global

Use this command to configure global settings that affect miscellaneous FortiManager features.

Syntax

config system global

set admin-https-pki-required {disable | enable}

set admin-lockout-duration <integer>

set admin-lockout-threshold <integer>

set adom-mode {advanced | normal}

set adom-rev-auto-delete {by-days | by-revisions | disable}

set adom-rev-max-backup-revisions <integer>

set adom-rev-max-days <integer>

set adom-rev-max-revisions <integer>

set adom-select {enable | disable}

set adom-status {enable | disable}

set auto-register-device {enable | disable}

set clt-cert-req {disable | enable}

set console-output {more | standard}

set create-revision {disable | enable}

set daylightsavetime {enable | disable}

set default-disk-quota <integer>

set detect-unregistered-log-device {enable | disable}

set faz-status {enable | disable}

set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}

set enc-algorithm {default | high | low}

set hostname <string>

set language {english | japanese | simch | trach}

set ldap-cache-timeout <integer>

set ldapconntimeout <integer>

set lcdpin <integer>

set lock-preempt {enable | disable}

set log-checksum {md5 | md5-auth | none}

set max-log-forward <integer>

set max-running-reports <integer>

set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}

set partial-install {enable | disable}

set partial-install-rev {enable | disable}

set policy-hit-count {enable | disable}

set policy-object-in-dual-pane {enable | disable}

set pre-login-banner {disable | enable}

set pre-login-banner-message <string>

set remoteauthtimeout <integer>

set search-all-adoms {enable | disable}

set ssl-low-encryption {enable | disable}

set ssl-protocol {tlsv1 | sslv3}

set swapmem {enable | disable}

set task-list-size <integer>

set timezone <integer>

set tunnel-mtu <integer>

set usg {enable | disable}

set vdom-mirror {enable | disable}

set webservice-proto {tlsv1 | sslv3 | sslv2}

set workflow-max-sessions <integer>

set workspace-mode {disabled | normal | workflow}

end

Variable

Description

admin-https-pki-required {disable | enable}

Enable/disable HTTPS login page when PKI is enabled. The following options are available:

  • disable: Admin users can log in by providing a valid certificate or password.
  • enable: Admin users have to provide a valid certificate when PKI is enabled for HTTPS admin access.

When both set clt-cert-req and set admin-https-pki-required are enabled, only PKI administrators can connect to the FortiManager GUI.

admin-lockout-duration <integer>

Set the lockout duration (seconds) for FortiManager administration. Default: 60

admin-lockout-threshold <integer>

Set the lockout threshold for FortiManager administration. Range: 1 to 10. Default: 3

adom-mode {advanced | normal}

Set the ADOM mode: advanced or normal.

adom-rev-auto-delete {by-days | by-revisions | disable}

Auto delete features for old ADOM revisions:

  • by-days: Auto delete ADOM revisions by maximum days.
  • by-revisions: Auto delete ADOM revisions by maximum number of revisions.
  • disable: Disable auto delete function for ADOM revision.

adom-rev-max-backup-revisions <integer>

The maximum number of ADOM revisions to backup.

adom-rev-max-days <integer>

The maximum number of days to keep old ADOM revisions.

adom-rev-max-revisions <integer>

The maximum number of ADOM revisions to keep.

adom-status {enable | disable}

Enable/disable administrative domains (ADOMs). Default: disable

adom-select {enable | disable}

Enable/disable a pop-up window that allows administrators to select an ADOM after logging in. Default: enable

auto-register-device {enable | disable}

Enable or disable device auto registration by log message.

clt-cert-req {disable | enable}

Enable/disable requiring a client certificate for GUI login. The following options are available:

  • disable: Disable setting.
  • enable: Require client certificate for GUI login.

When both set clt-cert-req and set admin-https-pki-required are enabled, only PKI administrators can connect to the FortiManager GUI.

console-output {more | standard}

Select how the output is displayed on the console. Select more to pause the output at each full screen until keypress. Select standard for continuous output without pauses. The following options are available:

  • more: More page output.
  • standard: Standard output (default)

create-revision {disable | enable}

Enable/disable create revision by default. The following options are available:

  • disable: Disable create revision by default.
  • enable: Enable create revision by default.

daylightsavetime {enable | disable}

Enable/disable daylight saving time.

If you enable daylight saving time, the FortiManager unit automatically adjusts the system time when daylight saving time begins or ends.

Default: enable

default-disk-quota <integer>

Default disk quota (MB) for registered device. Range: 100 to 100 000 (MB).

detect-unregistered-log-device {enable | disable}

Enable/disable unregistered log device detection.

faz-status {enable | disable}

Enable/disable FortiAnalyzer features in FortiManager. This command is not available on the FMG-100C.

fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}

Set the lowest SSL protocol version for fgfmsd. Default: tlsv1.0

enc-algorithm {default | high | low}

Set SSL communication encryption algorithms. The following options are available:

  • high: SSL communication using high encryption algorithms.
  • low: SSL communication using all available encryption algorithms.
  • medium: SSL communication using high and medium encryption algorithms.

Default: default

hostname <string>

FortiManager host name.

language {english | japanese | simch | trach}

GUI language. The following options are available:

  • english: English (default)
  • japanese: Japanese
  • simch: Simplified Chinese
  • trach: Traditional Chinese

ldap-cache-timeout <integer>

LDAP cache timeout, in seconds. Default: 86400

ldapconntimeout <integer>

LDAP connection timeout (in milliseconds). Default: 60000

lcdpin <integer>

Set the 6-digit PIN administrators must enter to use the LCD panel.

lock-preempt {enable | disable}

Enable/disable the ADOM lock override.

log-checksum {md5 | md5-auth | none}

Record log file hash value, timestamp, and authentication code at transmission or rolling. The following options are available:

  • md5: Record log file’s MD5 hash value only
  • md5-auth: Record log file’s MD5 hash value and authentication code
  • none: Do not record the log file checksum

max-log-forward <integer>

Set the maximum log forwarding and aggregation number, from 5 to 20.

max-running-reports <integer>

Maximum number of running reports. Range: 1 to 10

oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}

Set the lowest SSL protocol version for oftpd. Default: tlsv1.0

partial-install {enable | disable}

Enable/disable partial install (install only some objects).

Use this command to enable pushing individual objects of the policy package down to all FortiGates in the Policy Package.

Once enabled, in the GUI you can right-click an object and choose to install it.

partial-install-rev {enable | disable}

Enable/disable partial install revision.

policy-hit-count {enable | disable}

Enable/disable showing the policy hit count. Default: disable

The policy hit count is the number of sessions that match a firewall policy on a FortiGate. When policy-hit-count is enabled, FortiManager collects the hits from all managed FortiGate devices, sums the hit counts for each policy package from the assigned FortiGate devices, and displays the hit count for each of the firewall rules.

policy-object-in-dual-pane {enable | disable}

Enable/disable showing policies and objects in a dual pane. Default: disable

pre-login-banner {disable | enable}

Enable/disable pre-login banner.

pre-login-banner-message <string>

Set the pre-login banner message.

remoteauthtimeout <integer>

Remote authentication (RADIUS/LDAP) timeout (in seconds). Default: 10

search-all-adoms {enable | disable}

Enable/disable search all ADOMs for where-used queries.

ssl-low-encryption {enable | disable}

Enable/disable SSL low-grade (40-bit) encryption. Default: enable

ssl-protocol {tlsv1 | sslv3}

Set the SSL protocols: tlsv1 or sslv3.

swapmem {enable | disable}

Enable/disable virtual memory.

task-list-size <integer>

Set the maximum number of completed tasks to keep. Default: 2000

timezone <integer>

The time zone for the FortiManager unit. Default: (GMT-8) Pacific Time (US & Canada)

tunnel-mtu <integer>

Set the maximum transmission unit, from 68 to 9000. Default: 1500

usg {enable | disable}

Enable to contact FortiGuard servers only in the USA. Disable to contact any FortiGuard server.

vdom-mirror {enable | disable}

Enable/disable VDOM mirror. Once enabled in the CLI, you can select to enable VDOM Mirror when editing a virtual domain in the System > Virtual Domain device tab in Device Manager. You can then add devices and VDOMs to the list so they may be mirrored. An icon is displayed in the Mirror column of this page to indicate that the VDOM is being mirrored to another device/VDOM.

When changes are made to the master device’s VDOM database, a copy is applied to the mirror device’s VDOM database. A revision is created and then installed to the devices.

Default: disable

VDOM mirror is intended to be used by MSSP or enterprise companies who need to provide a backup VDOM for their customers.

webservice-proto {tlsv1 | sslv3 | sslv2}

Web Service connection: tlsv1, sslv3, or sslv2.

workflow-max-sessions <integer>

Maximum number of workflow sessions per ADOM. Range: 100 to 1000. Default: 500

workspace-mode {disabled | normal | workflow}

Enable/disable Workspace and Workflow (ADOM locking). The following options are available:

  • disabled: Workspace is disabled.
  • normal: Workspace lock mode enabled.
  • workflow: Workspace workflow mode enabled.

Example

The following command turns on daylight saving time, sets the FortiManager unit name to FMG3k, and chooses the Eastern time zone for US & Canada.

config system global

set daylightsavetime enable

set hostname FMG3k

set timezone 12

end
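Several options documented above select legacy protocols or low-grade encryption, and some of the documented defaults do too. The following is an added example, not part of the Fortinet documentation: a small Python check that reads a config system global block and flags those values. The function names, the sample input, and the rule that a setting missing from the input holds its documented default are assumptions made for the example.

```python
# Added example (not Fortinet code). Defaults are the ones stated on this page;
# assumption: a setting absent from the input holds its documented default.
DOCUMENTED_DEFAULTS = {"fgfm-ssl-protocol": "tlsv1.0", "oftp-ssl-protocol": "tlsv1.0",
                       "ssl-low-encryption": "enable"}
BELOW_TLS12 = {"sslv3", "tlsv1.0", "tlsv1.1"}
# setting -> (values to flag, reason), using only options listed on this page
WEAK = {
    "fgfm-ssl-protocol": (BELOW_TLS12, "fgfmsd accepts protocols below TLS 1.2"),
    "oftp-ssl-protocol": (BELOW_TLS12, "oftpd accepts protocols below TLS 1.2"),
    "ssl-protocol": ({"sslv3"}, "SSLv3 selected"),
    "webservice-proto": ({"sslv2", "sslv3"}, "web service uses SSLv2 or SSLv3"),
    "ssl-low-encryption": ({"enable"}, "40-bit encryption allowed"),
    "enc-algorithm": ({"low"}, "all available algorithms allowed"),
    "log-checksum": ({"none"}, "no log file checksum recorded"),
}

def parse_global(text):
    """Return {setting: value} from the 'config system global' block only."""
    settings, inside = {}, False
    for raw in text.splitlines():
        parts = raw.split(None, 2)
        if raw.split() == ["config", "system", "global"]:
            inside = True
        elif inside and parts[:1] == ["end"]:
            break
        elif inside and len(parts) == 3 and parts[0] == "set":
            settings[parts[1]] = parts[2].strip().strip('"')
    return settings

def audit(text):
    """Return sorted (setting, value, reason, source) findings."""
    explicit = parse_global(text)
    effective = {**DOCUMENTED_DEFAULTS, **explicit}
    findings = []
    for key, (bad, reason) in WEAK.items():
        if effective.get(key) in bad:
            source = "explicit" if key in explicit else "documented default"
            findings.append((key, effective[key], reason, source))
    return sorted(findings)

# Constructed sample input, not output captured from a device.
SAMPLE = """config system global
    set fgfm-ssl-protocol tlsv1.2
    set webservice-proto sslv3
    set log-checksum md5-auth
end
"""
for finding in audit(SAMPLE):
    print("%-20s %-8s %s (%s)" % finding)
```

On the sample, the explicit sslv3 web service setting is reported together with two values that were never typed: the documented defaults for oftp-ssl-protocol and ssl-low-encryption.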

Time zones

Integer  Time zone

00  (GMT-12:00) Eniwetak, Kwajalein
01  (GMT-11:00) Midway Island, Samoa
02  (GMT-10:00) Hawaii
03  (GMT-9:00) Alaska
04  (GMT-8:00) Pacific Time (US & Canada)
05  (GMT-7:00) Arizona
06  (GMT-7:00) Mountain Time (US & Canada)
07  (GMT-6:00) Central America
08  (GMT-6:00) Central Time (US & Canada)
09  (GMT-6:00) Mexico City
10  (GMT-6:00) Saskatchewan
11  (GMT-5:00) Bogota, Lima, Quito
12  (GMT-5:00) Eastern Time (US & Canada)
13  (GMT-5:00) Indiana (East)
14  (GMT-4:00) Atlantic Time (Canada)
15  (GMT-4:00) La Paz
16  (GMT-4:00) Santiago
17  (GMT-3:30) Newfoundland
18  (GMT-3:00) Brasilia
19  (GMT-3:00) Buenos Aires, Georgetown
20  (GMT-3:00) Nuuk (Greenland)
21  (GMT-2:00) Mid-Atlantic
22  (GMT-1:00) Azores
23  (GMT-1:00) Cape Verde Is
24  (GMT) Casablanca, Monrovia
25  (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London
26  (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
27  (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
28  (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
29  (GMT+1:00) Sarajevo, Skopje, Sofija, Vilnius, Warsaw, Zagreb
30  (GMT+1:00) West Central Africa
31  (GMT+2:00) Athens, Istanbul, Minsk
32  (GMT+2:00) Bucharest
33  (GMT+2:00) Cairo
34  (GMT+2:00) Harare, Pretoria
35  (GMT+2:00) Helsinki, Riga, Tallinn
36  (GMT+2:00) Jerusalem
37  (GMT+3:00) Baghdad
38  (GMT+3:00) Kuwait, Riyadh
39  (GMT+3:00) Moscow, St. Petersburg, Volgograd
40  (GMT+3:00) Nairobi
41  (GMT+3:30) Tehran
42  (GMT+4:00) Abu Dhabi, Muscat
43  (GMT+4:00) Baku
44  (GMT+4:30) Kabul
45  (GMT+5:00) Ekaterinburg
46  (GMT+5:00) Islamabad, Karachi, Tashkent
47  (GMT+5:30) Calcutta, Chennai, Mumbai, New Delhi
48  (GMT+5:45) Kathmandu
49  (GMT+6:00) Almaty, Novosibirsk
50  (GMT+6:00) Astana, Dhaka
51  (GMT+6:00) Sri Jayawardenapura
52  (GMT+6:30) Rangoon
53  (GMT+7:00) Bangkok, Hanoi, Jakarta
54  (GMT+7:00) Krasnoyarsk
55  (GMT+8:00) Beijing, ChongQing, HongKong, Urumqi
56  (GMT+8:00) Irkutsk, Ulaanbaatar
57  (GMT+8:00) Kuala Lumpur, Singapore
58  (GMT+8:00) Perth
59  (GMT+8:00) Taipei
60  (GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
61  (GMT+9:00) Yakutsk
62  (GMT+9:30) Adelaide
63  (GMT+9:30) Darwin
64  (GMT+10:00) Brisbane
65  (GMT+10:00) Canberra, Melbourne, Sydney
66  (GMT+10:00) Guam, Port Moresby
67  (GMT+10:00) Hobart
68  (GMT+10:00) Vladivostok
69  (GMT+11:00) Magadan
70  (GMT+11:00) Solomon Is., New Caledonia
71  (GMT+12:00) Auckland, Wellington
72  (GMT+12:00) Fiji, Kamchatka, Marshall Is
73  (GMT+13:00) Nuku'alofa
74  (GMT-4:30) Caracas
75  (GMT+1:00) Namibia
76  (GMT-5:00) Brazil-Acre
77  (GMT-4:00) Brazil-West
78  (GMT-3:00) Brazil-East
79  (GMT-2:00) Brazil-DeNoronha