Fortinet black logo

CLI Reference

system settings

Configure VDOM settings.

  config system settings
      Description: Configure VDOM settings.
      set comments {var-string}
      set opmode [nat|transparent]
      set ngfw-mode [profile-based|policy-based]
      set consolidated-firewall-mode {option}
      set http-external-dest [fortiweb|forticache]
      set firewall-session-dirty [check-all|check-new|...]
      set manageip {user}
      set gateway {ipv4-address}
      set ip {ipv4-classnet-host}
      set manageip6 {ipv6-prefix}
      set gateway6 {ipv6-address}
      set ip6 {ipv6-prefix}
      set device {string}
      set bfd [enable|disable]
      set bfd-desired-min-tx {integer}
      set bfd-required-min-rx {integer}
      set bfd-detect-mult {integer}
      set bfd-dont-enforce-src-port [enable|disable]
      set utf8-spam-tagging [enable|disable]
      set wccp-cache-engine [enable|disable]
      set vpn-stats-log {option1}, {option2}, ...
      set vpn-stats-period {integer}
      set v4-ecmp-mode [source-ip-based|weight-based|...]
      set mac-ttl {integer}
      set fw-session-hairpin [enable|disable]
      set prp-trailer-action [enable|disable]
      set snat-hairpin-traffic [enable|disable]
      set dhcp-proxy [enable|disable]
      set dhcp-server-ip {user}
      set dhcp6-server-ip {user}
      set central-nat [enable|disable]
      set gui-default-policy-columns <name1>, <name2>, ...
      set lldp-reception [enable|disable|...]
      set lldp-transmission [enable|disable|...]
      set link-down-access [enable|disable]
      set auxiliary-session [enable|disable]
      set asymroute [enable|disable]
      set asymroute-icmp [enable|disable]
      set tcp-session-without-syn [enable|disable]
      set ses-denied-traffic [enable|disable]
      set strict-src-check [enable|disable]
      set allow-linkdown-path [enable|disable]
      set asymroute6 [enable|disable]
      set asymroute6-icmp [enable|disable]
      set sctp-session-without-init [enable|disable]
      set sip-expectation [enable|disable]
      set sip-nat-trace [enable|disable]
      set status [enable|disable]
      set sip-tcp-port {integer}
      set sip-udp-port {integer}
      set sip-ssl-port {integer}
      set sccp-port {integer}
      set multicast-forward [enable|disable]
      set multicast-ttl-notchange [enable|disable]
      set multicast-skip-policy [enable|disable]
      set allow-subnet-overlap [enable|disable]
      set deny-tcp-with-icmp [enable|disable]
      set ecmp-max-paths {integer}
      set discovered-device-timeout {integer}
      set email-portal-check-dns [disable|enable]
      set default-voip-alg-mode [proxy-based|kernel-helper-based]
      set gui-icap [enable|disable]
      set gui-nat46-64 [enable|disable]
      set gui-implicit-policy [enable|disable]
      set gui-dns-database [enable|disable]
      set gui-load-balance [enable|disable]
      set gui-multicast-policy [enable|disable]
      set gui-dos-policy [enable|disable]
      set gui-object-colors [enable|disable]
      set gui-replacement-message-groups [enable|disable]
      set gui-voip-profile [enable|disable]
      set gui-ap-profile [enable|disable]
      set gui-dynamic-profile-display [enable|disable]
      set gui-local-in-policy [enable|disable]
      set gui-local-reports [enable|disable]
      set gui-wanopt-cache [enable|disable]
      set gui-explicit-proxy [enable|disable]
      set gui-dynamic-routing [enable|disable]
      set gui-sslvpn-personal-bookmarks [enable|disable]
      set gui-sslvpn-realms [enable|disable]
      set gui-policy-based-ipsec [enable|disable]
      set gui-threat-weight [enable|disable]
      set gui-multiple-utm-profiles [enable|disable]
      set gui-spamfilter [enable|disable]
      set gui-application-control [enable|disable]
      set gui-ips [enable|disable]
      set gui-endpoint-control [enable|disable]
      set gui-endpoint-control-advanced [enable|disable]
      set gui-dhcp-advanced [enable|disable]
      set gui-vpn [enable|disable]
      set gui-wireless-controller [enable|disable]
      set gui-switch-controller [enable|disable]
      set gui-fortiap-split-tunneling [enable|disable]
      set gui-webfilter-advanced [enable|disable]
      set gui-traffic-shaping [enable|disable]
      set gui-wan-load-balancing [enable|disable]
      set gui-antivirus [enable|disable]
      set gui-webfilter [enable|disable]
      set gui-dnsfilter [enable|disable]
      set gui-waf-profile [enable|disable]
      set gui-fortiextender-controller [enable|disable]
      set gui-advanced-policy [enable|disable]
      set gui-allow-unnamed-policy [enable|disable]
      set gui-email-collection [enable|disable]
      set gui-domain-ip-reputation [enable|disable]
      set gui-multiple-interface-policy [enable|disable]
      set gui-policy-disclaimer [enable|disable]
      set ike-session-resume [enable|disable]
      set ike-quick-crash-detect [enable|disable]
      set ike-dn-format [with-space|no-space]
      set block-land-attack [disable|enable]
  end

config system settings

Parameter Name Description Type Size
comments VDOM comments. var-string Maximum length: 255
opmode Firewall operation mode (NAT or Transparent).
nat: Change to NAT mode.
transparent: Change to transparent mode.
option -
ngfw-mode Next Generation Firewall (NGFW) mode.
profile-based: Application and web-filtering are configured using profiles applied to policy entries.
policy-based: Application and web-filtering are configured as policy match conditions.
