Fortinet black logo

CLI Reference

config system settings

config system settings

Configure VDOM settings.

config system settings

Description: Configure VDOM settings.

set comments {var-string}

set opmode [nat|transparent]

set ngfw-mode [profile-based|policy-based]

set implicit-allow-dns [enable|disable]

set consolidated-firewall-mode [enable|disable]

set http-external-dest [fortiweb|forticache]

set firewall-session-dirty [check-all|check-new|...]

set manageip {user}

set gateway {ipv4-address}

set ip {ipv4-classnet-host}

set manageip6 {ipv6-prefix}

set gateway6 {ipv6-address}

set ip6 {ipv6-prefix}

set device {string}

set bfd [enable|disable]

set bfd-desired-min-tx {integer}

set bfd-required-min-rx {integer}

set bfd-detect-mult {integer}

set bfd-dont-enforce-src-port [enable|disable]

set utf8-spam-tagging [enable|disable]

set wccp-cache-engine [enable|disable]

set vpn-stats-log {option1}, {option2}, ...

set vpn-stats-period {integer}

set v4-ecmp-mode [source-ip-based|weight-based|...]

set mac-ttl {integer}

set fw-session-hairpin [enable|disable]

set prp-trailer-action [enable|disable]

set snat-hairpin-traffic [enable|disable]

set dhcp-proxy [enable|disable]

set dhcp-proxy-interface-select-method [auto|sdwan|...]

set dhcp-proxy-interface {string}

set dhcp-server-ip {user}

set dhcp6-server-ip {user}

set central-nat [enable|disable]

set gui-default-policy-columns <name1>, <name2>, ...

set lldp-reception [enable|disable|...]

set lldp-transmission [enable|disable|...]

set link-down-access [enable|disable]

set auxiliary-session [enable|disable]

set asymroute [enable|disable]

set asymroute-icmp [enable|disable]

set tcp-session-without-syn [enable|disable]

set ses-denied-traffic [enable|disable]

set strict-src-check [enable|disable]

set allow-linkdown-path [enable|disable]

set asymroute6 [enable|disable]

set asymroute6-icmp [enable|disable]

set sctp-session-without-init [enable|disable]

set sip-expectation [enable|disable]

set sip-nat-trace [enable|disable]

set status [enable|disable]

set sip-tcp-port {integer}

set sip-udp-port {integer}

set sip-ssl-port {integer}

set sccp-port {integer}

set multicast-forward [enable|disable]

set multicast-ttl-notchange [enable|disable]

set multicast-skip-policy [enable|disable]

set allow-subnet-overlap [enable|disable]

set deny-tcp-with-icmp [enable|disable]

set ecmp-max-paths {integer}

set discovered-device-timeout {integer}

set email-portal-check-dns [disable|enable]

set default-voip-alg-mode [proxy-based|kernel-helper-based]

set gui-icap [enable|disable]

set gui-nat46-64 [enable|disable]

set gui-implicit-policy [enable|disable]

set gui-dns-database [enable|disable]

set gui-load-balance [enable|disable]

set gui-multicast-policy [enable|disable]

set gui-dos-policy [enable|disable]

set gui-object-colors [enable|disable]

set gui-replacement-message-groups [enable|disable]

set gui-voip-profile [enable|disable]

set gui-ap-profile [enable|disable]

set gui-dynamic-profile-display [enable|disable]

set gui-local-in-policy [enable|disable]

set gui-local-reports [enable|disable]

set gui-wanopt-cache [enable|disable]

set gui-explicit-proxy [enable|disable]

set gui-dynamic-routing [enable|disable]

set gui-sslvpn-personal-bookmarks [enable|disable]

set gui-sslvpn-realms [enable|disable]

set gui-policy-based-ipsec [enable|disable]

set gui-threat-weight [enable|disable]

set gui-multiple-utm-profiles [enable|disable]

set gui-spamfilter [enable|disable]

set gui-application-control [enable|disable]

set gui-ips [enable|disable]

set gui-endpoint-control [enable|disable]

set gui-endpoint-control-advanced [enable|disable]

set gui-dhcp-advanced [enable|disable]

set gui-vpn [enable|disable]

set gui-wireless-controller [enable|disable]

set gui-switch-controller [enable|disable]

set gui-fortiap-split-tunneling [enable|disable]

set gui-webfilter-advanced [enable|disable]

set gui-traffic-shaping [enable|disable]

set gui-wan-load-balancing [enable|disable]

set gui-antivirus [enable|disable]

set gui-webfilter [enable|disable]

set gui-dnsfilter [enable|disable]

set gui-waf-profile [enable|disable]

set gui-fortiextender-controller [enable|disable]

set gui-advanced-policy [enable|disable]

set gui-allow-unnamed-policy [enable|disable]

set gui-email-collection [enable|disable]

set gui-domain-ip-reputation [enable|disable]

set gui-multiple-interface-policy [enable|disable]

set gui-per-policy-disclaimer [enable|disable]

set ike-session-resume [enable|disable]

set ike-quick-crash-detect [enable|disable]

set ike-dn-format [with-space|no-space]

set block-land-attack [disable|enable]

end

config system settings

Parameter name

Description

Type

Size

comments

VDOM comments.

var-string

Maximum length: 255

opmode

Firewall operation mode (NAT or Transparent).

option

-

Option

Description

nat

Change to NAT mode.

transparent

Change to transparent mode.

ngfw-mode

Next Generation Firewall (NGFW) mode.

option

-

Option

Description

profile-based

Application and web-filtering are configured using profiles applied to policy entries.

policy-based

Application and web-filtering are configured as policy match conditions.

implicit-allow-dns

Enable/disable implicitly allowing DNS traffic.

option

-

Option

Description

enable

Enable implicitly allowing DNS traffic.

disable

Disable implicitly allowing DNS traffic.

consolidated-firewall-mode

Consolidated firewall mode.

option

-

Option

Description

enable

Enable consolidated firewall mode.

disable

Disable consolidated firewall mode.

http-external-dest

Offload HTTP traffic to FortiWeb or FortiCache.

option

-

Option

Description

fortiweb

Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.

forticache

Offload HTTP traffic to FortiCache for external web caching and WAN optimization.

