Fortinet white logo
Fortinet white logo

CLI Reference

system global

Configure global attributes.

  config system global
      Description: Configure global attributes.
      set language [english|french|...]
      set gui-ipv6 [enable|disable]
      set gui-certificates [enable|disable]
      set gui-custom-language [enable|disable]
      set gui-wireless-opensecurity [enable|disable]
      set gui-display-hostname [enable|disable]
      set gui-fortisandbox-cloud [enable|disable]
      set gui-firmware-upgrade-warning [enable|disable]
      set gui-allow-default-hostname [enable|disable]
      set gui-forticare-registration-setup-warning [enable|disable]
      set admin-https-ssl-versions {option1}, {option2}, ...
      set admintimeout {integer}
      set admin-console-timeout {integer}
      set ssd-trim-freq [never|hourly|...]
      set ssd-trim-hour {integer}
      set ssd-trim-min {integer}
      set ssd-trim-weekday [sunday|monday|...]
      set ssd-trim-date {integer}
      set admin-concurrent [enable|disable]
      set admin-lockout-threshold {integer}
      set admin-lockout-duration {integer}
      set refresh {integer}
      set interval {integer}
      set failtime {integer}
      set daily-restart [enable|disable]
      set restart-time {user}
      set radius-port {integer}
      set admin-login-max {integer}
      set remoteauthtimeout {integer}
      set ldapconntimeout {integer}
      set batch-cmdb [enable|disable]
      set multi-factor-authentication [optional|mandatory]
      set ssl-min-proto-version [SSLv3|TLSv1|...]
      set autorun-log-fsck [enable|disable]
      set dst [enable|disable]
      set timezone [01|02|...]
      set traffic-priority [tos|dscp]
      set traffic-priority-level [low|medium|...]
      set anti-replay [disable|loose|...]
      set send-pmtu-icmp [enable|disable]
      set honor-df [enable|disable]
      set revision-image-auto-backup [enable|disable]
      set revision-backup-on-logout [enable|disable]
      set management-vdom {string}
      set hostname {string}
      set alias {string}
      set strong-crypto [enable|disable]
      set ssh-cbc-cipher [enable|disable]
      set ssh-hmac-md5 [enable|disable]
      set ssh-kex-sha1 [enable|disable]
      set ssh-mac-weak [enable|disable]
      set ssl-static-key-ciphers [enable|disable]
      set snat-route-change [enable|disable]
      set cli-audit-log [enable|disable]
      set dh-params [1024|1536|...]
      set fds-statistics [enable|disable]
      set fds-statistics-period {integer}
      set tcp-option [enable|disable]
      set lldp-transmission [enable|disable]
      set lldp-reception [enable|disable]
      set proxy-auth-timeout {integer}
      set proxy-re-authentication-mode [session|traffic|...]
      set proxy-auth-lifetime [enable|disable]
      set proxy-auth-lifetime-timeout {integer}
      set sys-perf-log-interval {integer}
      set check-protocol-header [loose|strict]
      set vip-arp-range [unlimited|restricted]
      set reset-sessionless-tcp [enable|disable]
      set allow-traffic-redirect [enable|disable]
      set strict-dirty-session-check [enable|disable]
      set tcp-halfclose-timer {integer}
      set tcp-halfopen-timer {integer}
      set tcp-timewait-timer {integer}
      set udp-idle-timer {integer}
      set block-session-timer {integer}
      set ip-src-port-range {user}
      set pre-login-banner [enable|disable]
      set post-login-banner [disable|enable]
      set tftp [enable|disable]
      set av-failopen [pass|off|...]
      set av-failopen-session [enable|disable]
      set memory-use-threshold-extreme {integer}
      set memory-use-threshold-red {integer}
      set memory-use-threshold-green {integer}
      set cpu-use-threshold {integer}
      set check-reset-range [strict|disable]
      set vdom-mode [no-vdom|split-vdom|...]
      set long-vdom-name [enable|disable]
      set edit-vdom-prompt [enable|disable]
      set admin-port {integer}
      set admin-sport {integer}
      set admin-https-redirect [enable|disable]
      set admin-hsts-max-age {integer}
      set admin-ssh-password [enable|disable]
      set admin-restrict-local [enable|disable]
      set admin-ssh-port {integer}
      set admin-ssh-grace-time {integer}
      set admin-ssh-v1 [enable|disable]
      set admin-telnet [enable|disable]
      set admin-telnet-port {integer}
      set default-service-source-port {user}
      set admin-maintainer [enable|disable]
      set admin-server-cert {string}
      set user-server-cert {string}
      set admin-https-pki-required [enable|disable]
      set wifi-certificate {string}
      set wifi-ca-certificate {string}
      set auth-http-port {integer}
      set auth-https-port {integer}
      set auth-keepalive [enable|disable]
      set policy-auth-concurrent {integer}
      set auth-session-limit [block-new|logout-inactive]
      set auth-cert {string}
      set clt-cert-req [enable|disable]
      set fortiservice-port {integer}
      set cfg-save [automatic|manual|...]
      set cfg-revert-timeout {integer}
      set reboot-upon-config-restore [enable|disable]
      set admin-scp [enable|disable]
      set security-rating-result-submission [enable|disable]
      set security-rating-run-on-schedule [enable|disable]
      set wireless-controller [enable|disable]
      set wireless-controller-port {integer}
      set fortiextender-data-port {integer}
      set fortiextender [disable|enable]
      set fortiextender-vlan-mode [enable|disable]
      set switch-controller [disable|enable]
      set switch-controller-reserved-network {ipv4-classnet}
      set dnsproxy-worker-count {integer}
      set url-filter-count {integer}
      set proxy-worker-count {integer}
      set scanunit-count {integer}
      set proxy-hardware-acceleration [disable|enable]
      set fgd-alert-subscription {option1}, {option2}, ...
      set ipsec-hmac-offload [enable|disable]
      set ipv6-accept-dad {integer}
      set ipv6-allow-anycast-probe [enable|disable]
      set csr-ca-attribute [enable|disable]
      set wimax-4g-usb [enable|disable]
      set cert-chain-max {integer}
      set sslvpn-max-worker-count {integer}
      set sslvpn-kxp-hardware-acceleration [enable|disable]
      set sslvpn-cipher-hardware-acceleration [enable|disable]
      set sslvpn-ems-sn-check [enable|disable]
      set sslvpn-plugin-version-check [enable|disable]
      set two-factor-ftk-expiry {integer}
      set two-factor-email-expiry {integer}
      set two-factor-sms-expiry {integer}
      set two-factor-fac-expiry {integer}
      set two-factor-ftm-expiry {integer}
      set per-user-bwl [enable|disable]
      set wad-worker-count {integer}
      set wad-csvc-cs-count {integer}
      set wad-csvc-db-count {integer}
      set wad-source-affinity [disable|enable]
      set wad-memory-change-granularity {integer}
      set login-timestamp [enable|disable]
      set miglogd-children {integer}
      set special-file-23-support [disable|enable]
      set log-uuid-address [enable|disable]
      set log-ssl-connection [enable|disable]
      set arp-max-entry {integer}
      set av-affinity {string}
      set wad-affinity {string}
      set ips-affinity {string}
      set miglog-affinity {string}
      set url-filter-affinity {string}
      set ndp-max-entry {integer}
      set br-fdb-max-entry {integer}
      set max-route-cache-size {integer}
      set ipsec-asic-offload [enable|disable]
      set ipsec-soft-dec-async [enable|disable]
      set device-idle-timeout {integer}
      set user-device-store-max-devices {integer}
      set user-device-store-max-users {integer}
      set gui-device-latitude {string}
      set gui-device-longitude {string}
      set private-data-encryption [disable|enable]
      set auto-auth-extension-device [enable|disable]
      set gui-theme [green|neutrino|...]
      set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]
      set gui-date-time-source [system|browser]
      set igmp-state-limit {integer}
      set cloud-communication [enable|disable]
      set fec-port {integer}
      set fortitoken-cloud [enable|disable]
      set faz-disk-buffer-size {integer}
      set irq-time-accounting [auto|force]
      set fortiipam-integration [enable|disable]
  end

config system global

Parameter Name Description Type Size
language GUI display language.
