config system settings
Description: Configure VDOM settings.
set comments {var-string}
set opmode [nat|transparent]
set ngfw-mode [profile-based|policy-based]
set implicit-allow-dns [enable|disable]
set consolidated-firewall-mode [enable|disable]
set http-external-dest [fortiweb|forticache]
set firewall-session-dirty [check-all|check-new|...]
set manageip {user}
set gateway {ipv4-address}
set ip {ipv4-classnet-host}
set manageip6 {ipv6-prefix}
set gateway6 {ipv6-address}
set ip6 {ipv6-prefix}
set device {string}
set bfd [enable|disable]
set bfd-desired-min-tx {integer}
set bfd-required-min-rx {integer}
set bfd-detect-mult {integer}
set bfd-dont-enforce-src-port [enable|disable]
set utf8-spam-tagging [enable|disable]
set wccp-cache-engine [enable|disable]
set vpn-stats-log {option1}, {option2}, ...
set vpn-stats-period {integer}
set v4-ecmp-mode [source-ip-based|weight-based|...]
set mac-ttl {integer}
set fw-session-hairpin [enable|disable]
set prp-trailer-action [enable|disable]
set snat-hairpin-traffic [enable|disable]
set dhcp-proxy [enable|disable]
set dhcp-server-ip {user}
set dhcp6-server-ip {user}
set central-nat [enable|disable]
set gui-default-policy-columns <name1>, <name2>, ...
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set link-down-access [enable|disable]
set auxiliary-session [enable|disable]
set asymroute [enable|disable]
set asymroute-icmp [enable|disable]
set tcp-session-without-syn [enable|disable]
set ses-denied-traffic [enable|disable]
set strict-src-check [enable|disable]
set allow-linkdown-path [enable|disable]
set asymroute6 [enable|disable]
set asymroute6-icmp [enable|disable]
set sctp-session-without-init [enable|disable]
set sip-expectation [enable|disable]
set sip-nat-trace [enable|disable]
set status [enable|disable]
set sip-tcp-port {integer}
set sip-udp-port {integer}
set sip-ssl-port {integer}
set sccp-port {integer}
set multicast-forward [enable|disable]
set multicast-ttl-notchange [enable|disable]
set multicast-skip-policy [enable|disable]
set allow-subnet-overlap [enable|disable]
set deny-tcp-with-icmp [enable|disable]
set ecmp-max-paths {integer}
set discovered-device-timeout {integer}
set email-portal-check-dns [disable|enable]
set default-voip-alg-mode [proxy-based|kernel-helper-based]
set gui-icap [enable|disable]
set gui-nat46-64 [enable|disable]
set gui-implicit-policy [enable|disable]
set gui-dns-database [enable|disable]
set gui-load-balance [enable|disable]
set gui-multicast-policy [enable|disable]
set gui-dos-policy [enable|disable]
set gui-object-colors [enable|disable]
set gui-replacement-message-groups [enable|disable]
set gui-voip-profile [enable|disable]
set gui-ap-profile [enable|disable]
set gui-dynamic-profile-display [enable|disable]
set gui-local-in-policy [enable|disable]
set gui-local-reports [enable|disable]
set gui-wanopt-cache [enable|disable]
set gui-explicit-proxy [enable|disable]
set gui-dynamic-routing [enable|disable]
set gui-sslvpn-personal-bookmarks [enable|disable]
set gui-sslvpn-realms [enable|disable]
set gui-policy-based-ipsec [enable|disable]
set gui-threat-weight [enable|disable]
set gui-multiple-utm-profiles [enable|disable]
set gui-spamfilter [enable|disable]
set gui-application-control [enable|disable]
set gui-ips [enable|disable]
set gui-endpoint-control [enable|disable]
set gui-endpoint-control-advanced [enable|disable]
set gui-dhcp-advanced [enable|disable]
set gui-vpn [enable|disable]
set gui-wireless-controller [enable|disable]
set gui-switch-controller [enable|disable]
set gui-fortiap-split-tunneling [enable|disable]
set gui-webfilter-advanced [enable|disable]
set gui-traffic-shaping [enable|disable]
set gui-wan-load-balancing [enable|disable]
set gui-antivirus [enable|disable]
set gui-webfilter [enable|disable]
set gui-dnsfilter [enable|disable]
set gui-waf-profile [enable|disable]
set gui-fortiextender-controller [enable|disable]
set gui-advanced-policy [enable|disable]
set gui-allow-unnamed-policy [enable|disable]
set gui-email-collection [enable|disable]
set gui-domain-ip-reputation [enable|disable]
set gui-multiple-interface-policy [enable|disable]
set gui-per-policy-disclaimer [enable|disable]
set ike-session-resume [enable|disable]
set ike-quick-crash-detect [enable|disable]
set ike-dn-format [with-space|no-space]
set block-land-attack [disable|enable]
end
Parameter Name | Description | Type | Size |
---|---|---|---|
comments | VDOM comments. | var-string | Maximum length: 255 |
opmode | Firewall operation mode (NAT or Transparent). nat: Change to NAT mode. transparent: Change to transparent mode. |
option | - |
ngfw-mode | Next Generation Firewall (NGFW) mode. profile-based: Application and web-filtering are configured using profiles applied to policy entries. policy-based: Application and web-filtering are configured as policy match conditions. |
option | - |
implicit-allow-dns | Enable/disable implicitly allowing DNS traffic. enable: Enable implicitly allowing DNS traffic. disable: Disable implicitly allowing DNS traffic. |
option | - |
consolidated-firewall-mode | Consolidated firewall mode. enable: Enable consolidated firewall mode. disable: Disable consolidated firewall mode. |
option | - |
http-external-dest | Offload HTTP traffic to FortiWeb or FortiCache. fortiweb: Offload HTTP traffic to FortiWeb for Web Application Firewall inspection. forticache: Offload HTTP traffic to FortiCache for external web caching and WAN optimization. |
option | - |
firewall-session-dirty | Select how to manage sessions affected by firewall policy configuration changes. check-all: All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table. check-new: Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration. check-policy-option: Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue. |
option | - |
manageip | Transparent mode IPv4 management IP address and netmask. | user | Not Specified |
gateway | Transparent mode IPv4 default gateway IP address. | ipv4-address | Not Specified |
