Fortinet white logo
Fortinet white logo

CLI Reference

config system global

config system global

Configure global attributes.

config system global
    Description: Configure global attributes.
    set admin-concurrent [enable|disable]
    set admin-console-timeout {integer}
    set admin-forticloud-sso-login [enable|disable]
    set admin-host {string}
    set admin-hsts-max-age {integer}
    set admin-https-pki-required [enable|disable]
    set admin-https-redirect [enable|disable]
    set admin-https-ssl-banned-ciphers {option1}, {option2}, ...
    set admin-https-ssl-ciphersuites {option1}, {option2}, ...
    set admin-https-ssl-versions {option1}, {option2}, ...
    set admin-lockout-duration {integer}
    set admin-lockout-threshold {integer}
    set admin-login-max {integer}
    set admin-maintainer [enable|disable]
    set admin-port {integer}
    set admin-reset-button [enable|disable]
    set admin-restrict-local [enable|disable]
    set admin-scp [enable|disable]
    set admin-server-cert {string}
    set admin-sport {integer}
    set admin-ssh-grace-time {integer}
    set admin-ssh-password [enable|disable]
    set admin-ssh-port {integer}
    set admin-ssh-v1 [enable|disable]
    set admin-telnet [enable|disable]
    set admin-telnet-port {integer}
    set admintimeout {integer}
    set alias {string}
    set allow-traffic-redirect [enable|disable]
    set anti-replay [disable|loose|...]
    set arp-max-entry {integer}
    set auth-cert {string}
    set auth-http-port {integer}
    set auth-https-port {integer}
    set auth-keepalive [enable|disable]
    set auth-session-limit [block-new|logout-inactive]
    set auto-auth-extension-device [enable|disable]
    set autorun-log-fsck [enable|disable]
    set av-affinity {string}
    set av-failopen [pass|off|...]
    set av-failopen-session [enable|disable]
    set batch-cmdb [enable|disable]
    set block-session-timer {integer}
    set br-fdb-max-entry {integer}
    set cert-chain-max {integer}
    set cfg-revert-timeout {integer}
    set cfg-save [automatic|manual|...]
    set check-protocol-header [loose|strict]
    set check-reset-range [strict|disable]
    set cli-audit-log [enable|disable]
    set cloud-communication [enable|disable]
    set clt-cert-req [enable|disable]
    set cmdbsvr-affinity {string}
    set cpu-use-threshold {integer}
    set csr-ca-attribute [enable|disable]
    set daily-restart [enable|disable]
    set default-service-source-port {user}
    set device-idle-timeout {integer}
    set dh-params [1024|1536|...]
    set dnsproxy-worker-count {integer}
    set dst [enable|disable]
    set early-tcp-npu-session [enable|disable]
    set edit-vdom-prompt [enable|disable]
    set extender-controller-reserved-network {ipv4-classnet-host}
    set failtime {integer}
    set faz-disk-buffer-size {integer}
    set fds-statistics [enable|disable]
    set fds-statistics-period {integer}
    set fgd-alert-subscription {option1}, {option2}, ...
    set forticontroller-proxy [enable|disable]
    set forticontroller-proxy-port {integer}
    set fortiextender [disable|enable]
    set fortiextender-data-port {integer}
    set fortiextender-discovery-lockdown [disable|enable]
    set fortiextender-vlan-mode [enable|disable]
    set fortiservice-port {integer}
    set fortitoken-cloud [enable|disable]
    set gui-allow-default-hostname [enable|disable]
    set gui-allow-incompatible-fabric-fgt [enable|disable]
    set gui-cdn-domain-override {string}
    set gui-cdn-usage [enable|disable]
    set gui-certificates [enable|disable]
    set gui-custom-language [enable|disable]
    set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]
    set gui-date-time-source [system|browser]
    set gui-device-latitude {string}
    set gui-device-longitude {string}
    set gui-display-hostname [enable|disable]
    set gui-firmware-upgrade-warning [enable|disable]
    set gui-forticare-registration-setup-warning [enable|disable]
    set gui-fortigate-cloud-sandbox [enable|disable]
    set gui-fortiguard-resource-fetch [enable|disable]
    set gui-ipv6 [enable|disable]
    set gui-local-out [enable|disable]
    set gui-replacement-message-groups [enable|disable]
    set gui-rest-api-cache [enable|disable]
    set gui-theme [jade|neutrino|...]
    set gui-wireless-opensecurity [enable|disable]
    set ha-affinity {string}
    set honor-df [enable|disable]
    set hostname {string}
    set hyper-scale-vdom-num {integer}
    set igmp-state-limit {integer}
    set internal-switch-speed {option1}, {option2}, ...
    set internet-service-database [mini|standard|...]
    set interval {integer}
    set ip-fragment-mem-thresholds {integer}
    set ip-src-port-range {user}
    set ips-affinity {string}
    set ipsec-asic-offload [enable|disable]
    set ipsec-ha-seqjump-rate {integer}
    set ipsec-hmac-offload [enable|disable]
    set ipsec-soft-dec-async [enable|disable]
    set ipv6-accept-dad {integer}
    set ipv6-allow-anycast-probe [enable|disable]
    set ipv6-allow-local-in-slient-drop [enable|disable]
    set ipv6-allow-multicast-probe [enable|disable]
    set ipv6-allow-traffic-redirect [enable|disable]
    set irq-time-accounting [auto|force]
    set language [english|french|...]
    set ldapconntimeout {integer}
    set legacy-poe-device-support [enable|disable]
    set lldp-reception [enable|disable]
    set lldp-transmission [enable|disable]
    set log-ssl-connection [enable|disable]
    set log-uuid-address [enable|disable]
    set login-timestamp [enable|disable]
    set long-vdom-name [enable|disable]
    set management-ip {string}
    set management-port {integer}
    set management-port-use-admin-sport [enable|disable]
    set management-vdom {string}
    set max-route-cache-size {integer}
    set memory-use-threshold-extreme {integer}
    set memory-use-threshold-green {integer}
    set memory-use-threshold-red {integer}
    set miglog-affinity {string}
    set miglogd-children {integer}
    set multi-factor-authentication [optional|mandatory]
    set ndp-max-entry {integer}
    set per-user-bal [enable|disable]
    set pmtu-discovery [enable|disable]
    set policy-auth-concurrent {integer}
    set post-login-banner [disable|enable]
    set pre-login-banner [enable|disable]
    set private-data-encryption [disable|enable]
    set proxy-auth-lifetime [enable|disable]
    set proxy-auth-lifetime-timeout {integer}
    set proxy-auth-timeout {integer}
    set proxy-cert-use-mgmt-vdom [enable|disable]
    set proxy-hardware-acceleration [disable|enable]
    set proxy-re-authentication-mode [session|traffic|...]
    set proxy-resource-mode [enable|disable]
    set proxy-worker-count {integer}
    set radius-port {integer}
    set reboot-upon-config-restore [enable|disable]
    set refresh {integer}
    set remoteauthtimeout {integer}
    set reset-sessionless-tcp [enable|disable]
    set restart-time {user}
    set revision-backup-on-logout [enable|disable]
    set revision-image-auto-backup [enable|disable]
    set scanunit-count {integer}
    set security-rating-result-submission [enable|disable]
    set security-rating-run-on-schedule [enable|disable]
    set send-pmtu-icmp [enable|disable]
    set show-backplane-intf [enable|disable]
    set snat-route-change [enable|disable]
    set special-file-23-support [disable|enable]
    set speedtest-server [enable|disable]
    set split-port {string}
    set ssd-trim-date {integer}
    set ssd-trim-freq [never|hourly|...]
    set ssd-trim-hour {integer}
    set ssd-trim-min {integer}
    set ssd-trim-weekday [sunday|monday|...]
    set ssh-enc-algo {option1}, {option2}, ...
    set ssh-kex-algo {option1}, {option2}, ...
    set ssh-mac-algo {option1}, {option2}, ...
    set ssl-min-proto-version [SSLv3|TLSv1|...]
    set ssl-static-key-ciphers [enable|disable]
    set sslvpn-cipher-hardware-acceleration [enable|disable]
    set sslvpn-ems-sn-check [enable|disable]
    set sslvpn-kxp-hardware-acceleration [enable|disable]
    set sslvpn-max-worker-count {integer}
    set sslvpn-plugin-version-check [enable|disable]
    set strict-dirty-session-check [enable|disable]
    set strong-crypto [enable|disable]
    set switch-controller [disable|enable]
    set switch-controller-reserved-network {ipv4-classnet-host}
    set sys-perf-log-interval {integer}
    set tcp-halfclose-timer {integer}
    set tcp-halfopen-timer {integer}
    set tcp-option [enable|disable]
    set tcp-rst-timer {integer}
    set tcp-timewait-timer {integer}
    set tftp [enable|disable]
    set timezone [01|02|...]
    set traffic-priority [tos|dscp]
    set traffic-priority-level [low|medium|...]
    set two-factor-email-expiry {integer}
    set two-factor-fac-expiry {integer}
    set two-factor-ftk-expiry {integer}
    set two-factor-ftm-expiry {integer}
    set two-factor-sms-expiry {integer}
    set udp-idle-timer {integer}
    set url-filter-affinity {string}
    set url-filter-count {integer}
    set user-device-store-max-devices {integer}
    set user-device-store-max-unified-mem {integer}
    set user-device-store-max-users {integer}
    set user-server-cert {string}
    set vdom-mode [no-vdom|split-vdom|...]
    set vip-arp-range [unlimited|restricted]
    set virtual-switch-vlan [enable|disable]
    set wad-affinity {string}
    set wad-csvc-cs-count {integer}
    set wad-csvc-db-count {integer}
    set wad-memory-change-granularity {integer}
    set wad-source-affinity [disable|enable]
    set wad-worker-count {integer}
    set wifi-ca-certificate {string}
    set wifi-certificate {string}
    set wimax-4g-usb [enable|disable]
    set wireless-controller [enable|disable]
    set wireless-controller-port {integer}
    set wireless-mode [ac|client|...]
end

config system global

Parameter

Description

Type

Size

Default

admin-concurrent

Enable/disable concurrent administrator logins. Use policy-auth-concurrent for firewall authenticated users.

option

-

enable

Option

Description

enable

Enable admin concurrent login.

disable

Disable admin concurrent login.

admin-console-timeout

Console login timeout that overrides the admin timeout value.

integer

Minimum value: 15 Maximum value: 300

0

admin-forticloud-sso-login

Enable/disable FortiCloud admin login via SSO.

option

-

disable

Option

Description

enable

Enable FortiCloud admin login via SSO.

disable

Disable FortiCloud admin login via SSO.

admin-host

Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.

string

Maximum length: 255

admin-hsts-max-age

HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0.

integer

Minimum value: 0 Maximum value: 2147483647

15552000

admin-https-pki-required

Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.

option

-

disable

Option

Description

enable

Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access.

disable

Admin users can login by providing a valid certificate or password.

admin-https-redirect

Enable/disable redirection of HTTP administration access to HTTPS.

option

-

enable

Option

Description

enable

Enable redirecting HTTP administration access to HTTPS.

disable

Disable redirecting HTTP administration access to HTTPS.

admin-https-ssl-banned-ciphers

Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.

option

-

Option

Description

RSA

Ban the use of cipher suites using RSA key.

DHE

Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDHE

Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS

Ban the use of cipher suites using DSS authentication.

ECDSA

Ban the use of cipher suites using ECDSA authentication.

AES

Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM

Ban the use of cipher suites using AES in Galois Counter Mode (GCM).

CAMELLIA

Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES

Ban the use of cipher suites using triple DES.

SHA1

Ban the use of cipher suites using HMAC-SHA1.

SHA256

Ban the use of cipher suites using HMAC-SHA256.

SHA384

Ban the use of cipher suites using HMAC-SHA384.

STATIC

Ban the use of cipher suites using static keys.

CHACHA20

Ban the use of cipher suites using ChaCha20.

ARIA

Ban the use of cipher suites using ARIA.

AESCCM

Ban the use of cipher suites using AESCCM.

admin-https-ssl-ciphersuites

Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.

option

-

TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

Option

Description

TLS-AES-128-GCM-SHA256

Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.

TLS-AES-256-GCM-SHA384

Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.