option -
consolidated-firewall-mode Consolidated firewall mode.
option -
http-external-dest Offload HTTP traffic to FortiWeb or FortiCache.
fortiweb: Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.
forticache: Offload HTTP traffic to FortiCache for external web caching and WAN optimization.
option -
firewall-session-dirty Select how to manage sessions affected by firewall policy configuration changes.
check-all: All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.
check-new: Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.
check-policy-option: Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.
option -
manageip Transparent mode IPv4 management IP address and netmask. user Not Specified
gateway Transparent mode IPv4 default gateway IP address. ipv4-address Not Specified
ip IP address and netmask. ipv4-classnet-host Not Specified
manageip6 Transparent mode IPv6 management IP address and netmask. ipv6-prefix Not Specified
gateway6 Transparent mode IPv4 default gateway IP address. ipv6-address Not Specified
ip6 IPv6 address prefix for NAT mode. ipv6-prefix Not Specified
device Interface to use for management access for NAT mode. string Maximum length: 35
bfd Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
enable: Enable Bi-directional Forwarding Detection (BFD) on all interfaces.
disable: Disable Bi-directional Forwarding Detection (BFD) on all interfaces.
option -
bfd-desired-min-tx BFD desired minimal transmit interval (1 - 100000 ms, default = 50). integer Minimum value: 1 Maximum value: 100000
bfd-required-min-rx BFD required minimal receive interval (1 - 100000 ms, default = 50). integer Minimum value: 1 Maximum value: 100000
bfd-detect-mult BFD detection multiplier (1 - 50, default = 3). integer Minimum value: 1 Maximum value: 50
bfd-dont-enforce-src-port Enable to not enforce verifying the source port of BFD Packets.
enable: Enable verifying the source port of BFD Packets.
disable: Disable verifying the source port of BFD Packets.
option -
utf8-spam-tagging Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
enable: Convert antispam tags to UTF-8.
disable: Do not convert antispam tags.
option -
wccp-cache-engine Enable/disable WCCP cache engine.
enable: Enable WCCP cache engine.
disable: Disable WCCP cache engine.
option -
vpn-stats-log Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
ipsec: IPsec.
pptp: PPTP.
l2tp: L2TP.
ssl: SSL.
option -
vpn-stats-period Period to send VPN log statistics (0 or 60 - 86400 sec). integer Minimum value: 0 Maximum value: 4294967295
v4-ecmp-mode IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
source-ip-based: Select next hop based on source IP.
weight-based: Select next hop based on weight.
usage-based: Select next hop based on usage.
source-dest-ip-based: Select next hop based on both source and destination IPs.
option -
mac-ttl Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300). integer Minimum value: 300 Maximum value: 8640000
fw-session-hairpin Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
enable: Perform a policy check every time.
disable: Perform a policy check only the first time the session is received.
option -
prp-trailer-action Enable/disable action to take on PRP trailer.
enable: Try to keep PRP trailer.
disable: Trim PRP trailer.
option -
snat-hairpin-traffic Enable/disable source NAT (SNAT) for hairpin traffic.
enable: Enable SNAT for hairpin traffic.
disable: Disable SNAT for hairpin traffic.
option -
dhcp-proxy Enable/disable the DHCP Proxy.
enable: Enable the DHCP proxy.
disable: Disable the DHCP proxy.
option -
dhcp-server-ip DHCP Server IPv4 address. user Not Specified
dhcp6-server-ip DHCPv6 server IPv6 address. user Not Specified
central-nat Enable/disable central NAT.
enable: Enable central NAT.
disable: Disable central NAT.
option -
gui-default-policy-columns <name> Default columns to display for policy lists on GUI.
Select column name.
string Maximum length: 79
lldp-reception Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM.
enable: Enable LLDP reception for this VDOM.
disable: Disable LLDP reception for this VDOM.
global: Use the global LLDP reception configuration for this VDOM.
option -
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM.
enable: Enable LLDP transmission for this VDOM.
disable: Disable LLDP transmission for this VDOM.
global: Use the global LLDP transmission configuration for this VDOM.
option -
link-down-access Enable/disable link down access traffic.
enable: Allow link down access traffic.
disable: Block link down access traffic.
option -
auxiliary-session Enable/disable auxiliary session.
enable: Enable auxiliary session for this VDOM.
disable: Disable auxiliary session for this VDOM.
option -
asymroute Enable/disable IPv4 asymmetric routing.
enable: Enable IPv4 asymmetric routing.
disable: Disable IPv4 asymmetric routing.
option -
asymroute-icmp Enable/disable ICMP asymmetric routing.
enable: Enable ICMP asymmetric routing.
disable: Disable ICMP asymmetric routing.
option -
tcp-session-without-syn Enable/disable allowing TCP session without SYN flags.
enable: Allow TCP session without SYN flags.
disable: Do not allow TCP session without SYN flags.
option -
ses-denied-traffic Enable/disable including denied session in the session table.
enable: Include denied sessions in the session table.
disable: Do not add denied sessions to the session table.
option -
strict-src-check Enable/disable strict source verification.
enable: Enable strict source verification.
disable: Disable strict source verification.
option -
allow-linkdown-path Enable/disable link down path.
enable: Allow link down path.
disable: Do not allow link down path.
option -
asymroute6 Enable/disable asymmetric IPv6 routing.
enable: Enable asymmetric IPv6 routing.
disable: Disable asymmetric IPv6 routing.
option -
asymroute6-icmp Enable/disable asymmetric ICMPv6 routing.
enable: Enable asymmetric ICMPv6 routing.
disable: Disable asymmetric ICMPv6 routing.
option -
sctp-session-without-init Enable/disable SCTP session creation without SCTP INIT.
enable: Enable SCTP session creation without SCTP INIT.