ip | IP address and netmask. | ipv4-classnet-host | Not Specified |
manageip6 | Transparent mode IPv6 management IP address and netmask. | ipv6-prefix | Not Specified |
gateway6 | Transparent mode IPv4 default gateway IP address. | ipv6-address | Not Specified |
ip6 | IPv6 address prefix for NAT mode. | ipv6-prefix | Not Specified |
device | Interface to use for management access for NAT mode. | string | Maximum length: 35 |
bfd | Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. enable: Enable Bi-directional Forwarding Detection (BFD) on all interfaces. disable: Disable Bi-directional Forwarding Detection (BFD) on all interfaces. |
option | - |
bfd-desired-min-tx | BFD desired minimal transmit interval (1 - 100000 ms, default = 50). | integer | Minimum value: 1 Maximum value: 100000 |
bfd-required-min-rx | BFD required minimal receive interval (1 - 100000 ms, default = 50). | integer | Minimum value: 1 Maximum value: 100000 |
bfd-detect-mult | BFD detection multiplier (1 - 50, default = 3). | integer | Minimum value: 1 Maximum value: 50 |
bfd-dont-enforce-src-port | Enable to not enforce verifying the source port of BFD Packets. enable: Enable verifying the source port of BFD Packets. disable: Disable verifying the source port of BFD Packets. |
option | - |
utf8-spam-tagging | Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. enable: Convert antispam tags to UTF-8. disable: Do not convert antispam tags. |
option | - |
wccp-cache-engine | Enable/disable WCCP cache engine. enable: Enable WCCP cache engine. disable: Disable WCCP cache engine. |
option | - |
vpn-stats-log | Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. ipsec: IPsec. pptp: PPTP. l2tp: L2TP. ssl: SSL. |
option | - |
vpn-stats-period | Period to send VPN log statistics (0 or 60 - 86400 sec). | integer | Minimum value: 0 Maximum value: 4294967295 |
v4-ecmp-mode | IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. source-ip-based: Select next hop based on source IP. weight-based: Select next hop based on weight. usage-based: Select next hop based on usage. source-dest-ip-based: Select next hop based on both source and destination IPs. |
option | - |
mac-ttl | Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300). | integer | Minimum value: 300 Maximum value: 8640000 |
fw-session-hairpin | Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. enable: Perform a policy check every time. disable: Perform a policy check only the first time the session is received. |
option | - |
prp-trailer-action | Enable/disable action to take on PRP trailer. enable: Try to keep PRP trailer. disable: Trim PRP trailer. |
option | - |
snat-hairpin-traffic | Enable/disable source NAT (SNAT) for hairpin traffic. enable: Enable SNAT for hairpin traffic. disable: Disable SNAT for hairpin traffic. |
option | - |
dhcp-proxy | Enable/disable the DHCP Proxy. enable: Enable the DHCP proxy. disable: Disable the DHCP proxy. |
option | - |
dhcp-server-ip | DHCP Server IPv4 address. | user | Not Specified |
dhcp6-server-ip | DHCPv6 server IPv6 address. | user | Not Specified |
central-nat | Enable/disable central NAT. enable: Enable central NAT. disable: Disable central NAT. |
option | - |
gui-default-policy-columns <name> |
Default columns to display for policy lists on GUI. Select column name. |
string | Maximum length: 79 |
lldp-reception | Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM. enable: Enable LLDP reception for this VDOM. disable: Disable LLDP reception for this VDOM. global: Use the global LLDP reception configuration for this VDOM. |
option | - |
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM. enable: Enable LLDP transmission for this VDOM. disable: Disable LLDP transmission for this VDOM. global: Use the global LLDP transmission configuration for this VDOM. |
option | - |
link-down-access | Enable/disable link down access traffic. enable: Allow link down access traffic. disable: Block link down access traffic. |
option | - |
auxiliary-session | Enable/disable auxiliary session. enable: Enable auxiliary session for this VDOM. disable: Disable auxiliary session for this VDOM. |
option | - |
asymroute | Enable/disable IPv4 asymmetric routing. enable: Enable IPv4 asymmetric routing. disable: Disable IPv4 asymmetric routing. |
option | - |
asymroute-icmp | Enable/disable ICMP asymmetric routing. enable: Enable ICMP asymmetric routing. disable: Disable ICMP asymmetric routing. |
option | - |
tcp-session-without-syn | Enable/disable allowing TCP session without SYN flags. enable: Allow TCP session without SYN flags. disable: Do not allow TCP session without SYN flags. |
option | - |
ses-denied-traffic | Enable/disable including denied session in the session table. enable: Include denied sessions in the session table. disable: Do not add denied sessions to the session table. |
option | - |
strict-src-check | Enable/disable strict source verification. enable: Enable strict source verification. disable: Disable strict source verification. |
option | - |
allow-linkdown-path | Enable/disable link down path. enable: Allow link down path. disable: Do not allow link down path. |
option | - |
asymroute6 | Enable/disable asymmetric IPv6 routing. enable: Enable asymmetric IPv6 routing. disable: Disable asymmetric IPv6 routing. |
option | - |
asymroute6-icmp | Enable/disable asymmetric ICMPv6 routing. enable: Enable asymmetric ICMPv6 routing. disable: Disable asymmetric ICMPv6 routing. |
option | - |
sctp-session-without-init | Enable/disable SCTP session creation without SCTP INIT. enable: Enable SCTP session creation without SCTP INIT. disable: Disable SCTP session creation without SCTP INIT. |
option | - |
sip-expectation | Enable/disable the SIP kernel session helper to create an expectation for port 5060. enable: Allow SIP session helper to create an expectation for port 5060. disable: Prevent SIP session helper from creating an expectation for port 5060. |
option | - |
