system global
Use this command to configure system-wide settings such as language, display refresh rate and listening ports of the web UI, the time zone and host name of the FortiWeb appliance, and NTP time synchronization.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the sysgrp
area. For details, see Permissions.
Syntax
config system global
set admin-tls-v10 {enable | disable}
set admin-tls-v11 {enable | disable}
set admin-tls-v12 {enable | disable}
set admin-tls-v13 {enable | disable}
set admin-lockout-threshold <admin-lockout-threshold_int>
set admin-lockout-duration <minutes_int>
set admintimeout <minutes_int>
set adom-admin {enable | disable}
set auth-timeout <milliseconds_int>
set cli-signature {enable | disable}
set dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}
set fds-proxy {enable | disable}
set force-us-only {enable | disable}
set admin-HTTPS-pki-required {enable | disable}
set HTTPS-certificate "<certificate_name>"
set HTTPS-intermediate-certificate "<certificate_group_name>"
set ie6workaround {enable | disable}
set language {english |japanese | simch | trach}
set multi-factor-authentication {optional | mandatory}
set ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}
set ntpsync {enable | disable}
set pre-login-banner {enable | disable}
set record-cli-fail-cmd {enable | disable}
set syncinterval <minutes_int>
set timezone "<time-zone-code_str>"
set ssh-fips {enable | disable}
set cert-expire-check-time <cert-expire-check-time _int>
set ipv6-dad-ha {enable | disable}
set fortiguard-anycast {enable | disable}
set updated-debug-log {enable | disable}
set power-status {enable | disable}
set shell-access {enable | disable}
set shell-username <user_name>
end
Variable | Description | Default |
Enter the port number on which the FortiWeb appliance listens for HTTP access to the web UI. The valid range is 1–65,535. | 80
|
|
Enter the port number on which the FortiWeb appliance listens for HTTPS (SSL-secured) access to the web UI. The valid range is 1–65,535. | 443
|
|
Enable to specify TSL 1.0 clients can use to connect securely to the FortiWeb appliance. |
|
|
Enable to specify TSL 1.1 clients can use to connect securely to the FortiWeb appliance. |
|
|
Enable to specify TSL 1.2 clients can use to connect securely to the FortiWeb appliance. |
|
|
Enable to specify TSL 1.3 clients can use to connect securely to the FortiWeb appliance. |
|
|
Enter the number of invalid logon attempts before the account is locked out. The valid range is 1–10. | 3
|
|
Set the length of time the account remains locked. The valid range is 1–2147483647 seconds. | 60
|
|
Enter the amount of time (in minutes) after which an idle administrative session with the web UI or CLI will be automatically logged out. The valid range is 1–48. To improve security, do not increase the idle timeout. |
5
|
|
Enable to be able to restrict administrator accounts to specific administrative domains. See also domains "<adom_name>". Note: After you type |
disable
|
|
Enter the number of milliseconds that FortiWeb will wait for the remote authentication server to respond to its query. The valid range is 1–60,000. If administrator logins often time out, and FortiWeb is configured to query an external RADIUS or LDAP server, increasing this value may help. This setting only affects remote authentication queries for administrator accounts. To configure the query connection timeout for end-user accounts, use auth-timeout <timeout_int> instead. |
2000
|
|
Enable to be able to enter custom attack signatures via the CLI. Typically, attack signatures should be entered using the web UI, where you can verify syntax and test matching of your regular expression. If you are sure that your expression is correct, you can enable this option to enter your custom signature via the CLI. |
disable
|
|
Enter the port number the local FortiWeb uses to listen for a remote (peer) FortiWeb. Caution: The port number must be different than the port number set using server-policy custom-application application-policy. |
8333
|
|
Specifies the key length that FortiWeb presents in Diffie-Hellman exchanges. Most web browsers require a key length of at least 2048. | 2048
|
|
Enable to automatically adjust the FortiWeb appliance’s clock for daylight savings time (DST). | disable
|
|
Enable to configure FortiWeb to act as a proxy for the FDN. FortiWeb proxy will obtain FortiGuard service packages from the default list of FDN servers and distribute the packages to other FortiWeb devices. On FortiWeb proxy, port 8989 is used as the listening port for the package update requests from other FortiWeb devices, and the concurrent connection limit is 128. When FortiWeb proxy receives downloading requests from several devices at the same time, the requests will be queued and processed one by one. With this option enabled, you can configure system autoupdate overrideon other FortiWeb devices so that they can connect with this FortiWeb proxy to update FortiGuard service packages. If you want to override the default FDN servers and specify a new address for the FortiWeb proxy to obtain FortiGuard service packages, see system fds proxy. |
disable |
|
Enable so that FortiWeb will receive FortiGuard service updates from FortiGuard servers located only in the United States. |
disable |
|
Enter the host name of this FortiWeb appliance. Host names may include US-ASCII letters, numbers, hyphens, and underscores. The maximum length is 63 characters. Spaces and special characters are not allowed. The host name of the FortiWeb appliance is used in several places.
