language

GUI display language.

option

gui-ipv6

Enable/disable IPv6 settings on the GUI.

option

gui-certificates

Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.

option

gui-custom-language

Enable/disable custom languages in GUI.

option

gui-wireless-opensecurity

Enable/disable wireless open security option on the GUI.

option

gui-display-hostname

Enable/disable displaying the FortiGate's hostname on the GUI login page.

option

gui-fortisandbox-cloud

Enable/disable displaying FortiSandbox Cloud on the GUI.

option

gui-firmware-upgrade-warning

Enable/disable the firmware upgrade warning on the GUI.

option

gui-allow-default-hostname

Enable/disable the factory default hostname warning on the GUI setup wizard.

option

gui-forticare-registration-setup-warning

Enable/disable the FortiCare registration setup warning on the GUI.

option

admin-https-ssl-versions

Allowed TLS versions for web administration.

option

admintimeout

Number of minutes before an idle administrator session times out (1 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.

integer

admin-console-timeout

Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout.

integer

ssd-trim-freq

How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.

option

ssd-trim-hour

Hour of the day on which to run SSD Trim (0 - 23, default = 1).

integer

ssd-trim-min

Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).

integer

ssd-trim-weekday

Day of week to run SSD Trim.

option

ssd-trim-date

Date within a month to run ssd trim.

integer

admin-concurrent

Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)

option

admin-lockout-threshold

Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

integer

admin-lockout-duration

Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

integer

refresh

Statistics refresh interval second(s) in GUI.

integer

interval

Dead gateway detection interval.

integer

failtime

Fail-time for server lost.

integer

daily-restart

Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.

option

restart-time

Daily restart time (hh:mm).

user

radius-port

RADIUS service port number.

integer

admin-login-max

Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)

integer

remoteauthtimeout

Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (1-300 sec, default = 5).

integer

ldapconntimeout

Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).

integer

batch-cmdb

Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.

option

multi-factor-authentication

Enforce all login methods to require an additional authentication factor (default = optional).

option

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).

option

autorun-log-fsck

Enable/disable automatic log partition check after ungraceful shutdown.

option

dst

Enable/disable daylight saving time.

option

timezone

Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.

option

traffic-priority

Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.

option

traffic-priority-level

Default system-wide level of priority for traffic prioritization.

option

anti-replay

Level of checking for packet replay and TCP sequence checking.

option

send-pmtu-icmp

Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.

option

honor-df

Enable/disable honoring of Don't-Fragment (DF) flag.

option

revision-image-auto-backup

Enable/disable back-up of the latest configuration revision after the firmware is upgraded.

option

revision-backup-on-logout

Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.

option

management-vdom

Management virtual domain name.

string

hostname

FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.

string

alias

Alias for your FortiGate unit.

string

strong-crypto

Enable to use strong encryption and only allow strong ciphers (AES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.

option

ssh-cbc-cipher

Enable/disable CBC cipher for SSH access.

option

ssh-hmac-md5

Enable/disable HMAC-MD5 for SSH access.

option

ssh-kex-sha1

Enable/disable SHA1 key exchange for SSH access.

option

ssh-mac-weak

Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.

option

ssl-static-key-ciphers

Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).

option

snat-route-change

Enable/disable the ability to change the static NAT route.

option

cli-audit-log

Enable/disable CLI audit log.

option

dh-params

Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.

option

fds-statistics

Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.

option

fds-statistics-period

FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).

integer

tcp-option

Enable SACK, timestamp and MSS TCP options.

option

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

proxy-auth-timeout

Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).

integer

proxy-re-authentication-mode

Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.

option

proxy-auth-lifetime

Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.

option

proxy-auth-lifetime-timeout

Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).

integer

sys-perf-log-interval

Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).

integer

check-protocol-header

Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.

option

vip-arp-range

Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.

option

reset-sessionless-tcp

Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.

option

allow-traffic-redirect

Disable to allow traffic to be routed back on a different interface.

option

strict-dirty-session-check

Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.

