Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

system settings

Use this command to change settings that are for each VDOM, such as the operating mode and default gateway.

When you change the opmode of the VDOM, there are fields that are visible, depending on which opmode you are changing to. The fields are visible only after you set the opmode and before you commit the changes with either end or next. If you do not set these fields, the opmode change will fail.

Field associated with each opmode
Change from NAT to Transparent mode Change from Transparent to NAT mode
set gateway <gw_ipv4> set device <interface_name>
set manageip <manage_ipv4> set gateway <gw_ipv4>
set ip <address_ipv4>

The system settings command differs from system global, where system global fields apply to the entire FortiGate unit and system settings fields apply to the current VDOM only, or the entire FortiGate unit if VDOMs are not enabled.

Bidirectional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other and if a timer runs out on a connection, the router is declared down. BFD then communicates this information to the routing protocol and the routing information is updated. BFD support was added in FortiOS version 3.0 MR4, and can be configured only through the CLI.

Note: When asymmetric routing is enabled using the asymroute field, the FortiGate unit can no longer perform stateful inspection.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.3.

Command Description

set allow-linkdown-path {disable | enable}

Enable or disable whether BGP uses an alternative (link-down) route when attempting to reach a neighbor from an IPsec tunnel while the link is down.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set link-down-access {enable | disable}

Allow or block link down access traffic per VDOM. When enabled (by default), access is still permitted for replies to PING, SSH, and Telnet. When disabled, no access is allowed.

set sip-helper {disable | enable}

Set to disable by default.

set implicit-allow-dns {disable | enable}

Enable or disable the creation of an implicit policy to allow DNS traffic. Some Application Control profiles depend on allowing DNS traffic. If DNS traffic is not allowed, the Application Control profile may not work properly. Enabling the implicit-allow-dns option adds an implicit policy to allow the DNS traffic.

This option can be enabled per VDOM.