TLS-CHACHA20-POLY1305-SHA256

Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

TLS-AES-128-CCM-SHA256

Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

TLS-AES-128-CCM-8-SHA256

Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

admin-https-ssl-versions

Allowed TLS versions for web administration.

option

-

tlsv1-2 tlsv1-3

Option

Description

tlsv1-1

TLS 1.1.

tlsv1-2

TLS 1.2.

tlsv1-3

TLS 1.3.

admin-lockout-duration

Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

integer

Minimum value: 1 Maximum value: 2147483647

60

admin-lockout-threshold

Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

integer

Minimum value: 1 Maximum value: 10

3

admin-login-max

Maximum number of administrators who can be logged in at the same time.

integer

Minimum value: 1 Maximum value: 100

100

admin-maintainer

Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.

option

-

enable

Option

Description

enable

Enable login for special user (maintainer).

disable

Disable login for special user (maintainer).

admin-port

Administrative access port for HTTP..

integer

Minimum value: 1 Maximum value: 65535

80

admin-reset-button *

press the reset button can reset to factory default

option

-

enable

Option

Description

enable

press the reset button can reset to factory default

disable

press the reset button cannot reset to factory default

admin-restrict-local

Enable/disable local admin authentication restriction when remote authenticator is up and running.

option

-

disable

Option

Description

enable

Enable local admin authentication restriction.

disable

Disable local admin authentication restriction.

admin-scp

Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.

option

-

disable

Option

Description

enable

Enable allow system configuration download by SCP.

disable

Disable allow system configuration download by SCP.

admin-server-cert

Server certificate that the FortiGate uses for HTTPS administrative connections.

string

Maximum length: 35

self-sign

admin-sport

Administrative access port for HTTPS..

integer

Minimum value: 1 Maximum value: 65535

443

admin-ssh-grace-time

Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating.

integer

Minimum value: 10 Maximum value: 3600

120

admin-ssh-password

Enable/disable password authentication for SSH admin access.

option

-

enable

Option

Description

enable

Enable password authentication for SSH admin access.

disable

Disable password authentication for SSH admin access.

admin-ssh-port

Administrative access port for SSH..

integer

Minimum value: 1 Maximum value: 65535

22

admin-ssh-v1

Enable/disable SSH v1 compatibility.

option

-

disable

Option

Description

enable

Enable SSH v1 compatibility.

disable

Disable SSH v1 compatibility.

admin-telnet

Enable/disable TELNET service.

option

-

enable

Option

Description

enable

Enable TELNET service.

disable

Disable TELNET service.

admin-telnet-port

Administrative access port for TELNET..

integer

Minimum value: 1 Maximum value: 65535

23

admintimeout

Number of minutes before an idle administrator session times out. A shorter idle timeout is more secure.

integer

Minimum value: 1 Maximum value: 480

5

alias

Alias for your FortiGate unit.

string

Maximum length: 35

allow-traffic-redirect

Disable to prevent traffic with same local ingress and egress interface from being forwarded without policy check.

option

-

enable

Option

Description

enable

Enable allow traffic redirect.

disable

Disable allow traffic redirect.

anti-replay

Level of checking for packet replay and TCP sequence checking.

option

-

strict

Option

Description

disable

Disable anti-replay check.

loose

Loose anti-replay check.

strict

Strict anti-replay check.

arp-max-entry

Maximum number of dynamically learned MAC addresses that can be added to the ARP table.

integer

Minimum value: 131072 Maximum value: 2147483647

131072

auth-cert

Server certificate that the FortiGate uses for HTTPS firewall authentication connections.

string

Maximum length: 35

Fortinet_Factory

auth-http-port

User authentication HTTP port..

integer

Minimum value: 1 Maximum value: 65535

1000

auth-https-port

User authentication HTTPS port..

integer

Minimum value: 1 Maximum value: 65535

1003

auth-keepalive

Enable to prevent user authentication sessions from timing out when idle.

option

-

disable

Option

Description

enable

Enable use of keep alive to extend authentication.

disable

Disable use of keep alive to extend authentication.

auth-session-limit

Action to take when the number of allowed user authenticated sessions is reached.

option

-

block-new

Option

Description

block-new

Block new user authentication attempts.

logout-inactive

Logout the most inactive user authenticated sessions.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension devices.

option

-

enable

Option

Description

enable

Enable automatic authorization of dedicated Fortinet extension device globally.

disable

Disable automatic authorization of dedicated Fortinet extension device globally.

autorun-log-fsck

Enable/disable automatic log partition check after ungraceful shutdown.

option

-

disable

Option

Description

enable

Enable automatic log partition check after ungraceful shutdown.

disable

Disable automatic log partition check after ungraceful shutdown.

av-affinity *

Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

0

av-failopen

Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.

option

-

pass

Option

Description

pass

Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.

off

Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.

one-shot

Bypass the antivirus system when memory is low.

av-failopen-session

When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.

option

-

disable

Option

Description

enable

Enable AV fail open session option.

disable

Disable AV fail open session option.

batch-cmdb

Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.

option

-

enable

Option

Description

enable

Enable batch mode to execute in CMDB server.

disable

Disable batch mode to execute in CMDB server.

block-session-timer

Duration in seconds for blocked sessions.

integer

Minimum value: 1 Maximum value: 300

30

br-fdb-max-entry

Maximum number of bridge forwarding database (FDB) entries.

integer

Minimum value: 8192 Maximum value: 2147483647

8192

cert-chain-max

Maximum number of certificates that can be traversed in a certificate chain.

integer

Minimum value: 1 Maximum value: 2147483647

8

cfg-revert-timeout

Time-out for reverting to the last saved configuration..

integer

Minimum value: 10 Maximum value: 4294967295

600

cfg-save

Configuration file save mode for CLI changes.

option

-

automatic

Option

Description

automatic

Automatically save config.

manual

Manually save config.

revert

Manually save config and revert the config when timeout.

check-protocol-header

Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is OK in most cases.

option

-

loose

Option

Description

loose

Check protocol header loosely.

strict

Check protocol header strictly.

check-reset-range

Configure ICMP error message verification. You can either apply strict RST range checking or disable it.

option

-

disable

Option

Description

strict

Check RST range strictly.

disable

Disable RST range check.

cli-audit-log

Enable/disable CLI audit log.

option

-

disable

Option

Description

enable

Enable CLI audit log.

disable

Disable CLI audit log.

cloud-communication

Enable/disable all cloud communication.

option

-

enable

Option

Description

enable

Allow cloud communication.

disable

Disable all cloud-related settings.

clt-cert-req

Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.

option

-

disable

Option

Description

enable

Enable require client certificate for GUI login.

disable

Disable require client certificate for GUI login.

cmdbsvr-affinity

Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

0

cpu-use-threshold

Threshold at which CPU usage is reported.

integer

Minimum value: 50 Maximum value: 99

90

csr-ca-attribute

Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.

option

-

enable

Option

Description

enable

Enable CA attribute in CSR.

disable

Disable CA attribute in CSR.

daily-restart

Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.

option

-

disable

Option

Description

enable

Enable daily reboot of the FortiGate.

disable

Disable daily reboot of the FortiGate.

default-service-source-port

Default service source port range.

user

Not Specified

device-idle-timeout

Time in seconds that a device must be idle to automatically log the device user out..

integer

Minimum value: 30 Maximum value: 31536000

300

dh-params

Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.

option

-

2048

Option

Description

1024

1024 bits.

1536

1536 bits.

2048

2048 bits.

3072

3072 bits.

4096

4096 bits.

6144

6144 bits.

8192

8192 bits.

dnsproxy-worker-count

DNS proxy worker count. For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs.

integer

Minimum value: 1 Maximum value: 8 **

1

dst

Enable/disable daylight saving time.

option

-

enable

Option

Description

enable

Enable daylight saving time.

disable

Disable daylight saving time.

early-tcp-npu-session

Enable/disable early TCP NPU session.

option

-

disable

Option

Description

enable

Enable early TCP NPU session in order to guarantee packet order of 3-way handshake.

disable

Disable early TCP NPU session in order to guarantee packet order of 3-way handshake.

edit-vdom-prompt

Enable/disable edit new VDOM prompt.

option

-

disable

Option

Description

enable

Enable edit new VDOM prompt.

disable

Disable edit new VDOM prompt.

extender-controller-reserved-network

Configure reserved network subnet for managed LAN extension FortiExtender units. This is available when the FortiExtender daemon is running.

ipv4-classnet-host

Not Specified

10.252.0.1 255.255.0.0

failtime

Fail-time for server lost.

integer

Minimum value: 0 Maximum value: 4294967295

5

faz-disk-buffer-size

Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.

integer

Minimum value: 0 Maximum value: 214748364

0

fds-statistics

Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.

option

-

enable

Option

Description

enable

Enable FortiGuard statistics.

disable

Disable FortiGuard statistics.

fds-statistics-period

FortiGuard statistics collection period in minutes..

integer

Minimum value: 1 Maximum value: 1440

60

fgd-alert-subscription

Type of alert to retrieve from FortiGuard.

option

-

Option

Description

advisory

Retrieve FortiGuard advisories, report and news alerts.

latest-threat

Retrieve latest FortiGuard threats alerts.

latest-virus

Retrieve latest FortiGuard virus alerts.

latest-attack

Retrieve latest FortiGuard attack alerts.

new-antivirus-db

Retrieve FortiGuard AV database release alerts.

new-attack-db

Retrieve FortiGuard IPS database release alerts.

forticontroller-proxy *

Enable/disable FortiController proxy.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

forticontroller-proxy-port *

FortiController proxy port.

integer

Minimum value: 1024 Maximum value: 49150

11133

fortiextender

Enable/disable FortiExtender.

option

-

disable **

Option

Description

disable

Disable FortiExtender controller.

enable

Enable FortiExtender controller.

fortiextender-data-port

FortiExtender data port.

integer

Minimum value: 1024 Maximum value: 49150

25246

fortiextender-discovery-lockdown

Enable/disable FortiExtender CAPWAP lockdown.

option

-

disable

Option

Description

disable

Unlock down new FortiExtender device discovery.

enable

Lock down new FortiExtender device discovery.

fortiextender-vlan-mode

Enable/disable FortiExtender VLAN mode.

option

-

disable

Option

Description

enable

Enable FortiExtender VLAN mode.

disable

Disable FortiExtender VLAN mode.

fortiservice-port

FortiService port. Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.

integer

Minimum value: 1 Maximum value: 65535

8013

fortitoken-cloud

Enable/disable FortiToken Cloud service.

option

-

enable

Option

Description

enable

Enable FortiToken Cloud service.

disable

Disable FortiToken Cloud service.

gui-allow-default-hostname

Enable/disable the factory default hostname warning on the GUI setup wizard.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-allow-incompatible-fabric-fgt

Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-cdn-domain-override

Domain of CDN server.

string

Maximum length: 255

gui-cdn-usage

Enable/disable Load GUI static files from a CDN.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-certificates

Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.

option

-

enable **

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-custom-language

Enable/disable custom languages in GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-date-format

Default date format used throughout GUI.

option

-

yyyy/MM/dd

Option

Description

yyyy/MM/dd

Year/Month/Day.

dd/MM/yyyy

Day/Month/Year.

MM/dd/yyyy

Month/Day/Year.

yyyy-MM-dd

Year-Month-Day.

dd-MM-yyyy

Day-Month-Year.

MM-dd-yyyy

Month-Day-Year.

gui-date-time-source

Source from which the FortiGate GUI uses to display date and time entries.

option

-

system

Option

Description

system

Use this FortiGate unit's configured timezone.

browser

Use the web browser's timezone.

gui-device-latitude

Add the latitude of the location of this FortiGate to position it on the Threat Map.

string

Maximum length: 19

gui-device-longitude

Add the longitude of the location of this FortiGate to position it on the Threat Map.

string

Maximum length: 19

gui-display-hostname

Enable/disable displaying the FortiGate's hostname on the GUI login page.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-firmware-upgrade-warning

Enable/disable the firmware upgrade warning on the GUI.

option

-

enable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-forticare-registration-setup-warning

Enable/disable the FortiCare registration setup warning on the GUI.

option

-

enable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-fortigate-cloud-sandbox

Enable/disable displaying FortiGate Cloud Sandbox on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-fortiguard-resource-fetch

Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments.

option

-

enable

Option

Description

enable

Enable retrieving static GUI resources from FortiGuard.

disable

Disable retrieving static GUI resources from FortiGuard.

gui-ipv6

Enable/disable IPv6 settings on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-local-out

Enable/disable Local-out traffic on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-replacement-message-groups

Enable/disable replacement message groups on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-rest-api-cache

Enable/disable REST API result caching on FortiGate.

option

-

enable **

Option

Description

enable

Enable REST API result caching on FortiGate.

disable

Disable REST API result caching on FortiGate.

gui-theme

Color scheme for the administration GUI.

option

-

jade

Option

Description

jade

Jade theme.

neutrino

Neutrino theme.

mariner

Mariner theme.

graphite

Graphite theme.

melongene

Melongene theme.

retro

FortiOS v3 Retro theme.

dark-matter

Dark Matter theme.

onyx

Onyx theme.

eclipse

Eclipse theme.

gui-wireless-opensecurity

Enable/disable wireless open security option on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

ha-affinity

Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

0

honor-df

Enable/disable honoring of Don't-Fragment (DF) flag.

option

-

enable

Option

Description

enable

Enable honoring of Don't-Fragment flag.

disable

Disable honoring of Don't-Fragment flag.

hostname

FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.

string

Maximum length: 35

hyper-scale-vdom-num *

Number of VDOMs for hyper scale license.

integer

Minimum value: 1 Maximum value: 250

250

igmp-state-limit

Maximum number of IGMP memberships.

integer

Minimum value: 96 Maximum value: 128000

3200

internal-switch-speed *

Internal port speed.

option

-

Option

Description

auto

auto

1000full

1000M Full

100full

100M full.

100half

100M half.

10full

10M full.