firewall-session-dirty

Select how to manage sessions affected by firewall policy configuration changes.

option

-

Option

Description

check-all

All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.

check-new

Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.

check-policy-option

Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.

manageip

Transparent mode IPv4 management IP address and netmask.

user

Not Specified

gateway

Transparent mode IPv4 default gateway IP address.

ipv4-address

Not Specified

ip

IP address and netmask.

ipv4-classnet-host

Not Specified

manageip6

Transparent mode IPv6 management IP address and netmask.

ipv6-prefix

Not Specified

gateway6

Transparent mode IPv4 default gateway IP address.

ipv6-address

Not Specified

ip6

IPv6 address prefix for NAT mode.

ipv6-prefix

Not Specified

device

Interface to use for management access for NAT mode.

string

Maximum length: 35

bfd

Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.

option

-

Option

Description

enable

Enable Bi-directional Forwarding Detection (BFD) on all interfaces.

disable

Disable Bi-directional Forwarding Detection (BFD) on all interfaces.

bfd-desired-min-tx

BFD desired minimal transmit interval (1 - 100000 ms, default = 50).

integer

Minimum value: 1 Maximum value: 100000

bfd-required-min-rx

BFD required minimal receive interval (1 - 100000 ms, default = 50).

integer

Minimum value: 1 Maximum value: 100000

bfd-detect-mult

BFD detection multiplier (1 - 50, default = 3).

integer

Minimum value: 1 Maximum value: 50

bfd-dont-enforce-src-port

Enable to not enforce verifying the source port of BFD Packets.

option

-

Option

Description

enable

Enable verifying the source port of BFD Packets.

disable

Disable verifying the source port of BFD Packets.

utf8-spam-tagging

Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.

option

-

Option

Description

enable

Convert antispam tags to UTF-8.

disable

Do not convert antispam tags.

wccp-cache-engine

Enable/disable WCCP cache engine.

option

-

Option

Description

enable

Enable WCCP cache engine.

disable

Disable WCCP cache engine.

vpn-stats-log

Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.

option

-

Option

Description

ipsec

IPsec.

pptp

PPTP.

l2tp

L2TP.

ssl

SSL.

vpn-stats-period

Period to send VPN log statistics (0 or 60 - 86400 sec).

integer

Minimum value: 0 Maximum value: 4294967295

v4-ecmp-mode

IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.

option

-

Option

Description

source-ip-based

Select next hop based on source IP.

weight-based

Select next hop based on weight.

usage-based

Select next hop based on usage.

source-dest-ip-based

Select next hop based on both source and destination IPs.

mac-ttl

Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300).

integer

Minimum value: 300 Maximum value: 8640000

fw-session-hairpin

Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.

option

-

Option

Description

enable

Perform a policy check every time.

disable

Perform a policy check only the first time the session is received.

prp-trailer-action

Enable/disable action to take on PRP trailer.

option

-

Option

Description

enable

Try to keep PRP trailer.

disable

Trim PRP trailer.

snat-hairpin-traffic

Enable/disable source NAT (SNAT) for hairpin traffic.

option

-

Option

Description

enable

Enable SNAT for hairpin traffic.

disable

Disable SNAT for hairpin traffic.

dhcp-proxy

Enable/disable the DHCP Proxy.

option

-

Option

Description

enable

Enable the DHCP proxy.

disable

Disable the DHCP proxy.

dhcp-proxy-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-proxy-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-server-ip

DHCP Server IPv4 address.

user

Not Specified

dhcp6-server-ip

DHCPv6 server IPv6 address.

user

Not Specified

central-nat

Enable/disable central NAT.

option

-

Option

Description

enable

Enable central NAT.

disable

Disable central NAT.

gui-default-policy-columns <name>

Default columns to display for policy lists on GUI.

Select column name.

string

Maximum length: 79

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM.

option

-

Option

Description

enable

Enable LLDP reception for this VDOM.

disable

Disable LLDP reception for this VDOM.

global

Use the global LLDP reception configuration for this VDOM.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM.

option

-

Option

Description

enable

Enable LLDP transmission for this VDOM.

disable

Disable LLDP transmission for this VDOM.

global

Use the global LLDP transmission configuration for this VDOM.

link-down-access

Enable/disable link down access traffic.

option

-

Option

Description

enable

Allow link down access traffic.

disable

Block link down access traffic.

auxiliary-session

Enable/disable auxiliary session.

option

-

Option

Description

enable

Enable auxiliary session for this VDOM.

disable

Disable auxiliary session for this VDOM.

asymroute

Enable/disable IPv4 asymmetric routing.

option

-

Option

Description

enable

Enable IPv4 asymmetric routing.

disable

Disable IPv4 asymmetric routing.

asymroute-icmp

Enable/disable ICMP asymmetric routing.

option

-

Option

Description

enable

Enable ICMP asymmetric routing.

disable

Disable ICMP asymmetric routing.

tcp-session-without-syn

Enable/disable allowing TCP session without SYN flags.

option

-

Option

Description

enable

Allow TCP session without SYN flags.

disable

Do not allow TCP session without SYN flags.

ses-denied-traffic

Enable/disable including denied session in the session table.

option

-

Option

Description

enable

Include denied sessions in the session table.

disable

Do not add denied sessions to the session table.

strict-src-check

Enable/disable strict source verification.

option

-

Option

Description

enable

Enable strict source verification.

disable

Disable strict source verification.

allow-linkdown-path

Enable/disable link down path.

option

-

Option

Description

enable

Allow link down path.

disable

Do not allow link down path.

asymroute6

Enable/disable asymmetric IPv6 routing.

option

-

Option

Description

enable

Enable asymmetric IPv6 routing.

disable

Disable asymmetric IPv6 routing.

asymroute6-icmp

Enable/disable asymmetric ICMPv6 routing.

option

-

Option

Description

enable

Enable asymmetric ICMPv6 routing.

disable

Disable asymmetric ICMPv6 routing.

sctp-session-without-init

Enable/disable SCTP session creation without SCTP INIT.

option

-

Option

Description

enable

Enable SCTP session creation without SCTP INIT.

disable

Disable SCTP session creation without SCTP INIT.

sip-expectation

Enable/disable the SIP kernel session helper to create an expectation for port 5060.