The System Information widget and the router all CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is FortiWeb1234567890, the CLI prompt would be Note: You can also configure the local domain name. For details, see system dns. |
FortiWeb
|
|
Enable to use certificate-based Web UI login. Before enabling this, please make sure the related configurations are set correctly. For details, see system admin-certificate ca, user pki-user, and user admin-usergrp. |
disable
|
|
Specifies the certificate that FortiWeb uses for the accesses to its Web UI through HTTPS. This must be one of the certificates stored locally on the FortiWeb for administration. For details, see system admin-certificate local. | defaultcert
|
|
Specifies the intermediate CA group if any. See system admin-certificate intermediate-ca-group. |
|
|
Enable to use the work around for a navigation bar freeze issue caused by using the web UI with Microsoft Internet Explorer 6. | disable
|
|
Select which language to use when displaying the web UI. The display’s web pages will use UTF-8 encoding, regardless of which language you choose. UTF-8 supports multiple languages, and allows all of them to be displayed correctly, even when multiple languages are used on the same web page. For example, your organization could have websites in both English and simplified Chinese. Your FortiWeb administrators prefer to work in the English version of the web UI. They could use the web UI in English while writing rules to match content in both English and simplified Chinese without changing this setting. Both the rules and the web UI will display correctly, as long as all rules were input using UTF-8. Usually, your text input method or your management computer’s operating system should match the display, and also use UTF-8. If they do not, you may not be able to correctly display both your input and the web UI at the same time. For example, your web browser’s or operating system’s default encoding for simplified Chinese input may be GB2312. However, you usually should switch it to be UTF-8 when using the web UI, unless you are writing regular expressions that must match HTTP client’s requests, and those requests use GB2312 encoding. For more information on language support in the web UI and CLI, see Language support & regular expressions. Note: This setting does not affect the display of the CLI. |
english
|
|
Configure to set 2FA for admin account security.
|
|
|
Enter the IP address or fully qualified domain name (FQDN) of a Network Time Protocol (NTP) server or pool, such as For details about NTP and to find the IP address of an NTP server that you can use, go to: |
pool.ntp.org
|
|
Enable to automatically update the system date and time by connecting to a NTP server. Also configure ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}, syncinterval <minutes_int> and timezone "<time-zone-code_str>". | enable
|
|
Enable to add a login disclaimer message for administrators logging in to FortiWeb. This disclaimer is a statement that a user accepts or declines. It is useful for environments such as corporations that are governed by strict usage policies for forensics and legal reasons. |
disable
|
|
Enable so that FortiWeb will generate an event log if a CLI command fails or is executed incorrectly. |
disable |
|
Enter the automatic refresh interval (in seconds) for the web UI’s System Status Monitor widget. The valid range is 0– 9,223,372,036,854,775,807. To disable automatic refreshes, type |
80
|
|
Enter how often (in minutes) the FortiWeb appliance should synchronize its time with the Network Time Protocol (NTP) server. The valid range is 1–1440. To disable time synchronization, type |
60
|
|
Specify whether FortiWeb can perform backups, restoration, firmware updates and other tasks using TFTP. | enable
|
|
Enter the two-digit code for the time zone in which the FortiWeb appliance is located. The valid range is from |
04
|
|
A setting used with Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.
When the FIPS-CC certification process is complete, a separate document will provide detailed information about this command. |
disable
|
|
Set the notification time ( the days) before the certificate expires. The valid value range is 0-365. When the value is 0, it means no certificate expiration will be checked. When the value is 100, it means notification will be sent 100 days before the certificate expires. |
|
|
Enable to perform IPv6 DAD detection on the primary appliance in Active-Passive and standard Active-Active HA groups. |
|
|
Diasble it if too many FDS disconnection logs are generated. |
|
|
If enabled, FortiWeb will be upgraded from the Anycast server. The default domain is globalupdate.fortinet.net and the corresponding USG domain name is usupdate.fortinet.net. If disabled, FortiWeb will upgraded from the original server, the default domain is update.fortiguard.net and the corresponding USG domain name is usupdate.fortiguard.net. |
|
|
Enable to show the power status. |
|
|
Enable Shell access through SSH. |
|
|
Enter the user name for Shell access. |
N/A |
|
Enter the password for Shell access. |
N/A |
|
Enter the time period after which the Shell access will be expired. The valid range is 1-1200 minutes. |
10 |
|
Specify the size of the command history file which is stored in "$HOME/.ash_history". Using The valid range is 1-4096 lines. |
1024 |
|
Specify the IPv4 addresses or range of the trust-hosts who are allowed to access FortiWeb through Shell. |
0.0.0.0/0 |
|
Specify the IPv6 addresses or range of the trust-hosts who are allowed to access FortiWeb through Shell. |
::/0 |
|
<admin_name> |
You can assign multiple ADOM to one admin user. Enter the name of the |
|
Example
This example configures time synchronization with a public NTP server pool. The FortiWeb appliance is located in the Pacific Time zone (code 04
) and will synchronize its time with the NTP server pool every 60 minutes.
config system global
set timezone 08
set ntpsync enable
set ntpserver "pool.ntp.org"
set syncinterval 30
end
For an example that includes a hostname, see system dns.