Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config system admin

Configure admin users.

config system admin

Description: Configure admin users.

edit <name>

set wildcard [enable|disable]

set remote-auth [enable|disable]

set remote-group {string}

set password {password-2}

set peer-auth [enable|disable]

set peer-group {string}

set trusthost1 {ipv4-classnet}

set trusthost2 {ipv4-classnet}

set trusthost3 {ipv4-classnet}

set trusthost4 {ipv4-classnet}

set trusthost5 {ipv4-classnet}

set trusthost6 {ipv4-classnet}

set trusthost7 {ipv4-classnet}

set trusthost8 {ipv4-classnet}

set trusthost9 {ipv4-classnet}

set trusthost10 {ipv4-classnet}

set ip6-trusthost1 {ipv6-prefix}

set ip6-trusthost2 {ipv6-prefix}

set ip6-trusthost3 {ipv6-prefix}

set ip6-trusthost4 {ipv6-prefix}

set ip6-trusthost5 {ipv6-prefix}

set ip6-trusthost6 {ipv6-prefix}

set ip6-trusthost7 {ipv6-prefix}

set ip6-trusthost8 {ipv6-prefix}

set ip6-trusthost9 {ipv6-prefix}

set ip6-trusthost10 {ipv6-prefix}

set accprofile {string}

set allow-remove-admin-session [enable|disable]

set comments {var-string}

set vdom <name1>, <name2>, ...

set ssh-public-key1 {user}

set ssh-public-key2 {user}

set ssh-public-key3 {user}

set ssh-certificate {string}

set schedule {string}

set accprofile-override [enable|disable]

set radius-vdom-override [enable|disable]

set password-expire {user}

set force-password-change [enable|disable]

set two-factor [disable|fortitoken|...]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set fortitoken {string}

set email-to {string}

set sms-server [fortiguard|custom]

set sms-custom-server {string}

set sms-phone {string}

set guest-auth [disable|enable]

set guest-usergroups <name1>, <name2>, ...

set guest-lang {string}

next

end

config system admin

Parameter

Description

Type

Size

Default

wildcard

Enable/disable wildcard RADIUS authentication.

option

-

disable

 

Option

Description

enable

Enable username wildcard.

disable

Disable username wildcard.

remote-auth

Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.

option

-

disable

 

Option

Description

enable

Enable remote authentication.

disable

Disable remote authentication.

remote-group

User group name used for remote auth.

string

Maximum length: 35

password

Admin user password.

password-2

Not Specified

peer-auth

Set to enable peer certificate authentication (for HTTPS admin access).

option

-

disable

 

Option

Description

enable

Enable peer.

disable

Disable peer.

peer-group

Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).

string

Maximum length: 35

trusthost1

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost2

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost3

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost4

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost5

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost6

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost7

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost8

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost9

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost10

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

ip6-trusthost1

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost2

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost3

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost4

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost5

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost6

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost7

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost8

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost9

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost10

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

accprofile

Access profile for this administrator. Access profiles control administrator access to FortiGate features.

string

Maximum length: 35

allow-remove-admin-session

Enable/disable allow admin session to be removed by privileged admin users.

option

-

enable

 

Option

Description

enable

Enable allow-remove option.

disable

Disable allow-remove option.

comments

Comment.

var-string

Maximum length: 255

vdom <name>

Virtual domain(s) that the administrator can access.

Virtual domain name.

string

Maximum length: 79

ssh-public-key1

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key2

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key3

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-certificate

Select the certificate to be used by the FortiGate for authentication with an SSH client.

string

Maximum length: 35

schedule

Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

string

Maximum length: 35

accprofile-override

Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.

option

-

disable

 

Option

Description

enable

Enable access profile override.

disable

Disable access profile override.

radius-vdom-override

Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.

option

-

disable

 

Option

Description

enable

Enable VDOM override.

disable

Disable VDOM override.

password-expire

Password expire time.

user

Not Specified

force-password-change

Enable/disable force password change on next login.

option

-

disable

 

Option

Description

enable

Enable force password change on next login.

disable

Disable force password change on next login.

two-factor

Enable/disable two-factor authentication.

option

-

disable

 

Option

Description

disable

Disable two-factor authentication.

fortitoken

Use FortiToken or FortiToken mobile two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

email

Send a two-factor authentication code to the configured email-to email address.

sms

Send a two-factor authentication code to the configured sms-server and sms-phone.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

 

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

 

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

fortitoken

This administrator's FortiToken serial number.

string

Maximum length: 16

email-to

This administrator's email address.

string

Maximum length: 63

sms-server

Send SMS messages using the FortiGuard SMS server or a custom server.

option

-

fortiguard

 

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Custom SMS server to send SMS messages to.

string

Maximum length: 35

sms-phone

Phone number on which the administrator receives SMS messages.

string

Maximum length: 15

guest-auth

Enable/disable guest authentication.

option

-

disable

 

Option

Description

disable

Disable guest authentication.

enable

Enable guest authentication.

guest-usergroups <name>

Select guest user groups.