config system settings
    set comments {string}   VDOM comments. size[255]
    set opmode {nat | transparent}   Firewall operation mode (NAT or Transparent).
            nat          Change to NAT mode.
            transparent  Change to transparent mode.
    set inspection-mode {proxy | flow}   Inspection mode (proxy-based or flow-based).
            proxy  Proxy-based inspection.
            flow   Flow-based inspection.
    set ngfw-mode {profile-based | policy-based}   Next Generation Firewall (NGFW) mode.
            profile-based  Application and web-filtering are configured using profiles applied to policy entries.
            policy-based   Application and web-filtering are configured as policy match conditions.
    set implicit-allow-dns {enable | disable}   Enable/disable implicitly allowing DNS traffic.
    set ssl-ssh-profile {string}   Profile for SSL/SSH inspection. size[35] - datasource(s): firewall.ssl-ssh-profile.name
    set http-external-dest {fortiweb | forticache}   Offload HTTP traffic to FortiWeb or FortiCache.
            fortiweb    Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.
            forticache  Offload HTTP traffic to FortiCache for external web caching and WAN optimization.
    set firewall-session-dirty {check-all | check-new | check-policy-option}   Select how to manage sessions affected by firewall policy configuration changes.
            check-all            All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.
            check-new            Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.
            check-policy-option  Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.
    set manageip {string}   Transparent mode IPv4 management IP address and netmask.
    set gateway {ipv4 address}   Transparent mode IPv4 default gateway IP address.
    set ip {ipv4 classnet host}   IP address and netmask.
    set manageip6 {ipv6 prefix}   Transparent mode IPv6 management IP address and netmask.
    set gateway6 {ipv6 address}   Transparent mode IPv4 default gateway IP address.
    set ip6 {ipv6 prefix}   IPv6 address prefix for NAT mode.
    set device {string}   Interface to use for management access for NAT mode. size[35] - datasource(s): system.interface.name
    set bfd {enable | disable}   Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
    set bfd-desired-min-tx {integer}   BFD desired minimal transmit interval (1 - 100000 ms, default = 50). range[1-100000]
    set bfd-required-min-rx {integer}   BFD required minimal receive interval (1 - 100000 ms, default = 50). range[1-100000]
    set bfd-detect-mult {integer}   BFD detection multiplier (1 - 50, default = 3). range[1-50]
    set bfd-dont-enforce-src-port {enable | disable}   Enable to not enforce verifying the source port of BFD Packets.
    set utf8-spam-tagging {enable | disable}   Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
    set wccp-cache-engine {enable | disable}   Enable/disable WCCP cache engine.
    set vpn-stats-log {ipsec | pptp | l2tp | ssl}   Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
            ipsec  IPsec.
            pptp   PPTP.
            l2tp   L2TP.
            ssl    SSL.
    set vpn-stats-period {integer}   Period to send VPN log statistics (60 - 86400 sec). range[60-86400]
    set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}   IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
            source-ip-based       Select next hop based on source IP.
            weight-based          Select next hop based on weight.
            usage-based           Select next hop based on usage.
            source-dest-ip-based  Select next hop based on both source and destination IPs.
    set mac-ttl {integer}   Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300). range[300-8640000]
    set fw-session-hairpin {enable | disable}   Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
    set prp-trailer-action {enable | disable}   Enable/disable action to take on PRP trailer.
    set snat-hairpin-traffic {enable | disable}   Enable/disable source NAT (SNAT) for hairpin traffic.
    set dhcp-proxy {enable | disable}   Enable/disable the DHCP Proxy.
    set dhcp-server-ip {string}   DHCP Server IPv4 address.
    set dhcp6-server-ip {string}   DHCPv6 server IPv6 address.
    set central-nat {enable | disable}   Enable/disable central NAT.
    config gui-default-policy-columns
        edit {name}
        # Default columns to display for policy lists on GUI.
            set name {string}   Select column name. size[64]
        next
    set lldp-transmission {enable | disable | global}   Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM.
    set link-down-access {enable | disable}   Enable/disable link down access traffic.
    set asymroute {enable | disable}   Enable/disable IPv4 asymmetric routing.
    set asymroute-icmp {enable | disable}   Enable/disable ICMP asymmetric routing.
    set tcp-session-without-syn {enable | disable}   Enable/disable allowing TCP session without SYN flags.
    set ses-denied-traffic {enable | disable}   Enable/disable including denied session in the session table.
    set strict-src-check {enable | disable}   Enable/disable strict source verification.
    set allow-linkdown-path {enable | disable}   Enable/disable link down path.
    set asymroute6 {enable | disable}   Enable/disable asymmetric IPv6 routing.
    set asymroute6-icmp {enable | disable}   Enable/disable asymmetric ICMPv6 routing.
    set sip-helper {enable | disable}   Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG).
    set sip-nat-trace {enable | disable}   Enable/disable recording the original SIP source IP address when NAT is used.
    set status {enable | disable}   Enable/disable this VDOM.
    set sip-tcp-port {integer}   TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). range[1-65535]
    set sip-udp-port {integer}   UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). range[1-65535]
    set sip-ssl-port {integer}   TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061). range[0-65535]
    set sccp-port {integer}   TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000). range[0-65535]
    set multicast-forward {enable | disable}   Enable/disable multicast forwarding.
    set multicast-ttl-notchange {enable | disable}   Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
    set multicast-skip-policy {enable | disable}   Enable/disable allowing multicast traffic through the FortiGate without a policy check.
    set allow-subnet-overlap {enable | disable}   Enable/disable allowing interface subnets to use overlapping IP addresses.
    set deny-tcp-with-icmp {enable | disable}   Enable/disable denying TCP by sending an ICMP communication prohibited packet.
    set ecmp-max-paths {integer}   Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255). range[1-255]
    set discovered-device-timeout {integer}   Timeout for discovered devices (1 - 365 days, default = 28). range[1-365]
    set email-portal-check-dns {disable | enable}   Enable/disable using DNS to validate email addresses collected by a captive portal.
    set default-voip-alg-mode {proxy-based | kernel-helper-based}   Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
            proxy-based          Use a default proxy-based VoIP ALG.
            kernel-helper-based  Use the SIP session helper.
    set gui-icap {enable | disable}   Enable/disable ICAP on the GUI.
    set gui-nat46-64 {enable | disable}   Enable/disable NAT46 and NAT64 settings on the GUI.
    set gui-implicit-policy {enable | disable}   Enable/disable implicit firewall policies on the GUI.
    set gui-dns-database {enable | disable}   Enable/disable DNS database settings on the GUI.
    set gui-load-balance {enable | disable}   Enable/disable server load balancing on the GUI.
    set gui-multicast-policy {enable | disable}   Enable/disable multicast firewall policies on the GUI.
    set gui-dos-policy {enable | disable}   Enable/disable DoS policies on the GUI.
    set gui-object-colors {enable | disable}   Enable/disable object colors on the GUI.
    set gui-replacement-message-groups {enable | disable}   Enable/disable replacement message groups on the GUI.
    set gui-voip-profile {enable | disable}   Enable/disable VoIP profiles on the GUI.
    set gui-ap-profile {enable | disable}   Enable/disable FortiAP profiles on the GUI.
    set gui-dynamic-profile-display {enable | disable}   Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
    set gui-local-in-policy {enable | disable}   Enable/disable Local-In policies on the GUI.
    set gui-local-reports {enable | disable}   Enable/disable local reports on the GUI.
    set gui-wanopt-cache {enable | disable}   Enable/disable WAN Optimization and Web Caching on the GUI.
    set gui-explicit-proxy {enable | disable}   Enable/disable the explicit proxy on the GUI.
    set gui-dynamic-routing {enable | disable}   Enable/disable dynamic routing on the GUI.
    set gui-dlp {enable | disable}   Enable/disable DLP on the GUI.
    set gui-sslvpn-personal-bookmarks {enable | disable}   Enable/disable SSL-VPN personal bookmark management on the GUI.
    set gui-sslvpn-realms {enable | disable}   Enable/disable SSL-VPN realms on the GUI.
    set gui-policy-based-ipsec {enable | disable}   Enable/disable policy-based IPsec VPN on the GUI.
    set gui-threat-weight {enable | disable}   Enable/disable threat weight on the GUI.
    set gui-multiple-utm-profiles {enable | disable}   Enable/disable multiple UTM profiles on the GUI.
    set gui-spamfilter {enable | disable}   Enable/disable Antispam on the GUI.
    set gui-application-control {enable | disable}   Enable/disable application control on the GUI.
    set gui-ips {enable | disable}   Enable/disable IPS on the GUI.
    set gui-endpoint-control {enable | disable}   Enable/disable endpoint control on the GUI.
    set gui-endpoint-control-advanced {enable | disable}   Enable/disable advanced endpoint control options on the GUI.
    set gui-dhcp-advanced {enable | disable}   Enable/disable advanced DHCP options on the GUI.
    set gui-vpn {enable | disable}   Enable/disable VPN tunnels on the GUI.
    set gui-wireless-controller {enable | disable}   Enable/disable the wireless controller on the GUI.
    set gui-switch-controller {enable | disable}   Enable/disable the switch controller on the GUI.
    set gui-fortiap-split-tunneling {enable | disable}   Enable/disable FortiAP split tunneling on the GUI.
    set gui-webfilter-advanced {enable | disable}   Enable/disable advanced web filtering on the GUI.
    set gui-traffic-shaping {enable | disable}   Enable/disable traffic shaping on the GUI.
    set gui-wan-load-balancing {enable | disable}   Enable/disable SD-WAN on the GUI.
    set gui-antivirus {enable | disable}   Enable/disable AntiVirus on the GUI.
    set gui-webfilter {enable | disable}   Enable/disable Web filtering on the GUI.
    set gui-dnsfilter {enable | disable}   Enable/disable DNS Filtering on the GUI.
    set gui-waf-profile {enable | disable}   Enable/disable Web Application Firewall on the GUI.
    set gui-fortiextender-controller {enable | disable}   Enable/disable FortiExtender on the GUI.
    set gui-advanced-policy {enable | disable}   Enable/disable advanced policy configuration on the GUI.
    set gui-allow-unnamed-policy {enable | disable}   Enable/disable the requirement for policy naming on the GUI.
    set gui-email-collection {enable | disable}   Enable/disable email collection on the GUI.
    set gui-domain-ip-reputation {enable | disable}   Enable/disable Domain and IP Reputation on the GUI.
    set gui-multiple-interface-policy {enable | disable}   Enable/disable adding multiple interfaces to a policy on the GUI.
    set gui-policy-learning {enable | disable}   Enable/disable firewall policy learning mode on the GUI.
    set compliance-check {enable | disable}   Enable/disable PCI DSS compliance checking.
    set ike-session-resume {enable | disable}   Enable/disable IKEv2 session resumption (RFC 5723).
    set ike-quick-crash-detect {enable | disable}   Enable/disable IKE quick crash detection (RFC 6290).
    set ike-dn-format {with-space | no-space}   Configure IKE ASN.1 Distinguished Name format conventions.
            with-space  Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.
            no-space    Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.
    set block-land-attack {disable | enable}   Enable/disable blocking of land attacks.
end