10half

10M half.

internet-service-database

Configure which Internet Service database size to download from FortiGuard and use.

option

-

full **

Option

Description

mini

Small sized Internet Service database with very limited IP addresses.

standard

Medium sized Internet Service database with most IP addresses.

full

Full sized Internet Service database with all IP addresses.

interval

Dead gateway detection interval.

integer

Minimum value: 0 Maximum value: 4294967295

5

ip-fragment-mem-thresholds

Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.

integer

Minimum value: 32 Maximum value: 2047

32

ip-src-port-range

IP source port range used for traffic originating from the FortiGate unit.

user

Not Specified

1024-25000

ips-affinity *

Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).

string

Maximum length: 79

0

ipsec-asic-offload *

Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.

option

-

enable

Option

Description

enable

Enable ASIC offload for IPsec VPN.

disable

Disable ASIC offload for IPsec VPN.

ipsec-ha-seqjump-rate

ESP jump ahead rate (1G - 10G pps equivalent).

integer

Minimum value: 1 Maximum value: 10

10

ipsec-hmac-offload *

Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.

option

-

enable

Option

Description

enable

Enable offload IPsec HMAC processing to hardware if possible.

disable

Disable offload IPsec HMAC processing to hardware.

ipsec-soft-dec-async

Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.

option

-

disable

Option

Description

enable

Enable software decryption asynchronization for IPsec VPN.

disable

Disable software decryption asynchronization for IPsec VPN.

ipv6-accept-dad

Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).

integer

Minimum value: 0 Maximum value: 2

1

ipv6-allow-anycast-probe

Enable/disable IPv6 address probe through Anycast.

option

-

disable

Option

Description

enable

Enable probing of IPv6 address space through Anycast

disable

Disable probing of IPv6 address space through Anycast

ipv6-allow-local-in-slient-drop

Enable/disable silent drop of IPv6 local-in traffic.

option

-

enable

Option

Description

enable

Enable slient drop of IPv6 local-in traffic.

disable

Disable slient drop of IPv6 local-in traffic.

ipv6-allow-multicast-probe

Enable/disable IPv6 address probe through Multicast.

option

-

disable

Option

Description

enable

Enable probing of IPv6 address space through Multicast.

disable

Disable probing of IPv6 address space through Multicast.

ipv6-allow-traffic-redirect

Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.

option

-

enable

Option

Description

enable

Enable allow traffic IPv6 redirect.

disable

Disable allow traffic IPv6 redirect.

irq-time-accounting

Configure CPU IRQ time accounting mode.

option

-

auto

Option

Description

auto

Automatically switch CPU accounting mode.

force

Force the use of CPU IRQ time accounting mode.

language

GUI display language.

option

-

english

Option

Description

english

English.

french

French.

spanish

Spanish.

portuguese

Portuguese.

japanese

Japanese.

trach

Traditional Chinese.

simch

Simplified Chinese.

korean

Korean.

ldapconntimeout

Global timeout for connections with remote LDAP servers in milliseconds.

integer

Minimum value: 1 Maximum value: 300000

500

legacy-poe-device-support *

Enable/disable legacy POE device support.

option

-

disable

Option

Description

enable

Enable legacy POE device support.

disable

Disable legacy POE device support.

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

-

disable

Option

Description

enable

Enable reception of Link Layer Discovery Protocol (LLDP).

disable

Disable reception of Link Layer Discovery Protocol (LLDP).

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

-

disable

Option

Description

enable

Enable transmission of Link Layer Discovery Protocol (LLDP).

disable

Disable transmission of Link Layer Discovery Protocol (LLDP).

log-ssl-connection

Enable/disable logging of SSL connection events.

option

-

disable

Option

Description

enable

Enable logging of SSL connection events.

disable

Disable logging of SSL connection events.

log-uuid-address

Enable/disable insertion of address UUIDs to traffic logs.

option

-

disable

Option

Description

enable

Enable insertion of address UUID to traffic logs.

disable

Disable insertion of address UUID to traffic logs.

login-timestamp

Enable/disable login time recording.

option

-

disable

Option

Description

enable

Enable login time recording.

disable

Disable login time recording.

long-vdom-name

Enable/disable long VDOM name support.

option

-

disable

Option

Description

enable

Enable long VDOM name support.

disable

Disable long VDOM name support.

management-ip

Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.

string

Maximum length: 255

management-port

Overriding port for management connection (Overrides admin port).

integer

Minimum value: 1 Maximum value: 65535

443

management-port-use-admin-sport

Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.

option

-

enable

Option

Description

enable

Enable use of the admin-sport setting for the management port.

disable

Disable use of the admin-sport setting for the management port.

management-vdom

Management virtual domain name.

string

Maximum length: 31

root

max-route-cache-size

Maximum number of IP route cache entries.

integer

Minimum value: 0 Maximum value: 2147483647

0

memory-use-threshold-extreme

Threshold at which memory usage is considered extreme.

integer

Minimum value: 70 Maximum value: 97

95

memory-use-threshold-green

Threshold at which memory usage forces the FortiGate to exit conserve mode.

integer

Minimum value: 70 Maximum value: 97

82

memory-use-threshold-red

Threshold at which memory usage forces the FortiGate to enter conserve mode.

integer

Minimum value: 70 Maximum value: 97

88

miglog-affinity *

Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 19

0

miglogd-children

Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.

integer

Minimum value: 0 Maximum value: 15

0

multi-factor-authentication

Enforce all login methods to require an additional authentication factor.

option

-

optional

Option

Description

optional

Do not enforce all login methods to require an additional authentication factor (controlled by user settings).

mandatory

Enforce all login methods to require an additional authentication factor.

ndp-max-entry

Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).

integer

Minimum value: 65536 Maximum value: 2147483647

0

per-user-bal *

Enable/disable per-user block/allow list filter.

option

-

disable

Option

Description

enable

Enable per-user block/allow list filter.

disable

Disable per-user block/allow list filter.

pmtu-discovery

Enable/disable path MTU discovery.

option

-

disable

Option

Description

enable

Enable path MTU discovery.

disable

Disable path MTU discovery.

policy-auth-concurrent

Number of concurrent firewall use logins from the same user.

integer

Minimum value: 0 Maximum value: 100

0

post-login-banner

Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.

option

-

disable

Option

Description

disable

Disable post-login banner.

enable

Enable post-login banner.

pre-login-banner

Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.

option

-

disable

Option

Description

enable

Enable pre-login banner.

disable

Disable pre-login banner.

private-data-encryption

Enable/disable private data encryption using an AES 128-bit key or passpharse.

option

-

disable

Option

Description

disable

Disable private data encryption using an AES 128-bit key.

enable

Enable private data encryption using an AES 128-bit key.

proxy-auth-lifetime

Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.

option

-

disable

Option

Description

enable

Enable authenticated users lifetime control.

disable

Disable authenticated users lifetime control.

proxy-auth-lifetime-timeout

Lifetime timeout in minutes for authenticated users.

integer

Minimum value: 5 Maximum value: 65535

480

proxy-auth-timeout

Authentication timeout in minutes for authenticated users.

integer

Minimum value: 1 Maximum value: 300

10

proxy-cert-use-mgmt-vdom

Enable/disable using management VDOM to send requests.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

proxy-hardware-acceleration *

Enable/disable email proxy hardware acceleration.

option

-

enable

Option

Description

disable

Disable email proxy hardware acceleration.

enable

Enable email proxy hardware acceleration.

proxy-re-authentication-mode

Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.

option

-

session

Option

Description

session

Proxy re-authentication timeout begins at the closure of the session.

traffic

Proxy re-authentication timeout begins after traffic has not been received.

absolute

Proxy re-authentication timeout begins when the user was first created.

proxy-resource-mode

Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.

option

-

disable

Option

Description

enable

Enable use of the maximum memory usage.

disable

Disable use of the maximum memory usage.

proxy-worker-count

Proxy worker count.

integer

Minimum value: 1 Maximum value: 8 **

0

radius-port

RADIUS service port number.

integer

Minimum value: 1 Maximum value: 65535

1812

reboot-upon-config-restore

Enable/disable reboot of system upon restoring configuration.

option

-

enable

Option

Description

enable

Enable reboot of system upon restoring configuration.

disable

Disable reboot of system upon restoring configuration.

refresh

Statistics refresh interval second(s) in GUI.

integer

Minimum value: 0 Maximum value: 4294967295

0

remoteauthtimeout

Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers..

integer

Minimum value: 1 Maximum value: 300

5

reset-sessionless-tcp

Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.

option

-

disable

Option

Description

enable

Enable reset session-less TCP.

disable

Disable reset session-less TCP.

restart-time

Daily restart time (hh:mm).

user

Not Specified

revision-backup-on-logout

Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.

option

-

disable

Option

Description

enable

Enable revision config backup automatically when logout.

disable

Disable revision config backup automatically when logout.

revision-image-auto-backup

Enable/disable back-up of the latest image revision after the firmware is upgraded.

option

-

disable

Option

Description

enable

Enable revision image backup automatically when upgrading image.

disable

Disable revision image backup automatically when upgrading image.

scanunit-count

Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.

integer

Minimum value: 1 Maximum value: 8 **

0

security-rating-result-submission

Enable/disable the submission of Security Rating results to FortiGuard.

option

-

enable

Option

Description

enable

Enable submission of Security Rating results to FortiGuard.

disable

Disable submission of Security Rating results to FortiGuard.

security-rating-run-on-schedule

Enable/disable scheduled runs of Security Rating.

option

-

enable

Option

Description

enable

Enable scheduled runs of Security Rating.

disable

Disable scheduled runs of Security Rating.

send-pmtu-icmp

Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.

option

-

enable

Option

Description

enable

Enable sending of PMTU ICMP destination unreachable packet.

disable

Disable sending of PMTU ICMP destination unreachable packet.

show-backplane-intf *

show/hide backplane interfaces

option

-

disable

Option

Description

enable

show backplane interfaces

disable

hide backplane interfaces

snat-route-change

Enable/disable the ability to change the static NAT route.

option

-

disable

Option

Description

enable

Enable SNAT route change.

disable

Disable SNAT route change.

special-file-23-support

Enable/disable detection of those special format files when using Data Leak Protection.

option

-

disable

Option

Description

disable

Disable detection of those special format files when using Data Leak Protection.

enable

Enable detection of those special format files when using Data Leak Protection.

speedtest-server

Enable/disable speed test server.

option

-

disable

Option

Description

enable

Enable speed test server service.

disable

Disable speed test server service.

split-port *

Split port(s) to multiple 10Gbps ports.

string

Maximum length: 15

ssd-trim-date *

Date within a month to run ssd trim.

integer

Minimum value: 1 Maximum value: 31

1

ssd-trim-freq *

How often to run SSD Trim. SSD Trim prevents SSD drive data loss by finding and isolating errors.

option

-

weekly

Option

Description

never

Never Run SSD Trim.

hourly

Run SSD Trim Hourly.

daily

Run SSD Trim Daily.

weekly

Run SSD Trim Weekly.

monthly

Run SSD Trim Monthly.

ssd-trim-hour *

Hour of the day on which to run SSD Trim.

integer

Minimum value: 0 Maximum value: 23

1

ssd-trim-min *

Minute of the hour on which to run SSD Trim.

integer

Minimum value: 0 Maximum value: 60

60

ssd-trim-weekday *

Day of week to run SSD Trim.

option

-

sunday

Option

Description

sunday

Sunday

monday

Monday

tuesday

Tuesday

wednesday

Wednesday

thursday

Thursday

friday

Friday

saturday

Saturday

ssh-enc-algo

Select one or more SSH ciphers.

option

-

chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com

Option

Description

chacha20-poly1305@openssh.com

chacha20-poly1305@openssh.com

aes128-ctr

aes128-ctr

aes192-ctr

aes192-ctr

aes256-ctr

aes256-ctr

arcfour256

arcfour256

arcfour128

arcfour128

aes128-cbc

aes128-cbc

3des-cbc

3des-cbc

blowfish-cbc

blowfish-cbc

cast128-cbc

cast128-cbc

aes192-cbc

aes192-cbc

aes256-cbc

aes256-cbc

arcfour

arcfour

rijndael-cbc@lysator.liu.se

rijndael-cbc@lysator.liu.se

aes128-gcm@openssh.com

aes128-gcm@openssh.com

aes256-gcm@openssh.com

aes256-gcm@openssh.com

ssh-kex-algo

Select one or more SSH kex algorithms.

option

-

diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521

Option

Description

diffie-hellman-group1-sha1

diffie-hellman-group1-sha1

diffie-hellman-group14-sha1

diffie-hellman-group14-sha1

diffie-hellman-group-exchange-sha1

diffie-hellman-group-exchange-sha1

diffie-hellman-group-exchange-sha256

diffie-hellman-group-exchange-sha256

curve25519-sha256@libssh.org

curve25519-sha256@libssh.org

ecdh-sha2-nistp256

ecdh-sha2-nistp256

ecdh-sha2-nistp384

ecdh-sha2-nistp384

ecdh-sha2-nistp521

ecdh-sha2-nistp521

ssh-mac-algo

Select one or more SSH MAC algorithms.