disable: Disable SCTP session creation without SCTP INIT.
option -
sip-expectation Enable/disable the SIP kernel session helper to create an expectation for port 5060.
enable: Allow SIP session helper to create an expectation for port 5060.
disable: Prevent SIP session helper from creating an expectation for port 5060.
option -
sip-nat-trace Enable/disable recording the original SIP source IP address when NAT is used.
enable: Record the original SIP source IP address when NAT is used.
disable: Do not record the original SIP source IP address when NAT is used.
option -
status Enable/disable this VDOM.
enable: Enable this VDOM.
disable: Disable this VDOM.
option -
sip-tcp-port TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). integer Minimum value: 1 Maximum value: 65535
sip-udp-port UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). integer Minimum value: 1 Maximum value: 65535
sip-ssl-port TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061). integer Minimum value: 0 Maximum value: 65535
sccp-port TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000). integer Minimum value: 0 Maximum value: 65535
multicast-forward Enable/disable multicast forwarding.
enable: Enable multicast forwarding.
disable: Disable multicast forwarding.
option -
multicast-ttl-notchange Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
enable: The multicast TTL is not changed.
disable: The multicast TTL may be changed.
option -
multicast-skip-policy Enable/disable allowing multicast traffic through the FortiGate without a policy check.
enable: Allowing multicast traffic through the FortiGate without creating a multicast firewall policy.
disable: Require a multicast policy to allow multicast traffic to pass through the FortiGate.
option -
allow-subnet-overlap Enable/disable allowing interface subnets to use overlapping IP addresses.
enable: Enable overlapping subnets.
disable: Disable overlapping subnets.
option -
deny-tcp-with-icmp Enable/disable denying TCP by sending an ICMP communication prohibited packet.
enable: Deny TCP with ICMP.
disable: Disable denying TCP with ICMP.
option -
ecmp-max-paths Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255). integer Minimum value: 1 Maximum value: 255
discovered-device-timeout Timeout for discovered devices (1 - 365 days, default = 28). integer Minimum value: 1 Maximum value: 365
email-portal-check-dns Enable/disable using DNS to validate email addresses collected by a captive portal.
disable: Disable email address checking with DNS.
enable: Enable email address checking with DNS.
option -
default-voip-alg-mode Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
proxy-based: Use a default proxy-based VoIP ALG.
kernel-helper-based: Use the SIP session helper.
option -
gui-icap Enable/disable ICAP on the GUI.
enable: Enable ICAP on the GUI.
disable: Disable ICAP on the GUI.
option -
gui-nat46-64 Enable/disable NAT46 and NAT64 settings on the GUI.
enable: Enable NAT46 and NAT64 settings on the GUI.
disable: Disable NAT46 and NAT64 settings on the GUI.
option -
gui-implicit-policy Enable/disable implicit firewall policies on the GUI.
enable: Enable implicit firewall policies on the GUI.
disable: Disable implicit firewall policies on the GUI.
option -
gui-dns-database Enable/disable DNS database settings on the GUI.
enable: Enable DNS database settings on the GUI.
disable: Disable DNS database settings on the GUI.
option -
gui-load-balance Enable/disable server load balancing on the GUI.
enable: Enable server load balancing on the GUI.
disable: Disable server load balancing on the GUI.
option -
gui-multicast-policy Enable/disable multicast firewall policies on the GUI.
enable: Enable multicast firewall policies on the GUI.
disable: Disable multicast firewall policies on the GUI.
option -
gui-dos-policy Enable/disable DoS policies on the GUI.
enable: Enable DoS policies on the GUI.
disable: Disable DoS policies on the GUI.
option -
gui-object-colors Enable/disable object colors on the GUI.
enable: Enable object colors on the GUI.
disable: Disable object colors on the GUI.
option -
gui-replacement-message-groups Enable/disable replacement message groups on the GUI.
enable: Enable replacement message groups on the GUI.
disable: Disable replacement message groups on the GUI.
option -
gui-voip-profile Enable/disable VoIP profiles on the GUI.
enable: Enable VoIP profiles on the GUI.
disable: Disable VoIP profiles on the GUI.
option -
gui-ap-profile Enable/disable FortiAP profiles on the GUI.
enable: Enable FortiAP profiles on the GUI.
disable: Disable FortiAP profiles on the GUI.
option -
gui-dynamic-profile-display Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
enable: Enable RADIUS Single Sign On (RSSO) on the GUI.
disable: Disable RADIUS Single Sign On (RSSO) on the GUI.
option -
gui-local-in-policy Enable/disable Local-In policies on the GUI.
enable: Enable Local-In policies on the GUI.
disable: Disable Local-In policies on the GUI.
option -
gui-local-reports Enable/disable local reports on the GUI.
enable: Enable local reports on the GUI.
disable: Disable local reports on the GUI.
option -
gui-wanopt-cache Enable/disable WAN Optimization and Web Caching on the GUI.
enable: Enable WAN Optimization and Web Caching on the GUI.
disable: Disable WAN Optimization and Web Caching on the GUI.
option -
gui-explicit-proxy Enable/disable the explicit proxy on the GUI.
enable: Enable the explicit proxy on the GUI.
disable: Disable the explicit proxy on the GUI.
option -
gui-dynamic-routing Enable/disable dynamic routing on the GUI.
enable: Enable dynamic routing on the GUI.
disable: Disable dynamic routing on the GUI.
option -
gui-sslvpn-personal-bookmarks Enable/disable SSL-VPN personal bookmark management on the GUI.
enable: Enable SSL-VPN personal bookmark management on the GUI.
disable: Disable SSL-VPN personal bookmark management on the GUI.
option -
gui-sslvpn-realms Enable/disable SSL-VPN realms on the GUI.