Additional information

The following section is for those options that require additional explanation.

allow-linkdown-path {enable | disable}

Enable (default) or disable whether BGP uses an alternative (link-down) route when attempting to reach a neighbor from an IPsec tunnel while the link is down.

While enabled, this option allows BGP to use an alternative route when the destination link is down.

allow-subnet-overlap {enable | disable}

Enable or disable (default) limited support for interface and VLAN subinterface IP address overlap for this VDOM. Use this command to enable limited support for overlapping IP addresses in an existing network configuration.

This command is for advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.

asymroute {enable | disable}

Enable or disable (default) IPv4 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled.

This command should only be used as a temporary check to troubleshoot a network. It is not intended to be enabled permanently. When it is enabled, many security features on your FortiGate unit are not enabled.

Enabling asymmetric routing disables stateful inspection. Your FortiGate unit can only perform stateless inspection in this state.

asymroute6 {enable | disable}

Enable or disable (default) IPv6 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled.

bfd {enable | disable}

Enable or disable (default) bidirectional forwarding detection (BFD) on your FortiGate unit, or this VDOM if you have VDOMs enabled. BFD can be used with OSPF and BGP configurations, and overridden on a per interface basis.

bfd-desired-min-tx <milliseconds>

Enter the preferred minimum transmit interval for BFD packets. If possible, this will be the minimum used. This variable is available only when BFD is enabled.

Possible values: 1 to 100000 milliseconds. The default value is 50.

bfd-detect-mult <multiplier>

Enter the BFD detection multiplier.

Possible values: 1 to 50. The default value is 3.

bfd-dont-enforce-src-port {enable | disable}

Enable or disable (default) whether the BFD source port is enforced. Set this to enable to not enforce the BFD source port.

bfd-required-min-rx <milliseconds>

Enter the required minimum receive interval for BFD packets. The FortiGate unit will not transmit BFD packets at a slower rate than this. This variable is available only when BFD is enabled.

Possible values: 1 to 100000 milliseconds. The default value is 50.

default-voip-alg-mode {proxy‑based | kernel‑helper‑based}

Set the default SIP behavior for VoIP.

  • proxy-based (default): VoIP traffic goes to proxy SIP ALG and the default VoIP profile applies
  • kernel-helper-based: VoIP traffic is handled by the kernel SIP helper. If the SIP helper does not exist in system, no SIP processing occurs.

If an explicit VoIP profile is defined in the policy, VoIP traffic is redirected to proxy SIP ALG, regardless of the default-voip-alg-mode setting.

deny-tcp-with-icmp {enable | disable}

Enable or disable (default) whether to deny TCP by sending an ICMP Communication Prohibited packet. Set this to enable to deny TCP by sending an ICMP Communication Prohibited packet. Firewall policies will enable send‑deny‑packet.

device <interface_name>

Enter the interface to use for management access. This is the interface that ip applies to.

This field is visible only after you change opmode from transparent to nat, before you commit the change.

The limit is 25 characters.

dhcp-proxy {enable | disable}

Enable or disable (default) DHCP proxy. This is required for IPsec VPN with mode-cfg to use DHCP to assign VPN client IP addresses.

dhcp-server-ip <IP_address1 IP_address2...>

Enter up to eight IPv4 DHCP server IP addresses. This is available when dhcp-proxy is enabled.

dhcp6-server-ip <IP_address1 IP_address2...>

Enter up to eight IPv6 DHCP server IP addresses. This is available when dhcp-proxy is enabled.

discovered-device-timeout <days>

Enter the timeout for discovered devices.

Possible values: 1 to 365 days. The default is 28.

ecmp-max-paths <maximum_routes>

Enter the maximum number of routes allowed to be included in an ECMP configuration. Set this to 1 to disable ECMP routing.

ECMP routes have the same distance and the same priority, and can be used in load balancing.

Possible values: 1 to 255. The default value is 10.

email-portal-check-dns {enable | disable}

Enable (default) or disable whether the email collection portal verifies that the domain name part of an email address can be resolved using a DNS lookup.

firewall-session-dirty {check‑all | check‑new | check‑policy‑option}

Select how changes to a firewall policy are managed.

  • check‑all (default): Flushes all current sessions and re-evaluates them
  • check‑new: Keeps existing sessions and applies policy changes to new sessions only. This reduces CPU load and the possibility of packet loss.
  • check‑policy‑option: Uses the option selected in the firewall-session-dirty field of the firewall policy. See the firewall {policy | policy6} command.

gateway <IPv4_address>

Enter the default gateway IP address.

