Fortinet white logo
Fortinet white logo

CLI Reference

config system settings

config system settings

Configure VDOM settings.

config system settings

Description: Configure VDOM settings.

set comments {var-string}

set opmode [nat|transparent]

set ngfw-mode [profile-based|policy-based]

set http-external-dest [fortiweb|forticache]

set firewall-session-dirty [check-all|check-new|...]

set manageip {user}

set gateway {ipv4-address}

set ip {ipv4-classnet-host}

set manageip6 {ipv6-prefix}

set gateway6 {ipv6-address}

set ip6 {ipv6-prefix}

set device {string}

set bfd [enable|disable]

set bfd-desired-min-tx {integer}

set bfd-required-min-rx {integer}

set bfd-detect-mult {integer}

set bfd-dont-enforce-src-port [enable|disable]

set utf8-spam-tagging [enable|disable]

set wccp-cache-engine [enable|disable]

set vpn-stats-log {option1}, {option2}, ...

set vpn-stats-period {integer}

set v4-ecmp-mode [source-ip-based|weight-based|...]

set mac-ttl {integer}

set fw-session-hairpin [enable|disable]

set prp-trailer-action [enable|disable]

set snat-hairpin-traffic [enable|disable]

set dhcp-proxy [enable|disable]

set dhcp-proxy-interface-select-method [auto|sdwan|...]

set dhcp-proxy-interface {string}

set dhcp-server-ip {user}

set dhcp6-server-ip {user}

set central-nat [enable|disable]

set gui-default-policy-columns <name1>, <name2>, ...

set lldp-reception [enable|disable|...]

set lldp-transmission [enable|disable|...]

set link-down-access [enable|disable]

set auxiliary-session [enable|disable]

set asymroute [enable|disable]

set asymroute-icmp [enable|disable]

set tcp-session-without-syn [enable|disable]

set ses-denied-traffic [enable|disable]

set strict-src-check [enable|disable]

set allow-linkdown-path [enable|disable]

set asymroute6 [enable|disable]

set asymroute6-icmp [enable|disable]

set sctp-session-without-init [enable|disable]

set sip-expectation [enable|disable]

set sip-nat-trace [enable|disable]

set h323-direct-model [disable|enable]

set status [enable|disable]

set sip-tcp-port {integer}

set sip-udp-port {integer}

set sip-ssl-port {integer}

set sccp-port {integer}

set multicast-forward [enable|disable]

set multicast-ttl-notchange [enable|disable]

set multicast-skip-policy [enable|disable]

set allow-subnet-overlap [enable|disable]

set deny-tcp-with-icmp [enable|disable]

set ecmp-max-paths {integer}

set discovered-device-timeout {integer}

set email-portal-check-dns [disable|enable]

set default-voip-alg-mode [proxy-based|kernel-helper-based]

set gui-icap [enable|disable]

set gui-implicit-policy [enable|disable]

set gui-dns-database [enable|disable]

set gui-load-balance [enable|disable]

set gui-multicast-policy [enable|disable]

set gui-dos-policy [enable|disable]

set gui-object-colors [enable|disable]

set gui-voip-profile [enable|disable]

set gui-ap-profile [enable|disable]

set gui-security-profile-group [enable|disable]

set gui-local-in-policy [enable|disable]

set gui-explicit-proxy [enable|disable]

set gui-dynamic-routing [enable|disable]

set gui-sslvpn-personal-bookmarks [enable|disable]

set gui-sslvpn-realms [enable|disable]

set gui-policy-based-ipsec [enable|disable]

set gui-threat-weight [enable|disable]

set gui-spamfilter [enable|disable]

set gui-file-filter [enable|disable]

set gui-application-control [enable|disable]

set gui-ips [enable|disable]

set gui-endpoint-control [enable|disable]

set gui-endpoint-control-advanced [enable|disable]

set gui-dhcp-advanced [enable|disable]

set gui-vpn [enable|disable]

set gui-wireless-controller [enable|disable]

set gui-switch-controller [enable|disable]

set gui-fortiap-split-tunneling [enable|disable]

set gui-webfilter-advanced [enable|disable]

set gui-traffic-shaping [enable|disable]

set gui-wan-load-balancing [enable|disable]

set gui-antivirus [enable|disable]

set gui-webfilter [enable|disable]

set gui-videofilter [enable|disable]

set gui-dnsfilter [enable|disable]

set gui-waf-profile [enable|disable]

set gui-fortiextender-controller [enable|disable]

set gui-advanced-policy [enable|disable]

set gui-allow-unnamed-policy [enable|disable]

set gui-email-collection [enable|disable]

set gui-multiple-interface-policy [enable|disable]

set gui-policy-disclaimer [enable|disable]

set gui-ztna [enable|disable]

set location-id {ipv4-address}

set ike-session-resume [enable|disable]

set ike-quick-crash-detect [enable|disable]

set ike-dn-format [with-space|no-space]

set ike-port {integer}

set ike-policy-route [enable|disable]

set block-land-attack [disable|enable]

set application-bandwidth-tracking [disable|enable]

end

config system settings

Parameter

Description

Type

Size

Default

comments

VDOM comments.

var-string

Maximum length: 255

opmode

Firewall operation mode (NAT or Transparent).

option

-

nat

Option

Description

nat

Change to NAT mode.

transparent

Change to transparent mode.

ngfw-mode

Next Generation Firewall (NGFW) mode.

option

-

profile-based

Option

Description

profile-based

Application and web-filtering are configured using profiles applied to policy entries.

policy-based

Application and web-filtering are configured as policy match conditions.

http-external-dest

Offload HTTP traffic to FortiWeb or FortiCache.

option

-

fortiweb

Option

Description

fortiweb

Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.

forticache

Offload HTTP traffic to FortiCache for external web caching and WAN optimization.

firewall-session-dirty

Select how to manage sessions affected by firewall policy configuration changes.

option

-

check-all

Option

Description

check-all

All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.

check-new

Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.

check-policy-option

Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.

manageip

Transparent mode IPv4 management IP address and netmask.

user

Not Specified

gateway

Transparent mode IPv4 default gateway IP address.

ipv4-address

Not Specified

0.0.0.0

ip

IP address and netmask.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

manageip6

Transparent mode IPv6 management IP address and netmask.

ipv6-prefix

Not Specified

::/0

gateway6

Transparent mode IPv4 default gateway IP address.

ipv6-address

Not Specified

::

ip6

IPv6 address prefix for NAT mode.

ipv6-prefix

Not Specified

::/0

device

Interface to use for management access for NAT mode.