option

-

hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com

Option

Description

hmac-md5

hmac-md5

hmac-md5-etm@openssh.com

hmac-md5-etm@openssh.com

hmac-md5-96

hmac-md5-96

hmac-md5-96-etm@openssh.com

hmac-md5-96-etm@openssh.com

hmac-sha1

hmac-sha1

hmac-sha1-etm@openssh.com

hmac-sha1-etm@openssh.com

hmac-sha2-256

hmac-sha2-256

hmac-sha2-256-etm@openssh.com

hmac-sha2-256-etm@openssh.com

hmac-sha2-512

hmac-sha2-512

hmac-sha2-512-etm@openssh.com

hmac-sha2-512-etm@openssh.com

hmac-ripemd160

hmac-ripemd160

hmac-ripemd160@openssh.com

hmac-ripemd160@openssh.com

hmac-ripemd160-etm@openssh.com

hmac-ripemd160-etm@openssh.com

umac-64@openssh.com

umac-64@openssh.com

umac-128@openssh.com

umac-128@openssh.com

umac-64-etm@openssh.com

umac-64-etm@openssh.com

umac-128-etm@openssh.com

umac-128-etm@openssh.com

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections.

option

-

TLSv1-2

Option

Description

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

TLSv1-3

TLSv1.3.

ssl-static-key-ciphers

Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).

option

-

enable

Option

Description

enable

Enable static key ciphers in SSL/TLS connections.

disable

Disable static key ciphers in SSL/TLS connections.

sslvpn-cipher-hardware-acceleration

Enable/disable SSL-VPN hardware acceleration.

option

-

disable **

Option

Description

enable

Enable SSL-VPN cipher hardware acceleration.

disable

Disable SSL-VPN cipher hardware acceleration.

sslvpn-ems-sn-check

Enable/disable verification of EMS serial number in SSL-VPN connection.

option

-

disable

Option

Description

enable

Enable verification of EMS serial number in SSL-VPN connection.

disable

Disable verification of EMS serial number in SSL-VPN connection.

sslvpn-kxp-hardware-acceleration

Enable/disable SSL-VPN KXP hardware acceleration.

option

-

disable **

Option

Description

enable

Enable KXP SSL-VPN hardware acceleration.

disable

Disable KXP SSL-VPN hardware acceleration.

sslvpn-max-worker-count

Maximum number of SSL-VPN processes. Upper limit for this value is the number of CPUs and depends on the model. Default value of zero means the SSLVPN daemon decides the number of worker processes.

integer

Minimum value: 0 Maximum value: 8 **

0

sslvpn-plugin-version-check

Enable/disable checking browser's plugin version by SSL-VPN.

option

-

enable

Option

Description

enable

Enable SSL-VPN automatic checking of browser plug-in version.

disable

Disable SSL-VPN automatic checking of browser plug-in version.

strict-dirty-session-check

Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.

option

-

enable

Option

Description

enable

Enable strict dirty-session check.

disable

Disable strict dirty-session check.

strong-crypto

Enable to use strong encryption and only allow strong ciphers and digest for HTTPS/SSH/TLS/SSL functions.

option

-

enable

Option

Description

enable

Enable strong crypto for HTTPS/SSH/TLS/SSL.

disable

Disable strong crypto for HTTPS/SSH/TLS/SSL.

switch-controller *

Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.

option

-

disable

Option

Description

disable

Disable switch controller feature.

enable

Enable switch controller feature.

switch-controller-reserved-network *

Configure reserved network subnet for managed switches. This is available when the switch controller is enabled.

ipv4-classnet-host

Not Specified

10.255.0.0 255.255.0.0

sys-perf-log-interval

Time in minutes between updates of performance statistics logging..

integer

Minimum value: 0 Maximum value: 15

5

tcp-halfclose-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded.

integer

Minimum value: 1 Maximum value: 86400

120

tcp-halfopen-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded.

integer

Minimum value: 1 Maximum value: 86400

10

tcp-option

Enable SACK, timestamp and MSS TCP options.

option

-

enable

Option

Description

enable

Enable TCP option.

disable

Disable TCP option.

tcp-rst-timer

Length of the TCP CLOSE state in seconds.

integer

Minimum value: 5 Maximum value: 300

5

tcp-timewait-timer

Length of the TCP TIME-WAIT state in seconds.

integer

Minimum value: 0 Maximum value: 300

1

tftp

Enable/disable TFTP.

option

-

enable

Option

Description

enable

Enable TFTP.

disable

Disable TFTP.

timezone

Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.

option

-

00

Option

Description

01

(GMT-11:00) Midway Island, Samoa

02

(GMT-10:00) Hawaii

03

(GMT-9:00) Alaska

04

(GMT-8:00) Pacific Time (US & Canada)

05

(GMT-7:00) Arizona

81

(GMT-7:00) Baja California Sur, Chihuahua

06

(GMT-7:00) Mountain Time (US & Canada)

07

(GMT-6:00) Central America

08

(GMT-6:00) Central Time (US & Canada)

09

(GMT-6:00) Mexico City

10

(GMT-6:00) Saskatchewan

11

(GMT-5:00) Bogota, Lima,Quito

12

(GMT-5:00) Eastern Time (US & Canada)

13

(GMT-5:00) Indiana (East)

74

(GMT-4:00) Caracas

14

(GMT-4:00) Atlantic Time (Canada)

77

(GMT-4:00) Georgetown

15

(GMT-4:00) La Paz

87

(GMT-4:00) Paraguay

16

(GMT-3:00) Santiago

17

(GMT-3:30) Newfoundland

18

(GMT-3:00) Brasilia

19

(GMT-3:00) Buenos Aires

20

(GMT-3:00) Nuuk (Greenland)

75

(GMT-3:00) Uruguay

21

(GMT-2:00) Mid-Atlantic

22

(GMT-1:00) Azores

23

(GMT-1:00) Cape Verde Is.

24

(GMT) Monrovia

80

(GMT) Greenwich Mean Time

79

(GMT) Casablanca

25

(GMT) Dublin, Edinburgh, Lisbon, London, Canary Is.

26

(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

27

(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

28

(GMT+1:00) Brussels, Copenhagen, Madrid, Paris

78

(GMT+1:00) Namibia

29

(GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb

30

(GMT+1:00) West Central Africa

31

(GMT+2:00) Athens, Sofia, Vilnius

32

(GMT+2:00) Bucharest

33

(GMT+2:00) Cairo

34

(GMT+2:00) Harare, Pretoria

35

(GMT+2:00) Helsinki, Riga, Tallinn

36

(GMT+2:00) Jerusalem

37

(GMT+3:00) Baghdad

38

(GMT+3:00) Kuwait, Riyadh

83

(GMT+3:00) Moscow

84

(GMT+3:00) Minsk

40

(GMT+3:00) Nairobi

85

(GMT+3:00) Istanbul

41

(GMT+3:30) Tehran

42

(GMT+4:00) Abu Dhabi, Muscat

43

(GMT+4:00) Baku

39

(GMT+3:00) St. Petersburg, Volgograd

44

(GMT+4:30) Kabul

46

(GMT+5:00) Islamabad, Karachi, Tashkent

47

(GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi

51

(GMT+5:30) Sri Jayawardenepara

48

(GMT+5:45) Kathmandu

45

(GMT+5:00) Ekaterinburg

49

(GMT+6:00) Almaty, Novosibirsk

50

(GMT+6:00) Astana, Dhaka

52

(GMT+6:30) Rangoon

53

(GMT+7:00) Bangkok, Hanoi, Jakarta

54

(GMT+7:00) Krasnoyarsk

55

(GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk

56

(GMT+8:00) Ulaan Bataar

57

(GMT+8:00) Kuala Lumpur, Singapore

58

(GMT+8:00) Perth

59

(GMT+8:00) Taipei

60

(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul

62

(GMT+9:30) Adelaide

63

(GMT+9:30) Darwin

61

(GMT+9:00) Yakutsk

64

(GMT+10:00) Brisbane

65

(GMT+10:00) Canberra, Melbourne, Sydney

66

(GMT+10:00) Guam, Port Moresby

67

(GMT+10:00) Hobart

68

(GMT+10:00) Vladivostok

69

(GMT+10:00) Magadan

70

(GMT+11:00) Solomon Is., New Caledonia

71

(GMT+12:00) Auckland, Wellington

72

(GMT+12:00) Fiji, Kamchatka, Marshall Is.

00

(GMT+12:00) Eniwetok, Kwajalein

82

(GMT+12:45) Chatham Islands

73

(GMT+13:00) Nuku'alofa

86

(GMT+13:00) Samoa

76

(GMT+14:00) Kiritimati

traffic-priority

Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.

option

-

tos

Option

Description

tos

IP TOS.

dscp

DSCP (DiffServ) DS.

traffic-priority-level

Default system-wide level of priority for traffic prioritization.

option

-

medium

Option

Description

low

Low priority.

medium

Medium priority.

high

High priority.

two-factor-email-expiry

Email-based two-factor authentication session timeout.

integer

Minimum value: 30 Maximum value: 300

60

two-factor-fac-expiry

FortiAuthenticator token authentication session timeout.

integer

Minimum value: 10 Maximum value: 3600

60

two-factor-ftk-expiry

FortiToken authentication session timeout.

integer

Minimum value: 60 Maximum value: 600

60

two-factor-ftm-expiry

FortiToken Mobile session timeout.

integer

Minimum value: 1 Maximum value: 168

72

two-factor-sms-expiry

SMS-based two-factor authentication session timeout.

integer

Minimum value: 30 Maximum value: 300

60

udp-idle-timer

UDP connection session timeout. This command can be useful in managing CPU and memory resources.

integer

Minimum value: 1 Maximum value: 86400

180

url-filter-affinity *

URL filter CPU affinity.

string

Maximum length: 79

0

url-filter-count

URL filter daemon count.

integer

Minimum value: 1 Maximum value: 1 **

1

user-device-store-max-devices

Maximum number of devices allowed in user device store.

integer

Minimum value: 84220 Maximum value: 240629 **

168440 **

user-device-store-max-unified-mem

Maximum unified memory allowed in user device store.

integer

Minimum value: 168440954 Maximum value: 1684409548 **

842204774 **

user-device-store-max-users

Maximum number of users allowed in user device store.

integer

Minimum value: 84220 Maximum value: 240629 **

168440 **

user-server-cert

Certificate to use for https user authentication.

string

Maximum length: 35

Fortinet_Factory

vdom-mode

Enable/disable support for split/multiple virtual domains (VDOMs).

option

-

no-vdom

Option

Description

no-vdom

Disable split/multiple VDOMs mode.

split-vdom

Enable split VDOMs mode.

multi-vdom

Enable multiple VDOMs mode.

vip-arp-range

Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.

option

-

restricted

Option

Description

unlimited

Send ARPs for all addresses in VIP range.

restricted

Send ARPs for the first 8192 addresses in VIP range.

virtual-switch-vlan *

Enable/disable virtual switch VLAN.

option

-

disable

Option

Description

enable

Enable virtual switch VLAN.

disable

Disable virtual switch VLAN.

wad-affinity *

Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

0

wad-csvc-cs-count

Number of concurrent WAD-cache-service object-cache processes.

integer

Minimum value: 1 Maximum value: 1

1

wad-csvc-db-count

Number of concurrent WAD-cache-service byte-cache processes.

integer

Minimum value: 0 Maximum value: 8 **

0

wad-memory-change-granularity

Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.

integer

Minimum value: 5 Maximum value: 25

10

wad-source-affinity

Enable/disable dispatching traffic to WAD workers based on source affinity.

option

-

enable

Option

Description

disable

Disable dispatching traffic to WAD workers based on source affinity.

enable

Enable dispatching traffic to WAD workers based on source affinity.

wad-worker-count

Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.

integer

Minimum value: 0 Maximum value: 8 **

0

wifi-ca-certificate

CA certificate that verifies the WiFi certificate.

string

Maximum length: 79

Fortinet_Wifi_CA

wifi-certificate

Certificate to use for WiFi authentication.

string

Maximum length: 35

Fortinet_Wifi

wimax-4g-usb

Enable/disable comparability with WiMAX 4G USB devices.

option

-

disable

Option

Description

enable

Enable WiMax 4G.

disable

Disable WiMax 4G.

wireless-controller

Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.

option

-

enable

Option

Description

enable

Enable wireless controller.

disable

Disable wireless controller.

wireless-controller-port

Port used for the control channel in wireless controller mode.

integer

Minimum value: 1024 Maximum value: 49150

5246

wireless-mode *

Wireless mode setting.

option

-

ac

Option

Description

ac

Wireless controller with local wireless.

client

Wireless client mode.

fwfap

Obsolete wireless AP mode.

* This parameter may not exist in some models.