enable: Enable SSL-VPN realms on the GUI.
disable: Disable SSL-VPN realms on the GUI.
option -
gui-policy-based-ipsec Enable/disable policy-based IPsec VPN on the GUI.
enable: Enable policy-based IPsec VPN on the GUI.
disable: Disable policy-based IPsec VPN on the GUI.
option -
gui-threat-weight Enable/disable threat weight on the GUI.
enable: Enable threat weight on the GUI.
disable: Disable threat weight on the GUI.
option -
gui-multiple-utm-profiles Enable/disable multiple UTM profiles on the GUI.
enable: Enable multiple UTM profiles on the GUI.
disable: Disable multiple UTM profiles on the GUI.
option -
gui-spamfilter Enable/disable Antispam on the GUI.
enable: Enable Antispam on the GUI.
disable: Disable Antispam on the GUI.
option -
gui-application-control Enable/disable application control on the GUI.
enable: Enable application control on the GUI.
disable: Disable application control on the GUI.
option -
gui-ips Enable/disable IPS on the GUI.
enable: Enable IPS on the GUI.
disable: Disable IPS on the GUI.
option -
gui-endpoint-control Enable/disable endpoint control on the GUI.
enable: Enable endpoint control on the GUI.
disable: Disable endpoint control on the GUI.
option -
gui-endpoint-control-advanced Enable/disable advanced endpoint control options on the GUI.
enable: Enable advanced endpoint control options on the GUI.
disable: Disable advanced endpoint control options on the GUI.
option -
gui-dhcp-advanced Enable/disable advanced DHCP options on the GUI.
enable: Enable advanced DHCP options on the GUI.
disable: Disable advanced DHCP options on the GUI.
option -
gui-vpn Enable/disable VPN tunnels on the GUI.
enable: Enable VPN tunnels on the GUI.
disable: Disable VPN tunnels on the GUI.
option -
gui-wireless-controller Enable/disable the wireless controller on the GUI.
enable: Enable the wireless controller on the GUI.
disable: Disable the wireless controller on the GUI.
option -
gui-switch-controller Enable/disable the switch controller on the GUI.
enable: Enable the switch controller on the GUI.
disable: Disable the switch controller on the GUI.
option -
gui-fortiap-split-tunneling Enable/disable FortiAP split tunneling on the GUI.
enable: Enable FortiAP split tunneling on the GUI.
disable: Disable FortiAP split tunneling on the GUI.
option -
gui-webfilter-advanced Enable/disable advanced web filtering on the GUI.
enable: Enable advanced web filtering on the GUI.
disable: Disable advanced web filtering on the GUI.
option -
gui-traffic-shaping Enable/disable traffic shaping on the GUI.
enable: Enable traffic shaping on the GUI.
disable: Disable traffic shaping on the GUI.
option -
gui-wan-load-balancing Enable/disable SD-WAN on the GUI.
enable: Enable SD-WAN on the GUI.
disable: Disable SD-WAN on the GUI.
option -
gui-antivirus Enable/disable AntiVirus on the GUI.
enable: Enable AntiVirus on the GUI.
disable: Disable AntiVirus on the GUI.
option -
gui-webfilter Enable/disable Web filtering on the GUI.
enable: Enable Web filtering on the GUI.
disable: Disable Web filtering on the GUI.
option -
gui-dnsfilter Enable/disable DNS Filtering on the GUI.
enable: Enable DNS Filtering on the GUI.
disable: Disable DNS Filtering on the GUI.
option -
gui-waf-profile Enable/disable Web Application Firewall on the GUI.
enable: Enable Web Application Firewall on the GUI.
disable: Disable Web Application Firewall on the GUI.
option -
gui-fortiextender-controller Enable/disable FortiExtender on the GUI.
enable: Enable FortiExtender on the GUI.
disable: Disable FortiExtender on the GUI.
option -
gui-advanced-policy Enable/disable advanced policy configuration on the GUI.
enable: Enable advanced policy configuration on the GUI.
disable: Disable advanced policy configuration on the GUI.
option -
gui-allow-unnamed-policy Enable/disable the requirement for policy naming on the GUI.
enable: Enable the requirement for policy naming on the GUI.
disable: Disable the requirement for policy naming on the GUI.
option -
gui-email-collection Enable/disable email collection on the GUI.
enable: Enable email collection on the GUI.
disable: Disable email collection on the GUI.
option -
gui-domain-ip-reputation Enable/disable Domain and IP Reputation on the GUI.
enable: Enable Domain and IP Reputation on the GUI.
disable: Disable Domain and IP Reputation on the GUI.
option -
gui-multiple-interface-policy Enable/disable adding multiple interfaces to a policy on the GUI.
enable: Enable adding multiple interfaces to a policy on the GUI.
disable: Disable adding multiple interfaces to a policy on the GUI.
option -
gui-policy-disclaimer Enable/disable policy disclaimer on the GUI.
enable: Enable policy disclaimer on the GUI.
disable: Disable policy disclaimer on the GUI.
option -
ike-session-resume Enable/disable IKEv2 session resumption (RFC 5723).
enable: Enable IKEv2 session resumption (RFC 5723).
disable: Disable IKEv2 session resumption (RFC 5723).
option -
ike-quick-crash-detect Enable/disable IKE quick crash detection (RFC 6290).
enable: Enable IKE quick crash detection (RFC 6290).
disable: Disable IKE quick crash detection (RFC 6290).
option -
ike-dn-format Configure IKE ASN.1 Distinguished Name format conventions.
with-space: Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.
no-space: Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.
option -
block-land-attack Enable/disable blocking of land attacks.
disable: Do not block land attack.
enable: Block land attack.
option -

Configure VDOM settings.

