config system global

Configure global attributes.

Description: Configure global attributes.

set language [english|french|...]

set gui-ipv6 [enable|disable]

set gui-replacement-message-groups [enable|disable]

set gui-local-out [enable|disable]

set gui-certificates [enable|disable]

set gui-custom-language [enable|disable]

set gui-wireless-opensecurity [enable|disable]

set gui-display-hostname [enable|disable]

set gui-fortigate-cloud-sandbox [enable|disable]

set gui-firmware-upgrade-warning [enable|disable]

set gui-allow-default-hostname [enable|disable]

set gui-forticare-registration-setup-warning [enable|disable]

set gui-workflow-management [enable|disable]

set gui-cdn-usage [enable|disable]

set admin-https-ssl-versions {option1}, {option2}, ...

set admin-https-ssl-ciphersuites {option1}, {option2}, ...

set admin-https-ssl-banned-ciphers {option1}, {option2}, ...

set admintimeout {integer}

set admin-console-timeout {integer}

set admin-concurrent [enable|disable]

set admin-lockout-threshold {integer}

set admin-lockout-duration {integer}

set refresh {integer}

set interval {integer}

set failtime {integer}

set daily-restart [enable|disable]

set restart-time {user}

set radius-port {integer}

set admin-login-max {integer}

set remoteauthtimeout {integer}

set ldapconntimeout {integer}

set batch-cmdb [enable|disable]

set multi-factor-authentication [optional|mandatory]

set ssl-min-proto-version [SSLv3|TLSv1|...]

set autorun-log-fsck [enable|disable]

set dst [enable|disable]

set timezone [01|02|...]

set traffic-priority [tos|dscp]

set traffic-priority-level [low|medium|...]

set anti-replay [disable|loose|...]

set send-pmtu-icmp [enable|disable]

set honor-df [enable|disable]

set pmtu-discovery [enable|disable]

set virtual-switch-vlan [enable|disable]

set revision-image-auto-backup [enable|disable]

set revision-backup-on-logout [enable|disable]

set management-vdom {string}

set hostname {string}

set alias {string}

set strong-crypto [enable|disable]

set ssl-static-key-ciphers [enable|disable]

set ssh-kex-algo {option1}, {option2}, ...

set ssh-enc-algo {option1}, {option2}, ...

set ssh-mac-algo {option1}, {option2}, ...

set snat-route-change [enable|disable]

set speedtest-server [enable|disable]

set cli-audit-log [enable|disable]

set dh-params [1024|1536|...]

set fds-statistics [enable|disable]

set fds-statistics-period {integer}

set tcp-option [enable|disable]

set lldp-transmission [enable|disable]

set lldp-reception [enable|disable]

set proxy-auth-timeout {integer}

set proxy-re-authentication-mode [session|traffic|...]

set proxy-auth-lifetime [enable|disable]

set proxy-auth-lifetime-timeout {integer}

set proxy-resource-mode [enable|disable]

set proxy-cert-use-mgmt-vdom [enable|disable]

set sys-perf-log-interval {integer}

set check-protocol-header [loose|strict]

set vip-arp-range [unlimited|restricted]

set reset-sessionless-tcp [enable|disable]

set allow-traffic-redirect [enable|disable]

set ipv6-allow-traffic-redirect [enable|disable]

set strict-dirty-session-check [enable|disable]

set tcp-halfclose-timer {integer}

set tcp-halfopen-timer {integer}

set tcp-timewait-timer {integer}

set tcp-rst-timer {integer}

set udp-idle-timer {integer}

set block-session-timer {integer}

set ip-src-port-range {user}

set pre-login-banner [enable|disable]

set post-login-banner [disable|enable]

set tftp [enable|disable]

set av-failopen [pass|off|...]

set av-failopen-session [enable|disable]

set memory-use-threshold-extreme {integer}

set memory-use-threshold-red {integer}

set memory-use-threshold-green {integer}

set cpu-use-threshold {integer}

set check-reset-range [strict|disable]

set vdom-mode [no-vdom|multi-vdom]

set long-vdom-name [enable|disable]

set edit-vdom-prompt [enable|disable]

set admin-port {integer}

set admin-sport {integer}

set admin-https-redirect [enable|disable]

set admin-hsts-max-age {integer}

set admin-ssh-password [enable|disable]

set admin-restrict-local [enable|disable]

set admin-ssh-port {integer}

set admin-ssh-grace-time {integer}

set admin-ssh-v1 [enable|disable]

set admin-telnet [enable|disable]

set admin-telnet-port {integer}

set admin-forticloud-sso-login [enable|disable]

set default-service-source-port {user}

set admin-maintainer [enable|disable]

set admin-reset-button [enable|disable]

set admin-server-cert {string}

set user-server-cert {string}

set admin-https-pki-required [enable|disable]

set wifi-certificate {string}

set wifi-ca-certificate {string}

set auth-http-port {integer}

set auth-https-port {integer}

set auth-ike-saml-port {integer}

set auth-keepalive [enable|disable]

set policy-auth-concurrent {integer}

set auth-session-limit [block-new|logout-inactive]

set auth-cert {string}

set clt-cert-req [enable|disable]

set fortiservice-port {integer}

set cfg-save [automatic|manual|...]

set cfg-revert-timeout {integer}

set reboot-upon-config-restore [enable|disable]

set admin-scp [enable|disable]

set security-rating-result-submission [enable|disable]

set security-rating-run-on-schedule [enable|disable]

set wireless-controller [enable|disable]

set wireless-controller-port {integer}

set fortiextender-data-port {integer}

set fortiextender [disable|enable]

set extender-controller-reserved-network {ipv4-classnet-host}

set fortiextender-discovery-lockdown [disable|enable]

set fortiextender-vlan-mode [enable|disable]

set switch-controller [disable|enable]

set switch-controller-reserved-network {ipv4-classnet-host}

set dnsproxy-worker-count {integer}

set url-filter-count {integer}

set proxy-worker-count {integer}

set scanunit-count {integer}

set proxy-hardware-acceleration [disable|enable]

set fgd-alert-subscription {option1}, {option2}, ...

set ipsec-hmac-offload [enable|disable]

set ipv6-accept-dad {integer}

set ipv6-allow-anycast-probe [enable|disable]

set csr-ca-attribute [enable|disable]

set wimax-4g-usb [enable|disable]

set cert-chain-max {integer}

set sslvpn-max-worker-count {integer}

set sslvpn-kxp-hardware-acceleration [enable|disable]

set sslvpn-cipher-hardware-acceleration [enable|disable]

set sslvpn-ems-sn-check [enable|disable]

set sslvpn-plugin-version-check [enable|disable]

set two-factor-ftk-expiry {integer}

set two-factor-email-expiry {integer}

set two-factor-sms-expiry {integer}

set two-factor-fac-expiry {integer}

set two-factor-ftm-expiry {integer}

set wad-worker-count {integer}

set wad-csvc-cs-count {integer}

set wad-csvc-db-count {integer}

set wad-source-affinity [disable|enable]

set wad-memory-change-granularity {integer}

set login-timestamp [enable|disable]

set miglogd-children {integer}

set special-file-23-support [disable|enable]

set log-uuid-address [enable|disable]

set log-ssl-connection [enable|disable]

set gui-rest-api-cache [enable|disable]

set arp-max-entry {integer}

set ha-affinity {string}

set cmdbsvr-affinity {string}

set ndp-max-entry {integer}

set br-fdb-max-entry {integer}

set max-route-cache-size {integer}

set ipsec-asic-offload [enable|disable]

set ipsec-soft-dec-async [enable|disable]

set device-idle-timeout {integer}

set user-device-store-max-devices {integer}

set user-device-store-max-users {integer}

set user-device-store-max-unified-mem {integer}

set gui-device-latitude {string}

set gui-device-longitude {string}

set private-data-encryption [disable|enable]

set auto-auth-extension-device [enable|disable]

set gui-theme [jade|neutrino|...]

set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]

set gui-date-time-source [system|browser]

set igmp-state-limit {integer}

set legacy-poe-device-support [enable|disable]

set cloud-communication [enable|disable]

set ipsec-ha-seqjump-rate {integer}

set fortitoken-cloud [enable|disable]

set faz-disk-buffer-size {integer}

set irq-time-accounting [auto|force]

set management-ip {string}

set management-port {integer}

set management-port-use-admin-sport [enable|disable]

set internet-service-database [mini|standard|...]

end

config system global

Parameter

Description

Type

Size

Default

language

GUI display language.

option

english

Option	Description
english	English.
french	French.
spanish	Spanish.
portuguese	Portuguese.
japanese	Japanese.
trach	Traditional Chinese.
simch	Simplified Chinese.
korean	Korean.

gui-ipv6

Enable/disable IPv6 settings on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-replacement-message-groups

Enable/disable replacement message groups on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-local-out

Enable/disable Local-out traffic on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-certificates

Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.

option

enable **

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-custom-language

Enable/disable custom languages in GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-wireless-opensecurity

Enable/disable wireless open security option on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-display-hostname

Enable/disable displaying the FortiGate's hostname on the GUI login page.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-fortigate-cloud-sandbox

Enable/disable displaying FortiGate Cloud Sandbox on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-firmware-upgrade-warning

Enable/disable the firmware upgrade warning on the GUI.

option

enable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-allow-default-hostname

Enable/disable the factory default hostname warning on the GUI setup wizard.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-forticare-registration-setup-warning

Enable/disable the FortiCare registration setup warning on the GUI.

option

enable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-workflow-management

Enable/disable Workflow management features on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-cdn-usage

Enable/disable Load GUI static files from a CDN.

option

enable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

admin-https-ssl-versions

Allowed TLS versions for web administration.

option

tlsv1-2 tlsv1-3

Option	Description
tlsv1-1	TLS 1.1.
tlsv1-2	TLS 1.2.
tlsv1-3	TLS 1.3.

admin-https-ssl-ciphersuites

Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.

option

TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

Option	Description
TLS-AES-128-GCM-SHA256	Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.
TLS-AES-256-GCM-SHA384	Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.
TLS-CHACHA20-POLY1305-SHA256	Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.
TLS-AES-128-CCM-SHA256	Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.
TLS-AES-128-CCM-8-SHA256	Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

admin-https-ssl-banned-ciphers

Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.

option

Option	Description
RSA	Ban the use of cipher suites using RSA key.
DHE	Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDHE	Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS	Ban the use of cipher suites using DSS authentication.
ECDSA	Ban the use of cipher suites using ECDSA authentication.
AES	Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM	Ban the use of cipher suites using AES in Galois Counter Mode (GCM).
CAMELLIA	Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES	Ban the use of cipher suites using triple DES.
SHA1	Ban the use of cipher suites using HMAC-SHA1.
SHA256	Ban the use of cipher suites using HMAC-SHA256.
SHA384	Ban the use of cipher suites using HMAC-SHA384.
STATIC	Ban the use of cipher suites using static keys.
CHACHA20	Ban the use of cipher suites using ChaCha20.
ARIA	Ban the use of cipher suites using ARIA.
AESCCM	Ban the use of cipher suites using AESCCM.

admintimeout

Number of minutes before an idle administrator session times out . A shorter idle timeout is more secure.

integer

Minimum value: 1 Maximum value: 480

admin-console-timeout

Console login timeout that overrides the admin timeout value .

integer

Minimum value: 15 Maximum value: 300

admin-concurrent

Enable/disable concurrent administrator logins. Use policy-auth-concurrent for firewall authenticated users.

option

enable

Option	Description
enable	Enable admin concurrent login.
disable	Disable admin concurrent login.

admin-lockout-threshold

Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

integer

Minimum value: 1 Maximum value: 10

admin-lockout-duration

Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

integer

Minimum value: 1 Maximum value: 2147483647

refresh

Statistics refresh interval second(s) in GUI.

integer

Minimum value: 0 Maximum value: 4294967295

interval

Dead gateway detection interval.

integer

Minimum value: 0 Maximum value: 4294967295

failtime

Fail-time for server lost.

integer

Minimum value: 0 Maximum value: 4294967295

daily-restart

Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.

option

disable

Option	Description
enable	Enable daily reboot of the FortiGate.
disable	Disable daily reboot of the FortiGate.

restart-time

Daily restart time (hh:mm).

user

Not Specified

radius-port

RADIUS service port number.

integer

Minimum value: 1 Maximum value: 65535

1812

admin-login-max

Maximum number of administrators who can be logged in at the same time .

integer

Minimum value: 1 Maximum value: 100

100

remoteauthtimeout

Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. .

integer

Minimum value: 1 Maximum value: 300

ldapconntimeout

Global timeout for connections with remote LDAP servers in milliseconds .

integer

Minimum value: 1 Maximum value: 300000

500

batch-cmdb

Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.

option

enable

Option	Description
enable	Enable batch mode to execute in CMDB server.
disable	Disable batch mode to execute in CMDB server.

multi-factor-authentication

Enforce all login methods to require an additional authentication factor .

option

optional

Option	Description
optional	Do not enforce all login methods to require an additional authentication factor (controlled by user settings).
mandatory	Enforce all login methods to require an additional authentication factor.