english: English.
french: French.
spanish: Spanish.
portuguese: Portuguese.
japanese: Japanese.
trach: Traditional Chinese.
simch: Simplified Chinese.
korean: Korean.
option -
gui-ipv6 Enable/disable IPv6 settings on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-certificates Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-custom-language Enable/disable custom languages in GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-wireless-opensecurity Enable/disable wireless open security option on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-display-hostname Enable/disable displaying the FortiGate's hostname on the GUI login page.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-fortisandbox-cloud Enable/disable displaying FortiSandbox Cloud on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-firmware-upgrade-warning Enable/disable the firmware upgrade warning on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-allow-default-hostname Enable/disable the factory default hostname warning on the GUI setup wizard.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-forticare-registration-setup-warning Enable/disable the FortiCare registration setup warning on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
admin-https-ssl-versions Allowed TLS versions for web administration.
tlsv1-1: TLS 1.1.
tlsv1-2: TLS 1.2.
tlsv1-3: TLS 1.3.
option -
admintimeout Number of minutes before an idle administrator session times out (1 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure. integer Minimum value: 1 Maximum value: 480
admin-console-timeout Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout. integer Minimum value: 15 Maximum value: 300
ssd-trim-freq How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
never: Never Run SSD Trim.
hourly: Run SSD Trim Hourly.
daily: Run SSD Trim Daily.
weekly: Run SSD Trim Weekly.
monthly: Run SSD Trim Monthly.
option -
ssd-trim-hour Hour of the day on which to run SSD Trim (0 - 23, default = 1). integer Minimum value: 0 Maximum value: 23
ssd-trim-min Minute of the hour on which to run SSD Trim (0 - 59, 60 for random). integer Minimum value: 0 Maximum value: 60
ssd-trim-weekday Day of week to run SSD Trim.
sunday: Sunday
monday: Monday
tuesday: Tuesday
wednesday: Wednesday
thursday: Thursday
friday: Friday
saturday: Saturday
option -
ssd-trim-date Date within a month to run ssd trim. integer Minimum value: 1 Maximum value: 31
admin-concurrent Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
enable: Enable admin concurrent login.
disable: Disable admin concurrent login.
option -
admin-lockout-threshold Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration. integer Minimum value: 1 Maximum value: 10
admin-lockout-duration Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts. integer Minimum value: 1 Maximum value: 2147483647
refresh Statistics refresh interval second(s) in GUI. integer Minimum value: 0 Maximum value: 4294967295
interval Dead gateway detection interval. integer Minimum value: 0 Maximum value: 4294967295
failtime Fail-time for server lost. integer Minimum value: 0 Maximum value: 4294967295
daily-restart Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
enable: Enable daily reboot of the FortiGate.
disable: Disable daily reboot of the FortiGate.
option -
restart-time Daily restart time (hh:mm). user Not Specified
radius-port RADIUS service port number. integer Minimum value: 1 Maximum value: 65535
admin-login-max Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100) integer Minimum value: 1 Maximum value: 100
remoteauthtimeout Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (1-300 sec, default = 5). integer Minimum value: 1 Maximum value: 300
ldapconntimeout Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500). integer Minimum value: 1 Maximum value: 300000
batch-cmdb Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
enable: Enable batch mode to execute in CMDB server.
disable: Disable batch mode to execute in CMDB server.
option -
multi-factor-authentication Enforce all login methods to require an additional authentication factor (default = optional).
optional: Do not enforce all login methods to require an additional authentication factor (controlled by user settings).
mandatory: Enforce all login methods to require an additional authentication factor.
option -
ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
SSLv3: SSLv3.
TLSv1: TLSv1.
TLSv1-1: TLSv1.1.
TLSv1-2: TLSv1.2.
TLSv1-3: TLSv1.3.
option -
autorun-log-fsck Enable/disable automatic log partition check after ungraceful shutdown.
enable: Enable automatic log partition check after ungraceful shutdown.
disable: Disable automatic log partition check after ungraceful shutdown.
option -
dst Enable/disable daylight saving time.
enable: Enable daylight saving time.
disable: Disable daylight saving time.
option -
timezone
traffic-priority Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
tos: IP TOS.
dscp: DSCP (DiffServ) DS.
option -
traffic-priority-level Default system-wide level of priority for traffic prioritization.
low: Low priority.
medium: Medium priority.
high: High priority.
option -
anti-replay Level of checking for packet replay and TCP sequence checking.
disable: Disable anti-replay check.
loose: Loose anti-replay check.
strict: Strict anti-replay check.
option -
send-pmtu-icmp Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.
enable: Enable sending of PMTU ICMP destination unreachable packet.
disable: Disable sending of PMTU ICMP destination unreachable packet.
option -
honor-df Enable/disable honoring of Don't-Fragment (DF) flag.
enable: Enable honoring of Don't-Fragment flag.
disable: Disable honoring of Don't-Fragment flag.
option -
revision-image-auto-backup Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
enable: Enable revision image backup automatically when upgrading image.
disable: Disable revision image backup automatically when upgrading image.
option -
revision-backup-on-logout Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
enable: Enable revision config backup automatically when logout.
disable: Disable revision config backup automatically when logout.
option -
management-vdom Management virtual domain name. string Maximum length: 31
hostname FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters. string Maximum length: 35
alias Alias for your FortiGate unit. string Maximum length: 35
strong-crypto Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.
enable: Enable strong crypto for HTTPS/SSH/TLS/SSL.
disable: Disable strong crypto for HTTPS/SSH/TLS/SSL.
option -
ssh-cbc-cipher Enable/disable CBC cipher for SSH access.
enable: Enable CBC cipher for SSH access.
disable: Disable CBC cipher for SSH access.
option -
ssh-hmac-md5 Enable/disable HMAC-MD5 for SSH access.
enable: Enable HMAC-MD5 for SSH access.
disable: Disable HMAC-MD5 for SSH access.
option -
ssh-kex-sha1 Enable/disable SHA1 key exchange for SSH access.
enable: Enable SHA1 for SSH key exchanges.
disable: Disable SHA1 for SSH key exchanges.
option -
ssh-mac-weak Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
enable: Enable HMAC-SHA1 and UMAC-64-ETM for SSH access.
disable: Disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
option -
ssl-static-key-ciphers Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
enable: Enable static key ciphers in SSL/TLS connections.
disable: Disable static key ciphers in SSL/TLS connections.
option -
snat-route-change Enable/disable the ability to change the static NAT route.
enable: Enable SNAT route change.
disable: Disable SNAT route change.
option -
cli-audit-log Enable/disable CLI audit log.
enable: Enable CLI audit log.
disable: Disable CLI audit log.
option -
dh-params Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
1024: 1024 bits.
1536: 1536 bits.
2048: 2048 bits.
3072: 3072 bits.
4096: 4096 bits.
6144: 6144 bits.
8192: 8192 bits.
option -
fds-statistics Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
enable: Enable FortiGuard statistics.
disable: Disable FortiGuard statistics.
option -
fds-statistics-period FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60). integer Minimum value: 1 Maximum value: 1440
tcp-option Enable SACK, timestamp and MSS TCP options.
enable: Enable TCP option.
disable: Disable TCP option.
option -
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
enable: Enable transmission of Link Layer Discovery Protocol (LLDP).
disable: Disable transmission of Link Layer Discovery Protocol (LLDP).
option -
lldp-reception Enable/disable Link Layer Discovery Protocol (LLDP) reception.
enable: Enable reception of Link Layer Discovery Protocol (LLDP).
disable: Disable reception of Link Layer Discovery Protocol (LLDP).
option -
proxy-auth-timeout Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10). integer Minimum value: 1 Maximum value: 300
proxy-re-authentication-mode Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
session: Proxy re-authentication timeout begins at the closure of the session.
traffic: Proxy re-authentication timeout begins after traffic has not been received.
absolute: Proxy re-authentication timeout begins when the user was first created.
option -
proxy-auth-lifetime Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
enable: Enable authenticated users lifetime control.
disable: Disable authenticated users lifetime control.
option -
proxy-auth-lifetime-timeout Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)). integer Minimum value: 5 Maximum value: 65535
sys-perf-log-interval Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled). integer Minimum value: 0 Maximum value: 15
check-protocol-header Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
loose: Check protocol header loosely.