sip-nat-trace | Enable/disable recording the original SIP source IP address when NAT is used. enable: Record the original SIP source IP address when NAT is used. disable: Do not record the original SIP source IP address when NAT is used. |
option | - |
status | Enable/disable this VDOM. enable: Enable this VDOM. disable: Disable this VDOM. |
option | - |
sip-tcp-port | TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). | integer | Minimum value: 1 Maximum value: 65535 |
sip-udp-port | UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). | integer | Minimum value: 1 Maximum value: 65535 |
sip-ssl-port | TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061). | integer | Minimum value: 0 Maximum value: 65535 |
sccp-port | TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000). | integer | Minimum value: 0 Maximum value: 65535 |
multicast-forward | Enable/disable multicast forwarding. enable: Enable multicast forwarding. disable: Disable multicast forwarding. |
option | - |
multicast-ttl-notchange | Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. enable: The multicast TTL is not changed. disable: The multicast TTL may be changed. |
option | - |
multicast-skip-policy | Enable/disable allowing multicast traffic through the FortiGate without a policy check. enable: Allowing multicast traffic through the FortiGate without creating a multicast firewall policy. disable: Require a multicast policy to allow multicast traffic to pass through the FortiGate. |
option | - |
allow-subnet-overlap | Enable/disable allowing interface subnets to use overlapping IP addresses. enable: Enable overlapping subnets. disable: Disable overlapping subnets. |
option | - |
deny-tcp-with-icmp | Enable/disable denying TCP by sending an ICMP communication prohibited packet. enable: Deny TCP with ICMP. disable: Disable denying TCP with ICMP. |
option | - |
ecmp-max-paths | Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255). | integer | Minimum value: 1 Maximum value: 255 |
discovered-device-timeout | Timeout for discovered devices (1 - 365 days, default = 28). | integer | Minimum value: 1 Maximum value: 365 |
email-portal-check-dns | Enable/disable using DNS to validate email addresses collected by a captive portal. disable: Disable email address checking with DNS. enable: Enable email address checking with DNS. |
option | - |
default-voip-alg-mode | Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. proxy-based: Use a default proxy-based VoIP ALG. kernel-helper-based: Use the SIP session helper. |
option | - |
gui-icap | Enable/disable ICAP on the GUI. enable: Enable ICAP on the GUI. disable: Disable ICAP on the GUI. |
option | - |
gui-nat46-64 | Enable/disable NAT46 and NAT64 settings on the GUI. enable: Enable NAT46 and NAT64 settings on the GUI. disable: Disable NAT46 and NAT64 settings on the GUI. |
option | - |
gui-implicit-policy | Enable/disable implicit firewall policies on the GUI. enable: Enable implicit firewall policies on the GUI. disable: Disable implicit firewall policies on the GUI. |
option | - |
gui-dns-database | Enable/disable DNS database settings on the GUI. enable: Enable DNS database settings on the GUI. disable: Disable DNS database settings on the GUI. |
option | - |
gui-load-balance | Enable/disable server load balancing on the GUI. enable: Enable server load balancing on the GUI. disable: Disable server load balancing on the GUI. |
option | - |
gui-multicast-policy | Enable/disable multicast firewall policies on the GUI. enable: Enable multicast firewall policies on the GUI. disable: Disable multicast firewall policies on the GUI. |
option | - |
gui-dos-policy | Enable/disable DoS policies on the GUI. enable: Enable DoS policies on the GUI. disable: Disable DoS policies on the GUI. |
option | - |
gui-object-colors | Enable/disable object colors on the GUI. enable: Enable object colors on the GUI. disable: Disable object colors on the GUI. |
option | - |
gui-replacement-message-groups | Enable/disable replacement message groups on the GUI. enable: Enable replacement message groups on the GUI. disable: Disable replacement message groups on the GUI. |
option | - |
gui-voip-profile | Enable/disable VoIP profiles on the GUI. enable: Enable VoIP profiles on the GUI. disable: Disable VoIP profiles on the GUI. |
option | - |
gui-ap-profile | Enable/disable FortiAP profiles on the GUI. enable: Enable FortiAP profiles on the GUI. disable: Disable FortiAP profiles on the GUI. |
option | - |
gui-dynamic-profile-display | Enable/disable RADIUS Single Sign On (RSSO) on the GUI. enable: Enable RADIUS Single Sign On (RSSO) on the GUI. disable: Disable RADIUS Single Sign On (RSSO) on the GUI. |
option | - |
gui-local-in-policy | Enable/disable Local-In policies on the GUI. enable: Enable Local-In policies on the GUI. disable: Disable Local-In policies on the GUI. |
option | - |
gui-local-reports | Enable/disable local reports on the GUI. enable: Enable local reports on the GUI. disable: Disable local reports on the GUI. |
option | - |
gui-wanopt-cache | Enable/disable WAN Optimization and Web Caching on the GUI. enable: Enable WAN Optimization and Web Caching on the GUI. disable: Disable WAN Optimization and Web Caching on the GUI. |
option | - |
gui-explicit-proxy | Enable/disable the explicit proxy on the GUI. enable: Enable the explicit proxy on the GUI. disable: Disable the explicit proxy on the GUI. |
option | - |
gui-dynamic-routing | Enable/disable dynamic routing on the GUI. enable: Enable dynamic routing on the GUI. disable: Disable dynamic routing on the GUI. |
option | - |
gui-sslvpn-personal-bookmarks | Enable/disable SSL-VPN personal bookmark management on the GUI. enable: Enable SSL-VPN personal bookmark management on the GUI. disable: Disable SSL-VPN personal bookmark management on the GUI. |
option | - |
gui-sslvpn-realms | Enable/disable SSL-VPN realms on the GUI. enable: Enable SSL-VPN realms on the GUI. disable: Disable SSL-VPN realms on the GUI. |
option | - |