string

Maximum length: 35

bfd

Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.

option

-

disable

Option

Description

enable

Enable Bi-directional Forwarding Detection (BFD) on all interfaces.

disable

Disable Bi-directional Forwarding Detection (BFD) on all interfaces.

bfd-desired-min-tx

BFD desired minimal transmit interval .

integer

Minimum value: 1 Maximum value: 100000

250

bfd-required-min-rx

BFD required minimal receive interval .

integer

Minimum value: 1 Maximum value: 100000

250

bfd-detect-mult

BFD detection multiplier .

integer

Minimum value: 1 Maximum value: 50

3

bfd-dont-enforce-src-port

Enable to not enforce verifying the source port of BFD Packets.

option

-

disable

Option

Description

enable

Enable verifying the source port of BFD Packets.

disable

Disable verifying the source port of BFD Packets.

utf8-spam-tagging

Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.

option

-

enable

Option

Description

enable

Convert antispam tags to UTF-8.

disable

Do not convert antispam tags.

wccp-cache-engine

Enable/disable WCCP cache engine.

option

-

disable

Option

Description

enable

Enable WCCP cache engine.

disable

Disable WCCP cache engine.

vpn-stats-log

Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.

option

-

ipsec pptp l2tp ssl

Option

Description

ipsec

IPsec.

pptp

PPTP.

l2tp

L2TP.

ssl

SSL.

vpn-stats-period

Period to send VPN log statistics .

integer

Minimum value: 0 Maximum value: 4294967295

600

v4-ecmp-mode

IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.

option

-

source-ip-based

Option

Description

source-ip-based

Select next hop based on source IP.

weight-based

Select next hop based on weight.

usage-based

Select next hop based on usage.

source-dest-ip-based

Select next hop based on both source and destination IPs.

mac-ttl

Duration of MAC addresses in Transparent mode .

integer

Minimum value: 300 Maximum value: 8640000

300

fw-session-hairpin

Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.

option

-

disable

Option

Description

enable

Perform a policy check every time.

disable

Perform a policy check only the first time the session is received.

prp-trailer-action

Enable/disable action to take on PRP trailer.

option

-

disable

Option

Description

enable

Try to keep PRP trailer.

disable

Trim PRP trailer.

snat-hairpin-traffic

Enable/disable source NAT (SNAT) for hairpin traffic.

option

-

enable

Option

Description

enable

Enable SNAT for hairpin traffic.

disable

Disable SNAT for hairpin traffic.

dhcp-proxy

Enable/disable the DHCP Proxy.

option

-

disable

Option

Description

enable

Enable the DHCP proxy.

disable

Disable the DHCP proxy.

dhcp-proxy-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-proxy-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-server-ip

DHCP Server IPv4 address.

user

Not Specified

dhcp6-server-ip

DHCPv6 server IPv6 address.

user

Not Specified

central-nat

Enable/disable central NAT.

option

-

disable

Option

Description

enable

Enable central NAT.

disable

Disable central NAT.

gui-default-policy-columns <name>

Default columns to display for policy lists on GUI.

Select column name.

string

Maximum length: 79

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM.

option

-

global

Option

Description

enable

Enable LLDP reception for this VDOM.

disable

Disable LLDP reception for this VDOM.

global

Use the global LLDP reception configuration for this VDOM.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM.

option

-

global

Option

Description

enable

Enable LLDP transmission for this VDOM.

disable

Disable LLDP transmission for this VDOM.

global

Use the global LLDP transmission configuration for this VDOM.

link-down-access

Enable/disable link down access traffic.

option

-

enable

Option

Description

enable

Allow link down access traffic.

disable

Block link down access traffic.

auxiliary-session

Enable/disable auxiliary session.

option

-

disable

Option

Description

enable

Enable auxiliary session for this VDOM.

disable

Disable auxiliary session for this VDOM.

asymroute

Enable/disable IPv4 asymmetric routing.

option

-

disable

Option

Description

enable

Enable IPv4 asymmetric routing.

disable

Disable IPv4 asymmetric routing.

asymroute-icmp

Enable/disable ICMP asymmetric routing.

option

-

disable

Option

Description

enable

Enable ICMP asymmetric routing.

disable

Disable ICMP asymmetric routing.

tcp-session-without-syn

Enable/disable allowing TCP session without SYN flags.

option

-

disable

Option

Description

enable

Allow TCP session without SYN flags.

disable

Do not allow TCP session without SYN flags.

ses-denied-traffic

Enable/disable including denied session in the session table.

option

-

disable

Option

Description

enable

Include denied sessions in the session table.

disable

Do not add denied sessions to the session table.

strict-src-check

Enable/disable strict source verification.

option

-

disable

Option

Description

enable

Enable strict source verification.

disable

Disable strict source verification.

allow-linkdown-path

Enable/disable link down path.

option

-

disable

Option

Description

enable

Allow link down path.

disable

Do not allow link down path.

asymroute6

Enable/disable asymmetric IPv6 routing.

option

-

disable

Option

Description

enable

Enable asymmetric IPv6 routing.

disable

Disable asymmetric IPv6 routing.

asymroute6-icmp

Enable/disable asymmetric ICMPv6 routing.

option

-

disable

Option

Description

enable

Enable asymmetric ICMPv6 routing.

disable

Disable asymmetric ICMPv6 routing.

sctp-session-without-init

Enable/disable SCTP session creation without SCTP INIT.

option

-

disable

Option

Description

enable

Enable SCTP session creation without SCTP INIT.

disable

Disable SCTP session creation without SCTP INIT.

sip-expectation

Enable/disable the SIP kernel session helper to create an expectation for port 5060.

option

-

disable

Option

Description

enable

Allow SIP session helper to create an expectation for port 5060.

disable

Prevent SIP session helper from creating an expectation for port 5060.

sip-nat-trace

Enable/disable recording the original SIP source IP address when NAT is used.

option

-

enable

Option

Description

enable

Record the original SIP source IP address when NAT is used.

disable

Do not record the original SIP source IP address when NAT is used.

h323-direct-model

Enable/disable H323 direct model.

option

-

disable

Option

Description

disable

Disable H323 direct model.

enable

Enable H323 direct model.

status

Enable/disable this VDOM.

option

-

enable

Option

Description

enable

Enable this VDOM.

disable

Disable this VDOM.

sip-tcp-port

TCP port the SIP proxy monitors for SIP traffic .

integer

Minimum value: 1 Maximum value: 65535

5060

sip-udp-port

UDP port the SIP proxy monitors for SIP traffic .

