config system settings
Configure VDOM settings.
config system settings
Description: Configure VDOM settings.
set comments {var-string}
set opmode [nat|transparent]
set ngfw-mode [profile-based|policy-based]
set http-external-dest [fortiweb|forticache]
set firewall-session-dirty [check-all|check-new|...]
set manageip {user}
set gateway {ipv4-address}
set ip {ipv4-classnet-host}
set manageip6 {ipv6-prefix}
set gateway6 {ipv6-address}
set ip6 {ipv6-prefix}
set device {string}
set bfd [enable|disable]
set bfd-desired-min-tx {integer}
set bfd-required-min-rx {integer}
set bfd-detect-mult {integer}
set bfd-dont-enforce-src-port [enable|disable]
set utf8-spam-tagging [enable|disable]
set wccp-cache-engine [enable|disable]
set vpn-stats-log {option1}, {option2}, ...
set vpn-stats-period {integer}
set v4-ecmp-mode [source-ip-based|weight-based|...]
set mac-ttl {integer}
set fw-session-hairpin [enable|disable]
set prp-trailer-action [enable|disable]
set snat-hairpin-traffic [enable|disable]
set dhcp-proxy [enable|disable]
set dhcp-proxy-interface-select-method [auto|sdwan|...]
set dhcp-proxy-interface {string}
set dhcp-server-ip {user}
set dhcp6-server-ip {user}
set central-nat [enable|disable]
set gui-default-policy-columns <name1>, <name2>, ...
set lldp-reception [enable|disable|...]
set lldp-transmission [enable|disable|...]
set link-down-access [enable|disable]
set auxiliary-session [enable|disable]
set asymroute [enable|disable]
set asymroute-icmp [enable|disable]
set tcp-session-without-syn [enable|disable]
set ses-denied-traffic [enable|disable]
set strict-src-check [enable|disable]
set allow-linkdown-path [enable|disable]
set asymroute6 [enable|disable]
set asymroute6-icmp [enable|disable]
set sctp-session-without-init [enable|disable]
set sip-expectation [enable|disable]
set sip-nat-trace [enable|disable]
set h323-direct-model [disable|enable]
set status [enable|disable]
set sip-tcp-port {integer}
set sip-udp-port {integer}
set sip-ssl-port {integer}
set sccp-port {integer}
set multicast-forward [enable|disable]
set multicast-ttl-notchange [enable|disable]
set multicast-skip-policy [enable|disable]
set allow-subnet-overlap [enable|disable]
set deny-tcp-with-icmp [enable|disable]
set ecmp-max-paths {integer}
set discovered-device-timeout {integer}
set email-portal-check-dns [disable|enable]
set default-voip-alg-mode [proxy-based|kernel-helper-based]
set gui-icap [enable|disable]
set gui-implicit-policy [enable|disable]
set gui-dns-database [enable|disable]
set gui-load-balance [enable|disable]
set gui-multicast-policy [enable|disable]
set gui-dos-policy [enable|disable]
set gui-object-colors [enable|disable]
set gui-voip-profile [enable|disable]
set gui-ap-profile [enable|disable]
set gui-security-profile-group [enable|disable]
set gui-local-in-policy [enable|disable]
set gui-explicit-proxy [enable|disable]
set gui-dynamic-routing [enable|disable]
set gui-sslvpn-personal-bookmarks [enable|disable]
set gui-sslvpn-realms [enable|disable]
set gui-policy-based-ipsec [enable|disable]
set gui-threat-weight [enable|disable]
set gui-spamfilter [enable|disable]
set gui-file-filter [enable|disable]
set gui-application-control [enable|disable]
set gui-ips [enable|disable]
set gui-endpoint-control [enable|disable]
set gui-endpoint-control-advanced [enable|disable]
set gui-dhcp-advanced [enable|disable]
set gui-vpn [enable|disable]
set gui-wireless-controller [enable|disable]
set gui-switch-controller [enable|disable]
set gui-fortiap-split-tunneling [enable|disable]
set gui-webfilter-advanced [enable|disable]
set gui-traffic-shaping [enable|disable]
set gui-wan-load-balancing [enable|disable]
set gui-antivirus [enable|disable]
set gui-webfilter [enable|disable]
set gui-videofilter [enable|disable]
set gui-dnsfilter [enable|disable]
set gui-waf-profile [enable|disable]
set gui-fortiextender-controller [enable|disable]
set gui-advanced-policy [enable|disable]
set gui-allow-unnamed-policy [enable|disable]
set gui-email-collection [enable|disable]
set gui-multiple-interface-policy [enable|disable]
set gui-policy-disclaimer [enable|disable]
set gui-ztna [enable|disable]
set location-id {ipv4-address}
set ike-session-resume [enable|disable]
set ike-quick-crash-detect [enable|disable]
set ike-dn-format [with-space|no-space]
set ike-port {integer}
set ike-policy-route [enable|disable]
set block-land-attack [disable|enable]
set application-bandwidth-tracking [disable|enable]