option

tcp-halfclose-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).

integer

tcp-halfopen-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).

integer

tcp-timewait-timer

Length of the TCP TIME-WAIT state in seconds.

integer

udp-idle-timer

UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).

integer

block-session-timer

Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).

integer

ip-src-port-range

IP source port range used for traffic originating from the FortiGate unit.

user

pre-login-banner

Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.

option

post-login-banner

Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.

option

tftp

Enable/disable TFTP.

option

av-failopen

Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.

option

av-failopen-session

When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.

option

memory-use-threshold-extreme

Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).

integer

memory-use-threshold-red

Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).

integer

memory-use-threshold-green

Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).

integer

cpu-use-threshold

Threshold at which CPU usage is reported. (% of total CPU, default = 90).

integer

check-reset-range

Configure ICMP error message verification. You can either apply strict RST range checking or disable it.

option

vdom-mode

Enable/disable support for split/multiple virtual domains (VDOMs).

option

long-vdom-name

Enable/disable long VDOM name support.

option

edit-vdom-prompt

Enable/disable edit new VDOM prompt.

option

admin-port

Administrative access port for HTTP. (1 - 65535, default = 80).

integer

admin-sport

Administrative access port for HTTPS. (1 - 65535, default = 443).

integer

admin-https-redirect

Enable/disable redirection of HTTP administration access to HTTPS.

option

admin-hsts-max-age

HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0.

integer

admin-ssh-password

Enable/disable password authentication for SSH admin access.

option

admin-restrict-local

Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)

option

admin-ssh-port

Administrative access port for SSH. (1 - 65535, default = 22).

integer

admin-ssh-grace-time

Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).

integer

admin-ssh-v1

Enable/disable SSH v1 compatibility.

option

admin-telnet

Enable/disable TELNET service.

option

admin-telnet-port

Administrative access port for TELNET. (1 - 65535, default = 23).

integer

default-service-source-port

Default service source port range. (default=1-65535)

user

admin-maintainer

Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.

option

admin-server-cert

Server certificate that the FortiGate uses for HTTPS administrative connections.

string

user-server-cert

Certificate to use for https user authentication.

string

admin-https-pki-required

Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.

option

wifi-certificate

Certificate to use for WiFi authentication.

string

wifi-ca-certificate

CA certificate that verifies the WiFi certificate.

string

auth-http-port

User authentication HTTP port. (1 - 65535, default = 1000).

integer

auth-https-port

User authentication HTTPS port. (1 - 65535, default = 1003).

integer

auth-keepalive

Enable to prevent user authentication sessions from timing out when idle.

option

policy-auth-concurrent

Number of concurrent firewall use logins from the same user (1 - 100, default = 0 means no limit).

integer

auth-session-limit

Action to take when the number of allowed user authenticated sessions is reached.

option

auth-cert

Server certificate that the FortiGate uses for HTTPS firewall authentication connections.

string

clt-cert-req

Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.

option

fortiservice-port

FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.

integer

cfg-save

Configuration file save mode for CLI changes.

option

cfg-revert-timeout

Time-out for reverting to the last saved configuration. (10 - 4294967295 seconds, default = 600).

integer

reboot-upon-config-restore

Enable/disable reboot of system upon restoring configuration.

option

admin-scp

Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.

option

security-rating-result-submission

Enable/disable the submission of Security Rating results to FortiGuard.

option

security-rating-run-on-schedule

Enable/disable scheduled runs of Security Rating.

option

wireless-controller

Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.

option

wireless-controller-port

Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).

integer

fortiextender-data-port

FortiExtender data port (1024 - 49150, default = 25246).

integer

fortiextender

Enable/disable FortiExtender.

option

fortiextender-vlan-mode

Enable/disable FortiExtender VLAN mode.

option

switch-controller

Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.

option

switch-controller-reserved-network

Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.

ipv4-classnet

dnsproxy-worker-count

DNS proxy worker count. For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs.

integer

url-filter-count

URL filter daemon count.

