Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiADC 7.6.5 CLI Reference
    7.6.5
    8.0.2
    8.0.1
    8.0.0
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config system global

    config system global

    Use this command to manage system settings.

    Before you begin:
    • You must have read-write permission for system settings.

    Syntax

    config system global

    set admin-idle-timeout <integer>

    set admin-lockout-duration <integer>

    set admin-lockout-threshold <integer>

    set advanced-bot-status {enable|disable}

    set config-sync {enable|disable}

    set default-certificate <certname>

    set hardware-ssl {enable|disable}

    set hostname <string>

    set language {english|chinese-simplified}

    set port-http <integer>

    set port-https <integer>

    set port-ssh <integer>

    set port-telnet <integer>

    set share-ip-address {enable|disable}

    set snat-match-local-traffics {enable|disable}

    set ipvs-fullnat-min-port <integer>

    set ipvs-fullnat-max-port <integer>

    set snat-min-port <integer>

    set snat-max-port <integer>

    set socket-min-port <integer>

    set socket-max-port <integer>

    set ssh-cbc-cipher {enable|disable}

    set ssh-hmac-md5 {enable|disable}

    set vdom-admin {enable|disable}

    set vdom-mode {independent-network|share-network}

    set admin-bypass-vdom-check {enable|disable}

    set pre-login-banner {enable|disable}

    set sync-slb-statistics {enable|disable}

    set shell-access {enable|disable}

    set shell-username <username>

    set shell-password <password>

    set shell-timeout <integer>

    set threat-analytics {enable|disable}

    set owasp-compliance {enable|disable}

    set fds-statistics {enable|disable}

    set fds-statistics-period <integer>

    set lldp-reception {enable|disable}

    set lldp-transmission {enable|disable}

    end

    admin-idle-timeout

    Log out an idle administrator session. The default is 30 minutes.

    admin-lockout-duration

    Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

    The default is 60 seconds. The valid range is 1 to 2147483647 seconds.

    admin-lockout-threshold

    Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

    The default is 3. The valid range is 1 to 10.

    It is recommended to keep the number of allowable attempts lower as increasing the number of retry attempts elevates the risk of unauthorized individuals successfully guessing the password.

    advanced-bot-status

    Enable/disable the Advanced Bot Protection Fabric Connector.

    Once enabled and successfully connected, the config security waf advanced-bot-protection command becomes available to configure the Advanced Bot Protection policy. See config security waf advanced-bot-protection.

    If you want to disable the Advanced Bot Protection connector, the following settings will be impacted:

    • Advanced Bot Protection policies will not be able to be created or edited, however, but can be deleted via CLI.
    • Existing ABP policies can be seen and deleted through CLI only.
    • In the WAF Profile configuration, the Advanced Bot Protection option can only be set through CLI.

    For more information, see the Handbook topic about Advanced Bot Protection.

    config-sync

    		 Enable/disable the configuration synchronization feature. This feature is related to the execute config-sync command, not HA synchronization. Disabled by default.

    default-certificate

    The default is Factory.

    hardware-ssl

    Enable/disable hardware SSL acceleration. The setting has no effect on FortiADC-VM.

    hostname

    You can configure a hostname to facilitate system management. If you use SNMP, for example, the SNMP system name is derived from the configured hostname.

    The hostname can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces and special characters.

    The System Information widget and the get system status CLI command display the full hostname. If the hostname is longer than 16 characters, the name is truncated and ends with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed.

    language

    English or Simplified Chinese.

    port-http

    Specify the port for the HTTP service. Usually, HTTP uses port 80.

    port-https

    Specify the port for the HTTPS service. Usually, HTTPS uses port 443.

    port-ssh

    Specify the port for the SSH service. Usually, SSH uses port 22.

    port-telnet

    Specify the port for the Telnet service. Usually, Telnet uses port 25.

    share-ip-address

    Enable this option to share NAT IP pools/addresses between L4, L7 virtual servers, and SNAT policy.