  config system settings
      Description: Configure VDOM settings.
      set comments {var-string}
      set opmode [nat|transparent]
      set ngfw-mode [profile-based|policy-based]
      set consolidated-firewall-mode {option}
      set http-external-dest [fortiweb|forticache]
      set firewall-session-dirty [check-all|check-new|...]
      set manageip {user}
      set gateway {ipv4-address}
      set ip {ipv4-classnet-host}
      set manageip6 {ipv6-prefix}
      set gateway6 {ipv6-address}
      set ip6 {ipv6-prefix}
      set device {string}
      set bfd [enable|disable]
      set bfd-desired-min-tx {integer}
      set bfd-required-min-rx {integer}
      set bfd-detect-mult {integer}
      set bfd-dont-enforce-src-port [enable|disable]
      set utf8-spam-tagging [enable|disable]
      set wccp-cache-engine [enable|disable]
      set vpn-stats-log {option1}, {option2}, ...
      set vpn-stats-period {integer}
      set v4-ecmp-mode [source-ip-based|weight-based|...]
      set mac-ttl {integer}
      set fw-session-hairpin [enable|disable]
      set prp-trailer-action [enable|disable]
      set snat-hairpin-traffic [enable|disable]
      set dhcp-proxy [enable|disable]
      set dhcp-server-ip {user}
      set dhcp6-server-ip {user}
      set central-nat [enable|disable]
      set gui-default-policy-columns <name1>, <name2>, ...
      set lldp-reception [enable|disable|...]
      set lldp-transmission [enable|disable|...]
      set link-down-access [enable|disable]
      set auxiliary-session [enable|disable]
      set asymroute [enable|disable]
      set asymroute-icmp [enable|disable]
      set tcp-session-without-syn [enable|disable]
      set ses-denied-traffic [enable|disable]
      set strict-src-check [enable|disable]
      set allow-linkdown-path [enable|disable]
      set asymroute6 [enable|disable]
      set asymroute6-icmp [enable|disable]
      set sctp-session-without-init [enable|disable]
      set sip-expectation [enable|disable]
      set sip-nat-trace [enable|disable]
      set status [enable|disable]
      set sip-tcp-port {integer}
      set sip-udp-port {integer}
      set sip-ssl-port {integer}
      set sccp-port {integer}
      set multicast-forward [enable|disable]
      set multicast-ttl-notchange [enable|disable]
      set multicast-skip-policy [enable|disable]
      set allow-subnet-overlap [enable|disable]
      set deny-tcp-with-icmp [enable|disable]
      set ecmp-max-paths {integer}
      set discovered-device-timeout {integer}
      set email-portal-check-dns [disable|enable]
      set default-voip-alg-mode [proxy-based|kernel-helper-based]
      set gui-icap [enable|disable]
      set gui-nat46-64 [enable|disable]
      set gui-implicit-policy [enable|disable]
      set gui-dns-database [enable|disable]
      set gui-load-balance [enable|disable]
      set gui-multicast-policy [enable|disable]
      set gui-dos-policy [enable|disable]
      set gui-object-colors [enable|disable]
      set gui-replacement-message-groups [enable|disable]
      set gui-voip-profile [enable|disable]
      set gui-ap-profile [enable|disable]
      set gui-dynamic-profile-display [enable|disable]
      set gui-local-in-policy [enable|disable]
      set gui-local-reports [enable|disable]
      set gui-wanopt-cache [enable|disable]
      set gui-explicit-proxy [enable|disable]
      set gui-dynamic-routing [enable|disable]
      set gui-sslvpn-personal-bookmarks [enable|disable]
      set gui-sslvpn-realms [enable|disable]
      set gui-policy-based-ipsec [enable|disable]
      set gui-threat-weight [enable|disable]
      set gui-multiple-utm-profiles [enable|disable]
      set gui-spamfilter [enable|disable]
      set gui-application-control [enable|disable]
      set gui-ips [enable|disable]
      set gui-endpoint-control [enable|disable]
      set gui-endpoint-control-advanced [enable|disable]
      set gui-dhcp-advanced [enable|disable]
      set gui-vpn [enable|disable]
      set gui-wireless-controller [enable|disable]
      set gui-switch-controller [enable|disable]
      set gui-fortiap-split-tunneling [enable|disable]
      set gui-webfilter-advanced [enable|disable]
      set gui-traffic-shaping [enable|disable]
      set gui-wan-load-balancing [enable|disable]
      set gui-antivirus [enable|disable]
      set gui-webfilter [enable|disable]
      set gui-dnsfilter [enable|disable]
      set gui-waf-profile [enable|disable]
      set gui-fortiextender-controller [enable|disable]
      set gui-advanced-policy [enable|disable]
      set gui-allow-unnamed-policy [enable|disable]
      set gui-email-collection [enable|disable]
      set gui-domain-ip-reputation [enable|disable]
      set gui-multiple-interface-policy [enable|disable]
      set gui-policy-disclaimer [enable|disable]
      set ike-session-resume [enable|disable]
      set ike-quick-crash-detect [enable|disable]
      set ike-dn-format [with-space|no-space]
      set block-land-attack [disable|enable]
  end

config system settings

Parameter Name Description Type Size
comments VDOM comments. var-string Maximum length: 255
opmode Firewall operation mode (NAT or Transparent).
nat: Change to NAT mode.
transparent: Change to transparent mode.
option -
ngfw-mode Next Generation Firewall (NGFW) mode.
profile-based: Application and web-filtering are configured using profiles applied to policy entries.
policy-based: Application and web-filtering are configured as policy match conditions.
option -
consolidated-firewall-mode Consolidated firewall mode.