strict: Check protocol header strictly.
option -
vip-arp-range Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
unlimited: Send ARPs for all addresses in VIP range.
restricted: Send ARPs for the first 8192 addresses in VIP range.
option -
reset-sessionless-tcp Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
enable: Enable reset session-less TCP.
disable: Disable reset session-less TCP.
option -
allow-traffic-redirect Disable to allow traffic to be routed back on a different interface.
enable: Enable allow traffic redirect.
disable: Disable allow traffic redirect.
option -
strict-dirty-session-check Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
enable: Enable strict dirty-session check.
disable: Disable strict dirty-session check.
option -
tcp-halfclose-timer Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120). integer Minimum value: 1 Maximum value: 86400
tcp-halfopen-timer Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10). integer Minimum value: 1 Maximum value: 86400
tcp-timewait-timer Length of the TCP TIME-WAIT state in seconds. integer Minimum value: 0 Maximum value: 300
udp-idle-timer UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60). integer Minimum value: 1 Maximum value: 86400
block-session-timer Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30). integer Minimum value: 1 Maximum value: 300
ip-src-port-range IP source port range used for traffic originating from the FortiGate unit. user Not Specified
pre-login-banner Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
enable: Enable pre-login banner.
disable: Disable pre-login banner.
option -
post-login-banner Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
disable: Disable post-login banner.
enable: Enable post-login banner.
option -
tftp Enable/disable TFTP.
enable: Enable TFTP.
disable: Disable TFTP.
option -
av-failopen Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
pass: Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
off: Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
one-shot: Bypass the antivirus system when memory is low.
option -
av-failopen-session When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
enable: Enable AV fail open session option.
disable: Disable AV fail open session option.
option -
memory-use-threshold-extreme Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95). integer Minimum value: 70 Maximum value: 97
memory-use-threshold-red Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88). integer Minimum value: 70 Maximum value: 97
memory-use-threshold-green Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82). integer Minimum value: 70 Maximum value: 97
cpu-use-threshold Threshold at which CPU usage is reported. (% of total CPU, default = 90). integer Minimum value: 50 Maximum value: 99
check-reset-range Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
strict: Check RST range strictly.
disable: Disable RST range check.
option -
vdom-mode Enable/disable support for split/multiple virtual domains (VDOMs).
no-vdom: Disable split/multiple VDOMs mode.
split-vdom: Enable split VDOMs mode.
multi-vdom: Enable multiple VDOMs mode.
option -
long-vdom-name Enable/disable long VDOM name support.
enable: Enable long VDOM name support.
disable: Disable long VDOM name support.
option -
edit-vdom-prompt Enable/disable edit new VDOM prompt.
enable: Enable edit new VDOM prompt.
disable: Disable edit new VDOM prompt.
option -
admin-port Administrative access port for HTTP. (1 - 65535, default = 80). integer Minimum value: 1 Maximum value: 65535
admin-sport Administrative access port for HTTPS. (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
admin-https-redirect Enable/disable redirection of HTTP administration access to HTTPS.
enable: Enable redirecting HTTP administration access to HTTPS.
disable: Disable redirecting HTTP administration access to HTTPS.
option -
admin-hsts-max-age HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0. integer Minimum value: 0 Maximum value: 2147483647
admin-ssh-password Enable/disable password authentication for SSH admin access.
enable: Enable password authentication for SSH admin access.
disable: Disable password authentication for SSH admin access.
option -
admin-restrict-local Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
enable: Enable local admin authentication restriction.
disable: Disable local admin authentication restriction.
option -
admin-ssh-port Administrative access port for SSH. (1 - 65535, default = 22). integer Minimum value: 1 Maximum value: 65535
admin-ssh-grace-time Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120). integer Minimum value: 10 Maximum value: 3600
admin-ssh-v1 Enable/disable SSH v1 compatibility.
enable: Enable SSH v1 compatibility.
disable: Disable SSH v1 compatibility.
option -
admin-telnet Enable/disable TELNET service.
enable: Enable TELNET service.
disable: Disable TELNET service.
option -
admin-telnet-port Administrative access port for TELNET. (1 - 65535, default = 23). integer Minimum value: 1 Maximum value: 65535
default-service-source-port Default service source port range. (default=1-65535) user Not Specified
admin-maintainer Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.
enable: Enable login for special user (maintainer).
disable: Disable login for special user (maintainer).
option -
admin-server-cert Server certificate that the FortiGate uses for HTTPS administrative connections. string Maximum length: 35
user-server-cert Certificate to use for https user authentication. string Maximum length: 35
admin-https-pki-required Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
enable: Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access.
disable: Admin users can login by providing a valid certificate or password.
option -
wifi-certificate Certificate to use for WiFi authentication. string Maximum length: 35
wifi-ca-certificate CA certificate that verifies the WiFi certificate. string Maximum length: 79
auth-http-port User authentication HTTP port. (1 - 65535, default = 1000). integer Minimum value: 1 Maximum value: 65535
auth-https-port User authentication HTTPS port. (1 - 65535, default = 1003). integer Minimum value: 1 Maximum value: 65535
auth-keepalive Enable to prevent user authentication sessions from timing out when idle.
enable: Enable use of keep alive to extend authentication.
disable: Disable use of keep alive to extend authentication.
option -
policy-auth-concurrent Number of concurrent firewall use logins from the same user (1 - 100, default = 0 means no limit). integer Minimum value: 0 Maximum value: 100
auth-session-limit Action to take when the number of allowed user authenticated sessions is reached.
block-new: Block new user authentication attempts.
logout-inactive: Logout the most inactive user authenticated sessions.
option -
auth-cert Server certificate that the FortiGate uses for HTTPS firewall authentication connections. string Maximum length: 35
clt-cert-req Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
enable: Enable require client certificate for GUI login.
disable: Disable require client certificate for GUI login.
option -
fortiservice-port FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port. integer Minimum value: 1 Maximum value: 65535
cfg-save Configuration file save mode for CLI changes.
automatic: Automatically save config.
manual: Manually save config.
revert: Manually save config and revert the config when timeout.
option -
cfg-revert-timeout Time-out for reverting to the last saved configuration. (10 - 4294967295 seconds, default = 600). integer Minimum value: 10 Maximum value: 4294967295
reboot-upon-config-restore Enable/disable reboot of system upon restoring configuration.
enable: Enable reboot of system upon restoring configuration.
disable: Disable reboot of system upon restoring configuration.
option -
admin-scp Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
enable: Enable allow system configuration download by SCP.
disable: Disable allow system configuration download by SCP.
option -
security-rating-result-submission Enable/disable the submission of Security Rating results to FortiGuard.
enable: Enable submission of Security Rating results to FortiGuard.
disable: Disable submission of Security Rating results to FortiGuard.
option -
security-rating-run-on-schedule Enable/disable scheduled runs of Security Rating.
enable: Enable scheduled runs of Security Rating.
disable: Disable scheduled runs of Security Rating.
option -
wireless-controller Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
enable: Enable wireless controller.
disable: Disable wireless controller.
option -
wireless-controller-port Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246). integer Minimum value: 1024 Maximum value: 49150
fortiextender-data-port FortiExtender data port (1024 - 49150, default = 25246). integer Minimum value: 1024 Maximum value: 49150
fortiextender Enable/disable FortiExtender.
disable: Disable FortiExtender controller.
enable: Enable FortiExtender controller.
option -
fortiextender-vlan-mode Enable/disable FortiExtender VLAN mode.
enable: Enable FortiExtender VLAN mode.
disable: Disable FortiExtender VLAN mode.
option -
switch-controller Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
disable: Disable switch controller feature.
enable: Enable switch controller feature.
option -
switch-controller-reserved-network Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled. ipv4-classnet Not Specified
dnsproxy-worker-count DNS proxy worker count. integer Minimum value: 1 Maximum value: 40
url-filter-count URL filter daemon count. integer Minimum value: 1 Maximum value: 4
proxy-worker-count Proxy worker count. integer Minimum value: 1 Maximum value: 40
scanunit-count Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. integer Minimum value: 2 Maximum value: 40
proxy-hardware-acceleration Enable/disable email proxy hardware acceleration.
disable: Disable email proxy hardware acceleration.
enable: Enable email proxy hardware acceleration.