** Values may differ between models.

config system global

config system global

Configure global attributes.

config system global
    Description: Configure global attributes.
    set admin-concurrent [enable|disable]
    set admin-console-timeout {integer}
    set admin-forticloud-sso-login [enable|disable]
    set admin-host {string}
    set admin-hsts-max-age {integer}
    set admin-https-pki-required [enable|disable]
    set admin-https-redirect [enable|disable]
    set admin-https-ssl-banned-ciphers {option1}, {option2}, ...
    set admin-https-ssl-ciphersuites {option1}, {option2}, ...
    set admin-https-ssl-versions {option1}, {option2}, ...
    set admin-lockout-duration {integer}
    set admin-lockout-threshold {integer}
    set admin-login-max {integer}
    set admin-maintainer [enable|disable]
    set admin-port {integer}
    set admin-reset-button [enable|disable]
    set admin-restrict-local [enable|disable]
    set admin-scp [enable|disable]
    set admin-server-cert {string}
    set admin-sport {integer}
    set admin-ssh-grace-time {integer}
    set admin-ssh-password [enable|disable]
    set admin-ssh-port {integer}
    set admin-ssh-v1 [enable|disable]
    set admin-telnet [enable|disable]
    set admin-telnet-port {integer}
    set admintimeout {integer}
    set alias {string}
    set allow-traffic-redirect [enable|disable]
    set anti-replay [disable|loose|...]
    set arp-max-entry {integer}
    set auth-cert {string}
    set auth-http-port {integer}
    set auth-https-port {integer}
    set auth-keepalive [enable|disable]
    set auth-session-limit [block-new|logout-inactive]
    set auto-auth-extension-device [enable|disable]
    set autorun-log-fsck [enable|disable]
    set av-affinity {string}
    set av-failopen [pass|off|...]
    set av-failopen-session [enable|disable]
    set batch-cmdb [enable|disable]
    set block-session-timer {integer}
    set br-fdb-max-entry {integer}
    set cert-chain-max {integer}
    set cfg-revert-timeout {integer}
    set cfg-save [automatic|manual|...]
    set check-protocol-header [loose|strict]
    set check-reset-range [strict|disable]
    set cli-audit-log [enable|disable]
    set cloud-communication [enable|disable]
    set clt-cert-req [enable|disable]
    set cmdbsvr-affinity {string}
    set cpu-use-threshold {integer}
    set csr-ca-attribute [enable|disable]
    set daily-restart [enable|disable]
    set default-service-source-port {user}
    set device-idle-timeout {integer}
    set dh-params [1024|1536|...]
    set dnsproxy-worker-count {integer}
    set dst [enable|disable]
    set early-tcp-npu-session [enable|disable]
    set edit-vdom-prompt [enable|disable]
    set extender-controller-reserved-network {ipv4-classnet-host}
    set failtime {integer}
    set faz-disk-buffer-size {integer}
    set fds-statistics [enable|disable]
    set fds-statistics-period {integer}
    set fgd-alert-subscription {option1}, {option2}, ...
    set forticontroller-proxy [enable|disable]
    set forticontroller-proxy-port {integer}
    set fortiextender [disable|enable]
    set fortiextender-data-port {integer}
    set fortiextender-discovery-lockdown [disable|enable]
    set fortiextender-vlan-mode [enable|disable]
    set fortiservice-port {integer}
    set fortitoken-cloud [enable|disable]
    set gui-allow-default-hostname [enable|disable]
    set gui-allow-incompatible-fabric-fgt [enable|disable]
    set gui-cdn-domain-override {string}
    set gui-cdn-usage [enable|disable]
    set gui-certificates [enable|disable]
    set gui-custom-language [enable|disable]
    set gui-date-format [yyyy/MM/dd|dd/MM/yyyy|...]
    set gui-date-time-source [system|browser]
    set gui-device-latitude {string}
    set gui-device-longitude {string}
    set gui-display-hostname [enable|disable]
    set gui-firmware-upgrade-warning [enable|disable]
    set gui-forticare-registration-setup-warning [enable|disable]
    set gui-fortigate-cloud-sandbox [enable|disable]
    set gui-fortiguard-resource-fetch [enable|disable]
    set gui-ipv6 [enable|disable]
    set gui-local-out [enable|disable]
    set gui-replacement-message-groups [enable|disable]
    set gui-rest-api-cache [enable|disable]
    set gui-theme [jade|neutrino|...]
    set gui-wireless-opensecurity [enable|disable]
    set ha-affinity {string}
    set honor-df [enable|disable]
    set hostname {string}
    set hyper-scale-vdom-num {integer}
    set igmp-state-limit {integer}
    set internal-switch-speed {option1}, {option2}, ...
    set internet-service-database [mini|standard|...]
    set interval {integer}
    set ip-fragment-mem-thresholds {integer}
    set ip-src-port-range {user}
    set ips-affinity {string}
    set ipsec-asic-offload [enable|disable]
    set ipsec-ha-seqjump-rate {integer}
    set ipsec-hmac-offload [enable|disable]
    set ipsec-soft-dec-async [enable|disable]
    set ipv6-accept-dad {integer}
    set ipv6-allow-anycast-probe [enable|disable]
    set ipv6-allow-local-in-slient-drop [enable|disable]
    set ipv6-allow-multicast-probe [enable|disable]
    set ipv6-allow-traffic-redirect [enable|disable]
    set irq-time-accounting [auto|force]
    set language [english|french|...]
    set ldapconntimeout {integer}
    set legacy-poe-device-support [enable|disable]
    set lldp-reception [enable|disable]
    set lldp-transmission [enable|disable]
    set log-ssl-connection [enable|disable]
    set log-uuid-address [enable|disable]
    set login-timestamp [enable|disable]
    set long-vdom-name [enable|disable]
    set management-ip {string}
    set management-port {integer}
    set management-port-use-admin-sport [enable|disable]
    set management-vdom {string}
    set max-route-cache-size {integer}
    set memory-use-threshold-extreme {integer}
    set memory-use-threshold-green {integer}
    set memory-use-threshold-red {integer}
    set miglog-affinity {string}
    set miglogd-children {integer}
    set multi-factor-authentication [optional|mandatory]
    set ndp-max-entry {integer}
    set per-user-bal [enable|disable]
    set pmtu-discovery [enable|disable]
    set policy-auth-concurrent {integer}
    set post-login-banner [disable|enable]
    set pre-login-banner [enable|disable]
    set private-data-encryption [disable|enable]
    set proxy-auth-lifetime [enable|disable]
    set proxy-auth-lifetime-timeout {integer}
    set proxy-auth-timeout {integer}
    set proxy-cert-use-mgmt-vdom [enable|disable]
    set proxy-hardware-acceleration [disable|enable]
    set proxy-re-authentication-mode [session|traffic|...]
    set proxy-resource-mode [enable|disable]
    set proxy-worker-count {integer}
    set radius-port {integer}
    set reboot-upon-config-restore [enable|disable]
    set refresh {integer}
    set remoteauthtimeout {integer}
    set reset-sessionless-tcp [enable|disable]
    set restart-time {user}
    set revision-backup-on-logout [enable|disable]
    set revision-image-auto-backup [enable|disable]
    set scanunit-count {integer}
    set security-rating-result-submission [enable|disable]
    set security-rating-run-on-schedule [enable|disable]
    set send-pmtu-icmp [enable|disable]
    set show-backplane-intf [enable|disable]
    set snat-route-change [enable|disable]
    set special-file-23-support [disable|enable]
    set speedtest-server [enable|disable]
    set split-port {string}
    set ssd-trim-date {integer}
    set ssd-trim-freq [never|hourly|...]
    set ssd-trim-hour {integer}
    set ssd-trim-min {integer}
    set ssd-trim-weekday [sunday|monday|...]
    set ssh-enc-algo {option1}, {option2}, ...
    set ssh-kex-algo {option1}, {option2}, ...
    set ssh-mac-algo {option1}, {option2}, ...
    set ssl-min-proto-version [SSLv3|TLSv1|...]
    set ssl-static-key-ciphers [enable|disable]
    set sslvpn-cipher-hardware-acceleration [enable|disable]
    set sslvpn-ems-sn-check [enable|disable]
    set sslvpn-kxp-hardware-acceleration [enable|disable]
    set sslvpn-max-worker-count {integer}
    set sslvpn-plugin-version-check [enable|disable]
    set strict-dirty-session-check [enable|disable]
    set strong-crypto [enable|disable]
    set switch-controller [disable|enable]
    set switch-controller-reserved-network {ipv4-classnet-host}
    set sys-perf-log-interval {integer}
    set tcp-halfclose-timer {integer}
    set tcp-halfopen-timer {integer}
    set tcp-option [enable|disable]
    set tcp-rst-timer {integer}
    set tcp-timewait-timer {integer}
    set tftp [enable|disable]
    set timezone [01|02|...]
    set traffic-priority [tos|dscp]
    set traffic-priority-level [low|medium|...]
    set two-factor-email-expiry {integer}
    set two-factor-fac-expiry {integer}
    set two-factor-ftk-expiry {integer}
    set two-factor-ftm-expiry {integer}
    set two-factor-sms-expiry {integer}
    set udp-idle-timer {integer}
    set url-filter-affinity {string}
    set url-filter-count {integer}
    set user-device-store-max-devices {integer}
    set user-device-store-max-unified-mem {integer}
    set user-device-store-max-users {integer}
    set user-server-cert {string}
    set vdom-mode [no-vdom|split-vdom|...]
    set vip-arp-range [unlimited|restricted]
    set virtual-switch-vlan [enable|disable]
    set wad-affinity {string}
    set wad-csvc-cs-count {integer}
    set wad-csvc-db-count {integer}
    set wad-memory-change-granularity {integer}
    set wad-source-affinity [disable|enable]
    set wad-worker-count {integer}
    set wifi-ca-certificate {string}
    set wifi-certificate {string}
    set wimax-4g-usb [enable|disable]
    set wireless-controller [enable|disable]
    set wireless-controller-port {integer}
    set wireless-mode [ac|client|...]
end

config system global

Parameter

Description

Type

Size

Default

admin-concurrent

Enable/disable concurrent administrator logins. Use policy-auth-concurrent for firewall authenticated users.

option

-

enable

Option

Description

enable

Enable admin concurrent login.

disable

Disable admin concurrent login.

admin-console-timeout

Console login timeout that overrides the admin timeout value.

integer

Minimum value: 15 Maximum value: 300

0

admin-forticloud-sso-login

Enable/disable FortiCloud admin login via SSO.

option

-

disable

Option

Description

enable

Enable FortiCloud admin login via SSO.

disable

Disable FortiCloud admin login via SSO.

admin-host

Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.

string

Maximum length: 255

admin-hsts-max-age

HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser.When admin-https-redirect is disabled the header max-age will be 0.

integer

Minimum value: 0 Maximum value: 2147483647

15552000

admin-https-pki-required

Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.

option

-

disable

Option

Description

enable

Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access.

disable

Admin users can login by providing a valid certificate or password.

admin-https-redirect

Enable/disable redirection of HTTP administration access to HTTPS.

option

-

enable

Option

Description

enable

Enable redirecting HTTP administration access to HTTPS.

disable

Disable redirecting HTTP administration access to HTTPS.

admin-https-ssl-banned-ciphers

Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.

option

-

Option

Description

RSA

Ban the use of cipher suites using RSA key.

DHE

Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDHE

Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS

Ban the use of cipher suites using DSS authentication.

ECDSA

Ban the use of cipher suites using ECDSA authentication.

AES

Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM

Ban the use of cipher suites using AES in Galois Counter Mode (GCM).

CAMELLIA

Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES

Ban the use of cipher suites using triple DES.

SHA1

Ban the use of cipher suites using HMAC-SHA1.

SHA256

Ban the use of cipher suites using HMAC-SHA256.

SHA384

Ban the use of cipher suites using HMAC-SHA384.

STATIC

Ban the use of cipher suites using static keys.

CHACHA20

Ban the use of cipher suites using ChaCha20.

ARIA

Ban the use of cipher suites using ARIA.

AESCCM

Ban the use of cipher suites using AESCCM.

admin-https-ssl-ciphersuites

Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.

option

-

TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256

Option

Description

TLS-AES-128-GCM-SHA256

Enable TLS-AES-128-GCM-SHA256 in TLS 1.3.

TLS-AES-256-GCM-SHA384

Enable TLS-AES-256-GCM-SHA384 in TLS 1.3.

TLS-CHACHA20-POLY1305-SHA256

Enable TLS-CHACHA20-POLY1305-SHA256 in TLS 1.3.

TLS-AES-128-CCM-SHA256

Enable TLS-AES-128-CCM-SHA256 in TLS 1.3.