This field is visible only after you change opmode from nat to transparent or from transparent to nat, before you commit the change.

gateway6 <IPv6_address>

Enter the default gateway IPv6 address.

This field is visible only after you change opmode from nat to transparent or from transparent to nat, before you commit the change.

gui-default-policy-columns

Optionally, override the web-based manager’s default displayed column set for firewall policies.

name <column_list>

Specify a list of column names that you want displayed, separated by spaces and in order from left to right. The column options are #, policyid, srcintf, dstintf, srcaddr, dstaddr, schedule, service, action, logtraffic, nat, status, authentication, count, profile, vpntunnel, and comments.

inspection-mode {proxy | flow]

Set proxy-based (default) or flow-based inspection.

ip <IPv4_address>

Enter the IP address to use after switching to nat mode.

This field is visible only after you change opmode from transparent to nat, before you commit the change.

ip6 <IPv6_address>

Enter the IPv6 address to use after switching to nat mode.

This field is visible only after you change opmode from transparent to nat, before you commit the change.

lldp-transmission {enable | disable | global}

Enable or disable Link Layer Discovery Protocol (LLDP) for this VDOM, or apply a global setting specified by lldp-transmission in system global.

The default value is global.

mac-ttl <seconds>

Set the duration of MAC addresses during transparent mode.

Possible values: 300 to 8640000 seconds (8640000 is 100 days). The default value is 300.

manageip <IPv4_address>

Set the IP address and netmask of the Transparent mode management interface. You must set this when you change opmode from nat to transparent.

manageip6 <IPv6_prefix>

Set the IPv6 management address prefix for Transparent mode.

multicast-forward {enable | disable}

Enable (default) or disable multicast forwarding. If you set this to enable, any multicast IP packets where the TTL is 2 or higher are forwarded to all interfaces and VLAN interfaces, except the receiving interface. The TTL in the IP header will be reduced by 1.

When multiple VDOMs are configured, this option is available within each VDOM.

multicast-ttl-notchange {enable | disable}

Enable or disable (default) whether multicast forwarding reduces the TTL in the IP header. Set this to enable to prevent multicast forwarding from reducing the TTL in the IP header. Set this to disable to use normal multicast forwading behavior.

In multiple VDOM mode, this option is only available within VDOMs and is not available at a global level.

opmode {nat | transparent}

Enter the required operating mode.

If you change opmode from nat to transparent, you must set manageip and gateway.

If you change opmode from transparent to nat, you must set device, ip, gateway-device and gateway.

The default value is nat.

sccp-port <port_number>

Enter the port number of the TCP port to use to monitor Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.

Possible values: 1 to 65535. The default value is 2000.

ses-denied-traffic {enable | disable}

Enable or disable (default) whether denied sessions are added to the session table. Enable this option to add denied sessions to the session table. For optimum performance, you may need to adjust the global block-session-timer (see block-session-timer <int>).

Blocking the packets of a denied session can take more CPU processing resources than passing the traffic through. By putting denied sessions in the session table, they can be kept track of in the same way that allowed session are so that the FortiGate unit does not have to reassess whether or not to deny each of the packets on an individual basis. If the session is denied, all packets of that session are also denied.

The ses-denied-traffic and block-session-timer are not effective at blocking denial of service attacks.

sip-helper {enable | disable}

Enable or disable (default) the SIP session helper. The SIP session helper will process SIP sessions unless the SIP sessions are accepted by the SIP ALG.

sip-nat-trace {enable | disable}

Enable (default) or disable whether the original IP address of the phone is recorded.

sip-ssl-port <port_number>

Enter the port number that the SIP proxy monitors for SIP traffic.

Possible values: 1 to 65535. The default value is 5061.

sip-tcp-port <<port_number1> [<port_number2>]>

Enter one or two port numbers that the SIP ALG monitors for SIP TCP sessions.

Possible values: 1 to 65535. The default value is 5060.

sip-udp-port <port_number>

Enter the port number that the SIP ALG monitors for SIP UDP sessions.

Possible values: 1 to 65535. The default value is 5060.

status {enable | disable}

Disable or enable (default) this VDOM.

Disabled VDOMs keep all their configuration, but the resources of the VDOM are not accessible. To leave VDOM mode, all disabled VDOMs must be deleted and only the root VDOM can be configured.

The command is available only when VDOMs are enabled.

strict-src-check {enable | disable}

Enable or disable (default) whether packets from a source IP range are refused if there is a specific route in the routing table for the network (RFC 3704). Set to enable to refuse packets that meet this criteria.

utf8-spam-tagging {enable | disable}

Enable (default) or disable whether spam tags are converted to UTF-8 for better non-ASCII character support.

v4-ecmp-mode {source‑ip‑based | usage‑based | weight‑based | source-dest-ip-based}

Set the ECMP route failover and load balance method, which controls how the FortiGate unit assigns a route to a session when multiple equal-cost routes to the sessions’s destination are available.

  • source-ip-based (default): The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. No other settings can be configured to support source IP load balancing.
  • weight-based: The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. Use the weight field of the config router static command to add weights to static routes. See the router static command.
  • usage-based: The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are. After you select usage-based, use the spillover-threshold field of the config system interface command to add spillover thresholds to interfaces added to ECMP routes. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. See the system interface command.
  • source-dest-ip-based: Selects the next hop based on both source and destination IP addresses.

vpn-stats-log {ipsec | l2tp | pptp | ssl}

Enable periodic VPN log statistics for one or more types of VPN.

vpn-stats-period <seconds>

Enter the interval, in seconds, for the vpn-stats-log to collect statistics.

Possible values: 60 to 86400 seconds.

wccp-cache-engine {enable | disable}

Enable or disable (default) whether the FortiGate unit operates as a WCCP cache engine. Use the config system wccp command to configure WCCP cache engine settings.

system settings

Use this command to change settings that are for each VDOM, such as the operating mode and default gateway.

