CLI Reference

config system global

Configure global attributes.

config system global
    Description: Configure global attributes.
    set language [english|french|...]
    set gui-ipv6 [enable|disable]
    set gui-certificates [enable|disable]
    set gui-custom-language [enable|disable]
    set gui-display-hostname [enable|disable]
    set gui-lines-per-page {integer}
    set admin-https-ssl-versions [tlsv1-0|tlsv1-1|...]
    set admin-timeout {integer}
    set admin-console-timeout {integer}
    set ssd-trim-freq [never|hourly|...]
    set ssd-trim-hour {integer}
    set ssd-trim-min {integer}
    set ssd-trim-weekday [sunday|monday|...]
    set ssd-trim-date {integer}
    set admin-concurrent [enable|disable]
    set admin-lockout-threshold {integer}
    set admin-lockout-duration {integer}
    set refresh {integer}
    set interval {integer}
    set failtime {integer}
    set daily-restart [enable|disable]
    set restart-time {user}
    set radius-port {integer}
    set admin-login-max {integer}
    set remoteauthtimeout {integer}
    set ldapconntimeout {integer}
    set ldap-server-algorithm [primary-secondary|round-robin]
    set batch-cmdb [enable|disable]
    set dst [enable|disable]
    set timezone [01|02|...]
    set ntpserver {string}
    set ntpsync [enable|disable]
    set syncinterval {integer}
    set management-vdom {string}
    set hostname {string}
    set alias {string}
    set strong-crypto [enable|disable]
    set ssh-cbc-cipher [enable|disable]
    set ssh-hmac-md5 [enable|disable]
    set ssh-kex-sha1 [enable|disable]
    set ssh-mac-weak [enable|disable]
    set ssl-static-key-ciphers [enable|disable]
    set cli-audit-log [enable|disable]
    set dh-params [1024|1536|...]
    set fds-statistics [enable|disable]
    set fds-statistics-period {integer}
    set tcp-option [enable|disable]
    set proxy-auth-timeout {integer}
    set resigned-pkey-period {integer}
    set proxy-re-authentication-mode [session|traffic|...]
    set proxy-auth-lifetime [enable|disable]
    set proxy-auth-lifetime-timeout {integer}
    set update-tls-finger-print [enable|disable]
    set sys-perf-log-interval {integer}
    set vip-arp-range [unlimited|restricted]
    set ip-src-port-range {user}
    set pre-login-banner [enable|disable]
    set post-login-banner [disable|enable]
    set tftp [enable|disable]
    set av-failopen [pass|off|...]
    set av-failopen-session [enable|disable]
    set memory-use-threshold-extreme {integer}
    set memory-use-threshold-red {integer}
    set memory-use-threshold-green {integer}
    set admin-port {integer}
    set admin-sport {integer}
    set admin-https-redirect [enable|disable]
    set admin-hsts-max-age {integer}
    set admin-ssh-password [enable|disable]
    set admin-ssh-port {integer}
    set admin-ssh-grace-time {integer}
    set admin-ssh-v1 [enable|disable]
    set admin-telnet-port {integer}
    set admin-maintainer [enable|disable]
    set admin-server-cert {string}
    set user-server-cert {string}
    set admin-https-pki-required [enable|disable]
    set auth-http-port {integer}
    set auth-https-port {integer}
    set auth-keepalive [enable|disable]
    set policy-auth-concurrent {integer}
    set auth-session-limit [block-new|logout-inactive]
    set auth-cert {string}
    set clt-cert-req [enable|disable]
    set cfg-save [automatic|manual|...]
    set cfg-revert-timeout {integer}
    set reboot-upon-config-restore [enable|disable]
    set admin-scp [enable|disable]
    set fortiguard-audit-result-submission [enable|disable]
    set scanunit-count {integer}
    set fgd-alert-subscription [advisory|latest-threat|...]
    set ipv6-accept-dad {integer}
    set csr-ca-attribute [enable|disable]
    set cert-chain-max {integer}
    set two-factor-ftk-expiry {integer}
    set two-factor-email-expiry {integer}
    set two-factor-sms-expiry {integer}
    set two-factor-fac-expiry {integer}
    set two-factor-ftm-expiry {integer}
    set max-img-cache-size {integer}
    set img-cache-mode [stop|rolling]
    set wad-worker-count {integer}
    set wad-csvc-cs-count {integer}
    set wad-csvc-db-count {integer}
    set http-view [enable|disable]
    set wad-source-affinity [disable|enable]
    set wad-memory-change-granularity {integer}
    set login-timestamp [enable|disable]
    set miglogd-children {integer}
    set special-file-23-support [disable|enable]
    set log-ssl-connection [enable|disable]
    set arp-max-entry {integer}
    set ips-affinity {string}
    set ndp-max-entry {integer}
    set gui-device-latitude {string}
    set gui-device-longitude {string}
    set private-data-encryption [disable|enable]
    set auto-auth-extension-device [enable|disable]
    set gui-theme [fpx|green|...]
    set license-overlimit [bypass|block]
    set max-session-per-user {integer}
    set conntrack {integer}
    set established-timeout {integer}
    set time-wait-timeout {integer}
    set fin-wait-timeout {integer}
    set close-wait-timeout {integer}
    set syn-sent-timeout {integer}
    set syn-recv-timeout {integer}
    set last-ack-timeout {integer}
    set udp-timeout {integer}
    set udp-stream-timeout {integer}
end

config system global

Parameter

Description

Type

Size

language

GUI display language.

option

-

Option

Description

english

English.

french

French.

spanish

Spanish.

portuguese

Portuguese.

japanese

Japanese.

trach

Traditional Chinese.

simch

Simplified Chinese.

korean

Korean.

gui-ipv6

Enable/disable IPv6 settings on the GUI.

option

-

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-certificates

Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.

option

-

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-custom-language

Enable/disable custom languages in GUI.

option

-

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-display-hostname

Enable/disable displaying the FortiProxy's hostname on the GUI login page.

option

-

Option

Description

enable

Display the feature in GUI.

disable

Do not display the feature in GUI.

gui-lines-per-page

Number of lines to display per page for web administration.

integer

Minimum value: 20 Maximum value: 1000

admin-https-ssl-versions

Allowed TLS versions for web administration.

option

-

Option

Description

tlsv1-0

TLS 1.0.

tlsv1-1

TLS 1.1.

tlsv1-2

TLS 1.2.

admin-timeout

Number of minutes before an idle administrator session times out. A shorter idle timeout is more secure.

integer

Minimum value: 1 Maximum value: 480

admin-console-timeout

Console login timeout that overrides the admin-timeout value. 0, the default, disables this timeout.

integer

Minimum value: 15 Maximum value: 300

ssd-trim-freq

How often to run SSD Trim. SSD Trim prevents SSD drive data loss by finding and isolating errors.

option

-

Option

Description

never

Never Run SSD Trim.

hourly

Run SSD Trim Hourly.

daily

Run SSD Trim Daily.

weekly

Run SSD Trim Weekly.

monthly

Run SSD Trim Monthly.

ssd-trim-hour

Hour of the day on which to run SSD Trim.

integer

Minimum value: 0 Maximum value: 23

ssd-trim-min

Minute of the hour on which to run SSD Trim.

integer

Minimum value: 0 Maximum value: 60

ssd-trim-weekday

Day of week to run SSD Trim. Blank by default.

option

-

Option

Description

sunday

Sunday

monday

Monday

tuesday

Tuesday

wednesday

Wednesday

thursday

Thursday

friday

Friday

saturday

Saturday

ssd-trim-date

Day of the month on which to run SSD Trim.

integer

Minimum value: 1 Maximum value: 31

admin-concurrent

Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)

option

-

Option

Description

enable

Enable admin concurrent login.

disable

Disable admin concurrent login.

admin-lockout-threshold

Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.

integer

Minimum value: 1 Maximum value: 10

admin-lockout-duration

Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.

integer

Minimum value: 1 Maximum value: 2147483647

refresh

Statistics refresh interval in GUI.

integer

Minimum value: 0 Maximum value: 4294967295

interval

Dead gateway detection interval.

integer

Minimum value: 0 Maximum value: 4294967295

failtime

Fail-time for server lost.

integer

Minimum value: 0 Maximum value: 4294967295

daily-restart

Enable/disable daily restart of FortiProxy unit. Use the restart-time option to set the time of day for the restart.

option

-

Option

Description

enable

Enable daily reboot of the FortiProxy.

disable

Disable daily reboot of the FortiProxy.

restart-time

Daily restart time (hh:mm).

user

Not Specified

radius-port

RADIUS service port number.

integer

Minimum value: 1 Maximum value: 65535

admin-login-max

Maximum number of administrators who can be logged in at the same time.

integer

Minimum value: 1 Maximum value: 100

remoteauthtimeout

Number of seconds that the FortiProxy waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers.

integer

Minimum value: 1 Maximum value: 300

ldapconntimeout

Global timeout for connections with remote LDAP servers in milliseconds.

integer

Minimum value: 0 Maximum value: 4294967295

ldap-server-algorithm

LDAP server selection algorithm.

option

-

Option

Description

primary-secondary

Select the first healthy LDAP server in order.

round-robin

Select the next healthy server.

batch-cmdb

Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.

option

-

Option

Description

enable

Enable batch mode to execute in CMDB server.

disable

Disable batch mode to execute in CMDB server.

dst

Enable/disable daylight saving time.

option

-

Option

Description

enable

Enable daylight saving time.

disable

Disable daylight saving time.

timezone

Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.

option

-

Option

Description

01

(GMT-11:00) Midway Island, Samoa

02

(GMT-10:00) Hawaii

03

(GMT-9:00) Alaska

04

(GMT-8:00) Pacific Time (US & Canada)

05

(GMT-7:00) Arizona

81

(GMT-7:00) Baja California Sur, Chihuahua

06

(GMT-7:00) Mountain Time (US & Canada)

07

(GMT-6:00) Central America

08

(GMT-6:00) Central Time (US & Canada)

09

(GMT-6:00) Mexico City

10

(GMT-6:00) Saskatchewan

11

(GMT-5:00) Bogota, Lima, Quito

12

(GMT-5:00) Eastern Time (US & Canada)

13

(GMT-5:00) Indiana (East)

74

(GMT-4:00) Caracas

14

(GMT-4:00) Atlantic Time (Canada)

77

(GMT-4:00) Georgetown

15

(GMT-4:00) La Paz

16

(GMT-3:00) Santiago

17

(GMT-3:30) Newfoundland

18

(GMT-3:00) Brasilia

19

(GMT-3:00) Buenos Aires

20

(GMT-3:00) Nuuk (Greenland)

75

(GMT-3:00) Uruguay

87

(GMT-3:00) Paraguay

21

(GMT-2:00) Mid-Atlantic

22

(GMT-1:00) Azores

23

(GMT-1:00) Cape Verde Is.

24

(GMT) Monrovia

80

(GMT) Greenwich Mean Time

79

(GMT) Casablanca

25

(GMT) Dublin, Edinburgh, Lisbon, London

26

(GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

27

(GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

28

(GMT+1:00) Brussels, Copenhagen, Madrid, Paris

78

(GMT+1:00) Namibia

29

(GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb

30

(GMT+1:00) West Central Africa

31

(GMT+2:00) Athens, Sofia, Vilnius

32

(GMT+2:00) Bucharest

33

(GMT+2:00) Cairo

34

(GMT+2:00) Harare, Pretoria

35

(GMT+2:00) Helsinki, Riga, Tallinn

36

(GMT+2:00) Jerusalem

37

(GMT+3:00) Baghdad

38

(GMT+3:00) Kuwait, Riyadh

83

(GMT+3:00) Moscow

84

(GMT+3:00) Minsk

40

(GMT+3:00) Nairobi

85

(GMT+3:00) Istanbul

41

(GMT+3:30) Tehran

42

(GMT+4:00) Abu Dhabi, Muscat

43

(GMT+4:00) Baku

39

(GMT+3:00) St. Petersburg, Volgograd

44

(GMT+4:30) Kabul

46

(GMT+5:00) Islamabad, Karachi, Tashkent

47

(GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi

51

(GMT+5:30) Sri Jayawardenepura

48

(GMT+5:45) Kathmandu

45

(GMT+5:00) Ekaterinburg

49

(GMT+6:00) Almaty, Novosibirsk

50

(GMT+6:00) Astana, Dhaka

52

(GMT+6:30) Rangoon

53

(GMT+7:00) Bangkok, Hanoi, Jakarta

54

(GMT+7:00) Krasnoyarsk

55

(GMT+8:00) Beijing, Chongqing, Hong Kong, Urumqi, Irkutsk

56

(GMT+8:00) Ulaan Bataar

57

(GMT+8:00) Kuala Lumpur, Singapore

58

(GMT+8:00) Perth

59

(GMT+8:00) Taipei

60

(GMT+9:00) Osaka, Sapporo, Tokyo, Seoul

62

(GMT+9:30) Adelaide

63

(GMT+9:30) Darwin

61

(GMT+9:00) Yakutsk

64

(GMT+10:00) Brisbane

65

(GMT+10:00) Canberra, Melbourne, Sydney

66

(GMT+10:00) Guam, Port Moresby

67

(GMT+10:00) Hobart

68

(GMT+10:00) Vladivostok

69

(GMT+10:00) Magadan

70

(GMT+11:00) Solomon Is., New Caledonia

71

(GMT+12:00) Auckland, Wellington

72

(GMT+12:00) Fiji, Kamchatka, Marshall Is.

00

(GMT+12:00) Eniwetok, Kwajalein

82

(GMT+12:45) Chatham Islands

73

(GMT+13:00) Nuku'alofa

86

(GMT+13:00) Samoa

76

(GMT+14:00) Kiritimati

ntpserver

IP address or hostname of the NTP Server.

string

Maximum length: 63

ntpsync

Enable/disable synchronization with NTP Server.

option

-

Option

Description

enable

Enable synchronization with NTP Server.

disable

Disable synchronization with NTP Server.

syncinterval

NTP synchronization interval.

integer

Minimum value: 1 Maximum value: 1440

management-vdom

Management virtual domain name.

string

Maximum length: 31

hostname

FortiProxy unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.

string

Maximum length: 35

alias

Alias for your FortiProxy unit.

string

Maximum length: 35

strong-crypto

Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.

option

-

Option

Description

enable

Enable strong crypto for HTTPS/SSH/TLS/SSL.

disable

Disable strong crypto for HTTPS/SSH/TLS/SSL.

ssh-cbc-cipher

Enable/disable CBC cipher for SSH access.

option

-

Option

Description

enable

Enable CBC cipher for SSH access.

disable

Disable CBC cipher for SSH access.

ssh-hmac-md5

Enable/disable HMAC-MD5 for SSH access.

option

-

Option

Description

enable

Enable HMAC-MD5 for SSH access.

disable

Disable HMAC-MD5 for SSH access.

ssh-kex-sha1

Enable/disable SHA1 key exchange for SSH access.

option

-

Option

Description

enable

Enable SHA1 for SSH key exchanges.

disable

Disable SHA1 for SSH key exchanges.

ssh-mac-weak

Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.

option

-

Option

Description

enable

Enable HMAC-SHA1 and UMAC-64-ETM for SSH access.

disable

Disable HMAC-SHA1 and UMAC-64-ETM for SSH access.

ssl-static-key-ciphers

Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).

option

-

Option

Description

enable

Enable static key ciphers in SSL/TLS connections.

disable

Disable static key ciphers in SSL/TLS connections.

cli-audit-log

Enable/disable CLI audit log.

option

-

Option

Description

enable

Enable CLI audit log.

disable

Disable CLI audit log.

dh-params

Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.

option

-

Option

Description

1024

1024 bits.

1536

1536 bits.

2048

2048 bits.

3072

3072 bits.

4096

4096 bits.

6144

6144 bits.

8192

8192 bits.

fds-statistics

Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.

option

-

Option

Description

enable

Enable FortiGuard statistics.

disable

Disable FortiGuard statistics.

fds-statistics-period

FortiGuard statistics collection period in minutes.

integer

Minimum value: 1 Maximum value: 1440

tcp-option

Enable SACK, timestamp and MSS TCP options.

option

-

Option

Description

enable

Enable TCP option.

disable

Disable TCP option.

proxy-auth-timeout

Authentication timeout in minutes for authenticated users.

integer

Minimum value: 1 Maximum value: 600

resigned-pkey-period

Regeneration period, in hours, for the private key of re-signed certificates.

integer

Minimum value: 0 Maximum value: 600

proxy-re-authentication-mode

Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.

option

-

Option

Description

session

Proxy re-authentication timeout begins at the closure of the session.

traffic

Proxy re-authentication timeout begins after traffic has not been received.

absolute

Proxy re-authentication timeout begins when the user was first created.

proxy-auth-lifetime

Enable/disable lifetime control for authenticated users. This caps the total time a proxy user can stay authenticated, after which re-authentication takes place.

option

-

Option

Description

enable

Enable authenticated users lifetime control.

disable

Disable authenticated users lifetime control.

proxy-auth-lifetime-timeout

Lifetime timeout in minutes for authenticated users.

integer

Minimum value: 5 Maximum value: 65535

update-tls-finger-print

Enable/disable updating the TLS fingerprint when deep inspection is enabled.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

sys-perf-log-interval

Time in minutes between updates of performance statistics logging.

integer

Minimum value: 0 Maximum value: 15

vip-arp-range

Controls the number of ARPs that the FortiProxy sends for a Virtual IP (VIP) address range.

option

-

Option

Description

unlimited

Send ARPs for all addresses in VIP range.

restricted

Send ARPs for the first 8192 addresses in VIP range.

ip-src-port-range

IP source port range used for traffic originating from the FortiProxy unit.

user

Not Specified

pre-login-banner

Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.

option

-

Option

Description

enable

Enable pre-login banner.

disable

Disable pre-login banner.

post-login-banner

Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.

option

-

Option

Description

disable

Disable post-login banner.

enable

Enable post-login banner.

tftp

Enable/disable TFTP.

option

-

Option

Description

enable

Enable TFTP.

disable

Disable TFTP.

av-failopen

Set the action to take if the FortiProxy is running low on memory or the proxy connection limit has been reached.

option

-

Option

Description

pass

Bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.

off

Stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.

one-shot

Bypass the antivirus system when memory is low.

av-failopen-session

When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.

option

-

Option

Description

enable

Enable AV fail open session option.

disable

Disable AV fail open session option.

memory-use-threshold-extreme

Threshold at which memory usage is considered extreme.

integer

Minimum value: 70 Maximum value: 97

memory-use-threshold-red

Threshold at which memory usage forces the FortiProxy to enter conserve mode.

integer

Minimum value: 70 Maximum value: 97

memory-use-threshold-green

Threshold at which memory usage forces the FortiProxy to exit conserve mode.

integer

Minimum value: 70 Maximum value: 97

admin-port

Administrative access port for HTTP.

integer

Minimum value: 1 Maximum value: 65535

admin-sport

Administrative access port for HTTPS.

integer

Minimum value: 1 Maximum value: 65535

admin-https-redirect

Enable/disable redirection of HTTP administration access to HTTPS.

option

-

Option

Description

enable

Enable redirecting HTTP administration access to HTTPS.

disable

Disable redirecting HTTP administration access to HTTPS.

admin-hsts-max-age

HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.

integer

Minimum value: 0 Maximum value: 2147483647

admin-ssh-password

Enable/disable password authentication for SSH admin access.

option

-

Option

Description

enable

Enable password authentication for SSH admin access.

disable

Disable password authentication for SSH admin access.

admin-ssh-port

Administrative access port for SSH.

integer

Minimum value: 1 Maximum value: 65535

admin-ssh-grace-time

Maximum time in seconds permitted between making an SSH connection to the FortiProxy unit and authenticating.

integer

Minimum value: 10 Maximum value: 3600

admin-ssh-v1

Enable/disable SSH v1 compatibility.

option

-

Option

Description

enable

Enable SSH v1 compatibility.

disable

Disable SSH v1 compatibility.

admin-telnet-port

Administrative access port for TELNET.

integer

Minimum value: 1 Maximum value: 65535

admin-maintainer

Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiProxy unit serial number. You have limited time to complete this login.

option

-

Option

Description

enable

Enable login for special user (maintainer).

disable

Disable login for special user (maintainer).

admin-server-cert

Server certificate that the FortiProxy uses for HTTPS administrative connections.

string

Maximum length: 35

user-server-cert

Certificate to use for https user authentication.

string

Maximum length: 35

admin-https-pki-required

Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.

option

-

Option

Description

enable

Admin users must provide a valid certificate when PKI is enabled for HTTPS admin access.

disable

Admin users can log in by providing a valid certificate or password.

auth-http-port

User authentication HTTP port.

integer

Minimum value: 1 Maximum value: 65535

auth-https-port

User authentication HTTPS port.

integer

Minimum value: 1 Maximum value: 65535

auth-keepalive

Enable to prevent user authentication sessions from timing out when idle.

option

-

Option

Description

enable

Enable use of keep alive to extend authentication.

disable

Disable use of keep alive to extend authentication.

policy-auth-concurrent

Number of concurrent firewall user logins from the same user.

integer

Minimum value: 0 Maximum value: 100

auth-session-limit

Action to take when the number of allowed user authenticated sessions is reached.

option

-

Option

Description

block-new

Block new user authentication attempts.

logout-inactive

Log out the most inactive authenticated user sessions.

auth-cert

Server certificate that the FortiProxy uses for HTTPS firewall authentication connections.

string

Maximum length: 35

clt-cert-req

Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.

option

-

Option

Description

enable

Require a client certificate for GUI login.

disable

Do not require a client certificate for GUI login.

cfg-save

Configuration file save mode for CLI changes.

option

-

Option

Description

automatic

Automatically save config.

manual

Manually save config.

revert

Manually save config and revert the config when the timeout expires.

cfg-revert-timeout

Time-out for reverting to the last saved configuration.

integer

Minimum value: 10 Maximum value: 4294967295

reboot-upon-config-restore

Enable/disable reboot of system upon restoring configuration.

option

-

Option

Description

enable

Enable reboot of system upon restoring configuration.

disable

Disable reboot of system upon restoring configuration.

admin-scp

Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.

option

-

Option

Description

enable

Allow system configuration download by SCP.

disable

Do not allow system configuration download by SCP.

fortiguard-audit-result-submission

Enable/disable the submission of security audit results to FortiGuard.

option

-

Option

Description

enable

Enable submission of security audit results to FortiGuard.

disable

Disable submission of security audit results to FortiGuard.

scanunit-count

Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiProxy units with multiple CPUs.

integer

Minimum value: 2 Maximum value: 2

fgd-alert-subscription

Type of alert to retrieve from FortiGuard.

option

-

Option

Description

advisory

Retrieve FortiGuard advisories, report and news alerts.

latest-threat

Retrieve latest FortiGuard threat alerts.

latest-virus

Retrieve latest FortiGuard virus alerts.

latest-attack

Retrieve latest FortiGuard attack alerts.

new-antivirus-db

Retrieve FortiGuard AV database release alerts.

new-attack-db

Retrieve FortiGuard IPS database release alerts.

ipv6-accept-dad

Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).

integer

Minimum value: 0 Maximum value: 2

csr-ca-attribute

Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.

option

-

Option

Description

enable

Enable CA attribute in CSR.

disable

Disable CA attribute in CSR.

cert-chain-max

Maximum number of certificates that can be traversed in a certificate chain.

integer

Minimum value: 1 Maximum value: 2147483647

two-factor-ftk-expiry

FortiToken authentication session timeout.

integer

Minimum value: 60 Maximum value: 600

two-factor-email-expiry

Email-based two-factor authentication session timeout.

integer

Minimum value: 30 Maximum value: 300

two-factor-sms-expiry

SMS-based two-factor authentication session timeout.

integer

Minimum value: 30 Maximum value: 300

two-factor-fac-expiry

FortiAuthenticator token authentication session timeout.

integer

Minimum value: 10 Maximum value: 3600

two-factor-ftm-expiry

FortiToken Mobile session timeout.

integer

Minimum value: 1 Maximum value: 168

max-img-cache-size

Maximum space (MB) that image-analyzer can use to store blocked images on the RAM disk.

integer

Minimum value: 30 Maximum value: 300

img-cache-mode

Select image cache mode for image-analyzer.

option

-

Option

Description

stop

Stop caching blocked images on the RAM disk when the limit is reached.

rolling

Evict old cached images when the limit is reached.

wad-worker-count

Number of explicit proxy WAN optimization daemon (WAD) processes. By default, WAN optimization, explicit proxy, and web caching are handled by half of the CPU cores in a FortiProxy unit.

integer

Minimum value: 1 Maximum value: 1

wad-csvc-cs-count

Number of concurrent WAD-cache-service object-cache processes.

integer

Minimum value: 1 Maximum value: 1

wad-csvc-db-count

Number of concurrent WAD-cache-service byte-cache processes.

integer

Minimum value: 1 Maximum value: 1

http-view

Enable/disable logging and viewing of HTTP/S cache traffic.

option

-

Option

Description

enable

Enable logging and viewing of HTTP/S cache traffic.

disable

Disable logging and viewing of HTTP/S cache traffic.

wad-source-affinity

Enable/disable dispatching traffic to WAD workers based on source affinity.

option

-

Option

Description

disable

Disable dispatching traffic to WAD workers based on source affinity.

enable

Enable dispatching traffic to WAD workers based on source affinity.

wad-memory-change-granularity

Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.

integer

Minimum value: 5 Maximum value: 25

login-timestamp

Enable/disable login time recording.

option

-

Option

Description

enable

Enable login time recording.

disable

Disable login time recording.

miglogd-children

Number of logging (miglogd) processes allowed to run. A higher number can reduce performance; a lower number can slow log processing. No logs will be dropped or lost if the number is changed.

integer

Minimum value: 0 Maximum value: 15

special-file-23-support

Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.

option

-

Option

Description

disable

Disable using IPS detection of HIBUN format files when using Data Leak Protection.

enable

Enable using IPS detection of HIBUN format files when using Data Leak Protection.

log-ssl-connection

Enable/disable logging of SSL connection events.

option

-

Option

Description

enable

Enable logging of SSL connection events.

disable

Disable logging of SSL connection events.

arp-max-entry

Maximum number of dynamically learned MAC addresses that can be added to the ARP table.

integer

Minimum value: 131072 Maximum value: 2147483647

ips-affinity

Affinity setting for IPS (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).

string

Maximum length: 79

ndp-max-entry

Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).

integer

Minimum value: 65536 Maximum value: 2147483647

gui-device-latitude

Add the latitude of the location of this FortiProxy to position it on the Threat Map.

string

Maximum length: 19

gui-device-longitude

Add the longitude of the location of this FortiProxy to position it on the Threat Map.

string

Maximum length: 19

private-data-encryption

Enable/disable private data encryption using an AES 128-bit key.

option

-

Option

Description

disable

Disable private data encryption using an AES 128-bit key.

enable

Enable private data encryption using an AES 128-bit key.

auto-auth-extension-device

Enable/disable automatic authorization of dedicated Fortinet extension devices.

option

-

Option

Description

enable

Enable automatic authorization of dedicated Fortinet extension device globally.

disable

Disable automatic authorization of dedicated Fortinet extension device globally.

gui-theme

Color scheme for the administration GUI.

option

-

Option

Description

fpx

FortiProxy theme.

green

Green theme.

red

Red theme.

blue

Light blue theme.

melongene

Melongene theme (eggplant color).

mariner

Mariner theme (dark blue color).

license-overlimit

System behavior when the maximum number of licensed proxy users is reached.

option

-

Option

Description

bypass

Bypass further traffic when the licensed user limit is reached.

block

Block further traffic when the licensed user limit is reached.

max-session-per-user

Max UTM sessions per user.

integer

Minimum value: 0 Maximum value: 4294967295

conntrack

Maximum number of conntrack entries.

integer

Minimum value: 60000 Maximum value: 10000000

established-timeout

Default established session timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000

time-wait-timeout

Default time-wait timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000

fin-wait-timeout

Default fin-wait timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000

close-wait-timeout

Default close-wait timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000

syn-sent-timeout

Default syn-sent timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000

syn-recv-timeout

Default syn-recv timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000

last-ack-timeout

Default last-ack timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000

udp-timeout

Default last-ack timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000

udp-stream-timeout

Default last-ack timeout (seconds).

integer

Minimum value: 10 Maximum value: 432000
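Several of the parameters documented on this page control the cryptographic and administrative exposure of the unit, so a configuration backup can be checked against a hardening baseline. The following Python example is added here and is not Fortinet code; the baseline thresholds, the helper names and the sample backup are assumptions constructed for illustration, while the parameter names and option values are the ones listed above.

```python
import shlex

# Constructed sample (not from a real device): part of a configuration backup.
SAMPLE_CONFIG = """\
config system global
    set hostname "fpx-lab-01"
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set admin-timeout 480
    set strong-crypto disable
    set ssh-cbc-cipher enable
    set dh-params 1024
    set admin-ssh-v1 enable
    set admin-maintainer enable
    set cli-audit-log enable
    set admin-lockout-threshold 3
end
config system interface
    edit "port1"
        set allowaccess https ssh
    next
end
"""


def is_value(expected):
    """Build a check for a single-valued option such as enable/disable."""
    return lambda values: values == [expected]


def int_between(low, high):
    """Build a check for exactly one integer value inside [low, high]."""
    def check(values):
        return len(values) == 1 and values[0].isdigit() and low <= int(values[0]) <= high
    return check


# Assumed baseline for this example; the thresholds are illustrative, not vendor guidance.
BASELINE = {
    "admin-https-ssl-versions": (is_value("tlsv1-2"), "allow only tlsv1-2"),
    "strong-crypto": (is_value("enable"), "enable strong-crypto"),
    "ssh-cbc-cipher": (is_value("disable"), "disable CBC ciphers for SSH"),
    "ssh-hmac-md5": (is_value("disable"), "disable HMAC-MD5 for SSH"),
    "ssh-kex-sha1": (is_value("disable"), "disable SHA1 key exchange for SSH"),
    "ssl-static-key-ciphers": (is_value("disable"), "disable static key ciphers"),
    "dh-params": (int_between(2048, 8192), "use at least 2048-bit DH parameters"),
    "admin-ssh-v1": (is_value("disable"), "disable SSH v1 compatibility"),
    "admin-maintainer": (is_value("disable"), "disable the maintainer login"),
    "tftp": (is_value("disable"), "disable TFTP"),
    "cli-audit-log": (is_value("enable"), "enable the CLI audit log"),
    "admin-timeout": (int_between(1, 15), "idle timeout of 15 minutes or less"),
    "admin-lockout-threshold": (int_between(1, 5), "lock out after 5 or fewer failures"),
}


def parse_global(text):
    """Return {parameter: [values]} taken only from the `config system global` block."""
    settings, depth, in_global = {}, 0, False
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw)      # handles quoted values such as hostnames
        except ValueError:
            tokens = raw.split()           # unbalanced quote: fall back to plain split
        if not tokens:
            continue
        if tokens[0] == "config":
            if depth == 0 and tokens[1:] == ["system", "global"]:
                in_global = True
            depth += 1
        elif tokens[0] == "end":
            depth -= 1
            if depth == 0:
                in_global = False
        elif tokens[0] == "set" and in_global and depth == 1 and len(tokens) >= 3:
            settings[tokens[1]] = tokens[2:]
    return settings


def audit(text):
    """Return {parameter: (status, detail)} where status is PASS, FAIL or UNSET."""
    settings = parse_global(text)
    report = {}
    for name, (check, advice) in BASELINE.items():
        if name not in settings:
            # A backup may omit values left at their default, so absence is not a pass.
            report[name] = ("UNSET", "not in backup; verify the default on the unit")
            continue
        found = " ".join(settings[name])
        if check(settings[name]):
            report[name] = ("PASS", found)
        else:
            report[name] = ("FAIL", "found '" + found + "'; " + advice)
    return report


if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE_CONFIG).items():
        print(f"{status:5} {name}: {detail}")
```

UNSET is reported separately from PASS because a parameter missing from the backup takes the unit's default, which this page does not list for most settings.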