option

-

Option

Description

enable

Allow SIP session helper to create an expectation for port 5060.

disable

Prevent SIP session helper from creating an expectation for port 5060.

sip-nat-trace

Enable/disable recording the original SIP source IP address when NAT is used.

option

-

Option

Description

enable

Record the original SIP source IP address when NAT is used.

disable

Do not record the original SIP source IP address when NAT is used.

status

Enable/disable this VDOM.

option

-

Option

Description

enable

Enable this VDOM.

disable

Disable this VDOM.

sip-tcp-port

TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).

integer

Minimum value: 1 Maximum value: 65535

sip-udp-port

UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).

integer

Minimum value: 1 Maximum value: 65535

sip-ssl-port

TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061).

integer

Minimum value: 0 Maximum value: 65535

sccp-port

TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000).

integer

Minimum value: 0 Maximum value: 65535

multicast-forward

Enable/disable multicast forwarding.

option

-

Option

Description

enable

Enable multicast forwarding.

disable

Disable multicast forwarding.

multicast-ttl-notchange

Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.

option

-

Option

Description

enable

The multicast TTL is not changed.

disable

The multicast TTL may be changed.

multicast-skip-policy

Enable/disable allowing multicast traffic through the FortiGate without a policy check.

option

-

Option

Description

enable

Allowing multicast traffic through the FortiGate without creating a multicast firewall policy.

disable

Require a multicast policy to allow multicast traffic to pass through the FortiGate.

allow-subnet-overlap

Enable/disable allowing interface subnets to use overlapping IP addresses.

option

-

Option

Description

enable

Enable overlapping subnets.

disable

Disable overlapping subnets.

deny-tcp-with-icmp

Enable/disable denying TCP by sending an ICMP communication prohibited packet.

option

-

Option

Description

enable

Deny TCP with ICMP.

disable

Disable denying TCP with ICMP.

ecmp-max-paths

Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255).

integer

Minimum value: 1 Maximum value: 255

discovered-device-timeout

Timeout for discovered devices (1 - 365 days, default = 28).

integer

Minimum value: 1 Maximum value: 365

email-portal-check-dns

Enable/disable using DNS to validate email addresses collected by a captive portal.

option

-

Option

Description

disable

Disable email address checking with DNS.

enable

Enable email address checking with DNS.

default-voip-alg-mode

Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.

option

-

Option

Description

proxy-based

Use a default proxy-based VoIP ALG.

kernel-helper-based

Use the SIP session helper.

gui-icap

Enable/disable ICAP on the GUI.

option

-

Option

Description

enable

Enable ICAP on the GUI.

disable

Disable ICAP on the GUI.

gui-nat46-64

Enable/disable NAT46 and NAT64 settings on the GUI.

option

-

Option

Description

enable

Enable NAT46 and NAT64 settings on the GUI.

disable

Disable NAT46 and NAT64 settings on the GUI.

gui-implicit-policy

Enable/disable implicit firewall policies on the GUI.

option

-

Option

Description

enable

Enable implicit firewall policies on the GUI.

disable

Disable implicit firewall policies on the GUI.

gui-dns-database

Enable/disable DNS database settings on the GUI.

option

-

Option

Description

enable

Enable DNS database settings on the GUI.

disable

Disable DNS database settings on the GUI.

gui-load-balance

Enable/disable server load balancing on the GUI.

option

-

Option

Description

enable

Enable server load balancing on the GUI.

disable

Disable server load balancing on the GUI.

gui-multicast-policy

Enable/disable multicast firewall policies on the GUI.

option

-

Option

Description

enable

Enable multicast firewall policies on the GUI.

disable

Disable multicast firewall policies on the GUI.

gui-dos-policy

Enable/disable DoS policies on the GUI.

option

-

Option

Description

enable

Enable DoS policies on the GUI.

disable

Disable DoS policies on the GUI.

gui-object-colors

Enable/disable object colors on the GUI.

option

-

Option

Description

enable

Enable object colors on the GUI.

disable

Disable object colors on the GUI.

gui-replacement-message-groups

Enable/disable replacement message groups on the GUI.

option

-

Option

Description

enable

Enable replacement message groups on the GUI.

disable

Disable replacement message groups on the GUI.

gui-voip-profile

Enable/disable VoIP profiles on the GUI.

option

-

Option

Description

enable

Enable VoIP profiles on the GUI.

disable

Disable VoIP profiles on the GUI.

gui-ap-profile

Enable/disable FortiAP profiles on the GUI.

option

-

Option

Description

enable

Enable FortiAP profiles on the GUI.

disable

Disable FortiAP profiles on the GUI.

gui-dynamic-profile-display

Enable/disable RADIUS Single Sign On (RSSO) on the GUI.

option

-

Option

Description

enable

Enable RADIUS Single Sign On (RSSO) on the GUI.

disable

Disable RADIUS Single Sign On (RSSO) on the GUI.

gui-local-in-policy

Enable/disable Local-In policies on the GUI.

option

-

Option

Description

enable

Enable Local-In policies on the GUI.

disable

Disable Local-In policies on the GUI.

gui-local-reports

Enable/disable local reports on the GUI.

option

-

Option

Description

enable

Enable local reports on the GUI.

disable

Disable local reports on the GUI.

gui-wanopt-cache

Enable/disable WAN Optimization and Web Caching on the GUI.

option

-

Option

Description

enable

Enable WAN Optimization and Web Caching on the GUI.

disable

Disable WAN Optimization and Web Caching on the GUI.

gui-explicit-proxy

Enable/disable the explicit proxy on the GUI.

option

-

Option

Description

enable

Enable the explicit proxy on the GUI.

disable

Disable the explicit proxy on the GUI.

gui-dynamic-routing

Enable/disable dynamic routing on the GUI.

option

-

Option

Description

enable

Enable dynamic routing on the GUI.

disable

Disable dynamic routing on the GUI.

gui-sslvpn-personal-bookmarks

Enable/disable SSL-VPN personal bookmark management on the GUI.

option

-

Option

Description

enable

Enable SSL-VPN personal bookmark management on the GUI.

disable

Disable SSL-VPN personal bookmark management on the GUI.

gui-sslvpn-realms

Enable/disable SSL-VPN realms on the GUI.

