config system settings

Configure VDOM settings.

config system settings
    Description: Configure VDOM settings.
    set comments {var-string}
    set opmode [nat|transparent]
    set ngfw-mode [profile-based|policy-based]
    set implicit-allow-dns [enable|disable]
    set consolidated-firewall-mode [enable|disable]
    set http-external-dest [fortiweb|forticache]
    set firewall-session-dirty [check-all|check-new|...]
    set manageip {user}
    set gateway {ipv4-address}
    set ip {ipv4-classnet-host}
    set manageip6 {ipv6-prefix}
    set gateway6 {ipv6-address}
    set ip6 {ipv6-prefix}
    set device {string}
    set bfd [enable|disable]
    set bfd-desired-min-tx {integer}
    set bfd-required-min-rx {integer}
    set bfd-detect-mult {integer}
    set bfd-dont-enforce-src-port [enable|disable]
    set utf8-spam-tagging [enable|disable]
    set wccp-cache-engine [enable|disable]
    set vpn-stats-log {option1}, {option2}, ...
    set vpn-stats-period {integer}
    set v4-ecmp-mode [source-ip-based|weight-based|...]
    set mac-ttl {integer}
    set fw-session-hairpin [enable|disable]
    set prp-trailer-action [enable|disable]
    set snat-hairpin-traffic [enable|disable]
    set dhcp-proxy [enable|disable]
    set dhcp-proxy-interface-select-method [auto|sdwan|...]
    set dhcp-proxy-interface {string}
    set dhcp-server-ip {user}
    set dhcp6-server-ip {user}
    set central-nat [enable|disable]
    set gui-default-policy-columns <name1>, <name2>, ...
    set lldp-reception [enable|disable|...]
    set lldp-transmission [enable|disable|...]
    set link-down-access [enable|disable]
    set auxiliary-session [enable|disable]
    set asymroute [enable|disable]
    set asymroute-icmp [enable|disable]
    set tcp-session-without-syn [enable|disable]
    set ses-denied-traffic [enable|disable]
    set strict-src-check [enable|disable]
    set allow-linkdown-path [enable|disable]
    set asymroute6 [enable|disable]
    set asymroute6-icmp [enable|disable]
    set sctp-session-without-init [enable|disable]
    set sip-expectation [enable|disable]
    set sip-nat-trace [enable|disable]
    set status [enable|disable]
    set sip-tcp-port {integer}
    set sip-udp-port {integer}
    set sip-ssl-port {integer}
    set sccp-port {integer}
    set multicast-forward [enable|disable]
    set multicast-ttl-notchange [enable|disable]
    set multicast-skip-policy [enable|disable]
    set allow-subnet-overlap [enable|disable]
    set deny-tcp-with-icmp [enable|disable]
    set ecmp-max-paths {integer}
    set discovered-device-timeout {integer}
    set email-portal-check-dns [disable|enable]
    set default-voip-alg-mode [proxy-based|kernel-helper-based]
    set gui-icap [enable|disable]
    set gui-nat46-64 [enable|disable]
    set gui-implicit-policy [enable|disable]
    set gui-dns-database [enable|disable]
    set gui-load-balance [enable|disable]
    set gui-multicast-policy [enable|disable]
    set gui-dos-policy [enable|disable]
    set gui-object-colors [enable|disable]
    set gui-replacement-message-groups [enable|disable]
    set gui-voip-profile [enable|disable]
    set gui-ap-profile [enable|disable]
    set gui-dynamic-profile-display [enable|disable]
    set gui-local-in-policy [enable|disable]
    set gui-local-reports [enable|disable]
    set gui-wanopt-cache [enable|disable]
    set gui-explicit-proxy [enable|disable]
    set gui-dynamic-routing [enable|disable]
    set gui-sslvpn-personal-bookmarks [enable|disable]
    set gui-sslvpn-realms [enable|disable]
    set gui-policy-based-ipsec [enable|disable]
    set gui-threat-weight [enable|disable]
    set gui-multiple-utm-profiles [enable|disable]
    set gui-spamfilter [enable|disable]
    set gui-application-control [enable|disable]
    set gui-ips [enable|disable]
    set gui-endpoint-control [enable|disable]
    set gui-endpoint-control-advanced [enable|disable]
    set gui-dhcp-advanced [enable|disable]
    set gui-vpn [enable|disable]
    set gui-wireless-controller [enable|disable]
    set gui-switch-controller [enable|disable]
    set gui-fortiap-split-tunneling [enable|disable]
    set gui-webfilter-advanced [enable|disable]
    set gui-traffic-shaping [enable|disable]
    set gui-wan-load-balancing [enable|disable]
    set gui-antivirus [enable|disable]
    set gui-webfilter [enable|disable]
    set gui-dnsfilter [enable|disable]
    set gui-waf-profile [enable|disable]
    set gui-fortiextender-controller [enable|disable]
    set gui-advanced-policy [enable|disable]
    set gui-allow-unnamed-policy [enable|disable]
    set gui-email-collection [enable|disable]
    set gui-domain-ip-reputation [enable|disable]
    set gui-multiple-interface-policy [enable|disable]
    set gui-per-policy-disclaimer [enable|disable]
    set ike-session-resume [enable|disable]
    set ike-quick-crash-detect [enable|disable]
    set ike-dn-format [with-space|no-space]
    set block-land-attack [disable|enable]
end

config system settings

Parameter name | Description | Type | Size
(For option-type parameters, the indented rows beneath the parameter list each accepted value as: Option | Description.)