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections .

option

TLSv1-2

Option	Description
SSLv3	SSLv3.
TLSv1	TLSv1.
TLSv1-1	TLSv1.1.
TLSv1-2	TLSv1.2.
TLSv1-3	TLSv1.3.

autorun-log-fsck

Enable/disable automatic log partition check after ungraceful shutdown.

option

disable

Option	Description
enable	Enable automatic log partition check after ungraceful shutdown.
disable	Disable automatic log partition check after ungraceful shutdown.

dst

Enable/disable daylight saving time.

option

enable

Option	Description
enable	Enable daylight saving time.
disable	Disable daylight saving time.

timezone

Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.

option

Option	Description
01	(GMT-11:00) Midway Island, Samoa
02	(GMT-10:00) Hawaii
03	(GMT-9:00) Alaska
04	(GMT-8:00) Pacific Time (US & Canada)
05	(GMT-7:00) Arizona
81	(GMT-7:00) Baja California Sur, Chihuahua
06	(GMT-7:00) Mountain Time (US & Canada)
07	(GMT-6:00) Central America
08	(GMT-6:00) Central Time (US & Canada)
09	(GMT-6:00) Mexico City
10	(GMT-6:00) Saskatchewan
11	(GMT-5:00) Bogota, Lima,Quito
12	(GMT-5:00) Eastern Time (US & Canada)
13	(GMT-5:00) Indiana (East)
74	(GMT-4:00) Caracas
14	(GMT-4:00) Atlantic Time (Canada)
77	(GMT-4:00) Georgetown
15	(GMT-4:00) La Paz
87	(GMT-4:00) Paraguay
16	(GMT-3:00) Santiago
17	(GMT-3:30) Newfoundland
18	(GMT-3:00) Brasilia
19	(GMT-3:00) Buenos Aires
20	(GMT-3:00) Nuuk (Greenland)
75	(GMT-3:00) Uruguay
21	(GMT-2:00) Mid-Atlantic
22	(GMT-1:00) Azores
23	(GMT-1:00) Cape Verde Is.
24	(GMT) Monrovia
80	(GMT) Greenwich Mean Time
79	(GMT) Casablanca
25	(GMT) Dublin, Edinburgh, Lisbon, London, Canary Is.
26	(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
27	(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
28	(GMT+1:00) Brussels, Copenhagen, Madrid, Paris
78	(GMT+1:00) Namibia
29	(GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb
30	(GMT+1:00) West Central Africa
31	(GMT+2:00) Athens, Sofia, Vilnius
32	(GMT+2:00) Bucharest
33	(GMT+2:00) Cairo
34	(GMT+2:00) Harare, Pretoria
35	(GMT+2:00) Helsinki, Riga, Tallinn
36	(GMT+2:00) Jerusalem
37	(GMT+3:00) Baghdad
38	(GMT+3:00) Kuwait, Riyadh
83	(GMT+3:00) Moscow
84	(GMT+3:00) Minsk
40	(GMT+3:00) Nairobi
85	(GMT+3:00) Istanbul
41	(GMT+3:30) Tehran
42	(GMT+4:00) Abu Dhabi, Muscat
43	(GMT+4:00) Baku
39	(GMT+3:00) St. Petersburg, Volgograd
44	(GMT+4:30) Kabul
46	(GMT+5:00) Islamabad, Karachi, Tashkent
47	(GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi
51	(GMT+5:30) Sri Jayawardenepara
48	(GMT+5:45) Kathmandu
45	(GMT+5:00) Ekaterinburg
49	(GMT+6:00) Almaty, Novosibirsk
50	(GMT+6:00) Astana, Dhaka
52	(GMT+6:30) Rangoon
53	(GMT+7:00) Bangkok, Hanoi, Jakarta
54	(GMT+7:00) Krasnoyarsk
55	(GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk
56	(GMT+8:00) Ulaan Bataar
57	(GMT+8:00) Kuala Lumpur, Singapore
58	(GMT+8:00) Perth
59	(GMT+8:00) Taipei
60	(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
62	(GMT+9:30) Adelaide
63	(GMT+9:30) Darwin
61	(GMT+9:00) Yakutsk
64	(GMT+10:00) Brisbane
65	(GMT+10:00) Canberra, Melbourne, Sydney
66	(GMT+10:00) Guam, Port Moresby
67	(GMT+10:00) Hobart
68	(GMT+10:00) Vladivostok
69	(GMT+10:00) Magadan
70	(GMT+11:00) Solomon Is., New Caledonia
71	(GMT+12:00) Auckland, Wellington
72	(GMT+12:00) Fiji, Kamchatka, Marshall Is.
00	(GMT+12:00) Eniwetok, Kwajalein
82	(GMT+12:45) Chatham Islands
73	(GMT+13:00) Nuku'alofa
86	(GMT+13:00) Samoa
76	(GMT+14:00) Kiritimati

traffic-priority

Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.

option

tos

Option	Description
tos	IP TOS.
dscp	DSCP (DiffServ) DS.

traffic-priority-level

Default system-wide level of priority for traffic prioritization.

option

medium

Option	Description
low	Low priority.
medium	Medium priority.
high	High priority.

anti-replay

Level of checking for packet replay and TCP sequence checking.

option

strict

Option	Description
disable	Disable anti-replay check.
loose	Loose anti-replay check.
strict	Strict anti-replay check.

send-pmtu-icmp

Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.

option

enable

Option	Description
enable	Enable sending of PMTU ICMP destination unreachable packet.
disable	Disable sending of PMTU ICMP destination unreachable packet.

honor-df

Enable/disable honoring of Don't-Fragment (DF) flag.

option

enable

Option	Description
enable	Enable honoring of Don't-Fragment flag.
disable	Disable honoring of Don't-Fragment flag.

pmtu-discovery

Enable/disable path MTU discovery.

option

disable

Option	Description
enable	Enable path MTU discovery.
disable	Disable path MTU discovery.

virtual-switch-vlan *

Enable/disable virtual switch VLAN.

option

disable

Option	Description
enable	Enable virtual switch VLAN.
disable	Disable virtual switch VLAN.

revision-image-auto-backup

Enable/disable back-up of the latest image revision after the firmware is upgraded.

option

disable

Option	Description
enable	Enable revision image backup automatically when upgrading image.
disable	Disable revision image backup automatically when upgrading image.

revision-backup-on-logout

Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.

option

disable

Option	Description
enable	Enable revision config backup automatically when logout.
disable	Disable revision config backup automatically when logout.

management-vdom

Management virtual domain name.

string

Maximum length: 31

root

hostname

FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.

string

Maximum length: 35

alias

Alias for your FortiGate unit.

string

Maximum length: 35

strong-crypto

Enable to use strong encryption and only allow strong ciphers and digest for HTTPS/SSH/TLS/SSL functions.

option

enable

Option	Description
enable	Enable strong crypto for HTTPS/SSH/TLS/SSL.
disable	Disable strong crypto for HTTPS/SSH/TLS/SSL.

ssl-static-key-ciphers

Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).

option

enable

Option	Description
enable	Enable static key ciphers in SSL/TLS connections.
disable	Disable static key ciphers in SSL/TLS connections.

ssh-kex-algo

Select one or more SSH kex algorithms.

option

diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521

Option	Description
diffie-hellman-group1-sha1	diffie-hellman-group1-sha1
diffie-hellman-group14-sha1	diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1	diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256	diffie-hellman-group-exchange-sha256
curve25519-sha256@libssh.org	curve25519-sha256@libssh.org
ecdh-sha2-nistp256	ecdh-sha2-nistp256
ecdh-sha2-nistp384	ecdh-sha2-nistp384
ecdh-sha2-nistp521	ecdh-sha2-nistp521

ssh-enc-algo

Select one or more SSH ciphers.

option

chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com

Option	Description
chacha20-poly1305@openssh.com	chacha20-poly1305@openssh.com
aes128-ctr	aes128-ctr
aes192-ctr	aes192-ctr
aes256-ctr	aes256-ctr
arcfour256	arcfour256
arcfour128	arcfour128
aes128-cbc	aes128-cbc
3des-cbc	3des-cbc
blowfish-cbc	blowfish-cbc
cast128-cbc	cast128-cbc
aes192-cbc	aes192-cbc
aes256-cbc	aes256-cbc
arcfour	arcfour
rijndael-cbc@lysator.liu.se	rijndael-cbc@lysator.liu.se
aes128-gcm@openssh.com	aes128-gcm@openssh.com
aes256-gcm@openssh.com	aes256-gcm@openssh.com

ssh-mac-algo

Select one or more SSH MAC algorithms.

option

hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com

Option	Description
hmac-md5	hmac-md5
hmac-md5-etm@openssh.com	hmac-md5-etm@openssh.com
hmac-md5-96	hmac-md5-96
hmac-md5-96-etm@openssh.com	hmac-md5-96-etm@openssh.com
hmac-sha1	hmac-sha1
hmac-sha1-etm@openssh.com	hmac-sha1-etm@openssh.com
hmac-sha2-256	hmac-sha2-256
hmac-sha2-256-etm@openssh.com	hmac-sha2-256-etm@openssh.com
hmac-sha2-512	hmac-sha2-512
hmac-sha2-512-etm@openssh.com	hmac-sha2-512-etm@openssh.com
hmac-ripemd160	hmac-ripemd160
hmac-ripemd160@openssh.com	hmac-ripemd160@openssh.com
hmac-ripemd160-etm@openssh.com	hmac-ripemd160-etm@openssh.com
umac-64@openssh.com	umac-64@openssh.com
umac-128@openssh.com	umac-128@openssh.com
umac-64-etm@openssh.com	umac-64-etm@openssh.com
umac-128-etm@openssh.com	umac-128-etm@openssh.com

snat-route-change

Enable/disable the ability to change the static NAT route.

option

disable

Option	Description
enable	Enable SNAT route change.
disable	Disable SNAT route change.

speedtest-server

Enable/disable speed test server.

option

disable

Option	Description
enable	Enable speed test server service.
disable	Disable speed test server service.

cli-audit-log

Enable/disable CLI audit log.

option

disable

Option	Description
enable	Enable CLI audit log.
disable	Disable CLI audit log.

dh-params

Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.

option

2048

Option	Description
1024	1024 bits.
1536	1536 bits.
2048	2048 bits.
3072	3072 bits.
4096	4096 bits.
6144	6144 bits.
8192	8192 bits.

fds-statistics

Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.

option

enable

Option	Description
enable	Enable FortiGuard statistics.
disable	Disable FortiGuard statistics.

fds-statistics-period

FortiGuard statistics collection period in minutes. .

integer

Minimum value: 1 Maximum value: 1440

tcp-option

Enable SACK, timestamp and MSS TCP options.

option

enable

Option	Description
enable	Enable TCP option.
disable	Disable TCP option.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

disable

Option	Description
enable	Enable transmission of Link Layer Discovery Protocol (LLDP).
disable	Disable transmission of Link Layer Discovery Protocol (LLDP).