integer

Minimum value: 1 Maximum value: 65535

5060

sip-ssl-port

TCP port the SIP proxy monitors for SIP SSL/TLS traffic .

integer

Minimum value: 0 Maximum value: 65535

5061

sccp-port

TCP port the SCCP proxy monitors for SCCP traffic .

integer

Minimum value: 0 Maximum value: 65535

2000

multicast-forward

Enable/disable multicast forwarding.

option

-

enable

Option

Description

enable

Enable multicast forwarding.

disable

Disable multicast forwarding.

multicast-ttl-notchange

Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.

option

-

disable

Option

Description

enable

The multicast TTL is not changed.

disable

The multicast TTL may be changed.

multicast-skip-policy

Enable/disable allowing multicast traffic through the FortiGate without a policy check.

option

-

disable

Option

Description

enable

Allowing multicast traffic through the FortiGate without creating a multicast firewall policy.

disable

Require a multicast policy to allow multicast traffic to pass through the FortiGate.

allow-subnet-overlap

Enable/disable allowing interface subnets to use overlapping IP addresses.

option

-

disable

Option

Description

enable

Enable overlapping subnets.

disable

Disable overlapping subnets.

deny-tcp-with-icmp

Enable/disable denying TCP by sending an ICMP communication prohibited packet.

option

-

disable

Option

Description

enable

Deny TCP with ICMP.

disable

Disable denying TCP with ICMP.

ecmp-max-paths

Maximum number of Equal Cost Multi-Path .

integer

Minimum value: 1 Maximum value: 255

255

discovered-device-timeout

Timeout for discovered devices .

integer

Minimum value: 1 Maximum value: 365

28

email-portal-check-dns

Enable/disable using DNS to validate email addresses collected by a captive portal.

option

-

enable

Option

Description

disable

Disable email address checking with DNS.

enable

Enable email address checking with DNS.

default-voip-alg-mode

Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.

option

-

proxy-based

Option

Description

proxy-based

Use a default proxy-based VoIP ALG.

kernel-helper-based

Use the SIP session helper.

gui-icap

Enable/disable ICAP on the GUI.

option

-

disable

Option

Description

enable

Enable ICAP on the GUI.

disable

Disable ICAP on the GUI.

gui-implicit-policy

Enable/disable implicit firewall policies on the GUI.

option

-

enable

Option

Description

enable

Enable implicit firewall policies on the GUI.

disable

Disable implicit firewall policies on the GUI.

gui-dns-database

Enable/disable DNS database settings on the GUI.

option

-

disable

Option

Description

enable

Enable DNS database settings on the GUI.

disable

Disable DNS database settings on the GUI.

gui-load-balance

Enable/disable server load balancing on the GUI.

option

-

disable

Option

Description

enable

Enable server load balancing on the GUI.

disable

Disable server load balancing on the GUI.

gui-multicast-policy

Enable/disable multicast firewall policies on the GUI.

option

-

disable

Option

Description

enable

Enable multicast firewall policies on the GUI.

disable

Disable multicast firewall policies on the GUI.

gui-dos-policy

Enable/disable DoS policies on the GUI.

option

-

enable **

Option

Description

enable

Enable DoS policies on the GUI.

disable

Disable DoS policies on the GUI.

gui-object-colors

Enable/disable object colors on the GUI.

option

-

enable

Option

Description

enable

Enable object colors on the GUI.

disable

Disable object colors on the GUI.

gui-voip-profile

Enable/disable VoIP profiles on the GUI.

option

-

disable

Option

Description

enable

Enable VoIP profiles on the GUI.

disable

Disable VoIP profiles on the GUI.

gui-ap-profile

Enable/disable FortiAP profiles on the GUI.

option

-

enable

Option

Description

enable

Enable FortiAP profiles on the GUI.

disable

Disable FortiAP profiles on the GUI.

gui-security-profile-group

Enable/disable Security Profile Groups on the GUI.

option

-

disable

Option

Description

enable

Enable Security Profile Groups on the GUI.

disable

Disable Security Profile Groups on the GUI.

gui-local-in-policy

Enable/disable Local-In policies on the GUI.

option

-

disable

Option

Description

enable

Enable Local-In policies on the GUI.

disable

Disable Local-In policies on the GUI.

gui-explicit-proxy

Enable/disable the explicit proxy on the GUI.

option

-

disable

Option

Description

enable

Enable the explicit proxy on the GUI.

disable

Disable the explicit proxy on the GUI.

gui-dynamic-routing

Enable/disable dynamic routing on the GUI.

option

-

enable **

Option

Description

enable

Enable dynamic routing on the GUI.

disable

Disable dynamic routing on the GUI.

gui-sslvpn-personal-bookmarks

Enable/disable SSL-VPN personal bookmark management on the GUI.

option

-

disable

Option

Description

enable

Enable SSL-VPN personal bookmark management on the GUI.

disable

Disable SSL-VPN personal bookmark management on the GUI.

gui-sslvpn-realms

Enable/disable SSL-VPN realms on the GUI.

option

-

disable

Option

Description

enable

Enable SSL-VPN realms on the GUI.

disable

Disable SSL-VPN realms on the GUI.

gui-policy-based-ipsec

Enable/disable policy-based IPsec VPN on the GUI.

option

-

disable

Option

Description

enable

Enable policy-based IPsec VPN on the GUI.

disable

Disable policy-based IPsec VPN on the GUI.

gui-threat-weight

Enable/disable threat weight on the GUI.

option

-

enable

Option

Description

enable

Enable threat weight on the GUI.

disable

Disable threat weight on the GUI.

gui-spamfilter

Enable/disable Antispam on the GUI.

option

-

disable

Option

Description

enable

Enable Antispam on the GUI.

disable

Disable Antispam on the GUI.

gui-file-filter

Enable/disable File-filter on the GUI.

option

-

enable

Option

Description

enable

Enable File-filter on the GUI.

disable

Disable File-filter on the GUI.

gui-application-control

Enable/disable application control on the GUI.

option

-

enable

Option

Description

enable

Enable application control on the GUI.

disable

Disable application control on the GUI.

gui-ips

Enable/disable IPS on the GUI.

option

-

disable **

Option

Description

enable

Enable IPS on the GUI.

disable

Disable IPS on the GUI.

gui-endpoint-control

Enable/disable endpoint control on the GUI.

option

-

enable

Option

Description

enable

Enable endpoint control on the GUI.

disable

Disable endpoint control on the GUI.

gui-endpoint-control-advanced

Enable/disable advanced endpoint control options on the GUI.

option

-

disable

Option

Description

enable

Enable advanced endpoint control options on the GUI.

