Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.0.4 CLI Reference
    7.0.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config system admin

    config system admin

    Use this command to manage administrator and REST API administrator accounts.

    Administrator user accounts can be created and configured through the CLI. For details, see Administrator accounts.

    REST API administrator accounts can only be edited through the CLI but not created. You can only create a REST API administrator account through the GUI. However, once the account is created in the GUI, the REST API administrator can be edited in the CLI. For details, see REST API administrator accounts.

    Administrator accounts

    Use config system admin to create and manage administrator accounts.

    We recommend that only network administrators—and if possible, only a single person—use the admin account. You can configure accounts that provision different scopes of access. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

    Before you begin:
    • If you want to use RADIUS or LDAP authentication, you must have already have created the RADIUS server or LDAP server configuration.
    • You must have read-write permission for system settings.

    Syntax

    config system admin

    edit <name>

    set access-profile <datasource>

    set auth-strategy {local | ldap | radius}

    set ldap-server <datasource>

    set radius-server <datasource>

    set is-system-admin {no|yes}

    set password <passwd>

    set trusted-hosts <ip&netmask>

    set vdom <datasource>

    set wildcard {disable|enable}

    next

    end

    <name>

    Name of the administrator account, such as admin1 or admin@example.com.

    Do not use spaces or special characters except the ‘at’ symbol ( @) or dot (.). The maximum length is 35 characters.

    Note: This is the user name that the administrator must provide when logging in to the CLI or web UI.

    After you initially save the configuration, you cannot edit the name.

    access-profile

    Specify a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, specifying this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

    Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

    auth-strategy
    • local—Use the local authentication server.
    • ldap—Use an LDAP authentication server. Select the LDAP server configuration.
    • radius—Use a RADIUS authentication server.

    ldap-server

    If using LDAP, specify the LDAP server configuration.

    radius-server

    If using RADIUS, specify the RADIUS server configuration.

    is-system-admin
    • yes—Can access all virtual domains.
    • no—Can access only the virtual domain specified in this configuration.

    Note: The system admin privileges enabled by this setting give the user permission to change any non-global-admin password without its current password and to change any global-admin password with the current password.

    password

    Set a strong password for all administrator accounts. The password should be at least eight characters long, be sufficiently complex, and be changed regularly.

    wildcard

    Enable/disable user wildcard for remote server authentication.

    trusted-hosts

    Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

    Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator must connect only from the computer or subnets you specify.

    Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

    If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal.

    To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:

    192.0.2.2/32

    2001:0db8:85a3::8a2e:0370:7334/128

    To allow login attempts from any IP address (not recommended), enter:

    0.0.0.0/0.

    Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

    Tip: If you allow login from the Internet, set a longer and more complex New Password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area.

    Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

    vdom

    If you have enabled the virtual domain feature, specify the virtual domain that this administrator can view and manage.

    Note: You can create multiple VDOMs separated by space.

    Example

    FortiADC-VM # config system admin

    FortiADC-VM (admin) # edit doc-admin

    Add new entry 'doc-admin' for node 78

    FortiADC-VM (doc-admin) # set access-profile doc-admin

    FortiADC-VM (doc-admin) # end

    FortiADC-VM # get system admin doc-admin

    is-system-admin : no

    vdom : root

    password : *

    trusted-hosts : 0.0.0.0/0 ::/0

    auth-strategy : local

    access-profile : doc-admin

    theme :

    role-list :

    privilege-map :

    access-token : 3p6RgrzT21ciDMdwgowh9Lwd303SoSsrhygy0Or0PDhrnuXBQrRZdnagne 6K6y9o5qU5el31WkqiMmRANIy04IfpWl91SjnXHh0TA1SukjM6DCFoidnmVCKQVRRN8cIP

    REST API administrator accounts

    Use config system admin to edit the configurable attributes of an existing REST API administrator account.

    Before you begin:
    • You must have read-write permission for system settings.
    • Created a REST API administrator account in the GUI.

    Although users can use an API request to create a REST API administrator account, the resulting token would not be properly assigned to the user. Without an assigned user this authorization token would be invalid and would not be able to access the supported FortiADC REST APIs.

    Syntax

    config system admin

    edit <name>

    set is-system-admin {no|yes}

    set trusted-hosts <ip&netmask>

    set access-profile <datasource>

    set comments <string>

    set cors-allow-origin <string>

    next

    end

    <name>

    Enter the login name of the REST API administrator account.

    is-system-admin

    Select either of the following global admin access options:

    • no — The account can access the virtual domain specified in this configuration only. This is the default option.

    • yes — The account can access all virtual domains.

    trusted-hosts

    If restricted to trusted hosts is enabled, specify the trusted host IP address and netmask allowed to log in to the REST API. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

    access-profile

    The access-profile option is configurable if is-system-admin is no.

    Specify a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, specifying this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

    Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

    comments

    		 (Optional) Enter comments about the administrator account.

    cors-allow-origin

    		 If CORS Allow Origin is enabled, then specify the URL that can access the REST API.

    Example

    config system admin

    edit "restapi_admin"

    set is-system-admin no

    set trusted-hosts 0.0.0.0/0 ::/0

    set access-profile super_admin_prof

    set comments test

    set cors-allow-origin https://fndn.fortinet.net

    next

    end

    Previous
    Next

    config system admin

    config system admin

    Use this command to manage administrator and REST API administrator accounts.

