-member-auto-grouping {enable | disable}

Enable/disable automatically grouping HA members when the group name is unique in your network (default = enable).

hostname <string>

FortiAnalyzer host name.

language {english | japanese | simch | spanish | trach}

GUI language:

  • english: English (default)
  • japanese: Japanese
  • simch: Simplified Chinese
  • spanish: Spanish
  • trach: Traditional Chinese

latitude <string>

Set the FortiAnalyzer device's latitude.

ldap-cache-timeout <integer>

LDAP cache timeout, in seconds (default =86400).

ldapconntimeout <integer>

LDAP connection timeout, in milliseconds (default = 60000).

lock-preempt {enable | disable}

Enable/disable the ADOM lock override (default = disable).

log-checksum {md5 | md5-auth | none}

Record log file hash value, timestamp, and authentication code at transmission or rolling:

  • md5: Record log file’s MD5 hash value only.
  • md5-auth: Record log file’s MD5 hash value and authentication code.
  • none: Do not record the log file checksum (default).

log-forward-cache-size <integer>

Set the log forwarding disk cache size, in gigabytes (default = 30).

log-mode {analyzer | collector}

Set the log system operation mode (default = analyzer).

longitude <string>

Set the FortiAnalyzer device's longitude.

max-aggregation-tasks <integer>

Set the maximum number of concurrent tasks of a log aggregation session (1 - 10, default = 0).

max-log-forward <integer>

Set the maximum log forwarding and aggregation number (5 - 20).

max-running-reports <integer>

Maximum running reports number (1 - 10, default = 1).

multiple-steps-upgrade-in-autolink {enable | disable}

Enable/disable multiple steps upgrade in an autolink process (default = disable).

no-copy-permission-check {enable | disable}

Do not perform permission check to block object changes in different adom during copy and install (default = disable).

normalized-intf-zone-only {enable | disable}

Allow the normalized interface to be zone only (default = disable).

object-revision-db-max <integer>

Maximum revisions for a single database (10000 - 1000000, default = 100000).

object-revision-mandatory-note {enable | disable}

Enable/disable mandatory note when creating a revision (default = enable).

object-revision-object-max <integer>

Set the maximum revisions for a single object (10 - 1000, default = 100).

object-revision-status {enable | disable}

Enable/disable creating revisions when modifying objects (default = enable).

oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}

Set the lowest SSL protocols for oftpd (default = tlsv1.2).

policy-object-icon {enable | disable}

Enable/disable show icons of policy objects (default= disable).

policy-object-in-dual-pane {enable | disable}

Enable/disable show policies and objects in dual pane (default= disable).

pre-login-banner {enable | disable}

Enable/disable pre-login banner (default= disable).

pre-login-banner-message <string>

Set the pre-login banner message.

private-data-encryption {enable | disable}

Enable/disable private data encryption using an AES 128 bit key (default = disable).

remoteauthtimeout <integer>

Remote authentication (RADIUS/LDAP) timeout, in seconds (default = 10).

search-all-adoms {enable | disable}

Enable/disable search all ADOMs for where-used queries (default= disable).

set ssh-enc-algo {3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com arcfour arcfour128 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com rijndael-cbc@lysator.liu.se}

Select one or more SSH ciphers.

  • aes256-ctr

  • aes256-gcm@openssh.com

  • chacha20-poly1305@openssh.com

Note that the following are only available when ssh-strong-crypto is set to disable:

  • 3des-cbc

  • aes128-cbc

  • aes128-ctr

  • aes128-gcm@openssh.com

  • aes192-cbc

  • aes192-ctr

  • aes256-cbc

  • arcfour

  • arcfour128

  • arcfour256

  • blowfish-cbc

  • cast128-cbc

  • rijndael-cbc@lysator.liu.se

Default = chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com

set ssh-hostkey-algo {ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ssh-ed25519 ssh-rsa}

Select one or more SSH hostkey algorithms.

