system : global
 
global
Use this command to configure global settings that affect various FortiGate systems and configurations.
Runtime-only config mode was introduced in FortiOS v3.0 MR2. This mode allows you to try out commands that may put your FortiGate unit into an unrecoverable state normally requiring a physical reboot. In runtime-only config mode you can set a timeout so after a period of no input activity the FortiGate unit will reboot with the last saved configuration. Another option in runtime-only configuration mode is to manually save your configuration periodically to preserve your changes. For more information see set cfg-save {automatic | manual | revert}, set cfg-revert-timeout <seconds>, and execute cfg reload.
Syntax
config system global
set admin-concurrent {enable | disable}
set admin-console-timeout <secs_int>
set admin-https-pki-required {enable | disable}
set admin-https-redirect {enable | disable}
set admin-https-ssl-versions {sslv3 tlsv1-0 tlsv1-1 tlsv1-2}
set admin-lockout-duration <time_int>
set admin-lockout-threshold <failed_int>
set admin-login-max <int>
set admin-maintainer {enable | disable}
set admin-port <port_number>
set admin-reset-button {enable | disable}
set admin-scp {enable | disable}
set admin-server-cert { self-sign | <certificate> }
set admin-sport <port_number>
set admin-ssh-grace-time <time_int>
set admin-ssh-port <port_number>
set admin-ssh-v1 {enable | disable}
set admin-telnet-port <port_number>
set admintimeout <admin_timeout_minutes>
set allow-traffic-redirect {enable | disable}
set anti-replay {disable | loose | strict}
set arp-max-entry <int>
set auth-cert <cert-name>
set auth-http-port <http_port>
set auth-https-port <https_port>
set auth-keepalive {enable | disable}
set av-failopen {idledrop | off | one-shot | pass}
set av-failopen-session {enable | disable}
set batch-cmdb {enable | disable}
set block-session-timer <int>
set br-fdb-max-entry <int>
set cert-chain-max <int>
set cfg-save {automatic | manual | revert}
set cfg-revert-timeout <seconds>
set check-protocol-header {loose | strict}
set check-reset-range {disable | strict}
set clt-cert-req {enable | disable}
set csr-ca-attribute {enable | disable}
set daily-restart {enable | disable}
set dst {enable | disable}
set elbc-status {enable | disable}
set endpoint-control-fds-access {enable | disable}
set endpoint-control-portal-port <endpoint_port>
set explicit-proxy-auth-timeout <seconds_int>
set fds-statistics {enable | disable}
set fds-statistics-period <minutes>
set fgd-alert-subscription {advisory latest-threat latest-virus latest-attack new-virus-db new-attack-db}
set fmc-xg2-load-balance {disable | enable}
set forticlient-reg-port <int>
set fortiextender {enable | disable}
set fortiextender-data-port <port_int>
set fwpolicy-implicit-log {enable | disable}
set fwpolicy6-implicit-log {enable | disable}
set gui-antivirus {enable | disable}
set gui-application-control {enable | disable}
set gui-ap-profile {disable | enable}
set gui-central-nat-table {disable | enable}
set gui-certificates {enable | disable}
set gui-custom-language {enable | disable}
set gui-dlp {enable | disable}
set gui-dns-database {disable | enable}
set gui-dynamic-profile-display {disable | enable}
set gui-dynamic-routing {enable | disable}
set gui-endpoint-control {enable | disable}
set gui-explicit-proxy {enable | disable}
set gui-icap {disable | enable}
set gui-implicit-policy {disable | enable}
set gui-ips {enable | disable}
set gui-ipsec-manual-key {enable | disable}
set gui-ipv6 {enable | disable}
set gui-lines-per-page <gui_lines>
set gui-load-balance {disable | enable}
set gui-multicast-policy {enable | disable}
set gui-multiple-utm-profiles {enable | disable}
set gui-nat46-64 {enable | disable}
set gui-object-tags {enable | disable}
set gui-policy-based-ipsec {enable | disable}
set gui-replacement-message-groups {enable | disable}
set gui-spamfilter {enable | disable}
set gui-sslvpn-personal-bookmarks {enable | disable}
set gui-sslvpn-realms {enable | disable}
set gui-threat-weight {enable | disable}
set gui-traffic-shaping {enable | disable}
set gui-utm-monitors {enable | disable}
set gui-voip-profile {disable | enable}
set gui-vpn {enable | disable}
set gui-vulnerability-scan {enable | disable}
set gui-wanopt-cache {enable | disable}
set gui-webfilter {enable | disable}
set gui-wireless-controller {enable | disable}
set gui-wireless-opensecurity {enable | disable}
set honor-df {enable | disable}
set hostname <unithostname>
set http-obfuscate {header-only | modified | no-error | none}
set ie6workaround {enable | disable}
set internal-switch-mode {hub | interface | switch}