option -
http-external-dest Offload HTTP traffic to FortiWeb or FortiCache.
fortiweb: Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.
forticache: Offload HTTP traffic to FortiCache for external web caching and WAN optimization.
option -
firewall-session-dirty Select how to manage sessions affected by firewall policy configuration changes.
check-all: All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.
check-new: Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.
check-policy-option: Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.
option -
manageip Transparent mode IPv4 management IP address and netmask. user Not Specified
gateway Transparent mode IPv4 default gateway IP address. ipv4-address Not Specified
ip IP address and netmask. ipv4-classnet-host Not Specified
manageip6 Transparent mode IPv6 management IP address and netmask. ipv6-prefix Not Specified
gateway6 Transparent mode IPv4 default gateway IP address. ipv6-address Not Specified
ip6 IPv6 address prefix for NAT mode. ipv6-prefix Not Specified
device Interface to use for management access for NAT mode. string Maximum length: 35
bfd Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
enable: Enable Bi-directional Forwarding Detection (BFD) on all interfaces.
disable: Disable Bi-directional Forwarding Detection (BFD) on all interfaces.
option -
bfd-desired-min-tx BFD desired minimal transmit interval (1 - 100000 ms, default = 50). integer Minimum value: 1 Maximum value: 100000
bfd-required-min-rx BFD required minimal receive interval (1 - 100000 ms, default = 50). integer Minimum value: 1 Maximum value: 100000
bfd-detect-mult BFD detection multiplier (1 - 50, default = 3). integer Minimum value: 1 Maximum value: 50
bfd-dont-enforce-src-port Enable to not enforce verifying the source port of BFD Packets.
enable: Enable verifying the source port of BFD Packets.
disable: Disable verifying the source port of BFD Packets.
option -
utf8-spam-tagging Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
enable: Convert antispam tags to UTF-8.
disable: Do not convert antispam tags.
option -
wccp-cache-engine Enable/disable WCCP cache engine.
enable: Enable WCCP cache engine.
disable: Disable WCCP cache engine.
option -
vpn-stats-log Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
ipsec: IPsec.
pptp: PPTP.
l2tp: L2TP.
ssl: SSL.
option -
vpn-stats-period Period to send VPN log statistics (0 or 60 - 86400 sec). integer Minimum value: 0 Maximum value: 4294967295
v4-ecmp-mode IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
source-ip-based: Select next hop based on source IP.
weight-based: Select next hop based on weight.
usage-based: Select next hop based on usage.
source-dest-ip-based: Select next hop based on both source and destination IPs.
option -
mac-ttl Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300). integer Minimum value: 300 Maximum value: 8640000
fw-session-hairpin Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
enable: Perform a policy check every time.
disable: Perform a policy check only the first time the session is received.
option -
prp-trailer-action Enable/disable action to take on PRP trailer.
enable: Try to keep PRP trailer.
disable: Trim PRP trailer.
option -
snat-hairpin-traffic Enable/disable source NAT (SNAT) for hairpin traffic.
enable: Enable SNAT for hairpin traffic.
disable: Disable SNAT for hairpin traffic.
option -
dhcp-proxy Enable/disable the DHCP Proxy.
enable: Enable the DHCP proxy.
disable: Disable the DHCP proxy.
option -
dhcp-server-ip DHCP Server IPv4 address. user Not Specified
dhcp6-server-ip DHCPv6 server IPv6 address. user Not Specified
central-nat Enable/disable central NAT.
enable: Enable central NAT.
disable: Disable central NAT.
option -
gui-default-policy-columns <name> Default columns to display for policy lists on GUI.
Select column name.
string Maximum length: 79
lldp-reception Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM.
enable: Enable LLDP reception for this VDOM.
disable: Disable LLDP reception for this VDOM.
global: Use the global LLDP reception configuration for this VDOM.
option -
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM.
enable: Enable LLDP transmission for this VDOM.
disable: Disable LLDP transmission for this VDOM.
global: Use the global LLDP transmission configuration for this VDOM.
option -
link-down-access Enable/disable link down access traffic.
enable: Allow link down access traffic.
disable: Block link down access traffic.
option -
auxiliary-session Enable/disable auxiliary session.
enable: Enable auxiliary session for this VDOM.
disable: Disable auxiliary session for this VDOM.
option -
asymroute Enable/disable IPv4 asymmetric routing.
enable: Enable IPv4 asymmetric routing.
disable: Disable IPv4 asymmetric routing.
option -
asymroute-icmp Enable/disable ICMP asymmetric routing.
enable: Enable ICMP asymmetric routing.
disable: Disable ICMP asymmetric routing.
option -
tcp-session-without-syn Enable/disable allowing TCP session without SYN flags.
enable: Allow TCP session without SYN flags.
disable: Do not allow TCP session without SYN flags.
option -
ses-denied-traffic Enable/disable including denied session in the session table.
enable: Include denied sessions in the session table.
disable: Do not add denied sessions to the session table.
option -
strict-src-check Enable/disable strict source verification.
enable: Enable strict source verification.
disable: Disable strict source verification.
option -
allow-linkdown-path Enable/disable link down path.
enable: Allow link down path.
disable: Do not allow link down path.
option -
asymroute6 Enable/disable asymmetric IPv6 routing.
enable: Enable asymmetric IPv6 routing.
disable: Disable asymmetric IPv6 routing.
option -
asymroute6-icmp Enable/disable asymmetric ICMPv6 routing.
enable: Enable asymmetric ICMPv6 routing.
disable: Disable asymmetric ICMPv6 routing.
option -
sctp-session-without-init Enable/disable SCTP session creation without SCTP INIT.
enable: Enable SCTP session creation without SCTP INIT.
disable: Disable SCTP session creation without SCTP INIT.