gui-policy-based-ipsec | Enable/disable policy-based IPsec VPN on the GUI. enable: Enable policy-based IPsec VPN on the GUI. disable: Disable policy-based IPsec VPN on the GUI. |
option | - |
gui-threat-weight | Enable/disable threat weight on the GUI. enable: Enable threat weight on the GUI. disable: Disable threat weight on the GUI. |
option | - |
gui-multiple-utm-profiles | Enable/disable multiple UTM profiles on the GUI. enable: Enable multiple UTM profiles on the GUI. disable: Disable multiple UTM profiles on the GUI. |
option | - |
gui-spamfilter | Enable/disable Antispam on the GUI. enable: Enable Antispam on the GUI. disable: Disable Antispam on the GUI. |
option | - |
gui-application-control | Enable/disable application control on the GUI. enable: Enable application control on the GUI. disable: Disable application control on the GUI. |
option | - |
gui-ips | Enable/disable IPS on the GUI. enable: Enable IPS on the GUI. disable: Disable IPS on the GUI. |
option | - |
gui-endpoint-control | Enable/disable endpoint control on the GUI. enable: Enable endpoint control on the GUI. disable: Disable endpoint control on the GUI. |
option | - |
gui-endpoint-control-advanced | Enable/disable advanced endpoint control options on the GUI. enable: Enable advanced endpoint control options on the GUI. disable: Disable advanced endpoint control options on the GUI. |
option | - |
gui-dhcp-advanced | Enable/disable advanced DHCP options on the GUI. enable: Enable advanced DHCP options on the GUI. disable: Disable advanced DHCP options on the GUI. |
option | - |
gui-vpn | Enable/disable VPN tunnels on the GUI. enable: Enable VPN tunnels on the GUI. disable: Disable VPN tunnels on the GUI. |
option | - |
gui-wireless-controller | Enable/disable the wireless controller on the GUI. enable: Enable the wireless controller on the GUI. disable: Disable the wireless controller on the GUI. |
option | - |
gui-switch-controller | Enable/disable the switch controller on the GUI. enable: Enable the switch controller on the GUI. disable: Disable the switch controller on the GUI. |
option | - |
gui-fortiap-split-tunneling | Enable/disable FortiAP split tunneling on the GUI. enable: Enable FortiAP split tunneling on the GUI. disable: Disable FortiAP split tunneling on the GUI. |
option | - |
gui-webfilter-advanced | Enable/disable advanced web filtering on the GUI. enable: Enable advanced web filtering on the GUI. disable: Disable advanced web filtering on the GUI. |
option | - |
gui-traffic-shaping | Enable/disable traffic shaping on the GUI. enable: Enable traffic shaping on the GUI. disable: Disable traffic shaping on the GUI. |
option | - |
gui-wan-load-balancing | Enable/disable SD-WAN on the GUI. enable: Enable SD-WAN on the GUI. disable: Disable SD-WAN on the GUI. |
option | - |
gui-antivirus | Enable/disable AntiVirus on the GUI. enable: Enable AntiVirus on the GUI. disable: Disable AntiVirus on the GUI. |
option | - |
gui-webfilter | Enable/disable Web filtering on the GUI. enable: Enable Web filtering on the GUI. disable: Disable Web filtering on the GUI. |
option | - |
gui-dnsfilter | Enable/disable DNS Filtering on the GUI. enable: Enable DNS Filtering on the GUI. disable: Disable DNS Filtering on the GUI. |
option | - |
gui-waf-profile | Enable/disable Web Application Firewall on the GUI. enable: Enable Web Application Firewall on the GUI. disable: Disable Web Application Firewall on the GUI. |
option | - |
gui-fortiextender-controller | Enable/disable FortiExtender on the GUI. enable: Enable FortiExtender on the GUI. disable: Disable FortiExtender on the GUI. |
option | - |
gui-advanced-policy | Enable/disable advanced policy configuration on the GUI. enable: Enable advanced policy configuration on the GUI. disable: Disable advanced policy configuration on the GUI. |
option | - |
gui-allow-unnamed-policy | Enable/disable the requirement for policy naming on the GUI. enable: Enable the requirement for policy naming on the GUI. disable: Disable the requirement for policy naming on the GUI. |
option | - |
gui-email-collection | Enable/disable email collection on the GUI. enable: Enable email collection on the GUI. disable: Disable email collection on the GUI. |
option | - |
gui-domain-ip-reputation | Enable/disable Domain and IP Reputation on the GUI. enable: Enable Domain and IP Reputation on the GUI. disable: Disable Domain and IP Reputation on the GUI. |
option | - |
gui-multiple-interface-policy | Enable/disable adding multiple interfaces to a policy on the GUI. enable: Enable adding multiple interfaces to a policy on the GUI. disable: Disable adding multiple interfaces to a policy on the GUI. |
option | - |
gui-per-policy-disclaimer | Enable/disable policy disclaimer on the GUI. enable: Enable policy disclaimer on the GUI. disable: Disable policy disclaimer on the GUI. |
option | - |
ike-session-resume | Enable/disable IKEv2 session resumption (RFC 5723). enable: Enable IKEv2 session resumption (RFC 5723). disable: Disable IKEv2 session resumption (RFC 5723). |
option | - |
ike-quick-crash-detect | Enable/disable IKE quick crash detection (RFC 6290). enable: Enable IKE quick crash detection (RFC 6290). disable: Disable IKE quick crash detection (RFC 6290). |
option | - |
ike-dn-format | Configure IKE ASN.1 Distinguished Name format conventions. with-space: Format IKE ASN.1 Distinguished Names with spaces between attribute names and values. no-space: Format IKE ASN.1 Distinguished Names without spaces between attribute names and values. |
option | - |
block-land-attack | Enable/disable blocking of land attacks. disable: Do not block land attack. enable: Block land attack. |
option | - |
config system settings
Description: Configure VDOM settings.
set comments {var-string}
set opmode [nat|transparent]
set ngfw-mode [profile-based|policy-based]
set implicit-allow-dns [enable|disable]
set consolidated-firewall-mode [enable|disable]
set http-external-dest [fortiweb|forticache]
set firewall-session-dirty [check-all|check-new|...]
