config system global
Description: Configure global attributes.
set language [english|french|...]
set gui-ipv6 [enable|disable]
set gui-certificates [enable|disable]
set gui-custom-language [enable|disable]
set gui-wireless-opensecurity [enable|disable]
set gui-display-hostname [enable|disable]
set gui-fortisandbox-cloud [enable|disable]
set gui-lines-per-page {integer}
set admin-https-ssl-versions {option1}, {option2}, ...
set admintimeout {integer}
set admin-console-timeout {integer}
set ssd-trim-freq [never|hourly|...]
set ssd-trim-hour {integer}
set ssd-trim-min {integer}
set ssd-trim-weekday [sunday|monday|...]
set ssd-trim-date {integer}
set admin-concurrent [enable|disable]
set admin-lockout-threshold {integer}
set admin-lockout-duration {integer}
set refresh {integer}
set interval {integer}
set failtime {integer}
set daily-restart [enable|disable]
set restart-time {user}
set radius-port {integer}
set admin-login-max {integer}
set remoteauthtimeout {integer}
set ldapconntimeout {integer}
set batch-cmdb [enable|disable]
set max-dlpstat-memory {integer}
set multi-factor-authentication [optional|mandatory]
set ssl-min-proto-version [SSLv3|TLSv1|...]
set autorun-log-fsck [enable|disable]
set dst [enable|disable]
set timezone [01|02|...]
set traffic-priority [tos|dscp]
set traffic-priority-level [low|medium|...]
set anti-replay [disable|loose|...]
set send-pmtu-icmp [enable|disable]
set honor-df [enable|disable]
set revision-image-auto-backup [enable|disable]
set revision-backup-on-logout [enable|disable]
set management-vdom {string}
set hostname {string}
set gui-allow-default-hostname [enable|disable]
set alias {string}
set strong-crypto [enable|disable]
set ssh-cbc-cipher [enable|disable]
set ssh-hmac-md5 [enable|disable]
set ssh-kex-sha1 [enable|disable]
set ssh-mac-weak [enable|disable]
set ssl-static-key-ciphers [enable|disable]
set snat-route-change [enable|disable]
set cli-audit-log [enable|disable]
set dh-params [1024|1536|...]
set fds-statistics [enable|disable]
set fds-statistics-period {integer}
set tcp-option [enable|disable]
set lldp-transmission [enable|disable]
set lldp-reception [enable|disable]
set proxy-auth-timeout {integer}
set proxy-re-authentication-mode [session|traffic|...]
set proxy-auth-lifetime [enable|disable]
set proxy-auth-lifetime-timeout {integer}
set sys-perf-log-interval {integer}
set check-protocol-header [loose|strict]
set vip-arp-range [unlimited|restricted]
set reset-sessionless-tcp [enable|disable]
set allow-traffic-redirect [enable|disable]
set strict-dirty-session-check [enable|disable]
set tcp-halfclose-timer {integer}
set tcp-halfopen-timer {integer}
set tcp-timewait-timer {integer}
set udp-idle-timer {integer}
set block-session-timer {integer}
set ip-src-port-range {user}
set pre-login-banner [enable|disable]
set post-login-banner [disable|enable]
set tftp [enable|disable]
set av-failopen [pass|off|...]
set av-failopen-session [enable|disable]
set memory-use-threshold-extreme {integer}
set memory-use-threshold-red {integer}
set memory-use-threshold-green {integer}
set cpu-use-threshold {integer}
set check-reset-range [strict|disable]
set vdom-mode [no-vdom|split-vdom|...]
set long-vdom-name [enable|disable]
set admin-port {integer}
set admin-sport {integer}
set admin-https-redirect [enable|disable]
set admin-hsts-max-age {integer}
set admin-ssh-password [enable|disable]
set admin-restrict-local [enable|disable]
set admin-ssh-port {integer}
set admin-ssh-grace-time {integer}
set admin-ssh-v1 [enable|disable]
set admin-telnet [enable|disable]
set admin-telnet-port {integer}
set default-service-source-port {user}
set admin-maintainer [enable|disable]
set admin-server-cert {string}
set user-server-cert {string}
set admin-https-pki-required [enable|disable]
set wifi-certificate {string}
set wifi-ca-certificate {string}
set auth-http-port {integer}
set auth-https-port {integer}
set auth-keepalive [enable|disable]
set policy-auth-concurrent {integer}
set auth-session-limit [block-new|logout-inactive]
set auth-cert {string}
set clt-cert-req [enable|disable]
set fortiservice-port {integer}
set cfg-save [automatic|manual|...]
set cfg-revert-timeout {integer}
set reboot-upon-config-restore [enable|disable]
set admin-scp [enable|disable]
set security-rating-result-submission [enable|disable]
set security-rating-run-on-schedule [enable|disable]
set wireless-controller [enable|disable]
set wireless-controller-port {integer}
set fortiextender-data-port {integer}
set fortiextender [disable|enable]
set fortiextender-vlan-mode [enable|disable]
set switch-controller [disable|enable]
set switch-controller-reserved-network {ipv4-classnet}
set dnsproxy-worker-count {integer}
set url-filter-count {integer}
set proxy-worker-count {integer}
set scanunit-count {integer}
set proxy-kxp-hardware-acceleration [disable|enable]
set proxy-cipher-hardware-acceleration [disable|enable]
set fgd-alert-subscription {option1}, {option2}, ...
set ipsec-hmac-offload [enable|disable]
set ipv6-accept-dad {integer}
set ipv6-allow-anycast-probe [enable|disable]
set csr-ca-attribute [enable|disable]
set wimax-4g-usb [enable|disable]
set cert-chain-max {integer}
set sslvpn-max-worker-count {integer}
set sslvpn-kxp-hardware-acceleration [enable|disable]
set sslvpn-cipher-hardware-acceleration [enable|disable]
set sslvpn-plugin-version-check [enable|disable]
set two-factor-ftk-expiry {integer}
set two-factor-email-expiry {integer}
set two-factor-sms-expiry {integer}
set two-factor-fac-expiry {integer}
set two-factor-ftm-expiry {integer}
set per-user-bwl [enable|disable]
set wad-worker-count {integer}
set wad-csvc-cs-count {integer}
set wad-csvc-db-count {integer}
set wad-source-affinity [disable|enable]
set wad-memory-change-granularity {integer}
set login-timestamp [enable|disable]
set miglogd-children {integer}
set special-file-23-support [disable|enable]
set log-uuid-policy [enable|disable]
set log-uuid-address [enable|disable]
set log-ssl-connection [enable|disable]
set arp-max-entry {integer}
set av-affinity {string}
set wad-affinity {string}
set ips-affinity {string}
set miglog-affinity {string}
set url-filter-affinity {string}
set ndp-max-entry {integer}
set br-fdb-max-entry {integer}
set max-route-cache-size {integer}
set ipsec-asic-offload [enable|disable]
set ipsec-soft-dec-async [enable|disable]
set device-idle-timeout {integer}
set device-identification-active-scan-delay {integer}
set gui-device-latitude {string}
set gui-device-longitude {string}
set private-data-encryption [disable|enable]
set auto-auth-extension-device [enable|disable]
set gui-theme [green|neutrino|...]
set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]
set gui-date-time-source [system|browser]
set igmp-state-limit {integer}
set cloud-communication [enable|disable]
set fec-port {integer}
set fortitoken-cloud [enable|disable]
end
Parameter Name | Description | Type | Size |
---|---|---|---|
language | GUI display language. english: English. french: French. spanish: Spanish. portuguese: Portuguese. japanese: Japanese. trach: Traditional Chinese. simch: Simplified Chinese. korean: Korean. |
option | - |
gui-ipv6 | Enable/disable IPv6 settings on the GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-certificates | Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-custom-language | Enable/disable custom languages in GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-wireless-opensecurity | Enable/disable wireless open security option on the GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-display-hostname | Enable/disable displaying the FortiGate's hostname on the GUI login page. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-fortisandbox-cloud | Enable/disable displaying FortiSandbox Cloud on the GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-lines-per-page | Number of lines to display per page for web administration. | integer | Minimum value: 20 Maximum value: 1000 |
admin-https-ssl-versions | Allowed TLS versions for web administration. tlsv1-1: TLS 1.1. tlsv1-2: TLS 1.2. tlsv1-3: TLS 1.3. |
option | - |
admintimeout | Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure. | integer | Minimum value: 1 Maximum value: 480 |
admin-console-timeout | Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout. | integer | Minimum value: 15 Maximum value: 300 |
ssd-trim-freq | How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. never: Never Run SSD Trim. hourly: Run SSD Trim Hourly. daily: Run SSD Trim Daily. weekly: Run SSD Trim Weekly. monthly: Run SSD Trim Monthly. |
option | - |
ssd-trim-hour | Hour of the day on which to run SSD Trim (0 - 23, default = 1). | integer | Minimum value: 0 Maximum value: 23 |
ssd-trim-min | Minute of the hour on which to run SSD Trim (0 - 59, 60 for random). | integer | Minimum value: 0 Maximum value: 60 |
ssd-trim-weekday | Day of week to run SSD Trim. sunday: Sunday. monday: Monday. tuesday: Tuesday. wednesday: Wednesday. thursday: Thursday. friday: Friday. saturday: Saturday. |
option | - |
ssd-trim-date | Date within a month to run SSD Trim. | integer | Minimum value: 1 Maximum value: 31 |
admin-concurrent | Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) enable: Enable admin concurrent login. disable: Disable admin concurrent login. |
option | - |
admin-lockout-threshold | Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration. | integer | Minimum value: 1 Maximum value: 10 |
admin-lockout-duration | Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts. | integer | Minimum value: 1 Maximum value: 2147483647 |
refresh | Statistics refresh interval in GUI. | integer | Minimum value: 0 Maximum value: 4294967295 |
interval | Dead gateway detection interval. | integer | Minimum value: 0 Maximum value: 4294967295 |
failtime | Fail-time for server lost. | integer | Minimum value: 0 Maximum value: 4294967295 |
daily-restart | Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. enable: Enable daily reboot of the FortiGate. disable: Disable daily reboot of the FortiGate. |
option | - |
restart-time | Daily restart time (hh:mm). | user | Not Specified |
radius-port | RADIUS service port number. | integer | Minimum value: 1 Maximum value: 65535 |
admin-login-max | Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100) | integer | Minimum value: 1 Maximum value: 100 |
remoteauthtimeout | Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout). | integer | Minimum value: 1 Maximum value: 300 |
ldapconntimeout | Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500). | integer | Minimum value: 1 Maximum value: 300000 |
batch-cmdb | Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. enable: Enable batch mode to execute in CMDB server. disable: Disable batch mode to execute in CMDB server. |
option | - |
max-dlpstat-memory | Maximum DLP stat memory (0 - 4294967295). | integer | Not Specified |
multi-factor-authentication | Enforce all login methods to require an additional authentication factor (default = optional). optional: Do not enforce all login methods to require an additional authentication factor (controlled by user settings). mandatory: Enforce all login methods to require an additional authentication factor. |
option | - |
ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2). SSLv3: SSLv3. TLSv1: TLSv1. TLSv1-1: TLSv1.1. TLSv1-2: TLSv1.2. TLSv1-3: TLSv1.3. |
option | - |
autorun-log-fsck | Enable/disable automatic log partition check after ungraceful shutdown. enable: Enable automatic log partition check after ungraceful shutdown. disable: Disable automatic log partition check after ungraceful shutdown. |
option | - |
dst | Enable/disable daylight saving time. enable: Enable daylight saving time. disable: Disable daylight saving time. |
option | - |
timezone | |||
traffic-priority | Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. tos: IP TOS. dscp: DSCP (DiffServ) DS. |
option | - |
traffic-priority-level | Default system-wide level of priority for traffic prioritization. low: Low priority. medium: Medium priority. high: High priority. |
option | - |
anti-replay | Level of checking for packet replay and TCP sequence checking. disable: Disable anti-replay check. loose: Loose anti-replay check. strict: Strict anti-replay check. |
option | - |
send-pmtu-icmp | Enable/disable sending of path maximum transmission unit (PMTU) ICMP destination unreachable packets, which supports the PMTUD protocol on your network and reduces fragmentation of packets. enable: Enable sending of PMTU ICMP destination unreachable packet. disable: Disable sending of PMTU ICMP destination unreachable packet. |
option | - |
honor-df | Enable/disable honoring of Don't-Fragment (DF) flag. enable: Enable honoring of Don't-Fragment flag. disable: Disable honoring of Don't-Fragment flag. |
option | - |
revision-image-auto-backup | Enable/disable back-up of the latest configuration revision after the firmware is upgraded. enable: Enable revision image backup automatically when upgrading image. disable: Disable revision image backup automatically when upgrading image. |
option | - |
revision-backup-on-logout | Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. enable: Enable revision config backup automatically when logout. disable: Disable revision config backup automatically when logout. |
option | - |
management-vdom | Management virtual domain name. | string | Maximum length: 31 |
hostname | FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters. | string | Maximum length: 35 |
gui-allow-default-hostname | Enable/disable the GUI warning about using a default hostname. enable: Stop the warning in the GUI. disable: Show the warning in the GUI. |
option | - |
alias | Alias for your FortiGate unit. | string | Maximum length: 35 |
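strong-crypto | Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA1 are now widely regarded as legacy algorithms, so confirm the cipher suites actually negotiated on your firmware version rather than relying on this setting alone. enable: Enable strong crypto for HTTPS/SSH/TLS/SSL. disable: Disable strong crypto for HTTPS/SSH/TLS/SSL. |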
option | - |
ssh-cbc-cipher | Enable/disable CBC cipher for SSH access. enable: Enable CBC cipher for SSH access. disable: Disable CBC cipher for SSH access. |
option | - |
ssh-hmac-md5 | Enable/disable HMAC-MD5 for SSH access. enable: Enable HMAC-MD5 for SSH access. disable: Disable HMAC-MD5 for SSH access. |
option | - |
ssh-kex-sha1 | Enable/disable SHA1 key exchange for SSH access. enable: Enable SHA1 for SSH key exchanges. disable: Disable SHA1 for SSH key exchanges. |
option | - |
ssh-mac-weak | Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. enable: Enable HMAC-SHA1 and UMAC-64-ETM for SSH access. disable: Disable HMAC-SHA1 and UMAC-64-ETM for SSH access. |
option | - |
ssl-static-key-ciphers | Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). enable: Enable static key ciphers in SSL/TLS connections. disable: Disable static key ciphers in SSL/TLS connections. |
option | - |
snat-route-change | Enable/disable the ability to change the static NAT route. enable: Enable SNAT route change. disable: Disable SNAT route change. |
option | - |
cli-audit-log | Enable/disable CLI audit log. enable: Enable CLI audit log. disable: Disable CLI audit log. |
option | - |
dh-params | Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. 1024: 1024 bits. 1536: 1536 bits. 2048: 2048 bits. 3072: 3072 bits. 4096: 4096 bits. 6144: 6144 bits. 8192: 8192 bits. |
option | - |
fds-statistics | Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. enable: Enable FortiGuard statistics. disable: Disable FortiGuard statistics. |
option | - |
fds-statistics-period | FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60). | integer | Minimum value: 1 Maximum value: 1440 |
tcp-option | Enable SACK, timestamp and MSS TCP options. enable: Enable TCP option. disable: Disable TCP option. |
option | - |
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission. enable: Enable transmission of Link Layer Discovery Protocol (LLDP). disable: Disable transmission of Link Layer Discovery Protocol (LLDP). |
option | - |
lldp-reception | Enable/disable Link Layer Discovery Protocol (LLDP) reception. enable: Enable reception of Link Layer Discovery Protocol (LLDP). disable: Disable reception of Link Layer Discovery Protocol (LLDP). |
option | - |
proxy-auth-timeout | Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10). | integer | Minimum value: 1 Maximum value: 300 |
proxy-re-authentication-mode | Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. session: Proxy re-authentication timeout begins at the closure of the session. traffic: Proxy re-authentication timeout begins after traffic has not been received. absolute: Proxy re-authentication timeout begins when the user was first created. |
option | - |
proxy-auth-lifetime | Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. enable: Enable authenticated users lifetime control. disable: Disable authenticated users lifetime control. |
option | - |
proxy-auth-lifetime-timeout | Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)). | integer | Minimum value: 5 Maximum value: 65535 |
sys-perf-log-interval | Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled). | integer | Minimum value: 0 Maximum value: 15 |
check-protocol-header | Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. loose: Check protocol header loosely. strict: Check protocol header strictly. |
option | - |
vip-arp-range | Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. unlimited: Send ARPs for all addresses in VIP range. restricted: Send ARPs for the first 8192 addresses in VIP range. |
option | - |
reset-sessionless-tcp | Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. enable: Enable reset session-less TCP. disable: Disable reset session-less TCP. |
option | - |
allow-traffic-redirect | Disable to allow traffic to be routed back on a different interface. enable: Enable allow traffic redirect. disable: Disable allow traffic redirect. |
option | - |
strict-dirty-session-check | Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. enable: Enable strict dirty-session check. disable: Disable strict dirty-session check. |
option | - |
tcp-halfclose-timer | Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120). | integer | Minimum value: 1 Maximum value: 86400 |
tcp-halfopen-timer | Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10). | integer | Minimum value: 1 Maximum value: 86400 |
tcp-timewait-timer | Length of the TCP TIME-WAIT state in seconds. | integer | Minimum value: 0 Maximum value: 300 |
udp-idle-timer | UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60). | integer | Minimum value: 1 Maximum value: 86400 |
block-session-timer | Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30). | integer | Minimum value: 1 Maximum value: 300 |
ip-src-port-range | IP source port range used for traffic originating from the FortiGate unit. | user | Not Specified |
pre-login-banner | Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. enable: Enable pre-login banner. disable: Disable pre-login banner. |
option | - |
post-login-banner | Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. disable: Disable post-login banner. enable: Enable post-login banner. |
option | - |
tftp | Enable/disable TFTP. enable: Enable TFTP. disable: Disable TFTP. |
option | - |
av-failopen | Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. pass: Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved. off: Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions. one-shot: Bypass the antivirus system when memory is low. |
option | - |
av-failopen-session | When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. enable: Enable AV fail open session option. disable: Disable AV fail open session option. |
option | - |
memory-use-threshold-extreme | Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95). | integer | Minimum value: 70 Maximum value: 97 |
memory-use-threshold-red | Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88). | integer | Minimum value: 70 Maximum value: 97 |
memory-use-threshold-green | Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82). | integer | Minimum value: 70 Maximum value: 97 |
cpu-use-threshold | Threshold at which CPU usage is reported. (% of total CPU, default = 90). | integer | Minimum value: 50 Maximum value: 99 |
check-reset-range | Configure ICMP error message verification. You can either apply strict RST range checking or disable it. strict: Check RST range strictly. disable: Disable RST range check. |
option | - |
vdom-mode | Enable/disable support for split/multiple virtual domains (VDOMs). no-vdom: Disable split/multiple VDOMs mode. split-vdom: Enable split VDOMs mode. multi-vdom: Enable multiple VDOMs mode. |
option | - |
long-vdom-name | Enable/disable long VDOM name support. enable: Enable long VDOM name support. disable: Disable long VDOM name support. |
option | - |
admin-port | Administrative access port for HTTP. (1 - 65535, default = 80). | integer | Minimum value: 1 Maximum value: 65535 |
admin-sport | Administrative access port for HTTPS. (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
admin-https-redirect | Enable/disable redirection of HTTP administration access to HTTPS. enable: Enable redirecting HTTP administration access to HTTPS. disable: Disable redirecting HTTP administration access to HTTPS. |
option | - |
admin-hsts-max-age | HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0. | integer | Minimum value: 0 Maximum value: 2147483647 |
admin-ssh-password | Enable/disable password authentication for SSH admin access. enable: Enable password authentication for SSH admin access. disable: Disable password authentication for SSH admin access. |
option | - |
admin-restrict-local | Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) enable: Enable local admin authentication restriction. disable: Disable local admin authentication restriction. |
option | - |
admin-ssh-port | Administrative access port for SSH. (1 - 65535, default = 22). | integer | Minimum value: 1 Maximum value: 65535 |
admin-ssh-grace-time | Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120). | integer | Minimum value: 10 Maximum value: 3600 |
admin-ssh-v1 | Enable/disable SSH v1 compatibility. enable: Enable SSH v1 compatibility. disable: Disable SSH v1 compatibility. |
option | - |
admin-telnet | Enable/disable TELNET service. enable: Enable TELNET service. disable: Disable TELNET service. |
option | - |
admin-telnet-port | Administrative access port for TELNET. (1 - 65535, default = 23). | integer | Minimum value: 1 Maximum value: 65535 |
default-service-source-port | Default service source port range. (default=1-65535) | user | Not Specified |
admin-maintainer | Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number, anyone with physical console access can use it; disable this option where physical access to the unit is not tightly controlled. enable: Enable login for special user (maintainer). disable: Disable login for special user (maintainer). |
option | - |
admin-server-cert | Server certificate that the FortiGate uses for HTTPS administrative connections. | string | Maximum length: 35 |
user-server-cert | Certificate to use for https user authentication. | string | Maximum length: 35 |
admin-https-pki-required | Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. enable: Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access. disable: Admin users can login by providing a valid certificate or password. |
option | - |
wifi-certificate | Certificate to use for WiFi authentication. | string | Maximum length: 35 |
wifi-ca-certificate | CA certificate that verifies the WiFi certificate. | string | Maximum length: 79 |
auth-http-port | User authentication HTTP port. (1 - 65535, default = 80). | integer | Minimum value: 1 Maximum value: 65535 |
auth-https-port | User authentication HTTPS port. (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
auth-keepalive | Enable to prevent user authentication sessions from timing out when idle. enable: Enable use of keep alive to extend authentication. disable: Disable use of keep alive to extend authentication. |
option | - |
policy-auth-concurrent | Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit). | integer | Minimum value: 0 Maximum value: 100 |
auth-session-limit | Action to take when the number of allowed user authenticated sessions is reached. block-new: Block new user authentication attempts. logout-inactive: Logout the most inactive user authenticated sessions. |
option | - |
auth-cert | Server certificate that the FortiGate uses for HTTPS firewall authentication connections. | string | Maximum length: 35 |
clt-cert-req | Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. enable: Enable require client certificate for GUI login. disable: Disable require client certificate for GUI login. |
option | - |
fortiservice-port | FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port. | integer | Minimum value: 1 Maximum value: 65535 |
cfg-save | Configuration file save mode for CLI changes. automatic: Automatically save config. manual: Manually save config. revert: Manually save config and revert the config when timeout. |
option | - |
cfg-revert-timeout | Time-out for reverting to the last saved configuration. | integer | Minimum value: 10 Maximum value: 4294967295 |
reboot-upon-config-restore | Enable/disable reboot of system upon restoring configuration. enable: Enable reboot of system upon restoring configuration. disable: Disable reboot of system upon restoring configuration. |
option | - |
admin-scp | Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. enable: Enable allow system configuration download by SCP. disable: Disable allow system configuration download by SCP. |
option | - |
security-rating-result-submission | Enable/disable the submission of Security Rating results to FortiGuard. enable: Enable submission of Security Rating results to FortiGuard. disable: Disable submission of Security Rating results to FortiGuard. |
option | - |
security-rating-run-on-schedule | Enable/disable scheduled runs of Security Rating. enable: Enable scheduled runs of Security Rating. disable: Disable scheduled runs of Security Rating. |
option | - |
wireless-controller | Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. enable: Enable wireless controller. disable: Disable wireless controller. |
option | - |
wireless-controller-port | Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246). | integer | Minimum value: 1024 Maximum value: 49150 |
fortiextender-data-port | FortiExtender data port (1024 - 49150, default = 25246). | integer | Minimum value: 1024 Maximum value: 49150 |
fortiextender | Enable/disable FortiExtender. disable: Disable FortiExtender controller. enable: Enable FortiExtender controller. |
option | - |
fortiextender-vlan-mode | Enable/disable FortiExtender VLAN mode. enable: Enable FortiExtender VLAN mode. disable: Disable FortiExtender VLAN mode. |
option | - |
switch-controller | Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. disable: Disable switch controller feature. enable: Enable switch controller feature. |
option | - |
switch-controller-reserved-network | Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled. | ipv4-classnet | Not Specified |
dnsproxy-worker-count | DNS proxy worker count. | integer | Minimum value: 1 Maximum value: 40 |
url-filter-count | URL filter daemon count. | integer | Minimum value: 1 Maximum value: 4 |
proxy-worker-count | Proxy worker count. | integer | Minimum value: 1 Maximum value: 40 |
scanunit-count | Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. | integer | Minimum value: 2 Maximum value: 40 |
proxy-kxp-hardware-acceleration | Enable/disable using the content processor to accelerate KXP traffic. disable: Disable using the content processor to accelerate KXP traffic. enable: Enable using the content processor to accelerate KXP traffic. |
option | - |
proxy-cipher-hardware-acceleration | Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. disable: Disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. enable: Enable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. |
option | - |
fgd-alert-subscription | Type of alert to retrieve from FortiGuard. advisory: Retrieve FortiGuard advisories, report and news alerts. latest-threat: Retrieve latest FortiGuard threats alerts. latest-virus: Retrieve latest FortiGuard virus alerts. latest-attack: Retrieve latest FortiGuard attack alerts. new-antivirus-db: Retrieve FortiGuard AV database release alerts. new-attack-db: Retrieve FortiGuard IPS database release alerts. |
option | - |
ipsec-hmac-offload | Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. enable: Enable offload IPsec HMAC processing to hardware if possible. disable: Disable offload IPsec HMAC processing to hardware. |
option | - |
ipv6-accept-dad | Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD). | integer | Minimum value: 0 Maximum value: 2 |
ipv6-allow-anycast-probe | Enable/disable IPv6 address probe through Anycast. enable: Enable probing of IPv6 address space through Anycast. disable: Disable probing of IPv6 address space through Anycast. |
option | - |
csr-ca-attribute | Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. enable: Enable CA attribute in CSR. disable: Disable CA attribute in CSR. |
option | - |
wimax-4g-usb | Enable/disable compatibility with WiMAX 4G USB devices. enable: Enable WiMax 4G. disable: Disable WiMax 4G. |
option | - |
cert-chain-max | Maximum number of certificates that can be traversed in a certificate chain. | integer | Minimum value: 1 Maximum value: 2147483647 |
sslvpn-max-worker-count | Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model. | integer | Minimum value: 0 Maximum value: 40 |
sslvpn-kxp-hardware-acceleration | Enable/disable SSL VPN KXP hardware acceleration. enable: Enable KXP SSL-VPN hardware acceleration. disable: Disable KXP SSL-VPN hardware acceleration. |
option | - |
sslvpn-cipher-hardware-acceleration | Enable/disable SSL VPN hardware acceleration. enable: Enable SSL-VPN cipher hardware acceleration. disable: Disable SSL-VPN cipher hardware acceleration. |
option | - |
sslvpn-plugin-version-check | Enable/disable checking browser's plugin version by SSL VPN. enable: Enable SSL-VPN automatic checking of browser plug-in version. disable: Disable SSL-VPN automatic checking of browser plug-in version. |
option | - |
two-factor-ftk-expiry | FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60). | integer | Minimum value: 60 Maximum value: 600 |
two-factor-email-expiry | Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60). | integer | Minimum value: 30 Maximum value: 300 |
two-factor-sms-expiry | SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60). | integer | Minimum value: 30 Maximum value: 300 |
two-factor-fac-expiry | FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60). | integer | Minimum value: 10 Maximum value: 3600 |
two-factor-ftm-expiry | FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72). | integer | Minimum value: 1 Maximum value: 168 |
per-user-bwl | Enable/disable per-user black/white list filter. enable: Enable per-user black/white list filter. disable: Disable per-user black/white list filter. |
option | - |
wad-worker-count | Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit. | integer | Minimum value: 0 Maximum value: 40 |
wad-csvc-cs-count | Number of concurrent WAD-cache-service object-cache processes. | integer | Minimum value: 1 Maximum value: 1 |
wad-csvc-db-count | Number of concurrent WAD-cache-service byte-cache processes. | integer | Minimum value: 0 Maximum value: 40 |
wad-source-affinity | Enable/disable dispatching traffic to WAD workers based on source affinity. disable: Disable dispatching traffic to WAD workers based on source affinity. enable: Enable dispatching traffic to WAD workers based on source affinity. |
option | - |
wad-memory-change-granularity | Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection. | integer | Minimum value: 5 Maximum value: 25 |
login-timestamp | Enable/disable login time recording. enable: Enable login time recording. disable: Disable login time recording. |
option | - |
miglogd-children | Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed. | integer | Minimum value: 0 Maximum value: 15 |
special-file-23-support | Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. disable: Disable using IPS detection of HIBUN format files when using Data Leak Protection. enable: Enable using IPS detection of HIBUN format files when using Data Leak Protection. |
option | - |
log-uuid-policy | Enable/disable insertion of policy UUIDs to traffic logs. enable: Enable insertion of policy UUID to traffic logs. disable: Disable insertion of policy UUID to traffic logs. |
option | - |
log-uuid-address | Enable/disable insertion of address UUIDs to traffic logs. enable: Enable insertion of address UUID to traffic logs. disable: Disable insertion of address UUID to traffic logs. |
option | - |
log-ssl-connection | Enable/disable logging of SSL connection events. enable: Enable logging of SSL connection events. disable: Disable logging of SSL connection events. |
option | - |
arp-max-entry | Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072). | integer | Minimum value: 131072 Maximum value: 2147483647 |
av-affinity | Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). | string | Maximum length: 79 |
wad-affinity | Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). | string | Maximum length: 79 |
ips-affinity | Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). | string | Maximum length: 79 |
miglog-affinity | Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). | string | Maximum length: 19 |
url-filter-affinity | URL filter CPU affinity. | string | Maximum length: 79 |
ndp-max-entry | Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). | integer | Minimum value: 65536 Maximum value: 2147483647 |
br-fdb-max-entry | Maximum number of bridge forwarding database (FDB) entries. | integer | Minimum value: 8192 Maximum value: 2147483647 |
max-route-cache-size | Maximum number of IP route cache entries (0 - 2147483647). | integer | Minimum value: 0 Maximum value: 2147483647 |
ipsec-asic-offload | Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. enable: Enable ASIC offload for IPsec VPN. disable: Disable ASIC offload for IPsec VPN. |
option | - |
ipsec-soft-dec-async | Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. enable: Enable software decryption asynchronization for IPsec VPN. disable: Disable software decryption asynchronization for IPsec VPN. |
option | - |
device-idle-timeout | Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300). | integer | Minimum value: 30 Maximum value: 31536000 |
device-identification-active-scan-delay | Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90). | integer | Minimum value: 20 Maximum value: 3600 |
gui-device-latitude | Add the latitude of the location of this FortiGate to position it on the Threat Map. | string | Maximum length: 19 |
gui-device-longitude | Add the longitude of the location of this FortiGate to position it on the Threat Map. | string | Maximum length: 19 |
private-data-encryption | Enable/disable private data encryption using an AES 128-bit key. disable: Disable private data encryption using an AES 128-bit key. enable: Enable private data encryption using an AES 128-bit key. |
option | - |
auto-auth-extension-device | Enable/disable automatic authorization of dedicated Fortinet extension devices. enable: Enable automatic authorization of dedicated Fortinet extension device globally. disable: Disable automatic authorization of dedicated Fortinet extension device globally. |
option | - |
gui-theme | Color scheme for the administration GUI. green: Green theme. neutrino: Neutrino theme. blue: Light blue theme. melongene: Melongene theme (eggplant color). mariner: Mariner theme (dark blue color). |
option | - |
gui-date-format | Default date format used throughout GUI. yyyy/MM/dd: Year/Month/Day. dd/MM/yyyy: Day/Month/Year. MM/dd/yyyy: Month/Day/Year. yyyy-MM-dd: Year-Month-Day. dd-MM-yyyy: Day-Month-Year. MM-dd-yyyy: Month-Day-Year. |
option | - |
gui-date-time-source | Source that the FortiGate GUI uses to display date and time entries. system: Use this FortiGate unit's configured timezone. browser: Use the web browser's timezone. |
option | - |
igmp-state-limit | Maximum number of IGMP memberships (96 - 64000, default = 3200). | integer | Minimum value: 96 Maximum value: 128000 |
cloud-communication | Enable/disable all cloud communication. enable: Allow cloud communication. disable: Disable all cloud communication. Note: When set to disable, cloud-related settings (for example, config system autoupdate tunneling status) will be disabled. When a user issues the command to change one of these settings, it will fail with a message that says cloud communication is disabled in 'system.global'. |
option | - |
fec-port | Local UDP port for Forward Error Correction (49152 - 65535). | integer | Minimum value: 49152 Maximum value: 65535 |
fortitoken-cloud | Enable/disable FortiToken Cloud service. enable: Enable FortiToken Cloud service. disable: Disable FortiToken Cloud service. |
option | - |
config system global
Description: Configure global attributes.
set language [english|french|...]
set gui-ipv6 [enable|disable]
set gui-certificates [enable|disable]
set gui-custom-language [enable|disable]
set gui-wireless-opensecurity [enable|disable]
set gui-display-hostname [enable|disable]
set gui-fortisandbox-cloud [enable|disable]
set gui-lines-per-page {integer}
set admin-https-ssl-versions {option1}, {option2}, ...
set admintimeout {integer}
set admin-console-timeout {integer}
set ssd-trim-freq [never|hourly|...]
set ssd-trim-hour {integer}
set ssd-trim-min {integer}
set ssd-trim-weekday [sunday|monday|...]
set ssd-trim-date {integer}
set admin-concurrent [enable|disable]
set admin-lockout-threshold {integer}
set admin-lockout-duration {integer}
set refresh {integer}
set interval {integer}
set failtime {integer}
set daily-restart [enable|disable]
set restart-time {user}
set radius-port {integer}
set admin-login-max {integer}
set remoteauthtimeout {integer}
set ldapconntimeout {integer}
set batch-cmdb [enable|disable]
set max-dlpstat-memory {integer}
set multi-factor-authentication [optional|mandatory]
set ssl-min-proto-version [SSLv3|TLSv1|...]
set autorun-log-fsck [enable|disable]
set dst [enable|disable]
set timezone [01|02|...]
set traffic-priority [tos|dscp]
set traffic-priority-level [low|medium|...]
set anti-replay [disable|loose|...]
set send-pmtu-icmp [enable|disable]
set honor-df [enable|disable]
set revision-image-auto-backup [enable|disable]
set revision-backup-on-logout [enable|disable]
set management-vdom {string}
set hostname {string}
set gui-allow-default-hostname [enable|disable]
set alias {string}
set strong-crypto [enable|disable]
set ssh-cbc-cipher [enable|disable]
set ssh-hmac-md5 [enable|disable]
set ssh-kex-sha1 [enable|disable]
set ssh-mac-weak [enable|disable]
set ssl-static-key-ciphers [enable|disable]
set snat-route-change [enable|disable]
set cli-audit-log [enable|disable]
set dh-params [1024|1536|...]
set fds-statistics [enable|disable]
set fds-statistics-period {integer}
set tcp-option [enable|disable]
set lldp-transmission [enable|disable]
set lldp-reception [enable|disable]
set proxy-auth-timeout {integer}
set proxy-re-authentication-mode [session|traffic|...]
set proxy-auth-lifetime [enable|disable]
set proxy-auth-lifetime-timeout {integer}
set sys-perf-log-interval {integer}
set check-protocol-header [loose|strict]
set vip-arp-range [unlimited|restricted]
set reset-sessionless-tcp [enable|disable]
set allow-traffic-redirect [enable|disable]
set strict-dirty-session-check [enable|disable]
set tcp-halfclose-timer {integer}
set tcp-halfopen-timer {integer}
set tcp-timewait-timer {integer}
set udp-idle-timer {integer}
set block-session-timer {integer}
set ip-src-port-range {user}
set pre-login-banner [enable|disable]
set post-login-banner [disable|enable]
set tftp [enable|disable]
set av-failopen [pass|off|...]
set av-failopen-session [enable|disable]
set memory-use-threshold-extreme {integer}
set memory-use-threshold-red {integer}
set memory-use-threshold-green {integer}
set cpu-use-threshold {integer}
set check-reset-range [strict|disable]
set vdom-mode [no-vdom|split-vdom|...]
set long-vdom-name [enable|disable]
set admin-port {integer}
set admin-sport {integer}
set admin-https-redirect [enable|disable]
set admin-hsts-max-age {integer}
set admin-ssh-password [enable|disable]
set admin-restrict-local [enable|disable]
set admin-ssh-port {integer}
set admin-ssh-grace-time {integer}
set admin-ssh-v1 [enable|disable]
set admin-telnet [enable|disable]
set admin-telnet-port {integer}
set default-service-source-port {user}
set admin-maintainer [enable|disable]
set admin-server-cert {string}
set user-server-cert {string}
set admin-https-pki-required [enable|disable]
set wifi-certificate {string}
set wifi-ca-certificate {string}
set auth-http-port {integer}
set auth-https-port {integer}
set auth-keepalive [enable|disable]
set policy-auth-concurrent {integer}
set auth-session-limit [block-new|logout-inactive]
set auth-cert {string}
set clt-cert-req [enable|disable]
set fortiservice-port {integer}
set cfg-save [automatic|manual|...]
set cfg-revert-timeout {integer}
set reboot-upon-config-restore [enable|disable]
set admin-scp [enable|disable]
set security-rating-result-submission [enable|disable]
set security-rating-run-on-schedule [enable|disable]
set wireless-controller [enable|disable]
set wireless-controller-port {integer}
set fortiextender-data-port {integer}
set fortiextender [disable|enable]
set fortiextender-vlan-mode [enable|disable]
set switch-controller [disable|enable]
set switch-controller-reserved-network {ipv4-classnet}
set dnsproxy-worker-count {integer}
set url-filter-count {integer}
set proxy-worker-count {integer}
set scanunit-count {integer}
set proxy-kxp-hardware-acceleration [disable|enable]
set proxy-cipher-hardware-acceleration [disable|enable]
set fgd-alert-subscription {option1}, {option2}, ...
set ipsec-hmac-offload [enable|disable]
set ipv6-accept-dad {integer}
set ipv6-allow-anycast-probe [enable|disable]
set csr-ca-attribute [enable|disable]
set wimax-4g-usb [enable|disable]
set cert-chain-max {integer}
set sslvpn-max-worker-count {integer}
set sslvpn-kxp-hardware-acceleration [enable|disable]
set sslvpn-cipher-hardware-acceleration [enable|disable]
set sslvpn-plugin-version-check [enable|disable]
set two-factor-ftk-expiry {integer}
set two-factor-email-expiry {integer}
set two-factor-sms-expiry {integer}
set two-factor-fac-expiry {integer}
set two-factor-ftm-expiry {integer}
set per-user-bwl [enable|disable]
set wad-worker-count {integer}
set wad-csvc-cs-count {integer}
set wad-csvc-db-count {integer}
set wad-source-affinity [disable|enable]
set wad-memory-change-granularity {integer}
set login-timestamp [enable|disable]
set miglogd-children {integer}
set special-file-23-support [disable|enable]
set log-uuid-policy [enable|disable]
set log-uuid-address [enable|disable]
set log-ssl-connection [enable|disable]
set arp-max-entry {integer}
set av-affinity {string}
set wad-affinity {string}
set ips-affinity {string}
set miglog-affinity {string}
set url-filter-affinity {string}
set ndp-max-entry {integer}
set br-fdb-max-entry {integer}
set max-route-cache-size {integer}
set ipsec-asic-offload [enable|disable]
set ipsec-soft-dec-async [enable|disable]
set device-idle-timeout {integer}
set device-identification-active-scan-delay {integer}
set gui-device-latitude {string}
set gui-device-longitude {string}
set private-data-encryption [disable|enable]
set auto-auth-extension-device [enable|disable]
set gui-theme [green|neutrino|...]
set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]
set gui-date-time-source [system|browser]
set igmp-state-limit {integer}
set cloud-communication [enable|disable]
set fec-port {integer}
set fortitoken-cloud [enable|disable]
end
Parameter Name | Description | Type | Size |
---|---|---|---|
language | GUI display language. english: English. french: French. spanish: Spanish. portuguese: Portuguese. japanese: Japanese. trach: Traditional Chinese. simch: Simplified Chinese. korean: Korean. |
option | - |
gui-ipv6 | Enable/disable IPv6 settings on the GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-certificates | Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-custom-language | Enable/disable custom languages in GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-wireless-opensecurity | Enable/disable wireless open security option on the GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-display-hostname | Enable/disable displaying the FortiGate's hostname on the GUI login page. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-fortisandbox-cloud | Enable/disable displaying FortiSandbox Cloud on the GUI. enable: Display the feature in GUI. disable: Do not display the feature in GUI. |
option | - |
gui-lines-per-page | Number of lines to display per page for web administration. | integer | Minimum value: 20 Maximum value: 1000 |
admin-https-ssl-versions | Allowed TLS versions for web administration. tlsv1-1: TLS 1.1. tlsv1-2: TLS 1.2. tlsv1-3: TLS 1.3. |
option | - |
admintimeout | Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure. | integer | Minimum value: 1 Maximum value: 480 |
admin-console-timeout | Console login timeout that overrides the admintimeout value (15 - 300 seconds, that is, 15 seconds to 5 minutes). 0, the default, disables this timeout. | integer | Minimum value: 15 Maximum value: 300 |
ssd-trim-freq | How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. never: Never Run SSD Trim. hourly: Run SSD Trim Hourly. daily: Run SSD Trim Daily. weekly: Run SSD Trim Weekly. monthly: Run SSD Trim Monthly. |
option | - |
ssd-trim-hour | Hour of the day on which to run SSD Trim (0 - 23, default = 1). | integer | Minimum value: 0 Maximum value: 23 |
ssd-trim-min | Minute of the hour on which to run SSD Trim (0 - 59, 60 for random). | integer | Minimum value: 0 Maximum value: 60 |
ssd-trim-weekday | Day of week to run SSD Trim. sunday: Sunday monday: Monday tuesday: Tuesday wednesday: Wednesday thursday: Thursday friday: Friday saturday: Saturday |
option | - |
ssd-trim-date | Date within a month to run ssd trim. | integer | Minimum value: 1 Maximum value: 31 |
admin-concurrent | Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) enable: Enable admin concurrent login. disable: Disable admin concurrent login. |
option | - |
admin-lockout-threshold | Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration. | integer | Minimum value: 1 Maximum value: 10 |
admin-lockout-duration | Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts. | integer | Minimum value: 1 Maximum value: 2147483647 |
refresh | Statistics refresh interval in GUI. | integer | Minimum value: 0 Maximum value: 4294967295 |
interval | Dead gateway detection interval. | integer | Minimum value: 0 Maximum value: 4294967295 |
failtime | Fail-time for server lost. | integer | Minimum value: 0 Maximum value: 4294967295 |
daily-restart | Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. enable: Enable daily reboot of the FortiGate. disable: Disable daily reboot of the FortiGate. |
option | - |
restart-time | Daily restart time (hh:mm). | user | Not Specified |
radius-port | RADIUS service port number. | integer | Minimum value: 1 Maximum value: 65535 |
admin-login-max | Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100) | integer | Minimum value: 1 Maximum value: 100 |
remoteauthtimeout | Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout). | integer | Minimum value: 1 Maximum value: 300 |
ldapconntimeout | Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500). | integer | Minimum value: 1 Maximum value: 300000 |
batch-cmdb | Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. enable: Enable batch mode to execute in CMDB server. disable: Disable batch mode to execute in CMDB server. |
option | - |
max-dlpstat-memory | Maximum DLP stat memory (0 - 4294967295). | integer | Not Specified |
multi-factor-authentication | Enforce all login methods to require an additional authentication factor (default = optional). optional: Do not enforce all login methods to require an additional authentication factor (controlled by user settings). mandatory: Enforce all login methods to require an additional authentication factor. |
option | - |
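ssl-min-proto-version | Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2). SSLv3: SSLv3. TLSv1: TLSv1. TLSv1-1: TLSv1.1. TLSv1-2: TLSv1.2. TLSv1-3: TLSv1.3. Note: SSLv3, TLSv1 and TLSv1.1 are deprecated protocol versions (RFC 7568, RFC 8996); selecting one of them lowers the floor below the TLSv1.2 default, so use them only where a legacy peer requires it. |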
option | - |
autorun-log-fsck | Enable/disable automatic log partition check after ungraceful shutdown. enable: Enable automatic log partition check after ungraceful shutdown. disable: Disable automatic log partition check after ungraceful shutdown. |
option | - |
dst | Enable/disable daylight saving time. enable: Enable daylight saving time. disable: Disable daylight saving time. |
option | - |
timezone | |||
traffic-priority | Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. tos: IP TOS. dscp: DSCP (DiffServ) DS. |
option | - |
traffic-priority-level | Default system-wide level of priority for traffic prioritization. low: Low priority. medium: Medium priority. high: High priority. |
option | - |
anti-replay | Level of checking for packet replay and TCP sequence checking. disable: Disable anti-replay check. loose: Loose anti-replay check. strict: Strict anti-replay check. |
option | - |
send-pmtu-icmp | Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. enable: Enable sending of PMTU ICMP destination unreachable packet. disable: Disable sending of PMTU ICMP destination unreachable packet. |
option | - |
honor-df | Enable/disable honoring of Don't-Fragment (DF) flag. enable: Enable honoring of Don't-Fragment flag. disable: Disable honoring of Don't-Fragment flag. |
option | - |
revision-image-auto-backup | Enable/disable back-up of the latest configuration revision after the firmware is upgraded. enable: Enable revision image backup automatically when upgrading image. disable: Disable revision image backup automatically when upgrading image. |
option | - |
revision-backup-on-logout | Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. enable: Enable revision config backup automatically when logout. disable: Disable revision config backup automatically when logout. |
option | - |
management-vdom | Management virtual domain name. | string | Maximum length: 31 |
hostname | FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters. | string | Maximum length: 35 |
gui-allow-default-hostname | Enable/disable the GUI warning about using a default hostname. enable: Stop the warning in the GUI. disable: Show the warning in the GUI. |
option | - |
alias | Alias for your FortiGate unit. | string | Maximum length: 35 |
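strong-crypto | Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. enable: Enable strong crypto for HTTPS/SSH/TLS/SSL. disable: Disable strong crypto for HTTPS/SSH/TLS/SSL. Note: the algorithms listed here include 3DES and SHA1, which current guidance treats as legacy; the ssl-min-proto-version, ssl-static-key-ciphers, dh-params, ssh-cbc-cipher, ssh-hmac-md5, ssh-kex-sha1 and ssh-mac-weak settings control further legacy algorithms and should be reviewed alongside this one. |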
option | - |
ssh-cbc-cipher | Enable/disable CBC cipher for SSH access. enable: Enable CBC cipher for SSH access. disable: Disable CBC cipher for SSH access. |
option | - |
ssh-hmac-md5 | Enable/disable HMAC-MD5 for SSH access. enable: Enable HMAC-MD5 for SSH access. disable: Disable HMAC-MD5 for SSH access. |
option | - |
ssh-kex-sha1 | Enable/disable SHA1 key exchange for SSH access. enable: Enable SHA1 for SSH key exchanges. disable: Disable SHA1 for SSH key exchanges. |
option | - |
ssh-mac-weak | Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. enable: Enable HMAC-SHA1 and UMAC-64-ETM for SSH access. disable: Disable HMAC-SHA1 and UMAC-64-ETM for SSH access. |
option | - |
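ssl-static-key-ciphers | Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). enable: Enable static key ciphers in SSL/TLS connections. disable: Disable static key ciphers in SSL/TLS connections. Note: static key (RSA key-exchange) cipher suites do not provide forward secrecy, so traffic recorded earlier can be decrypted if the server's private key is later exposed. |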
option | - |
snat-route-change | Enable/disable the ability to change the static NAT route. enable: Enable SNAT route change. disable: Disable SNAT route change. |
option | - |
cli-audit-log | Enable/disable CLI audit log. enable: Enable CLI audit log. disable: Disable CLI audit log. |
option | - |
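dh-params | Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. 1024: 1024 bits. 1536: 1536 bits. 2048: 2048 bits. 3072: 3072 bits. 4096: 4096 bits. 6144: 6144 bits. 8192: 8192 bits. Note: the 1024- and 1536-bit values fall below the 2048-bit minimum in current guidance (for example NIST SP 800-57); larger values increase key-exchange CPU cost. |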
option | - |
fds-statistics | Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. enable: Enable FortiGuard statistics. disable: Disable FortiGuard statistics. |
option | - |
fds-statistics-period | FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60). | integer | Minimum value: 1 Maximum value: 1440 |
tcp-option | Enable SACK, timestamp and MSS TCP options. enable: Enable TCP option. disable: Disable TCP option. |
option | - |
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission. enable: Enable transmission of Link Layer Discovery Protocol (LLDP). disable: Disable transmission of Link Layer Discovery Protocol (LLDP). |
option | - |
lldp-reception | Enable/disable Link Layer Discovery Protocol (LLDP) reception. enable: Enable reception of Link Layer Discovery Protocol (LLDP). disable: Disable reception of Link Layer Discovery Protocol (LLDP). |
option | - |
proxy-auth-timeout | Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10). | integer | Minimum value: 1 Maximum value: 300 |
proxy-re-authentication-mode | Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. session: Proxy re-authentication timeout begins at the closure of the session. traffic: Proxy re-authentication timeout begins after traffic has not been received. absolute: Proxy re-authentication timeout begins when the user was first created. |
option | - |
proxy-auth-lifetime | Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. enable: Enable authenticated users lifetime control. disable: Disable authenticated users lifetime control. |
option | - |
proxy-auth-lifetime-timeout | Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)). | integer | Minimum value: 5 Maximum value: 65535 |
sys-perf-log-interval | Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled). | integer | Minimum value: 0 Maximum value: 15 |
check-protocol-header | Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. loose: Check protocol header loosely. strict: Check protocol header strictly. |
option | - |
vip-arp-range | Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. unlimited: Send ARPs for all addresses in VIP range. restricted: Send ARPs for the first 8192 addresses in VIP range. |
option | - |
reset-sessionless-tcp | Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. enable: Enable reset session-less TCP. disable: Disable reset session-less TCP. |
option | - |
allow-traffic-redirect | Disable to allow traffic to be routed back on a different interface. enable: Enable allow traffic redirect. disable: Disable allow traffic redirect. |
option | - |
strict-dirty-session-check | Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. enable: Enable strict dirty-session check. disable: Disable strict dirty-session check. |
option | - |
tcp-halfclose-timer | Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120). | integer | Minimum value: 1 Maximum value: 86400 |
tcp-halfopen-timer | Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10). | integer | Minimum value: 1 Maximum value: 86400 |
tcp-timewait-timer | Length of the TCP TIME-WAIT state in seconds. | integer | Minimum value: 0 Maximum value: 300 |
udp-idle-timer | UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60). | integer | Minimum value: 1 Maximum value: 86400 |
block-session-timer | Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30). | integer | Minimum value: 1 Maximum value: 300 |
ip-src-port-range | IP source port range used for traffic originating from the FortiGate unit. | user | Not Specified |
pre-login-banner | Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. enable: Enable pre-login banner. disable: Disable pre-login banner. |
option | - |
post-login-banner | Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. disable: Disable post-login banner. enable: Enable post-login banner. |
option | - |
tftp | Enable/disable TFTP. enable: Enable TFTP. disable: Disable TFTP. |
option | - |
av-failopen | Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. With pass or one-shot, traffic is forwarded without antivirus scanning while the bypass is in effect; off keeps scanning in place by refusing new AV sessions instead. pass: Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved. off: Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions. one-shot: Bypass the antivirus system when memory is low. |
option | - |
av-failopen-session | When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. enable: Enable AV fail open session option. disable: Disable AV fail open session option. |
option | - |
memory-use-threshold-extreme | Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95). | integer | Minimum value: 70 Maximum value: 97 |
memory-use-threshold-red | Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88). | integer | Minimum value: 70 Maximum value: 97 |
memory-use-threshold-green | Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82). | integer | Minimum value: 70 Maximum value: 97 |
cpu-use-threshold | Threshold at which CPU usage is reported. (% of total CPU, default = 90). | integer | Minimum value: 50 Maximum value: 99 |
check-reset-range | Configure ICMP error message verification. You can either apply strict RST range checking or disable it. strict: Check RST range strictly. disable: Disable RST range check. |
option | - |
vdom-mode | Enable/disable support for split/multiple virtual domains (VDOMs). no-vdom: Disable split/multiple VDOMs mode. split-vdom: Enable split VDOMs mode. multi-vdom: Enable multiple VDOMs mode. |
option | - |
long-vdom-name | Enable/disable long VDOM name support. enable: Enable long VDOM name support. disable: Disable long VDOM name support. |
option | - |
admin-port | Administrative access port for HTTP. (1 - 65535, default = 80). | integer | Minimum value: 1 Maximum value: 65535 |
admin-sport | Administrative access port for HTTPS. (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
admin-https-redirect | Enable/disable redirection of HTTP administration access to HTTPS. enable: Enable redirecting HTTP administration access to HTTPS. disable: Disable redirecting HTTP administration access to HTTPS. |
option | - |
admin-hsts-max-age | HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0. | integer | Minimum value: 0 Maximum value: 2147483647 |
admin-ssh-password | Enable/disable password authentication for SSH admin access. enable: Enable password authentication for SSH admin access. disable: Disable password authentication for SSH admin access. |
option | - |
admin-restrict-local | Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) enable: Enable local admin authentication restriction. disable: Disable local admin authentication restriction. |
option | - |
admin-ssh-port | Administrative access port for SSH. (1 - 65535, default = 22). | integer | Minimum value: 1 Maximum value: 65535 |
admin-ssh-grace-time | Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120). | integer | Minimum value: 10 Maximum value: 3600 |
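admin-ssh-v1 | Enable/disable SSH v1 compatibility. SSH v1 is an obsolete protocol version with known weaknesses; leave this disabled unless a legacy client requires it. enable: Enable SSH v1 compatibility. disable: Disable SSH v1 compatibility. |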
option | - |
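admin-telnet | Enable/disable TELNET service. TELNET carries credentials and session data unencrypted, so keep it disabled and use SSH for administrative access where possible. enable: Enable TELNET service. disable: Disable TELNET service. |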
option | - |
admin-telnet-port | Administrative access port for TELNET. (1 - 65535, default = 23). | integer | Minimum value: 1 Maximum value: 65535 |
default-service-source-port | Default service source port range. (default=1-65535) | user | Not Specified |
admin-maintainer | Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number, the account is protected only by physical access to the console; disable it where physical access to the unit is not controlled. enable: Enable login for special user (maintainer). disable: Disable login for special user (maintainer). |
option | - |
admin-server-cert | Server certificate that the FortiGate uses for HTTPS administrative connections. | string | Maximum length: 35 |
user-server-cert | Certificate to use for https user authentication. | string | Maximum length: 35 |
admin-https-pki-required | Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. enable: Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access. disable: Admin users can login by providing a valid certificate or password. |
option | - |
wifi-certificate | Certificate to use for WiFi authentication. | string | Maximum length: 35 |
wifi-ca-certificate | CA certificate that verifies the WiFi certificate. | string | Maximum length: 79 |
auth-http-port | User authentication HTTP port. (1 - 65535, default = 80). | integer | Minimum value: 1 Maximum value: 65535 |
auth-https-port | User authentication HTTPS port. (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
auth-keepalive | Enable to prevent user authentication sessions from timing out when idle. enable: Enable use of keep alive to extend authentication. disable: Disable use of keep alive to extend authentication. |
option | - |
policy-auth-concurrent | Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit). | integer | Minimum value: 0 Maximum value: 100 |
auth-session-limit | Action to take when the number of allowed user authenticated sessions is reached. block-new: Block new user authentication attempts. logout-inactive: Logout the most inactive user authenticated sessions. |
option | - |
auth-cert | Server certificate that the FortiGate uses for HTTPS firewall authentication connections. | string | Maximum length: 35 |
clt-cert-req | Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. enable: Enable require client certificate for GUI login. disable: Disable require client certificate for GUI login. |
option | - |
fortiservice-port | FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port. | integer | Minimum value: 1 Maximum value: 65535 |
cfg-save | Configuration file save mode for CLI changes. automatic: Automatically save config. manual: Manually save config. revert: Manually save config and revert the config when timeout. |
option | - |
cfg-revert-timeout | Time-out for reverting to the last saved configuration. | integer | Minimum value: 10 Maximum value: 4294967295 |
reboot-upon-config-restore | Enable/disable reboot of system upon restoring configuration. enable: Enable reboot of system upon restoring configuration. disable: Disable reboot of system upon restoring configuration. |
option | - |
admin-scp | Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. enable: Enable allow system configuration download by SCP. disable: Disable allow system configuration download by SCP. |
option | - |
security-rating-result-submission | Enable/disable the submission of Security Rating results to FortiGuard. enable: Enable submission of Security Rating results to FortiGuard. disable: Disable submission of Security Rating results to FortiGuard. |
option | - |
security-rating-run-on-schedule | Enable/disable scheduled runs of Security Rating. enable: Enable scheduled runs of Security Rating. disable: Disable scheduled runs of Security Rating. |
option | - |
wireless-controller | Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. enable: Enable wireless controller. disable: Disable wireless controller. |
option | - |
wireless-controller-port | Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246). | integer | Minimum value: 1024 Maximum value: 49150 |
fortiextender-data-port | FortiExtender data port (1024 - 49150, default = 25246). | integer | Minimum value: 1024 Maximum value: 49150 |
fortiextender | Enable/disable FortiExtender. disable: Disable FortiExtender controller. enable: Enable FortiExtender controller. |
option | - |
fortiextender-vlan-mode | Enable/disable FortiExtender VLAN mode. enable: Enable FortiExtender VLAN mode. disable: Disable FortiExtender VLAN mode. |
option | - |
switch-controller | Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. disable: Disable switch controller feature. enable: Enable switch controller feature. |
option | - |
switch-controller-reserved-network | Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled. | ipv4-classnet | Not Specified |
dnsproxy-worker-count | DNS proxy worker count. | integer | Minimum value: 1 Maximum value: 40 |
url-filter-count | URL filter daemon count. | integer | Minimum value: 1 Maximum value: 4 |
proxy-worker-count | Proxy worker count. | integer | Minimum value: 1 Maximum value: 40 |
scanunit-count | Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. | integer | Minimum value: 2 Maximum value: 40 |
proxy-kxp-hardware-acceleration | Enable/disable using the content processor to accelerate KXP traffic. disable: Disable using the content processor to accelerate KXP traffic. enable: Enable using the content processor to accelerate KXP traffic. |
option | - |
proxy-cipher-hardware-acceleration | Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. disable: Disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. enable: Enable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. |
option | - |
fgd-alert-subscription | Type of alert to retrieve from FortiGuard. advisory: Retrieve FortiGuard advisories, report and news alerts. latest-threat: Retrieve latest FortiGuard threats alerts. latest-virus: Retrieve latest FortiGuard virus alerts. latest-attack: Retrieve latest FortiGuard attack alerts. new-antivirus-db: Retrieve FortiGuard AV database release alerts. new-attack-db: Retrieve FortiGuard IPS database release alerts. |
option | - |
ipsec-hmac-offload | Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. enable: Enable offload IPsec HMAC processing to hardware if possible. disable: Disable offload IPsec HMAC processing to hardware. |
option | - |
ipv6-accept-dad | Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD). | integer | Minimum value: 0 Maximum value: 2 |
ipv6-allow-anycast-probe | Enable/disable IPv6 address probe through Anycast. enable: Enable probing of IPv6 address space through Anycast. disable: Disable probing of IPv6 address space through Anycast. |
option | - |
csr-ca-attribute | Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. enable: Enable CA attribute in CSR. disable: Disable CA attribute in CSR. |
option | - |
wimax-4g-usb | Enable/disable compatibility with WiMAX 4G USB devices. enable: Enable WiMax 4G. disable: Disable WiMax 4G. |
option | - |
cert-chain-max | Maximum number of certificates that can be traversed in a certificate chain. | integer | Minimum value: 1 Maximum value: 2147483647 |
sslvpn-max-worker-count | Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model. | integer | Minimum value: 0 Maximum value: 40 |
sslvpn-kxp-hardware-acceleration | Enable/disable SSL VPN KXP hardware acceleration. enable: Enable KXP SSL-VPN hardware acceleration. disable: Disable KXP SSL-VPN hardware acceleration. |
option | - |
sslvpn-cipher-hardware-acceleration | Enable/disable SSL VPN hardware acceleration. enable: Enable SSL-VPN cipher hardware acceleration. disable: Disable SSL-VPN cipher hardware acceleration. |
option | - |
sslvpn-plugin-version-check | Enable/disable checking browser's plugin version by SSL VPN. enable: Enable SSL-VPN automatic checking of browser plug-in version. disable: Disable SSL-VPN automatic checking of browser plug-in version. |
option | - |
two-factor-ftk-expiry | FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60). | integer | Minimum value: 60 Maximum value: 600 |
two-factor-email-expiry | Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60). | integer | Minimum value: 30 Maximum value: 300 |
two-factor-sms-expiry | SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60). | integer | Minimum value: 30 Maximum value: 300 |
two-factor-fac-expiry | FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60). | integer | Minimum value: 10 Maximum value: 3600 |
two-factor-ftm-expiry | FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72). | integer | Minimum value: 1 Maximum value: 168 |
per-user-bwl | Enable/disable per-user black/white list filter. enable: Enable per-user black/white list filter. disable: Disable per-user black/white list filter. |
option | - |
wad-worker-count | Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit. | integer | Minimum value: 0 Maximum value: 40 |
wad-csvc-cs-count | Number of concurrent WAD-cache-service object-cache processes. | integer | Minimum value: 1 Maximum value: 1 |
wad-csvc-db-count | Number of concurrent WAD-cache-service byte-cache processes. | integer | Minimum value: 0 Maximum value: 40 |
wad-source-affinity | Enable/disable dispatching traffic to WAD workers based on source affinity. disable: Disable dispatching traffic to WAD workers based on source affinity. enable: Enable dispatching traffic to WAD workers based on source affinity. |
option | - |
wad-memory-change-granularity | Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection. | integer | Minimum value: 5 Maximum value: 25 |
login-timestamp | Enable/disable login time recording. enable: Enable login time recording. disable: Disable login time recording. |
option | - |
miglogd-children | Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed. | integer | Minimum value: 0 Maximum value: 15 |
special-file-23-support | Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. disable: Disable using IPS detection of HIBUN format files when using Data Leak Protection. enable: Enable using IPS detection of HIBUN format files when using Data Leak Protection. |
option | - |
log-uuid-policy | Enable/disable insertion of policy UUIDs to traffic logs. enable: Enable insertion of policy UUID to traffic logs. disable: Disable insertion of policy UUID to traffic logs. |
option | - |
log-uuid-address | Enable/disable insertion of address UUIDs to traffic logs. enable: Enable insertion of address UUID to traffic logs. disable: Disable insertion of address UUID to traffic logs. |
option | - |
log-ssl-connection | Enable/disable logging of SSL connection events. enable: Enable logging of SSL connection events. disable: Disable logging of SSL connection events. |
option | - |
arp-max-entry | Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072). | integer | Minimum value: 131072 Maximum value: 2147483647 |
av-affinity | Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). | string | Maximum length: 79 |
wad-affinity | Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). | string | Maximum length: 79 |
ips-affinity | Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). | string | Maximum length: 79 |
miglog-affinity | Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). | string | Maximum length: 19 |
url-filter-affinity | URL filter CPU affinity. | string | Maximum length: 79 |
ndp-max-entry | Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). | integer | Minimum value: 65536 Maximum value: 2147483647 |
br-fdb-max-entry | Maximum number of bridge forwarding database (FDB) entries. | integer | Minimum value: 8192 Maximum value: 2147483647 |
max-route-cache-size | Maximum number of IP route cache entries (0 - 2147483647). | integer | Minimum value: 0 Maximum value: 2147483647 |
ipsec-asic-offload | Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. enable: Enable ASIC offload for IPsec VPN. disable: Disable ASIC offload for IPsec VPN. |
option | - |
ipsec-soft-dec-async | Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. enable: Enable software decryption asynchronization for IPsec VPN. disable: Disable software decryption asynchronization for IPsec VPN. |
option | - |
device-idle-timeout | Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300). | integer | Minimum value: 30 Maximum value: 31536000 |
device-identification-active-scan-delay | Number of seconds to passively scan a device before performing an active scan (20 - 3600 sec (20 sec to 1 hour), default = 90). | integer | Minimum value: 20 Maximum value: 3600 |
gui-device-latitude | Add the latitude of the location of this FortiGate to position it on the Threat Map. | string | Maximum length: 19 |
gui-device-longitude | Add the longitude of the location of this FortiGate to position it on the Threat Map. | string | Maximum length: 19 |
private-data-encryption | Enable/disable private data encryption using an AES 128-bit key. disable: Disable private data encryption using an AES 128-bit key. enable: Enable private data encryption using an AES 128-bit key. |
option | - |
auto-auth-extension-device | Enable/disable automatic authorization of dedicated Fortinet extension devices. enable: Enable automatic authorization of dedicated Fortinet extension device globally. disable: Disable automatic authorization of dedicated Fortinet extension device globally. |
option | - |
gui-theme | Color scheme for the administration GUI. green: Green theme. neutrino: Neutrino theme. blue: Light blue theme. melongene: Melongene theme (eggplant color). mariner: Mariner theme (dark blue color). |
option | - |
gui-date-format | Default date format used throughout GUI. yyyy/MM/dd: Year/Month/Day. dd/MM/yyyy: Day/Month/Year. MM/dd/yyyy: Month/Day/Year. yyyy-MM-dd: Year-Month-Day. dd-MM-yyyy: Day-Month-Year. MM-dd-yyyy: Month-Day-Year. |
option | - |
gui-date-time-source | Source that the FortiGate GUI uses to display date and time entries. system: Use this FortiGate unit's configured timezone. browser: Use the web browser's timezone. |
option | - |
igmp-state-limit | Maximum number of IGMP memberships (96 - 64000, default = 3200). | integer | Minimum value: 96 Maximum value: 128000 |
cloud-communication | Enable/disable all cloud communication. enable: Allow cloud communication. disable: Disable all cloud communication. Note: When set to disable, cloud-related settings (for example, config system autoupdate tunneling status) will be disabled. When a user issues the command to change one of these settings, it will fail with a message that says cloud communication is disabled in 'system.global'. |
option | - |
fec-port | Local UDP port for Forward Error Correction (49152 - 65535). | integer | Minimum value: 49152 Maximum value: 65535 |
fortitoken-cloud | Enable/disable FortiToken Cloud service. enable: Enable FortiToken Cloud service. disable: Disable FortiToken Cloud service. |
option | - |