Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

Configure admin users.

  config system admin
      Description: Configure admin users.
      edit <name>
          set wildcard [enable|disable]
          set remote-auth [enable|disable]
          set remote-group {string}
          set password {password-2}
          set peer-auth [enable|disable]
          set peer-group {string}
          set trusthost1 {ipv4-classnet}
          set trusthost2 {ipv4-classnet}
          set trusthost3 {ipv4-classnet}
          set trusthost4 {ipv4-classnet}
          set trusthost5 {ipv4-classnet}
          set trusthost6 {ipv4-classnet}
          set trusthost7 {ipv4-classnet}
          set trusthost8 {ipv4-classnet}
          set trusthost9 {ipv4-classnet}
          set trusthost10 {ipv4-classnet}
          set ip6-trusthost1 {ipv6-prefix}
          set ip6-trusthost2 {ipv6-prefix}
          set ip6-trusthost3 {ipv6-prefix}
          set ip6-trusthost4 {ipv6-prefix}
          set ip6-trusthost5 {ipv6-prefix}
          set ip6-trusthost6 {ipv6-prefix}
          set ip6-trusthost7 {ipv6-prefix}
          set ip6-trusthost8 {ipv6-prefix}
          set ip6-trusthost9 {ipv6-prefix}
          set ip6-trusthost10 {ipv6-prefix}
          set accprofile {string}
          set allow-remove-admin-session [enable|disable]
          set comments {var-string}
          set vdom <name1>, <name2>, ...
          set ssh-public-key1 {user}
          set ssh-public-key2 {user}
          set ssh-public-key3 {user}
          set ssh-certificate {string}
          set schedule {string}
          set accprofile-override [enable|disable]
          set radius-vdom-override [enable|disable]
          set password-expire {user}
          set force-password-change [enable|disable]
          set two-factor [disable|fortitoken|...]
          set fortitoken {string}
          set email-to {string}
          set sms-server [fortiguard|custom]
          set sms-custom-server {string}
          set sms-phone {string}
          set guest-auth [disable|enable]
          set guest-usergroups <name1>, <name2>, ...
          set guest-lang {string}
      next
  end

config system admin

Parameter Name Description Type Size
wildcard Enable/disable wildcard RADIUS authentication.
enable: Enable username wildcard.
disable: Disable username wildcard.
option -
remote-auth Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.
enable: Enable remote authentication.
disable: Disable remote authentication.
option -
remote-group User group name used for remote auth. string Maximum length: 35
password Admin user password. password-2 Not Specified
peer-auth Set to enable peer certificate authentication (for HTTPS admin access).
enable: Enable peer.
disable: Disable peer.
option -
peer-group Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access). string Maximum length: 35
trusthost1 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost2 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost3 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost4 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost5 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost6 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost7 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost8 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost9 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost10 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
ip6-trusthost1 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost2 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost3 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost4 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost5 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost6 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost7 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost8 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost9 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost10 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
accprofile Access profile for this administrator. Access profiles control administrator access to FortiGate features. string Maximum length: 35
allow-remove-admin-session Enable/disable allow admin session to be removed by privileged admin users.
enable: Enable allow-remove option.
disable: Disable allow-remove option.
option -
comments Comment. var-string Maximum length: 255
vdom <name> Virtual domain(s) that the administrator can access.
Virtual domain name.
string Maximum length: 79
ssh-public-key1 Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. user Not Specified
ssh-public-key2 Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. user Not Specified
ssh-public-key3 Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. user Not Specified
ssh-certificate Select the certificate to be used by the FortiGate for authentication with an SSH client. string Maximum length: 35
schedule Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions. string Maximum length: 35
accprofile-override Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.
enable: Enable access profile override.
disable: Disable access profile override.
option -
radius-vdom-override Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.
enable: Enable VDOM override.
disable: Disable VDOM override.
option -
password-expire Password expire time. user Not Specified
force-password-change Enable/disable force password change on next login.
enable: Enable force password change on next login.
disable: Disable force password change on next login.
option -
two-factor Enable/disable two-factor authentication.
disable: Disable two-factor authentication.
fortitoken: Use FortiToken or FortiToken mobile two-factor authentication.
email: Send a two-factor authentication code to the configured email-to email address.
sms: Send a two-factor authentication code to the configured sms-server and sms-phone.
fortitoken-cloud: FortiToken Cloud Service.
option -
fortitoken This administrator's FortiToken serial number. string Maximum length: 16
email-to This administrator's email address. string Maximum length: 63
sms-server Send SMS messages using the FortiGuard SMS server or a custom server.
fortiguard: Send SMS by FortiGuard.
custom: Send SMS by custom server.
option -
sms-custom-server Custom SMS server to send SMS messages to. string Maximum length: 35
sms-phone Phone number on which the administrator receives SMS messages. string Maximum length: 15
guest-auth Enable/disable guest authentication.
disable: Disable guest authentication.
enable: Enable guest authentication.
option -
guest-usergroups <name> Select guest user groups.
Select guest user groups.
string Maximum length: 79
guest-lang Guest management portal language. string Maximum length: 35

Configure admin users.

