Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

system global

Use this command to configure global settings that affect FortiGate systems and configurations.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.3.

Command Description

set dnsproxy-worker-count <CPUs>

Set the number of CPUs that the DNS proxy process runs on. The default value is 2.

This command applies only to FortiGate devices with multiple CPUs.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set proxy-auth-timeout <minutes>

Unit of measurement has changed from seconds to minutes (with a new default of 10) in order to avoid repeat user authentication and ldap queries.

set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the global minimum SSL version that can be used by all SSL implementations on this FortiGate. You can override this minimum version for individual configurations.

The default value is TLSv1-2.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description
N/A

Security Profiles can now be configured globally across multiple VDOMs.

See the vdom-admin {enable | disable} entry below for more information.

set fortiguard-audit-result-submission {enable | disable}

Option has been removed and replaced with security-rating-result-submission (see table entry below).

set security-rating-result-submission {enable | disable}

set security-rating-run-on-schedule {enable | disable}

Enable or disable Security Rating results to be sent to FortiGuard, and enable (by default) or disable scheduled runs of Security Rating.

When schedule is enabled, Security Rating is run every four hours, or every one hour if a config change occurs.

set multi-factor-authentication {optional | mandatory}

Support for a global option to enforce all login methods to require an additional authentication factor, in order to comply with PCI 3.2.

Corrected the help text description.

set wad-source-affinity {enable | disable}

Modifies the wad-worker balancing algorithm to also use the source port in addition to source IP when distributing the client to a specific WAD daemon. With this in place, even the connections from one IP address will be balanced over all the WAD processes.
Attributes updated to allow 0 as the minimum value.

set virtual-server-count <integer>

Removed for FortiOS 6.0.

set virtual-server-hardware-acceleration {disable | enable}

Removed for FortiOS 6.0.

set proxy-re-authentication-mode {session | traffic | absolute}

Determine whether users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.

set proxy-auth-lifetime {enable | disable}

set proxy-auth-lifetime-timeout <minutes>

Enable or disable (by default) authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Once enabled, set the lifetime timeout in minutes. Set the range between 5-65535. The default is set to 480 (or 8 hours).

The timeout option is only available when proxy-auth-lifetime is set to enable. Once enabled, set the timeout in minutes for authenticated users.

set admin-restrict-local {enable | disable}

Enable or disable (by default) local administrator restriction options. Whenever any remote servers (TACACS, LDAP, or RADIUS) are up and running, any local admin authentication will be blocked. Local admins will be allowed access only if there are no remote servers detected.