end
config system settings
Parameter |
Description |
Type |
Size |
Default |
||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
comments |
VDOM comments. |
var-string |
Maximum length: 255 |
|
||||||||||
opmode |
Firewall operation mode (NAT or Transparent). |
option |
- |
nat |
||||||||||
|
|
|||||||||||||
ngfw-mode |
Next Generation Firewall (NGFW) mode. |
option |
- |
profile-based |
||||||||||
|
|
|||||||||||||
http-external-dest |
Offload HTTP traffic to FortiWeb or FortiCache. |
option |
- |
fortiweb |
||||||||||
|
|
|||||||||||||
firewall-session-dirty |
Select how to manage sessions affected by firewall policy configuration changes. |
option |
- |
check-all |
||||||||||
|
|
|||||||||||||
manageip |
Transparent mode IPv4 management IP address and netmask. |
user |
Not Specified |
|
||||||||||
gateway |
Transparent mode IPv4 default gateway IP address. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||||
ip |
IP address and netmask. |
ipv4-classnet-host |
Not Specified |
0.0.0.0 0.0.0.0 |
||||||||||
manageip6 |
Transparent mode IPv6 management IP address and netmask. |
ipv6-prefix |
Not Specified |
::/0 |
||||||||||
gateway6 |
Transparent mode IPv4 default gateway IP address. |
ipv6-address |
Not Specified |
:: |
||||||||||
ip6 |
IPv6 address prefix for NAT mode. |
ipv6-prefix |
Not Specified |
::/0 |
||||||||||
device |
Interface to use for management access for NAT mode. |
string |
Maximum length: 35 |
|
||||||||||
bfd |
Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
bfd-desired-min-tx |
BFD desired minimal transmit interval . |
integer |
Minimum value: 1 Maximum value: 100000 |
250 |
||||||||||
bfd-required-min-rx |
BFD required minimal receive interval . |
integer |
Minimum value: 1 Maximum value: 100000 |
250 |
||||||||||
bfd-detect-mult |
BFD detection multiplier . |
integer |
Minimum value: 1 Maximum value: 50 |
3 |
||||||||||
bfd-dont-enforce-src-port |
Enable to not enforce verifying the source port of BFD Packets. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
utf8-spam-tagging |
Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
wccp-cache-engine |
Enable/disable WCCP cache engine. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
vpn-stats-log |
Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space. |
option |
- |
ipsec pptp l2tp ssl |
||||||||||
|
|
|||||||||||||
vpn-stats-period |
Period to send VPN log statistics . |
integer |
Minimum value: 0 Maximum value: 4294967295 |
600 |
||||||||||
v4-ecmp-mode |
IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode. |
option |
- |
source-ip-based |
||||||||||
|
|
|||||||||||||
mac-ttl |
Duration of MAC addresses in Transparent mode . |
integer |
Minimum value: 300 Maximum value: 8640000 |
300 |
||||||||||
fw-session-hairpin |
Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
prp-trailer-action |
Enable/disable action to take on PRP trailer. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
snat-hairpin-traffic |
Enable/disable source NAT (SNAT) for hairpin traffic. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
dhcp-proxy |
Enable/disable the DHCP Proxy. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
dhcp-proxy-interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||||
|
|
|||||||||||||
dhcp-proxy-interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||||
dhcp-server-ip |
DHCP Server IPv4 address. |
user |
Not Specified |
|
||||||||||
dhcp6-server-ip |
DHCPv6 server IPv6 address. |
user |
Not Specified |
|
||||||||||
central-nat |
Enable/disable central NAT. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-default-policy-columns |
Default columns to display for policy lists on GUI. Select column name. |
string |
Maximum length: 79 |
|
||||||||||
lldp-reception |
Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM. |
option |
- |
global |
||||||||||
|
|
|||||||||||||
lldp-transmission |
Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM. |
option |
- |
global |
||||||||||
|
|
|||||||||||||
link-down-access |
Enable/disable link down access traffic. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
auxiliary-session |
Enable/disable auxiliary session. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
asymroute |
Enable/disable IPv4 asymmetric routing. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
asymroute-icmp |
Enable/disable ICMP asymmetric routing. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