set internal-switch-speed {100full | 100half | 10full | 10half | auto}
set ip-src-port-range <start_port>-<end_port>
set ipsec-hmac-offload {disable | enable}
set ipv6-accept-dad {0|1|2}
set language <language>
set lcdpin <pin_number>
set lcdprotection {enable | disable}
set ldapconntimeout <ldaptimeout_msec>
set lldp-transmission {enable | disable}
set login-timestamp {enable | disable}
set log-user-in-upper {enable | disable}
set log-uuid {disable | policy-only | extended}
set management-vdom <domain>
set max-dlpstat-memory <size>
set max-report-db-size <size>
set miglogd-children <int>
set ndp-max-entry <int>
set num-cpus <int>
set optimize {antivirus | throughput}
set optimize-ssl {enable | disable}
set phase1-rekey {enable | disable}
set policy-auth-concurrent <limit_int>
set per-user-bwl {enable | disable}
set pre-login-banner {enable | disable}
set proxy-worker-count <count_int>
set post-login-banner {enable | disable}
set radius-port <radius_port>
set refresh <refresh_seconds>
set registration-notification {disable | enable}
set remoteauthtimeout <timeout_sec>
set reset-sessionless-tcp {enable | disable}
set restart-time <hh:mm>
set revision-backup-on-logout {enable | disable}
set revision-image-auto-backup {enable | disable}
set scanunit-count <count_int>
set send-pmtu-icmp {enable | disable}
set service-expire-notification {disable | enable}
set show-backplane-intf {enable | disable}
set special-file-23-support {enable | disable}
set sql-logging {enable | disable}
set sp-load-balance {enable | disable}
set ssh-cbc-cipher {enable | disable}
set ssh-hmac-md5 {enable | disable}
set sslvpn-cipher-hardware-acceleration {enable | disable}
set sslvpn-kxp-hardware-acceleration {enable | disable}
set sslvpn-max-worker-count <count_int>
set sslvpn-personal-bookmark-mgmt {enable | disable}
set sslvpn-pkce2-hardware-acceleration {enable | disable}
set sslvpn-plugin-version-check {enable | disable}
set sslvpn-worker-count <count_int>
set strict-dirty-session-check {enable | disable}
set strong-crypto {enable | disable}
set switch-controller {enable | disable}
set switch-controller-reserved-network <ipv4mask>
set syncinterval <ntpsync_minutes>
set sys-perf-log-interval <int>
set tcp-halfclose-timer <seconds>
set tcp-halfopen-timer <seconds>
set tcp-option {enable | disable}
set tcp-timewait-timer <seconds_int>
set timezone <timezone_number>
set tp-mc-skip-policy {enable | disable}
set traffic-priority {tos | dscp}
set traffic-priority-level {low | medium | high}
set two-factor-email-expiry <seconds_int>
set two-factor-sms-expiry <seconds_int>
set udp-idle-timer <seconds>
set user-server-cert <cert_name>
set vdom-admin {enable | disable}
set vip-arp-range {unlimited | restricted}
set virtual-server-count <integer>
set virtual-server-hardware-acceleration {enable | disable}
set virtual-switch-vlan {enable | disable}
set wad-worker-count <int>
set wan {enable | disable}
set wifi-certificate <cert-name>
set wifi-ca-certificate <ca_cert-name>
set wimax-4g-usb {enable | disable}
set wireless-controller {enable | disable}
set wireless-controller-port <port_int>
set wireless-mode {ac | client}
end
 
Variable
Description
Default
admin-concurrent {enable | disable}
Enable to allow concurrent administrator logins. When disabled, the FortiGate unit restricts concurrent access from the same admin user name but on a different IP address.
Use policy-auth-concurrent for firewall authenticated users.
enable
admin-console-timeout <secs_int>
Set a console login timeout that overrides the admintimeout value. Range 15 to 300 seconds. A zero value disables this timeout.
0
admin-https-pki-required {enable | disable}
Enable to require that administrators log in by presenting a valid certificate when PKI is enabled for HTTPS administrative access. The default setting, disable, allows admin users to log in with either a valid certificate or a password.
disable
admin-https-redirect {enable | disable}
Enable redirection of HTTP administration access to HTTPS. This is not available on low-crypto units.
disable
admin-https-ssl-versions {sslv3 tlsv1-0 tlsv1-1 tlsv1-2}
Enter the allowed SSL/TLS versions for HTTPS administrative access: sslv3, tlsv1-0, tlsv1-1, or tlsv1-2. One or more versions can be listed.
tlsv1-1 tlsv1-2
admin-lockout-duration <time_int>
Set the administration account’s lockout duration in seconds for the firewall. Repeated failed login attempts trigger the lockout. Use admin-lockout-threshold to set the number of failed attempts that will trigger the lockout.
60
admin-lockout-threshold <failed_int>
Set the threshold, or number of failed attempts, before the account is locked out for the admin-lockout-duration.