When you change the opmode of the VDOM, there are fields that are visible, depending on which opmode you are changing to. The fields are visible only after you set the opmode and before you commit the changes with either end or next. If you do not set these fields, the opmode change will fail.

Field associated with each opmode
Change from NAT to Transparent mode Change from Transparent to NAT mode
set gateway <gw_ipv4> set device <interface_name>
set manageip <manage_ipv4> set gateway <gw_ipv4>
set ip <address_ipv4>

The system settings command differs from system global, where system global fields apply to the entire FortiGate unit and system settings fields apply to the current VDOM only, or the entire FortiGate unit if VDOMs are not enabled.

Bidirectional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other and if a timer runs out on a connection, the router is declared down. BFD then communicates this information to the routing protocol and the routing information is updated. BFD support was added in FortiOS version 3.0 MR4, and can be configured only through the CLI.

Note: When asymmetric routing is enabled using the asymroute field, the FortiGate unit can no longer perform stateful inspection.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.3.

Command Description

set allow-linkdown-path {disable | enable}

Enable or disable whether BGP uses an alternative (link-down) route when attempting to reach a neighbor from an IPsec tunnel while the link is down.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set link-down-access {enable | disable}

Allow or block link down access traffic per VDOM. When enabled (by default), access is still permitted for replies to PING, SSH, and Telnet. When disabled, no access is allowed.

set sip-helper {disable | enable}

Set to disable by default.

set implicit-allow-dns {disable | enable}

Enable or disable the creation of an implicit policy to allow DNS traffic. Some Application Control profiles depend on allowing DNS traffic. If DNS traffic is not allowed, the Application Control profile may not work properly. Enabling the implicit-allow-dns option adds an implicit policy to allow the DNS traffic.

This option can be enabled per VDOM.

