config system global

Configure global attributes.

config system global

Description: Configure global attributes.

set language [english|french|...]

set gui-allow-incompatible-fabric-fgt [enable|disable]

set gui-ipv6 [enable|disable]

set gui-replacement-message-groups [enable|disable]

set gui-local-out [enable|disable]

set gui-certificates [enable|disable]

set gui-custom-language [enable|disable]

set gui-wireless-opensecurity [enable|disable]

set gui-app-detection-sdwan [enable|disable]

set gui-display-hostname [enable|disable]

set gui-fortigate-cloud-sandbox [enable|disable]

set gui-firmware-upgrade-warning [enable|disable]

set gui-allow-default-hostname [enable|disable]

set gui-forticare-registration-setup-warning [enable|disable]

set gui-workflow-management [enable|disable]

set gui-cdn-usage [enable|disable]

set admin-https-ssl-versions {option1}, {option2}, ...

set admin-https-ssl-ciphersuites {option1}, {option2}, ...

set admin-https-ssl-banned-ciphers {option1}, {option2}, ...

set admintimeout {integer}

set admin-console-timeout {integer}

set admin-concurrent [enable|disable]

set admin-lockout-threshold {integer}

set admin-lockout-duration {integer}

set refresh {integer}

set interval {integer}

set failtime {integer}

set daily-restart [enable|disable]

set restart-time {user}

set radius-port {integer}

set admin-login-max {integer}

set remoteauthtimeout {integer}

set ldapconntimeout {integer}

set batch-cmdb [enable|disable]

set multi-factor-authentication [optional|mandatory]

set ssl-min-proto-version [SSLv3|TLSv1|...]

set autorun-log-fsck [enable|disable]

set timezone [01|02|...]

set traffic-priority [tos|dscp]

set traffic-priority-level [low|medium|...]

set anti-replay [disable|loose|...]

set send-pmtu-icmp [enable|disable]

set honor-df [enable|disable]

set pmtu-discovery [enable|disable]

set virtual-switch-vlan [enable|disable]

set revision-image-auto-backup [enable|disable]

set revision-backup-on-logout [enable|disable]

set management-vdom {string}

set hostname {string}

set alias {string}

set strong-crypto [enable|disable]

set ssl-static-key-ciphers [enable|disable]

set ssh-kex-algo {option1}, {option2}, ...

set ssh-enc-algo {option1}, {option2}, ...

set ssh-mac-algo {option1}, {option2}, ...

set snat-route-change [enable|disable]

set speedtest-server [enable|disable]

set cli-audit-log [enable|disable]

set dh-params [1024|1536|...]

set fds-statistics [enable|disable]

set fds-statistics-period {integer}

set tcp-option [enable|disable]

set lldp-transmission [enable|disable]

set lldp-reception [enable|disable]

set proxy-auth-timeout {integer}

set proxy-re-authentication-mode [session|traffic|...]

set proxy-auth-lifetime [enable|disable]

set proxy-auth-lifetime-timeout {integer}

set proxy-resource-mode [enable|disable]

set proxy-cert-use-mgmt-vdom [enable|disable]

set sys-perf-log-interval {integer}

set check-protocol-header [loose|strict]

set vip-arp-range [unlimited|restricted]

set reset-sessionless-tcp [enable|disable]

set allow-traffic-redirect [enable|disable]

set ipv6-allow-traffic-redirect [enable|disable]

set strict-dirty-session-check [enable|disable]

set tcp-halfclose-timer {integer}

set tcp-halfopen-timer {integer}

set tcp-timewait-timer {integer}

set tcp-rst-timer {integer}

set udp-idle-timer {integer}

set block-session-timer {integer}

set ip-src-port-range {user}

set pre-login-banner [enable|disable]

set post-login-banner [disable|enable]

set tftp [enable|disable]

set av-failopen [pass|off|...]

set av-failopen-session [enable|disable]

set memory-use-threshold-extreme {integer}

set memory-use-threshold-red {integer}

set memory-use-threshold-green {integer}

set cpu-use-threshold {integer}

set check-reset-range [strict|disable]

set vdom-mode [no-vdom|multi-vdom]

set long-vdom-name [enable|disable]

set edit-vdom-prompt [enable|disable]

set admin-port {integer}

set admin-sport {integer}

set admin-host {string}

set admin-https-redirect [enable|disable]

set admin-hsts-max-age {integer}

set admin-ssh-password [enable|disable]

set admin-restrict-local [enable|disable]

set admin-ssh-port {integer}

set admin-ssh-grace-time {integer}

set admin-ssh-v1 [enable|disable]

set admin-telnet [enable|disable]

set admin-telnet-port {integer}

set admin-forticloud-sso-login [enable|disable]

set default-service-source-port {user}

set admin-maintainer [enable|disable]

set admin-reset-button [enable|disable]

set admin-server-cert {string}

set admin-https-pki-required [enable|disable]

set wifi-certificate {string}

set wifi-ca-certificate {string}

set auth-http-port {integer}

set auth-https-port {integer}

set auth-ike-saml-port {integer}

set auth-keepalive [enable|disable]

set policy-auth-concurrent {integer}

set auth-session-limit [block-new|logout-inactive]

set auth-cert {string}

set clt-cert-req [enable|disable]

set fortiservice-port {integer}

set cfg-save [automatic|manual|...]

set cfg-revert-timeout {integer}

set reboot-upon-config-restore [enable|disable]

set admin-scp [enable|disable]

set security-rating-result-submission [enable|disable]

set security-rating-run-on-schedule [enable|disable]

set wireless-controller [enable|disable]

set wireless-controller-port {integer}

set fortiextender-data-port {integer}

set fortiextender [disable|enable]

set extender-controller-reserved-network {ipv4-classnet-host}

set fortiextender-discovery-lockdown [disable|enable]

set fortiextender-vlan-mode [enable|disable]

set fortiextender-provision-on-authorization [enable|disable]

set switch-controller [disable|enable]

set switch-controller-reserved-network {ipv4-classnet-host}

set dnsproxy-worker-count {integer}

set url-filter-count {integer}

set proxy-worker-count {integer}

set scanunit-count {integer}

set proxy-hardware-acceleration [disable|enable]

set fgd-alert-subscription {option1}, {option2}, ...

set ipsec-hmac-offload [enable|disable]

set ipv6-accept-dad {integer}

set ipv6-allow-anycast-probe [enable|disable]

set ipv6-allow-multicast-probe [enable|disable]

set ipv6-allow-local-in-slient-drop [enable|disable]

set csr-ca-attribute [enable|disable]

set wimax-4g-usb [enable|disable]

set cert-chain-max {integer}

set sslvpn-max-worker-count {integer}

set sslvpn-kxp-hardware-acceleration [enable|disable]

set sslvpn-cipher-hardware-acceleration [enable|disable]

set sslvpn-ems-sn-check [enable|disable]

set sslvpn-plugin-version-check [enable|disable]

set two-factor-ftk-expiry {integer}

set two-factor-email-expiry {integer}

set two-factor-sms-expiry {integer}

set two-factor-fac-expiry {integer}

set two-factor-ftm-expiry {integer}

set wad-worker-count {integer}

set wad-csvc-cs-count {integer}

set wad-csvc-db-count {integer}

set wad-source-affinity [disable|enable]

set wad-memory-change-granularity {integer}

set login-timestamp [enable|disable]

set miglogd-children {integer}

set special-file-23-support [disable|enable]

set log-uuid-address [enable|disable]

set log-ssl-connection [enable|disable]

set gui-rest-api-cache [enable|disable]

set gui-cdn-domain-override {string}

set arp-max-entry {integer}

set ha-affinity {string}

set cmdbsvr-affinity {string}

set ndp-max-entry {integer}

set br-fdb-max-entry {integer}

set max-route-cache-size {integer}

set ipsec-asic-offload [enable|disable]

set ipsec-soft-dec-async [enable|disable]

set device-idle-timeout {integer}

set user-device-store-max-devices {integer}

set user-device-store-max-users {integer}

set user-device-store-max-unified-mem {integer}

set gui-device-latitude {string}

set gui-device-longitude {string}

set private-data-encryption [disable|enable]

set auto-auth-extension-device [enable|disable]

set gui-theme [jade|neutrino|...]

set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]

set gui-date-time-source [system|browser]

set igmp-state-limit {integer}

set legacy-poe-device-support [enable|disable]

set cloud-communication [enable|disable]

set ipsec-ha-seqjump-rate {integer}

set fortitoken-cloud [enable|disable]

set faz-disk-buffer-size {integer}

set irq-time-accounting [auto|force]

set management-ip {string}

set management-port {integer}

set management-port-use-admin-sport [enable|disable]

set internet-service-database [mini|standard|...]

set early-tcp-npu-session [enable|disable]

end

config system global

Parameter

Description

Type

Size

Default

language

GUI display language.

option

-

english

 

Option

Description

english

English.

french

French.

spanish

Spanish.

portuguese

Portuguese.

japanese

Japanese.

trach

Traditional Chinese.

simch

Simplified Chinese.

korean

Korean.

gui-allow-incompatible-fabric-fgt *

Enable/disable allowing a FortiGate (FGT) with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-ipv6

Enable/disable IPv6 settings on the GUI.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-replacement-message-groups

Enable/disable replacement message groups on the GUI.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-local-out

Enable/disable Local-out traffic on the GUI.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-certificates

Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.

option

-

enable **

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-custom-language

Enable/disable custom languages in GUI.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-wireless-opensecurity

Enable/disable wireless open security option on the GUI.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-app-detection-sdwan

Enable/disable allowing app-detection based SD-WAN.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-display-hostname

Enable/disable displaying the FortiGate's hostname on the GUI login page.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-fortigate-cloud-sandbox

Enable/disable displaying FortiGate Cloud Sandbox on the GUI.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-firmware-upgrade-warning

Enable/disable the firmware upgrade warning on the GUI.

option

-

enable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-allow-default-hostname

Enable/disable the factory default hostname warning on the GUI setup wizard.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-forticare-registration-setup-warning

Enable/disable the FortiCare registration setup warning on the GUI.

option

-

enable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-workflow-management

Enable/disable Workflow management features on the GUI.

option

-

disable

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-cdn-usage

Enable/disable loading GUI static files from a CDN.

option

-

disable **

 

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

admin-https-ssl-versions

Allowed TLS versions for web administration. TLS 1.1 is deprecated (RFC 8996); the default of tlsv1-2 tlsv1-3 excludes it.

option

-

tlsv1-2 tlsv1-3

 

Option

Description

tlsv1-1

TLS 1.1.

tlsv1-2

TLS 1.2.

tlsv1-3

TLS 1.3.

admin-https-ssl-ciphersuites

Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.

option

-

TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

 

Option

Description

TLS-AES-128-GCM-SHA256

Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.

TLS-AES-256-GCM-SHA384

Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.

TLS-CHACHA20-POLY1305-SHA256

Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

TLS-AES-128-CCM-SHA256

Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

TLS-AES-128-CCM-8-SHA256

Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

admin-https-ssl-banned-ciphers

Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.

option

-

 

Option

Description

RSA

Ban the use of cipher suites using RSA key.

DHE

Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDHE

Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS

Ban the use of cipher suites using DSS authentication.

ECDSA

Ban the use of cipher suites using ECDSA authentication.

AES

Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM

Ban the use of cipher suites using AES in Galois Counter Mode (GCM).

CAMELLIA

Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES

Ban the use of cipher suites using triple DES.

SHA1

Ban the use of cipher suites using HMAC-SHA1.

SHA256

Ban the use of cipher suites using HMAC-SHA256.

SHA384

Ban the use of cipher suites using HMAC-SHA384.

STATIC

Ban the use of cipher suites using static keys.

CHACHA20

Ban the use of cipher suites using ChaCha20.

ARIA

Ban the use of cipher suites using ARIA.

AESCCM

Ban the use of cipher suites using AESCCM.

admintimeout

Number of minutes before an idle administrator session times out. A shorter idle timeout is more secure.

integer

Minimum value: 1 Maximum value: 480

5

admin-console-timeout

Console login timeout that overrides the admin timeout value.

integer

Minimum value: 15 Maximum value: 300

0

admin-concurrent

Enable/disable concurrent administrator logins. Use policy-auth-concurrent for firewall authenticated users.

option

-

enable

 

Option

Description

enable

Enable admin concurrent login.

disable

Disable admin concurrent login.

admin-lockout-threshold

Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

integer

Minimum value: 1 Maximum value: 10

3

admin-lockout-duration

Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

integer

Minimum value: 1 Maximum value: 2147483647

60

refresh

Statistics refresh interval, in seconds, in the GUI.

integer

Minimum value: 0 Maximum value: 4294967295

0

interval

Dead gateway detection interval.

integer

Minimum value: 0 Maximum value: 4294967295

5

failtime

Fail-time for server lost.

integer

Minimum value: 0 Maximum value: 4294967295

5

daily-restart

Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.

option

-

disable

 

Option

Description

enable

Enable daily reboot of the FortiGate.

disable

Disable daily reboot of the FortiGate.

restart-time

Daily restart time (hh:mm).

user

Not Specified

radius-port

RADIUS service port number.

integer

Minimum value: 1 Maximum value: 65535

1812

admin-login-max

Maximum number of administrators who can be logged in at the same time.

integer

Minimum value: 1 Maximum value: 100

100

remoteauthtimeout

Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers.

integer

Minimum value: 1 Maximum value: 300

5

ldapconntimeout

Global timeout, in milliseconds, for connections with remote LDAP servers.

integer

Minimum value: 1 Maximum value: 300000

500

batch-cmdb

Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.

option

-

enable

 

Option

Description

enable

Enable batch mode to execute in CMDB server.

disable

Disable batch mode to execute in CMDB server.

multi-factor-authentication

Enforce all login methods to require an additional authentication factor.

option

-

optional

 

Option

Description

optional

Do not enforce all login methods to require an additional authentication factor (controlled by user settings).

mandatory

Enforce all login methods to require an additional authentication factor.

ssl-min-proto-version

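Minimum supported protocol version for SSL/TLS connections. SSLv3, TLSv1 and TLSv1.1 are deprecated protocols (RFC 7568, RFC 8996); lowering this setting below the default of TLSv1-2 re-enables them.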

option

-

TLSv1-2

 

Option

Description

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

TLSv1-3

TLSv1.3.

autorun-log-fsck

Enable/disable automatic log partition check after ungraceful shutdown.

option

-

disable

 

Option

Description

enable

Enable automatic log partition check after ungraceful shutdown.

disable

Disable automatic log partition check after ungraceful shutdown.

timezone

Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.

option

-

00

 

Option

Description

01

(GMT-11:00) Midway Island, Samoa

02

(GMT-10:00) Hawaii

03

(GMT-9:00) Alaska

04

(GMT-8:00) Pacific Time (US & Canada)

05

(GMT-7:00) Arizona

81

(GMT-7:00) Baja California Sur, Chihuahua

06

(GMT-7:00) Mountain Time (US & Canada)

07

(GMT-6:00) Central America

08

(GMT-6:00) Central Time (US & Canada)

09

(GMT-6:00) Mexico City

10

(GMT-6:00) Saskatchewan

11

(GMT-5:00) Bogota, Lima, Quito

12

(GMT-5:00) Eastern Time (US & Canada)

13

(GMT-5:00) Indiana (East)

74

(GMT-4:00) Caracas

14

(GMT-4:00) Atlantic Time (Canada)

77

(GMT-4:00) Georgetown

15

(GMT-4:00) La Paz

87

(GMT-4:00) Paraguay