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

disable

Option	Description
enable	Enable reception of Link Layer Discovery Protocol (LLDP).
disable	Disable reception of Link Layer Discovery Protocol (LLDP).

proxy-auth-timeout

Authentication timeout in minutes for authenticated users .

integer

Minimum value: 1 Maximum value: 300

proxy-re-authentication-mode

Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.

option

session

Option	Description
session	Proxy re-authentication timeout begins at the closure of the session.
traffic	Proxy re-authentication timeout begins after traffic has not been received.
absolute	Proxy re-authentication timeout begins when the user was first created.

proxy-auth-lifetime

Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.

option

disable

Option	Description
enable	Enable authenticated users lifetime control.
disable	Disable authenticated users lifetime control.

proxy-auth-lifetime-timeout

Lifetime timeout in minutes for authenticated users .

integer

Minimum value: 5 Maximum value: 65535

480

proxy-resource-mode

Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.

option

disable

Option	Description
enable	Enable use of the maximum memory usage.
disable	Disable use of the maximum memory usage.

proxy-cert-use-mgmt-vdom

Enable/disable using management VDOM to send requests.

option

disable

Option	Description
enable	Enable setting.
disable	Disable setting.

sys-perf-log-interval

Time in minutes between updates of performance statistics logging. .

integer

Minimum value: 0 Maximum value: 15

check-protocol-header

Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is OK in most cases.

option

loose

Option	Description
loose	Check protocol header loosely.
strict	Check protocol header strictly.

vip-arp-range

Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.

option

restricted

Option	Description
unlimited	Send ARPs for all addresses in VIP range.
restricted	Send ARPs for the first 8192 addresses in VIP range.

reset-sessionless-tcp

Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.

option

disable

Option	Description
enable	Enable reset session-less TCP.
disable	Disable reset session-less TCP.

allow-traffic-redirect

Disable to prevent traffic with same local ingress and egress interface from being forwarded without policy check.

option

enable

Option	Description
enable	Enable allow traffic redirect.
disable	Disable allow traffic redirect.

ipv6-allow-traffic-redirect

Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.

option

enable

Option	Description
enable	Enable allow traffic IPv6 redirect.
disable	Disable allow traffic IPv6 redirect.

strict-dirty-session-check

Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.

option

enable

Option	Description
enable	Enable strict dirty-session check.
disable	Disable strict dirty-session check.

tcp-halfclose-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded .

integer

Minimum value: 1 Maximum value: 86400

120

tcp-halfopen-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded .

integer

Minimum value: 1 Maximum value: 86400

tcp-timewait-timer

Length of the TCP TIME-WAIT state in seconds .

integer

Minimum value: 0 Maximum value: 300

tcp-rst-timer

Length of the TCP CLOSE state in seconds .

integer

Minimum value: 5 Maximum value: 300

udp-idle-timer

UDP connection session timeout. This command can be useful in managing CPU and memory resources .

integer

Minimum value: 1 Maximum value: 86400

180

block-session-timer

Duration in seconds for blocked sessions .

integer

Minimum value: 1 Maximum value: 300

ip-src-port-range

IP source port range used for traffic originating from the FortiGate unit.

user

Not Specified

1024-25000

pre-login-banner

Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.

option

disable

Option	Description
enable	Enable pre-login banner.
disable	Disable pre-login banner.

post-login-banner

Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.

option

disable

Option	Description
disable	Disable post-login banner.
enable	Enable post-login banner.

tftp

Enable/disable TFTP.

option

enable

Option	Description
enable	Enable TFTP.
disable	Disable TFTP.

av-failopen

Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.

option

pass

Option	Description
pass	Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
off	Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
one-shot	Bypass the antivirus system when memory is low.

av-failopen-session

When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.

option

disable

Option	Description
enable	Enable AV fail open session option.
disable	Disable AV fail open session option.

memory-use-threshold-extreme

Threshold at which memory usage is considered extreme .

integer

Minimum value: 70 Maximum value: 97

memory-use-threshold-red

Threshold at which memory usage forces the FortiGate to enter conserve mode .

integer

Minimum value: 70 Maximum value: 97

memory-use-threshold-green

Threshold at which memory usage forces the FortiGate to exit conserve mode .

integer

Minimum value: 70 Maximum value: 97

cpu-use-threshold

Threshold at which CPU usage is reported .

integer

Minimum value: 50 Maximum value: 99

check-reset-range

Configure ICMP error message verification. You can either apply strict RST range checking or disable it.

option

disable

Option	Description
strict	Check RST range strictly.
disable	Disable RST range check.

vdom-mode *

Enable/disable support for multiple virtual domains (VDOMs).

option

no-vdom

Option	Description
no-vdom	Disable multiple VDOMs mode.
multi-vdom	Enable multiple VDOMs mode.

long-vdom-name *

Enable/disable long VDOM name support.

option

disable

Option	Description
enable	Enable long VDOM name support.
disable	Disable long VDOM name support.

edit-vdom-prompt *

Enable/disable edit new VDOM prompt.

option

disable

Option	Description
enable	Enable edit new VDOM prompt.
disable	Disable edit new VDOM prompt.

admin-port

Administrative access port for HTTP. .

integer

Minimum value: 1 Maximum value: 65535

admin-sport

Administrative access port for HTTPS. .

integer

Minimum value: 1 Maximum value: 65535

443

admin-https-redirect

Enable/disable redirection of HTTP administration access to HTTPS.

option

enable

Option	Description
enable	Enable redirecting HTTP administration access to HTTPS.
disable	Disable redirecting HTTP administration access to HTTPS.

admin-hsts-max-age

HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0.

integer

Minimum value: 0 Maximum value: 2147483647

15552000

admin-ssh-password

Enable/disable password authentication for SSH admin access.

option

enable

Option	Description
enable	Enable password authentication for SSH admin access.
disable	Disable password authentication for SSH admin access.

admin-restrict-local

Enable/disable local admin authentication restriction when remote authenticator is up and running .

option

disable

Option	Description
enable	Enable local admin authentication restriction.
disable	Disable local admin authentication restriction.

admin-ssh-port

Administrative access port for SSH. .

integer

Minimum value: 1 Maximum value: 65535

admin-ssh-grace-time

Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating .

integer

Minimum value: 10 Maximum value: 3600

120

admin-ssh-v1

Enable/disable SSH v1 compatibility.

option

disable

Option	Description
enable	Enable SSH v1 compatibility.
disable	Disable SSH v1 compatibility.

admin-telnet

Enable/disable TELNET service.

option

enable

Option	Description
enable	Enable TELNET service.
disable	Disable TELNET service.

admin-telnet-port

Administrative access port for TELNET. .

integer

Minimum value: 1 Maximum value: 65535

admin-forticloud-sso-login

Enable/disable FortiCloud admin login via SSO.

option

disable

Option	Description
enable	Enable FortiCloud admin login via SSO.
disable	Disable FortiCloud admin login via SSO.

default-service-source-port

Default service source port range .

user

Not Specified

admin-maintainer

Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.

option

enable

Option	Description
enable	Enable login for special user (maintainer).
disable	Disable login for special user (maintainer).

admin-reset-button *

press the reset button can reset to factory default

option

enable

Option	Description
enable	press the reset button can reset to factory default
disable	press the reset button cannot reset to factory default

admin-server-cert

Server certificate that the FortiGate uses for HTTPS administrative connections.

string

Maximum length: 35

self-sign

user-server-cert

Certificate to use for https user authentication.

string

Maximum length: 35

Fortinet_Factory

admin-https-pki-required

Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.

option

disable

Option	Description
enable	Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access.
disable	Admin users can login by providing a valid certificate or password.

wifi-certificate

Certificate to use for WiFi authentication.

string

Maximum length: 35

Fortinet_Wifi

wifi-ca-certificate

CA certificate that verifies the WiFi certificate.

string

Maximum length: 79

Fortinet_Wifi_CA

auth-http-port

User authentication HTTP port. .

integer

Minimum value: 1 Maximum value: 65535

1000

auth-https-port

User authentication HTTPS port. .

integer

Minimum value: 1 Maximum value: 65535

1003

auth-ike-saml-port

User IKE SAML authentication port .

integer

Minimum value: 0 Maximum value: 65535

1001

auth-keepalive

Enable to prevent user authentication sessions from timing out when idle.

option

disable

Option	Description
enable	Enable use of keep alive to extend authentication.
disable	Disable use of keep alive to extend authentication.

policy-auth-concurrent

Number of concurrent firewall use logins from the same user .

integer

Minimum value: 0 Maximum value: 100

auth-session-limit

Action to take when the number of allowed user authenticated sessions is reached.

option

block-new

Option	Description
block-new	Block new user authentication attempts.
logout-inactive	Logout the most inactive user authenticated sessions.

auth-cert

Server certificate that the FortiGate uses for HTTPS firewall authentication connections.

string

Maximum length: 35

Fortinet_Factory

clt-cert-req

Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.

option

disable

Option	Description
enable	Enable require client certificate for GUI login.
disable	Disable require client certificate for GUI login.

fortiservice-port

FortiService port . Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.

integer

Minimum value: 1 Maximum value: 65535

8013

cfg-save

Configuration file save mode for CLI changes.

option

automatic

Option	Description
automatic	Automatically save config.
manual	Manually save config.
revert	Manually save config and revert the config when timeout.

cfg-revert-timeout

Time-out for reverting to the last saved configuration. .

integer

Minimum value: 10 Maximum value: 4294967295

600

reboot-upon-config-restore

Enable/disable reboot of system upon restoring configuration.

option

enable

Option	Description
enable	Enable reboot of system upon restoring configuration.
disable	Disable reboot of system upon restoring configuration.

admin-scp

Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.

option

disable

Option	Description
enable	Enable allow system configuration download by SCP.
disable	Disable allow system configuration download by SCP.

security-rating-result-submission

Enable/disable the submission of Security Rating results to FortiGuard.

option

enable

Option	Description
enable	Enable submission of Security Rating results to FortiGuard.
disable	Disable submission of Security Rating results to FortiGuard.

security-rating-run-on-schedule

Enable/disable scheduled runs of Security Rating.

option

enable

Option	Description
enable	Enable scheduled runs of Security Rating.
disable	Disable scheduled runs of Security Rating.

wireless-controller

Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.

option

enable

Option	Description
enable	Enable wireless controller.
disable	Disable wireless controller.

wireless-controller-port

Port used for the control channel in wireless controller mode .

integer

Minimum value: 1024 Maximum value: 49150

5246

fortiextender-data-port

FortiExtender data port .

integer

Minimum value: 1024 Maximum value: 49150

25246

fortiextender

Enable/disable FortiExtender.

option

enable **

Option	Description
disable	Disable FortiExtender controller.
enable	Enable FortiExtender controller.