    Once enabled, SNAT across the firewall, L4 VS and L7 VS can use the same IP address, but with different port ranges that can be customized.

    snat-match-local-traffics

    If share-ip-address is enabled, snat-match-local-traffics becomes configurable.

    Enable/disable the SNAT rule to match with the local traffic.

    ipvs-fullnat-min-port

    If share-ip-address is enabled, ipvs-fullnat-min-port becomes configurable.

    Specify the L4 VS FULLNAT port range minimum.

    ipvs-fullnat-max-port

    If share-ip-address is enabled, ipvs-fullnat-max-port becomes configurable.

    Specify the L4 VS FULLNAT port range maximum.

    snat-min-port

    If share-ip-address is enabled, snat-min-port becomes configurable.

    Specify the SNAT port range minimum.

    snat-max-port

    If share-ip-address is enabled, snat-max-port becomes configurable.

    Specify the SNAT port rang maximum.

    socket-min-port

    If share-ip-address is enabled, socket-min-port becomes configurable.

    Specify the L7 VS port range minimum.

    socket-max-port

    If share-ip-address is enabled, socket-max-port becomes configurable.

    Specify the L7 VS port range maximum.

    ssh-cbc-cipher

    		 Disabled by default. Enable if you want to use this cipher.

    ssh-hmac-md5

    		 Disabled by default. Enable if you want to use this cipher.

    vdom-admin

    Enables the virtual domain feature.

    vdom-mode

    The vdom-mode option becomes available if vdom-admin is enabled.

    Select either of the following virtual domain modes:

    • independent-network — each VDOM functions independently within its own network, unaffected by activity from other VDOMs on the system.
    • share-network — VDOMs function as administrative domains (ADOMs), sharing the same network interface and routing between all ADOMs. There are different CLI functions available to administrators of the root ADOM and non-root ADOM. For more information, see Appendix A: Virtual domains.

    admin-bypass-vdom-check

    The admin-bypass-vdom-check option is available if vdom-admin is enabled and the vdom-mode is independent-network.

    Once enabled, all non-root VDOM administrators can login through the root VDOM interface without needing root VDOM privileges. From the root VDOM interface, the non-root VDOM administrator can access and modify the settings relating to their designated non-root VDOM.

    This is disabled by default.

    Note: When the Admin Bypass VDOM Check is enabled, admin event logs are recorded solely under the root VDOM, regardless of the VDOM assigned to the user. This is due to the way the log API handles event logging, allowing event logging for only one VDOM at a time.

    pre-login-banner

    Enables the pre-login banner feature.

    sync-slb-statistics

    Enable/disable the statistic data between the SLB and GLB.

    shell-access

    Enable/disable the shell access. This is disabled by default.

    shell-username

    Specify the username to login to the shell.

    shell-password

    Specify the password to access the shell.

    shell-timeout

    The expire time, in minutes, after the shell access is enabled. (Range: 1-1200 minutes).

    threat-analytics

    Enable/disable the Threat Analytics connector.

    If you do not already have a license for the Fortinet AI Threat Analytic service, FortiADC offers a 14-day Evaluation license to evaluate the Fortinet AI Threat Analytics service. During this 14-day trial period, you can disable and re-enable AI Threat Analytics anytime. The 14-day trial period starts from the first time AI Threat Analytics is enabled.

    For more information about the AI Threat Analytics integration with FortiADC, see the FortiADC Handbook topic on AI Threat Analytics.

    owasp-compliance

    Enable OWASP Top10 Compliance to view the security compliance rate for each SLB virtual server in FortiView.

    This is disabled by default.

    fds-statistics

    		 Enable or disable FortiADC detection statistics upload to FortiGuard. This is enabled by default.

    fds-statistics-period

    Specify the FortiGuard statistics collection period in minutes. The default value is 60 minutes, and the valid range is 1-1440 minutes.

    lldp-reception

    Controls whether Link Layer Discovery Protocol (LLDP) packet reception is globally enabled or disabled across all VDOMs. Select from the following options:

    • enable — Explicitly enables LLDP packet reception globally, allowing FortiADC to process LLDP frames from all directly connected devices across all VDOMs.