  • ecdsa-sha2-nistp521

  • rsa-sha2-256

  • rsa-sha2-512

  • ssh-ed25519

  • ssh-rsa (only available when ssh-strong-crypto is set to disable)

Default = ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ssh-ed25519

set ssh-kex-algo {curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521}

Select one or more SSH kex algorithms.

  • curve25519-sha256@libssh.org

  • diffie-hellman-group-exchange-sha1 (only available when ssh-strong-crypto is set to disable)

  • diffie-hellman-group-exchange-sha256

  • diffie-hellman-group14-sha1 (only available when ssh-strong-crypto is set to disable)

  • diffie-hellman-group14-sha256

  • diffie-hellman-group16-sha512

  • diffie-hellman-group18-sha512

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

Default = diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521

set ssh-mac-algo {hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-ripemd160 hmac-ripemd160-etm@openssh.com hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-64@openssh.com}

Select one or more SSH MAC algorithms.

  • hmac-sha2-256

  • hmac-sha2-256-etm@openssh.com

  • hmac-sha2-512

  • hmac-sha2-512-etm@openssh.com

Note that the following are only available when ssh-strong-crypto is set to disable:

  • hmac-md5

  • hmac-md5-96

  • hmac-md5-96-etm@openssh.com

  • hmac-md5-etm@openssh.com

  • hmac-ripemd160

  • hmac-ripemd160-etm@openssh.com

  • hmac-ripemd160@openssh.com

  • hmac-sha1

  • hmac-sha1-etm@openssh.com

  • umac-128-etm@openssh.com

  • umac-128@openssh.com

  • umac-64-etm@openssh.com

  • umac-64@openssh.com

Default = hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com

set ssh-strong-crypto {enable | disable}

Only allow strong ciphers for SSH when enabled (default = enable).

ssl-low-encryption {enable | disable}

Enable/disable SSL low-grade (40-bit) encryption (default= disable).

ssl-protocol {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3}

Set the SSL protocols (default = tlsv1.3 tlsv1.2).

ssl-static-key-ciphers {enable | disable}

Enable/disable SSL static key ciphers (default = enable).

table-entry-blink {enable | disable}

Enable/disable table entry blink in the GUI (default = enable).

task-list-size <integer>

Set the maximum number of completed tasks to keep (default = 2000).

tftp

timezone <integer>

The time zone for the FortiManager unit (default = Pacific Time). See Time zones.

tunnel-mtu <integer>

Set the maximum transportation unit (68 - 9000, default = 1500).

usg {enable | disable}

Enable/disable contacting only FortiGuard servers in the USA (default = enable).

webservice-proto {tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3 | sslv2}

Web Service connection (default = tlsv1.3 tlsv1.2).

workflow-max-sessions <integer>

This variable does not function on FortiAnalyzer.

ssl-cipher-suites

Configure the ssl-cipher-suites table to enforce the user specified preferred cipher order in the incoming SSL connections.

Note: This command is only available if enc-algorithm is set to custom.

Variables for config ssl-cipher-suites subcommad:

<priority>

Set the order of the ciphers in the ssl-cipher-suites table.

cipher <string>

Enter the SSL cipher name from the list.

version {tls1.2-or-below | tls1.3}

Set the SSL/TLS version the cipher suite can be used with (default = tls1.2-or-below).

