CLI Reference

config system global

Use this command to manage system settings.

Before you begin:
  • You must have read-write permission for system settings.

Syntax

config system global

set admin-idle-timeout <integer>

set admin-lockout-duration <integer>

set admin-lockout-threshold <integer>

set advanced-bot-status {enable|disable}

set config-sync {enable|disable}

set default-certificate <certname>

set hardware-ssl {enable|disable}

set hostname <string>

set language {english|chinese-simplified}

set port-http <integer>

set port-https <integer>

set port-ssh <integer>

set port-telnet <integer>

set share-ip-address {enable|disable}

set snat-match-local-traffics {enable|disable}

set ipvs-fullnat-min-port <integer>

set ipvs-fullnat-max-port <integer>

set snat-min-port <integer>

set snat-max-port <integer>

set socket-min-port <integer>

set socket-max-port <integer>

set ssh-cbc-cipher {enable|disable}

set ssh-hmac-md5 {enable|disable}

set vdom-admin {enable|disable}

set vdom-mode {independent-network|share-network}

set admin-bypass-vdom-check {enable|disable}

set pre-login-banner {enable|disable}

set sync-slb-statistics {enable|disable}

set shell-access {enable|disable}

set shell-username <username>

set shell-password <password>

set shell-timeout <integer>

set threat-analytics {enable|disable}

set owasp-compliance {enable|disable}

set fds-statistics {enable|disable}

set fds-statistics-period <integer>

set lldp-reception {enable|disable}

set lldp-transmission {enable|disable}

set private-data-encryption {enable|disable}

set default-admin {enable|disable}

set sip-to-same-sock {enable|disable}

set waf-staging-signature {enable|disable}

end

admin-idle-timeout

Idle time after which an administrator session is logged out. The default is 30 minutes.

admin-lockout-duration

Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

The default is 60 seconds. The valid range is 1 to 2147483647 seconds.

admin-lockout-threshold

Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

The default is 3. The valid range is 1 to 10.

Keep the number of allowed attempts low: increasing the number of retries raises the risk that an unauthorized individual successfully guesses the password.

advanced-bot-status

Enable/disable the Advanced Bot Protection Fabric Connector.

Once enabled and successfully connected, the config security waf advanced-bot-protection command becomes available to configure the Advanced Bot Protection policy. See config security waf advanced-bot-protection.

If you want to disable the Advanced Bot Protection connector, the following settings will be impacted:

  • Advanced Bot Protection policies cannot be created or edited; however, they can be deleted via the CLI.
  • Existing ABP policies can be seen and deleted through CLI only.
  • In the WAF Profile configuration, the Advanced Bot Protection option can only be set through CLI.

For more information, see the Handbook topic about Advanced Bot Protection.

config-sync

Enable/disable the configuration synchronization feature. This feature is related to the execute config-sync command, not HA synchronization. Disabled by default.

default-certificate

The default is Factory.

hardware-ssl

Enable/disable hardware SSL acceleration. The setting has no effect on FortiADC-VM.

hostname

You can configure a hostname to facilitate system management. If you use SNMP, for example, the SNMP system name is derived from the configured hostname.

The hostname can be up to 35 characters in length. It can include US-ASCII letters, numbers, hyphens, and underscores, but not spaces or special characters.

The System Information widget and the get system status CLI command display the full hostname. If the hostname is longer than 16 characters, the name is truncated and ends with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed.

language

English or Simplified Chinese.

port-http

Specify the port for the HTTP service. Usually, HTTP uses port 80.

port-https

Specify the port for the HTTPS service. Usually, HTTPS uses port 443.

port-ssh

Specify the port for the SSH service. Usually, SSH uses port 22.

port-telnet

Specify the port for the Telnet service. Usually, Telnet uses port 25.

share-ip-address

Enable this option to share NAT IP pools/addresses between L4, L7 virtual servers, and SNAT policy.

Once enabled, SNAT across the firewall, L4 VS and L7 VS can use the same IP address, but with different port ranges that can be customized.

snat-match-local-traffics

If share-ip-address is enabled, snat-match-local-traffics becomes configurable.

Enable/disable the SNAT rule to match with the local traffic.

ipvs-fullnat-min-port

If share-ip-address is enabled, ipvs-fullnat-min-port becomes configurable.