option -
fgd-alert-subscription Type of alert to retrieve from FortiGuard.
advisory: Retrieve FortiGuard advisories, report and news alerts.
latest-threat: Retrieve latest FortiGuard threats alerts.
latest-virus: Retrieve latest FortiGuard virus alerts.
latest-attack: Retrieve latest FortiGuard attack alerts.
new-antivirus-db: Retrieve FortiGuard AV database release alerts.
new-attack-db: Retrieve FortiGuard IPS database release alerts.
option -
ipsec-hmac-offload Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
enable: Enable offload IPsec HMAC processing to hardware if possible.
disable: Disable offload IPsec HMAC processing to hardware.
option -
ipv6-accept-dad Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD). integer Minimum value: 0 Maximum value: 2
ipv6-allow-anycast-probe Enable/disable IPv6 address probe through Anycast.
enable: Enable probing of IPv6 address space through Anycast
disable: Disable probing of IPv6 address space through Anycast
option -
csr-ca-attribute Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
enable: Enable CA attribute in CSR.
disable: Disable CA attribute in CSR.
option -
wimax-4g-usb Enable/disable comparability with WiMAX 4G USB devices.
enable: Enable WiMax 4G.
disable: Disable WiMax 4G.
option -
cert-chain-max Maximum number of certificates that can be traversed in a certificate chain. integer Minimum value: 1 Maximum value: 2147483647
sslvpn-max-worker-count Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model. Default value of zero means the SSLVPN daemon decides the number of worker processes. integer Minimum value: 0 Maximum value: 40
sslvpn-kxp-hardware-acceleration Enable/disable SSL VPN KXP hardware acceleration.
enable: Enable KXP SSL-VPN hardware acceleration.
disable: Disable KXP SSL-VPN hardware acceleration.
option -
sslvpn-cipher-hardware-acceleration Enable/disable SSL VPN hardware acceleration.
enable: Enable SSL-VPN cipher hardware acceleration.
disable: Disable SSL-VPN cipher hardware acceleration.
option -
sslvpn-ems-sn-check Enable/disable verification of EMS serial number in SSL-VPN connection.
enable: Enable verification of EMS serial number in SSL-VPN connection.
disable: Disable verification of EMS serial number in SSL-VPN connection.
option -
sslvpn-plugin-version-check Enable/disable checking browser's plugin version by SSL VPN.
enable: Enable SSL-VPN automatic checking of browser plug-in version.
disable: Disable SSL-VPN automatic checking of browser plug-in version.
option -
two-factor-ftk-expiry FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60). integer Minimum value: 60 Maximum value: 600
two-factor-email-expiry Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60). integer Minimum value: 30 Maximum value: 300
two-factor-sms-expiry SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60). integer Minimum value: 30 Maximum value: 300
two-factor-fac-expiry FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60). integer Minimum value: 10 Maximum value: 3600
two-factor-ftm-expiry FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72). integer Minimum value: 1 Maximum value: 168
per-user-bwl Enable/disable per-user black/white list filter.
enable: Enable per-user black/white list filter.
disable: Disable per-user black/white list filter.
option -
wad-worker-count Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit. integer Minimum value: 0 Maximum value: 40
wad-csvc-cs-count Number of concurrent WAD-cache-service object-cache processes. integer Minimum value: 1 Maximum value: 1
wad-csvc-db-count Number of concurrent WAD-cache-service byte-cache processes. integer Minimum value: 0 Maximum value: 40
wad-source-affinity Enable/disable dispatching traffic to WAD workers based on source affinity.
disable: Disable dispatching traffic to WAD workers based on source affinity.
enable: Enable dispatching traffic to WAD workers based on source affinity.
option -
wad-memory-change-granularity Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection. integer Minimum value: 5 Maximum value: 25
login-timestamp Enable/disable login time recording.
enable: Enable login time recording.
disable: Disable login time recording.
option -
miglogd-children Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed. integer Minimum value: 0 Maximum value: 15
special-file-23-support Enable/disable detection of those special format files when using Data Leak Protection.
disable: Disable detection of those special format files when using Data Leak Protection.
enable: Enable detection of those special format files when using Data Leak Protection.
option -
log-uuid-address Enable/disable insertion of address UUIDs to traffic logs.
enable: Enable insertion of address UUID to traffic logs.
disable: Disable insertion of address UUID to traffic logs.
option -
log-ssl-connection Enable/disable logging of SSL connection events.
enable: Enable logging of SSL connection events.
disable: Disable logging of SSL connection events.
option -
arp-max-entry Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072). integer Minimum value: 131072 Maximum value: 2147483647
av-affinity Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). string Maximum length: 79
wad-affinity Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). string Maximum length: 79
ips-affinity Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). string Maximum length: 79
miglog-affinity Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). string Maximum length: 19
url-filter-affinity URL filter CPU affinity. string Maximum length: 79
ndp-max-entry Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). integer Minimum value: 65536 Maximum value: 2147483647
br-fdb-max-entry Maximum number of bridge forwarding database (FDB) entries. integer Minimum value: 8192 Maximum value: 2147483647
max-route-cache-size Maximum number of IP route cache entries (0 - 2147483647). integer Minimum value: 0 Maximum value: 2147483647
ipsec-asic-offload Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
enable: Enable ASIC offload for IPsec VPN.
disable: Disable ASIC offload for IPsec VPN.
option -
ipsec-soft-dec-async Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
enable: Enable software decryption asynchronization for IPsec VPN.
disable: Disable software decryption asynchronization for IPsec VPN.
option -
device-idle-timeout Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300). integer Minimum value: 30 Maximum value: 31536000
user-device-store-max-devices Maximum number of devices allowed in user device store. integer Minimum value: 337994 Maximum value: 965697
user-device-store-max-users Maximum number of users allowed in user device store. integer Minimum value: 337994 Maximum value: 965697
gui-device-latitude Add the latitude of the location of this FortiGate to position it on the Threat Map. string Maximum length: 19
gui-device-longitude Add the longitude of the location of this FortiGate to position it on the Threat Map. string Maximum length: 19
private-data-encryption Enable/disable private data encryption using an AES 128-bit key.
disable: Disable private data encryption using an AES 128-bit key.
enable: Enable private data encryption using an AES 128-bit key.
option -
auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension devices.
enable: Enable automatic authorization of dedicated Fortinet extension device globally.
disable: Disable automatic authorization of dedicated Fortinet extension device globally.
option -
gui-theme Color scheme for the administration GUI.
green: Green theme.
neutrino: Neutrino theme.
blue: Light blue theme.
melongene: Melongene theme (eggplant color).
mariner: Mariner theme (dark blue color).
option -
gui-date-format Default date format used throughout GUI.
yyyy/MM/dd: Year/Month/Day.
dd/MM/yyyy: Day/Month/Year.
MM/dd/yyyy: Month/Day/Year.
yyyy-MM-dd: Year-Month-Day.
dd-MM-yyyy: Day-Month-Year.
MM-dd-yyyy: Month-Day-Year.
option -
gui-date-time-source Source from which the FortiGate GUI uses to display date and time entries.
system: Use this FortiGate unit's configured timezone.
browser: Use the web browser's timezone.
option -
igmp-state-limit Maximum number of IGMP memberships (96 - 64000, default = 3200). integer Minimum value: 96 Maximum value: 128000
cloud-communication Enable/disable all cloud communication.
enable: Allow cloud communication.
disable: Disable all cloud communication.
option -
fec-port Local UDP port for Forward Error Correction (49152 - 65535). integer Minimum value: 49152 Maximum value: 65535
fortitoken-cloud Enable/disable FortiToken Cloud service.
enable: Enable FortiToken Cloud service.
disable: Disable FortiToken Cloud service.
option -
faz-disk-buffer-size Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailalble. integer Minimum value: 0 Maximum value: 161061273
irq-time-accounting Configure CPU IRQ time accounting mode.
auto: Automatically switch CPU accounting mode.
force: Force the use of CPU IRQ time accounting mode.
option -
fortiipam-integration Enable/disable integration with the FortiIPAM cloud service.
enable: Enable integration with FortiIPAM for automatic IP address management.
disable: Disable integration with FortiIPAM for automatic IP address management.
option -

system global

Configure global attributes.