set disk-usage {log | wanopt}

This option has been removed, but a similar option can be set under system storage.
config system global
    set language {option}   GUI display language.
            english     English.
            french      French.
            spanish     Spanish.
            portuguese  Portuguese.
            japanese    Japanese.
            trach       Traditional Chinese.
            simch       Simplified Chinese.
            korean      Korean.
    set gui-ipv6 {enable | disable}   Enable/disable IPv6 settings on the GUI.
    set gui-certificates {enable | disable}   Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
    set gui-custom-language {enable | disable}   Enable/disable custom languages in GUI.
    set gui-wireless-opensecurity {enable | disable}   Enable/disable wireless open security option on the GUI.
    set gui-display-hostname {enable | disable}   Enable/disable displaying the FortiGate's hostname on the GUI login page.
    set gui-lines-per-page {integer}   Number of lines to display per page for web administration. range[20-1000]
    set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2}   Allowed TLS versions for web administration.
            tlsv1-0  TLS 1.0.
            tlsv1-1  TLS 1.1.
            tlsv1-2  TLS 1.2.
    set admintimeout {integer}   Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure. range[1-480]
    set admin-console-timeout {integer}   Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout. range[15-300]
    set ssd-trim-freq {option}   How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
            never    Never Run SSD Trim.
            hourly   Run SSD Trim Hourly.
            daily    Run SSD Trim Daily.
            weekly   Run SSD Trim Weekly.
            monthly  Run SSD Trim Monthly.
    set ssd-trim-hour {integer}   Hour of the day on which to run SSD Trim (0 - 23, default = 1). range[0-23]
    set ssd-trim-min {integer}   Minute of the hour on which to run SSD Trim (0 - 59, 60 for random). range[0-60]
    set ssd-trim-weekday {option}   Day of week to run SSD Trim.
            sunday     Sunday
            monday     Monday
            tuesday    Tuesday
            wednesday  Wednesday
            thursday   Thursday
            friday     Friday
            saturday   Saturday
    set ssd-trim-date {integer}   Date within a month to run ssd trim. range[1-31]
    set admin-concurrent {enable | disable}   Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
    set admin-lockout-threshold {integer}   Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration. range[1-10]
    set admin-lockout-duration {integer}   Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts. range[1-2147483647]
    set refresh {integer}   Statistics refresh interval in GUI. range[0-4294967295]
    set interval {integer}   Dead gateway detection interval. range[0-4294967295]
    set failtime {integer}   Fail-time for server lost. range[0-4294967295]
    set daily-restart {enable | disable}   Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
    set restart-time {string}   Daily restart time (hh:mm).
    set radius-port {integer}   RADIUS service port number. range[1-65535]
    set admin-login-max {integer}   Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100) range[1-100]
    set remoteauthtimeout {integer}   Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout). range[1-300]
    set ldapconntimeout {integer}   Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500). range[1-300000]
    set batch-cmdb {enable | disable}   Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
    set max-dlpstat-memory {integer}   Maximum DLP stat memory (0 - 4294967295).
    set multi-factor-authentication {optional | mandatory}   Enforce all login methods to require an additional authentication factor (default = optional).
            optional   Do not enforce all login methods to require an additional authentication factor (controlled by user settings).
            mandatory  Enforce all login methods to require an additional authentication factor.
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}   Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
            SSLv3    SSLv3.
            TLSv1    TLSv1.
            TLSv1-1  TLSv1.1.
            TLSv1-2  TLSv1.2.
    set dst {enable | disable}   Enable/disable daylight saving time.
    set timezone {option}   Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
            01  (GMT-11:00) Midway Island, Samoa
            02  (GMT-10:00) Hawaii
            03  (GMT-9:00) Alaska
            04  (GMT-8:00) Pacific Time (US & Canada)
            05  (GMT-7:00) Arizona
            81  (GMT-7:00) Baja California Sur, Chihuahua
            06  (GMT-7:00) Mountain Time (US & Canada)
            07  (GMT-6:00) Central America
            08  (GMT-6:00) Central Time (US & Canada)
            09  (GMT-6:00) Mexico City
            10  (GMT-6:00) Saskatchewan
            11  (GMT-5:00) Bogota, Lima,Quito
            12  (GMT-5:00) Eastern Time (US & Canada)
            13  (GMT-5:00) Indiana (East)
            74  (GMT-4:00) Caracas
            14  (GMT-4:00) Atlantic Time (Canada)
            77  (GMT-4:00) Georgetown
            15  (GMT-4:00) La Paz
            87  (GMT-4:00) Paraguay
            16  (GMT-3:00) Santiago
            17  (GMT-3:30) Newfoundland
            18  (GMT-3:00) Brasilia
            19  (GMT-3:00) Buenos Aires
            20  (GMT-3:00) Nuuk (Greenland)
            75  (GMT-3:00) Uruguay
            21  (GMT-2:00) Mid-Atlantic
            22  (GMT-1:00) Azores
            23  (GMT-1:00) Cape Verde Is.
            24  (GMT) Monrovia
            80  (GMT) Greenwich Mean Time
            79  (GMT) Casablanca
            25  (GMT) Dublin, Edinburgh, Lisbon, London
            26  (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
            27  (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
            28  (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
            78  (GMT+1:00) Namibia
            29  (GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb
            30  (GMT+1:00) West Central Africa
            31  (GMT+2:00) Athens, Sofia, Vilnius
            32  (GMT+2:00) Bucharest
            33  (GMT+2:00) Cairo
            34  (GMT+2:00) Harare, Pretoria
            35  (GMT+2:00) Helsinki, Riga, Tallinn
            36  (GMT+2:00) Jerusalem
            37  (GMT+3:00) Baghdad
            38  (GMT+3:00) Kuwait, Riyadh
            83  (GMT+3:00) Moscow
            84  (GMT+3:00) Minsk
            40  (GMT+3:00) Nairobi
            85  (GMT+3:00) Istanbul
            41  (GMT+3:30) Tehran
            42  (GMT+4:00) Abu Dhabi, Muscat
            43  (GMT+4:00) Baku
            39  (GMT+3:00) St. Petersburg, Volgograd
            44  (GMT+4:30) Kabul
            46  (GMT+5:00) Islamabad, Karachi, Tashkent
            47  (GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi
            51  (GMT+5:30) Sri Jayawardenepara
            48  (GMT+5:45) Kathmandu
            45  (GMT+5:00) Ekaterinburg
            49  (GMT+6:00) Almaty, Novosibirsk
            50  (GMT+6:00) Astana, Dhaka
            52  (GMT+6:30) Rangoon
            53  (GMT+7:00) Bangkok, Hanoi, Jakarta
            54  (GMT+7:00) Krasnoyarsk
            55  (GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk
            56  (GMT+8:00) Ulaan Bataar
            57  (GMT+8:00) Kuala Lumpur, Singapore
            58  (GMT+8:00) Perth
            59  (GMT+8:00) Taipei
            60  (GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
            62  (GMT+9:30) Adelaide
            63  (GMT+9:30) Darwin
            61  (GMT+9:00) Yakutsk
            64  (GMT+10:00) Brisbane
            65  (GMT+10:00) Canberra, Melbourne, Sydney
            66  (GMT+10:00) Guam, Port Moresby
            67  (GMT+10:00) Hobart
            68  (GMT+10:00) Vladivostok
            69  (GMT+10:00) Magadan
            70  (GMT+11:00) Solomon Is., New Caledonia
            71  (GMT+12:00) Auckland, Wellington
            72  (GMT+12:00) Fiji, Kamchatka, Marshall Is.
            00  (GMT+12:00) Eniwetok, Kwajalein
            82  (GMT+12:45) Chatham Islands
            73  (GMT+13:00) Nuku'alofa
            86  (GMT+13:00) Samoa
            76  (GMT+14:00) Kiritimati
    set traffic-priority {tos | dscp}   Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
            tos   IP TOS.
            dscp  DSCP (DiffServ) DS.
    set traffic-priority-level {low | medium | high}   Default system-wide level of priority for traffic prioritization.
            low     Low priority.
            medium  Medium priority.
            high    High priority.
    set anti-replay {disable | loose | strict}   Level of checking for packet replay and TCP sequence checking.
            disable  Disable anti-replay check.
            loose    Loose anti-replay check.
            strict   Strict anti-replay check.
    set send-pmtu-icmp {enable | disable}   Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.
    set honor-df {enable | disable}   Enable/disable honoring of Don't-Fragment (DF) flag.
    set revision-image-auto-backup {enable | disable}   Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
    set revision-backup-on-logout {enable | disable}   Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
    set management-vdom {string}   Management virtual domain name. size[31] - datasource(s): system.vdom.name
    set hostname {string}   FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters. size[35]
    set alias {string}   Alias for your FortiGate unit. size[35]
    set strong-crypto {enable | disable}   Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.
    set ssh-cbc-cipher {enable | disable}   Enable/disable CBC cipher for SSH access.
    set ssh-hmac-md5 {enable | disable}   Enable/disable HMAC-MD5 for SSH access.
    set ssh-kex-sha1 {enable | disable}   Enable/disable SHA1 key exchange for SSH access.
    set ssl-static-key-ciphers {enable | disable}   Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
    set snat-route-change {enable | disable}   Enable/disable the ability to change the static NAT route.
    set cli-audit-log {enable | disable}   Enable/disable CLI audit log.
    set dh-params {option}   Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
            1024  1024 bits.
            1536  1536 bits.
            2048  2048 bits.
            3072  3072 bits.
            4096  4096 bits.
            6144  6144 bits.
            8192  8192 bits.
    set fds-statistics {enable | disable}   Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
    set fds-statistics-period {integer}   FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60). range[1-1440]
    set multicast-forward {enable | disable}   Enable/disable multicast forwarding.
    set mc-ttl-notchange {enable | disable}   Enable/disable no modification of multicast TTL.
    set asymroute {enable | disable}   Enable/disable asymmetric route.
    set tcp-option {enable | disable}   Enable SACK, timestamp and MSS TCP options.
    set lldp-transmission {enable | disable}   Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
    set proxy-auth-timeout {integer}   Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10). range[1-300]
    set proxy-re-authentication-mode {session | traffic | absolute}   Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
            session   Proxy re-authentication timeout begins at the closure of the session.
            traffic   Proxy re-authentication timeout begins after traffic has not been received.
            absolute  Proxy re-authentication timeout begins when the user was first created.
    set proxy-auth-lifetime {enable | disable}   Enable/disable authenticated users lifetime control.  This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
    set proxy-auth-lifetime-timeout {integer}   Lifetime timeout in minutes for authenticated users (5  - 65535 min, default=480 (8 hours)). range[5-65535]
    set sys-perf-log-interval {integer}   Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled). range[0-15]
    set check-protocol-header {loose | strict}   Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
            loose   Check protocol header loosely.
            strict  Check protocol header strictly.
    set vip-arp-range {unlimited | restricted}   Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
            unlimited   Send ARPs for all addresses in VIP range.
            restricted  Send ARPs for the first 8192 addresses in VIP range.
    set reset-sessionless-tcp {enable | disable}   Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
    set allow-traffic-redirect {enable | disable}   Disable to allow traffic to be routed back on a different interface.
    set strict-dirty-session-check {enable | disable}   Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
    set tcp-halfclose-timer {integer}   Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120). range[1-86400]
    set tcp-halfopen-timer {integer}   Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10). range[1-86400]
    set tcp-timewait-timer {integer}   Length of the TCP TIME-WAIT state in seconds. range[0-300]
    set udp-idle-timer {integer}   UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60). range[1-86400]
    set block-session-timer {integer}   Duration in seconds for blocked sessions (1 - 300 sec  (5 minutes), default = 30). range[1-300]
    set ip-src-port-range {string}   IP source port range used for traffic originating from the FortiGate unit.
    set pre-login-banner {enable | disable}   Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
    set post-login-banner {disable | enable}   Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
    set tftp {enable | disable}   Enable/disable TFTP.
    set av-failopen {pass | off | one-shot}   Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
            pass      Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
            off       Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
            one-shot  Bypass the antivirus system when memory is low.
    set av-failopen-session {enable | disable}   When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
    set memory-use-threshold-extreme {integer}   Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95). range[70-97]
    set memory-use-threshold-red {integer}   Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88). range[70-97]
    set memory-use-threshold-green {integer}   Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82). range[70-97]
    set cpu-use-threshold {integer}   Threshold at which CPU usage is reported. (% of total CPU, default = 90). range[50-99]
    set check-reset-range {strict | disable}   Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
            strict   Check RST range strictly.
            disable  Disable RST range check.
    set vdom-admin {enable | disable}   Enable/disable support for multiple virtual domains (VDOMs).
    set long-vdom-name {enable | disable}   Enable/disable long VDOM name support.
    set admin-port {integer}   Administrative access port for HTTP. (1 - 65535, default = 80). range[1-65535]
    set admin-sport {integer}   Administrative access port for HTTPS. (1 - 65535, default = 443). range[1-65535]
    set admin-https-redirect {enable | disable}   Enable/disable redirection of HTTP administration access to HTTPS.
    set admin-hsts-max-age {integer}   HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0. range[0-2147483647]
    set admin-ssh-password {enable | disable}   Enable/disable password authentication for SSH admin access.
    set admin-restrict-local {enable | disable}   Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
    set admin-ssh-port {integer}   Administrative access port for SSH. (1 - 65535, default = 22). range[1-65535]
    set admin-ssh-grace-time {integer}   Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120). range[10-3600]
    set admin-ssh-v1 {enable | disable}   Enable/disable SSH v1 compatibility.
    set admin-telnet-port {integer}   Administrative access port for TELNET. (1 - 65535, default = 23). range[1-65535]
    set admin-maintainer {enable | disable}   Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.
    set admin-server-cert {string}   Server certificate that the FortiGate uses for HTTPS administrative connections. size[35] - datasource(s): certificate.local.name
    set user-server-cert {string}   Certificate to use for https user authentication. size[35] - datasource(s): certificate.local.name
    set admin-https-pki-required {enable | disable}   Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
    set wifi-certificate {string}   Certificate to use for WiFi authentication. size[35] - datasource(s): certificate.local.name
    set wifi-ca-certificate {string}   CA certificate that verifies the WiFi certificate. size[35] - datasource(s): certificate.ca.name
    set auth-http-port {integer}   User authentication HTTP port. (1 - 65535, default = 80). range[1-65535]
    set auth-https-port {integer}   User authentication HTTPS port. (1 - 65535, default = 443). range[1-65535]
    set auth-keepalive {enable | disable}   Enable to prevent user authentication sessions from timing out when idle.
    set policy-auth-concurrent {integer}   Number of concurrent firewall use logins from the same user (1 - 100, default = 0 means no limit). range[0-100]
    set auth-session-limit {block-new | logout-inactive}   Action to take when the number of allowed user authenticated sessions is reached.
            block-new        Block new user authentication attempts.
            logout-inactive  Logout the most inactive user authenticated sessions.
    set auth-cert {string}   Server certificate that the FortiGate uses for HTTPS firewall authentication connections. size[35] - datasource(s): certificate.local.name
    set clt-cert-req {enable | disable}   Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
    set fortiservice-port {integer}   FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port. range[1-65535]
    set endpoint-control-portal-port {integer}   Endpoint control portal port (1 - 65535). range[1-65535]
    set endpoint-control-fds-access {enable | disable}   Enable/disable access to the FortiGuard network for non-compliant endpoints.
    set tp-mc-skip-policy {enable | disable}   Enable/disable skip policy check and allow multicast through.
    set cfg-save {automatic | manual | revert}   Configuration file save mode for CLI changes.
            automatic  Automatically save config.
            manual     Manually save config.
            revert     Manually save config and revert the config when timeout.
    set cfg-revert-timeout {integer}   Time-out for reverting to the last saved configuration. range[10-4294967295]
    set reboot-upon-config-restore {enable | disable}   Enable/disable reboot of system upon restoring configuration.
    set admin-scp {enable | disable}   Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
    set security-rating-result-submission {enable | disable}   Enable/disable the submission of Security Rating results to FortiGuard.
    set security-rating-run-on-schedule {enable | disable}   Enable/disable scheduled runs of Security Rating.
    set wireless-controller {enable | disable}   Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
    set wireless-controller-port {integer}   Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246). range[1024-49150]
    set fortiextender-data-port {integer}   FortiExtender data port (1024 - 49150, default = 25246). range[1024-49150]
    set fortiextender {enable | disable}   Enable/disable FortiExtender.
    set fortiextender-vlan-mode {enable | disable}   Enable/disable FortiExtender VLAN mode.
    set switch-controller {disable | enable}   Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
    set switch-controller-reserved-network {ipv4 classnet}   Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
    set dnsproxy-worker-count {integer}   DNS proxy worker count. range[1-64]
    set proxy-worker-count {integer}   Proxy worker count. range[0-64]
    set scanunit-count {integer}   Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. range[0-64]
    set proxy-kxp-hardware-acceleration {disable | enable}   Enable/disable using the content processor to accelerate KXP traffic.
    set proxy-cipher-hardware-acceleration {disable | enable}   Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic.
    set fgd-alert-subscription {option}   Type of alert to retrieve from FortiGuard.
            advisory          Retrieve FortiGuard advisories, report and news alerts.
            latest-threat     Retrieve latest FortiGuard threats alerts.
            latest-virus      Retrieve latest FortiGuard virus alerts.
            latest-attack     Retrieve latest FortiGuard attack alerts.
            new-antivirus-db  Retrieve FortiGuard AV database release alerts.
            new-attack-db     Retrieve FortiGuard IPS database release alerts.
    set ipsec-hmac-offload {enable | disable}   Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
    set ipv6-accept-dad {integer}   Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD). range[0-2]
    set ipv6-allow-anycast-probe {enable | disable}   Enable/disable IPv6 address probe through Anycast.
    set csr-ca-attribute {enable | disable}   Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
    set wimax-4g-usb {enable | disable}   Enable/disable comparability with WiMAX 4G USB devices.
    set cert-chain-max {integer}   Maximum number of certificates that can be traversed in a certificate chain. range[1-2147483647]
    set sslvpn-max-worker-count {integer}   Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model. range[0-64]
    set sslvpn-kxp-hardware-acceleration {enable | disable}   Enable/disable SSL VPN KXP hardware acceleration.
    set sslvpn-cipher-hardware-acceleration {enable | disable}   Enable/disable SSL VPN hardware acceleration.
    set sslvpn-plugin-version-check {enable | disable}   Enable/disable checking browser's plugin version by SSL VPN.
    set two-factor-ftk-expiry {integer}   FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60). range[60-600]
    set two-factor-email-expiry {integer}   Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60). range[30-300]
    set two-factor-sms-expiry {integer}   SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60). range[30-300]
    set two-factor-fac-expiry {integer}   FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60). range[10-3600]
    set two-factor-ftm-expiry {integer}   FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72). range[1-168]
    set per-user-bwl {enable | disable}   Enable/disable per-user black/white list filter.
    set virtual-server-count {integer}   Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs. range[0-64]
    set virtual-server-hardware-acceleration {disable | enable}   Enable/disable virtual server hardware acceleration.
    set wad-worker-count {integer}   Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit. range[0-64]
    set wad-csvc-cs-count {integer}   Number of concurrent WAD-cache-service object-cache processes. range[1-1]
    set wad-csvc-db-count {integer}   Number of concurrent WAD-cache-service byte-cache processes. range[0-64]
    set wad-source-affinity {disable | enable}   Enable/disable dispatching traffic to WAD workers based on source affinity.
    set login-timestamp {enable | disable}   Enable/disable login time recording.
    set miglogd-children {integer}   Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed. range[0-15]
    set special-file-23-support {disable | enable}   Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
    set log-uuid {disable | policy-only | extended}   Whether UUIDs are added to traffic logs. You can disable UUIDs, add firewall policy UUIDs to traffic logs, or add all UUIDs to traffic logs.
            disable      Disable UUID in traffic log
            policy-only  Enable only policy UUID in traffic log.
            extended     Enable all UUIDs in traffic log.
    set log-ssl-connection {enable | disable}   Enable/disable logging of SSL connection events.
    set arp-max-entry {integer}   Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072). range[131072-2147483647]
    set av-affinity {string}   Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). size[79]
    set wad-affinity {string}   Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). size[79]
    set ips-affinity {string}   Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). size[79]
    set miglog-affinity {string}   Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). size[19]
    set ndp-max-entry {integer}   Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). range[65536-2147483647]
    set br-fdb-max-entry {integer}   Maximum number of bridge forwarding database (FDB) entries. range[8192-2147483647]
    set max-route-cache-size {integer}   Maximum number of IP route cache entries (0 - 2147483647). range[0-2147483647]
    set ipsec-asic-offload {enable | disable}   Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
    set ipsec-soft-dec-async {enable | disable}   Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
    set device-idle-timeout {integer}   Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300). range[30-31536000]
    set device-identification-active-scan-delay {integer}   Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90). range[20-3600]
    set compliance-check {enable | disable}   Enable/disable global PCI DSS compliance check.
    set compliance-check-time {time}   Time of day to run scheduled PCI DSS compliance checks.
    set gui-device-latitude {string}   Add the latitude of the location of this FortiGate to position it on the Threat Map. size[19]
    set gui-device-longitude {string}   Add the longitude of the location of this FortiGate to position it on the Threat Map. size[19]
    set private-data-encryption {disable | enable}   Enable/disable private data encryption using an AES 128-bit key.
    set auto-auth-extension-device {enable | disable}   Enable/disable automatic authorization of dedicated Fortinet extension devices.
    set gui-theme {option}   Color scheme for the administration GUI.
            green      Green theme.
            red        Red theme.
            blue       Light blue theme.
            melongene  Melongene theme (eggplant color).
            mariner    Mariner theme (dark blue color).
    set gui-date-format {option}   Default date format used throughout GUI.
            yyyy/MM/dd  Year/Month/Day.
            dd/MM/yyyy  Day/Month/Year.
            MM/dd/yyyy  Month/Day/Year.
            yyyy-MM-dd  Year-Month-Day.
            dd-MM-yyyy  Day-Month-Year.
            MM-dd-yyyy  Month-Day-Year.
    set igmp-state-limit {integer}   Maximum number of IGMP memberships (96 - 64000, default = 3200). range[96-128000]
end

Additional information

The following section is for those options that require additional explanation.

admin-concurrent {enable | disable}

Enable/disable to allow concurrent administrator logins. Default is enable. Use policy-auth-concurrent for firewall authenticated users.

admin-console-timeout <secs_int>

Specify a console login timeout that overrides the admintimeout value. Range:  15 - 300 seconds (15 seconds to 5 minutes). Zero value disables the timeout. Default is 0.

admin-https-pki-required {enable | disable}

Specify admin login method for HTTPS login. Default is disable.