3
admin-login-max <int>
Set the maximum number of administrators who can log in at the same time. Range 1 to 100.
100
admin-maintainer {enable | disable}
Enables or disables the special hidden “maintainer” user login, which is used for password recovery.
When enabled, the “maintainer” account can log in from the console after a hard reboot (power off, power on) using the password “bcpb” followed by the FortiGate unit serial number. You have limited time to complete this login.
enable
admin-port <port_number>
Enter the port to use for HTTP administrative access.
80
admin-reset-button {enable | disable}
Enable or disable use of FortiGate unit reset button. Even if enabled, the button is active for only 30 seconds after boot-up.
enable
admin-scp {enable | disable}
Enable to allow system configuration download by the secure copy (SCP) protocol.
disable
admin-server-cert { self-sign | <certificate> }
Select the admin HTTPS server certificate to use. Choices include self-sign and the filename of any installed certificate.
self-sign
admin-sport <port_number>
Enter the port to use for HTTPS administrative access.
443
admin-ssh-grace-time <time_int>
Enter the maximum time permitted between making an SSH connection to the FortiGate unit and authenticating. Range is 10 to 3600 seconds.
120
admin-ssh-port <port_number>
Enter the port to use for SSH administrative access.
22
admin-ssh-v1 {enable | disable}
Enable compatibility with SSH v1.0.
disable
admin-telnet-port <port_number>
Enter the port to use for telnet administrative access.
23
admintimeout <admin_timeout_minutes>
Set the number of minutes before an idle administrator times out. This controls the amount of inactive time before the administrator must log in again. The maximum admintimeout interval is 480 minutes (8 hours).
To improve security keep the idle timeout at the default value of 5 minutes.
5
allow-traffic-redirect {enable | disable}
Under some conditions, it is undesirable to have traffic routed back on the same interface. In that case, set allow-traffic-redirect to disable.
enable
anti-replay {disable | loose | strict}
Set the level of checking for packet replay and TCP sequence checking (or TCP Sequence (SYN) number checking). All TCP packets contain a Sequence Number (SYN) and an Acknowledgement Number (ACK). The TCP protocol uses these numbers for error free end-to-end communications. TCP sequence checking can also be used to validate individual packets.
FortiGate units use TCP sequence checking to make sure that a packet is part of a TCP session. By default, if a packet is received with sequence numbers that fall out of the expected range, the FortiGate unit drops the packet. This is normally a desired behavior, since it means that the packet is invalid. But in some cases you may want to configure different levels of anti-replay checking if some of your network equipment uses non-RFC methods when sending packets. You can set anti-replay protection to the following settings:
disable No anti-replay protection.
loose Perform packet sequence checking and ICMP anti-replay checking with the following criteria:
The SYN, FIN, and RST bits cannot appear in the same packet.
The FortiGate unit does not allow more than 1 ICMP error packet to go through the FortiGate unit before it receives a normal TCP or UDP packet.
If the FortiGate unit receives an RST packet, and check-reset-range is set to strict the FortiGate unit checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect.
strict — performs all of the loose checking, and for each new session also checks whether the TCP sequence number in the SYN packet has been calculated correctly and started from the correct value. Strict anti-replay checking can also help prevent SYN flooding.
If any packet fails a check it is dropped. If “log-invalid-packet {enable | disable}” is enabled a log message is written for each packet that fails a check.
strict
arp-max-entry <int>
Set the maximum number of dynamically learned MAC addresses that can be added to the ARP table. Range 131,072 to 2,147,483,647. If set to 0, the kernel holds 131,072 entries.
0
auth-cert <cert-name>
HTTPS server certificate for policy authentication.
Self-sign is the built-in certificate; others are listed as you add them.
self-sign
auth-http-port <http_port>
Set the HTTP authentication port. <http_port> can be from 1 to 65535.
1000
auth-https-port <https_port>
Set the HTTPS authentication port. <https_port> can be from 1 to 65535.
1003
auth-keepalive {enable | disable}
Enable to extend the authentication time of the session through periodic traffic to prevent an idle timeout.
disable
av-failopen
{idledrop | off | one-shot | pass}
Set the action to take if the unit is running low on memory or the proxy connection limit has been reached. Valid options are idledrop, off, one-shot, and pass.
idledrop — drop connections based on the clients that have the most connections open. This is most useful for Windows applications, and can prevent malicious bots from keeping an idle connection open to a remote server.
off — stop accepting new AV sessions when entering conserve mode, but continue to process current active sessions.
one-shot — bypass the antivirus system when memory is low. You must enter off or pass to restart antivirus scanning.
pass — bypass the antivirus system when memory is low. Antivirus scanning resumes when the low memory condition is resolved.
pass
av-failopen-session
{enable | disable}
When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
disable
batch-cmdb {enable | disable}
Enable/disable batch mode.