    Administrator user accounts can be created and configured through the CLI. For details, see Administrator accounts.

    REST API administrator accounts can only be edited through the CLI but not created. You can only create a REST API administrator account through the GUI. However, once the account is created in the GUI, the REST API administrator can be edited in the CLI. For details, see REST API administrator accounts.

    Administrator accounts

    Use config system admin to create and manage administrator accounts.

    We recommend that only network administrators—and if possible, only a single person—use the admin account. You can configure accounts that provision different scopes of access. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

    Before you begin:
    • If you want to use RADIUS or LDAP authentication, you must have already have created the RADIUS server or LDAP server configuration.
    • You must have read-write permission for system settings.

    Syntax

    config system admin

    edit <name>

    set access-profile <datasource>

    set auth-strategy {local | ldap | radius}

    set ldap-server <datasource>

    set radius-server <datasource>

    set is-system-admin {no|yes}

    set password <passwd>

    set trusted-hosts <ip&netmask>

    set vdom <datasource>

    set wildcard {disable|enable}

    next

    end

    <name>

    Name of the administrator account, such as admin1 or admin@example.com.

    Do not use spaces or special characters except the ‘at’ symbol ( @) or dot (.). The maximum length is 35 characters.

    Note: This is the user name that the administrator must provide when logging in to the CLI or web UI.

    After you initially save the configuration, you cannot edit the name.

    access-profile

    Specify a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, specifying this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

    Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

    auth-strategy
    • local—Use the local authentication server.
    • ldap—Use an LDAP authentication server. Select the LDAP server configuration.
    • radius—Use a RADIUS authentication server.

    ldap-server

    If using LDAP, specify the LDAP server configuration.

    radius-server

    If using RADIUS, specify the RADIUS server configuration.

    is-system-admin
    • yes—Can access all virtual domains.
    • no—Can access only the virtual domain specified in this configuration.

    Note: The system admin privileges enabled by this setting give the user permission to change any non-global-admin password without its current password and to change any global-admin password with the current password.

    password

    Set a strong password for all administrator accounts. The password should be at least eight characters long, be sufficiently complex, and be changed regularly.

    wildcard

    Enable/disable user wildcard for remote server authentication.

    trusted-hosts

    Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

    Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator must connect only from the computer or subnets you specify.

    Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

    If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal.

    To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:

    192.0.2.2/32

    2001:0db8:85a3::8a2e:0370:7334/128

    To allow login attempts from any IP address (not recommended), enter:

    0.0.0.0/0.

    Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

    Tip: If you allow login from the Internet, set a longer and more complex New Password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area.

    Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

    vdom

    If you have enabled the virtual domain feature, specify the virtual domain that this administrator can view and manage.

    Note: You can create multiple VDOMs separated by space.

    Example

    FortiADC-VM # config system admin

    FortiADC-VM (admin) # edit doc-admin

    Add new entry 'doc-admin' for node 78

    FortiADC-VM (doc-admin) # set access-profile doc-admin

    FortiADC-VM (doc-admin) # end

    FortiADC-VM # get system admin doc-admin

    is-system-admin : no

    vdom : root

    password : *

    trusted-hosts : 0.0.0.0/0 ::/0

    auth-strategy : local

    access-profile : doc-admin

    theme :

    role-list :

    privilege-map :

    access-token : 3p6RgrzT21ciDMdwgowh9Lwd303SoSsrhygy0Or0PDhrnuXBQrRZdnagne 6K6y9o5qU5el31WkqiMmRANIy04IfpWl91SjnXHh0TA1SukjM6DCFoidnmVCKQVRRN8cIP

    REST API administrator accounts

    Use config system admin to edit the configurable attributes of an existing REST API administrator account.

    Before you begin:
    • You must have read-write permission for system settings.
    • Created a REST API administrator account in the GUI.

    Although users can use an API request to create a REST API administrator account, the resulting token would not be properly assigned to the user. Without an assigned user this authorization token would be invalid and would not be able to access the supported FortiADC REST APIs.

    Syntax

    config system admin

    edit <name>

    set is-system-admin {no|yes}

    set trusted-hosts <ip&netmask>

    set access-profile <datasource>

    set comments <string>

    set cors-allow-origin <string>

    next

    end

    <name>

    Enter the login name of the REST API administrator account.

    is-system-admin

    Select either of the following global admin access options:

    • no — The account can access the virtual domain specified in this configuration only. This is the default option.

    • yes — The account can access all virtual domains.

    trusted-hosts

    If restricted to trusted hosts is enabled, specify the trusted host IP address and netmask allowed to log in to the REST API. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

    access-profile

    The access-profile option is configurable if is-system-admin is no.

    Specify a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, specifying this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

    Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

    comments

    		 (Optional) Enter comments about the administrator account.

    cors-allow-origin

    		 If CORS Allow Origin is enabled, then specify the URL that can access the REST API.

    Example

    config system admin

    edit "restapi_admin"

    set is-system-admin no

    set trusted-hosts 0.0.0.0/0 ::/0

    set access-profile super_admin_prof

    set comments test

    set cors-allow-origin https://fndn.fortinet.net

    next

    end

    Previous
    Next