Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config system admin

Configure admin users.

config system admin

Description: Configure admin users.

edit <name>

set wildcard [enable|disable]

set remote-auth [enable|disable]

set remote-group {string}

set password {password-2}

set peer-auth [enable|disable]

set peer-group {string}

set trusthost1 {ipv4-classnet}

set trusthost2 {ipv4-classnet}

set trusthost3 {ipv4-classnet}

set trusthost4 {ipv4-classnet}

set trusthost5 {ipv4-classnet}

set trusthost6 {ipv4-classnet}

set trusthost7 {ipv4-classnet}

set trusthost8 {ipv4-classnet}

set trusthost9 {ipv4-classnet}

set trusthost10 {ipv4-classnet}

set ip6-trusthost1 {ipv6-prefix}

set ip6-trusthost2 {ipv6-prefix}

set ip6-trusthost3 {ipv6-prefix}

set ip6-trusthost4 {ipv6-prefix}

set ip6-trusthost5 {ipv6-prefix}

set ip6-trusthost6 {ipv6-prefix}

set ip6-trusthost7 {ipv6-prefix}

set ip6-trusthost8 {ipv6-prefix}

set ip6-trusthost9 {ipv6-prefix}

set ip6-trusthost10 {ipv6-prefix}

set accprofile {string}

set allow-remove-admin-session [enable|disable]

set comments {var-string}

set vdom <name1>, <name2>, ...

set ssh-public-key1 {user}

set ssh-public-key2 {user}

set ssh-public-key3 {user}

set ssh-certificate {string}

set schedule {string}

set accprofile-override [enable|disable]

set radius-vdom-override [enable|disable]

set password-expire {user}

set force-password-change [enable|disable]

set two-factor [disable|fortitoken|...]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set fortitoken {string}

set email-to {string}

set sms-server [fortiguard|custom]

set sms-custom-server {string}

set sms-phone {string}

set guest-auth [disable|enable]

set guest-usergroups <name1>, <name2>, ...

set guest-lang {string}

next

end

config system admin

Parameter

Description

Type

Size

wildcard

Enable/disable wildcard RADIUS authentication.

option

-

 

Option

Description

enable

Enable username wildcard.

disable

Disable username wildcard.

remote-auth

Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.

option

-

 

Option

Description

enable

Enable remote authentication.

disable

Disable remote authentication.

remote-group

User group name used for remote auth.

string

Maximum length: 35

password

Admin user password.

password-2

Not Specified

peer-auth

Set to enable peer certificate authentication (for HTTPS admin access).

option

-

 

Option

Description

enable

Enable peer.

disable

Disable peer.

peer-group

Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).

string

Maximum length: 35

trusthost1

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost2

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost3

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost4

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost5

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost6

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost7

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost8

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost9

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost10

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

ip6-trusthost1

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost2

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost3

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost4

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost5

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost6

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost7

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost8

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost9

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost10

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

accprofile

Access profile for this administrator. Access profiles control administrator access to FortiGate features.

string

Maximum length: 35

allow-remove-admin-session

Enable/disable allow admin session to be removed by privileged admin users.

option

-

 

Option

Description

enable

Enable allow-remove option.

disable

Disable allow-remove option.

comments

Comment.

var-string

Maximum length: 255

vdom <name>

Virtual domain(s) that the administrator can access.

Virtual domain name.

string

Maximum length: 79

ssh-public-key1

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key2

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key3

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-certificate

Select the certificate to be used by the FortiGate for authentication with an SSH client.

string

Maximum length: 35

schedule

Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

string

Maximum length: 35

accprofile-override

Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.

option

-

 

Option

Description

enable

Enable access profile override.

disable

Disable access profile override.

radius-vdom-override

Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.

option

-

 

Option

Description

enable

Enable VDOM override.

disable

Disable VDOM override.

password-expire

Password expire time.

user

Not Specified

force-password-change

Enable/disable force password change on next login.

option

-

 

Option

Description

enable

Enable force password change on next login.

disable

Disable force password change on next login.

two-factor

Enable/disable two-factor authentication.

option

-

 

Option

Description

disable

Disable two-factor authentication.

fortitoken

Use FortiToken or FortiToken mobile two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

email

Send a two-factor authentication code to the configured email-to email address.

sms

Send a two-factor authentication code to the configured sms-server and sms-phone.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

 

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

 

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

fortitoken

This administrator's FortiToken serial number.

string

Maximum length: 16

email-to

This administrator's email address.

string

Maximum length: 63

sms-server

Send SMS messages using the FortiGuard SMS server or a custom server.

option

-

 

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Custom SMS server to send SMS messages to.

string

Maximum length: 35

sms-phone

Phone number on which the administrator receives SMS messages.

string

Maximum length: 15

guest-auth

Enable/disable guest authentication.

option

-

 

Option

Description

disable

Disable guest authentication.

enable

Enable guest authentication.

guest-usergroups <name>

Select guest user groups.