option -
sip-expectation Enable/disable the SIP kernel session helper to create an expectation for port 5060.
enable: Allow SIP session helper to create an expectation for port 5060.
disable: Prevent SIP session helper from creating an expectation for port 5060.
option -
sip-nat-trace Enable/disable recording the original SIP source IP address when NAT is used.
enable: Record the original SIP source IP address when NAT is used.
disable: Do not record the original SIP source IP address when NAT is used.
option -
status Enable/disable this VDOM.
enable: Enable this VDOM.
disable: Disable this VDOM.
option -
sip-tcp-port TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). integer Minimum value: 1 Maximum value: 65535
sip-udp-port UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). integer Minimum value: 1 Maximum value: 65535
sip-ssl-port TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061). integer Minimum value: 0 Maximum value: 65535
sccp-port TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000). integer Minimum value: 0 Maximum value: 65535
multicast-forward Enable/disable multicast forwarding.
enable: Enable multicast forwarding.
disable: Disable multicast forwarding.
option -
multicast-ttl-notchange Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
enable: The multicast TTL is not changed.
disable: The multicast TTL may be changed.
option -
multicast-skip-policy Enable/disable allowing multicast traffic through the FortiGate without a policy check.
enable: Allowing multicast traffic through the FortiGate without creating a multicast firewall policy.
disable: Require a multicast policy to allow multicast traffic to pass through the FortiGate.
option -
allow-subnet-overlap Enable/disable allowing interface subnets to use overlapping IP addresses.
enable: Enable overlapping subnets.
disable: Disable overlapping subnets.
option -
deny-tcp-with-icmp Enable/disable denying TCP by sending an ICMP communication prohibited packet.
enable: Deny TCP with ICMP.
disable: Disable denying TCP with ICMP.
option -
ecmp-max-paths Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255). integer Minimum value: 1 Maximum value: 255
discovered-device-timeout Timeout for discovered devices (1 - 365 days, default = 28). integer Minimum value: 1 Maximum value: 365
email-portal-check-dns Enable/disable using DNS to validate email addresses collected by a captive portal.
disable: Disable email address checking with DNS.
enable: Enable email address checking with DNS.
option -
default-voip-alg-mode Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
proxy-based: Use a default proxy-based VoIP ALG.
kernel-helper-based: Use the SIP session helper.
option -
gui-icap Enable/disable ICAP on the GUI.
enable: Enable ICAP on the GUI.
disable: Disable ICAP on the GUI.
option -
gui-nat46-64 Enable/disable NAT46 and NAT64 settings on the GUI.
enable: Enable NAT46 and NAT64 settings on the GUI.
disable: Disable NAT46 and NAT64 settings on the GUI.
option -
gui-implicit-policy Enable/disable implicit firewall policies on the GUI.
enable: Enable implicit firewall policies on the GUI.
disable: Disable implicit firewall policies on the GUI.
option -
gui-dns-database Enable/disable DNS database settings on the GUI.
enable: Enable DNS database settings on the GUI.
disable: Disable DNS database settings on the GUI.
option -
gui-load-balance Enable/disable server load balancing on the GUI.
enable: Enable server load balancing on the GUI.
disable: Disable server load balancing on the GUI.
option -
gui-multicast-policy Enable/disable multicast firewall policies on the GUI.
enable: Enable multicast firewall policies on the GUI.
disable: Disable multicast firewall policies on the GUI.
option -
gui-dos-policy Enable/disable DoS policies on the GUI.
enable: Enable DoS policies on the GUI.
disable: Disable DoS policies on the GUI.
option -
gui-object-colors Enable/disable object colors on the GUI.
enable: Enable object colors on the GUI.
disable: Disable object colors on the GUI.
option -
gui-replacement-message-groups Enable/disable replacement message groups on the GUI.
enable: Enable replacement message groups on the GUI.
disable: Disable replacement message groups on the GUI.
option -
gui-voip-profile Enable/disable VoIP profiles on the GUI.
enable: Enable VoIP profiles on the GUI.
disable: Disable VoIP profiles on the GUI.
option -
gui-ap-profile Enable/disable FortiAP profiles on the GUI.
enable: Enable FortiAP profiles on the GUI.
disable: Disable FortiAP profiles on the GUI.
option -
gui-dynamic-profile-display Enable/disable RADIUS Single Sign On (RSSO) on the GUI.
enable: Enable RADIUS Single Sign On (RSSO) on the GUI.
disable: Disable RADIUS Single Sign On (RSSO) on the GUI.
option -
gui-local-in-policy Enable/disable Local-In policies on the GUI.
enable: Enable Local-In policies on the GUI.
disable: Disable Local-In policies on the GUI.
option -
gui-local-reports Enable/disable local reports on the GUI.
enable: Enable local reports on the GUI.
disable: Disable local reports on the GUI.
option -
gui-wanopt-cache Enable/disable WAN Optimization and Web Caching on the GUI.
enable: Enable WAN Optimization and Web Caching on the GUI.
disable: Disable WAN Optimization and Web Caching on the GUI.
option -
gui-explicit-proxy Enable/disable the explicit proxy on the GUI.
enable: Enable the explicit proxy on the GUI.
disable: Disable the explicit proxy on the GUI.
option -
gui-dynamic-routing Enable/disable dynamic routing on the GUI.
enable: Enable dynamic routing on the GUI.
disable: Disable dynamic routing on the GUI.
option -
gui-sslvpn-personal-bookmarks Enable/disable SSL-VPN personal bookmark management on the GUI.
enable: Enable SSL-VPN personal bookmark management on the GUI.
disable: Disable SSL-VPN personal bookmark management on the GUI.
option -
gui-sslvpn-realms Enable/disable SSL-VPN realms on the GUI.
