Fortinet Document Library

CLI Reference

system global

Use this command to configure many FortiMail system-wide configurations.

Syntax

config system global
    set admin-idle-timeout <timeout_int>
    set admin-lockout-duration
    set admin-lockout-threshold
    set admin-maintainer {enable | disable}
    set default-certificate <name_str>
    set dh-params <params_int>
    set disclaimer-per-domain {enable | disable}
    set disk-monitor {enable | disable}
    set email-migration-status {enable | disable}
    set hostname <host_str>
    set hsts-max-age <days>
    set iscsi-initiator-name <name_str>
    set lcd-pin <pin_int>
    set lcd-protection {enable | disable}
    set ldap-server-sys-status {enable | disable}
    set ldap-sess-cache-state {enable | disable}
    set local-domain-name <name_str>
    set mailbox-service {enable | disable}
    set mailstat-service {enable | disable}
    set mta-adv-ctrl-status {enable | disable}
    set operation mode {gateway | server | transparent}
    set pki-certificate-req {yes | no}
    set pki-mode {enable | disable}
    set port-http <port_int>
    set port-https <port_int>
    set port-ssh <port_int>
    set port-telnet <port_int>
    set post-login-banner {admin | ibe | webmail}
    set pre-login-banner admin
    set rest-api {enable | disable}
    set ssl-versions {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
    set strong-crypto {enable | disable}
    set tftp {enable | disable}
end

Variables, descriptions and defaults

admin-idle-timeout <timeout_int>
Enter the amount of time in minutes after which an idle administrative session will be automatically logged out.
The maximum idle timeout is 480 minutes (eight hours). To improve security, do not increase the idle timeout.
Default: 5

admin-lockout-duration
Enter the lockout duration in minutes after the failed login threshold is reached.
Default: 3

admin-lockout-threshold
Enter the number of failed login attempts before being locked out.
Default: 4

admin-maintainer {enable | disable}
Enable or disable the maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is 'bcpb' followed by the unit serial number.
Note that there is a limited time to complete this login.
If you attempt to disable admin-maintainer, a message appears warning that the password recovery mechanism will be lost. Do not disable this option if you do not have a backup plan for recovery.
Default: enable

default-certificate <name_str>
Enter the name of a local certificate to use as the "default" (that is, currently chosen for use) certificate.
FortiMail units require a local server certificate that they can present when clients request secure connections.
Default: factory

dh-params <params_int>
Enter the minimum size of the Diffie-Hellman prime for SSH/HTTPS.
Default: 1024

disclaimer-per-domain {enable | disable}
Enable to allow individualized disclaimers to be configured for each protected domain.
Default: not listed

disk-monitor {enable | disable}
Enable to monitor the hard disk status of the FortiMail unit. If a problem is found, an alert email is sent to the administrator.
Default: disable

email-migration-status {enable | disable}
Enable email migration from an external server.
Default: not listed

hostname <host_str>
Enter the host name of the FortiMail unit.
Default: varies by model.

hsts-max-age <days>
Set the HTTP Strict Transport Security (HSTS) max-age in days. 0 disables HSTS.
Default: 365

iscsi-initiator-name <name_str>
Enter the FortiMail iSCSI client name used to communicate with the iSCSI server for centralized quarantine storage.
This is only used to change the name that the FortiMail unit generates automatically.
Default: not listed

lcd-pin <pin_int>
Enter the 6-digit personal identification number (PIN) that administrators must enter in order to access the FortiMail LCD panel.
The PIN is used only when lcd-protection is enabled.
Default: encoded value varies.

lcd-protection {enable | disable}
Enable to require that administrators enter a PIN in order to use the buttons on the front LCD panel. Also configure lcd-pin.
Default: disable

ldap-server-sys-status {enable | disable}
Enable or disable the LDAP server for serving organizational information.
Default: enable

ldap-sess-cache-state {enable | disable}
Enable to keep connection sessions to the LDAP server persistent. Repeatedly opening new session connections wastes network resources.
Default: enable

local-domain-name <name_str>
Enter the local domain name of the FortiMail unit.
Default: not listed

mailbox-service {enable | disable}
Note: The mailbox service feature is license based. If you do not purchase the MSSP license, this feature is not available.
Enable the mailbox service.
After you enable this service, see report mailbox for information on configuring the mailbox service.
New options also appear in the GUI under FortiView > Mail Statistics > Active Mailbox.
Default: not listed

mailstat-service {enable | disable}
Enable the mail statistics service.
After you enable this service, a new tab called Top User Statistics appears under FortiView in the GUI.
Default: disable

mta-adv-ctrl-status {enable | disable}
Enable to configure session-specific MTA settings that override the global settings configured elsewhere.
Default: enable

operation mode {gateway | server | transparent}
Enter one of the following operation modes:
gateway: The FortiMail unit acts as an email gateway or MTA, but does not host email accounts.
server: The FortiMail unit acts as a standalone email server that hosts email accounts and acts as an MTA.
transparent: The FortiMail unit acts as an email proxy.
Default: gateway

pki-certificate-req {yes | no}
If the administrator's web browser does not provide a valid personal certificate for PKI authentication, the FortiMail unit falls back to standard user name and password authentication. To require valid certificates only and disallow password fallback, enter yes. To allow password fallback, enter no.
Default: no

pki-mode {enable | disable}
Enable to allow PKI authentication for FortiMail administrators. For more information, see user pki and system admin.
Also configure pki-certificate-req {yes | no}.
Caution: Before disabling PKI authentication, select another mode of authentication for the FortiMail administrators and email users that are currently using PKI authentication. If you disable PKI authentication without first selecting another authentication method, they will no longer be able to log in.
Default: disable

port-http <port_int>
Enter the HTTP port number for administrative access on all interfaces.
Default: 80

port-https <port_int>
Enter the HTTPS port number for administrative access on all interfaces.
Default: 443

port-ssh <port_int>
Enter the SSH port number for administrative access on all interfaces.
Default: 22

port-telnet <port_int>
Enter the Telnet port number for administrative access on all interfaces.
Default: 23

post-login-banner {admin | ibe | webmail}
Enable or disable the legal disclaimer shown after login.
admin: Select to display the disclaimer message after the administrator logs into the FortiMail web UI.
webmail: Select to display the disclaimer message after the user logs into the FortiMail webmail.
ibe: Select to display the disclaimer message after the user logs into the FortiMail unit to view IBE encrypted email.
Default: admin

pre-login-banner admin
Enable or disable the legal disclaimer displayed before the administrator logs into the FortiMail web UI.
Default: admin

rest-api {enable | disable}
Enable or disable REST API support.
Default: disable

ssl-versions {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
Specify which SSL/TLS versions to support for HTTPS and SMTP access to FortiMail. Currently, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are supported.
In the 6.0.0 release, strong-crypto is enabled and TLS 1.0 is disabled by default. Because some old email clients (for example, MS Outlook 2007 and older) and MTAs only support TLS 1.0, they may have issues connecting to FortiMail. To fix the issue, disable strong-crypto and add TLS 1.0 support.
Starting from the 6.0.1 release, both strong-crypto and TLS 1.0 are enabled by default.
Starting from 6.2.0, when strong-crypto is enabled, TLS 1.0 is disabled.
When strong-crypto is enabled, SSL 3.0 is only supported in 5.4 releases, not in 6.0 and 6.2 releases.
Default:
ssl3
tls1_0, tls1_1, tls1_2
tls1_3

strong-crypto {enable | disable}
Enable to use strong encryption and only allow strong ciphers (AES) and digest (SHA1) for HTTPS/SSH admin access.
When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta) and higher.
Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported with strong encryption.
Default: enable

tftp {enable | disable}
Enable to allow use of TFTP in FIPS mode.
Default: enable
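The following added example (editor's code, not Fortinet's) parses a saved config system global block in the syntax shown above and flags the settings that weaken admin or transport security: legacy ssl-versions, strong-crypto disabled, a small dh-params value, an increased admin-idle-timeout, hsts-max-age 0, and pki-mode with password fallback. The sample block, the function names and the 2048-bit DH threshold are the editor's assumptions; the defaults it falls back on are the ones listed in this reference.

```python
import re
from typing import Dict, List

# Constructed sample "config system global" block in the CLI syntax documented above.
SAMPLE_CONFIG = """\
config system global
    set admin-idle-timeout 60
    set dh-params 1024
    set ssl-versions ssl3 tls1_0 tls1_1 tls1_2 tls1_3
    set strong-crypto disable
    set hsts-max-age 0
    set pki-mode enable
    set pki-certificate-req no
end
"""

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s*(.*?)\s*$")

def parse_system_global(text: str) -> Dict[str, List[str]]:
    """Collect {variable: [values]} from the 'set' lines inside the block."""
    settings: Dict[str, List[str]] = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config system global":
            inside = True
        elif inside and stripped == "end":
            break  # closing 'end' of the block; stop scanning
        elif inside:
            m = SET_LINE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).split()
    return settings

def audit_system_global(settings: Dict[str, List[str]]) -> List[str]:
    """Flag values that weaken admin or transport security. Limits follow the
    reference above, except the 2048-bit DH minimum, which is the editor's
    recommendation rather than a page default."""
    first = lambda key, default: settings.get(key, [default])[0]  # noqa: E731
    findings: List[str] = []
    legacy = sorted(set(settings.get("ssl-versions", [])) & {"ssl3", "tls1_0"})
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if first("strong-crypto", "enable") == "disable":
        findings.append("strong-crypto disabled: weak ciphers/digests allowed")
    if int(first("dh-params", "1024")) < 2048:
        findings.append("dh-params below 2048 bits")
    if int(first("admin-idle-timeout", "5")) > 5:
        findings.append("admin-idle-timeout raised above the 5-minute default")
    if int(first("hsts-max-age", "365")) == 0:
        findings.append("hsts-max-age 0: HSTS disabled")
    if first("pki-mode", "disable") == "enable" and first("pki-certificate-req", "no") == "no":
        findings.append("pki-mode enabled but password fallback still allowed")
    return findings
```

Run it over a `show system global` dump saved from the unit; the sample above produces six findings, and a block with only tls1_2/tls1_3, strong-crypto enabled and dh-params 2048 produces none.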

Related topics

config domain-setting