disable

Disable advanced endpoint control options on the GUI.

gui-dhcp-advanced

Enable/disable advanced DHCP options on the GUI.

option

-

enable

Option

Description

enable

Enable advanced DHCP options on the GUI.

disable

Disable advanced DHCP options on the GUI.

gui-vpn

Enable/disable VPN tunnels on the GUI.

option

-

enable

Option

Description

enable

Enable VPN tunnels on the GUI.

disable

Disable VPN tunnels on the GUI.

gui-wireless-controller

Enable/disable the wireless controller on the GUI.

option

-

enable

Option

Description

enable

Enable the wireless controller on the GUI.

disable

Disable the wireless controller on the GUI.

gui-switch-controller

Enable/disable the switch controller on the GUI.

option

-

enable

Option

Description

enable

Enable the switch controller on the GUI.

disable

Disable the switch controller on the GUI.

gui-fortiap-split-tunneling

Enable/disable FortiAP split tunneling on the GUI.

option

-

disable

Option

Description

enable

Enable FortiAP split tunneling on the GUI.

disable

Disable FortiAP split tunneling on the GUI.

gui-webfilter-advanced

Enable/disable advanced web filtering on the GUI.

option

-

disable

Option

Description

enable

Enable advanced web filtering on the GUI.

disable

Disable advanced web filtering on the GUI.

gui-traffic-shaping

Enable/disable traffic shaping on the GUI.

option

-

enable

Option

Description

enable

Enable traffic shaping on the GUI.

disable

Disable traffic shaping on the GUI.

gui-wan-load-balancing

Enable/disable SD-WAN on the GUI.

option

-

enable

Option

Description

enable

Enable SD-WAN on the GUI.

disable

Disable SD-WAN on the GUI.

gui-antivirus

Enable/disable AntiVirus on the GUI.

option

-

enable

Option

Description

enable

Enable AntiVirus on the GUI.

disable

Disable AntiVirus on the GUI.

gui-webfilter

Enable/disable Web filtering on the GUI.

option

-

enable

Option

Description

enable

Enable Web filtering on the GUI.

disable

Disable Web filtering on the GUI.

gui-videofilter

Enable/disable Video filtering on the GUI.

option

-

enable

Option

Description

enable

Enable Video filtering on the GUI.

disable

Disable Video filtering on the GUI.

gui-dnsfilter

Enable/disable DNS Filtering on the GUI.

option

-

enable

Option

Description

enable

Enable DNS Filtering on the GUI.

disable

Disable DNS Filtering on the GUI.

gui-waf-profile

Enable/disable Web Application Firewall on the GUI.

option

-

disable

Option

Description

enable

Enable Web Application Firewall on the GUI.

disable

Disable Web Application Firewall on the GUI.

gui-fortiextender-controller

Enable/disable FortiExtender on the GUI.

option

-

enable **

Option

Description

enable

Enable FortiExtender on the GUI.

disable

Disable FortiExtender on the GUI.

gui-advanced-policy

Enable/disable advanced policy configuration on the GUI.

option

-

disable

Option

Description

enable

Enable advanced policy configuration on the GUI.

disable

Disable advanced policy configuration on the GUI.

gui-allow-unnamed-policy

Enable/disable the requirement for policy naming on the GUI.

option

-

disable

Option

Description

enable

Enable the requirement for policy naming on the GUI.

disable

Disable the requirement for policy naming on the GUI.

gui-email-collection

Enable/disable email collection on the GUI.

option

-

disable

Option

Description

enable

Enable email collection on the GUI.

disable

Disable email collection on the GUI.

gui-multiple-interface-policy

Enable/disable adding multiple interfaces to a policy on the GUI.

option

-

disable

Option

Description

enable

Enable adding multiple interfaces to a policy on the GUI.

disable

Disable adding multiple interfaces to a policy on the GUI.

gui-policy-disclaimer

Enable/disable policy disclaimer on the GUI.

option

-

disable

Option

Description

enable

Enable policy disclaimer on the GUI.

disable

Disable policy disclaimer on the GUI.

gui-ztna

Enable/disable Zero Trust Network Access features on the GUI.

option

-

disable

Option

Description

enable

Enable Zero Trust Network Access features on the GUI.

disable

Disable Zero Trust Network Access features on the GUI.

location-id

Local location ID in the form of an IPv4 address.

ipv4-address

Not Specified

0.0.0.0

ike-session-resume

Enable/disable IKEv2 session resumption (RFC 5723).

option

-

disable

Option

Description

enable

Enable IKEv2 session resumption (RFC 5723).

disable

Disable IKEv2 session resumption (RFC 5723).

ike-quick-crash-detect

Enable/disable IKE quick crash detection (RFC 6290).

option

-

disable

Option

Description

enable

Enable IKE quick crash detection (RFC 6290).

disable

Disable IKE quick crash detection (RFC 6290).

ike-dn-format

Configure IKE ASN.1 Distinguished Name format conventions.

option

-

with-space

Option

Description

with-space

Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.

no-space

Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.

ike-port

UDP port for IKE/IPsec traffic .

integer

Minimum value: 1024 Maximum value: 65535

500

ike-policy-route

Enable/disable IKE Policy Based Routing (PBR).

option

-

disable

Option

Description

enable

Enable IKE Policy Based Routing (PBR).

disable

Disable IKE Policy Based Routing (PBR).

block-land-attack

Enable/disable blocking of land attacks.

option

-

disable

Option

Description

disable

Do not block land attack.

enable

Block land attack.

application-bandwidth-tracking

Enable/disable application bandwidth tracking.

option

-

disable

Option

Description

disable

Disable application bandwidth tracking.

enable

Enable application bandwidth tracking.