Batch mode is used to enter a series of commands, and executing the commands as a group once they are loaded. For more information, see execute batch.
enable
block-session-timer <int>
Enter the time duration for blocked sessions. Range: 1 to 300 seconds.
30
br-fdb-max-entry <int>
Set the maximum number of bridge forwarding database entries. Range 8,192 to 2,147,483,647. If set to 0, the kernel holds 8,192 entries.
0
cert-chain-max <int>
Set maximum depth for a certificate chain.
8
cfg-save {automatic | manual | revert}
Set the method for saving the FortiGate system configuration and enter into runtime-only configuration mode. Methods for saving the configuration are:
automatic — automatically save the configuration after every change.
manual — manually save the configuration using the execute cfg save command.
revert — manually save the current configuration and then revert to that saved configuration after cfg-revert-timeout expires.
Switching to automatic mode disconnects your session.
This command is used as part of the runtime-only configuration mode.
See execute cfg reload for more information.
automatic
cfg-revert-timeout <seconds>
Enter the timeout interval in seconds. If the administrator makes a change and there is no activity for the timeout period, the FortiGate unit will automatically revert to the last saved configuration. Default timeout is 600 seconds.
This command is available only when cfg-save is set to revert.
This command is part of the runtime-only configuration mode. See execute cfg reload for more information.
600
check-protocol-header {loose | strict}
Select the level of checking performed on protocol headers.
loose — the FortiGate unit performs basic header checking to verify that a packet is part of a session and should be processed. Basic header checking includes verifying that the layer-4 protocol header length, the IP header length, the IP version, the IP checksum, and IP options are correct.
strict — the FortiGate unit does the same checking as above, plus it verifies that ESP packets have the correct sequence number, SPI, and data length. Note: this setting disables hardware acceleration.
If the packet fails header checking it is dropped by the FortiGate unit and logged if “log-invalid-packet {enable | disable}” is enabled.
loose
check-reset-range {disable | strict}
Configure ICMP error message verification.
disable — the FortiGate unit does not validate ICMP error messages.
strict — if the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, and FortiOS can locate the A:C->B:D session, it checks that the sequence number in the embedded TCP header is within the range recorded in the session. If the sequence number is not in range, the ICMP packet is dropped. If “log-invalid-packet {enable | disable}” is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
disable
clt-cert-req {enable | disable}
Enable to require a client certificate before an administrator logs on to the web-based manager using HTTPS.
disable
csr-ca-attribute {enable | disable}
Enable to use the CA attribute in your certificate. Some CA servers reject CSRs that have the CA attribute.
enable
daily-restart {enable | disable}
Enable to restart the FortiGate unit every day.
The time of the restart is controlled by restart-time.
disable
dst {enable | disable}
Enable or disable daylight saving time.
If you enable daylight saving time, the FortiGate unit adjusts the system time when the time zone changes to daylight saving time and back to standard time.
enable
elbc-status {enable | disable}
This attribute is enabled by default. When enabled the system will await the base channel heartbeat that will configure the system into ELBCv3 mode. Disabling this command will not disable ELBCv3 mode once the FortiGate has already configured itself for ELBCv3 mode. See system elbc.
enable
endpoint-control-fds-access {enable | disable}
Enable or disable access to FortiGuard servers for non-compliant endpoints.
enable
endpoint-control-portal-port <endpoint_port>
Enter the port number from 1 to 65535 for the endpoint control portal port for FortiClient downloads.
8009
explicit-proxy-auth-timeout <seconds_int>
Enter the timeout, in seconds, for idle explicit web proxy sessions. Range: 1 to 600 seconds.
300
fds-statistics {enable | disable}
Enable or disable AV/IPS signature reporting.
If necessary, disable to avoid error messages on HA subordinate units during an AV/IPS update.
enable
fds-statistics-period <minutes>
Select the number of minutes in the FDS report period. Range is 1 to 1440 minutes.
60
fgd-alert-subscription {advisory latest-threat latest-virus latest-attack new-virus-db new-attack-db}
Select what to retrieve from FortiGuard:
advisory — FortiGuard advisories, report and news alerts
latest-attack — latest FortiGuard attack alerts
latest-threat — latest FortiGuard threats alerts
latest-virus — latest FortiGuard virus alerts
new-virus-db — FortiGuard AV database release alerts
new-attack-db — FortiGuard IPS database release alerts.
null
fmc-xg2-load-balance {disable | enable}
Enable to start XG2 load balancing.
disable
forticlient-reg-port <int>
Change the FortiClient registration port. This might be necessary if the default port is used for some other purpose.
The registration IP address is the IP address of the interface whose listen-for-forticlient-registration is enabled.
8010
fortiextender {enable | disable}
Enable or disable the FortiExtender controller.
disable
fortiextender-data-port <port_int>
Set the FortiExtender data port.