comments | VDOM comments. | var-string | Maximum length: 255
opmode | Firewall operation mode (NAT or Transparent). | option | -
    nat | Change to NAT mode.
    transparent | Change to transparent mode.
ngfw-mode | Next Generation Firewall (NGFW) mode. | option | -
    profile-based | Application and web-filtering are configured using profiles applied to policy entries.
    policy-based | Application and web-filtering are configured as policy match conditions.
implicit-allow-dns | Enable/disable implicitly allowing DNS traffic. | option | -
    enable | Enable implicitly allowing DNS traffic.
    disable | Disable implicitly allowing DNS traffic.
consolidated-firewall-mode | Consolidated firewall mode. | option | -
    enable | Enable consolidated firewall mode.
    disable | Disable consolidated firewall mode.
http-external-dest | Offload HTTP traffic to FortiWeb or FortiCache. | option | -
    fortiweb | Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.
    forticache | Offload HTTP traffic to FortiCache for external web caching and WAN optimization.
firewall-session-dirty | Select how to manage sessions affected by firewall policy configuration changes. | option | -
    check-all | All sessions affected by a firewall policy change are flushed from the session table. When new packets are received they are re-evaluated by stateful inspection and re-added to the session table.
    check-new | Established sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.
    check-policy-option | Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.
manageip | Transparent mode IPv4 management IP address and netmask. | user | Not Specified
gateway | Transparent mode IPv4 default gateway IP address. | ipv4-address | Not Specified
ip | IP address and netmask. | ipv4-classnet-host | Not Specified
manageip6 | Transparent mode IPv6 management IP address and netmask. | ipv6-prefix | Not Specified
gateway6 | Transparent mode IPv6 default gateway IP address. | ipv6-address | Not Specified
ip6 | IPv6 address prefix for NAT mode. | ipv6-prefix | Not Specified
device | Interface to use for management access for NAT mode. | string | Maximum length: 35
bfd | Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. | option | -
    enable | Enable Bi-directional Forwarding Detection (BFD) on all interfaces.
    disable | Disable Bi-directional Forwarding Detection (BFD) on all interfaces.
bfd-desired-min-tx | BFD desired minimal transmit interval (1 - 100000 ms, default = 50). | integer | Minimum value: 1 Maximum value: 100000
bfd-required-min-rx | BFD required minimal receive interval (1 - 100000 ms, default = 50). | integer | Minimum value: 1 Maximum value: 100000
bfd-detect-mult | BFD detection multiplier (1 - 50, default = 3). | integer | Minimum value: 1 Maximum value: 50
bfd-dont-enforce-src-port | Enable to not enforce verifying the source port of BFD Packets. | option | -
    enable | Enable verifying the source port of BFD Packets.
    disable | Disable verifying the source port of BFD Packets.
utf8-spam-tagging | Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. | option | -
    enable | Convert antispam tags to UTF-8.
    disable | Do not convert antispam tags.
wccp-cache-engine | Enable/disable WCCP cache engine. | option | -
    enable | Enable WCCP cache engine.
    disable | Disable WCCP cache engine.
vpn-stats-log | Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. | option | -
    ipsec | IPsec.
    pptp | PPTP.
    l2tp | L2TP.
    ssl | SSL.
vpn-stats-period | Period to send VPN log statistics (0 or 60 - 86400 sec). | integer | Minimum value: 0 Maximum value: 4294967295
v4-ecmp-mode | IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. | option | -
    source-ip-based | Select next hop based on source IP.
    weight-based | Select next hop based on weight.
    usage-based | Select next hop based on usage.
    source-dest-ip-based | Select next hop based on both source and destination IPs.