    • disable — Explicitly disables LLDP packet reception globally, preventing FortiADC from processing any incoming LLDP frames, regardless of VDOM configurations.

    Global LLDP packet reception is disabled by default.

    lldp-transmission

    Controls whether Link Layer Discovery Protocol (LLDP) packet transmission is globally enabled or disabled across all VDOMs. Select from the following options:

    • enable — Explicitly enables LLDP packet transmission globally, allowing FortiADC to send LLDP packets containing identity and capability information to all directly connected devices across all VDOMs.

    • disable — Explicitly disables LLDP packet transmission globally, preventing FortiADC from transmitting any LLDP packets, regardless of VDOM configurations.

    Global LLDP packet transmission is disabled by default.

    Example

    FortiADC-VM # get system global
				default-certificate           : Factory
				hostname                      : FortiADC-VM
				vdom-admin                    : disable
				admin-idle-timeout            : 480
				admin-lockout-duration	      : 60
				admin-lockout-threshold       : 3
				port-http                     : 80
				port-https                    : 443
				port-ssh                      : 22
				port-telnet                   : 23
				share-ip-address	      : enable
				snat-match-local-traffics     : enable
				ipvs-fullnat-min-port	      : 5000
				ipvs-fullnat-max-port	      : 21846
				snat-min-port		      : 21847
				snat-max-port		      : 43690
				socket-min-port		      : 43691
				socket-max-port		      : 65535
				language                      : english
				hardware-ssl                  : enable
				gui-system                    : enable
				gui-router                    : enable
				gui-log                       : enable
				ssh-cbc-cipher                : disable
				ssh-hmac-md5                  : disable
				config-sync-enable            : disable
				pre-login-banner              : enable
				sync-slb-statistics	      : enable
				shell-access		      : enable
				shell-username		      : user
				shell-password		      : 123456
				shell-expire-time	      : 10
				threat-analytics	      : enable
                                owasp-compliance              : enable
                                fds-statistics                : enable
                                fds-statistics-period         : 60
                                lldp-reception                : disable
                                lldp-transmission             : disable
    Previous
    Next

    config system global

    config system global

    Use this command to manage system settings.

    Before you begin:
    • You must have read-write permission for system settings.

    Syntax

    config system global

    set admin-idle-timeout <integer>

    set admin-lockout-duration <integer>

    set admin-lockout-threshold <integer>

    set advanced-bot-status {enable|disable}

    set config-sync {enable|disable}

    set default-certificate <certname>

    set hardware-ssl {enable|disable}

    set hostname <string>

    set language {english|chinese-simplified}

    set port-http <integer>

    set port-https <integer>

    set port-ssh <integer>

    set port-telnet <integer>

    set share-ip-address {enable|disable}

    set snat-match-local-traffics {enable|disable}

    set ipvs-fullnat-min-port <integer>

    set ipvs-fullnat-max-port <integer>

    set snat-min-port <integer>

    set snat-max-port <integer>

    set socket-min-port <integer>

    set socket-max-port <integer>

    set ssh-cbc-cipher {enable|disable}

    set ssh-hmac-md5 {enable|disable}

    set vdom-admin {enable|disable}

    set vdom-mode {independent-network|share-network}

    set admin-bypass-vdom-check {enable|disable}

    set pre-login-banner {enable|disable}

    set sync-slb-statistics {enable|disable}

    set shell-access {enable|disable}

    set shell-username <username>

    set shell-password <password>

    set shell-timeout <integer>

    set threat-analytics {enable|disable}

    set owasp-compliance {enable|disable}

    set fds-statistics {enable|disable}

    set fds-statistics-period <integer>

    set lldp-reception {enable|disable}

    set lldp-transmission {enable|disable}

    end

    admin-idle-timeout

    Log out an idle administrator session. The default is 30 minutes.

    admin-lockout-duration

    Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

    The default is 60 seconds. The valid range is 1 to 2147483647 seconds.

    admin-lockout-threshold

    Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

    The default is 3. The valid range is 1 to 10.