25246
fwpolicy-implicit-log {enable | disable}
Enable to log when a session uses an implicit policy (IPv4).
disable
fwpolicy6-implicit-log {enable | disable}
Enable to log when a session uses an implicit policy (IPv6).
disable
gui-antivirus {enable | disable}
Enable or disable antivirus profiles in the web-based manager.
enable
gui-application-control {enable | disable}
Enable or disable application control options in the web-based manager.
enable
gui-ap-profile {disable | enable}
Enable or disable custom AP profile configuration options on the web-based manager.
enable, except disable on model 30D
gui-central-nat-table {disable | enable}
Enable or disable central NAT table configuration options and display on the web-based manager.
disable
gui-certificates {enable | disable}
Enable or disable display of certificate configuration in the web-based manager.
Enabled on rack-mount units.
gui-custom-language {enable | disable}
Enable or disable custom language configuration in the web-based manager.
disable
gui-dlp {enable | disable}
Enables Data Leak Prevention in the web-based manager.
Depends on model.
gui-dns-database {disable | enable}
Enable to display the DNS database menu in the web-based manager interface.
disable
gui-dynamic-profile-display {disable | enable}
Enable to display dynamic profile feature controls in the web-based manager.
enable
gui-dynamic-routing {enable | disable}
Enable dynamic routing in the web-based manager. If disabled, the Routing menu is removed. Static routing is available in System > Network > Routing and route monitoring in System > Monitor > Routing Monitor.
Depends on model.
gui-endpoint-control {enable | disable}
Enable to display the endpoint control feature in the web-based manager.
enable
gui-explicit-proxy {enable | disable}
Enable or disable display of Explicit Proxy configuration options on the web-based manager.
Enabled on rack-mount units.
gui-icap {disable | enable}
Enable or disable ICAP configuration options on the web-based manager.
disable
gui-implicit-policy {disable | enable}
Enable or disable implicit firewall policy configuration options on the web-based manager.
enable
gui-ips {enable | disable}
Enable or disable display of the IPS sensors in the web-based manager
enable
gui-ipsec-manual-key {enable | disable}
Enable to display the IPsec manual key page on the web-based manager.
disable
gui-ipv6 {enable | disable}
Enable or disable IPv6 configuration options on the web-based manager.
disable
gui-lines-per-page <gui_lines>
Set the number of lines displayed on table lists. Range 20 to 1000 lines per page.
50
gui-load-balance {disable | enable}
Enable or disable display of Load Balance in web-based manager Firewall Objects menu.
disable
 
gui-multicast-policy {enable | disable}
Enables or disables display of multicast firewall policies in the web-based manager.
disable
gui-multiple-utm-profiles {enable | disable}
Enables or disables display of multiple UTM profiles in the web-based manager.
enable
gui-nat46-64 {enable | disable}
Enables or disables display of NAT46 and NAT64 settings in the web-based manager.
disable
gui-object-tags {enable | disable}
Enable or disable object tagging and object coloring configuration options on the web-based manager.
disable
gui-policy-based-ipsec {enable | disable}
Enable or disable display of policy-based IPsec VPN options in the web-based manager.
disable
gui-replacement-message-groups {enable | disable}
Enable or disable display of Replacement Message Groups feature in the web-based manager.
Enabled on rack-mount units.
gui-spamfilter {enable | disable}
Enable or disable display of spamfilter profiles in the web-based manager.
enable
gui-sslvpn-personal-bookmarks {enable | disable}
Enable personal SSL VPN bookmark management in the SSLVPN portal.
Depends on model.
gui-sslvpn-realms {enable | disable}
Enable SSL VPN realms in the web-based manager.
disable
gui-threat-weight {enable | disable}
Enable or disable display of threat-weight configuration in the web-based manager.
enable
gui-traffic-shaping {enable | disable}
Enable or disable traffic shaping configuration options in the web-based manager.
enable
gui-utm-monitors {enable | disable}
Enable or disable UTM monitors in GUI.
disable
gui-voip-profile {disable | enable}
Enable or disable VoIP profile configuration options in the web-based manager.
disable
gui-vpn {enable | disable}
Enable or disable VPN tunnel configuration in the web-based manager.
enable
gui-vulnerability-scan {enable | disable}
Enable or disable display of the vulnerability scan in the web-based manager.
enable
gui-wanopt-cache {enable | disable}
Enable or disable display of WAN Optimization configuration options on the web-based manager.
Enabled on rack-mount units.
gui-webfilter {enable | disable}
Enable or disable display of webfilter profiles in the web-based manager
enable
gui-wireless-controller {enable | disable}
Enable or disable display of the wireless controller configuration in the web-based manager.
enable, except disable on model 30D
gui-wireless-opensecurity {enable | disable}
Enable or disable display of open security option for SSID in the web-based manager.
disable
honor-df {enable | disable}
Enable or disable honoring of DF (Don’t Fragment) bit.
enable
hostname <unithostname>
Enter a name to identify this FortiGate unit. A hostname can only include letters, numbers, hyphens, and underscores. No spaces are allowed.