  • enable:  allows admin user to log in by providing a valid certificate if PKI is enabled for HTTPS administrative access.
  • disable:  allows admin users to log in by providing a valid certificate or password.

admin-https-redirect {enable | disable}

Enable/disable redirection of HTTP administration access to HTTPS. Not available on low-crypto FortiGates. Default is disable.

admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2}

Specify allowed SSL/TLS versions for web administration. Default is tlsv1-1 tlsv1-2.

admin-lockout-duration <time_int>

Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout. Default is 60.

admin-lockout-threshold <failed_int>

Set the number of failed attempts before the account is locked out for the admin-lockout-duration. Default is . Default is 3.

admin-login-max <int>

Set the maximum number administrators who can be logged in at same time. Range: 1 - 100. Default is 80.

admin-maintainer {enable | disable}

Enable/disable hidden maintainer user login. Default is enable. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.

admin-port <port_number>

Specify the administrative access port for HTTP. Range:  1 - 65535. Default is 80.

admin-scp {enable | disable}

Enable/disable the ability to backup and restore the FortiGate configuration and install firmware upgrades using Secure Copy Protocol (SCP).

To use SCP, on the FortiGate you must enable SCP  and enable SSH administrative acces on an interfacee. Then from a management PC runing SCP client software, you can enter SCP commands to backup and restore configuration files and upgrade FortiOS firmware. The SCP commands must include

note icon The SCP commands must use a FortiGate administrator account with the super_admin access profile. When entering SCP commands from a management PC, use sys_conf as the configuration file name.

For more information, see How to download/upload a FortiGate configuration file using secure file copy (SCP).

Examples

On a PC running linux, use the following command to backup the FortiGate configuration file to ~/config. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

scp admin@172.20.120.171:fgt-config ~/config

Enter the admin password when prompted.

On a PC running Windows, use the following command to backup the FortiGate configuration file to c:\config. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

pscp admin@172.20.120.171:fgt-config c:\config

Enter the admin password when prompted.

On a PC running linux, use the following command to restore the FortiGate configuration using a file named backup-nov2018. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

scp backup-nov2018 admin@172.20.120.171:fgt-restore-config

Enter the admin password when prompted.

On a PC running Windows, use the following command to restore the FortiGate configuration using a file named backup-nov2018.txt. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

pscp backup-nov2018.txt admin@172.20.120.171:fgt-restore-config

Enter the admin password when prompted.

On a PC running linux, use the following command to upgrade the FortiGate firmware using a firmware image file named fgt-image-v6.0.3.out. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

scp fgt-image-v6.0.3.out admin@172.20.120.171:fgt-image

Enter the admin password when prompted.

On a PC running WIndows, use the following command to upgrade the FortiGate firmware using a firmware image file named fgt-image-v6.0.3.out. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

pscp fgt-image-v6.0.3.out admin@172.20.120.171:fgt-image

Enter the admin password when prompted.

admin-server-cert {self-sign | <certificate>}

Identify the admin HTTPS server certificate to use. Default is self-sign.

admin-sport <port_number>

Specify the administrative access port for HTTPS. Range:  1 - 65535. Default is 443.

admin-ssh-grace-time <time_int>

Specify the maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating. Range: 10 - 3600 seconds (10 seconds to one hour). Default is 120.

admin-ssh-password {enable | disable}

Enable/disable password authentication for SSH admin access. Default is enable.

admin-ssh-port <port_number>

Specify the administrative access port for SSH. Range:  1 - 65535. Default is 22.

admin-ssh-v1 {enable | disable}

Enable/disable Secure Shell (SSH) version 1 compatibility. Default is disable.

admin-telnet-port <port_number>

Specify the administrative access port for TELNET. Range: 1 - 65535. Default is 23.

admintimeout <admin_timeout_minutes>

Specify the number of minutes before an idle administrator times out. The maximum admintimeout interval is 480 minutes (8 hours). Default is 5. To improve security keep the idle timeout at the default value.

alias <alias_str>

Identify an alias for your FortiGate unit.

allow-traffic-redirect {enable | disable}

Enable/ disable allow traffic redirect. Default is enable. Under some conditions, it is undesirable to have traffic routed back on the same interface. In that case, set allow-traffic-redirect to disable.

anti-replay {disable | loose | strict}

Specify the level of checking for packet replay and TCP sequence checking (or TCP Sequence number checking). Default is strict. FortiGate units use TCP sequence checking to make sure that a packet is part of a TCP session. By default, if a packet is received with sequence numbers that fall out of the expected range, the FortiGate unit drops the packet. This is normally a desired behavior, since it means that the packet is invalid. But in some cases you may want to configure different levels of anti-replay checking if some of your network equipment uses non-RFC methods when sending packets.

  • disable:  no anti-replay protection.
  • loose:  perform packet sequence checking and ICMP anti-replay checking with the following criteria:
  • the SYN, FIN, and RST bit can not appear in the same packet.
  • the FortiGate unit does not allow more than 1 ICMP error packet to go through the FortiGate unit before it receives a normal TCP or UDP packet.
  • If the FortiGate unit receives an RST packet, and check-reset-range is set to strict the FortiGate unit checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect.
  • strict:  performs all of the loose checking but for each new session also checks to determine of the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value for each new session. Strict anti-replay checking can also help prevent SYN flooding.

If any packet fails a check it is dropped. If loginvalid-packet is set to enable, a log message is written for each packet that fails a check.

arp-max-entry <int>

Specify the maximum number of dynamically learned MAC addresses that can be added to the ARP table. Range:  131072 - 2147483647. If set to 0, kernel holds 131072 entries. Default is 0.

auth-cert <cert-name>

Identify the HTTPS server certificate for policy authentication. Default is self-sign. Self-sign is the built-in certificate but others will be listed as you add them.

auth-http-port <http_port>

Set the HTTP authentication port. Range: 1 - 65535. Default is 1000.

auth-https-port <https_port>

Set the HTTPS authentication port. Range: 1 - 65535. Default is 1003.

auth-keepalive {enable | disable}

Enable to extend the session's authentication time to prevent an idle timeout. Default is disable.

auto-auth-extension-device {enable | disable}

Enable/disable automatic authorization of dedicated Fortinet extension device globally. Default is enable.

av-failopen {off | one-shot | pass}

Set the action to take if the unit is running low on memory or the proxy connection limit has been reached. Default is pass.

  • off:  stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
  • one-shot:  bypass the antivirus system when memory is low. You must enter off or pass to restart antivirus scanning.
  • pass:  bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.

av-failopen-session {enable | disable}

When enabled and a protocol's proxy runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Default is disable.

batch-cmdb {enable | disable}

Enable/disable batch mode to execute in CMDB server. Batch mode is used to enter a series of commands that will execute as a group once they are loaded. Default is enable.

block-session-timer <int>

Set the time duration in seconds for blocked or denied sessions to remain in the session table. Range:  1 - 300 seconds (1 second to 5 minutes).  Default is 30.

For this option to be effective, enable the sess-denied-traffic system setting (see ses-denied-traffic {enable | disable} for details). Keeping denied sessions in the session table longer can reduce CPU usage. However, each session in the session table uses sytem memory. So you may want to adjust this timer for optimum performance.

br-fdb-max-entry <int>

Specify the maximum number of bridge forwarding database (FDB) entries. Used when operating in Transparent mode, the FDB (or MAC) table is used by a Layer 2 device (switch/bride) to store MAC addresses that have been learned and the ports that each MAC address was learned on. If the FDB has a large number of entries, performance may be impacted. Range:  8192 - 2147483647. If set to 0, kernel holds 8192 entries. Default is 0.

cert-chain-max <int>

Set the maximum number of certificates that can be traversed in a certificate chain. The list of certificates, from the root certificate to the end-user certificate, represents the certificate chain. Default is 8.

cfg-save {automatic | manual | revert}

Specify the configuration file save mode for changes made using the CLI. Default is automatic.

  • automatic:  automatically save the configuration after every change.
  • manual:  manually save the configuration using the execute cfg save command.
  • revert:  manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.

Switching to automatic mode disconnects your session. This command is used as part of the runtime-only configuration mode.

check-protocol-header {loose | strict}

Select the level of checking performed on protocol headers. Default is loose.

  • loose:  the FortiGate unit performs basic header checking to verify that a packet is part of a session and should be processed. Basic header checking includes verifying that the layer- 4 protocol header length, the IP header length, the IP version, the IP checksum, IP options are correct, etc.
  • strict:  the FortiGate unit does the same checking as above plus it verifies that ESP packets have the correct sequence number, SPI, and data length. Note: this setting disables hardware acceleration.

If the packet fails header checking it is dropped by the FortiGate unit and logged if log-invalid-packet is enabled.

check-reset-range {disable | strict}

Configure ICMP error message verification. Default is disable.

  • disable:  the FortiGate unit does not validate ICMP error messages.
  • strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) |TCP(C,D) header and if FortiOS can locate the A:C->B:D session, it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range, then the ICMP packet is dropped. If log-invalid-packet is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets

cli-audit-log {enable | disable}

Enable/disable CLI audit log. Default is disable.

clt-cert-req {enable | disable}

Enable/disable requirement for a client certificate before administrator logs in via GUI using HTTPS. Default is disable.

compliance-check {enable | disable}

Enable/disable global PCI DSS compliance check. Default is enable.

compliance-check-time <HH:MM:SS>

Specify the PCI DSS compliance check time. Default is 00:00:00 .

csr-ca-attribute {enable | disable}

Enable/disable the use of CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute. Default is enable.

daily restart {enable | disable}

Enable/disable daily restart of FortiGate unit. Default is disable. The time of the restart is controlled by restart-time.

device-identification-active-scan-delay <int>

Indicate how many seconds to passively scan a device before performing an active scan. Range: 20 - 3600 seconds (20 seconds to 1 hour). Default is 90.

device-idle-timeout <int>

Specify time in seconds that a device must be idle in order to automatically log user out. Range: 30 - 31536000 seconds (30 seconds to 1 year). Default is 300.

dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}

Minimum size, in bits, of the prime number used in Diffie-Hellman key exchange for HTTPS/SSH protocols. Default is 2048.

disk-usage {log | wanopt}

Specify whether to use hard disk or WAN Optimization for logging. Default is log.

dnsproxy-worker-count

Set the number of CPUs that the DNS proxy process runs on. This enables you to improve DNS proxy performance on FortiGate units with multiple CPUs. The range of CPU values is 1 to the number of CPUs available on the FortiGate device. The default value is 2.

This command applies to FortiGate units with multiple CPUs.

dst {enable | disable}

Enable/disable daylight saving time. Default is enable.

endpoint-control-fds-access {enable | disable}

Enable/disable access to FortiGuard network for non-compliant endpoints. Default is enable.

endpoint-control-portal-port

Specify the endpoint control portal port. Range: 1 - 65535. Default is 8009.

proxy-auth-timeout <minutes>

Specify authentication timeout in minutes for idle sessions in explicit web proxy. Default is 10.

fds-statistics {enable | disable}

Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. Default is enable.

fds-statistics-period <int>

Indicate the FortiGuard statistics update period in minutes. Range:  1 - 1440 minutes (1 minute to 24 hours). Default is 60.

fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}

Specify the type of alert to retrieve from FortiGuard.

  • advisory: retrieves FortiGuard advisories, report, and news alerts.
  • latest-threat:  retrieves latest FortiGuard threat alerts.
  • latest-virus:  retrieves latest FortiGuard virus alerts.
  • latest-attack:  retrieves latest FortiGuard attack alerts.
  • new-antivirus-db:  retrieves latest FortiGuard antivirus database release alerts.
  • new attack-db:  retrieves latest FortiGuard IPS database release  alerts.

fortiextender {enable | disable}

Enable/disable FortiExtender controller. Default is disable.

fortiextender-data-port <port_int>

Specify Fortiextender controller data port. Range: 1024 - 49150. Default is 25246.

fortiservice-port <port_int>

Specify the FortiService port number. Default is 8013.

gui-certificates {enable | disable}

Enable/disable certificate configuration in GUI. Default is enable.

gui-custom-language {enable | disable}

Enable/disable custom languages in GUI. Default is disable.

gui-device-latitude <string>

Identify the latitude coordinate of your FortiGate.

gui-device-longitude <string>

Identify the longitude coordinate of your FortiGate.

gui-display-hostname {enable | disable}

Enable/disable display of hostname on GUI login page. Default is disable.

gui-ipv6 {enable | disable}

Enable/disable IPv6 settings in GUI. Default is disable.

gui-lines-per-page <gui_lines>

Specify number of lines to display per page for web administration. Default is 50.

gui-theme {green | red | blue | melongene | mariner}

Select color scheme to use for the administration GUI. Default is green.

gui-wireless-opensecurity {enable | disable}

Enable/disable wireless open security option in GUI. Default is disable.

honor-df {enable | disable}

Enable/disable honoring of Don't-Fragment (DF) flag. The DF flag instructs routers that would normally fragment a packet that is too large for a link's MTU (and potentially deliver it out of order due to that fragmentation) to instead drop the packet and return an ICMP Fragmentation Needed packet, allowing the sending host to account for the lower MTU on the path to the destination host. Default is enable.

hostname <unithostname>

Specify FortiGate unit hostname. Default is FortiGate serial number.