    It is recommended to keep the number of allowable attempts lower as increasing the number of retry attempts elevates the risk of unauthorized individuals successfully guessing the password.

    advanced-bot-status

    Enable/disable the Advanced Bot Protection Fabric Connector.

    Once enabled and successfully connected, the config security waf advanced-bot-protection command becomes available to configure the Advanced Bot Protection policy. See config security waf advanced-bot-protection.

    If you want to disable the Advanced Bot Protection connector, the following settings will be impacted:

    • Advanced Bot Protection policies will not be able to be created or edited, however, but can be deleted via CLI.
    • Existing ABP policies can be seen and deleted through CLI only.
    • In the WAF Profile configuration, the Advanced Bot Protection option can only be set through CLI.

    For more information, see the Handbook topic about Advanced Bot Protection.

    config-sync

    		 Enable/disable the configuration synchronization feature. This feature is related to the execute config-sync command, not HA synchronization. Disabled by default.

    default-certificate

    The default is Factory.

    hardware-ssl

    Enable/disable hardware SSL acceleration. The setting has no effect on FortiADC-VM.

    hostname

    You can configure a hostname to facilitate system management. If you use SNMP, for example, the SNMP system name is derived from the configured hostname.

    The hostname can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces and special characters.

    The System Information widget and the get system status CLI command display the full hostname. If the hostname is longer than 16 characters, the name is truncated and ends with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed.

    language

    English or Simplified Chinese.

    port-http

    Specify the port for the HTTP service. Usually, HTTP uses port 80.

    port-https

    Specify the port for the HTTPS service. Usually, HTTPS uses port 443.

    port-ssh

    Specify the port for the SSH service. Usually, SSH uses port 22.

    port-telnet

    Specify the port for the Telnet service. Usually, Telnet uses port 25.

    share-ip-address

    Enable this option to share NAT IP pools/addresses between L4, L7 virtual servers, and SNAT policy.

    Once enabled, SNAT across the firewall, L4 VS and L7 VS can use the same IP address, but with different port ranges that can be customized.

    snat-match-local-traffics

    If share-ip-address is enabled, snat-match-local-traffics becomes configurable.

    Enable/disable the SNAT rule to match with the local traffic.

    ipvs-fullnat-min-port

    If share-ip-address is enabled, ipvs-fullnat-min-port becomes configurable.

    Specify the L4 VS FULLNAT port range minimum.

    ipvs-fullnat-max-port

    If share-ip-address is enabled, ipvs-fullnat-max-port becomes configurable.

    Specify the L4 VS FULLNAT port range maximum.

    snat-min-port

    If share-ip-address is enabled, snat-min-port becomes configurable.

    Specify the SNAT port range minimum.

    snat-max-port

    If share-ip-address is enabled, snat-max-port becomes configurable.

    Specify the SNAT port rang maximum.

    socket-min-port

    If share-ip-address is enabled, socket-min-port becomes configurable.

    Specify the L7 VS port range minimum.

    socket-max-port

    If share-ip-address is enabled, socket-max-port becomes configurable.

    Specify the L7 VS port range maximum.

    ssh-cbc-cipher

    		 Disabled by default. Enable if you want to use this cipher.

    ssh-hmac-md5

    		 Disabled by default. Enable if you want to use this cipher.

    vdom-admin

    Enables the virtual domain feature.

    vdom-mode

    The vdom-mode option becomes available if vdom-admin is enabled.

    Select either of the following virtual domain modes:

    • independent-network — each VDOM functions independently within its own network, unaffected by activity from other VDOMs on the system.
    • share-network — VDOMs function as administrative domains (ADOMs), sharing the same network interface and routing between all ADOMs. There are different CLI functions available to administrators of the root ADOM and non-root ADOM. For more information, see Appendix A: Virtual domains.

    admin-bypass-vdom-check

    The admin-bypass-vdom-check option is available if vdom-admin is enabled and the vdom-mode is independent-network.

    Once enabled, all non-root VDOM administrators can login through the root VDOM interface without needing root VDOM privileges. From the root VDOM interface, the non-root VDOM administrator can access and modify the settings relating to their designated non-root VDOM.