  config system global
      Description: Configure global attributes.
      set language [english|french|...]
      set gui-ipv6 [enable|disable]
      set gui-certificates [enable|disable]
      set gui-custom-language [enable|disable]
      set gui-wireless-opensecurity [enable|disable]
      set gui-display-hostname [enable|disable]
      set gui-fortisandbox-cloud [enable|disable]
      set gui-firmware-upgrade-warning [enable|disable]
      set gui-allow-default-hostname [enable|disable]
      set gui-forticare-registration-setup-warning [enable|disable]
      set admin-https-ssl-versions {option1}, {option2}, ...
      set admintimeout {integer}
      set admin-console-timeout {integer}
      set ssd-trim-freq [never|hourly|...]
      set ssd-trim-hour {integer}
      set ssd-trim-min {integer}
      set ssd-trim-weekday [sunday|monday|...]
      set ssd-trim-date {integer}
      set admin-concurrent [enable|disable]
      set admin-lockout-threshold {integer}
      set admin-lockout-duration {integer}
      set refresh {integer}
      set interval {integer}
      set failtime {integer}
      set daily-restart [enable|disable]
      set restart-time {user}
      set radius-port {integer}
      set admin-login-max {integer}
      set remoteauthtimeout {integer}
      set ldapconntimeout {integer}
      set batch-cmdb [enable|disable]
      set multi-factor-authentication [optional|mandatory]
      set ssl-min-proto-version [SSLv3|TLSv1|...]
      set autorun-log-fsck [enable|disable]
      set dst [enable|disable]
      set timezone [01|02|...]
      set traffic-priority [tos|dscp]
      set traffic-priority-level [low|medium|...]
      set anti-replay [disable|loose|...]
      set send-pmtu-icmp [enable|disable]
      set honor-df [enable|disable]
      set revision-image-auto-backup [enable|disable]
      set revision-backup-on-logout [enable|disable]
      set management-vdom {string}
      set hostname {string}
      set alias {string}
      set strong-crypto [enable|disable]
      set ssh-cbc-cipher [enable|disable]
      set ssh-hmac-md5 [enable|disable]
      set ssh-kex-sha1 [enable|disable]
      set ssh-mac-weak [enable|disable]
      set ssl-static-key-ciphers [enable|disable]
      set snat-route-change [enable|disable]
      set cli-audit-log [enable|disable]
      set dh-params [1024|1536|...]
      set fds-statistics [enable|disable]
      set fds-statistics-period {integer}
      set tcp-option [enable|disable]
      set lldp-transmission [enable|disable]
      set lldp-reception [enable|disable]
      set proxy-auth-timeout {integer}
      set proxy-re-authentication-mode [session|traffic|...]
      set proxy-auth-lifetime [enable|disable]
      set proxy-auth-lifetime-timeout {integer}
      set sys-perf-log-interval {integer}
      set check-protocol-header [loose|strict]
      set vip-arp-range [unlimited|restricted]
      set reset-sessionless-tcp [enable|disable]
      set allow-traffic-redirect [enable|disable]
      set strict-dirty-session-check [enable|disable]
      set tcp-halfclose-timer {integer}
      set tcp-halfopen-timer {integer}
      set tcp-timewait-timer {integer}
      set udp-idle-timer {integer}
      set block-session-timer {integer}
      set ip-src-port-range {user}
      set pre-login-banner [enable|disable]
      set post-login-banner [disable|enable]
      set tftp [enable|disable]
      set av-failopen [pass|off|...]
      set av-failopen-session [enable|disable]
      set memory-use-threshold-extreme {integer}
      set memory-use-threshold-red {integer}
      set memory-use-threshold-green {integer}
      set cpu-use-threshold {integer}
      set check-reset-range [strict|disable]
      set vdom-mode [no-vdom|split-vdom|...]
      set long-vdom-name [enable|disable]
      set edit-vdom-prompt [enable|disable]
      set admin-port {integer}
      set admin-sport {integer}
      set admin-https-redirect [enable|disable]
      set admin-hsts-max-age {integer}
      set admin-ssh-password [enable|disable]
      set admin-restrict-local [enable|disable]
      set admin-ssh-port {integer}
      set admin-ssh-grace-time {integer}
      set admin-ssh-v1 [enable|disable]
      set admin-telnet [enable|disable]
      set admin-telnet-port {integer}
      set default-service-source-port {user}
      set admin-maintainer [enable|disable]
      set admin-server-cert {string}
      set user-server-cert {string}
      set admin-https-pki-required [enable|disable]
      set wifi-certificate {string}
      set wifi-ca-certificate {string}
      set auth-http-port {integer}
      set auth-https-port {integer}
      set auth-keepalive [enable|disable]
      set policy-auth-concurrent {integer}
      set auth-session-limit [block-new|logout-inactive]
      set auth-cert {string}
      set clt-cert-req [enable|disable]
      set fortiservice-port {integer}
      set cfg-save [automatic|manual|...]
      set cfg-revert-timeout {integer}
      set reboot-upon-config-restore [enable|disable]
      set admin-scp [enable|disable]
      set security-rating-result-submission [enable|disable]
      set security-rating-run-on-schedule [enable|disable]
      set wireless-controller [enable|disable]
      set wireless-controller-port {integer}
      set fortiextender-data-port {integer}
      set fortiextender [disable|enable]
      set fortiextender-vlan-mode [enable|disable]
      set switch-controller [disable|enable]
      set switch-controller-reserved-network {ipv4-classnet}
      set dnsproxy-worker-count {integer}
      set url-filter-count {integer}
      set proxy-worker-count {integer}
      set scanunit-count {integer}
      set proxy-hardware-acceleration [disable|enable]
      set fgd-alert-subscription {option1}, {option2}, ...
      set ipsec-hmac-offload [enable|disable]
      set ipv6-accept-dad {integer}
      set ipv6-allow-anycast-probe [enable|disable]
      set csr-ca-attribute [enable|disable]
      set wimax-4g-usb [enable|disable]
      set cert-chain-max {integer}
      set sslvpn-max-worker-count {integer}
      set sslvpn-kxp-hardware-acceleration [enable|disable]
      set sslvpn-cipher-hardware-acceleration [enable|disable]
      set sslvpn-ems-sn-check [enable|disable]
      set sslvpn-plugin-version-check [enable|disable]
      set two-factor-ftk-expiry {integer}
      set two-factor-email-expiry {integer}
      set two-factor-sms-expiry {integer}
      set two-factor-fac-expiry {integer}
      set two-factor-ftm-expiry {integer}
      set per-user-bwl [enable|disable]
      set wad-worker-count {integer}
      set wad-csvc-cs-count {integer}
      set wad-csvc-db-count {integer}
      set wad-source-affinity [disable|enable]
      set wad-memory-change-granularity {integer}
      set login-timestamp [enable|disable]
      set miglogd-children {integer}
      set special-file-23-support [disable|enable]
      set log-uuid-address [enable|disable]
      set log-ssl-connection [enable|disable]
      set arp-max-entry {integer}
      set av-affinity {string}
      set wad-affinity {string}
      set ips-affinity {string}
      set miglog-affinity {string}
      set url-filter-affinity {string}
      set ndp-max-entry {integer}
      set br-fdb-max-entry {integer}
      set max-route-cache-size {integer}
      set ipsec-asic-offload [enable|disable]
      set ipsec-soft-dec-async [enable|disable]
      set device-idle-timeout {integer}
      set user-device-store-max-devices {integer}
      set user-device-store-max-users {integer}
      set gui-device-latitude {string}
      set gui-device-longitude {string}
      set private-data-encryption [disable|enable]
      set auto-auth-extension-device [enable|disable]
      set gui-theme [green|neutrino|...]
      set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]
      set gui-date-time-source [system|browser]
      set igmp-state-limit {integer}
      set cloud-communication [enable|disable]
      set fec-port {integer}
      set fortitoken-cloud [enable|disable]
      set faz-disk-buffer-size {integer}
      set irq-time-accounting [auto|force]
      set fortiipam-integration [enable|disable]
  end

config system global

Parameter Name Description Type Size
language GUI display language.
english: English.
french: French.
spanish: Spanish.
portuguese: Portuguese.
japanese: Japanese.
trach: Traditional Chinese.