tcp-session-without-syn |
Enable/disable allowing TCP session without SYN flags. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
ses-denied-traffic |
Enable/disable including denied session in the session table. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
strict-src-check |
Enable/disable strict source verification. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
allow-linkdown-path |
Enable/disable link down path. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
asymroute6 |
Enable/disable asymmetric IPv6 routing. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
asymroute6-icmp |
Enable/disable asymmetric ICMPv6 routing. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
sctp-session-without-init |
Enable/disable SCTP session creation without SCTP INIT. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
sip-expectation |
Enable/disable the SIP kernel session helper to create an expectation for port 5060. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
sip-nat-trace |
Enable/disable recording the original SIP source IP address when NAT is used. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
h323-direct-model |
Enable/disable H323 direct model. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
status |
Enable/disable this VDOM. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
sip-tcp-port |
TCP port the SIP proxy monitors for SIP traffic . |
integer |
Minimum value: 1 Maximum value: 65535 |
5060 |
||||||||||
sip-udp-port |
UDP port the SIP proxy monitors for SIP traffic . |
integer |
Minimum value: 1 Maximum value: 65535 |
5060 |
||||||||||
sip-ssl-port |
TCP port the SIP proxy monitors for SIP SSL/TLS traffic . |
integer |
Minimum value: 0 Maximum value: 65535 |
5061 |
||||||||||
sccp-port |
TCP port the SCCP proxy monitors for SCCP traffic . |
integer |
Minimum value: 0 Maximum value: 65535 |
2000 |
||||||||||
multicast-forward |
Enable/disable multicast forwarding. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
multicast-ttl-notchange |
Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
multicast-skip-policy |
Enable/disable allowing multicast traffic through the FortiGate without a policy check. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
allow-subnet-overlap |
Enable/disable allowing interface subnets to use overlapping IP addresses. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
deny-tcp-with-icmp |
Enable/disable denying TCP by sending an ICMP communication prohibited packet. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
ecmp-max-paths |
Maximum number of Equal Cost Multi-Path . |
integer |
Minimum value: 1 Maximum value: 255 |
255 |
||||||||||
discovered-device-timeout |
Timeout for discovered devices . |
integer |
Minimum value: 1 Maximum value: 365 |
28 |
||||||||||
email-portal-check-dns |
Enable/disable using DNS to validate email addresses collected by a captive portal. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
default-voip-alg-mode |
Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile. |
option |
- |
proxy-based |
||||||||||
|
|
|||||||||||||
gui-icap |
Enable/disable ICAP on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-implicit-policy |
Enable/disable implicit firewall policies on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-dns-database |
Enable/disable DNS database settings on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-load-balance |
Enable/disable server load balancing on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-multicast-policy |
Enable/disable multicast firewall policies on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-dos-policy |
Enable/disable DoS policies on the GUI. |
option |
- |
enable ** |
||||||||||
|
|
|||||||||||||
gui-object-colors |
Enable/disable object colors on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-voip-profile |
Enable/disable VoIP profiles on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-ap-profile |
Enable/disable FortiAP profiles on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-security-profile-group |
Enable/disable Security Profile Groups on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-local-in-policy |
Enable/disable Local-In policies on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-explicit-proxy |
Enable/disable the explicit proxy on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-dynamic-routing |
