fortios.system.Global
Configure global attributes.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fortios from "@pulumiverse/fortios";
// Settings passed to the FortiGate global system configuration resource.
const trnameArgs = {
    hostname: "ste11",
    alias: "FGVM02TM20003062",
    timezone: "04", // given as a string code, not a number
    adminSport: 443, // port of the HTTPS administrative interface
};

// Declares the resource under the Pulumi logical name "trname".
const trname = new fortios.system.Global("trname", trnameArgs);
import pulumi
import pulumiverse_fortios as fortios
# Declare the FortiGate global settings resource under the logical name "trname".
# The settings travel in a GlobalArgs object rather than as keyword arguments.
trname = fortios.system.Global(
    "trname",
    args=fortios.system.GlobalArgs(
        hostname="ste11",
        alias="FGVM02TM20003062",
        timezone="04",  # given as a string code, not a number
        admin_sport=443,  # port of the HTTPS administrative interface
    ),
)
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/system"
)
// main starts the Pulumi program, which declares one system.Global resource
// named "trname" and reports any error returned while declaring it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Only these four settings are supplied.
		settings := &system.GlobalArgs{
			AdminSport: pulumi.Int(443), // port of the HTTPS administrative interface
			Alias:      pulumi.String("FGVM02TM20003062"),
			Hostname:   pulumi.String("ste11"),
			Timezone:   pulumi.String("04"),
		}

		// The resource handle is not used afterwards; only the error matters.
		_, err := system.NewGlobal(ctx, "trname", settings)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortios = Pulumiverse.Fortios;
// Pulumi entry point: declares one Fortios.System.Global resource named "trname".
return await Deployment.RunAsync(() =>
{
    // Only these four settings are supplied.
    var settings = new Fortios.System.GlobalArgs
    {
        Hostname = "ste11",
        Alias = "FGVM02TM20003062",
        Timezone = "04", // given as a string code, not a number
        AdminSport = 443, // port of the HTTPS administrative interface
    };

    var trname = new Fortios.System.Global("trname", settings);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortios.system.Global;
import com.pulumi.fortios.system.GlobalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares one FortiOS Global resource named "trname". */
public class App {
    /**
     * Hands the stack definition to the Pulumi runtime.
     *
     * @param args command-line arguments; not read
     */
    public static void main(String[] args) {
        Pulumi.run(ctx -> stack(ctx));
    }

    /**
     * Declares the resource with four settings.
     *
     * @param ctx deployment context supplied by Pulumi; not read here
     */
    public static void stack(Context ctx) {
        final GlobalArgs settings = GlobalArgs.builder()
            .hostname("ste11")
            .alias("FGVM02TM20003062")
            .timezone("04")   // given as a string code, not a number
            .adminSport(443)  // port of the HTTPS administrative interface
            .build();

        new Global("trname", settings);
    }
}
# Declares one fortios:system:Global resource under the logical name "trname".
resources:
  trname:
    type: fortios:system:Global
    properties:
      hostname: ste11
      alias: FGVM02TM20003062
      timezone: '04'   # quoted so YAML keeps it a string, leading zero included
      adminSport: 443  # port of the HTTPS administrative interface
Create Global Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
// Constructor signature: `name` is the unique resource name, `args` (optional) holds the
// resource properties, `opts` (optional) is the bag of options controlling the resource's behavior.
new Global(name: string, args?: GlobalArgs, opts?: CustomResourceOptions);
# Overload that takes the resource properties as one optional GlobalArgs object.
# resource_name: unique name of the resource.
# opts: bag of options controlling the resource's behavior.
@overload
def Global(resource_name: str,
args: Optional[GlobalArgs] = None,
opts: Optional[ResourceOptions] = None)
# Overload that takes every input property as an optional keyword argument
# (each defaults to None) instead of a GlobalArgs object.
# NOTE(review): several arguments below look security-relevant (admin access
# services, SSH/TLS algorithm switches, lockout and timeout values, key
# material). The notes on them are inferred from the argument names alone;
# confirm each one against the property reference before relying on it.
@overload
def Global(resource_name: str,
opts: Optional[ResourceOptions] = None,
admin_concurrent: Optional[str] = None,
admin_console_timeout: Optional[int] = None,
admin_forticloud_sso_default_profile: Optional[str] = None,
admin_forticloud_sso_login: Optional[str] = None,
admin_host: Optional[str] = None,
# NOTE(review): the admin_hsts_* / admin_https_* arguments appear to govern the HTTPS admin
# interface (HSTS lifetime, client-certificate requirement, HTTP-to-HTTPS redirect, cipher and
# TLS-version selection) — confirm accepted values.
admin_hsts_max_age: Optional[int] = None,
admin_https_pki_required: Optional[str] = None,
admin_https_redirect: Optional[str] = None,
admin_https_ssl_banned_ciphers: Optional[str] = None,
admin_https_ssl_ciphersuites: Optional[str] = None,
admin_https_ssl_versions: Optional[str] = None,
# NOTE(review): presumably the failed-login lockout: how long an account stays locked (duration)
# and how many failures trigger it (threshold) — confirm units.
admin_lockout_duration: Optional[int] = None,
admin_lockout_threshold: Optional[int] = None,
admin_login_max: Optional[int] = None,
admin_maintainer: Optional[str] = None,
# NOTE(review): presumably the plain-HTTP admin port, as opposed to admin_sport (HTTPS) — confirm.
admin_port: Optional[int] = None,
admin_restrict_local: Optional[str] = None,
admin_scp: Optional[str] = None,
admin_server_cert: Optional[str] = None,
admin_sport: Optional[int] = None,
admin_ssh_grace_time: Optional[int] = None,
# NOTE(review): presumably a switch for SSH password authentication rather than a password
# value — confirm.
admin_ssh_password: Optional[str] = None,
admin_ssh_port: Optional[int] = None,
# NOTE(review): admin_ssh_v1 and admin_telnet presumably enable legacy remote-admin protocols
# (SSHv1, Telnet); check whether a deployment should ever turn them on — confirm semantics.
admin_ssh_v1: Optional[str] = None,
admin_telnet: Optional[str] = None,
admin_telnet_port: Optional[int] = None,
# NOTE(review): presumably the idle timeout for administrator sessions — confirm units.
admintimeout: Optional[int] = None,
alias: Optional[str] = None,
allow_traffic_redirect: Optional[str] = None,
anti_replay: Optional[str] = None,
arp_max_entry: Optional[int] = None,
asymroute: Optional[str] = None,
auth_cert: Optional[str] = None,
auth_http_port: Optional[int] = None,
auth_https_port: Optional[int] = None,
auth_ike_saml_port: Optional[int] = None,
auth_keepalive: Optional[str] = None,
auth_session_limit: Optional[str] = None,
auto_auth_extension_device: Optional[str] = None,
autorun_log_fsck: Optional[str] = None,
av_affinity: Optional[str] = None,
av_failopen: Optional[str] = None,
av_failopen_session: Optional[str] = None,
batch_cmdb: Optional[str] = None,
bfd_affinity: Optional[str] = None,
block_session_timer: Optional[int] = None,
br_fdb_max_entry: Optional[int] = None,
cert_chain_max: Optional[int] = None,
cfg_revert_timeout: Optional[int] = None,
cfg_save: Optional[str] = None,
check_protocol_header: Optional[str] = None,
check_reset_range: Optional[str] = None,
# NOTE(review): presumably turns auditing of CLI commands on or off — confirm.
cli_audit_log: Optional[str] = None,
cloud_communication: Optional[str] = None,
clt_cert_req: Optional[str] = None,
cmdbsvr_affinity: Optional[str] = None,
compliance_check: Optional[str] = None,
compliance_check_time: Optional[str] = None,
cpu_use_threshold: Optional[int] = None,
csr_ca_attribute: Optional[str] = None,
daily_restart: Optional[str] = None,
default_service_source_port: Optional[str] = None,
device_identification_active_scan_delay: Optional[int] = None,
device_idle_timeout: Optional[int] = None,
# NOTE(review): presumably the Diffie-Hellman parameter size — confirm accepted values.
dh_params: Optional[str] = None,
dnsproxy_worker_count: Optional[int] = None,
dst: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
early_tcp_npu_session: Optional[str] = None,
edit_vdom_prompt: Optional[str] = None,
endpoint_control_fds_access: Optional[str] = None,
endpoint_control_portal_port: Optional[int] = None,
extender_controller_reserved_network: Optional[str] = None,
failtime: Optional[int] = None,
faz_disk_buffer_size: Optional[int] = None,
fds_statistics: Optional[str] = None,
fds_statistics_period: Optional[int] = None,
fec_port: Optional[int] = None,
fgd_alert_subscription: Optional[str] = None,
forticonverter_config_upload: Optional[str] = None,
forticonverter_integration: Optional[str] = None,
fortiextender: Optional[str] = None,
fortiextender_data_port: Optional[int] = None,
fortiextender_discovery_lockdown: Optional[str] = None,
fortiextender_provision_on_authorization: Optional[str] = None,
fortiextender_vlan_mode: Optional[str] = None,
fortigslb_integration: Optional[str] = None,
fortiipam_integration: Optional[str] = None,
fortiservice_port: Optional[int] = None,
fortitoken_cloud: Optional[str] = None,
fortitoken_cloud_push_status: Optional[str] = None,
fortitoken_cloud_sync_interval: Optional[int] = None,
get_all_tables: Optional[str] = None,
gui_allow_default_hostname: Optional[str] = None,
gui_allow_incompatible_fabric_fgt: Optional[str] = None,
gui_app_detection_sdwan: Optional[str] = None,
gui_auto_upgrade_setup_warning: Optional[str] = None,
gui_cdn_domain_override: Optional[str] = None,
gui_cdn_usage: Optional[str] = None,
gui_certificates: Optional[str] = None,
gui_custom_language: Optional[str] = None,
gui_date_format: Optional[str] = None,
gui_date_time_source: Optional[str] = None,
gui_device_latitude: Optional[str] = None,
gui_device_longitude: Optional[str] = None,
gui_display_hostname: Optional[str] = None,
gui_firmware_upgrade_setup_warning: Optional[str] = None,
gui_firmware_upgrade_warning: Optional[str] = None,
gui_forticare_registration_setup_warning: Optional[str] = None,
gui_fortigate_cloud_sandbox: Optional[str] = None,
gui_fortiguard_resource_fetch: Optional[str] = None,
gui_fortisandbox_cloud: Optional[str] = None,
gui_ipv6: Optional[str] = None,
gui_lines_per_page: Optional[int] = None,
gui_local_out: Optional[str] = None,
gui_replacement_message_groups: Optional[str] = None,
gui_rest_api_cache: Optional[str] = None,
gui_theme: Optional[str] = None,
gui_wireless_opensecurity: Optional[str] = None,
gui_workflow_management: Optional[str] = None,
ha_affinity: Optional[str] = None,
honor_df: Optional[str] = None,
hostname: Optional[str] = None,
igmp_state_limit: Optional[int] = None,
ike_embryonic_limit: Optional[int] = None,
interface_subnet_usage: Optional[str] = None,
internet_service_database: Optional[str] = None,
internet_service_download_lists: Optional[Sequence[GlobalInternetServiceDownloadListArgs]] = None,
interval: Optional[int] = None,
ip_fragment_mem_thresholds: Optional[int] = None,
ip_src_port_range: Optional[str] = None,
ips_affinity: Optional[str] = None,
ipsec_asic_offload: Optional[str] = None,
ipsec_ha_seqjump_rate: Optional[int] = None,
ipsec_hmac_offload: Optional[str] = None,
ipsec_round_robin: Optional[str] = None,
ipsec_soft_dec_async: Optional[str] = None,
ipv6_accept_dad: Optional[int] = None,
ipv6_allow_anycast_probe: Optional[str] = None,
ipv6_allow_local_in_slient_drop: Optional[str] = None,
ipv6_allow_multicast_probe: Optional[str] = None,
ipv6_allow_traffic_redirect: Optional[str] = None,
irq_time_accounting: Optional[str] = None,
language: Optional[str] = None,
ldapconntimeout: Optional[int] = None,
lldp_reception: Optional[str] = None,
lldp_transmission: Optional[str] = None,
log_single_cpu_high: Optional[str] = None,
log_ssl_connection: Optional[str] = None,
log_uuid_address: Optional[str] = None,
log_uuid_policy: Optional[str] = None,
login_timestamp: Optional[str] = None,
long_vdom_name: Optional[str] = None,
management_ip: Optional[str] = None,
management_port: Optional[int] = None,
management_port_use_admin_sport: Optional[str] = None,
management_vdom: Optional[str] = None,
max_dlpstat_memory: Optional[int] = None,
max_route_cache_size: Optional[int] = None,
mc_ttl_notchange: Optional[str] = None,
memory_use_threshold_extreme: Optional[int] = None,
memory_use_threshold_green: Optional[int] = None,
memory_use_threshold_red: Optional[int] = None,
miglog_affinity: Optional[str] = None,
miglogd_children: Optional[int] = None,
multi_factor_authentication: Optional[str] = None,
multicast_forward: Optional[str] = None,
ndp_max_entry: Optional[int] = None,
per_user_bal: Optional[str] = None,
per_user_bwl: Optional[str] = None,
pmtu_discovery: Optional[str] = None,
policy_auth_concurrent: Optional[int] = None,
post_login_banner: Optional[str] = None,
pre_login_banner: Optional[str] = None,
# NOTE(review): presumably controls encryption of private data in the device configuration — confirm.
private_data_encryption: Optional[str] = None,
proxy_auth_lifetime: Optional[str] = None,
proxy_auth_lifetime_timeout: Optional[int] = None,
proxy_auth_timeout: Optional[int] = None,
proxy_cert_use_mgmt_vdom: Optional[str] = None,
proxy_cipher_hardware_acceleration: Optional[str] = None,
proxy_hardware_acceleration: Optional[str] = None,
proxy_keep_alive_mode: Optional[str] = None,
proxy_kxp_hardware_acceleration: Optional[str] = None,
proxy_re_authentication_mode: Optional[str] = None,
proxy_re_authentication_time: Optional[int] = None,
proxy_resource_mode: Optional[str] = None,
proxy_worker_count: Optional[int] = None,
purdue_level: Optional[str] = None,
quic_ack_thresold: Optional[int] = None,
quic_congestion_control_algo: Optional[str] = None,
quic_max_datagram_size: Optional[int] = None,
quic_pmtud: Optional[str] = None,
quic_tls_handshake_timeout: Optional[int] = None,
quic_udp_payload_size_shaping_per_cid: Optional[str] = None,
radius_port: Optional[int] = None,
reboot_upon_config_restore: Optional[str] = None,
refresh: Optional[int] = None,
remoteauthtimeout: Optional[int] = None,
reset_sessionless_tcp: Optional[str] = None,
restart_time: Optional[str] = None,
revision_backup_on_logout: Optional[str] = None,
revision_image_auto_backup: Optional[str] = None,
scanunit_count: Optional[int] = None,
security_rating_result_submission: Optional[str] = None,
security_rating_run_on_schedule: Optional[str] = None,
send_pmtu_icmp: Optional[str] = None,
sflowd_max_children_num: Optional[int] = None,
snat_route_change: Optional[str] = None,
special_file23_support: Optional[str] = None,
speedtest_server: Optional[str] = None,
speedtestd_ctrl_port: Optional[int] = None,
speedtestd_server_port: Optional[int] = None,
split_port: Optional[str] = None,
ssd_trim_date: Optional[int] = None,
ssd_trim_freq: Optional[str] = None,
ssd_trim_hour: Optional[int] = None,
ssd_trim_min: Optional[int] = None,
ssd_trim_weekday: Optional[str] = None,
# NOTE(review): the ssh_* arguments appear to select SSH algorithms; ssh_cbc_cipher,
# ssh_hmac_md5, ssh_kex_sha1 and ssh_mac_weak look like switches for legacy algorithms — confirm.
ssh_cbc_cipher: Optional[str] = None,
ssh_enc_algo: Optional[str] = None,
ssh_hmac_md5: Optional[str] = None,
# NOTE(review): ssh_hostkey and ssh_hostkey_password look like key material; if so, supply them
# as Pulumi secrets (e.g. pulumi.Output.secret(...)) so they are encrypted in state — confirm.
ssh_hostkey: Optional[str] = None,
ssh_hostkey_algo: Optional[str] = None,
ssh_hostkey_override: Optional[str] = None,
ssh_hostkey_password: Optional[str] = None,
ssh_kex_algo: Optional[str] = None,
ssh_kex_sha1: Optional[str] = None,
ssh_mac_algo: Optional[str] = None,
ssh_mac_weak: Optional[str] = None,
# NOTE(review): presumably the minimum SSL/TLS protocol version and a switch for static-key
# cipher suites — confirm accepted values.
ssl_min_proto_version: Optional[str] = None,
ssl_static_key_ciphers: Optional[str] = None,
sslvpn_cipher_hardware_acceleration: Optional[str] = None,
sslvpn_ems_sn_check: Optional[str] = None,
sslvpn_kxp_hardware_acceleration: Optional[str] = None,
sslvpn_max_worker_count: Optional[int] = None,
sslvpn_plugin_version_check: Optional[str] = None,
sslvpn_web_mode: Optional[str] = None,
strict_dirty_session_check: Optional[str] = None,
# NOTE(review): presumably restricts the device to strong ciphers — confirm what it covers.
strong_crypto: Optional[str] = None,
switch_controller: Optional[str] = None,
switch_controller_reserved_network: Optional[str] = None,
sys_perf_log_interval: Optional[int] = None,
syslog_affinity: Optional[str] = None,
tcp_halfclose_timer: Optional[int] = None,
tcp_halfopen_timer: Optional[int] = None,
tcp_option: Optional[str] = None,
tcp_rst_timer: Optional[int] = None,
tcp_timewait_timer: Optional[int] = None,
tftp: Optional[str] = None,
timezone: Optional[str] = None,
tp_mc_skip_policy: Optional[str] = None,
traffic_priority: Optional[str] = None,
traffic_priority_level: Optional[str] = None,
two_factor_email_expiry: Optional[int] = None,
two_factor_fac_expiry: Optional[int] = None,
two_factor_ftk_expiry: Optional[int] = None,
two_factor_ftm_expiry: Optional[int] = None,
two_factor_sms_expiry: Optional[int] = None,
udp_idle_timer: Optional[int] = None,
url_filter_affinity: Optional[str] = None,
url_filter_count: Optional[int] = None,
user_device_store_max_devices: Optional[int] = None,
user_device_store_max_unified_mem: Optional[int] = None,
user_device_store_max_users: Optional[int] = None,
user_server_cert: Optional[str] = None,
vdom_admin: Optional[str] = None,
vdom_mode: Optional[str] = None,
vdomparam: Optional[str] = None,
vip_arp_range: Optional[str] = None,
virtual_server_count: Optional[int] = None,
virtual_server_hardware_acceleration: Optional[str] = None,
virtual_switch_vlan: Optional[str] = None,
vpn_ems_sn_check: Optional[str] = None,
wad_affinity: Optional[str] = None,
wad_csvc_cs_count: Optional[int] = None,
wad_csvc_db_count: Optional[int] = None,
wad_memory_change_granularity: Optional[int] = None,
wad_restart_end_time: Optional[str] = None,
wad_restart_mode: Optional[str] = None,
wad_restart_start_time: Optional[str] = None,
wad_source_affinity: Optional[str] = None,
wad_worker_count: Optional[int] = None,
wifi_ca_certificate: Optional[str] = None,
wifi_certificate: Optional[str] = None,
wimax4g_usb: Optional[str] = None,
wireless_controller: Optional[str] = None,
wireless_controller_port: Optional[int] = None)
// NewGlobal signature: ctx is the context object for the current deployment, name the unique
// resource name, args the resource properties, opts the options controlling the resource's behavior.
func NewGlobal(ctx *Context, name string, args *GlobalArgs, opts ...ResourceOption) (*Global, error)
// Constructor signature: name is the unique resource name; args (optional) holds the resource
// properties; opts (optional) is the bag of options controlling the resource's behavior.
public Global(string name, GlobalArgs? args = null, CustomResourceOptions? opts = null)
// Constructor signatures: name is the unique resource name and args the resource properties;
// the second overload also takes options controlling the resource's behavior.
public Global(String name, GlobalArgs args)
public Global(String name, GlobalArgs args, CustomResourceOptions options)
type: fortios:system:Global
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GlobalArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GlobalArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GlobalArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GlobalArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GlobalArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
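The following reference example uses placeholder values ("string" and 0) for all input properties. The placeholders show only each property's name and type; they are not valid settings.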
// Reference listing: every input property of Global is assigned a type placeholder ("string" or 0).
// It documents property names and types only and is not a usable configuration.
// NOTE(review): the notes on individual properties below are inferred from the property names
// alone; confirm each one against the property reference before relying on it.
var exampleglobalResourceResourceFromSystemglobal = new Fortios.System.Global("exampleglobalResourceResourceFromSystemglobal", new()
{
AdminConcurrent = "string",
AdminConsoleTimeout = 0,
AdminForticloudSsoDefaultProfile = "string",
AdminForticloudSsoLogin = "string",
AdminHost = "string",
// NOTE(review): the AdminHsts* / AdminHttps* properties appear to govern the HTTPS admin interface
// (HSTS lifetime, client-certificate requirement, redirect, ciphers, TLS versions) — confirm.
AdminHstsMaxAge = 0,
AdminHttpsPkiRequired = "string",
AdminHttpsRedirect = "string",
AdminHttpsSslBannedCiphers = "string",
AdminHttpsSslCiphersuites = "string",
AdminHttpsSslVersions = "string",
// NOTE(review): presumably the failed-login lockout duration and threshold — confirm units.
AdminLockoutDuration = 0,
AdminLockoutThreshold = 0,
AdminLoginMax = 0,
AdminMaintainer = "string",
AdminPort = 0,
AdminRestrictLocal = "string",
AdminScp = "string",
AdminServerCert = "string",
AdminSport = 0,
AdminSshGraceTime = 0,
// NOTE(review): presumably a switch for SSH password authentication, not a password value — confirm.
AdminSshPassword = "string",
AdminSshPort = 0,
// NOTE(review): AdminSshV1 and AdminTelnet presumably enable legacy remote-admin protocols
// (SSHv1, Telnet); check whether a deployment should ever turn them on — confirm semantics.
AdminSshV1 = "string",
AdminTelnet = "string",
AdminTelnetPort = 0,
// NOTE(review): presumably the idle timeout for administrator sessions — confirm units.
Admintimeout = 0,
Alias = "string",
AllowTrafficRedirect = "string",
AntiReplay = "string",
ArpMaxEntry = 0,
Asymroute = "string",
AuthCert = "string",
AuthHttpPort = 0,
AuthHttpsPort = 0,
AuthIkeSamlPort = 0,
AuthKeepalive = "string",
AuthSessionLimit = "string",
AutoAuthExtensionDevice = "string",
AutorunLogFsck = "string",
AvAffinity = "string",
AvFailopen = "string",
AvFailopenSession = "string",
BatchCmdb = "string",
BfdAffinity = "string",
BlockSessionTimer = 0,
BrFdbMaxEntry = 0,
CertChainMax = 0,
CfgRevertTimeout = 0,
CfgSave = "string",
CheckProtocolHeader = "string",
CheckResetRange = "string",
CliAuditLog = "string",
CloudCommunication = "string",
CltCertReq = "string",
CmdbsvrAffinity = "string",
ComplianceCheck = "string",
ComplianceCheckTime = "string",
CpuUseThreshold = 0,
CsrCaAttribute = "string",
DailyRestart = "string",
DefaultServiceSourcePort = "string",
DeviceIdentificationActiveScanDelay = 0,
DeviceIdleTimeout = 0,
DhParams = "string",
DnsproxyWorkerCount = 0,
Dst = "string",
DynamicSortSubtable = "string",
EarlyTcpNpuSession = "string",
EditVdomPrompt = "string",
EndpointControlFdsAccess = "string",
EndpointControlPortalPort = 0,
ExtenderControllerReservedNetwork = "string",
Failtime = 0,
FazDiskBufferSize = 0,
FdsStatistics = "string",
FdsStatisticsPeriod = 0,
FecPort = 0,
FgdAlertSubscription = "string",
ForticonverterConfigUpload = "string",
ForticonverterIntegration = "string",
Fortiextender = "string",
FortiextenderDataPort = 0,
FortiextenderDiscoveryLockdown = "string",
FortiextenderProvisionOnAuthorization = "string",
FortiextenderVlanMode = "string",
FortigslbIntegration = "string",
FortiipamIntegration = "string",
FortiservicePort = 0,
FortitokenCloud = "string",
FortitokenCloudPushStatus = "string",
FortitokenCloudSyncInterval = 0,
GetAllTables = "string",
GuiAllowDefaultHostname = "string",
GuiAllowIncompatibleFabricFgt = "string",
GuiAppDetectionSdwan = "string",
GuiAutoUpgradeSetupWarning = "string",
GuiCdnDomainOverride = "string",
GuiCdnUsage = "string",
GuiCertificates = "string",
GuiCustomLanguage = "string",
GuiDateFormat = "string",
GuiDateTimeSource = "string",
GuiDeviceLatitude = "string",
GuiDeviceLongitude = "string",
GuiDisplayHostname = "string",
GuiFirmwareUpgradeSetupWarning = "string",
GuiFirmwareUpgradeWarning = "string",
GuiForticareRegistrationSetupWarning = "string",
GuiFortigateCloudSandbox = "string",
GuiFortiguardResourceFetch = "string",
GuiFortisandboxCloud = "string",
GuiIpv6 = "string",
GuiLinesPerPage = 0,
GuiLocalOut = "string",
GuiReplacementMessageGroups = "string",
GuiRestApiCache = "string",
GuiTheme = "string",
GuiWirelessOpensecurity = "string",
GuiWorkflowManagement = "string",
HaAffinity = "string",
HonorDf = "string",
Hostname = "string",
IgmpStateLimit = 0,
IkeEmbryonicLimit = 0,
InterfaceSubnetUsage = "string",
InternetServiceDatabase = "string",
InternetServiceDownloadLists = new[]
{
new Fortios.System.Inputs.GlobalInternetServiceDownloadListArgs
{
Id = 0,
},
},
Interval = 0,
IpFragmentMemThresholds = 0,
IpSrcPortRange = "string",
IpsAffinity = "string",
IpsecAsicOffload = "string",
IpsecHaSeqjumpRate = 0,
IpsecHmacOffload = "string",
IpsecRoundRobin = "string",
IpsecSoftDecAsync = "string",
Ipv6AcceptDad = 0,
Ipv6AllowAnycastProbe = "string",
Ipv6AllowLocalInSlientDrop = "string",
Ipv6AllowMulticastProbe = "string",
Ipv6AllowTrafficRedirect = "string",
IrqTimeAccounting = "string",
Language = "string",
Ldapconntimeout = 0,
LldpReception = "string",
LldpTransmission = "string",
LogSingleCpuHigh = "string",
LogSslConnection = "string",
LogUuidAddress = "string",
LogUuidPolicy = "string",
LoginTimestamp = "string",
LongVdomName = "string",
ManagementIp = "string",
ManagementPort = 0,
ManagementPortUseAdminSport = "string",
ManagementVdom = "string",
MaxDlpstatMemory = 0,
MaxRouteCacheSize = 0,
McTtlNotchange = "string",
MemoryUseThresholdExtreme = 0,
MemoryUseThresholdGreen = 0,
MemoryUseThresholdRed = 0,
MiglogAffinity = "string",
MiglogdChildren = 0,
MultiFactorAuthentication = "string",
MulticastForward = "string",
NdpMaxEntry = 0,
PerUserBal = "string",
PerUserBwl = "string",
PmtuDiscovery = "string",
PolicyAuthConcurrent = 0,
PostLoginBanner = "string",
PreLoginBanner = "string",
PrivateDataEncryption = "string",
ProxyAuthLifetime = "string",
ProxyAuthLifetimeTimeout = 0,
ProxyAuthTimeout = 0,
ProxyCertUseMgmtVdom = "string",
ProxyCipherHardwareAcceleration = "string",
ProxyHardwareAcceleration = "string",
ProxyKeepAliveMode = "string",
ProxyKxpHardwareAcceleration = "string",
ProxyReAuthenticationMode = "string",
ProxyReAuthenticationTime = 0,
ProxyResourceMode = "string",
ProxyWorkerCount = 0,
PurdueLevel = "string",
QuicAckThresold = 0,
QuicCongestionControlAlgo = "string",
QuicMaxDatagramSize = 0,
QuicPmtud = "string",
QuicTlsHandshakeTimeout = 0,
QuicUdpPayloadSizeShapingPerCid = "string",
RadiusPort = 0,
RebootUponConfigRestore = "string",
Refresh = 0,
Remoteauthtimeout = 0,
ResetSessionlessTcp = "string",
RestartTime = "string",
RevisionBackupOnLogout = "string",
RevisionImageAutoBackup = "string",
ScanunitCount = 0,
SecurityRatingResultSubmission = "string",
SecurityRatingRunOnSchedule = "string",
SendPmtuIcmp = "string",
SflowdMaxChildrenNum = 0,
SnatRouteChange = "string",
SpecialFile23Support = "string",
SpeedtestServer = "string",
SpeedtestdCtrlPort = 0,
SpeedtestdServerPort = 0,
SplitPort = "string",
SsdTrimDate = 0,
SsdTrimFreq = "string",
SsdTrimHour = 0,
SsdTrimMin = 0,
SsdTrimWeekday = "string",
// NOTE(review): the Ssh* properties appear to select SSH algorithms; SshCbcCipher, SshHmacMd5,
// SshKexSha1 and SshMacWeak look like switches for legacy algorithms — confirm.
SshCbcCipher = "string",
SshEncAlgo = "string",
SshHmacMd5 = "string",
// NOTE(review): SshHostkey and SshHostkeyPassword look like key material; if so, supply them as
// Pulumi secrets so they are encrypted in state — confirm.
SshHostkey = "string",
SshHostkeyAlgo = "string",
SshHostkeyOverride = "string",
SshHostkeyPassword = "string",
SshKexAlgo = "string",
SshKexSha1 = "string",
SshMacAlgo = "string",
SshMacWeak = "string",
// NOTE(review): presumably the minimum SSL/TLS protocol version and a switch for static-key
// cipher suites — confirm accepted values.
SslMinProtoVersion = "string",
SslStaticKeyCiphers = "string",
SslvpnCipherHardwareAcceleration = "string",
SslvpnEmsSnCheck = "string",
SslvpnKxpHardwareAcceleration = "string",
SslvpnMaxWorkerCount = 0,
SslvpnPluginVersionCheck = "string",
SslvpnWebMode = "string",
StrictDirtySessionCheck = "string",
// NOTE(review): presumably restricts the device to strong ciphers — confirm what it covers.
StrongCrypto = "string",
SwitchController = "string",
SwitchControllerReservedNetwork = "string",
SysPerfLogInterval = 0,
SyslogAffinity = "string",
TcpHalfcloseTimer = 0,
TcpHalfopenTimer = 0,
TcpOption = "string",
TcpRstTimer = 0,
TcpTimewaitTimer = 0,
Tftp = "string",
Timezone = "string",
TpMcSkipPolicy = "string",
TrafficPriority = "string",
TrafficPriorityLevel = "string",
TwoFactorEmailExpiry = 0,
TwoFactorFacExpiry = 0,
TwoFactorFtkExpiry = 0,
TwoFactorFtmExpiry = 0,
TwoFactorSmsExpiry = 0,
UdpIdleTimer = 0,
UrlFilterAffinity = "string",
UrlFilterCount = 0,
UserDeviceStoreMaxDevices = 0,
UserDeviceStoreMaxUnifiedMem = 0,
UserDeviceStoreMaxUsers = 0,
UserServerCert = "string",
VdomAdmin = "string",
VdomMode = "string",
Vdomparam = "string",
VipArpRange = "string",
VirtualServerCount = 0,
VirtualServerHardwareAcceleration = "string",
VirtualSwitchVlan = "string",
VpnEmsSnCheck = "string",
WadAffinity = "string",
WadCsvcCsCount = 0,
WadCsvcDbCount = 0,
WadMemoryChangeGranularity = 0,
WadRestartEndTime = "string",
WadRestartMode = "string",
WadRestartStartTime = "string",
WadSourceAffinity = "string",
WadWorkerCount = 0,
WifiCaCertificate = "string",
WifiCertificate = "string",
Wimax4gUsb = "string",
WirelessController = "string",
WirelessControllerPort = 0,
});
example, err := system.NewGlobal(ctx, "exampleglobalResourceResourceFromSystemglobal", &system.GlobalArgs{
AdminConcurrent: pulumi.String("string"),
AdminConsoleTimeout: pulumi.Int(0),
AdminForticloudSsoDefaultProfile: pulumi.String("string"),
AdminForticloudSsoLogin: pulumi.String("string"),
AdminHost: pulumi.String("string"),
AdminHstsMaxAge: pulumi.Int(0),
AdminHttpsPkiRequired: pulumi.String("string"),
AdminHttpsRedirect: pulumi.String("string"),
AdminHttpsSslBannedCiphers: pulumi.String("string"),
AdminHttpsSslCiphersuites: pulumi.String("string"),
AdminHttpsSslVersions: pulumi.String("string"),
AdminLockoutDuration: pulumi.Int(0),
AdminLockoutThreshold: pulumi.Int(0),
AdminLoginMax: pulumi.Int(0),
AdminMaintainer: pulumi.String("string"),
AdminPort: pulumi.Int(0),
AdminRestrictLocal: pulumi.String("string"),
AdminScp: pulumi.String("string"),
AdminServerCert: pulumi.String("string"),
AdminSport: pulumi.Int(0),
AdminSshGraceTime: pulumi.Int(0),
AdminSshPassword: pulumi.String("string"),
AdminSshPort: pulumi.Int(0),
AdminSshV1: pulumi.String("string"),
AdminTelnet: pulumi.String("string"),
AdminTelnetPort: pulumi.Int(0),
Admintimeout: pulumi.Int(0),
Alias: pulumi.String("string"),
AllowTrafficRedirect: pulumi.String("string"),
AntiReplay: pulumi.String("string"),
ArpMaxEntry: pulumi.Int(0),
Asymroute: pulumi.String("string"),
AuthCert: pulumi.String("string"),
AuthHttpPort: pulumi.Int(0),
AuthHttpsPort: pulumi.Int(0),
AuthIkeSamlPort: pulumi.Int(0),
AuthKeepalive: pulumi.String("string"),
AuthSessionLimit: pulumi.String("string"),
AutoAuthExtensionDevice: pulumi.String("string"),
AutorunLogFsck: pulumi.String("string"),
AvAffinity: pulumi.String("string"),
AvFailopen: pulumi.String("string"),
AvFailopenSession: pulumi.String("string"),
BatchCmdb: pulumi.String("string"),
BfdAffinity: pulumi.String("string"),
BlockSessionTimer: pulumi.Int(0),
BrFdbMaxEntry: pulumi.Int(0),
CertChainMax: pulumi.Int(0),
CfgRevertTimeout: pulumi.Int(0),
CfgSave: pulumi.String("string"),
CheckProtocolHeader: pulumi.String("string"),
CheckResetRange: pulumi.String("string"),
CliAuditLog: pulumi.String("string"),
CloudCommunication: pulumi.String("string"),
CltCertReq: pulumi.String("string"),
CmdbsvrAffinity: pulumi.String("string"),
ComplianceCheck: pulumi.String("string"),
ComplianceCheckTime: pulumi.String("string"),
CpuUseThreshold: pulumi.Int(0),
CsrCaAttribute: pulumi.String("string"),
DailyRestart: pulumi.String("string"),
DefaultServiceSourcePort: pulumi.String("string"),
DeviceIdentificationActiveScanDelay: pulumi.Int(0),
DeviceIdleTimeout: pulumi.Int(0),
DhParams: pulumi.String("string"),
DnsproxyWorkerCount: pulumi.Int(0),
Dst: pulumi.String("string"),
DynamicSortSubtable: pulumi.String("string"),
EarlyTcpNpuSession: pulumi.String("string"),
EditVdomPrompt: pulumi.String("string"),
EndpointControlFdsAccess: pulumi.String("string"),
EndpointControlPortalPort: pulumi.Int(0),
ExtenderControllerReservedNetwork: pulumi.String("string"),
Failtime: pulumi.Int(0),
FazDiskBufferSize: pulumi.Int(0),
FdsStatistics: pulumi.String("string"),
FdsStatisticsPeriod: pulumi.Int(0),
FecPort: pulumi.Int(0),
FgdAlertSubscription: pulumi.String("string"),
ForticonverterConfigUpload: pulumi.String("string"),
ForticonverterIntegration: pulumi.String("string"),
Fortiextender: pulumi.String("string"),
FortiextenderDataPort: pulumi.Int(0),
FortiextenderDiscoveryLockdown: pulumi.String("string"),
FortiextenderProvisionOnAuthorization: pulumi.String("string"),
FortiextenderVlanMode: pulumi.String("string"),
FortigslbIntegration: pulumi.String("string"),
FortiipamIntegration: pulumi.String("string"),
FortiservicePort: pulumi.Int(0),
FortitokenCloud: pulumi.String("string"),
FortitokenCloudPushStatus: pulumi.String("string"),
FortitokenCloudSyncInterval: pulumi.Int(0),
GetAllTables: pulumi.String("string"),
GuiAllowDefaultHostname: pulumi.String("string"),
GuiAllowIncompatibleFabricFgt: pulumi.String("string"),
GuiAppDetectionSdwan: pulumi.String("string"),
GuiAutoUpgradeSetupWarning: pulumi.String("string"),
GuiCdnDomainOverride: pulumi.String("string"),
GuiCdnUsage: pulumi.String("string"),
GuiCertificates: pulumi.String("string"),
GuiCustomLanguage: pulumi.String("string"),
GuiDateFormat: pulumi.String("string"),
GuiDateTimeSource: pulumi.String("string"),
GuiDeviceLatitude: pulumi.String("string"),
GuiDeviceLongitude: pulumi.String("string"),
GuiDisplayHostname: pulumi.String("string"),
GuiFirmwareUpgradeSetupWarning: pulumi.String("string"),
GuiFirmwareUpgradeWarning: pulumi.String("string"),
GuiForticareRegistrationSetupWarning: pulumi.String("string"),
GuiFortigateCloudSandbox: pulumi.String("string"),
GuiFortiguardResourceFetch: pulumi.String("string"),
GuiFortisandboxCloud: pulumi.String("string"),
GuiIpv6: pulumi.String("string"),
GuiLinesPerPage: pulumi.Int(0),
GuiLocalOut: pulumi.String("string"),
GuiReplacementMessageGroups: pulumi.String("string"),
GuiRestApiCache: pulumi.String("string"),
GuiTheme: pulumi.String("string"),
GuiWirelessOpensecurity: pulumi.String("string"),
GuiWorkflowManagement: pulumi.String("string"),
HaAffinity: pulumi.String("string"),
HonorDf: pulumi.String("string"),
Hostname: pulumi.String("string"),
IgmpStateLimit: pulumi.Int(0),
IkeEmbryonicLimit: pulumi.Int(0),
InterfaceSubnetUsage: pulumi.String("string"),
InternetServiceDatabase: pulumi.String("string"),
InternetServiceDownloadLists: system.GlobalInternetServiceDownloadListArray{
&system.GlobalInternetServiceDownloadListArgs{
Id: pulumi.Int(0),
},
},
Interval: pulumi.Int(0),
IpFragmentMemThresholds: pulumi.Int(0),
IpSrcPortRange: pulumi.String("string"),
IpsAffinity: pulumi.String("string"),
IpsecAsicOffload: pulumi.String("string"),
IpsecHaSeqjumpRate: pulumi.Int(0),
IpsecHmacOffload: pulumi.String("string"),
IpsecRoundRobin: pulumi.String("string"),
IpsecSoftDecAsync: pulumi.String("string"),
Ipv6AcceptDad: pulumi.Int(0),
Ipv6AllowAnycastProbe: pulumi.String("string"),
Ipv6AllowLocalInSlientDrop: pulumi.String("string"),
Ipv6AllowMulticastProbe: pulumi.String("string"),
Ipv6AllowTrafficRedirect: pulumi.String("string"),
IrqTimeAccounting: pulumi.String("string"),
Language: pulumi.String("string"),
Ldapconntimeout: pulumi.Int(0),
LldpReception: pulumi.String("string"),
LldpTransmission: pulumi.String("string"),
LogSingleCpuHigh: pulumi.String("string"),
LogSslConnection: pulumi.String("string"),
LogUuidAddress: pulumi.String("string"),
LogUuidPolicy: pulumi.String("string"),
LoginTimestamp: pulumi.String("string"),
LongVdomName: pulumi.String("string"),
ManagementIp: pulumi.String("string"),
ManagementPort: pulumi.Int(0),
ManagementPortUseAdminSport: pulumi.String("string"),
ManagementVdom: pulumi.String("string"),
MaxDlpstatMemory: pulumi.Int(0),
MaxRouteCacheSize: pulumi.Int(0),
McTtlNotchange: pulumi.String("string"),
MemoryUseThresholdExtreme: pulumi.Int(0),
MemoryUseThresholdGreen: pulumi.Int(0),
MemoryUseThresholdRed: pulumi.Int(0),
MiglogAffinity: pulumi.String("string"),
MiglogdChildren: pulumi.Int(0),
MultiFactorAuthentication: pulumi.String("string"),
MulticastForward: pulumi.String("string"),
NdpMaxEntry: pulumi.Int(0),
PerUserBal: pulumi.String("string"),
PerUserBwl: pulumi.String("string"),
PmtuDiscovery: pulumi.String("string"),
PolicyAuthConcurrent: pulumi.Int(0),
PostLoginBanner: pulumi.String("string"),
PreLoginBanner: pulumi.String("string"),
PrivateDataEncryption: pulumi.String("string"),
ProxyAuthLifetime: pulumi.String("string"),
ProxyAuthLifetimeTimeout: pulumi.Int(0),
ProxyAuthTimeout: pulumi.Int(0),
ProxyCertUseMgmtVdom: pulumi.String("string"),
ProxyCipherHardwareAcceleration: pulumi.String("string"),
ProxyHardwareAcceleration: pulumi.String("string"),
ProxyKeepAliveMode: pulumi.String("string"),
ProxyKxpHardwareAcceleration: pulumi.String("string"),
ProxyReAuthenticationMode: pulumi.String("string"),
ProxyReAuthenticationTime: pulumi.Int(0),
ProxyResourceMode: pulumi.String("string"),
ProxyWorkerCount: pulumi.Int(0),
PurdueLevel: pulumi.String("string"),
QuicAckThresold: pulumi.Int(0),
QuicCongestionControlAlgo: pulumi.String("string"),
QuicMaxDatagramSize: pulumi.Int(0),
QuicPmtud: pulumi.String("string"),
QuicTlsHandshakeTimeout: pulumi.Int(0),
QuicUdpPayloadSizeShapingPerCid: pulumi.String("string"),
RadiusPort: pulumi.Int(0),
RebootUponConfigRestore: pulumi.String("string"),
Refresh: pulumi.Int(0),
Remoteauthtimeout: pulumi.Int(0),
ResetSessionlessTcp: pulumi.String("string"),
RestartTime: pulumi.String("string"),
RevisionBackupOnLogout: pulumi.String("string"),
RevisionImageAutoBackup: pulumi.String("string"),
ScanunitCount: pulumi.Int(0),
SecurityRatingResultSubmission: pulumi.String("string"),
SecurityRatingRunOnSchedule: pulumi.String("string"),
SendPmtuIcmp: pulumi.String("string"),
SflowdMaxChildrenNum: pulumi.Int(0),
SnatRouteChange: pulumi.String("string"),
SpecialFile23Support: pulumi.String("string"),
SpeedtestServer: pulumi.String("string"),
SpeedtestdCtrlPort: pulumi.Int(0),
SpeedtestdServerPort: pulumi.Int(0),
SplitPort: pulumi.String("string"),
SsdTrimDate: pulumi.Int(0),
SsdTrimFreq: pulumi.String("string"),
SsdTrimHour: pulumi.Int(0),
SsdTrimMin: pulumi.Int(0),
SsdTrimWeekday: pulumi.String("string"),
SshCbcCipher: pulumi.String("string"),
SshEncAlgo: pulumi.String("string"),
SshHmacMd5: pulumi.String("string"),
SshHostkey: pulumi.String("string"),
SshHostkeyAlgo: pulumi.String("string"),
SshHostkeyOverride: pulumi.String("string"),
SshHostkeyPassword: pulumi.String("string"),
SshKexAlgo: pulumi.String("string"),
SshKexSha1: pulumi.String("string"),
SshMacAlgo: pulumi.String("string"),
SshMacWeak: pulumi.String("string"),
SslMinProtoVersion: pulumi.String("string"),
SslStaticKeyCiphers: pulumi.String("string"),
SslvpnCipherHardwareAcceleration: pulumi.String("string"),
SslvpnEmsSnCheck: pulumi.String("string"),
SslvpnKxpHardwareAcceleration: pulumi.String("string"),
SslvpnMaxWorkerCount: pulumi.Int(0),
SslvpnPluginVersionCheck: pulumi.String("string"),
SslvpnWebMode: pulumi.String("string"),
StrictDirtySessionCheck: pulumi.String("string"),
StrongCrypto: pulumi.String("string"),
SwitchController: pulumi.String("string"),
SwitchControllerReservedNetwork: pulumi.String("string"),
SysPerfLogInterval: pulumi.Int(0),
SyslogAffinity: pulumi.String("string"),
TcpHalfcloseTimer: pulumi.Int(0),
TcpHalfopenTimer: pulumi.Int(0),
TcpOption: pulumi.String("string"),
TcpRstTimer: pulumi.Int(0),
TcpTimewaitTimer: pulumi.Int(0),
Tftp: pulumi.String("string"),
Timezone: pulumi.String("string"),
TpMcSkipPolicy: pulumi.String("string"),
TrafficPriority: pulumi.String("string"),
TrafficPriorityLevel: pulumi.String("string"),
TwoFactorEmailExpiry: pulumi.Int(0),
TwoFactorFacExpiry: pulumi.Int(0),
TwoFactorFtkExpiry: pulumi.Int(0),
TwoFactorFtmExpiry: pulumi.Int(0),
TwoFactorSmsExpiry: pulumi.Int(0),
UdpIdleTimer: pulumi.Int(0),
UrlFilterAffinity: pulumi.String("string"),
UrlFilterCount: pulumi.Int(0),
UserDeviceStoreMaxDevices: pulumi.Int(0),
UserDeviceStoreMaxUnifiedMem: pulumi.Int(0),
UserDeviceStoreMaxUsers: pulumi.Int(0),
UserServerCert: pulumi.String("string"),
VdomAdmin: pulumi.String("string"),
VdomMode: pulumi.String("string"),
Vdomparam: pulumi.String("string"),
VipArpRange: pulumi.String("string"),
VirtualServerCount: pulumi.Int(0),
VirtualServerHardwareAcceleration: pulumi.String("string"),
VirtualSwitchVlan: pulumi.String("string"),
VpnEmsSnCheck: pulumi.String("string"),
WadAffinity: pulumi.String("string"),
WadCsvcCsCount: pulumi.Int(0),
WadCsvcDbCount: pulumi.Int(0),
WadMemoryChangeGranularity: pulumi.Int(0),
WadRestartEndTime: pulumi.String("string"),
WadRestartMode: pulumi.String("string"),
WadRestartStartTime: pulumi.String("string"),
WadSourceAffinity: pulumi.String("string"),
WadWorkerCount: pulumi.Int(0),
WifiCaCertificate: pulumi.String("string"),
WifiCertificate: pulumi.String("string"),
Wimax4gUsb: pulumi.String("string"),
WirelessController: pulumi.String("string"),
WirelessControllerPort: pulumi.Int(0),
})
// Constructor reference for fortios.system.Global (Java): the builder's inputs are listed once
// each with a type placeholder ("string" for string inputs, 0 for integer inputs).
// The placeholders are not defaults or recommended values. A real program sets only the inputs
// it means to manage, as the four-property Example Usage on this page does.
var exampleglobalResourceResourceFromSystemglobal = new Global("exampleglobalResourceResourceFromSystemglobal", GlobalArgs.builder()
.adminConcurrent("string")
.adminConsoleTimeout(0)
.adminForticloudSsoDefaultProfile("string")
.adminForticloudSsoLogin("string")
.adminHost("string")
.adminHstsMaxAge(0)
.adminHttpsPkiRequired("string")
.adminHttpsRedirect("string")
// TLS settings for the admin HTTPS interface, by name. The accepted cipher and version tokens
// are not shown in this listing; take them from the property reference.
.adminHttpsSslBannedCiphers("string")
.adminHttpsSslCiphersuites("string")
.adminHttpsSslVersions("string")
// 0 is only the integer placeholder here, not a suggested lockout policy.
.adminLockoutDuration(0)
.adminLockoutThreshold(0)
.adminLoginMax(0)
.adminMaintainer("string")
.adminPort(0)
.adminRestrictLocal("string")
.adminScp("string")
.adminServerCert("string")
.adminSport(0)
.adminSshGraceTime(0)
// NOTE(review): presumably an enable/disable switch for SSH password logins rather than a
// password value; confirm in the property reference.
.adminSshPassword("string")
.adminSshPort(0)
// NOTE(review): by name these two switch on legacy admin access (SSH protocol 1, Telnet);
// presumably enable/disable. Confirm, and review any stack that turns them on.
.adminSshV1("string")
.adminTelnet("string")
.adminTelnetPort(0)
.admintimeout(0)
.alias("string")
.allowTrafficRedirect("string")
.antiReplay("string")
.arpMaxEntry(0)
.asymroute("string")
.authCert("string")
.authHttpPort(0)
.authHttpsPort(0)
.authIkeSamlPort(0)
.authKeepalive("string")
.authSessionLimit("string")
.autoAuthExtensionDevice("string")
.autorunLogFsck("string")
.avAffinity("string")
.avFailopen("string")
.avFailopenSession("string")
.batchCmdb("string")
.bfdAffinity("string")
.blockSessionTimer(0)
.brFdbMaxEntry(0)
.certChainMax(0)
.cfgRevertTimeout(0)
.cfgSave("string")
.checkProtocolHeader("string")
.checkResetRange("string")
.cliAuditLog("string")
.cloudCommunication("string")
.cltCertReq("string")
.cmdbsvrAffinity("string")
.complianceCheck("string")
.complianceCheckTime("string")
.cpuUseThreshold(0)
.csrCaAttribute("string")
.dailyRestart("string")
.defaultServiceSourcePort("string")
.deviceIdentificationActiveScanDelay(0)
.deviceIdleTimeout(0)
.dhParams("string")
.dnsproxyWorkerCount(0)
.dst("string")
.dynamicSortSubtable("string")
.earlyTcpNpuSession("string")
.editVdomPrompt("string")
.endpointControlFdsAccess("string")
.endpointControlPortalPort(0)
.extenderControllerReservedNetwork("string")
.failtime(0)
.fazDiskBufferSize(0)
.fdsStatistics("string")
.fdsStatisticsPeriod(0)
.fecPort(0)
.fgdAlertSubscription("string")
.forticonverterConfigUpload("string")
.forticonverterIntegration("string")
.fortiextender("string")
.fortiextenderDataPort(0)
.fortiextenderDiscoveryLockdown("string")
.fortiextenderProvisionOnAuthorization("string")
.fortiextenderVlanMode("string")
.fortigslbIntegration("string")
.fortiipamIntegration("string")
.fortiservicePort(0)
.fortitokenCloud("string")
.fortitokenCloudPushStatus("string")
.fortitokenCloudSyncInterval(0)
.getAllTables("string")
.guiAllowDefaultHostname("string")
.guiAllowIncompatibleFabricFgt("string")
.guiAppDetectionSdwan("string")
.guiAutoUpgradeSetupWarning("string")
.guiCdnDomainOverride("string")
.guiCdnUsage("string")
.guiCertificates("string")
.guiCustomLanguage("string")
.guiDateFormat("string")
.guiDateTimeSource("string")
.guiDeviceLatitude("string")
.guiDeviceLongitude("string")
.guiDisplayHostname("string")
.guiFirmwareUpgradeSetupWarning("string")
.guiFirmwareUpgradeWarning("string")
.guiForticareRegistrationSetupWarning("string")
.guiFortigateCloudSandbox("string")
.guiFortiguardResourceFetch("string")
.guiFortisandboxCloud("string")
.guiIpv6("string")
.guiLinesPerPage(0)
.guiLocalOut("string")
.guiReplacementMessageGroups("string")
.guiRestApiCache("string")
.guiTheme("string")
.guiWirelessOpensecurity("string")
.guiWorkflowManagement("string")
.haAffinity("string")
.honorDf("string")
.hostname("string")
.igmpStateLimit(0)
.ikeEmbryonicLimit(0)
.interfaceSubnetUsage("string")
.internetServiceDatabase("string")
// The only nested input in this listing: an args object built with its own builder.
.internetServiceDownloadLists(GlobalInternetServiceDownloadListArgs.builder()
.id(0)
.build())
.interval(0)
.ipFragmentMemThresholds(0)
.ipSrcPortRange("string")
.ipsAffinity("string")
.ipsecAsicOffload("string")
.ipsecHaSeqjumpRate(0)
.ipsecHmacOffload("string")
.ipsecRoundRobin("string")
.ipsecSoftDecAsync("string")
.ipv6AcceptDad(0)
.ipv6AllowAnycastProbe("string")
.ipv6AllowLocalInSlientDrop("string")
.ipv6AllowMulticastProbe("string")
.ipv6AllowTrafficRedirect("string")
.irqTimeAccounting("string")
.language("string")
.ldapconntimeout(0)
.lldpReception("string")
.lldpTransmission("string")
.logSingleCpuHigh("string")
.logSslConnection("string")
.logUuidAddress("string")
.logUuidPolicy("string")
.loginTimestamp("string")
.longVdomName("string")
.managementIp("string")
.managementPort(0)
.managementPortUseAdminSport("string")
.managementVdom("string")
.maxDlpstatMemory(0)
.maxRouteCacheSize(0)
.mcTtlNotchange("string")
.memoryUseThresholdExtreme(0)
.memoryUseThresholdGreen(0)
.memoryUseThresholdRed(0)
.miglogAffinity("string")
.miglogdChildren(0)
.multiFactorAuthentication("string")
.multicastForward("string")
.ndpMaxEntry(0)
.perUserBal("string")
.perUserBwl("string")
.pmtuDiscovery("string")
.policyAuthConcurrent(0)
.postLoginBanner("string")
.preLoginBanner("string")
// NOTE(review): presumably controls encryption of private data in the device configuration;
// confirm its semantics before changing it on a live device.
.privateDataEncryption("string")
.proxyAuthLifetime("string")
.proxyAuthLifetimeTimeout(0)
.proxyAuthTimeout(0)
.proxyCertUseMgmtVdom("string")
.proxyCipherHardwareAcceleration("string")
.proxyHardwareAcceleration("string")
.proxyKeepAliveMode("string")
.proxyKxpHardwareAcceleration("string")
.proxyReAuthenticationMode("string")
.proxyReAuthenticationTime(0)
.proxyResourceMode("string")
.proxyWorkerCount(0)
.purdueLevel("string")
.quicAckThresold(0)
.quicCongestionControlAlgo("string")
.quicMaxDatagramSize(0)
.quicPmtud("string")
.quicTlsHandshakeTimeout(0)
.quicUdpPayloadSizeShapingPerCid("string")
.radiusPort(0)
.rebootUponConfigRestore("string")
.refresh(0)
.remoteauthtimeout(0)
.resetSessionlessTcp("string")
.restartTime("string")
.revisionBackupOnLogout("string")
.revisionImageAutoBackup("string")
.scanunitCount(0)
.securityRatingResultSubmission("string")
.securityRatingRunOnSchedule("string")
.sendPmtuIcmp("string")
.sflowdMaxChildrenNum(0)
.snatRouteChange("string")
.specialFile23Support("string")
.speedtestServer("string")
.speedtestdCtrlPort(0)
.speedtestdServerPort(0)
.splitPort("string")
.ssdTrimDate(0)
.ssdTrimFreq("string")
.ssdTrimHour(0)
.ssdTrimMin(0)
.ssdTrimWeekday("string")
// SSH server crypto inputs. NOTE(review): sshCbcCipher, sshHmacMd5, sshKexSha1 and sshMacWeak
// look like opt-ins for older algorithms; confirm the accepted values. Presumably they are
// best left disabled unless a legacy client needs them.
.sshCbcCipher("string")
.sshEncAlgo("string")
.sshHmacMd5("string")
// NOTE(review): sshHostkey and sshHostkeyPassword presumably carry key material and its
// passphrase. Supply them as Pulumi secrets rather than literals so they are encrypted in state.
.sshHostkey("string")
.sshHostkeyAlgo("string")
.sshHostkeyOverride("string")
.sshHostkeyPassword("string")
.sshKexAlgo("string")
.sshKexSha1("string")
.sshMacAlgo("string")
.sshMacWeak("string")
// NOTE(review): by name, the minimum TLS version and a switch for static-key ciphers; confirm
// the accepted tokens in the property reference.
.sslMinProtoVersion("string")
.sslStaticKeyCiphers("string")
.sslvpnCipherHardwareAcceleration("string")
.sslvpnEmsSnCheck("string")
.sslvpnKxpHardwareAcceleration("string")
.sslvpnMaxWorkerCount(0)
.sslvpnPluginVersionCheck("string")
.sslvpnWebMode("string")
.strictDirtySessionCheck("string")
// NOTE(review): by name, restricts the device to strong ciphers; confirm how it interacts with
// the per-protocol cipher inputs above.
.strongCrypto("string")
.switchController("string")
.switchControllerReservedNetwork("string")
.sysPerfLogInterval(0)
.syslogAffinity("string")
.tcpHalfcloseTimer(0)
.tcpHalfopenTimer(0)
.tcpOption("string")
.tcpRstTimer(0)
.tcpTimewaitTimer(0)
.tftp("string")
.timezone("string")
.tpMcSkipPolicy("string")
.trafficPriority("string")
.trafficPriorityLevel("string")
// Integer placeholders again; units and valid ranges of these expiry inputs are not shown here.
.twoFactorEmailExpiry(0)
.twoFactorFacExpiry(0)
.twoFactorFtkExpiry(0)
.twoFactorFtmExpiry(0)
.twoFactorSmsExpiry(0)
.udpIdleTimer(0)
.urlFilterAffinity("string")
.urlFilterCount(0)
.userDeviceStoreMaxDevices(0)
.userDeviceStoreMaxUnifiedMem(0)
.userDeviceStoreMaxUsers(0)
.userServerCert("string")
.vdomAdmin("string")
.vdomMode("string")
.vdomparam("string")
.vipArpRange("string")
.virtualServerCount(0)
.virtualServerHardwareAcceleration("string")
.virtualSwitchVlan("string")
.vpnEmsSnCheck("string")
.wadAffinity("string")
.wadCsvcCsCount(0)
.wadCsvcDbCount(0)
.wadMemoryChangeGranularity(0)
.wadRestartEndTime("string")
.wadRestartMode("string")
.wadRestartStartTime("string")
.wadSourceAffinity("string")
.wadWorkerCount(0)
.wifiCaCertificate("string")
.wifiCertificate("string")
.wimax4gUsb("string")
.wirelessController("string")
.wirelessControllerPort(0)
.build());
# Constructor reference for fortios.system.Global (Python): the keyword inputs are listed once
# each with a type placeholder ("string" for string inputs, 0 for integer inputs).
# The placeholders are not defaults or recommended values. A real program sets only the inputs
# it means to manage, as the four-property Example Usage on this page does.
exampleglobal_resource_resource_from_systemglobal = fortios.system.Global("exampleglobalResourceResourceFromSystemglobal",
admin_concurrent="string",
admin_console_timeout=0,
admin_forticloud_sso_default_profile="string",
admin_forticloud_sso_login="string",
admin_host="string",
admin_hsts_max_age=0,
admin_https_pki_required="string",
admin_https_redirect="string",
# TLS settings for the admin HTTPS interface, by name. The accepted cipher and version tokens
# are not shown in this listing; take them from the property reference.
admin_https_ssl_banned_ciphers="string",
admin_https_ssl_ciphersuites="string",
admin_https_ssl_versions="string",
# 0 is only the integer placeholder here, not a suggested lockout policy.
admin_lockout_duration=0,
admin_lockout_threshold=0,
admin_login_max=0,
admin_maintainer="string",
admin_port=0,
admin_restrict_local="string",
admin_scp="string",
admin_server_cert="string",
admin_sport=0,
admin_ssh_grace_time=0,
# NOTE(review): presumably an enable/disable switch for SSH password logins rather than a
# password value; confirm in the property reference.
admin_ssh_password="string",
admin_ssh_port=0,
# NOTE(review): by name these two switch on legacy admin access (SSH protocol 1, Telnet);
# presumably enable/disable. Confirm, and review any stack that turns them on.
admin_ssh_v1="string",
admin_telnet="string",
admin_telnet_port=0,
admintimeout=0,
alias="string",
allow_traffic_redirect="string",
anti_replay="string",
arp_max_entry=0,
asymroute="string",
auth_cert="string",
auth_http_port=0,
auth_https_port=0,
auth_ike_saml_port=0,
auth_keepalive="string",
auth_session_limit="string",
auto_auth_extension_device="string",
autorun_log_fsck="string",
av_affinity="string",
av_failopen="string",
av_failopen_session="string",
batch_cmdb="string",
bfd_affinity="string",
block_session_timer=0,
br_fdb_max_entry=0,
cert_chain_max=0,
cfg_revert_timeout=0,
cfg_save="string",
check_protocol_header="string",
check_reset_range="string",
cli_audit_log="string",
cloud_communication="string",
clt_cert_req="string",
cmdbsvr_affinity="string",
compliance_check="string",
compliance_check_time="string",
cpu_use_threshold=0,
csr_ca_attribute="string",
daily_restart="string",
default_service_source_port="string",
device_identification_active_scan_delay=0,
device_idle_timeout=0,
dh_params="string",
dnsproxy_worker_count=0,
dst="string",
dynamic_sort_subtable="string",
early_tcp_npu_session="string",
edit_vdom_prompt="string",
endpoint_control_fds_access="string",
endpoint_control_portal_port=0,
extender_controller_reserved_network="string",
failtime=0,
faz_disk_buffer_size=0,
fds_statistics="string",
fds_statistics_period=0,
fec_port=0,
fgd_alert_subscription="string",
forticonverter_config_upload="string",
forticonverter_integration="string",
fortiextender="string",
fortiextender_data_port=0,
fortiextender_discovery_lockdown="string",
fortiextender_provision_on_authorization="string",
fortiextender_vlan_mode="string",
fortigslb_integration="string",
fortiipam_integration="string",
fortiservice_port=0,
fortitoken_cloud="string",
fortitoken_cloud_push_status="string",
fortitoken_cloud_sync_interval=0,
get_all_tables="string",
gui_allow_default_hostname="string",
gui_allow_incompatible_fabric_fgt="string",
gui_app_detection_sdwan="string",
gui_auto_upgrade_setup_warning="string",
gui_cdn_domain_override="string",
gui_cdn_usage="string",
gui_certificates="string",
gui_custom_language="string",
gui_date_format="string",
gui_date_time_source="string",
gui_device_latitude="string",
gui_device_longitude="string",
gui_display_hostname="string",
gui_firmware_upgrade_setup_warning="string",
gui_firmware_upgrade_warning="string",
gui_forticare_registration_setup_warning="string",
gui_fortigate_cloud_sandbox="string",
gui_fortiguard_resource_fetch="string",
gui_fortisandbox_cloud="string",
gui_ipv6="string",
gui_lines_per_page=0,
gui_local_out="string",
gui_replacement_message_groups="string",
gui_rest_api_cache="string",
gui_theme="string",
gui_wireless_opensecurity="string",
gui_workflow_management="string",
ha_affinity="string",
honor_df="string",
hostname="string",
igmp_state_limit=0,
ike_embryonic_limit=0,
interface_subnet_usage="string",
internet_service_database="string",
# The only nested input in this listing: a list of args objects.
internet_service_download_lists=[fortios.system.GlobalInternetServiceDownloadListArgs(
id=0,
)],
interval=0,
ip_fragment_mem_thresholds=0,
ip_src_port_range="string",
ips_affinity="string",
ipsec_asic_offload="string",
ipsec_ha_seqjump_rate=0,
ipsec_hmac_offload="string",
ipsec_round_robin="string",
ipsec_soft_dec_async="string",
ipv6_accept_dad=0,
ipv6_allow_anycast_probe="string",
ipv6_allow_local_in_slient_drop="string",
ipv6_allow_multicast_probe="string",
ipv6_allow_traffic_redirect="string",
irq_time_accounting="string",
language="string",
ldapconntimeout=0,
lldp_reception="string",
lldp_transmission="string",
log_single_cpu_high="string",
log_ssl_connection="string",
log_uuid_address="string",
log_uuid_policy="string",
login_timestamp="string",
long_vdom_name="string",
management_ip="string",
management_port=0,
management_port_use_admin_sport="string",
management_vdom="string",
max_dlpstat_memory=0,
max_route_cache_size=0,
mc_ttl_notchange="string",
memory_use_threshold_extreme=0,
memory_use_threshold_green=0,
memory_use_threshold_red=0,
miglog_affinity="string",
miglogd_children=0,
multi_factor_authentication="string",
multicast_forward="string",
ndp_max_entry=0,
per_user_bal="string",
per_user_bwl="string",
pmtu_discovery="string",
policy_auth_concurrent=0,
post_login_banner="string",
pre_login_banner="string",
# NOTE(review): presumably controls encryption of private data in the device configuration;
# confirm its semantics before changing it on a live device.
private_data_encryption="string",
proxy_auth_lifetime="string",
proxy_auth_lifetime_timeout=0,
proxy_auth_timeout=0,
proxy_cert_use_mgmt_vdom="string",
proxy_cipher_hardware_acceleration="string",
proxy_hardware_acceleration="string",
proxy_keep_alive_mode="string",
proxy_kxp_hardware_acceleration="string",
proxy_re_authentication_mode="string",
proxy_re_authentication_time=0,
proxy_resource_mode="string",
proxy_worker_count=0,
purdue_level="string",
quic_ack_thresold=0,
quic_congestion_control_algo="string",
quic_max_datagram_size=0,
quic_pmtud="string",
quic_tls_handshake_timeout=0,
quic_udp_payload_size_shaping_per_cid="string",
radius_port=0,
reboot_upon_config_restore="string",
refresh=0,
remoteauthtimeout=0,
reset_sessionless_tcp="string",
restart_time="string",
revision_backup_on_logout="string",
revision_image_auto_backup="string",
scanunit_count=0,
security_rating_result_submission="string",
security_rating_run_on_schedule="string",
send_pmtu_icmp="string",
sflowd_max_children_num=0,
snat_route_change="string",
special_file23_support="string",
speedtest_server="string",
speedtestd_ctrl_port=0,
speedtestd_server_port=0,
split_port="string",
ssd_trim_date=0,
ssd_trim_freq="string",
ssd_trim_hour=0,
ssd_trim_min=0,
ssd_trim_weekday="string",
# SSH server crypto inputs. NOTE(review): ssh_cbc_cipher, ssh_hmac_md5, ssh_kex_sha1 and
# ssh_mac_weak look like opt-ins for older algorithms; confirm the accepted values. Presumably
# they are best left disabled unless a legacy client needs them.
ssh_cbc_cipher="string",
ssh_enc_algo="string",
ssh_hmac_md5="string",
# NOTE(review): ssh_hostkey and ssh_hostkey_password presumably carry key material and its
# passphrase. Supply them as Pulumi secrets (e.g. pulumi.Config().require_secret(...)) rather
# than literals so they are encrypted in state.
ssh_hostkey="string",
ssh_hostkey_algo="string",
ssh_hostkey_override="string",
ssh_hostkey_password="string",
ssh_kex_algo="string",
ssh_kex_sha1="string",
ssh_mac_algo="string",
ssh_mac_weak="string",
# NOTE(review): by name, the minimum TLS version and a switch for static-key ciphers; confirm
# the accepted tokens in the property reference.
ssl_min_proto_version="string",
ssl_static_key_ciphers="string",
sslvpn_cipher_hardware_acceleration="string",
sslvpn_ems_sn_check="string",
sslvpn_kxp_hardware_acceleration="string",
sslvpn_max_worker_count=0,
sslvpn_plugin_version_check="string",
sslvpn_web_mode="string",
strict_dirty_session_check="string",
# NOTE(review): by name, restricts the device to strong ciphers; confirm how it interacts with
# the per-protocol cipher inputs above.
strong_crypto="string",
switch_controller="string",
switch_controller_reserved_network="string",
sys_perf_log_interval=0,
syslog_affinity="string",
tcp_halfclose_timer=0,
tcp_halfopen_timer=0,
tcp_option="string",
tcp_rst_timer=0,
tcp_timewait_timer=0,
tftp="string",
timezone="string",
tp_mc_skip_policy="string",
traffic_priority="string",
traffic_priority_level="string",
# Integer placeholders again; units and valid ranges of these expiry inputs are not shown here.
two_factor_email_expiry=0,
two_factor_fac_expiry=0,
two_factor_ftk_expiry=0,
two_factor_ftm_expiry=0,
two_factor_sms_expiry=0,
udp_idle_timer=0,
url_filter_affinity="string",
url_filter_count=0,
user_device_store_max_devices=0,
user_device_store_max_unified_mem=0,
user_device_store_max_users=0,
user_server_cert="string",
vdom_admin="string",
vdom_mode="string",
vdomparam="string",
vip_arp_range="string",
virtual_server_count=0,
virtual_server_hardware_acceleration="string",
virtual_switch_vlan="string",
vpn_ems_sn_check="string",
wad_affinity="string",
wad_csvc_cs_count=0,
wad_csvc_db_count=0,
wad_memory_change_granularity=0,
wad_restart_end_time="string",
wad_restart_mode="string",
wad_restart_start_time="string",
wad_source_affinity="string",
wad_worker_count=0,
wifi_ca_certificate="string",
wifi_certificate="string",
wimax4g_usb="string",
wireless_controller="string",
wireless_controller_port=0)
// Constructor reference for fortios.system.Global (TypeScript): the args object lists the
// inputs once each with a type placeholder ("string" for string inputs, 0 for integer inputs).
// The placeholders are not defaults or recommended values. A real program sets only the inputs
// it means to manage, as the four-property Example Usage on this page does.
const exampleglobalResourceResourceFromSystemglobal = new fortios.system.Global("exampleglobalResourceResourceFromSystemglobal", {
adminConcurrent: "string",
adminConsoleTimeout: 0,
adminForticloudSsoDefaultProfile: "string",
adminForticloudSsoLogin: "string",
adminHost: "string",
adminHstsMaxAge: 0,
adminHttpsPkiRequired: "string",
adminHttpsRedirect: "string",
// TLS settings for the admin HTTPS interface, by name. The accepted cipher and version tokens
// are not shown in this listing; take them from the property reference.
adminHttpsSslBannedCiphers: "string",
adminHttpsSslCiphersuites: "string",
adminHttpsSslVersions: "string",
// 0 is only the integer placeholder here, not a suggested lockout policy.
adminLockoutDuration: 0,
adminLockoutThreshold: 0,
adminLoginMax: 0,
adminMaintainer: "string",
adminPort: 0,
adminRestrictLocal: "string",
adminScp: "string",
adminServerCert: "string",
adminSport: 0,
adminSshGraceTime: 0,
// NOTE(review): presumably an enable/disable switch for SSH password logins rather than a
// password value; confirm in the property reference.
adminSshPassword: "string",
adminSshPort: 0,
// NOTE(review): by name these two switch on legacy admin access (SSH protocol 1, Telnet);
// presumably enable/disable. Confirm, and review any stack that turns them on.
adminSshV1: "string",
adminTelnet: "string",
adminTelnetPort: 0,
admintimeout: 0,
alias: "string",
allowTrafficRedirect: "string",
antiReplay: "string",
arpMaxEntry: 0,
asymroute: "string",
authCert: "string",
authHttpPort: 0,
authHttpsPort: 0,
authIkeSamlPort: 0,
authKeepalive: "string",
authSessionLimit: "string",
autoAuthExtensionDevice: "string",
autorunLogFsck: "string",
avAffinity: "string",
avFailopen: "string",
avFailopenSession: "string",
batchCmdb: "string",
bfdAffinity: "string",
blockSessionTimer: 0,
brFdbMaxEntry: 0,
certChainMax: 0,
cfgRevertTimeout: 0,
cfgSave: "string",
checkProtocolHeader: "string",
checkResetRange: "string",
cliAuditLog: "string",
cloudCommunication: "string",
cltCertReq: "string",
cmdbsvrAffinity: "string",
complianceCheck: "string",
complianceCheckTime: "string",
cpuUseThreshold: 0,
csrCaAttribute: "string",
dailyRestart: "string",
defaultServiceSourcePort: "string",
deviceIdentificationActiveScanDelay: 0,
deviceIdleTimeout: 0,
dhParams: "string",
dnsproxyWorkerCount: 0,
dst: "string",
dynamicSortSubtable: "string",
earlyTcpNpuSession: "string",
editVdomPrompt: "string",
endpointControlFdsAccess: "string",
endpointControlPortalPort: 0,
extenderControllerReservedNetwork: "string",
failtime: 0,
fazDiskBufferSize: 0,
fdsStatistics: "string",
fdsStatisticsPeriod: 0,
fecPort: 0,
fgdAlertSubscription: "string",
forticonverterConfigUpload: "string",
forticonverterIntegration: "string",
fortiextender: "string",
fortiextenderDataPort: 0,
fortiextenderDiscoveryLockdown: "string",
fortiextenderProvisionOnAuthorization: "string",
fortiextenderVlanMode: "string",
fortigslbIntegration: "string",
fortiipamIntegration: "string",
fortiservicePort: 0,
fortitokenCloud: "string",
fortitokenCloudPushStatus: "string",
fortitokenCloudSyncInterval: 0,
getAllTables: "string",
guiAllowDefaultHostname: "string",
guiAllowIncompatibleFabricFgt: "string",
guiAppDetectionSdwan: "string",
guiAutoUpgradeSetupWarning: "string",
guiCdnDomainOverride: "string",
guiCdnUsage: "string",
guiCertificates: "string",
guiCustomLanguage: "string",
guiDateFormat: "string",
guiDateTimeSource: "string",
guiDeviceLatitude: "string",
guiDeviceLongitude: "string",
guiDisplayHostname: "string",
guiFirmwareUpgradeSetupWarning: "string",
guiFirmwareUpgradeWarning: "string",
guiForticareRegistrationSetupWarning: "string",
guiFortigateCloudSandbox: "string",
guiFortiguardResourceFetch: "string",
guiFortisandboxCloud: "string",
guiIpv6: "string",
guiLinesPerPage: 0,
guiLocalOut: "string",
guiReplacementMessageGroups: "string",
guiRestApiCache: "string",
guiTheme: "string",
guiWirelessOpensecurity: "string",
guiWorkflowManagement: "string",
haAffinity: "string",
honorDf: "string",
hostname: "string",
igmpStateLimit: 0,
ikeEmbryonicLimit: 0,
interfaceSubnetUsage: "string",
internetServiceDatabase: "string",
// The only nested input in this listing: an array of objects.
internetServiceDownloadLists: [{
id: 0,
}],
interval: 0,
ipFragmentMemThresholds: 0,
ipSrcPortRange: "string",
ipsAffinity: "string",
ipsecAsicOffload: "string",
ipsecHaSeqjumpRate: 0,
ipsecHmacOffload: "string",
ipsecRoundRobin: "string",
ipsecSoftDecAsync: "string",
ipv6AcceptDad: 0,
ipv6AllowAnycastProbe: "string",
ipv6AllowLocalInSlientDrop: "string",
ipv6AllowMulticastProbe: "string",
ipv6AllowTrafficRedirect: "string",
irqTimeAccounting: "string",
language: "string",
ldapconntimeout: 0,
lldpReception: "string",
lldpTransmission: "string",
logSingleCpuHigh: "string",
logSslConnection: "string",
logUuidAddress: "string",
logUuidPolicy: "string",
loginTimestamp: "string",
longVdomName: "string",
managementIp: "string",
managementPort: 0,
managementPortUseAdminSport: "string",
managementVdom: "string",
maxDlpstatMemory: 0,
maxRouteCacheSize: 0,
mcTtlNotchange: "string",
memoryUseThresholdExtreme: 0,
memoryUseThresholdGreen: 0,
memoryUseThresholdRed: 0,
miglogAffinity: "string",
miglogdChildren: 0,
multiFactorAuthentication: "string",
multicastForward: "string",
ndpMaxEntry: 0,
perUserBal: "string",
perUserBwl: "string",
pmtuDiscovery: "string",
policyAuthConcurrent: 0,
postLoginBanner: "string",
preLoginBanner: "string",
// NOTE(review): presumably controls encryption of private data in the device configuration;
// confirm its semantics before changing it on a live device.
privateDataEncryption: "string",
proxyAuthLifetime: "string",
proxyAuthLifetimeTimeout: 0,
proxyAuthTimeout: 0,
proxyCertUseMgmtVdom: "string",
proxyCipherHardwareAcceleration: "string",
proxyHardwareAcceleration: "string",
proxyKeepAliveMode: "string",
proxyKxpHardwareAcceleration: "string",
proxyReAuthenticationMode: "string",
proxyReAuthenticationTime: 0,
proxyResourceMode: "string",
proxyWorkerCount: 0,
purdueLevel: "string",
quicAckThresold: 0,
quicCongestionControlAlgo: "string",
quicMaxDatagramSize: 0,
quicPmtud: "string",
quicTlsHandshakeTimeout: 0,
quicUdpPayloadSizeShapingPerCid: "string",
radiusPort: 0,
rebootUponConfigRestore: "string",
refresh: 0,
remoteauthtimeout: 0,
resetSessionlessTcp: "string",
restartTime: "string",
revisionBackupOnLogout: "string",
revisionImageAutoBackup: "string",
scanunitCount: 0,
securityRatingResultSubmission: "string",
securityRatingRunOnSchedule: "string",
sendPmtuIcmp: "string",
sflowdMaxChildrenNum: 0,
snatRouteChange: "string",
specialFile23Support: "string",
speedtestServer: "string",
speedtestdCtrlPort: 0,
speedtestdServerPort: 0,
splitPort: "string",
ssdTrimDate: 0,
ssdTrimFreq: "string",
ssdTrimHour: 0,
ssdTrimMin: 0,
ssdTrimWeekday: "string",
// SSH server crypto inputs. NOTE(review): sshCbcCipher, sshHmacMd5, sshKexSha1 and sshMacWeak
// look like opt-ins for older algorithms; confirm the accepted values. Presumably they are
// best left disabled unless a legacy client needs them.
sshCbcCipher: "string",
sshEncAlgo: "string",
sshHmacMd5: "string",
// NOTE(review): sshHostkey and sshHostkeyPassword presumably carry key material and its
// passphrase. Supply them as Pulumi secrets (e.g. new pulumi.Config().requireSecret(...))
// rather than literals so they are encrypted in state.
sshHostkey: "string",
sshHostkeyAlgo: "string",
sshHostkeyOverride: "string",
sshHostkeyPassword: "string",
sshKexAlgo: "string",
sshKexSha1: "string",
sshMacAlgo: "string",
sshMacWeak: "string",
// NOTE(review): by name, the minimum TLS version and a switch for static-key ciphers; confirm
// the accepted tokens in the property reference.
sslMinProtoVersion: "string",
sslStaticKeyCiphers: "string",
sslvpnCipherHardwareAcceleration: "string",
sslvpnEmsSnCheck: "string",
sslvpnKxpHardwareAcceleration: "string",
sslvpnMaxWorkerCount: 0,
sslvpnPluginVersionCheck: "string",
sslvpnWebMode: "string",
strictDirtySessionCheck: "string",
// NOTE(review): by name, restricts the device to strong ciphers; confirm how it interacts with
// the per-protocol cipher inputs above.
strongCrypto: "string",
switchController: "string",
switchControllerReservedNetwork: "string",
sysPerfLogInterval: 0,
syslogAffinity: "string",
tcpHalfcloseTimer: 0,
tcpHalfopenTimer: 0,
tcpOption: "string",
tcpRstTimer: 0,
tcpTimewaitTimer: 0,
tftp: "string",
timezone: "string",
tpMcSkipPolicy: "string",
trafficPriority: "string",
trafficPriorityLevel: "string",
// Integer placeholders again; units and valid ranges of these expiry inputs are not shown here.
twoFactorEmailExpiry: 0,
twoFactorFacExpiry: 0,
twoFactorFtkExpiry: 0,
twoFactorFtmExpiry: 0,
twoFactorSmsExpiry: 0,
udpIdleTimer: 0,
urlFilterAffinity: "string",
urlFilterCount: 0,
userDeviceStoreMaxDevices: 0,
userDeviceStoreMaxUnifiedMem: 0,
userDeviceStoreMaxUsers: 0,
userServerCert: "string",
vdomAdmin: "string",
vdomMode: "string",
vdomparam: "string",
vipArpRange: "string",
virtualServerCount: 0,
virtualServerHardwareAcceleration: "string",
virtualSwitchVlan: "string",
vpnEmsSnCheck: "string",
wadAffinity: "string",
wadCsvcCsCount: 0,
wadCsvcDbCount: 0,
wadMemoryChangeGranularity: 0,
wadRestartEndTime: "string",
wadRestartMode: "string",
wadRestartStartTime: "string",
wadSourceAffinity: "string",
wadWorkerCount: 0,
wifiCaCertificate: "string",
wifiCertificate: "string",
wimax4gUsb: "string",
wirelessController: "string",
wirelessControllerPort: 0,
});
type: fortios:system:Global
properties:
adminConcurrent: string
adminConsoleTimeout: 0
adminForticloudSsoDefaultProfile: string
adminForticloudSsoLogin: string
adminHost: string
adminHstsMaxAge: 0
adminHttpsPkiRequired: string
adminHttpsRedirect: string
adminHttpsSslBannedCiphers: string
adminHttpsSslCiphersuites: string
adminHttpsSslVersions: string
adminLockoutDuration: 0
adminLockoutThreshold: 0
adminLoginMax: 0
adminMaintainer: string
adminPort: 0
adminRestrictLocal: string
adminScp: string
adminServerCert: string
adminSport: 0
adminSshGraceTime: 0
adminSshPassword: string
adminSshPort: 0
adminSshV1: string
adminTelnet: string
adminTelnetPort: 0
admintimeout: 0
alias: string
allowTrafficRedirect: string
antiReplay: string
arpMaxEntry: 0
asymroute: string
authCert: string
authHttpPort: 0
authHttpsPort: 0
authIkeSamlPort: 0
authKeepalive: string
authSessionLimit: string
autoAuthExtensionDevice: string
autorunLogFsck: string
avAffinity: string
avFailopen: string
avFailopenSession: string
batchCmdb: string
bfdAffinity: string
blockSessionTimer: 0
brFdbMaxEntry: 0
certChainMax: 0
cfgRevertTimeout: 0
cfgSave: string
checkProtocolHeader: string
checkResetRange: string
cliAuditLog: string
cloudCommunication: string
cltCertReq: string
cmdbsvrAffinity: string
complianceCheck: string
complianceCheckTime: string
cpuUseThreshold: 0
csrCaAttribute: string
dailyRestart: string
defaultServiceSourcePort: string
deviceIdentificationActiveScanDelay: 0
deviceIdleTimeout: 0
dhParams: string
dnsproxyWorkerCount: 0
dst: string
dynamicSortSubtable: string
earlyTcpNpuSession: string
editVdomPrompt: string
endpointControlFdsAccess: string
endpointControlPortalPort: 0
extenderControllerReservedNetwork: string
failtime: 0
fazDiskBufferSize: 0
fdsStatistics: string
fdsStatisticsPeriod: 0
fecPort: 0
fgdAlertSubscription: string
forticonverterConfigUpload: string
forticonverterIntegration: string
fortiextender: string
fortiextenderDataPort: 0
fortiextenderDiscoveryLockdown: string
fortiextenderProvisionOnAuthorization: string
fortiextenderVlanMode: string
fortigslbIntegration: string
fortiipamIntegration: string
fortiservicePort: 0
fortitokenCloud: string
fortitokenCloudPushStatus: string
fortitokenCloudSyncInterval: 0
getAllTables: string
guiAllowDefaultHostname: string
guiAllowIncompatibleFabricFgt: string
guiAppDetectionSdwan: string
guiAutoUpgradeSetupWarning: string
guiCdnDomainOverride: string
guiCdnUsage: string
guiCertificates: string
guiCustomLanguage: string
guiDateFormat: string
guiDateTimeSource: string
guiDeviceLatitude: string
guiDeviceLongitude: string
guiDisplayHostname: string
guiFirmwareUpgradeSetupWarning: string
guiFirmwareUpgradeWarning: string
guiForticareRegistrationSetupWarning: string
guiFortigateCloudSandbox: string
guiFortiguardResourceFetch: string
guiFortisandboxCloud: string
guiIpv6: string
guiLinesPerPage: 0
guiLocalOut: string
guiReplacementMessageGroups: string
guiRestApiCache: string
guiTheme: string
guiWirelessOpensecurity: string
guiWorkflowManagement: string
haAffinity: string
honorDf: string
hostname: string
igmpStateLimit: 0
ikeEmbryonicLimit: 0
interfaceSubnetUsage: string
internetServiceDatabase: string
internetServiceDownloadLists:
- id: 0
interval: 0
ipFragmentMemThresholds: 0
ipSrcPortRange: string
ipsAffinity: string
ipsecAsicOffload: string
ipsecHaSeqjumpRate: 0
ipsecHmacOffload: string
ipsecRoundRobin: string
ipsecSoftDecAsync: string
ipv6AcceptDad: 0
ipv6AllowAnycastProbe: string
ipv6AllowLocalInSlientDrop: string
ipv6AllowMulticastProbe: string
ipv6AllowTrafficRedirect: string
irqTimeAccounting: string
language: string
ldapconntimeout: 0
lldpReception: string
lldpTransmission: string
logSingleCpuHigh: string
logSslConnection: string
logUuidAddress: string
logUuidPolicy: string
loginTimestamp: string
longVdomName: string
managementIp: string
managementPort: 0
managementPortUseAdminSport: string
managementVdom: string
maxDlpstatMemory: 0
maxRouteCacheSize: 0
mcTtlNotchange: string
memoryUseThresholdExtreme: 0
memoryUseThresholdGreen: 0
memoryUseThresholdRed: 0
miglogAffinity: string
miglogdChildren: 0
multiFactorAuthentication: string
multicastForward: string
ndpMaxEntry: 0
perUserBal: string
perUserBwl: string
pmtuDiscovery: string
policyAuthConcurrent: 0
postLoginBanner: string
preLoginBanner: string
privateDataEncryption: string
proxyAuthLifetime: string
proxyAuthLifetimeTimeout: 0
proxyAuthTimeout: 0
proxyCertUseMgmtVdom: string
proxyCipherHardwareAcceleration: string
proxyHardwareAcceleration: string
proxyKeepAliveMode: string
proxyKxpHardwareAcceleration: string
proxyReAuthenticationMode: string
proxyReAuthenticationTime: 0
proxyResourceMode: string
proxyWorkerCount: 0
purdueLevel: string
quicAckThresold: 0
quicCongestionControlAlgo: string
quicMaxDatagramSize: 0
quicPmtud: string
quicTlsHandshakeTimeout: 0
quicUdpPayloadSizeShapingPerCid: string
radiusPort: 0
rebootUponConfigRestore: string
refresh: 0
remoteauthtimeout: 0
resetSessionlessTcp: string
restartTime: string
revisionBackupOnLogout: string
revisionImageAutoBackup: string
scanunitCount: 0
securityRatingResultSubmission: string
securityRatingRunOnSchedule: string
sendPmtuIcmp: string
sflowdMaxChildrenNum: 0
snatRouteChange: string
specialFile23Support: string
speedtestServer: string
speedtestdCtrlPort: 0
speedtestdServerPort: 0
splitPort: string
ssdTrimDate: 0
ssdTrimFreq: string
ssdTrimHour: 0
ssdTrimMin: 0
ssdTrimWeekday: string
sshCbcCipher: string
sshEncAlgo: string
sshHmacMd5: string
sshHostkey: string
sshHostkeyAlgo: string
sshHostkeyOverride: string
sshHostkeyPassword: string
sshKexAlgo: string
sshKexSha1: string
sshMacAlgo: string
sshMacWeak: string
sslMinProtoVersion: string
sslStaticKeyCiphers: string
sslvpnCipherHardwareAcceleration: string
sslvpnEmsSnCheck: string
sslvpnKxpHardwareAcceleration: string
sslvpnMaxWorkerCount: 0
sslvpnPluginVersionCheck: string
sslvpnWebMode: string
strictDirtySessionCheck: string
strongCrypto: string
switchController: string
switchControllerReservedNetwork: string
sysPerfLogInterval: 0
syslogAffinity: string
tcpHalfcloseTimer: 0
tcpHalfopenTimer: 0
tcpOption: string
tcpRstTimer: 0
tcpTimewaitTimer: 0
tftp: string
timezone: string
tpMcSkipPolicy: string
trafficPriority: string
trafficPriorityLevel: string
twoFactorEmailExpiry: 0
twoFactorFacExpiry: 0
twoFactorFtkExpiry: 0
twoFactorFtmExpiry: 0
twoFactorSmsExpiry: 0
udpIdleTimer: 0
urlFilterAffinity: string
urlFilterCount: 0
userDeviceStoreMaxDevices: 0
userDeviceStoreMaxUnifiedMem: 0
userDeviceStoreMaxUsers: 0
userServerCert: string
vdomAdmin: string
vdomMode: string
vdomparam: string
vipArpRange: string
virtualServerCount: 0
virtualServerHardwareAcceleration: string
virtualSwitchVlan: string
vpnEmsSnCheck: string
wadAffinity: string
wadCsvcCsCount: 0
wadCsvcDbCount: 0
wadMemoryChangeGranularity: 0
wadRestartEndTime: string
wadRestartMode: string
wadRestartStartTime: string
wadSourceAffinity: string
wadWorkerCount: 0
wifiCaCertificate: string
wifiCertificate: string
wimax4gUsb: string
wirelessController: string
wirelessControllerPort: 0
Global Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Global resource accepts the following input properties:
- Admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - Admin
Console intTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- Admin
Forticloud stringSso Default Profile - Override access profile.
- Admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - Admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- Admin
Hsts intMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- Admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - Admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - Admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - Admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - Admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- Admin
Lockout intDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- Admin
Lockout intThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- Admin
Login intMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- Admin
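Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number rather than chosen by an administrator, keep the setting disabled on units whose physical console access is not controlled. Valid values: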
enable
,disable
. - Admin
Port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- Admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - Admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - Admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- Admin
Sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- Admin
Ssh intGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- Admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - Admin
Ssh intPort - Administrative access port for SSH. (1 - 65535, default = 22).
- Admin
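Ssh stringV1 - Enable/disable SSH v1 compatibility. SSH v1 is an obsolete protocol version with known cryptographic weaknesses; keep it disabled unless a legacy client cannot use SSH v2. Valid values: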
enable
,disable
. - Admin
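Telnet string - Enable/disable TELNET service. TELNET carries credentials and session data unencrypted, so SSH is the safer choice for administrative access. Valid values: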
enable
,disable
. - Admin
Telnet intPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- Admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- Alias string
- Alias for your FortiGate unit.
- Allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - Anti
Replay string - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - Arp
Max intEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- Asymroute string
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - Auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- Auth
Http intPort - User authentication HTTP port. (1 - 65535, default = 80).
- Auth
Https intPort - User authentication HTTPS port. (1 - 65535, default = 443).
- Auth
Ike intSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- Auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - Auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - Auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - Autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - Av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - Av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - Batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - Bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Block
Session intTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- Br
Fdb intMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- Cert
Chain intMax - Maximum number of certificates that can be traversed in a certificate chain.
- Cfg
Revert intTimeout - Time-out for reverting to the last saved configuration.
- Cfg
Save string - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - Check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - Check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - Cli
Audit stringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - Cloud
Communication string - Enable/disable all cloud communication. Valid values:
enable
,disable
. - Clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - Cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Compliance
Check string - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - Compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- Cpu
Use intThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- Csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - Daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - Default
Service stringSource Port - Default service source port range. (default=1-65535)
- Device
Identification intActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- Device
Idle intTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- Dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Groups smaller than 2048 bits are generally considered too weak for current use. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - Dnsproxy
Worker intCount - DNS proxy worker count.
- Dst string
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Early
Tcp stringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - Edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - Endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - Endpoint
Control intPortal Port - Endpoint control portal port (1 - 65535).
- Extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- Failtime int
- Fail-time for server lost.
- Faz
Disk intBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- Fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - Fds
Statistics intPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- Fec
Port int - Local UDP port for Forward Error Correction (49152 - 65535).
- Fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - Forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - Forticonverter
Integration string - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - Fortiextender string
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - Fortiextender
Data intPort - FortiExtender data port (1024 - 49150, default = 25246).
- Fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - FortiextenderProvisionOnAuthorization string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - Fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - Fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - Fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - Fortiservice
Port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- Fortitoken
Cloud string - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - Fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - Fortitoken
Cloud intSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname Valid values:
enable
,disable
. - Gui
Allow stringIncompatible Fabric Fgt - Enable/disable treating FortiGates with incompatible firmware as compatible in the Security Fabric on the GUI. May cause unexpected errors. Valid values:
enable
,disable
. - Gui
App stringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - Gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - Gui
Cdn stringDomain Override - Domain of CDN server.
- Gui
Cdn stringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - Gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - Gui
Custom stringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - Gui
Date stringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - Gui
Date stringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - Gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - Gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - Gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - Gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - Gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - Gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - Gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - Gui
Ipv6 string - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - Gui
Lines intPer Page - Number of lines to display per page for web administration.
- Gui
Local stringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - Gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - Gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - Gui
Theme string - Color scheme for the administration GUI.
- Gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - Gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - Ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - Hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- Igmp
State intLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- Ike
Embryonic intLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- Interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - Internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- Internet
Service List<Pulumiverse.Download Lists Fortios. System. Inputs. Global Internet Service Download List> - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - Interval int
- Dead gateway detection interval.
- Ip
Fragment intMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- Ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- Ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- Ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - Ipsec
Ha intSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- Ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - Ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - Ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - Ipv6Accept
Dad int - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- Ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - Ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - Ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - Ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - Irq
Time stringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - Language string
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - Ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- Lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - Lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - Log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - Log
Ssl stringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - Log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - Log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - Login
Timestamp string - Enable/disable login time recording. Valid values:
enable
,disable
. - Long
Vdom stringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - Management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- Management
Port int - Overriding port for management connection (Overrides admin port).
- Management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - Management
Vdom string - Management virtual domain name.
- Max
Dlpstat intMemory - Maximum DLP stat memory (0 - 4294967295).
- Max
Route intCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- Mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - Memory
Use intThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- Memory
Use intThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- Memory
Use intThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- Miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- Miglogd
Children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- Multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - Multicast
Forward string - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - Ndp
Max intEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- Per
User stringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - Per
User stringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - Pmtu
Discovery string - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - Policy
Auth intConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- PostLoginBanner string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - PreLoginBanner string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - Private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - Proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - Proxy
Auth intLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- Proxy
Auth intTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- Proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - Proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - Proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - Proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - Proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - Proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - Proxy
Re intAuthentication Time - The time limit within which users must re-authenticate if proxy-keep-alive-mode is set to re-authentication (1 - 86400 sec, default = 30s).
- Proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - Proxy
Worker intCount - Proxy worker count.
- Purdue
Level string - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - Quic
Ack intThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- Quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - Quic
Max intDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- Quic
Pmtud string - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - Quic
Tls intHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- Quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - Radius
Port int - RADIUS service port number.
- Reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - Refresh int
- Statistics refresh interval in GUI.
- Remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- Reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - Restart
Time string - Daily restart time (hh:mm).
- Revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - Revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - Scanunit
Count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- Security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - Security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - Send
Pmtu stringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. Valid values:
enable
,disable
. - Sflowd
Max intChildren Num - Maximum number of sflowd child processes allowed to run.
- Snat
Route stringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - Special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - Speedtest
Server string - Enable/disable speed test server. Valid values:
enable
,disable
. - Speedtestd
Ctrl intPort - Speedtest server controller port number.
- Speedtestd
Server intPort - Speedtest server port number.
- Split
Port string - Split port(s) to multiple 10Gbps ports.
- Ssd
Trim intDate - Date within a month to run ssd trim.
- Ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - Ssd
Trim intHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- Ssd
Trim intMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- Ssd
Trim stringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - Ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - Ssh
Enc stringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - Ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - Ssh
Hostkey string - Config SSH host key.
- Ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- Ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - Ssh
Hostkey stringPassword - Password for ssh-hostkey.
- Ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- Ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - Ssh
Mac stringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - Ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - Ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- Ssl
Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Valid values:
enable
,disable
. - Sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - Sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - Sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - Sslvpn
Max intWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- Sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - Sslvpn
Web stringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - Strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - Strong
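Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. 3DES and SHA1 are deprecated in current cryptographic guidance, so also review the explicit SSH and TLS cipher, MAC and protocol-version settings rather than relying on this option alone. Valid values: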
enable
,disable
. - Switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - Switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- Sys
Perf intLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- Syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Tcp
Halfclose intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- Tcp
Halfopen intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- Tcp
Option string - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - Tcp
Rst intTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- Tcp
Timewait intTimer - Length of the TCP TIME-WAIT state in seconds.
- Tftp string
- Enable/disable TFTP. Valid values:
enable
,disable
. - Timezone string
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- Tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - Traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - Traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - Two
Factor intEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- Two
Factor intFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- Two
Factor intFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- Two
Factor intFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- Two
Factor intSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- Udp
Idle intTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- Url
Filter stringAffinity - URL filter CPU affinity.
- Url
Filter intCount - URL filter daemon count.
- User
Device intStore Max Devices - Maximum number of devices allowed in user device store.
- User
Device intStore Max Unified Mem - Maximum unified memory allowed in user device store.
- User
Device intStore Max Users - Maximum number of users allowed in user device store.
- User
Server stringCert - Certificate to use for https user authentication.
- Vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - Vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - Virtual
Server intCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- Virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - Virtual
Switch stringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - Vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - Wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Wad
Csvc intCs Count - Number of concurrent WAD-cache-service object-cache processes.
- Wad
Csvc intDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- Wad
Memory intChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- Wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- Wad
Restart stringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - Wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- Wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - Wad
Worker intCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- Wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- Wifi
Certificate string - Certificate to use for WiFi authentication.
- Wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - Wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - Wireless
Controller intPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- Admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - Admin
Console intTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- Admin
Forticloud stringSso Default Profile - Override access profile.
- Admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - Admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- Admin
Hsts intMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled the header max-age will be 0.
- Admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - Admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - Admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - Admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - Admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- Admin
Lockout intDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- Admin
Lockout intThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- Admin
Login intMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- Admin
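Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number, disable the setting wherever physical access to the console is not controlled; note that disabling it also removes this recovery path. Valid values: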
enable
,disable
. - Admin
Port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- Admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - Admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - Admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- Admin
Sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- Admin
Ssh intGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- Admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - Admin
Ssh intPort - Administrative access port for SSH. (1 - 65535, default = 22).
- Admin
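Ssh stringV1 - Enable/disable SSH v1 compatibility. SSH v1 is an obsolete protocol with known cryptographic weaknesses; leave it disabled unless a legacy client strictly requires it. Valid values: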
enable
,disable
. - Admin
Telnet string - Enable/disable TELNET service. TELNET carries credentials and session data unencrypted, so prefer SSH for administrative access. Valid values:
enable
,disable
. - Admin
Telnet intPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- Admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- Alias string
- Alias for your FortiGate unit.
- Allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - Anti
Replay string - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - Arp
Max intEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- Asymroute string
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - Auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- Auth
Http intPort - User authentication HTTP port. (1 - 65535, default = 80).
- Auth
Https intPort - User authentication HTTPS port. (1 - 65535, default = 443).
- Auth
Ike intSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- Auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - Auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - Auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - Autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - Av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - Av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - Batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - Bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Block
Session intTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- Br
Fdb intMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- Cert
Chain intMax - Maximum number of certificates that can be traversed in a certificate chain.
- Cfg
Revert intTimeout - Time-out for reverting to the last saved configuration.
- Cfg
Save string - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - Check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - Check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - Cli
Audit stringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - Cloud
Communication string - Enable/disable all cloud communication. Valid values:
enable
,disable
. - Clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - Cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Compliance
Check string - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - Compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- Cpu
Use intThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- Csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - Daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - Default
Service stringSource Port - Default service source port range. (default=1-65535)
- Device
Identification intActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- Device
Idle intTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- Dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Values below 2048 bits are no longer recommended by current guidance. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - Dnsproxy
Worker intCount - DNS proxy worker count.
- Dst string
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Early
Tcp stringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - Edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - Endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - Endpoint
Control intPortal Port - Endpoint control portal port (1 - 65535).
- Extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- Failtime int
- Fail-time for server lost.
- Faz
Disk intBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- Fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - Fds
Statistics intPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- Fec
Port int - Local UDP port for Forward Error Correction (49152 - 65535).
- Fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - Forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - Forticonverter
Integration string - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - Fortiextender string
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - Fortiextender
Data intPort - FortiExtender data port (1024 - 49150, default = 25246).
- Fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - FortiextenderProvisionOnAuthorization string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - Fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - Fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - Fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - Fortiservice
Port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- Fortitoken
Cloud string - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - Fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - Fortitoken
Cloud intSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname Valid values:
enable
,disable
. - Gui
Allow stringIncompatible Fabric Fgt - Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error. Valid values:
enable
,disable
. - Gui
App stringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - Gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - Gui
Cdn stringDomain Override - Domain of CDN server.
- Gui
Cdn stringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - Gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - Gui
Custom stringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - Gui
Date stringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - Gui
Date stringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - Gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - Gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - Gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - Gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - Gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - Gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - Gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - Gui
Ipv6 string - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - Gui
Lines intPer Page - Number of lines to display per page for web administration.
- Gui
Local stringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - Gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - Gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - Gui
Theme string - Color scheme for the administration GUI.
- Gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - Gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - Ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - Hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- Igmp
State intLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- Ike
Embryonic intLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- Interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - Internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- Internet
Service []GlobalDownload Lists Internet Service Download List Args - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - Interval int
- Dead gateway detection interval.
- Ip
Fragment intMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- Ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- Ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- Ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - Ipsec
Ha intSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- Ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - Ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - Ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - Ipv6Accept
Dad int - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- Ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - Ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - Ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - Ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - Irq
Time stringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - Language string
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - Ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- Lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - Lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - Log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - Log
Ssl stringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - Log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - Log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - Login
Timestamp string - Enable/disable login time recording. Valid values:
enable
,disable
. - Long
Vdom stringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - Management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- Management
Port int - Overriding port for management connection (Overrides admin port).
- Management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - Management
Vdom string - Management virtual domain name.
- Max
Dlpstat intMemory - Maximum DLP stat memory (0 - 4294967295).
- Max
Route intCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- Mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - Memory
Use intThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- Memory
Use intThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- Memory
Use intThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- Miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- Miglogd
Children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- Multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - Multicast
Forward string - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - Ndp
Max intEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- Per
User stringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - Per
User stringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - Pmtu
Discovery string - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - Policy
Auth intConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - Private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - Proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - Proxy
Auth intLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- Proxy
Auth intTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- Proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - Proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - Proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - Proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - Proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - Proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - Proxy
Re intAuthentication Time - Time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default = 30 sec).
- Proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - Proxy
Worker intCount - Proxy worker count.
- Purdue
Level string - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - Quic
Ack intThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- Quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - Quic
Max intDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- Quic
Pmtud string - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - Quic
Tls intHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- Quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - Radius
Port int - RADIUS service port number.
- Reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - Refresh int
- Statistics refresh interval in GUI.
- Remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- Reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - Restart
Time string - Daily restart time (hh:mm).
- Revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - Revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - Scanunit
Count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- Security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - Security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - Send
Pmtu stringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) ICMP destination unreachable packets, which supports the PMTUD protocol on your network and reduces fragmentation of packets. Valid values:
enable
,disable
. - Sflowd
Max intChildren Num - Maximum number of sflowd child processes allowed to run.
- Snat
Route stringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - Special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - Speedtest
Server string - Enable/disable speed test server. Valid values:
enable
,disable
. - Speedtestd
Ctrl intPort - Speedtest server controller port number.
- Speedtestd
Server intPort - Speedtest server port number.
- Split
Port string - Split port(s) to multiple 10Gbps ports.
- Ssd
Trim intDate - Date within a month to run ssd trim.
- Ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - Ssd
Trim intHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- Ssd
Trim intMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- Ssd
Trim stringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - Ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - Ssh
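Enc stringAlgo - Select one or more SSH ciphers. The arcfour, 3des-cbc, blowfish-cbc, cast128-cbc and other CBC-mode entries are legacy ciphers; prefer the CTR, GCM and chacha20-poly1305 entries unless an old client requires otherwise. Valid values: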
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - Ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - Ssh
Hostkey string - Config SSH host key.
- Ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- Ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - Ssh
Hostkey stringPassword - Password for ssh-hostkey.
- Ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- Ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - Ssh
Mac stringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - Ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - Ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- Ssl
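Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Static key ciphers do not provide forward secrecy, so disable them unless a legacy client requires them. Valid values: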
enable
,disable
. - Sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - Sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - Sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - Sslvpn
Max intWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- Sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - Sslvpn
Web stringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - Strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - Strong
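Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA1 are themselves deprecated by current standards, so also review the SSL/TLS and SSH algorithm settings on this resource. Valid values: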
enable
,disable
. - Switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - Switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- Sys
Perf intLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- Syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Tcp
Halfclose intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- Tcp
Halfopen intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- Tcp
Option string - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - Tcp
Rst intTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- Tcp
Timewait intTimer - Length of the TCP TIME-WAIT state in seconds.
- Tftp string
- Enable/disable TFTP. Valid values:
enable
,disable
. - Timezone string
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- Tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - Traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - Traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - Two
Factor intEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- Two
Factor intFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- Two
Factor intFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- Two
Factor intFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- Two
Factor intSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- Udp
Idle intTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- Url
Filter stringAffinity - URL filter CPU affinity.
- Url
Filter intCount - URL filter daemon count.
- User
Device intStore Max Devices - Maximum number of devices allowed in user device store.
- User
Device intStore Max Unified Mem - Maximum unified memory allowed in user device store.
- User
Device intStore Max Users - Maximum number of users allowed in user device store.
- User
Server stringCert - Certificate to use for https user authentication.
- Vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - Vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - Virtual
Server intCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- Virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - Virtual
Switch stringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - Vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - Wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Wad
Csvc intCs Count - Number of concurrent WAD-cache-service object-cache processes.
- Wad
Csvc intDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- Wad
Memory intChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- Wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- Wad
Restart stringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - Wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- Wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - Wad
Worker intCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- Wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- Wifi
Certificate string - Certificate to use for WiFi authentication.
- Wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - Wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - Wireless
Controller intPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- admin
Concurrent String - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - admin
Console IntegerTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin
Forticloud StringSso Default Profile - Override access profile.
- admin
Forticloud StringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - admin
Host String - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts IntegerMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- admin
Https StringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - admin
Https StringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - admin
Https StringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - admin
Https StringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - admin
Https StringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout IntegerDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout IntegerThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login IntegerMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
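Maintainer String - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number, the account is protected only by physical control of the console; disable it where physical access to the unit is not tightly restricted. Valid values: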
enable
,disable
. - admin
Port Integer - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict StringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - admin
Scp String - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - admin
Server StringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport Integer - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh IntegerGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh StringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - admin
Ssh IntegerPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
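Ssh StringV1 - Enable/disable SSH v1 compatibility. SSH v1 is an obsolete protocol with known cryptographic weaknesses; leave this disabled unless a legacy client cannot use SSH v2. Valid values: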
enable
,disable
. - admin
Telnet String - Enable/disable TELNET service. TELNET sends credentials and session data unencrypted, so prefer SSH for administrative access. Valid values:
enable
,disable
. - admin
Telnet IntegerPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout Integer
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias String
- Alias for your FortiGate unit.
- allow
Traffic StringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - anti
Replay String - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - arp
Max IntegerEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute String
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - auth
Cert String - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http IntegerPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https IntegerPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike IntegerSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive String - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - auth
Session StringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - auto
Auth StringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - autorun
Log StringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - av
Affinity String - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen String - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - av
Failopen StringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - batch
Cmdb String - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - bfd
Affinity String - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session IntegerTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb IntegerMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain IntegerMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert IntegerTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save String - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - check
Protocol StringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - check
Reset StringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - cli
Audit StringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - cloud
Communication String - Enable/disable all cloud communication. Valid values:
enable
,disable
. - clt
Cert StringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - cmdbsvr
Affinity String - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check String - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - compliance
Check StringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use IntegerThreshold - Threshold at which CPU usage is reported (% of total CPU, default = 90).
- csr
Ca StringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - daily
Restart String - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - default
Service StringSource Port - Default service source port range. (default=1-65535)
- device
Identification IntegerActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle IntegerTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params String - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Values below 2048 bits are considered weak; use 2048 or higher where clients support it. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - dnsproxy
Worker IntegerCount - DNS proxy worker count.
- dst String
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- early
Tcp StringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - edit
Vdom StringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - endpoint
Control StringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - endpoint
Control IntegerPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller StringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime Integer
- Fail-time for server lost.
- faz
Disk IntegerBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics String - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - fds
Statistics IntegerPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port Integer - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert StringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - forticonverter
Config StringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - forticonverter
Integration String - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - fortiextender String
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - fortiextender
Data IntegerPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery StringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - String
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - fortiextender
Vlan StringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - fortigslb
Integration String - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - fortiipam
Integration String - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - fortiservice
Port Integer - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud String - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - fortitoken
Cloud StringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - fortitoken
Cloud IntegerSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- gui
Allow StringDefault Hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - gui
Allow StringIncompatible Fabric Fgt - Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error. Valid values:
enable
,disable
. - gui
App StringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - gui
Auto StringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - gui
Cdn StringDomain Override - Domain of CDN server.
- gui
Cdn StringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - gui
Certificates String - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - gui
Custom StringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - gui
Date StringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - gui
Date StringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - gui
Device StringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device StringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display StringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - gui
Firmware StringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - gui
Firmware StringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - gui
Forticare StringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - gui
Fortigate StringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - gui
Fortiguard StringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - gui
Fortisandbox StringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - gui
Ipv6 String - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - gui
Lines IntegerPer Page - Number of lines to display per page for web administration.
- gui
Local StringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - gui
Replacement StringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - gui
Rest StringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - gui
Theme String - Color scheme for the administration GUI.
- gui
Wireless StringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - gui
Workflow StringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - ha
Affinity String - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df String - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - hostname String
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- igmp
State IntegerLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic IntegerLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet StringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - internet
Service StringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service List<GlobalDownload Lists Internet Service Download List> - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval Integer
- Dead gateway detection interval.
- ip
Fragment IntegerMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src StringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity String - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic StringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - ipsec
Ha IntegerSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac StringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - ipsec
Round StringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - ipsec
Soft StringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - ipv6Accept
Dad Integer - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast StringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - ipv6Allow
Local StringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - ipv6Allow
Multicast StringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - ipv6Allow
Traffic StringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - irq
Time StringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - language String
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - ldapconntimeout Integer
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception String - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - lldp
Transmission String - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - log
Single StringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - log
Ssl StringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - log
Uuid StringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - log
Uuid StringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - login
Timestamp String - Enable/disable login time recording. Valid values:
enable
,disable
. - long
Vdom StringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - management
Ip String - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port Integer - Overriding port for management connection (Overrides admin port).
- management
Port StringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - management
Vdom String - Management virtual domain name.
- max
Dlpstat IntegerMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route IntegerCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl StringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - memory
Use IntegerThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use IntegerThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use IntegerThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity String - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children Integer - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor StringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - multicast
Forward String - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - ndp
Max IntegerEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- per
User StringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - per
User StringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - pmtu
Discovery String - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - policy
Auth IntegerConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- postLoginBanner String
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - preLoginBanner String
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - private
Data StringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - proxy
Auth StringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - proxy
Auth IntegerLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth IntegerTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert StringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - proxy
Cipher StringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - proxy
Hardware StringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - proxy
Keep StringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - proxy
Kxp StringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - proxy
Re StringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - proxy
Re IntegerAuthentication Time - The time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- proxy
Resource StringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - proxy
Worker IntegerCount - Proxy worker count.
- purdue
Level String - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - quic
Ack IntegerThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion StringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - quic
Max IntegerDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud String - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - quic
Tls IntegerHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp StringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - radius
Port Integer - RADIUS service port number.
- reboot
Upon StringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - refresh Integer
- Statistics refresh interval in GUI.
- remoteauthtimeout Integer
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless StringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - restart
Time String - Daily restart time (hh:mm).
- revision
Backup StringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - revision
Image StringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - scanunit
Count Integer - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating StringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - security
Rating StringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - send
Pmtu StringIcmp - Enable/disable sending an ICMP destination unreachable packet that carries the path maximum transmission unit (PMTU), supporting the PMTUD protocol on your network to reduce fragmentation of packets. Valid values:
enable
,disable
. - sflowd
Max IntegerChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route StringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - special
File23Support String - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - speedtest
Server String - Enable/disable speed test server. Valid values:
enable
,disable
. - speedtestd
Ctrl IntegerPort - Speedtest server controller port number.
- speedtestd
Server IntegerPort - Speedtest server port number.
- split
Port String - Split port(s) to multiple 10Gbps ports.
- ssd
Trim IntegerDate - Date within a month to run ssd trim.
- ssd
Trim StringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - ssd
Trim IntegerHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim IntegerMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim StringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - ssh
Cbc StringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - ssh
Enc StringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - ssh
Hmac StringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - ssh
Hostkey String - Config SSH host key.
- ssh
Hostkey StringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey StringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - ssh
Hostkey StringPassword - Password for ssh-hostkey.
- ssh
Kex StringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex StringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - ssh
Mac StringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - ssh
Mac StringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - ssl
Min StringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static StringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Valid values:
enable
,disable
. - sslvpn
Cipher StringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - sslvpn
Kxp StringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Max IntegerWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin StringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - sslvpn
Web StringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - strict
Dirty StringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - strong
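Crypto String - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. 3DES and SHA1 are treated as legacy algorithms by current standards, so review the negotiated cipher set rather than relying on this setting alone. Valid values: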
enable
,disable
. - switch
Controller String - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - switch
Controller StringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf IntegerLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity String - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose IntegerTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen IntegerTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option String - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - tcp
Rst IntegerTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait IntegerTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp String
- Enable/disable TFTP. Valid values:
enable
,disable
. - timezone String
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc StringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - traffic
Priority String - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - traffic
Priority StringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - two
Factor IntegerEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two
Factor IntegerFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two
Factor IntegerFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two
Factor IntegerFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two
Factor IntegerSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle IntegerTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter StringAffinity - URL filter CPU affinity.
- url
Filter IntegerCount - URL filter daemon count.
- user
Device IntegerStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device IntegerStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device IntegerStore Max Users - Maximum number of users allowed in user device store.
- user
Server StringCert - Certificate to use for https user authentication.
- vdom
Admin String - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - vdom
Mode String - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vip
Arp StringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - virtual
Server IntegerCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server StringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - virtual
Switch StringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - vpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - wad
Affinity String - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc IntegerCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc IntegerDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory IntegerChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart StringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart StringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - wad
Restart StringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source StringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - wad
Worker IntegerCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi
Ca StringCertificate - CA certificate that verifies the WiFi certificate.
- wifi
Certificate String - Certificate to use for WiFi authentication.
- wimax4g
Usb String - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - wireless
Controller String - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - wireless
Controller IntegerPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - admin
Console numberTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin
Forticloud stringSso Default Profile - Override access profile.
- admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts numberMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled the header max-age will be 0.
- admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout numberDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout numberThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login numberMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
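Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number, disable this setting unless console recovery is needed and physical access to the unit is controlled. Valid values: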
enable
,disable
. - admin
Port number - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport number - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh numberGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - admin
Ssh numberPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
Ssh stringV1 - Enable/disable SSH v1 compatibility. Valid values:
enable
,disable
. - admin
Telnet string - Enable/disable TELNET service. Valid values:
enable
,disable
. - admin
Telnet numberPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout number
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias string
- Alias for your FortiGate unit.
- allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - anti
Replay string - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - arp
Max numberEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute string
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http numberPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https numberPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike numberSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session numberTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb numberMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain numberMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert numberTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save string - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - cli
Audit stringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - cloud
Communication string - Enable/disable all cloud communication. Valid values:
enable
,disable
. - clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check string - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use numberThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - default
Service stringSource Port - Default service source port range. (default=1-65535)
- device
Identification numberActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle numberTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - dnsproxy
Worker numberCount - DNS proxy worker count.
- dst string
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- early
Tcp stringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - endpoint
Control numberPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime number
- Fail-time for server lost.
- faz
Disk numberBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - fds
Statistics numberPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port number - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - forticonverter
Integration string - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - fortiextender string
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - fortiextender
Data numberPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - fortiservice
Port number - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud string - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - fortitoken
Cloud numberSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - gui
Allow stringIncompatible Fabric Fgt - Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error. Valid values:
enable
,disable
. - gui
App stringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - gui
Cdn stringDomain Override - Domain of CDN server.
- gui
Cdn stringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - gui
Custom stringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - gui
Date stringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - gui
Date stringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - gui
Ipv6 string - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - gui
Lines numberPer Page - Number of lines to display per page for web administration.
- gui
Local stringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - gui
Theme string - Color scheme for the administration GUI.
- gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- igmp
State numberLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic numberLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service GlobalDownload Lists Internet Service Download List[] - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval number
- Dead gateway detection interval.
- ip
Fragment numberMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - ipsec
Ha numberSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - ipv6Accept
Dad number - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - irq
Time stringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - language string
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - ldapconntimeout number
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - log
Ssl stringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - login
Timestamp string - Enable/disable login time recording. Valid values:
enable
,disable
. - long
Vdom stringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port number - Overriding port for management connection (Overrides admin port).
- management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - management
Vdom string - Management virtual domain name.
- max
Dlpstat numberMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route numberCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - memory
Use numberThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use numberThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use numberThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children number - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - multicast
Forward string - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - ndp
Max numberEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- per
User stringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - per
User stringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - pmtu
Discovery string - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - policy
Auth numberConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - proxy
Auth numberLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth numberTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - proxy
Re numberAuthentication Time - The time limit that users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - proxy
Worker numberCount - Proxy worker count.
- purdue
Level string - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - quic
Ack numberThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - quic
Max numberDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud string - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - quic
Tls numberHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - radius
Port number - RADIUS service port number.
- reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - refresh number
- Statistics refresh interval in GUI.
- remoteauthtimeout number
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - restart
Time string - Daily restart time (hh:mm).
- revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - scanunit
Count number - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - send
Pmtu stringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. Valid values:
enable
,disable
. - sflowd
Max numberChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route stringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - speedtest
Server string - Enable/disable speed test server. Valid values:
enable
,disable
. - speedtestd
Ctrl numberPort - Speedtest server controller port number.
- speedtestd
Server numberPort - Speedtest server port number.
- split
Port string - Split port(s) to multiple 10Gbps ports.
- ssd
Trim numberDate - Date within a month to run ssd trim.
- ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - ssd
Trim numberHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim numberMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim stringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - ssh
Enc stringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - ssh
Hostkey string - Config SSH host key.
- ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - ssh
Hostkey stringPassword - Password for ssh-hostkey.
- ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - ssh
Mac stringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Valid values:
enable
,disable
. - sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Max numberWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - sslvpn
Web stringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - strong
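Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA1 are deprecated in current cryptographic guidance, so also review the SSH cipher, MAC and key-exchange settings and the minimum SSL/TLS protocol version on this resource. Valid values: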
enable
,disable
. - switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf numberLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose numberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen numberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option string - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - tcp
Rst numberTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait numberTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp string
- Enable/disable TFTP. Valid values:
enable
,disable
. - timezone string
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - two
Factor numberEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two
Factor numberFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two
Factor numberFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two
Factor numberFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two
Factor numberSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle numberTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter stringAffinity - URL filter CPU affinity.
- url
Filter numberCount - URL filter daemon count.
- user
Device numberStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device numberStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device numberStore Max Users - Maximum number of users allowed in user device store.
- user
Server stringCert - Certificate to use for https user authentication.
- vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - virtual
Server numberCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - virtual
Switch stringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc numberCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc numberDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory numberChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart stringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - wad
Worker numberCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- wifi
Certificate string - Certificate to use for WiFi authentication.
- wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - wireless
Controller numberPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- admin_
concurrent str - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - admin_
console_ inttimeout - Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin_
forticloud_ strsso_ default_ profile - Override access profile.
- admin_
forticloud_ strsso_ login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - admin_
host str - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin_
hsts_ intmax_ age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled the header max-age will be 0.
- admin_
https_ strpki_ required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - admin_
https_ strredirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - admin_
https_ strssl_ banned_ ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - admin_
https_ strssl_ ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - admin_
https_ strssl_ versions - Allowed TLS versions for web administration.
- admin_
lockout_ intduration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin_
lockout_ intthreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin_
login_ intmax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin_
maintainer str - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password can be derived from the serial number, disable the option where physical console access is not restricted. Valid values:
enable
,disable
. - admin_
port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin_
restrict_ strlocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - admin_
scp str - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - admin_
server_ strcert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin_
sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin_
ssh_ intgrace_ time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin_
ssh_ strpassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - admin_
ssh_ intport - Administrative access port for SSH. (1 - 65535, default = 22).
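- admin_ssh_v1 str - Enable/disable SSH v1 compatibility. SSH protocol version 1 is obsolete and has known cryptographic weaknesses; leave it disabled unless a legacy client strictly requires it. Valid values: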
enable
,disable
. - admin_telnet str - Enable/disable TELNET service. TELNET carries logins and session data unencrypted, so prefer SSH for administrative access. Valid values:
enable
,disable
. - admin_
telnet_ intport - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias str
- Alias for your FortiGate unit.
- allow_
traffic_ strredirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - anti_
replay str - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - arp_
max_ intentry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute str
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - auth_
cert str - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth_
http_ intport - User authentication HTTP port. (1 - 65535, default = 80).
- auth_
https_ intport - User authentication HTTPS port. (1 - 65535, default = 443).
- auth_
ike_ intsaml_ port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth_
keepalive str - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - auth_
session_ strlimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - auto_
auth_ strextension_ device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - autorun_
log_ strfsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - av_
affinity str - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av_
failopen str - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - av_
failopen_ strsession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - batch_
cmdb str - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - bfd_
affinity str - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block_
session_ inttimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br_
fdb_ intmax_ entry - Maximum number of bridge forwarding database (FDB) entries.
- cert_
chain_ intmax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg_
revert_ inttimeout - Time-out for reverting to the last saved configuration.
- cfg_
save str - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - check_
protocol_ strheader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - check_
reset_ strrange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - cli_
audit_ strlog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - cloud_
communication str - Enable/disable all cloud communication. Valid values:
enable
,disable
. - clt_
cert_ strreq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - cmdbsvr_
affinity str - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance_
check str - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - compliance_
check_ strtime - Time of day to run scheduled PCI DSS compliance checks.
- cpu_use_threshold int - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr_
ca_ strattribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - daily_
restart str - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - default_
service_ strsource_ port - Default service source port range. (default=1-65535)
- device_
identification_ intactive_ scan_ delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device_
idle_ inttimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh_params str - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Groups smaller than 2048 bits are generally considered too weak for current use. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - dnsproxy_
worker_ intcount - DNS proxy worker count.
- dst str
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - dynamic_
sort_ strsubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- early_
tcp_ strnpu_ session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - edit_
vdom_ strprompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - endpoint_
control_ strfds_ access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - endpoint_
control_ intportal_ port - Endpoint control portal port (1 - 65535).
- extender_
controller_ strreserved_ network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime int
- Fail-time for server lost.
- faz_disk_buffer_size int - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds_
statistics str - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - fds_
statistics_ intperiod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec_
port int - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd_
alert_ strsubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - forticonverter_
config_ strupload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - forticonverter_
integration str - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - fortiextender str
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - fortiextender_
data_ intport - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender_
discovery_ strlockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - fortiextender_provision_on_authorization str
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - fortiextender_
vlan_ strmode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - fortigslb_
integration str - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - fortiipam_
integration str - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - fortiservice_
port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken_
cloud str - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - fortitoken_
cloud_ strpush_ status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - fortitoken_
cloud_ intsync_ interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- get_all_tables str - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- gui_allow_default_hostname str - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - gui_allow_incompatible_fabric_fgt str - Enable/disable allowing a FortiGate with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors. Valid values:
enable
,disable
. - gui_
app_ strdetection_ sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - gui_
auto_ strupgrade_ setup_ warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - gui_
cdn_ strdomain_ override - Domain of CDN server.
- gui_cdn_usage str - Enable/disable loading GUI static files from a CDN. Valid values:
enable
,disable
. - gui_
certificates str - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - gui_
custom_ strlanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - gui_
date_ strformat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - gui_date_time_source str - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - gui_
device_ strlatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui_
device_ strlongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui_
display_ strhostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - gui_
firmware_ strupgrade_ setup_ warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - gui_
firmware_ strupgrade_ warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - gui_
forticare_ strregistration_ setup_ warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - gui_
fortigate_ strcloud_ sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - gui_
fortiguard_ strresource_ fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - gui_
fortisandbox_ strcloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - gui_
ipv6 str - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - gui_
lines_ intper_ page - Number of lines to display per page for web administration.
- gui_
local_ strout - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - gui_
replacement_ strmessage_ groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - gui_
rest_ strapi_ cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - gui_
theme str - Color scheme for the administration GUI.
- gui_
wireless_ stropensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - gui_
workflow_ strmanagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - ha_
affinity str - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor_
df str - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - hostname str
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- igmp_
state_ intlimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike_
embryonic_ intlimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface_
subnet_ strusage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - internet_
service_ strdatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet_service_download_lists Sequence[GlobalInternetServiceDownloadListArgs] - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval int
- Dead gateway detection interval.
- ip_
fragment_ intmem_ thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip_
src_ strport_ range - IP source port range used for traffic originating from the FortiGate unit.
- ips_
affinity str - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec_
asic_ stroffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - ipsec_
ha_ intseqjump_ rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec_
hmac_ stroffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - ipsec_
round_ strrobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - ipsec_
soft_ strdec_ async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - ipv6_
accept_ intdad - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6_
allow_ stranycast_ probe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - ipv6_
allow_ strlocal_ in_ slient_ drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - ipv6_
allow_ strmulticast_ probe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - ipv6_
allow_ strtraffic_ redirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - irq_
time_ straccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - language str
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp_
reception str - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - lldp_
transmission str - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - log_
single_ strcpu_ high - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - log_
ssl_ strconnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - log_
uuid_ straddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - log_
uuid_ strpolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - login_
timestamp str - Enable/disable login time recording. Valid values:
enable
,disable
. - long_
vdom_ strname - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - management_
ip str - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management_
port int - Overriding port for management connection (Overrides admin port).
- management_
port_ struse_ admin_ sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - management_
vdom str - Management virtual domain name.
- max_
dlpstat_ intmemory - Maximum DLP stat memory (0 - 4294967295).
- max_
route_ intcache_ size - Maximum number of IP route cache entries (0 - 2147483647).
- mc_
ttl_ strnotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - memory_use_threshold_extreme int - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory_use_threshold_green int - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory_use_threshold_red int - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog_
affinity str - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd_
children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi_
factor_ strauthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - multicast_
forward str - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - ndp_
max_ intentry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- per_
user_ strbal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - per_
user_ strbwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - pmtu_
discovery str - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - policy_auth_concurrent int - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- post_login_banner str
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - pre_login_banner str
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - private_
data_ strencryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - proxy_
auth_ strlifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - proxy_
auth_ intlifetime_ timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy_
auth_ inttimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy_
cert_ struse_ mgmt_ vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - proxy_
cipher_ strhardware_ acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - proxy_
hardware_ stracceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - proxy_
keep_ stralive_ mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - proxy_
kxp_ strhardware_ acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - proxy_
re_ strauthentication_ mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - proxy_re_authentication_time int - The time limit that users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- proxy_
resource_ strmode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - proxy_
worker_ intcount - Proxy worker count.
- purdue_
level str - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - quic_
ack_ intthresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic_
congestion_ strcontrol_ algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - quic_
max_ intdatagram_ size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic_
pmtud str - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - quic_
tls_ inthandshake_ timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic_
udp_ strpayload_ size_ shaping_ per_ cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - radius_
port int - RADIUS service port number.
- reboot_
upon_ strconfig_ restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - refresh int
- Statistics refresh interval in GUI.
- remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset_
sessionless_ strtcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - restart_
time str - Daily restart time (hh:mm).
- revision_
backup_ stron_ logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - revision_
image_ strauto_ backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - scanunit_
count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security_
rating_ strresult_ submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - security_
rating_ strrun_ on_ schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - send_pmtu_icmp str - Enable/disable sending of path maximum transmission unit (PMTU) ICMP destination unreachable packets, which supports the PMTUD protocol on your network and reduces fragmentation of packets. Valid values:
enable
,disable
. - sflowd_
max_ intchildren_ num - Maximum number of sflowd child processes allowed to run.
- snat_
route_ strchange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - special_
file23_ strsupport - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - speedtest_
server str - Enable/disable speed test server. Valid values:
enable
,disable
. - speedtestd_
ctrl_ intport - Speedtest server controller port number.
- speedtestd_
server_ intport - Speedtest server port number.
- split_
port str - Split port(s) to multiple 10Gbps ports.
- ssd_
trim_ intdate - Date within a month to run ssd trim.
- ssd_
trim_ strfreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - ssd_
trim_ inthour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd_
trim_ intmin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd_
trim_ strweekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - ssh_
cbc_ strcipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - ssh_
enc_ stralgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - ssh_
hmac_ strmd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - ssh_
hostkey str - Config SSH host key.
- ssh_
hostkey_ stralgo - Select one or more SSH hostkey algorithms.
- ssh_
hostkey_ stroverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - ssh_
hostkey_ strpassword - Password for ssh-hostkey.
- ssh_
kex_ stralgo - Select one or more SSH kex algorithms.
- ssh_
kex_ strsha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - ssh_
mac_ stralgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - ssh_
mac_ strweak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - ssl_
min_ strproto_ version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl_static_key_ciphers str - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Static key ciphers do not provide forward secrecy. Valid values:
enable
,disable
. - sslvpn_
cipher_ strhardware_ acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - sslvpn_
ems_ strsn_ check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - sslvpn_
kxp_ strhardware_ acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - sslvpn_
max_ intworker_ count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn_
plugin_ strversion_ check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - sslvpn_
web_ strmode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - strict_
dirty_ strsession_ check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
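. - strong_crypto str - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA1 are no longer regarded as strong by current standards, so review the SSH and TLS algorithm settings on this resource as well. Valid values: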
enable
,disable
. - switch_
controller str - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - switch_
controller_ strreserved_ network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys_
perf_ intlog_ interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog_
affinity str - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp_
halfclose_ inttimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp_
halfopen_ inttimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp_
option str - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - tcp_
rst_ inttimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp_
timewait_ inttimer - Length of the TCP TIME-WAIT state in seconds.
- tftp str
- Enable/disable TFTP. Valid values:
enable
,disable
. - timezone str
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp_
mc_ strskip_ policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - traffic_
priority str - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - traffic_
priority_ strlevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - two_
factor_ intemail_ expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two_
factor_ intfac_ expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two_
factor_ intftk_ expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two_
factor_ intftm_ expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two_
factor_ intsms_ expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp_
idle_ inttimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url_
filter_ straffinity - URL filter CPU affinity.
- url_
filter_ intcount - URL filter daemon count.
- user_
device_ intstore_ max_ devices - Maximum number of devices allowed in user device store.
- user_
device_ intstore_ max_ unified_ mem - Maximum unified memory allowed in user device store.
- user_
device_ intstore_ max_ users - Maximum number of users allowed in user device store.
- user_
server_ strcert - Certificate to use for https user authentication.
- vdom_
admin str - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - vdom_
mode str - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - vdomparam str
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vip_
arp_ strrange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - virtual_
server_ intcount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual_
server_ strhardware_ acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - virtual_
switch_ strvlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - vpn_
ems_ strsn_ check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - wad_
affinity str - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad_
csvc_ intcs_ count - Number of concurrent WAD-cache-service object-cache processes.
- wad_
csvc_ intdb_ count - Number of concurrent WAD-cache-service byte-cache processes.
- wad_
memory_ intchange_ granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad_
restart_ strend_ time - WAD workers daily restart end time (hh:mm).
- wad_
restart_ strmode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - wad_
restart_ strstart_ time - WAD workers daily restart time (hh:mm).
- wad_
source_ straffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - wad_
worker_ intcount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi_
ca_ strcertificate - CA certificate that verifies the WiFi certificate.
- wifi_
certificate str - Certificate to use for WiFi authentication.
- wimax4g_
usb str - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - wireless_
controller str - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - wireless_
controller_ intport - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- admin
Concurrent String - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - admin
Console NumberTimeout - Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin
Forticloud StringSso Default Profile - Override access profile.
- admin
Forticloud StringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - admin
Host String - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts NumberMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled the header max-age will be 0.
- admin
Https StringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - admin
Https StringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - admin
Https StringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - admin
Https StringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - admin
Https StringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout NumberDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout NumberThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login NumberMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
Maintainer String - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because the password is derived from the serial number, disable this setting where console access to the unit is not physically restricted. Valid values:
enable
,disable
. - admin
Port Number - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict StringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - admin
Scp String - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - admin
Server StringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport Number - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh NumberGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh StringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - admin
Ssh NumberPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
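Ssh StringV1 - Enable/disable SSH v1 compatibility. SSH v1 is an obsolete protocol version with known cryptographic weaknesses; leave it disabled unless a legacy client requires it. Valid values: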
enable
,disable
. - admin
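Telnet String - Enable/disable TELNET service. TELNET sends credentials and session data unencrypted, so SSH is the safer choice for administrative access. Valid values: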
enable
,disable
. - admin
Telnet NumberPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout Number
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias String
- Alias for your FortiGate unit.
- allow
Traffic StringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - anti
Replay String - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - arp
Max NumberEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute String
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - auth
Cert String - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http NumberPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https NumberPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike NumberSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive String - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - auth
Session StringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - auto
Auth StringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - autorun
Log StringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - av
Affinity String - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen String - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - av
Failopen StringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - batch
Cmdb String - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - bfd
Affinity String - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session NumberTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb NumberMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain NumberMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert NumberTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save String - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - check
Protocol StringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - check
Reset StringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - cli
Audit StringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - cloud
Communication String - Enable/disable all cloud communication. Valid values:
enable
,disable
. - clt
Cert StringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - cmdbsvr
Affinity String - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check String - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - compliance
Check StringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use NumberThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr
Ca StringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - daily
Restart String - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - default
Service StringSource Port - Default service source port range. (default=1-65535)
- device
Identification NumberActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle NumberTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params String - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Values below 2048 bits are generally considered too weak for current use. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - dnsproxy
Worker NumberCount - DNS proxy worker count.
- dst String
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- early
Tcp StringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - edit
Vdom StringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - endpoint
Control StringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - endpoint
Control NumberPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller StringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime Number
- Fail-time for server lost.
- faz
Disk NumberBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics String - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - fds
Statistics NumberPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port Number - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert StringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - forticonverter
Config StringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - forticonverter
Integration String - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - fortiextender String
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - fortiextender
Data NumberPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery StringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - fortiextenderProvisionOnAuthorization String
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - fortiextender
Vlan StringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - fortigslb
Integration String - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - fortiipam
Integration String - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - fortiservice
Port Number - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud String - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - fortitoken
Cloud StringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - fortitoken
Cloud NumberSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource, otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- gui
Allow StringDefault Hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - gui
Allow StringIncompatible Fabric Fgt - Enable/disable allowing a FortiGate (FGT) with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors. Valid values:
enable
,disable
. - gui
App StringDetection Sdwan - Enable/disable allowing app-detection based SD-WAN. Valid values:
enable
,disable
. - gui
Auto StringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - gui
Cdn StringDomain Override - Domain of CDN server.
- gui
Cdn StringUsage - Enable/disable loading GUI static files from a CDN. Valid values:
enable
,disable
. - gui
Certificates String - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - gui
Custom StringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - gui
Date StringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - gui
Date StringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - gui
Device StringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device StringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display StringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - gui
Firmware StringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - gui
Firmware StringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - gui
Forticare StringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - gui
Fortigate StringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - gui
Fortiguard StringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - gui
Fortisandbox StringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - gui
Ipv6 String - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - gui
Lines NumberPer Page - Number of lines to display per page for web administration.
- gui
Local StringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - gui
Replacement StringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - gui
Rest StringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - gui
Theme String - Color scheme for the administration GUI.
- gui
Wireless StringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - gui
Workflow StringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - ha
Affinity String - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df String - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - hostname String
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- igmp
State NumberLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic NumberLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet StringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - internet
Service StringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service List<Property Map>Download Lists - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval Number
- Dead gateway detection interval.
- ip
Fragment NumberMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src StringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity String - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic StringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - ipsec
Ha NumberSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac StringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - ipsec
Round StringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - ipsec
Soft StringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - ipv6Accept
Dad Number - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast StringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - ipv6Allow
Local StringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - ipv6Allow
Multicast StringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - ipv6Allow
Traffic StringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - irq
Time StringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - language String
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - ldapconntimeout Number
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception String - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - lldp
Transmission String - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - log
Single StringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - log
Ssl StringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - log
Uuid StringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - log
Uuid StringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - login
Timestamp String - Enable/disable login time recording. Valid values:
enable
,disable
. - long
Vdom StringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - management
Ip String - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port Number - Overriding port for management connection (Overrides admin port).
- management
Port StringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - management
Vdom String - Management virtual domain name.
- max
Dlpstat NumberMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route NumberCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl StringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - memory
Use NumberThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use NumberThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use NumberThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity String - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children Number - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor StringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - multicast
Forward String - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - ndp
Max NumberEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- per
User StringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - per
User StringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - pmtu
Discovery String - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - policy
Auth NumberConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- postLoginBanner String
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - preLoginBanner String
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - private
Data StringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - proxy
Auth StringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - proxy
Auth NumberLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth NumberTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert StringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - proxy
Cipher StringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - proxy
Hardware StringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - proxy
Keep StringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - proxy
Kxp StringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - proxy
Re StringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - proxy
Re NumberAuthentication Time - The time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- proxy
Resource StringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - proxy
Worker NumberCount - Proxy worker count.
- purdue
Level String - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - quic
Ack NumberThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion StringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - quic
Max NumberDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud String - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - quic
Tls NumberHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp StringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - radius
Port Number - RADIUS service port number.
- reboot
Upon StringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - refresh Number
- Statistics refresh interval in GUI.
- remoteauthtimeout Number
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless StringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - restart
Time String - Daily restart time (hh:mm).
- revision
Backup StringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - revision
Image StringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - scanunit
Count Number - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating StringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - security
Rating StringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - send
Pmtu StringIcmp - Enable/disable sending path maximum transmission unit (PMTU) ICMP destination unreachable packets to support the PMTUD protocol on your network and reduce fragmentation of packets. Valid values:
enable
,disable
. - sflowd
Max NumberChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route StringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - special
File23Support String - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - speedtest
Server String - Enable/disable speed test server. Valid values:
enable
,disable
. - speedtestd
Ctrl NumberPort - Speedtest server controller port number.
- speedtestd
Server NumberPort - Speedtest server port number.
- split
Port String - Split port(s) to multiple 10Gbps ports.
- ssd
Trim NumberDate - Date within a month to run ssd trim.
- ssd
Trim StringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - ssd
Trim NumberHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim NumberMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim StringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - ssh
Cbc StringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - ssh
Enc StringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - ssh
Hmac StringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - ssh
Hostkey String - Config SSH host key.
- ssh
Hostkey StringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey StringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - ssh
Hostkey StringPassword - Password for ssh-hostkey.
- ssh
Kex StringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex StringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - ssh
Mac StringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - ssh
Mac StringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - ssl
Min StringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static StringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Valid values:
enable
,disable
. - sslvpn
Cipher StringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - sslvpn
Kxp StringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Max NumberWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin StringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - sslvpn
Web StringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - strict
Dirty StringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - strong
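Crypto String - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA1 are treated as legacy by current cryptographic guidance and, going by this description, remain allowed when the option is enabled; review the explicit SSH cipher, MAC and key-exchange selections and the minimum SSL/TLS protocol version alongside this setting. Valid values: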
enable
,disable
. - switch
Controller String - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - switch
Controller StringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf NumberLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity String - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose NumberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen NumberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option String - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - tcp
Rst NumberTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait NumberTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp String
- Enable/disable TFTP. Valid values:
enable
,disable
. - timezone String
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc StringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - traffic
Priority String - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - traffic
Priority StringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - two
Factor NumberEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two
Factor NumberFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two
Factor NumberFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two
Factor NumberFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two
Factor NumberSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle NumberTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter StringAffinity - URL filter CPU affinity.
- url
Filter NumberCount - URL filter daemon count.
- user
Device NumberStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device NumberStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device NumberStore Max Users - Maximum number of users allowed in user device store.
- user
Server StringCert - Certificate to use for https user authentication.
- vdom
Admin String - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - vdom
Mode String - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vip
Arp StringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - virtual
Server NumberCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server StringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - virtual
Switch StringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - vpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - wad
Affinity String - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc NumberCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc NumberDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory NumberChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart StringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart StringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - wad
Restart StringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source StringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - wad
Worker NumberCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi
Ca StringCertificate - CA certificate that verifies the WiFi certificate.
- wifi
Certificate String - Certificate to use for WiFi authentication.
- wimax4g
Usb String - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - wireless
Controller String - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - wireless
Controller NumberPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
Outputs
All input properties are implicitly available as output properties. Additionally, the Global resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Global Resource
Get an existing Global resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GlobalState, opts?: CustomResourceOptions): Global
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
admin_concurrent: Optional[str] = None,
admin_console_timeout: Optional[int] = None,
admin_forticloud_sso_default_profile: Optional[str] = None,
admin_forticloud_sso_login: Optional[str] = None,
admin_host: Optional[str] = None,
admin_hsts_max_age: Optional[int] = None,
admin_https_pki_required: Optional[str] = None,
admin_https_redirect: Optional[str] = None,
admin_https_ssl_banned_ciphers: Optional[str] = None,
admin_https_ssl_ciphersuites: Optional[str] = None,
admin_https_ssl_versions: Optional[str] = None,
admin_lockout_duration: Optional[int] = None,
admin_lockout_threshold: Optional[int] = None,
admin_login_max: Optional[int] = None,
admin_maintainer: Optional[str] = None,
admin_port: Optional[int] = None,
admin_restrict_local: Optional[str] = None,
admin_scp: Optional[str] = None,
admin_server_cert: Optional[str] = None,
admin_sport: Optional[int] = None,
admin_ssh_grace_time: Optional[int] = None,
admin_ssh_password: Optional[str] = None,
admin_ssh_port: Optional[int] = None,
admin_ssh_v1: Optional[str] = None,
admin_telnet: Optional[str] = None,
admin_telnet_port: Optional[int] = None,
admintimeout: Optional[int] = None,
alias: Optional[str] = None,
allow_traffic_redirect: Optional[str] = None,
anti_replay: Optional[str] = None,
arp_max_entry: Optional[int] = None,
asymroute: Optional[str] = None,
auth_cert: Optional[str] = None,
auth_http_port: Optional[int] = None,
auth_https_port: Optional[int] = None,
auth_ike_saml_port: Optional[int] = None,
auth_keepalive: Optional[str] = None,
auth_session_limit: Optional[str] = None,
auto_auth_extension_device: Optional[str] = None,
autorun_log_fsck: Optional[str] = None,
av_affinity: Optional[str] = None,
av_failopen: Optional[str] = None,
av_failopen_session: Optional[str] = None,
batch_cmdb: Optional[str] = None,
bfd_affinity: Optional[str] = None,
block_session_timer: Optional[int] = None,
br_fdb_max_entry: Optional[int] = None,
cert_chain_max: Optional[int] = None,
cfg_revert_timeout: Optional[int] = None,
cfg_save: Optional[str] = None,
check_protocol_header: Optional[str] = None,
check_reset_range: Optional[str] = None,
cli_audit_log: Optional[str] = None,
cloud_communication: Optional[str] = None,
clt_cert_req: Optional[str] = None,
cmdbsvr_affinity: Optional[str] = None,
compliance_check: Optional[str] = None,
compliance_check_time: Optional[str] = None,
cpu_use_threshold: Optional[int] = None,
csr_ca_attribute: Optional[str] = None,
daily_restart: Optional[str] = None,
default_service_source_port: Optional[str] = None,
device_identification_active_scan_delay: Optional[int] = None,
device_idle_timeout: Optional[int] = None,
dh_params: Optional[str] = None,
dnsproxy_worker_count: Optional[int] = None,
dst: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
early_tcp_npu_session: Optional[str] = None,
edit_vdom_prompt: Optional[str] = None,
endpoint_control_fds_access: Optional[str] = None,
endpoint_control_portal_port: Optional[int] = None,
extender_controller_reserved_network: Optional[str] = None,
failtime: Optional[int] = None,
faz_disk_buffer_size: Optional[int] = None,
fds_statistics: Optional[str] = None,
fds_statistics_period: Optional[int] = None,
fec_port: Optional[int] = None,
fgd_alert_subscription: Optional[str] = None,
forticonverter_config_upload: Optional[str] = None,
forticonverter_integration: Optional[str] = None,
fortiextender: Optional[str] = None,
fortiextender_data_port: Optional[int] = None,
fortiextender_discovery_lockdown: Optional[str] = None,
fortiextender_provision_on_authorization: Optional[str] = None,
fortiextender_vlan_mode: Optional[str] = None,
fortigslb_integration: Optional[str] = None,
fortiipam_integration: Optional[str] = None,
fortiservice_port: Optional[int] = None,
fortitoken_cloud: Optional[str] = None,
fortitoken_cloud_push_status: Optional[str] = None,
fortitoken_cloud_sync_interval: Optional[int] = None,
get_all_tables: Optional[str] = None,
gui_allow_default_hostname: Optional[str] = None,
gui_allow_incompatible_fabric_fgt: Optional[str] = None,
gui_app_detection_sdwan: Optional[str] = None,
gui_auto_upgrade_setup_warning: Optional[str] = None,
gui_cdn_domain_override: Optional[str] = None,
gui_cdn_usage: Optional[str] = None,
gui_certificates: Optional[str] = None,
gui_custom_language: Optional[str] = None,
gui_date_format: Optional[str] = None,
gui_date_time_source: Optional[str] = None,
gui_device_latitude: Optional[str] = None,
gui_device_longitude: Optional[str] = None,
gui_display_hostname: Optional[str] = None,
gui_firmware_upgrade_setup_warning: Optional[str] = None,
gui_firmware_upgrade_warning: Optional[str] = None,
gui_forticare_registration_setup_warning: Optional[str] = None,
gui_fortigate_cloud_sandbox: Optional[str] = None,
gui_fortiguard_resource_fetch: Optional[str] = None,
gui_fortisandbox_cloud: Optional[str] = None,
gui_ipv6: Optional[str] = None,
gui_lines_per_page: Optional[int] = None,
gui_local_out: Optional[str] = None,
gui_replacement_message_groups: Optional[str] = None,
gui_rest_api_cache: Optional[str] = None,
gui_theme: Optional[str] = None,
gui_wireless_opensecurity: Optional[str] = None,
gui_workflow_management: Optional[str] = None,
ha_affinity: Optional[str] = None,
honor_df: Optional[str] = None,
hostname: Optional[str] = None,
igmp_state_limit: Optional[int] = None,
ike_embryonic_limit: Optional[int] = None,
interface_subnet_usage: Optional[str] = None,
internet_service_database: Optional[str] = None,
internet_service_download_lists: Optional[Sequence[GlobalInternetServiceDownloadListArgs]] = None,
interval: Optional[int] = None,
ip_fragment_mem_thresholds: Optional[int] = None,
ip_src_port_range: Optional[str] = None,
ips_affinity: Optional[str] = None,
ipsec_asic_offload: Optional[str] = None,
ipsec_ha_seqjump_rate: Optional[int] = None,
ipsec_hmac_offload: Optional[str] = None,
ipsec_round_robin: Optional[str] = None,
ipsec_soft_dec_async: Optional[str] = None,
ipv6_accept_dad: Optional[int] = None,
ipv6_allow_anycast_probe: Optional[str] = None,
ipv6_allow_local_in_slient_drop: Optional[str] = None,
ipv6_allow_multicast_probe: Optional[str] = None,
ipv6_allow_traffic_redirect: Optional[str] = None,
irq_time_accounting: Optional[str] = None,
language: Optional[str] = None,
ldapconntimeout: Optional[int] = None,
lldp_reception: Optional[str] = None,
lldp_transmission: Optional[str] = None,
log_single_cpu_high: Optional[str] = None,
log_ssl_connection: Optional[str] = None,
log_uuid_address: Optional[str] = None,
log_uuid_policy: Optional[str] = None,
login_timestamp: Optional[str] = None,
long_vdom_name: Optional[str] = None,
management_ip: Optional[str] = None,
management_port: Optional[int] = None,
management_port_use_admin_sport: Optional[str] = None,
management_vdom: Optional[str] = None,
max_dlpstat_memory: Optional[int] = None,
max_route_cache_size: Optional[int] = None,
mc_ttl_notchange: Optional[str] = None,
memory_use_threshold_extreme: Optional[int] = None,
memory_use_threshold_green: Optional[int] = None,
memory_use_threshold_red: Optional[int] = None,
miglog_affinity: Optional[str] = None,
miglogd_children: Optional[int] = None,
multi_factor_authentication: Optional[str] = None,
multicast_forward: Optional[str] = None,
ndp_max_entry: Optional[int] = None,
per_user_bal: Optional[str] = None,
per_user_bwl: Optional[str] = None,
pmtu_discovery: Optional[str] = None,
policy_auth_concurrent: Optional[int] = None,
post_login_banner: Optional[str] = None,
pre_login_banner: Optional[str] = None,
private_data_encryption: Optional[str] = None,
proxy_auth_lifetime: Optional[str] = None,
proxy_auth_lifetime_timeout: Optional[int] = None,
proxy_auth_timeout: Optional[int] = None,
proxy_cert_use_mgmt_vdom: Optional[str] = None,
proxy_cipher_hardware_acceleration: Optional[str] = None,
proxy_hardware_acceleration: Optional[str] = None,
proxy_keep_alive_mode: Optional[str] = None,
proxy_kxp_hardware_acceleration: Optional[str] = None,
proxy_re_authentication_mode: Optional[str] = None,
proxy_re_authentication_time: Optional[int] = None,
proxy_resource_mode: Optional[str] = None,
proxy_worker_count: Optional[int] = None,
purdue_level: Optional[str] = None,
quic_ack_thresold: Optional[int] = None,
quic_congestion_control_algo: Optional[str] = None,
quic_max_datagram_size: Optional[int] = None,
quic_pmtud: Optional[str] = None,
quic_tls_handshake_timeout: Optional[int] = None,
quic_udp_payload_size_shaping_per_cid: Optional[str] = None,
radius_port: Optional[int] = None,
reboot_upon_config_restore: Optional[str] = None,
refresh: Optional[int] = None,
remoteauthtimeout: Optional[int] = None,
reset_sessionless_tcp: Optional[str] = None,
restart_time: Optional[str] = None,
revision_backup_on_logout: Optional[str] = None,
revision_image_auto_backup: Optional[str] = None,
scanunit_count: Optional[int] = None,
security_rating_result_submission: Optional[str] = None,
security_rating_run_on_schedule: Optional[str] = None,
send_pmtu_icmp: Optional[str] = None,
sflowd_max_children_num: Optional[int] = None,
snat_route_change: Optional[str] = None,
special_file23_support: Optional[str] = None,
speedtest_server: Optional[str] = None,
speedtestd_ctrl_port: Optional[int] = None,
speedtestd_server_port: Optional[int] = None,
split_port: Optional[str] = None,
ssd_trim_date: Optional[int] = None,
ssd_trim_freq: Optional[str] = None,
ssd_trim_hour: Optional[int] = None,
ssd_trim_min: Optional[int] = None,
ssd_trim_weekday: Optional[str] = None,
ssh_cbc_cipher: Optional[str] = None,
ssh_enc_algo: Optional[str] = None,
ssh_hmac_md5: Optional[str] = None,
ssh_hostkey: Optional[str] = None,
ssh_hostkey_algo: Optional[str] = None,
ssh_hostkey_override: Optional[str] = None,
ssh_hostkey_password: Optional[str] = None,
ssh_kex_algo: Optional[str] = None,
ssh_kex_sha1: Optional[str] = None,
ssh_mac_algo: Optional[str] = None,
ssh_mac_weak: Optional[str] = None,
ssl_min_proto_version: Optional[str] = None,
ssl_static_key_ciphers: Optional[str] = None,
sslvpn_cipher_hardware_acceleration: Optional[str] = None,
sslvpn_ems_sn_check: Optional[str] = None,
sslvpn_kxp_hardware_acceleration: Optional[str] = None,
sslvpn_max_worker_count: Optional[int] = None,
sslvpn_plugin_version_check: Optional[str] = None,
sslvpn_web_mode: Optional[str] = None,
strict_dirty_session_check: Optional[str] = None,
strong_crypto: Optional[str] = None,
switch_controller: Optional[str] = None,
switch_controller_reserved_network: Optional[str] = None,
sys_perf_log_interval: Optional[int] = None,
syslog_affinity: Optional[str] = None,
tcp_halfclose_timer: Optional[int] = None,
tcp_halfopen_timer: Optional[int] = None,
tcp_option: Optional[str] = None,
tcp_rst_timer: Optional[int] = None,
tcp_timewait_timer: Optional[int] = None,
tftp: Optional[str] = None,
timezone: Optional[str] = None,
tp_mc_skip_policy: Optional[str] = None,
traffic_priority: Optional[str] = None,
traffic_priority_level: Optional[str] = None,
two_factor_email_expiry: Optional[int] = None,
two_factor_fac_expiry: Optional[int] = None,
two_factor_ftk_expiry: Optional[int] = None,
two_factor_ftm_expiry: Optional[int] = None,
two_factor_sms_expiry: Optional[int] = None,
udp_idle_timer: Optional[int] = None,
url_filter_affinity: Optional[str] = None,
url_filter_count: Optional[int] = None,
user_device_store_max_devices: Optional[int] = None,
user_device_store_max_unified_mem: Optional[int] = None,
user_device_store_max_users: Optional[int] = None,
user_server_cert: Optional[str] = None,
vdom_admin: Optional[str] = None,
vdom_mode: Optional[str] = None,
vdomparam: Optional[str] = None,
vip_arp_range: Optional[str] = None,
virtual_server_count: Optional[int] = None,
virtual_server_hardware_acceleration: Optional[str] = None,
virtual_switch_vlan: Optional[str] = None,
vpn_ems_sn_check: Optional[str] = None,
wad_affinity: Optional[str] = None,
wad_csvc_cs_count: Optional[int] = None,
wad_csvc_db_count: Optional[int] = None,
wad_memory_change_granularity: Optional[int] = None,
wad_restart_end_time: Optional[str] = None,
wad_restart_mode: Optional[str] = None,
wad_restart_start_time: Optional[str] = None,
wad_source_affinity: Optional[str] = None,
wad_worker_count: Optional[int] = None,
wifi_ca_certificate: Optional[str] = None,
wifi_certificate: Optional[str] = None,
wimax4g_usb: Optional[str] = None,
wireless_controller: Optional[str] = None,
wireless_controller_port: Optional[int] = None) -> Global
func GetGlobal(ctx *Context, name string, id IDInput, state *GlobalState, opts ...ResourceOption) (*Global, error)
public static Global Get(string name, Input<string> id, GlobalState? state, CustomResourceOptions? opts = null)
public static Global get(String name, Output<String> id, GlobalState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - Admin
Console intTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, that is, 15 seconds to 5 minutes). 0, the default, disables this timeout.
- Admin
Forticloud stringSso Default Profile - Override access profile.
- Admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - Admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- Admin
Hsts intMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- Admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - Admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - Admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - Admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - Admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- Admin
Lockout intDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- Admin
Lockout intThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- Admin
Login intMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- Admin
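Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number rather than chosen by an administrator, anyone with physical console access who knows the serial number can use the account while it is enabled; disable it where physical access to the unit is not controlled. Valid values: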
enable
,disable
. - Admin
Port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- Admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - Admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - Admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- Admin
Sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- Admin
Ssh intGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- Admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - Admin
Ssh intPort - Administrative access port for SSH. (1 - 65535, default = 22).
- Admin
Ssh stringV1 - Enable/disable SSH v1 compatibility. Valid values:
enable
,disable
. - Admin
Telnet string - Enable/disable TELNET service. TELNET carries credentials and session data unencrypted, so prefer SSH for administrative access. Valid values:
enable
,disable
. - Admin
Telnet intPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- Admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- Alias string
- Alias for your FortiGate unit.
- Allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - Anti
Replay string - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - Arp
Max intEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- Asymroute string
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - Auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- Auth
Http intPort - User authentication HTTP port. (1 - 65535, default = 80).
- Auth
Https intPort - User authentication HTTPS port. (1 - 65535, default = 443).
- Auth
Ike intSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- Auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - Auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - Auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - Autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - Av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - Av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - Batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - Bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Block
Session intTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- Br
Fdb intMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- Cert
Chain intMax - Maximum number of certificates that can be traversed in a certificate chain.
- Cfg
Revert intTimeout - Time-out for reverting to the last saved configuration.
- Cfg
Save string - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - Check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - Check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - Cli
Audit stringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - Cloud
Communication string - Enable/disable all cloud communication. Valid values:
enable
,disable
. - Clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - Cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Compliance
Check string - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - Compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- Cpu
Use intThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- Csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - Daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - Default
Service stringSource Port - Default service source port range. (default=1-65535)
- Device
Identification intActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- Device
Idle intTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- Dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - Dnsproxy
Worker intCount - DNS proxy worker count.
- Dst string
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Early
Tcp stringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - Edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - Endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - Endpoint
Control intPortal Port - Endpoint control portal port (1 - 65535).
- Extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- Failtime int
- Fail-time for server lost.
- Faz
Disk intBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- Fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - Fds
Statistics intPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- Fec
Port int - Local UDP port for Forward Error Correction (49152 - 65535).
- Fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - Forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - Forticonverter
Integration string - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - Fortiextender string
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - Fortiextender
Data intPort - FortiExtender data port (1024 - 49150, default = 25246).
- Fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - Fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - Fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - Fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - Fortiservice
Port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- Fortitoken
Cloud string - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - Fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - Fortitoken
Cloud intSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - Gui
Allow stringIncompatible Fabric Fgt - Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error. Valid values:
enable
,disable
. - Gui
App stringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - Gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - Gui
Cdn stringDomain Override - Domain of CDN server.
- Gui
Cdn stringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - Gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - Gui
Custom stringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - Gui
Date stringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - Gui
Date stringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - Gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - Gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - Gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - Gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - Gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - Gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - Gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - Gui
Ipv6 string - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - Gui
Lines intPer Page - Number of lines to display per page for web administration.
- Gui
Local stringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - Gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - Gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - Gui
Theme string - Color scheme for the administration GUI.
- Gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - Gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - Ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - Hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- Igmp
State intLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- Ike
Embryonic intLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- Interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - Internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- Internet
Service List<Pulumiverse.Download Lists Fortios. System. Inputs. Global Internet Service Download List> - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - Interval int
- Dead gateway detection interval.
- Ip
Fragment intMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- Ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- Ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- Ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - Ipsec
Ha intSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- Ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - Ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - Ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - Ipv6Accept
Dad int - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- Ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - Ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - Ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - Ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - Irq
Time stringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - Language string
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - Ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- Lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - Lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - Log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - Log
Ssl stringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - Log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - Log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - Login
Timestamp string - Enable/disable login time recording. Valid values:
enable
,disable
. - Long
Vdom stringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - Management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- Management
Port int - Overriding port for management connection (Overrides admin port).
- Management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - Management
Vdom string - Management virtual domain name.
- Max
Dlpstat intMemory - Maximum DLP stat memory (0 - 4294967295).
- Max
Route intCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- Mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - Memory
Use intThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- Memory
Use intThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- Memory
Use intThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- Miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- Miglogd
Children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- Multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - Multicast
Forward string - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - Ndp
Max intEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- Per
User stringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - Per
User stringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - Pmtu
Discovery string - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - Policy
Auth intConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - Private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - Proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - Proxy
Auth intLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- Proxy
Auth intTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- Proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - Proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - Proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - Proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - Proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - Proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - Proxy
Re intAuthentication Time - The time limit that users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- Proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - Proxy
Worker intCount - Proxy worker count.
- Purdue
Level string - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - Quic
Ack intThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- Quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - Quic
Max intDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- Quic
Pmtud string - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - Quic
Tls intHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- Quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - Radius
Port int - RADIUS service port number.
- Reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - Refresh int
- Statistics refresh interval in GUI.
- Remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- Reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - Restart
Time string - Daily restart time (hh:mm).
- Revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - Revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - Scanunit
Count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- Security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - Security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - Send
Pmtu stringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. Valid values:
enable
,disable
. - Sflowd
Max intChildren Num - Maximum number of sflowd child processes allowed to run.
- Snat
Route stringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - Special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - Speedtest
Server string - Enable/disable speed test server. Valid values:
enable
,disable
. - Speedtestd
Ctrl intPort - Speedtest server controller port number.
- Speedtestd
Server intPort - Speedtest server port number.
- Split
Port string - Split port(s) to multiple 10Gbps ports.
- Ssd
Trim intDate - Date within a month to run ssd trim.
- Ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - Ssd
Trim intHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- Ssd
Trim intMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- Ssd
Trim stringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - Ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - Ssh
Enc stringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - Ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - Ssh
Hostkey string - Config SSH host key.
- Ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- Ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - Ssh
Hostkey stringPassword - Password for ssh-hostkey.
- Ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- Ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - Ssh
Mac stringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - Ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - Ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- Ssl
Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Valid values:
enable
,disable
. - Sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - Sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - Sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - Sslvpn
Max intWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- Sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - Sslvpn
Web stringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - Strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - Strong
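Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. As described here, 3DES and SHA1 remain allowed when this is enabled; both are legacy algorithms by current standards, so restrict them separately with the SSH algorithm and admin HTTPS banned-cipher settings on this page if they must be excluded. Valid values: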
enable
,disable
. - Switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - Switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- Sys
Perf intLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- Syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Tcp
Halfclose intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- Tcp
Halfopen intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- Tcp
Option string - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - Tcp
Rst intTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- Tcp
Timewait intTimer - Length of the TCP TIME-WAIT state in seconds.
- Tftp string
- Enable/disable TFTP. Valid values:
enable
,disable
. - Timezone string
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- Tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - Traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - Traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - Two
Factor intEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- Two
Factor intFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- Two
Factor intFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- Two
Factor intFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- Two
Factor intSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- Udp
Idle intTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- Url
Filter stringAffinity - URL filter CPU affinity.
- Url
Filter intCount - URL filter daemon count.
- User
Device intStore Max Devices - Maximum number of devices allowed in user device store.
- User
Device intStore Max Unified Mem - Maximum unified memory allowed in user device store.
- User
Device intStore Max Users - Maximum number of users allowed in user device store.
- User
Server stringCert - Certificate to use for https user authentication.
- Vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - Vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - Virtual
Server intCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- Virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - Virtual
Switch stringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - Vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - Wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Wad
Csvc intCs Count - Number of concurrent WAD-cache-service object-cache processes.
- Wad
Csvc intDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- Wad
Memory intChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- Wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- Wad
Restart stringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - Wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- Wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - Wad
Worker intCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- Wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- Wifi
Certificate string - Certificate to use for WiFi authentication.
- Wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - Wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - Wireless
Controller intPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- Admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - Admin
Console intTimeout - Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0, the default, disables this timeout.
- Admin
Forticloud stringSso Default Profile - Override access profile.
- Admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - Admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- Admin
Hsts intMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- Admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - Admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - Admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - Admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - Admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- Admin
Lockout intDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- Admin
Lockout intThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- Admin
Login intMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- Admin
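Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number rather than chosen by an administrator, the setting is only as strong as physical control of the console; set it to disable where console access is not physically restricted, accepting that this removes the password-recovery path. Valid values: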
enable
,disable
. - Admin
Port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- Admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - Admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - Admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- Admin
Sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- Admin
Ssh intGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- Admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - Admin
Ssh intPort - Administrative access port for SSH. (1 - 65535, default = 22).
- Admin
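Ssh stringV1 - Enable/disable SSH v1 compatibility. SSH protocol version 1 is obsolete and has known cryptographic weaknesses; leave it disabled unless a legacy client strictly requires it. Valid values: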
enable
,disable
. - Admin
Telnet string - Enable/disable TELNET service. TELNET carries credentials and session data in cleartext, so prefer SSH for administrative access. Valid values:
enable
,disable
. - Admin
Telnet intPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- Admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- Alias string
- Alias for your FortiGate unit.
- Allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - Anti
Replay string - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - Arp
Max intEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- Asymroute string
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - Auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- Auth
Http intPort - User authentication HTTP port. (1 - 65535, default = 80).
- Auth
Https intPort - User authentication HTTPS port. (1 - 65535, default = 443).
- Auth
Ike intSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- Auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - Auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - Auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - Autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - Av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - Av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - Batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - Bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Block
Session intTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- Br
Fdb intMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- Cert
Chain intMax - Maximum number of certificates that can be traversed in a certificate chain.
- Cfg
Revert intTimeout - Time-out for reverting to the last saved configuration.
- Cfg
Save string - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - Check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - Check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - Cli
Audit stringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - Cloud
Communication string - Enable/disable all cloud communication. Valid values:
enable
,disable
. - Clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - Cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Compliance
Check string - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - Compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- Cpu
Use intThreshold - Threshold at which CPU usage is reported (% of total CPU, default = 90).
- Csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - Daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - Default
Service stringSource Port - Default service source port range. (default=1-65535)
- Device
Identification intActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- Device
Idle intTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- Dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - Dnsproxy
Worker intCount - DNS proxy worker count.
- Dst string
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Early
Tcp stringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - Edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - Endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - Endpoint
Control intPortal Port - Endpoint control portal port (1 - 65535).
- Extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- Failtime int
- Fail-time for server lost.
- Faz
Disk intBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- Fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - Fds
Statistics intPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- Fec
Port int - Local UDP port for Forward Error Correction (49152 - 65535).
- Fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - Forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - Forticonverter
Integration string - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - Fortiextender string
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - Fortiextender
Data intPort - FortiExtender data port (1024 - 49150, default = 25246).
- Fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - Fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - Fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - Fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - Fortiservice
Port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- Fortitoken
Cloud string - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - Fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - Fortitoken
Cloud intSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource, otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - Gui
Allow stringIncompatible Fabric Fgt - Enable/disable allowing a FortiGate (FGT) with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors. Valid values:
enable
,disable
. - Gui
App stringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - Gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - Gui
Cdn stringDomain Override - Domain of CDN server.
- Gui
Cdn stringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - Gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - Gui
Custom stringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - Gui
Date stringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - Gui
Date stringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - Gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- Gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - Gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - Gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - Gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - Gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - Gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - Gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - Gui
Ipv6 string - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - Gui
Lines intPer Page - Number of lines to display per page for web administration.
- Gui
Local stringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - Gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - Gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - Gui
Theme string - Color scheme for the administration GUI.
- Gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - Gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - Ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - Hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- Igmp
State intLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- Ike
Embryonic intLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- Interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - Internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- Internet
Service []GlobalDownload Lists Internet Service Download List Args - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - Interval int
- Dead gateway detection interval.
- Ip
Fragment intMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- Ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- Ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- Ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - Ipsec
Ha intSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- Ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - Ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - Ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - Ipv6Accept
Dad int - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- Ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - Ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - Ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - Ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - Irq
Time stringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - Language string
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - Ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- Lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - Lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - Log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - Log
Ssl stringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - Log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - Log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - Login
Timestamp string - Enable/disable login time recording. Valid values:
enable
,disable
. - Long
Vdom stringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - Management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- Management
Port int - Overriding port for management connection (Overrides admin port).
- Management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - Management
Vdom string - Management virtual domain name.
- Max
Dlpstat intMemory - Maximum DLP stat memory (0 - 4294967295).
- Max
Route intCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- Mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - Memory
Use intThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- Memory
Use intThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- Memory
Use intThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- Miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- Miglogd
Children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- Multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - Multicast
Forward string - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - Ndp
Max intEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- Per
User stringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - Per
User stringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - Pmtu
Discovery string - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - Policy
Auth intConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - Private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - Proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - Proxy
Auth intLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- Proxy
Auth intTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- Proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - Proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - Proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - Proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - Proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - Proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - Proxy
Re intAuthentication Time - Time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authentication (1 - 86400 sec, default = 30s).
- Proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - Proxy
Worker intCount - Proxy worker count.
- Purdue
Level string - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - Quic
Ack intThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- Quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - Quic
Max intDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- Quic
Pmtud string - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - Quic
Tls intHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- Quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - Radius
Port int - RADIUS service port number.
- Reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - Refresh int
- Statistics refresh interval in GUI.
- Remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- Reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - Restart
Time string - Daily restart time (hh:mm).
- Revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - Revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - Scanunit
Count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- Security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - Security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - Send
Pmtu stringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. Valid values:
enable
,disable
. - Sflowd
Max intChildren Num - Maximum number of sflowd child processes allowed to run.
- Snat
Route stringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - Special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - Speedtest
Server string - Enable/disable speed test server. Valid values:
enable
,disable
. - Speedtestd
Ctrl intPort - Speedtest server controller port number.
- Speedtestd
Server intPort - Speedtest server port number.
- Split
Port string - Split port(s) to multiple 10Gbps ports.
- Ssd
Trim intDate - Date within a month to run ssd trim.
- Ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - Ssd
Trim intHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- Ssd
Trim intMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- Ssd
Trim stringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - Ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - Ssh
Enc stringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - Ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - Ssh
Hostkey string - Config SSH host key.
- Ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- Ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - Ssh
Hostkey stringPassword - Password for ssh-hostkey.
- Ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- Ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - Ssh
Mac stringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - Ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - Ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- Ssl
Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Valid values:
enable
,disable
. - Sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - Sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - Sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - Sslvpn
Max intWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- Sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - Sslvpn
Web stringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - Strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - Strong
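Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA1 are themselves deprecated by current cryptographic guidance, so enabling this option does not replace reviewing the explicit cipher, MAC and protocol-version settings on this resource (for example admin-https-ssl-banned-ciphers, ssh-enc-algo, ssh-mac-algo and ssl-min-proto-version). Valid values: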
enable
,disable
. - Switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - Switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- Sys
Perf intLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- Syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Tcp
Halfclose intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- Tcp
Halfopen intTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- Tcp
Option string - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - Tcp
Rst intTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- Tcp
Timewait intTimer - Length of the TCP TIME-WAIT state in seconds.
- Tftp string
- Enable/disable TFTP. Valid values:
enable
,disable
. - Timezone string
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- Tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - Traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - Traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - Two
Factor intEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- Two
Factor intFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- Two
Factor intFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- Two
Factor intFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- Two
Factor intSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- Udp
Idle intTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- Url
Filter stringAffinity - URL filter CPU affinity.
- Url
Filter intCount - URL filter daemon count.
- User
Device intStore Max Devices - Maximum number of devices allowed in user device store.
- User
Device intStore Max Unified Mem - Maximum unified memory allowed in user device store.
- User
Device intStore Max Users - Maximum number of users allowed in user device store.
- User
Server stringCert - Certificate to use for https user authentication.
- Vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - Vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - Virtual
Server intCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- Virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - Virtual
Switch stringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - Vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - Wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- Wad
Csvc intCs Count - Number of concurrent WAD-cache-service object-cache processes.
- Wad
Csvc intDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- Wad
Memory intChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- Wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- Wad
Restart stringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - Wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- Wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - Wad
Worker intCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- Wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- Wifi
Certificate string - Certificate to use for WiFi authentication.
- Wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - Wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - Wireless
Controller intPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- admin
Concurrent String - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - admin
Console IntegerTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin
Forticloud StringSso Default Profile - Override access profile.
- admin
Forticloud StringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - admin
Host String - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts IntegerMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled the header max-age will be 0.
- admin
Https StringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - admin
Https StringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - admin
Https StringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - admin
Https StringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - admin
Https StringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout IntegerDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout IntegerThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login IntegerMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
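Maintainer String - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because this password is derived from the serial number, anyone with physical console access who knows the serial number can use this account; disable it where physical access to the unit is not controlled. Valid values: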
enable
,disable
. - admin
Port Integer - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict StringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - admin
Scp String - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - admin
Server StringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport Integer - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh IntegerGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh StringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - admin
Ssh IntegerPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
Ssh StringV1 - Enable/disable SSH v1 compatibility. SSH v1 has known cryptographic weaknesses; leave this disabled unless a legacy client requires it. Valid values:
enable
,disable
. - admin
Telnet String - Enable/disable TELNET service. TELNET sends credentials and session data unencrypted; prefer SSH for administrative access. Valid values:
enable
,disable
. - admin
Telnet IntegerPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout Integer
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias String
- Alias for your FortiGate unit.
- allow
Traffic StringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - anti
Replay String - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - arp
Max IntegerEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute String
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - auth
Cert String - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http IntegerPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https IntegerPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike IntegerSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive String - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - auth
Session StringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - auto
Auth StringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - autorun
Log StringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - av
Affinity String - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen String - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - av
Failopen StringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - batch
Cmdb String - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - bfd
Affinity String - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session IntegerTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb IntegerMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain IntegerMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert IntegerTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save String - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - check
Protocol StringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - check
Reset StringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - cli
Audit StringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - cloud
Communication String - Enable/disable all cloud communication. Valid values:
enable
,disable
. - clt
Cert StringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - cmdbsvr
Affinity String - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check String - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - compliance
Check StringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use IntegerThreshold - Threshold at which CPU usage is reported (% of total CPU, default = 90).
- csr
Ca StringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - daily
Restart String - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - default
Service StringSource Port - Default service source port range. (default=1-65535)
- device
Identification IntegerActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle IntegerTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params String - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Sizes below 2048 bits are no longer considered adequate under current guidance. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - dnsproxy
Worker IntegerCount - DNS proxy worker count.
- dst String
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- early
Tcp StringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - edit
Vdom StringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - endpoint
Control StringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - endpoint
Control IntegerPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller StringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime Integer
- Fail-time for server lost.
- faz
Disk IntegerBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics String - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - fds
Statistics IntegerPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port Integer - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert StringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - forticonverter
Config StringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - forticonverter
Integration String - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - fortiextender String
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - fortiextender
Data IntegerPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery StringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - String
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - fortiextender
Vlan StringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - fortigslb
Integration String - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - fortiipam
Integration String - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - fortiservice
Port Integer - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud String - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - fortitoken
Cloud StringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - fortitoken
Cloud IntegerSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource, otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- gui
Allow StringDefault Hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - gui
Allow StringIncompatible Fabric Fgt - Enable/disable allowing a FortiGate (FGT) with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors. Valid values:
enable
,disable
. - gui
App StringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - gui
Auto StringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - gui
Cdn StringDomain Override - Domain of CDN server.
- gui
Cdn StringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - gui
Certificates String - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - gui
Custom StringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - gui
Date StringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - gui
Date StringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - gui
Device StringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device StringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display StringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - gui
Firmware StringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - gui
Firmware StringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - gui
Forticare StringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - gui
Fortigate StringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - gui
Fortiguard StringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - gui
Fortisandbox StringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - gui
Ipv6 String - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - gui
Lines IntegerPer Page - Number of lines to display per page for web administration.
- gui
Local StringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - gui
Replacement StringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - gui
Rest StringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - gui
Theme String - Color scheme for the administration GUI.
- gui
Wireless StringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - gui
Workflow StringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - ha
Affinity String - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df String - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - hostname String
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- igmp
State IntegerLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic IntegerLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet StringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - internet
Service StringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service List<GlobalDownload Lists Internet Service Download List> - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval Integer
- Dead gateway detection interval.
- ip
Fragment IntegerMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src StringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity String - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic StringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - ipsec
Ha IntegerSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac StringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - ipsec
Round StringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - ipsec
Soft StringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - ipv6Accept
Dad Integer - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast StringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - ipv6Allow
Local StringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - ipv6Allow
Multicast StringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - ipv6Allow
Traffic StringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - irq
Time StringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - language String
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - ldapconntimeout Integer
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception String - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - lldp
Transmission String - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - log
Single StringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - log
Ssl StringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - log
Uuid StringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - log
Uuid StringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - login
Timestamp String - Enable/disable login time recording. Valid values:
enable
,disable
. - long
Vdom StringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - management
Ip String - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port Integer - Overriding port for management connection (Overrides admin port).
- management
Port StringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - management
Vdom String - Management virtual domain name.
- max
Dlpstat IntegerMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route IntegerCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl StringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - memory
Use IntegerThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use IntegerThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use IntegerThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity String - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children Integer - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor StringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - multicast
Forward String - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - ndp
Max IntegerEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- per
User StringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - per
User StringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - pmtu
Discovery String - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - policy
Auth IntegerConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- String
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - String
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - private
Data StringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - proxy
Auth StringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - proxy
Auth IntegerLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth IntegerTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert StringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - proxy
Cipher StringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - proxy
Hardware StringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - proxy
Keep StringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - proxy
Kxp StringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - proxy
Re StringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - proxy
Re IntegerAuthentication Time - The time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authentication (1 - 86400 sec, default=30s).
- proxy
Resource StringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - proxy
Worker IntegerCount - Proxy worker count.
- purdue
Level String - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - quic
Ack IntegerThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion StringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - quic
Max IntegerDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud String - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - quic
Tls IntegerHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp StringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - radius
Port Integer - RADIUS service port number.
- reboot
Upon StringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - refresh Integer
- Statistics refresh interval in GUI.
- remoteauthtimeout Integer
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless StringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - restart
Time String - Daily restart time (hh:mm).
- revision
Backup StringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - revision
Image StringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - scanunit
Count Integer - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating StringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - security
Rating StringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - send
Pmtu StringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) ICMP destination unreachable packets, which supports the PMTUD protocol on your network and reduces fragmentation of packets. Valid values:
enable
,disable
. - sflowd
Max IntegerChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route StringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - special
File23Support String - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - speedtest
Server String - Enable/disable speed test server. Valid values:
enable
,disable
. - speedtestd
Ctrl IntegerPort - Speedtest server controller port number.
- speedtestd
Server IntegerPort - Speedtest server port number.
- split
Port String - Split port(s) to multiple 10Gbps ports.
- ssd
Trim IntegerDate - Date within a month to run ssd trim.
- ssd
Trim StringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - ssd
Trim IntegerHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim IntegerMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim StringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - ssh
Cbc StringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - ssh
Enc StringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - ssh
Hmac StringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - ssh
Hostkey String - Config SSH host key.
- ssh
Hostkey StringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey StringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - ssh
Hostkey StringPassword - Password for ssh-hostkey.
- ssh
Kex StringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex StringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - ssh
Mac StringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - ssh
Mac StringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - ssl
Min StringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static StringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Valid values:
enable
,disable
. - sslvpn
Cipher StringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - sslvpn
Kxp StringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Max IntegerWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin StringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - sslvpn
Web StringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - strict
Dirty StringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - strong
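Crypto String - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. Note that 3DES and SHA1 are treated as legacy algorithms by current cryptographic guidance, so confirm the cipher set actually negotiated on your firmware version rather than relying on this description alone. Valid values: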
enable
,disable
. - switch
Controller String - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - switch
Controller StringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf IntegerLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity String - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose IntegerTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen IntegerTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option String - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - tcp
Rst IntegerTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait IntegerTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp String
- Enable/disable TFTP. Valid values:
enable
,disable
. - timezone String
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc StringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - traffic
Priority String - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - traffic
Priority StringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - two
Factor IntegerEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two
Factor IntegerFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two
Factor IntegerFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two
Factor IntegerFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two
Factor IntegerSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle IntegerTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter StringAffinity - URL filter CPU affinity.
- url
Filter IntegerCount - URL filter daemon count.
- user
Device IntegerStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device IntegerStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device IntegerStore Max Users - Maximum number of users allowed in user device store.
- user
Server StringCert - Certificate to use for https user authentication.
- vdom
Admin String - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - vdom
Mode String - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vip
Arp StringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - virtual
Server IntegerCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server StringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - virtual
Switch StringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - vpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - wad
Affinity String - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc IntegerCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc IntegerDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory IntegerChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart StringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart StringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - wad
Restart StringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source StringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - wad
Worker IntegerCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi
Ca StringCertificate - CA certificate that verifies the WiFi certificate.
- wifi
Certificate String - Certificate to use for WiFi authentication.
- wimax4g
Usb String - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - wireless
Controller String - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - wireless
Controller IntegerPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- admin
Concurrent string - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - admin
Console numberTimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin
Forticloud stringSso Default Profile - Override access profile.
- admin
Forticloud stringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - admin
Host string - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts numberMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled the header max-age will be 0.
- admin
Https stringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - admin
Https stringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - admin
Https stringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - admin
Https stringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - admin
Https stringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout numberDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout numberThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login numberMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
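Maintainer string - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Since the password can be derived from the serial number, anyone with physical console access can use this account; disable it where console access is not physically controlled. Valid values: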
enable
,disable
. - admin
Port number - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict stringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - admin
Scp string - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - admin
Server stringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport number - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh numberGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh stringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - admin
Ssh numberPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
Ssh stringV1 - Enable/disable SSH v1 compatibility. Valid values:
enable
,disable
. - admin
Telnet string - Enable/disable TELNET service. Valid values:
enable
,disable
. - admin
Telnet numberPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout number
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias string
- Alias for your FortiGate unit.
- allow
Traffic stringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - anti
Replay string - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - arp
Max numberEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute string
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - auth
Cert string - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http numberPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https numberPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike numberSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive string - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - auth
Session stringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - auto
Auth stringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - autorun
Log stringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - av
Affinity string - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen string - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - av
Failopen stringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - batch
Cmdb string - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - bfd
Affinity string - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session numberTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb numberMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain numberMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert numberTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save string - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - check
Protocol stringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - check
Reset stringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - cli
Audit stringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - cloud
Communication string - Enable/disable all cloud communication. Valid values:
enable
,disable
. - clt
Cert stringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - cmdbsvr
Affinity string - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check string - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - compliance
Check stringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use numberThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr
Ca stringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - daily
Restart string - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - default
Service stringSource Port - Default service source port range. (default=1-65535)
- device
Identification numberActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle numberTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params string - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - dnsproxy
Worker numberCount - DNS proxy worker count.
- dst string
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- early
Tcp stringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - edit
Vdom stringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - endpoint
Control stringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - endpoint
Control numberPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller stringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime number
- Fail-time for server lost.
- faz
Disk numberBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics string - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - fds
Statistics numberPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port number - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert stringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - forticonverter
Config stringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - forticonverter
Integration string - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - fortiextender string
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - fortiextender
Data numberPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery stringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - string
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - fortiextender
Vlan stringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - fortigslb
Integration string - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - fortiipam
Integration string - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - fortiservice
Port number - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud string - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - fortitoken
Cloud stringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - fortitoken
Cloud numberSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-tables in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- gui
Allow stringDefault Hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - gui
Allow stringIncompatible Fabric Fgt - Enable/disable allowing FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected errors. Valid values:
enable
,disable
. - gui
App stringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - gui
Auto stringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - gui
Cdn stringDomain Override - Domain of CDN server.
- gui
Cdn stringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - gui
Certificates string - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - gui
Custom stringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - gui
Date stringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - gui
Date stringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - gui
Device stringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device stringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display stringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - gui
Firmware stringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - gui
Firmware stringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - gui
Forticare stringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - gui
Fortigate stringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - gui
Fortiguard stringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - gui
Fortisandbox stringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - gui
Ipv6 string - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - gui
Lines numberPer Page - Number of lines to display per page for web administration.
- gui
Local stringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - gui
Replacement stringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - gui
Rest stringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - gui
Theme string - Color scheme for the administration GUI.
- gui
Wireless stringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - gui
Workflow stringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - ha
Affinity string - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df string - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - hostname string
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- igmp
State numberLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic numberLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet stringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - internet
Service stringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service GlobalDownload Lists Internet Service Download List[] - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval number
- Dead gateway detection interval.
- ip
Fragment numberMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src stringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity string - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic stringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - ipsec
Ha numberSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac stringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - ipsec
Round stringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - ipsec
Soft stringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - ipv6Accept
Dad number - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast stringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - ipv6Allow
Local stringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - ipv6Allow
Multicast stringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - ipv6Allow
Traffic stringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - irq
Time stringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - language string
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - ldapconntimeout number
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception string - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - lldp
Transmission string - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - log
Single stringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - log
Ssl stringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - log
Uuid stringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - log
Uuid stringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - login
Timestamp string - Enable/disable login time recording. Valid values:
enable
,disable
. - long
Vdom stringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - management
Ip string - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port number - Overriding port for management connection (Overrides admin port).
- management
Port stringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - management
Vdom string - Management virtual domain name.
- max
Dlpstat numberMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route numberCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl stringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - memory
Use numberThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use numberThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use numberThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity string - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children number - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor stringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - multicast
Forward string - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - ndp
Max numberEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- per
User stringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - per
User stringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - pmtu
Discovery string - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - policy
Auth numberConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- postLoginBanner string
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - preLoginBanner string
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - private
Data stringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - proxy
Auth stringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - proxy
Auth numberLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth numberTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert stringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - proxy
Cipher stringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - proxy
Hardware stringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - proxy
Keep stringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - proxy
Kxp stringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - proxy
Re stringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - proxy
Re numberAuthentication Time - The time limit after which users must re-authenticate if proxy-keep-alive-mode is set to re-authentication (1 - 86400 sec, default=30s).
- proxy
Resource stringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - proxy
Worker numberCount - Proxy worker count.
- purdue
Level string - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - quic
Ack numberThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion stringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - quic
Max numberDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud string - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - quic
Tls numberHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp stringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - radius
Port number - RADIUS service port number.
- reboot
Upon stringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - refresh number
- Statistics refresh interval in GUI.
- remoteauthtimeout number
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless stringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - restart
Time string - Daily restart time (hh:mm).
- revision
Backup stringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - revision
Image stringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - scanunit
Count number - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating stringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - security
Rating stringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - send
Pmtu stringIcmp - Enable/disable sending path maximum transmission unit (PMTU) ICMP destination unreachable packets, which supports the PMTUD protocol on your network and reduces fragmentation of packets. Valid values:
enable
,disable
. - sflowd
Max numberChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route stringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - special
File23Support string - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - speedtest
Server string - Enable/disable speed test server. Valid values:
enable
,disable
. - speedtestd
Ctrl numberPort - Speedtest server controller port number.
- speedtestd
Server numberPort - Speedtest server port number.
- split
Port string - Split port(s) to multiple 10Gbps ports.
- ssd
Trim numberDate - Date within a month to run ssd trim.
- ssd
Trim stringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - ssd
Trim numberHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim numberMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim stringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - ssh
Cbc stringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - ssh
Enc stringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - ssh
Hmac stringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - ssh
Hostkey string - Config SSH host key.
- ssh
Hostkey stringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey stringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - ssh
Hostkey stringPassword - Password for ssh-hostkey.
- ssh
Kex stringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex stringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - ssh
Mac stringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - ssh
Mac stringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - ssl
Min stringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static stringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Static key ciphers do not provide forward secrecy. Valid values:
enable
,disable
. - sslvpn
Cipher stringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - sslvpn
Kxp stringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Max numberWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin stringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - sslvpn
Web stringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - strict
Dirty stringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - strong
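Crypto string - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. 3DES and SHA1, listed here as strong, are deprecated in current cryptographic guidance, so also review the minimum SSL/TLS protocol version and the SSH cipher, MAC and key-exchange settings on this page. Valid values: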
enable
,disable
. - switch
Controller string - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - switch
Controller stringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf numberLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity string - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose numberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen numberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option string - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - tcp
Rst numberTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait numberTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp string
- Enable/disable TFTP. Valid values:
enable
,disable
. - timezone string
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc stringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - traffic
Priority string - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - traffic
Priority stringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - two
Factor numberEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two
Factor numberFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two
Factor numberFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two
Factor numberFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two
Factor numberSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle numberTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter stringAffinity - URL filter CPU affinity.
- url
Filter numberCount - URL filter daemon count.
- user
Device numberStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device numberStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device numberStore Max Users - Maximum number of users allowed in user device store.
- user
Server stringCert - Certificate to use for https user authentication.
- vdom
Admin string - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - vdom
Mode string - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vip
Arp stringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - virtual
Server numberCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server stringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - virtual
Switch stringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - vpn
Ems stringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - wad
Affinity string - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc numberCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc numberDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory numberChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart stringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart stringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - wad
Restart stringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source stringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - wad
Worker numberCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi
Ca stringCertificate - CA certificate that verifies the WiFi certificate.
- wifi
Certificate string - Certificate to use for WiFi authentication.
- wimax4g
Usb string - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - wireless
Controller string - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - wireless
Controller numberPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- admin_
concurrent str - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - admin_
console_ inttimeout - Console login timeout that overrides the admintimeout value (15 - 300 seconds, i.e. 15 seconds to 5 minutes). 0, the default, disables this timeout.
- admin_
forticloud_ strsso_ default_ profile - Override access profile.
- admin_
forticloud_ strsso_ login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - admin_
host str - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin_
hsts_ intmax_ age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled, the header max-age will be 0.
- admin_
https_ strpki_ required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - admin_
https_ strredirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - admin_
https_ strssl_ banned_ ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - admin_
https_ strssl_ ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - admin_
https_ strssl_ versions - Allowed TLS versions for web administration.
- admin_
lockout_ intduration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin_
lockout_ intthreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin_
login_ intmax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin_
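maintainer str - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because the password is derived from the serial number, anyone with console access who knows the serial number can use this account; disable it where physical access to the unit is not controlled. Valid values: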
enable
,disable
. - admin_
port int - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin_
restrict_ strlocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - admin_
scp str - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - admin_
server_ strcert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin_
sport int - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin_
ssh_ intgrace_ time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin_
ssh_ strpassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - admin_
ssh_ intport - Administrative access port for SSH. (1 - 65535, default = 22).
- admin_
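ssh_ strv1 - Enable/disable SSH v1 compatibility. SSH v1 is an obsolete protocol version with known weaknesses; enable it only if a legacy client requires it. Valid values: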
enable
,disable
. - admin_
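telnet str - Enable/disable TELNET service. TELNET carries credentials and session data unencrypted; SSH is the encrypted alternative for administrative access. Valid values: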
enable
,disable
. - admin_
telnet_ intport - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout int
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias str
- Alias for your FortiGate unit.
- allow_
traffic_ strredirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - anti_
replay str - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - arp_
max_ intentry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute str
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - auth_
cert str - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth_
http_ intport - User authentication HTTP port. (1 - 65535, default = 80).
- auth_
https_ intport - User authentication HTTPS port. (1 - 65535, default = 443).
- auth_
ike_ intsaml_ port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth_
keepalive str - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - auth_
session_ strlimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - auto_
auth_ strextension_ device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - autorun_
log_ strfsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - av_
affinity str - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av_
failopen str - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - av_
failopen_ strsession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - batch_
cmdb str - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - bfd_
affinity str - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block_
session_ inttimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br_
fdb_ intmax_ entry - Maximum number of bridge forwarding database (FDB) entries.
- cert_
chain_ intmax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg_
revert_ inttimeout - Time-out for reverting to the last saved configuration.
- cfg_
save str - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - check_
protocol_ strheader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - check_
reset_ strrange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - cli_
audit_ strlog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - cloud_
communication str - Enable/disable all cloud communication. Valid values:
enable
,disable
. - clt_
cert_ strreq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - cmdbsvr_
affinity str - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance_
check str - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - compliance_
check_ strtime - Time of day to run scheduled PCI DSS compliance checks.
- cpu_
use_ intthreshold - Threshold at which CPU usage is reported (% of total CPU, default = 90).
- csr_
ca_ strattribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - daily_
restart str - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - default_
service_ strsource_ port - Default service source port range. (default=1-65535)
- device_
identification_ intactive_ scan_ delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device_
idle_ inttimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh_
params str - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - dnsproxy_
worker_ intcount - DNS proxy worker count.
- dst str
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - dynamic_
sort_ strsubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- early_
tcp_ strnpu_ session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - edit_
vdom_ strprompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - endpoint_
control_ strfds_ access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - endpoint_
control_ intportal_ port - Endpoint control portal port (1 - 65535).
- extender_
controller_ strreserved_ network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime int
- Fail-time for server lost.
- faz_
disk_ intbuffer_ size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds_
statistics str - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - fds_
statistics_ intperiod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec_
port int - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd_
alert_ strsubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - forticonverter_
config_ strupload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - forticonverter_
integration str - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - fortiextender str
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - fortiextender_
data_ intport - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender_
discovery_ strlockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - fortiextender_provision_on_authorization str
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - fortiextender_
vlan_ strmode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - fortigslb_
integration str - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - fortiipam_
integration str - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - fortiservice_
port int - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken_
cloud str - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - fortitoken_
cloud_ strpush_ status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - fortitoken_
cloud_ intsync_ interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- get_
all_ strtables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-tables in another resource, otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- gui_
allow_ strdefault_ hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - gui_
allow_ strincompatible_ fabric_ fgt - Enable/disable allowing a FortiGate with incompatible firmware to be treated as compatible in the Security Fabric on the GUI. May cause unexpected errors. Valid values:
enable
,disable
. - gui_
app_ strdetection_ sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - gui_
auto_ strupgrade_ setup_ warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - gui_
cdn_ strdomain_ override - Domain of CDN server.
- gui_
cdn_ strusage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - gui_
certificates str - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - gui_
custom_ strlanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - gui_
date_ strformat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - gui_
date_ strtime_ source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - gui_
device_ strlatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui_
device_ strlongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui_
display_ strhostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - gui_
firmware_ strupgrade_ setup_ warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - gui_
firmware_ strupgrade_ warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - gui_
forticare_ strregistration_ setup_ warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - gui_
fortigate_ strcloud_ sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - gui_
fortiguard_ strresource_ fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - gui_
fortisandbox_ strcloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - gui_
ipv6 str - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - gui_
lines_ intper_ page - Number of lines to display per page for web administration.
- gui_
local_ strout - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - gui_
replacement_ strmessage_ groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - gui_
rest_ strapi_ cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - gui_
theme str - Color scheme for the administration GUI.
- gui_
wireless_ stropensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - gui_
workflow_ strmanagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - ha_
affinity str - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor_
df str - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - hostname str
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- igmp_
state_ intlimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike_
embryonic_ intlimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface_
subnet_ strusage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - internet_
service_ strdatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet_
service_ Sequence[Globaldownload_ lists Internet Service Download List Args] - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval int
- Dead gateway detection interval.
- ip_
fragment_ intmem_ thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip_
src_ strport_ range - IP source port range used for traffic originating from the FortiGate unit.
- ips_
affinity str - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec_
asic_ stroffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - ipsec_
ha_ intseqjump_ rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec_
hmac_ stroffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - ipsec_
round_ strrobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - ipsec_
soft_ strdec_ async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - ipv6_
accept_ intdad - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6_
allow_ stranycast_ probe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - ipv6_
allow_ strlocal_ in_ slient_ drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - ipv6_
allow_ strmulticast_ probe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - ipv6_
allow_ strtraffic_ redirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - irq_
time_ straccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - language str
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - ldapconntimeout int
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp_
reception str - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - lldp_
transmission str - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - log_
single_ strcpu_ high - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - log_
ssl_ strconnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - log_
uuid_ straddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - log_
uuid_ strpolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - login_
timestamp str - Enable/disable login time recording. Valid values:
enable
,disable
. - long_
vdom_ strname - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - management_
ip str - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management_
port int - Overriding port for management connection (Overrides admin port).
- management_
port_ struse_ admin_ sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - management_
vdom str - Management virtual domain name.
- max_
dlpstat_ intmemory - Maximum DLP stat memory (0 - 4294967295).
- max_
route_ intcache_ size - Maximum number of IP route cache entries (0 - 2147483647).
- mc_
ttl_ strnotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - memory_
use_ intthreshold_ extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory_
use_ intthreshold_ green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory_
use_ intthreshold_ red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog_
affinity str - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd_
children int - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi_
factor_ strauthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - multicast_
forward str - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - ndp_
max_ intentry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- per_
user_ strbal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - per_
user_ strbwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - pmtu_
discovery str - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - policy_
auth_ intconcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- post_login_banner str
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - pre_login_banner str
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - private_
data_ strencryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - proxy_
auth_ strlifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - proxy_
auth_ intlifetime_ timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy_
auth_ inttimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy_
cert_ struse_ mgmt_ vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - proxy_
cipher_ strhardware_ acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - proxy_
hardware_ stracceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - proxy_
keep_ stralive_ mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - proxy_
kxp_ strhardware_ acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - proxy_
re_ strauthentication_ mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - proxy_
re_ intauthentication_ time - The time limit that users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- proxy_
resource_ strmode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - proxy_
worker_ intcount - Proxy worker count.
- purdue_
level str - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - quic_
ack_ intthresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic_
congestion_ strcontrol_ algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - quic_
max_ intdatagram_ size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic_
pmtud str - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - quic_
tls_ inthandshake_ timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic_
udp_ strpayload_ size_ shaping_ per_ cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - radius_
port int - RADIUS service port number.
- reboot_
upon_ strconfig_ restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - refresh int
- Statistics refresh interval in GUI.
- remoteauthtimeout int
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset_
sessionless_ strtcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - restart_
time str - Daily restart time (hh:mm).
- revision_
backup_ stron_ logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - revision_
image_ strauto_ backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - scanunit_
count int - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security_
rating_ strresult_ submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - security_
rating_ strrun_ on_ schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - send_
pmtu_ stricmp - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. Valid values:
enable
,disable
. - sflowd_
max_ intchildren_ num - Maximum number of sflowd child processes allowed to run.
- snat_
route_ strchange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - special_
file23_ strsupport - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - speedtest_
server str - Enable/disable speed test server. Valid values:
enable
,disable
. - speedtestd_
ctrl_ intport - Speedtest server controller port number.
- speedtestd_
server_ intport - Speedtest server port number.
- split_
port str - Split port(s) to multiple 10Gbps ports.
- ssd_
trim_ intdate - Date within a month to run ssd trim.
- ssd_
trim_ strfreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - ssd_
trim_ inthour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd_
trim_ intmin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd_
trim_ strweekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - ssh_
cbc_ strcipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - ssh_
enc_ stralgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - ssh_
hmac_ strmd5 - Enable/disable HMAC-MD5 for SSH access. HMAC-MD5 is a legacy MAC; keep it disabled unless an older SSH client requires it. Valid values:
enable
,disable
. - ssh_
hostkey str - Config SSH host key.
- ssh_
hostkey_ stralgo - Select one or more SSH hostkey algorithms.
- ssh_
hostkey_ stroverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - ssh_
hostkey_ strpassword - Password for ssh-hostkey.
- ssh_
kex_ stralgo - Select one or more SSH kex algorithms.
- ssh_
kex_ strsha1 - Enable/disable SHA1 key exchange for SSH access. SHA1-based key exchange is deprecated; keep it disabled unless an older SSH client requires it. Valid values:
enable
,disable
. - ssh_
mac_ stralgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - ssh_
mac_ strweak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - ssl_
min_ strproto_ version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl_
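static_ strkey_ ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Static key ciphers do not provide forward secrecy, so disable them where client compatibility allows. Valid values: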
enable
,disable
. - sslvpn_
cipher_ strhardware_ acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - sslvpn_
ems_ strsn_ check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - sslvpn_
kxp_ strhardware_ acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - sslvpn_
max_ intworker_ count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn_
plugin_ strversion_ check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - sslvpn_
web_ strmode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - strict_
dirty_ strsession_ check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - strong_
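crypto str - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. 3DES and SHA1 are now treated as legacy algorithms, so enabling this does not replace reviewing the SSH and SSL/TLS algorithm settings on this resource. Valid values: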
enable
,disable
. - switch_
controller str - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - switch_
controller_ strreserved_ network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys_
perf_ intlog_ interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog_
affinity str - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp_
halfclose_ inttimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp_
halfopen_ inttimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp_
option str - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - tcp_
rst_ inttimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp_
timewait_ inttimer - Length of the TCP TIME-WAIT state in seconds.
- tftp str
- Enable/disable TFTP. Valid values:
enable
,disable
. - timezone str
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp_
mc_ strskip_ policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - traffic_
priority str - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - traffic_
priority_ strlevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - two_
factor_ intemail_ expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two_
factor_ intfac_ expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two_
factor_ intftk_ expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two_
factor_ intftm_ expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two_
factor_ intsms_ expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp_
idle_ inttimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url_
filter_ straffinity - URL filter CPU affinity.
- url_
filter_ intcount - URL filter daemon count.
- user_
device_ intstore_ max_ devices - Maximum number of devices allowed in user device store.
- user_
device_ intstore_ max_ unified_ mem - Maximum unified memory allowed in user device store.
- user_
device_ intstore_ max_ users - Maximum number of users allowed in user device store.
- user_
server_ strcert - Certificate to use for https user authentication.
- vdom_
admin str - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - vdom_
mode str - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - vdomparam str
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vip_
arp_ strrange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - virtual_
server_ intcount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual_
server_ strhardware_ acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - virtual_
switch_ strvlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - vpn_
ems_ strsn_ check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - wad_
affinity str - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad_
csvc_ intcs_ count - Number of concurrent WAD-cache-service object-cache processes.
- wad_
csvc_ intdb_ count - Number of concurrent WAD-cache-service byte-cache processes.
- wad_
memory_ intchange_ granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad_
restart_ strend_ time - WAD workers daily restart end time (hh:mm).
- wad_
restart_ strmode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - wad_
restart_ strstart_ time - WAD workers daily restart time (hh:mm).
- wad_
source_ straffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - wad_
worker_ intcount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi_
ca_ strcertificate - CA certificate that verifies the WiFi certificate.
- wifi_
certificate str - Certificate to use for WiFi authentication.
- wimax4g_
usb str - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - wireless_
controller str - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - wireless_
controller_ intport - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
- admin
Concurrent String - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent for firewall authenticated users.) Valid values:
enable
,disable
. - admin
Console NumberTimeout - Console login timeout that overrides the admintimeout value. (15 - 300 seconds) (15 seconds to 5 minutes). 0 the default, disables this timeout.
- admin
Forticloud StringSso Default Profile - Override access profile.
- admin
Forticloud StringSso Login - Enable/disable FortiCloud admin login via SSO. Valid values:
enable
,disable
. - admin
Host String - Administrative host for HTTP and HTTPS. When set, will be used in lieu of the client's Host header for any redirection.
- admin
Hsts NumberMax Age - HTTPS Strict-Transport-Security header max-age in seconds. A value of 0 will reset any HSTS records in the browser. When admin-https-redirect is disabled the header max-age will be 0.
- admin
Https StringPki Required - Enable/disable admin login method. Enable to force administrators to provide a valid certificate to log in if PKI is enabled. Disable to allow administrators to log in with a certificate or password. Valid values:
enable
,disable
. - admin
Https StringRedirect - Enable/disable redirection of HTTP administration access to HTTPS. Valid values:
enable
,disable
. - admin
Https StringSsl Banned Ciphers - Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below. Valid values:
RSA
,DHE
,ECDHE
,DSS
,ECDSA
,AES
,AESGCM
,CAMELLIA
,3DES
,SHA1
,SHA256
,SHA384
,STATIC
,CHACHA20
,ARIA
,AESCCM
. - admin
Https StringSsl Ciphersuites - Select one or more TLS 1.3 ciphersuites to enable. Does not affect ciphers in TLS 1.2 and below. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. Valid values:
TLS-AES-128-GCM-SHA256
,TLS-AES-256-GCM-SHA384
,TLS-CHACHA20-POLY1305-SHA256
,TLS-AES-128-CCM-SHA256
,TLS-AES-128-CCM-8-SHA256
. - admin
Https StringSsl Versions - Allowed TLS versions for web administration.
- admin
Lockout NumberDuration - Amount of time in seconds that an administrator account is locked out after reaching the admin-lockout-threshold for repeated failed login attempts.
- admin
Lockout NumberThreshold - Number of failed login attempts before an administrator account is locked out for the admin-lockout-duration.
- admin
Login NumberMax - Maximum number of administrators who can be logged in at the same time (1 - 100, default = 100)
- admin
Maintainer String - Enable/disable maintainer administrator login. When enabled, the maintainer account can be used to log in from the console after a hard reboot. The password is "bcpb" followed by the FortiGate unit serial number. You have limited time to complete this login. Because that password is derived from the serial number, set this to disable wherever physical console access is not tightly controlled. Valid values:
enable
,disable
. - admin
Port Number - Administrative access port for HTTP. (1 - 65535, default = 80).
- admin
Restrict StringLocal - Enable/disable local admin authentication restriction when remote authenticator is up and running. (default = disable) Valid values:
enable
,disable
. - admin
Scp String - Enable/disable using SCP to download the system configuration. You can use SCP as an alternative method for backing up the configuration. Valid values:
enable
,disable
. - admin
Server StringCert - Server certificate that the FortiGate uses for HTTPS administrative connections.
- admin
Sport Number - Administrative access port for HTTPS. (1 - 65535, default = 443).
- admin
Ssh NumberGrace Time - Maximum time in seconds permitted between making an SSH connection to the FortiGate unit and authenticating (10 - 3600 sec (1 hour), default 120).
- admin
Ssh StringPassword - Enable/disable password authentication for SSH admin access. Valid values:
enable
,disable
. - admin
Ssh NumberPort - Administrative access port for SSH. (1 - 65535, default = 22).
- admin
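Ssh StringV1 - Enable/disable SSH v1 compatibility. SSH protocol version 1 is obsolete and has known weaknesses; keep this disabled unless a legacy client requires it. Valid values: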
enable
,disable
. - admin
Telnet String - Enable/disable TELNET service. TELNET sends credentials and session data unencrypted; prefer SSH for administrative access. Valid values:
enable
,disable
. - admin
Telnet NumberPort - Administrative access port for TELNET. (1 - 65535, default = 23).
- admintimeout Number
- Number of minutes before an idle administrator session times out (5 - 480 minutes (8 hours), default = 5). A shorter idle timeout is more secure.
- alias String
- Alias for your FortiGate unit.
- allow
Traffic StringRedirect - Disable to allow traffic to be routed back on a different interface. Valid values:
enable
,disable
. - anti
Replay String - Level of checking for packet replay and TCP sequence checking. Valid values:
disable
,loose
,strict
. - arp
Max NumberEntry - Maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 - 2147483647, default = 131072).
- asymroute String
- Enable/disable asymmetric route. Valid values:
enable
,disable
. - auth
Cert String - Server certificate that the FortiGate uses for HTTPS firewall authentication connections.
- auth
Http NumberPort - User authentication HTTP port. (1 - 65535, default = 80).
- auth
Https NumberPort - User authentication HTTPS port. (1 - 65535, default = 443).
- auth
Ike NumberSaml Port - User IKE SAML authentication port (0 - 65535, default = 1001).
- auth
Keepalive String - Enable to prevent user authentication sessions from timing out when idle. Valid values:
enable
,disable
. - auth
Session StringLimit - Action to take when the number of allowed user authenticated sessions is reached. Valid values:
block-new
,logout-inactive
. - auto
Auth StringExtension Device - Enable/disable automatic authorization of dedicated Fortinet extension devices. Valid values:
enable
,disable
. - autorun
Log StringFsck - Enable/disable automatic log partition check after ungraceful shutdown. Valid values:
enable
,disable
. - av
Affinity String - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- av
Failopen String - Set the action to take if the FortiGate is running low on memory or the proxy connection limit has been reached. Valid values:
pass
,off
,one-shot
. - av
Failopen StringSession - When enabled and a proxy for a protocol runs out of room in its session table, that protocol goes into failopen mode and enacts the action specified by av-failopen. Valid values:
enable
,disable
. - batch
Cmdb String - Enable/disable batch mode, allowing you to enter a series of CLI commands that will execute as a group once they are loaded. Valid values:
enable
,disable
. - bfd
Affinity String - Affinity setting for BFD daemon (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- block
Session NumberTimer - Duration in seconds for blocked sessions (1 - 300 sec (5 minutes), default = 30).
- br
Fdb NumberMax Entry - Maximum number of bridge forwarding database (FDB) entries.
- cert
Chain NumberMax - Maximum number of certificates that can be traversed in a certificate chain.
- cfg
Revert NumberTimeout - Time-out for reverting to the last saved configuration.
- cfg
Save String - Configuration file save mode for CLI changes. Valid values:
automatic
,manual
,revert
. - check
Protocol StringHeader - Level of checking performed on protocol headers. Strict checking is more thorough but may affect performance. Loose checking is ok in most cases. Valid values:
loose
,strict
. - check
Reset StringRange - Configure ICMP error message verification. You can either apply strict RST range checking or disable it. Valid values:
strict
,disable
. - cli
Audit StringLog - Enable/disable CLI audit log. Valid values:
enable
,disable
. - cloud
Communication String - Enable/disable all cloud communication. Valid values:
enable
,disable
. - clt
Cert StringReq - Enable/disable requiring administrators to have a client certificate to log into the GUI using HTTPS. Valid values:
enable
,disable
. - cmdbsvr
Affinity String - Affinity setting for cmdbsvr (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- compliance
Check String - Enable/disable global PCI DSS compliance check. Valid values:
enable
,disable
. - compliance
Check StringTime - Time of day to run scheduled PCI DSS compliance checks.
- cpu
Use NumberThreshold - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
- csr
Ca StringAttribute - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs that have the CA attribute. Valid values:
enable
,disable
. - daily
Restart String - Enable/disable daily restart of FortiGate unit. Use the restart-time option to set the time of day for the restart. Valid values:
enable
,disable
. - default
Service StringSource Port - Default service source port range. (default=1-65535)
- device
Identification NumberActive Scan Delay - Number of seconds to passively scan a device before performing an active scan. (20 - 3600 sec, (20 sec to 1 hour), default = 90).
- device
Idle NumberTimeout - Time in seconds that a device must be idle to automatically log the device user out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
- dh
Params String - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols. Valid values:
1024
,1536
,2048
,3072
,4096
,6144
,8192
. - dnsproxy
Worker NumberCount - DNS proxy worker count.
- dst String
- Enable/disable daylight saving time. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- early
Tcp StringNpu Session - Enable/disable early TCP NPU session. Valid values:
enable
,disable
. - edit
Vdom StringPrompt - Enable/disable edit new VDOM prompt. Valid values:
enable
,disable
. - endpoint
Control StringFds Access - Enable/disable access to the FortiGuard network for non-compliant endpoints. Valid values:
enable
,disable
. - endpoint
Control NumberPortal Port - Endpoint control portal port (1 - 65535).
- extender
Controller StringReserved Network - Configure reserved network subnet for managed LAN extension FortiExtenders. This is available when the extender daemon is running.
- failtime Number
- Fail-time for server lost.
- faz
Disk NumberBuffer Size - Maximum disk buffer size to temporarily store logs destined for FortiAnalyzer. To be used in the event that FortiAnalyzer is unavailable.
- fds
Statistics String - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard. This data is used to improve FortiGuard services and is not shared with external parties and is protected by Fortinet's privacy policy. Valid values:
enable
,disable
. - fds
Statistics NumberPeriod - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to 24 hours), default = 60).
- fec
Port Number - Local UDP port for Forward Error Correction (49152 - 65535).
- fgd
Alert StringSubscription - Type of alert to retrieve from FortiGuard. Valid values:
advisory
,latest-threat
,latest-virus
,latest-attack
,new-antivirus-db
,new-attack-db
. - forticonverter
Config StringUpload - Enable/disable config upload to FortiConverter. Valid values:
once
,disable
. - forticonverter
Integration String - Enable/disable FortiConverter integration service. Valid values:
enable
,disable
. - fortiextender String
- Enable/disable FortiExtender. Valid values:
enable
,disable
. - fortiextender
Data NumberPort - FortiExtender data port (1024 - 49150, default = 25246).
- fortiextender
Discovery StringLockdown - Enable/disable FortiExtender CAPWAP lockdown. Valid values:
disable
,enable
. - String
- Enable/disable automatic provisioning of latest FortiExtender firmware on authorization. Valid values:
enable
,disable
. - fortiextender
Vlan StringMode - Enable/disable FortiExtender VLAN mode. Valid values:
enable
,disable
. - fortigslb
Integration String - Enable/disable integration with the FortiGSLB cloud service. Valid values:
disable
,enable
. - fortiipam
Integration String - Enable/disable integration with the FortiIPAM cloud service. Valid values:
enable
,disable
. - fortiservice
Port Number - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint compliance. Older versions of FortiClient used a different port.
- fortitoken
Cloud String - Enable/disable FortiToken Cloud service. Valid values:
enable
,disable
. - fortitoken
Cloud StringPush Status - Enable/disable FTM push service of FortiToken Cloud. Valid values:
enable
,disable
. - fortitoken
Cloud NumberSync Interval - Interval in which to clean up remote users in FortiToken Cloud (0 - 336 hours (14 days), default = 24, disable = 0).
- get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- gui
Allow StringDefault Hostname - Enable/disable the GUI warning about using a default hostname. Valid values:
enable
,disable
. - gui
Allow StringIncompatible Fabric Fgt - Enable/disable Allow FGT with incompatible firmware to be treated as compatible in security fabric on the GUI. May cause unexpected error. Valid values:
enable
,disable
. - gui
App StringDetection Sdwan - Enable/disable Allow app-detection based SD-WAN. Valid values:
enable
,disable
. - gui
Auto StringUpgrade Setup Warning - Enable/disable the automatic patch upgrade setup prompt on the GUI. Valid values:
enable
,disable
. - gui
Cdn StringDomain Override - Domain of CDN server.
- gui
Cdn StringUsage - Enable/disable Load GUI static files from a CDN. Valid values:
enable
,disable
. - gui
Certificates String - Enable/disable the System > Certificate GUI page, allowing you to add and configure certificates from the GUI. Valid values:
enable
,disable
. - gui
Custom StringLanguage - Enable/disable custom languages in GUI. Valid values:
enable
,disable
. - gui
Date StringFormat - Default date format used throughout GUI. Valid values:
yyyy/MM/dd
,dd/MM/yyyy
,MM/dd/yyyy
,yyyy-MM-dd
,dd-MM-yyyy
,MM-dd-yyyy
. - gui
Date StringTime Source - Source that the FortiGate GUI uses to display date and time entries. Valid values:
system
,browser
. - gui
Device StringLatitude - Add the latitude of the location of this FortiGate to position it on the Threat Map.
- gui
Device StringLongitude - Add the longitude of the location of this FortiGate to position it on the Threat Map.
- gui
Display StringHostname - Enable/disable displaying the FortiGate's hostname on the GUI login page. Valid values:
enable
,disable
. - gui
Firmware StringUpgrade Setup Warning - Enable/disable the firmware upgrade warning on GUI setup wizard. Valid values:
enable
,disable
. - gui
Firmware StringUpgrade Warning - Enable/disable the firmware upgrade warning on the GUI. Valid values:
enable
,disable
. - gui
Forticare StringRegistration Setup Warning - Enable/disable the FortiCare registration setup warning on the GUI. Valid values:
enable
,disable
. - gui
Fortigate StringCloud Sandbox - Enable/disable displaying FortiGate Cloud Sandbox on the GUI. Valid values:
enable
,disable
. - gui
Fortiguard StringResource Fetch - Enable/disable retrieving static GUI resources from FortiGuard. Disabling it will improve GUI load time for air-gapped environments. Valid values:
enable
,disable
. - gui
Fortisandbox StringCloud - Enable/disable displaying FortiSandbox Cloud on the GUI. Valid values:
enable
,disable
. - gui
Ipv6 String - Enable/disable IPv6 settings on the GUI. Valid values:
enable
,disable
. - gui
Lines NumberPer Page - Number of lines to display per page for web administration.
- gui
Local StringOut - Enable/disable Local-out traffic on the GUI. Valid values:
enable
,disable
. - gui
Replacement StringMessage Groups - Enable/disable replacement message groups on the GUI. Valid values:
enable
,disable
. - gui
Rest StringApi Cache - Enable/disable REST API result caching on FortiGate. Valid values:
enable
,disable
. - gui
Theme String - Color scheme for the administration GUI.
- gui
Wireless StringOpensecurity - Enable/disable wireless open security option on the GUI. Valid values:
enable
,disable
. - gui
Workflow StringManagement - Enable/disable Workflow management features on the GUI. Valid values:
enable
,disable
. - ha
Affinity String - Affinity setting for HA daemons (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- honor
Df String - Enable/disable honoring of Don't-Fragment (DF) flag. Valid values:
enable
,disable
. - hostname String
- FortiGate unit's hostname. Most models will truncate names longer than 24 characters. Some models support hostnames up to 35 characters.
- igmp
State NumberLimit - Maximum number of IGMP memberships (96 - 64000, default = 3200).
- ike
Embryonic NumberLimit - Maximum number of IPsec tunnels to negotiate simultaneously.
- interface
Subnet StringUsage - Enable/disable allowing use of interface-subnet setting in firewall addresses (default = enable). Valid values:
disable
,enable
. - internet
Service StringDatabase - Configure which Internet Service database size to download from FortiGuard and use.
- internet
Service List<Property Map>Download Lists - Configure which on-demand Internet Service IDs are to be downloaded. The structure of
internet_service_download_list
block is documented below. - interval Number
- Dead gateway detection interval.
- ip
Fragment NumberMem Thresholds - Maximum memory (MB) used to reassemble IPv4/IPv6 fragments.
- ip
Src StringPort Range - IP source port range used for traffic originating from the FortiGate unit.
- ips
Affinity String - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine daemons).
- ipsec
Asic StringOffload - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic. Hardware acceleration can offload IPsec VPN sessions and accelerate encryption and decryption. Valid values:
enable
,disable
. - ipsec
Ha NumberSeqjump Rate - ESP jump ahead rate (1G - 10G pps equivalent).
- ipsec
Hmac StringOffload - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec VPN. Valid values:
enable
,disable
. - ipsec
Round StringRobin - Enable/disable round-robin redistribution to multiple CPUs for IPsec VPN traffic. Valid values:
enable
,disable
. - ipsec
Soft StringDec Async - Enable/disable software decryption asynchronization (using multiple CPUs to do decryption) for IPsec VPN traffic. Valid values:
enable
,disable
. - ipv6Accept
Dad Number - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
- ipv6Allow
Anycast StringProbe - Enable/disable IPv6 address probe through Anycast. Valid values:
enable
,disable
. - ipv6Allow
Local StringIn Slient Drop - Enable/disable silent drop of IPv6 local-in traffic. Valid values:
enable
,disable
. - ipv6Allow
Multicast StringProbe - Enable/disable IPv6 address probe through Multicast. Valid values:
enable
,disable
. - ipv6Allow
Traffic StringRedirect - Disable to prevent IPv6 traffic with same local ingress and egress interface from being forwarded without policy check. Valid values:
enable
,disable
. - irq
Time StringAccounting - Configure CPU IRQ time accounting mode. Valid values:
auto
,force
. - language String
- GUI display language. Valid values:
english
,french
,spanish
,portuguese
,japanese
,trach
,simch
,korean
. - ldapconntimeout Number
- Global timeout for connections with remote LDAP servers in milliseconds (1 - 300000, default 500).
- lldp
Reception String - Enable/disable Link Layer Discovery Protocol (LLDP) reception. Valid values:
enable
,disable
. - lldp
Transmission String - Enable/disable Link Layer Discovery Protocol (LLDP) transmission. Valid values:
enable
,disable
. - log
Single StringCpu High - Enable/disable logging the event of a single CPU core reaching CPU usage threshold. Valid values:
enable
,disable
. - log
Ssl StringConnection - Enable/disable logging of SSL connection events. Valid values:
enable
,disable
. - log
Uuid StringAddress - Enable/disable insertion of address UUIDs to traffic logs. Valid values:
enable
,disable
. - log
Uuid StringPolicy - Enable/disable insertion of policy UUIDs to traffic logs. Valid values:
enable
,disable
. - login
Timestamp String - Enable/disable login time recording. Valid values:
enable
,disable
. - long
Vdom StringName - Enable/disable long VDOM name support. Valid values:
enable
,disable
. - management
Ip String - Management IP address of this FortiGate. Used to log into this FortiGate from another FortiGate in the Security Fabric.
- management
Port Number - Overriding port for management connection (Overrides admin port).
- management
Port StringUse Admin Sport - Enable/disable use of the admin-sport setting for the management port. If disabled, FortiGate will allow user to specify management-port. Valid values:
enable
,disable
. - management
Vdom String - Management virtual domain name.
- max
Dlpstat NumberMemory - Maximum DLP stat memory (0 - 4294967295).
- max
Route NumberCache Size - Maximum number of IP route cache entries (0 - 2147483647).
- mc
Ttl StringNotchange - Enable/disable no modification of multicast TTL. Valid values:
enable
,disable
. - memory
Use NumberThreshold Extreme - Threshold at which memory usage is considered extreme (new sessions are dropped) (% of total RAM, default = 95).
- memory
Use NumberThreshold Green - Threshold at which memory usage forces the FortiGate to exit conserve mode (% of total RAM, default = 82).
- memory
Use NumberThreshold Red - Threshold at which memory usage forces the FortiGate to enter conserve mode (% of total RAM, default = 88).
- miglog
Affinity String - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
- miglogd
Children Number - Number of logging (miglogd) processes to be allowed to run. Higher number can reduce performance; lower number can slow log processing time. No logs will be dropped or lost if the number is changed.
- multi
Factor StringAuthentication - Enforce all login methods to require an additional authentication factor (default = optional). Valid values:
optional
,mandatory
. - multicast
Forward String - Enable/disable multicast forwarding. Valid values:
enable
,disable
. - ndp
Max NumberEntry - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel holds 65,536 entries).
- per
User StringBal - Enable/disable per-user block/allow list filter. Valid values:
enable
,disable
. - per
User StringBwl - Enable/disable per-user black/white list filter. Valid values:
enable
,disable
. - pmtu
Discovery String - Enable/disable path MTU discovery. Valid values:
enable
,disable
. - policy
Auth NumberConcurrent - Number of concurrent firewall user logins from the same user (1 - 100, default = 0 means no limit).
- String
- Enable/disable displaying the administrator access disclaimer message after an administrator successfully logs in. Valid values:
disable
,enable
. - String
- Enable/disable displaying the administrator access disclaimer message on the login page before an administrator logs in. Valid values:
enable
,disable
. - private
Data StringEncryption - Enable/disable private data encryption using an AES 128-bit key. Valid values:
disable
,enable
. - proxy
Auth StringLifetime - Enable/disable authenticated users lifetime control. This is a cap on the total time a proxy user can be authenticated for after which re-authentication will take place. Valid values:
enable
,disable
. - proxy
Auth NumberLifetime Timeout - Lifetime timeout in minutes for authenticated users (5 - 65535 min, default=480 (8 hours)).
- proxy
Auth NumberTimeout - Authentication timeout in minutes for authenticated users (1 - 300 min, default = 10).
- proxy
Cert StringUse Mgmt Vdom - Enable/disable using management VDOM to send requests. Valid values:
enable
,disable
. - proxy
Cipher StringHardware Acceleration - Enable/disable using content processor (CP8 or CP9) hardware acceleration to encrypt and decrypt IPsec and SSL traffic. Valid values:
disable
,enable
. - proxy
Hardware StringAcceleration - Enable/disable email proxy hardware acceleration. Valid values:
disable
,enable
. - proxy
Keep StringAlive Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was authenticated. Valid values:
session
,traffic
,re-authentication
. - proxy
Kxp StringHardware Acceleration - Enable/disable using the content processor to accelerate KXP traffic. Valid values:
disable
,enable
. - proxy
Re StringAuthentication Mode - Control if users must re-authenticate after a session is closed, traffic has been idle, or from the point at which the user was first created. Valid values:
session
,traffic
,absolute
. - proxy
Re NumberAuthentication Time - The time limit that users must re-authenticate if proxy-keep-alive-mode is set to re-authenticate (1 - 86400 sec, default=30s).
- proxy
Resource StringMode - Enable/disable use of the maximum memory usage on the FortiGate unit's proxy processing of resources, such as block lists, allow lists, and external resources. Valid values:
enable
,disable
. - proxy
Worker NumberCount - Proxy worker count.
- purdue
Level String - Purdue Level of this FortiGate. Valid values:
1
,1.5
,2
,2.5
,3
,3.5
,4
,5
,5.5
. - quic
Ack NumberThresold - Maximum number of unacknowledged packets before sending ACK (2 - 5, default = 3).
- quic
Congestion StringControl Algo - QUIC congestion control algorithm (default = cubic). Valid values:
cubic
,bbr
,bbr2
,reno
. - quic
Max NumberDatagram Size - Maximum transmit datagram size (1200 - 1500, default = 1500).
- quic
Pmtud String - Enable/disable path MTU discovery (default = enable). Valid values:
enable
,disable
. - quic
Tls NumberHandshake Timeout - Time-to-live (TTL) for TLS handshake in seconds (1 - 60, default = 5).
- quic
Udp StringPayload Size Shaping Per Cid - Enable/disable UDP payload size shaping per connection ID (default = enable). Valid values:
enable
,disable
. - radius
Port Number - RADIUS service port number.
- reboot
Upon StringConfig Restore - Enable/disable reboot of system upon restoring configuration. Valid values:
enable
,disable
. - refresh Number
- Statistics refresh interval in GUI.
- remoteauthtimeout Number
- Number of seconds that the FortiGate waits for responses from remote RADIUS, LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no timeout).
- reset
Sessionless StringTcp - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding session in its session table. NAT/Route mode only. Valid values:
enable
,disable
. - restart
Time String - Daily restart time (hh:mm).
- revision
Backup StringOn Logout - Enable/disable back-up of the latest configuration revision when an administrator logs out of the CLI or GUI. Valid values:
enable
,disable
. - revision
Image StringAuto Backup - Enable/disable back-up of the latest configuration revision after the firmware is upgraded. Valid values:
enable
,disable
. - scanunit
Count Number - Number of scanunits. The range and the default depend on the number of CPUs. Only available on FortiGate units with multiple CPUs.
- security
Rating StringResult Submission - Enable/disable the submission of Security Rating results to FortiGuard. Valid values:
enable
,disable
. - security
Rating StringRun On Schedule - Enable/disable scheduled runs of Security Rating. Valid values:
enable
,disable
. - send
Pmtu StringIcmp - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination unreachable packet and to support PMTUD protocol on your network to reduce fragmentation of packets. Valid values:
enable
,disable
. - sflowd
Max NumberChildren Num - Maximum number of sflowd child processes allowed to run.
- snat
Route StringChange - Enable/disable the ability to change the static NAT route. Valid values:
enable
,disable
. - special
File23Support String - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection. Valid values:
disable
,enable
. - speedtest
Server String - Enable/disable speed test server. Valid values:
enable
,disable
. - speedtestd
Ctrl NumberPort - Speedtest server controller port number.
- speedtestd
Server NumberPort - Speedtest server port number.
- split
Port String - Split port(s) to multiple 10Gbps ports.
- ssd
Trim NumberDate - Date within a month to run ssd trim.
- ssd
Trim StringFreq - How often to run SSD Trim (default = weekly). SSD Trim prevents SSD drive data loss by finding and isolating errors. Valid values:
never
,hourly
,daily
,weekly
,monthly
. - ssd
Trim NumberHour - Hour of the day on which to run SSD Trim (0 - 23, default = 1).
- ssd
Trim NumberMin - Minute of the hour on which to run SSD Trim (0 - 59, 60 for random).
- ssd
Trim StringWeekday - Day of week to run SSD Trim. Valid values:
sunday
,monday
,tuesday
,wednesday
,thursday
,friday
,saturday
. - ssh
Cbc StringCipher - Enable/disable CBC cipher for SSH access. Valid values:
enable
,disable
. - ssh
Enc StringAlgo - Select one or more SSH ciphers. Valid values:
chacha20-poly1305@openssh.com
,aes128-ctr
,aes192-ctr
,aes256-ctr
,arcfour256
,arcfour128
,aes128-cbc
,3des-cbc
,blowfish-cbc
,cast128-cbc
,aes192-cbc
,aes256-cbc
,arcfour
,rijndael-cbc@lysator.liu.se
,aes128-gcm@openssh.com
,aes256-gcm@openssh.com
. - ssh
Hmac StringMd5 - Enable/disable HMAC-MD5 for SSH access. Valid values:
enable
,disable
. - ssh
Hostkey String - Config SSH host key.
- ssh
Hostkey StringAlgo - Select one or more SSH hostkey algorithms.
- ssh
Hostkey StringOverride - Enable/disable SSH host key override in SSH daemon. Valid values:
disable
,enable
. - ssh
Hostkey StringPassword - Password for ssh-hostkey.
- ssh
Kex StringAlgo - Select one or more SSH kex algorithms.
- ssh
Kex StringSha1 - Enable/disable SHA1 key exchange for SSH access. Valid values:
enable
,disable
. - ssh
Mac StringAlgo - Select one or more SSH MAC algorithms. Valid values:
hmac-md5
,hmac-md5-etm@openssh.com
,hmac-md5-96
,hmac-md5-96-etm@openssh.com
,hmac-sha1
,hmac-sha1-etm@openssh.com
,hmac-sha2-256
,hmac-sha2-256-etm@openssh.com
,hmac-sha2-512
,hmac-sha2-512-etm@openssh.com
,hmac-ripemd160
,hmac-ripemd160@openssh.com
,hmac-ripemd160-etm@openssh.com
,umac-64@openssh.com
,umac-128@openssh.com
,umac-64-etm@openssh.com
,umac-128-etm@openssh.com
. - ssh
Mac StringWeak - Enable/disable HMAC-SHA1 and UMAC-64-ETM for SSH access. Valid values:
enable
,disable
. - ssl
Min StringProto Version - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
- ssl
Static StringKey Ciphers - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). Valid values:
enable
,disable
. - sslvpn
Cipher StringHardware Acceleration - Enable/disable SSL VPN hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN connection. Valid values:
enable
,disable
. - sslvpn
Kxp StringHardware Acceleration - Enable/disable SSL VPN KXP hardware acceleration. Valid values:
enable
,disable
. - sslvpn
Max NumberWorker Count - Maximum number of SSL VPN processes. Upper limit for this value is the number of CPUs and depends on the model.
- sslvpn
Plugin StringVersion Check - Enable/disable checking browser's plugin version by SSL VPN. Valid values:
enable
,disable
. - sslvpn
Web StringMode - Enable/disable SSL-VPN web mode. Valid values:
enable
,disable
. - strict
Dirty StringSession Check - Enable to check the session against the original policy when revalidating. This can prevent dropping of redirected sessions when web-filtering and authentication are enabled together. If this option is enabled, the FortiGate unit deletes a session if a routing or policy change causes the session to no longer match the policy that originally allowed the session. Valid values:
enable
,disable
. - strong
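Crypto String - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH/TLS/SSL functions. 3DES and SHA1 are deprecated by current cryptographic guidance, so also review the SSH cipher, MAC and key-exchange algorithm settings and the minimum SSL/TLS protocol version setting rather than relying on this option alone. Valid values: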
enable
,disable
. - switch
Controller String - Enable/disable switch controller feature. Switch controller allows you to manage FortiSwitch from the FortiGate itself. Valid values:
disable
,enable
. - switch
Controller StringReserved Network - Enable reserved network subnet for controlled switches. This is available when the switch controller is enabled.
- sys
Perf NumberLog Interval - Time in minutes between updates of performance statistics logging. (1 - 15 min, default = 5, 0 = disabled).
- syslog
Affinity String - Affinity setting for syslog (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- tcp
Halfclose NumberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1 day), default = 120).
- tcp
Halfopen NumberTimer - Number of seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded (1 - 86400 sec (1 day), default = 10).
- tcp
Option String - Enable SACK, timestamp and MSS TCP options. Valid values:
enable
,disable
. - tcp
Rst NumberTimer - Length of the TCP CLOSE state in seconds (5 - 300 sec, default = 5).
- tcp
Timewait NumberTimer - Length of the TCP TIME-WAIT state in seconds.
- tftp String
- Enable/disable TFTP. Valid values:
enable
,disable
. - timezone String
- Number corresponding to your time zone from 00 to 86. Enter set timezone ? to view the list of time zones and the numbers that represent them.
- tp
Mc StringSkip Policy - Enable/disable skip policy check and allow multicast through. Valid values:
enable
,disable
. - traffic
Priority String - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for traffic prioritization in traffic shaping. Valid values:
tos
,dscp
. - traffic
Priority StringLevel - Default system-wide level of priority for traffic prioritization. Valid values:
low
,medium
,high
. - two
Factor NumberEmail Expiry - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes), default = 60).
- two
Factor NumberFac Expiry - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1 hour), default = 60).
- two
Factor NumberFtk Expiry - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default = 60).
- two
Factor NumberFtm Expiry - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
- two
Factor NumberSms Expiry - SMS-based two-factor authentication session timeout (30 - 300 sec, default = 60).
- udp
Idle NumberTimer - UDP connection session timeout. This command can be useful in managing CPU and memory resources (1 - 86400 seconds (1 day), default = 60).
- url
Filter StringAffinity - URL filter CPU affinity.
- url
Filter NumberCount - URL filter daemon count.
- user
Device NumberStore Max Devices - Maximum number of devices allowed in user device store.
- user
Device NumberStore Max Unified Mem - Maximum unified memory allowed in user device store.
- user
Device NumberStore Max Users - Maximum number of users allowed in user device store.
- user
Server StringCert - Certificate to use for https user authentication.
- vdom
Admin String - Enable/disable support for multiple virtual domains (VDOMs). Valid values:
enable
,disable
. - vdom
Mode String - Enable/disable support for split/multiple virtual domains (VDOMs). Valid values:
no-vdom
,split-vdom
,multi-vdom
. - vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- vip
Arp StringRange - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP) address range. Valid values:
unlimited
,restricted
. - virtual
Server NumberCount - Maximum number of virtual server processes to create. The maximum is the number of CPU cores. This is not available on single-core CPUs.
- virtual
Server StringHardware Acceleration - Enable/disable virtual server hardware acceleration. Valid values:
disable
,enable
. - virtual
Switch StringVlan - Enable/disable virtual switch VLAN. Valid values:
enable
,disable
. - vpn
Ems StringSn Check - Enable/disable verification of EMS serial number in SSL-VPN and IPsec VPN connection. Valid values:
enable
,disable
. - wad
Affinity String - Affinity setting for wad (hexadecimal value up to 256 bits in the format of xxxxxxxxxxxxxxxx).
- wad
Csvc NumberCs Count - Number of concurrent WAD-cache-service object-cache processes.
- wad
Csvc NumberDb Count - Number of concurrent WAD-cache-service byte-cache processes.
- wad
Memory NumberChange Granularity - Minimum percentage change in system memory usage detected by the wad daemon prior to adjusting TCP window size for any active connection.
- wad
Restart StringEnd Time - WAD workers daily restart end time (hh:mm).
- wad
Restart StringMode - WAD worker restart mode (default = none). Valid values:
none
,time
,memory
. - wad
Restart StringStart Time - WAD workers daily restart time (hh:mm).
- wad
Source StringAffinity - Enable/disable dispatching traffic to WAD workers based on source affinity. Valid values:
disable
,enable
. - wad
Worker NumberCount - Number of explicit proxy WAN optimization daemon (WAD) processes. By default WAN optimization, explicit proxy, and web caching is handled by all of the CPU cores in a FortiGate unit.
- wifi
Ca StringCertificate - CA certificate that verifies the WiFi certificate.
- wifi
Certificate String - Certificate to use for WiFi authentication.
- wimax4g
Usb String - Enable/disable compatibility with WiMAX 4G USB devices. Valid values:
enable
,disable
. - wireless
Controller String - Enable/disable the wireless controller feature to use the FortiGate unit to manage FortiAPs. Valid values:
enable
,disable
. - wireless
Controller NumberPort - Port used for the control channel in wireless controller mode (wireless-mode is ac). The data channel port is the control channel port number plus one (1024 - 49150, default = 5246).
Supporting Types
GlobalInternetServiceDownloadList, GlobalInternetServiceDownloadListArgs
- Id int
- Internet Service ID.
- Id int
- Internet Service ID.
- id Integer
- Internet Service ID.
- id number
- Internet Service ID.
- id int
- Internet Service ID.
- id Number
- Internet Service ID.
Import
System Global can be imported using any of these accepted formats:
$ pulumi import fortios:system/global:Global labelname SystemGlobal
If you do not want to import arguments of block:
$ export "FORTIOS_IMPORT_TABLE"="false"
$ pulumi import fortios:system/global:Global labelname SystemGlobal
$ unset "FORTIOS_IMPORT_TABLE"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- fortios pulumiverse/pulumi-fortios
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
fortios
Terraform Provider.