admin-port <port_int>

admin-sport <port_int>

admin-tls-v10 {enable | disable}

Enable to specify TSL 1.0 clients can use to connect securely to the FortiWeb appliance.

admin-tls-v11 {enable | disable}

Enable to specify TSL 1.1 clients can use to connect securely to the FortiWeb appliance.

admin-tls-v12 {enable | disable}

Enable to specify TSL 1.2 clients can use to connect securely to the FortiWeb appliance.

admin-tls-v13 {enable | disable}

Enable to specify TSL 1.3 clients can use to connect securely to the FortiWeb appliance.

admin-lockout-threshold <admin-lockout-threshold_int>

admin-lockout-duration <minutes_int>

admintimeout <minutes_int>

Enter the amount of time (in minutes) after which an idle administrative session with the web UI or CLI will be automatically logged out. The valid range is 1–480.

To improve security, do not increase the idle timeout.

adom-admin {enable | disable}

Enable to be able to restrict administrator accounts to specific administrative domains. See also domains <adom_name> in config system admin.

Note: After you type end, if this setting is enabled, the CLI will terminate your session and restructure the configuration to use ADOMs. Global settings will remain in the global configuration scope, but objects that are configurable separately per ADOM such as services are moved to the root ADOM. To continue by configuring additional ADOMs, log in again, then go to Defining ADOMs.

auth-timeout <milliseconds_int>

Enter the number of milliseconds that FortiWeb will wait for the remote authentication server to respond to its query. The valid range is 1–60,000.

If administrator logins often time out, and FortiWeb is configured to query an external RADIUS or LDAP server, increasing this value may help.

This setting only affects remote authentication queries for administrator accounts. To configure the query connection timeout for end-user accounts, use auth-timeout <timeout_int> instead.

cli-signature {enable | disable}

Enable to be able to enter custom attack signatures via the CLI.

Typically, attack signatures should be entered using the web UI, where you can verify syntax and test matching of your regular expression. If you are sure that your expression is correct, you can enable this option to enter your custom signature via the CLI.

confsync-port <port_int>

Enter the port number the local FortiWeb uses to listen for a remote (peer) FortiWeb.

Used when you have configured FortiWeb to synchronize its configuration. The valid range is 1–65,535.

Caution: The port number must be different than the port number set using server-policy custom-application application-policy.

debug-monitor-interval <int>

It controls the frequency in minutes for collecting debug information.

The valid range is 1 - 65535.

debug-memory-boundary <int>

The configuration sets the memory usage threshold (boundary) for collecting debug information. If memory usage exceeds the defined boundary and the top 10 processes include proxyd or ml_daemon, then the system will enable jemalloc debugging to generate jeprof.out files.

The valid range is 1 - 100 (%).

dh-params {1024 | 1536 | 2048 | 3072 | 4096 | 6144 | 8192}

dst {enable | disable}

fds-proxy {enable | disable}

Enable to configure FortiWeb to act as a proxy for the FDN. FortiWeb proxy will obtain FortiGuard service packages from the default list of FDN servers and distribute the packages to other FortiWeb devices. On FortiWeb proxy, port 8989 is used as the listening port for the package update requests from other FortiWeb devices, and the concurrent connection limit is 128. When FortiWeb proxy receives downloading requests from several devices at the same time, the requests will be queued and processed one by one.

With this option enabled, you can configure system autoupdate overrideon other FortiWeb devices so that they can connect with this FortiWeb proxy to update FortiGuard service packages.

If you want to override the default FDN servers and specify a new address for the FortiWeb proxy to obtain FortiGuard service packages, see system fds proxy.

force-us-only {enable | disable}

Enable so that FortiWeb will receive FortiGuard service updates from FortiGuard servers located only in the United States.

hostname "<host_name>"

Enter the host name of this FortiWeb appliance. Host names may include US-ASCII letters, numbers, hyphens, and underscores. The maximum length is 63 characters. Spaces and special characters are not allowed.

The host name of the FortiWeb appliance is used in several places.

• It appears in the System Information widget on the Status tab of the web UI, and in the router all CLI command.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For details about SNMP, see system snmp sysinfo.

The System Information widget and the router all CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed.

For example, if the host name is FortiWeb1234567890, the CLI prompt would be FortiWeb123456789~#.

Note: You can also configure the local domain name. For details, see system dns.

admin-HTTPS-pki-required {enable | disable}

Enable to use certificate-based Web UI login.

Before enabling this, please make sure the related configurations are set correctly. For details, see system admin-certificate ca, user pki-user, and user admin-usergrp.

HTTPS-certificate "<certificate_name>"

HTTPS-intermediate-certificate "<certificate_group_name>"

Specifies the intermediate CA group if any. See system admin-certificate intermediate-ca-group.

ie6workaround {enable | disable}

language {english |japanese | simch | trach}

Select which language to use when displaying the web UI.

The display’s web pages will use UTF-8 encoding, regardless of which language you choose. UTF-8 supports multiple languages, and allows all of them to be displayed correctly, even when multiple languages are used on the same web page.