Enable/disable dynamic routing on the GUI. |
option |
- |
enable ** |
||||||||||
|
|
|||||||||||||
gui-sslvpn-personal-bookmarks |
Enable/disable SSL-VPN personal bookmark management on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-sslvpn-realms |
Enable/disable SSL-VPN realms on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-policy-based-ipsec |
Enable/disable policy-based IPsec VPN on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-threat-weight |
Enable/disable threat weight on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-spamfilter |
Enable/disable Antispam on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-file-filter |
Enable/disable File-filter on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-application-control |
Enable/disable application control on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-ips |
Enable/disable IPS on the GUI. |
option |
- |
disable ** |
||||||||||
|
|
|||||||||||||
gui-endpoint-control |
Enable/disable endpoint control on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-endpoint-control-advanced |
Enable/disable advanced endpoint control options on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-dhcp-advanced |
Enable/disable advanced DHCP options on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-vpn |
Enable/disable VPN tunnels on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-wireless-controller |
Enable/disable the wireless controller on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-switch-controller |
Enable/disable the switch controller on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-fortiap-split-tunneling |
Enable/disable FortiAP split tunneling on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-webfilter-advanced |
Enable/disable advanced web filtering on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-traffic-shaping |
Enable/disable traffic shaping on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-wan-load-balancing |
Enable/disable SD-WAN on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-antivirus |
Enable/disable AntiVirus on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-webfilter |
Enable/disable Web filtering on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-videofilter |
Enable/disable Video filtering on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-dnsfilter |
Enable/disable DNS Filtering on the GUI. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
gui-waf-profile |
Enable/disable Web Application Firewall on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-fortiextender-controller |
Enable/disable FortiExtender on the GUI. |
option |
- |
enable ** |
||||||||||
|
|
|||||||||||||
gui-advanced-policy |
Enable/disable advanced policy configuration on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-allow-unnamed-policy |
Enable/disable the requirement for policy naming on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-email-collection |
Enable/disable email collection on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-multiple-interface-policy |
Enable/disable adding multiple interfaces to a policy on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-policy-disclaimer |
Enable/disable policy disclaimer on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
gui-ztna |
Enable/disable Zero Trust Network Access features on the GUI. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
location-id |
Local location ID in the form of an IPv4 address. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||||
ike-session-resume |
Enable/disable IKEv2 session resumption (RFC 5723). |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
ike-quick-crash-detect |
Enable/disable IKE quick crash detection (RFC 6290). |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
ike-dn-format |
Configure IKE ASN.1 Distinguished Name format conventions. |
option |
- |
with-space |
||||||||||
|
|
|||||||||||||
ike-port |
UDP port for IKE/IPsec traffic . |
integer |
Minimum value: 1024 Maximum value: 65535 |
500 |
||||||||||
ike-policy-route |
Enable/disable IKE Policy Based Routing (PBR). |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
block-land-attack |
Enable/disable blocking of land attacks. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
application-bandwidth-tracking |
Enable/disable application bandwidth tracking. |
option |
- |
disable |
||||||||||
|
|
** Values may differ between models.