TLS-AES-128-CCM-8-SHA256

Enable TLS-AES-128-CCM-8-SHA256 in TLS 1.3.

admin-https-ssl-versions

Allowed TLS versions for web administration.

option

-

tlsv1-2 tlsv1-3

Option

Description

tlsv1-1

TLS 1.1.

tlsv1-2

TLS 1.2.

tlsv1-3

TLS 1.3.

admin-lockout-duration

Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

integer

Minimum value: 1 Maximum value: 2147483647

60

admin-lockout-threshold

Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

integer

Minimum value: 1 Maximum value: 10

3

admin-login-max

Maximum number of administrators who can be logged in at the same time.

integer

Minimum value: 1 Maximum value: 100

100

admin-maintainer

Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.

option

-

enable

Option

Description

enable

Enable login for special user (maintainer).

disable

Disable login for special user (maintainer).

admin-port

Administrative access port for HTTP..

integer

Minimum value: 1 Maximum value: 65535

80

admin-reset-button *

press the reset button can reset to factory default

option

-

enable

Option

Description

enable

press the reset button can reset to factory default

disable

press the reset button cannot reset to factory default

admin-restrict-local

Enable/disable local admin authentication restriction when remote authenticator is up and running.

option

-

disable

Option

Description

enable

Enable local admin authentication restriction.

disable

Disable local admin authentication restriction.

admin-scp

Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.

option

-

disable

Option

Description

enable

Enable allow system configuration download by SCP.

disable

Disable allow system configuration download by SCP.

admin-server-cert

Server certificate that the FortiGate uses for HTTPS administrative connections.

string

Maximum length: 35

self-sign

admin-sport

Administrative access port for HTTPS..

integer

Minimum value: 1 Maximum value: 65535

443

admin-ssh-grace-time

Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating.

integer

Minimum value: 10 Maximum value: 3600

120

admin-ssh-password

Enable/disable password authentication for SSH admin access.

option

-

enable

Option

Description

enable

Enable password authentication for SSH admin access.

disable

Disable password authentication for SSH admin access.

admin-ssh-port

Administrative access port for SSH..

integer

Minimum value: 1 Maximum value: 65535

22

admin-ssh-v1

Enable/disable SSH v1 compatibility.

option

-

disable

Option

Description

enable

Enable SSH v1 compatibility.

disable

Disable SSH v1 compatibility.

admin-telnet

Enable/disable TELNET service.

option

-

enable

Option

Description

enable

Enable TELNET service.

disable

Disable TELNET service.

admin-telnet-port

Administrative access port for TELNET..

integer

Minimum value: 1 Maximum value: 65535

23

admintimeout

Number of minutes before an idle administrator session times out. A shorter idle timeout is more secure.

integer

Minimum value: 1 Maximum value: 480

5

alias

Alias for your FortiGate unit.

string

Maximum length: 35

allow-traffic-redirect

Disable to prevent traffic with same local ingress and egress interface from being forwarded without policy check.

option

-

enable

Option

Description

enable

Enable allow traffic redirect.

disable

Disable allow traffic redirect.

anti-replay

Level of checking for packet replay and TCP sequence checking.

option

-

strict

Option

Description

disable

Disable anti-replay check.

loose

Loose anti-replay check.

strict

Strict anti-replay check.

arp-max-entry

Maximum number of dynamically learned MAC addresses that can be added to the ARP table.

integer

Minimum value: 131072 Maximum value: 2147483647

131072

auth-cert

Server certificate that the FortiGate uses for HTTPS firewall authentication connections.

string

Maximum length: 35

Fortinet_Factory

auth-http-port

User authentication HTTP port..

integer

Minimum value: 1 Maximum value: 65535

1000

auth-https-port

User authentication HTTPS port..

integer

Minimum value: 1 Maximum value: 65535

1003

auth-keepalive

Enable to prevent user authentication sessions from timing out when idle.

option

-

disable

Option

Description

enable

Enable use of keep alive to extend authentication.

disable

Disable use of keep alive to extend authentication.

auth-session-limit

Action to take when the number of allowed user authenticated sessions is reached.

option

-

block-new

Option

Description

block-new

Block new user authentication attempts.

logout-inactive

Logout the most inactive user authenticated sessions.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension devices.

option

-

enable

Option

Description

enable

Enable automatic authorization of dedicated Fortinet extension device globally.

disable

Disable automatic authorization of dedicated Fortinet extension device globally.

autorun-log-fsck

Enable/disable automatic log partition check after ungraceful shutdown.

option

-

disable

Option

Description

enable

Enable automatic log partition check after ungraceful shutdown.

disable

Disable automatic log partition check after ungraceful shutdown.

av-affinity *

Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

0

av-failopen

Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.

option

-

pass

Option

Description

pass

Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.

off

Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.

one-shot

Bypass the antivirus system when memory is low.

av-failopen-session

When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.

option

-

disable

Option

Description

enable

Enable AV fail open session option.

disable

Disable AV fail open session option.

batch-cmdb

Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.

option

-

enable

Option

Description

enable

Enable batch mode to execute in CMDB server.

disable

Disable batch mode to execute in CMDB server.

block-session-timer

Duration in seconds for blocked sessions.

integer

Minimum value: 1 Maximum value: 300

30

br-fdb-max-entry

Maximum number of bridge forwarding database (FDB) entries.

integer

Minimum value: 8192 Maximum value: 2147483647

8192

cert-chain-max

Maximum number of certificates that can be traversed in a certificate chain.

integer

Minimum value: 1 Maximum value: 2147483647

8

cfg-revert-timeout

Time-out for reverting to the last saved configuration..

integer

Minimum value: 10 Maximum value: 4294967295

600

cfg-save

Configuration file save mode for CLI changes.

option

-

automatic

Option

Description

automatic

Automatically save config.

manual

Manually save config.

revert

Manually save config and revert the config when timeout.

check-protocol-header

Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is OK in most cases.

option

-

loose

Option

Description

loose

Check protocol header loosely.

strict

Check protocol header strictly.

check-reset-range

Configure ICMP error message verification. You can either apply strict RST range checking or disable it.

option

-

disable

Option

Description

strict

Check RST range strictly.

disable

Disable RST range check.

cli-audit-log

Enable/disable CLI audit log.

option

-

disable

Option

Description

enable

Enable CLI audit log.

disable

Disable CLI audit log.

cloud-communication

Enable/disable all cloud communication.

option

-

enable

Option

Description

enable

Allow cloud communication.

disable

Disable all cloud-related settings.

clt-cert-req

Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.

option

-

disable

Option

Description

enable

Enable require client certificate for GUI login.

disable

Disable require client certificate for GUI login.

cmdbsvr-affinity

Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

0

cpu-use-threshold

Threshold at which CPU usage is reported.

integer

Minimum value: 50 Maximum value: 99

90

csr-ca-attribute

Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.

option

-

enable

Option

Description

enable

Enable CA attribute in CSR.

disable

Disable CA attribute in CSR.

daily-restart

Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.

option

-

disable

Option

Description

enable

Enable daily reboot of the FortiGate.

disable

Disable daily reboot of the FortiGate.

default-service-source-port

Default service source port range.

user

Not Specified

device-idle-timeout

Time in seconds that a device must be idle to automatically log the device user out..

integer

Minimum value: 30 Maximum value: 31536000

300

dh-params

Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.

option

-

2048

Option

Description

1024

1024 bits.

1536

1536 bits.

2048

2048 bits.

3072

3072 bits.

4096

4096 bits.

6144

6144 bits.

8192

8192 bits.

dnsproxy-worker-count

DNS proxy worker count. For a FortiGate with multiple logical CPUs, you can set the DNS process number from 1 to the number of logical CPUs.

integer

Minimum value: 1 Maximum value: 8 **

1

dst

Enable/disable daylight saving time.

option

-

enable

Option

Description

enable

Enable daylight saving time.

disable

Disable daylight saving time.

early-tcp-npu-session

Enable/disable early TCP NPU session.

option

-

disable

Option

Description

enable

Enable early TCP NPU session in order to guarantee packet order of 3-way handshake.

disable

Disable early TCP NPU session in order to guarantee packet order of 3-way handshake.

edit-vdom-prompt

Enable/disable edit new VDOM prompt.

option

-

disable

Option

Description

enable

Enable edit new VDOM prompt.

disable

Disable edit new VDOM prompt.

extender-controller-reserved-network

Configure reserved network subnet for managed LAN extension FortiExtender units. This is available when the FortiExtender daemon is running.

ipv4-classnet-host

Not Specified

10.252.0.1 255.255.0.0

failtime

Fail-time for server lost.

integer

Minimum value: 0 Maximum value: 4294967295

5

faz-disk-buffer-size

Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.

integer

Minimum value: 0 Maximum value: 214748364

0

fds-statistics

Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.

option

-

enable

Option

Description

enable

Enable FortiGuard statistics.

disable

Disable FortiGuard statistics.

fds-statistics-period

FortiGuard statistics collection period in minutes..

integer

Minimum value: 1 Maximum value: 1440

60

fgd-alert-subscription

Type of alert to retrieve from FortiGuard.

option

-

Option

Description

advisory

Retrieve FortiGuard advisories, report and news alerts.

latest-threat

Retrieve latest FortiGuard threats alerts.

latest-virus

Retrieve latest FortiGuard virus alerts.

latest-attack

Retrieve latest FortiGuard attack alerts.

new-antivirus-db

Retrieve FortiGuard AV database release alerts.

new-attack-db

Retrieve FortiGuard IPS database release alerts.

forticontroller-proxy *

Enable/disable FortiController proxy.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

forticontroller-proxy-port *

FortiController proxy port.

integer

Minimum value: 1024 Maximum value: 49150

11133

fortiextender

Enable/disable FortiExtender.

option

-

disable **

Option

Description

disable

Disable FortiExtender controller.

enable

Enable FortiExtender controller.

fortiextender-data-port

FortiExtender data port.

integer

Minimum value: 1024 Maximum value: 49150

25246

fortiextender-discovery-lockdown

Enable/disable FortiExtender CAPWAP lockdown.

option

-

disable

Option

Description

disable

Unlock down new FortiExtender device discovery.

enable

Lock down new FortiExtender device discovery.

fortiextender-vlan-mode

Enable/disable FortiExtender VLAN mode.

option

-

disable

Option

Description

enable

Enable FortiExtender VLAN mode.

disable

Disable FortiExtender VLAN mode.

fortiservice-port

FortiService port. Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.

integer

Minimum value: 1 Maximum value: 65535

8013

fortitoken-cloud

Enable/disable FortiToken Cloud service.

option

-

enable

Option

Description

enable

Enable FortiToken Cloud service.

disable

Disable FortiToken Cloud service.

gui-allow-default-hostname

Enable/disable the factory default hostname warning on the GUI setup wizard.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-allow-incompatible-fabric-fgt

Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-cdn-domain-override

Domain of CDN server.

string

Maximum length: 255

gui-cdn-usage

Enable/disable Load GUI static files from a CDN.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-certificates

Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.

option

-

enable **

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-custom-language

Enable/disable custom languages in GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-date-format

Default date format used throughout GUI.

option

-

yyyy/MM/dd

Option

Description

yyyy/MM/dd

Year/Month/Day.

dd/MM/yyyy

Day/Month/Year.

MM/dd/yyyy

Month/Day/Year.

yyyy-MM-dd

Year-Month-Day.

dd-MM-yyyy

Day-Month-Year.

MM-dd-yyyy

Month-Day-Year.

gui-date-time-source

Source from which the FortiGate GUI uses to display date and time entries.

option

-

system

Option

Description

system

Use this FortiGate unit's configured timezone.

browser

Use the web browser's timezone.

gui-device-latitude

Add the latitude of the location of this FortiGate to position it on the Threat Map.

string

Maximum length: 19

gui-device-longitude

Add the longitude of the location of this FortiGate to position it on the Threat Map.

string

Maximum length: 19

gui-display-hostname

Enable/disable displaying the FortiGate's hostname on the GUI login page.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-firmware-upgrade-warning

Enable/disable the firmware upgrade warning on the GUI.

option

-

enable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-forticare-registration-setup-warning

Enable/disable the FortiCare registration setup warning on the GUI.

option

-

enable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-fortigate-cloud-sandbox

Enable/disable displaying FortiGate Cloud Sandbox on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-fortiguard-resource-fetch

Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments.

option

-

enable

Option

Description

enable

Enable retrieving static GUI resources from FortiGuard.

disable

Disable retrieving static GUI resources from FortiGuard.

gui-ipv6

Enable/disable IPv6 settings on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-local-out

Enable/disable Local-out traffic on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-replacement-message-groups

Enable/disable replacement message groups on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-rest-api-cache

Enable/disable REST API result caching on FortiGate.

option

-

enable **

Option

Description

enable

Enable REST API result caching on FortiGate.

disable

Disable REST API result caching on FortiGate.

gui-theme

Color scheme for the administration GUI.

option

-

jade

Option

Description

jade

Jade theme.

neutrino

Neutrino theme.

mariner

Mariner theme.

graphite

Graphite theme.

melongene

Melongene theme.

retro

FortiOS v3 Retro theme.

dark-matter

Dark Matter theme.

onyx

Onyx theme.

eclipse

Eclipse theme.

gui-wireless-opensecurity

Enable/disable wireless open security option on the GUI.

option

-

disable

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

ha-affinity

Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

0

honor-df

Enable/disable honoring of Don't-Fragment (DF) flag.

option

-

enable

Option

Description

enable

Enable honoring of Don't-Fragment flag.

disable

Disable honoring of Don't-Fragment flag.

hostname

FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.

string

Maximum length: 35

hyper-scale-vdom-num *

Number of VDOMs for hyper scale license.

integer

Minimum value: 1 Maximum value: 250

250

igmp-state-limit

Maximum number of IGMP memberships.

integer

Minimum value: 96 Maximum value: 128000

3200

internal-switch-speed *

Internal port speed.

option

-

Option

Description

auto

auto

1000full

1000M Full

100full

100M full.