option

-

Option

Description

enable

Enable SSL-VPN realms on the GUI.

disable

Disable SSL-VPN realms on the GUI.

gui-policy-based-ipsec

Enable/disable policy-based IPsec VPN on the GUI.

option

-

Option

Description

enable

Enable policy-based IPsec VPN on the GUI.

disable

Disable policy-based IPsec VPN on the GUI.

gui-threat-weight

Enable/disable threat weight on the GUI.

option

-

Option

Description

enable

Enable threat weight on the GUI.

disable

Disable threat weight on the GUI.

gui-multiple-utm-profiles

Enable/disable multiple UTM profiles on the GUI.

option

-

Option

Description

enable

Enable multiple UTM profiles on the GUI.

disable

Disable multiple UTM profiles on the GUI.

gui-spamfilter

Enable/disable Antispam on the GUI.

option

-

Option

Description

enable

Enable Antispam on the GUI.

disable

Disable Antispam on the GUI.

gui-application-control

Enable/disable application control on the GUI.

option

-

Option

Description

enable

Enable application control on the GUI.

disable

Disable application control on the GUI.

gui-ips

Enable/disable IPS on the GUI.

option

-

Option

Description

enable

Enable IPS on the GUI.

disable

Disable IPS on the GUI.

gui-endpoint-control

Enable/disable endpoint control on the GUI.

option

-

Option

Description

enable

Enable endpoint control on the GUI.

disable

Disable endpoint control on the GUI.

gui-endpoint-control-advanced

Enable/disable advanced endpoint control options on the GUI.

option

-

Option

Description

enable

Enable advanced endpoint control options on the GUI.

disable

Disable advanced endpoint control options on the GUI.

gui-dhcp-advanced

Enable/disable advanced DHCP options on the GUI.

option

-

Option

Description

enable

Enable advanced DHCP options on the GUI.

disable

Disable advanced DHCP options on the GUI.

gui-vpn

Enable/disable VPN tunnels on the GUI.

option

-

Option

Description

enable

Enable VPN tunnels on the GUI.

disable

Disable VPN tunnels on the GUI.

gui-wireless-controller

Enable/disable the wireless controller on the GUI.

option

-

Option

Description

enable

Enable the wireless controller on the GUI.

disable

Disable the wireless controller on the GUI.

gui-switch-controller

Enable/disable the switch controller on the GUI.

option

-

Option

Description

enable

Enable the switch controller on the GUI.

disable

Disable the switch controller on the GUI.

gui-fortiap-split-tunneling

Enable/disable FortiAP split tunneling on the GUI.

option

-

Option

Description

enable

Enable FortiAP split tunneling on the GUI.

disable

Disable FortiAP split tunneling on the GUI.

gui-webfilter-advanced

Enable/disable advanced web filtering on the GUI.

option

-

Option

Description

enable

Enable advanced web filtering on the GUI.

disable

Disable advanced web filtering on the GUI.

gui-traffic-shaping

Enable/disable traffic shaping on the GUI.

option

-

Option

Description

enable

Enable traffic shaping on the GUI.

disable

Disable traffic shaping on the GUI.

gui-wan-load-balancing

Enable/disable SD-WAN on the GUI.

option

-

Option

Description

enable

Enable SD-WAN on the GUI.

disable

Disable SD-WAN on the GUI.

gui-antivirus

Enable/disable AntiVirus on the GUI.

option

-

Option

Description

enable

Enable AntiVirus on the GUI.

disable

Disable AntiVirus on the GUI.

gui-webfilter

Enable/disable Web filtering on the GUI.

option

-

Option

Description

enable

Enable Web filtering on the GUI.

disable

Disable Web filtering on the GUI.

gui-dnsfilter

Enable/disable DNS Filtering on the GUI.

option

-

Option

Description

enable

Enable DNS Filtering on the GUI.

disable

Disable DNS Filtering on the GUI.

gui-waf-profile

Enable/disable Web Application Firewall on the GUI.

option

-

Option

Description

enable

Enable Web Application Firewall on the GUI.

disable

Disable Web Application Firewall on the GUI.

gui-fortiextender-controller

Enable/disable FortiExtender on the GUI.

option

-

Option

Description

enable

Enable FortiExtender on the GUI.

disable

Disable FortiExtender on the GUI.

gui-advanced-policy

Enable/disable advanced policy configuration on the GUI.

option

-

Option

Description

enable

Enable advanced policy configuration on the GUI.

disable

Disable advanced policy configuration on the GUI.

gui-allow-unnamed-policy

Enable/disable the requirement for policy naming on the GUI.

option

-

Option

Description

enable

Enable the requirement for policy naming on the GUI.

disable

Disable the requirement for policy naming on the GUI.

gui-email-collection

Enable/disable email collection on the GUI.

option

-

Option

Description

enable

Enable email collection on the GUI.

disable

Disable email collection on the GUI.

gui-domain-ip-reputation

Enable/disable Domain and IP Reputation on the GUI.

option

-

Option

Description

enable

Enable Domain and IP Reputation on the GUI.

disable

Disable Domain and IP Reputation on the GUI.

gui-multiple-interface-policy

Enable/disable adding multiple interfaces to a policy on the GUI.

option

-

Option

Description

enable

Enable adding multiple interfaces to a policy on the GUI.

disable

Disable adding multiple interfaces to a policy on the GUI.

gui-per-policy-disclaimer

Enable/disable policy disclaimer on the GUI.

option

-

Option

Description

enable

Enable policy disclaimer on the GUI.

disable

Disable policy disclaimer on the GUI.

ike-session-resume

Enable/disable IKEv2 session resumption (RFC 5723).

option

-

Option

Description

enable

Enable IKEv2 session resumption (RFC 5723).

disable

Disable IKEv2 session resumption (RFC 5723).

ike-quick-crash-detect

Enable/disable IKE quick crash detection (RFC 6290).

option

-

Option

Description

enable

Enable IKE quick crash detection (RFC 6290).

disable

Disable IKE quick crash detection (RFC 6290).

ike-dn-format

Configure IKE ASN.1 Distinguished Name format conventions.

option

-

Option

Description

with-space

Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.

no-space

Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.

block-land-attack

Enable/disable blocking of land attacks.

option

-

Option

Description

disable

Do not block land attack.