extender-controller-reserved-network

Configure reserved network subnet for managed LAN extension FortiExtender units. This is available when the FortiExtender daemon is running.

ipv4-classnet-host

Not Specified

10.252.0.1 255.255.0.0

fortiextender-discovery-lockdown

Enable/disable FortiExtender CAPWAP lockdown.

option

disable

Option	Description
disable	Unlock down new FortiExtender device discovery.
enable	Lock down new FortiExtender device discovery.

fortiextender-vlan-mode

Enable/disable FortiExtender VLAN mode.

option

disable

Option	Description
enable	Enable FortiExtender VLAN mode.
disable	Disable FortiExtender VLAN mode.

switch-controller

Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.

option

disable

Option	Description
disable	Disable switch controller feature.
enable	Enable switch controller feature.

switch-controller-reserved-network

Configure reserved network subnet for managed switches. This is available when the switch controller is enabled.

ipv4-classnet-host

Not Specified

10.255.0.0 255.255.0.0

dnsproxy-worker-count

DNS proxy worker count. For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs.

integer

Minimum value: 1 Maximum value: The number of logical CPUs .

url-filter-count

URL filter daemon count.

integer

Minimum value: 1 Maximum value: 1 **

proxy-worker-count

Proxy worker count.

integer

Minimum value: 1 Maximum value: 4 **

scanunit-count

Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.

integer

Minimum value: 2 Maximum value: 4 **

proxy-hardware-acceleration *

Enable/disable email proxy hardware acceleration.

option

enable

Option	Description
disable	Disable email proxy hardware acceleration.
enable	Enable email proxy hardware acceleration.

fgd-alert-subscription

Type of alert to retrieve from FortiGuard.

option

Option	Description
advisory	Retrieve FortiGuard advisories, report and news alerts.
latest-threat	Retrieve latest FortiGuard threats alerts.
latest-virus	Retrieve latest FortiGuard virus alerts.
latest-attack	Retrieve latest FortiGuard attack alerts.
new-antivirus-db	Retrieve FortiGuard AV database release alerts.
new-attack-db	Retrieve FortiGuard IPS database release alerts.

ipsec-hmac-offload *

Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.

option

enable

Option	Description
enable	Enable offload IPsec HMAC processing to hardware if possible.
disable	Disable offload IPsec HMAC processing to hardware.

ipv6-accept-dad

Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).

integer

Minimum value: 0 Maximum value: 2

ipv6-allow-anycast-probe

Enable/disable IPv6 address probe through Anycast.

option

disable

Option	Description
enable	Enable probing of IPv6 address space through Anycast
disable	Disable probing of IPv6 address space through Anycast

csr-ca-attribute

Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.

option

enable

Option	Description
enable	Enable CA attribute in CSR.
disable	Disable CA attribute in CSR.

wimax-4g-usb

Enable/disable comparability with WiMAX 4G USB devices.

option

disable

Option	Description
enable	Enable WiMax 4G.
disable	Disable WiMax 4G.

cert-chain-max

Maximum number of certificates that can be traversed in a certificate chain.

integer

Minimum value: 1 Maximum value: 2147483647

sslvpn-max-worker-count

Maximum number of SSL-VPN processes. Upper limit for this value is the number of CPUs and depends on the model. Default value of zero means the SSLVPN daemon decides the number of worker processes.

integer

Minimum value: 0 Maximum value: 4 **

sslvpn-kxp-hardware-acceleration *

Enable/disable SSL-VPN KXP hardware acceleration.

option

enable

Option	Description
enable	Enable KXP SSL-VPN hardware acceleration.
disable	Disable KXP SSL-VPN hardware acceleration.

sslvpn-cipher-hardware-acceleration *

Enable/disable SSL-VPN hardware acceleration.

option

enable

Option	Description
enable	Enable SSL-VPN cipher hardware acceleration.
disable	Disable SSL-VPN cipher hardware acceleration.

sslvpn-ems-sn-check

Enable/disable verification of EMS serial number in SSL-VPN connection.

option

disable

Option	Description
enable	Enable verification of EMS serial number in SSL-VPN connection.
disable	Disable verification of EMS serial number in SSL-VPN connection.

sslvpn-plugin-version-check

Enable/disable checking browser's plugin version by SSL-VPN.

option

enable

Option	Description
enable	Enable SSL-VPN automatic checking of browser plug-in version.
disable	Disable SSL-VPN automatic checking of browser plug-in version.

two-factor-ftk-expiry

FortiToken authentication session timeout .

integer

Minimum value: 60 Maximum value: 600

two-factor-email-expiry

Email-based two-factor authentication session timeout .

integer

Minimum value: 30 Maximum value: 300

two-factor-sms-expiry

SMS-based two-factor authentication session timeout .

integer

Minimum value: 30 Maximum value: 300

two-factor-fac-expiry

FortiAuthenticator token authentication session timeout .

integer

Minimum value: 10 Maximum value: 3600

two-factor-ftm-expiry

FortiToken Mobile session timeout .

integer

Minimum value: 1 Maximum value: 168

wad-worker-count

Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.

integer

Minimum value: 0 Maximum value: 4 **

wad-csvc-cs-count

Number of concurrent WAD-cache-service object-cache processes.

integer

Minimum value: 1 Maximum value: 1

wad-csvc-db-count

Number of concurrent WAD-cache-service byte-cache processes.

integer

Minimum value: 0 Maximum value: 4 **

wad-source-affinity

Enable/disable dispatching traffic to WAD workers based on source affinity.

option

enable

Option	Description
disable	Disable dispatching traffic to WAD workers based on source affinity.
enable	Enable dispatching traffic to WAD workers based on source affinity.

wad-memory-change-granularity

Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.

integer

Minimum value: 5 Maximum value: 25

Enable/disable login time recording.

option

disable

Option	Description
enable	Enable login time recording.
disable	Disable login time recording.

miglogd-children

Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.

integer

Minimum value: 0 Maximum value: 15

special-file-23-support

Enable/disable detection of those special format files when using Data Leak Protection.

option

disable

Option	Description
disable	Disable detection of those special format files when using Data Leak Protection.
enable	Enable detection of those special format files when using Data Leak Protection.

log-uuid-address

Enable/disable insertion of address UUIDs to traffic logs.

option

disable

Option	Description
enable	Enable insertion of address UUID to traffic logs.
disable	Disable insertion of address UUID to traffic logs.

log-ssl-connection

Enable/disable logging of SSL connection events.

option

disable

Option	Description
enable	Enable logging of SSL connection events.
disable	Disable logging of SSL connection events.

gui-rest-api-cache

Enable/disable REST API result caching on FortiGate.

option

enable **

Option	Description
enable	Enable REST API result caching on FortiGate.
disable	Disable REST API result caching on FortiGate.

arp-max-entry

Maximum number of dynamically learned MAC addresses that can be added to the ARP table .

integer

Minimum value: 131072 Maximum value: 2147483647

131072

ha-affinity

Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

cmdbsvr-affinity

Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

ndp-max-entry

Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).

integer

Minimum value: 65536 Maximum value: 2147483647

br-fdb-max-entry

Maximum number of bridge forwarding database (FDB) entries.

integer

Minimum value: 8192 Maximum value: 2147483647

8192

max-route-cache-size

Maximum number of IP route cache entries .

integer

Minimum value: 0 Maximum value: 2147483647

ipsec-asic-offload *

Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.

option

enable

Option	Description
enable	Enable ASIC offload for IPsec VPN.
disable	Disable ASIC offload for IPsec VPN.

ipsec-soft-dec-async

Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.

option

disable

Option	Description
enable	Enable software decryption asynchronization for IPsec VPN.
disable	Disable software decryption asynchronization for IPsec VPN.

device-idle-timeout

Time in seconds that a device must be idle to automatically log the device user out. .

integer

Minimum value: 30 Maximum value: 31536000

300

user-device-store-max-devices

Maximum number of devices allowed in user device store.

integer

Minimum value: 15935 Maximum value: 45528 **

31870 **

user-device-store-max-users

Maximum number of users allowed in user device store.

integer

Minimum value: 15935 Maximum value: 45528 **

31870 **

user-device-store-max-unified-mem

Maximum unified memory allowed in user device store.

integer

Minimum value: 31870197 Maximum value: 318701977 **

159350988 **

gui-device-latitude

Add the latitude of the location of this FortiGate to position it on the Threat Map.

string

Maximum length: 19

gui-device-longitude

Add the longitude of the location of this FortiGate to position it on the Threat Map.

string

Maximum length: 19

private-data-encryption

Enable/disable private data encryption using an AES 128-bit key or passpharse.

option

disable

Option	Description
disable	Disable private data encryption using an AES 128-bit key.
enable	Enable private data encryption using an AES 128-bit key.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension devices.

option

enable

Option	Description
enable	Enable automatic authorization of dedicated Fortinet extension device globally.
disable	Disable automatic authorization of dedicated Fortinet extension device globally.

gui-theme

Color scheme for the administration GUI.

option

jade

Option	Description
jade	Jade theme.
neutrino	Neutrino theme.
mariner	Mariner theme.
graphite	Graphite theme.
melongene	Melongene theme.
retro	FortiOS v3 Retro theme.
dark-matter	Dark Matter theme.
onyx	Onyx theme.
eclipse	Eclipse theme.

gui-date-format

Default date format used throughout GUI.

option

yyyy/MM/dd

Option	Description
yyyy/MM/dd	Year/Month/Day.
dd/MM/yyyy	Day/Month/Year.
MM/dd/yyyy	Month/Day/Year.
yyyy-MM-dd	Year-Month-Day.
dd-MM-yyyy	Day-Month-Year.
MM-dd-yyyy	Month-Day-Year.

gui-date-time-source

Source from which the FortiGate GUI uses to display date and time entries.

option

system

Option	Description
system	Use this FortiGate unit's configured timezone.
browser	Use the web browser's timezone.

igmp-state-limit

Maximum number of IGMP memberships .

integer

Minimum value: 96 Maximum value: 128000

3200

legacy-poe-device-support *

Enable/disable legacy POE device support.

option

disable

Option	Description
enable	Enable legacy POE device support.
disable	Disable legacy POE device support.

cloud-communication

Enable/disable all cloud communication.

option

enable

Option	Description
enable	Allow cloud communication.
disable	Disable all cloud-related settings.

ipsec-ha-seqjump-rate

ESP jump ahead rate (1G - 10G pps equivalent).

integer

Minimum value: 1 Maximum value: 10

fortitoken-cloud

Enable/disable FortiToken Cloud service.

option

enable

Option	Description
enable	Enable FortiToken Cloud service.
disable	Disable FortiToken Cloud service.

faz-disk-buffer-size

Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.

integer

Minimum value: 0 Maximum value: 214748364

irq-time-accounting

Configure CPU IRQ time accounting mode.

option

auto

Option	Description
auto	Automatically switch CPU accounting mode.
force	Force the use of CPU IRQ time accounting mode.

management-ip

Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.

string

Maximum length: 255

management-port

Overriding port for management connection (Overrides admin port).

integer

Minimum value: 1 Maximum value: 65535

443

management-port-use-admin-sport

Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.

option

enable

Option	Description
enable	Enable use of the admin-sport setting for the management port.
disable	Disable use of the admin-sport setting for the management port.

internet-service-database

Configure which Internet Service database size to download from FortiGuard and use.

option

full **

Option	Description
mini	Small sized Internet Service database with very limited IP addresses.
standard	Medium sized Internet Service database with most IP addresses.
full	Full sized Internet Service database with all IP addresses.

* This parameter may not exist in some models.