100half

100M half.

10full

10M full.

10half

10M half.

internet-service-database

Configure which Internet Service database size to download from FortiGuard and use.

option

-

full **

Option

Description

mini

Small sized Internet Service database with very limited IP addresses.

standard

Medium sized Internet Service database with most IP addresses.

full

Full sized Internet Service database with all IP addresses.

interval

Dead gateway detection interval.

integer

Minimum value: 0 Maximum value: 4294967295

5

ip-fragment-mem-thresholds

Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.

integer

Minimum value: 32 Maximum value: 2047

32

ip-src-port-range

IP source port range used for traffic originating from the FortiGate unit.

user

Not Specified

1024-25000

ips-affinity *

Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).

string

Maximum length: 79

0

ipsec-asic-offload *

Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.

option

-

enable

Option

Description

enable

Enable ASIC offload for IPsec VPN.

disable

Disable ASIC offload for IPsec VPN.

ipsec-ha-seqjump-rate

ESP jump ahead rate (1G - 10G pps equivalent).

integer

Minimum value: 1 Maximum value: 10

10

ipsec-hmac-offload *

Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.

option

-

enable

Option

Description

enable

Enable offload IPsec HMAC processing to hardware if possible.

disable

Disable offload IPsec HMAC processing to hardware.

ipsec-soft-dec-async

Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.

option

-

disable

Option

Description

enable

Enable software decryption asynchronization for IPsec VPN.

disable

Disable software decryption asynchronization for IPsec VPN.

ipv6-accept-dad

Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).

integer

Minimum value: 0 Maximum value: 2

1

ipv6-allow-anycast-probe

Enable/disable IPv6 address probe through Anycast.

option

-

disable

Option

Description

enable

Enable probing of IPv6 address space through Anycast

disable

Disable probing of IPv6 address space through Anycast

ipv6-allow-local-in-slient-drop

Enable/disable silent drop of IPv6 local-in traffic.

option

-

enable

Option

Description

enable

Enable slient drop of IPv6 local-in traffic.

disable

Disable slient drop of IPv6 local-in traffic.

ipv6-allow-multicast-probe

Enable/disable IPv6 address probe through Multicast.

option

-

disable

Option

Description

enable

Enable probing of IPv6 address space through Multicast.

disable

Disable probing of IPv6 address space through Multicast.

ipv6-allow-traffic-redirect

Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.

option

-

enable

Option

Description

enable

Enable allow traffic IPv6 redirect.

disable

Disable allow traffic IPv6 redirect.

irq-time-accounting

Configure CPU IRQ time accounting mode.

option

-

auto

Option

Description

auto

Automatically switch CPU accounting mode.

force

Force the use of CPU IRQ time accounting mode.

language

GUI display language.

option

-

english

Option

Description

english

English.

french

French.

spanish

Spanish.

portuguese

Portuguese.

japanese

Japanese.

trach

Traditional Chinese.

simch

Simplified Chinese.

korean

Korean.

ldapconntimeout

Global timeout for connections with remote LDAP servers in milliseconds.

integer

Minimum value: 1 Maximum value: 300000

500

legacy-poe-device-support *

Enable/disable legacy POE device support.

option

-

disable

Option

Description

enable

Enable legacy POE device support.

disable

Disable legacy POE device support.

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception.

option

-

disable

Option

Description

enable

Enable reception of Link Layer Discovery Protocol (LLDP).

disable

Disable reception of Link Layer Discovery Protocol (LLDP).

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission.

option

-

disable

Option

Description

enable

Enable transmission of Link Layer Discovery Protocol (LLDP).

disable

Disable transmission of Link Layer Discovery Protocol (LLDP).

log-ssl-connection

Enable/disable logging of SSL connection events.

option

-

disable

Option

Description

enable

Enable logging of SSL connection events.

disable

Disable logging of SSL connection events.

log-uuid-address

Enable/disable insertion of address UUIDs to traffic logs.

option

-

disable

Option

Description

enable

Enable insertion of address UUID to traffic logs.

disable

Disable insertion of address UUID to traffic logs.

login-timestamp

Enable/disable login time recording.

option

-

disable

Option

Description

enable

Enable login time recording.

disable

Disable login time recording.

long-vdom-name

Enable/disable long VDOM name support.

option

-

disable

Option

Description

enable

Enable long VDOM name support.

disable

Disable long VDOM name support.

management-ip

Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.

string

Maximum length: 255

management-port

Overriding port for management connection (Overrides admin port).

integer

Minimum value: 1 Maximum value: 65535

443

management-port-use-admin-sport

Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.

option

-

enable

Option

Description

enable

Enable use of the admin-sport setting for the management port.

disable

Disable use of the admin-sport setting for the management port.

management-vdom

Management virtual domain name.

string

Maximum length: 31

root

max-route-cache-size

Maximum number of IP route cache entries.

integer

Minimum value: 0 Maximum value: 2147483647

0

memory-use-threshold-extreme

Threshold at which memory usage is considered extreme.

integer

Minimum value: 70 Maximum value: 97

95

memory-use-threshold-green

Threshold at which memory usage forces the FortiGate to exit conserve mode.

integer

Minimum value: 70 Maximum value: 97

82

memory-use-threshold-red

Threshold at which memory usage forces the FortiGate to enter conserve mode.

integer

Minimum value: 70 Maximum value: 97

88

miglog-affinity *

Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 19

0

miglogd-children

Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.

integer

Minimum value: 0 Maximum value: 15

0

multi-factor-authentication

Enforce all login methods to require an additional authentication factor.

option

-

optional

Option

Description

optional

Do not enforce all login methods to require an additional authentication factor (controlled by user settings).

mandatory

Enforce all login methods to require an additional authentication factor.

ndp-max-entry

Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).

integer

Minimum value: 65536 Maximum value: 2147483647

0

per-user-bal *

Enable/disable per-user block/allow list filter.

option

-

disable

Option

Description

enable

Enable per-user block/allow list filter.

disable

Disable per-user block/allow list filter.

pmtu-discovery

Enable/disable path MTU discovery.

option

-

disable

Option

Description

enable

Enable path MTU discovery.

disable

Disable path MTU discovery.

policy-auth-concurrent

Number of concurrent firewall use logins from the same user.

integer

Minimum value: 0 Maximum value: 100

0

post-login-banner

Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.

option

-

disable

Option

Description

disable

Disable post-login banner.

enable

Enable post-login banner.

pre-login-banner

Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.

option

-

disable

Option

Description

enable

Enable pre-login banner.

disable

Disable pre-login banner.

private-data-encryption

Enable/disable private data encryption using an AES 128-bit key or passpharse.

option

-

disable

Option

Description

disable

Disable private data encryption using an AES 128-bit key.

enable

Enable private data encryption using an AES 128-bit key.

proxy-auth-lifetime

Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.

option

-

disable

Option

Description

enable

Enable authenticated users lifetime control.

disable

Disable authenticated users lifetime control.

proxy-auth-lifetime-timeout

Lifetime timeout in minutes for authenticated users.

integer

Minimum value: 5 Maximum value: 65535

480

proxy-auth-timeout

Authentication timeout in minutes for authenticated users.

integer

Minimum value: 1 Maximum value: 300

10

proxy-cert-use-mgmt-vdom

Enable/disable using management VDOM to send requests.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

proxy-hardware-acceleration *

Enable/disable email proxy hardware acceleration.

option

-

enable

Option

Description

disable

Disable email proxy hardware acceleration.

enable

Enable email proxy hardware acceleration.

proxy-re-authentication-mode

Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.

option

-

session

Option

Description

session

Proxy re-authentication timeout begins at the closure of the session.

traffic

Proxy re-authentication timeout begins after traffic has not been received.

absolute

Proxy re-authentication timeout begins when the user was first created.

proxy-resource-mode

Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.

option

-

disable

Option

Description

enable

Enable use of the maximum memory usage.

disable

Disable use of the maximum memory usage.

proxy-worker-count

Proxy worker count.

integer

Minimum value: 1 Maximum value: 8 **

0

radius-port

RADIUS service port number.

integer

Minimum value: 1 Maximum value: 65535

1812

reboot-upon-config-restore

Enable/disable reboot of system upon restoring configuration.

option

-

enable

Option

Description

enable

Enable reboot of system upon restoring configuration.

disable

Disable reboot of system upon restoring configuration.

refresh

Statistics refresh interval second(s) in GUI.

integer

Minimum value: 0 Maximum value: 4294967295

0

remoteauthtimeout

Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers..

integer

Minimum value: 1 Maximum value: 300

5

reset-sessionless-tcp

Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.

option

-

disable

Option

Description

enable

Enable reset session-less TCP.

disable

Disable reset session-less TCP.

restart-time

Daily restart time (hh:mm).

user

Not Specified

revision-backup-on-logout

Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.

option

-

disable

Option

Description

enable

Enable revision config backup automatically when logout.

disable

Disable revision config backup automatically when logout.

revision-image-auto-backup

Enable/disable back-up of the latest image revision after the firmware is upgraded.

option

-

disable

Option

Description

enable

Enable revision image backup automatically when upgrading image.

disable

Disable revision image backup automatically when upgrading image.

scanunit-count

Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.

integer

Minimum value: 1 Maximum value: 8 **

0

security-rating-result-submission

Enable/disable the submission of Security Rating results to FortiGuard.

option

-

enable

Option

Description

enable

Enable submission of Security Rating results to FortiGuard.

disable

Disable submission of Security Rating results to FortiGuard.

security-rating-run-on-schedule

Enable/disable scheduled runs of Security Rating.

option

-

enable

Option

Description

enable

Enable scheduled runs of Security Rating.

disable

Disable scheduled runs of Security Rating.

send-pmtu-icmp

Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.

option

-

enable

Option

Description

enable

Enable sending of PMTU ICMP destination unreachable packet.

disable

Disable sending of PMTU ICMP destination unreachable packet.

show-backplane-intf *

show/hide backplane interfaces

option

-

disable

Option

Description

enable

show backplane interfaces

disable

hide backplane interfaces

snat-route-change

Enable/disable the ability to change the static NAT route.

option

-

disable

Option

Description

enable

Enable SNAT route change.

disable

Disable SNAT route change.

special-file-23-support

Enable/disable detection of those special format files when using Data Leak Protection.

option

-

disable

Option

Description

disable

Disable detection of those special format files when using Data Leak Protection.

enable

Enable detection of those special format files when using Data Leak Protection.

speedtest-server

Enable/disable speed test server.

option

-

disable

Option

Description

enable

Enable speed test server service.

disable

Disable speed test server service.

split-port *

Split port(s) to multiple 10Gbps ports.

string

Maximum length: 15

ssd-trim-date *

Date within a month to run ssd trim.

integer

Minimum value: 1 Maximum value: 31

1

ssd-trim-freq *

How often to run SSD Trim. SSD Trim prevents SSD drive data loss by finding and isolating errors.

option

-

weekly

Option

Description

never

Never Run SSD Trim.

hourly

Run SSD Trim Hourly.

daily

Run SSD Trim Daily.

weekly

Run SSD Trim Weekly.

monthly

Run SSD Trim Monthly.

ssd-trim-hour *

Hour of the day on which to run SSD Trim.

integer

Minimum value: 0 Maximum value: 23

1

ssd-trim-min *

Minute of the hour on which to run SSD Trim.

integer

Minimum value: 0 Maximum value: 60

60

ssd-trim-weekday *

Day of week to run SSD Trim.

option

-

sunday

Option

Description

sunday

Sunday

monday

Monday

tuesday

Tuesday

wednesday

Wednesday

thursday

Thursday

friday

Friday

saturday

Saturday

ssh-enc-algo

Select one or more SSH ciphers.

option

-

chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com

Option

Description

chacha20-poly1305@openssh.com

chacha20-poly1305@openssh.com

aes128-ctr

aes128-ctr

aes192-ctr

aes192-ctr

aes256-ctr

aes256-ctr

arcfour256

arcfour256

arcfour128

arcfour128

aes128-cbc

aes128-cbc

3des-cbc

3des-cbc

blowfish-cbc

blowfish-cbc

cast128-cbc

cast128-cbc

aes192-cbc

aes192-cbc

aes256-cbc

aes256-cbc

arcfour

arcfour

rijndael-cbc@lysator.liu.se

rijndael-cbc@lysator.liu.se

aes128-gcm@openssh.com

aes128-gcm@openssh.com

aes256-gcm@openssh.com

aes256-gcm@openssh.com

ssh-kex-algo

Select one or more SSH kex algorithms.

option

-

diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521

Option

Description

diffie-hellman-group1-sha1

diffie-hellman-group1-sha1

diffie-hellman-group14-sha1

diffie-hellman-group14-sha1

diffie-hellman-group-exchange-sha1

diffie-hellman-group-exchange-sha1

diffie-hellman-group-exchange-sha256

diffie-hellman-group-exchange-sha256

curve25519-sha256@libssh.org

curve25519-sha256@libssh.org

ecdh-sha2-nistp256

ecdh-sha2-nistp256

ecdh-sha2-nistp384

ecdh-sha2-nistp384

ecdh-sha2-nistp521

ecdh-sha2-nistp521

ssh-mac-algo

Select one or more SSH MAC algorithms.

option

-

hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com

Option

Description

hmac-md5

hmac-md5

hmac-md5-etm@openssh.com

hmac-md5-etm@openssh.com

hmac-md5-96

hmac-md5-96

hmac-md5-96-etm@openssh.com

hmac-md5-96-etm@openssh.com

hmac-sha1

hmac-sha1

hmac-sha1-etm@openssh.com

hmac-sha1-etm@openssh.com

hmac-sha2-256

hmac-sha2-256

hmac-sha2-256-etm@openssh.com

hmac-sha2-256-etm@openssh.com

hmac-sha2-512

hmac-sha2-512

hmac-sha2-512-etm@openssh.com

hmac-sha2-512-etm@openssh.com

hmac-ripemd160

hmac-ripemd160

hmac-ripemd160@openssh.com

hmac-ripemd160@openssh.com

hmac-ripemd160-etm@openssh.com

hmac-ripemd160-etm@openssh.com

umac-64@openssh.com

umac-64@openssh.com

umac-128@openssh.com

umac-128@openssh.com

umac-64-etm@openssh.com

umac-64-etm@openssh.com

umac-128-etm@openssh.com

umac-128-etm@openssh.com

ssl-min-proto-version

Minimum supported protocol version for SSL/TLS connections.

option

-

TLSv1-2

Option

Description

SSLv3

SSLv3.