config system settings
    set comments {string}   VDOM comments. size[255]
    set opmode {nat | transparent}   Firewall operation mode (NAT or Transparent).
            nat          Change to NAT mode.
            transparent  Change to transparent mode.
    set inspection-mode {proxy | flow}   Inspection mode (proxy-based or flow-based).
            proxy  Proxy-based inspection.
            flow   Flow-based inspection.
    set ngfw-mode {profile-based | policy-based}   Next Generation Firewall (NGFW) mode.
            profile-based  Application and web-filtering are configured using profiles applied to policy entries.
            policy-based   Application and web-filtering are configured as policy match conditions.
    set implicit-allow-dns {enable | disable}   Enable/disable implicitly allowing DNS traffic.
    set ssl-ssh-profile {string}   Profile for SSL/SSH inspection. size[35] - datasource(s): firewall.ssl-ssh-profile.name
    set http-external-dest {fortiweb | forticache}   Offload HTTP traffic to FortiWeb or FortiCache.
            fortiweb    Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.
            forticache  Offload HTTP traffic to FortiCache for external web caching and WAN optimization.
    set firewall-session-dirty {check-all | check-new | check-policy-option}   Select how to manage sessions affected by firewall policy configuration changes.
            check-all            All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.
            check-new            Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.
            check-policy-option  Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.
    set manageip {string}   Transparent mode IPv4 management IP address and netmask.
    set gateway {ipv4 address}   Transparent mode IPv4 default gateway IP address.
    set ip {ipv4 classnet host}   IP address and netmask.
    set manageip6 {ipv6 prefix}   Transparent mode IPv6 management IP address and netmask.
    set gateway6 {ipv6 address}   Transparent mode IPv4 default gateway IP address.
    set ip6 {ipv6 prefix}   IPv6 address prefix for NAT mode.
    set device {string}   Interface to use for management access for NAT mode. size[35] - datasource(s): system.interface.name
    set bfd {enable | disable}   Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
    set bfd-desired-min-tx {integer}   BFD desired minimal transmit interval (1 - 100000 ms, default = 50). range[1-100000]
    set bfd-required-min-rx {integer}   BFD required minimal receive interval (1 - 100000 ms, default = 50). range[1-100000]
    set bfd-detect-mult {integer}   BFD detection multiplier (1 - 50, default = 3). range[1-50]
    set bfd-dont-enforce-src-port {enable | disable}   Enable to not enforce verifying the source port of BFD Packets.
    set utf8-spam-tagging {enable | disable}   Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
    set wccp-cache-engine {enable | disable}   Enable/disable WCCP cache engine.
    set vpn-stats-log {ipsec | pptp | l2tp | ssl}   Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
            ipsec  IPsec.
            pptp   PPTP.
            l2tp   L2TP.
            ssl    SSL.
    set vpn-stats-period {integer}   Period to send VPN log statistics (60 - 86400 sec). range[60-86400]
    set v4-ecmp-mode {source-ip-based | weight-based | usage-based | source-dest-ip-based}   IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
            source-ip-based       Select next hop based on source IP.
            weight-based          Select next hop based on weight.
            usage-based           Select next hop based on usage.
            source-dest-ip-based  Select next hop based on both source and destination IPs.
    set mac-ttl {integer}   Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300). range[300-8640000]
    set fw-session-hairpin {enable | disable}   Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
    set prp-trailer-action {enable | disable}   Enable/disable action to take on PRP trailer.
    set snat-hairpin-traffic {enable | disable}   Enable/disable source NAT (SNAT) for hairpin traffic.
    set dhcp-proxy {enable | disable}   Enable/disable the DHCP Proxy.
    set dhcp-server-ip {string}   DHCP Server IPv4 address.
    set dhcp6-server-ip {string}   DHCPv6 server IPv6 address.
    set central-nat {enable | disable}   Enable/disable central NAT.
    config gui-default-policy-columns
        edit {name}
        # Default columns to display for policy lists on GUI.
            set name {string}   Select column name. size[64]
        next
    set lldp-transmission {enable | disable | global}   Enable/disable Link Layer Discovery Protocol (LLDP) for this VDOM or apply global settings to this VDOM.
    set link-down-access {enable | disable}   Enable/disable link down access traffic.
    set asymroute {enable | disable}   Enable/disable IPv4 asymmetric routing.
    set asymroute-icmp {enable | disable}   Enable/disable ICMP asymmetric routing.
    set tcp-session-without-syn {enable | disable}   Enable/disable allowing TCP session without SYN flags.
    set ses-denied-traffic {enable | disable}   Enable/disable including denied session in the session table.
    set strict-src-check {enable | disable}   Enable/disable strict source verification.
    set allow-linkdown-path {enable | disable}   Enable/disable link down path.
    set asymroute6 {enable | disable}   Enable/disable asymmetric IPv6 routing.
    set asymroute6-icmp {enable | disable}   Enable/disable asymmetric ICMPv6 routing.
    set sip-helper {enable | disable}   Enable/disable the SIP session helper to process SIP sessions unless SIP sessions are accepted by the SIP application layer gateway (ALG).
    set sip-nat-trace {enable | disable}   Enable/disable recording the original SIP source IP address when NAT is used.
    set status {enable | disable}   Enable/disable this VDOM.
    set sip-tcp-port {integer}   TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). range[1-65535]
    set sip-udp-port {integer}   UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). range[1-65535]
    set sip-ssl-port {integer}   TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061). range[0-65535]
    set sccp-port {integer}   TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000). range[0-65535]
    set multicast-forward {enable | disable}   Enable/disable multicast forwarding.
    set multicast-ttl-notchange {enable | disable}   Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
    set multicast-skip-policy {enable | disable}   Enable/disable allowing multicast traffic through the FortiGate without a policy check.
    set allow-subnet-overlap {enable | disable}   Enable/disable allowing interface subnets to use overlapping IP addresses.
    set deny-tcp-with-icmp {enable | disable}   Enable/disable denying TCP by sending an ICMP communication prohibited packet.
    set ecmp-max-paths {integer}   Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255). range[1-255]
    set discovered-device-timeout {integer}   Timeout for discovered devices (1 - 365 days, default = 28). range[1-365]
    set email-portal-check-dns {disable | enable}   Enable/disable using DNS to validate email addresses collected by a captive portal.
    set default-voip-alg-mode {proxy-based | kernel-helper-based}   Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
            proxy-based          Use a default proxy-based VoIP ALG.
            kernel-helper-based  Use the SIP session helper.
    set gui-icap {enable | disable}   Enable/disable ICAP on the GUI.
    set gui-nat46-64 {enable | disable}   Enable/disable NAT46 and NAT64 settings on the GUI.
    set gui-implicit-policy {enable | disable}   Enable/disable implicit firewall policies on the GUI.
    set gui-dns-database {enable | disable}   Enable/disable DNS database settings on the GUI.
    set gui-load-balance {enable | disable}   Enable/disable server load balancing on the GUI.
    set gui-multicast-policy {enable | disable}   Enable/disable multicast firewall policies on the GUI.
    set gui-dos-policy {enable | disable}   Enable/disable DoS policies on the GUI.
    set gui-object-colors {enable | disable}   Enable/disable object colors on the GUI.
    set gui-replacement-message-groups {enable | disable}   Enable/disable replacement message groups on the GUI.
    set gui-voip-profile {enable | disable}   Enable/disable VoIP profiles on the GUI.
    set gui-ap-profile {enable | disable}   Enable/disable FortiAP profiles on the GUI.
    set gui-dynamic-profile-display {enable | disable}   Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
    set gui-local-in-policy {enable | disable}   Enable/disable Local-In policies on the GUI.
    set gui-local-reports {enable | disable}   Enable/disable local reports on the GUI.
    set gui-wanopt-cache {enable | disable}   Enable/disable WAN Optimization and Web Caching on the GUI.
    set gui-explicit-proxy {enable | disable}   Enable/disable the explicit proxy on the GUI.
    set gui-dynamic-routing {enable | disable}   Enable/disable dynamic routing on the GUI.
    set gui-dlp {enable | disable}   Enable/disable DLP on the GUI.
    set gui-sslvpn-personal-bookmarks {enable | disable}   Enable/disable SSL-VPN personal bookmark management on the GUI.
    set gui-sslvpn-realms {enable | disable}   Enable/disable SSL-VPN realms on the GUI.
    set gui-policy-based-ipsec {enable | disable}   Enable/disable policy-based IPsec VPN on the GUI.
    set gui-threat-weight {enable | disable}   Enable/disable threat weight on the GUI.
    set gui-multiple-utm-profiles {enable | disable}   Enable/disable multiple UTM profiles on the GUI.
    set gui-spamfilter {enable | disable}   Enable/disable Antispam on the GUI.
    set gui-application-control {enable | disable}   Enable/disable application control on the GUI.
    set gui-ips {enable | disable}   Enable/disable IPS on the GUI.
    set gui-endpoint-control {enable | disable}   Enable/disable endpoint control on the GUI.
    set gui-endpoint-control-advanced {enable | disable}   Enable/disable advanced endpoint control options on the GUI.
    set gui-dhcp-advanced {enable | disable}   Enable/disable advanced DHCP options on the GUI.
    set gui-vpn {enable | disable}   Enable/disable VPN tunnels on the GUI.
    set gui-wireless-controller {enable | disable}   Enable/disable the wireless controller on the GUI.
    set gui-switch-controller {enable | disable}   Enable/disable the switch controller on the GUI.
    set gui-fortiap-split-tunneling {enable | disable}   Enable/disable FortiAP split tunneling on the GUI.
    set gui-webfilter-advanced {enable | disable}   Enable/disable advanced web filtering on the GUI.
    set gui-traffic-shaping {enable | disable}   Enable/disable traffic shaping on the GUI.
    set gui-wan-load-balancing {enable | disable}   Enable/disable SD-WAN on the GUI.
    set gui-antivirus {enable | disable}   Enable/disable AntiVirus on the GUI.
    set gui-webfilter {enable | disable}   Enable/disable Web filtering on the GUI.
    set gui-dnsfilter {enable | disable}   Enable/disable DNS Filtering on the GUI.
    set gui-waf-profile {enable | disable}   Enable/disable Web Application Firewall on the GUI.
    set gui-fortiextender-controller {enable | disable}   Enable/disable FortiExtender on the GUI.
    set gui-advanced-policy {enable | disable}   Enable/disable advanced policy configuration on the GUI.
    set gui-allow-unnamed-policy {enable | disable}   Enable/disable the requirement for policy naming on the GUI.
    set gui-email-collection {enable | disable}   Enable/disable email collection on the GUI.
    set gui-domain-ip-reputation {enable | disable}   Enable/disable Domain and IP Reputation on the GUI.
    set gui-multiple-interface-policy {enable | disable}   Enable/disable adding multiple interfaces to a policy on the GUI.
    set gui-policy-learning {enable | disable}   Enable/disable firewall policy learning mode on the GUI.
    set compliance-check {enable | disable}   Enable/disable PCI DSS compliance checking.
    set ike-session-resume {enable | disable}   Enable/disable IKEv2 session resumption (RFC 5723).
    set ike-quick-crash-detect {enable | disable}   Enable/disable IKE quick crash detection (RFC 6290).
    set ike-dn-format {with-space | no-space}   Configure IKE ASN.1 Distinguished Name format conventions.
            with-space  Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.
            no-space    Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.
    set block-land-attack {disable | enable}   Enable/disable blocking of land attacks.
end

