Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse
fortios.system.getGlobal
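Use this data source to get information on the FortiOS `system global` configuration. The result includes security-sensitive settings (administrative access options, TLS and SSH algorithm selections, the SSH host key and its password), so treat it as sensitive when exporting or logging it.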
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fortios from "@pulumi/fortios";
// Read the FortiGate `system global` settings. The empty argument object leaves
// vdomparam unset, so the provider's VDOM configuration is inherited.
const sample1 = fortios.system.getGlobal({});
// Stack outputs are kept in the stack state, so only the hostname is exported.
// The result also exposes sensitive fields (for example the ssh-hostkey password
// listed under the output properties); wrap any such value with pulumi.secret()
// if it really has to be exported.
export const output1 = sample1.then(({ hostname }) => hostname);
import pulumi
import pulumi_fortios as fortios
# Read the FortiGate `system global` settings. vdomparam is left unset, so the
# provider's VDOM configuration is inherited.
global_settings = fortios.system.get_global()
# Stack outputs are kept in the stack state, so only the hostname is exported.
# The result also exposes sensitive fields (for example the ssh-hostkey password
# listed under the output properties); wrap any such value with
# pulumi.Output.secret() if it really has to be exported.
pulumi.export("output1", global_settings.hostname)
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/system"
)
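// main runs a Pulumi program that reads the FortiGate `system global` settings
// and exports the device hostname as the stack output "output1".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// nil args leaves vdomparam unset, so the provider's VDOM
		// configuration is inherited.
		sample1, err := system.LookupGlobal(ctx, nil, nil)
		if err != nil {
			return err
		}
		// The lookup result lists Hostname as a plain string, while ctx.Export
		// expects a pulumi.Input, so the value is wrapped with pulumi.String.
		// Only the hostname is exported: stack outputs are kept in the stack
		// state, and the result also exposes sensitive fields (for example the
		// ssh-hostkey password) that should be marked secret if ever exported.
		ctx.Export("output1", pulumi.String(sample1.Hostname))
		return nil
	})
}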
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortios = Pulumi.Fortios;
return await Deployment.RunAsync(() =>
{
    // Read the FortiGate `system global` settings; no vdomparam is passed, so the
    // provider's VDOM configuration is inherited.
    var globalSettings = Fortios.System.GetGlobal.Invoke();

    // Stack outputs are kept in the stack state, so only the hostname is exported.
    // The result also exposes sensitive fields (for example the ssh-hostkey
    // password listed under the output properties); mark any such value as a
    // secret if it really has to be exported.
    var outputs = new Dictionary<string, object?>();
    outputs["output1"] = globalSettings.Apply(result => result.Hostname);
    return outputs;
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortios.system.SystemFunctions;
import com.pulumi.fortios.system.inputs.GetGlobalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that reads the FortiGate {@code system global} settings and
 * exports the device hostname as the stack output {@code output1}.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines the stack. No vdomparam is passed, so the provider's VDOM
     * configuration is inherited.
     *
     * @param ctx Pulumi context used to register the stack output
     */
    public static void stack(Context ctx) {
        final var globalSettings = SystemFunctions.getGlobal();
        // Stack outputs are kept in the stack state, so only the hostname is
        // exported. The result also exposes sensitive fields (for example the
        // ssh-hostkey password listed under the output properties); mark any
        // such value as a secret if it really has to be exported.
        final var hostname = globalSettings.applyValue(result -> result.hostname());
        ctx.export("output1", hostname);
    }
}
# Pulumi YAML program: reads the FortiGate `system global` settings and exports
# the device hostname as the stack output "output1".
variables:
  sample1:
    fn::invoke:
      Function: fortios:system:getGlobal
      # Empty arguments: vdomparam is not set, so the provider's VDOM
      # configuration is inherited.
      Arguments: {}
outputs:
  # Stack outputs are kept in the stack state, so only the hostname is exported.
  # The result also exposes sensitive fields (for example the ssh-hostkey
  # password listed under the output properties); do not export those in plaintext.
  output1: ${sample1.hostname}
Using getGlobal
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getGlobal(args: GetGlobalArgs, opts?: InvokeOptions): Promise<GetGlobalResult>
function getGlobalOutput(args: GetGlobalOutputArgs, opts?: InvokeOptions): Output<GetGlobalResult>
def get_global(vdomparam: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetGlobalResult
def get_global_output(vdomparam: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetGlobalResult]
func LookupGlobal(ctx *Context, args *LookupGlobalArgs, opts ...InvokeOption) (*LookupGlobalResult, error)
func LookupGlobalOutput(ctx *Context, args *LookupGlobalOutputArgs, opts ...InvokeOption) LookupGlobalResultOutput
> Note: This function is named LookupGlobal in the Go SDK.
public static class GetGlobal
{
public static Task<GetGlobalResult> InvokeAsync(GetGlobalArgs args, InvokeOptions? opts = null)
public static Output<GetGlobalResult> Invoke(GetGlobalInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetGlobalResult> getGlobal(GetGlobalArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: fortios:system/getGlobal:getGlobal
arguments:
# arguments dictionary
The following arguments are supported:
- Vdomparam string
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vdomparam string
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vdomparam String
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vdomparam string
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vdomparam str
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vdomparam String
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
getGlobal Result
The following output properties are available:
- Admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
- Admin
Console intTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- Admin
Forticloud stringSso Default Profile - Override access profile.
- Admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO.
- Admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- Admin
Hsts intMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- Admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
- Admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS.
- Admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.
- Admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.
- Admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- Admin
Lockout intDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- Admin
Lockout intThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- Admin
Login intMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- Admin
Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because that password can be derived from the serial number, review an enabled value on any unit whose console is not physically secured.
- Admin
Port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- Admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
- Admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
- Admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- Admin
Sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- Admin
Ssh intGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- Admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access.
- Admin
Ssh intPort - Administrative access port for SSH. (1 - 65535, default = 22).
- Admin
Ssh stringV1 - Enable/disable SSH v1 compatibility.
- Admin
Telnet string - Enable/disable TELNET service.
- Admin
Telnet intPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- Admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- Alias string
- Alias for your FortiGate unit.
- Allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface.
- Anti
Replay string - Level of checking for packet replay and TCP sequence checking.
- Arp
Max intEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- Asymroute string
- Enable/disable asymmetric route.
- Auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- Auth
Http intPort - User authentication HTTP port. (1 - 65535, default = 80).
- Auth
Https intPort - User authentication HTTPS port. (1 - 65535, default = 443).
- Auth
Ike intSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- Auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle.
- Auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached.
- Auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices.
- Autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown.
- Av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
- Av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
- Batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
- Bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Block
Session intTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- Br
Fdb intMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- Cert
Chain intMax - Maximum number of certificates that can be traversed in a certificate chain.
- Cfg
Revert intTimeout - Time-out for reverting to the last saved configuration.
- Cfg
Save string - Configuration file save mode for CLI changes.
- Check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
- Check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
- Cli
Audit stringLog - Enable/disable CLI audit log.
- Cloud
Communication string - Enable/disable all cloud communication.
- Clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
- Cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Compliance
Check string - Enable/disable global PCI DSS compliance check.
- Compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- Cpu
Use intThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- Csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
- Daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
- Default
Service stringSource Port - Default service source port range. (default=1-65535)
- Device
Identification intActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- Device
Idle intTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- Dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
- Dhcp
Lease intBackup Interval - DHCP leases backup interval in seconds (10 - 3600, default = 60).
- Dnsproxy
Worker intCount - DNS proxy worker count.
- Dst string
- Enable/disable daylight saving time.
- Early
Tcp stringNpu Session - Enable/disable early TCP NPU session.
- Edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt.
- Endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints.
- Endpoint
Control intPortal Port - Endpoint control portal port (1 - 65535).
- Extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- Failtime int
- Fail-time for server lost.
- Faz
Disk intBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- Fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
- Fds
Statistics intPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- Fec
Port int - Local UDP port for Forward Error Correction (49152 - 65535).
- Fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard.
- Forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter.
- Forticonverter
Integration string - Enable/disable FortiConverter integration service.
- Fortiextender string
- Enable/disable FortiExtender.
- Fortiextender
Data intPort - FortiExtender data port (1024 - 49150, default = 25246).
- Fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown.
- FortiextenderProvisionOnAuthorization string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization.
- Fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode.
- Fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service.
- Fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service.
- Fortiservice
Port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- Fortitoken
Cloud string - Enable/disable FortiToken Cloud service.
- Fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud.
- Fortitoken
Cloud intSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- Gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname
- Gui
Allow stringIncompatible Fabric Fgt - Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error.
- Gui
App stringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN.
- Gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI.
- Gui
Cdn stringDomain Override - Domain of CDN server.
- Gui
Cdn stringUsage - Enable/disable Load GUI static files from a CDN.
- Gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
- Gui
Custom stringLanguage - Enable/disable custom languages in GUI.
- Gui
Date stringFormat - Default date format used throughout GUI.
- Gui
Date stringTime Source - Source from which the FortiGate GUI uses to display date and time entries.
- Gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page.
- Gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard.
- Gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI.
- Gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI.
- Gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI.
- Gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments.
- Gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI.
- Gui
Ipv6 string - Enable/disable IPv6 settings on the GUI.
- Gui
Lines intPer Page - Number of lines to display per page for web administration.
- Gui
Local stringOut - Enable/disable Local-out traffic on the GUI.
- Gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI.
- Gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate.
- Gui
Theme string - Color scheme for the administration GUI.
- Gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI.
- Gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI.
- Ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag.
- Hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- Id string
- The provider-assigned unique ID for this managed resource.
- Igmp
State intLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- Ike
Embryonic intLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- Interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable).
- Internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- InternetServiceDownloadLists List<Pulumiverse.Fortios.System.Outputs.GetGlobalInternetServiceDownloadList>
- Configure which on-demand Internet Service IDs are to be downloaded. The structure of the internet_service_download_list block is documented below.
- Interval int
- Dead gateway detection interval.
- Ip
Fragment intMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- Ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- Ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- Ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
- Ipsec
Ha intSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- Ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
- Ipsec
Qat stringOffload - Enable/disable QAT offloading (Intel QuickAssist) for IPsec VPN traffic. QuickAssist can accelerate IPsec encryption and decryption.
- Ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic.
- Ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
- Ipv6Accept
Dad int - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- Ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast.
- Ipv6Allow
Local stringIn Silent Drop - Enable/disable silent drop of IPv6 local-in traffic.
- Ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic.
- Ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast.
- Ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.
- Irq
Time stringAccounting - Configure CPU IRQ time accounting mode.
- Language string
- GUI display language.
- Ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- Lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception.
- Lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
- Log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold.
- Log
Ssl stringConnection - Enable/disable logging of SSL connection events.
- Log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs.
- Log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs.
- Login
Timestamp string - Enable/disable login time recording.
- Long
Vdom stringName - Enable/disable long VDOM name support.
- Management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- Management
Port int - Overriding port for management connection (Overrides admin port).
- Management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.
- Management
Vdom string - Management virtual domain name.
- Max
Dlpstat intMemory - Maximum DLP stat memory (0 - 4294967295).
- Max
Route intCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- Mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL.
- Memory
Use intThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- Memory
Use intThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- Memory
Use intThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- Miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- Miglogd
Children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- Multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional).
- Multicast
Forward string - Enable/disable multicast forwarding.
- Ndp
Max intEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- Npu
Neighbor stringUpdate - Enable/disable sending of probing packets to update neighbors for offloaded sessions.
- Per
User stringBal - Enable/disable per-user block/allow list filter.
- Per
User stringBwl - Enable/disable per-user black/white list filter.
- Pmtu
Discovery string - Enable/disable path MTU discovery.
- Policy
Auth intConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- PostLoginBanner string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
- PreLoginBanner string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
- Private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key.
- Proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
- Proxy
Auth intLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- Proxy
Auth intTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- Proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests.
- Proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic.
- Proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration.
- Proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated.
- Proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic.
- Proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
- Proxy
Re intAuthentication Time - The time limit that users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- Proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.
- Proxy
Worker intCount - Proxy worker count.
- Purdue
Level string - Purdue Level of this FortiGate.
- Quic
Ack intThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- Quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic).
- Quic
Max intDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- Quic
Pmtud string - Enable/disable path MTU discovery (default = enable).
- Quic
Tls intHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- Quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable).
- Radius
Port int - RADIUS service port number.
- Reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration.
- Refresh int
- Statistics refresh interval in GUI.
- Remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- Reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
- Restart
Time string - Daily restart time (hh:mm).
- Revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
- Revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
- Scanunit
Count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- Security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard.
- Security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating.
- Send
Pmtu stringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.
- Sflowd
Max intChildren Num - Maximum number of sflowd child processes allowed to run.
- Snat
Route stringChange - Enable/disable the ability to change the static NAT route.
- Special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
- Speedtest
Server string - Enable/disable speed test server.
- Speedtestd
Ctrl intPort - Speedtest server controller port number.
- Speedtestd
Server intPort - Speedtest server port number.
- Split
Port string - Split port(s) to multiple 10Gbps ports.
- Ssd
Trim intDate - Date within a month to run ssd trim.
- Ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
- Ssd
Trim intHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- Ssd
Trim intMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- Ssd
Trim stringWeekday - Day of week to run SSD Trim.
- Ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access.
- Ssh
Enc stringAlgo - Select one or more SSH ciphers.
- Ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access.
- Ssh
Hostkey string - Config SSH host key.
- Ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- Ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon.
- Ssh
Hostkey stringPassword - Password for ssh-hostkey. This is a sensitive value: do not export or log it in plaintext.
- Ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- Ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access.
- Ssh
Mac stringAlgo - Select one or more SSH MAC algorithms.
- Ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
- Ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- Ssl
Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
- Sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration.
- Sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection.
- Sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration.
- Sslvpn
Max intWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- Sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN.
- Sslvpn
Web stringMode - Enable/disable SSL-VPN web mode.
- Strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
- Strong
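Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. 3DES and SHA1 are themselves legacy algorithms by current guidance, so when auditing also check the explicit settings on this page (ssl-min-proto-version, admin-https-ssl-versions, the SSH algorithm lists) rather than relying on this flag alone.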
- Switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
- Switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- Sys
Perf intLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- Syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Tcp
Halfclose intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- Tcp
Halfopen intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- Tcp
Option string - Enable SACK, timestamp and MSS TCP options.
- Tcp
Rst intTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- Tcp
Timewait intTimer - Length of the TCP TIME-WAIT state in seconds.
- Tftp string
- Enable/disable TFTP.
- Timezone string
- Number corresponding to your time zone from 00 to 86. Enter `set timezone ?` to view the list of time zones and the numbers that represent them.
- Tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through.
- Traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
- Traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization.
- Two
Factor intEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- Two
Factor intFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- Two
Factor intFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- Two
Factor intFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- Two
Factor intSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- Udp
Idle intTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- Url
Filter stringAffinity - URL filter CPU affinity.
- Url
Filter intCount - URL filter daemon count.
- User
Device intStore Max Devices - Maximum number of devices allowed in user device store.
- User
Device intStore Max Unified Mem - Maximum unified memory allowed in user device store.
- User
Device intStore Max Users - Maximum number of users allowed in user device store.
- User
Server stringCert - Certificate to use for https user authentication.
- Vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs).
- Vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs).
- Vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
- Virtual
Server intCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- Virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration.
- Virtual
Switch stringVlan - Enable/disable virtual switch VLAN.
- Vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection.
- Wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Wad
Csvc intCs Count - Number of concurrent WAD-cache-service object-cache processes.
- Wad
Csvc intDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- Wad
Memory intChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- Wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- Wad
Restart stringMode - WAD worker restart mode (default = none).
- Wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- Wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity.
- Wad
Worker intCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- Wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- Wifi
Certificate string - Certificate to use for WiFi authentication.
- Wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices.
- Wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
- Wireless
Controller intPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- Vdomparam string
- Admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
- Admin
Console intTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- Admin
Forticloud stringSso Default Profile - Override access profile.
- Admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO.
- Admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- Admin
Hsts intMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- Admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
- Admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS.
- Admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.
- Admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.
- Admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- Admin
Lockout intDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- Admin
Lockout intThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- Admin
Login intMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- Admin
Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login.
- Admin
Port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- Admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
- Admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
- Admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- Admin
Sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- Admin
Ssh intGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- Admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access.
- Admin
Ssh intPort - Administrative access port for SSH. (1 - 65535, default = 22).
- Admin
Ssh stringV1 - Enable/disable SSH v1 compatibility.
- Admin
Telnet string - Enable/disable TELNET service.
- Admin
Telnet intPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- Admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- Alias string
- Alias for your FortiGate unit.
- Allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface.
- Anti
Replay string - Level of checking for packet replay and TCP sequence checking.
- Arp
Max intEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- Asymroute string
- Enable/disable asymmetric route.
- Auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- Auth
Http intPort - User authentication HTTP port. (1 - 65535, default = 80).
- Auth
Https intPort - User authentication HTTPS port. (1 - 65535, default = 443).
- Auth
Ike intSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- Auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle.
- Auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached.
- Auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices.
- Autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown.
- Av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
- Av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
- Batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
- Bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Block
Session intTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- Br
Fdb intMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- Cert
Chain intMax - Maximum number of certificates that can be traversed in a certificate chain.
- Cfg
Revert intTimeout - Time-out for reverting to the last saved configuration.
- Cfg
Save string - Configuration file save mode for CLI changes.
- Check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
- Check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
- Cli
Audit stringLog - Enable/disable CLI audit log.
- Cloud
Communication string - Enable/disable all cloud communication.
- Clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
- Cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Compliance
Check string - Enable/disable global PCI DSS compliance check.
- Compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- Cpu
Use intThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- Csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
- Daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
- Default
Service stringSource Port - Default service source port range. (default=1-65535)
- Device
Identification intActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- Device
Idle intTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- Dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
- Dhcp
Lease intBackup Interval - DHCP leases backup interval in seconds (10 - 3600, default = 60).
- Dnsproxy
Worker intCount - DNS proxy worker count.
- Dst string
- Enable/disable daylight saving time.
- Early
Tcp stringNpu Session - Enable/disable early TCP NPU session.
- Edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt.
- Endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints.
- Endpoint
Control intPortal Port - Endpoint control portal port (1 - 65535).
- Extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- Failtime int
- Fail-time for server lost.
- Faz
Disk intBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- Fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
- Fds
Statistics intPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- Fec
Port int - Local UDP port for Forward Error Correction (49152 - 65535).
- Fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard.
- Forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter.
- Forticonverter
Integration string - Enable/disable FortiConverter integration service.
- Fortiextender string
- Enable/disable FortiExtender.
- Fortiextender
Data intPort - FortiExtender data port (1024 - 49150, default = 25246).
- Fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown.
- string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization.
- Fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode.
- Fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service.
- Fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service.
- Fortiservice
Port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- Fortitoken
Cloud string - Enable/disable FortiToken Cloud service.
- Fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud.
- Fortitoken
Cloud intSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- Gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname
- Gui
Allow stringIncompatible Fabric Fgt - Enable/disable allowing a FortiGate (FGT) with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors.
- Gui
App stringDetection Sdwan - Enable/disable allowing app-detection based SD-WAN.
- Gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI.
- Gui
Cdn stringDomain Override - Domain of CDN server.
- Gui
Cdn stringUsage - Enable/disable loading GUI static files from a CDN.
- Gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
- Gui
Custom stringLanguage - Enable/disable custom languages in GUI.
- Gui
Date stringFormat - Default date format used throughout GUI.
- Gui
Date stringTime Source - Source that the FortiGate GUI uses to display date and time entries.
- Gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page.
- Gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard.
- Gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI.
- Gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI.
- Gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI.
- Gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments.
- Gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI.
- Gui
Ipv6 string - Enable/disable IPv6 settings on the GUI.
- Gui
Lines intPer Page - Number of lines to display per page for web administration.
- Gui
Local stringOut - Enable/disable Local-out traffic on the GUI.
- Gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI.
- Gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate.
- Gui
Theme string - Color scheme for the administration GUI.
- Gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI.
- Gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI.
- Ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag.
- Hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- Id string
- The provider-assigned unique ID for this managed resource.
- Igmp
State intLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- Ike
Embryonic intLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- Interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable).
- Internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- Internet
Service []GetDownload Lists Global Internet Service Download List - Configure which on-demand Internet Service IDs are to be downloaded. The structure of the `internet_service_download_list` block is documented below.
- Interval int
- Dead gateway detection interval.
- Ip
Fragment intMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- Ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- Ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- Ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
- Ipsec
Ha intSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- Ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
- Ipsec
Qat stringOffload - Enable/disable QAT offloading (Intel QuickAssist) for IPsec VPN traffic. QuickAssist can accelerate IPsec encryption and decryption.
- Ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic.
- Ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
- Ipv6Accept
Dad int - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- Ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast.
- Ipv6Allow
Local stringIn Silent Drop - Enable/disable silent drop of IPv6 local-in traffic.
- Ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic.
- Ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast.
- Ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.
- Irq
Time stringAccounting - Configure CPU IRQ time accounting mode.
- Language string
- GUI display language.
- Ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- Lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception.
- Lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
- Log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold.
- Log
Ssl stringConnection - Enable/disable logging of SSL connection events.
- Log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs.
- Log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs.
- Login
Timestamp string - Enable/disable login time recording.
- Long
Vdom stringName - Enable/disable long VDOM name support.
- Management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- Management
Port int - Overriding port for management connection (Overrides admin port).
- Management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.
- Management
Vdom string - Management virtual domain name.
- Max
Dlpstat intMemory - Maximum DLP stat memory (0 - 4294967295).
- Max
Route intCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- Mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL.
- Memory
Use intThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- Memory
Use intThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- Memory
Use intThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- Miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- Miglogd
Children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- Multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional).
- Multicast
Forward string - Enable/disable multicast forwarding.
- Ndp
Max intEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- Npu
Neighbor stringUpdate - Enable/disable sending of probing packets to update neighbors for offloaded sessions.
- Per
User stringBal - Enable/disable per-user block/allow list filter.
- Per
User stringBwl - Enable/disable per-user black/white list filter.
- Pmtu
Discovery string - Enable/disable path MTU discovery.
- Policy
Auth intConcurrent - Number of concurrent firewall user logins from the same user (1 - 100; default = 0, which means no limit).
- string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
- string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
- Private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key.
- Proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
- Proxy
Auth intLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- Proxy
Auth intTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- Proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests.
- Proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic.
- Proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration.
- Proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated.
- Proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic.
- Proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
- Proxy
Re intAuthentication Time - The time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default = 30 sec).
- Proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.
- Proxy
Worker intCount - Proxy worker count.
- Purdue
Level string - Purdue Level of this FortiGate.
- Quic
Ack intThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- Quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic).
- Quic
Max intDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- Quic
Pmtud string - Enable/disable path MTU discovery (default = enable).
- Quic
Tls intHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- Quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable).
- Radius
Port int - RADIUS service port number.
- Reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration.
- Refresh int
- Statistics refresh interval in GUI.
- Remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- Reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
- Restart
Time string - Daily restart time (hh:mm).
- Revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
- Revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
- Scanunit
Count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- Security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard.
- Security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating.
- Send
Pmtu stringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) ICMP destination unreachable packets, to support the PMTUD protocol on your network and reduce fragmentation of packets.
- Sflowd
Max intChildren Num - Maximum number of sflowd child processes allowed to run.
- Snat
Route stringChange - Enable/disable the ability to change the static NAT route.
- Special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
- Speedtest
Server string - Enable/disable speed test server.
- Speedtestd
Ctrl intPort - Speedtest server controller port number.
- Speedtestd
Server intPort - Speedtest server port number.
- Split
Port string - Split port(s) to multiple 10Gbps ports.
- Ssd
Trim intDate - Date within a month to run ssd trim.
- Ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
- Ssd
Trim intHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- Ssd
Trim intMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- Ssd
Trim stringWeekday - Day of week to run SSD Trim.
- Ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access.
- Ssh
Enc stringAlgo - Select one or more SSH ciphers.
- Ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access.
- Ssh
Hostkey string - Config SSH host key.
- Ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- Ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon.
- Ssh
Hostkey stringPassword - Password for ssh-hostkey.
- Ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- Ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access.
- Ssh
Mac stringAlgo - Select one or more SSH MAC algorithms.
- Ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
- Ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- Ssl
Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
- Sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration.
- Sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection.
- Sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration.
- Sslvpn
Max intWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- Sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN.
- Sslvpn
Web stringMode - Enable/disable SSL-VPN web mode.
- Strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
- Strong
Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions.
- Switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
- Switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- Sys
Perf intLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- Syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Tcp
Halfclose intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- Tcp
Halfopen intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- Tcp
Option string - Enable SACK, timestamp and MSS TCP options.
- Tcp
Rst intTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- Tcp
Timewait intTimer - Length of the TCP TIME-WAIT state in seconds.
- Tftp string
- Enable/disable TFTP.
- Timezone string
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- Tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through.
- Traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
- Traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization.
- Two
Factor intEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- Two
Factor intFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- Two
Factor intFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- Two
Factor intFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- Two
Factor intSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- Udp
Idle intTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- Url
Filter stringAffinity - URL filter CPU affinity.
- Url
Filter intCount - URL filter daemon count.
- User
Device intStore Max Devices - Maximum number of devices allowed in user device store.
- User
Device intStore Max Unified Mem - Maximum unified memory allowed in user device store.
- User
Device intStore Max Users - Maximum number of users allowed in user device store.
- User
Server stringCert - Certificate to use for https user authentication.
- Vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs).
- Vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs).
- Vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
- Virtual
Server intCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- Virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration.
- Virtual
Switch stringVlan - Enable/disable virtual switch VLAN.
- Vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection.
- Wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Wad
Csvc intCs Count - Number of concurrent WAD-cache-service object-cache processes.
- Wad
Csvc intDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- Wad
Memory intChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- Wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- Wad
Restart stringMode - WAD worker restart mode (default = none).
- Wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- Wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity.
- Wad
Worker intCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- Wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- Wifi
Certificate string - Certificate to use for WiFi authentication.
- Wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices.
- Wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
- Wireless
Controller intPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- Vdomparam string
- admin
Concurrent String - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
- admin
Console IntegerTimeout - Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout.
- admin
Forticloud StringSso Default Profile - Override access profile.
- admin
Forticloud StringSso Login - Enable/disable FortiCloud admin login via SSO.
- admin
Host String - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts IntegerMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- admin
Https StringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
- admin
Https StringRedirect - Enable/disable redirection of HTTP administration access to HTTPS.
- admin
Https StringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.
- admin
Https StringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.
- admin
Https StringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout IntegerDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout IntegerThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login IntegerMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
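Maintainer String - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number rather than chosen by an administrator, treat an enabled value as a finding wherever physical access to the unit is not controlled.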
- admin
Port Integer - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict StringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
- admin
Scp String - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
- admin
Server StringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport Integer - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh IntegerGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh StringPassword - Enable/disable password authentication for SSH admin access.
- admin
Ssh IntegerPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
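Ssh StringV1 - Enable/disable SSH v1 compatibility. SSH v1 is an obsolete protocol version with known weaknesses; this is normally expected to be disabled.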
- admin
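Telnet String - Enable/disable TELNET service. TELNET carries credentials and session data unencrypted, so an enabled value is worth flagging when auditing administrative access.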
- admin
Telnet IntegerPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout Integer
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias String
- Alias for your FortiGate unit.
- allow
Traffic StringRedirect - Disable to allow traffic to be routed back on a different interface.
- anti
Replay String - Level of checking for packet replay and TCP sequence checking.
- arp
Max IntegerEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute String
- Enable/disable asymmetric route.
- auth
Cert String - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http IntegerPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https IntegerPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike IntegerSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive String - Enable to prevent user authentication sessions from timing out when idle.
- auth
Session StringLimit - Action to take when the number of allowed user authenticated sessions is reached.
- auto
Auth StringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices.
- autorun
Log StringFsck - Enable/disable automatic log partition check after ungraceful shutdown.
- av
Affinity String - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen String - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
- av
Failopen StringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
- batch
Cmdb String - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
- bfd
Affinity String - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session IntegerTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb IntegerMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain IntegerMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert IntegerTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save String - Configuration file save mode for CLI changes.
- check
Protocol StringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
- check
Reset StringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
- cli
Audit StringLog - Enable/disable CLI audit log.
- cloud
Communication String - Enable/disable all cloud communication.
- clt
Cert StringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
- cmdbsvr
Affinity String - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check String - Enable/disable global PCI DSS compliance check.
- compliance
Check StringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use IntegerThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr
Ca StringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
- daily
Restart String - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
- default
Service StringSource Port - Default service source port range. (default=1-65535)
- device
Identification IntegerActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle IntegerTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params String - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
- dhcp
Lease IntegerBackup Interval - DHCP leases backup interval in seconds (10 - 3600, default = 60).
- dnsproxy
Worker IntegerCount - DNS proxy worker count.
- dst String
- Enable/disable daylight saving time.
- early
Tcp StringNpu Session - Enable/disable early TCP NPU session.
- edit
Vdom StringPrompt - Enable/disable edit new VDOM prompt.
- endpoint
Control StringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints.
- endpoint
Control IntegerPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller StringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime Integer
- Fail-time for server lost.
- faz
Disk IntegerBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics String - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
- fds
Statistics IntegerPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port Integer - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert StringSubscription - Type of alert to retrieve from FortiGuard.
- forticonverter
Config StringUpload - Enable/disable config upload to FortiConverter.
- forticonverter
Integration String - Enable/disable FortiConverter integration service.
- fortiextender String
- Enable/disable FortiExtender.
- fortiextender
Data IntegerPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery StringLockdown - Enable/disable FortiExtender CAPWAP lockdown.
- String
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization.
- fortiextender
Vlan StringMode - Enable/disable FortiExtender VLAN mode.
- fortigslb
Integration String - Enable/disable integration with the FortiGSLB cloud service.
- fortiipam
Integration String - Enable/disable integration with the FortiIPAM cloud service.
- fortiservice
Port Integer - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud String - Enable/disable FortiToken Cloud service.
- fortitoken
Cloud StringPush Status - Enable/disable FTM push service of FortiToken Cloud.
- fortitoken
Cloud IntegerSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- gui
Allow StringDefault Hostname - Enable/disable the GUI warning about using a default hostname
- gui
Allow StringIncompatible Fabric Fgt - Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error.
- gui
App StringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN.
- gui
Auto StringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI.
- gui
Cdn StringDomain Override - Domain of CDN server.
- gui
Cdn StringUsage - Enable/disable Load GUI static files from a CDN.
- gui
Certificates String - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
- gui
Custom StringLanguage - Enable/disable custom languages in GUI.
- gui
Date StringFormat - Default date format used throughout GUI.
- gui
Date StringTime Source - Source that the FortiGate GUI uses to display date and time entries.
- gui
Device StringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device StringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display StringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page.
- gui
Firmware StringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard.
- gui
Firmware StringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI.
- gui
Forticare StringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI.
- gui
Fortigate StringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI.
- gui
Fortiguard StringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments.
- gui
Fortisandbox StringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI.
- gui
Ipv6 String - Enable/disable IPv6 settings on the GUI.
- gui
Lines IntegerPer Page - Number of lines to display per page for web administration.
- gui
Local StringOut - Enable/disable Local-out traffic on the GUI.
- gui
Replacement StringMessage Groups - Enable/disable replacement message groups on the GUI.
- gui
Rest StringApi Cache - Enable/disable REST API result caching on FortiGate.
- gui
Theme String - Color scheme for the administration GUI.
- gui
Wireless StringOpensecurity - Enable/disable wireless open security option on the GUI.
- gui
Workflow StringManagement - Enable/disable Workflow management features on the GUI.
- ha
Affinity String - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df String - Enable/disable honoring of Don't-Fragment (DF) flag.
- hostname String
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- id String
- The provider-assigned unique ID for this managed resource.
- igmp
State IntegerLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic IntegerLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet StringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable).
- internet
Service StringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service List<GetDownload Lists Global Internet Service Download List> - Configure which on-demand Internet Service IDs are to be downloaded. The structure of the `internet_service_download_list` block is documented below.
- interval Integer
- Dead gateway detection interval.
- ip
Fragment IntegerMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src StringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity String - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic StringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
- ipsec
Ha IntegerSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac StringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
- ipsec
Qat StringOffload - Enable/disable QAT offloading (Intel QuickAssist) for IPsec VPN traffic. QuickAssist can accelerate IPsec encryption and decryption.
- ipsec
Round StringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic.
- ipsec
Soft StringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
- ipv6Accept
Dad Integer - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast StringProbe - Enable/disable IPv6 address probe through Anycast.
- ipv6Allow
Local StringIn Silent Drop - Enable/disable silent drop of IPv6 local-in traffic.
- ipv6Allow
Local StringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic.
- ipv6Allow
Multicast StringProbe - Enable/disable IPv6 address probe through Multicast.
- ipv6Allow
Traffic StringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.
- irq
Time StringAccounting - Configure CPU IRQ time accounting mode.
- language String
- GUI display language.
- ldapconntimeout Integer
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception String - Enable/disable Link Layer Discovery Protocol (LLDP) reception.
- lldp
Transmission String - Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
- log
Single StringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold.
- log
Ssl StringConnection - Enable/disable logging of SSL connection events.
- log
Uuid StringAddress - Enable/disable insertion of address UUIDs to traffic logs.
- log
Uuid StringPolicy - Enable/disable insertion of policy UUIDs to traffic logs.
- login
Timestamp String - Enable/disable login time recording.
- long
Vdom StringName - Enable/disable long VDOM name support.
- management
Ip String - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port Integer - Overriding port for management connection (Overrides admin port).
- management
Port StringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.
- management
Vdom String - Management virtual domain name.
- max
Dlpstat IntegerMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route IntegerCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl StringNotchange - Enable/disable no modification of multicast TTL.
- memory
Use IntegerThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use IntegerThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use IntegerThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity String - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children Integer - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor StringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional).
- multicast
Forward String - Enable/disable multicast forwarding.
- ndp
Max IntegerEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- npu
Neighbor StringUpdate - Enable/disable sending of probing packets to update neighbors for offloaded sessions.
- per
User StringBal - Enable/disable per-user block/allow list filter.
- per
User StringBwl - Enable/disable per-user black/white list filter.
- pmtu
Discovery String - Enable/disable path MTU discovery.
- policy
Auth IntegerConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- String
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
- String
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
- private
Data StringEncryption - Enable/disable private data encryption using an AES 128-bit key.
- proxy
Auth StringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
- proxy
Auth IntegerLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth IntegerTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert StringUse Mgmt Vdom - Enable/disable using management VDOM to send requests.
- proxy
Cipher StringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic.
- proxy
Hardware StringAcceleration - Enable/disable email proxy hardware acceleration.
- proxy
Keep StringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated.
- proxy
Kxp StringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic.
- proxy
Re StringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
- proxy
Re IntegerAuthentication Time - The time limit that users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default = 30 s).
- proxy
Resource StringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.
- proxy
Worker IntegerCount - Proxy worker count.
- purdue
Level String - Purdue Level of this FortiGate.
- quic
Ack IntegerThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion StringControl Algo - QUIC congestion control algorithm (default = cubic).
- quic
Max IntegerDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud String - Enable/disable path MTU discovery (default = enable).
- quic
Tls IntegerHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp StringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable).
- radius
Port Integer - RADIUS service port number.
- reboot
Upon StringConfig Restore - Enable/disable reboot of system upon restoring configuration.
- refresh Integer
- Statistics refresh interval in GUI.
- remoteauthtimeout Integer
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless StringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
- restart
Time String - Daily restart time (hh:mm).
- revision
Backup StringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
- revision
Image StringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
- scanunit
Count Integer - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating StringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard.
- security
Rating StringRun On Schedule - Enable/disable scheduled runs of Security Rating.
- send
Pmtu StringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets.
- sflowd
Max IntegerChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route StringChange - Enable/disable the ability to change the static NAT route.
- special
File23Support String - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
- speedtest
Server String - Enable/disable speed test server.
- speedtestd
Ctrl IntegerPort - Speedtest server controller port number.
- speedtestd
Server IntegerPort - Speedtest server port number.
- split
Port String - Split port(s) to multiple 10Gbps ports.
- ssd
Trim IntegerDate - Date within a month to run ssd trim.
- ssd
Trim StringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
- ssd
Trim IntegerHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim IntegerMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim StringWeekday - Day of week to run SSD Trim.
- ssh
Cbc StringCipher - Enable/disable CBC cipher for SSH access.
- ssh
Enc StringAlgo - Select one or more SSH ciphers.
- ssh
Hmac StringMd5 - Enable/disable HMAC-MD5 for SSH access.
- ssh
Hostkey String - Config SSH host key.
- ssh
Hostkey StringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey StringOverride - Enable/disable SSH host key override in SSH daemon.
- ssh
Hostkey StringPassword - Password for ssh-hostkey.
- ssh
Kex StringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex StringSha1 - Enable/disable SHA1 key exchange for SSH access.
- ssh
Mac StringAlgo - Select one or more SSH MAC algorithms.
- ssh
Mac StringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
- ssl
Min StringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static StringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
- sslvpn
Cipher StringHardware Acceleration - Enable/disable SSL VPN hardware acceleration.
- sslvpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection.
- sslvpn
Kxp StringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration.
- sslvpn
Max IntegerWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin StringVersion Check - Enable/disable checking browser's plugin version by SSL VPN.
- sslvpn
Web StringMode - Enable/disable SSL-VPN web mode.
- strict
Dirty StringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
- strong
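Crypto String - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA-1 are treated as legacy algorithms under current guidance, so this setting on its own does not guarantee a modern cipher set; also review the minimum SSL/TLS version and the SSH algorithm settings listed on this page.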
- switch
Controller String - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
- switch
Controller StringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf IntegerLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity String - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose IntegerTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen IntegerTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option String - Enable SACK, timestamp and MSS TCP options.
- tcp
Rst IntegerTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait IntegerTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp String
- Enable/disable TFTP.
- timezone String
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc StringSkip Policy - Enable/disable skip policy check and allow multicast through.
- traffic
Priority String - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
- traffic
Priority StringLevel - Default system-wide level of priority for traffic prioritization.
- two
Factor IntegerEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two
Factor IntegerFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two
Factor IntegerFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two
Factor IntegerFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two
Factor IntegerSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle IntegerTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter StringAffinity - URL filter CPU affinity.
- url
Filter IntegerCount - URL filter daemon count.
- user
Device IntegerStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device IntegerStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device IntegerStore Max Users - Maximum number of users allowed in user device store.
- user
Server StringCert - Certificate to use for https user authentication.
- vdom
Admin String - Enable/disable support for multiple virtual domains (VDOMs).
- vdom
Mode String - Enable/disable support for split/multiple virtual domains (VDOMs).
- vip
Arp StringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
- virtual
Server IntegerCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server StringHardware Acceleration - Enable/disable virtual server hardware acceleration.
- virtual
Switch StringVlan - Enable/disable virtual switch VLAN.
- vpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection.
- wad
Affinity String - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc IntegerCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc IntegerDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory IntegerChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart StringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart StringMode - WAD worker restart mode (default = none).
- wad
Restart StringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source StringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity.
- wad
Worker IntegerCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi
Ca StringCertificate - CA certificate that verifies the WiFi certificate.
- wifi
Certificate String - Certificate to use for WiFi authentication.
- wimax4g
Usb String - Enable/disable compatibility with WiMAX 4G USB devices.
- wireless
Controller String - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
- wireless
Controller IntegerPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- vdomparam String
- admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
- admin
Console numberTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin
Forticloud stringSso Default Profile - Override access profile.
- admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO.
- admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts numberMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
- admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS.
- admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.
- admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.
- admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout numberDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout numberThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login numberMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
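Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number rather than being a secret, check this value when auditing units whose physical console access is not tightly controlled.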
- admin
Port number - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
- admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
- admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport number - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh numberGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access.
- admin
Ssh numberPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
Ssh stringV1 - Enable/disable SSH v1 compatibility. SSH v1 has known protocol weaknesses, so this is normally expected to be disabled.
- admin
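Telnet string - Enable/disable TELNET service. TELNET carries administrator credentials in cleartext, so this is normally expected to be disabled in favour of SSH.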
- admin
Telnet numberPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout number
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias string
- Alias for your FortiGate unit.
- allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface.
- anti
Replay string - Level of checking for packet replay and TCP sequence checking.
- arp
Max numberEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute string
- Enable/disable asymmetric route.
- auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http numberPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https numberPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike numberSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle.
- auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached.
- auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices.
- autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown.
- av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
- av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
- batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
- bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session numberTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb numberMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain numberMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert numberTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save string - Configuration file save mode for CLI changes.
- check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
- check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
- cli
Audit stringLog - Enable/disable CLI audit log.
- cloud
Communication string - Enable/disable all cloud communication.
- clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
- cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check string - Enable/disable global PCI DSS compliance check.
- compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use numberThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
- daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
- default
Service stringSource Port - Default service source port range. (default=1-65535)
- device
Identification numberActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle numberTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
- dhcp
Lease numberBackup Interval - DHCP leases backup interval in seconds (10 - 3600, default = 60).
- dnsproxy
Worker numberCount - DNS proxy worker count.
- dst string
- Enable/disable daylight saving time.
- early
Tcp stringNpu Session - Enable/disable early TCP NPU session.
- edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt.
- endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints.
- endpoint
Control numberPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime number
- Fail-time for server lost.
- faz
Disk numberBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
- fds
Statistics numberPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port number - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard.
- forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter.
- forticonverter
Integration string - Enable/disable FortiConverter integration service.
- fortiextender string
- Enable/disable FortiExtender.
- fortiextender
Data numberPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown.
- string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization.
- fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode.
- fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service.
- fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service.
- fortiservice
Port number - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud string - Enable/disable FortiToken Cloud service.
- fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud.
- fortitoken
Cloud numberSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname
- gui
Allow stringIncompatible Fabric Fgt - Enable/disable allowing a FortiGate (FGT) with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors.
- gui
App stringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN.
- gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI.
- gui
Cdn stringDomain Override - Domain of CDN server.
- gui
Cdn stringUsage - Enable/disable Load GUI static files from a CDN.
- gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
- gui
Custom stringLanguage - Enable/disable custom languages in GUI.
- gui
Date stringFormat - Default date format used throughout GUI.
- gui
Date stringTime Source - Source that the FortiGate GUI uses to display date and time entries.
- gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page.
- gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard.
- gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI.
- gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI.
- gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI.
- gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments.
- gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI.
- gui
Ipv6 string - Enable/disable IPv6 settings on the GUI.
- gui
Lines numberPer Page - Number of lines to display per page for web administration.
- gui
Local stringOut - Enable/disable Local-out traffic on the GUI.
- gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI.
- gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate.
- gui
Theme string - Color scheme for the administration GUI.
- gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI.
- gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI.
- ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag.
- hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- id string
- The provider-assigned unique ID for this managed resource.
- igmp
State numberLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic numberLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable).
- internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service GetDownload Lists Global Internet Service Download List[] - Configure which on-demand Internet Service IDs are to be downloaded. The structure of the `internet_service_download_list` block is documented below.
- interval number
- Dead gateway detection interval.
- ip
Fragment numberMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
- ipsec
Ha numberSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
- ipsec
Qat stringOffload - Enable/disable QAT offloading (Intel QuickAssist) for IPsec VPN traffic. QuickAssist can accelerate IPsec encryption and decryption.
- ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic.
- ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
- ipv6Accept
Dad number - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast.
- ipv6Allow
Local stringIn Silent Drop - Enable/disable silent drop of IPv6 local-in traffic.
- ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic.
- ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast.
- ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.
- irq
Time stringAccounting - Configure CPU IRQ time accounting mode.
- language string
- GUI display language.
- ldapconntimeout number
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception.
- lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
- log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold.
- log
Ssl stringConnection - Enable/disable logging of SSL connection events.
- log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs.
- log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs.
- login
Timestamp string - Enable/disable login time recording.
- long
Vdom stringName - Enable/disable long VDOM name support.
- management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port number - Overriding port for management connection (Overrides admin port).
- management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.
- management
Vdom string - Management virtual domain name.
- max
Dlpstat numberMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route numberCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL.
- memory
Use numberThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use numberThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use numberThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children number - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional).
- multicast
Forward string - Enable/disable multicast forwarding.
- ndp
Max numberEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- npu
Neighbor stringUpdate - Enable/disable sending of probing packets to update neighbors for offloaded sessions.
- per
User stringBal - Enable/disable per-user block/allow list filter.
- per
User stringBwl - Enable/disable per-user black/white list filter.
- pmtu
Discovery string - Enable/disable path MTU discovery.
- policy
Auth numberConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
- string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
- private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key.
- proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
- proxy
Auth numberLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth numberTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests.
- proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic.
- proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration.
- proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated.
- proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic.
- proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
- proxy
Re numberAuthentication Time - The time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default = 30 sec).
- proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.
- proxy
Worker numberCount - Proxy worker count.
- purdue
Level string - Purdue Level of this FortiGate.
- quic
Ack numberThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic).
- quic
Max numberDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud string - Enable/disable path MTU discovery (default = enable).
- quic
Tls numberHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable).
- radius
Port number - RADIUS service port number.
- reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration.
- refresh number
- Statistics refresh interval in GUI.
- remoteauthtimeout number
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
- restart
Time string - Daily restart time (hh:mm).
- revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
- revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
- scanunit
Count number - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard.
- security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating.
- send
Pmtu stringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) ICMP destination unreachable packets, which supports the PMTUD protocol on your network and reduces fragmentation of packets.
- sflowd
Max numberChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route stringChange - Enable/disable the ability to change the static NAT route.
- special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
- speedtest
Server string - Enable/disable speed test server.
- speedtestd
Ctrl numberPort - Speedtest server controller port number.
- speedtestd
Server numberPort - Speedtest server port number.
- split
Port string - Split port(s) to multiple 10Gbps ports.
- ssd
Trim numberDate - Date within a month to run ssd trim.
- ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
- ssd
Trim numberHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim numberMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim stringWeekday - Day of week to run SSD Trim.
- ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access.
- ssh
Enc stringAlgo - Select one or more SSH ciphers.
- ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access.
- ssh
Hostkey string - Config SSH host key.
- ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon.
- ssh
Hostkey stringPassword - Password for ssh-hostkey.
- ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access.
- ssh
Mac stringAlgo - Select one or more SSH MAC algorithms.
- ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
- ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
- sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration.
- sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection.
- sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration.
- sslvpn
Max numberWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN.
- sslvpn
Web stringMode - Enable/disable SSL-VPN web mode.
- strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
- strong
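Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA1 are treated as legacy algorithms by current guidance, so this setting on its own does not establish a modern cipher posture; review ssl-min-proto-version, the admin-https-ssl-* settings and the SSH algorithm settings as well.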
- switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
- switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf numberLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose numberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen numberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option string - Enable SACK, timestamp and MSS TCP options.
- tcp
Rst numberTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait numberTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp string
- Enable/disable TFTP.
- timezone string
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through.
- traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
- traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization.
- two
Factor numberEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two
Factor numberFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two
Factor numberFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two
Factor numberFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two
Factor numberSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle numberTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter stringAffinity - URL filter CPU affinity.
- url
Filter numberCount - URL filter daemon count.
- user
Device numberStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device numberStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device numberStore Max Users - Maximum number of users allowed in user device store.
- user
Server stringCert - Certificate to use for https user authentication.
- vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs).
- vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs).
- vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
- virtual
Server numberCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration.
- virtual
Switch stringVlan - Enable/disable virtual switch VLAN.
- vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection.
- wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc numberCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc numberDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory numberChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart stringMode - WAD worker restart mode (default = none).
- wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity.
- wad
Worker numberCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- wifi
Certificate string - Certificate to use for WiFi authentication.
- wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices.
- wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
- wireless
Controller numberPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- vdomparam string
- admin_
concurrent str - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
- admin_
console_ inttimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin_
forticloud_ strsso_ default_ profile - Override access profile.
- admin_
forticloud_ strsso_ login - Enable/disable FortiCloud admin login via SSO.
- admin_
host str - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin_
hsts_ intmax_ age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- admin_
https_ strpki_ required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
- admin_
https_ strredirect - Enable/disable redirection of HTTP administration access to HTTPS.
- admin_
https_ strssl_ banned_ ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.
- admin_
https_ strssl_ ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.
- admin_
https_ strssl_ versions - Allowed TLS versions for web administration.
- admin_
lockout_ intduration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin_
lockout_ intthreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin_
login_ intmax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin_
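maintainer str - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Since that password can be derived from the serial number, leave this disabled unless console access to the unit is physically controlled.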
- admin_
port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin_
restrict_ strlocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
- admin_
scp str - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
- admin_
server_ strcert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin_
sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin_
ssh_ intgrace_ time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin_
ssh_ strpassword - Enable/disable password authentication for SSH admin access.
- admin_
ssh_ intport - Administrative access port for SSH. (1 - 65535, default = 22).
- admin_
ssh_ strv1 - Enable/disable SSH v1 compatibility.
- admin_
telnet str - Enable/disable TELNET service.
- admin_
telnet_ intport - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias str
- Alias for your FortiGate unit.
- allow_
traffic_ strredirect - Disable to allow traffic to be routed back on a different interface.
- anti_
replay str - Level of checking for packet replay and TCP sequence checking.
- arp_
max_ intentry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute str
- Enable/disable asymmetric route.
- auth_
cert str - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth_
http_ intport - User authentication HTTP port. (1 - 65535, default = 80).
- auth_
https_ intport - User authentication HTTPS port. (1 - 65535, default = 443).
- auth_
ike_ intsaml_ port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth_
keepalive str - Enable to prevent user authentication sessions from timing out when idle.
- auth_
session_ strlimit - Action to take when the number of allowed user authenticated sessions is reached.
- auto_
auth_ strextension_ device - Enable/disable automatic authorization of dedicated Fortinet extension devices.
- autorun_
log_ strfsck - Enable/disable automatic log partition check after ungraceful shutdown.
- av_
affinity str - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av_
failopen str - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
- av_
failopen_ strsession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
- batch_
cmdb str - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
- bfd_
affinity str - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block_
session_ inttimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br_
fdb_ intmax_ entry - Maximum number of bridge forwarding database (FDB) entries.
- cert_
chain_ intmax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg_
revert_ inttimeout - Time-out for reverting to the last saved configuration.
- cfg_
save str - Configuration file save mode for CLI changes.
- check_
protocol_ strheader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
- check_
reset_ strrange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
- cli_
audit_ strlog - Enable/disable CLI audit log.
- cloud_
communication str - Enable/disable all cloud communication.
- clt_
cert_ strreq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
- cmdbsvr_
affinity str - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance_
check str - Enable/disable global PCI DSS compliance check.
- compliance_
check_ strtime - Time of day to run scheduled PCI DSS compliance checks.
- cpu_
use_ intthreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr_
ca_ strattribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
- daily_
restart str - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
- default_
service_ strsource_ port - Default service source port range. (default=1-65535)
- device_
identification_ intactive_ scan_ delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device_
idle_ inttimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh_
params str - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
- dhcp_
lease_ intbackup_ interval - DHCP leases backup interval in seconds (10 - 3600, default = 60).
- dnsproxy_
worker_ intcount - DNS proxy worker count.
- dst str
- Enable/disable daylight saving time.
- early_
tcp_ strnpu_ session - Enable/disable early TCP NPU session.
- edit_
vdom_ strprompt - Enable/disable edit new VDOM prompt.
- endpoint_
control_ strfds_ access - Enable/disable access to the FortiGuard network for non-compliant endpoints.
- endpoint_
control_ intportal_ port - Endpoint control portal port (1 - 65535).
- extender_
controller_ strreserved_ network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime int
- Fail-time for server lost.
- faz_
disk_ intbuffer_ size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds_
statistics str - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
- fds_
statistics_ intperiod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec_
port int - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd_
alert_ strsubscription - Type of alert to retrieve from FortiGuard.
- forticonverter_
config_ strupload - Enable/disable config upload to FortiConverter.
- forticonverter_
integration str - Enable/disable FortiConverter integration service.
- fortiextender str
- Enable/disable FortiExtender.
- fortiextender_
data_ intport - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender_
discovery_ strlockdown - Enable/disable FortiExtender CAPWAP lockdown.
- str
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization.
- fortiextender_
vlan_ strmode - Enable/disable FortiExtender VLAN mode.
- fortigslb_
integration str - Enable/disable integration with the FortiGSLB cloud service.
- fortiipam_
integration str - Enable/disable integration with the FortiIPAM cloud service.
- fortiservice_
port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken_
cloud str - Enable/disable FortiToken Cloud service.
- fortitoken_
cloud_ strpush_ status - Enable/disable FTM push service of FortiToken Cloud.
- fortitoken_
cloud_ intsync_ interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- gui_
allow_ strdefault_ hostname - Enable/disable the GUI warning about using a default hostname
- gui_
allow_ strincompatible_ fabric_ fgt - Enable/disable allowing a FortiGate (FGT) with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors.
- gui_
app_ strdetection_ sdwan - Enable/disable app-detection based SD-WAN.
- gui_
auto_ strupgrade_ setup_ warning - Enable/disable the automatic patch upgrade setup prompt on the GUI.
- gui_
cdn_ strdomain_ override - Domain of CDN server.
- gui_
cdn_ strusage - Enable/disable loading GUI static files from a CDN.
- gui_
certificates str - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
- gui_
custom_ strlanguage - Enable/disable custom languages in GUI.
- gui_
date_ strformat - Default date format used throughout GUI.
- gui_
date_ strtime_ source - Source that the FortiGate GUI uses to display date and time entries.
- gui_
device_ strlatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui_
device_ strlongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui_
display_ strhostname - Enable/disable displaying the FortiGate's hostname on the GUI login page.
- gui_
firmware_ strupgrade_ setup_ warning - Enable/disable the firmware upgrade warning on GUI setup wizard.
- gui_
firmware_ strupgrade_ warning - Enable/disable the firmware upgrade warning on the GUI.
- gui_
forticare_ strregistration_ setup_ warning - Enable/disable the FortiCare registration setup warning on the GUI.
- gui_
fortigate_ strcloud_ sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI.
- gui_
fortiguard_ strresource_ fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments.
- gui_
fortisandbox_ strcloud - Enable/disable displaying FortiSandbox Cloud on the GUI.
- gui_
ipv6 str - Enable/disable IPv6 settings on the GUI.
- gui_
lines_ intper_ page - Number of lines to display per page for web administration.
- gui_
local_ strout - Enable/disable Local-out traffic on the GUI.
- gui_
replacement_ strmessage_ groups - Enable/disable replacement message groups on the GUI.
- gui_
rest_ strapi_ cache - Enable/disable REST API result caching on FortiGate.
- gui_
theme str - Color scheme for the administration GUI.
- gui_
wireless_ stropensecurity - Enable/disable wireless open security option on the GUI.
- gui_
workflow_ strmanagement - Enable/disable Workflow management features on the GUI.
- ha_
affinity str - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor_
df str - Enable/disable honoring of Don't-Fragment (DF) flag.
- hostname str
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- id str
- The provider-assigned unique ID for this managed resource.
- igmp_
state_ intlimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike_
embryonic_ intlimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface_
subnet_ strusage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable).
- internet_
service_ strdatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet_
service_ Sequence[Getdownload_ lists Global Internet Service Download List] - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval int
- Dead gateway detection interval.
- ip_
fragment_ intmem_ thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip_
src_ strport_ range - IP source port range used for traffic originating from the FortiGate unit.
- ips_
affinity str - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec_
asic_ stroffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
- ipsec_
ha_ intseqjump_ rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec_
hmac_ stroffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
- ipsec_
qat_ stroffload - Enable/disable QAT offloading (Intel QuickAssist) for IPsec VPN traffic. QuickAssist can accelerate IPsec encryption and decryption.
- ipsec_
round_ strrobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic.
- ipsec_
soft_ strdec_ async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
- ipv6_
accept_ intdad - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6_
allow_ stranycast_ probe - Enable/disable IPv6 address probe through Anycast.
- ipv6_
allow_ strlocal_ in_ silent_ drop - Enable/disable silent drop of IPv6 local-in traffic.
- ipv6_
allow_ strlocal_ in_ slient_ drop - Enable/disable silent drop of IPv6 local-in traffic.
- ipv6_
allow_ strmulticast_ probe - Enable/disable IPv6 address probe through Multicast.
- ipv6_
allow_ strtraffic_ redirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.
- irq_
time_ straccounting - Configure CPU IRQ time accounting mode.
- language str
- GUI display language.
- ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp_
reception str - Enable/disable Link Layer Discovery Protocol (LLDP) reception.
- lldp_
transmission str - Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
- log_
single_ strcpu_ high - Enable/disable logging the event of a single CPU core reaching CPU usage threshold.
- log_
ssl_ strconnection - Enable/disable logging of SSL connection events.
- log_
uuid_ straddress - Enable/disable insertion of address UUIDs to traffic logs.
- log_
uuid_ strpolicy - Enable/disable insertion of policy UUIDs to traffic logs.
- login_
timestamp str - Enable/disable login time recording.
- long_
vdom_ strname - Enable/disable long VDOM name support.
- management_
ip str - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management_
port int - Overriding port for management connection (Overrides admin port).
- management_
port_ struse_ admin_ sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.
- management_
vdom str - Management virtual domain name.
- max_
dlpstat_ intmemory - Maximum DLP stat memory (0 - 4294967295).
- max_
route_ intcache_ size - Maximum number of IP route cache entries (0 - 2147483647).
- mc_
ttl_ strnotchange - Enable/disable no modification of multicast TTL.
- memory_
use_ intthreshold_ extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory_
use_ intthreshold_ green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory_
use_ intthreshold_ red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog_
affinity str - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd_
children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi_
factor_ strauthentication - Enforce all login methods to require an additional authentication factor (default = optional).
- multicast_
forward str - Enable/disable multicast forwarding.
- ndp_
max_ intentry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- npu_
neighbor_ strupdate - Enable/disable sending of probing packets to update neighbors for offloaded sessions.
- per_
user_ strbal - Enable/disable per-user block/allow list filter.
- per_
user_ strbwl - Enable/disable per-user black/white list filter.
- pmtu_
discovery str - Enable/disable path MTU discovery.
- policy_
auth_ intconcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- str
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
- str
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
- private_
data_ strencryption - Enable/disable private data encryption using an AES 128-bit key.
- proxy_
auth_ strlifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
- proxy_
auth_ intlifetime_ timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy_
auth_ inttimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy_
cert_ struse_ mgmt_ vdom - Enable/disable using management VDOM to send requests.
- proxy_
cipher_ strhardware_ acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic.
- proxy_
hardware_ stracceleration - Enable/disable email proxy hardware acceleration.
- proxy_
keep_ stralive_ mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated.
- proxy_
kxp_ strhardware_ acceleration - Enable/disable using the content processor to accelerate KXP traffic.
- proxy_
re_ strauthentication_ mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
- proxy_
re_ intauthentication_ time - The time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default = 30 sec).
- proxy_
resource_ strmode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.
- proxy_
worker_ intcount - Proxy worker count.
- purdue_
level str - Purdue Level of this FortiGate.
- quic_
ack_ intthresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic_
congestion_ strcontrol_ algo - QUIC congestion control algorithm (default = cubic).
- quic_
max_ intdatagram_ size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic_
pmtud str - Enable/disable path MTU discovery (default = enable).
- quic_
tls_ inthandshake_ timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic_
udp_ strpayload_ size_ shaping_ per_ cid - Enable/disable UDP payload size shaping per connection ID (default = enable).
- radius_
port int - RADIUS service port number.
- reboot_
upon_ strconfig_ restore - Enable/disable reboot of system upon restoring configuration.
- refresh int
- Statistics refresh interval in GUI.
- remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset_
sessionless_ strtcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
- restart_
time str - Daily restart time (hh:mm).
- revision_
backup_ stron_ logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
- revision_
image_ strauto_ backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
- scanunit_
count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security_
rating_ strresult_ submission - Enable/disable the submission of Security Rating results to FortiGuard.
- security_
rating_ strrun_ on_ schedule - Enable/disable scheduled runs of Security Rating.
- send_
pmtu_ stricmp - Enable/disable sending of path maximum transmission unit (PMTU) ICMP destination unreachable packets, to support the PMTUD protocol on your network and reduce fragmentation of packets.
- sflowd_
max_ intchildren_ num - Maximum number of sflowd child processes allowed to run.
- snat_
route_ strchange - Enable/disable the ability to change the static NAT route.
- special_
file23_ strsupport - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
- speedtest_
server str - Enable/disable speed test server.
- speedtestd_
ctrl_ intport - Speedtest server controller port number.
- speedtestd_
server_ intport - Speedtest server port number.
- split_
port str - Split port(s) to multiple 10Gbps ports.
- ssd_
trim_ intdate - Date within a month to run ssd trim.
- ssd_
trim_ strfreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
- ssd_
trim_ inthour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd_
trim_ intmin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd_
trim_ strweekday - Day of week to run SSD Trim.
- ssh_
cbc_ strcipher - Enable/disable CBC cipher for SSH access.
- ssh_
enc_ stralgo - Select one or more SSH ciphers.
- ssh_
hmac_ strmd5 - Enable/disable HMAC-MD5 for SSH access.
- ssh_
hostkey str - Config SSH host key.
- ssh_
hostkey_ stralgo - Select one or more SSH hostkey algorithms.
- ssh_
hostkey_ stroverride - Enable/disable SSH host key override in SSH daemon.
- ssh_
hostkey_ strpassword - Password for ssh-hostkey.
- ssh_
kex_ stralgo - Select one or more SSH kex algorithms.
- ssh_
kex_ strsha1 - Enable/disable SHA1 key exchange for SSH access.
- ssh_
mac_ stralgo - Select one or more SSH MAC algorithms.
- ssh_
mac_ strweak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
- ssl_
min_ strproto_ version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl_
static_ strkey_ ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
- sslvpn_
cipher_ strhardware_ acceleration - Enable/disable SSL VPN hardware acceleration.
- sslvpn_
ems_ strsn_ check - Enable/disable verification of EMS serial number in SSL-VPN connection.
- sslvpn_
kxp_ strhardware_ acceleration - Enable/disable SSL VPN KXP hardware acceleration.
- sslvpn_
max_ intworker_ count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn_
plugin_ strversion_ check - Enable/disable checking browser's plugin version by SSL VPN.
- sslvpn_
web_ strmode - Enable/disable SSL-VPN web mode.
- strict_
dirty_ strsession_ check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
- strong_
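crypto str - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. 3DES and SHA1 are now regarded as legacy algorithms, so this flag alone does not restrict the unit to modern cryptography; also review ssl_min_proto_version, ssh_enc_algo, ssh_mac_algo and admin_https_ssl_banned_ciphers.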
- switch_
controller str - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
- switch_
controller_ strreserved_ network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys_
perf_ intlog_ interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog_
affinity str - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp_
halfclose_ inttimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp_
halfopen_ inttimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp_
option str - Enable SACK, timestamp and MSS TCP options.
- tcp_
rst_ inttimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp_
timewait_ inttimer - Length of the TCP TIME-WAIT state in seconds.
- tftp str
- Enable/disable TFTP.
- timezone str
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp_
mc_ strskip_ policy - Enable/disable skip policy check and allow multicast through.
- traffic_
priority str - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
- traffic_
priority_ strlevel - Default system-wide level of priority for traffic prioritization.
- two_
factor_ intemail_ expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two_
factor_ intfac_ expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two_
factor_ intftk_ expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two_
factor_ intftm_ expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two_
factor_ intsms_ expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp_
idle_ inttimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url_
filter_ straffinity - URL filter CPU affinity.
- url_
filter_ intcount - URL filter daemon count.
- user_
device_ intstore_ max_ devices - Maximum number of devices allowed in user device store.
- user_
device_ intstore_ max_ unified_ mem - Maximum unified memory allowed in user device store.
- user_
device_ intstore_ max_ users - Maximum number of users allowed in user device store.
- user_
server_ strcert - Certificate to use for https user authentication.
- vdom_
admin str - Enable/disable support for multiple virtual domains (VDOMs).
- vdom_
mode str - Enable/disable support for split/multiple virtual domains (VDOMs).
- vip_
arp_ strrange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
- virtual_
server_ intcount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual_
server_ strhardware_ acceleration - Enable/disable virtual server hardware acceleration.
- virtual_
switch_ strvlan - Enable/disable virtual switch VLAN.
- vpn_
ems_ strsn_ check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection.
- wad_
affinity str - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad_
csvc_ intcs_ count - Number of concurrent WAD-cache-service object-cache processes.
- wad_
csvc_ intdb_ count - Number of concurrent WAD-cache-service byte-cache processes.
- wad_
memory_ intchange_ granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad_
restart_ strend_ time - WAD workers daily restart end time (hh:mm).
- wad_
restart_ strmode - WAD worker restart mode (default = none).
- wad_
restart_ strstart_ time - WAD workers daily restart time (hh:mm).
- wad_
source_ straffinity - Enable/disable dispatching traffic to WAD workers based on source affinity.
- wad_
worker_ intcount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi_
ca_ strcertificate - CA certificate that verifies the WiFi certificate.
- wifi_
certificate str - Certificate to use for WiFi authentication.
- wimax4g_
usb str - Enable/disable compatibility with WiMAX 4G USB devices.
- wireless_
controller str - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
- wireless_
controller_ intport - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- vdomparam str
- admin
Concurrent String - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.)
- admin
Console NumberTimeout - Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin
Forticloud StringSso Default Profile - Override access profile.
- admin
Forticloud StringSso Login - Enable/disable FortiCloud admin login via SSO.
- admin
Host String - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts NumberMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- admin
Https StringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password.
- admin
Https StringRedirect - Enable/disable redirection of HTTP administration access to HTTPS.
- admin
Https StringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.
- admin
Https StringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.
- admin
Https StringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout NumberDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout NumberThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login NumberMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
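Maintainer String - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password can be derived from the serial number, the account is only as protected as physical access to the console; consider disabling it where console access is not physically controlled.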
- admin
Port Number - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict StringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable)
- admin
Scp String - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration.
- admin
Server StringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport Number - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh NumberGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh StringPassword - Enable/disable password authentication for SSH admin access.
- admin
Ssh NumberPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
Ssh StringV1 - Enable/disable SSH v1 compatibility. SSH v1 is an obsolete protocol version with known cryptographic weaknesses.
- admin
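Telnet String - Enable/disable TELNET service. TELNET carries credentials and session data unencrypted; SSH is the encrypted alternative for CLI administration.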
- admin
Telnet NumberPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout Number
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias String
- Alias for your FortiGate unit.
- allow
Traffic StringRedirect - Disable to allow traffic to be routed back on a different interface.
- anti
Replay String - Level of checking for packet replay and TCP sequence checking.
- arp
Max NumberEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute String
- Enable/disable asymmetric route.
- auth
Cert String - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http NumberPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https NumberPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike NumberSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive String - Enable to prevent user authentication sessions from timing out when idle.
- auth
Session StringLimit - Action to take when the number of allowed user authenticated sessions is reached.
- auto
Auth StringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices.
- autorun
Log StringFsck - Enable/disable automatic log partition check after ungraceful shutdown.
- av
Affinity String - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen String - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached.
- av
Failopen StringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen.
- batch
Cmdb String - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded.
- bfd
Affinity String - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session NumberTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb NumberMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain NumberMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert NumberTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save String - Configuration file save mode for CLI changes.
- check
Protocol StringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases.
- check
Reset StringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it.
- cli
Audit StringLog - Enable/disable CLI audit log.
- cloud
Communication String - Enable/disable all cloud communication.
- clt
Cert StringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS.
- cmdbsvr
Affinity String - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check String - Enable/disable global PCI DSS compliance check.
- compliance
Check StringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use NumberThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr
Ca StringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute.
- daily
Restart String - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart.
- default
Service StringSource Port - Default service source port range. (default=1-65535)
- device
Identification NumberActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle NumberTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params String - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
- dhcp
Lease NumberBackup Interval - DHCP leases backup interval in seconds (10 - 3600, default = 60).
- dnsproxy
Worker NumberCount - DNS proxy worker count.
- dst String
- Enable/disable daylight saving time.
- early
Tcp StringNpu Session - Enable/disable early TCP NPU session.
- edit
Vdom StringPrompt - Enable/disable edit new VDOM prompt.
- endpoint
Control StringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints.
- endpoint
Control NumberPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller StringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime Number
- Fail-time for server lost.
- faz
Disk NumberBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics String - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy.
- fds
Statistics NumberPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port Number - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert StringSubscription - Type of alert to retrieve from FortiGuard.
- forticonverter
Config StringUpload - Enable/disable config upload to FortiConverter.
- forticonverter
Integration String - Enable/disable FortiConverter integration service.
- fortiextender String
- Enable/disable FortiExtender.
- fortiextender
Data NumberPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery StringLockdown - Enable/disable FortiExtender CAPWAP lockdown.
- String
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization.
- fortiextender
Vlan StringMode - Enable/disable FortiExtender VLAN mode.
- fortigslb
Integration String - Enable/disable integration with the FortiGSLB cloud service.
- fortiipam
Integration String - Enable/disable integration with the FortiIPAM cloud service.
- fortiservice
Port Number - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud String - Enable/disable FortiToken Cloud service.
- fortitoken
Cloud StringPush Status - Enable/disable FTM push service of FortiToken Cloud.
- fortitoken
Cloud NumberSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- gui
Allow StringDefault Hostname - Enable/disable the GUI warning about using a default hostname
- gui
Allow StringIncompatible Fabric Fgt - Enable/disable treating FortiGates with incompatible firmware as compatible in the Security Fabric on the GUI. May cause unexpected errors.
- gui
App StringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN.
- gui
Auto StringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI.
- gui
Cdn StringDomain Override - Domain of CDN server.
- gui
Cdn StringUsage - Enable/disable loading GUI static files from a CDN.
- gui
Certificates String - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI.
- gui
Custom StringLanguage - Enable/disable custom languages in GUI.
- gui
Date StringFormat - Default date format used throughout GUI.
- gui
Date StringTime Source - Source that the FortiGate GUI uses to display date and time entries.
- gui
Device StringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device StringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display StringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page.
- gui
Firmware StringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard.
- gui
Firmware StringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI.
- gui
Forticare StringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI.
- gui
Fortigate StringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI.
- gui
Fortiguard StringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments.
- gui
Fortisandbox StringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI.
- gui
Ipv6 String - Enable/disable IPv6 settings on the GUI.
- gui
Lines NumberPer Page - Number of lines to display per page for web administration.
- gui
Local StringOut - Enable/disable Local-out traffic on the GUI.
- gui
Replacement StringMessage Groups - Enable/disable replacement message groups on the GUI.
- gui
Rest StringApi Cache - Enable/disable REST API result caching on FortiGate.
- gui
Theme String - Color scheme for the administration GUI.
- gui
Wireless StringOpensecurity - Enable/disable wireless open security option on the GUI.
- gui
Workflow StringManagement - Enable/disable Workflow management features on the GUI.
- ha
Affinity String - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df String - Enable/disable honoring of Don't-Fragment (DF) flag.
- hostname String
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- id String
- The provider-assigned unique ID for this managed resource.
- igmp
State NumberLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic NumberLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet StringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable).
- internet
Service StringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service List<Property Map>Download Lists - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below.
- interval Number
- Dead gateway detection interval.
- ip
Fragment NumberMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src StringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity String - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic StringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption.
- ipsec
Ha NumberSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac StringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN.
- ipsec
Qat StringOffload - Enable/disable QAT offloading (Intel QuickAssist) for IPsec VPN traffic. QuickAssist can accelerate IPsec encryption and decryption.
- ipsec
Round StringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic.
- ipsec
Soft StringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic.
- ipv6Accept
Dad Number - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast StringProbe - Enable/disable IPv6 address probe through Anycast.
- ipv6Allow
Local StringIn Silent Drop - Enable/disable silent drop of IPv6 local-in traffic.
- ipv6Allow
Local StringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic.
- ipv6Allow
Multicast StringProbe - Enable/disable IPv6 address probe through Multicast.
- ipv6Allow
Traffic StringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check.
- irq
Time StringAccounting - Configure CPU IRQ time accounting mode.
- language String
- GUI display language.
- ldapconntimeout Number
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception String - Enable/disable Link Layer Discovery Protocol (LLDP) reception.
- lldp
Transmission String - Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
- log
Single StringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold.
- log
Ssl StringConnection - Enable/disable logging of SSL connection events.
- log
Uuid StringAddress - Enable/disable insertion of address UUIDs to traffic logs.
- log
Uuid StringPolicy - Enable/disable insertion of policy UUIDs to traffic logs.
- login
Timestamp String - Enable/disable login time recording.
- long
Vdom StringName - Enable/disable long VDOM name support.
- management
Ip String - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port Number - Overriding port for management connection (Overrides admin port).
- management
Port StringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port.
- management
Vdom String - Management virtual domain name.
- max
Dlpstat NumberMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route NumberCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl StringNotchange - Enable/disable no modification of multicast TTL.
- memory
Use NumberThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use NumberThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use NumberThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity String - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children Number - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor StringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional).
- multicast
Forward String - Enable/disable multicast forwarding.
- ndp
Max NumberEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- npu
Neighbor StringUpdate - Enable/disable sending of probing packets to update neighbors for offloaded sessions.
- per
User StringBal - Enable/disable per-user block/allow list filter.
- per
User StringBwl - Enable/disable per-user black/white list filter.
- pmtu
Discovery String - Enable/disable path MTU discovery.
- policy
Auth NumberConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- String
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in.
- String
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in.
- private
Data StringEncryption - Enable/disable private data encryption using an AES 128-bit key.
- proxy
Auth StringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place.
- proxy
Auth NumberLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth NumberTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert StringUse Mgmt Vdom - Enable/disable using management VDOM to send requests.
- proxy
Cipher StringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic.
- proxy
Hardware StringAcceleration - Enable/disable email proxy hardware acceleration.
- proxy
Keep StringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated.
- proxy
Kxp StringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic.
- proxy
Re StringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created.
- proxy
Re NumberAuthentication Time - The time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- proxy
Resource StringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources.
- proxy
Worker NumberCount - Proxy worker count.
- purdue
Level String - Purdue Level of this FortiGate.
- quic
Ack NumberThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion StringControl Algo - QUIC congestion control algorithm (default = cubic).
- quic
Max NumberDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud String - Enable/disable path MTU discovery (default = enable).
- quic
Tls NumberHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp StringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable).
- radius
Port Number - RADIUS service port number.
- reboot
Upon StringConfig Restore - Enable/disable reboot of system upon restoring configuration.
- refresh Number
- Statistics refresh interval in GUI.
- remoteauthtimeout Number
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless StringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only.
- restart
Time String - Daily restart time (hh:mm).
- revision
Backup StringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI.
- revision
Image StringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded.
- scanunit
Count Number - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating StringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard.
- security
Rating StringRun On Schedule - Enable/disable scheduled runs of Security Rating.
- send
Pmtu StringIcmp - Enable/disable sending path maximum transmission unit (PMTU) ICMP destination-unreachable packets, which supports the PMTUD protocol on your network and reduces fragmentation of packets.
- sflowd
Max NumberChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route StringChange - Enable/disable the ability to change the static NAT route.
- special
File23Support String - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
- speedtest
Server String - Enable/disable speed test server.
- speedtestd
Ctrl NumberPort - Speedtest server controller port number.
- speedtestd
Server NumberPort - Speedtest server port number.
- split
Port String - Split port(s) to multiple 10Gbps ports.
- ssd
Trim NumberDate - Date within a month to run ssd trim.
- ssd
Trim StringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors.
- ssd
Trim NumberHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim NumberMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim StringWeekday - Day of week to run SSD Trim.
- ssh
Cbc StringCipher - Enable/disable CBC cipher for SSH access.
- ssh
Enc StringAlgo - Select one or more SSH ciphers.
- ssh
Hmac StringMd5 - Enable/disable HMAC-MD5 for SSH access.
- ssh
Hostkey String - Config SSH host key.
- ssh
Hostkey StringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey StringOverride - Enable/disable SSH host key override in SSH daemon.
- ssh
Hostkey StringPassword - Password for ssh-hostkey.
- ssh
Kex StringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex StringSha1 - Enable/disable SHA1 key exchange for SSH access.
- ssh
Mac StringAlgo - Select one or more SSH MAC algorithms.
- ssh
Mac StringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access.
- ssl
Min StringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static StringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256).
- sslvpn
Cipher StringHardware Acceleration - Enable/disable SSL VPN hardware acceleration.
- sslvpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection.
- sslvpn
Kxp StringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration.
- sslvpn
Max NumberWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin StringVersion Check - Enable/disable checking browser's plugin version by SSL VPN.
- sslvpn
Web StringMode - Enable/disable SSL-VPN web mode.
- strict
Dirty StringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session.
- strong
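Crypto String - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. 3DES and SHA1 are treated as legacy algorithms by current guidance, so also review the minimum SSL/TLS protocol version and the SSH cipher, key-exchange and MAC algorithm settings on this page.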
- switch
Controller String - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself.
- switch
Controller StringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf NumberLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity String - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose NumberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen NumberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option String - Enable SACK, timestamp and MSS TCP options.
- tcp
Rst NumberTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait NumberTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp String
- Enable/disable TFTP.
- timezone String
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc StringSkip Policy - Enable/disable skip policy check and allow multicast through.
- traffic
Priority String - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping.
- traffic
Priority StringLevel - Default system-wide level of priority for traffic prioritization.
- twoFactorEmailExpiry Number
- Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- twoFactorFacExpiry Number
- FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- twoFactorFtkExpiry Number
- FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- twoFactorFtmExpiry Number
- FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- twoFactorSmsExpiry Number
- SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle NumberTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter StringAffinity - URL filter CPU affinity.
- url
Filter NumberCount - URL filter daemon count.
- user
Device NumberStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device NumberStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device NumberStore Max Users - Maximum number of users allowed in user device store.
- userServerCert String
- Certificate to use for HTTPS user authentication.
- vdom
Admin String - Enable/disable support for multiple virtual domains (VDOMs).
- vdom
Mode String - Enable/disable support for split/multiple virtual domains (VDOMs).
- vip
Arp StringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range.
- virtual
Server NumberCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server StringHardware Acceleration - Enable/disable virtual server hardware acceleration.
- virtual
Switch StringVlan - Enable/disable virtual switch VLAN.
- vpnEmsSnCheck String
- Enable/disable verification of the EMS serial number in SSL-VPN and IPsec VPN connections.
- wad
Affinity String - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc NumberCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc NumberDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory NumberChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart StringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart StringMode - WAD worker restart mode (default = none).
- wad
Restart StringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source StringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity.
- wad
Worker NumberCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifiCaCertificate String
- CA certificate that verifies the WiFi certificate.
- wifiCertificate String
- Certificate to use for WiFi authentication.
- wimax4gUsb String
- Enable/disable compatibility with WiMAX 4G USB devices.
- wireless
Controller String - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs.
- wireless
Controller NumberPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- vdomparam String
Supporting Types
GetGlobalInternetServiceDownloadList
- Id int
- Internet Service ID.
- Id int
- Internet Service ID.
- id Integer
- Internet Service ID.
- id number
- Internet Service ID.
- id int
- Internet Service ID.
- id Number
- Internet Service ID.
Package Details
- Repository
- fortios pulumiverse/pulumi-fortios
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the fortios Terraform Provider.