system : settings
 
settings
Use this command to change per-VDOM settings such as the operating mode and the default gateway.
When changing the opmode of the VDOM, additional fields become visible depending on which opmode you are changing to. They are only visible after you set the opmode and before you commit the change with either 'end' or 'next'. If you do not set these fields, the opmode change will fail.
Table 26: Fields associated with each opmode (columns: Change from NAT to Transparent mode; Change from Transparent to NAT mode)
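The opmode change described above, as an added example of the CLI sequence; this is not from the reference itself, and the interface name (port1) and the addresses (192.0.2.x, the documentation range) are assumed sample values.

```fortios
# Added example (not from the FortiGate CLI Reference): switching a VDOM
# from NAT to Transparent mode. manageip and gateway only appear after
# "set opmode transparent" and must be set before "end"; otherwise the
# opmode change fails. Addresses are constructed samples.
config system settings
    set opmode transparent
    # in Transparent mode the VDOM is managed through one management
    # address and netmask instead of per-interface addresses
    set manageip 192.0.2.10 255.255.255.0
    set gateway 192.0.2.1
end

# The reverse change, Transparent to NAT: device names the interface that
# receives the address given in ip, and gateway is the default route.
# The opmode entry also lists gateway-device, which is not in the syntax
# summary; it is included here on the assumption that it names the
# interface that reaches the gateway.
config system settings
    set opmode nat
    set device port1
    set ip 192.0.2.10 255.255.255.0
    set gateway-device port1
    set gateway 192.0.2.1
end
```

Set every required field in the same config session as the opmode change; leaving the session before they are set discards the change.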
system settings differs from system global in that system global fields apply to the entire FortiGate unit, where system settings fields apply only to the current VDOM, or the entire FortiGate unit if VDOMs are not enabled.
Bi-directional Forwarding Detection (BFD) is a protocol used by BGP and OSPF. It is used to quickly locate hardware failures in the network. Routers running BFD communicate with each other, and if a timer runs out on a connection then that router is declared down. BFD then communicates this information to the routing protocol and the routing information is updated. BFD support was added in FortiOS v3.0 MR4, and can only be configured through the CLI.
 
When asymmetric routing is enabled through the asymroute field, the FortiGate unit can no longer perform stateful inspection.
Syntax
config system settings
set allow-subnet-overlap {enable | disable}
set asymroute {enable | disable}
set asymroute6 {enable | disable}
set bfd {enable | disable}
set bfd-desired-min-tx <interval_msec>
set bfd-required-min-rx <interval_msec>
set bfd-detect-mult <multiplier>
set bfd-dont-enforce-src-port {enable | disable}
set default-voip-alg-mode {proxy-based | kernel-helper-based}
set deny-tcp-with-icmp {enable | disable}
set device <interface_name>
set dhcp-proxy {enable | disable}
set dhcp-server-ip <ip_addr1 ... ip_addr8>
set dhcp6-server-ip <ip_addr1 ... ip_addr8>
set discovered-device-timeout <days_int>
set ecmp-max-paths <max_entries>
set email-portal-check-dns {enable | disable}
set firewall-session-dirty {check-all | check-new | check-policy-option}
set gateway <gw_ipv4>
set gateway6 <gw_ipv6>
set gui-default-policy-columns <column_list>
set ip <address_ipv4>
set ip6 <address_ipv6>
set lldp-transmission {enable | disable | global}
set mac-ttl <seconds_int>
set manageip <manage_ipv4>
set manageip6 <manage_ipv6>
set multicast-forward {enable | disable}
set multicast-ttl-notchange {enable | disable}
set opmode {nat | transparent}
set sccp-port <port_number>
set ses-denied-traffic {enable | disable}
set sip-helper {enable | disable}
set sip-nat-trace {enable | disable}
set sip-ssl-port <port_number>
set sip-tcp-port <port1_int> [<port2_int>]
set sip-udp-port <port_number>
set status {enable | disable}
set strict-src-check {enable | disable}
set utf8-spam-tagging {enable | disable}
set v4-ecmp-mode {source-ip-based | usage-based | weight-based | source-dest-ip-based}
set vpn-stats-log {ipsec | l2tp | pptp | ssl}
set vpn-stats-period <period_int>
set wccp-cache-engine {enable | disable}
end
Variable
Description
Default
allow-subnet-overlap {enable | disable}
Enable limited support for interface and VLAN subinterface IP address overlap for this VDOM. Use this command to enable limited support for overlapping IP addresses in an existing network configuration.
Caution: for advanced users only. Use this only for existing network configurations that cannot be changed to eliminate IP address overlapping.
disable
asymroute {enable | disable}
Enable to turn on IPv4 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled.
This feature should only be used as a temporary check to troubleshoot a network. It is not intended to be enabled permanently. When it is enabled, many security features of your FortiGate unit are not enabled.
Note: Enabling asymmetric routing disables stateful inspection. Your FortiGate unit can only perform stateless inspection in this state.
disable
asymroute6 {enable | disable}
Enable to turn on IPv6 asymmetric routing on your FortiGate unit, or this VDOM if you have VDOMs enabled.
disable
bfd {enable | disable}
Enable to turn on bi-directional forwarding detection (BFD) for this virtual domain, or the whole FortiGate unit. BFD can be used with OSPF and BGP configurations, and overridden on a per interface basis.
disable
bfd-desired-min-tx <interval_msec>
Enter a value from 1 to 100 000 msec as the preferred minimum transmit interval for BFD packets. Where possible, this is the interval that will be used.
This variable is only available when bfd is enabled.
50
bfd-required-min-rx <interval_msec>
Enter a value from 1 to 100 000 msec as the required minimum receive interval for BFD packets. The FortiGate unit will not transmit BFD packets at a slower rate than this.
This variable is only available when bfd is enabled.
50
bfd-detect-mult <multiplier>
Enter a value from 1 to 50 for the BFD detection multiplier.
3
bfd-dont-enforce-src-port {enable | disable}
Enable to not enforce the BFD source port.
disable
default-voip-alg-mode {proxy-based | kernel-helper-based}
Set the default SIP behavior for VoIP:
proxy-based — VoIP traffic goes to the proxy SIP ALG, and the default VoIP profile applies
kernel-helper-based — VoIP traffic is handled by the kernel SIP helper. If the SIP helper does not exist in the system, no SIP processing occurs.
If an explicit VoIP profile is defined in the policy, VoIP traffic is redirected to the proxy SIP ALG regardless of the default-voip-alg-mode setting.
proxy-based
deny-tcp-with-icmp {enable | disable}
Enable to deny TCP by sending an ICMP Communication Prohibited packet. Firewall policies will enable send-deny-packet.
disable
device <interface_name>
Enter the interface to use for management access. This is the interface to which ip applies.
This field is visible only after you change opmode from transparent to nat, before you commit the change.
No default.
dhcp-proxy {enable | disable}
Enable DHCP proxy. This is required for IPsec VPN with mode-cfg to use DHCP to assign VPN client IP addresses.
disable
dhcp-server-ip <ip_addr1 ... ip_addr8>
Enter up to 8 IPv4 DHCP server IP addresses. This is available when dhcp-proxy is enabled.
null
dhcp6-server-ip <ip_addr1 ... ip_addr8>
Enter up to 8 IPv6 DHCP server IP addresses. This is available when dhcp-proxy is enabled.
null
discovered-device-timeout <days_int>
Enter the timeout for discovered devices. Range: 1 to 365 days.
28
ecmp-max-paths <max_entries>
Enter the maximum number of routes allowed to be included in an Equal Cost Multi-Path (ECMP) configuration. Set to 1 to disable ECMP routing.
ECMP routes have the same distance and the same priority, and can be used in load balancing.
10
email-portal-check-dns {enable | disable}
Enable to have the email collection portal verify that the domain name part of an email address can be resolved using a DNS lookup.
enable
firewall-session-dirty {check-all | check-new | check-policy-option}
Select how to manage changes to a firewall policy:
check-all — flush all current sessions and re-evaluate them
check-new — keep existing sessions and apply the policy change to new sessions only. This reduces CPU load and the possibility of packet loss.
check-policy-option — use the option selected in the firewall-session-dirty field of the firewall policy. See firewall policy, policy6.
check-all
gateway <gw_ipv4>
Enter the default gateway IP address.
This field is visible only after you change opmode from nat to transparent or from transparent to nat, before you commit the change.
No default.
gateway6 <gw_ipv6>
Enter the default gateway IPv6 address.
This field is visible only after you change opmode from nat to transparent or from transparent to nat, before you commit the change.
No default.
gui-default-policy-columns <column_list>
Optionally, override the web-based manager's default displayed column set for firewall policies. <column_list> is a space-delimited list containing any of the following column names in the desired order of appearance from left to right: #, policyid, srcintf, dstintf, srcaddr, dstaddr, schedule, service, action, logtraffic, nat, status, authentication, count, profile, vpntunnel, comments
(null)
ip <address_ipv4>
Enter the IP address to use after switching to nat mode.
This field is visible only after you change opmode from transparent to nat, before you commit the change.
No default.
ip6 <address_ipv6>
Enter the IPv6 address to use after switching to nat mode.
This field is visible only after you change opmode from transparent to nat, before you commit the change.
No default.
lldp-transmission {enable | disable | global}
Enable or disable Link Layer Discovery Protocol (LLDP) transmission for this VDOM, or apply the global setting specified by lldp-transmission in system global.
global
mac-ttl <seconds_int>
Set how long learned MAC addresses are kept in transparent mode. Range: 300 to 8 640 000 seconds (100 days).
300
manageip <manage_ipv4>
Set the IP address and netmask of the Transparent mode management interface. You must set this when you change opmode from nat to transparent.
No default.
manageip6 <manage_ipv6>
Set the IPv6 management address prefix for Transparent mode.
No default.
multicast-forward {enable | disable}
Enable or disable multicast forwarding to forward any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1.
When multiple VDOMs are configured, this option is available within each VDOM.
enable
multicast-ttl-notchange {enable | disable}
Enable to alter multicast forwarding so that it does not decrement the time-to-live (TTL) in the packet header.
Disable for normal multicast forwarding behavior.
In multiple VDOM mode, this option is only available within VDOMs. It is not available at the global level.
disable
opmode {nat | transparent}
Enter the required operating mode.
If you change opmode from nat to transparent, you must set manageip and gateway.
If you change opmode from transparent to nat, you must set device, ip, gateway-device and gateway.
nat
sccp-port <port_number>
Enter the port number from 1 to 65535 of the TCP port to use to monitor Skinny Client Call protocol (SCCP) traffic. SCCP is a Cisco proprietary protocol for VoIP.
2000
ses-denied-traffic {enable | disable}
Enable or disable including denied traffic in session table.
disable
sip-helper {enable | disable}
Enable or disable the SIP session helper. The SIP session helper will process SIP sessions unless the SIP sessions are accepted by the SIP ALG.
enable
sip-nat-trace {enable | disable}
Enable to record the original IP address of the phone.
enable
sip-ssl-port <port_number>
Enter the port number from 1 to 65535 that the SIP proxy monitors for SIP traffic.
5061
sip-tcp-port <port1_int> [<port2_int>]
Enter one or two port numbers (range 1 to 65535) that the SIP ALG monitors for SIP TCP sessions.
5060
sip-udp-port <port_number>
Enter the port number from 1 to 65535 that the SIP ALG monitors for SIP UDP sessions.
5060
status {enable | disable}
Disable or enable this VDOM. Disabled VDOMs keep all their configuration, but the resources of that VDOM are not accessible.
To leave VDOM mode, all disabled VDOMs must be deleted; only the root VDOM can remain configured when you leave VDOM mode.
Only available when VDOMs are enabled.
enable
strict-src-check {enable | disable}
Enable to refuse packets from a source IP range if there is a specific route in the routing table for this network (RFC 3704).
disable
utf8-spam-tagging {enable | disable}
Enable to convert spam tags to UTF-8 for better non-ASCII character support.
enable
v4-ecmp-mode {source-ip-based | usage-based | weight-based | source-dest-ip-based}
Set the ECMP route failover and load balance method, which controls how the FortiGate unit assigns a route to a session when multiple equal-cost routes to the session's destination are available. You can select:
source-ip-based — the FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. No other settings can be configured to support source IP load balancing.
weight-based — the FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. Use the weight field of the config router static command to add weights to static routes. See router static.
usage-based — the FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are. After selecting usage-based you use the spillover-threshold field of the config system interface command to add spillover thresholds to interfaces added to ECMP routes. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. See system interface.
source-dest-ip-based — select next hop based on both source and destination IPs.
source-ip-based
vpn-stats-log {ipsec | l2tp | pptp | ssl}
Enable periodic VPN log statistics for one or more types of VPN.
 
vpn-stats-period <period_int>
Enter the interval in seconds for vpn-stats-log to collect statistics.
0
wccp-cache-engine {enable | disable}
Configure the FortiGate unit to operate as a WCCP cache engine. Use the config system wccp command to configure WCCP cache engine settings.
disable
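The weight-based and usage-based methods from the v4-ecmp-mode entry, as an added example that is not the reference's own text; the interface names (port1, port2), gateway addresses, weights and spillover threshold are assumed sample values, and the only fields used outside system settings are the ones the entry names (weight under config router static, spillover-threshold under config system interface).

```fortios
# Added example (not from the FortiGate CLI Reference): weight-based ECMP
# across two default routes. Names, addresses and numbers are constructed.

# 1. Choose the ECMP method for the VDOM. ecmp-max-paths is left at its
#    default (10), which is more than the two routes used here.
config system settings
    set v4-ecmp-mode weight-based
end

# 2. Two static routes to the same destination with the same distance and
#    priority are ECMP candidates; weight sets each route's share of new
#    sessions. Both routes keep the default distance and priority, so
#    they are equal cost. About 70% of sessions go via port1, 30% via port2.
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 198.51.100.1
        set device port1
        set weight 70
    next
    edit 2
        set dst 0.0.0.0/0
        set gateway 203.0.113.1
        set device port2
        set weight 30
    next
end

# Alternative: usage-based mode sends all ECMP-routed sessions to the
# lowest-numbered interface (port1) until its traffic reaches the
# spillover threshold (assumed to be in kbps here), then spills new
# sessions over to port2. The weights above are ignored in this mode.
config system settings
    set v4-ecmp-mode usage-based
end
config system interface
    edit port1
        set spillover-threshold 50000
    next
end
```

If the two routes had different distance or priority values, only the preferred one would be installed and neither ECMP method would apply.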