For example, your organization could have websites in both English and simplified Chinese. Your FortiWeb administrators prefer to work in the English version of the web UI. They could use the web UI in English while writing rules to match content in both English and simplified Chinese without changing this setting. Both the rules and the web UI will display correctly, as long as all rules were input using UTF-8.

Usually, your text input method or your management computer’s operating system should match the display, and also use UTF-8. If they do not, you may not be able to correctly display both your input and the web UI at the same time.

For example, your web browser’s or operating system’s default encoding for simplified Chinese input may be GB2312. However, you usually should switch it to be UTF-8 when using the web UI, unless you are writing regular expressions that must match HTTP client’s requests, and those requests use GB2312 encoding.

For more information on language support in the web UI and CLI, see Language support & regular expressions.

Note: This setting does not affect the display of the CLI.

multi-factor-authentication {optional | mandatory}

Configure to set 2FA for admin account security.

• optional: only when an admin user enters correct username and password, the Token Code window pops up to require the token code for account security.
• mandatory: only when an admin user enters correct username and password as well as the token code, the authentication can succeed for login.

ntpserver {"<ntp_fqdn>" | "<ntp_ipv4>"}

Enter the IP address or fully qualified domain name (FQDN) of a Network Time Protocol (NTP) server or pool, such as pool.ntp.org, to query in order to synchronize the FortiWeb appliance’s clock. The maximum length is 63 characters.

For details about NTP and to find the IP address of an NTP server that you can use, go to:

http://www.ntp.org/

ntpsync {enable | disable}

pre-login-banner {enable | disable}

record-cli-fail-cmd {enable | disable}

Enable so that FortiWeb will generate an event log if a CLI command fails or is executed incorrectly.

refresh <seconds_int>

Enter the automatic refresh interval (in seconds) for the web UI’s System Status Monitor widget.

The valid range is 0– 9,223,372,036,854,775,807. To disable automatic refreshes, type 0.

syncinterval <minutes_int>

Enter how often (in minutes) the FortiWeb appliance should synchronize its time with the Network Time Protocol (NTP) server.

The valid range is 1–1440. To disable time synchronization, type 0.

tftp {enable | disable}

timezone "<time-zone-code_str>"

Enter the two-digit code for the time zone in which the FortiWeb appliance is located.

The valid range is from 00 to 75. To display a list of time zone codes, their associated the GMT time zone offset, and contained major cities, type set timezone ?.

ssh-fips {enable | disable}

cert-expire-check-time <cert-expire-check-time _int>

Set the notification time ( the days) before the certificate expires. The valid value range is 0-365. When the value is 0, it means no certificate expiration will be checked. When the value is 100, it means notification will be sent 100 days before the certificate expires.

ipv6-dad-ha {enable | disable}

Enable to perform IPv6 DAD detection on the primary appliance in Active-Passive and standard Active-Active HA groups.

updated-debug-log {enable | disable}

Diasble it if too many FDS disconnection logs are generated.

fortiguard-anycast {enable | disable}

If enabled, FortiWeb will be upgraded from the Anycast server. The default domain is globalupdate.fortinet.net and the corresponding USG domain name is usupdate.fortinet.net.

If disabled, FortiWeb will upgraded from the original server, the default domain is update.fortiguard.net and the corresponding USG domain name is usupdate.fortiguard.net.

power-status {enable | disable}

Enable to show the power status.

shell-access {enable | disable}

Enable Shell access through SSH.

shell-username <user_name>

Enter the user name for Shell access.

shell-password <password>

Enter the password for Shell access.

shell-timeout <int>

Enter the time period after which the Shell access will be expired.

The valid range is 1-1200 minutes.

shell-history-size

Specify the size of the command history file which is stored in "$HOME/.ash_history".

Using diag cli commmand to view the history of the commands executed in Shell.

The valid range is 1-4096 lines.

shell-trusthostv4

Specify the IPv4 addresses or range of the trust-hosts who are allowed to access FortiWeb through Shell.

shell-trusthostv6

Specify the IPv6 addresses or range of the trust-hosts who are allowed to access FortiWeb through Shell.

admin-forticloud-sso-login {enable | disable}

Enable this option to allow accounts created in FortiCloud Account Services to access FortiWeb.

Once enabled, the following option will show on the FortiWeb Login page.

The permission of these accounts in FortiWeb will be consistent with the ones in FortiCloud Account Services, either Read-Only or Read-Write for all the areas of configurations.

advanced-bot-protection {enable | disable}

Enable the bot detection service provided by FortiGuard Advanced Bot Protection. For more information on this service, see fortiabp.forticloud.com.

For the whole process of the FortiGuard ABP integration configuration, refer to "Configuring Advanced Bot Protection policy" in FortiWeb Administration Guide.

advanced-bot-protection-portal-domain <fortiabp.forticloud.com>

Enter the address of FortiGuard Advanced Bot Protection. This is a fixed address, which should be set as us.mtls.fortiabp.forticloud.com.