** Values may differ between models.

config system global

Configure global attributes.

config system global

Description: Configure global attributes.

set language [english|french|...]

set gui-ipv6 [enable|disable]

set gui-replacement-message-groups [enable|disable]

set gui-local-out [enable|disable]

set gui-certificates [enable|disable]

set gui-custom-language [enable|disable]

set gui-wireless-opensecurity [enable|disable]

set gui-display-hostname [enable|disable]

set gui-fortigate-cloud-sandbox [enable|disable]

set gui-firmware-upgrade-warning [enable|disable]

set gui-allow-default-hostname [enable|disable]

set gui-forticare-registration-setup-warning [enable|disable]

set gui-workflow-management [enable|disable]

set gui-cdn-usage [enable|disable]

set admin-https-ssl-versions {option1}, {option2}, ...

set admin-https-ssl-ciphersuites {option1}, {option2}, ...

set admin-https-ssl-banned-ciphers {option1}, {option2}, ...

set admintimeout {integer}

set admin-console-timeout {integer}

set admin-concurrent [enable|disable]

set admin-lockout-threshold {integer}

set admin-lockout-duration {integer}

set refresh {integer}

set interval {integer}

set failtime {integer}

set daily-restart [enable|disable]

set restart-time {user}

set radius-port {integer}

set admin-login-max {integer}

set remoteauthtimeout {integer}

set ldapconntimeout {integer}

set batch-cmdb [enable|disable]

set multi-factor-authentication [optional|mandatory]

set ssl-min-proto-version [SSLv3|TLSv1|...]

set autorun-log-fsck [enable|disable]

set dst [enable|disable]

set timezone [01|02|...]

set traffic-priority [tos|dscp]

set traffic-priority-level [low|medium|...]

set anti-replay [disable|loose|...]

set send-pmtu-icmp [enable|disable]

set honor-df [enable|disable]

set pmtu-discovery [enable|disable]

set virtual-switch-vlan [enable|disable]

set revision-image-auto-backup [enable|disable]

set revision-backup-on-logout [enable|disable]

set management-vdom {string}

set hostname {string}

set alias {string}

set strong-crypto [enable|disable]

set ssl-static-key-ciphers [enable|disable]

set ssh-kex-algo {option1}, {option2}, ...

set ssh-enc-algo {option1}, {option2}, ...

set ssh-mac-algo {option1}, {option2}, ...

set snat-route-change [enable|disable]

set speedtest-server [enable|disable]

set cli-audit-log [enable|disable]

set dh-params [1024|1536|...]

set fds-statistics [enable|disable]

set fds-statistics-period {integer}

set tcp-option [enable|disable]

set lldp-transmission [enable|disable]

set lldp-reception [enable|disable]

set proxy-auth-timeout {integer}

set proxy-re-authentication-mode [session|traffic|...]

set proxy-auth-lifetime [enable|disable]

set proxy-auth-lifetime-timeout {integer}

set proxy-resource-mode [enable|disable]

set proxy-cert-use-mgmt-vdom [enable|disable]

set sys-perf-log-interval {integer}

set check-protocol-header [loose|strict]

set vip-arp-range [unlimited|restricted]

set reset-sessionless-tcp [enable|disable]

set allow-traffic-redirect [enable|disable]

set ipv6-allow-traffic-redirect [enable|disable]

set strict-dirty-session-check [enable|disable]

set tcp-halfclose-timer {integer}

set tcp-halfopen-timer {integer}

set tcp-timewait-timer {integer}

set tcp-rst-timer {integer}

set udp-idle-timer {integer}

set block-session-timer {integer}

set ip-src-port-range {user}

set pre-login-banner [enable|disable]

set post-login-banner [disable|enable]

set tftp [enable|disable]

set av-failopen [pass|off|...]

set av-failopen-session [enable|disable]

set memory-use-threshold-extreme {integer}

set memory-use-threshold-red {integer}

set memory-use-threshold-green {integer}

set cpu-use-threshold {integer}

set check-reset-range [strict|disable]

set vdom-mode [no-vdom|multi-vdom]

set long-vdom-name [enable|disable]

set edit-vdom-prompt [enable|disable]

set admin-port {integer}

set admin-sport {integer}

set admin-https-redirect [enable|disable]

set admin-hsts-max-age {integer}

set admin-ssh-password [enable|disable]

set admin-restrict-local [enable|disable]

set admin-ssh-port {integer}

set admin-ssh-grace-time {integer}

set admin-ssh-v1 [enable|disable]

set admin-telnet [enable|disable]

set admin-telnet-port {integer}

set admin-forticloud-sso-login [enable|disable]

set default-service-source-port {user}

set admin-maintainer [enable|disable]

set admin-reset-button [enable|disable]

set admin-server-cert {string}

set user-server-cert {string}

set admin-https-pki-required [enable|disable]

set wifi-certificate {string}

set wifi-ca-certificate {string}

set auth-http-port {integer}

set auth-https-port {integer}

set auth-ike-saml-port {integer}

set auth-keepalive [enable|disable]

set policy-auth-concurrent {integer}

set auth-session-limit [block-new|logout-inactive]

set auth-cert {string}

set clt-cert-req [enable|disable]

set fortiservice-port {integer}

set cfg-save [automatic|manual|...]

set cfg-revert-timeout {integer}

set reboot-upon-config-restore [enable|disable]

set admin-scp [enable|disable]

set security-rating-result-submission [enable|disable]

set security-rating-run-on-schedule [enable|disable]

set wireless-controller [enable|disable]

set wireless-controller-port {integer}

set fortiextender-data-port {integer}

set fortiextender [disable|enable]

set extender-controller-reserved-network {ipv4-classnet-host}

set fortiextender-discovery-lockdown [disable|enable]

set fortiextender-vlan-mode [enable|disable]

set switch-controller [disable|enable]

set switch-controller-reserved-network {ipv4-classnet-host}

set dnsproxy-worker-count {integer}

set url-filter-count {integer}

set proxy-worker-count {integer}

set scanunit-count {integer}

set proxy-hardware-acceleration [disable|enable]

set fgd-alert-subscription {option1}, {option2}, ...

set ipsec-hmac-offload [enable|disable]

set ipv6-accept-dad {integer}

set ipv6-allow-anycast-probe [enable|disable]

set csr-ca-attribute [enable|disable]

set wimax-4g-usb [enable|disable]

set cert-chain-max {integer}

set sslvpn-max-worker-count {integer}

set sslvpn-kxp-hardware-acceleration [enable|disable]

set sslvpn-cipher-hardware-acceleration [enable|disable]

set sslvpn-ems-sn-check [enable|disable]

set sslvpn-plugin-version-check [enable|disable]

set two-factor-ftk-expiry {integer}

set two-factor-email-expiry {integer}

set two-factor-sms-expiry {integer}

set two-factor-fac-expiry {integer}

set two-factor-ftm-expiry {integer}

set wad-worker-count {integer}

set wad-csvc-cs-count {integer}

set wad-csvc-db-count {integer}

set wad-source-affinity [disable|enable]

set wad-memory-change-granularity {integer}

set login-timestamp [enable|disable]

set miglogd-children {integer}

set special-file-23-support [disable|enable]

set log-uuid-address [enable|disable]

set log-ssl-connection [enable|disable]

set gui-rest-api-cache [enable|disable]

set arp-max-entry {integer}

set ha-affinity {string}

set cmdbsvr-affinity {string}

set ndp-max-entry {integer}

set br-fdb-max-entry {integer}

set max-route-cache-size {integer}

set ipsec-asic-offload [enable|disable]

set ipsec-soft-dec-async [enable|disable]

set device-idle-timeout {integer}

set user-device-store-max-devices {integer}

set user-device-store-max-users {integer}

set user-device-store-max-unified-mem {integer}

set gui-device-latitude {string}

set gui-device-longitude {string}

set private-data-encryption [disable|enable]

set auto-auth-extension-device [enable|disable]

set gui-theme [jade|neutrino|...]

set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]

set gui-date-time-source [system|browser]

set igmp-state-limit {integer}

set legacy-poe-device-support [enable|disable]

set cloud-communication [enable|disable]

set ipsec-ha-seqjump-rate {integer}

set fortitoken-cloud [enable|disable]

set faz-disk-buffer-size {integer}

set irq-time-accounting [auto|force]

set management-ip {string}

set management-port {integer}

set management-port-use-admin-sport [enable|disable]

set internet-service-database [mini|standard|...]

end

config system global

Parameter

Description

Type

Size

Default

language

GUI display language.

option

english

Option	Description
english	English.
french	French.
spanish	Spanish.
portuguese	Portuguese.
japanese	Japanese.
trach	Traditional Chinese.
simch	Simplified Chinese.
korean	Korean.

gui-ipv6

Enable/disable IPv6 settings on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-replacement-message-groups

Enable/disable replacement message groups on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-local-out

Enable/disable Local-out traffic on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-certificates

Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.

option

enable **

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-custom-language

Enable/disable custom languages in GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-wireless-opensecurity

Enable/disable wireless open security option on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-display-hostname

Enable/disable displaying the FortiGate's hostname on the GUI login page.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-fortigate-cloud-sandbox

Enable/disable displaying FortiGate Cloud Sandbox on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-firmware-upgrade-warning

Enable/disable the firmware upgrade warning on the GUI.

option

enable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-allow-default-hostname

Enable/disable the factory default hostname warning on the GUI setup wizard.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-forticare-registration-setup-warning

Enable/disable the FortiCare registration setup warning on the GUI.

option

enable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-workflow-management

Enable/disable Workflow management features on the GUI.

option

disable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

gui-cdn-usage

Enable/disable Load GUI static files from a CDN.

option

enable

Option	Description
enable	Display the feature in GUI.
disable	Do not display the feature in GUI.

admin-https-ssl-versions

Allowed TLS versions for web administration.

option

tlsv1-2 tlsv1-3

Option	Description
tlsv1-1	TLS 1.1.
tlsv1-2	TLS 1.2.
tlsv1-3	TLS 1.3.

admin-https-ssl-ciphersuites

Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.

option

TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

Option	Description
TLS-AES-128-GCM-SHA256	Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.
TLS-AES-256-GCM-SHA384	Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.
TLS-CHACHA20-POLY1305-SHA256	Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.
TLS-AES-128-CCM-SHA256	Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.
TLS-AES-128-CCM-8-SHA256	Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

admin-https-ssl-banned-ciphers

Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.

option

Option	Description
RSA	Ban the use of cipher suites using RSA key.
DHE	Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDHE	Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS	Ban the use of cipher suites using DSS authentication.
ECDSA	Ban the use of cipher suites using ECDSA authentication.
AES	Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM	Ban the use of cipher suites using AES in Galois Counter Mode (GCM).
CAMELLIA	Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES	Ban the use of cipher suites using triple DES.
SHA1	Ban the use of cipher suites using HMAC-SHA1.
SHA256	Ban the use of cipher suites using HMAC-SHA256.
SHA384	Ban the use of cipher suites using HMAC-SHA384.
STATIC	Ban the use of cipher suites using static keys.
CHACHA20	Ban the use of cipher suites using ChaCha20.
ARIA	Ban the use of cipher suites using ARIA.
AESCCM	Ban the use of cipher suites using AESCCM.

admintimeout

Number of minutes before an idle administrator session times out . A shorter idle timeout is more secure.

integer

Minimum value: 1 Maximum value: 480

admin-console-timeout

Console login timeout that overrides the admin timeout value .

integer

Minimum value: 15 Maximum value: 300

admin-concurrent

Enable/disable concurrent administrator logins. Use policy-auth-concurrent for firewall authenticated users.

option

enable

Option	Description
enable	Enable admin concurrent login.
disable	Disable admin concurrent login.

admin-lockout-threshold

Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

integer

Minimum value: 1 Maximum value: 10

admin-lockout-duration

Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

integer

Minimum value: 1 Maximum value: 2147483647

refresh

Statistics refresh interval second(s) in GUI.

integer

Minimum value: 0 Maximum value: 4294967295

interval

Dead gateway detection interval.

integer

Minimum value: 0 Maximum value: 4294967295

failtime

Fail-time for server lost.

integer

Minimum value: 0 Maximum value: 4294967295

daily-restart

Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.

option

disable

Option	Description
enable	Enable daily reboot of the FortiGate.
disable	Disable daily reboot of the FortiGate.

restart-time

Daily restart time (hh:mm).

user

Not Specified

radius-port

RADIUS service port number.

integer

Minimum value: 1 Maximum value: 65535

1812

admin-login-max

Maximum number of administrators who can be logged in at the same time .

integer

Minimum value: 1 Maximum value: 100

100

remoteauthtimeout

Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. .

integer

Minimum value: 1 Maximum value: 300

ldapconntimeout

Global timeout for connections with remote LDAP servers in milliseconds .

integer

Minimum value: 1 Maximum value: 300000

500

batch-cmdb

Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.

option

enable

Option	Description
enable	Enable batch mode to execute in CMDB server.
disable	Disable batch mode to execute in CMDB server.

multi-factor-authentication

Enforce all login methods to require an additional authentication factor .

option

optional

Option	Description
optional	Do not enforce all login methods to require an additional authentication factor (controlled by user settings).
mandatory	Enforce all login methods to require an additional authentication factor.