Specify the L4 VS FULLNAT port range minimum.

ipvs-fullnat-max-port

If share-ip-address is enabled, ipvs-fullnat-max-port becomes configurable.

Specify the L4 VS FULLNAT port range maximum.

snat-min-port

If share-ip-address is enabled, snat-min-port becomes configurable.

Specify the SNAT port range minimum.

snat-max-port

If share-ip-address is enabled, snat-max-port becomes configurable.

Specify the SNAT port range maximum.

socket-min-port

If share-ip-address is enabled, socket-min-port becomes configurable.

Specify the L7 VS port range minimum.

socket-max-port

If share-ip-address is enabled, socket-max-port becomes configurable.

Specify the L7 VS port range maximum.

ssh-cbc-cipher

Disabled by default. Enable if you want to use this cipher.

ssh-hmac-md5

Disabled by default. Enable if you want to use this MAC algorithm.

vdom-admin

Enables the virtual domain feature.

vdom-mode

The vdom-mode option becomes available if vdom-admin is enabled.

Select either of the following virtual domain modes:

  • independent-network — each VDOM functions independently within its own network, unaffected by activity from other VDOMs on the system.
  • share-network — VDOMs function as administrative domains (ADOMs), sharing the same network interface and routing between all ADOMs. There are different CLI functions available to administrators of the root ADOM and non-root ADOM. For more information, see Appendix A: Virtual domains.

admin-bypass-vdom-check

The admin-bypass-vdom-check option is available if vdom-admin is enabled and the vdom-mode is independent-network.

Once enabled, all non-root VDOM administrators can log in through the root VDOM interface without needing root VDOM privileges. From the root VDOM interface, a non-root VDOM administrator can access and modify the settings relating to their designated non-root VDOM.

This is disabled by default.

Note: When the Admin Bypass VDOM Check is enabled, admin event logs are recorded solely under the root VDOM, regardless of the VDOM assigned to the user. This is due to the way the log API handles event logging, allowing event logging for only one VDOM at a time.

pre-login-banner

Enables the pre-login banner feature.

sync-slb-statistics

Enable/disable synchronization of statistics data between the SLB and GLB.

shell-access

Enable/disable the shell access. This is disabled by default.

shell-username

Specify the username used to log in to the shell.

shell-password

Specify the password to access the shell.

shell-timeout

The time, in minutes, after which shell access expires once it has been enabled (range: 1-1200 minutes).

threat-analytics

Enable/disable the Threat Analytics connector.

If you do not already have a license for the Fortinet AI Threat Analytics service, FortiADC offers a 14-day Evaluation license to evaluate it. During this 14-day trial period, you can disable and re-enable AI Threat Analytics at any time. The 14-day trial period starts from the first time AI Threat Analytics is enabled.

For more information about the AI Threat Analytics integration with FortiADC, see the FortiADC Handbook topic on AI Threat Analytics.

owasp-compliance

Enable OWASP Top10 Compliance to view the security compliance rate for each SLB virtual server in FortiView.

This is disabled by default.

fds-statistics

Enable or disable FortiADC detection statistics upload to FortiGuard. This is enabled by default.

fds-statistics-period

Specify the FortiGuard statistics collection period in minutes. The default value is 60 minutes, and the valid range is 1-1440 minutes.

lldp-reception

Controls whether Link Layer Discovery Protocol (LLDP) packet reception is globally enabled or disabled across all VDOMs. Select from the following options:

  • enable — Explicitly enables LLDP packet reception globally, allowing FortiADC to process LLDP frames from all directly connected devices across all VDOMs.

  • disable — Explicitly disables LLDP packet reception globally, preventing FortiADC from processing any incoming LLDP frames, regardless of VDOM configurations.

Global LLDP packet reception is disabled by default.

lldp-transmission

Controls whether Link Layer Discovery Protocol (LLDP) packet transmission is globally enabled or disabled across all VDOMs. Select from the following options:

  • enable — Explicitly enables LLDP packet transmission globally, allowing FortiADC to send LLDP packets containing identity and capability information to all directly connected devices across all VDOMs.

  • disable — Explicitly disables LLDP packet transmission globally, preventing FortiADC from transmitting any LLDP packets, regardless of VDOM configurations.