set manageip {user}
set gateway {ipv4-address}
set ip {ipv4-classnet-host}
set manageip6 {ipv6-prefix}
set gateway6 {ipv6-address}
set ip6 {ipv6-prefix}
set device {string}
set bfd [enable|disable]
set bfd-desired-min-tx {integer}
set bfd-required-min-rx {integer}
set bfd-detect-mult {integer}
set bfd-dont-enforce-src-port [enable|disable]
set utf8-spam-tagging [enable|disable]
set wccp-cache-engine [enable|disable]
set vpn-stats-log {option1}, {option2}, ...
set vpn-stats-period {integer}
set v4-ecmp-mode [source-ip-based|weight-based|...]
set mac-ttl {integer}
set fw-session-hairpin [enable|disable]
set prp-trailer-action [enable|disable]
set snat-hairpin-traffic [enable|disable]
set dhcp-proxy [enable|disable]
set dhcp-server-ip {user}
set dhcp6-server-ip {user}
set central-nat [enable|disable]
set gui-default-policy-columns <name1>, <name2>, ...
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set link-down-access [enable|disable]
set auxiliary-session [enable|disable]
set asymroute [enable|disable]
set asymroute-icmp [enable|disable]
set tcp-session-without-syn [enable|disable]
set ses-denied-traffic [enable|disable]
set strict-src-check [enable|disable]
set allow-linkdown-path [enable|disable]
set asymroute6 [enable|disable]
set asymroute6-icmp [enable|disable]
set sctp-session-without-init [enable|disable]
set sip-expectation [enable|disable]
set sip-nat-trace [enable|disable]
set status [enable|disable]
set sip-tcp-port {integer}
set sip-udp-port {integer}
set sip-ssl-port {integer}
set sccp-port {integer}
set multicast-forward [enable|disable]
set multicast-ttl-notchange [enable|disable]
set multicast-skip-policy [enable|disable]
set allow-subnet-overlap [enable|disable]
set deny-tcp-with-icmp [enable|disable]
set ecmp-max-paths {integer}
set discovered-device-timeout {integer}
set email-portal-check-dns [disable|enable]
set default-voip-alg-mode [proxy-based|kernel-helper-based]
set gui-icap [enable|disable]
set gui-nat46-64 [enable|disable]
set gui-implicit-policy [enable|disable]
set gui-dns-database [enable|disable]
set gui-load-balance [enable|disable]
set gui-multicast-policy [enable|disable]
set gui-dos-policy [enable|disable]
set gui-object-colors [enable|disable]
set gui-replacement-message-groups [enable|disable]
set gui-voip-profile [enable|disable]
set gui-ap-profile [enable|disable]
set gui-dynamic-profile-display [enable|disable]
set gui-local-in-policy [enable|disable]
set gui-local-reports [enable|disable]
set gui-wanopt-cache [enable|disable]
set gui-explicit-proxy [enable|disable]
set gui-dynamic-routing [enable|disable]
set gui-sslvpn-personal-bookmarks [enable|disable]
set gui-sslvpn-realms [enable|disable]
set gui-policy-based-ipsec [enable|disable]
set gui-threat-weight [enable|disable]
set gui-multiple-utm-profiles [enable|disable]
set gui-spamfilter [enable|disable]
set gui-application-control [enable|disable]
set gui-ips [enable|disable]
set gui-endpoint-control [enable|disable]
set gui-endpoint-control-advanced [enable|disable]
set gui-dhcp-advanced [enable|disable]
set gui-vpn [enable|disable]
set gui-wireless-controller [enable|disable]
set gui-switch-controller [enable|disable]
set gui-fortiap-split-tunneling [enable|disable]
set gui-webfilter-advanced [enable|disable]
set gui-traffic-shaping [enable|disable]
set gui-wan-load-balancing [enable|disable]
set gui-antivirus [enable|disable]
set gui-webfilter [enable|disable]
set gui-dnsfilter [enable|disable]
set gui-waf-profile [enable|disable]
set gui-fortiextender-controller [enable|disable]
set gui-advanced-policy [enable|disable]
set gui-allow-unnamed-policy [enable|disable]
set gui-email-collection [enable|disable]
set gui-domain-ip-reputation [enable|disable]
set gui-multiple-interface-policy [enable|disable]
set gui-per-policy-disclaimer [enable|disable]
set ike-session-resume [enable|disable]
set ike-quick-crash-detect [enable|disable]
set ike-dn-format [with-space|no-space]
set block-land-attack [disable|enable]
end
Parameter Name | Description | Type | Size |
---|---|---|---|
comments | VDOM comments. | var-string | Maximum length: 255 |
opmode | Firewall operation mode (NAT or Transparent). nat: Change to NAT mode. transparent: Change to transparent mode. |
option | - |
ngfw-mode | Next Generation Firewall (NGFW) mode. profile-based: Application and web-filtering are configured using profiles applied to policy entries. policy-based: Application and web-filtering are configured as policy match conditions. |
option | - |
implicit-allow-dns | Enable/disable implicitly allowing DNS traffic. enable: Enable implicitly allowing DNS traffic. disable: Disable implicitly allowing DNS traffic. |
option | - |
consolidated-firewall-mode | Consolidated firewall mode. enable: Enable consolidated firewall mode. disable: Disable consolidated firewall mode. |
option | - |
http-external-dest | Offload HTTP traffic to FortiWeb or FortiCache. fortiweb: Offload HTTP traffic to FortiWeb for Web Application Firewall inspection. forticache: Offload HTTP traffic to FortiCache for external web caching and WAN optimization. |
option | - |
firewall-session-dirty | Select how to manage sessions affected by firewall policy configuration changes. check-all: All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table. check-new: Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration. check-policy-option: Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue. |
option | - |
manageip | Transparent mode IPv4 management IP address and netmask. | user | Not Specified |
gateway | Transparent mode IPv4 default gateway IP address. | ipv4-address | Not Specified |
ip | IP address and netmask. | ipv4-classnet-host | Not Specified |
manageip6 | Transparent mode IPv6 management IP address and netmask. | ipv6-prefix | Not Specified |
gateway6 | Transparent mode IPv4 default gateway IP address. | ipv6-address | Not Specified |