A hostname can only include letters, numbers, hyphens, and underlines. No spaces allowed.

While the hostname can be longer than 24 characters, if it is longer than 24 characters it will be truncated by a "~". The trailing 3-characters preceded by the "~" truncation character and the first N-3 characters are shown. This shortened hostname will be displayed in the CLI, and other locations the hostname is used. Some models support hostnames up to 35 characters

ip-src-port-range <start_port>-<end_port>

Specify the IP source port range used for traffic originating from the FortiGate unit. Range:  1 - 65535. Default is 1024 - 25000. You can use this setting to avoid problems with networks that block some ports, such as FDN ports.

ips-affinity <string>

Affinity setting for IPS (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).

ipsec-asic-offload {enable | disable}

Enable/disable application-specific integrated circuit (ASIC) offload for IPsec VPN.  You can use this command to disable using ASIC offloading to accelerate IPsec Diffie-Hellman key exchange for IPsec ESP traffic. By default hardware offloading is used. For debugging purposes or other reasons you may want this function to be processed by software. Default is enable.

ipsec-hmac-offload {disable | enable}

Enable/disable offload keyed-hashing for message authentication (HMAC) to hardware for IPsec VPN. Default is enable.

ipv6-accept-dad {0 | 1 | 2}

Enable/disable acceptance of IPv6 DAD (Duplicate Address Detection).   0: Disable DAD; 1: Enable DAD (default); 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.

language <string>

Identify the GUI display language. set language ? lists available languages. trach  = Traditional Chinese. simch = Simplified Chinese. Default is english.

ldapconntimeout  <integer>

LDAP connection time-out in milliseconds. Range: 0 - 4294967295.

lldp-transmission {enable | disable}

Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Default is disable.

log-uuid {disable | policy-only | extended}

Universally Unique Identifier (UUID) log option. Default is policy-only.

login-timestamp {enable | disable}

Enable/disable login time recording. Default is disable.

management-vdom <domain>

Management virtual domain name. Default is root.

max-route-cache-size <int>

Specify the maximum number of IP route cache entries. Range:  0 - 2 147483647. Default is 0.

miglog-affinity

Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).

miglogd-children <int>

Specify the number of miglogd processes to run. A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased. If you are suffering from performance issues, you can alter the number of logging daemon child processes. Range: 0 - 15. Default is 0.

ndp-max-entry <int>

Specify the maximum number of Neighbor Discovery Protocol (NDP) table entries. Set to 65,536 or higher; if set to 0, kernel holds 65,536 entries. Default is 0. Specify the maximum number of Neighbor Discovery Protocol (NDP) table entries. Set to 65,536 or higher; if set to 0, kernel holds 65,536 entries. Default is 0.

optimize {antivirus}

DO NOT USE THIS COMMAND. It was originally added to early NP4 platforms but is no longer supported.

phase1-rekey {enable | disable}

Enable/disable rekeying between Internet Key Exchange (IKE) peers before the phase 1 keylife expires. Default is enable.

policy-auth-concurrent <limit_int>

Limit the number of concurrent logins from the same user. Range: 1 - 100. Default is 0 and means no limit.

post-login-banner {enable | disable}

Enable/disable to display the admin access disclaimer message after successful login. Default is disable.

pre-login-banner {enable | disable}

Enable/disable to display the admin access disclaimer prior to login. Default is disable.

private-data-encryption {enable | disable}

Enable/disable private data encryption using an AES 128-bit key. Default is disable.

proxy-cipher-hardware-acceleration {enable | disable}

Enable/disable use of content processor to encrypt or decrypt traffic. Default is enable.

proxy-kxp-hardware-acceleration {enable | disable}

Enable/disable use of content processor to encrypt or decrypt traffic. Default is enable.

proxy-worker-count <count_int>

Specify the number of proxy worker processes. Range: 0 - 8. Default is 4.

radius-port <radius_port>

Specify the port for RADIUS traffic. Default is 1812. If your RADIUS server is using port 1645, you can use the CLI to change the RADIUS port on your FortiGate unit.

reboot-upon-config-restore {enable | disable}

Enable/disable reboot of system when restoring configuration. Default is enable.

refresh <refresh_seconds>

Specify the Automatic Refresh Interval, in seconds, for GUI statistics. Range: 0-4294967295. Default is 0, or no automatic refresh.

registration-notification {enable | disable}

Enable/disable displaying the registration notification if the FortiGate is not registered. Default is enable.

remoteauthtimeout <timeout_sec>

Specify the number of seconds that the FortiGate unit waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. Range: 0-300 seconds, 0 means no timeout. Default is 5. To improve security keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.

reset-sessionless-tcp {enable | disable}

The reset-sessionless-tcp command determines what action the FortiGate unit performs if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out. In most cases you should leave reset-sessionless-tcp set to disable (the default).  When this command is set to disable, the FortiGate unit silently drops the packet. The packet originator pdoes not know that the session has expired and might re-transmit the packet several times before attempting to start a new session. Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. If you enable reset-sessionless-tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session. Available in NAT mode only. Default is disable.

revision-backup-on-logout {enable | disable}

Enable/disable back-up of the latest configuration revision when the administrator logs out of the CLI or GUI. Default is disable.

revision-image-auto-backup {enable | disable}

Enable/disable back-up of the latest configuration revision when firmware is upgraded. Default is disable.

scanunit-count <count_int>

Tune the number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. Recommended for advanced users.

send-pmtu-icmp {enable | disable}

Enable to send a path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. Disabling this command will result in PMTUD packets being blocked. Default is enable.

snat-route-change {enable | disable}

Enable/disable static NAT route change. Default is disable.

special-file-23-support {enable | disable}

Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Default is disable.

ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the global minimum SSL version that can be used by all SSL implementations on this FortiGate. You can override this minimum version for individual configurations. The default value is TLSv1-2.

sslvpn-cipher-hardware-acceleration {enable | disable}

Enable/disable SSL VPN hardware acceleration.

sslvpn-kxp-hardware-acceleration {enable | disable}

Enable/disable SSL VPN KXP hardware acceleration.

sslvpn-max-worker-count <count_int>

Specify the maximum number of SSL VPN processes. The upper limit for setting this value is the number of CPUs and depends on the model.

sslvpn-plugin-version-check {enable | disable}

Enable/disable checking browser's plugin version. Default is enable.

strict-dirty-session-check {enable | disable}

Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Default is enable.

strong-crypto {enable | disable}

Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). In addition, some low-crypto options are not available. Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption. Default is enable.

switch-controller {enable | disable}

Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Default is disable.

switch-controller-reserved-network <ipv4mask>

Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled. Default: 169.254.0.0 255.255.0.0

syncinterval <ntpsync_minutes>

Specify how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. Range: 1 - 1440 minutes (1 day). Setting to 0 disables time synchronization. Default is 0.

sys-perf-log-interval <int>

Set the time in minutes between updates of performance statistics logging. Range: 1 - 15 minutes. 0 disables performance logging. Default is 5.

tcp-halfclose-timer <seconds>

Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. Range:  1 - 86400 seconds (1 day). Default is 120.

tcp-halfopen-timer <seconds>

Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded.Range:  1 - 86400 seconds (1 day). Default is 10.

tcp-option {enable | disable}

Enable SACK, timestamp and MSS TCP options. For normal operation, tcp-option should be enabled. Disable for performance testing or, in rare cases, where it impairs performance. Default is enable.

tcp-timewait-timer <seconds_int>

Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”. Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster which means more new sessions can be opened before the session limit is reached. Range: 0 - 300 seconds. Default is 1.

timezone <timezone_number>

The number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them. Default is 00, which is equivalent to GMT +12.

tp-mc-skip-policy {enable | disable}

Enable to allow skipping of the policy check, and to enable multicast traffic through. Default is disable. Multicasting (also called IP multicasting) is a technique for one-to-many and many-to-many real-time communication over an IP infrastructure in a network. Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers. can be used to send data to many receivers simultaneously while conserving bandwidth and reducing network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way data transmission for news feeds, financial information, and so on.

traffic-priority {tos | dscp}

Select Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Default is tos. For more information, see the Handbook's discussion of best practices for ToS and DSCP traffic mapping.

traffic-priority-level {low | medium | high}

Select the default system-wide level of priority for traffic prioritization. This determines the priority of traffic for scheduling, typically set on a per service type level. For more information, see system tos-based-priority  or system dscp-based-priority or the Traffic Shaping chapter in the Handbook. Default is medium.

two-factor-email-expiry <seconds_int>

Set the timeout period for email-based two-factor authentication. Two-factor email authentication sends a randomly generated six-digit numeric code to a specified email address. The recipient must enter that code when prompted and that code is only valid for the time period set by this command. Range:  30 - 300 seconds (5 minutes). Default is 60.

two-factor-fac-expiry <seconds_int>

Set the timeout period for FortiAuthenticator token authentication. A FortiAuthenticator provides RADIUS, LDAP and 802.1X wireless authentication, certificate management, and Fortinet Single Sign-on (FSSO). FortiAuthenticator is compatible with FortiToken to provide two-factor authentication with multiple FortiGates and third party devices. Range:  10 - 3600 seconds (1 hour). Default is 60.

two-factor-ftk-expiry <seconds_int>

Set the timeout period for FortiToken authentication. Range:  60 - 600 seconds (10 minutes). Default is 60. FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit authentication code. This code is entered with a user’s username and password as two-factor authentication. The code displayed changes at the end of the timeout period set by this command.

two-factor-ftm-expiry <hours_int>

Set the timeout period for FortiToken Mobile provision. Range: 1 - 168 hours (7 days). Default is 72. FortiToken Mobile performs much the same function as the FortiToken except the physical device is replaced by a mobile phone application and the timeout period is set in hours, not seconds.

two-factor-sms-expiry <seconds_int>

Set the timeout period for SMS-based two-factor authentication. Range 30 - 300 seconds. Default is 60. SMS two-factor authentication sends the token code in an SMS text message to the mobile device indicated when this user attempts to logon. This token code is valid only for the time period set by this command. SMS two-factor authentication has the benefit of not requiring email service before logging on. A potential issue is if the mobile service provider does not send the SMS text message before the life of the token expires.

udp-idle-timer <seconds>

Enter the number of seconds before an idle UDP connection times out. This command can be useful in managing unit CPU and memory resources. Range: 1 - 86400 seconds (1 day). Default is 180.

user-server-cert <cert_name>

Select the certificate to use for https user authentication. Default setting is Fortinet_Factory, if available, otherwise self-sign.

vdom-admin {enable | disable}

Enable/disable configuration of multiple virtual domains. Default is disable.

Once VDOMs are enabled, Security Profiles can be configured globally across multiple VDOMs. In many VDOM environments, some or all profiles may be commonly-shared, for example an MSSP with "parental controls" configured will most likely have the same Web Filtering and Application Control profiles per VDOM.

Configure Global profiles under the following config global commands:

  • antivirus profile
  • application list
  • dlp sensor
  • ips sensor
  • webfilter profile

Note: The name for any global profile must start with "g-" for identification. Global profiles are available as read-only for VDOM-level administrators, and can only be edited or deleted from within the global settings.

Each security feature has at least one default global profile, available for all VDOMs.

vip-arp-range {restricted |unlimited}

vip-arp-range controls the number of Address Resolution Protocol (ARP) packets the FortiGate unit sends for a Virtual IP (VIP) address range. Default is restricted.

  • restricted:  the FortiGate unit sends ARP packets for only the first 8192 addresses in a VIP range.
  • unlimited:  the FortiGate unit sends ARP packets for every address in the VIP range.

wad-worker-count <int>

Set the number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy and web caching is handled by all of the CPU cores in a FortiGate unit. You can use the wad-worker-count command to change the number of CPU cores that are used. Range: 0 to the number of CPU cores.

wifi-ca-certificate <ca_cert-name>

Select the CA certificate that verifies the WiFi certificate.

wifi-certificate <cert-name>

Select the certificate to use for WiFi authentication.

wimax-4g-usb {enable | disable}

Enable/disable access to a Worldwide Interoperability for Microwave Access (WiMAX) 4G USB device. FortiGate units support the use of wireless, 3G and 4G modems connected using the USB port or, if available, the express card slot. Modem access provides either primary or secondary (redundant) access to the Internet. For FortiGate units that do not include an internal modem (those units with an “M” designation), the modem interface will not appear in the web-based manager until enabled in the CLI. Default is disable.

wireless-controller {enable | disable}

Enable/disable the wireless (WiFi) daemon. Default is enable.

wireless-controller-port <port_int>

Select the port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one. Range: 1024 - 49150. Default is 5246.

system global

Use this command to configure global settings that affect FortiGate systems and configurations.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.3.

Command Description

set dnsproxy-worker-count <CPUs>

Set the number of CPUs that the DNS proxy process runs on. The default value is 2.