simch: Simplified Chinese.
korean: Korean.
option -
gui-ipv6 Enable/disable IPv6 settings on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-certificates Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-custom-language Enable/disable custom languages in GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-wireless-opensecurity Enable/disable wireless open security option on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-display-hostname Enable/disable displaying the FortiGate's hostname on the GUI login page.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-fortisandbox-cloud Enable/disable displaying FortiSandbox Cloud on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-firmware-upgrade-warning Enable/disable the firmware upgrade warning on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-allow-default-hostname Enable/disable the factory default hostname warning on the GUI setup wizard.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
gui-forticare-registration-setup-warning Enable/disable the FortiCare registration setup warning on the GUI.
enable: Display the feature in GUI.
disable: Do not display the feature in GUI.
option -
admin-https-ssl-versions Allowed TLS versions for web administration.
tlsv1-1: TLS 1.1.
tlsv1-2: TLS 1.2.
tlsv1-3: TLS 1.3.
option -
admintimeout Number of minutes before an idle administrator session times out (1 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure. integer Minimum value: 1 Maximum value: 480
admin-console-timeout Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout. integer Minimum value: 15 Maximum value: 300
ssd-trim-freq How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
never: Never Run SSD Trim.
hourly: Run SSD Trim Hourly.
daily: Run SSD Trim Daily.
weekly: Run SSD Trim Weekly.
monthly: Run SSD Trim Monthly.
option -
ssd-trim-hour Hour of the day on which to run SSD Trim (0 - 23, default = 1). integer Minimum value: 0 Maximum value: 23
ssd-trim-min Minute of the hour on which to run SSD Trim (0 - 59, 60 for random). integer Minimum value: 0 Maximum value: 60
ssd-trim-weekday Day of week to run SSD Trim.
sunday: Sunday
monday: Monday
tuesday: Tuesday
wednesday: Wednesday
thursday: Thursday
friday: Friday
saturday: Saturday
option -
ssd-trim-date Date within a month to run ssd trim. integer Minimum value: 1 Maximum value: 31
admin-concurrent Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
enable: Enable admin concurrent login.
disable: Disable admin concurrent login.
option -
admin-lockout-threshold Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration. integer Minimum value: 1 Maximum value: 10
admin-lockout-duration Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts. integer Minimum value: 1 Maximum value: 2147483647
refresh Statistics refresh interval second(s) in GUI. integer Minimum value: 0 Maximum value: 4294967295
interval Dead gateway detection interval. integer Minimum value: 0 Maximum value: 4294967295
failtime Fail-time for server lost. integer Minimum value: 0 Maximum value: 4294967295
daily-restart Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
enable: Enable daily reboot of the FortiGate.
disable: Disable daily reboot of the FortiGate.
option -
restart-time Daily restart time (hh:mm). user Not Specified
radius-port RADIUS service port number. integer Minimum value: 1 Maximum value: 65535
admin-login-max Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100) integer Minimum value: 1 Maximum value: 100
remoteauthtimeout Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (1-300 sec, default = 5). integer Minimum value: 1 Maximum value: 300
ldapconntimeout Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500). integer Minimum value: 1 Maximum value: 300000
batch-cmdb Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
enable: Enable batch mode to execute in CMDB server.
disable: Disable batch mode to execute in CMDB server.
option -
multi-factor-authentication Enforce all login methods to require an additional authentication factor (default = optional).
optional: Do not enforce all login methods to require an additional authentication factor (controlled by user settings).
mandatory: Enforce all login methods to require an additional authentication factor.
option -
ssl-min-proto-version Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
SSLv3: SSLv3.
TLSv1: TLSv1.
TLSv1-1: TLSv1.1.
TLSv1-2: TLSv1.2.
TLSv1-3: TLSv1.3.
option -
autorun-log-fsck Enable/disable automatic log partition check after ungraceful shutdown.
enable: Enable automatic log partition check after ungraceful shutdown.
disable: Disable automatic log partition check after ungraceful shutdown.
option -
dst Enable/disable daylight saving time.
enable: Enable daylight saving time.
disable: Disable daylight saving time.
option -
timezone
traffic-priority Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
tos: IP TOS.
dscp: DSCP (DiffServ) DS.
option -
traffic-priority-level Default system-wide level of priority for traffic prioritization.
low: Low priority.
medium: Medium priority.
high: High priority.
option -
anti-replay Level of checking for packet replay and TCP sequence checking.
disable: Disable anti-replay check.
loose: Loose anti-replay check.
strict: Strict anti-replay check.
option -
send-pmtu-icmp Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.
enable: Enable sending of PMTU ICMP destination unreachable packet.
disable: Disable sending of PMTU ICMP destination unreachable packet.
option -
honor-df Enable/disable honoring of Don't-Fragment (DF) flag.
enable: Enable honoring of Don't-Fragment flag.
disable: Disable honoring of Don't-Fragment flag.
option -
revision-image-auto-backup Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
enable: Enable revision image backup automatically when upgrading image.
disable: Disable revision image backup automatically when upgrading image.
option -
revision-backup-on-logout Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
enable: Enable revision config backup automatically when logout.
disable: Disable revision config backup automatically when logout.
option -
management-vdom Management virtual domain name. string Maximum length: 31
hostname FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters. string Maximum length: 35
alias Alias for your FortiGate unit. string Maximum length: 35
strong-crypto Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.
enable: Enable strong crypto for HTTPS/SSH/TLS/SSL.
disable: Disable strong crypto for HTTPS/SSH/TLS/SSL.
option -
ssh-cbc-cipher Enable/disable CBC cipher for SSH access.
enable: Enable CBC cipher for SSH access.
disable: Disable CBC cipher for SSH access.
option -
ssh-hmac-md5 Enable/disable HMAC-MD5 for SSH access.
enable: Enable HMAC-MD5 for SSH access.
disable: Disable HMAC-MD5 for SSH access.
option -
ssh-kex-sha1 Enable/disable SHA1 key exchange for SSH access.
enable: Enable SHA1 for SSH key exchanges.
disable: Disable SHA1 for SSH key exchanges.
option -
ssh-mac-weak Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
enable: Enable HMAC-SHA1 and UMAC-64-ETM for SSH access.
disable: Disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
option -
ssl-static-key-ciphers Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
enable: Enable static key ciphers in SSL/TLS connections.
disable: Disable static key ciphers in SSL/TLS connections.
option -
snat-route-change Enable/disable the ability to change the static NAT route.
enable: Enable SNAT route change.
disable: Disable SNAT route change.
option -
cli-audit-log Enable/disable CLI audit log.
enable: Enable CLI audit log.
disable: Disable CLI audit log.
option -
dh-params Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
1024: 1024 bits.
1536: 1536 bits.
2048: 2048 bits.
3072: 3072 bits.
4096: 4096 bits.
6144: 6144 bits.
8192: 8192 bits.
option -
fds-statistics Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
enable: Enable FortiGuard statistics.
disable: Disable FortiGuard statistics.
option -
fds-statistics-period FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60). integer Minimum value: 1 Maximum value: 1440
tcp-option Enable SACK, timestamp and MSS TCP options.
enable: Enable TCP option.
disable: Disable TCP option.
option -
lldp-transmission Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
enable: Enable transmission of Link Layer Discovery Protocol (LLDP).
disable: Disable transmission of Link Layer Discovery Protocol (LLDP).
option -
lldp-reception Enable/disable Link Layer Discovery Protocol (LLDP) reception.
enable: Enable reception of Link Layer Discovery Protocol (LLDP).
disable: Disable reception of Link Layer Discovery Protocol (LLDP).
option -
proxy-auth-timeout Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10). integer Minimum value: 1 Maximum value: 300
proxy-re-authentication-mode Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
session: Proxy re-authentication timeout begins at the closure of the session.
traffic: Proxy re-authentication timeout begins after traffic has not been received.
absolute: Proxy re-authentication timeout begins when the user was first created.
option -
proxy-auth-lifetime Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
enable: Enable authenticated users lifetime control.
disable: Disable authenticated users lifetime control.
option -
proxy-auth-lifetime-timeout Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)). integer Minimum value: 5 Maximum value: 65535
sys-perf-log-interval Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled). integer Minimum value: 0 Maximum value: 15
check-protocol-header Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
loose: Check protocol header loosely.
