global
Use this command to configure global settings that affect miscellaneous FortiManager features.
Syntax
config system global
set admin-lockout-duration <integer>
set admin-lockout-threshold <integer>
set adom-mode {advanced | normal}
set adom-rev-auto-delete {by-days | by-revisions | disable}
set adom-rev-max-backup-revisions <integer>
set adom-rev-max-days <integer>
set adom-rev-max-revisions <integer>
set adom-select {enable | disable}
set adom-status {enable | disable}
set clone-name-option {default | keep}
set clt-cert-req {enable | disable}
set console-output {more | standard}
set contentpack-fgt-install {enable | disable}
set country-flag {enable | disable}
set create-revision {enable | disable}
set daylightsavetime {enable | disable}
set detect-unregistered-log-device {enable | disable}
set device-view-mode {regular | tree}
set dh-params <integer>
set disable-module {fortiview-noc}
set enc-algorithm {custom | high | medium | low}
set faz-status {enable | disable}
set fgfm-ca-cert <certificate>
set fgfm-local-cert <certificate>
set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}
set gui-curl-timeout <integer>
set gui-polling-interval <integer>
set ha-member-auto-grouping {enable | disable}
set hostname <string>
set import-ignore-addr-cmt {enable | disable}
set language {english | japanese | simch | spanish | trach}
set latitude <string>
set ldap-cache-timeout <integer>
set ldapconntimeout <integer>
set lock-preempt {enable | disable}
set log-checksum {md5 | md5-auth | none}
set log-forward-cache-size <integer>
set longitude <string>
set max-log-forward <integer>
set max-running-reports <integer>
set mc-policy-disabled-adoms <adom-name>
set multiple-steps-upgrade-in-autolink {enable | disable}
set no-copy-permission-check {enable | disable}
set normalized-intf-zone-only {enable | disable}
set object-revision-db-max <integer>
set object-revision-mandatory-note {enable | disable}
set object-revision-object-max <integer>
set object-revision-status {enable | disable}
set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}
set partial-install {enable | disable}
set partial-install-force {enable | disable}
set partial-install-rev {enable | disable}
set perform-improve-by-ha {enable | disable}
set per-policy-lock {enable | disable}
set policy-object-icon {enable | disable}
set policy-object-in-dual-pane {enable | disable}
set pre-login-banner {enable | disable}
set pre-login-banner-message <string>
set private-data-encryption {enable | disable}
set remoteauthtimeout <integer>
set search-all-adoms {enable | disable}
set ssh-enc-algo {3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com arcfour arcfour128 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com rijndael-cbc@lysator.liu.se}
set ssh-hostkey-algo {ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ssh-ed25519 ssh-rsa}
set ssh-kex-algo {curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521}
set ssh-mac-algo {hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-ripemd160 hmac-ripemd160-etm@openssh.com hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-64@openssh.com}
set ssh-strong-crypto {enable | disable}
config ssl-cipher-suites
edit <priority>
set cipher <string>
set version {tls1.2-or-below | tls1.3}
end
set ssl-low-encryption {enable | disable}
set ssl-protocol {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3}
set ssl-static-key-ciphers {enable | disable}
set swapmem {enable | disable}
set table-entry-blink {enable | disable}
set task-list-size <integer>
set timezone <integer>
set tunnel-mtu <integer>
set usg {enable | disable}
set vdom-mirror {enable | disable}
set webservice-proto {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3 | sslv2}
set workspace-mode {disabled | normal | per-adom | workflow}
end
Variable |
Description |
---|---|
admin-lockout-duration <integer> |
Set the lockout duration for FortiManager administration, in seconds (default = 60). |
admin-lockout-threshold <integer> |
Set the lockout threshold for FortiManager administration (1 - 10, default = 3). |
adom-mode {advanced | normal} |
Set the ADOM mode (default = normal). |
adom-rev-auto-delete {by-days | by-revisions | disable} |
Auto delete features for old ADOM revisions:
|
adom-rev-max-backup-revisions <integer> |
The maximum number of ADOM revisions to be included in the system configuration backup (default = 5). |
adom-rev-max-days <integer> |
The maximum number of days to keep old ADOM revisions (default = 30). |
adom-rev-max-revisions <integer> |
The maximum number of ADOM revisions to keep (default = 120). |
adom-select {enable | disable} |
Enable/disable a pop-up window that allows administrators to select an ADOM after logging in (default = enable). |
adom-status {enable | disable} |
Enable/disable administrative domains (default = disable). |
clone-name-option {default | keep} |
Set the cloned object name option:
|
clt-cert-req {enable | disable} |
Enable/disable requiring a client certificate for GUI login (default = disable). When both |
console-output {more | standard} |
Select how the output is displayed on the console (default = standard). Select |
contentpack-fgt-install {enable | disable} |
Enable/disable auto outbreak auto install for FortiGate ADOMs (default = disable). |
country-flag {enable | disable} |
Enable/disable a country flag icon beside an IP address (default = enable). |
create-revision {enable | disable} |
Enable/disable create revision by default (default = disable). |
daylightsavetime {enable | disable} |
Enable/disable daylight saving time (default = enable). If you enable daylight saving time, the FortiManager unit automatically adjusts the system time when daylight saving time begins or ends. |
detect-unregistered-log-device {enable | disable} |
Enable/disable unregistered log device detection (default = enable). |
device-view-mode {regular | tree} |
Set the devices/groups view mode (default = regular). |
dh-params <integer> |
Set the minimum size of the Diffie-Hellman prime for SSH/HTTPS, in bits (default = 2048). |
disable-module {fortiview-noc} |
Disable module list. |
enc-algorithm {custom | high | medium | low} |
Set SSL communication encryption algorithms:
|
faz-status {enable | disable} |
Enable/disable FortiAnalyzer features in FortiManager (default = disable). This command is not available on the FMG-100C. Note: With FortiManager 7.0.0, you can enable FortiAnalyzer features, or you can have FortiManager HA, but not both at the same time. |
fgfm-ca-cert <certificate> |
Set the extra FGFM CA certificates ("" = default certificate will be used). |
fgfm-local-cert <certificate> |
Set the FGFM local certificate ("" = default certificate will be used). |
fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} |
Set the lowest SSL/TLS protocol version accepted by fgfmsd (default = tlsv1.2). |
gui-curl-timeout <integer> |
Set the GUI cURL timeout, in seconds (5 - 300, default = 30). |
gui-polling-interval <integer> |
Set the GUI polling interval in seconds (1-288000, default = 5). |
ha-member-auto-grouping {enable | disable} |
Enable/disable automatically grouping HA members when the group name is unique in your network (default = enable). |
hostname <string> |
FortiManager host name. |
import-ignore-addr-cmt {enable | disable} |
Enable/disable import ignore of address comments (default = disable). |
language {english | japanese | simch | spanish | trach} |
GUI language:
|
latitude <string> |
Set the FortiManager device's latitude. |
ldap-cache-timeout <integer> |
LDAP cache timeout, in seconds (default = 86400). |
ldapconntimeout <integer> |
LDAP connection timeout, in milliseconds (default = 60000). |
lock-preempt {enable | disable} |
Enable/disable the ADOM lock override (default = disable). |
log-checksum {md5 | md5-auth | none} |
Record log file hash value, timestamp, and authentication code at transmission or rolling:
|
log-forward-cache-size <integer> |
Set the log forwarding disk cache size, in gigabytes (default = 0). |
longitude <string> |
Set the FortiManager device's longitude. |
max-log-forward <integer> |
Set the maximum log forwarding and aggregation number (5 - 20). |
max-running-reports <integer> |
Maximum running reports number (1 - 10, default = 1). |
mc-policy-disabled-adoms <adom-name> |
Set the multicast policy disabled ADOMs, separated by spaces. Only ADOMs below version 6.0 can be included. |
multiple-steps-upgrade-in-autolink {enable | disable} |
Enable/disable multiple steps upgrade in an autolink process (default = disable). |
no-copy-permission-check {enable | disable} |
Do not perform permission check to block object changes in different adom during copy and install (default = disable). When set to |
normalized-intf-zone-only {enable | disable} |
Allow the normalized interface to be zone only (default = disable). |
object-revision-db-max <integer> |
Maximum revisions for a single database (10000 - 1000000, default = 100000). |
object-revision-mandatory-note {enable | disable} |
Enable/disable mandatory note when creating a revision (default = enable). |
object-revision-object-max <integer> |
Set the maximum revisions for a single object (10 - 1000, default = 100). |
object-revision-status {enable | disable} |
Enable/disable creating revisions when modifying objects (default = enable). |
oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} |
Set the lowest SSL/TLS protocol version accepted by oftpd (default = tlsv1.2). |
partial-install {enable | disable} |
Enable/disable partial install (install only some objects) (default= disable). Use this command to enable pushing individual objects of the policy package down to all FortiGates in the Policy Package. Once enabled, in the GUI you can right-click an object and choose to install it. |
partial-install-force {enable | disable} |
Enable/disable partial install when the Dev database is modified (default= disable). This option is only available when partial-install is enabled. |
partial-install-rev {enable | disable} |
Enable/disable partial install revision (default= disable). This option is only available when partial-install is enabled. |
perform-improve-by-ha {enable | disable} |
Enable/disable performance improvement by distributing tasks to secondary HA units (default= disable). |
per-policy-lock {enable | disable} |
Enable/disable per policy lock (default= disable). This option is only available in workspace lock mode. |
policy-object-icon {enable | disable} |
Enable/disable show icons of policy objects (default= disable). |
policy-object-in-dual-pane {enable | disable} |
Enable/disable show policies and objects in dual pane (default= disable). |
pre-login-banner {enable | disable} |
Enable/disable pre-login banner (default= disable). |
pre-login-banner-message <string> |
Set the pre-login banner message. |
private-data-encryption {enable | disable} |
Enable/disable private data encryption using an AES 128-bit key (default = disable). |
remoteauthtimeout <integer> |
Remote authentication (RADIUS/LDAP) timeout, in seconds (default = 10). |
search-all-adoms {enable | disable} |
Enable/disable search all ADOMs for where-used queries (default= disable). |
ssh-enc-algo {3des-cbc aes128-cbc aes128-ctr aes128-gcm@openssh.com aes192-cbc aes192-ctr aes256-cbc aes256-ctr aes256-gcm@openssh.com arcfour arcfour128 blowfish-cbc cast128-cbc chacha20-poly1305@openssh.com rijndael-cbc@lysator.liu.se} |
Select one or more SSH ciphers.
Note that the following are only available when
Default = |
ssh-hostkey-algo {ecdsa-sha2-nistp521 rsa-sha2-256 rsa-sha2-512 ssh-ed25519 ssh-rsa} |
Select one or more SSH hostkey algorithms.
Default = |
ssh-kex-algo {curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521} |
Select one or more SSH key exchange (KEX) algorithms.
Default = |
ssh-mac-algo {hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-ripemd160 hmac-ripemd160-etm@openssh.com hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com umac-128-etm@openssh.com umac-128@openssh.com umac-64-etm@openssh.com umac-64@openssh.com} |
Select one or more SSH MAC algorithms.
Note that the following are only available when
Default = |
ssl-low-encryption {enable | disable} |
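Enable/disable SSL low-grade (40-bit) encryption (default = disable). Leave this disabled unless a legacy client strictly requires it; 40-bit ciphers can be brute-forced and provide no meaningful confidentiality. |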
ssl-protocol {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3} |
Set the SSL protocols (default = tlsv1.3 tlsv1.2). |
ssl-static-key-ciphers {enable | disable} |
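Enable/disable SSL static key ciphers (default = enable). Static key cipher suites do not provide forward secrecy, so consider disabling them if all clients support ephemeral (ECDHE/DHE) key exchange. |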
swapmem {enable | disable} |
Enable/disable virtual memory. |
table-entry-blink {enable | disable} |
Enable/disable table entry blink in GUI (default = enable). |
task-list-size <integer> |
Set the maximum number of completed tasks to keep (default = 2000). |
timezone <integer> |
The time zone for the FortiManager unit (default = Pacific Time). See Time zones |
tunnel-mtu <integer> |
Set the maximum transmission unit (MTU) (68 - 9000, default = 1500). |
usg {enable | disable} |
Enable/disable contacting only FortiGuard servers in the USA (default = enable). |
vdom-mirror {enable | disable} |
Enable/disable VDOM mirror (default = disable). Once enabled in the CLI, you can select to enable VDOM Mirror when editing a virtual domain in the GUI. When changes are made to the primary device’s VDOM database, a copy is applied to the mirror device’s VDOM database. A revision is created and then installed to the devices. VDOM mirror is intended to be used by MSSP or enterprise companies who need to provide a backup VDOM for their customers. |
webservice-proto {tlsv1.3 | tlsv1.2 | tlsv1.1 | tlsv1.0 | sslv3 | sslv2} |
Set the SSL/TLS protocols allowed for Web Service connections (default = tlsv1.3 tlsv1.2). |
workspace-mode {disabled | normal | per-adom | workflow} |
Enable/disable Workspace and Workflow (ADOM locking):
|
ssl-cipher-suites |
Configure the ssl-cipher-suites table to enforce the user specified preferred cipher order in the incoming SSL connections. Note: This command is only available if |
Variables for |
|
<priority> |
Set the order of the ciphers in the ssl-cipher-suites table. |
cipher <string> |
Enter the SSL cipher name from the list. |
version {tls1.2-or-below | tls1.3} |
Set the SSL/TLS version the cipher suite can be used with (default = tls1.2-or-below). |
Example
The following command turns on daylight saving time, sets the FortiManager unit name to FMG3k, and chooses the Eastern time zone for US & Canada.
config system global
set daylightsavetime enable
set hostname FMG3k
set timezone 12
end
Time zones
Integer |
Time zone |
Integer |
Time zone |
---|---|---|---|
00 |
(GMT-12:00) Eniwetak, Kwajalein |
40 |
(GMT+3:00) Nairobi |
01 |
(GMT-11:00) Midway Island, Samoa |
41 |
(GMT+3:30) Tehran |
02 |
(GMT-10:00) Hawaii |
42 |
(GMT+4:00) Abu Dhabi, Muscat |
03 |
(GMT-9:00) Alaska |
43 |
(GMT+4:00) Baku |
04 |
(GMT-8:00) Pacific Time (US & Canada) |
44 |
(GMT+4:30) Kabul |
05 |
(GMT-7:00) Arizona |
45 |
(GMT+5:00) Ekaterinburg |
06 |
(GMT-7:00) Mountain Time (US & Canada) |
46 |
(GMT+5:00) Islamabad, Karachi, Tashkent |
07 |
(GMT-6:00) Central America |
47 |
(GMT+5:30) Calcutta, Chennai, Mumbai, New Delhi |
08 |
(GMT-6:00) Central Time (US & Canada) |
48 |
(GMT+5:45) Kathmandu |
09 |
(GMT-6:00) Mexico City |
49 |
(GMT+6:00) Almaty, Novosibirsk |
10 |
(GMT-6:00) Saskatchewan |
50 |
(GMT+6:00) Astana, Dhaka |
11 |
(GMT-5:00) Bogota, Lima, Quito |
51 |
(GMT+6:00) Sri Jayawardenapura |
12 |
(GMT-5:00) Eastern Time (US & Canada) |
52 |
(GMT+6:30) Rangoon |
13 |
(GMT-5:00) Indiana (East) |
53 |
(GMT+7:00) Bangkok, Hanoi, Jakarta |
14 |
(GMT-4:00) Atlantic Time (Canada) |
54 |
(GMT+7:00) Krasnoyarsk |
15 |
(GMT-4:00) La Paz |
55 |
(GMT+8:00) Beijing, ChongQing, HongKong, Urumqi |
16 |
(GMT-4:00) Santiago |
56 |
(GMT+8:00) Irkutsk, Ulaanbaatar |
17 |
(GMT-3:30) Newfoundland |
57 |
(GMT+8:00) Kuala Lumpur, Singapore |
18 |
(GMT-3:00) Brasilia |
58 |
(GMT+8:00) Perth |
19 |
(GMT-3:00) Buenos Aires, Georgetown |
59 |
(GMT+8:00) Taipei |
20 |
(GMT-3:00) Nuuk (Greenland) |
60 |
(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul |
21 |
(GMT-2:00) Mid-Atlantic |
61 |
(GMT+9:00) Yakutsk |
22 |
(GMT-1:00) Azores |
62 |
(GMT+9:30) Adelaide |
23 |
(GMT-1:00) Cape Verde Is |
63 |
(GMT+9:30) Darwin |
24 |
(GMT) Casablanca, Monrovia |
64 |
(GMT+10:00) Brisbane |
25 |
(GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London |
65 |
(GMT+10:00) Canberra, Melbourne, Sydney |
26 |
(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna |
66 |
(GMT+10:00) Guam, Port Moresby |
27 |
(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague |
67 |
(GMT+10:00) Hobart |
28 |
(GMT+1:00) Brussels, Copenhagen, Madrid, Paris |
68 |
(GMT+10:00) Vladivostok |
29 |
(GMT+1:00) Sarajevo, Skopje, Sofija, Vilnius, Warsaw, Zagreb |
69 |
(GMT+11:00) Magadan |
30 |
(GMT+1:00) West Central Africa |
70 |
(GMT+11:00) Solomon Is., New Caledonia |
31 |
(GMT+2:00) Athens, Istanbul, Minsk |
71 |
(GMT+12:00) Auckland, Wellington |
32 |
(GMT+2:00) Bucharest |
72 |
(GMT+12:00) Fiji, Kamchatka, Marshall Is |
33 |
(GMT+2:00) Cairo |
73 |
(GMT+13:00) Nuku'alofa |
34 |
(GMT+2:00) Harare, Pretoria |
74 |
(GMT-4:30) Caracas |
35 |
(GMT+2:00) Helsinki, Riga, Tallinn |
75 |
(GMT+1:00) Namibia |
36 |
(GMT+2:00) Jerusalem |
76 |
(GMT-5:00) Brazil-Acre |
37 |
(GMT+3:00) Baghdad |
77 |
(GMT-4:00) Brazil-West |
38 |
(GMT+3:00) Kuwait, Riyadh |
78 |
(GMT-3:00) Brazil-East |
39 |
(GMT+3:00) Moscow, St.Petersburg, Volgograd |
79 |
(GMT-2:00) Brazil-DeNoronha |