This command applies only to FortiGate devices with multiple CPUs.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set proxy-auth-timeout <minutes>

Unit of measurement has changed from seconds to minutes (with a new default of 10) in order to avoid repeat user authentication and ldap queries.

set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the global minimum SSL version that can be used by all SSL implementations on this FortiGate. You can override this minimum version for individual configurations.

The default value is TLSv1-2.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description
N/A

Security Profiles can now be configured globally across multiple VDOMs.

See the vdom-admin {enable | disable} entry below for more information.

set fortiguard-audit-result-submission {enable | disable}

Option has been removed and replaced with security-rating-result-submission (see table entry below).

set security-rating-result-submission {enable | disable}

set security-rating-run-on-schedule {enable | disable}

Enable or disable Security Rating results to be sent to FortiGuard, and enable (by default) or disable scheduled runs of Security Rating.

When schedule is enabled, Security Rating is run every four hours, or every one hour if a config change occurs.

set multi-factor-authentication {optional | mandatory}

Support for a global option to enforce all login methods to require an additional authentication factor, in order to comply with PCI 3.2.

Corrected the help text description.

set wad-source-affinity {enable | disable}

Modifies the wad-worker balancing algorithm to also use the source port in addition to source IP when distributing the client to a specific WAD daemon. With this in place, even the connections from one IP address will be balanced over all the WAD processes.
Attributes updated to allow 0 as the minimum value.

set virtual-server-count <integer>

Removed for FortiOS 6.0.

set virtual-server-hardware-acceleration {disable | enable}

Removed for FortiOS 6.0.

set proxy-re-authentication-mode {session | traffic | absolute}

Determine whether users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.

set proxy-auth-lifetime {enable | disable}

set proxy-auth-lifetime-timeout <minutes>

Enable or disable (by default) authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Once enabled, set the lifetime timeout in minutes. Set the range between 5-65535. The default is set to 480 (or 8 hours).

The timeout option is only available when proxy-auth-lifetime is set to enable. Once enabled, set the timeout in minutes for authenticated users.

set admin-restrict-local {enable | disable}

Enable or disable (by default) local administrator restriction options. Whenever any remote servers (TACACS, LDAP, or RADIUS) are up and running, any local admin authentication will be blocked. Local admins will be allowed access only if there are no remote servers detected.