enable

Block land attack.

config system settings

Configure VDOM settings.

config system settings

Description: Configure VDOM settings.

set comments {var-string}

set opmode [nat|transparent]

set ngfw-mode [profile-based|policy-based]

set implicit-allow-dns [enable|disable]

set consolidated-firewall-mode [enable|disable]

set http-external-dest [fortiweb|forticache]

set firewall-session-dirty [check-all|check-new|...]

set manageip {user}

set gateway {ipv4-address}

set ip {ipv4-classnet-host}

set manageip6 {ipv6-prefix}

set gateway6 {ipv6-address}

set ip6 {ipv6-prefix}

set device {string}

set bfd [enable|disable]

set bfd-desired-min-tx {integer}

set bfd-required-min-rx {integer}

set bfd-detect-mult {integer}

set bfd-dont-enforce-src-port [enable|disable]

set utf8-spam-tagging [enable|disable]

set wccp-cache-engine [enable|disable]

set vpn-stats-log {option1}, {option2}, ...

set vpn-stats-period {integer}

set v4-ecmp-mode [source-ip-based|weight-based|...]

set mac-ttl {integer}

set fw-session-hairpin [enable|disable]

set prp-trailer-action [enable|disable]

set snat-hairpin-traffic [enable|disable]

set dhcp-proxy [enable|disable]

set dhcp-proxy-interface-select-method [auto|sdwan|...]

set dhcp-proxy-interface {string}

set dhcp-server-ip {user}

set dhcp6-server-ip {user}

set central-nat [enable|disable]

set gui-default-policy-columns <name1>, <name2>, ...

set lldp-reception [enable|disable|...]

set lldp-transmission [enable|disable|...]

set link-down-access [enable|disable]

set auxiliary-session [enable|disable]

set asymroute [enable|disable]

set asymroute-icmp [enable|disable]

set tcp-session-without-syn [enable|disable]

set ses-denied-traffic [enable|disable]

set strict-src-check [enable|disable]

set allow-linkdown-path [enable|disable]

set asymroute6 [enable|disable]

set asymroute6-icmp [enable|disable]

set sctp-session-without-init [enable|disable]

set sip-expectation [enable|disable]

set sip-nat-trace [enable|disable]

set status [enable|disable]

set sip-tcp-port {integer}

set sip-udp-port {integer}

set sip-ssl-port {integer}

set sccp-port {integer}

set multicast-forward [enable|disable]

set multicast-ttl-notchange [enable|disable]

set multicast-skip-policy [enable|disable]

set allow-subnet-overlap [enable|disable]

set deny-tcp-with-icmp [enable|disable]

set ecmp-max-paths {integer}

set discovered-device-timeout {integer}

set email-portal-check-dns [disable|enable]

set default-voip-alg-mode [proxy-based|kernel-helper-based]

set gui-icap [enable|disable]

set gui-nat46-64 [enable|disable]

set gui-implicit-policy [enable|disable]

set gui-dns-database [enable|disable]

set gui-load-balance [enable|disable]

set gui-multicast-policy [enable|disable]

set gui-dos-policy [enable|disable]

set gui-object-colors [enable|disable]

set gui-replacement-message-groups [enable|disable]

set gui-voip-profile [enable|disable]

set gui-ap-profile [enable|disable]

set gui-dynamic-profile-display [enable|disable]

set gui-local-in-policy [enable|disable]

set gui-local-reports [enable|disable]

set gui-wanopt-cache [enable|disable]

set gui-explicit-proxy [enable|disable]

set gui-dynamic-routing [enable|disable]

set gui-sslvpn-personal-bookmarks [enable|disable]

set gui-sslvpn-realms [enable|disable]

set gui-policy-based-ipsec [enable|disable]

set gui-threat-weight [enable|disable]

set gui-multiple-utm-profiles [enable|disable]

set gui-spamfilter [enable|disable]

set gui-application-control [enable|disable]

set gui-ips [enable|disable]

set gui-endpoint-control [enable|disable]

set gui-endpoint-control-advanced [enable|disable]

set gui-dhcp-advanced [enable|disable]

set gui-vpn [enable|disable]

set gui-wireless-controller [enable|disable]

set gui-switch-controller [enable|disable]

set gui-fortiap-split-tunneling [enable|disable]

set gui-webfilter-advanced [enable|disable]

set gui-traffic-shaping [enable|disable]

set gui-wan-load-balancing [enable|disable]

set gui-antivirus [enable|disable]

set gui-webfilter [enable|disable]

set gui-dnsfilter [enable|disable]

set gui-waf-profile [enable|disable]

set gui-fortiextender-controller [enable|disable]

set gui-advanced-policy [enable|disable]

set gui-allow-unnamed-policy [enable|disable]

set gui-email-collection [enable|disable]

set gui-domain-ip-reputation [enable|disable]

set gui-multiple-interface-policy [enable|disable]

set gui-per-policy-disclaimer [enable|disable]

set ike-session-resume [enable|disable]

set ike-quick-crash-detect [enable|disable]

set ike-dn-format [with-space|no-space]

set block-land-attack [disable|enable]

end

config system settings

Parameter name

Description

Type

Size

comments

VDOM comments.

var-string

Maximum length: 255

opmode

Firewall operation mode (NAT or Transparent).

option

-

Option

Description

nat

Change to NAT mode.

transparent

Change to transparent mode.

ngfw-mode

Next Generation Firewall (NGFW) mode.

option

-

Option

Description

profile-based

Application and web-filtering are configured using profiles applied to policy entries.

policy-based

Application and web-filtering are configured as policy match conditions.

implicit-allow-dns

Enable/disable implicitly allowing DNS traffic.

option

-

Option

Description

enable

Enable implicitly allowing DNS traffic.

disable

Disable implicitly allowing DNS traffic.

consolidated-firewall-mode

Consolidated firewall mode.

option

-

Option

Description

enable

Enable consolidated firewall mode.

disable

Disable consolidated firewall mode.

http-external-dest

Offload HTTP traffic to FortiWeb or FortiCache.

option

-

Option

Description

fortiweb

Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.

forticache

Offload HTTP traffic to FortiCache for external web caching and WAN optimization.

firewall-session-dirty

Select how to manage sessions affected by firewall policy configuration changes.