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections .

option

TLSv1-2

Option	Description
SSLv3	SSLv3.
TLSv1	TLSv1.
TLSv1-1	TLSv1.1.
TLSv1-2	TLSv1.2.
TLSv1-3	TLSv1.3.

autorun-log-fsck

Enable/disable automatic log partition check after ungraceful shutdown.

option

disable

Option	Description
enable	Enable automatic log partition check after ungraceful shutdown.
disable	Disable automatic log partition check after ungraceful shutdown.

dst

Enable/disable daylight saving time.

option

enable

Option	Description
enable	Enable daylight saving time.
disable	Disable daylight saving time.

timezone

Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.

option

Option	Description
01	(GMT-11:00) Midway Island, Samoa
02	(GMT-10:00) Hawaii
03	(GMT-9:00) Alaska
04	(GMT-8:00) Pacific Time (US & Canada)
05	(GMT-7:00) Arizona
81	(GMT-7:00) Baja California Sur, Chihuahua
06	(GMT-7:00) Mountain Time (US & Canada)
07	(GMT-6:00) Central America
08	(GMT-6:00) Central Time (US & Canada)
09	(GMT-6:00) Mexico City
10	(GMT-6:00) Saskatchewan
11	(GMT-5:00) Bogota, Lima,Quito
12	(GMT-5:00) Eastern Time (US & Canada)
13	(GMT-5:00) Indiana (East)
74	(GMT-4:00) Caracas
14	(GMT-4:00) Atlantic Time (Canada)
77	(GMT-4:00) Georgetown
15	(GMT-4:00) La Paz
87	(GMT-4:00) Paraguay
16	(GMT-3:00) Santiago
17	(GMT-3:30) Newfoundland
18	(GMT-3:00) Brasilia
19	(GMT-3:00) Buenos Aires
20	(GMT-3:00) Nuuk (Greenland)
75	(GMT-3:00) Uruguay
21	(GMT-2:00) Mid-Atlantic
22	(GMT-1:00) Azores
23	(GMT-1:00) Cape Verde Is.
24	(GMT) Monrovia
80	(GMT) Greenwich Mean Time
79	(GMT) Casablanca
25	(GMT) Dublin, Edinburgh, Lisbon, London, Canary Is.
26	(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
27	(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
28	(GMT+1:00) Brussels, Copenhagen, Madrid, Paris
78	(GMT+1:00) Namibia
29	(GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb
30	(GMT+1:00) West Central Africa
31	(GMT+2:00) Athens, Sofia, Vilnius
32	(GMT+2:00) Bucharest
33	(GMT+2:00) Cairo
34	(GMT+2:00) Harare, Pretoria
35	(GMT+2:00) Helsinki, Riga, Tallinn
36	(GMT+2:00) Jerusalem
37	(GMT+3:00) Baghdad
38	(GMT+3:00) Kuwait, Riyadh
83	(GMT+3:00) Moscow
84	(GMT+3:00) Minsk
40	(GMT+3:00) Nairobi
85	(GMT+3:00) Istanbul
41	(GMT+3:30) Tehran
42	(GMT+4:00) Abu Dhabi, Muscat
43	(GMT+4:00) Baku
39	(GMT+3:00) St. Petersburg, Volgograd
44	(GMT+4:30) Kabul
46	(GMT+5:00) Islamabad, Karachi, Tashkent
47	(GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi
51	(GMT+5:30) Sri Jayawardenepara
48	(GMT+5:45) Kathmandu
45	(GMT+5:00) Ekaterinburg
49	(GMT+6:00) Almaty, Novosibirsk
50	(GMT+6:00) Astana, Dhaka
52	(GMT+6:30) Rangoon
53	(GMT+7:00) Bangkok, Hanoi, Jakarta
54	(GMT+7:00) Krasnoyarsk
55	(GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk
56	(GMT+8:00) Ulaan Bataar
57	(GMT+8:00) Kuala Lumpur, Singapore
58	(GMT+8:00) Perth
59	(GMT+8:00) Taipei
60	(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
62	(GMT+9:30) Adelaide
63	(GMT+9:30) Darwin
61	(GMT+9:00) Yakutsk
64	(GMT+10:00) Brisbane
65	(GMT+10:00) Canberra, Melbourne, Sydney
66	(GMT+10:00) Guam, Port Moresby
67	(GMT+10:00) Hobart
68	(GMT+10:00) Vladivostok
69	(GMT+10:00) Magadan
70	(GMT+11:00) Solomon Is., New Caledonia
71	(GMT+12:00) Auckland, Wellington
72	(GMT+12:00) Fiji, Kamchatka, Marshall Is.
00	(GMT+12:00) Eniwetok, Kwajalein
82	(GMT+12:45) Chatham Islands
73	(GMT+13:00) Nuku'alofa
86	(GMT+13:00) Samoa
76	(GMT+14:00) Kiritimati

traffic-priority

Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.

option

tos

Option	Description
tos	IP TOS.
dscp	DSCP (DiffServ) DS.

traffic-priority-level

Default system-wide level of priority for traffic prioritization.

option

medium

Option	Description
low	Low priority.
medium	Medium priority.
high	High priority.

anti-replay

Level of checking for packet replay and TCP sequence checking.

option

strict

Option	Description
disable	Disable anti-replay check.
loose	Loose anti-replay check.
strict	Strict anti-replay check.

send-pmtu-icmp

Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.

option

enable

Option	Description
enable	Enable sending of PMTU ICMP destination unreachable packet.
disable	Disable sending of PMTU ICMP destination unreachable packet.

honor-df

Enable/disable honoring of Don't-Fragment (DF) flag.

option

enable

Option	Description
enable	Enable honoring of Don't-Fragment flag.
disable	Disable honoring of Don't-Fragment flag.

pmtu-discovery

Enable/disable path MTU discovery.

option

disable

Option	Description
enable	Enable path MTU discovery.
disable	Disable path MTU discovery.

virtual-switch-vlan *

Enable/disable virtual switch VLAN.

option

disable

Option	Description
enable	Enable virtual switch VLAN.
disable	Disable virtual switch VLAN.

revision-image-auto-backup

Enable/disable back-up of the latest image revision after the firmware is upgraded.

option

disable

Option	Description
enable	Enable revision image backup automatically when upgrading image.
disable	Disable revision image backup automatically when upgrading image.

revision-backup-on-logout

Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.

option

disable

Option	Description
enable	Enable revision config backup automatically when logout.
disable	Disable revision config backup automatically when logout.

management-vdom

Management virtual domain name.

string

Maximum length: 31

root

hostname

FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.

string

Maximum length: 35

alias

Alias for your FortiGate unit.

string

Maximum length: 35

strong-crypto

Enable to use strong encryption and only allow strong ciphers and digest for HTTPS/SSH/TLS/SSL functions.

option

enable

Option	Description
enable	Enable strong crypto for HTTPS/SSH/TLS/SSL.
disable	Disable strong crypto for HTTPS/SSH/TLS/SSL.

ssl-static-key-ciphers

Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).

option

enable

Option	Description
enable	Enable static key ciphers in SSL/TLS connections.
disable	Disable static key ciphers in SSL/TLS connections.

ssh-kex-algo

Select one or more SSH kex algorithms.

option

diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521

Option	Description
diffie-hellman-group1-sha1	diffie-hellman-group1-sha1
diffie-hellman-group14-sha1	diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1	diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256	diffie-hellman-group-exchange-sha256
curve25519-sha256@libssh.org	curve25519-sha256@libssh.org
ecdh-sha2-nistp256	ecdh-sha2-nistp256
ecdh-sha2-nistp384	ecdh-sha2-nistp384
ecdh-sha2-nistp521	ecdh-sha2-nistp521

ssh-enc-algo

Select one or more SSH ciphers.

option

chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com

Option	Description
chacha20-poly1305@openssh.com	chacha20-poly1305@openssh.com
aes128-ctr	aes128-ctr
aes192-ctr	aes192-ctr
aes256-ctr	aes256-ctr
arcfour256	arcfour256
arcfour128	arcfour128
aes128-cbc	aes128-cbc
3des-cbc	3des-cbc
blowfish-cbc	blowfish-cbc
cast128-cbc	cast128-cbc
aes192-cbc	aes192-cbc
aes256-cbc	aes256-cbc
arcfour	arcfour
rijndael-cbc@lysator.liu.se	rijndael-cbc@lysator.liu.se
aes128-gcm@openssh.com	aes128-gcm@openssh.com
aes256-gcm@openssh.com	aes256-gcm@openssh.com

ssh-mac-algo

Select one or more SSH MAC algorithms.

option

hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com

Option	Description
hmac-md5	hmac-md5
hmac-md5-etm@openssh.com	hmac-md5-etm@openssh.com
hmac-md5-96	hmac-md5-96
hmac-md5-96-etm@openssh.com	hmac-md5-96-etm@openssh.com
hmac-sha1	hmac-sha1
hmac-sha1-etm@openssh.com	hmac-sha1-etm@openssh.com
hmac-sha2-256	hmac-sha2-256
hmac-sha2-256-etm@openssh.com	hmac-sha2-256-etm@openssh.com
hmac-sha2-512	hmac-sha2-512
hmac-sha2-512-etm@openssh.com	hmac-sha2-512-etm@openssh.com
hmac-ripemd160	hmac-ripemd160
hmac-ripemd160@openssh.com	hmac-ripemd160@openssh.com
hmac-ripemd160-etm@openssh.com	hmac-ripemd160-etm@openssh.com
umac-64@openssh.com	umac-64@openssh.com
umac-128@openssh.com	umac-128@openssh.com
umac-64-etm@openssh.com	umac-64-etm@openssh.com
umac-128-etm@openssh.com	umac-128-etm@openssh.com

snat-route-change

Enable/disable the ability to change the static NAT route.

option

disable

Option	Description
enable	Enable SNAT route change.
disable	Disable SNAT route change.

speedtest-server

Enable/disable speed test server.

option

disable

Option	Description
enable	Enable speed test server service.
disable	Disable speed test server service.

cli-audit-log

Enable/disable CLI audit log.

option

disable

Option	Description
enable	Enable CLI audit log.
disable	Disable CLI audit log.

dh-params

Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.

option

2048

Option	Description
1024	1024 bits.
1536	1536 bits.
2048	2048 bits.
3072	3072 bits.
4096	4096 bits.
6144	6144 bits.
8192	8192 bits.

fds-statistics

option

enable

Option	Description
enable	Enable FortiGuard statistics.
disable	Disable FortiGuard statistics.

fds-statistics-period

FortiGuard statistics collection period in minutes. .

integer

Minimum value: 1 Maximum value: 1440

tcp-option

Enable SACK, timestamp and MSS TCP options.

option

enable

Option	Description
enable	Enable TCP option.
disable	Disable TCP option.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

disable

Option	Description
enable	Enable transmission of Link Layer Discovery Protocol (LLDP).
disable	Disable transmission of Link Layer Discovery Protocol (LLDP).