ip6 | IPv6 address prefix for NAT mode. | ipv6-prefix | Not Specified |
device | Interface to use for management access for NAT mode. | string | Maximum length: 35 |
bfd | Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. enable: Enable Bi-directional Forwarding Detection (BFD) on all interfaces. disable: Disable Bi-directional Forwarding Detection (BFD) on all interfaces. |
option | - |
bfd-desired-min-tx | BFD desired minimal transmit interval (1 - 100000 ms, default = 50). | integer | Minimum value: 1 Maximum value: 100000 |
bfd-required-min-rx | BFD required minimal receive interval (1 - 100000 ms, default = 50). | integer | Minimum value: 1 Maximum value: 100000 |
bfd-detect-mult | BFD detection multiplier (1 - 50, default = 3). | integer | Minimum value: 1 Maximum value: 50 |
bfd-dont-enforce-src-port | Enable to not enforce verifying the source port of BFD Packets. enable: Enable verifying the source port of BFD Packets. disable: Disable verifying the source port of BFD Packets. |
option | - |
utf8-spam-tagging | Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. enable: Convert antispam tags to UTF-8. disable: Do not convert antispam tags. |
option | - |
wccp-cache-engine | Enable/disable WCCP cache engine. enable: Enable WCCP cache engine. disable: Disable WCCP cache engine. |
option | - |
vpn-stats-log | Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. ipsec: IPsec. pptp: PPTP. l2tp: L2TP. ssl: SSL. |
option | - |
vpn-stats-period | Period to send VPN log statistics (0 or 60 - 86400 sec). | integer | Minimum value: 0 Maximum value: 4294967295 |
v4-ecmp-mode | IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. source-ip-based: Select next hop based on source IP. weight-based: Select next hop based on weight. usage-based: Select next hop based on usage. source-dest-ip-based: Select next hop based on both source and destination IPs. |
option | - |
mac-ttl | Duration of MAC addresses in Transparent mode (300 - 8640000 sec, default = 300). | integer | Minimum value: 300 Maximum value: 8640000 |
fw-session-hairpin | Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. enable: Perform a policy check every time. disable: Perform a policy check only the first time the session is received. |
option | - |
prp-trailer-action | Enable/disable action to take on PRP trailer. enable: Try to keep PRP trailer. disable: Trim PRP trailer. |
option | - |
snat-hairpin-traffic | Enable/disable source NAT (SNAT) for hairpin traffic. enable: Enable SNAT for hairpin traffic. disable: Disable SNAT for hairpin traffic. |
option | - |
dhcp-proxy | Enable/disable the DHCP Proxy. enable: Enable the DHCP proxy. disable: Disable the DHCP proxy. |
option | - |
dhcp-server-ip | DHCP Server IPv4 address. | user | Not Specified |
dhcp6-server-ip | DHCPv6 server IPv6 address. | user | Not Specified |
central-nat | Enable/disable central NAT. enable: Enable central NAT. disable: Disable central NAT. |
option | - |
gui-default-policy-columns <name> |
Default columns to display for policy lists on GUI. Select column name. |
string | Maximum length: 79 |
lldp-reception | Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM. enable: Enable LLDP reception for this VDOM. disable: Disable LLDP reception for this VDOM. global: Use the global LLDP reception configuration for this VDOM. |
option | - |
lldp-transmission | Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM. enable: Enable LLDP transmission for this VDOM. disable: Disable LLDP transmission for this VDOM. global: Use the global LLDP transmission configuration for this VDOM. |
option | - |
link-down-access | Enable/disable link down access traffic. enable: Allow link down access traffic. disable: Block link down access traffic. |
option | - |
auxiliary-session | Enable/disable auxiliary session. enable: Enable auxiliary session for this VDOM. disable: Disable auxiliary session for this VDOM. |
option | - |
asymroute | Enable/disable IPv4 asymmetric routing. enable: Enable IPv4 asymmetric routing. disable: Disable IPv4 asymmetric routing. |
option | - |
asymroute-icmp | Enable/disable ICMP asymmetric routing. enable: Enable ICMP asymmetric routing. disable: Disable ICMP asymmetric routing. |
option | - |
tcp-session-without-syn | Enable/disable allowing TCP session without SYN flags. enable: Allow TCP session without SYN flags. disable: Do not allow TCP session without SYN flags. |
option | - |
ses-denied-traffic | Enable/disable including denied session in the session table. enable: Include denied sessions in the session table. disable: Do not add denied sessions to the session table. |
option | - |
strict-src-check | Enable/disable strict source verification. enable: Enable strict source verification. disable: Disable strict source verification. |
option | - |
allow-linkdown-path | Enable/disable link down path. enable: Allow link down path. disable: Do not allow link down path. |
option | - |
asymroute6 | Enable/disable asymmetric IPv6 routing. enable: Enable asymmetric IPv6 routing. disable: Disable asymmetric IPv6 routing. |
option | - |
asymroute6-icmp | Enable/disable asymmetric ICMPv6 routing. enable: Enable asymmetric ICMPv6 routing. disable: Disable asymmetric ICMPv6 routing. |
option | - |
sctp-session-without-init | Enable/disable SCTP session creation without SCTP INIT. enable: Enable SCTP session creation without SCTP INIT. disable: Disable SCTP session creation without SCTP INIT. |
option | - |
sip-expectation | Enable/disable the SIP kernel session helper to create an expectation for port 5060. enable: Allow SIP session helper to create an expectation for port 5060. disable: Prevent SIP session helper from creating an expectation for port 5060. |
option | - |