Global LLDP packet transmission is disabled by default.

private-data-encryption

Trusted Platform Module (TPM) secures passwords and cryptographic keys by storing and authenticating them using AES-128-CBC encryption. This feature ensures that private data is encrypted when displayed in the CLI and saved in configuration files, reducing the risk of data tampering or interception.

This setting controls whether FortiADC uses TPM-backed encryption for private data.

  • enable — When enabled, FortiADC generates a random AES-128-CBC encryption key. If the system is equipped with a TPM, the encryption key is securely stored inside the TPM chip, providing hardware-backed protection. For systems without TPM, the key is stored in a secure file on the system. This key is used to encrypt sensitive data, such as passwords. If private data encryption is enabled, backup files will contain an encrypted private_key header, which includes an HMAC hash of the encryption key. This key hash must match the local key in order to successfully restore the system.

  • disable — TPM is disabled by default. When disabled, the system defaults to using the predefined or user-inputted 32-bit encryption key for private data storage, restoring previous behavior without TPM-based encryption. If restoring to a factory reset device, ensure private-data-encryption is disabled in the configuration file before restoring. To prevent password unset during restore, disable encryption before backup and re-enable it after the restore is completed.

A new encryption key is generated only when disabling and re-enabling the setting. Reboots and upgrades do not trigger key regeneration.

In HA-AP and HA-AA setups, the configuration must be applied to the primary node; it is then synchronized to the peer nodes. There is no restriction for HA-VRRP.

TPM-based encrypted key storage is available on the following FortiADC hardware models: 220F, 320F, 420F, 1200F, 2200F, 4200F.

To verify the private encryption key, use the execute private-encryption-key sample and verify commands. See execute private-encryption-key.

default-admin

Enable or disable the built-in admin account.

  • enable — (default) The admin account remains active.

  • disable — Prevents login with the admin account. Any active admin sessions are terminated immediately when the account is disabled.

By default, the admin account remains enabled. Disabling it requires another global administrator, ensuring that at least one administrator retains unrestricted control of the system. The admin account cannot disable itself, and enabling or disabling must be performed through the CLI. The GUI displays the current status of the account but does not provide configuration controls for this option.

sip-to-same-sock

Control how sessions with the same source IP, destination IP, and destination port (sip+dip+dport) are hashed across sockets.

  • enable — (default) Sessions with the same tuple are directed to the same CPU, httproxy process, and listening socket.

  • disable — Sessions with the same tuple may be distributed across different CPUs, processes, and sockets.

waf-staging-signature

Enable or disable WAF Signature Staging.

Before you can start using signature staging to review new FortiGuard updates, the feature must first be enabled. By default, WAF Signature Staging is disabled, so new or updated FortiGuard signatures are applied automatically without entering a staging phase. Enabling the feature ensures that each new or modified signature is first added to the staging list for observation and manual review before activation.

After you apply the change, FortiADC populates the WAF Signature Staging list with all signatures from the currently installed WAF signature database.

Example

FortiADC-VM # get system global
    default-certificate           : Factory
    hostname                      : FortiADC-VM
    vdom-admin                    : disable
    admin-idle-timeout            : 480
    admin-lockout-duration        : 60
    admin-lockout-threshold       : 3
    port-http                     : 80
    port-https                    : 443
    port-ssh                      : 22
    port-telnet                   : 23
    share-ip-address              : enable
    snat-match-local-traffics     : enable
    ipvs-fullnat-min-port         : 5000
    ipvs-fullnat-max-port         : 21846
    snat-min-port                 : 21847
    snat-max-port                 : 43690
    socket-min-port               : 43691
    socket-max-port               : 65535
    language                      : english
    hardware-ssl                  : enable
    gui-system                    : enable
    gui-router                    : enable
    gui-log                       : enable
    ssh-cbc-cipher                : disable
    ssh-hmac-md5                  : disable
    config-sync-enable            : disable
    pre-login-banner              : enable
    sync-slb-statistics           : enable
    shell-access                  : enable
    shell-username                : user
    shell-password                : 123456
    shell-expire-time             : 10
    threat-analytics              : enable
    owasp-compliance              : enable
    fds-statistics                : enable
    fds-statistics-period         : 60
    lldp-reception                : disable
    lldp-transmission             : disable
    private-data-encryption       : enable
    default-admin                 : enable
    sip-to-same-sock              : enable
    waf-staging-signature         : enable