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

disable

Option	Description
enable	Enable reception of Link Layer Discovery Protocol (LLDP).
disable	Disable reception of Link Layer Discovery Protocol (LLDP).

proxy-auth-timeout

Authentication timeout in minutes for authenticated users .

integer

Minimum value: 1 Maximum value: 300

proxy-re-authentication-mode

Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.

option

session

Option	Description
session	Proxy re-authentication timeout begins at the closure of the session.
traffic	Proxy re-authentication timeout begins after traffic has not been received.
absolute	Proxy re-authentication timeout begins when the user was first created.

proxy-auth-lifetime

Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.

option

disable

Option	Description
enable	Enable authenticated users lifetime control.
disable	Disable authenticated users lifetime control.

proxy-auth-lifetime-timeout

Lifetime timeout in minutes for authenticated users .

integer

Minimum value: 5 Maximum value: 65535

480

proxy-resource-mode

Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.

option

disable

Option	Description
enable	Enable use of the maximum memory usage.
disable	Disable use of the maximum memory usage.

proxy-cert-use-mgmt-vdom

Enable/disable using management VDOM to send requests.

option

disable

Option	Description
enable	Enable setting.
disable	Disable setting.

sys-perf-log-interval

Time in minutes between updates of performance statistics logging. .

integer

Minimum value: 0 Maximum value: 15

check-protocol-header

Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is OK in most cases.

option

loose

Option	Description
loose	Check protocol header loosely.
strict	Check protocol header strictly.

vip-arp-range

Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.

option

restricted

Option	Description
unlimited	Send ARPs for all addresses in VIP range.
restricted	Send ARPs for the first 8192 addresses in VIP range.

reset-sessionless-tcp

Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.

option

disable

Option	Description
enable	Enable reset session-less TCP.
disable	Disable reset session-less TCP.

allow-traffic-redirect

Disable to prevent traffic with same local ingress and egress interface from being forwarded without policy check.

option

enable

Option	Description
enable	Enable allow traffic redirect.
disable	Disable allow traffic redirect.

ipv6-allow-traffic-redirect

Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.

option

enable

Option	Description
enable	Enable allow traffic IPv6 redirect.
disable	Disable allow traffic IPv6 redirect.

strict-dirty-session-check

option

enable

Option	Description
enable	Enable strict dirty-session check.
disable	Disable strict dirty-session check.

tcp-halfclose-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded .

integer

Minimum value: 1 Maximum value: 86400

120

tcp-halfopen-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded .

integer

Minimum value: 1 Maximum value: 86400

tcp-timewait-timer

Length of the TCP TIME-WAIT state in seconds .

integer

Minimum value: 0 Maximum value: 300

tcp-rst-timer

Length of the TCP CLOSE state in seconds .

integer

Minimum value: 5 Maximum value: 300

udp-idle-timer

UDP connection session timeout. This command can be useful in managing CPU and memory resources .

integer

Minimum value: 1 Maximum value: 86400

180

block-session-timer

Duration in seconds for blocked sessions .

integer

Minimum value: 1 Maximum value: 300

ip-src-port-range

IP source port range used for traffic originating from the FortiGate unit.

user

Not Specified

1024-25000

pre-login-banner

Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.

option

disable

Option	Description
enable	Enable pre-login banner.
disable	Disable pre-login banner.

post-login-banner

Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.

option

disable

Option	Description
disable	Disable post-login banner.
enable	Enable post-login banner.

tftp

Enable/disable TFTP.

option

enable

Option	Description
enable	Enable TFTP.
disable	Disable TFTP.

av-failopen

Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.

option

pass

Option	Description
pass	Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
off	Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
one-shot	Bypass the antivirus system when memory is low.

av-failopen-session

When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.

option

disable

Option	Description
enable	Enable AV fail open session option.
disable	Disable AV fail open session option.

memory-use-threshold-extreme

Threshold at which memory usage is considered extreme .

integer

Minimum value: 70 Maximum value: 97

memory-use-threshold-red

Threshold at which memory usage forces the FortiGate to enter conserve mode .

integer

Minimum value: 70 Maximum value: 97

memory-use-threshold-green

Threshold at which memory usage forces the FortiGate to exit conserve mode .

integer

Minimum value: 70 Maximum value: 97

cpu-use-threshold

Threshold at which CPU usage is reported .

integer

Minimum value: 50 Maximum value: 99

check-reset-range

Configure ICMP error message verification. You can either apply strict RST range checking or disable it.

option

disable

Option	Description
strict	Check RST range strictly.
disable	Disable RST range check.

vdom-mode *

Enable/disable support for multiple virtual domains (VDOMs).

option

no-vdom

Option	Description
no-vdom	Disable multiple VDOMs mode.
multi-vdom	Enable multiple VDOMs mode.

long-vdom-name *

Enable/disable long VDOM name support.

option

disable

Option	Description
enable	Enable long VDOM name support.
disable	Disable long VDOM name support.

edit-vdom-prompt *

Enable/disable edit new VDOM prompt.

option

disable

Option	Description
enable	Enable edit new VDOM prompt.
disable	Disable edit new VDOM prompt.

admin-port

Administrative access port for HTTP. .

integer

Minimum value: 1 Maximum value: 65535

admin-sport

Administrative access port for HTTPS. .

integer

Minimum value: 1 Maximum value: 65535

443

admin-https-redirect

Enable/disable redirection of HTTP administration access to HTTPS.

option

enable

Option	Description
enable	Enable redirecting HTTP administration access to HTTPS.
disable	Disable redirecting HTTP administration access to HTTPS.

admin-hsts-max-age

HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0.

integer

Minimum value: 0 Maximum value: 2147483647

15552000

admin-ssh-password

Enable/disable password authentication for SSH admin access.

option

enable

Option	Description
enable	Enable password authentication for SSH admin access.
disable	Disable password authentication for SSH admin access.

admin-restrict-local

Enable/disable local admin authentication restriction when remote authenticator is up and running .

option

disable

Option	Description
enable	Enable local admin authentication restriction.
disable	Disable local admin authentication restriction.

admin-ssh-port

Administrative access port for SSH. .

integer

Minimum value: 1 Maximum value: 65535

admin-ssh-grace-time

Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating .

integer

Minimum value: 10 Maximum value: 3600

120

admin-ssh-v1

Enable/disable SSH v1 compatibility.

option

disable

Option	Description
enable	Enable SSH v1 compatibility.
disable	Disable SSH v1 compatibility.

admin-telnet

Enable/disable TELNET service.

option

enable

Option	Description
enable	Enable TELNET service.
disable	Disable TELNET service.

admin-telnet-port

Administrative access port for TELNET. .

integer

Minimum value: 1 Maximum value: 65535

admin-forticloud-sso-login

Enable/disable FortiCloud admin login via SSO.

option

disable

Option	Description
enable	Enable FortiCloud admin login via SSO.
disable	Disable FortiCloud admin login via SSO.

default-service-source-port

Default service source port range .

user

Not Specified

admin-maintainer

option

enable

Option	Description
enable	Enable login for special user (maintainer).
disable	Disable login for special user (maintainer).

admin-reset-button *

press the reset button can reset to factory default

option

enable

Option	Description
enable	press the reset button can reset to factory default
disable	press the reset button cannot reset to factory default

admin-server-cert

Server certificate that the FortiGate uses for HTTPS administrative connections.

string

Maximum length: 35

self-sign

user-server-cert

Certificate to use for https user authentication.

string

Maximum length: 35

Fortinet_Factory

admin-https-pki-required

Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.

option

disable

Option	Description
enable	Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access.
disable	Admin users can login by providing a valid certificate or password.

wifi-certificate

Certificate to use for WiFi authentication.

string

Maximum length: 35

Fortinet_Wifi

wifi-ca-certificate

CA certificate that verifies the WiFi certificate.

string

Maximum length: 79

Fortinet_Wifi_CA

auth-http-port

User authentication HTTP port. .

integer

Minimum value: 1 Maximum value: 65535

1000

auth-https-port

User authentication HTTPS port. .

integer

Minimum value: 1 Maximum value: 65535

1003

auth-ike-saml-port

User IKE SAML authentication port .

integer

Minimum value: 0 Maximum value: 65535

1001

auth-keepalive

Enable to prevent user authentication sessions from timing out when idle.

option

disable

Option	Description
enable	Enable use of keep alive to extend authentication.
disable	Disable use of keep alive to extend authentication.

policy-auth-concurrent

Number of concurrent firewall use logins from the same user .

integer

Minimum value: 0 Maximum value: 100

auth-session-limit

Action to take when the number of allowed user authenticated sessions is reached.

option

block-new

Option	Description
block-new	Block new user authentication attempts.
logout-inactive	Logout the most inactive user authenticated sessions.

auth-cert

Server certificate that the FortiGate uses for HTTPS firewall authentication connections.

string

Maximum length: 35

Fortinet_Factory

clt-cert-req

Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.

option

disable

Option	Description
enable	Enable require client certificate for GUI login.
disable	Disable require client certificate for GUI login.

fortiservice-port

FortiService port . Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.

integer

Minimum value: 1 Maximum value: 65535

8013

cfg-save

Configuration file save mode for CLI changes.

option

automatic

Option	Description
automatic	Automatically save config.
manual	Manually save config.
revert	Manually save config and revert the config when timeout.

cfg-revert-timeout

Time-out for reverting to the last saved configuration. .

integer

Minimum value: 10 Maximum value: 4294967295

600

reboot-upon-config-restore

Enable/disable reboot of system upon restoring configuration.

option

enable

Option	Description
enable	Enable reboot of system upon restoring configuration.
disable	Disable reboot of system upon restoring configuration.

admin-scp

Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.

option

disable

Option	Description
enable	Enable allow system configuration download by SCP.
disable	Disable allow system configuration download by SCP.

security-rating-result-submission

Enable/disable the submission of Security Rating results to FortiGuard.

option

enable

Option	Description
enable	Enable submission of Security Rating results to FortiGuard.
disable	Disable submission of Security Rating results to FortiGuard.

security-rating-run-on-schedule

Enable/disable scheduled runs of Security Rating.

option

enable

Option	Description
enable	Enable scheduled runs of Security Rating.
disable	Disable scheduled runs of Security Rating.

wireless-controller

Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.

option

enable

Option	Description
enable	Enable wireless controller.
disable	Disable wireless controller.

wireless-controller-port

Port used for the control channel in wireless controller mode .

integer

Minimum value: 1024 Maximum value: 49150

5246

fortiextender-data-port

FortiExtender data port .

integer

Minimum value: 1024 Maximum value: 49150

25246

fortiextender

Enable/disable FortiExtender.

option

enable **

Option	Description
disable	Disable FortiExtender controller.
enable	Enable FortiExtender controller.