Example

The following command turns on daylight saving time, sets the FortiAnalyzer unit name to FMG3k, and chooses the Eastern time zone for US & Canada.

config system global

set daylightsavetime enable

set hostname FMG3k

set timezone 12

end

Time zones

Integer

Time zone

Integer

Time zone

00

(GMT-12:00) Eniwetak, Kwajalein

40

(GMT+3:00) Nairobi

01

(GMT-11:00) Midway Island, Samoa

41

(GMT+3:30) Tehran

02

(GMT-10:00) Hawaii

42

(GMT+4:00) Abu Dhabi, Muscat

03

(GMT-9:00) Alaska

43

(GMT+4:00) Baku

04

(GMT-8:00) Pacific Time (US & Canada)

44

(GMT+4:30) Kabul

05

(GMT-7:00) Arizona

45

(GMT+5:00) Ekaterinburg

06

(GMT-7:00) Mountain Time (US & Canada)

46

(GMT+5:00) Islamabad, Karachi,Tashkent

07

(GMT-6:00) Central America

47

(GMT+5:30) Calcutta, Chennai, Mumbai, New Delhi

08

(GMT-6:00) Central Time (US & Canada)

48

(GMT+5:45) Kathmandu

09

(GMT-6:00) Mexico City

49

(GMT+6:00) Almaty, Novosibirsk

10

(GMT-6:00) Saskatchewan

50

(GMT+6:00) Astana, Dhaka

11

(GMT-5:00) Bogota, Lima, Quito

51

(GMT+6:00) Sri Jayawardenapura

12

(GMT-5:00) Eastern Time (US & Canada)

52

(GMT+6:30) Rangoon

13

(GMT-5:00) Indiana (East)

53

(GMT+7:00) Bangkok, Hanoi, Jakarta

14

(GMT-4:00) Atlantic Time (Canada)

54

(GMT+7:00) Krasnoyarsk

15

(GMT-4:00) La Paz

55

(GMT+8:00) Beijing,ChongQing, HongKong,Urumqi

16

(GMT-4:00) Santiago

56

(GMT+8:00) Irkutsk, Ulaanbaatar

17

(GMT-3:30) Newfoundland

57

(GMT+8:00) Kuala Lumpur, Singapore

18

(GMT-3:00) Brasilia

58

(GMT+8:00) Perth

19

(GMT-3:00) Buenos Aires, Georgetown

59

(GMT+8:00) Taipei

20

(GMT-3:00) Nuuk (Greenland)

60

(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul

21

(GMT-2:00) Mid-Atlantic

61

(GMT+9:00) Yakutsk

22

(GMT-1:00) Azores

62

(GMT+9:30) Adelaide

23

(GMT-1:00) Cape Verde Is

63

(GMT+9:30) Darwin

24

(GMT) Casablanca, Monrovia

64

(GMT+10:00) Brisbane

25

(GMT) Greenwich Mean Time:Dublin, Edinburgh, Lisbon, London

65

(GMT+10:00) Canberra, Melbourne, Sydney

26

(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

66

(GMT+10:00) Guam, Port Moresby

27

(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

67

(GMT+10:00) Hobart

28

(GMT+1:00) Brussels, Copenhagen, Madrid, Paris

68

(GMT+10:00) Vladivostok

29

(GMT+1:00) Sarajevo, Skopje, Sofija, Vilnius, Warsaw, Zagreb

69

(GMT+11:00) Magadan

30

(GMT+1:00) West Central Africa

70

(GMT+11:00) Solomon Is., New Caledonia

31

(GMT+2:00) Athens, Istanbul, Minsk

71

(GMT+12:00) Auckland, Wellington

32

(GMT+2:00) Bucharest

72

(GMT+12:00) Fiji, Kamchatka, Marshall Is

33

(GMT+2:00) Cairo

73

(GMT+13:00) Nuku'alofa

34

(GMT+2:00) Harare, Pretoria

74

(GMT-4:30) Caracas

35

(GMT+2:00) Helsinki, Riga,Tallinn

75

(GMT+1:00) Namibia

36

(GMT+2:00) Jerusalem

76

(GMT-5:00) Brazil-Acre)

37

(GMT+3:00) Baghdad

77

(GMT-4:00) Brazil-West

38

(GMT+3:00) Kuwait, Riyadh

78

(GMT-3:00) Brazil-East

39

(GMT+3:00) Moscow, St.Petersburg, Volgograd

79

(GMT-2:00) Brazil-DeNoronha