option

-

Option

Description

check-all

All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.

check-new

Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.

check-policy-option

Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.

manageip

Transparent mode IPv4 management IP address and netmask.

user

Not Specified

gateway

Transparent mode IPv4 default gateway IP address.

ipv4-address

Not Specified

ip

IP address and netmask.

ipv4-classnet-host

Not Specified

manageip6

Transparent mode IPv6 management IP address and netmask.

ipv6-prefix

Not Specified

gateway6

Transparent mode IPv4 default gateway IP address.

ipv6-address

Not Specified

ip6

IPv6 address prefix for NAT mode.

ipv6-prefix

Not Specified

device

Interface to use for management access for NAT mode.

string

Maximum length: 35

bfd

Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.

option

-

Option

Description

enable

Enable Bi-directional Forwarding Detection (BFD) on all interfaces.

disable

Disable Bi-directional Forwarding Detection (BFD) on all interfaces.

bfd-desired-min-tx

BFD desired minimal transmit interval (1 - 100000 ms, default = 50).

integer

Minimum value: 1 Maximum value: 100000

bfd-required-min-rx

BFD required minimal receive interval (1 - 100000 ms, default = 50).

integer

Minimum value: 1 Maximum value: 100000

bfd-detect-mult

BFD detection multiplier (1 - 50, default = 3).

integer

Minimum value: 1 Maximum value: 50

bfd-dont-enforce-src-port

Enable to not enforce verifying the source port of BFD Packets.

option

-

Option

Description

enable

Enable verifying the source port of BFD Packets.

disable

Disable verifying the source port of BFD Packets.

utf8-spam-tagging

Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.

option

-

Option

Description

enable

Convert antispam tags to UTF-8.

disable

Do not convert antispam tags.

wccp-cache-engine

Enable/disable WCCP cache engine.

option

-

Option

Description

enable

Enable WCCP cache engine.

disable

Disable WCCP cache engine.

vpn-stats-log

Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.

option

-

Option

Description

ipsec

IPsec.

pptp

PPTP.

l2tp

L2TP.

ssl

SSL.

vpn-stats-period

Period to send VPN log statistics (0 or 60 - 86400 sec).

integer

Minimum value: 0 Maximum value: 4294967295

v4-ecmp-mode

IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.

option

-

Option

Description

source-ip-based

Select next hop based on source IP.

weight-based

Select next hop based on weight.

usage-based

Select next hop based on usage.

source-dest-ip-based

Select next hop based on both source and destination IPs.

mac-ttl

Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300).

integer

Minimum value: 300 Maximum value: 8640000

fw-session-hairpin

Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.

option

-

Option

Description

enable

Perform a policy check every time.

disable

Perform a policy check only the first time the session is received.

prp-trailer-action

Enable/disable action to take on PRP trailer.

option

-

Option

Description

enable

Try to keep PRP trailer.

disable

Trim PRP trailer.

snat-hairpin-traffic

Enable/disable source NAT (SNAT) for hairpin traffic.

option

-

Option

Description

enable

Enable SNAT for hairpin traffic.

disable

Disable SNAT for hairpin traffic.

dhcp-proxy

Enable/disable the DHCP Proxy.

option

-

Option

Description

enable

Enable the DHCP proxy.

disable

Disable the DHCP proxy.

dhcp-proxy-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-proxy-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-server-ip

DHCP Server IPv4 address.

user

Not Specified

dhcp6-server-ip

DHCPv6 server IPv6 address.

user

Not Specified

central-nat

Enable/disable central NAT.

option

-

Option

Description

enable

Enable central NAT.

disable

Disable central NAT.

gui-default-policy-columns <name>

Default columns to display for policy lists on GUI.

Select column name.

string

Maximum length: 79

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM.

option

-

Option

Description

enable

Enable LLDP reception for this VDOM.

disable

Disable LLDP reception for this VDOM.

global

Use the global LLDP reception configuration for this VDOM.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM.

option

-

Option

Description

enable

Enable LLDP transmission for this VDOM.

disable

Disable LLDP transmission for this VDOM.

global

Use the global LLDP transmission configuration for this VDOM.

link-down-access

Enable/disable link down access traffic.

option

-

Option

Description

enable

Allow link down access traffic.

disable

Block link down access traffic.

auxiliary-session

Enable/disable auxiliary session.

option

-

Option

Description

enable

Enable auxiliary session for this VDOM.

disable

Disable auxiliary session for this VDOM.

asymroute

Enable/disable IPv4 asymmetric routing.

option

-

Option

Description

enable

Enable IPv4 asymmetric routing.

disable

Disable IPv4 asymmetric routing.

asymroute-icmp

Enable/disable ICMP asymmetric routing.

option

-

Option

Description

enable

Enable ICMP asymmetric routing.

disable

Disable ICMP asymmetric routing.

tcp-session-without-syn

Enable/disable allowing TCP session without SYN flags.

option

-

Option

Description

enable

Allow TCP session without SYN flags.

disable

Do not allow TCP session without SYN flags.

ses-denied-traffic

Enable/disable including denied session in the session table.

option

-

Option

Description

enable

Include denied sessions in the session table.

disable

Do not add denied sessions to the session table.

strict-src-check

Enable/disable strict source verification.

option

-

Option

Description

enable

Enable strict source verification.

disable

Disable strict source verification.

allow-linkdown-path

Enable/disable link down path.

option

-

Option

Description

enable

Allow link down path.

disable

Do not allow link down path.

asymroute6

Enable/disable asymmetric IPv6 routing.

option

-

Option

Description

enable

Enable asymmetric IPv6 routing.

disable

Disable asymmetric IPv6 routing.

asymroute6-icmp

Enable/disable asymmetric ICMPv6 routing.

option

-

Option

Description

enable

Enable asymmetric ICMPv6 routing.

disable

Disable asymmetric ICMPv6 routing.

sctp-session-without-init

Enable/disable SCTP session creation without SCTP INIT.

option

-

Option

Description

enable

Enable SCTP session creation without SCTP INIT.

disable

Disable SCTP session creation without SCTP INIT.

sip-expectation

Enable/disable the SIP kernel session helper to create an expectation for port 5060.

option

-

Option

Description

enable

Allow SIP session helper to create an expectation for port 5060.