set disk-usage {log | wanopt}

This option has been removed, but a similar option can be set under system storage.
config system global
    set language {option}   GUI display language.
            english     English.
            french      French.
            spanish     Spanish.
            portuguese  Portuguese.
            japanese    Japanese.
            trach       Traditional Chinese.
            simch       Simplified Chinese.
            korean      Korean.
    set gui-ipv6 {enable | disable}   Enable/disable IPv6 settings on the GUI.
    set gui-certificates {enable | disable}   Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
    set gui-custom-language {enable | disable}   Enable/disable custom languages in GUI.
    set gui-wireless-opensecurity {enable | disable}   Enable/disable wireless open security option on the GUI.
    set gui-display-hostname {enable | disable}   Enable/disable displaying the FortiGate's hostname on the GUI login page.
    set gui-lines-per-page {integer}   Number of lines to display per page for web administration. range[20-1000]
    set admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2}   Allowed TLS versions for web administration.
            tlsv1-0  TLS 1.0.
            tlsv1-1  TLS 1.1.
            tlsv1-2  TLS 1.2.
    set admintimeout {integer}   Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure. range[1-480]
    set admin-console-timeout {integer}   Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout. range[15-300]
    set ssd-trim-freq {option}   How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
            never    Never Run SSD Trim.
            hourly   Run SSD Trim Hourly.
            daily    Run SSD Trim Daily.
            weekly   Run SSD Trim Weekly.
            monthly  Run SSD Trim Monthly.
    set ssd-trim-hour {integer}   Hour of the day on which to run SSD Trim (0 - 23, default = 1). range[0-23]
    set ssd-trim-min {integer}   Minute of the hour on which to run SSD Trim (0 - 59, 60 for random). range[0-60]
    set ssd-trim-weekday {option}   Day of week to run SSD Trim.
            sunday     Sunday
            monday     Monday
            tuesday    Tuesday
            wednesday  Wednesday
            thursday   Thursday
            friday     Friday
            saturday   Saturday
    set ssd-trim-date {integer}   Date within a month to run ssd trim. range[1-31]
    set admin-concurrent {enable | disable}   Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
    set admin-lockout-threshold {integer}   Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration. range[1-10]
    set admin-lockout-duration {integer}   Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts. range[1-2147483647]
    set refresh {integer}   Statistics refresh interval in GUI. range[0-4294967295]
    set interval {integer}   Dead gateway detection interval. range[0-4294967295]
    set failtime {integer}   Fail-time for server lost. range[0-4294967295]
    set daily-restart {enable | disable}   Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
    set restart-time {string}   Daily restart time (hh:mm).
    set radius-port {integer}   RADIUS service port number. range[1-65535]
    set admin-login-max {integer}   Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100) range[1-100]
    set remoteauthtimeout {integer}   Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout). range[1-300]
    set ldapconntimeout {integer}   Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500). range[1-300000]
    set batch-cmdb {enable | disable}   Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
    set max-dlpstat-memory {integer}   Maximum DLP stat memory (0 - 4294967295).
    set multi-factor-authentication {optional | mandatory}   Enforce all login methods to require an additional authentication factor (default = optional).
            optional   Do not enforce all login methods to require an additional authentication factor (controlled by user settings).
            mandatory  Enforce all login methods to require an additional authentication factor.
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}   Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
            SSLv3    SSLv3.
            TLSv1    TLSv1.
            TLSv1-1  TLSv1.1.
            TLSv1-2  TLSv1.2.
    set dst {enable | disable}   Enable/disable daylight saving time.
    set timezone {option}   Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
            01  (GMT-11:00) Midway Island, Samoa
            02  (GMT-10:00) Hawaii
            03  (GMT-9:00) Alaska
            04  (GMT-8:00) Pacific Time (US & Canada)
            05  (GMT-7:00) Arizona
            81  (GMT-7:00) Baja California Sur, Chihuahua
            06  (GMT-7:00) Mountain Time (US & Canada)
            07  (GMT-6:00) Central America
            08  (GMT-6:00) Central Time (US & Canada)
            09  (GMT-6:00) Mexico City
            10  (GMT-6:00) Saskatchewan
            11  (GMT-5:00) Bogota, Lima,Quito
            12  (GMT-5:00) Eastern Time (US & Canada)
            13  (GMT-5:00) Indiana (East)
            74  (GMT-4:00) Caracas
            14  (GMT-4:00) Atlantic Time (Canada)
            77  (GMT-4:00) Georgetown
            15  (GMT-4:00) La Paz
            87  (GMT-4:00) Paraguay
            16  (GMT-3:00) Santiago
            17  (GMT-3:30) Newfoundland
            18  (GMT-3:00) Brasilia
            19  (GMT-3:00) Buenos Aires
            20  (GMT-3:00) Nuuk (Greenland)
            75  (GMT-3:00) Uruguay
            21  (GMT-2:00) Mid-Atlantic
            22  (GMT-1:00) Azores
            23  (GMT-1:00) Cape Verde Is.
            24  (GMT) Monrovia
            80  (GMT) Greenwich Mean Time
            79  (GMT) Casablanca
            25  (GMT) Dublin, Edinburgh, Lisbon, London
            26  (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
            27  (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
            28  (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
            78  (GMT+1:00) Namibia
            29  (GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb
            30  (GMT+1:00) West Central Africa
            31  (GMT+2:00) Athens, Sofia, Vilnius
            32  (GMT+2:00) Bucharest
            33  (GMT+2:00) Cairo
            34  (GMT+2:00) Harare, Pretoria
            35  (GMT+2:00) Helsinki, Riga, Tallinn
            36  (GMT+2:00) Jerusalem
            37  (GMT+3:00) Baghdad
            38  (GMT+3:00) Kuwait, Riyadh
            83  (GMT+3:00) Moscow
            84  (GMT+3:00) Minsk
            40  (GMT+3:00) Nairobi
            85  (GMT+3:00) Istanbul
            41  (GMT+3:30) Tehran
            42  (GMT+4:00) Abu Dhabi, Muscat
            43  (GMT+4:00) Baku
            39  (GMT+3:00) St. Petersburg, Volgograd
            44  (GMT+4:30) Kabul
            46  (GMT+5:00) Islamabad, Karachi, Tashkent
            47  (GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi
            51  (GMT+5:30) Sri Jayawardenepara
            48  (GMT+5:45) Kathmandu
            45  (GMT+5:00) Ekaterinburg
            49  (GMT+6:00) Almaty, Novosibirsk
            50  (GMT+6:00) Astana, Dhaka
            52  (GMT+6:30) Rangoon
            53  (GMT+7:00) Bangkok, Hanoi, Jakarta
            54  (GMT+7:00) Krasnoyarsk
            55  (GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk
            56  (GMT+8:00) Ulaan Bataar
            57  (GMT+8:00) Kuala Lumpur, Singapore
            58  (GMT+8:00) Perth
            59  (GMT+8:00) Taipei
            60  (GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
            62  (GMT+9:30) Adelaide
            63  (GMT+9:30) Darwin
            61  (GMT+9:00) Yakutsk
            64  (GMT+10:00) Brisbane
            65  (GMT+10:00) Canberra, Melbourne, Sydney
            66  (GMT+10:00) Guam, Port Moresby
            67  (GMT+10:00) Hobart
            68  (GMT+10:00) Vladivostok
            69  (GMT+10:00) Magadan
            70  (GMT+11:00) Solomon Is., New Caledonia
            71  (GMT+12:00) Auckland, Wellington
            72  (GMT+12:00) Fiji, Kamchatka, Marshall Is.
            00  (GMT+12:00) Eniwetok, Kwajalein
            82  (GMT+12:45) Chatham Islands
            73  (GMT+13:00) Nuku'alofa
            86  (GMT+13:00) Samoa
            76  (GMT+14:00) Kiritimati
    set traffic-priority {tos | dscp}   Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
            tos   IP TOS.
            dscp  DSCP (DiffServ) DS.
    set traffic-priority-level {low | medium | high}   Default system-wide level of priority for traffic prioritization.
            low     Low priority.
            medium  Medium priority.
            high    High priority.
    set anti-replay {disable | loose | strict}   Level of checking for packet replay and TCP sequence checking.
            disable  Disable anti-replay check.
            loose    Loose anti-replay check.
            strict   Strict anti-replay check.
    set send-pmtu-icmp {enable | disable}   Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.
    set honor-df {enable | disable}   Enable/disable honoring of Don't-Fragment (DF) flag.
    set revision-image-auto-backup {enable | disable}   Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
    set revision-backup-on-logout {enable | disable}   Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
    set management-vdom {string}   Management virtual domain name. size[31] - datasource(s): system.vdom.name
    set hostname {string}   FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters. size[35]
    set alias {string}   Alias for your FortiGate unit. size[35]
    set strong-crypto {enable | disable}   Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.
    set ssh-cbc-cipher {enable | disable}   Enable/disable CBC cipher for SSH access.
    set ssh-hmac-md5 {enable | disable}   Enable/disable HMAC-MD5 for SSH access.
    set ssh-kex-sha1 {enable | disable}   Enable/disable SHA1 key exchange for SSH access.
    set ssl-static-key-ciphers {enable | disable}   Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
    set snat-route-change {enable | disable}   Enable/disable the ability to change the static NAT route.
    set cli-audit-log {enable | disable}   Enable/disable CLI audit log.
    set dh-params {option}   Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
            1024  1024 bits.
            1536  1536 bits.
            2048  2048 bits.
            3072  3072 bits.
            4096  4096 bits.
            6144  6144 bits.
            8192  8192 bits.
    set fds-statistics {enable | disable}   Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
    set fds-statistics-period {integer}   FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60). range[1-1440]
    set multicast-forward {enable | disable}   Enable/disable multicast forwarding.
    set mc-ttl-notchange {enable | disable}   Enable/disable no modification of multicast TTL.
    set asymroute {enable | disable}   Enable/disable asymmetric route.
    set tcp-option {enable | disable}   Enable SACK, timestamp and MSS TCP options.
    set lldp-transmission {enable | disable}   Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
    set proxy-auth-timeout {integer}   Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10). range[1-300]
    set proxy-re-authentication-mode {session | traffic | absolute}   Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
            session   Proxy re-authentication timeout begins at the closure of the session.
            traffic   Proxy re-authentication timeout begins after traffic has not been received.
            absolute  Proxy re-authentication timeout begins when the user was first created.
    set proxy-auth-lifetime {enable | disable}   Enable/disable authenticated users lifetime control.  This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
    set proxy-auth-lifetime-timeout {integer}   Lifetime timeout in minutes for authenticated users (5  - 65535 min, default=480 (8 hours)). range[5-65535]
    set sys-perf-log-interval {integer}   Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled). range[0-15]
    set check-protocol-header {loose | strict}   Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
            loose   Check protocol header loosely.
            strict  Check protocol header strictly.
    set vip-arp-range {unlimited | restricted}   Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
            unlimited   Send ARPs for all addresses in VIP range.
            restricted  Send ARPs for the first 8192 addresses in VIP range.
    set reset-sessionless-tcp {enable | disable}   Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
    set allow-traffic-redirect {enable | disable}   Disable to allow traffic to be routed back on a different interface.
    set strict-dirty-session-check {enable | disable}   Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
    set tcp-halfclose-timer {integer}   Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120). range[1-86400]
    set tcp-halfopen-timer {integer}   Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10). range[1-86400]
    set tcp-timewait-timer {integer}   Length of the TCP TIME-WAIT state in seconds. range[0-300]
    set udp-idle-timer {integer}   UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60). range[1-86400]
    set block-session-timer {integer}   Duration in seconds for blocked sessions (1 - 300 sec  (5 minutes), default = 30). range[1-300]
    set ip-src-port-range {string}   IP source port range used for traffic originating from the FortiGate unit.
    set pre-login-banner {enable | disable}   Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
    set post-login-banner {disable | enable}   Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
    set tftp {enable | disable}   Enable/disable TFTP.
    set av-failopen {pass | off | one-shot}   Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
            pass      Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
            off       Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
            one-shot  Bypass the antivirus system when memory is low.
    set av-failopen-session {enable | disable}   When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
    set memory-use-threshold-extreme {integer}   Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95). range[70-97]
    set memory-use-threshold-red {integer}   Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88). range[70-97]
    set memory-use-threshold-green {integer}   Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82). range[70-97]
    set cpu-use-threshold {integer}   Threshold at which CPU usage is reported. (% of total CPU, default = 90). range[50-99]
    set check-reset-range {strict | disable}   Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
            strict   Check RST range strictly.
            disable  Disable RST range check.
    set vdom-admin {enable | disable}   Enable/disable support for multiple virtual domains (VDOMs).
    set long-vdom-name {enable | disable}   Enable/disable long VDOM name support.
    set admin-port {integer}   Administrative access port for HTTP. (1 - 65535, default = 80). range[1-65535]
    set admin-sport {integer}   Administrative access port for HTTPS. (1 - 65535, default = 443). range[1-65535]
    set admin-https-redirect {enable | disable}   Enable/disable redirection of HTTP administration access to HTTPS.
    set admin-hsts-max-age {integer}   HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0. range[0-2147483647]
    set admin-ssh-password {enable | disable}   Enable/disable password authentication for SSH admin access.
    set admin-restrict-local {enable | disable}   Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
    set admin-ssh-port {integer}   Administrative access port for SSH. (1 - 65535, default = 22). range[1-65535]
    set admin-ssh-grace-time {integer}   Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120). range[10-3600]
    set admin-ssh-v1 {enable | disable}   Enable/disable SSH v1 compatibility.
    set admin-telnet-port {integer}   Administrative access port for TELNET. (1 - 65535, default = 23). range[1-65535]
    set admin-maintainer {enable | disable}   Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.
    set admin-server-cert {string}   Server certificate that the FortiGate uses for HTTPS administrative connections. size[35] - datasource(s): certificate.local.name
    set user-server-cert {string}   Certificate to use for https user authentication. size[35] - datasource(s): certificate.local.name
    set admin-https-pki-required {enable | disable}   Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
    set wifi-certificate {string}   Certificate to use for WiFi authentication. size[35] - datasource(s): certificate.local.name
    set wifi-ca-certificate {string}   CA certificate that verifies the WiFi certificate. size[35] - datasource(s): certificate.ca.name
    set auth-http-port {integer}   User authentication HTTP port. (1 - 65535, default = 80). range[1-65535]
    set auth-https-port {integer}   User authentication HTTPS port. (1 - 65535, default = 443). range[1-65535]
    set auth-keepalive {enable | disable}   Enable to prevent user authentication sessions from timing out when idle.
    set policy-auth-concurrent {integer}   Number of concurrent firewall use logins from the same user (1 - 100, default = 0 means no limit). range[0-100]
    set auth-session-limit {block-new | logout-inactive}   Action to take when the number of allowed user authenticated sessions is reached.
            block-new        Block new user authentication attempts.
            logout-inactive  Logout the most inactive user authenticated sessions.
    set auth-cert {string}   Server certificate that the FortiGate uses for HTTPS firewall authentication connections. size[35] - datasource(s): certificate.local.name
    set clt-cert-req {enable | disable}   Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
    set fortiservice-port {integer}   FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port. range[1-65535]
    set endpoint-control-portal-port {integer}   Endpoint control portal port (1 - 65535). range[1-65535]
    set endpoint-control-fds-access {enable | disable}   Enable/disable access to the FortiGuard network for non-compliant endpoints.
    set tp-mc-skip-policy {enable | disable}   Enable/disable skip policy check and allow multicast through.
    set cfg-save {automatic | manual | revert}   Configuration file save mode for CLI changes.
            automatic  Automatically save config.
            manual     Manually save config.
            revert     Manually save config and revert the config when timeout.
    set cfg-revert-timeout {integer}   Time-out for reverting to the last saved configuration. range[10-4294967295]
    set reboot-upon-config-restore {enable | disable}   Enable/disable reboot of system upon restoring configuration.
    set admin-scp {enable | disable}   Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
    set security-rating-result-submission {enable | disable}   Enable/disable the submission of Security Rating results to FortiGuard.
    set security-rating-run-on-schedule {enable | disable}   Enable/disable scheduled runs of Security Rating.
    set wireless-controller {enable | disable}   Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
    set wireless-controller-port {integer}   Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246). range[1024-49150]
    set fortiextender-data-port {integer}   FortiExtender data port (1024 - 49150, default = 25246). range[1024-49150]
    set fortiextender {enable | disable}   Enable/disable FortiExtender.
    set fortiextender-vlan-mode {enable | disable}   Enable/disable FortiExtender VLAN mode.
    set switch-controller {disable | enable}   Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
    set switch-controller-reserved-network {ipv4 classnet}   Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
    set dnsproxy-worker-count {integer}   DNS proxy worker count. range[1-64]
    set proxy-worker-count {integer}   Proxy worker count. range[0-64]
    set scanunit-count {integer}   Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. range[0-64]
    set proxy-kxp-hardware-acceleration {disable | enable}   Enable/disable using the content processor to accelerate KXP traffic.
    set proxy-cipher-hardware-acceleration {disable | enable}   Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic.
    set fgd-alert-subscription {option}   Type of alert to retrieve from FortiGuard.
            advisory          Retrieve FortiGuard advisories, report and news alerts.
            latest-threat     Retrieve latest FortiGuard threats alerts.
            latest-virus      Retrieve latest FortiGuard virus alerts.
            latest-attack     Retrieve latest FortiGuard attack alerts.
            new-antivirus-db  Retrieve FortiGuard AV database release alerts.
            new-attack-db     Retrieve FortiGuard IPS database release alerts.
    set ipsec-hmac-offload {enable | disable}   Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
    set ipv6-accept-dad {integer}   Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD). range[0-2]
    set ipv6-allow-anycast-probe {enable | disable}   Enable/disable IPv6 address probe through Anycast.
    set csr-ca-attribute {enable | disable}   Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
    set wimax-4g-usb {enable | disable}   Enable/disable comparability with WiMAX 4G USB devices.
    set cert-chain-max {integer}   Maximum number of certificates that can be traversed in a certificate chain. range[1-2147483647]
    set sslvpn-max-worker-count {integer}   Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model. range[0-64]
    set sslvpn-kxp-hardware-acceleration {enable | disable}   Enable/disable SSL VPN KXP hardware acceleration.
    set sslvpn-cipher-hardware-acceleration {enable | disable}   Enable/disable SSL VPN hardware acceleration.
    set sslvpn-plugin-version-check {enable | disable}   Enable/disable checking browser's plugin version by SSL VPN.
    set two-factor-ftk-expiry {integer}   FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60). range[60-600]
    set two-factor-email-expiry {integer}   Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60). range[30-300]
    set two-factor-sms-expiry {integer}   SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60). range[30-300]
    set two-factor-fac-expiry {integer}   FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60). range[10-3600]
    set two-factor-ftm-expiry {integer}   FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72). range[1-168]
    set per-user-bwl {enable | disable}   Enable/disable per-user black/white list filter.
    set virtual-server-count {integer}   Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs. range[0-64]
    set virtual-server-hardware-acceleration {disable | enable}   Enable/disable virtual server hardware acceleration.
    set wad-worker-count {integer}   Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit. range[0-64]
    set wad-csvc-cs-count {integer}   Number of concurrent WAD-cache-service object-cache processes. range[1-1]
    set wad-csvc-db-count {integer}   Number of concurrent WAD-cache-service byte-cache processes. range[0-64]
    set wad-source-affinity {disable | enable}   Enable/disable dispatching traffic to WAD workers based on source affinity.
    set login-timestamp {enable | disable}   Enable/disable login time recording.
    set miglogd-children {integer}   Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed. range[0-15]
    set special-file-23-support {disable | enable}   Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
    set log-uuid {disable | policy-only | extended}   Whether UUIDs are added to traffic logs. You can disable UUIDs, add firewall policy UUIDs to traffic logs, or add all UUIDs to traffic logs.
            disable      Disable UUID in traffic log
            policy-only  Enable only policy UUID in traffic log.
            extended     Enable all UUIDs in traffic log.
    set log-ssl-connection {enable | disable}   Enable/disable logging of SSL connection events.
    set arp-max-entry {integer}   Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072). range[131072-2147483647]
    set av-affinity {string}   Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). size[79]
    set wad-affinity {string}   Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). size[79]
    set ips-affinity {string}   Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). size[79]
    set miglog-affinity {string}   Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). size[19]
    set ndp-max-entry {integer}   Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). range[65536-2147483647]
    set br-fdb-max-entry {integer}   Maximum number of bridge forwarding database (FDB) entries. range[8192-2147483647]
    set max-route-cache-size {integer}   Maximum number of IP route cache entries (0 - 2147483647). range[0-2147483647]
    set ipsec-asic-offload {enable | disable}   Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
    set ipsec-soft-dec-async {enable | disable}   Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
    set device-idle-timeout {integer}   Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300). range[30-31536000]
    set device-identification-active-scan-delay {integer}   Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90). range[20-3600]
    set compliance-check {enable | disable}   Enable/disable global PCI DSS compliance check.
    set compliance-check-time {time}   Time of day to run scheduled PCI DSS compliance checks.
    set gui-device-latitude {string}   Add the latitude of the location of this FortiGate to position it on the Threat Map. size[19]
    set gui-device-longitude {string}   Add the longitude of the location of this FortiGate to position it on the Threat Map. size[19]
    set private-data-encryption {disable | enable}   Enable/disable private data encryption using an AES 128-bit key.
    set auto-auth-extension-device {enable | disable}   Enable/disable automatic authorization of dedicated Fortinet extension devices.
    set gui-theme {option}   Color scheme for the administration GUI.
            green      Green theme.
            red        Red theme.
            blue       Light blue theme.
            melongene  Melongene theme (eggplant color).
            mariner    Mariner theme (dark blue color).
    set gui-date-format {option}   Default date format used throughout GUI.
            yyyy/MM/dd  Year/Month/Day.
            dd/MM/yyyy  Day/Month/Year.
            MM/dd/yyyy  Month/Day/Year.
            yyyy-MM-dd  Year-Month-Day.
            dd-MM-yyyy  Day-Month-Year.
            MM-dd-yyyy  Month-Day-Year.
    set igmp-state-limit {integer}   Maximum number of IGMP memberships (96 - 64000, default = 3200). range[96-128000]
end

Additional information

The following section is for those options that require additional explanation.

admin-concurrent {enable | disable}

Enable/disable to allow concurrent administrator logins. Default is enable. Use policy-auth-concurrent for firewall authenticated users.

admin-console-timeout <secs_int>

Specify a console login timeout that overrides the admintimeout value. Range:  15 - 300 seconds (15 seconds to 5 minutes). Zero value disables the timeout. Default is 0.

admin-https-pki-required {enable | disable}

Specify admin login method for HTTPS login. Default is disable.

  • enable:  allows admin user to log in by providing a valid certificate if PKI is enabled for HTTPS administrative access.
  • disable:  allows admin users to log in by providing a valid certificate or password.

admin-https-redirect {enable | disable}

Enable/disable redirection of HTTP administration access to HTTPS. Not available on low-crypto FortiGates. Default is disable.

admin-https-ssl-versions {tlsv1-0 | tlsv1-1 | tlsv1-2}

Specify allowed SSL/TLS versions for web administration. Default is tlsv1-1 tlsv1-2.

admin-lockout-duration <time_int>

Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts will enable the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout. Default is 60.

admin-lockout-threshold <failed_int>

Set the number of failed attempts before the account is locked out for the admin-lockout-duration. Default is . Default is 3.

admin-login-max <int>

Set the maximum number administrators who can be logged in at same time. Range: 1 - 100. Default is 80.

admin-maintainer {enable | disable}

Enable/disable hidden maintainer user login. Default is enable. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.

admin-port <port_number>

Specify the administrative access port for HTTP. Range:  1 - 65535. Default is 80.

admin-scp {enable | disable}

Enable/disable the ability to backup and restore the FortiGate configuration and install firmware upgrades using Secure Copy Protocol (SCP).