Additional information

The following section is for those options that require additional explanation.

allow-linkdown-path {enable | disable}

Enable (default) or disable whether BGP uses an alternative (link-down) route when attempting to reach a neighbor from an IPsec tunnel while the link is down.

While enabled, this option allows BGP to use an alternative route when the destination link is down.

allow-subnet-overlap {enable | disable}

Enable or disable (default) limited support for interface and VLAN subinterface IP address overlap for this VDOM. Use this command to enable limited support for overlapping IP addresses in an existing network configuration.

This command is for advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.

asymroute {enable | disable}

Enable or disable (default) IPv4 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled.

This command should only be used as a temporary check to troubleshoot a network. It is not intended to be enabled permanently. When it is enabled, many security features on your FortiGate unit are not enabled.

Enabling asymmetric routing disables stateful inspection. Your FortiGate unit can only perform stateless inspection in this state.

asymroute6 {enable | disable}

Enable or disable (default) IPv6 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled.

bfd {enable | disable}

Enable or disable (default) bidirectional forwarding detection (BFD) on your FortiGate unit, or this VDOM if you have VDOMs enabled. BFD can be used with OSPF and BGP configurations, and overridden on a per interface basis.

bfd-desired-min-tx <milliseconds>

Enter the preferred minimum transmit interval for BFD packets. If possible, this will be the minimum used. This variable is available only when BFD is enabled.

Possible values: 1 to 100000 milliseconds. The default value is 50.

bfd-detect-mult <multiplier>

Enter the BFD detection multiplier.

Possible values: 1 to 50. The default value is 3.

bfd-dont-enforce-src-port {enable | disable}

Enable or disable (default) whether the BFD source port is enforced. Set this to enable to not enforce the BFD source port.

bfd-required-min-rx <milliseconds>

Enter the required minimum receive interval for BFD packets. The FortiGate unit will not transmit BFD packets at a slower rate than this. This variable is available only when BFD is enabled.

Possible values: 1 to 100000 milliseconds. The default value is 50.

default-voip-alg-mode {proxy‑based | kernel‑helper‑based}

Set the default SIP behavior for VoIP.

  • proxy-based (default): VoIP traffic goes to proxy SIP ALG and the default VoIP profile applies
  • kernel-helper-based: VoIP traffic is handled by the kernel SIP helper. If the SIP helper does not exist in system, no SIP processing occurs.

If an explicit VoIP profile is defined in the policy, VoIP traffic is redirected to proxy SIP ALG, regardless of the default-voip-alg-mode setting.

deny-tcp-with-icmp {enable | disable}

Enable or disable (default) whether to deny TCP by sending an ICMP Communication Prohibited packet. Set this to enable to deny TCP by sending an ICMP Communication Prohibited packet. Firewall policies will enable send‑deny‑packet.

device <interface_name>

Enter the interface to use for management access. This is the interface that ip applies to.

This field is visible only after you change opmode from transparent to nat, before you commit the change.

The limit is 25 characters.

dhcp-proxy {enable | disable}

Enable or disable (default) DHCP proxy. This is required for IPsec VPN with mode-cfg to use DHCP to assign VPN client IP addresses.

dhcp-server-ip <IP_address1 IP_address2...>

Enter up to eight IPv4 DHCP server IP addresses. This is available when dhcp-proxy is enabled.

dhcp6-server-ip <IP_address1 IP_address2...>

Enter up to eight IPv6 DHCP server IP addresses. This is available when dhcp-proxy is enabled.

discovered-device-timeout <days>

Enter the timeout for discovered devices.

Possible values: 1 to 365 days. The default is 28.

ecmp-max-paths <maximum_routes>

Enter the maximum number of routes allowed to be included in an ECMP configuration. Set this to 1 to disable ECMP routing.

ECMP routes have the same distance and the same priority, and can be used in load balancing.

Possible values: 1 to 255. The default value is 10.

email-portal-check-dns {enable | disable}

Enable (default) or disable whether the email collection portal verifies that the domain name part of an email address can be resolved using a DNS lookup.

firewall-session-dirty {check‑all | check‑new | check‑policy‑option}

Select how changes to a firewall policy are managed.

  • check‑all (default): Flushes all current sessions and re-evaluates them
  • check‑new: Keeps existing sessions and applies policy changes to new sessions only. This reduces CPU load and the possibility of packet loss.
  • check‑policy‑option: Uses the option selected in the firewall-session-dirty field of the firewall policy. See the firewall {policy | policy6} command.

gateway <IPv4_address>

Enter the default gateway IP address.