disable

Prevent SIP session helper from creating an expectation for port 5060.

sip-nat-trace

Enable/disable recording the original SIP source IP address when NAT is used.

option

-

Option

Description

enable

Record the original SIP source IP address when NAT is used.

disable

Do not record the original SIP source IP address when NAT is used.

status

Enable/disable this VDOM.

option

-

Option

Description

enable

Enable this VDOM.

disable

Disable this VDOM.

sip-tcp-port

TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).

integer

Minimum value: 1 Maximum value: 65535

sip-udp-port

UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060).

integer

Minimum value: 1 Maximum value: 65535

sip-ssl-port

TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061).

integer

Minimum value: 0 Maximum value: 65535

sccp-port

TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000).

integer

Minimum value: 0 Maximum value: 65535

multicast-forward

Enable/disable multicast forwarding.

option

-

Option

Description

enable

Enable multicast forwarding.

disable

Disable multicast forwarding.

multicast-ttl-notchange

Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.

option

-

Option

Description

enable

The multicast TTL is not changed.

disable

The multicast TTL may be changed.

multicast-skip-policy

Enable/disable allowing multicast traffic through the FortiGate without a policy check.

option

-

Option

Description

enable

Allowing multicast traffic through the FortiGate without creating a multicast firewall policy.

disable

Require a multicast policy to allow multicast traffic to pass through the FortiGate.

allow-subnet-overlap

Enable/disable allowing interface subnets to use overlapping IP addresses.

option

-

Option

Description

enable

Enable overlapping subnets.

disable

Disable overlapping subnets.

deny-tcp-with-icmp

Enable/disable denying TCP by sending an ICMP communication prohibited packet.

option

-

Option

Description

enable

Deny TCP with ICMP.

disable

Disable denying TCP with ICMP.

ecmp-max-paths

Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255).

integer

Minimum value: 1 Maximum value: 255

discovered-device-timeout

Timeout for discovered devices (1 - 365 days, default = 28).

integer

Minimum value: 1 Maximum value: 365

email-portal-check-dns

Enable/disable using DNS to validate email addresses collected by a captive portal.

option

-

Option

Description

disable

Disable email address checking with DNS.

enable

Enable email address checking with DNS.

default-voip-alg-mode

Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.

option

-

Option

Description

proxy-based

Use a default proxy-based VoIP ALG.

kernel-helper-based

Use the SIP session helper.

gui-icap

Enable/disable ICAP on the GUI.

option

-

Option

Description

enable

Enable ICAP on the GUI.

disable

Disable ICAP on the GUI.

gui-nat46-64

Enable/disable NAT46 and NAT64 settings on the GUI.

option

-

Option

Description

enable

Enable NAT46 and NAT64 settings on the GUI.

disable

Disable NAT46 and NAT64 settings on the GUI.

gui-implicit-policy

Enable/disable implicit firewall policies on the GUI.

option

-

Option

Description

enable

Enable implicit firewall policies on the GUI.

disable

Disable implicit firewall policies on the GUI.

gui-dns-database

Enable/disable DNS database settings on the GUI.

option

-

Option

Description

enable

Enable DNS database settings on the GUI.

disable

Disable DNS database settings on the GUI.

gui-load-balance

Enable/disable server load balancing on the GUI.

option

-

Option

Description

enable

Enable server load balancing on the GUI.

disable

Disable server load balancing on the GUI.

gui-multicast-policy

Enable/disable multicast firewall policies on the GUI.

option

-

Option

Description

enable

Enable multicast firewall policies on the GUI.

disable

Disable multicast firewall policies on the GUI.

gui-dos-policy

Enable/disable DoS policies on the GUI.

option

-

Option

Description

enable

Enable DoS policies on the GUI.

disable

Disable DoS policies on the GUI.

gui-object-colors

Enable/disable object colors on the GUI.

option

-

Option

Description

enable

Enable object colors on the GUI.

disable

Disable object colors on the GUI.

gui-replacement-message-groups

Enable/disable replacement message groups on the GUI.

option

-

Option

Description

enable

Enable replacement message groups on the GUI.

disable

Disable replacement message groups on the GUI.

gui-voip-profile

Enable/disable VoIP profiles on the GUI.

option

-

Option

Description

enable

Enable VoIP profiles on the GUI.

disable

Disable VoIP profiles on the GUI.

gui-ap-profile

Enable/disable FortiAP profiles on the GUI.

option

-

Option

Description

enable

Enable FortiAP profiles on the GUI.

disable

Disable FortiAP profiles on the GUI.

gui-dynamic-profile-display

Enable/disable RADIUS Single Sign On (RSSO) on the GUI.

option

-

Option

Description

enable

Enable RADIUS Single Sign On (RSSO) on the GUI.

disable

Disable RADIUS Single Sign On (RSSO) on the GUI.

gui-local-in-policy

Enable/disable Local-In policies on the GUI.

option

-

Option

Description

enable

Enable Local-In policies on the GUI.

disable

Disable Local-In policies on the GUI.

gui-local-reports

Enable/disable local reports on the GUI.

option

-

Option

Description

enable

Enable local reports on the GUI.

disable

Disable local reports on the GUI.

gui-wanopt-cache

Enable/disable WAN Optimization and Web Caching on the GUI.

option

-

Option

Description

enable

Enable WAN Optimization and Web Caching on the GUI.

disable

Disable WAN Optimization and Web Caching on the GUI.

gui-explicit-proxy

Enable/disable the explicit proxy on the GUI.

option

-

Option

Description

enable

Enable the explicit proxy on the GUI.

disable

Disable the explicit proxy on the GUI.

gui-dynamic-routing

Enable/disable dynamic routing on the GUI.

option

-

Option

Description

enable

Enable dynamic routing on the GUI.

disable

Disable dynamic routing on the GUI.

gui-sslvpn-personal-bookmarks

Enable/disable SSL-VPN personal bookmark management on the GUI.

option

-

Option

Description

enable

Enable SSL-VPN personal bookmark management on the GUI.

disable

Disable SSL-VPN personal bookmark management on the GUI.

gui-sslvpn-realms

Enable/disable SSL-VPN realms on the GUI.

option

-

Option

Description

enable

Enable SSL-VPN realms on the GUI.