enable: Enable SSL-VPN realms on the GUI.
disable: Disable SSL-VPN realms on the GUI.
option -
gui-policy-based-ipsec Enable/disable policy-based IPsec VPN on the GUI.
enable: Enable policy-based IPsec VPN on the GUI.
disable: Disable policy-based IPsec VPN on the GUI.
option -
gui-threat-weight Enable/disable threat weight on the GUI.
enable: Enable threat weight on the GUI.
disable: Disable threat weight on the GUI.
option -
gui-multiple-utm-profiles Enable/disable multiple UTM profiles on the GUI.
enable: Enable multiple UTM profiles on the GUI.
disable: Disable multiple UTM profiles on the GUI.
option -
gui-spamfilter Enable/disable Antispam on the GUI.
enable: Enable Antispam on the GUI.
disable: Disable Antispam on the GUI.
option -
gui-application-control Enable/disable application control on the GUI.
enable: Enable application control on the GUI.
disable: Disable application control on the GUI.
option -
gui-ips Enable/disable IPS on the GUI.
enable: Enable IPS on the GUI.
disable: Disable IPS on the GUI.
option -
gui-endpoint-control Enable/disable endpoint control on the GUI.
enable: Enable endpoint control on the GUI.
disable: Disable endpoint control on the GUI.
option -
gui-endpoint-control-advanced Enable/disable advanced endpoint control options on the GUI.
enable: Enable advanced endpoint control options on the GUI.
disable: Disable advanced endpoint control options on the GUI.
option -
gui-dhcp-advanced Enable/disable advanced DHCP options on the GUI.
enable: Enable advanced DHCP options on the GUI.
disable: Disable advanced DHCP options on the GUI.
option -
gui-vpn Enable/disable VPN tunnels on the GUI.
enable: Enable VPN tunnels on the GUI.
disable: Disable VPN tunnels on the GUI.
option -
gui-wireless-controller Enable/disable the wireless controller on the GUI.
enable: Enable the wireless controller on the GUI.
disable: Disable the wireless controller on the GUI.
option -
gui-switch-controller Enable/disable the switch controller on the GUI.
enable: Enable the switch controller on the GUI.
disable: Disable the switch controller on the GUI.
option -
gui-fortiap-split-tunneling Enable/disable FortiAP split tunneling on the GUI.
enable: Enable FortiAP split tunneling on the GUI.
disable: Disable FortiAP split tunneling on the GUI.
option -
gui-webfilter-advanced Enable/disable advanced web filtering on the GUI.
enable: Enable advanced web filtering on the GUI.
disable: Disable advanced web filtering on the GUI.
option -
gui-traffic-shaping Enable/disable traffic shaping on the GUI.
enable: Enable traffic shaping on the GUI.
disable: Disable traffic shaping on the GUI.
option -
gui-wan-load-balancing Enable/disable SD-WAN on the GUI.
enable: Enable SD-WAN on the GUI.
disable: Disable SD-WAN on the GUI.
option -
gui-antivirus Enable/disable AntiVirus on the GUI.
enable: Enable AntiVirus on the GUI.
disable: Disable AntiVirus on the GUI.
option -
gui-webfilter Enable/disable Web filtering on the GUI.
enable: Enable Web filtering on the GUI.
disable: Disable Web filtering on the GUI.
option -
gui-dnsfilter Enable/disable DNS Filtering on the GUI.
enable: Enable DNS Filtering on the GUI.
disable: Disable DNS Filtering on the GUI.
option -
gui-waf-profile Enable/disable Web Application Firewall on the GUI.
enable: Enable Web Application Firewall on the GUI.
disable: Disable Web Application Firewall on the GUI.
option -
gui-fortiextender-controller Enable/disable FortiExtender on the GUI.
enable: Enable FortiExtender on the GUI.
disable: Disable FortiExtender on the GUI.
option -
gui-advanced-policy Enable/disable advanced policy configuration on the GUI.
enable: Enable advanced policy configuration on the GUI.
disable: Disable advanced policy configuration on the GUI.
option -
gui-allow-unnamed-policy Enable/disable the requirement for policy naming on the GUI.
enable: Enable the requirement for policy naming on the GUI.
disable: Disable the requirement for policy naming on the GUI.
option -
gui-email-collection Enable/disable email collection on the GUI.
enable: Enable email collection on the GUI.
disable: Disable email collection on the GUI.
option -
gui-domain-ip-reputation Enable/disable Domain and IP Reputation on the GUI.
enable: Enable Domain and IP Reputation on the GUI.
disable: Disable Domain and IP Reputation on the GUI.
option -
gui-multiple-interface-policy Enable/disable adding multiple interfaces to a policy on the GUI.
enable: Enable adding multiple interfaces to a policy on the GUI.
disable: Disable adding multiple interfaces to a policy on the GUI.
option -
gui-policy-disclaimer Enable/disable policy disclaimer on the GUI.
enable: Enable policy disclaimer on the GUI.
disable: Disable policy disclaimer on the GUI.
option -
ike-session-resume Enable/disable IKEv2 session resumption (RFC 5723).
enable: Enable IKEv2 session resumption (RFC 5723).
disable: Disable IKEv2 session resumption (RFC 5723).
option -
ike-quick-crash-detect Enable/disable IKE quick crash detection (RFC 6290).
enable: Enable IKE quick crash detection (RFC 6290).
disable: Disable IKE quick crash detection (RFC 6290).
option -
ike-dn-format Configure IKE ASN.1 Distinguished Name format conventions.
with-space: Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.
no-space: Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.
option -
block-land-attack Enable/disable blocking of land attacks.
disable: Do not block land attack.
enable: Block land attack.
option -