sip-nat-trace | Enable/disable recording the original SIP source IP address when NAT is used. enable: Record the original SIP source IP address when NAT is used. disable: Do not record the original SIP source IP address when NAT is used. |
option | - |
status | Enable/disable this VDOM. enable: Enable this VDOM. disable: Disable this VDOM. |
option | - |
sip-tcp-port | TCP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). | integer | Minimum value: 1 Maximum value: 65535 |
sip-udp-port | UDP port the SIP proxy monitors for SIP traffic (0 - 65535, default = 5060). | integer | Minimum value: 1 Maximum value: 65535 |
sip-ssl-port | TCP port the SIP proxy monitors for SIP SSL/TLS traffic (0 - 65535, default = 5061). | integer | Minimum value: 0 Maximum value: 65535 |
sccp-port | TCP port the SCCP proxy monitors for SCCP traffic (0 - 65535, default = 2000). | integer | Minimum value: 0 Maximum value: 65535 |
multicast-forward | Enable/disable multicast forwarding. enable: Enable multicast forwarding. disable: Disable multicast forwarding. |
option | - |
multicast-ttl-notchange | Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. enable: The multicast TTL is not changed. disable: The multicast TTL may be changed. |
option | - |
multicast-skip-policy | Enable/disable allowing multicast traffic through the FortiGate without a policy check. enable: Allowing multicast traffic through the FortiGate without creating a multicast firewall policy. disable: Require a multicast policy to allow multicast traffic to pass through the FortiGate. |
option | - |
allow-subnet-overlap | Enable/disable allowing interface subnets to use overlapping IP addresses. enable: Enable overlapping subnets. disable: Disable overlapping subnets. |
option | - |
deny-tcp-with-icmp | Enable/disable denying TCP by sending an ICMP communication prohibited packet. enable: Deny TCP with ICMP. disable: Disable denying TCP with ICMP. |
option | - |
ecmp-max-paths | Maximum number of Equal Cost Multi-Path (ECMP) next-hops. Set to 1 to disable ECMP routing (1 - 255, default = 255). | integer | Minimum value: 1 Maximum value: 255 |
discovered-device-timeout | Timeout for discovered devices (1 - 365 days, default = 28). | integer | Minimum value: 1 Maximum value: 365 |
email-portal-check-dns | Enable/disable using DNS to validate email addresses collected by a captive portal. disable: Disable email address checking with DNS. enable: Enable email address checking with DNS. |
option | - |
default-voip-alg-mode | Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. proxy-based: Use a default proxy-based VoIP ALG. kernel-helper-based: Use the SIP session helper. |
option | - |
gui-icap | Enable/disable ICAP on the GUI. enable: Enable ICAP on the GUI. disable: Disable ICAP on the GUI. |
option | - |
gui-nat46-64 | Enable/disable NAT46 and NAT64 settings on the GUI. enable: Enable NAT46 and NAT64 settings on the GUI. disable: Disable NAT46 and NAT64 settings on the GUI. |
option | - |
gui-implicit-policy | Enable/disable implicit firewall policies on the GUI. enable: Enable implicit firewall policies on the GUI. disable: Disable implicit firewall policies on the GUI. |
option | - |
gui-dns-database | Enable/disable DNS database settings on the GUI. enable: Enable DNS database settings on the GUI. disable: Disable DNS database settings on the GUI. |
option | - |
gui-load-balance | Enable/disable server load balancing on the GUI. enable: Enable server load balancing on the GUI. disable: Disable server load balancing on the GUI. |
option | - |
gui-multicast-policy | Enable/disable multicast firewall policies on the GUI. enable: Enable multicast firewall policies on the GUI. disable: Disable multicast firewall policies on the GUI. |
option | - |
gui-dos-policy | Enable/disable DoS policies on the GUI. enable: Enable DoS policies on the GUI. disable: Disable DoS policies on the GUI. |
option | - |
gui-object-colors | Enable/disable object colors on the GUI. enable: Enable object colors on the GUI. disable: Disable object colors on the GUI. |
option | - |
gui-replacement-message-groups | Enable/disable replacement message groups on the GUI. enable: Enable replacement message groups on the GUI. disable: Disable replacement message groups on the GUI. |
option | - |
gui-voip-profile | Enable/disable VoIP profiles on the GUI. enable: Enable VoIP profiles on the GUI. disable: Disable VoIP profiles on the GUI. |
option | - |
gui-ap-profile | Enable/disable FortiAP profiles on the GUI. enable: Enable FortiAP profiles on the GUI. disable: Disable FortiAP profiles on the GUI. |
option | - |
gui-dynamic-profile-display | Enable/disable RADIUS Single Sign On (RSSO) on the GUI. enable: Enable RADIUS Single Sign On (RSSO) on the GUI. disable: Disable RADIUS Single Sign On (RSSO) on the GUI. |
option | - |
gui-local-in-policy | Enable/disable Local-In policies on the GUI. enable: Enable Local-In policies on the GUI. disable: Disable Local-In policies on the GUI. |
option | - |
gui-local-reports | Enable/disable local reports on the GUI. enable: Enable local reports on the GUI. disable: Disable local reports on the GUI. |
option | - |
gui-wanopt-cache | Enable/disable WAN Optimization and Web Caching on the GUI. enable: Enable WAN Optimization and Web Caching on the GUI. disable: Disable WAN Optimization and Web Caching on the GUI. |
option | - |
gui-explicit-proxy | Enable/disable the explicit proxy on the GUI. enable: Enable the explicit proxy on the GUI. disable: Disable the explicit proxy on the GUI. |
option | - |
gui-dynamic-routing | Enable/disable dynamic routing on the GUI. enable: Enable dynamic routing on the GUI. disable: Disable dynamic routing on the GUI. |
option | - |
gui-sslvpn-personal-bookmarks | Enable/disable SSL-VPN personal bookmark management on the GUI. enable: Enable SSL-VPN personal bookmark management on the GUI. disable: Disable SSL-VPN personal bookmark management on the GUI. |
