system global

Use this command to configure system-wide settings such as language, display refresh rate and listening ports of the web UI, the time zone and host name of the FortiWeb appliance, and NTP time synchronization.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system global
    set admin-port <port_int>
    set admin-sport <port_int>
    set admin-tls-v10 {enable | disable}
    set admin-tls-v11 {enable | disable}
    set admin-tls-v12 {enable | disable}
    set admin-tls-v13 {enable | disable}
    set admin-lockout-threshold <admin-lockout-threshold_int>
    set admin-lockout-duration <minutes_int>
    set admintimeout <minutes_int>
    set adom-admin {enable | disable}
    set auth-timeout <milliseconds_int>
    set cli-signature {enable | disable}
    set confsync-port <port_int>
    set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
    set dst {enable | disable}
    set fds-proxy {enable | disable}
    set force-us-only {enable | disable}
    set hostname "<host_name>"
    set admin-https-pki-required {enable | disable}
    set https-certificate "<certificate_name>"
    set ie6workaround {enable | disable}
    set language {english | japanese | simch | trach}
    set multi-factor-authentication {optional | mandatory}
    set ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}
    set ntpsync {enable | disable}
    set pre-login-banner {enable | disable}
    set record-cli-fail-cmd {enable | disable}
    set refresh <seconds_int>
    set syncinterval <minutes_int>
    set timezone "<time-zone-code_str>"
    set tftp {enable | disable}
    set ssh-fips {enable | disable}
    set cert-expire-check-time <cert-expire-check-time_int>
    set ipv6-dad-ha {enable | disable}
    set fortiguard-anycast {enable | disable}
    set updated-debug-log {enable | disable}
    set power-status {enable | disable}
end

Variable, description, and default value for each setting:

admin-port <port_int>
  Enter the port number on which the FortiWeb appliance listens for HTTP access to the web UI. The valid range is 1–65,535.
  Default: 80

admin-sport <port_int>
  Enter the port number on which the FortiWeb appliance listens for HTTPS (SSL-secured) access to the web UI. The valid range is 1–65,535.
  Default: 443

admin-tls-v10 {enable | disable}
  Enable to allow TLS 1.0 clients to connect securely to the FortiWeb appliance.
  Default: disable

admin-tls-v11 {enable | disable}
  Enable to allow TLS 1.1 clients to connect securely to the FortiWeb appliance.
  Default: disable

admin-tls-v12 {enable | disable}
  Enable to allow TLS 1.2 clients to connect securely to the FortiWeb appliance.
  Default: enable

admin-tls-v13 {enable | disable}
  Enable to allow TLS 1.3 clients to connect securely to the FortiWeb appliance.
  Default: disable

admin-lockout-threshold <admin-lockout-threshold_int>
  Enter the number of invalid logon attempts before the account is locked out. The valid range is 1–10.
  Default: 3

admin-lockout-duration <minutes_int>
  Set the length of time the account remains locked. The valid range is 1–2147483647 seconds.
  Default: 60

admintimeout <minutes_int>
  Enter the amount of time (in minutes) after which an idle administrative session with the web UI or CLI is automatically logged out. The valid range is 1–48.
  To improve security, do not increase the idle timeout.
  Default: 5

adom-admin {enable | disable}
  Enable to be able to restrict administrator accounts to specific administrative domains. See also domains "<adom_name>".
  Note: After you type end, if this setting is enabled, the CLI terminates your session and restructures the configuration to use ADOMs. Global settings remain in the global configuration scope, but objects that are configurable separately per ADOM, such as services, are moved to the root ADOM. To continue by configuring additional ADOMs, log in again, then go to Defining ADOMs.
  Default: disable

auth-timeout <milliseconds_int>
  Enter the number of milliseconds that FortiWeb waits for the remote authentication server to respond to its query. The valid range is 1–60,000.
  If administrator logins often time out, and FortiWeb is configured to query an external RADIUS or LDAP server, increasing this value may help.
  This setting only affects remote authentication queries for administrator accounts. To configure the query connection timeout for end-user accounts, use auth-timeout <timeout_int> instead.
  Default: 2000

cli-signature {enable | disable}
  Enable to be able to enter custom attack signatures via the CLI.
  Typically, attack signatures should be entered using the web UI, where you can verify the syntax and test the matching of your regular expression. If you are sure that your expression is correct, you can enable this option to enter your custom signature via the CLI.
  Default: disable

confsync-port <port_int>
  Enter the port number on which the local FortiWeb listens for a remote (peer) FortiWeb. Used when you have configured FortiWeb to synchronize its configuration. The valid range is 1–65,535.
  Caution: The port number must be different from the port number set using server-policy custom-application application-policy.
  Default: 8333

dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
  Specifies the key length that FortiWeb presents in Diffie-Hellman exchanges. Most web browsers require a key length of at least 2048.
  Default: 2048

dst {enable | disable}
  Enable to automatically adjust the FortiWeb appliance’s clock for daylight saving time (DST).
  Default: disable

fds-proxy {enable | disable}
  Enable to configure FortiWeb to act as a proxy for the FDN. The FortiWeb proxy obtains FortiGuard service packages from the default list of FDN servers and distributes the packages to other FortiWeb devices. On the FortiWeb proxy, port 8989 is used as the listening port for package update requests from other FortiWeb devices, and the concurrent connection limit is 128. When the FortiWeb proxy receives download requests from several devices at the same time, the requests are queued and processed one by one.
  With this option enabled, you can configure system autoupdate override on other FortiWeb devices so that they connect to this FortiWeb proxy to update FortiGuard service packages.
  If you want to override the default FDN servers and specify a new address from which the FortiWeb proxy obtains FortiGuard service packages, see system fds proxy.
  Default: disable

force-us-only {enable | disable}
  Enable so that FortiWeb receives FortiGuard service updates only from FortiGuard servers located in the United States.
  Default: disable

hostname "<host_name>"
  Enter the host name of this FortiWeb appliance. Host names may include US-ASCII letters, numbers, hyphens, and underscores. The maximum length is 63 characters. Spaces and special characters are not allowed.
  The host name of the FortiWeb appliance is used in several places:
    • It appears in the System Information widget on the Status tab of the web UI, and in the output of the router all CLI command.
    • It is used in the command prompt of the CLI.
    • It is used as the SNMP system name. For details about SNMP, see system snmp sysinfo.
  The System Information widget and the router all CLI command display the full host name. However, if the host name is longer than 16 characters, the CLI prompt and other places display the host name in truncated form, ending with a tilde ( ~ ) to indicate that additional characters exist but are not displayed.
  For example, if the host name is FortiWeb1234567890, the CLI prompt is FortiWeb123456789~#.
  Note: You can also configure the local domain name. For details, see system dns.
  Default: FortiWeb

admin-https-pki-required {enable | disable}
  Enable to use certificate-based web UI login.
  Before enabling this, make sure the related configurations are set correctly. For details, see system admin-certificate ca, user pki-user, and user admin-usergrp.
  Default: disable

https-certificate "<certificate_name>"
  Specifies the certificate that FortiWeb uses for HTTPS access to its web UI. This must be one of the certificates stored locally on the FortiWeb for administration. For details, see system admin-certificate local.
  Default: defaultcert

ie6workaround {enable | disable}
  Enable to use the workaround for a navigation bar freeze issue caused by using the web UI with Microsoft Internet Explorer 6.
  Default: disable

language {english | japanese | simch | trach}
  Select which language to use when displaying the web UI.
  The web UI’s pages use UTF-8 encoding, regardless of which language you choose. UTF-8 supports multiple languages and allows all of them to be displayed correctly, even when multiple languages are used on the same web page.
  For example, your organization could have websites in both English and simplified Chinese, while your FortiWeb administrators prefer to work in the English version of the web UI. They could use the web UI in English while writing rules to match content in both English and simplified Chinese, without changing this setting. Both the rules and the web UI display correctly, as long as all rules were input using UTF-8.
  Usually, your text input method or your management computer’s operating system should match the display and also use UTF-8. If they do not, you may not be able to correctly display both your input and the web UI at the same time.
  For example, your web browser’s or operating system’s default encoding for simplified Chinese input may be GB2312. However, you should usually switch it to UTF-8 when using the web UI, unless you are writing regular expressions that must match HTTP clients’ requests and those requests use GB2312 encoding.
  For more information on language support in the web UI and CLI, see Language support & regular expressions.
  Note: This setting does not affect the display of the CLI.
  Default: english

multi-factor-authentication {optional | mandatory}
  Configure two-factor authentication (2FA) for admin account security.
    • optional: only after an admin user enters the correct username and password does the Token Code window pop up to request the token code.
    • mandatory: an admin user must enter the correct username and password as well as the token code for the login to succeed.
  Default: optional

ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}
  Enter the IP address or fully qualified domain name (FQDN) of a Network Time Protocol (NTP) server or pool, such as pool.ntp.org, to query in order to synchronize the FortiWeb appliance’s clock. The maximum length is 63 characters.
  For details about NTP and to find the IP address of an NTP server that you can use, go to http://www.ntp.org/.
  Default: pool.ntp.org

ntpsync {enable | disable}
  Enable to automatically update the system date and time by connecting to an NTP server. Also configure ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}, syncinterval <minutes_int>, and timezone "<time-zone-code_str>".
  Default: enable

pre-login-banner {enable | disable}
  Enable to add a login disclaimer message for administrators logging in to FortiWeb.
  This disclaimer is a statement that a user accepts or declines. It is useful for environments, such as corporations, that are governed by strict usage policies for forensic and legal reasons.
  Default: disable

record-cli-fail-cmd {enable | disable}
  Enable so that FortiWeb generates an event log if a CLI command fails or is executed incorrectly.
  Default: disable

refresh <seconds_int>
  Enter the automatic refresh interval (in seconds) for the web UI’s System Status Monitor widget.
  The valid range is 0–9,223,372,036,854,775,807. To disable automatic refreshes, type 0.
  Default: 80

syncinterval <minutes_int>
  Enter how often (in minutes) the FortiWeb appliance synchronizes its time with the Network Time Protocol (NTP) server.
  The valid range is 1–1440. To disable time synchronization, type 0.
  Default: 60

tftp {enable | disable}
  Specify whether FortiWeb can perform backups, restoration, firmware updates, and other tasks using TFTP.
  Default: enable

timezone "<time-zone-code_str>"
  Enter the two-digit code for the time zone in which the FortiWeb appliance is located.
  The valid range is from 00 to 75. To display a list of time zone codes, their associated GMT offsets, and the major cities they contain, type set timezone ?.
  Default: 04

ssh-fips {enable | disable}
  A setting used with Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.
  When the FIPS-CC certification process is complete, a separate document will provide detailed information about this command.
  Default: disable

cert-expire-check-time <cert-expire-check-time_int>
  Set the notification time (in days) before a certificate expires. The valid range is 0–365. When the value is 0, certificate expiration is not checked. When the value is 100, a notification is sent 100 days before the certificate expires.
  Default: 0

ipv6-dad-ha {enable | disable}
  Enable to perform IPv6 duplicate address detection (DAD) on the primary appliance in Active-Passive and standard Active-Active HA groups.
  Default: disable

updated-debug-log {enable | disable}
  Disable this if too many FDS disconnection logs are generated.
  Default: enable

fortiguard-anycast {enable | disable}
  If enabled, FortiWeb is upgraded from the Anycast server. The default domain is globalupdate.fortinet.net and the corresponding USG domain name is usupdate.fortinet.net.
  If disabled, FortiWeb is upgraded from the original server. The default domain is update.fortiguard.net and the corresponding USG domain name is usupdate.fortiguard.net.
  Default: disable

power-status {enable | disable}
  Enable to show the power status.
  Default: disable

Example

This example configures time synchronization with a public NTP server pool. The FortiWeb appliance is located in the Pacific Time zone (code 04) and will synchronize its time with the NTP server pool every 60 minutes.

config system global
    set timezone 04
    set ntpsync enable
    set ntpserver "pool.ntp.org"
    set syncinterval 60
end

For an example that includes a hostname, see system dns.
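As an added example that is not part of the Fortinet reference, the following Python script parses an exported config system global block and flags the settings documented above that weaken administrative access (legacy TLS, lockout threshold, idle timeout, DH key length, TFTP, 2FA, banner, failed-command logging). The two sample blocks, the hypothetical host name, and the thresholds (lockout above 5 attempts, idle timeout above the 5-minute default) are constructed assumptions.

```python
"""Audit a FortiWeb 'config system global' block against a hardening baseline.

Added example, not Fortinet code: it parses the 'set <variable> <value>' lines
of an exported block and flags values that weaken admin access. The sample
blocks are constructed; the thresholds are assumptions based on this page."""
import re

# Constructed sample: several weak choices for web UI and CLI administration.
WEAK_CONFIG = """\
config system global
    set admin-tls-v10 enable
    set admin-tls-v11 enable
    set admin-tls-v13 disable
    set admin-lockout-threshold 10
    set admintimeout 48
    set dh-params 1024
    set tftp enable
    set multi-factor-authentication optional
end
"""

# Constructed sample: the same appliance after hardening (hypothetical host name).
HARDENED_CONFIG = """\
config system global
    set admin-tls-v10 disable
    set admin-tls-v11 disable
    set admin-tls-v12 enable
    set admin-tls-v13 enable
    set admin-lockout-threshold 3
    set admintimeout 5
    set dh-params 2048
    set tftp disable
    set multi-factor-authentication mandatory
    set pre-login-banner enable
    set record-cli-fail-cmd enable
    set hostname "waf-edge-01"
end
"""

SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')

def parse_system_global(text: str) -> dict:
    """Return {variable: value} for 'set' lines between 'config system global' and 'end'."""
    settings, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config system global":
            inside = True
        elif stripped == "end":
            inside = False
        elif inside:
            m = SET_LINE.match(line)
            if m:  # quoted values such as "<host_name>" are stored without quotes
                settings[m.group(1)] = m.group(2).strip('"')
    return settings

def audit_system_global(settings: dict) -> list:
    """Return findings for the block; unset variables take this page's defaults."""
    findings = []
    for var in ("admin-tls-v10", "admin-tls-v11"):  # legacy TLS for the web UI
        if settings.get(var, "disable") == "enable":
            findings.append(f"{var} is enabled (legacy TLS offered to admin clients)")
    if settings.get("admin-tls-v13", "disable") != "enable":
        findings.append("admin-tls-v13 is not enabled")
    if int(settings.get("admin-lockout-threshold", "3")) > 5:  # assumed ceiling
        findings.append("admin-lockout-threshold above 5 invalid attempts")
    if int(settings.get("admintimeout", "5")) > 5:  # page: do not raise the timeout
        findings.append("admintimeout raised above the 5-minute default")
    if int(settings.get("dh-params", "2048")) < 2048:
        findings.append("dh-params below 2048 bits")
    if settings.get("tftp", "enable") == "enable":  # TFTP has no auth or encryption
        findings.append("tftp is enabled for backups and firmware transfers")
    if settings.get("multi-factor-authentication", "optional") != "mandatory":
        findings.append("multi-factor-authentication is not mandatory")
    for var in ("pre-login-banner", "record-cli-fail-cmd"):
        if settings.get(var, "disable") != "enable":
            findings.append(f"{var} is disabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_system_global(parse_system_global(cfg)))
```

Because unset variables fall back to the defaults listed on this page, an empty block is also reported (TFTP and TLS 1.0/1.1 handling differ from a hardened baseline even at factory settings).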