To use SCP, on the FortiGate you must enable SCP  and enable SSH administrative acces on an interfacee. Then from a management PC runing SCP client software, you can enter SCP commands to backup and restore configuration files and upgrade FortiOS firmware. The SCP commands must include

note icon The SCP commands must use a FortiGate administrator account with the super_admin access profile. When entering SCP commands from a management PC, use sys_conf as the configuration file name.

For more information, see How to download/upload a FortiGate configuration file using secure file copy (SCP).

Examples

On a PC running linux, use the following command to backup the FortiGate configuration file to ~/config. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

scp admin@172.20.120.171:fgt-config ~/config

Enter the admin password when prompted.

On a PC running Windows, use the following command to backup the FortiGate configuration file to c:\config. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

pscp admin@172.20.120.171:fgt-config c:\config

Enter the admin password when prompted.

On a PC running linux, use the following command to restore the FortiGate configuration using a file named backup-nov2018. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

scp backup-nov2018 admin@172.20.120.171:fgt-restore-config

Enter the admin password when prompted.

On a PC running Windows, use the following command to restore the FortiGate configuration using a file named backup-nov2018.txt. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

pscp backup-nov2018.txt admin@172.20.120.171:fgt-restore-config

Enter the admin password when prompted.

On a PC running linux, use the following command to upgrade the FortiGate firmware using a firmware image file named fgt-image-v6.0.3.out. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

scp fgt-image-v6.0.3.out admin@172.20.120.171:fgt-image

Enter the admin password when prompted.

On a PC running WIndows, use the following command to upgrade the FortiGate firmware using a firmware image file named fgt-image-v6.0.3.out. This command uses the FortiGate admin administrator account and connects to a FortiGate interface with IP address 172.20.120.171.

pscp fgt-image-v6.0.3.out admin@172.20.120.171:fgt-image

Enter the admin password when prompted.

admin-server-cert {self-sign | <certificate>}

Identify the admin HTTPS server certificate to use. Default is self-sign.

admin-sport <port_number>

Specify the administrative access port for HTTPS. Range:  1 - 65535. Default is 443.

admin-ssh-grace-time <time_int>

Specify the maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating. Range: 10 - 3600 seconds (10 seconds to one hour). Default is 120.

admin-ssh-password {enable | disable}

Enable/disable password authentication for SSH admin access. Default is enable.

admin-ssh-port <port_number>

Specify the administrative access port for SSH. Range:  1 - 65535. Default is 22.

admin-ssh-v1 {enable | disable}

Enable/disable Secure Shell (SSH) version 1 compatibility. Default is disable.

admin-telnet-port <port_number>

Specify the administrative access port for TELNET. Range: 1 - 65535. Default is 23.

admintimeout <admin_timeout_minutes>

Specify the number of minutes before an idle administrator times out. The maximum admintimeout interval is 480 minutes (8 hours). Default is 5. To improve security keep the idle timeout at the default value.

alias <alias_str>

Identify an alias for your FortiGate unit.

allow-traffic-redirect {enable | disable}

Enable/ disable allow traffic redirect. Default is enable. Under some conditions, it is undesirable to have traffic routed back on the same interface. In that case, set allow-traffic-redirect to disable.

anti-replay {disable | loose | strict}

Specify the level of checking for packet replay and TCP sequence checking (or TCP Sequence number checking). Default is strict. FortiGate units use TCP sequence checking to make sure that a packet is part of a TCP session. By default, if a packet is received with sequence numbers that fall out of the expected range, the FortiGate unit drops the packet. This is normally a desired behavior, since it means that the packet is invalid. But in some cases you may want to configure different levels of anti-replay checking if some of your network equipment uses non-RFC methods when sending packets.

  • disable:  no anti-replay protection.
  • loose:  perform packet sequence checking and ICMP anti-replay checking with the following criteria:
  • the SYN, FIN, and RST bit can not appear in the same packet.
  • the FortiGate unit does not allow more than 1 ICMP error packet to go through the FortiGate unit before it receives a normal TCP or UDP packet.
  • If the FortiGate unit receives an RST packet, and check-reset-range is set to strict the FortiGate unit checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect.
  • strict:  performs all of the loose checking but for each new session also checks to determine of the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value for each new session. Strict anti-replay checking can also help prevent SYN flooding.

If any packet fails a check it is dropped. If loginvalid-packet is set to enable, a log message is written for each packet that fails a check.

arp-max-entry <int>

Specify the maximum number of dynamically learned MAC addresses that can be added to the ARP table. Range:  131072 - 2147483647. If set to 0, kernel holds 131072 entries. Default is 0.

auth-cert <cert-name>

Identify the HTTPS server certificate for policy authentication. Default is self-sign. Self-sign is the built-in certificate but others will be listed as you add them.

auth-http-port <http_port>

Set the HTTP authentication port. Range: 1 - 65535. Default is 1000.

auth-https-port <https_port>

Set the HTTPS authentication port. Range: 1 - 65535. Default is 1003.

auth-keepalive {enable | disable}

Enable to extend the session's authentication time to prevent an idle timeout. Default is disable.

auto-auth-extension-device {enable | disable}

Enable/disable automatic authorization of dedicated Fortinet extension device globally. Default is enable.

av-failopen {off | one-shot | pass}

Set the action to take if the unit is running low on memory or the proxy connection limit has been reached. Default is pass.

  • off:  stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
  • one-shot:  bypass the antivirus system when memory is low. You must enter off or pass to restart antivirus scanning.
  • pass:  bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.

av-failopen-session {enable | disable}

When enabled and a protocol's proxy runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Default is disable.

batch-cmdb {enable | disable}

Enable/disable batch mode to execute in CMDB server. Batch mode is used to enter a series of commands that will execute as a group once they are loaded. Default is enable.

block-session-timer <int>

Set the time duration in seconds for blocked or denied sessions to remain in the session table. Range:  1 - 300 seconds (1 second to 5 minutes).  Default is 30.

For this option to be effective, enable the sess-denied-traffic system setting (see ses-denied-traffic {enable | disable} for details). Keeping denied sessions in the session table longer can reduce CPU usage. However, each session in the session table uses sytem memory. So you may want to adjust this timer for optimum performance.

br-fdb-max-entry <int>

Specify the maximum number of bridge forwarding database (FDB) entries. Used when operating in Transparent mode, the FDB (or MAC) table is used by a Layer 2 device (switch/bride) to store MAC addresses that have been learned and the ports that each MAC address was learned on. If the FDB has a large number of entries, performance may be impacted. Range:  8192 - 2147483647. If set to 0, kernel holds 8192 entries. Default is 0.

cert-chain-max <int>

Set the maximum number of certificates that can be traversed in a certificate chain. The list of certificates, from the root certificate to the end-user certificate, represents the certificate chain. Default is 8.

cfg-save {automatic | manual | revert}

Specify the configuration file save mode for changes made using the CLI. Default is automatic.

  • automatic:  automatically save the configuration after every change.
  • manual:  manually save the configuration using the execute cfg save command.
  • revert:  manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.

Switching to automatic mode disconnects your session. This command is used as part of the runtime-only configuration mode.

check-protocol-header {loose | strict}

Select the level of checking performed on protocol headers. Default is loose.

  • loose:  the FortiGate unit performs basic header checking to verify that a packet is part of a session and should be processed. Basic header checking includes verifying that the layer- 4 protocol header length, the IP header length, the IP version, the IP checksum, IP options are correct, etc.
  • strict:  the FortiGate unit does the same checking as above plus it verifies that ESP packets have the correct sequence number, SPI, and data length. Note: this setting disables hardware acceleration.

If the packet fails header checking it is dropped by the FortiGate unit and logged if log-invalid-packet is enabled.

check-reset-range {disable | strict}

Configure ICMP error message verification. Default is disable.

  • disable:  the FortiGate unit does not validate ICMP error messages.
  • strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) |TCP(C,D) header and if FortiOS can locate the A:C->B:D session, it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range, then the ICMP packet is dropped. If log-invalid-packet is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets

cli-audit-log {enable | disable}

Enable/disable CLI audit log. Default is disable.

clt-cert-req {enable | disable}

Enable/disable requirement for a client certificate before administrator logs in via GUI using HTTPS. Default is disable.

compliance-check {enable | disable}

Enable/disable global PCI DSS compliance check. Default is enable.

compliance-check-time <HH:MM:SS>

Specify the PCI DSS compliance check time. Default is 00:00:00 .

csr-ca-attribute {enable | disable}

Enable/disable the use of CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute. Default is enable.

daily restart {enable | disable}

Enable/disable daily restart of FortiGate unit. Default is disable. The time of the restart is controlled by restart-time.

device-identification-active-scan-delay <int>

Indicate how many seconds to passively scan a device before performing an active scan. Range: 20 - 3600 seconds (20 seconds to 1 hour). Default is 90.

device-idle-timeout <int>

Specify time in seconds that a device must be idle in order to automatically log user out. Range: 30 - 31536000 seconds (30 seconds to 1 year). Default is 300.

dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}

Minimum size, in bits, of the prime number used in Diffie-Hellman key exchange for HTTPS/SSH protocols. Default is 2048.

disk-usage {log | wanopt}

Specify whether to use hard disk or WAN Optimization for logging. Default is log.

dnsproxy-worker-count

Set the number of CPUs that the DNS proxy process runs on. This enables you to improve DNS proxy performance on FortiGate units with multiple CPUs. The range of CPU values is 1 to the number of CPUs available on the FortiGate device. The default value is 2.

This command applies to FortiGate units with multiple CPUs.

dst {enable | disable}

Enable/disable daylight saving time. Default is enable.

endpoint-control-fds-access {enable | disable}

Enable/disable access to FortiGuard network for non-compliant endpoints. Default is enable.

endpoint-control-portal-port

Specify the endpoint control portal port. Range: 1 - 65535. Default is 8009.

proxy-auth-timeout <minutes>

Specify authentication timeout in minutes for idle sessions in explicit web proxy. Default is 10.

fds-statistics {enable | disable}

Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. Default is enable.

fds-statistics-period <int>

Indicate the FortiGuard statistics update period in minutes. Range:  1 - 1440 minutes (1 minute to 24 hours). Default is 60.

fgd-alert-subscription {advisory | latest-threat | latest-virus | latest-attack | new-antivirus-db | new-attack-db}

Specify the type of alert to retrieve from FortiGuard.

  • advisory: retrieves FortiGuard advisories, report, and news alerts.
  • latest-threat:  retrieves latest FortiGuard threat alerts.
  • latest-virus:  retrieves latest FortiGuard virus alerts.
  • latest-attack:  retrieves latest FortiGuard attack alerts.
  • new-antivirus-db:  retrieves latest FortiGuard antivirus database release alerts.
  • new attack-db:  retrieves latest FortiGuard IPS database release  alerts.

fortiextender {enable | disable}

Enable/disable FortiExtender controller. Default is disable.

fortiextender-data-port <port_int>

Specify Fortiextender controller data port. Range: 1024 - 49150. Default is 25246.

fortiservice-port <port_int>

Specify the FortiService port number. Default is 8013.

gui-certificates {enable | disable}

Enable/disable certificate configuration in GUI. Default is enable.

gui-custom-language {enable | disable}

Enable/disable custom languages in GUI. Default is disable.

gui-device-latitude <string>

Identify the latitude coordinate of your FortiGate.

gui-device-longitude <string>

Identify the longitude coordinate of your FortiGate.

gui-display-hostname {enable | disable}

Enable/disable display of hostname on GUI login page. Default is disable.

gui-ipv6 {enable | disable}

Enable/disable IPv6 settings in GUI. Default is disable.

gui-lines-per-page <gui_lines>

Specify number of lines to display per page for web administration. Default is 50.

gui-theme {green | red | blue | melongene | mariner}

Select color scheme to use for the administration GUI. Default is green.

gui-wireless-opensecurity {enable | disable}

Enable/disable wireless open security option in GUI. Default is disable.

honor-df {enable | disable}

Enable/disable honoring of Don't-Fragment (DF) flag. The DF flag instructs routers that would normally fragment a packet that is too large for a link's MTU (and potentially deliver it out of order due to that fragmentation) to instead drop the packet and return an ICMP Fragmentation Needed packet, allowing the sending host to account for the lower MTU on the path to the destination host. Default is enable.

hostname <unithostname>

Specify FortiGate unit hostname. Default is FortiGate serial number.