While the hostname can be longer than 24 characters, a hostname longer than 24 characters is displayed truncated with a "~": the first N-3 characters are shown, followed by the "~" truncation character and the last 3 characters. This shortened hostname is displayed in the CLI and in other locations where the hostname is used.
Some models support hostnames up to 35 characters.
By default the hostname of your FortiGate unit is its serial number which includes the model.
FortiGate serial number.
http-obfuscate {header-only | modified | no-error | none}
Set the level at which the identity of the FortiGate web server is hidden or obfuscated in the browser address field, including URLs provided via SSL VPN Bookmarks (web mode only).
none — do not hide the FortiGate web server identity.
header-only — hides the HTTP server banner.
modified — provides modified error responses.
no-error — suppresses error responses.
none
 
ie6workaround {enable | disable}
Enable or disable the work around for a navigation bar freeze issue caused by using the FortiGate web‑based manager with Internet Explorer 6.
disable
internal-switch-mode {hub | interface | switch}
Set the mode for the internal switch to be one of hub, interface, or switch.
Switch mode combines FortiGate unit interfaces into one switch with one address. Interface mode gives each internal interface its own address.
On some FortiGate models you can also select Hub Mode. Hub mode is similar to switch mode except that in hub mode the interfaces do not learn the MAC addresses of the devices on the network they are connected to and may also respond quicker to network changes in some circumstances. You should only select Hub Mode if you are having network performance issues when operating with switch mode. The configuration of the FortiGate unit is the same whether in switch mode or hub mode.
Before switching modes, all configuration settings for the interfaces affected by the switch must be set to defaults.
switch
internal-switch-speed {100full | 100half | 10full | 10half | auto}
Set the speed of the switch used for the internal interface. Choose one of:
100full
100half
10full
10half
auto
100 and 10 refer to 100M or 10M bandwidth. Full and half refer to full or half duplex.
auto
ip-src-port-range <start_port>-<end_port>
Specify the IP source port range used for traffic originating from the FortiGate unit. The valid range for <start_port> and <end_port> is from 1 to 65535 inclusive.
You can use this setting to avoid problems with networks that block some ports, such as FDN ports.
1024-4999
ipsec-hmac-offload {disable | enable}
Enable to offload IPsec HMAC processing to hardware or disable to perform IPsec HMAC processing in software.
enable
ipv6-accept-dad {0|1|2}
Configure ipv6 DAD (Duplicate Address Detection) operation:
0 — Disable DAD
1 — Enable DAD
2 — Enable DAD and disable IPv6 operation if MAC-based duplicate link-local address has been found.
1
language <language>
Set the web‑based manager display language. You can set <language> to one of english, french, japanese, korean, portuguese, spanish, simch (Simplified Chinese) or trach (Traditional Chinese).
english
lcdpin <pin_number>
Set the 6 digit PIN administrators must enter to use the LCD panel. This applies only to models with an LCD panel.
123456
lcdprotection {enable | disable}
Enable or disable LCD panel PIN protection. This applies only to models with an LCD panel.
disable
ldapconntimeout <ldaptimeout_msec>
Set the LDAP connection timeout in milliseconds.
500
lldp-transmission {enable | disable}
Enable or disable Link Layer Discovery Protocol (LLDP) for all interfaces in this VDOM. To enable LLDP only on specific interfaces, set this field to disable and use set lldp-transmission in system interface.
disable
login-timestamp {enable | disable}
Enable or disable logging of login timestamps.
disable
log-user-in-upper {enable | disable}
Log username in uppercase letters.
disable
log-uuid {disable | policy-only | extended}
Select Universally Unique Identifier (UUID) log option:
disable — Disable UUID in traffic log
policy-only — Enable only policy UUID in traffic log.
extended — Enable all UUIDs in traffic log.
policy-only
management-vdom <domain>
Enter the name of the management virtual domain. Management traffic such as FortiGuard traffic originates from the management VDOM.
root
max-dlpstat-memory <size>
Enter the memory limit (1% to 15% of system memory) for the DLP stat daemon.
5
max-report-db-size <size>
Set the maximum size in MBytes for the log report database.
1024
miglogd-children <int>
Set the number of miglogd processes to run. Range 0 to 15.
0
ndp-max-entry <int>
Set the maximum number of Neighbor Discovery Protocol (NDP) table entries. Set to 65,536 or higher; if set to 0, kernel holds 65,536 entries.
0
num-cpus <int>
Enter the number of active CPUs.
 
optimize {antivirus | throughput}
NOTE: Do not use this command. It is obsolete and can severely affect performance. The command will be removed in a later firmware release.