Select guest user groups.

string

Maximum length: 79

guest-lang

Guest management portal language.

string

Maximum length: 35

config system admin

Configure admin users.

config system admin

Description: Configure admin users.

edit <name>

set wildcard [enable|disable]

set remote-auth [enable|disable]

set remote-group {string}

set password {password-2}

set peer-auth [enable|disable]

set peer-group {string}

set trusthost1 {ipv4-classnet}

set trusthost2 {ipv4-classnet}

set trusthost3 {ipv4-classnet}

set trusthost4 {ipv4-classnet}

set trusthost5 {ipv4-classnet}

set trusthost6 {ipv4-classnet}

set trusthost7 {ipv4-classnet}

set trusthost8 {ipv4-classnet}

set trusthost9 {ipv4-classnet}

set trusthost10 {ipv4-classnet}

set ip6-trusthost1 {ipv6-prefix}

set ip6-trusthost2 {ipv6-prefix}

set ip6-trusthost3 {ipv6-prefix}

set ip6-trusthost4 {ipv6-prefix}

set ip6-trusthost5 {ipv6-prefix}

set ip6-trusthost6 {ipv6-prefix}

set ip6-trusthost7 {ipv6-prefix}

set ip6-trusthost8 {ipv6-prefix}

set ip6-trusthost9 {ipv6-prefix}

set ip6-trusthost10 {ipv6-prefix}

set accprofile {string}

set allow-remove-admin-session [enable|disable]

set comments {var-string}

set vdom <name1>, <name2>, ...

set ssh-public-key1 {user}

set ssh-public-key2 {user}

set ssh-public-key3 {user}

set ssh-certificate {string}

set schedule {string}

set accprofile-override [enable|disable]

set radius-vdom-override [enable|disable]

set password-expire {user}

set force-password-change [enable|disable]

set two-factor [disable|fortitoken|...]

set two-factor-authentication [fortitoken|email|...]

set two-factor-notification [email|sms]

set fortitoken {string}

set email-to {string}

set sms-server [fortiguard|custom]

set sms-custom-server {string}

set sms-phone {string}

set guest-auth [disable|enable]

set guest-usergroups <name1>, <name2>, ...

set guest-lang {string}

next

end

config system admin

Parameter

Description

Type

Size

Default

wildcard

Enable/disable wildcard RADIUS authentication.

option

-

disable

 

Option

Description

enable

Enable username wildcard.

disable

Disable username wildcard.

remote-auth

Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.

option

-

disable

 

Option

Description

enable

Enable remote authentication.

disable

Disable remote authentication.

remote-group

User group name used for remote auth.

string

Maximum length: 35

password

Admin user password.

password-2

Not Specified

peer-auth

Set to enable peer certificate authentication (for HTTPS admin access).

option

-

disable

 

Option

Description

enable

Enable peer.

disable

Disable peer.

peer-group

Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).

string

Maximum length: 35

trusthost1

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost2

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost3

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost4

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost5

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost6

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost7

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost8

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost9

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost10

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

ip6-trusthost1

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost2

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost3

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost4

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost5

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost6

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost7

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost8

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost9

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost10

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

accprofile

Access profile for this administrator. Access profiles control administrator access to FortiGate features.

string

Maximum length: 35

allow-remove-admin-session

Enable/disable allow admin session to be removed by privileged admin users.

option

-

enable

 

Option

Description

enable

Enable allow-remove option.

disable

Disable allow-remove option.

comments

Comment.

var-string

Maximum length: 255

vdom <name>

Virtual domain(s) that the administrator can access.

Virtual domain name.

string

Maximum length: 79

ssh-public-key1

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key2

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key3

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-certificate

Select the certificate to be used by the FortiGate for authentication with an SSH client.

string

Maximum length: 35

schedule

Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

string

Maximum length: 35

accprofile-override

Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.

option

-

disable

 

Option

Description

enable

Enable access profile override.

disable

Disable access profile override.

radius-vdom-override

Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.

option

-

disable

 

Option

Description

enable

Enable VDOM override.

disable

Disable VDOM override.

password-expire

Password expire time.

user

Not Specified

force-password-change

Enable/disable force password change on next login.

option

-

disable

 

Option

Description

enable

Enable force password change on next login.

disable

Disable force password change on next login.

two-factor

Enable/disable two-factor authentication.

option

-

disable

 

Option

Description

disable

Disable two-factor authentication.

fortitoken

Use FortiToken or FortiToken mobile two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

email

Send a two-factor authentication code to the configured email-to email address.

sms

Send a two-factor authentication code to the configured sms-server and sms-phone.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

 

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

 

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

fortitoken

This administrator's FortiToken serial number.

string

Maximum length: 16

email-to

This administrator's email address.

string

Maximum length: 63

sms-server

Send SMS messages using the FortiGuard SMS server or a custom server.

option

-

fortiguard

 

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Custom SMS server to send SMS messages to.

string

Maximum length: 35

sms-phone

Phone number on which the administrator receives SMS messages.

string

Maximum length: 15

guest-auth

Enable/disable guest authentication.

option

-

disable

 

Option

Description

disable

Disable guest authentication.

enable

Enable guest authentication.

guest-usergroups <name>

Select guest user groups.

Select guest user groups.

string

Maximum length: 79

guest-lang

Guest management portal language.

string

Maximum length: 35