A hostname can only include letters, numbers, hyphens, and underlines. No spaces allowed.

While the hostname can be longer than 24 characters, if it is longer than 24 characters it will be truncated by a "~". The trailing 3-characters preceded by the "~" truncation character and the first N-3 characters are shown. This shortened hostname will be displayed in the CLI, and other locations the hostname is used. Some models support hostnames up to 35 characters

ip-src-port-range <start_port>-<end_port>

Specify the IP source port range used for traffic originating from the FortiGate unit. Range:  1 - 65535. Default is 1024 - 25000. You can use this setting to avoid problems with networks that block some ports, such as FDN ports.

ips-affinity <string>

Affinity setting for IPS (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).

ipsec-asic-offload {enable | disable}

Enable/disable application-specific integrated circuit (ASIC) offload for IPsec VPN.  You can use this command to disable using ASIC offloading to accelerate IPsec Diffie-Hellman key exchange for IPsec ESP traffic. By default hardware offloading is used. For debugging purposes or other reasons you may want this function to be processed by software. Default is enable.

ipsec-hmac-offload {disable | enable}

Enable/disable offload keyed-hashing for message authentication (HMAC) to hardware for IPsec VPN. Default is enable.

ipv6-accept-dad {0 | 1 | 2}

Enable/disable acceptance of IPv6 DAD (Duplicate Address Detection).   0: Disable DAD; 1: Enable DAD (default); 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.

language <string>

Identify the GUI display language. set language ? lists available languages. trach  = Traditional Chinese. simch = Simplified Chinese. Default is english.

ldapconntimeout  <integer>

LDAP connection time-out in milliseconds. Range: 0 - 4294967295.

lldp-transmission {enable | disable}

Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Default is disable.

log-uuid {disable | policy-only | extended}

Universally Unique Identifier (UUID) log option. Default is policy-only.

login-timestamp {enable | disable}

Enable/disable login time recording. Default is disable.

management-vdom <domain>

Management virtual domain name. Default is root.

max-route-cache-size <int>

Specify the maximum number of IP route cache entries. Range:  0 - 2 147483647. Default is 0.

miglog-affinity

Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).

miglogd-children <int>

Specify the number of miglogd processes to run. A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased. If you are suffering from performance issues, you can alter the number of logging daemon child processes. Range: 0 - 15. Default is 0.

ndp-max-entry <int>

Specify the maximum number of Neighbor Discovery Protocol (NDP) table entries. Set to 65,536 or higher; if set to 0, kernel holds 65,536 entries. Default is 0. Specify the maximum number of Neighbor Discovery Protocol (NDP) table entries. Set to 65,536 or higher; if set to 0, kernel holds 65,536 entries. Default is 0.

optimize {antivirus}

DO NOT USE THIS COMMAND. It was originally added to early NP4 platforms but is no longer supported.

phase1-rekey {enable | disable}

Enable/disable rekeying between Internet Key Exchange (IKE) peers before the phase 1 keylife expires. Default is enable.

policy-auth-concurrent <limit_int>

Limit the number of concurrent logins from the same user. Range: 1 - 100. Default is 0 and means no limit.

post-login-banner {enable | disable}

Enable/disable to display the admin access disclaimer message after successful login. Default is disable.

pre-login-banner {enable | disable}

Enable/disable to display the admin access disclaimer prior to login. Default is disable.

private-data-encryption {enable | disable}

Enable/disable private data encryption using an AES 128-bit key. Default is disable.

proxy-cipher-hardware-acceleration {enable | disable}

Enable/disable use of content processor to encrypt or decrypt traffic. Default is enable.

proxy-kxp-hardware-acceleration {enable | disable}

Enable/disable use of content processor to encrypt or decrypt traffic. Default is enable.

proxy-worker-count <count_int>

Specify the number of proxy worker processes. Range: 0 - 8. Default is 4.

radius-port <radius_port>

Specify the port for RADIUS traffic. Default is 1812. If your RADIUS server is using port 1645, you can use the CLI to change the RADIUS port on your FortiGate unit.

reboot-upon-config-restore {enable | disable}

Enable/disable reboot of system when restoring configuration. Default is enable.

refresh <refresh_seconds>

Specify the Automatic Refresh Interval, in seconds, for GUI statistics. Range: 0-4294967295. Default is 0, or no automatic refresh.

registration-notification {enable | disable}

Enable/disable displaying the registration notification if the FortiGate is not registered. Default is enable.

remoteauthtimeout <timeout_sec>

Specify the number of seconds that the FortiGate unit waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. Range: 0-300 seconds, 0 means no timeout. Default is 5. To improve security keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.

reset-sessionless-tcp {enable | disable}

The reset-sessionless-tcp command determines what action the FortiGate unit performs if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out. In most cases you should leave reset-sessionless-tcp set to disable (the default).  When this command is set to disable, the FortiGate unit silently drops the packet. The packet originator pdoes not know that the session has expired and might re-transmit the packet several times before attempting to start a new session. Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. If you enable reset-sessionless-tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session. Available in NAT mode only. Default is disable.

revision-backup-on-logout {enable | disable}

Enable/disable back-up of the latest configuration revision when the administrator logs out of the CLI or GUI. Default is disable.

revision-image-auto-backup {enable | disable}

Enable/disable back-up of the latest configuration revision when firmware is upgraded. Default is disable.

scanunit-count <count_int>

Tune the number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. Recommended for advanced users.

send-pmtu-icmp {enable | disable}

Enable to send a path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. Disabling this command will result in PMTUD packets being blocked. Default is enable.

snat-route-change {enable | disable}

Enable/disable static NAT route change. Default is disable.

special-file-23-support {enable | disable}

Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Default is disable.

ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2}

Set the global minimum SSL version that can be used by all SSL implementations on this FortiGate. You can override this minimum version for individual configurations. The default value is TLSv1-2.

sslvpn-cipher-hardware-acceleration {enable | disable}

Enable/disable SSL VPN hardware acceleration.

sslvpn-kxp-hardware-acceleration {enable | disable}

Enable/disable SSL VPN KXP hardware acceleration.

sslvpn-max-worker-count <count_int>

Specify the maximum number of SSL VPN processes. The upper limit for setting this value is the number of CPUs and depends on the model.

sslvpn-plugin-version-check {enable | disable}

Enable/disable checking browser's plugin version. Default is enable.

strict-dirty-session-check {enable | disable}

Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Default is enable.

strong-crypto {enable | disable}

Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). In addition, some low-crypto options are not available. Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption. Default is enable.

switch-controller {enable | disable}

Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Default is disable.

switch-controller-reserved-network <ipv4mask>

Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled. Default: 169.254.0.0 255.255.0.0

syncinterval <ntpsync_minutes>

Specify how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. Range: 1 - 1440 minutes (1 day). Setting to 0 disables time synchronization. Default is 0.

sys-perf-log-interval <int>

Set the time in minutes between updates of performance statistics logging. Range: 1 - 15 minutes. 0 disables performance logging. Default is 5.

tcp-halfclose-timer <seconds>

Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. Range:  1 - 86400 seconds (1 day). Default is 120.

tcp-halfopen-timer <seconds>

Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded.Range:  1 - 86400 seconds (1 day). Default is 10.

tcp-option {enable | disable}

Enable SACK, timestamp and MSS TCP options. For normal operation, tcp-option should be enabled. Disable for performance testing or, in rare cases, where it impairs performance. Default is enable.

tcp-timewait-timer <seconds_int>

Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”. Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster which means more new sessions can be opened before the session limit is reached. Range: 0 - 300 seconds. Default is 1.

timezone <timezone_number>

The number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them. Default is 00, which is equivalent to GMT +12.

tp-mc-skip-policy {enable | disable}

Enable to allow skipping of the policy check, and to enable multicast traffic through. Default is disable. Multicasting (also called IP multicasting) is a technique for one-to-many and many-to-many real-time communication over an IP infrastructure in a network. Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers. can be used to send data to many receivers simultaneously while conserving bandwidth and reducing network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way data transmission for news feeds, financial information, and so on.

traffic-priority {tos | dscp}

Select Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Default is tos. For more information, see the Handbook's discussion of best practices for ToS and DSCP traffic mapping.

traffic-priority-level {low | medium | high}

Select the default system-wide level of priority for traffic prioritization. This determines the priority of traffic for scheduling, typically set on a per service type level. For more information, see system tos-based-priority  or system dscp-based-priority or the Traffic Shaping chapter in the Handbook. Default is medium.

two-factor-email-expiry <seconds_int>

Set the timeout period for email-based two-factor authentication. Two-factor email authentication sends a randomly generated six-digit numeric code to a specified email address. The recipient must enter that code when prompted and that code is only valid for the time period set by this command. Range:  30 - 300 seconds (5 minutes). Default is 60.

two-factor-fac-expiry <seconds_int>

Set the timeout period for FortiAuthenticator token authentication. A FortiAuthenticator provides RADIUS, LDAP and 802.1X wireless authentication, certificate management, and Fortinet Single Sign-on (FSSO). FortiAuthenticator is compatible with FortiToken to provide two-factor authentication with multiple FortiGates and third party devices. Range:  10 - 3600 seconds (1 hour). Default is 60.

two-factor-ftk-expiry <seconds_int>

Set the timeout period for FortiToken authentication. Range:  60 - 600 seconds (10 minutes). Default is 60. FortiToken is a disconnected one-time password (OTP) generator. It is a small physical device with a button that when pressed displays a six digit authentication code. This code is entered with a user’s username and password as two-factor authentication. The code displayed changes at the end of the timeout period set by this command.

two-factor-ftm-expiry <hours_int>

Set the timeout period for FortiToken Mobile provision. Range: 1 - 168 hours (7 days). Default is 72. FortiToken Mobile performs much the same function as the FortiToken except the physical device is replaced by a mobile phone application and the timeout period is set in hours, not seconds.

two-factor-sms-expiry <seconds_int>

Set the timeout period for SMS-based two-factor authentication. Range 30 - 300 seconds. Default is 60. SMS two-factor authentication sends the token code in an SMS text message to the mobile device indicated when this user attempts to logon. This token code is valid only for the time period set by this command. SMS two-factor authentication has the benefit of not requiring email service before logging on. A potential issue is if the mobile service provider does not send the SMS text message before the life of the token expires.

udp-idle-timer <seconds>

Enter the number of seconds before an idle UDP connection times out. This command can be useful in managing unit CPU and memory resources. Range: 1 - 86400 seconds (1 day). Default is 180.

user-server-cert <cert_name>

Select the certificate to use for https user authentication. Default setting is Fortinet_Factory, if available, otherwise self-sign.

vdom-admin {enable | disable}

Enable/disable configuration of multiple virtual domains. Default is disable.

Once VDOMs are enabled, Security Profiles can be configured globally across multiple VDOMs. In many VDOM environments, some or all profiles may be commonly-shared, for example an MSSP with "parental controls" configured will most likely have the same Web Filtering and Application Control profiles per VDOM.

Configure Global profiles under the following config global commands:

  • antivirus profile
  • application list
  • dlp sensor
  • ips sensor
  • webfilter profile

Note: The name for any global profile must start with "g-" for identification. Global profiles are available as read-only for VDOM-level administrators, and can only be edited or deleted from within the global settings.

Each security feature has at least one default global profile, available for all VDOMs.

vip-arp-range {restricted |unlimited}

vip-arp-range controls the number of Address Resolution Protocol (ARP) packets the FortiGate unit sends for a Virtual IP (VIP) address range. Default is restricted.

  • restricted:  the FortiGate unit sends ARP packets for only the first 8192 addresses in a VIP range.
  • unlimited:  the FortiGate unit sends ARP packets for every address in the VIP range.

wad-worker-count <int>

Set the number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy and web caching is handled by all of the CPU cores in a FortiGate unit. You can use the wad-worker-count command to change the number of CPU cores that are used. Range: 0 to the number of CPU cores.

wifi-ca-certificate <ca_cert-name>

Select the CA certificate that verifies the WiFi certificate.

wifi-certificate <cert-name>

Select the certificate to use for WiFi authentication.

wimax-4g-usb {enable | disable}

Enable/disable access to a Worldwide Interoperability for Microwave Access (WiMAX) 4G USB device. FortiGate units support the use of wireless, 3G and 4G modems connected using the USB port or, if available, the express card slot. Modem access provides either primary or secondary (redundant) access to the Internet. For FortiGate units that do not include an internal modem (those units with an “M” designation), the modem interface will not appear in the web-based manager until enabled in the CLI. Default is disable.

wireless-controller {enable | disable}

Enable/disable the wireless (WiFi) daemon. Default is enable.

wireless-controller-port <port_int>

Select the port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one. Range: 1024 - 49150. Default is 5246.