strict: Check protocol header strictly.
option -
vip-arp-range Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
unlimited: Send ARPs for all addresses in VIP range.
restricted: Send ARPs for the first 8192 addresses in VIP range.
option -
reset-sessionless-tcp Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
enable: Enable reset session-less TCP.
disable: Disable reset session-less TCP.
option -
allow-traffic-redirect Disable to allow traffic to be routed back on a different interface.
enable: Enable allow traffic redirect.
disable: Disable allow traffic redirect.
option -
strict-dirty-session-check Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
enable: Enable strict dirty-session check.
disable: Disable strict dirty-session check.
option -
tcp-halfclose-timer Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120). integer Minimum value: 1 Maximum value: 86400
tcp-halfopen-timer Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10). integer Minimum value: 1 Maximum value: 86400
tcp-timewait-timer Length of the TCP TIME-WAIT state in seconds. integer Minimum value: 0 Maximum value: 300
udp-idle-timer UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60). integer Minimum value: 1 Maximum value: 86400
block-session-timer Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30). integer Minimum value: 1 Maximum value: 300
ip-src-port-range IP source port range used for traffic originating from the FortiGate unit. user Not Specified
pre-login-banner Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
enable: Enable pre-login banner.
disable: Disable pre-login banner.
option -
post-login-banner Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
disable: Disable post-login banner.
enable: Enable post-login banner.
option -
tftp Enable/disable TFTP.
enable: Enable TFTP.
disable: Disable TFTP.
option -
av-failopen Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
pass: Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
off: Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
one-shot: Bypass the antivirus system when memory is low.
option -
av-failopen-session When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
enable: Enable AV fail open session option.
disable: Disable AV fail open session option.
option -
memory-use-threshold-extreme Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95). integer Minimum value: 70 Maximum value: 97
memory-use-threshold-red Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88). integer Minimum value: 70 Maximum value: 97
memory-use-threshold-green Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82). integer Minimum value: 70 Maximum value: 97
cpu-use-threshold Threshold at which CPU usage is reported. (% of total CPU, default = 90). integer Minimum value: 50 Maximum value: 99
check-reset-range Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
strict: Check RST range strictly.
disable: Disable RST range check.
option -
vdom-mode Enable/disable support for split/multiple virtual domains (VDOMs).
no-vdom: Disable split/multiple VDOMs mode.
split-vdom: Enable split VDOMs mode.
multi-vdom: Enable multiple VDOMs mode.
option -
long-vdom-name Enable/disable long VDOM name support.
enable: Enable long VDOM name support.
disable: Disable long VDOM name support.
option -
edit-vdom-prompt Enable/disable edit new VDOM prompt.
enable: Enable edit new VDOM prompt.
disable: Disable edit new VDOM prompt.
option -
admin-port Administrative access port for HTTP. (1 - 65535, default = 80). integer Minimum value: 1 Maximum value: 65535
admin-sport Administrative access port for HTTPS. (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
admin-https-redirect Enable/disable redirection of HTTP administration access to HTTPS.
enable: Enable redirecting HTTP administration access to HTTPS.
disable: Disable redirecting HTTP administration access to HTTPS.
option -
admin-hsts-max-age HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0. integer Minimum value: 0 Maximum value: 2147483647
admin-ssh-password Enable/disable password authentication for SSH admin access.
enable: Enable password authentication for SSH admin access.
disable: Disable password authentication for SSH admin access.
option -
admin-restrict-local Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
enable: Enable local admin authentication restriction.
disable: Disable local admin authentication restriction.
option -
admin-ssh-port Administrative access port for SSH. (1 - 65535, default = 22). integer Minimum value: 1 Maximum value: 65535
admin-ssh-grace-time Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120). integer Minimum value: 10 Maximum value: 3600
admin-ssh-v1 Enable/disable SSH v1 compatibility.
enable: Enable SSH v1 compatibility.
disable: Disable SSH v1 compatibility.
option -
admin-telnet Enable/disable TELNET service.
enable: Enable TELNET service.
disable: Disable TELNET service.
option -
admin-telnet-port Administrative access port for TELNET. (1 - 65535, default = 23). integer Minimum value: 1 Maximum value: 65535
default-service-source-port Default service source port range. (default=1-65535) user Not Specified
admin-maintainer Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.
enable: Enable login for special user (maintainer).
disable: Disable login for special user (maintainer).
option -
admin-server-cert Server certificate that the FortiGate uses for HTTPS administrative connections. string Maximum length: 35
user-server-cert Certificate to use for https user authentication. string Maximum length: 35
admin-https-pki-required Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
enable: Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access.
disable: Admin users can login by providing a valid certificate or password.
option -
wifi-certificate Certificate to use for WiFi authentication. string Maximum length: 35
wifi-ca-certificate CA certificate that verifies the WiFi certificate. string Maximum length: 79
auth-http-port User authentication HTTP port. (1 - 65535, default = 1000). integer Minimum value: 1 Maximum value: 65535
auth-https-port User authentication HTTPS port. (1 - 65535, default = 1003). integer Minimum value: 1 Maximum value: 65535
auth-keepalive Enable to prevent user authentication sessions from timing out when idle.
enable: Enable use of keep alive to extend authentication.
disable: Disable use of keep alive to extend authentication.
option -
policy-auth-concurrent Number of concurrent firewall use logins from the same user (1 - 100, default = 0 means no limit). integer Minimum value: 0 Maximum value: 100
auth-session-limit Action to take when the number of allowed user authenticated sessions is reached.
block-new: Block new user authentication attempts.
logout-inactive: Logout the most inactive user authenticated sessions.
option -
auth-cert Server certificate that the FortiGate uses for HTTPS firewall authentication connections. string Maximum length: 35
clt-cert-req Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
enable: Enable require client certificate for GUI login.
disable: Disable require client certificate for GUI login.
option -
fortiservice-port FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port. integer Minimum value: 1 Maximum value: 65535
cfg-save Configuration file save mode for CLI changes.
automatic: Automatically save config.
manual: Manually save config.
revert: Manually save config and revert the config when timeout.
option -
cfg-revert-timeout Time-out for reverting to the last saved configuration. (10 - 4294967295 seconds, default = 600). integer Minimum value: 10 Maximum value: 4294967295
reboot-upon-config-restore Enable/disable reboot of system upon restoring configuration.
enable: Enable reboot of system upon restoring configuration.
disable: Disable reboot of system upon restoring configuration.
option -
admin-scp Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
enable: Enable allow system configuration download by SCP.
disable: Disable allow system configuration download by SCP.
option -
security-rating-result-submission Enable/disable the submission of Security Rating results to FortiGuard.
enable: Enable submission of Security Rating results to FortiGuard.
disable: Disable submission of Security Rating results to FortiGuard.
option -
security-rating-run-on-schedule Enable/disable scheduled runs of Security Rating.
enable: Enable scheduled runs of Security Rating.
disable: Disable scheduled runs of Security Rating.
option -
wireless-controller Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
enable: Enable wireless controller.
disable: Disable wireless controller.
option -
wireless-controller-port Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246). integer Minimum value: 1024 Maximum value: 49150
fortiextender-data-port FortiExtender data port (1024 - 49150, default = 25246). integer Minimum value: 1024 Maximum value: 49150
fortiextender Enable/disable FortiExtender.
disable: Disable FortiExtender controller.
enable: Enable FortiExtender controller.
option -
fortiextender-vlan-mode Enable/disable FortiExtender VLAN mode.
enable: Enable FortiExtender VLAN mode.
disable: Disable FortiExtender VLAN mode.
option -
switch-controller Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
disable: Disable switch controller feature.
enable: Enable switch controller feature.
option -
switch-controller-reserved-network Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled. ipv4-classnet Not Specified
dnsproxy-worker-count DNS proxy worker count. integer Minimum value: 1 Maximum value: 40
url-filter-count URL filter daemon count. integer Minimum value: 1 Maximum value: 4
proxy-worker-count Proxy worker count. integer Minimum value: 1 Maximum value: 40
scanunit-count Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. integer Minimum value: 2 Maximum value: 40
proxy-hardware-acceleration Enable/disable email proxy hardware acceleration.
disable: Disable email proxy hardware acceleration.
enable: Enable email proxy hardware acceleration.
