Enter the name of the group you are editing or enter a new name to create an entry (character limit = 63).

Enter the name of the LDAP server or enter a new name to create an entry (character limit = 63).

The attribute used to retrieve ADOM.

Set the ADOM name to link to the LDAP configuration.

Attributes used for group searching (for multi-attributes, a use comma as a separator). For example:

• member
• uniquemember
• member,uniquemember

CA certificate name. This variable appears only when secure is set to ldaps or starttls.

Enter the common name identifier (character limit = 20, default = cn).

Set the LDAP connection timeout, in milliseconds (default = 500).

Enter the distinguished name.

Enter content for group searching. For example:

(&(objectcategory=group)(member=*))

(&(objectclass=groupofnames)(member=*))

(&(objectclass=groupofuniquenames)(uniquemember=*))

(&(objectclass=posixgroup)(memberuid=*))

Enter an authorization group. The authentication user must be a member of this group (full DN) on the server.

The attribute used to retrieve memeberof.

Enter a password for the username above. This variable appears only when type is set to regular.

Enter the port number for LDAP server communication (1 - 65535, default = 389).

The attribute used to retrieve admin profile.

Enter the secondary LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

Set the SSL connection type:

• disable: no SSL (default).
• ldaps: use LDAPS
• starttls: use STARTTLS

Enter the LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

Enter the tertiary LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

Set a binding type:

• anonymous: Bind using anonymous user search
• regular: Bind using username/password and then search
• simple: Simple password authentication without search (default)

Edit the access profile. Enter a new name to create a new profile (character limit = 35). The pre-defined access profiles are Super_User, Standard_User, and Restricted_User.

Configure ADOM locking permissions for profile:

• none: No permission (default).
• read: Read permission.
• read-write: Read-write permission.

Controlled functions: ADOM locking.

Dependencies: type must be system

Configure administrative domain (ADOM) permissions for this profile.

Controlled functions: ADOM settings in DVM, ADOM settings in All ADOMs page (under System Settings tab)

Dependencies: If system-setting is none, the All ADOMs page is not accessible.

Enable/disable allowing restricted users to change their password (default = disable).

Enable/disable data masking (default = disable).

Enable/disable custom field search priority.

Enter that data masking fields, separated by spaces.

• dstip: Destination IP
• dstname: Destination name
• email: Email
• message: Message
• srcip: Source IP
• srcmac: Source MAC
• srcname: Source name
• user: User name

Enter the data masking encryption key.

Enter a description for this access profile (character limit = 1023). Enclose the description in quotes if it contains spaces.

Set the AP Manager permissions (default = none).

Set the FortiClient Manager permissions (default = none).

Enter the level of access to Device Manager settings for this profile (default = none).

This command corresponds to the Device Manager option in the GUI administrator profile.

Controlled functions: Device Manager

Add the capability to add, delete, and edit devices to this profile (default = none).

This command corresponds to the Add/Delete Devices/Groups option in the GUI administrator profile. This is a sub-setting of device-manager.

Controlled functions: Add or delete devices or groups

Configure device policy package locking permissions for this profile (default = none).

Controlled functions: Policy package locking.

Dependencies: type must be system

Set the SD-WAN permissions (default = none).

Set the Event Management permissions (default = none).

This command corresponds to the Event Management option in the GUI administrator profile.

Controlled functions: Event Management tab and all its operations

Set the Log View permissions (default = none).

This command corresponds to the Log View option in the GUI administrator profile.

Controlled functions: Log View and all its operations

Enter the level of access to the Drill Down configuration settings for this profile (default = none).

Set the Reports permissions (default = none).

This command corresponds to the Reports option in the GUI administrator profile.

Controlled functions: Reports tab and all its operations

CLI command is not in use.

Configure System Settings permissions for this profile (default = none).

This command corresponds to the System Settings option in the GUI administrator profile.

Controlled functions: System Settings tab, All the settings under System setting

Variables for config datamask-custom-fields subcommand:

Enter the custom field name.

Enter the field category (default = all).

Enable/disable the field (default = enable).