option | - |
gui-sslvpn-realms | Enable/disable SSL-VPN realms on the GUI. enable: Enable SSL-VPN realms on the GUI. disable: Disable SSL-VPN realms on the GUI. |
option | - |
gui-policy-based-ipsec | Enable/disable policy-based IPsec VPN on the GUI. enable: Enable policy-based IPsec VPN on the GUI. disable: Disable policy-based IPsec VPN on the GUI. |
option | - |
gui-threat-weight | Enable/disable threat weight on the GUI. enable: Enable threat weight on the GUI. disable: Disable threat weight on the GUI. |
option | - |
gui-multiple-utm-profiles | Enable/disable multiple UTM profiles on the GUI. enable: Enable multiple UTM profiles on the GUI. disable: Disable multiple UTM profiles on the GUI. |
option | - |
gui-spamfilter | Enable/disable Antispam on the GUI. enable: Enable Antispam on the GUI. disable: Disable Antispam on the GUI. |
option | - |
gui-application-control | Enable/disable application control on the GUI. enable: Enable application control on the GUI. disable: Disable application control on the GUI. |
option | - |
gui-ips | Enable/disable IPS on the GUI. enable: Enable IPS on the GUI. disable: Disable IPS on the GUI. |
option | - |
gui-endpoint-control | Enable/disable endpoint control on the GUI. enable: Enable endpoint control on the GUI. disable: Disable endpoint control on the GUI. |
option | - |
gui-endpoint-control-advanced | Enable/disable advanced endpoint control options on the GUI. enable: Enable advanced endpoint control options on the GUI. disable: Disable advanced endpoint control options on the GUI. |
option | - |
gui-dhcp-advanced | Enable/disable advanced DHCP options on the GUI. enable: Enable advanced DHCP options on the GUI. disable: Disable advanced DHCP options on the GUI. |
option | - |
gui-vpn | Enable/disable VPN tunnels on the GUI. enable: Enable VPN tunnels on the GUI. disable: Disable VPN tunnels on the GUI. |
option | - |
gui-wireless-controller | Enable/disable the wireless controller on the GUI. enable: Enable the wireless controller on the GUI. disable: Disable the wireless controller on the GUI. |
option | - |
gui-switch-controller | Enable/disable the switch controller on the GUI. enable: Enable the switch controller on the GUI. disable: Disable the switch controller on the GUI. |
option | - |
gui-fortiap-split-tunneling | Enable/disable FortiAP split tunneling on the GUI. enable: Enable FortiAP split tunneling on the GUI. disable: Disable FortiAP split tunneling on the GUI. |
option | - |
gui-webfilter-advanced | Enable/disable advanced web filtering on the GUI. enable: Enable advanced web filtering on the GUI. disable: Disable advanced web filtering on the GUI. |
option | - |
gui-traffic-shaping | Enable/disable traffic shaping on the GUI. enable: Enable traffic shaping on the GUI. disable: Disable traffic shaping on the GUI. |
option | - |
gui-wan-load-balancing | Enable/disable SD-WAN on the GUI. enable: Enable SD-WAN on the GUI. disable: Disable SD-WAN on the GUI. |
option | - |
gui-antivirus | Enable/disable AntiVirus on the GUI. enable: Enable AntiVirus on the GUI. disable: Disable AntiVirus on the GUI. |
option | - |
gui-webfilter | Enable/disable Web filtering on the GUI. enable: Enable Web filtering on the GUI. disable: Disable Web filtering on the GUI. |
option | - |
gui-dnsfilter | Enable/disable DNS Filtering on the GUI. enable: Enable DNS Filtering on the GUI. disable: Disable DNS Filtering on the GUI. |
option | - |
gui-waf-profile | Enable/disable Web Application Firewall on the GUI. enable: Enable Web Application Firewall on the GUI. disable: Disable Web Application Firewall on the GUI. |
option | - |
gui-fortiextender-controller | Enable/disable FortiExtender on the GUI. enable: Enable FortiExtender on the GUI. disable: Disable FortiExtender on the GUI. |
option | - |
gui-advanced-policy | Enable/disable advanced policy configuration on the GUI. enable: Enable advanced policy configuration on the GUI. disable: Disable advanced policy configuration on the GUI. |
option | - |
gui-allow-unnamed-policy | Enable/disable the requirement for policy naming on the GUI. enable: Enable the requirement for policy naming on the GUI. disable: Disable the requirement for policy naming on the GUI. |
option | - |
gui-email-collection | Enable/disable email collection on the GUI. enable: Enable email collection on the GUI. disable: Disable email collection on the GUI. |
option | - |
gui-domain-ip-reputation | Enable/disable Domain and IP Reputation on the GUI. enable: Enable Domain and IP Reputation on the GUI. disable: Disable Domain and IP Reputation on the GUI. |
option | - |
gui-multiple-interface-policy | Enable/disable adding multiple interfaces to a policy on the GUI. enable: Enable adding multiple interfaces to a policy on the GUI. disable: Disable adding multiple interfaces to a policy on the GUI. |
option | - |
gui-per-policy-disclaimer | Enable/disable policy disclaimer on the GUI. enable: Enable policy disclaimer on the GUI. disable: Disable policy disclaimer on the GUI. |
option | - |
ike-session-resume | Enable/disable IKEv2 session resumption (RFC 5723). enable: Enable IKEv2 session resumption (RFC 5723). disable: Disable IKEv2 session resumption (RFC 5723). |
option | - |
ike-quick-crash-detect | Enable/disable IKE quick crash detection (RFC 6290). enable: Enable IKE quick crash detection (RFC 6290). disable: Disable IKE quick crash detection (RFC 6290). |
option | - |
ike-dn-format | Configure IKE ASN.1 Distinguished Name format conventions. with-space: Format IKE ASN.1 Distinguished Names with spaces between attribute names and values. no-space: Format IKE ASN.1 Distinguished Names without spaces between attribute names and values. |
option | - |
block-land-attack | Enable/disable blocking of land attacks. disable: Do not block land attack. enable: Block land attack. |
option | - |