
CLI Reference

config system admin

Description: Configure admin users.

config system admin
    edit <name>
        set wildcard [enable|disable]
        set remote-auth [enable|disable]
        set remote-group {string}
        set password {password-2}
        set peer-auth [enable|disable]
        set peer-group {string}
        set trusthost1 {ipv4-classnet}
        set trusthost2 {ipv4-classnet}
        set trusthost3 {ipv4-classnet}
        set trusthost4 {ipv4-classnet}
        set trusthost5 {ipv4-classnet}
        set trusthost6 {ipv4-classnet}
        set trusthost7 {ipv4-classnet}
        set trusthost8 {ipv4-classnet}
        set trusthost9 {ipv4-classnet}
        set trusthost10 {ipv4-classnet}
        set ip6-trusthost1 {ipv6-prefix}
        set ip6-trusthost2 {ipv6-prefix}
        set ip6-trusthost3 {ipv6-prefix}
        set ip6-trusthost4 {ipv6-prefix}
        set ip6-trusthost5 {ipv6-prefix}
        set ip6-trusthost6 {ipv6-prefix}
        set ip6-trusthost7 {ipv6-prefix}
        set ip6-trusthost8 {ipv6-prefix}
        set ip6-trusthost9 {ipv6-prefix}
        set ip6-trusthost10 {ipv6-prefix}
        set accprofile {string}
        set allow-remove-admin-session [enable|disable]
        set comments {var-string}
        set vdom <name1>, <name2>, ...
        set ssh-public-key1 {user}
        set ssh-public-key2 {user}
        set ssh-public-key3 {user}
        set ssh-certificate {string}
        set schedule {string}
        set accprofile-override [enable|disable]
        set radius-vdom-override [enable|disable]
        set password-expire {user}
        set force-password-change [enable|disable]
        set two-factor [disable|fortitoken|...]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-notification [email|sms]
        set fortitoken {string}
        set email-to {string}
        set sms-server [fortiguard|custom]
        set sms-custom-server {string}
        set sms-phone {string}
        set guest-auth [disable|enable]
        set guest-usergroups <name1>, <name2>, ...
        set guest-lang {string}
    next
end

config system admin

| Parameter | Description | Type | Size |
|---|---|---|---|
| wildcard | Enable/disable wildcard RADIUS authentication. Options: `enable` = Enable username wildcard; `disable` = Disable username wildcard. | option | - |
| remote-auth | Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server. Options: `enable` = Enable remote authentication; `disable` = Disable remote authentication. | option | - |
| remote-group | User group name used for remote auth. | string | Not Specified |
| password | Admin user password. | password-2 | Not Specified |
| peer-auth | Set to enable peer certificate authentication (for HTTPS admin access). Options: `enable` = Enable peer; `disable` = Disable peer. | option | - |
| peer-group | Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access). | string | Not Specified |
| trusthost1 to trusthost10 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
| ip6-trusthost1 to ip6-trusthost10 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
| accprofile | Access profile for this administrator. Access profiles control administrator access to FortiGate features. | string | Not Specified |
| allow-remove-admin-session | Enable/disable allow admin session to be removed by privileged admin users. Options: `enable` = Enable allow-remove option; `disable` = Disable allow-remove option. | option | - |
| comments | Comment. | var-string | Not Specified |
| vdom `<name>` | Virtual domain(s) that the administrator can access. `<name>`: virtual domain name. | string | Maximum length: 79 |
| ssh-public-key1 to ssh-public-key3 | Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. | user | Not Specified |
| ssh-certificate | Select the certificate to be used by the FortiGate for authentication with an SSH client. | string | Not Specified |
| schedule | Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions. | string | Not Specified |
| accprofile-override | Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access. Options: `enable` = Enable access profile override; `disable` = Disable access profile override. | option | - |
| radius-vdom-override | Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access. Options: `enable` = Enable VDOM override; `disable` = Disable VDOM override. | option | - |
| password-expire | Password expire time. | user | Not Specified |
| force-password-change | Enable/disable force password change on next login. Options: `enable` = Enable force password change on next login; `disable` = Disable force password change on next login. | option | - |
| two-factor | Enable/disable two-factor authentication. Options: `disable` = Disable two-factor authentication; `fortitoken` = Use FortiToken or FortiToken Mobile two-factor authentication; `fortitoken-cloud` = FortiToken Cloud Service; `email` = Send a two-factor authentication code to the configured email-to email address; `sms` = Send a two-factor authentication code to the configured sms-server and sms-phone. | option | - |
| two-factor-authentication | Authentication method by FortiToken Cloud. Options: `fortitoken` = FortiToken authentication; `email` = Email one-time password; `sms` = SMS one-time password. | option | - |
| two-factor-notification | Notification method for user activation by FortiToken Cloud. Options: `email` = Email notification for activation code; `sms` = SMS notification for activation code. | option | - |
| fortitoken | This administrator's FortiToken serial number. | string | Not Specified |
| email-to | This administrator's email address. | string | Not Specified |
| sms-server | Send SMS messages using the FortiGuard SMS server or a custom server. Options: `fortiguard` = Send SMS by FortiGuard; `custom` = Send SMS by custom server. | option | - |
| sms-custom-server | Custom SMS server to send SMS messages to. | string | Not Specified |
| sms-phone | Phone number on which the administrator receives SMS messages. | string | Not Specified |
| guest-auth | Enable/disable guest authentication. Options: `disable` = Disable guest authentication; `enable` = Enable guest authentication. | option | - |
| guest-usergroups `<name>` | Select guest user groups. `<name>`: guest user group. | string | Maximum length: 79 |
| guest-lang | Guest management portal language. | string | Not Specified |
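The following is an added example, not Fortinet code and not part of this reference. It parses a `config system admin` stanza written in the syntax documented above and audits each administrator against the settings this page describes: the trusthost and ip6-trusthost entries (reporting, per address family, the documented default of access from any address, as well as an explicit zero-length prefix), two-factor, wildcard, and the access profile. The sample stanza, its admin names, addresses, key and serial strings are constructed placeholders; `super_admin` and `prof_admin` are assumed to be the built-in access profile names. It also assumes that an ipv4-classnet value may be written either as "address netmask" or as "address/prefix" and that an ipv6-prefix is written as "prefix/length". Because the checks follow the page's stated per-family defaults, an admin restricted only by IPv4 trusthosts is still reported as reachable from any IPv6 address.

```python
"""Added example (not Fortinet code): parse a `config system admin` stanza in the
syntax documented above and audit each administrator's settings."""
import ipaddress
import re
import shlex

# Constructed sample input; names, addresses, key and serial are placeholders.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.5.0 255.255.255.0
        set trusthost2 192.168.100.10 255.255.255.255
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER-SERIAL"
    next
    edit "ops-ssh"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-ed25519 AAAA-PLACEHOLDER-NOT-A-REAL-KEY"
        set trusthost1 0.0.0.0 0.0.0.0
        set ip6-trusthost1 2001:db8:10::/64
    next
    edit "radius-ops"
        set remote-auth enable
        set remote-group "netops"
        set wildcard enable
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 10.0.5.0/24
        set ip6-trusthost1 2001:db8:10::/64
        set two-factor disable
    next
end
"""
TRUSTHOST_RE = re.compile(r"(ip6-)?trusthost\d+")

def parse_system_admin(text):
    """Parse the stanza into {admin_name: {setting: [value tokens]}}.
    `edit <name>` opens an entry, `next` closes it; quotes are stripped."""
    admins, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            admins[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            admins[current][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
    return admins

def trusthost_network(tokens):
    """"addr netmask", "addr/prefix" or a bare address -> ip_network."""
    spec = "/".join(tokens) if len(tokens) == 2 else tokens[0]
    return ipaddress.ip_network(spec, strict=False)

def trusted_networks(settings):
    """Return (ipv4_networks, ipv6_networks) set on one admin entry."""
    v4, v6 = [], []
    for key, tokens in settings.items():
        if TRUSTHOST_RE.fullmatch(key):
            net = trusthost_network(tokens)
            (v6 if net.version == 6 else v4).append(net)
    return v4, v6

def is_source_trusted(settings, source):
    """True if `source` may reach the FortiGate as this admin. Per the
    reference's defaults, a family with no trusthost entry allows any address."""
    addr = ipaddress.ip_address(source)
    nets = trusted_networks(settings)[1 if addr.version == 6 else 0]
    return not nets or any(addr in n for n in nets)

def audit_admin(settings):
    """Findings for one admin entry, based on the settings documented above."""
    findings = []
    v4, v6 = trusted_networks(settings)
    if not v4 or any(n.prefixlen == 0 for n in v4):
        findings.append("management access allowed from any IPv4 address")
    if not v6 or any(n.prefixlen == 0 for n in v6):
        findings.append("management access allowed from any IPv6 address")
    if settings.get("two-factor", ["disable"])[0] == "disable":
        findings.append("two-factor authentication disabled")
    if settings.get("wildcard", ["disable"])[0] == "enable":
        findings.append("wildcard remote authentication enabled")
    if settings.get("accprofile", [""])[0] == "super_admin":
        findings.append("info: super_admin access profile")
    return findings

def audit_config(text):
    """Audit every admin in the stanza: {admin_name: [findings]}."""
    return {n: audit_admin(s) for n, s in parse_system_admin(text).items()}

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(findings) or "no findings")
```

Run it against the output of `show system admin` taken from a unit (the parser only needs the `edit`/`set`/`next` lines) and review each reported admin; `is_source_trusted` answers the narrower question of whether a given management source address would be accepted for one account under the configured trusthost entries.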