disable

Disable SSL-VPN realms on the GUI.

gui-policy-based-ipsec

Enable/disable policy-based IPsec VPN on the GUI.

option

-

Option

Description

enable

Enable policy-based IPsec VPN on the GUI.

disable

Disable policy-based IPsec VPN on the GUI.

gui-threat-weight

Enable/disable threat weight on the GUI.

option

-

Option

Description

enable

Enable threat weight on the GUI.

disable

Disable threat weight on the GUI.

gui-multiple-utm-profiles

Enable/disable multiple UTM profiles on the GUI.

option

-

Option

Description

enable

Enable multiple UTM profiles on the GUI.

disable

Disable multiple UTM profiles on the GUI.

gui-spamfilter

Enable/disable Antispam on the GUI.

option

-

Option

Description

enable

Enable Antispam on the GUI.

disable

Disable Antispam on the GUI.

gui-application-control

Enable/disable application control on the GUI.

option

-

Option

Description

enable

Enable application control on the GUI.

disable

Disable application control on the GUI.

gui-ips

Enable/disable IPS on the GUI.

option

-

Option

Description

enable

Enable IPS on the GUI.

disable

Disable IPS on the GUI.

gui-endpoint-control

Enable/disable endpoint control on the GUI.

option

-

Option

Description

enable

Enable endpoint control on the GUI.

disable

Disable endpoint control on the GUI.

gui-endpoint-control-advanced

Enable/disable advanced endpoint control options on the GUI.

option

-

Option

Description

enable

Enable advanced endpoint control options on the GUI.

disable

Disable advanced endpoint control options on the GUI.

gui-dhcp-advanced

Enable/disable advanced DHCP options on the GUI.

option

-

Option

Description

enable

Enable advanced DHCP options on the GUI.

disable

Disable advanced DHCP options on the GUI.

gui-vpn

Enable/disable VPN tunnels on the GUI.

option

-

Option

Description

enable

Enable VPN tunnels on the GUI.

disable

Disable VPN tunnels on the GUI.

gui-wireless-controller

Enable/disable the wireless controller on the GUI.

option

-

Option

Description

enable

Enable the wireless controller on the GUI.

disable

Disable the wireless controller on the GUI.

gui-switch-controller

Enable/disable the switch controller on the GUI.

option

-

Option

Description

enable

Enable the switch controller on the GUI.

disable

Disable the switch controller on the GUI.

gui-fortiap-split-tunneling

Enable/disable FortiAP split tunneling on the GUI.

option

-

Option

Description

enable

Enable FortiAP split tunneling on the GUI.

disable

Disable FortiAP split tunneling on the GUI.

gui-webfilter-advanced

Enable/disable advanced web filtering on the GUI.

option

-

Option

Description

enable

Enable advanced web filtering on the GUI.

disable

Disable advanced web filtering on the GUI.

gui-traffic-shaping

Enable/disable traffic shaping on the GUI.

option

-

Option

Description

enable

Enable traffic shaping on the GUI.

disable

Disable traffic shaping on the GUI.

gui-wan-load-balancing

Enable/disable SD-WAN on the GUI.

option

-

Option

Description

enable

Enable SD-WAN on the GUI.

disable

Disable SD-WAN on the GUI.

gui-antivirus

Enable/disable AntiVirus on the GUI.

option

-

Option

Description

enable

Enable AntiVirus on the GUI.

disable

Disable AntiVirus on the GUI.

gui-webfilter

Enable/disable Web filtering on the GUI.

option

-

Option

Description

enable

Enable Web filtering on the GUI.

disable

Disable Web filtering on the GUI.

gui-dnsfilter

Enable/disable DNS Filtering on the GUI.

option

-

Option

Description

enable

Enable DNS Filtering on the GUI.

disable

Disable DNS Filtering on the GUI.

gui-waf-profile

Enable/disable Web Application Firewall on the GUI.

option

-

Option

Description

enable

Enable Web Application Firewall on the GUI.

disable

Disable Web Application Firewall on the GUI.

gui-fortiextender-controller

Enable/disable FortiExtender on the GUI.

option

-

Option

Description

enable

Enable FortiExtender on the GUI.

disable

Disable FortiExtender on the GUI.

gui-advanced-policy

Enable/disable advanced policy configuration on the GUI.

option

-

Option

Description

enable

Enable advanced policy configuration on the GUI.

disable

Disable advanced policy configuration on the GUI.

gui-allow-unnamed-policy

Enable/disable the requirement for policy naming on the GUI.

option

-

Option

Description

enable

Enable the requirement for policy naming on the GUI.

disable

Disable the requirement for policy naming on the GUI.

gui-email-collection

Enable/disable email collection on the GUI.

option

-

Option

Description

enable

Enable email collection on the GUI.

disable

Disable email collection on the GUI.

gui-domain-ip-reputation

Enable/disable Domain and IP Reputation on the GUI.

option

-

Option

Description

enable

Enable Domain and IP Reputation on the GUI.

disable

Disable Domain and IP Reputation on the GUI.

gui-multiple-interface-policy

Enable/disable adding multiple interfaces to a policy on the GUI.

option

-

Option

Description

enable

Enable adding multiple interfaces to a policy on the GUI.

disable

Disable adding multiple interfaces to a policy on the GUI.

gui-per-policy-disclaimer

Enable/disable policy disclaimer on the GUI.

option

-

Option

Description

enable

Enable policy disclaimer on the GUI.

disable

Disable policy disclaimer on the GUI.

ike-session-resume

Enable/disable IKEv2 session resumption (RFC 5723).

option

-

Option

Description

enable

Enable IKEv2 session resumption (RFC 5723).

disable

Disable IKEv2 session resumption (RFC 5723).

ike-quick-crash-detect

Enable/disable IKE quick crash detection (RFC 6290).

option

-

Option

Description

enable

Enable IKE quick crash detection (RFC 6290).

disable

Disable IKE quick crash detection (RFC 6290).

ike-dn-format

Configure IKE ASN.1 Distinguished Name format conventions.

option

-

Option

Description

with-space

Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.

no-space

Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.

block-land-attack

Enable/disable blocking of land attacks.

option

-

Option

Description

disable

Do not block land attack.

enable

Block land attack.