system admin
Use this command to add, edit, and delete administrator accounts. Administrators can control what data modules appear in the FortiGate unit system dashboard by using the config system admin command. Administrators must have read and write privileges to make dashboard web-based manager modifications.
Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Each administrator account except the default admin must include an access profile. You cannot delete the default super admin account or change its access profile (super_admin). There is also an access profile that grants read-only super admin privileges, super_admin_readonly. Like super_admin, the super_admin_readonly profile cannot be deleted or changed. This read-only super admin profile may be used when it is necessary to troubleshoot a customer configuration without making changes.
You can authenticate administrators using a password stored on the FortiGate unit or you can perform authentication with RADIUS, LDAP, or TACACS+ servers. When you use RADIUS authentication, you can authenticate specific administrators or you can allow any account on the RADIUS server to access the FortiGate unit as an administrator.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description
---|---
config gui-dashboard config widget edit <id> set title <name> next ... | Dashboard widget titles can be modified so that widgets with potentially different filters applied can be easily differentiated. The widget will be given a default title unless a new title is provided.
```
config system admin
    edit {name}
    # Configure admin users.
        set name {string}   User name. size[35]
        set wildcard {enable | disable}   Enable/disable wildcard RADIUS authentication.
        set remote-auth {enable | disable}   Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.
        set remote-group {string}   User group name used for remote auth. size[35]
        set password {password_string}   Admin user password. size[128]
        set peer-auth {enable | disable}   Set to enable peer certificate authentication (for HTTPS admin access).
        set peer-group {string}   Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access). size[35]
        set trusthost1 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost2 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost3 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost4 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost5 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost6 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost7 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost8 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost9 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set trusthost10 {ipv4 classnet}   Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.
        set ip6-trusthost1 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost2 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost3 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost4 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost5 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost6 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost7 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost8 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost9 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set ip6-trusthost10 {ipv6 prefix}   Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.
        set accprofile {string}   Access profile for this administrator. Access profiles control administrator access to FortiGate features. size[35] - datasource(s): system.accprofile.name
        set allow-remove-admin-session {enable | disable}   Enable/disable allow admin session to be removed by privileged admin users.
        set comments {string}   Comment. size[255]
        set hidden {integer}   Admin user hidden attribute. range[0-255]
        config vdom
            edit {name}
            # Virtual domain(s) that the administrator can access.
                set name {string}   Virtual domain name. size[64] - datasource(s): system.vdom.name
            next
        set ssh-public-key1 {string}   Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
        set ssh-public-key2 {string}   Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
        set ssh-public-key3 {string}   Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.
        set ssh-certificate {string}   Select the certificate to be used by the FortiGate for authentication with an SSH client. size[35] - datasource(s): certificate.local.name
        set schedule {string}   Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions. size[35]
        set accprofile-override {enable | disable}   Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.
        set radius-vdom-override {enable | disable}   Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.
        set password-expire {string}   Password expire time.
        set force-password-change {enable | disable}   Enable/disable force password change on next login.
        config gui-dashboard
            edit {id}
            # GUI dashboards.
                set id {integer}   Dashboard ID. range[0-4294967295]
                set name {string}   Dashboard name. size[35]
                set scope {global | vdom}   Dashboard scope.
                        global  Global.
                        vdom    VDOM.
                set layout-type {responsive | fixed}   Layout type.
                        responsive  Responsive.
                        fixed       Fixed grid.
                set columns {integer}   Number of columns. range[5-20]
                config widget
                    edit {id}
                    # Dashboard widgets.
                        set id {integer}   Widget ID. range[0-4294967295]
                        set type {option}   Widget type.
                                sysinfo                  System Information.
                                licinfo                  License Information.
                                forticloud               FortiCloud Licenses.
                                cpu-usage                CPU Usage.
                                memory-usage             Memory Usage.
                                disk-usage               Disk Usage.
                                log-rate                 Session Rate.
                                sessions                 Sessions.
                                session-rate             Session Rate.
                                tr-history               Traffic History.
                                analytics                FortiGuard Analytics.
                                usb-modem                USB Modem.
                                admins                   Administrators.
                                security-fabric          Security Fabric.
                                security-fabric-ranking  Security Fabric Ranking.
                                sensor-info              Sensor Information.
                                ha-status                HA Status.
                                vulnerability-summary    Vulnerability Summary.
                                host-scan-summary        Host Scan Summary.
                                fortiview                FortiView.
                                botnet-activity          Botnet Activity.
                                fortimail                FortiMail.
                        set x-pos {integer}   X position. range[0-1000]
                        set y-pos {integer}   Y position. range[0-1000]
                        set width {integer}   Width. range[1-50]
                        set height {integer}   Height. range[1-50]
                        set interface {string}   Interface to monitor. size[15] - datasource(s): system.interface.name
                        set region {default | custom}   Security Audit Rating region.
                                default  All regions.
                                custom   FortiGate region.
                        set industry {default | custom}   Security Audit Rating industry.
                                default  All industries.
                                custom   FortiCare industry.
                        set fabric-device {string}   Fabric device to monitor. size[127]
                        set title {string}   Widget title. size[127]
                        set fortiview-type {string}   FortiView type. size[35]
                        set fortiview-sort-by {string}   FortiView sort by. size[35]
                        set fortiview-timeframe {string}   FortiView timeframe. size[35]
                        set fortiview-visualization {string}   FortiView visualization. size[35]
                        config fortiview-filters
                            edit {id}
                            # FortiView filters.
                                set id {integer}   FortiView Filter ID. range[0-4294967295]
                                set key {string}   Filter key. size[127]
                                set value {string}   Filter value. size[127]
                            next
                    next
            next
        set two-factor {disable | fortitoken | email | sms}   Enable/disable two-factor authentication.
                disable     Disable two-factor authentication.
                fortitoken  Use FortiToken or FortiToken mobile two-factor authentication.
                email       Send a two-factor authentication code to the configured email-to email address.
                sms         Send a two-factor authentication code to the configured sms-server and sms-phone.
        set fortitoken {string}   This administrator's FortiToken serial number. size[16]
        set email-to {string}   This administrator's email address. size[63]
        set sms-server {fortiguard | custom}   Send SMS messages using the FortiGuard SMS server or a custom server.
                fortiguard  Send SMS by FortiGuard.
                custom      Send SMS by custom server.
        set sms-custom-server {string}   Custom SMS server to send SMS messages to. size[35] - datasource(s): system.sms-server.name
        set sms-phone {string}   Phone number on which the administrator receives SMS messages. size[15]
        set guest-auth {disable | enable}   Enable/disable guest authentication.
        config guest-usergroups
            edit {name}
            # Select guest user groups.
                set name {string}   Select guest user groups. size[64]
            next
        set guest-lang {string}   Guest management portal language. size[35] - datasource(s): system.custom-language.name
        set history0 {password_string}   history0 size[128]
        set history1 {password_string}   history1 size[128]
        config login-time
            edit {usr-name}
            # Record user login time.
                set usr-name {string}   User name. size[35]
                set last-login {datetime}   Last successful login time.
                set last-failed-login {datetime}   Last failed login time.
            next
        config gui-global-menu-favorites
            edit {id}
            # Favorite GUI menu IDs for the global VDOM.
                set id {string}   Select menu ID. size[64]
            next
        config gui-vdom-menu-favorites
            edit {id}
            # Favorite GUI menu IDs for VDOMs.
                set id {string}   Select menu ID. size[64]
            next
    next
end
```
remote-auth {enable | disable}
Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server. Disabled by default.
wildcard {enable | disable}
Enable or disable wildcard RADIUS authentication. Disabled by default. This option only appears when remote-auth is enabled.
remote-group <name>
Group name used for remote authentication. This option only appears when remote-auth is enabled.
password <string>
Set the password for the administrator account.
peer-auth {enable | disable}
Enable or disable peer authentication. Disabled by default.
peer-group <name>
Group name for peer authentication. This option only appears when peer-auth is enabled.
{trusthost1 ... trusthost10} <ip_address>
Set up to ten IPv4 addresses or subnets (address and netmask) from which this administrator is allowed to connect. By default, access is allowed from any IPv4 address.
{ip6-trusthost1 ... ip6-trusthost10} <ip_address>
Set up to ten IPv6 addresses or prefixes from which this administrator is allowed to connect. By default, access is allowed from any IPv6 address.
accprofile <profile-name>
Set the access profile (also known as admin profile) for the account. Access profiles control administrator access to FortiGate features. Two default profiles are available: prof_admin and super_admin.
accprofile-override {enable | disable}
Enable or disable allowing the remote server to override the administrator's access profile. Disabled by default. This option only appears when remote-auth is enabled.
radius-vdom-override {enable | disable}
Enable or disable allowing the remote server to override VDOM access. Only available with wildcard RADIUS authentication. Disabled by default. This option only appears when remote-auth is enabled.
allow-remove-admin-session {enable | disable}
Enable or disable allowing sessions initiated by this administrator to be removed by a privileged administrator. Enabled by default. This field is available for accounts with the super_admin profile.
comments <string>
Add comments.
vdom <vdom-name>
Select the virtual domain(s) that the administrator can access.
{ssh-public-key1 | ssh-public-key2 | ssh-public-key3} <key-type> <key-value>
Set up to three SSH public keys. A client presenting a matching key is authenticated without being asked for credentials; create the public-private key pair in the SSH client application.
ssh-certificate <certificate-name>
Set a certificate for PKI authentication of the administrator.
schedule <schedule-name>
Set a schedule for the account.
password-expire
Enter the date and time that this administrator's password expires. Enter zero values for no expiry (this is set by default). Date format is YYYY-MM-DD. Time format is HH:MM:SS. This is available only if config system password-policy is enabled.
force-password-change {enable | disable}
Enable or disable requiring this administrator to change password at next login. Disabled by default. Disabling this option does not prevent required password changes due to password policy violation or expiry. This is available only if config system password-policy is enabled.
two-factor {disable | fortitoken | email | sms}
Set the two-factor authentication method for this administrator: a FortiToken or FortiToken Mobile, a code sent to the email-to address, or a code sent by SMS to the sms-phone number through the configured sms-server. Disabled by default.
email-to <email-address>
Set an email address to use for two-factor authentication.
sms-server <server>
Set the provider to use to send SMS messages for two-factor authentication. The list of available providers is configured using config system sms-server.
sms-phone <phone-number>
Set a phone number to use for two-factor authentication.
guest-auth {enable | disable}
Enable to restrict the admin account to guest account provisioning. Disabled by default.
guest-usergroups <group-name>
Set the user group(s) to be used for guest user accounts created by this administrator account. This option only appears when the account is restricted to guest account provisioning.
guest-lang <language>
Select a language to use for the guest management portal.
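As an added example (not Fortinet's code), the following Python script parses a constructed `config system admin` block written in the syntax documented above and flags the defaults this reference calls out for the trusthost, two-factor and wildcard settings: accounts with no trusthost (login allowed from any address), two-factor left disabled, and wildcard RADIUS authentication. The account names and addresses in the sample are made up.

```python
"""Audit a FortiOS `config system admin` block for weak defaults. Added example, not
Fortinet's code; SAMPLE is a constructed config with made-up names and addresses."""
import shlex

SAMPLE = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        config vdom
            edit "root"
            next
        end
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set remote-auth enable
        set wildcard enable
    next
end
"""

def parse_admins(text):
    """Return {account: {setting: [values]}}; text must start at `config system admin`."""
    admins, current, depth = {}, None, 0
    # shlex.split drops the quotes FortiOS puts around names; filter skips blank lines
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        if tokens[0] in ("config", "edit"):  # both open a nesting level
            depth += 1
            if tokens[0] == "edit" and depth == 2:  # depth 2 = one admin account
                current, admins[tokens[1]] = tokens[1], {}
        elif tokens[0] in ("next", "end"):
            depth -= 1
        elif tokens[0] == "set" and depth == 2:  # nested vdom/dashboard blocks skipped
            admins[current][tokens[1]] = tokens[2:]
    return admins

def audit(text):
    """Return {account: [finding, ...]} using the defaults the reference states."""
    findings = {}
    for name, s in parse_admins(text).items():
        has_trust = any(k.startswith(("trusthost", "ip6-trusthost")) for k in s)
        wildcard = s.get("remote-auth") == ["enable"] and s.get("wildcard") == ["enable"]
        findings[name] = [msg for bad, msg in (
            (not has_trust, "no trusthost: login allowed from any source address"),
            (s.get("two-factor", ["disable"]) == ["disable"], "two-factor disabled"),
            (wildcard, "wildcard RADIUS: any account on the server is an administrator"),
        ) if bad]
    return findings
```

Feed it the output of `show system admin` from a backup to review every account at once; an empty list for an account means none of the three checks fired.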