Enter the name of the RADIUS server or enter a new name to create an entry (character limit = 63 ).

The authentication protocol the RADIUS server will use.

• any: Use any supported authentication protocol (default).
• mschap2: Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).
• chap: Challenge Handshake Authentication Protocol (CHAP)
• pap: Password Authentication Protocol (PAP).

The network access server (NAS) IPv4 address and called station ID.

The RADIUS server port number (1 - 65535 , default = 1812).

The password to access the RADIUS secondary-server (character limit = 64 ).

The RADIUS secondary-server DNS resolvable domain name or IPv4 address.

The password to access the RADIUS server (character limit = 64 ).

Enable/disable the access banner (default= disable).

Enable/disable redirection of HTTP admin traffic to HTTPS (default= enable).

Set the maximum number of admin users that be logged in at one time (1 - 256, default = 256).

Enter the name of an https server certificate to use for secure connections (default = server.crt). FortiAnalyzer has server.crt and Fortinet_Local certificates pre-loaded.

Set the banner messages (character limit = 255).

Configure the GUI theme (default = blue).

Enter the HTTP port number for web administration (1 - 65535, default = 80).

Enter the HTTPS port number for web administration (1 - 65535, default = 443).

Enter the idle timeout value, in minutes (1 - 480, default = 15).

Enable/disable forced deletion of used objects (default = enable).

Enter the password to use for shell access.

Enable/disable show the add multiple button in the GUI (default = disable).

Enable/disable show checkboxes in tables in the GUI (default = disable).

Enable/disable import/export of ADOM, device, and group lists (default = disable).

Enable/disable showing the hostname on the GUI login page (default = disable).

Enable/disable show log forwarding tab in analyzer mode (default= enable).

Select action to take when an unregistered device connects to FortiAnalyzer:

• add_allow_service: Add unregistered devices and allow service requests (default).
• add_no_service: Add unregistered devices and deny service requests.

Enter the name of the TACACS+ server or enter a new name to create an entry (character limit = 63).

Choose which authentication type to use:

• ascii: ASCII
• auto: Uses PAP, MSCHAP, and CHAP (in that order) (default).
• chap: Challenge Handshake Authentication Protocol (CHAP)
• mschap: Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
• pap: Password Authentication Protocol (PAP).

Enable/disable TACACS+ authorization (default = disable).

Key to access the server (character limit = 128).

Port number of the TACACS+ server (1 - 65535, default = 49).

Key to access the secondary server (character limit = 128).

Secondary server domain name or IPv4 address.

The server domain name or IPv4 address.

Key to access the tertiary server (character limit = 128).

Enter the name of the admin user or enter a new name to create a new user (character limit = 35).

Enter a password for the administrator account (character limit = 128). For improved security, the password should be at least 6 characters long.

This variable is available only if user_type is local.

Enable/disable allowing restricted users to change their password (default = disable).

Optionally, type the trusted host IPv4 address and network mask from which the administrator can log in to the FortiAnalyzer system. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system.

Defaults:

trusthost1: 0.0.0.0 0.0.0.0 for all

others: 255.255.255.255 255.255.255.255 for none

Optionally, type the trusted host IPv6 address from which the administrator can log in to the FortiAnalyzer system. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system.

Defaults:

ipv6_trusthost1: ::/0 for all

others: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 for none

Enter the name of the access profile to assign to this administrator account (character limit = 35, default = Restricted_User). Access profiles control administrator access to FortiAnalyzer features.

Enter the name(s) of the ADOM(s) the administrator belongs to. Any configuration of ADOMs takes place via the FortiAnalyzer GUI.

Enter the device group that the admin use can access. This option can only be used for administrators with access to only one ADOM.

Enter the name(s) of the excluding ADOM(s).

Policy package access

Enable/disable restricted access to the development VDOM (dev-vdom) (default = disable).

Enter a description for this administrator account (character limit = 127). Enclose the description in quotes if it contains spaces.