** Values may differ between models.

config system settings

config system settings

Configure VDOM settings.

config system settings

Description: Configure VDOM settings.

set comments {var-string}

set opmode [nat|transparent]

set ngfw-mode [profile-based|policy-based]

set http-external-dest [fortiweb|forticache]

set firewall-session-dirty [check-all|check-new|...]

set manageip {user}

set gateway {ipv4-address}

set ip {ipv4-classnet-host}

set manageip6 {ipv6-prefix}

set gateway6 {ipv6-address}

set ip6 {ipv6-prefix}

set device {string}

set bfd [enable|disable]

set bfd-desired-min-tx {integer}

set bfd-required-min-rx {integer}

set bfd-detect-mult {integer}

set bfd-dont-enforce-src-port [enable|disable]

set utf8-spam-tagging [enable|disable]

set wccp-cache-engine [enable|disable]

set vpn-stats-log {option1}, {option2}, ...

set vpn-stats-period {integer}

set v4-ecmp-mode [source-ip-based|weight-based|...]

set mac-ttl {integer}

set fw-session-hairpin [enable|disable]

set prp-trailer-action [enable|disable]

set snat-hairpin-traffic [enable|disable]

set dhcp-proxy [enable|disable]

set dhcp-proxy-interface-select-method [auto|sdwan|...]

set dhcp-proxy-interface {string}

set dhcp-server-ip {user}

set dhcp6-server-ip {user}

set central-nat [enable|disable]

set gui-default-policy-columns <name1>, <name2>, ...

set lldp-reception [enable|disable|...]

set lldp-transmission [enable|disable|...]

set link-down-access [enable|disable]

set auxiliary-session [enable|disable]

set asymroute [enable|disable]

set asymroute-icmp [enable|disable]

set tcp-session-without-syn [enable|disable]

set ses-denied-traffic [enable|disable]

set strict-src-check [enable|disable]

set allow-linkdown-path [enable|disable]

set asymroute6 [enable|disable]

set asymroute6-icmp [enable|disable]

set sctp-session-without-init [enable|disable]

set sip-expectation [enable|disable]

set sip-nat-trace [enable|disable]

set h323-direct-model [disable|enable]

set status [enable|disable]

set sip-tcp-port {integer}

set sip-udp-port {integer}

set sip-ssl-port {integer}

set sccp-port {integer}

set multicast-forward [enable|disable]

set multicast-ttl-notchange [enable|disable]

set multicast-skip-policy [enable|disable]

set allow-subnet-overlap [enable|disable]

set deny-tcp-with-icmp [enable|disable]

set ecmp-max-paths {integer}

set discovered-device-timeout {integer}

set email-portal-check-dns [disable|enable]

set default-voip-alg-mode [proxy-based|kernel-helper-based]

set gui-icap [enable|disable]

set gui-implicit-policy [enable|disable]

set gui-dns-database [enable|disable]

set gui-load-balance [enable|disable]

set gui-multicast-policy [enable|disable]

set gui-dos-policy [enable|disable]

set gui-object-colors [enable|disable]

set gui-voip-profile [enable|disable]

set gui-ap-profile [enable|disable]

set gui-security-profile-group [enable|disable]

set gui-local-in-policy [enable|disable]

set gui-explicit-proxy [enable|disable]

set gui-dynamic-routing [enable|disable]

set gui-sslvpn-personal-bookmarks [enable|disable]

set gui-sslvpn-realms [enable|disable]

set gui-policy-based-ipsec [enable|disable]

set gui-threat-weight [enable|disable]

set gui-spamfilter [enable|disable]

set gui-file-filter [enable|disable]

set gui-application-control [enable|disable]

set gui-ips [enable|disable]

set gui-endpoint-control [enable|disable]

set gui-endpoint-control-advanced [enable|disable]

set gui-dhcp-advanced [enable|disable]

set gui-vpn [enable|disable]

set gui-wireless-controller [enable|disable]

set gui-switch-controller [enable|disable]

set gui-fortiap-split-tunneling [enable|disable]

set gui-webfilter-advanced [enable|disable]

set gui-traffic-shaping [enable|disable]

set gui-wan-load-balancing [enable|disable]

set gui-antivirus [enable|disable]

set gui-webfilter [enable|disable]

set gui-videofilter [enable|disable]

set gui-dnsfilter [enable|disable]

set gui-waf-profile [enable|disable]

set gui-fortiextender-controller [enable|disable]

set gui-advanced-policy [enable|disable]

set gui-allow-unnamed-policy [enable|disable]

set gui-email-collection [enable|disable]

set gui-multiple-interface-policy [enable|disable]

set gui-policy-disclaimer [enable|disable]

set gui-ztna [enable|disable]

set location-id {ipv4-address}

set ike-session-resume [enable|disable]

set ike-quick-crash-detect [enable|disable]

set ike-dn-format [with-space|no-space]

set ike-port {integer}

set ike-policy-route [enable|disable]

set block-land-attack [disable|enable]

set application-bandwidth-tracking [disable|enable]

end

config system settings

Parameter

Description

Type

Size

Default

comments

VDOM comments.

var-string

Maximum length: 255

opmode

Firewall operation mode (NAT or Transparent).

option

-

nat

Option

Description

nat

Change to NAT mode.

transparent

Change to transparent mode.

ngfw-mode

Next Generation Firewall (NGFW) mode.

option

-

profile-based

Option

Description

profile-based

Application and web-filtering are configured using profiles applied to policy entries.

policy-based

Application and web-filtering are configured as policy match conditions.

http-external-dest

Offload HTTP traffic to FortiWeb or FortiCache.

option

-

fortiweb

Option

Description

fortiweb

Offload HTTP traffic to FortiWeb for Web Application Firewall inspection.

forticache

Offload HTTP traffic to FortiCache for external web caching and WAN optimization.

firewall-session-dirty

Select how to manage sessions affected by firewall policy configuration changes.

option

-

check-all

Option

Description

check-all

All sessions affected by a firewall policy change are flushed from the session table. When new packets are recived they are re-evaluated by stateful inspection and re-added to the session table.

check-new

Estabished sessions for changed firewall policies continue without being affected by the policy configuration change. New sessions are evaluated according to the new firewall policy configuration.

check-policy-option

Sessions are managed individually depending on the firewall policy. Some sessions may restart. Some may continue.

manageip

Transparent mode IPv4 management IP address and netmask.

user

Not Specified

gateway

Transparent mode IPv4 default gateway IP address.

ipv4-address

Not Specified

0.0.0.0

ip

IP address and netmask.

ipv4-classnet-host

Not Specified

0.0.0.0 0.0.0.0

manageip6

Transparent mode IPv6 management IP address and netmask.

ipv6-prefix

Not Specified

::/0

gateway6

Transparent mode IPv4 default gateway IP address.

ipv6-address

Not Specified

::

ip6

IPv6 address prefix for NAT mode.

ipv6-prefix

Not Specified

::/0

device

Interface to use for management access for NAT mode.

string

Maximum length: 35

bfd

Enable/disable Bi-directional Forwarding Detection (BFD) on all interfaces.

option

-

disable

Option

Description

enable

Enable Bi-directional Forwarding Detection (BFD) on all interfaces.

disable

Disable Bi-directional Forwarding Detection (BFD) on all interfaces.

bfd-desired-min-tx

BFD desired minimal transmit interval .

integer

Minimum value: 1 Maximum value: 100000

250

bfd-required-min-rx

BFD required minimal receive interval .

integer

Minimum value: 1 Maximum value: 100000

250

bfd-detect-mult

BFD detection multiplier .

integer

Minimum value: 1 Maximum value: 50

3

bfd-dont-enforce-src-port

Enable to not enforce verifying the source port of BFD Packets.

option

-

disable

Option

Description

enable

Enable verifying the source port of BFD Packets.

disable

Disable verifying the source port of BFD Packets.

utf8-spam-tagging

Enable/disable converting antispam tags to UTF-8 for better non-ASCII character support.

option

-

enable

Option

Description

enable

Convert antispam tags to UTF-8.

disable

Do not convert antispam tags.

wccp-cache-engine

Enable/disable WCCP cache engine.

option

-

disable

Option

Description

enable

Enable WCCP cache engine.

disable

Disable WCCP cache engine.

vpn-stats-log

Enable/disable periodic VPN log statistics for one or more types of VPN. Separate names with a space.

option

-

ipsec pptp l2tp ssl

Option

Description

ipsec

IPsec.

pptp

PPTP.

l2tp

L2TP.

ssl

SSL.

vpn-stats-period

Period to send VPN log statistics .

integer

Minimum value: 0 Maximum value: 4294967295

600

v4-ecmp-mode

IPv4 Equal-cost multi-path (ECMP) routing and load balancing mode.

option

-

source-ip-based

Option

Description

source-ip-based

Select next hop based on source IP.

weight-based

Select next hop based on weight.

usage-based

Select next hop based on usage.

source-dest-ip-based

Select next hop based on both source and destination IPs.

mac-ttl

Duration of MAC addresses in Transparent mode .

integer

Minimum value: 300 Maximum value: 8640000

300

fw-session-hairpin

Enable/disable checking for a matching policy each time hairpin traffic goes through the FortiGate.

option

-

disable

Option

Description

enable

Perform a policy check every time.

disable

Perform a policy check only the first time the session is received.

prp-trailer-action

Enable/disable action to take on PRP trailer.

option

-

disable

Option

Description

enable

Try to keep PRP trailer.

disable

Trim PRP trailer.

snat-hairpin-traffic

Enable/disable source NAT (SNAT) for hairpin traffic.

option

-

enable

Option

Description

enable

Enable SNAT for hairpin traffic.

disable

Disable SNAT for hairpin traffic.

dhcp-proxy

Enable/disable the DHCP Proxy.

option

-

disable

Option

Description

enable

Enable the DHCP proxy.

disable

Disable the DHCP proxy.

dhcp-proxy-interface-select-method

Specify how to select outgoing interface to reach server.

option

-

auto

Option

Description

auto

Set outgoing interface automatically.

sdwan

Set outgoing interface by SD-WAN or policy routing rules.

specify

Set outgoing interface manually.

dhcp-proxy-interface

Specify outgoing interface to reach server.

string

Maximum length: 15

dhcp-server-ip

DHCP Server IPv4 address.

user

Not Specified

dhcp6-server-ip

DHCPv6 server IPv6 address.

user

Not Specified

central-nat

Enable/disable central NAT.

option

-

disable

Option

Description

enable

Enable central NAT.

disable

Disable central NAT.

gui-default-policy-columns <name>

Default columns to display for policy lists on GUI.

Select column name.

string

Maximum length: 79

lldp-reception

Enable/disable Link Layer Discovery Protocol (LLDP) reception for this VDOM or apply global settings to this VDOM.

option

-

global

Option

Description

enable

Enable LLDP reception for this VDOM.

disable

Disable LLDP reception for this VDOM.

global

Use the global LLDP reception configuration for this VDOM.

lldp-transmission

Enable/disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM or apply global settings to this VDOM.

option

-

global

Option

Description

enable

Enable LLDP transmission for this VDOM.

disable

Disable LLDP transmission for this VDOM.

global

Use the global LLDP transmission configuration for this VDOM.

link-down-access

Enable/disable link down access traffic.

option

-

enable

Option

Description

enable

Allow link down access traffic.

disable

Block link down access traffic.

auxiliary-session

Enable/disable auxiliary session.

option

-

disable

Option

Description

enable

Enable auxiliary session for this VDOM.

disable

Disable auxiliary session for this VDOM.

asymroute

Enable/disable IPv4 asymmetric routing.

option

-

disable

Option

Description

enable

Enable IPv4 asymmetric routing.

disable

Disable IPv4 asymmetric routing.

asymroute-icmp

Enable/disable ICMP asymmetric routing.

option

-

disable

Option

Description

enable

Enable ICMP asymmetric routing.

disable

Disable ICMP asymmetric routing.

tcp-session-without-syn

Enable/disable allowing TCP session without SYN flags.

option

-

disable

Option

Description

enable

Allow TCP session without SYN flags.

disable

Do not allow TCP session without SYN flags.

ses-denied-traffic

Enable/disable including denied session in the session table.

option

-

disable

Option

Description

enable

Include denied sessions in the session table.

disable

Do not add denied sessions to the session table.

strict-src-check

Enable/disable strict source verification.

option

-

disable

Option

Description

enable

Enable strict source verification.

disable

Disable strict source verification.

allow-linkdown-path

Enable/disable link down path.

option

-

disable

Option

Description

enable

Allow link down path.

disable

Do not allow link down path.

asymroute6

Enable/disable asymmetric IPv6 routing.

option

-

disable

Option

Description

enable

Enable asymmetric IPv6 routing.

disable

Disable asymmetric IPv6 routing.

asymroute6-icmp

Enable/disable asymmetric ICMPv6 routing.

option

-

disable

Option

Description

enable

Enable asymmetric ICMPv6 routing.

disable

Disable asymmetric ICMPv6 routing.

sctp-session-without-init

Enable/disable SCTP session creation without SCTP INIT.

option

-

disable

Option

Description

enable

Enable SCTP session creation without SCTP INIT.

disable

Disable SCTP session creation without SCTP INIT.

sip-expectation

Enable/disable the SIP kernel session helper to create an expectation for port 5060.

option

-

disable

Option

Description

enable

Allow SIP session helper to create an expectation for port 5060.

disable

Prevent SIP session helper from creating an expectation for port 5060.

sip-nat-trace

Enable/disable recording the original SIP source IP address when NAT is used.

option

-

enable

Option

Description

enable

Record the original SIP source IP address when NAT is used.

disable

Do not record the original SIP source IP address when NAT is used.

h323-direct-model

Enable/disable H323 direct model.

option

-

disable

Option

Description

disable

Disable H323 direct model.

enable

Enable H323 direct model.

status

Enable/disable this VDOM.

option

-

enable

Option

Description

enable

Enable this VDOM.

disable

Disable this VDOM.

sip-tcp-port

TCP port the SIP proxy monitors for SIP traffic .

integer

Minimum value: 1 Maximum value: 65535

5060

sip-udp-port

UDP port the SIP proxy monitors for SIP traffic .

integer

Minimum value: 1 Maximum value: 65535

5060

sip-ssl-port

TCP port the SIP proxy monitors for SIP SSL/TLS traffic .

integer

Minimum value: 0 Maximum value: 65535

5061

sccp-port

TCP port the SCCP proxy monitors for SCCP traffic .

integer

Minimum value: 0 Maximum value: 65535

2000

multicast-forward

Enable/disable multicast forwarding.

option

-

enable

Option

Description

enable

Enable multicast forwarding.

disable

Disable multicast forwarding.

multicast-ttl-notchange

Enable/disable preventing the FortiGate from changing the TTL for forwarded multicast packets.

option

-

disable

Option

Description

enable

The multicast TTL is not changed.

disable

The multicast TTL may be changed.

multicast-skip-policy

Enable/disable allowing multicast traffic through the FortiGate without a policy check.

option

-

disable

Option

Description

enable

Allowing multicast traffic through the FortiGate without creating a multicast firewall policy.

disable

Require a multicast policy to allow multicast traffic to pass through the FortiGate.

allow-subnet-overlap

Enable/disable allowing interface subnets to use overlapping IP addresses.

option

-

disable

Option

Description

enable

Enable overlapping subnets.

disable

Disable overlapping subnets.

deny-tcp-with-icmp

Enable/disable denying TCP by sending an ICMP communication prohibited packet.

option

-

disable

Option

Description

enable

Deny TCP with ICMP.

disable

Disable denying TCP with ICMP.

ecmp-max-paths

Maximum number of Equal Cost Multi-Path .

integer

Minimum value: 1 Maximum value: 255

255

discovered-device-timeout

Timeout for discovered devices .

integer

Minimum value: 1 Maximum value: 365

28

email-portal-check-dns

Enable/disable using DNS to validate email addresses collected by a captive portal.

option

-

enable

Option

Description

disable

Disable email address checking with DNS.

enable

Enable email address checking with DNS.

default-voip-alg-mode

Configure how the FortiGate handles VoIP traffic when a policy that accepts the traffic doesn't include a VoIP profile.

option

-

proxy-based

Option

Description

proxy-based

Use a default proxy-based VoIP ALG.

kernel-helper-based

Use the SIP session helper.

gui-icap

Enable/disable ICAP on the GUI.

option

-

disable

Option

Description

enable

Enable ICAP on the GUI.

disable

Disable ICAP on the GUI.

gui-implicit-policy

Enable/disable implicit firewall policies on the GUI.

option

-

enable

Option

Description

enable

Enable implicit firewall policies on the GUI.

disable

Disable implicit firewall policies on the GUI.

gui-dns-database

Enable/disable DNS database settings on the GUI.

option

-

disable

Option

Description

enable

Enable DNS database settings on the GUI.

disable

Disable DNS database settings on the GUI.

gui-load-balance

Enable/disable server load balancing on the GUI.

option

-

disable

Option

Description

enable

Enable server load balancing on the GUI.

disable

Disable server load balancing on the GUI.

gui-multicast-policy

Enable/disable multicast firewall policies on the GUI.

option

-

disable

Option

Description

enable

Enable multicast firewall policies on the GUI.

disable

Disable multicast firewall policies on the GUI.

gui-dos-policy

Enable/disable DoS policies on the GUI.

option

-

enable **

Option

Description

enable

Enable DoS policies on the GUI.

disable

Disable DoS policies on the GUI.

gui-object-colors

Enable/disable object colors on the GUI.

option

-

enable

Option

Description

enable

Enable object colors on the GUI.

disable

Disable object colors on the GUI.

gui-voip-profile

Enable/disable VoIP profiles on the GUI.

option

-

disable

Option

Description

enable

Enable VoIP profiles on the GUI.

disable

Disable VoIP profiles on the GUI.

gui-ap-profile

Enable/disable FortiAP profiles on the GUI.

option

-

enable

Option

Description

enable

Enable FortiAP profiles on the GUI.

disable

Disable FortiAP profiles on the GUI.

gui-security-profile-group

Enable/disable Security Profile Groups on the GUI.

option

-

disable

Option

Description

enable

Enable Security Profile Groups on the GUI.

disable

Disable Security Profile Groups on the GUI.

gui-local-in-policy

Enable/disable Local-In policies on the GUI.

option

-

disable

Option

Description

enable

Enable Local-In policies on the GUI.

disable

Disable Local-In policies on the GUI.

gui-explicit-proxy

Enable/disable the explicit proxy on the GUI.

option

-

disable

Option

Description

enable

Enable the explicit proxy on the GUI.

disable

Disable the explicit proxy on the GUI.

gui-dynamic-routing

Enable/disable dynamic routing on the GUI.

option

-

enable **

Option

Description

enable

Enable dynamic routing on the GUI.

disable

Disable dynamic routing on the GUI.

gui-sslvpn-personal-bookmarks

Enable/disable SSL-VPN personal bookmark management on the GUI.

option

-

disable

Option

Description

enable

Enable SSL-VPN personal bookmark management on the GUI.

disable

Disable SSL-VPN personal bookmark management on the GUI.

gui-sslvpn-realms

Enable/disable SSL-VPN realms on the GUI.

option

-

disable

Option

Description

enable

Enable SSL-VPN realms on the GUI.

disable

Disable SSL-VPN realms on the GUI.

gui-policy-based-ipsec

Enable/disable policy-based IPsec VPN on the GUI.

option

-

disable

Option

Description

enable

Enable policy-based IPsec VPN on the GUI.

disable

Disable policy-based IPsec VPN on the GUI.

gui-threat-weight

Enable/disable threat weight on the GUI.

option

-

enable

Option

Description

enable

Enable threat weight on the GUI.

disable

Disable threat weight on the GUI.

gui-spamfilter

Enable/disable Antispam on the GUI.

option

-

disable

Option

Description

enable

Enable Antispam on the GUI.

disable

Disable Antispam on the GUI.

gui-file-filter

Enable/disable File-filter on the GUI.

option

-

enable

Option

Description

enable

Enable File-filter on the GUI.

disable

Disable File-filter on the GUI.

