config system settings

Configure VDOM settings.

config system settings
    Description: Configure VDOM settings.
    set allow-linkdown-path [enable|disable]
    set allow-subnet-overlap [enable|disable]
    set application-bandwidth-tracking [disable|enable]
    set asymroute [enable|disable]
    set asymroute-icmp [enable|disable]
    set asymroute6 [enable|disable]
    set asymroute6-icmp [enable|disable]
    set auxiliary-session [enable|disable]
    set bfd [enable|disable]
    set bfd-desired-min-tx {integer}
    set bfd-detect-mult {integer}
    set bfd-dont-enforce-src-port [enable|disable]
    set bfd-required-min-rx {integer}
    set block-land-attack [disable|enable]
    set central-nat [enable|disable]
    set comments {var-string}
    set default-voip-alg-mode [proxy-based|kernel-helper-based]
    set deny-tcp-with-icmp [enable|disable]
    set device {string}
    set dhcp-proxy [enable|disable]
    set dhcp-proxy-interface {string}
    set dhcp-proxy-interface-select-method [auto|sdwan|...]
    set dhcp-server-ip {user}
    set dhcp6-server-ip {user}
    set discovered-device-timeout {integer}
    set ecmp-max-paths {integer}
    set email-portal-check-dns [disable|enable]
    set firewall-session-dirty [check-all|check-new|...]
    set fw-session-hairpin [enable|disable]
    set gateway {ipv4-address}
    set gateway6 {ipv6-address}
    set gui-advanced-policy [enable|disable]
    set gui-allow-unnamed-policy [enable|disable]
    set gui-antivirus [enable|disable]
    set gui-ap-profile [enable|disable]
    set gui-application-control [enable|disable]
    set gui-default-policy-columns <name1>, <name2>, ...
    set gui-dhcp-advanced [enable|disable]
    set gui-dns-database [enable|disable]
    set gui-dnsfilter [enable|disable]
    set gui-dos-policy [enable|disable]
    set gui-dynamic-routing [enable|disable]
    set gui-email-collection [enable|disable]
    set gui-endpoint-control [enable|disable]
    set gui-endpoint-control-advanced [enable|disable]
    set gui-explicit-proxy [enable|disable]
    set gui-file-filter [enable|disable]
    set gui-fortiap-split-tunneling [enable|disable]
    set gui-fortiextender-controller [enable|disable]
    set gui-icap [enable|disable]
    set gui-implicit-policy [enable|disable]
    set gui-ips [enable|disable]
    set gui-load-balance [enable|disable]
    set gui-local-in-policy [enable|disable]
    set gui-local-reports [enable|disable]
    set gui-multicast-policy [enable|disable]
    set gui-multiple-interface-policy [enable|disable]
    set gui-object-colors [enable|disable]
    set gui-policy-based-ipsec [enable|disable]
    set gui-policy-disclaimer [enable|disable]
    set gui-security-profile-group [enable|disable]
    set gui-spamfilter [enable|disable]
    set gui-sslvpn-personal-bookmarks [enable|disable]
    set gui-sslvpn-realms [enable|disable]
    set gui-switch-controller [enable|disable]
    set gui-threat-weight [enable|disable]
    set gui-traffic-shaping [enable|disable]
    set gui-videofilter [enable|disable]
    set gui-voip-profile [enable|disable]
    set gui-vpn [enable|disable]
    set gui-waf-profile [enable|disable]
    set gui-wan-load-balancing [enable|disable]
    set gui-wanopt-cache [enable|disable]
    set gui-webfilter [enable|disable]
    set gui-webfilter-advanced [enable|disable]
    set gui-wireless-controller [enable|disable]
    set gui-ztna [enable|disable]
    set h323-direct-model [disable|enable]
    set http-external-dest [fortiweb|forticache]
    set ike-dn-format [with-space|no-space]
    set ike-policy-route [enable|disable]
    set ike-port {integer}
    set ike-quick-crash-detect [enable|disable]
    set ike-session-resume [enable|disable]
    set ip {ipv4-classnet-host}
    set ip6 {ipv6-prefix}
    set link-down-access [enable|disable]
    set lldp-reception [enable|disable|...]
    set lldp-transmission [enable|disable|...]
    set location-id {ipv4-address}
    set mac-ttl {integer}
    set manageip {user}
    set manageip6 {ipv6-prefix}
    set multicast-forward [enable|disable]
    set multicast-skip-policy [enable|disable]
    set multicast-ttl-notchange [enable|disable]
    set nat46-force-ipv4-packet-forwarding [enable|disable]
    set nat46-generate-ipv6-fragment-header [enable|disable]
    set nat64-force-ipv6-packet-forwarding [enable|disable]
    set ngfw-mode [profile-based|policy-based]
    set opmode [nat|transparent]
    set policy-offload-level [disable|dos-offload]
    set prp-trailer-action [enable|disable]
    set sccp-port {integer}
    set sctp-session-without-init [enable|disable]
    set ses-denied-traffic [enable|disable]
    set sip-expectation [enable|disable]
    set sip-nat-trace [enable|disable]
    set sip-ssl-port {integer}
    set sip-tcp-port {integer}
    set sip-udp-port {integer}
    set snat-hairpin-traffic [enable|disable]
    set status [enable|disable]
    set strict-src-check [enable|disable]
    set tcp-session-without-syn [enable|disable]
    set utf8-spam-tagging [enable|disable]
    set v4-ecmp-mode [source-ip-based|weight-based|...]
    set vpn-stats-log {option1}, {option2}, ...
    set vpn-stats-period {integer}
    set wccp-cache-engine [enable|disable]
end

config system settings

Parameters. Each entry below gives the parameter's description, its type, its size or value range, its default and, for option types, the accepted values.

allow-linkdown-path
    Enable/disable link down path.
    Type: option. Default: disable.
    Options: enable | disable.

allow-subnet-overlap
    Enable/disable allowing interface subnets to use overlapping IP addresses.
    Type: option. Default: disable.
    Options: enable | disable.

application-bandwidth-tracking
    Enable/disable application bandwidth tracking.
    Type: option. Default: disable.
    Options: disable | enable.

asymroute
    Enable/disable IPv4 asymmetric routing.
    Type: option. Default: disable.
    Options: enable | disable.

asymroute-icmp
    Enable/disable ICMP asymmetric routing.
    Type: option. Default: disable.
    Options: enable | disable.

asymroute6
    Enable/disable asymmetric IPv6 routing.
    Type: option. Default: disable.
    Options: enable | disable.

asymroute6-icmp
    Enable/disable asymmetric ICMPv6 routing.
    Type: option. Default: disable.
    Options: enable | disable.

auxiliary-session *
    Enable/disable auxiliary session for this VDOM.
    Type: option. Default: disable.
    Options: enable | disable.

bfd
    Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
    Type: option. Default: disable.
    Options: enable | disable.

bfd-desired-min-tx
    BFD desired minimal transmit interval.
    Type: integer. Range: 1 to 100000. Default: 250.

bfd-detect-mult
    BFD detection multiplier.
    Type: integer. Range: 1 to 50. Default: 3.

bfd-dont-enforce-src-port
    Enable to stop enforcing verification of the source port of BFD control packets. RFC 5881 requires BFD control packets to use a source port in the range 49152 to 65535; with the default (disable) that source port is enforced.
    Type: option. Default: disable.
    Options:
        enable    Do not verify the source port of BFD packets.
        disable   Verify the source port of BFD packets.

bfd-required-min-rx
    BFD required minimal receive interval.
    Type: integer. Range: 1 to 100000. Default: 250.

block-land-attack
    Enable/disable blocking of LAND attacks (packets whose source address is the same as their destination address).
    Type: option. Default: disable.
    Options:
        disable   Do not block LAND attacks.
        enable    Block LAND attacks.

central-nat
    Enable/disable central NAT.
    Type: option. Default: disable.
    Options: enable | disable.

comments
    VDOM comments.
    Type: var-string. Maximum length: 255.

default-voip-alg-mode
    Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic does not include a VoIP profile.
    Type: option. Default: proxy-based.
    Options:
        proxy-based          Use a default proxy-based VoIP ALG.
        kernel-helper-based  Use the SIP session helper.

deny-tcp-with-icmp
    Enable/disable answering denied TCP connection attempts with an ICMP communication prohibited message instead of silently dropping them (which also tells a scanner that a filter is present).
    Type: option. Default: disable.
    Options:
        enable    Deny TCP with ICMP.
        disable   Disable denying TCP with ICMP.

device
    Interface to use for management access in NAT mode.
    Type: string. Maximum length: 35.

dhcp-proxy
    Enable/disable the DHCP proxy.
    Type: option. Default: disable.
    Options: enable | disable.

dhcp-proxy-interface
    Specify the outgoing interface used to reach the DHCP server.
    Type: string. Maximum length: 15.

dhcp-proxy-interface-select-method
    Specify how the outgoing interface used to reach the DHCP server is selected.
    Type: option. Default: auto.
    Options:
        auto      Set the outgoing interface automatically.
        sdwan     Set the outgoing interface by SD-WAN or policy routing rules.
        specify   Set the outgoing interface manually.

dhcp-server-ip
    DHCP server IPv4 address.
    Type: user.

dhcp6-server-ip
    DHCPv6 server IPv6 address.
    Type: user.

discovered-device-timeout
    Timeout for discovered devices.
    Type: integer. Range: 1 to 365. Default: 28.

ecmp-max-paths
    Maximum number of Equal Cost Multi-Path routes.
    Type: integer. Range: 1 to 255. Default: 255.

email-portal-check-dns
    Enable/disable using DNS to validate email addresses collected by a captive portal.
    Type: option. Default: enable.
    Options: disable | enable.

firewall-session-dirty
    Select how to manage sessions affected by firewall policy configuration changes.
    Type: option. Default: check-all.
    Options:
        check-all            All sessions affected by a firewall policy change are flushed from the session table. When new packets are received they are re-evaluated by stateful inspection and re-added to the session table.
        check-new            Established sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.
        check-policy-option  Sessions are managed individually depending on the firewall policy. Some sessions may restart, some may continue.

fw-session-hairpin
    Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
    Type: option. Default: disable.
    Options:
        enable    Perform a policy check every time.
        disable   Perform a policy check only the first time the session is received.

gateway
    Transparent mode IPv4 default gateway IP address.
    Type: ipv4-address. Default: 0.0.0.0.

gateway6
    Transparent mode IPv6 default gateway IP address.
    Type: ipv6-address. Default: ::.

gui-advanced-policy
    Enable/disable advanced policy configuration on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-allow-unnamed-policy
    Enable/disable allowing firewall policies to be created without a name on the GUI.
    Type: option. Default: disable.
    Options:
        enable    Allow unnamed policies; a policy name is not required on the GUI.
        disable   Require a name for every policy created on the GUI.

gui-antivirus
    Enable/disable AntiVirus on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-ap-profile
    Enable/disable FortiAP profiles on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-application-control
    Enable/disable application control on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-default-policy-columns <name>
    Default columns to display for policy lists on the GUI. Each entry is a column name.
    Type: string. Maximum length: 79.

gui-dhcp-advanced
    Enable/disable advanced DHCP options on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-dns-database
    Enable/disable DNS database settings on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-dnsfilter
    Enable/disable DNS Filtering on the GUI.
    Type: option. Default: enable **.
    Options: enable | disable.

gui-dos-policy
    Enable/disable DoS policies on the GUI.
    Type: option. Default: enable **.
    Options: enable | disable.

gui-dynamic-routing
    Enable/disable dynamic routing on the GUI.
    Type: option. Default: enable **.
    Options: enable | disable.

gui-email-collection
    Enable/disable email collection on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-endpoint-control
    Enable/disable endpoint control on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-endpoint-control-advanced
    Enable/disable advanced endpoint control options on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-explicit-proxy
    Enable/disable the explicit proxy on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-file-filter
    Enable/disable File-filter on the GUI.
    Type: option. Default: enable **.
    Options: enable | disable.

gui-fortiap-split-tunneling
    Enable/disable FortiAP split tunneling on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-fortiextender-controller
    Enable/disable FortiExtender on the GUI.
    Type: option. Default: disable **.
    Options: enable | disable.

gui-icap
    Enable/disable ICAP on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-implicit-policy
    Enable/disable implicit firewall policies on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-ips
    Enable/disable IPS on the GUI.
    Type: option. Default: enable **.
    Options: enable | disable.

gui-load-balance
    Enable/disable server load balancing on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-local-in-policy
    Enable/disable Local-In policies on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-local-reports *
    Enable/disable local reports on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-multicast-policy
    Enable/disable multicast firewall policies on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-multiple-interface-policy
    Enable/disable adding multiple interfaces to a policy on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-object-colors
    Enable/disable object colors on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-policy-based-ipsec
    Enable/disable policy-based IPsec VPN on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-policy-disclaimer
    Enable/disable policy disclaimer on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-security-profile-group
    Enable/disable Security Profile Groups on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-spamfilter
    Enable/disable Antispam on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-sslvpn-personal-bookmarks
    Enable/disable SSL-VPN personal bookmark management on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-sslvpn-realms
    Enable/disable SSL-VPN realms on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-switch-controller *
    Enable/disable the switch controller on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-threat-weight
    Enable/disable threat weight on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-traffic-shaping
    Enable/disable traffic shaping on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-videofilter
    Enable/disable Video filtering on the GUI.
    Type: option. Default: enable **.
    Options: enable | disable.

gui-voip-profile
    Enable/disable VoIP profiles on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-vpn
    Enable/disable VPN tunnels on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-waf-profile
    Enable/disable Web Application Firewall on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-wan-load-balancing
    Enable/disable SD-WAN on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-wanopt-cache *
    Enable/disable WAN Optimization and Web Caching on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-webfilter
    Enable/disable Web filtering on the GUI.
    Type: option. Default: enable **.
    Options: enable | disable.

gui-webfilter-advanced
    Enable/disable advanced web filtering on the GUI.
    Type: option. Default: disable.
    Options: enable | disable.

gui-wireless-controller
    Enable/disable the wireless controller on the GUI.
    Type: option. Default: enable.
    Options: enable | disable.

gui-ztna
    Enable/disable Zero Trust Network Access features on the GUI.
    Type: option. Default: enable **.
    Options: enable | disable.

h323-direct-model
    Enable/disable H323 direct model.
    Type: option. Default: disable.
    Options: disable | enable.

http-external-dest
    Offload HTTP traffic to FortiWeb or FortiCache.
    Type: option. Default: fortiweb.
    Options:
        fortiweb    Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.
        forticache  Offload HTTP traffic to FortiCache for external web caching and WAN optimization.

ike-dn-format
    Configure IKE ASN.1 Distinguished Name format conventions.
    Type: option. Default: with-space.
    Options:
        with-space  Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.
        no-space    Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.

ike-policy-route
    Enable/disable IKE Policy Based Routing (PBR).
    Type: option. Default: disable.
    Options: enable | disable.

ike-port
    UDP port for IKE/IPsec traffic.
    Type: integer. Range: 1024 to 65535. Default: 500.
    The default is the standard IKE port 500, which lies outside the range that can be set explicitly: a custom port must be between 1024 and 65535, and unsetting the parameter returns to 500.

ike-quick-crash-detect
    Enable/disable IKE quick crash detection (RFC 6290).
    Type: option. Default: disable.
    Options: enable | disable.

ike-session-resume
    Enable/disable IKEv2 session resumption (RFC 5723).
    Type: option. Default: disable.
    Options: enable | disable.

ip
    IP address and netmask.
    Type: ipv4-classnet-host. Default: 0.0.0.0 0.0.0.0.

ip6
    IPv6 address prefix for NAT mode.
    Type: ipv6-prefix. Default: ::/0.

link-down-access
    Enable/disable link down access traffic.
    Type: option. Default: enable.
    Options:
        enable    Allow link down access traffic.
        disable   Block link down access traffic.

lldp-reception
    Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM, or apply the global setting to this VDOM.
    Type: option. Default: global.
    Options:
        enable    Enable LLDP reception for this VDOM.
        disable   Disable LLDP reception for this VDOM.
        global    Use the global LLDP reception configuration for this VDOM.

lldp-transmission
    Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM, or apply the global setting to this VDOM.
    Type: option. Default: global.
    Options:
        enable    Enable LLDP transmission for this VDOM.
        disable   Disable LLDP transmission for this VDOM.
        global    Use the global LLDP transmission configuration for this VDOM.

location-id
    Local location ID in the form of an IPv4 address.
    Type: ipv4-address. Default: 0.0.0.0.

mac-ttl
    Duration of MAC addresses in Transparent mode.
    Type: integer. Range: 300 to 8640000. Default: 300.

manageip
    Transparent mode IPv4 management IP address and netmask.
    Type: user.

manageip6
    Transparent mode IPv6 management IP address and netmask.
    Type: ipv6-prefix. Default: ::/0.

multicast-forward
    Enable/disable multicast forwarding.
    Type: option. Default: enable.
    Options: enable | disable.

multicast-skip-policy
    Enable/disable allowing multicast traffic through the FortiGate without a policy check.
    Type: option. Default: disable.
    Options:
        enable    Allow multicast traffic through the FortiGate without creating a multicast firewall policy.
        disable   Require a multicast policy to allow multicast traffic to pass through the FortiGate.

multicast-ttl-notchange
    Enable/disable preventing the FortiGate from changing the TTL of forwarded multicast packets.
    Type: option. Default: disable.
    Options:
        enable    The multicast TTL is not changed.
        disable   The multicast TTL may be changed.

nat46-force-ipv4-packet-forwarding
    Enable/disable mandatory IPv4 packet forwarding in NAT46.
    Type: option. Default: disable.
    Options:
        enable    Enable mandatory IPv4 packet forwarding when the IPv4 DF bit is set to 1.
        disable   Disable mandatory IPv4 packet forwarding when the IPv4 DF bit is set to 1.

nat46-generate-ipv6-fragment-header
    Enable/disable NAT46 IPv6 fragment header generation.
    Type: option. Default: disable.
    Options: enable | disable.

nat64-force-ipv6-packet-forwarding
    Enable/disable mandatory IPv6 packet forwarding in NAT64.
    Type: option. Default: enable.
    Options:
        enable    Enable mandatory IPv6 packet forwarding.
        disable   Disable mandatory IPv6 packet forwarding.

ngfw-mode
    Next Generation Firewall (NGFW) mode.
    Type: option. Default: profile-based.
    Options:
        profile-based  Application control and web filtering are configured using profiles applied to policy entries.
        policy-based   Application control and web filtering are configured as policy match conditions.

opmode
    Firewall operation mode (NAT or Transparent).
    Type: option. Default: nat.
    Options:
        nat          Change to NAT mode.
        transparent  Change to transparent mode.

policy-offload-level *
    Configure firewall policy offload level.
    Type: option. Default: disable.
    Options:
        disable      Disable policy offloading.
        dos-offload  Only enable DoS policy offloading.

prp-trailer-action
    Enable/disable action to take on the PRP trailer.
    Type: option. Default: disable.
    Options:
        enable    Try to keep the PRP trailer.
        disable   Trim the PRP trailer.

sccp-port
    TCP port the SCCP proxy monitors for SCCP traffic.
    Type: integer. Range: 0 to 65535. Default: 2000.

sctp-session-without-init
    Enable/disable SCTP session creation without SCTP INIT.
    Type: option. Default: disable.
    Options: enable | disable.

ses-denied-traffic
    Enable/disable including denied sessions in the session table.
    Type: option. Default: disable.
    Options:
        enable    Include denied sessions in the session table.
        disable   Do not add denied sessions to the session table.

sip-expectation
    Enable/disable the SIP kernel session helper creating an expectation for port 5060.
    Type: option. Default: disable.
    Options:
        enable    Allow the SIP session helper to create an expectation for port 5060.
        disable   Prevent the SIP session helper from creating an expectation for port 5060.

sip-nat-trace
    Enable/disable recording the original SIP source IP address when NAT is used.
    Type: option. Default: enable.
    Options: enable | disable.

sip-ssl-port *
    TCP port the SIP proxy monitors for SIP SSL/TLS traffic.
    Type: integer. Range: 0 to 65535. Default: 5061.

sip-tcp-port
    TCP port the SIP proxy monitors for SIP traffic.
    Type: integer. Range: 1 to 65535. Default: 5060.

sip-udp-port
    UDP port the SIP proxy monitors for SIP traffic.
    Type: integer. Range: 1 to 65535. Default: 5060.

snat-hairpin-traffic
    Enable/disable source NAT (SNAT) for hairpin traffic.
    Type: option. Default: enable.
    Options: enable | disable.

status
    Enable/disable this VDOM.
    Type: option. Default: enable.
    Options: enable | disable.

strict-src-check
    Enable/disable strict source verification. With strict checking a packet is accepted only if the route to its source address points back out the interface the packet arrived on; when disabled the check is loose and only requires that some route to the source address exists.
    Type: option. Default: disable.
    Options: enable | disable.

tcp-session-without-syn
    Enable/disable allowing TCP sessions to be created without SYN flags.
    Type: option. Default: disable.
    Options:
        enable    Allow TCP sessions without SYN flags.
        disable   Do not allow TCP sessions without SYN flags.

utf8-spam-tagging
    Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
    Type: option. Default: enable.
    Options:
        enable    Convert antispam tags to UTF-8.
        disable   Do not convert antispam tags.

v4-ecmp-mode
    IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
    Type: option. Default: source-ip-based.
    Options:
        source-ip-based       Select next hop based on source IP.
        weight-based          Select next hop based on weight.
        usage-based           Select next hop based on usage.
        source-dest-ip-based  Select next hop based on both source and destination IPs.

vpn-stats-log
    Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
    Type: option. Default: ipsec pptp l2tp ssl.
    Options:
        ipsec  IPsec.
        pptp   PPTP.
        l2tp   L2TP.
        ssl    SSL.

vpn-stats-period
    Period to send VPN log statistics.
    Type: integer. Range: 0 to 4294967295. Default: 600.

wccp-cache-engine
    Enable/disable WCCP cache engine.
    Type: option. Default: disable.
    Options: enable | disable.

* This parameter may not exist in some models.

** Values may differ between models.
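The strict-src-check entry above only names "strict source verification". As an added illustration of the check behind that setting (not FortiOS code, and not a description of FortiOS internals), the Python below compares a loose reverse-path check, which only asks whether some route to the packet's source address exists, with a strict one, which also requires that route to leave through the interface the packet arrived on. The routing table, interface names and sample packets are constructed for the example.

```python
"""Loose versus strict reverse-path verification of a packet's source address.

Added illustration of the check behind `strict-src-check`. The routing table,
interface names and packets are constructed for the example; nothing here is
FortiOS code or a description of FortiOS internals.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed routing table as (prefix, egress interface). A None interface is
# a blackhole route, the usual way to make even a loose check drop a range.
ROUTES = [
    (IPv4Network("0.0.0.0/0"), "wan1"),
    (IPv4Network("10.0.0.0/8"), "internal"),
    (IPv4Network("10.1.0.0/16"), "dmz"),
    (IPv4Network("192.0.2.0/24"), None),
]


def best_route(addr: IPv4Address, routes=ROUTES):
    """Longest-prefix match. Returns the egress interface (None for a
    blackhole) or raises LookupError when no route covers the address."""
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        raise LookupError(f"no route to {addr}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_check(src: str, ingress: str, strict: bool, routes=ROUTES) -> bool:
    """True if a packet from `src` arriving on `ingress` passes the check.

    Loose: a non-blackhole route to the source exists. With a default route in
    the table this rejects only blackholed or unroutable sources.
    Strict: the best route to the source must also leave via `ingress`, which
    is what catches an internal address spoofed from the WAN side.
    """
    try:
        iface = best_route(IPv4Address(src), routes)
    except LookupError:
        return False
    if iface is None:
        return False
    return iface == ingress if strict else True


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface, what they represent).
    cases = [
        ("10.1.5.5", "dmz", "legitimate DMZ host"),
        ("10.1.5.5", "wan1", "DMZ address spoofed from the Internet"),
        ("203.0.113.7", "wan1", "ordinary Internet source"),
        ("192.0.2.9", "wan1", "blackholed range"),
    ]
    for src, ingress, what in cases:
        loose = source_check(src, ingress, strict=False)
        strict = source_check(src, ingress, strict=True)
        print(f"{what:38} loose={loose!s:5} strict={strict}")
```

The second case is the one that matters: a packet carrying a DMZ address but arriving on the WAN interface passes the loose check because a route to 10.1.0.0/16 exists, and fails the strict check because that route points at dmz, not wan1.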

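The CLI syntax block at the top of this page and the parameter table above describe the config system settings block as it appears in a configuration backup or in show output. As an added example, not code from Fortinet or from this reference, the Python below parses that CLI text into nested dictionaries and audits each VDOM's settings against a small hardening baseline. The defaults it fills in for omitted parameters are the ones listed in the table; the sample export, the baseline itself (requiring block-land-attack and strict-src-check to be enabled and everything else at its default) and the assumption that, as with show output, parameters left at their default are omitted from the export are the editor's own.

```python
"""Parse a FortiOS configuration export and audit `config system settings`.

Added example. Assumptions not taken from the reference page: the input is
show-style output in which parameters left at their default are omitted, the
sample export is constructed, and the hardening baseline is the editor's.
"""
import shlex
from typing import Any

# Defaults of the audited parameters, as listed in the table on this page.
DEFAULTS: dict[str, str] = {
    "asymroute": "disable",
    "asymroute6": "disable",
    "allow-subnet-overlap": "disable",
    "tcp-session-without-syn": "disable",
    "sctp-session-without-init": "disable",
    "multicast-skip-policy": "disable",
    "block-land-attack": "disable",
    "strict-src-check": "disable",
    "bfd-dont-enforce-src-port": "disable",
}

# Desired values: defaults everywhere except LAND blocking and strict source
# checking turned on. This baseline is an assumption made for the example.
BASELINE: dict[str, str] = {**DEFAULTS, "block-land-attack": "enable",
                            "strict-src-check": "enable"}


def parse_fortios(text: str) -> dict[str, Any]:
    """Turn FortiOS CLI text into nested dicts.

    `config <path>` opens a table under the key "<path>", `edit <name>` opens
    an entry, `set <key> <value...>` stores one value as a string or several
    as a list, `unset <key>` deletes a key, and `next`/`end` close a scope.
    """
    root: dict[str, Any] = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        scope = stack[-1]
        if cmd in ("config", "edit"):
            stack.append(scope.setdefault(" ".join(args), {}))
        elif cmd == "set":
            scope[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd == "unset":
            scope.pop(args[0], None)
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {cmd!r}: {raw!r}")
            stack.pop()
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("config block not terminated")
    return root


def settings_per_vdom(cfg: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Map VDOM name -> its system settings, for single- and multi-VDOM exports."""
    if "vdom" in cfg:
        return {name: vd.get("system settings", {}) for name, vd in cfg["vdom"].items()}
    return {"root": cfg.get("system settings", {})}


def audit(settings: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Return (parameter, effective value, baseline value) for each deviation.

    Omitted parameters sit at their default, so defaults are filled in first;
    without that step every omitted key would be reported as a finding.
    """
    effective = {**DEFAULTS, **{k: v for k, v in settings.items() if k in DEFAULTS}}
    return [(k, effective[k], want) for k, want in BASELINE.items() if effective[k] != want]


def audit_export(text: str) -> dict[str, list[tuple[str, str, str]]]:
    return {vdom: audit(s) for vdom, s in settings_per_vdom(parse_fortios(text)).items()}


# Constructed sample export: a hardened root VDOM and a "dmz" VDOM whose
# operator loosened stateful inspection.
SAMPLE_EXPORT = """\
config vdom
edit root
config system settings
    set comments "edge firewall"
    set block-land-attack enable
    set strict-src-check enable
end
next
edit dmz
config system settings
    set asymroute enable
    set tcp-session-without-syn enable
    set vpn-stats-log ipsec ssl
end
next
end
"""

if __name__ == "__main__":
    for vdom, findings in audit_export(SAMPLE_EXPORT).items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"[{vdom}] {status}")
        for param, have, want in findings:
            print(f"    {param}: {have} (baseline {want})")
```

Run against a real backup, the parser also handles quoted values, numeric edit names and nested tables; the only FortiOS-specific knowledge the audit needs is the default column of the table above, which is why a parameter missing from the export is a finding only when its default differs from the baseline.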
    set sip-udp-port {integer}
    set snat-hairpin-traffic [enable|disable]
    set status [enable|disable]
    set strict-src-check [enable|disable]
    set tcp-session-without-syn [enable|disable]
    set utf8-spam-tagging [enable|disable]
    set v4-ecmp-mode [source-ip-based|weight-based|...]
    set vpn-stats-log {option1}, {option2}, ...
    set vpn-stats-period {integer}
    set wccp-cache-engine [enable|disable]
end

config system settings

Parameter reference. Each entry gives the parameter's description, type, size and default; option-type parameters also list their accepted values.

allow-linkdown-path
    Description: Enable/disable link down path.
    Type: option    Size: -    Default: disable
    Options:
        enable: Allow link down path.
        disable: Do not allow link down path.

allow-subnet-overlap
    Description: Enable/disable allowing interface subnets to use overlapping IP addresses.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable overlapping subnets.
        disable: Disable overlapping subnets.

application-bandwidth-tracking
    Description: Enable/disable application bandwidth tracking.
    Type: option    Size: -    Default: disable
    Options:
        disable: Disable application bandwidth tracking.
        enable: Enable application bandwidth tracking.

asymroute
    Description: Enable/disable IPv4 asymmetric routing.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable IPv4 asymmetric routing.
        disable: Disable IPv4 asymmetric routing.

asymroute-icmp
    Description: Enable/disable ICMP asymmetric routing.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable ICMP asymmetric routing.
        disable: Disable ICMP asymmetric routing.

asymroute6
    Description: Enable/disable asymmetric IPv6 routing.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable asymmetric IPv6 routing.
        disable: Disable asymmetric IPv6 routing.

asymroute6-icmp
    Description: Enable/disable asymmetric ICMPv6 routing.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable asymmetric ICMPv6 routing.
        disable: Disable asymmetric ICMPv6 routing.

auxiliary-session *
    Description: Enable/disable auxiliary session.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable auxiliary session for this VDOM.
        disable: Disable auxiliary session for this VDOM.

bfd
    Description: Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable Bi-directional Forwarding Detection (BFD) on all interfaces.
        disable: Disable Bi-directional Forwarding Detection (BFD) on all interfaces.

bfd-desired-min-tx
    Description: BFD desired minimal transmit interval.
    Type: integer    Size: minimum 1, maximum 100000    Default: 250

bfd-detect-mult
    Description: BFD detection multiplier.
    Type: integer    Size: minimum 1, maximum 50    Default: 3

bfd-dont-enforce-src-port
    Description: Enable to not enforce verifying the source port of BFD packets.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable verifying the source port of BFD packets.
        disable: Disable verifying the source port of BFD packets.

bfd-required-min-rx
    Description: BFD required minimal receive interval.
    Type: integer    Size: minimum 1, maximum 100000    Default: 250

block-land-attack
    Description: Enable/disable blocking of land attacks.
    Type: option    Size: -    Default: disable
    Options:
        disable: Do not block land attack.
        enable: Block land attack.

central-nat
    Description: Enable/disable central NAT.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable central NAT.
        disable: Disable central NAT.

comments
    Description: VDOM comments.
    Type: var-string    Size: maximum length 255

default-voip-alg-mode
    Description: Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.
    Type: option    Size: -    Default: proxy-based
    Options:
        proxy-based: Use a default proxy-based VoIP ALG.
        kernel-helper-based: Use the SIP session helper.

deny-tcp-with-icmp
    Description: Enable/disable denying TCP by sending an ICMP communication prohibited packet.
    Type: option    Size: -    Default: disable
    Options:
        enable: Deny TCP with ICMP.
        disable: Disable denying TCP with ICMP.

device
    Description: Interface to use for management access for NAT mode.
    Type: string    Size: maximum length 35

dhcp-proxy
    Description: Enable/disable the DHCP proxy.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable the DHCP proxy.
        disable: Disable the DHCP proxy.

dhcp-proxy-interface
    Description: Specify outgoing interface to reach server.
    Type: string    Size: maximum length 15

dhcp-proxy-interface-select-method
    Description: Specify how to select outgoing interface to reach server.
    Type: option    Size: -    Default: auto
    Options:
        auto: Set outgoing interface automatically.
        sdwan: Set outgoing interface by SD-WAN or policy routing rules.
        specify: Set outgoing interface manually.

dhcp-server-ip
    Description: DHCP server IPv4 address.
    Type: user    Size: Not Specified

dhcp6-server-ip
    Description: DHCPv6 server IPv6 address.
    Type: user    Size: Not Specified

discovered-device-timeout
    Description: Timeout for discovered devices.
    Type: integer    Size: minimum 1, maximum 365    Default: 28

ecmp-max-paths
    Description: Maximum number of Equal Cost Multi-Path (ECMP) paths.
    Type: integer    Size: minimum 1, maximum 255    Default: 255

email-portal-check-dns
    Description: Enable/disable using DNS to validate email addresses collected by a captive portal.
    Type: option    Size: -    Default: enable
    Options:
        disable: Disable email address checking with DNS.
        enable: Enable email address checking with DNS.

firewall-session-dirty
    Description: Select how to manage sessions affected by firewall policy configuration changes.
    Type: option    Size: -    Default: check-all
    Options:
        check-all: All sessions affected by a firewall policy change are flushed from the session table. When new packets are received they are re-evaluated by stateful inspection and re-added to the session table.
        check-new: Established sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.
        check-policy-option: Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.

fw-session-hairpin
    Description: Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.
    Type: option    Size: -    Default: disable
    Options:
        enable: Perform a policy check every time.
        disable: Perform a policy check only the first time the session is received.

gateway
    Description: Transparent mode IPv4 default gateway IP address.
    Type: ipv4-address    Size: Not Specified    Default: 0.0.0.0

gateway6
    Description: Transparent mode IPv6 default gateway IP address.
    Type: ipv6-address    Size: Not Specified    Default: ::

gui-advanced-policy
    Description: Enable/disable advanced policy configuration on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable advanced policy configuration on the GUI.
        disable: Disable advanced policy configuration on the GUI.

gui-allow-unnamed-policy
    Description: Enable/disable the requirement for policy naming on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable the requirement for policy naming on the GUI.
        disable: Disable the requirement for policy naming on the GUI.

gui-antivirus
    Description: Enable/disable AntiVirus on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable AntiVirus on the GUI.
        disable: Disable AntiVirus on the GUI.

gui-ap-profile
    Description: Enable/disable FortiAP profiles on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable FortiAP profiles on the GUI.
        disable: Disable FortiAP profiles on the GUI.

gui-application-control
    Description: Enable/disable application control on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable application control on the GUI.
        disable: Disable application control on the GUI.

gui-default-policy-columns <name>
    Description: Default columns to display for policy lists on GUI.
    name: Select column name.
    Type: string    Size: maximum length 79

gui-dhcp-advanced
    Description: Enable/disable advanced DHCP options on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable advanced DHCP options on the GUI.
        disable: Disable advanced DHCP options on the GUI.

gui-dns-database
    Description: Enable/disable DNS database settings on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable DNS database settings on the GUI.
        disable: Disable DNS database settings on the GUI.

gui-dnsfilter
    Description: Enable/disable DNS Filtering on the GUI.
    Type: option    Size: -    Default: enable **
    Options:
        enable: Enable DNS Filtering on the GUI.
        disable: Disable DNS Filtering on the GUI.

gui-dos-policy
    Description: Enable/disable DoS policies on the GUI.
    Type: option    Size: -    Default: enable **
    Options:
        enable: Enable DoS policies on the GUI.
        disable: Disable DoS policies on the GUI.

gui-dynamic-routing
    Description: Enable/disable dynamic routing on the GUI.
    Type: option    Size: -    Default: enable **
    Options:
        enable: Enable dynamic routing on the GUI.
        disable: Disable dynamic routing on the GUI.

gui-email-collection
    Description: Enable/disable email collection on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable email collection on the GUI.
        disable: Disable email collection on the GUI.

gui-endpoint-control
    Description: Enable/disable endpoint control on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable endpoint control on the GUI.
        disable: Disable endpoint control on the GUI.

gui-endpoint-control-advanced
    Description: Enable/disable advanced endpoint control options on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable advanced endpoint control options on the GUI.
        disable: Disable advanced endpoint control options on the GUI.

gui-explicit-proxy
    Description: Enable/disable the explicit proxy on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable the explicit proxy on the GUI.
        disable: Disable the explicit proxy on the GUI.

gui-file-filter
    Description: Enable/disable File-filter on the GUI.
    Type: option    Size: -    Default: enable **
    Options:
        enable: Enable File-filter on the GUI.
        disable: Disable File-filter on the GUI.

gui-fortiap-split-tunneling
    Description: Enable/disable FortiAP split tunneling on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable FortiAP split tunneling on the GUI.
        disable: Disable FortiAP split tunneling on the GUI.

gui-fortiextender-controller
    Description: Enable/disable FortiExtender on the GUI.
    Type: option    Size: -    Default: disable **
    Options:
        enable: Enable FortiExtender on the GUI.
        disable: Disable FortiExtender on the GUI.

gui-icap
    Description: Enable/disable ICAP on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable ICAP on the GUI.
        disable: Disable ICAP on the GUI.

gui-implicit-policy
    Description: Enable/disable implicit firewall policies on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable implicit firewall policies on the GUI.
        disable: Disable implicit firewall policies on the GUI.

gui-ips
    Description: Enable/disable IPS on the GUI.
    Type: option    Size: -    Default: enable **
    Options:
        enable: Enable IPS on the GUI.
        disable: Disable IPS on the GUI.

gui-load-balance
    Description: Enable/disable server load balancing on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable server load balancing on the GUI.
        disable: Disable server load balancing on the GUI.

gui-local-in-policy
    Description: Enable/disable Local-In policies on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable Local-In policies on the GUI.
        disable: Disable Local-In policies on the GUI.

gui-local-reports *
    Description: Enable/disable local reports on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable local reports on the GUI.
        disable: Disable local reports on the GUI.

gui-multicast-policy
    Description: Enable/disable multicast firewall policies on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable multicast firewall policies on the GUI.
        disable: Disable multicast firewall policies on the GUI.

gui-multiple-interface-policy
    Description: Enable/disable adding multiple interfaces to a policy on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable adding multiple interfaces to a policy on the GUI.
        disable: Disable adding multiple interfaces to a policy on the GUI.

gui-object-colors
    Description: Enable/disable object colors on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable object colors on the GUI.
        disable: Disable object colors on the GUI.

gui-policy-based-ipsec
    Description: Enable/disable policy-based IPsec VPN on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable policy-based IPsec VPN on the GUI.
        disable: Disable policy-based IPsec VPN on the GUI.

gui-policy-disclaimer
    Description: Enable/disable policy disclaimer on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable policy disclaimer on the GUI.
        disable: Disable policy disclaimer on the GUI.

gui-security-profile-group
    Description: Enable/disable Security Profile Groups on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable Security Profile Groups on the GUI.
        disable: Disable Security Profile Groups on the GUI.

gui-spamfilter
    Description: Enable/disable Antispam on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable Antispam on the GUI.
        disable: Disable Antispam on the GUI.

gui-sslvpn-personal-bookmarks
    Description: Enable/disable SSL-VPN personal bookmark management on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable SSL-VPN personal bookmark management on the GUI.
        disable: Disable SSL-VPN personal bookmark management on the GUI.

gui-sslvpn-realms
    Description: Enable/disable SSL-VPN realms on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable SSL-VPN realms on the GUI.
        disable: Disable SSL-VPN realms on the GUI.

gui-switch-controller *
    Description: Enable/disable the switch controller on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable the switch controller on the GUI.
        disable: Disable the switch controller on the GUI.

gui-threat-weight
    Description: Enable/disable threat weight on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable threat weight on the GUI.
        disable: Disable threat weight on the GUI.

gui-traffic-shaping
    Description: Enable/disable traffic shaping on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable traffic shaping on the GUI.
        disable: Disable traffic shaping on the GUI.

gui-videofilter
    Description: Enable/disable Video filtering on the GUI.
    Type: option    Size: -    Default: enable **
    Options:
        enable: Enable Video filtering on the GUI.
        disable: Disable Video filtering on the GUI.

gui-voip-profile
    Description: Enable/disable VoIP profiles on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable VoIP profiles on the GUI.
        disable: Disable VoIP profiles on the GUI.

gui-vpn
    Description: Enable/disable VPN tunnels on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable VPN tunnels on the GUI.
        disable: Disable VPN tunnels on the GUI.

gui-waf-profile
    Description: Enable/disable Web Application Firewall on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable Web Application Firewall on the GUI.
        disable: Disable Web Application Firewall on the GUI.

gui-wan-load-balancing
    Description: Enable/disable SD-WAN on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable SD-WAN on the GUI.
        disable: Disable SD-WAN on the GUI.

gui-wanopt-cache *
    Description: Enable/disable WAN Optimization and Web Caching on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable WAN Optimization and Web Caching on the GUI.
        disable: Disable WAN Optimization and Web Caching on the GUI.

gui-webfilter
    Description: Enable/disable Web filtering on the GUI.
    Type: option    Size: -    Default: enable **
    Options:
        enable: Enable Web filtering on the GUI.
        disable: Disable Web filtering on the GUI.

gui-webfilter-advanced
    Description: Enable/disable advanced web filtering on the GUI.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable advanced web filtering on the GUI.
        disable: Disable advanced web filtering on the GUI.

gui-wireless-controller
    Description: Enable/disable the wireless controller on the GUI.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable the wireless controller on the GUI.
        disable: Disable the wireless controller on the GUI.

gui-ztna
    Description: Enable/disable Zero Trust Network Access features on the GUI.
    Type: option    Size: -    Default: enable **
    Options:
        enable: Enable Zero Trust Network Access features on the GUI.
        disable: Disable Zero Trust Network Access features on the GUI.

h323-direct-model
    Description: Enable/disable H323 direct model.
    Type: option    Size: -    Default: disable
    Options:
        disable: Disable H323 direct model.
        enable: Enable H323 direct model.

http-external-dest
    Description: Offload HTTP traffic to FortiWeb or FortiCache.
    Type: option    Size: -    Default: fortiweb
    Options:
        fortiweb: Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.
        forticache: Offload HTTP traffic to FortiCache for external web caching and WAN optimization.

ike-dn-format
    Description: Configure IKE ASN.1 Distinguished Name format conventions.
    Type: option    Size: -    Default: with-space
    Options:
        with-space: Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.
        no-space: Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.

ike-policy-route
    Description: Enable/disable IKE Policy Based Routing (PBR).
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable IKE Policy Based Routing (PBR).
        disable: Disable IKE Policy Based Routing (PBR).

ike-port
    Description: UDP port for IKE/IPsec traffic.
    Type: integer    Size: minimum 1024, maximum 65535    Default: 500

ike-quick-crash-detect
    Description: Enable/disable IKE quick crash detection (RFC 6290).
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable IKE quick crash detection (RFC 6290).
        disable: Disable IKE quick crash detection (RFC 6290).

ike-session-resume
    Description: Enable/disable IKEv2 session resumption (RFC 5723).
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable IKEv2 session resumption (RFC 5723).
        disable: Disable IKEv2 session resumption (RFC 5723).

ip
    Description: IP address and netmask.
    Type: ipv4-classnet-host    Size: Not Specified    Default: 0.0.0.0 0.0.0.0

ip6
    Description: IPv6 address prefix for NAT mode.
    Type: ipv6-prefix    Size: Not Specified    Default: ::/0

link-down-access
    Description: Enable/disable link down access traffic.
    Type: option    Size: -    Default: enable
    Options:
        enable: Allow link down access traffic.
        disable: Block link down access traffic.

lldp-reception
    Description: Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM.
    Type: option    Size: -    Default: global
    Options:
        enable: Enable LLDP reception for this VDOM.
        disable: Disable LLDP reception for this VDOM.
        global: Use the global LLDP reception configuration for this VDOM.

lldp-transmission
    Description: Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM.
    Type: option    Size: -    Default: global
    Options:
        enable: Enable LLDP transmission for this VDOM.
        disable: Disable LLDP transmission for this VDOM.
        global: Use the global LLDP transmission configuration for this VDOM.

location-id
    Description: Local location ID in the form of an IPv4 address.
    Type: ipv4-address    Size: Not Specified    Default: 0.0.0.0

mac-ttl
    Description: Duration of MAC addresses in Transparent mode.
    Type: integer    Size: minimum 300, maximum 8640000    Default: 300

manageip
    Description: Transparent mode IPv4 management IP address and netmask.
    Type: user    Size: Not Specified

manageip6
    Description: Transparent mode IPv6 management IP address and netmask.
    Type: ipv6-prefix    Size: Not Specified    Default: ::/0

multicast-forward
    Description: Enable/disable multicast forwarding.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable multicast forwarding.
        disable: Disable multicast forwarding.

multicast-skip-policy
    Description: Enable/disable allowing multicast traffic through the FortiGate without a policy check.
    Type: option    Size: -    Default: disable
    Options:
        enable: Allow multicast traffic through the FortiGate without creating a multicast firewall policy.
        disable: Require a multicast policy to allow multicast traffic to pass through the FortiGate.

multicast-ttl-notchange
    Description: Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.
    Type: option    Size: -    Default: disable
    Options:
        enable: The multicast TTL is not changed.
        disable: The multicast TTL may be changed.

nat46-force-ipv4-packet-forwarding
    Description: Enable/disable mandatory IPv4 packet forwarding in NAT46.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable mandatory IPv4 packet forwarding when IPv4 DF is set to 1.
        disable: Disable mandatory IPv4 packet forwarding when IPv4 DF is set to 1.

nat46-generate-ipv6-fragment-header
    Description: Enable/disable NAT46 IPv6 fragment header generation.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable NAT46 IPv6 fragment header generation.
        disable: Disable NAT46 IPv6 fragment header generation.

nat64-force-ipv6-packet-forwarding
    Description: Enable/disable mandatory IPv6 packet forwarding in NAT64.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable mandatory IPv6 packet forwarding.
        disable: Disable mandatory IPv6 packet forwarding.

ngfw-mode
    Description: Next Generation Firewall (NGFW) mode.
    Type: option    Size: -    Default: profile-based
    Options:
        profile-based: Application and web-filtering are configured using profiles applied to policy entries.
        policy-based: Application and web-filtering are configured as policy match conditions.

opmode
    Description: Firewall operation mode (NAT or Transparent).
    Type: option    Size: -    Default: nat
    Options:
        nat: Change to NAT mode.
        transparent: Change to transparent mode.

policy-offload-level *
    Description: Configure firewall policy offload level.
    Type: option    Size: -    Default: disable
    Options:
        disable: Disable policy offloading.
        dos-offload: Only enable DoS policy offloading.

prp-trailer-action
    Description: Enable/disable action to take on PRP trailer.
    Type: option    Size: -    Default: disable
    Options:
        enable: Try to keep PRP trailer.
        disable: Trim PRP trailer.

sccp-port
    Description: TCP port the SCCP proxy monitors for SCCP traffic.
    Type: integer    Size: minimum 0, maximum 65535    Default: 2000

sctp-session-without-init
    Description: Enable/disable SCTP session creation without SCTP INIT.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable SCTP session creation without SCTP INIT.
        disable: Disable SCTP session creation without SCTP INIT.

ses-denied-traffic
    Description: Enable/disable including denied sessions in the session table.
    Type: option    Size: -    Default: disable
    Options:
        enable: Include denied sessions in the session table.
        disable: Do not add denied sessions to the session table.

sip-expectation
    Description: Enable/disable the SIP kernel session helper to create an expectation for port 5060.
    Type: option    Size: -    Default: disable
    Options:
        enable: Allow SIP session helper to create an expectation for port 5060.
        disable: Prevent SIP session helper from creating an expectation for port 5060.

sip-nat-trace
    Description: Enable/disable recording the original SIP source IP address when NAT is used.
    Type: option    Size: -    Default: enable
    Options:
        enable: Record the original SIP source IP address when NAT is used.
        disable: Do not record the original SIP source IP address when NAT is used.

sip-ssl-port *
    Description: TCP port the SIP proxy monitors for SIP SSL/TLS traffic.
    Type: integer    Size: minimum 0, maximum 65535    Default: 5061

sip-tcp-port
    Description: TCP port the SIP proxy monitors for SIP traffic.
    Type: integer    Size: minimum 1, maximum 65535    Default: 5060

sip-udp-port
    Description: UDP port the SIP proxy monitors for SIP traffic.
    Type: integer    Size: minimum 1, maximum 65535    Default: 5060

snat-hairpin-traffic
    Description: Enable/disable source NAT (SNAT) for hairpin traffic.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable SNAT for hairpin traffic.
        disable: Disable SNAT for hairpin traffic.

status
    Description: Enable/disable this VDOM.
    Type: option    Size: -    Default: enable
    Options:
        enable: Enable this VDOM.
        disable: Disable this VDOM.

strict-src-check
    Description: Enable/disable strict source verification.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable strict source verification.
        disable: Disable strict source verification.

tcp-session-without-syn
    Description: Enable/disable allowing TCP sessions without SYN flags.
    Type: option    Size: -    Default: disable
    Options:
        enable: Allow TCP sessions without SYN flags.
        disable: Do not allow TCP sessions without SYN flags.

utf8-spam-tagging
    Description: Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.
    Type: option    Size: -    Default: enable
    Options:
        enable: Convert antispam tags to UTF-8.
        disable: Do not convert antispam tags.

v4-ecmp-mode
    Description: IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.
    Type: option    Size: -    Default: source-ip-based
    Options:
        source-ip-based: Select next hop based on source IP.
        weight-based: Select next hop based on weight.
        usage-based: Select next hop based on usage.
        source-dest-ip-based: Select next hop based on both source and destination IPs.

vpn-stats-log
    Description: Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.
    Type: option    Size: -    Default: ipsec pptp l2tp ssl
    Options:
        ipsec: IPsec.
        pptp: PPTP.
        l2tp: L2TP.
        ssl: SSL.

vpn-stats-period
    Description: Period for sending VPN log statistics.
    Type: integer    Size: minimum 0, maximum 4294967295    Default: 600

wccp-cache-engine
    Description: Enable/disable WCCP cache engine.
    Type: option    Size: -    Default: disable
    Options:
        enable: Enable WCCP cache engine.
        disable: Disable WCCP cache engine.

* This parameter may not exist in some models.

** Values may differ between models.