CLI Reference

system admin

Use this command to add, edit, and delete administrator accounts. Administrators can control which data modules appear in the FortiGate unit system dashboard by using the config system admin command. Administrators must have read and write privileges to modify the dashboard in the web-based manager.

Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Each administrator account except the default admin must include an access profile. You cannot delete the default super admin account or change its access profile (super_admin). There is also an access profile that grants read-only super admin privileges, super_admin_readonly. Like super_admin, the super_admin_readonly profile cannot be deleted or changed. This read-only super admin may be used where it is necessary to troubleshoot a customer configuration without making changes.

You can authenticate administrators using a password stored on the FortiGate unit or you can perform authentication with RADIUS, LDAP, or TACACS+ servers. When you use RADIUS authentication, you can authenticate specific administrators or you can allow any account on the RADIUS server to access the FortiGate unit as an administrator.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command:

    config gui-dashboard
        config widget
            edit <id>
                set title <name>
            next
    ...

Description:

    Dashboard widget titles can be modified so that widgets with potentially different filters applied can be easily differentiated. The widget will be given a default title unless a new title is provided.

config system admin
    edit {name}
    # Configure admin users.
        set name {string}   User name. size[35]
        set wildcard {enable | disable}   Enable/disable wildcard RADIUS authentication.
        set remote-auth {enable | disable}   Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.
        set remote-group {string}   User group name used for remote auth. size[35]
        set password {password_string}   Admin user password. size[128]
        set peer-auth {enable | disable}   Set to enable peer certificate authentication (for HTTPS admin access).
        set peer-group {string}   Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access). size[35]
        set trusthost1 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost2 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost3 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost4 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost5 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost6 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost7 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost8 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost9 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost10 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set ip6-trusthost1 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost2 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost3 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost4 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost5 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost6 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost7 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost8 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost9 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost10 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set accprofile {string}   Access profile for this administrator. Access profiles control administrator access to FortiGate features. size[35] - datasource(s): system.accprofile.name
        set allow-remove-admin-session {enable | disable}   Enable/disable allow admin session to be removed by privileged admin users.
        set comments {string}   Comment. size[255]
        set hidden {integer}   Admin user hidden attribute. range[0-255]
        config vdom
            edit {name}
            # Virtual domain(s) that the administrator can access.
                set name {string}   Virtual domain name. size[64] - datasource(s): system.vdom.name
            next
        set ssh-public-key1 {string}   Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
        set ssh-public-key2 {string}   Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
        set ssh-public-key3 {string}   Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
        set ssh-certificate {string}   Select the certificate to be used by the FortiGate for authentication with an SSH client. size[35] - datasource(s): certificate.local.name
        set schedule {string}   Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions. size[35]
        set accprofile-override {enable | disable}   Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.
        set radius-vdom-override {enable | disable}   Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.
        set password-expire {string}   Password expire time.
        set force-password-change {enable | disable}   Enable/disable force password change on next login.
        config gui-dashboard
            edit {id}
            # GUI dashboards.
                set id {integer}   Dashboard ID. range[0-4294967295]
                set name {string}   Dashboard name. size[35]
                set scope {global | vdom}   Dashboard scope.
                        global  Global.
                        vdom    VDOM.
                set layout-type {responsive | fixed}   Layout type.
                        responsive  Responsive.
                        fixed       Fixed grid.
                set columns {integer}   Number of columns. range[5-20]
                config widget
                    edit {id}
                    # Dashboard widgets.
                        set id {integer}   Widget ID. range[0-4294967295]
                        set type {option}   Widget type.
                                sysinfo                  System Information.
                                licinfo                  License Information.
                                forticloud               FortiCloud Licenses.
                                cpu-usage                CPU Usage.
                                memory-usage             Memory Usage.
                                disk-usage               Disk Usage.
                                log-rate                 Session Rate.
                                sessions                 Sessions.
                                session-rate             Session Rate.
                                tr-history               Traffic History.
                                analytics                FortiGuard Analytics.
                                usb-modem                USB Modem.
                                admins                   Administrators.
                                security-fabric          Security Fabric.
                                security-fabric-ranking  Security Fabric Ranking.
                                sensor-info              Sensor Information.
                                ha-status                HA Status.
                                vulnerability-summary    Vulnerability Summary.
                                host-scan-summary        Host Scan Summary.
                                fortiview                FortiView.
                                botnet-activity          Botnet Activity.
                                fortimail                FortiMail.
                        set x-pos {integer}   X position. range[0-1000]
                        set y-pos {integer}   Y position. range[0-1000]
                        set width {integer}   Width. range[1-50]
                        set height {integer}   Height. range[1-50]
                        set interface {string}   Interface to monitor. size[15] - datasource(s): system.interface.name
                        set region {default | custom}   Security Audit Rating region.
                                default  All regions.
                                custom   FortiGate region.
                        set industry {default | custom}   Security Audit Rating industry.
                                default  All industries.
                                custom   FortiCare industry.
                        set fabric-device {string}   Fabric device to monitor. size[127]
                        set title {string}   Widget title. size[127]
                        set fortiview-type {string}   FortiView type. size[35]
                        set fortiview-sort-by {string}   FortiView sort by. size[35]
                        set fortiview-timeframe {string}   FortiView timeframe. size[35]
                        set fortiview-visualization {string}   FortiView visualization. size[35]
                        config fortiview-filters
                            edit {id}
                            # FortiView filters.
                                set id {integer}   FortiView Filter ID. range[0-4294967295]
                                set key {string}   Filter key. size[127]
                                set value {string}   Filter value. size[127]
                            next
                    next
            next
        set two-factor {disable | fortitoken | email | sms}   Enable/disable two-factor authentication.
                disable     Disable two-factor authentication.
                fortitoken  Use FortiToken or FortiToken mobile two-factor authentication.
                email       Send a two-factor authentication code to the configured email-to email address.
                sms         Send a two-factor authentication code to the configured sms-server and sms-phone.
        set fortitoken {string}   This administrator's FortiToken serial number. size[16]
        set email-to {string}   This administrator's email address. size[63]
        set sms-server {fortiguard | custom}   Send SMS messages using the FortiGuard SMS server or a custom server.
                fortiguard  Send SMS by FortiGuard.
                custom      Send SMS by custom server.
        set sms-custom-server {string}   Custom SMS server to send SMS messages to. size[35] - datasource(s): system.sms-server.name
        set sms-phone {string}   Phone number on which the administrator receives SMS messages. size[15]
        set guest-auth {disable | enable}   Enable/disable guest authentication.
        config guest-usergroups
            edit {name}
            # Select guest user groups.
                set name {string}   Select guest user groups. size[64]
            next
        set guest-lang {string}   Guest management portal language. size[35] - datasource(s): system.custom-language.name
        set history0 {password_string}   history0 size[128]
        set history1 {password_string}   history1 size[128]
        config login-time
            edit {usr-name}
            # Record user login time.
                set usr-name {string}   User name. size[35]
                set last-login {datetime}   Last successful login time.
                set last-failed-login {datetime}   Last failed login time.
            next
        config gui-global-menu-favorites
            edit {id}
            # Favorite GUI menu IDs for the global VDOM.
                set id {string}   Select menu ID. size[64]
            next
        config gui-vdom-menu-favorites
            edit {id}
            # Favorite GUI menu IDs for VDOMs.
                set id {string}   Select menu ID. size[64]
            next
    next
end

remote-auth {enable | disable}

Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server. Disabled by default.

wildcard {enable | disable}

Enable or disable wildcard RADIUS authentication. Disabled by default. This option only appears when remote-auth is enabled.

remote-group <name>

Group name used for remote authentication. This option only appears when remote-auth is enabled.

password <string>

Set the password for the administrator account.

peer-auth {enable | disable}

Enable or disable peer authentication. Disabled by default.

peer-group <name>

Group name for peer authentication. This option only appears when peer-auth is enabled.

{trusthost1 ... trusthost10} <ip_address>

Set up to ten IPv4 addresses or subnets (address and netmask) from which this administrator is allowed to connect. If none is set, the account accepts connections from any IPv4 address.

{ip6-trusthost1 ... ip6-trusthost10} <ip_address>

Set up to ten IPv6 addresses or prefixes from which this administrator is allowed to connect. If none is set, the account accepts connections from any IPv6 address.

accprofile <profile-name>

Set the access profile (also known as admin profile) for the account. Access profiles control administrator access to FortiGate features. Two default profiles are available: prof_admin and super_admin.

accprofile-override {enable | disable}

Enable or disable allowing the remote server to override the administrator's access profile. Disabled by default. This option only appears when remote-auth is enabled.

radius-vdom-override {enable | disable}

Enable or disable allowing the remote server to override VDOM access. Only available with wildcard RADIUS authentication. Disabled by default. This option only appears when remote-auth is enabled.

allow-remove-admin-session {enable | disable}

Enable or disable allowing sessions initiated by this administrator to be removed by a privileged administrator. Enabled by default. This field is available for accounts with the super_admin profile.

comments <string>

Add comments.

vdom <vdom-name>

Select the virtual domain(s) that the administrator can access.

{ssh-public-key1 | ssh-public-key2 | ssh-public-key3} <key-type> <key-value>

Set up to three SSH public keys. A client that presents the matching private key is authenticated without being asked for credentials.

ssh-certificate <certificate-name>

Set a certificate for PKI authentication of the administrator.

schedule <schedule-name>

Set a schedule for the account.

password-expire

Enter the date and time at which this administrator's password expires. Zero values mean no expiry (the default). Date format is YYYY-MM-DD. Time format is HH:MM:SS. This is available only if config system password-policy is enabled.

force-password-change {enable | disable}

Enable or disable requiring this administrator to change the password at next login. Disabled by default. Disabling this option does not prevent password changes required by a password policy violation or expiry. This is available only if config system password-policy is enabled.

two-factor {disable | fortitoken | email | sms}

Set the two-factor authentication method: a FortiToken (see fortitoken), a code sent to the email-to address, or a code sent by SMS using sms-server and sms-phone. Disabled by default.

email-to <email-address>

Set an email address to use for two-factor authentication.

sms-server <server>

Set the provider used to send SMS messages for two-factor authentication. The list of available providers is configured using config system sms-server.

sms-phone <phone-number>

Set a phone number to use for two-factor authentication.

guest-auth {enable | disable}

Enable to restrict the admin account to guest account provisioning. Disabled by default.

guest-usergroups <group-name>

Set the user group(s) to be used for guest user accounts created by this administrator account. This option only appears when the account is restricted to guest account provisioning.

guest-lang <language>

Select a language to use for the guest management portal.
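As an added example (not part of the Fortinet reference), the following Python script parses show system admin output into the fields documented above and audits each account against the defaults described on this page: with no trusthost entries the account is reachable from any IPv4 address, two-factor is disabled unless set, and wildcard RADIUS lets any account on the RADIUS server log in as that administrator. The sample configuration, account names, token serial and group names are constructed.

```python
"""Audit 'show system admin' output for weak administrator settings.

Added example, not Fortinet code. The parser follows the field names
documented on this page; the sample configuration is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed 'show system admin' output with hypothetical accounts.
# As in real output, settings left at their defaults are not printed.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
    edit "noc-ro"
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 192.0.2.10 255.255.255.255
        set accprofile "super_admin_readonly"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000AA"
    next
    edit "helpdesk"
        set remote-auth enable
        set wildcard enable
        set remote-group "fg-admins"
        set accprofile "prof_admin"
        set trusthost1 10.20.0.0 255.255.0.0
        set vdom "root"
    next
end
"""


@dataclass
class Admin:
    name: str
    settings: dict = field(default_factory=dict)
    trusthosts: list = field(default_factory=list)  # IPv4Network entries


def parse_admins(text):
    """Return one Admin per 'edit ... next' block in the config text."""
    admins, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = Admin(m.group(1))
        elif line == "next" and current is not None:
            admins.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            key, *value = line.split()[1:]
            if re.match(r"trusthost\d+$", key) and len(value) == 2:
                # trusthostN is an address plus netmask (ipv4 classnet)
                net = ipaddress.IPv4Network((value[0], value[1]), strict=False)
                current.trusthosts.append(net)
            else:
                current.settings[key] = " ".join(value).strip('"')
    return admins


def allowed_from(admin, src_ip):
    """True if src_ip passes this account's trusthost check."""
    if not admin.trusthosts:
        return True  # default: any IPv4 address may connect
    ip = ipaddress.IPv4Address(src_ip)
    return any(ip in net for net in admin.trusthosts)


def audit(admin):
    """Findings for one account, based on the defaults documented above."""
    s, findings = admin.settings, []
    if not admin.trusthosts:
        findings.append("no trusthost: reachable from any IPv4 address")
    elif any(n.prefixlen == 0 for n in admin.trusthosts):
        findings.append("trusthost 0.0.0.0/0 is the same as no restriction")
    local_only = s.get("two-factor", "disable") == "disable"
    if local_only and s.get("remote-auth", "disable") == "disable":
        findings.append("local password only, two-factor disabled")
    if s.get("accprofile") == "super_admin" and not admin.trusthosts:
        findings.append("super_admin account without trusthost restriction")
    if s.get("wildcard") == "enable":
        findings.append("wildcard RADIUS: any RADIUS account can log in as this admin")
    return findings


def audit_config(text):
    """Map each admin name to its findings; an empty list means no finding."""
    return {a.name: audit(a) for a in parse_admins(text)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: " + ("OK" if not findings else "; ".join(findings)))
```

Feed it the real output of show system admin (which omits default-valued settings, exactly as the sample does) to list which accounts still rely on the any-address default.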


peer-group <name>

Group name for peer authentication. This option only appears when peer-auth is enabled.

{trusthost1 ... trusthost10} <ip_address>

Set up to ten IPv4 addresses as trusted IPs for authentication.

{ip6-trusthost1 ... ip6-trusthost10} <ip_address>

Set up to ten IPv6 addresses as trusted IPs for authentication.

accprofile <profile-name>

Set the access profile (also known as admin profile) for the account. Access profiles control administrator access to FortiGate features. Two default profiles are available: prof_admin and super_admin.

accprofile-override {enable | disable}

Enable or disable allowing the remote server to override the administrator's access profile. Disabled by default. This option only appears when remote-auth is enabled.

radius-vdom-override {enable | disable}

Enable or disable allowing the remote server to override VDOM access. Only available with wildcard RADIUS authentication. Disabled by default. This option only appears when remote-auth is enabled.

allow-remove-admin-session {enable | disable}

Enable or disable allowing sessions initiated by this administrator to be removed by a privileged administrator. Enabled by default. This field is available for accounts with the super_admin profile.

comments <string>

Add comments.

vdom <vdom-name>

Select the virtual domain(s) that the administrator can access.

{ssh-public-key1 | ssh-public-key2 | ssh-public-key3} <key-type> <key-value>

Set up to three SSH public keys.

ssh-certificate <certificate-name>

Set a certificate for PKI authentication of the administrator.

schedule <schedule-name>

Set a schedule for the account.

password-expire

Enter the date and time that this administrator’s password expires. Enter zero values for no expiry (this is set by default). Date format is YYYY-MM-DD. Time format is HH:MM:SS. This is available only if config system password-policy is enabled.

force-password-change {enable | disable}

Enable or disable requiring this administrator to change password at next login. Disabled by default. Disabling this option does not prevent required password changes due to password policy violation or expiry. This is available only if config system password-policy is enabled.

two-factor {enable | disable}

Enable or disable two-factor authentication. Disabled by default.

email-to <email-address>

Set an email address to use for two-factor authentication.

sms-server <server>

Set the provider to use to send SMS messages for two-factor authentication. The list of available providers is configured using config system sms-server.

sms-phone <phone-number>

Set a phone number to use for two-factor authentication.

guest-auth {enable | disable}

Enable to restrict the admin account to guest account provisioning. Disabled by default.

guest-usergroups <group-name>

Set the user group(s) to be used for guest user accounts created by this administrator account. This option only appears when the account is restricted to guest account provisioning.

guest-lang <language>

Select a language to use for the guest management portal.
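The trusthost, accprofile, remote-auth/wildcard and two-factor options described above decide from where an administrator can log in and with which privileges. As an added example, not Fortinet code, the following Python script parses a constructed "show system admin" dump in the edit/set/next layout shown in this reference and flags accounts that have no trusthost restriction, no two-factor method, or that combine wildcard RADIUS authentication with accprofile-override; the account names, addresses and group name are invented.

```python
# Constructed sample output of 'show system admin' (not captured from a device).
SAMPLE = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.10.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "helpdesk"
        set remote-auth enable
        set wildcard enable
        set remote-group "RADIUS_ADMINS"
        set accprofile "prof_admin"
        set accprofile-override enable
    next
    edit "svc-backup"
        set accprofile "super_admin"
        set comments "runs the nightly backup"
    next
end
"""

def parse_admins(dump):
    """Return {admin name: {option: value}} for each edit block in the dump."""
    admins, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return admins

def audit(admins):
    """Return sorted (admin, finding) pairs for settings a reviewer would flag."""
    findings = []
    for name, opts in admins.items():
        if not any("trusthost" in key for key in opts):  # trusthostN / ip6-trusthostN
            findings.append((name, "no trusthost: login accepted from any address"))
        if opts.get("two-factor", "disable") == "disable":
            findings.append((name, "two-factor disabled"))
        if all(opts.get(k) == "enable"
               for k in ("remote-auth", "wildcard", "accprofile-override")):
            findings.append((name, "wildcard RADIUS account with accprofile-override"))
    return sorted(findings)
```

Running audit(parse_admins(SAMPLE)) reports nothing for "admin" and lists the missing trusthost and two-factor settings for the other two accounts, plus the wildcard/override combination on "helpdesk".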