TLSv1

TLSv1.

TLSv1-1

TLSv1.1.

TLSv1-2

TLSv1.2.

TLSv1-3

TLSv1.3.

ssl-static-key-ciphers

Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).

option

-

enable

Option

Description

enable

Enable static key ciphers in SSL/TLS connections.

disable

Disable static key ciphers in SSL/TLS connections.

sslvpn-cipher-hardware-acceleration

Enable/disable SSL-VPN hardware acceleration.

option

-

disable **

Option

Description

enable

Enable SSL-VPN cipher hardware acceleration.

disable

Disable SSL-VPN cipher hardware acceleration.

sslvpn-ems-sn-check

Enable/disable verification of EMS serial number in SSL-VPN connection.

option

-

disable

Option

Description

enable

Enable verification of EMS serial number in SSL-VPN connection.

disable

Disable verification of EMS serial number in SSL-VPN connection.

sslvpn-kxp-hardware-acceleration

Enable/disable SSL-VPN KXP hardware acceleration.

option

-

disable **

Option

Description

enable

Enable KXP SSL-VPN hardware acceleration.

disable

Disable KXP SSL-VPN hardware acceleration.

sslvpn-max-worker-count

Maximum number of SSL-VPN processes. Upper limit for this value is the number of CPUs and depends on the model. Default value of zero means the SSLVPN daemon decides the number of worker processes.

integer

Minimum value: 0 Maximum value: 8 **

0

sslvpn-plugin-version-check

Enable/disable checking browser's plugin version by SSL-VPN.

option

-

enable

Option

Description

enable

Enable SSL-VPN automatic checking of browser plug-in version.

disable

Disable SSL-VPN automatic checking of browser plug-in version.

strict-dirty-session-check

Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.

option

-

enable

Option

Description

enable

Enable strict dirty-session check.

disable

Disable strict dirty-session check.

strong-crypto

Enable to use strong encryption and only allow strong ciphers and digest for HTTPS/SSH/TLS/SSL functions.

option

-

enable

Option

Description

enable

Enable strong crypto for HTTPS/SSH/TLS/SSL.

disable

Disable strong crypto for HTTPS/SSH/TLS/SSL.

switch-controller *

Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.

option

-

disable

Option

Description

disable

Disable switch controller feature.

enable

Enable switch controller feature.

switch-controller-reserved-network *

Configure reserved network subnet for managed switches. This is available when the switch controller is enabled.

ipv4-classnet-host

Not Specified

10.255.0.0 255.255.0.0

sys-perf-log-interval

Time in minutes between updates of performance statistics logging..

integer

Minimum value: 0 Maximum value: 15

5

tcp-halfclose-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded.

integer

Minimum value: 1 Maximum value: 86400

120

tcp-halfopen-timer

Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded.

integer

Minimum value: 1 Maximum value: 86400

10

tcp-option

Enable SACK, timestamp and MSS TCP options.

option

-

enable

Option

Description

enable

Enable TCP option.

disable

Disable TCP option.

tcp-rst-timer

Length of the TCP CLOSE state in seconds.

integer

Minimum value: 5 Maximum value: 300

5

tcp-timewait-timer

Length of the TCP TIME-WAIT state in seconds.

integer

Minimum value: 0 Maximum value: 300

1

tftp

Enable/disable TFTP.

option

-

enable

Option

Description

enable

Enable TFTP.

disable

Disable TFTP.

timezone

Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.

option

-

00

Option

Description

01

(GMT-11:00) Midway Island, Samoa

02

(GMT-10:00) Hawaii

03

(GMT-9:00) Alaska

04

(GMT-8:00) Pacific Time (US & Canada)

05

(GMT-7:00) Arizona

81

(GMT-7:00) Baja California Sur, Chihuahua

06

(GMT-7:00) Mountain Time (US & Canada)

07

(GMT-6:00) Central America

08

(GMT-6:00) Central Time (US & Canada)

09

(GMT-6:00) Mexico City

10

(GMT-6:00) Saskatchewan

11

(GMT-5:00) Bogota, Lima,Quito

12

(GMT-5:00) Eastern Time (US & Canada)

13

(GMT-5:00) Indiana (East)

74

(GMT-4:00) Caracas

14

(GMT-4:00) Atlantic Time (Canada)

77

(GMT-4:00) Georgetown

15

(GMT-4:00) La Paz

87

(GMT-4:00) Paraguay

16

(GMT-3:00) Santiago

17

(GMT-3:30) Newfoundland

18

(GMT-3:00) Brasilia

19

(GMT-3:00) Buenos Aires

20

(GMT-3:00) Nuuk (Greenland)

75

(GMT-3:00) Uruguay

21

(GMT-2:00) Mid-Atlantic

22

(GMT-1:00) Azores

23

(GMT-1:00) Cape Verde Is.

24

(GMT) Monrovia

80

(GMT) Greenwich Mean Time

79

(GMT) Casablanca

25

(GMT) Dublin, Edinburgh, Lisbon, London, Canary Is.

26

(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

27

(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

28

(GMT+1:00) Brussels, Copenhagen, Madrid, Paris

78

(GMT+1:00) Namibia

29

(GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb

30

(GMT+1:00) West Central Africa

31

(GMT+2:00) Athens, Sofia, Vilnius

32

(GMT+2:00) Bucharest

33

(GMT+2:00) Cairo

34

(GMT+2:00) Harare, Pretoria

35

(GMT+2:00) Helsinki, Riga, Tallinn

36

(GMT+2:00) Jerusalem

37

(GMT+3:00) Baghdad

38

(GMT+3:00) Kuwait, Riyadh

83

(GMT+3:00) Moscow

84

(GMT+3:00) Minsk

40

(GMT+3:00) Nairobi

85

(GMT+3:00) Istanbul

41

(GMT+3:30) Tehran

42

(GMT+4:00) Abu Dhabi, Muscat

43

(GMT+4:00) Baku

39

(GMT+3:00) St. Petersburg, Volgograd

44

(GMT+4:30) Kabul

46

(GMT+5:00) Islamabad, Karachi, Tashkent

47

(GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi

51

(GMT+5:30) Sri Jayawardenepara

48

(GMT+5:45) Kathmandu

45

(GMT+5:00) Ekaterinburg

49

(GMT+6:00) Almaty, Novosibirsk

50

(GMT+6:00) Astana, Dhaka

52

(GMT+6:30) Rangoon

53

(GMT+7:00) Bangkok, Hanoi, Jakarta

54

(GMT+7:00) Krasnoyarsk

55

(GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk

56

(GMT+8:00) Ulaan Bataar

57

(GMT+8:00) Kuala Lumpur, Singapore

58

(GMT+8:00) Perth

59

(GMT+8:00) Taipei

60

(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul

62

(GMT+9:30) Adelaide

63

(GMT+9:30) Darwin

61

(GMT+9:00) Yakutsk

64

(GMT+10:00) Brisbane

65

(GMT+10:00) Canberra, Melbourne, Sydney

66

(GMT+10:00) Guam, Port Moresby

67

(GMT+10:00) Hobart

68

(GMT+10:00) Vladivostok

69

(GMT+10:00) Magadan

70

(GMT+11:00) Solomon Is., New Caledonia

71

(GMT+12:00) Auckland, Wellington

72

(GMT+12:00) Fiji, Kamchatka, Marshall Is.

00

(GMT+12:00) Eniwetok, Kwajalein

82

(GMT+12:45) Chatham Islands

73

(GMT+13:00) Nuku'alofa

86

(GMT+13:00) Samoa

76

(GMT+14:00) Kiritimati

traffic-priority

Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.

option

-

tos

Option

Description

tos

IP TOS.

dscp

DSCP (DiffServ) DS.

traffic-priority-level

Default system-wide level of priority for traffic prioritization.

option

-

medium

Option

Description

low

Low priority.

medium

Medium priority.

high

High priority.

two-factor-email-expiry

Email-based two-factor authentication session timeout.

integer

Minimum value: 30 Maximum value: 300

60

two-factor-fac-expiry

FortiAuthenticator token authentication session timeout.

integer

Minimum value: 10 Maximum value: 3600

60

two-factor-ftk-expiry

FortiToken authentication session timeout.

integer

Minimum value: 60 Maximum value: 600

60

two-factor-ftm-expiry

FortiToken Mobile session timeout.

integer

Minimum value: 1 Maximum value: 168

72

two-factor-sms-expiry

SMS-based two-factor authentication session timeout.

integer

Minimum value: 30 Maximum value: 300

60

udp-idle-timer

UDP connection session timeout. This command can be useful in managing CPU and memory resources.

integer

Minimum value: 1 Maximum value: 86400

180

url-filter-affinity *

URL filter CPU affinity.

string

Maximum length: 79

0

url-filter-count

URL filter daemon count.

integer

Minimum value: 1 Maximum value: 1 **

1

user-device-store-max-devices

Maximum number of devices allowed in user device store.

integer

Minimum value: 84220 Maximum value: 240629 **

168440 **

user-device-store-max-unified-mem

Maximum unified memory allowed in user device store.

integer

Minimum value: 168440954 Maximum value: 1684409548 **

842204774 **

user-device-store-max-users

Maximum number of users allowed in user device store.

integer

Minimum value: 84220 Maximum value: 240629 **

168440 **

user-server-cert

Certificate to use for https user authentication.

string

Maximum length: 35

Fortinet_Factory

vdom-mode

Enable/disable support for split/multiple virtual domains (VDOMs).

option

-

no-vdom

Option

Description

no-vdom

Disable split/multiple VDOMs mode.

split-vdom

Enable split VDOMs mode.

multi-vdom

Enable multiple VDOMs mode.

vip-arp-range

Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.

option

-

restricted

Option

Description

unlimited

Send ARPs for all addresses in VIP range.

restricted

Send ARPs for the first 8192 addresses in VIP range.

virtual-switch-vlan *

Enable/disable virtual switch VLAN.

option

-

disable

Option

Description

enable

Enable virtual switch VLAN.

disable

Disable virtual switch VLAN.

wad-affinity *

Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).

string

Maximum length: 79

0

wad-csvc-cs-count

Number of concurrent WAD-cache-service object-cache processes.

integer

Minimum value: 1 Maximum value: 1

1

wad-csvc-db-count

Number of concurrent WAD-cache-service byte-cache processes.

integer

Minimum value: 0 Maximum value: 8 **

0

wad-memory-change-granularity

Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.

integer

Minimum value: 5 Maximum value: 25

10

wad-source-affinity

Enable/disable dispatching traffic to WAD workers based on source affinity.

option

-

enable

Option

Description

disable

Disable dispatching traffic to WAD workers based on source affinity.

enable

Enable dispatching traffic to WAD workers based on source affinity.

wad-worker-count

Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.

integer

Minimum value: 0 Maximum value: 8 **

0

wifi-ca-certificate

CA certificate that verifies the WiFi certificate.

string

Maximum length: 79

Fortinet_Wifi_CA

wifi-certificate

Certificate to use for WiFi authentication.

string

Maximum length: 35

Fortinet_Wifi

wimax-4g-usb

Enable/disable comparability with WiMAX 4G USB devices.

option

-

disable

Option

Description

enable

Enable WiMax 4G.

disable

Disable WiMax 4G.

wireless-controller

Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.

option

-

enable

Option

Description

enable

Enable wireless controller.

disable

Disable wireless controller.

wireless-controller-port

Port used for the control channel in wireless controller mode.

integer

Minimum value: 1024 Maximum value: 49150

5246

wireless-mode *

Wireless mode setting.

option

-

ac

Option

Description

ac

Wireless controller with local wireless.

client

Wireless client mode.

fwfap

Obsolete wireless AP mode.

* This parameter may not exist in some models.

** Values may differ between models.