Set firmware performance optimization to either antivirus or throughput.
antivirus
optimize-ssl {enable | disable}
Enable optimization of SSL by using multiple processes.
disable
phase1-rekey
{enable | disable}
Enable or disable automatic rekeying between IKE peers before the phase 1 keylife expires.
enable
policy-auth-concurrent <limit_int>
Limit the number of concurrent logins from the same user. Range 1 to 100. 0 means no limit.
For admin accounts use admin-concurrent.
0
per-user-bwl {enable | disable}
Enable or disable the webfilter per-user black/white list feature.
disable
pre-login-banner {enable | disable}
Enable to display the admin access disclaimer message prior to logon.
For more information see system replacemsg admin.
disable
proxy-worker-count <count_int>
Set the number of proxy worker processes. Range 1 to 8.
4
post-login-banner {enable | disable}
Enable to display the admin access disclaimer message after successful logon.
disable
radius-port <radius_port>
Change the default RADIUS port. The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645 you can use the CLI to change the default RADIUS port on your FortiGate unit.
1812
refresh <refresh_seconds>
Set the Automatic Refresh Interval, in seconds, for the web‑based manager System Status Monitor.
Enter 0 for no automatic refresh.
0
registration-notification {disable | enable}
Enable or disable displaying the registration notification on the web‑based manager if the FortiGate unit is not registered.
enable
remoteauthtimeout <timeout_sec>
The number of seconds that the FortiGate unit waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. The range is 0 to 300 seconds, 0 means no timeout.
To improve security keep the remote authentication timeout at the default value of 5 seconds. However, if a RADIUS request needs to traverse multiple hops or several RADIUS requests are made, the default timeout of 5 seconds may not be long enough to receive a response.
5
reset-sessionless-tcp {enable | disable}
Enabling this option may help resolve issues with a problematic server, but it can make the FortiGate unit more vulnerable to denial of service attacks. In most cases you should leave reset-sessionless-tcp disabled.
The reset-sessionless-tcp command determines what action the FortiGate unit performs if it receives a TCP packet but cannot find a corresponding session in its session table. This happens most often because the session has timed out.
If you disable reset-sessionless-tcp, the FortiGate unit silently drops the packet. The packet originator does not know that the session has expired and might re-transmit the packet several times before attempting to start a new session. This is normal network operation.
If you enable reset-sessionless-tcp, the FortiGate unit sends a RESET packet to the packet originator. The packet originator ends the current session, but it can try to establish a new session.
This is available in NAT/Route mode only.
disable
restart-time <hh:mm>
Enter daily restart time in hh:mm format (hours and minutes).
This is available only when daily-restart is enabled.
No default.
revision-backup-on-logout {enable | disable}
Enable or disable back up of the latest configuration revision when the administrator logs out of the CLI or web‑based manager.
disable
revision-image-auto-backup {enable | disable}
Enable or disable back up of the latest configuration revision when firmware is upgraded.
disable
scanunit-count <count_int>
Tune the number of scanunits. The range and default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs. Recommended for advanced users.
Depends on model.
send-pmtu-icmp {enable | disable}
Select enable to send a path maximum transmission unit (PMTU) ICMP destination unreachable packet. Enable if you need to support the PMTUD protocol on your network to reduce fragmentation of packets.
Disabling this command will likely result in PMTUD packets being blocked by the unit.
enable
service-expire-notification {disable | enable}
Enable or disable displaying a notification on the web‑based manager 30 days before the FortiGate unit support contract expires.
enable
show-backplane-intf {enable | disable}
Select enable to show FortiGate-5000 backplane interfaces as port9 and port10. Once these backplanes are visible they can be treated as regular physical interfaces.
disable
special-file-23-support {enable | disable}
Select to enable IPS detection of Hibun format files in DLP.
disable
sql-logging {enable | disable}
Enable for SQL logging. This option is present only on models that have hard disks rather than SSDs. Report generation on these models can be slow.
disable
sp-load-balance {enable | disable}
Enable or disable SP load balancing on models 3950B, 3951B, or 3140B.
Not available if npu-cascade-cluster is enabled in system npu.
disable
ssh-cbc-cipher {enable | disable}
Enable or disable the use of CBC-mode ciphers for SSH access. CBC-mode ciphers are considered weak; disable this option unless a legacy SSH client requires it.
enable
ssh-hmac-md5 {enable | disable}
Enable or disable the use of HMAC-MD5 for SSH access. HMAC-MD5 is a deprecated message authentication algorithm; disable this option unless a legacy SSH client requires it.
enable
sslvpn-cipher-hardware-acceleration {enable | disable}
Enable or disable SSLVPN hardware acceleration.
Depends on model.
sslvpn-kxp-hardware-acceleration {enable | disable}
Enable or disable SSLVPN KXP hardware acceleration.
Depends on model.
sslvpn-max-worker-count <count_int>
Set the maximum number of SSL VPN processes. The actual maximum is the number of CPUs or this value, whichever is smaller.
