ansible.builtin.fortios_system_global (v2.8.20) — module

Configure global attributes in Fortinet's FortiOS and FortiGate.

Added in version 2.8 of ansible.builtin.

Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)

preview | supported by community

Install Ansible via pip

Install with pip install ansible==2.8.20

Description

This module configures a FortiGate or FortiOS device by allowing the user to set and modify the global category of the system feature. The examples include all parameters, and their values need to be adjusted to your data sources before use. Tested with FOS v6.0.2.


Requirements

Usage examples

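# Example playbook for fortios_system_global. It lists every system_global
# option with a placeholder value and is not a recommended baseline: trim it
# to the options you actually manage and review each value before running it
# against a device.
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    # Placeholder only. Supply the real password from Ansible Vault or another
    # secret store instead of committing it with the playbook.
    password: ""
    vdom: "root"
  tasks:
  - name: Configure global attributes.
    fortios_system_global:
      host: "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom: "{{ vdom }}"
      # Keep HTTPS on (the module default) so that the requests to the device
      # are not sent over plain HTTP.
      https: true
      system_global:
        admin-concurrent: "enable"
        admin-console-timeout: "4"
        admin-https-pki-required: "enable"
        # Restrict web administration to TLS 1.2; TLS 1.0 and 1.1 are
        # deprecated protocol versions.
        admin-https-ssl-versions: "tlsv1-2"
        admin-lockout-duration: "7"
        admin-lockout-threshold: "8"
        admin-login-max: "9"
        # NOTE(review): enables the console "maintainer" login, whose password
        # is derived from the unit serial number (see the option description).
        # Confirm this is wanted where console access is not tightly controlled.
        admin-maintainer: "enable"
        admin-port: "11"
        admin-restrict-local: "enable"
        admin-scp: "enable"
        admin-server-cert: "<your_own_value> (source certificate.local.name)"
        admin-sport: "15"
        admin-ssh-grace-time: "16"
        admin-ssh-password: "enable"
        admin-ssh-port: "18"
        # SSH protocol version 1 is obsolete; keep v1 compatibility off.
        admin-ssh-v1: "disable"
        admin-telnet-port: "20"
        admintimeout: "21"
        alias: "<your_own_value>"
        allow-traffic-redirect: "enable"
        # NOTE(review): "disable" turns off packet replay and TCP sequence
        # checking; "loose" and "strict" are the checking levels.
        anti-replay: "disable"
        arp-max-entry: "25"
        asymroute: "enable"
        auth-cert: "<your_own_value> (source certificate.local.name)"
        auth-http-port: "28"
        auth-https-port: "29"
        auth-keepalive: "enable"
        auth-session-limit: "block-new"
        auto-auth-extension-device: "enable"
        av-affinity: "<your_own_value>"
        av-failopen: "pass"
        av-failopen-session: "enable"
        batch-cmdb: "enable"
        block-session-timer: "37"
        br-fdb-max-entry: "38"
        cert-chain-max: "39"
        cfg-revert-timeout: "40"
        cfg-save: "automatic"
        check-protocol-header: "loose"
        check-reset-range: "strict"
        cli-audit-log: "enable"
        clt-cert-req: "enable"
        compliance-check: "enable"
        compliance-check-time: "<your_own_value>"
        cpu-use-threshold: "48"
        csr-ca-attribute: "enable"
        daily-restart: "enable"
        device-identification-active-scan-delay: "51"
        device-idle-timeout: "52"
        # 1024-bit Diffie-Hellman parameters are considered weak; 2048 is the
        # smallest listed choice that avoids them.
        dh-params: "2048"
        dst: "enable"
        endpoint-control-fds-access: "enable"
        endpoint-control-portal-port: "56"
        failtime: "57"
        fds-statistics: "enable"
        fds-statistics-period: "59"
        fgd-alert-subscription: "advisory"
        fortiextender: "enable"
        fortiextender-data-port: "62"
        fortiextender-vlan-mode: "enable"
        fortiservice-port: "64"
        gui-certificates: "enable"
        gui-custom-language: "enable"
        gui-date-format: "yyyy/MM/dd"
        gui-device-latitude: "<your_own_value>"
        gui-device-longitude: "<your_own_value>"
        gui-display-hostname: "enable"
        gui-ipv6: "enable"
        gui-lines-per-page: "72"
        gui-theme: "green"
        gui-wireless-opensecurity: "enable"
        honor-df: "enable"
        hostname: "myhostname"
        igmp-state-limit: "77"
        interval: "78"
        ip-src-port-range: "<your_own_value>"
        ips-affinity: "<your_own_value>"
        ipsec-asic-offload: "enable"
        ipsec-hmac-offload: "enable"
        ipsec-soft-dec-async: "enable"
        ipv6-accept-dad: "84"
        ipv6-allow-anycast-probe: "enable"
        language: "english"
        ldapconntimeout: "87"
        lldp-transmission: "enable"
        log-ssl-connection: "enable"
        log-uuid: "disable"
        login-timestamp: "enable"
        long-vdom-name: "enable"
        management-vdom: "<your_own_value> (source system.vdom.name)"
        max-dlpstat-memory: "94"
        max-route-cache-size: "95"
        mc-ttl-notchange: "enable"
        memory-use-threshold-extreme: "97"
        memory-use-threshold-green: "98"
        memory-use-threshold-red: "99"
        miglog-affinity: "<your_own_value>"
        miglogd-children: "101"
        multi-factor-authentication: "optional"
        multicast-forward: "enable"
        ndp-max-entry: "104"
        per-user-bwl: "enable"
        policy-auth-concurrent: "106"
        post-login-banner: "disable"
        pre-login-banner: "enable"
        private-data-encryption: "disable"
        proxy-auth-lifetime: "enable"
        proxy-auth-lifetime-timeout: "111"
        proxy-auth-timeout: "112"
        proxy-cipher-hardware-acceleration: "disable"
        proxy-kxp-hardware-acceleration: "disable"
        proxy-re-authentication-mode: "session"
        proxy-worker-count: "116"
        radius-port: "117"
        reboot-upon-config-restore: "enable"
        refresh: "119"
        remoteauthtimeout: "120"
        reset-sessionless-tcp: "enable"
        restart-time: "<your_own_value>"
        revision-backup-on-logout: "enable"
        revision-image-auto-backup: "enable"
        scanunit-count: "125"
        security-rating-result-submission: "enable"
        security-rating-run-on-schedule: "enable"
        send-pmtu-icmp: "enable"
        snat-route-change: "enable"
        special-file-23-support: "disable"
        # Legacy SSH algorithms (CBC ciphers, HMAC-MD5, SHA1 key exchange) are
        # left off for admin SSH access.
        ssh-cbc-cipher: "disable"
        ssh-hmac-md5: "disable"
        ssh-kex-sha1: "disable"
        # TLSv1-2 is the documented default; SSLv3 and TLS 1.0/1.1 are
        # deprecated protocol versions.
        ssl-min-proto-version: "TLSv1-2"
        # Static key cipher suites provide no forward secrecy.
        ssl-static-key-ciphers: "disable"
        sslvpn-cipher-hardware-acceleration: "enable"
        sslvpn-kxp-hardware-acceleration: "enable"
        sslvpn-max-worker-count: "138"
        sslvpn-plugin-version-check: "enable"
        strict-dirty-session-check: "enable"
        strong-crypto: "enable"
        switch-controller: "disable"
        switch-controller-reserved-network: "<your_own_value>"
        sys-perf-log-interval: "144"
        tcp-halfclose-timer: "145"
        tcp-halfopen-timer: "146"
        tcp-option: "enable"
        tcp-timewait-timer: "148"
        # NOTE(review): TFTP has no authentication or encryption; confirm it
        # is needed before enabling it.
        tftp: "enable"
        timezone: "01"
        tp-mc-skip-policy: "enable"
        traffic-priority: "tos"
        traffic-priority-level: "low"
        two-factor-email-expiry: "154"
        two-factor-fac-expiry: "155"
        two-factor-ftk-expiry: "156"
        two-factor-ftm-expiry: "157"
        two-factor-sms-expiry: "158"
        udp-idle-timer: "159"
        user-server-cert: "<your_own_value> (source certificate.local.name)"
        vdom-admin: "enable"
        vip-arp-range: "unlimited"
        virtual-server-count: "163"
        virtual-server-hardware-acceleration: "disable"
        wad-affinity: "<your_own_value>"
        wad-csvc-cs-count: "166"
        wad-csvc-db-count: "167"
        wad-source-affinity: "disable"
        wad-worker-count: "169"
        wifi-ca-certificate: "<your_own_value> (source certificate.ca.name)"
        wifi-certificate: "<your_own_value> (source certificate.local.name)"
        wimax-4g-usb: "enable"
        wireless-controller: "enable"
        wireless-controller-port: "174"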

Inputs

    
host:
    description:
    - FortiOS or FortiGate ip address.
    required: true

vdom:
    default: root
    description:
    - Virtual domain, among those defined previously. A vdom is a virtual instance of
      the FortiGate that can be configured and used as a different unit.

https:
    default: true
    description:
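    - Indicates if the requests towards FortiGate must use HTTPS protocol. When set
      to false, requests to the device, including the login, are sent over plain
      HTTP without transport encryption.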
    type: bool

password:
    default: ''
    description:
    - FortiOS or FortiGate password.

username:
    description:
    - FortiOS or FortiGate username.
    required: true

system_global:
    default: null
    description:
    - Configure global attributes.
    suboptions:
      admin-concurrent:
        choices:
        - enable
        - disable
        description:
        - Enable/disable concurrent administrator logins. (Use policy-auth-concurrent
          for firewall authenticated users.)
      admin-console-timeout:
        description:
        - Console login timeout that overrides the admintimeout value. (15 - 300 seconds)
          (15 seconds to 5 minutes). 0 the default, disables this timeout.
      admin-https-pki-required:
        choices:
        - enable
        - disable
        description:
        - Enable/disable admin login method. Enable to force administrators to provide
          a valid certificate to log in if PKI is enabled. Disable to allow administrators
          to log in with a certificate or password.
      admin-https-ssl-versions:
        choices:
        - tlsv1-0
        - tlsv1-1
        - tlsv1-2
        description:
        - Allowed TLS versions for web administration.
      admin-lockout-duration:
        description:
        - Amount of time in seconds that an administrator account is locked out after
          reaching the admin-lockout-threshold for repeated failed login attempts.
      admin-lockout-threshold:
        description:
        - Number of failed login attempts before an administrator account is locked out
          for the admin-lockout-duration.
      admin-login-max:
        description:
        - Maximum number of administrators who can be logged in at the same time (1 -
          100, default = 100)
      admin-maintainer:
        choices:
        - enable
        - disable
        description:
        - Enable/disable maintainer administrator login. When enabled, the maintainer
          account can be used to log in from the console after a hard reboot. The password
          is "bcpb" followed by the FortiGate unit serial number. You have limited time
          to complete this login.
      admin-port:
        description:
        - Administrative access port for HTTP. (1 - 65535, default = 80).
      admin-restrict-local:
        choices:
        - enable
        - disable
        description:
        - Enable/disable local admin authentication restriction when remote authenticator
          is up and running. (default = disable)
      admin-scp:
        choices:
        - enable
        - disable
        description:
        - Enable/disable using SCP to download the system configuration. You can use SCP
          as an alternative method for backing up the configuration.
      admin-server-cert:
        description:
        - Server certificate that the FortiGate uses for HTTPS administrative connections.
          Source certificate.local.name.
      admin-sport:
        description:
        - Administrative access port for HTTPS. (1 - 65535, default = 443).
      admin-ssh-grace-time:
        description:
        - Maximum time in seconds permitted between making an SSH connection to the FortiGate
          unit and authenticating (10 - 3600 sec (1 hour), default 120).
      admin-ssh-password:
        choices:
        - enable
        - disable
        description:
        - Enable/disable password authentication for SSH admin access.
      admin-ssh-port:
        description:
        - Administrative access port for SSH. (1 - 65535, default = 22).
      admin-ssh-v1:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSH v1 compatibility.
      admin-telnet-port:
        description:
        - Administrative access port for TELNET. (1 - 65535, default = 23).
      admintimeout:
        description:
        - Number of minutes before an idle administrator session times out (5 - 480 minutes
          (8 hours), default = 5). A shorter idle timeout is more secure.
      alias:
        description:
        - Alias for your FortiGate unit.
      allow-traffic-redirect:
        choices:
        - enable
        - disable
        description:
        - Disable to allow traffic to be routed back on a different interface.
      anti-replay:
        choices:
        - disable
        - loose
        - strict
        description:
        - Level of checking for packet replay and TCP sequence checking.
      arp-max-entry:
        description:
        - Maximum number of dynamically learned MAC addresses that can be added to the
          ARP table (131072 - 2147483647, default = 131072).
      asymroute:
        choices:
        - enable
        - disable
        description:
        - Enable/disable asymmetric route.
      auth-cert:
        description:
        - Server certificate that the FortiGate uses for HTTPS firewall authentication
          connections. Source certificate.local.name.
      auth-http-port:
        description:
        - User authentication HTTP port. (1 - 65535, default = 80).
      auth-https-port:
        description:
        - User authentication HTTPS port. (1 - 65535, default = 443).
      auth-keepalive:
        choices:
        - enable
        - disable
        description:
        - Enable to prevent user authentication sessions from timing out when idle.
      auth-session-limit:
        choices:
        - block-new
        - logout-inactive
        description:
        - Action to take when the number of allowed user authenticated sessions is reached.
      auto-auth-extension-device:
        choices:
        - enable
        - disable
        description:
        - Enable/disable automatic authorization of dedicated Fortinet extension devices.
      av-affinity:
        description:
        - Affinity setting for AV scanning (hexadecimal value up to 256 bits in the format
          of xxxxxxxxxxxxxxxx).
      av-failopen:
        choices:
        - pass
        - 'off'
        - one-shot
        description:
        - Set the action to take if the FortiGate is running low on memory or the proxy
          connection limit has been reached.
      av-failopen-session:
        choices:
        - enable
        - disable
        description:
        - When enabled and a proxy for a protocol runs out of room in its session table,
          that protocol goes into failopen mode and enacts the action specified by av-failopen.
      batch-cmdb:
        choices:
        - enable
        - disable
        description:
        - Enable/disable batch mode, allowing you to enter a series of CLI commands that
          will execute as a group once they are loaded.
      block-session-timer:
        description:
        - Duration in seconds for blocked sessions (1 - 300 sec  (5 minutes), default
          = 30).
      br-fdb-max-entry:
        description:
        - Maximum number of bridge forwarding database (FDB) entries.
      cert-chain-max:
        description:
        - Maximum number of certificates that can be traversed in a certificate chain.
      cfg-revert-timeout:
        description:
        - Time-out for reverting to the last saved configuration.
      cfg-save:
        choices:
        - automatic
        - manual
        - revert
        description:
        - Configuration file save mode for CLI changes.
      check-protocol-header:
        choices:
        - loose
        - strict
        description:
        - Level of checking performed on protocol headers. Strict checking is more thorough
          but may affect performance. Loose checking is ok in most cases.
      check-reset-range:
        choices:
        - strict
        - disable
        description:
        - Configure ICMP error message verification. You can either apply strict RST range
          checking or disable it.
      cli-audit-log:
        choices:
        - enable
        - disable
        description:
        - Enable/disable CLI audit log.
      clt-cert-req:
        choices:
        - enable
        - disable
        description:
        - Enable/disable requiring administrators to have a client certificate to log
          into the GUI using HTTPS.
      compliance-check:
        choices:
        - enable
        - disable
        description:
        - Enable/disable global PCI DSS compliance check.
      compliance-check-time:
        description:
        - Time of day to run scheduled PCI DSS compliance checks.
      cpu-use-threshold:
        description:
        - Threshold at which CPU usage is reported. (% of total CPU, default = 90).
      csr-ca-attribute:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the CA attribute in certificates. Some CA servers reject CSRs
          that have the CA attribute.
      daily-restart:
        choices:
        - enable
        - disable
        description:
        - Enable/disable daily restart of FortiGate unit. Use the restart-time option
          to set the time of day for the restart.
      device-identification-active-scan-delay:
        description:
        - Number of seconds to passively scan a device before performing an active scan.
          (20 - 3600 sec, (20 sec to 1 hour), default = 90).
      device-idle-timeout:
        description:
        - Time in seconds that a device must be idle to automatically log the device user
          out. (30 - 31536000 sec (30 sec to 1 year), default = 300).
      dh-params:
        choices:
        - 1024
        - 1536
        - 2048
        - 3072
        - 4096
        - 6144
        - 8192
        description:
        - Number of bits to use in the Diffie-Hellman exchange for HTTPS/SSH protocols.
      dst:
        choices:
        - enable
        - disable
        description:
        - Enable/disable daylight saving time.
      endpoint-control-fds-access:
        choices:
        - enable
        - disable
        description:
        - Enable/disable access to the FortiGuard network for non-compliant endpoints.
      endpoint-control-portal-port:
        description:
        - Endpoint control portal port (1 - 65535).
      failtime:
        description:
        - Fail-time for server lost.
      fds-statistics:
        choices:
        - enable
        - disable
        description:
        - Enable/disable sending IPS, Application Control, and AntiVirus data to FortiGuard.
          This data is used to improve FortiGuard services and is not shared with external
          parties and is protected by Fortinet's privacy policy.
      fds-statistics-period:
        description:
        - FortiGuard statistics collection period in minutes. (1 - 1440 min (1 min to
          24 hours), default = 60).
      fgd-alert-subscription:
        choices:
        - advisory
        - latest-threat
        - latest-virus
        - latest-attack
        - new-antivirus-db
        - new-attack-db
        description:
        - Type of alert to retrieve from FortiGuard.
      fortiextender:
        choices:
        - enable
        - disable
        description:
        - Enable/disable FortiExtender.
      fortiextender-data-port:
        description:
        - FortiExtender data port (1024 - 49150, default = 25246).
      fortiextender-vlan-mode:
        choices:
        - enable
        - disable
        description:
        - Enable/disable FortiExtender VLAN mode.
      fortiservice-port:
        description:
        - FortiService port (1 - 65535, default = 8013). Used by FortiClient endpoint
          compliance. Older versions of FortiClient used a different port.
      gui-certificates:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the System > Certificate GUI page, allowing you to add and configure
          certificates from the GUI.
      gui-custom-language:
        choices:
        - enable
        - disable
        description:
        - Enable/disable custom languages in GUI.
      gui-date-format:
        choices:
        - yyyy/MM/dd
        - dd/MM/yyyy
        - MM/dd/yyyy
        - yyyy-MM-dd
        - dd-MM-yyyy
        - MM-dd-yyyy
        description:
        - Default date format used throughout GUI.
      gui-device-latitude:
        description:
        - Add the latitude of the location of this FortiGate to position it on the Threat
          Map.
      gui-device-longitude:
        description:
        - Add the longitude of the location of this FortiGate to position it on the Threat
          Map.
      gui-display-hostname:
        choices:
        - enable
        - disable
        description:
        - Enable/disable displaying the FortiGate's hostname on the GUI login page.
      gui-ipv6:
        choices:
        - enable
        - disable
        description:
        - Enable/disable IPv6 settings on the GUI.
      gui-lines-per-page:
        description:
        - Number of lines to display per page for web administration.
      gui-theme:
        choices:
        - green
        - red
        - blue
        - melongene
        - mariner
        description:
        - Color scheme for the administration GUI.
      gui-wireless-opensecurity:
        choices:
        - enable
        - disable
        description:
        - Enable/disable wireless open security option on the GUI.
      honor-df:
        choices:
        - enable
        - disable
        description:
        - Enable/disable honoring of Don't-Fragment (DF) flag.
      hostname:
        description:
        - FortiGate unit's hostname. Most models will truncate names longer than 24 characters.
          Some models support hostnames up to 35 characters.
      igmp-state-limit:
        description:
        - Maximum number of IGMP memberships (96 - 64000, default = 3200).
      interval:
        description:
        - Dead gateway detection interval.
      ip-src-port-range:
        description:
        - IP source port range used for traffic originating from the FortiGate unit.
      ips-affinity:
        description:
        - Affinity setting for IPS (hexadecimal value up to 256 bits in the format of
          xxxxxxxxxxxxxxxx; allowed CPUs must be less than total number of IPS engine
          daemons).
      ipsec-asic-offload:
        choices:
        - enable
        - disable
        description:
        - Enable/disable ASIC offloading (hardware acceleration) for IPsec VPN traffic.
          Hardware acceleration can offload IPsec VPN sessions and accelerate encryption
          and decryption.
      ipsec-hmac-offload:
        choices:
        - enable
        - disable
        description:
        - Enable/disable offloading (hardware acceleration) of HMAC processing for IPsec
          VPN.
      ipsec-soft-dec-async:
        choices:
        - enable
        - disable
        description:
        - Enable/disable software decryption asynchronization (using multiple CPUs to
          do decryption) for IPsec VPN traffic.
      ipv6-accept-dad:
        description:
        - Enable/disable acceptance of IPv6 Duplicate Address Detection (DAD).
      ipv6-allow-anycast-probe:
        choices:
        - enable
        - disable
        description:
        - Enable/disable IPv6 address probe through Anycast.
      language:
        choices:
        - english
        - french
        - spanish
        - portuguese
        - japanese
        - trach
        - simch
        - korean
        description:
        - GUI display language.
      ldapconntimeout:
        description:
        - Global timeout for connections with remote LDAP servers in milliseconds (0 -
          4294967295, default 500).
      lldp-transmission:
        choices:
        - enable
        - disable
        description:
        - Enable/disable Link Layer Discovery Protocol (LLDP) transmission.
      log-ssl-connection:
        choices:
        - enable
        - disable
        description:
        - Enable/disable logging of SSL connection events.
      log-uuid:
        choices:
        - disable
        - policy-only
        - extended
        description:
        - Whether UUIDs are added to traffic logs. You can disable UUIDs, add firewall
          policy UUIDs to traffic logs, or add all UUIDs to traffic logs.
      login-timestamp:
        choices:
        - enable
        - disable
        description:
        - Enable/disable login time recording.
      long-vdom-name:
        choices:
        - enable
        - disable
        description:
        - Enable/disable long VDOM name support.
      management-vdom:
        description:
        - Management virtual domain name. Source system.vdom.name.
      max-dlpstat-memory:
        description:
        - Maximum DLP stat memory (0 - 4294967295).
      max-route-cache-size:
        description:
        - Maximum number of IP route cache entries (0 - 2147483647).
      mc-ttl-notchange:
        choices:
        - enable
        - disable
        description:
        - Enable/disable no modification of multicast TTL.
      memory-use-threshold-extreme:
        description:
        - Threshold at which memory usage is considered extreme (new sessions are dropped)
          (% of total RAM, default = 95).
      memory-use-threshold-green:
        description:
        - Threshold at which memory usage forces the FortiGate to exit conserve mode (%
          of total RAM, default = 82).
      memory-use-threshold-red:
        description:
        - Threshold at which memory usage forces the FortiGate to enter conserve mode
          (% of total RAM, default = 88).
      miglog-affinity:
        description:
        - Affinity setting for logging (64-bit hexadecimal value in the format of xxxxxxxxxxxxxxxx).
      miglogd-children:
        description:
        - Number of logging (miglogd) processes to be allowed to run. Higher number can
          reduce performance; lower number can slow log processing time. No logs will
          be dropped or lost if the number is changed.
      multi-factor-authentication:
        choices:
        - optional
        - mandatory
        description:
        - Enforce all login methods to require an additional authentication factor (default
          = optional).
      multicast-forward:
        choices:
        - enable
        - disable
        description:
        - Enable/disable multicast forwarding.
      ndp-max-entry:
        description:
        - Maximum number of NDP table entries (set to 65,536 or higher; if set to 0, kernel
          holds 65,536 entries).
      per-user-bwl:
        choices:
        - enable
        - disable
        description:
        - Enable/disable per-user black/white list filter.
      policy-auth-concurrent:
        description:
        - Number of concurrent firewall user logins from the same user (1 - 100, default
          = 0 means no limit).
      post-login-banner:
        choices:
        - disable
        - enable
        description:
        - Enable/disable displaying the administrator access disclaimer message after
          an administrator successfully logs in.
      pre-login-banner:
        choices:
        - enable
        - disable
        description:
        - Enable/disable displaying the administrator access disclaimer message on the
          login page before an administrator logs in.
      private-data-encryption:
        choices:
        - disable
        - enable
        description:
        - Enable/disable private data encryption using an AES 128-bit key.
      proxy-auth-lifetime:
        choices:
        - enable
        - disable
        description:
        - Enable/disable authenticated users lifetime control.  This is a cap on the total
          time a proxy user can be authenticated for after which re-authentication will
          take place.
      proxy-auth-lifetime-timeout:
        description:
        - Lifetime timeout in minutes for authenticated users (5  - 65535 min, default=480
          (8 hours)).
      proxy-auth-timeout:
        description:
        - Authentication timeout in minutes for authenticated users (1 - 3600 sec, default
          = 300).
      proxy-cipher-hardware-acceleration:
        choices:
        - disable
        - enable
        description:
        - Enable/disable using content processor (CP8 or CP9) hardware acceleration to
          encrypt and decrypt IPsec and SSL traffic.
      proxy-kxp-hardware-acceleration:
        choices:
        - disable
        - enable
        description:
        - Enable/disable using the content processor to accelerate KXP traffic.
      proxy-re-authentication-mode:
        choices:
        - session
        - traffic
        - absolute
        description:
        - Control if users must re-authenticate after a session is closed, traffic has
          been idle, or from the point at which the user was first created.
      proxy-worker-count:
        description:
        - Proxy worker count.
      radius-port:
        description:
        - RADIUS service port number.
      reboot-upon-config-restore:
        choices:
        - enable
        - disable
        description:
        - Enable/disable reboot of system upon restoring configuration.
      refresh:
        description:
        - Statistics refresh interval in GUI.
      remoteauthtimeout:
        description:
        - Number of seconds that the FortiGate waits for responses from remote RADIUS,
          LDAP, or TACACS+ authentication servers. (0-300 sec, default = 5, 0 means no
          timeout).
      reset-sessionless-tcp:
        choices:
        - enable
        - disable
        description:
        - Action to perform if the FortiGate receives a TCP packet but cannot find a corresponding
          session in its session table. NAT/Route mode only.
      restart-time:
        description:
        - Daily restart time (hh:mm).
      revision-backup-on-logout:
        choices:
        - enable
        - disable
        description:
        - Enable/disable back-up of the latest configuration revision when an administrator
          logs out of the CLI or GUI.
      revision-image-auto-backup:
        choices:
        - enable
        - disable
        description:
        - Enable/disable back-up of the latest configuration revision after the firmware
          is upgraded.
      scanunit-count:
        description:
        - Number of scanunits. The range and the default depend on the number of CPUs.
          Only available on FortiGate units with multiple CPUs.
      security-rating-result-submission:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the submission of Security Rating results to FortiGuard.
      security-rating-run-on-schedule:
        choices:
        - enable
        - disable
        description:
        - Enable/disable scheduled runs of Security Rating.
      send-pmtu-icmp:
        choices:
        - enable
        - disable
        description:
        - Enable/disable sending of path maximum transmission unit (PMTU) - ICMP destination
          unreachable packet and to support PMTUD protocol on your network to reduce fragmentation
          of packets.
      snat-route-change:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the ability to change the static NAT route.
      special-file-23-support:
        choices:
        - disable
        - enable
        description:
        - Enable/disable IPS detection of HIBUN format files when using Data Leak Protection.
      ssh-cbc-cipher:
        choices:
        - enable
        - disable
        description:
        - Enable/disable CBC cipher for SSH access.
      ssh-hmac-md5:
        choices:
        - enable
        - disable
        description:
        - Enable/disable HMAC-MD5 for SSH access.
      ssh-kex-sha1:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SHA1 key exchange for SSH access.
      # Sets the floor for SSL/TLS protocol negotiation. SSLv3, TLSv1 and TLSv1-1 are
      # deprecated protocols (RFC 7568, RFC 8996); TLSv1-2 is the strictest value
      # offered here and, per the description, the default. Lower it only for a
      # documented legacy client, and only temporarily.
      ssl-min-proto-version:
        choices:
        - SSLv3
        - TLSv1
        - TLSv1-1
        - TLSv1-2
        description:
        - Minimum supported protocol version for SSL/TLS connections (default = TLSv1.2).
      # The suites named in the description are static-key suites, which give no
      # forward secrecy: recorded traffic can be decrypted later if the server key is
      # ever compromised. Prefer "disable" wherever clients support (EC)DHE suites.
      ssl-static-key-ciphers:
        choices:
        - enable
        - disable
        description:
        - Enable/disable static key ciphers in SSL/TLS connections (e.g. AES128-SHA, AES256-SHA,
          AES128-SHA256, AES256-SHA256).
      # SSL VPN tuning options. The two hardware-acceleration toggles differ in which
      # operation is offloaded. NOTE(review): "KXP" is not expanded in the
      # description; presumably key exchange processing — confirm.
      sslvpn-cipher-hardware-acceleration:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSL VPN hardware acceleration.
      sslvpn-kxp-hardware-acceleration:
        choices:
        - enable
        - disable
        description:
        - Enable/disable SSL VPN KXP hardware acceleration.
      # No choices are listed; per the description the upper limit is the number of
      # CPUs and varies by model.
      sslvpn-max-worker-count:
        description:
        - Maximum number of SSL VPN processes. Upper limit for this value is the number
          of CPUs and depends on the model.
      sslvpn-plugin-version-check:
        choices:
        - enable
        - disable
        description:
        - Enable/disable checking browser's plugin version by SSL VPN.
      # Per the description, with this enabled a session is deleted once a routing or
      # policy change means it no longer matches the policy that originally allowed
      # it, so a tightened policy also applies to sessions that are already
      # established rather than only to new ones.
      strict-dirty-session-check:
        choices:
        - enable
        - disable
        description:
        - Enable to check the session against the original policy when revalidating. This
          can prevent dropping of redirected sessions when web-filtering and authentication
          are enabled together. If this option is enabled, the FortiGate unit deletes
          a session if a routing or policy change causes the session to no longer match
          the policy that originally allowed the session.
      # The description counts 3DES and SHA1 as "strong"; both are legacy by current
      # standards. Treat "enable" as a minimum baseline, not as a complete hardening
      # step, and additionally restrict protocol versions and SSH algorithms with the
      # dedicated options in this list (ssl-min-proto-version, ssl-static-key-ciphers,
      # ssh-cbc-cipher, ssh-hmac-md5, ssh-kex-sha1).
      strong-crypto:
        choices:
        - enable
        - disable
        description:
        - Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and
          digest (SHA1) for HTTPS/SSH/TLS/SSL functions.
      # Switch-controller toggles followed by TCP session timers. The timers are
      # plain numbers with the ranges and defaults given in each description.
      switch-controller:
        choices:
        - disable
        - enable
        description:
        - Enable/disable switch controller feature. Switch controller allows you to manage
          FortiSwitch from the FortiGate itself.
      # NOTE(review): the description says "Enable" but no choices are listed, so the
      # expected value format cannot be told from this page — confirm before use.
      switch-controller-reserved-network:
        description:
        - Enable reserved network subnet for controlled switches. This is available when
          the switch controller is enabled.
      sys-perf-log-interval:
        description:
        - Time in minutes between updates of performance statistics logging. (1 - 15 min,
          default = 5, 0 = disabled).
      tcp-halfclose-timer:
        description:
        - Number of seconds the FortiGate unit should wait to close a session after one
          peer has sent a FIN packet but the other has not responded (1 - 86400 sec (1
          day), default = 120).
      # Half-open sessions are kept for this many seconds. Raising it well above the
      # default of 10 keeps unanswered connection attempts around longer, which
      # matters for resource use under SYN-flood load.
      tcp-halfopen-timer:
        description:
        - Number of seconds the FortiGate unit should wait to close a session after one
          peer has sent an open session packet but the other has not responded (1 - 86400
          sec (1 day), default = 10).
      tcp-option:
        choices:
        - enable
        - disable
        description:
        - Enable SACK, timestamp and MSS TCP options.
      # No range or default is given for this timer on this page.
      tcp-timewait-timer:
        description:
        - Length of the TCP TIME-WAIT state in seconds.
      # TFTP has no authentication and no encryption. Keep this at "disable" unless a
      # workflow needs it. NOTE(review): the description does not say which TFTP
      # function of the device this governs — confirm against FortiOS documentation.
      tftp:
        choices:
        - enable
        - disable
        description:
        - Enable/disable TFTP.
      # NOTE(review): the choices below mix forms. Under a YAML 1.1 loader "08" and "09"
      # are not valid octal and load as strings, while the other entries load as
      # integers; a YAML 1.2 loader reads them as 8 and 9. The description speaks of
      # "00 to 86", so the module presumably expects two-digit strings. Quoting the
      # value in a playbook (timezone: "08") avoids the ambiguity — confirm against
      # the module source. The list is not in numeric order.
      timezone:
        choices:
        - 1
        - 2
        - 3
        - 4
        - 5
        - 81
        - 6
        - 7
        - 08
        - 09
        - 10
        - 11
        - 12
        - 13
        - 74
        - 14
        - 77
        - 15
        - 87
        - 16
        - 17
        - 18
        - 19
        - 20
        - 75
        - 21
        - 22
        - 23
        - 24
        - 80
        - 79
        - 25
        - 26
        - 27
        - 28
        - 78
        - 29
        - 30
        - 31
        - 32
        - 33
        - 34
        - 35
        - 36
        - 37
        - 38
        - 83
        - 84
        - 40
        - 85
        - 41
        - 42
        - 43
        - 39
        - 44
        - 46
        - 47
        - 51
        - 48
        - 45
        - 49
        - 50
        - 52
        - 53
        - 54
        - 55
        - 56
        - 57
        - 58
        - 59
        - 60
        - 62
        - 63
        - 61
        - 64
        - 65
        - 66
        - 67
        - 68
        - 69
        - 70
        - 71
        - 72
        - 0
        - 82
        - 73
        - 86
        - 76
        description:
        - Number corresponding to your time zone from 00 to 86. Enter set timezone ? to
          view the list of time zones and the numbers that represent them.
      # Per the description, enabling this skips the policy check and lets multicast
      # traffic through, i.e. multicast is forwarded without firewall policy
      # evaluation. NOTE(review): the "tp" prefix presumably refers to transparent
      # mode — confirm the scope before enabling.
      tp-mc-skip-policy:
        choices:
        - enable
        - disable
        description:
        - Enable/disable skip policy check and allow multicast through.
      # Selects which header field (ToS or DSCP) traffic shaping uses for priority.
      traffic-priority:
        choices:
        - tos
        - dscp
        description:
        - Choose Type of Service (ToS) or Differentiated Services Code Point (DSCP) for
          traffic prioritization in traffic shaping.
      traffic-priority-level:
        choices:
        - low
        - medium
        - high
        description:
        - Default system-wide level of priority for traffic prioritization.
      # Timeouts for the second authentication factor, one option per delivery method.
      # Presumably each bounds how long a pending code or token stays usable, so
      # shorter values narrow the window for an intercepted code — confirm the exact
      # semantics. Mind the units: two-factor-ftm-expiry is in hours, the other
      # four are in seconds.
      two-factor-email-expiry:
        description:
        - Email-based two-factor authentication session timeout (30 - 300 seconds (5 minutes),
          default = 60).
      two-factor-fac-expiry:
        description:
        - FortiAuthenticator token authentication session timeout (10 - 3600 seconds (1
          hour), default = 60).
      two-factor-ftk-expiry:
        description:
        - FortiToken authentication session timeout (60 - 600 sec (10 minutes), default
          = 60).
      two-factor-ftm-expiry:
        description:
        - FortiToken Mobile session timeout (1 - 168 hours (7 days), default = 72).
      two-factor-sms-expiry:
        description:
        - SMS-based two-factor authentication session timeout (30 - 300 sec, default =
          60).
      # Session, VDOM, virtual-server, WAD and certificate options. Entries marked
      # "Source certificate.*.name" take the name of a certificate object; presumably
      # that object must already exist on the device — confirm.
      udp-idle-timer:
        description:
        - UDP connection session timeout. This command can be useful in managing CPU and
          memory resources (1 - 86400 seconds (1 day), default = 60).
      # Certificate presented for HTTPS user authentication; the value is the name of
      # a local certificate. Use one issued for this device so clients can validate it.
      user-server-cert:
        description:
        - Certificate to use for https user authentication. Source certificate.local.name.
      vdom-admin:
        choices:
        - enable
        - disable
        description:
        - Enable/disable support for multiple virtual domains (VDOMs).
      vip-arp-range:
        choices:
        - unlimited
        - restricted
        description:
        - Controls the number of ARPs that the FortiGate sends for a Virtual IP (VIP)
          address range.
      virtual-server-count:
        description:
        - Maximum number of virtual server processes to create. The maximum is the number
          of CPU cores. This is not available on single-core CPUs.
      virtual-server-hardware-acceleration:
        choices:
        - disable
        - enable
        description:
        - Enable/disable virtual server hardware acceleration.
      # NOTE(review): the description says "up to 256 bits" but the format shown has
      # 16 hexadecimal digits, which is 64 bits — confirm the accepted length.
      wad-affinity:
        description:
        - Affinity setting for wad (hexadecimal value up to 256 bits in the format of
          xxxxxxxxxxxxxxxx).
      wad-csvc-cs-count:
        description:
        - Number of concurrent WAD-cache-service object-cache processes.
      wad-csvc-db-count:
        description:
        - Number of concurrent WAD-cache-service byte-cache processes.
      wad-source-affinity:
        choices:
        - disable
        - enable
        description:
        - Enable/disable dispatching traffic to WAD workers based on source affinity.
      wad-worker-count:
        description:
        - Number of explicit proxy WAN optimization daemon (WAD) processes. By default
          WAN optimization, explicit proxy, and web caching is handled by all of the CPU
          cores in a FortiGate unit.
      # wifi-ca-certificate names a CA certificate (certificate.ca.name) and
      # wifi-certificate names a local certificate (certificate.local.name); per the
      # descriptions the former verifies the latter, so set them as a matching pair.
      wifi-ca-certificate:
        description:
        - CA certificate that verifies the WiFi certificate. Source certificate.ca.name.
      wifi-certificate:
        description:
        - Certificate to use for WiFi authentication. Source certificate.local.name.
      wimax-4g-usb:
        choices:
        - enable
        - disable
        description:
        - Enable/disable compatibility with WiMAX 4G USB devices.
      # Enables management of FortiAPs from this FortiGate unit.
      wireless-controller:
        choices:
        - enable
        - disable
        description:
        - Enable/disable the wireless controller feature to use the FortiGate unit to
          manage FortiAPs.
      # Two ports are involved: the control channel uses this port and, per the
      # description, the data channel uses this port plus one. Any filtering between
      # the access points and the controller has to allow both, and only from the
      # networks where access points actually live.
      wireless-controller-port:
        description:
        - Port used for the control channel in wireless controller mode (wireless-mode
          is ac). The data channel port is the control channel port number plus one (1024
          - 49150, default = 5246).

Outputs

# Values returned by the module, as documented on this page. Every value is typed
# str, including numeric-looking ones such as build and http_status, so compare
# them as strings (for example against '200') when checking a registered result.
# build, serial and version identify the exact unit and firmware level; keep that
# in mind when registered results are stored or logged.
build:
  description: Build number of the fortigate image
  returned: always
  sample: '1547'
  type: str
http_method:
  description: Last method used to provision the content into FortiGate
  returned: always
  sample: PUT
  type: str
http_status:
  description: Last result given by FortiGate on last operation applied
  returned: always
  sample: '200'
  type: str
# mkey is the only value documented as returned on success only; the others are
# documented as always returned.
mkey:
  description: Master key (id) used in the last call to FortiGate
  returned: success
  sample: id
  type: str
# NOTE(review): the samples for name and path (urlfilter / webfilter) do not look
# specific to system global settings; presumably generic examples — confirm.
name:
  description: Name of the table used to fulfill the request
  returned: always
  sample: urlfilter
  type: str
path:
  description: Path of the table used to fulfill the request
  returned: always
  sample: webfilter
  type: str
revision:
  description: Internal revision number
  returned: always
  sample: 17.0.2.10658
  type: str
serial:
  description: Serial number of the unit
  returned: always
  sample: FGVMEVYYQT3AB5352
  type: str
# Check status (and http_status) rather than assuming the change was applied.
status:
  description: Indication of the operation's result
  returned: always
  sample: success
  type: str
vdom:
  description: Virtual domain used
  returned: always
  sample: root
  type: str
version:
  description: Version of the FortiGate
  returned: always
  sample: v5.6.3
  type: str