  config system admin
      Description: Configure admin users.
      edit <name>
          set wildcard [enable|disable]
          set remote-auth [enable|disable]
          set remote-group {string}
          set password {password-2}
          set peer-auth [enable|disable]
          set peer-group {string}
          set trusthost1 {ipv4-classnet}
          set trusthost2 {ipv4-classnet}
          set trusthost3 {ipv4-classnet}
          set trusthost4 {ipv4-classnet}
          set trusthost5 {ipv4-classnet}
          set trusthost6 {ipv4-classnet}
          set trusthost7 {ipv4-classnet}
          set trusthost8 {ipv4-classnet}
          set trusthost9 {ipv4-classnet}
          set trusthost10 {ipv4-classnet}
          set ip6-trusthost1 {ipv6-prefix}
          set ip6-trusthost2 {ipv6-prefix}
          set ip6-trusthost3 {ipv6-prefix}
          set ip6-trusthost4 {ipv6-prefix}
          set ip6-trusthost5 {ipv6-prefix}
          set ip6-trusthost6 {ipv6-prefix}
          set ip6-trusthost7 {ipv6-prefix}
          set ip6-trusthost8 {ipv6-prefix}
          set ip6-trusthost9 {ipv6-prefix}
          set ip6-trusthost10 {ipv6-prefix}
          set accprofile {string}
          set allow-remove-admin-session [enable|disable]
          set comments {var-string}
          set vdom <name1>, <name2>, ...
          set ssh-public-key1 {user}
          set ssh-public-key2 {user}
          set ssh-public-key3 {user}
          set ssh-certificate {string}
          set schedule {string}
          set accprofile-override [enable|disable]
          set radius-vdom-override [enable|disable]
          set password-expire {user}
          set force-password-change [enable|disable]
          set two-factor [disable|fortitoken|...]
          set fortitoken {string}
          set email-to {string}
          set sms-server [fortiguard|custom]
          set sms-custom-server {string}
          set sms-phone {string}
          set guest-auth [disable|enable]
          set guest-usergroups <name1>, <name2>, ...
          set guest-lang {string}
      next
  end

config system admin

Parameter Name Description Type Size
wildcard Enable/disable wildcard RADIUS authentication.
enable: Enable username wildcard.
disable: Disable username wildcard.
option -
remote-auth Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.
enable: Enable remote authentication.
disable: Disable remote authentication.
option -
remote-group User group name used for remote auth. string Maximum length: 35
password Admin user password. password-2 Not Specified
peer-auth Set to enable peer certificate authentication (for HTTPS admin access).
enable: Enable peer.
disable: Disable peer.
option -
peer-group Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access). string Maximum length: 35
trusthost1 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost2 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost3 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost4 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost5 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost6 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost7 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost8 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost9 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
trusthost10 Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. ipv4-classnet Not Specified
ip6-trusthost1 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost2 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost3 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost4 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost5 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost6 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost7 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost8 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost9 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
ip6-trusthost10 Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. ipv6-prefix Not Specified
accprofile Access profile for this administrator. Access profiles control administrator access to FortiGate features. string Maximum length: 35
allow-remove-admin-session Enable/disable allow admin session to be removed by privileged admin users.
enable: Enable allow-remove option.
disable: Disable allow-remove option.
option -
comments Comment. var-string Maximum length: 255
vdom <name> Virtual domain(s) that the administrator can access.
Virtual domain name.
string Maximum length: 79
ssh-public-key1 Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. user Not Specified
ssh-public-key2 Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. user Not Specified
ssh-public-key3 Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. user Not Specified
ssh-certificate Select the certificate to be used by the FortiGate for authentication with an SSH client. string Maximum length: 35
schedule Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions. string Maximum length: 35
accprofile-override Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.
enable: Enable access profile override.
disable: Disable access profile override.
option -
radius-vdom-override Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.
enable: Enable VDOM override.
disable: Disable VDOM override.
option -
password-expire Password expire time. user Not Specified
force-password-change Enable/disable force password change on next login.
enable: Enable force password change on next login.
disable: Disable force password change on next login.
option -
two-factor Enable/disable two-factor authentication.
disable: Disable two-factor authentication.
fortitoken: Use FortiToken or FortiToken mobile two-factor authentication.
email: Send a two-factor authentication code to the configured email-to email address.
sms: Send a two-factor authentication code to the configured sms-server and sms-phone.
fortitoken-cloud: FortiToken Cloud Service.
option -
fortitoken This administrator's FortiToken serial number. string Maximum length: 16
email-to This administrator's email address. string Maximum length: 63
sms-server Send SMS messages using the FortiGuard SMS server or a custom server.
fortiguard: Send SMS by FortiGuard.
custom: Send SMS by custom server.
option -
sms-custom-server Custom SMS server to send SMS messages to. string Maximum length: 35
sms-phone Phone number on which the administrator receives SMS messages. string Maximum length: 15
guest-auth Enable/disable guest authentication.
disable: Disable guest authentication.
enable: Enable guest authentication.
option -
guest-usergroups <name> Select guest user groups.
Select guest user groups.
string Maximum length: 79
guest-lang Guest management portal language. string Maximum length: 35