extender-controller-reserved-network

Configure reserved network subnet for managed LAN extension FortiExtender units. This is available when the FortiExtender daemon is running.

ipv4-classnet-host

Not Specified

10.252.0.1 255.255.0.0

fortiextender-discovery-lockdown

Enable/disable FortiExtender CAPWAP lockdown.

option

disable

Option	Description
disable	Unlock down new FortiExtender device discovery.
enable	Lock down new FortiExtender device discovery.

fortiextender-vlan-mode

Enable/disable FortiExtender VLAN mode.

option

disable

Option	Description
enable	Enable FortiExtender VLAN mode.
disable	Disable FortiExtender VLAN mode.

switch-controller

Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.

option

disable

Option	Description
disable	Disable switch controller feature.
enable	Enable switch controller feature.

switch-controller-reserved-network

Configure reserved network subnet for managed switches. This is available when the switch controller is enabled.

ipv4-classnet-host

Not Specified

10.255.0.0 255.255.0.0

dnsproxy-worker-count

DNS proxy worker count. For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs.

integer

Minimum value: 1 Maximum value: The number of logical CPUs .

url-filter-count

URL filter daemon count.

integer

Minimum value: 1 Maximum value: 1 **

proxy-worker-count

Proxy worker count.

integer

Minimum value: 1 Maximum value: 4 **

scanunit-count

Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.

integer

Minimum value: 2 Maximum value: 4 **

proxy-hardware-acceleration *

Enable/disable email proxy hardware acceleration.

option

enable

Option	Description
disable	Disable email proxy hardware acceleration.
enable	Enable email proxy hardware acceleration.

fgd-alert-subscription

Type of alert to retrieve from FortiGuard.

option

Option	Description
advisory	Retrieve FortiGuard advisories, report and news alerts.
latest-threat	Retrieve latest FortiGuard threats alerts.
latest-virus	Retrieve latest FortiGuard virus alerts.
latest-attack	Retrieve latest FortiGuard attack alerts.
new-antivirus-db	Retrieve FortiGuard AV database release alerts.
new-attack-db	Retrieve FortiGuard IPS database release alerts.

ipsec-hmac-offload *

Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.

option

enable

Option	Description
enable	Enable offload IPsec HMAC processing to hardware if possible.
disable	Disable offload IPsec HMAC processing to hardware.

ipv6-accept-dad

Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).

integer

Minimum value: 0 Maximum value: 2

ipv6-allow-anycast-probe

Enable/disable IPv6 address probe through Anycast.

option

disable

Option	Description
enable	Enable probing of IPv6 address space through Anycast
disable	Disable probing of IPv6 address space through Anycast

csr-ca-attribute

Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.

option

enable

Option	Description
enable	Enable CA attribute in CSR.
disable	Disable CA attribute in CSR.

wimax-4g-usb

Enable/disable comparability with WiMAX 4G USB devices.

option

disable

Option	Description
enable	Enable WiMax 4G.
disable	Disable WiMax 4G.

cert-chain-max

Maximum number of certificates that can be traversed in a certificate chain.

integer

Minimum value: 1 Maximum value: 2147483647

sslvpn-max-worker-count

Maximum number of SSL-VPN processes. Upper limit for this value is the number of CPUs and depends on the model. Default value of zero means the SSLVPN daemon decides the number of worker processes.

integer

Minimum value: 0 Maximum value: 4 **

sslvpn-kxp-hardware-acceleration *

Enable/disable SSL-VPN KXP hardware acceleration.

option

enable

Option	Description
enable	Enable KXP SSL-VPN hardware acceleration.
disable	Disable KXP SSL-VPN hardware acceleration.

sslvpn-cipher-hardware-acceleration *

Enable/disable SSL-VPN hardware acceleration.

option

enable

Option	Description
enable	Enable SSL-VPN cipher hardware acceleration.
disable	Disable SSL-VPN cipher hardware acceleration.

sslvpn-ems-sn-check

Enable/disable verification of EMS serial number in SSL-VPN connection.

option

disable

Option	Description
enable	Enable verification of EMS serial number in SSL-VPN connection.
disable	Disable verification of EMS serial number in SSL-VPN connection.

sslvpn-plugin-version-check

Enable/disable checking browser's plugin version by SSL-VPN.

option

enable

Option	Description
enable	Enable SSL-VPN automatic checking of browser plug-in version.
disable	Disable SSL-VPN automatic checking of browser plug-in version.

two-factor-ftk-expiry

FortiToken authentication session timeout .

integer

Minimum value: 60 Maximum value: 600

two-factor-email-expiry

Email-based two-factor authentication session timeout .

integer

Minimum value: 30 Maximum value: 300

two-factor-sms-expiry

SMS-based two-factor authentication session timeout .

integer

Minimum value: 30 Maximum value: 300

two-factor-fac-expiry

FortiAuthenticator token authentication session timeout .

integer

Minimum value: 10 Maximum value: 3600

two-factor-ftm-expiry

FortiToken Mobile session timeout .

integer

Minimum value: 1 Maximum value: 168

wad-worker-count

Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.

integer

Minimum value: 0 Maximum value: 4 **

wad-csvc-cs-count

Number of concurrent WAD-cache-service object-cache processes.

integer

Minimum value: 1 Maximum value: 1

wad-csvc-db-count

Number of concurrent WAD-cache-service byte-cache processes.

integer

Minimum value: 0 Maximum value: 4 **

wad-source-affinity

Enable/disable dispatching traffic to WAD workers based on source affinity.

option

enable

Option	Description
disable	Disable dispatching traffic to WAD workers based on source affinity.
enable	Enable dispatching traffic to WAD workers based on source affinity.

wad-memory-change-granularity

Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.

integer

Minimum value: 5 Maximum value: 25

Enable/disable login time recording.

option

disable

Option	Description
enable	Enable login time recording.
disable	Disable login time recording.

miglogd-children

Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.

integer

Minimum value: 0 Maximum value: 15

special-file-23-support

Enable/disable detection of those special format files when using Data Leak Protection.

option

disable

Option	Description
disable	Disable detection of those special format files when using Data Leak Protection.
enable	Enable detection of those special format files when using Data Leak Protection.

log-uuid-address

Enable/disable insertion of address UUIDs to traffic logs.

option

disable

Option	Description
enable	Enable insertion of address UUID to traffic logs.
disable	Disable insertion of address UUID to traffic logs.

log-ssl-connection

Enable/disable logging of SSL connection events.

option

disable

Option	Description
enable	Enable logging of SSL connection events.
disable	Disable logging of SSL connection events.

gui-rest-api-cache

Enable/disable REST API result caching on FortiGate.

option

enable **

Option	Description
enable	Enable REST API result caching on FortiGate.
disable	Disable REST API result caching on FortiGate.

arp-max-entry

Maximum number of dynamically learned MAC addresses that can be added to the ARP table .

integer

Minimum value: 131072 Maximum value: 2147483647

131072

ha-affinity

Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

cmdbsvr-affinity

Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

ndp-max-entry

Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).

integer

Minimum value: 65536 Maximum value: 2147483647

br-fdb-max-entry

Maximum number of bridge forwarding database (FDB) entries.

integer

Minimum value: 8192 Maximum value: 2147483647

8192

max-route-cache-size

Maximum number of IP route cache entries .

integer

Minimum value: 0 Maximum value: 2147483647

ipsec-asic-offload *

Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.

option

enable

Option	Description
enable	Enable ASIC offload for IPsec VPN.
disable	Disable ASIC offload for IPsec VPN.

ipsec-soft-dec-async

Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.

option

disable

Option	Description
enable	Enable software decryption asynchronization for IPsec VPN.
disable	Disable software decryption asynchronization for IPsec VPN.

device-idle-timeout

Time in seconds that a device must be idle to automatically log the device user out. .

integer

Minimum value: 30 Maximum value: 31536000

300

user-device-store-max-devices

Maximum number of devices allowed in user device store.

integer

Minimum value: 15935 Maximum value: 45528 **

31870 **

user-device-store-max-users

Maximum number of users allowed in user device store.

integer

Minimum value: 15935 Maximum value: 45528 **

31870 **

user-device-store-max-unified-mem

Maximum unified memory allowed in user device store.

integer

Minimum value: 31870197 Maximum value: 318701977 **

159350988 **

gui-device-latitude

Add the latitude of the location of this FortiGate to position it on the Threat Map.

string

Maximum length: 19

gui-device-longitude

Add the longitude of the location of this FortiGate to position it on the Threat Map.

string

Maximum length: 19

private-data-encryption

Enable/disable private data encryption using an AES 128-bit key or passpharse.

option

disable

Option	Description
disable	Disable private data encryption using an AES 128-bit key.
enable	Enable private data encryption using an AES 128-bit key.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension devices.

option

enable

Option	Description
enable	Enable automatic authorization of dedicated Fortinet extension device globally.
disable	Disable automatic authorization of dedicated Fortinet extension device globally.

gui-theme

Color scheme for the administration GUI.

option

jade

Option	Description
jade	Jade theme.
neutrino	Neutrino theme.
mariner	Mariner theme.
graphite	Graphite theme.
melongene	Melongene theme.
retro	FortiOS v3 Retro theme.
dark-matter	Dark Matter theme.
onyx	Onyx theme.
eclipse	Eclipse theme.

gui-date-format

Default date format used throughout GUI.

option

yyyy/MM/dd

Option	Description
yyyy/MM/dd	Year/Month/Day.
dd/MM/yyyy	Day/Month/Year.
MM/dd/yyyy	Month/Day/Year.
yyyy-MM-dd	Year-Month-Day.
dd-MM-yyyy	Day-Month-Year.
MM-dd-yyyy	Month-Day-Year.

gui-date-time-source

Source from which the FortiGate GUI uses to display date and time entries.

option

system

Option	Description
system	Use this FortiGate unit's configured timezone.
browser	Use the web browser's timezone.

igmp-state-limit

Maximum number of IGMP memberships .

integer

Minimum value: 96 Maximum value: 128000

3200

legacy-poe-device-support *

Enable/disable legacy POE device support.

option

disable

Option	Description
enable	Enable legacy POE device support.
disable	Disable legacy POE device support.

cloud-communication

Enable/disable all cloud communication.

option

enable

Option	Description
enable	Allow cloud communication.
disable	Disable all cloud-related settings.

ipsec-ha-seqjump-rate

ESP jump ahead rate (1G - 10G pps equivalent).

integer

Minimum value: 1 Maximum value: 10

fortitoken-cloud

Enable/disable FortiToken Cloud service.

option

enable

Option	Description
enable	Enable FortiToken Cloud service.
disable	Disable FortiToken Cloud service.

faz-disk-buffer-size

Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.

integer

Minimum value: 0 Maximum value: 214748364

irq-time-accounting

Configure CPU IRQ time accounting mode.

option

auto

Option	Description
auto	Automatically switch CPU accounting mode.
force	Force the use of CPU IRQ time accounting mode.

management-ip

Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.

string

Maximum length: 255

management-port

Overriding port for management connection (Overrides admin port).

integer

Minimum value: 1 Maximum value: 65535

443

management-port-use-admin-sport

Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.

option

enable

Option	Description
enable	Enable use of the admin-sport setting for the management port.
disable	Disable use of the admin-sport setting for the management port.

internet-service-database

Configure which Internet Service database size to download from FortiGuard and use.

option

full **

Option	Description
mini	Small sized Internet Service database with very limited IP addresses.
standard	Medium sized Internet Service database with most IP addresses.
full	Full sized Internet Service database with all IP addresses.

* This parameter may not exist in some models.

** Values may differ between models.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

config system global

config system global

config system global

config system global

config system global

config system global