    This is disabled by default.

    Note: When the Admin Bypass VDOM Check is enabled, admin event logs are recorded solely under the root VDOM, regardless of the VDOM assigned to the user. This is due to the way the log API handles event logging, allowing event logging for only one VDOM at a time.

    pre-login-banner

    Enables the pre-login banner feature.

    sync-slb-statistics

    Enable/disable the statistic data between the SLB and GLB.

    shell-access

    Enable/disable the shell access. This is disabled by default.

    shell-username

    Specify the username to login to the shell.

    shell-password

    Specify the password to access the shell.

    shell-timeout

    The expire time, in minutes, after the shell access is enabled. (Range: 1-1200 minutes).

    threat-analytics

    Enable/disable the Threat Analytics connector.

    If you do not already have a license for the Fortinet AI Threat Analytic service, FortiADC offers a 14-day Evaluation license to evaluate the Fortinet AI Threat Analytics service. During this 14-day trial period, you can disable and re-enable AI Threat Analytics anytime. The 14-day trial period starts from the first time AI Threat Analytics is enabled.

    For more information about the AI Threat Analytics integration with FortiADC, see the FortiADC Handbook topic on AI Threat Analytics.

    owasp-compliance

    Enable OWASP Top10 Compliance to view the security compliance rate for each SLB virtual server in FortiView.

    This is disabled by default.

    fds-statistics

    		 Enable or disable FortiADC detection statistics upload to FortiGuard. This is enabled by default.

    fds-statistics-period

    Specify the FortiGuard statistics collection period in minutes. The default value is 60 minutes, and the valid range is 1-1440 minutes.

    lldp-reception

    Controls whether Link Layer Discovery Protocol (LLDP) packet reception is globally enabled or disabled across all VDOMs. Select from the following options:

    • enable — Explicitly enables LLDP packet reception globally, allowing FortiADC to process LLDP frames from all directly connected devices across all VDOMs.

    • disable — Explicitly disables LLDP packet reception globally, preventing FortiADC from processing any incoming LLDP frames, regardless of VDOM configurations.

    Global LLDP packet reception is disabled by default.

    lldp-transmission

    Controls whether Link Layer Discovery Protocol (LLDP) packet transmission is globally enabled or disabled across all VDOMs. Select from the following options:

    • enable — Explicitly enables LLDP packet transmission globally, allowing FortiADC to send LLDP packets containing identity and capability information to all directly connected devices across all VDOMs.

    • disable — Explicitly disables LLDP packet transmission globally, preventing FortiADC from transmitting any LLDP packets, regardless of VDOM configurations.

    Global LLDP packet transmission is disabled by default.

    Example

    FortiADC-VM # get system global
				default-certificate           : Factory
				hostname                      : FortiADC-VM
				vdom-admin                    : disable
				admin-idle-timeout            : 480
				admin-lockout-duration	      : 60
				admin-lockout-threshold       : 3
				port-http                     : 80
				port-https                    : 443
				port-ssh                      : 22
				port-telnet                   : 23
				share-ip-address	      : enable
				snat-match-local-traffics     : enable
				ipvs-fullnat-min-port	      : 5000
				ipvs-fullnat-max-port	      : 21846
				snat-min-port		      : 21847
				snat-max-port		      : 43690
				socket-min-port		      : 43691
				socket-max-port		      : 65535
				language                      : english
				hardware-ssl                  : enable
				gui-system                    : enable
				gui-router                    : enable
				gui-log                       : enable
				ssh-cbc-cipher                : disable
				ssh-hmac-md5                  : disable
				config-sync-enable            : disable
				pre-login-banner              : enable
				sync-slb-statistics	      : enable
				shell-access		      : enable
				shell-username		      : user
				shell-password		      : 123456
				shell-expire-time	      : 10
				threat-analytics	      : enable
                                owasp-compliance              : enable
                                fds-statistics                : enable
                                fds-statistics-period         : 60
                                lldp-reception                : disable
                                lldp-transmission             : disable
    Previous
    Next