gui-application-control

Enable/disable application control on the GUI.

option

-

enable

Option

Description

enable

Enable application control on the GUI.

disable

Disable application control on the GUI.

gui-ips

Enable/disable IPS on the GUI.

option

-

disable **

Option

Description

enable

Enable IPS on the GUI.

disable

Disable IPS on the GUI.

gui-endpoint-control

Enable/disable endpoint control on the GUI.

option

-

enable

Option

Description

enable

Enable endpoint control on the GUI.

disable

Disable endpoint control on the GUI.

gui-endpoint-control-advanced

Enable/disable advanced endpoint control options on the GUI.

option

-

disable

Option

Description

enable

Enable advanced endpoint control options on the GUI.

disable

Disable advanced endpoint control options on the GUI.

gui-dhcp-advanced

Enable/disable advanced DHCP options on the GUI.

option

-

enable

Option

Description

enable

Enable advanced DHCP options on the GUI.

disable

Disable advanced DHCP options on the GUI.

gui-vpn

Enable/disable VPN tunnels on the GUI.

option

-

enable

Option

Description

enable

Enable VPN tunnels on the GUI.

disable

Disable VPN tunnels on the GUI.

gui-wireless-controller

Enable/disable the wireless controller on the GUI.

option

-

enable

Option

Description

enable

Enable the wireless controller on the GUI.

disable

Disable the wireless controller on the GUI.

gui-switch-controller

Enable/disable the switch controller on the GUI.

option

-

enable

Option

Description

enable

Enable the switch controller on the GUI.

disable

Disable the switch controller on the GUI.

gui-fortiap-split-tunneling

Enable/disable FortiAP split tunneling on the GUI.

option

-

disable

Option

Description

enable

Enable FortiAP split tunneling on the GUI.

disable

Disable FortiAP split tunneling on the GUI.

gui-webfilter-advanced

Enable/disable advanced web filtering on the GUI.

option

-

disable

Option

Description

enable

Enable advanced web filtering on the GUI.

disable

Disable advanced web filtering on the GUI.

gui-traffic-shaping

Enable/disable traffic shaping on the GUI.

option

-

enable

Option

Description

enable

Enable traffic shaping on the GUI.

disable

Disable traffic shaping on the GUI.

gui-wan-load-balancing

Enable/disable SD-WAN on the GUI.

option

-

enable

Option

Description

enable

Enable SD-WAN on the GUI.

disable

Disable SD-WAN on the GUI.

gui-antivirus

Enable/disable AntiVirus on the GUI.

option

-

enable

Option

Description

enable

Enable AntiVirus on the GUI.

disable

Disable AntiVirus on the GUI.

gui-webfilter

Enable/disable Web filtering on the GUI.

option

-

enable

Option

Description

enable

Enable Web filtering on the GUI.

disable

Disable Web filtering on the GUI.

gui-videofilter

Enable/disable Video filtering on the GUI.

option

-

enable

Option

Description

enable

Enable Video filtering on the GUI.

disable

Disable Video filtering on the GUI.

gui-dnsfilter

Enable/disable DNS Filtering on the GUI.

option

-

enable

Option

Description

enable

Enable DNS Filtering on the GUI.

disable

Disable DNS Filtering on the GUI.

gui-waf-profile

Enable/disable Web Application Firewall on the GUI.

option

-

disable

Option

Description

enable

Enable Web Application Firewall on the GUI.

disable

Disable Web Application Firewall on the GUI.

gui-fortiextender-controller

Enable/disable FortiExtender on the GUI.

option

-

enable **

Option

Description

enable

Enable FortiExtender on the GUI.

disable

Disable FortiExtender on the GUI.

gui-advanced-policy

Enable/disable advanced policy configuration on the GUI.

option

-

disable

Option

Description

enable

Enable advanced policy configuration on the GUI.

disable

Disable advanced policy configuration on the GUI.

gui-allow-unnamed-policy

Enable/disable the requirement for policy naming on the GUI.

option

-

disable

Option

Description

enable

Enable the requirement for policy naming on the GUI.

disable

Disable the requirement for policy naming on the GUI.

gui-email-collection

Enable/disable email collection on the GUI.

option

-

disable

Option

Description

enable

Enable email collection on the GUI.

disable

Disable email collection on the GUI.

gui-multiple-interface-policy

Enable/disable adding multiple interfaces to a policy on the GUI.

option

-

disable

Option

Description

enable

Enable adding multiple interfaces to a policy on the GUI.

disable

Disable adding multiple interfaces to a policy on the GUI.

gui-policy-disclaimer

Enable/disable policy disclaimer on the GUI.

option

-

disable

Option

Description

enable

Enable policy disclaimer on the GUI.

disable

Disable policy disclaimer on the GUI.

gui-ztna

Enable/disable Zero Trust Network Access features on the GUI.

option

-

disable

Option

Description

enable

Enable Zero Trust Network Access features on the GUI.

disable

Disable Zero Trust Network Access features on the GUI.

location-id

Local location ID in the form of an IPv4 address.

ipv4-address

Not Specified

0.0.0.0

ike-session-resume

Enable/disable IKEv2 session resumption (RFC 5723).

option

-

disable

Option

Description

enable

Enable IKEv2 session resumption (RFC 5723).

disable

Disable IKEv2 session resumption (RFC 5723).

ike-quick-crash-detect

Enable/disable IKE quick crash detection (RFC 6290).

option

-

disable

Option

Description

enable

Enable IKE quick crash detection (RFC 6290).

disable

Disable IKE quick crash detection (RFC 6290).

ike-dn-format

Configure IKE ASN.1 Distinguished Name format conventions.

option

-

with-space

Option

Description

with-space

Format IKE ASN.1 Distinguished Names with spaces between attribute names and values.

no-space

Format IKE ASN.1 Distinguished Names without spaces between attribute names and values.

ike-port

UDP port for IKE/IPsec traffic .

integer

Minimum value: 1024 Maximum value: 65535

500

ike-policy-route

Enable/disable IKE Policy Based Routing (PBR).

option

-

disable

Option

Description

enable

Enable IKE Policy Based Routing (PBR).

disable

Disable IKE Policy Based Routing (PBR).

block-land-attack

Enable/disable blocking of land attacks.

option

-

disable

Option

Description

disable

Do not block land attack.

enable

Block land attack.

application-bandwidth-tracking

Enable/disable application bandwidth tracking.

option

-

disable

Option

Description

disable

Disable application bandwidth tracking.

enable

Enable application bandwidth tracking.

** Values may differ between models.