Select guest user groups.

string

Maximum length: 79

guest-lang

Guest management portal language.

string

Maximum length: 35

config system admin

Configure admin users.

config system admin

Description: Configure admin users.

edit <name>

set wildcard [enable|disable]

set remote-auth [enable|disable]

set remote-group {string}

set password {password-2}

set peer-auth [enable|disable]

set peer-group {string}

set trusthost1 {ipv4-classnet}

set trusthost2 {ipv4-classnet}

set trusthost3 {ipv4-classnet}

set trusthost4 {ipv4-classnet}

set trusthost5 {ipv4-classnet}

set trusthost6 {ipv4-classnet}

set trusthost7 {ipv4-classnet}

set trusthost8 {ipv4-classnet}

set trusthost9 {ipv4-classnet}

set trusthost10 {ipv4-classnet}

set ip6-trusthost1 {ipv6-prefix}

set ip6-trusthost2 {ipv6-prefix}

set ip6-trusthost3 {ipv6-prefix}

set ip6-trusthost4 {ipv6-prefix}

set ip6-trusthost5 {ipv6-prefix}

set ip6-trusthost6 {ipv6-prefix}

set ip6-trusthost7 {ipv6-prefix}

set ip6-trusthost8 {ipv6-prefix}

set ip6-trusthost9 {ipv6-prefix}

set ip6-trusthost10 {ipv6-prefix}

set accprofile {string}

set allow-remove-admin-session [enable|disable]

set comments {var-string}

set vdom <name1>, <name2>, ...

set ssh-public-key1 {user}

set ssh-public-key2 {user}

set ssh-public-key3 {user}

set ssh-certificate {string}

set schedule {string}

set accprofile-override [enable|disable]

set radius-vdom-override [enable|disable]

set password-expire {user}

set force-password-change [enable|disable]

set two-factor [disable|fortitoken|...]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set fortitoken {string}

set email-to {string}

set sms-server [fortiguard|custom]

set sms-custom-server {string}

set sms-phone {string}

set guest-auth [disable|enable]

set guest-usergroups <name1>, <name2>, ...

set guest-lang {string}

next

end

config system admin

Parameter

Description

Type

Size

wildcard

Enable/disable wildcard RADIUS authentication.

option

-

 

Option

Description

enable

Enable username wildcard.

disable

Disable username wildcard.

remote-auth

Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.

option

-

 

Option

Description

enable

Enable remote authentication.

disable

Disable remote authentication.

remote-group

User group name used for remote auth.

string

Maximum length: 35

password

Admin user password.

password-2

Not Specified

peer-auth

Set to enable peer certificate authentication (for HTTPS admin access).

option

-

 

Option

Description

enable

Enable peer.

disable

Disable peer.

peer-group

Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).

string

Maximum length: 35

trusthost1

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost2

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost3

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost4

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost5

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost6

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost7

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost8

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost9

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost10

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

ip6-trusthost1

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost2

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost3

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost4

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost5

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost6

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost7

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost8

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost9

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost10

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

accprofile

Access profile for this administrator. Access profiles control administrator access to FortiGate features.

string

Maximum length: 35

allow-remove-admin-session

Enable/disable allow admin session to be removed by privileged admin users.

option

-

 

Option

Description

enable

Enable allow-remove option.

disable

Disable allow-remove option.

comments

Comment.

var-string

Maximum length: 255

vdom <name>

Virtual domain(s) that the administrator can access.

Virtual domain name.

string

Maximum length: 79

ssh-public-key1

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key2

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key3

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-certificate

Select the certificate to be used by the FortiGate for authentication with an SSH client.

string

Maximum length: 35

schedule

Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

string

Maximum length: 35

accprofile-override

Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.

option

-

 

Option

Description

enable

Enable access profile override.

disable

Disable access profile override.

radius-vdom-override

Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.

option

-

 

Option

Description

enable

Enable VDOM override.

disable

Disable VDOM override.

password-expire

Password expire time.

user

Not Specified

force-password-change

Enable/disable force password change on next login.

option

-

 

Option

Description

enable

Enable force password change on next login.

disable

Disable force password change on next login.

two-factor

Enable/disable two-factor authentication.

option

-

 

Option

Description

disable

Disable two-factor authentication.

fortitoken

Use FortiToken or FortiToken mobile two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

email

Send a two-factor authentication code to the configured email-to email address.

sms

Send a two-factor authentication code to the configured sms-server and sms-phone.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

 

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

 

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

fortitoken

This administrator's FortiToken serial number.

string

Maximum length: 16

email-to

This administrator's email address.

string

Maximum length: 63

sms-server

Send SMS messages using the FortiGuard SMS server or a custom server.

option

-

 

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Custom SMS server to send SMS messages to.

string

Maximum length: 35

sms-phone

Phone number on which the administrator receives SMS messages.

string

Maximum length: 15

guest-auth

Enable/disable guest authentication.

option

-

 

Option

Description

disable

Disable guest authentication.

enable

Enable guest authentication.

guest-usergroups <name>

Select guest user groups.

Select guest user groups.

string

Maximum length: 79

guest-lang

Guest management portal language.

string

Maximum length: 35