Depends on number of CPUs
sslvpn-personal-bookmark-mgmt {enable | disable}
Enable or disable management of SSLVPN user personal bookmarks in the web-based manager.
Enabled on rack-mount units.
sslvpn-pkce2-hardware-acceleration {enable | disable}
Enable or disable SSLVPN PKCE2 hardware acceleration.
Depends on model.
sslvpn-plugin-version-check {enable | disable}
Enable or disable checking browser plugin version.
enable
sslvpn-worker-count <count_int>
Set the number of processes used to optimize SSL inspection. The actual maximum is the number of CPUs minus one or this value, whichever is smaller.
Depends on number of CPUs
strict-dirty-session-check {enable | disable}
Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together.
enable
strong-crypto {enable | disable}
Enable to use strong encryption and allow only strong ciphers (AES, 3DES) and digests (SHA1) for HTTPS/SSH admin access.
When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta).
Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.
disable
switch-controller {enable | disable}
Enable switch controller feature. This is available on models that support the switch controller.
disable
switch-controller-reserved-network <ipv4mask>
Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
169.254.254.0 255.255.254.0
syncinterval <ntpsync_minutes>
Enter how often, in minutes, the FortiGate unit should synchronize its time with the Network Time Protocol (NTP) server. The syncinterval number can be from 1 to 1440 minutes. Setting to 0 disables time synchronization.
0
sys-perf-log-interval <int>
Set the performance statistics logging interval. Range 1 to 15 minutes. 0 disables performance logging.
5
tcp-halfclose-timer <seconds>
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
120
tcp-halfopen-timer <seconds>
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds.
10
tcp-option {enable | disable}
Enable SACK, timestamp and MSS TCP options. For normal operation tcp-option should be enabled. Disable for performance testing or in rare cases where it impairs performance.
enable
tcp-timewait-timer <seconds_int>
Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”.
Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster which means more new sessions can be opened before the session limit is reached.
The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT state to 0 seconds.
1
timezone <timezone_number>
The number corresponding to your time zone from 00 to 72. Press ? to list time zones and their numbers. Choose the time zone for the FortiGate unit from the list and enter the correct number.
00
tp-mc-skip-policy {enable | disable}
Enable to allow skipping of the policy check, and to enable multicast through.
disable
traffic-priority {tos | dscp}
Choose TOS or DSCP for traffic prioritization.
tos
traffic-priority-level {low | medium | high}
Select the default system-wide level of priority for traffic prioritization. This determines the priority of traffic for scheduling, typically set on a per service type level. For more information, see system tos-based-priority or system dscp-based-priority.
The value of this field is the default setting for when traffic prioritization is not configured per-service.
medium
two-factor-email-expiry <seconds_int>
Set the timeout period for email-based two-factor authentication. Range 30 to 300 seconds.
60
two-factor-sms-expiry <seconds_int>
Set the timeout period for sms-based two-factor authentication. Range 30 to 300 seconds.
60
udp-idle-timer <seconds>
Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
180
user-server-cert <cert_name>
Select the certificate to use for https user authentication.
Default setting is Fortinet_Factory, if available, otherwise self-sign.
See definition under Description.
vdom-admin {enable | disable}
Enable to configure multiple virtual domains.
disable
vip-arp-range {unlimited | restricted}
vip-arp-range controls the number of ARP packets the FortiGate unit sends for a VIP range.
If restricted, the FortiGate unit sends ARP packets for only the first 8192 addresses in a VIP range.
If unlimited, the FortiGate unit sends ARP packets for every address in the VIP range.
restricted
virtual-server-count <integer>
Enter the number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
1
virtual-server-hardware-acceleration {enable | disable}
Enable or disable hardware acceleration.
enable
virtual-switch-vlan {enable | disable}
Enable or disable virtual switch VLAN feature.
disable
wad-worker-count <int>
Set the number of explicit proxy WAD processes. Range: 1 to the number of CPU cores.
No. of CPUs / 2
wan {enable | disable}
On models FWF-20C-ADSL and FGT-20C-ADSL enables one of the switch port interfaces to act as a WAN port.
disable
wifi-certificate <cert‑name>
Select the certificate to use for WiFi authentication.
No default.
wifi-ca-certificate <ca_cert‑name>
Select the CA certificate that verifies the WiFi certificate.
No default.
wimax-4g-usb {enable | disable}
Enable to allow access to a WIMAX 4G USB device.
disable
wireless-controller {enable | disable}
Enable or disable the wireless (WiFi) daemon.
enable
wireless-controller-port <port_int>
Select the port used for the control channel in wireless controller mode (wireless-mode is ac). The range is 1024 through 49150. The data channel port is the control channel port number plus one.
5246
wireless-mode {ac | client}
Set the wireless mode (for FortiWiFi units):
ac—Wireless controller with local wireless
client—Wireless client
ac