integer

proxy-worker-count

Proxy worker count.

integer

scanunit-count

Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.

integer

proxy-hardware-acceleration

Enable/disable email proxy hardware acceleration.

option

fgd-alert-subscription

Type of alert to retrieve from FortiGuard.

option

ipsec-hmac-offload

Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.

option

ipv6-accept-dad

Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).

integer

ipv6-allow-anycast-probe

Enable/disable IPv6 address probe through Anycast.

option

csr-ca-attribute

Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.

option

wimax-4g-usb

Enable/disable comparability with WiMAX 4G USB devices.

option

cert-chain-max

Maximum number of certificates that can be traversed in a certificate chain.

integer

sslvpn-max-worker-count

Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model. Default value of zero means the SSLVPN daemon decides the number of worker processes.

integer

sslvpn-kxp-hardware-acceleration

Enable/disable SSL VPN KXP hardware acceleration.

option

sslvpn-cipher-hardware-acceleration

Enable/disable SSL VPN hardware acceleration.

option

sslvpn-ems-sn-check

Enable/disable verification of EMS serial number in SSL-VPN connection.

option

sslvpn-plugin-version-check

Enable/disable checking browser's plugin version by SSL VPN.

option

two-factor-ftk-expiry

FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).

integer

two-factor-email-expiry

Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).

integer

two-factor-sms-expiry

SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).

integer

two-factor-fac-expiry

FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).

integer

two-factor-ftm-expiry

FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).

integer

per-user-bwl

Enable/disable per-user black/white list filter.

option

wad-worker-count

Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.

integer

wad-csvc-cs-count

Number of concurrent WAD-cache-service object-cache processes.

integer

wad-csvc-db-count

Number of concurrent WAD-cache-service byte-cache processes.

integer

wad-source-affinity

Enable/disable dispatching traffic to WAD workers based on source affinity.

option

wad-memory-change-granularity

Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.

integer

login-timestamp

Enable/disable login time recording.

option

miglogd-children

Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.

integer

special-file-23-support

Enable/disable detection of those special format files when using Data Leak Protection.

option

log-uuid-address

Enable/disable insertion of address UUIDs to traffic logs.

option

log-ssl-connection

Enable/disable logging of SSL connection events.

option

arp-max-entry

Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).

integer

av-affinity

Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

wad-affinity

Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

ips-affinity

Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).

string

miglog-affinity

Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).

string

url-filter-affinity

URL filter CPU affinity.

string

ndp-max-entry

Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).

integer

br-fdb-max-entry

Maximum number of bridge forwarding database (FDB) entries.

integer

max-route-cache-size

Maximum number of IP route cache entries (0 - 2147483647).

integer

ipsec-asic-offload

Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.

option

ipsec-soft-dec-async

Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.

option

device-idle-timeout

Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).

integer

user-device-store-max-devices

Maximum number of devices allowed in user device store.

integer

user-device-store-max-users

Maximum number of users allowed in user device store.

integer

gui-device-latitude

Add the latitude of the location of this FortiGate to position it on the Threat Map.

string

gui-device-longitude

Add the longitude of the location of this FortiGate to position it on the Threat Map.

string

private-data-encryption

Enable/disable private data encryption using an AES 128-bit key.

option

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension devices.

option

gui-theme

Color scheme for the administration GUI.

option

gui-date-format

Default date format used throughout GUI.

option

gui-date-time-source

Source from which the FortiGate GUI uses to display date and time entries.

option

igmp-state-limit

Maximum number of IGMP memberships (96 - 64000, default = 3200).

integer

cloud-communication

Enable/disable all cloud communication.

option

fec-port

Local UDP port for Forward Error Correction (49152 - 65535).

integer

fortitoken-cloud

Enable/disable FortiToken Cloud service.

option

faz-disk-buffer-size

Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailalble.

integer

irq-time-accounting

Configure CPU IRQ time accounting mode.

option

fortiipam-integration

Enable/disable integration with the FortiIPAM cloud service.

option