mac-ttl | Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300). | integer | Minimum value: 300 Maximum value: 8640000
fw-session-hairpin | Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. | option | -
    enable | Perform a policy check every time.
    disable | Perform a policy check only the first time the session is received.
prp-trailer-action | Enable/disable action to take on PRP trailer. | option | -
    enable | Try to keep PRP trailer.
    disable | Trim PRP trailer.
snat-hairpin-traffic | Enable/disable source NAT (SNAT) for hairpin traffic. | option | -
    enable | Enable SNAT for hairpin traffic.
    disable | Disable SNAT for hairpin traffic.
dhcp-proxy | Enable/disable the DHCP Proxy. | option | -
    enable | Enable the DHCP proxy.
    disable | Disable the DHCP proxy.
dhcp-proxy-interface-select-method | Specify how to select outgoing interface to reach server. | option | -
    auto | Set outgoing interface automatically.
    sdwan | Set outgoing interface by SD-WAN or policy routing rules.
    specify | Set outgoing interface manually.
dhcp-proxy-interface | Specify outgoing interface to reach server. | string | Maximum length: 15
dhcp-server-ip | DHCP Server IPv4 address. | user | Not Specified
dhcp6-server-ip | DHCPv6 server IPv6 address. | user | Not Specified
central-nat | Enable/disable central NAT. | option | -
    enable | Enable central NAT.
    disable | Disable central NAT.
gui-default-policy-columns <name> | Default columns to display for policy lists on GUI. Select column name. | string | Maximum length: 79
lldp-reception | Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM. | option | -
    enable | Enable LLDP reception for this VDOM.
    disable | Disable LLDP reception for this VDOM.
    global | Use the global LLDP reception configuration for this VDOM.
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM. | option | -
    enable | Enable LLDP transmission for this VDOM.
    disable | Disable LLDP transmission for this VDOM.
    global | Use the global LLDP transmission configuration for this VDOM.
link-down-access | Enable/disable link down access traffic. | option | -
    enable | Allow link down access traffic.
    disable | Block link down access traffic.
auxiliary-session | Enable/disable auxiliary session. | option | -
    enable | Enable auxiliary session for this VDOM.
    disable | Disable auxiliary session for this VDOM.
asymroute | Enable/disable IPv4 asymmetric routing. | option | -
    enable | Enable IPv4 asymmetric routing.
    disable | Disable IPv4 asymmetric routing.
asymroute-icmp | Enable/disable ICMP asymmetric routing. | option | -
    enable | Enable ICMP asymmetric routing.
    disable | Disable ICMP asymmetric routing.
tcp-session-without-syn | Enable/disable allowing TCP session without SYN flags. | option | -
    enable | Allow TCP session without SYN flags.
    disable | Do not allow TCP session without SYN flags.
ses-denied-traffic | Enable/disable including denied session in the session table. | option | -
    enable | Include denied sessions in the session table.
    disable | Do not add denied sessions to the session table.
strict-src-check | Enable/disable strict source verification. | option | -
    enable | Enable strict source verification.
    disable | Disable strict source verification.
allow-linkdown-path | Enable/disable link down path. | option | -
    enable | Allow link down path.
    disable | Do not allow link down path.
asymroute6 | Enable/disable asymmetric IPv6 routing. | option | -
    enable | Enable asymmetric IPv6 routing.
    disable | Disable asymmetric IPv6 routing.
asymroute6-icmp | Enable/disable asymmetric ICMPv6 routing. | option | -
    enable | Enable asymmetric ICMPv6 routing.
    disable | Disable asymmetric ICMPv6 routing.
sctp-session-without-init | Enable/disable SCTP session creation without SCTP INIT. | option | -
    enable | Enable SCTP session creation without SCTP INIT.
    disable | Disable SCTP session creation without SCTP INIT.
sip-expectation | Enable/disable the SIP kernel session helper to create an expectation for port 5060. | option | -
    enable | Allow SIP session helper to create an expectation for port 5060.
    disable | Prevent SIP session helper from creating an expectation for port 5060.
sip-nat-trace | Enable/disable recording the original SIP source IP address when NAT is used. | option | -
    enable | Record the original SIP source IP address when NAT is used.
    disable | Do not record the original SIP source IP address when NAT is used.
status | Enable/disable this VDOM. | option | -
    enable | Enable this VDOM.
    disable | Disable this VDOM.
sip-tcp-port | TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). | integer | Minimum value: 1 Maximum value: 65535
sip-udp-port | UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). | integer | Minimum value: 1 Maximum value: 65535
sip-ssl-port | TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061). | integer | Minimum value: 0 Maximum value: 65535
sccp-port | TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000). | integer | Minimum value: 0 Maximum value: 65535
multicast-forward | Enable/disable multicast forwarding. | option | -
    enable | Enable multicast forwarding.