This field is visible only after you change opmode from nat to transparent or from transparent to nat, before you commit the change.

gateway6 <IPv6_address>

Enter the default gateway IPv6 address.

This field is visible only after you change opmode from nat to transparent or from transparent to nat, before you commit the change.

gui-default-policy-columns

Optionally, override the web-based manager’s default displayed column set for firewall policies.

name <column_list>

Specify a list of column names that you want displayed, separated by spaces and in order from left to right. The column options are #, policyid, srcintf, dstintf, srcaddr, dstaddr, schedule, service, action, logtraffic, nat, status, authentication, count, profile, vpntunnel, and comments.

inspection-mode {proxy | flow]

Set proxy-based (default) or flow-based inspection.

ip <IPv4_address>

Enter the IP address to use after switching to nat mode.

This field is visible only after you change opmode from transparent to nat, before you commit the change.

ip6 <IPv6_address>

Enter the IPv6 address to use after switching to nat mode.

This field is visible only after you change opmode from transparent to nat, before you commit the change.

lldp-transmission {enable | disable | global}

Enable or disable Link Layer Discovery Protocol (LLDP) for this VDOM, or apply a global setting specified by lldp-transmission in system global.

The default value is global.

mac-ttl <seconds>

Set the duration of MAC addresses during transparent mode.

Possible values: 300 to 8640000 seconds (8640000 is 100 days). The default value is 300.

manageip <IPv4_address>

Set the IP address and netmask of the Transparent mode management interface. You must set this when you change opmode from nat to transparent.

manageip6 <IPv6_prefix>

Set the IPv6 management address prefix for Transparent mode.

multicast-forward {enable | disable}

Enable (default) or disable multicast forwarding. If you set this to enable, any multicast IP packets where the TTL is 2 or higher are forwarded to all interfaces and VLAN interfaces, except the receiving interface. The TTL in the IP header will be reduced by 1.

When multiple VDOMs are configured, this option is available within each VDOM.

multicast-ttl-notchange {enable | disable}

Enable or disable (default) whether multicast forwarding reduces the TTL in the IP header. Set this to enable to prevent multicast forwarding from reducing the TTL in the IP header. Set this to disable to use normal multicast forwading behavior.

In multiple VDOM mode, this option is only available within VDOMs and is not available at a global level.

opmode {nat | transparent}

Enter the required operating mode.

If you change opmode from nat to transparent, you must set manageip and gateway.

If you change opmode from transparent to nat, you must set device, ip, gateway-device and gateway.

The default value is nat.

sccp-port <port_number>

Enter the port number of the TCP port to use to monitor Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.

Possible values: 1 to 65535. The default value is 2000.

ses-denied-traffic {enable | disable}

Enable or disable (default) whether denied sessions are added to the session table. Enable this option to add denied sessions to the session table. For optimum performance, you may need to adjust the global block-session-timer (see block-session-timer <int>).

Blocking the packets of a denied session can take more CPU processing resources than passing the traffic through. By putting denied sessions in the session table, they can be kept track of in the same way that allowed session are so that the FortiGate unit does not have to reassess whether or not to deny each of the packets on an individual basis. If the session is denied, all packets of that session are also denied.

The ses-denied-traffic and block-session-timer are not effective at blocking denial of service attacks.

sip-helper {enable | disable}

Enable or disable (default) the SIP session helper. The SIP session helper will process SIP sessions unless the SIP sessions are accepted by the SIP ALG.

sip-nat-trace {enable | disable}

Enable (default) or disable whether the original IP address of the phone is recorded.

sip-ssl-port <port_number>

Enter the port number that the SIP proxy monitors for SIP traffic.

Possible values: 1 to 65535. The default value is 5061.

sip-tcp-port <<port_number1> [<port_number2>]>

Enter one or two port numbers that the SIP ALG monitors for SIP TCP sessions.

Possible values: 1 to 65535. The default value is 5060.

sip-udp-port <port_number>

Enter the port number that the SIP ALG monitors for SIP UDP sessions.

Possible values: 1 to 65535. The default value is 5060.

status {enable | disable}

Disable or enable (default) this VDOM.

Disabled VDOMs keep all their configuration, but the resources of the VDOM are not accessible. To leave VDOM mode, all disabled VDOMs must be deleted and only the root VDOM can be configured.

The command is available only when VDOMs are enabled.

strict-src-check {enable | disable}

Enable or disable (default) whether packets from a source IP range are refused if there is a specific route in the routing table for the network (RFC 3704). Set to enable to refuse packets that meet this criteria.

utf8-spam-tagging {enable | disable}

Enable (default) or disable whether spam tags are converted to UTF-8 for better non-ASCII character support.

v4-ecmp-mode {source‑ip‑based | usage‑based | weight‑based | source-dest-ip-based}

Set the ECMP route failover and load balance method, which controls how the FortiGate unit assigns a route to a session when multiple equal-cost routes to the sessions’s destination are available.

  • source-ip-based (default): The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. No other settings can be configured to support source IP load balancing.
  • weight-based: The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. Use the weight field of the config router static command to add weights to static routes. See the router static command.
  • usage-based: The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are. After you select usage-based, use the spillover-threshold field of the config system interface command to add spillover thresholds to interfaces added to ECMP routes. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. See the system interface command.
  • source-dest-ip-based: Selects the next hop based on both source and destination IP addresses.

vpn-stats-log {ipsec | l2tp | pptp | ssl}

Enable periodic VPN log statistics for one or more types of VPN.

vpn-stats-period <seconds>

Enter the interval, in seconds, for the vpn-stats-log to collect statistics.

Possible values: 60 to 86400 seconds.

wccp-cache-engine {enable | disable}

Enable or disable (default) whether the FortiGate unit operates as a WCCP cache engine. Use the config system wccp command to configure WCCP cache engine settings.