option -
fgd-alert-subscription Type of alert to retrieve from FortiGuard.
advisory: Retrieve FortiGuard advisories, report and news alerts.
latest-threat: Retrieve latest FortiGuard threats alerts.
latest-virus: Retrieve latest FortiGuard virus alerts.
latest-attack: Retrieve latest FortiGuard attack alerts.
new-antivirus-db: Retrieve FortiGuard AV database release alerts.
new-attack-db: Retrieve FortiGuard IPS database release alerts.
option -
ipsec-hmac-offload Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
enable: Enable offload IPsec HMAC processing to hardware if possible.
disable: Disable offload IPsec HMAC processing to hardware.
option -
ipv6-accept-dad Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD). integer Minimum value: 0 Maximum value: 2
ipv6-allow-anycast-probe Enable/disable IPv6 address probe through Anycast.
enable: Enable probing of IPv6 address space through Anycast
disable: Disable probing of IPv6 address space through Anycast
option -
csr-ca-attribute Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
enable: Enable CA attribute in CSR.
disable: Disable CA attribute in CSR.
option -
wimax-4g-usb Enable/disable comparability with WiMAX 4G USB devices.
enable: Enable WiMax 4G.
disable: Disable WiMax 4G.
option -
cert-chain-max Maximum number of certificates that can be traversed in a certificate chain. integer Minimum value: 1 Maximum value: 2147483647
sslvpn-max-worker-count Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model. Default value of zero means the SSLVPN daemon decides the number of worker processes. integer Minimum value: 0 Maximum value: 40
sslvpn-kxp-hardware-acceleration Enable/disable SSL VPN KXP hardware acceleration.
enable: Enable KXP SSL-VPN hardware acceleration.
disable: Disable KXP SSL-VPN hardware acceleration.
option -
sslvpn-cipher-hardware-acceleration Enable/disable SSL VPN hardware acceleration.
enable: Enable SSL-VPN cipher hardware acceleration.
disable: Disable SSL-VPN cipher hardware acceleration.
option -
sslvpn-ems-sn-check Enable/disable verification of EMS serial number in SSL-VPN connection.
enable: Enable verification of EMS serial number in SSL-VPN connection.
disable: Disable verification of EMS serial number in SSL-VPN connection.
option -
sslvpn-plugin-version-check Enable/disable checking browser's plugin version by SSL VPN.
enable: Enable SSL-VPN automatic checking of browser plug-in version.
disable: Disable SSL-VPN automatic checking of browser plug-in version.
option -
two-factor-ftk-expiry FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60). integer Minimum value: 60 Maximum value: 600
two-factor-email-expiry Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60). integer Minimum value: 30 Maximum value: 300
two-factor-sms-expiry SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60). integer Minimum value: 30 Maximum value: 300
two-factor-fac-expiry FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60). integer Minimum value: 10 Maximum value: 3600
two-factor-ftm-expiry FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72). integer Minimum value: 1 Maximum value: 168
per-user-bwl Enable/disable per-user black/white list filter.
enable: Enable per-user black/white list filter.
disable: Disable per-user black/white list filter.
option -
wad-worker-count Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit. integer Minimum value: 0 Maximum value: 40
wad-csvc-cs-count Number of concurrent WAD-cache-service object-cache processes. integer Minimum value: 1 Maximum value: 1
wad-csvc-db-count Number of concurrent WAD-cache-service byte-cache processes. integer Minimum value: 0 Maximum value: 40
wad-source-affinity Enable/disable dispatching traffic to WAD workers based on source affinity.
disable: Disable dispatching traffic to WAD workers based on source affinity.
enable: Enable dispatching traffic to WAD workers based on source affinity.
option -
wad-memory-change-granularity Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection. integer Minimum value: 5 Maximum value: 25
login-timestamp Enable/disable login time recording.
enable: Enable login time recording.
disable: Disable login time recording.
option -
miglogd-children Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed. integer Minimum value: 0 Maximum value: 15
special-file-23-support Enable/disable detection of those special format files when using Data Leak Protection.
disable: Disable detection of those special format files when using Data Leak Protection.
enable: Enable detection of those special format files when using Data Leak Protection.
option -
log-uuid-address Enable/disable insertion of address UUIDs to traffic logs.
enable: Enable insertion of address UUID to traffic logs.
disable: Disable insertion of address UUID to traffic logs.
option -
log-ssl-connection Enable/disable logging of SSL connection events.
enable: Enable logging of SSL connection events.
disable: Disable logging of SSL connection events.
option -
arp-max-entry Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072). integer Minimum value: 131072 Maximum value: 2147483647
av-affinity Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). string Maximum length: 79
wad-affinity Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx). string Maximum length: 79
ips-affinity Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons). string Maximum length: 79
miglog-affinity Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx). string Maximum length: 19
url-filter-affinity URL filter CPU affinity. string Maximum length: 79
ndp-max-entry Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries). integer Minimum value: 65536 Maximum value: 2147483647
br-fdb-max-entry Maximum number of bridge forwarding database (FDB) entries. integer Minimum value: 8192 Maximum value: 2147483647
max-route-cache-size Maximum number of IP route cache entries (0 - 2147483647). integer Minimum value: 0 Maximum value: 2147483647
ipsec-asic-offload Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
enable: Enable ASIC offload for IPsec VPN.
disable: Disable ASIC offload for IPsec VPN.
option -
ipsec-soft-dec-async Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
enable: Enable software decryption asynchronization for IPsec VPN.
disable: Disable software decryption asynchronization for IPsec VPN.
option -
device-idle-timeout Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300). integer Minimum value: 30 Maximum value: 31536000
user-device-store-max-devices Maximum number of devices allowed in user device store. integer Minimum value: 337994 Maximum value: 965697
user-device-store-max-users Maximum number of users allowed in user device store. integer Minimum value: 337994 Maximum value: 965697
gui-device-latitude Add the latitude of the location of this FortiGate to position it on the Threat Map. string Maximum length: 19
gui-device-longitude Add the longitude of the location of this FortiGate to position it on the Threat Map. string Maximum length: 19
private-data-encryption Enable/disable private data encryption using an AES 128-bit key.
disable: Disable private data encryption using an AES 128-bit key.
enable: Enable private data encryption using an AES 128-bit key.
option -
auto-auth-extension-device Enable/disable automatic authorization of dedicated Fortinet extension devices.
enable: Enable automatic authorization of dedicated Fortinet extension device globally.
disable: Disable automatic authorization of dedicated Fortinet extension device globally.
option -
gui-theme Color scheme for the administration GUI.
green: Green theme.
neutrino: Neutrino theme.
blue: Light blue theme.
melongene: Melongene theme (eggplant color).
mariner: Mariner theme (dark blue color).
option -
gui-date-format Default date format used throughout GUI.
yyyy/MM/dd: Year/Month/Day.
dd/MM/yyyy: Day/Month/Year.
MM/dd/yyyy: Month/Day/Year.
yyyy-MM-dd: Year-Month-Day.
dd-MM-yyyy: Day-Month-Year.
MM-dd-yyyy: Month-Day-Year.
option -
gui-date-time-source Source from which the FortiGate GUI uses to display date and time entries.
system: Use this FortiGate unit's configured timezone.
browser: Use the web browser's timezone.
option -
igmp-state-limit Maximum number of IGMP memberships (96 - 64000, default = 3200). integer Minimum value: 96 Maximum value: 128000
cloud-communication Enable/disable all cloud communication.
enable: Allow cloud communication.
disable: Disable all cloud communication.
option -
fec-port Local UDP port for Forward Error Correction (49152 - 65535). integer Minimum value: 49152 Maximum value: 65535
fortitoken-cloud Enable/disable FortiToken Cloud service.
enable: Enable FortiToken Cloud service.
disable: Disable FortiToken Cloud service.
option -
faz-disk-buffer-size Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailalble. integer Minimum value: 0 Maximum value: 161061273
irq-time-accounting Configure CPU IRQ time accounting mode.
auto: Automatically switch CPU accounting mode.
force: Force the use of CPU IRQ time accounting mode.
option -
fortiipam-integration Enable/disable integration with the FortiIPAM cloud service.
enable: Enable integration with FortiIPAM for automatic IP address management.
disable: Disable integration with FortiIPAM for automatic IP address management.
option -