    disable | Disable multicast forwarding.
multicast-ttl-notchange | Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. | option | -
    enable | The multicast TTL is not changed.
    disable | The multicast TTL may be changed.
multicast-skip-policy | Enable/disable allowing multicast traffic through the FortiGate without a policy check. | option | -
    enable | Allow multicast traffic through the FortiGate without creating a multicast firewall policy.
    disable | Require a multicast policy to allow multicast traffic to pass through the FortiGate.
allow-subnet-overlap | Enable/disable allowing interface subnets to use overlapping IP addresses. | option | -
    enable | Enable overlapping subnets.
    disable | Disable overlapping subnets.
deny-tcp-with-icmp | Enable/disable denying TCP by sending an ICMP communication prohibited packet. | option | -
    enable | Deny TCP with ICMP.
    disable | Disable denying TCP with ICMP.
ecmp-max-paths | Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255). | integer | Minimum value: 1 Maximum value: 255
discovered-device-timeout | Timeout for discovered devices (1 - 365 days, default = 28). | integer | Minimum value: 1 Maximum value: 365
email-portal-check-dns | Enable/disable using DNS to validate email addresses collected by a captive portal. | option | -
    disable | Disable email address checking with DNS.
    enable | Enable email address checking with DNS.
default-voip-alg-mode | Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. | option | -
    proxy-based | Use a default proxy-based VoIP ALG.
    kernel-helper-based | Use the SIP session helper.
gui-icap | Enable/disable ICAP on the GUI. | option | -
    enable | Enable ICAP on the GUI.
    disable | Disable ICAP on the GUI.
gui-nat46-64 | Enable/disable NAT46 and NAT64 settings on the GUI. | option | -
    enable | Enable NAT46 and NAT64 settings on the GUI.
    disable | Disable NAT46 and NAT64 settings on the GUI.
gui-implicit-policy | Enable/disable implicit firewall policies on the GUI. | option | -
    enable | Enable implicit firewall policies on the GUI.
    disable | Disable implicit firewall policies on the GUI.
gui-dns-database | Enable/disable DNS database settings on the GUI. | option | -
    enable | Enable DNS database settings on the GUI.
    disable | Disable DNS database settings on the GUI.
gui-load-balance | Enable/disable server load balancing on the GUI. | option | -
    enable | Enable server load balancing on the GUI.
    disable | Disable server load balancing on the GUI.
gui-multicast-policy | Enable/disable multicast firewall policies on the GUI. | option | -
    enable | Enable multicast firewall policies on the GUI.
    disable | Disable multicast firewall policies on the GUI.
gui-dos-policy | Enable/disable DoS policies on the GUI. | option | -
    enable | Enable DoS policies on the GUI.
    disable | Disable DoS policies on the GUI.
gui-object-colors | Enable/disable object colors on the GUI. | option | -
    enable | Enable object colors on the GUI.
    disable | Disable object colors on the GUI.
gui-replacement-message-groups | Enable/disable replacement message groups on the GUI. | option | -
    enable | Enable replacement message groups on the GUI.
    disable | Disable replacement message groups on the GUI.
gui-voip-profile | Enable/disable VoIP profiles on the GUI. | option | -
    enable | Enable VoIP profiles on the GUI.
    disable | Disable VoIP profiles on the GUI.
gui-ap-profile | Enable/disable FortiAP profiles on the GUI. | option | -
    enable | Enable FortiAP profiles on the GUI.
    disable | Disable FortiAP profiles on the GUI.
gui-dynamic-profile-display | Enable/disable RADIUS Single Sign On (RSSO) on the GUI. | option | -
    enable | Enable RADIUS Single Sign On (RSSO) on the GUI.
    disable | Disable RADIUS Single Sign On (RSSO) on the GUI.
gui-local-in-policy | Enable/disable Local-In policies on the GUI. | option | -
    enable | Enable Local-In policies on the GUI.
    disable | Disable Local-In policies on the GUI.
gui-local-reports | Enable/disable local reports on the GUI. | option | -
    enable | Enable local reports on the GUI.
    disable | Disable local reports on the GUI.
gui-wanopt-cache | Enable/disable WAN Optimization and Web Caching on the GUI. | option | -
    enable | Enable WAN Optimization and Web Caching on the GUI.
    disable | Disable WAN Optimization and Web Caching on the GUI.
gui-explicit-proxy | Enable/disable the explicit proxy on the GUI. | option | -