Select the administrator type:

• group: The administratoris a member of a administrator group.
• ldap: An LDAP server verifies the administrator’s password.
• local: The FortiAnalyzer system verifies the administrator’s password (default).
• pki-auth: The administrator uses PKI.
• radius: A RADIUS server verifies the administrator’s password.
• tacacs-plus: A TACACS+ server verifies the administrator’s password.

Enter the group name.

Enter the LDAP server name if the user type is set to LDAP.

Enter the RADIUS server name if the user type is set t o RADIUS.

Enter the TACACS+ server name if the user type is set to TACACS+.

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

<key type> is ssh-dss for a DSA key, ssh-rsa for an RSA key.

<key-value> is the public key string of the SSH client.

Image file for the administrator's avatar (maximum 4K base64 encode).

Enable/disable wildcard remote authentication (default = disable).

Enable/disable allowing the use of the ADOM provided by the remote authentication server (default = disable).

In order to support vendor specific attributes (VSA), the authentication server requires a dictionary to define which VSAs to support. The Fortinet RADIUS vendor ID is 12365. The Fortinet-Vdom-Name attribute is used by this command.

Only admin users that belong to this group are allowed to log in.

When enforcing the password policy, enter the date that the current password will expire.

Enable/disable force password change on next log in.

PKI user certificate name constraints.

This command is available when a PKI administrator account is configured.

PKI user certificate CA (CA name in local).

This command is available when a PKI administrator account is configured.

Enable/disable two-factor authentication (certificate + password) (default = disable).

This command is available when a PKI administrator account is configured.

Set the permission level for log in via Remote Procedure Call (RPC) (default = none).

Administrator's last name (character limit = 63).

Administrator's first name (character limit = 63).

Administrator's email address.

Administrator's phone number.

Administrator's mobile phone number.

Administrator's pager number.

Variables for config meta-data subcommand:

This subcommand can only change the value of an existing field. To create a new metadata field, use the config system metadata command.

The label/name of the field (read-only, default = 50). Enclose the name in quotes if it contains spaces.

The maximum number of characters allowed for this field (read-only, default = 50).

Enter a pre-determined value for the field. This is the only value that can be changed with the config meta-data subcommand (character limit = 255).

Indicates whether the field is compulsory (required) or optional (optional) (read-only, default = optional).

The status of the field (read-only, default = enable).

Variables for config dashboard-tabs subcommand:

Tab ID.

Tab name.

Variables for config dashboard subcommand:

Widget ID.

Widget name (character limit = 63).

Widget column ID (default = 0).

Set the Disk I/O Monitor widget's chart type.

• blks: the amount of data of I/O requests.
• iops: the number of I/O requests.
• util: bandwidth utilization (default).

Set the Disk I/O Monitor widget's data period (default = 1hour).

Widget refresh interval (default = 300).

Widget opened/closed status (default = open).

ID of the tab where the widget is displayed (default = 0).

Widget type:

• alert: Alert Message Console
• devsummary: Device Summary
• disk-io: Disk I/O
• jsconsole: CLI Console
• licinfo: License Information
• log-rcvd-fwdReceive Rate v. Forwarding Rate
• logdb-lag: Log Insert Lag Time
• logdb-perf: Insert Rate vs Receive Rate
• logrecv: Logs/Data Received (this widget has been deprecated)
• raid: Disk Monitor
• rpteng: Report Engine (this widget has been deprecated)
• statistics: Statistics (this widget has been deprecated)
• sysinfo: System Information
• sysop: Unit Operation
• sysres: System Resources
• top-lograte: Log Receive Monitor

Log receive monitor widget’s statistics breakdown options (default = device).

Log receive monitor widgets’s number of top items to display (default = 5).

Log receive monitor widget’s data period (default = 2min).

Widget’s data view type (default = history).

Widget data period:

• 10min: Last 10 minutes (default).
• day: Last day.
• hour: Last hour.

Widget CPU display type:

• average: Average usage of CPU (default).
• each: Each usage of CPU.

Number of entries (default = 10).

Set the Log Database Monitor widget's data period (default = 1hour).

Variable for config restrict-dev-vdom subcommand: