Fortinet Document Library

CLI Reference

admin

Use the following commands to configure admin related settings.

admin group

Use this command to add, edit, and delete admin user groups.

Syntax

config system admin group

edit <group>

set member <string>

end

Variable

Description

<group>

Enter the name of the group you are editing or enter a new name to create an entry (character limit = 63).

member <string>

Add group members.

admin ldap

Use this command to add, edit, and delete Lightweight Directory Access Protocol (LDAP) users.

Syntax

config system admin ldap

edit <server>

set adom-attr <string>

set adom <adom-name>

set attributes <filter>

set ca-cert <string>

set cnid <string>

set connect-timeout <integer>

set dn <string>

set filter <string>

set group <string>

set memberof-attr <string>

set password <passwd>

set port <integer>

set profile-attr <string>

set secondary-server <string>

set secure {disable | ldaps | starttls}

set server <string>

set tertiary-server <string>

set type {anonymous | regular | simple}

set username <string>

end

Variable

Description

<server>

Enter the name of the LDAP server or enter a new name to create an entry (character limit = 63).

adom-attr <string>

The attribute used to retrieve ADOM.

adom <adom-name>

Set the ADOM name to link to the LDAP configuration.

attributes <filter>

Attributes used for group searching (for multiple attributes, use a comma as a separator). For example:

  • member
  • uniquemember
  • member,uniquemember

ca-cert <string>

CA certificate name. This variable appears only when secure is set to ldaps or starttls.

cnid <string>

Enter the common name identifier (character limit = 20, default = cn).

connect-timeout <integer>

Set the LDAP connection timeout, in milliseconds (default = 500).

dn <string>

Enter the distinguished name.

filter <string>

Enter content for group searching. For example:

(&(objectcategory=group)(member=*))

(&(objectclass=groupofnames)(member=*))

(&(objectclass=groupofuniquenames)(uniquemember=*))

(&(objectclass=posixgroup)(memberuid=*))

group <string>

Enter the full DN of the authorization group. The authenticating user must be a member of this group on the server; users outside it are refused even if their bind succeeds.

memberof-attr <string>

The attribute used to retrieve memberof.

password <passwd>

Enter a password for the username above. This variable appears only when type is set to regular.

port <integer>

Enter the port number for LDAP server communication (1 - 65535, default = 389).

profile-attr <string>

The attribute used to retrieve admin profile.

secondary-server <string>

Enter the secondary LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

secure {disable | ldaps | starttls}

Set the SSL connection type:

  • disable: no SSL (default). Bind credentials, user passwords and directory data then cross the network in cleartext.
  • ldaps: use LDAPS (typically with port set to 636).
  • starttls: use STARTTLS on the plain LDAP port.

With ldaps or starttls, also set ca-cert so that the server certificate can be validated against a known CA.

server <string>

Enter the LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

tertiary-server <string>

Enter the tertiary LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

type {anonymous | regular | simple}

Set a binding type: 

  • anonymous: Bind using anonymous user search
  • regular: Bind using username/password and then search
  • simple: Simple password authentication without search (default)

username <string>

Enter a username. This variable appears only when type is set to regular.

Example

This example shows how to add the LDAP server entry user1 for the server at IPv4 address 206.205.204.203, binding with the service account auth1.

config system admin ldap

edit user1

set server 206.205.204.203

set dn techdoc

set type regular

set username auth1

set password auth1_pwd

set group techdoc

end
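A worked configuration for the variables above, added here as an example and not taken from Fortinet's documentation: it binds to a pair of LDAPS servers with a dedicated service account, validates the server certificate against an imported CA, and only admits members of one group. The server names, the base DN, the service-account DN, the group DN and the CA certificate name CorpRootCA are assumed values; the bind password is a placeholder to be replaced.

```text
config system admin ldap
    edit "corp-ldaps"
        set server "ldap1.corp.example"
        set secondary-server "ldap2.corp.example"
        set port 636
        set secure ldaps
        set ca-cert "CorpRootCA"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=fmg-bind,ou=service,dc=corp,dc=example"
        set password "<bind-password>"
        set group "cn=fmg-admins,ou=groups,dc=corp,dc=example"
        set filter "(&(objectcategory=group)(member=*))"
        set attributes "member"
        set memberof-attr "memberOf"
        set connect-timeout 2000
    next
end
```

Contrast this with the page's own example above, which leaves secure at its default of disable and therefore sends the bind credentials and each administrator's password in cleartext on port 389. The ca-cert variable only appears once secure is ldaps or starttls, so set secure first. cnid sAMAccountName and the objectcategory=group filter suit Active Directory; OpenLDAP deployments usually keep the default cn (or uid) and use the groupofnames or posixgroup filter from the examples above.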

admin profile

Use this command to configure access profiles. In a newly-created access profile, no access is enabled. Setting an option to none hides it from administrators with that profile assigned.

Syntax

config system admin profile

edit <profile>

set adom-lock {none | read | read-write}

set adom-policy-packages {none | read | read-write}

set adom-switch {none | read | read-write}

set app-filter {enable | disable}

set assignment {none | read | read-write}

set change-password {enable | disable}

set config-retrieve {none | read | read-write}

set config-revert {none | read | read-write}

set consistency-check {none | read | read-write}

set datamask {enable | disable}

set datamask-custom-priority {enable | disable}

set datamask-fields <fields>

set datamask-key <passwd>

set deploy-management {none | read | read-write}

set description <string>

set device-ap {none | read | read-write}

set device-config {none | read | read-write}

set device-forticlient {none | read | read-write}

set device-fortiswitch {none | read | read-write}

set device-manager {none | read | read-write}

set device-op {none | read | read-write}

set device-policy-package-lock {none | read | read-write}

set device-profile {none | read | read-write}

set device-revision-deletion {none | read | read-write}

set device-wan-link-load-balance {none | read | read-write}

set event-management {none | read | read-write}

set fgd_center {none | read | read-write}

set fgd-center-advanced {none | read | read-write}

set fgd-center-fmw-mgmt {none | read | read-write}

set fgd-center-licensing {none | read | read-write}

set global-policy-packages {none | read | read-write}

set import-policy-packages {none | read | read-write}

set intf-mapping {none | read | read-write}

set ips-filter {enable | disable}

set log-viewer {none | read | read-write}

set policy-objects {none | read | read-write}

set read-passwd {none | read | read-write}

set realtime-monitor {none | read | read-write}

set report-viewer {none | read | read-write}

set scope (Not Applicable)

set set-install-targets {none | read | read-write}

set system-setting {none | read | read-write}

set term-access {none | read | read-write}

set type {restricted | system}

set vpn-manager {none | read | read-write}

set web-filter {enable | disable}

config datamask-custom-fields

edit <field>

set field-category {alert | all | fortiview | log | euba}

set field-status {enable | disable}

set field-type {email | ip | mac | string}

next

end

Variable

Description

<profile>

Enter the name of the access profile, enter a new name to create a new profile (character limit = 35). The pre-defined access profiles are Super_User, Standard_User, Restricted_User, and Package_User.

adom-lock {none | read | read-write}

Configure ADOM locking permissions for profile:

  • none: No permission (default).
  • read: Read permission.
  • read-write: Read-write permission.

Controlled functions: ADOM locking.

Dependencies: type must be system

adom-policy-packages {none | read | read-write}

Enter the level of access to ADOM policy packages.

This command corresponds to the Policy Packages & Objects option on the administrator profile settings page in the GUI. It is a sub-setting of policy-objects.

Controlled functions: All the operations in ADOMs

Dependencies: Install and re-install depends on Install to Devices in DVM settings, type must be system

adom-switch {none | read | read-write}

Configure administrative domain (ADOM) permissions for this profile (default = none).

This command corresponds to the Administrative Domain option in the GUI.

Controlled functions: ADOM settings in DVM, ADOM settings in All ADOMs page (under System Settings tab)

Dependencies: If system-setting is none, the All ADOMs page is not accessible, type must be system

app-filter {enable | disable}

Enable/disable Application Sensor permission for the restricted admin profile (default = disable).

Dependencies: type must be restricted.

assignment {none | read | read-write}

Configure assignment permissions for this profile (default = none).

This command corresponds to the Assignment option in the GUI. It is a sub-setting of policy-objects.

Controlled functions: Global assignment in Global ADOM

Dependencies: type must be system

change-password {enable | disable}

Enable/disable allowing restricted users to change their password (default = disable).

config-retrieve {none | read | read-write}

Set the configuration retrieve settings for this profile (default = none).

This command corresponds to the Retrieve Configuration from Devices option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Retrieve configuration from devices

Dependencies: type must be system

config-revert {none | read | read-write}

Set the configuration revert settings for this profile (default = none).

This command corresponds to the Revert Configuration from Revision History option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Revert configuration from revision history

Dependencies: type must be system

consistency-check {none | read | read-write}

Configure Policy Check permissions for this profile (default = none).

This command corresponds to the Policy Check option in the GUI. It is a sub-setting of policy-objects.

Controlled functions: Policy check

Dependencies: type must be system

datamask {enable | disable}

Enable/disable data masking (default = disable).

datamask-custom-priority {enable | disable}

Enable/disable custom field search priority.

datamask-fields <fields>

Enter that data masking fields, separated by spaces:

  • dstip: Destination IP
  • dstname: Destination name
  • email: Email
  • message: Message
  • srcip: Source IP
  • srcmac: Source MAC
  • srcname: Source name
  • user: User name

datamask-key <passwd>

Enter the data masking encryption key.

deploy-management {none | read | read-write}

Enter the level of access to the deployment management configuration settings for this profile (default = none).

This command corresponds to the Install to Devices option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Install to devices

Dependencies: type must be system

description <string>

Enter a description for this access profile (character limit = 1023). Enclose the description in quotes if it contains spaces.

device-ap {none | read | read-write}

Enter the level of access to device AP settings for this profile (default = none).

This command corresponds to the AP Manager option in the GUI.

Controlled functions: AP Manager pane

Dependencies: type must be system

device-config {none | read | read-write}

Enter the level of access to device configuration settings for this profile (default = none).

This command corresponds to the Manage Device Configuration option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Edit devices, All settings under Menu in Dashboard

Dependencies: type must be system

device-forticlient {none | read | read-write}

Enter the level of access to FortiClient settings for this profile (default = none).

This command corresponds to the FortiClient Manager option in the GUI.

Controlled functions: FortiClient Manager pane

Dependencies: type must be system

device-fortiswitch {none | read | read-write}

Enter the level of access to the FortiSwitch Manager module for this profile (default = none).

This command corresponds to the FortiSwitch Manager option in the GUI.

Controlled functions: FortiSwitch Manager pane

Dependencies: type must be system

device-manager {none | read | read-write}

Enter the level of access to Device Manager settings for this profile (default = none).

This command corresponds to the Device Manager option in the GUI.

Controlled functions: Device Manager pane

Dependencies: type must be system

device-op {none | read | read-write}

Add the capability to add, delete, and edit devices to this profile (default = none).

This command corresponds to the Add/Delete Devices/Groups option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Add or delete devices or groups

Dependencies: type must be system

device-policy-package-lock {none | read | read-write}

Configure device policy package locking permissions for this profile (default = none).

Controlled functions: Policy package locking.

Dependencies: type must be system

device-profile {none | read | read-write}

Configure device profile permissions for this profile (default = none).

This command corresponds to the Provisioning Templates option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Provisioning Templates

Dependencies: type must be system

device-revision-deletion {none | read | read-write}

Configure device revision deletion permissions for this profile (default = none).

This command corresponds to the Delete Device Revision option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Deleting device revisions

Dependencies: type must be system

device-wan-link-load-balance {none | read | read-write}

Enter the level of access to wan-link-load-balance settings for this profile (default = none).

This command corresponds to SD-WAN option in the GUI. It is a sub-setting of device-manager.

Controlled functions: SD-WAN

Dependencies: type must be system

event-management {none | read | read-write}

Set the Event Management permissions (default = none).

This command corresponds to the Event Management option in the GUI.

Controlled functions: Event Management pane and all its operations

Dependencies: faz-status must be set to enable in system global, type must be system

fgd_center {none | read | read-write}

Set the FortiGuard Center permissions (default = none).

This command corresponds to the FortiGuard Center option in the GUI.

Controlled functions: FortiGuard pane, All the settings under FortiGuard

Dependencies: type must be system

fgd-center-advanced {none | read | read-write}

Set the FortiGuard Center permissions (default = none).

This command corresponds to the Advanced option in the GUI. It is a sub-setting of fgd_center.

Controlled functions: FortiGuard pane Advanced Settings options

Dependencies: type must be system

fgd-center-fmw-mgmt {none | read | read-write}

Set the FortiGuard Center permissions (default = none).

This command corresponds to the Firmware Management option in the GUI. It is a sub-setting of fgd_center.

Controlled functions: FortiGuard pane Firmware Images options

Dependencies: type must be system

fgd-center-licensing {none | read | read-write}

Set the FortiGuard Center permissions (default = none).

This command corresponds to the License Management option in the GUI. It is a sub-setting of fgd_center.

Controlled functions: FortiGuard pane Licensing Status options

Dependencies: type must be system

global-policy-packages {none | read | read-write}

Configure global policy package permissions for this profile (default = none).

This command corresponds to the Global Policy Packages & Objects option in the GUI. It is a sub-setting of policy-objects.

Controlled functions: All operations in Global ADOM

Dependencies: type must be system

import-policy-packages {none | read | read-write}

Configure importing policy package permissions for this profile (default = none).

This command corresponds to the Import Policy Package option in the GUI.

Controlled functions: Importing policy packages

Dependencies: type must be system

intf-mapping {none | read | read-write}

Configure interface mapping permissions for this profile (default = none).

This command corresponds to the Interface Mapping option in the GUI.

Controlled functions: Mapping interfaces

Dependencies: type must be system

ips-filter {enable | disable}

Enable/disable IPS Sensor permission for the restricted admin profile (default = disable).

Dependencies: type must be restricted

log-viewer {none | read | read-write}

Set the Log View permissions (default = none).

This command corresponds to the Log View option in the GUI.

Controlled functions: Log View and all its operations

Dependencies: faz-status must be set to enable in system global, type must be system

policy-objects {none | read | read-write}

Set the Policy & Objects permissions (default = none).

Controlled functions: Policy & Objects pane

Dependencies: type must be system

read-passwd {none | read | read-write}

Add the capability to view the authentication password in clear text to this profile (default = none). Grant this only to profiles that genuinely need it; every administrator holding such a profile can read the stored password.

Dependencies: type must be system

realtime-monitor {none | read | read-write}

Enter the level of access to the Drill Down configuration settings for this profile (default = none).

Dependencies: faz-status must be set to enable in system global, type must be system

report-viewer {none | read | read-write}

Set the Reports permissions (default = none).

This command corresponds to the Reports option in the GUI.

Controlled functions: Reports pane and all its operations

Dependencies: faz-status must be set to enable in system global, type must be system

scope (Not Applicable)

CLI command is not in use.

set-install-targets {none | read | read-write}

Configure installation targets permissions (default = none).

This command corresponds to the Installation Targets option in policy packages in the GUI. It is a sub-setting of policy-objects.

Controlled functions: Installation targets

Dependencies: type must be system

system-setting {none | read | read-write}

Configure System Settings permissions for this profile (default = none).

This command corresponds to the System Settings option in the GUI.

Controlled functions: System Settings pane, all the settings under system setting

Dependencies: type must be system

term-access {none | read | read-write}

Set the terminal access permissions for this profile (default = none).

This command corresponds to the Terminal Access option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Connect to the CLI via Telnet or SSH

Dependencies: Depends on the device-config option, type must be system

type {restricted | system}

Enter the admin profile type:

  • restricted: Restricted admin profile
  • system: System admin profile (default)

vpn-manager {none | read | read-write}

Enter the level of access to VPN console configuration settings for this profile (default = none).

This command corresponds to the VPN Manager option in the GUI. It is a sub-setting of policy-objects.

Controlled functions: VPN Console

Dependencies: type must be system

web-filter {enable | disable}

Enable/disable Web Filter Profile permission for the restricted admin profile (default = disable).

Dependencies: type must be restricted

Variables for config datamask-custom-fields subcommand:

<field>

Enter the custom field name.

field-category {alert | all | fortiview | log | euba}

Enter the field category (default = all).

field-status {enable | disable}

Enable/disable the field (default = enable).

field-type {email | ip | mac | string}

Enter the field type (default = string).
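Two least-privilege profiles built from the variables above, added as an illustration and not part of Fortinet's reference: a system profile for a log auditor who can read logs, events and reports but cannot touch devices, policies, system settings or stored passwords, and a restricted profile that exposes only Web Filter profiles. The profile names, the description text and the masking key are assumed values. As the dependencies above state, log-viewer, event-management, report-viewer and realtime-monitor only take effect when faz-status is enabled in config system global.

```text
config system admin profile
    edit "log_auditor"
        set type system
        set description "Read-only access to logs, events and reports; no device or policy changes"
        set log-viewer read
        set event-management read
        set report-viewer read
        set realtime-monitor read
        set device-manager read
        set device-config none
        set term-access none
        set policy-objects none
        set system-setting none
        set read-passwd none
        set datamask enable
        set datamask-fields srcip dstip user email
        set datamask-key "<masking-key>"
    next
    edit "webfilter_only"
        set type restricted
        set web-filter enable
        set ips-filter disable
        set app-filter disable
        set change-password enable
    next
end
```

A new profile starts with every option at none, so the explicit none lines in log_auditor only document the boundary; the read lines are what actually grant access. device-manager read lets the auditor see the device list, while device-config none and term-access none keep them out of device settings and the CLI console. Data masking hides source and destination addresses, user names and e-mail addresses in the views the auditor can reach; the masking key is what decides who can unmask them later, so treat it like a password.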

admin radius

Use this command to add, edit, and delete administration RADIUS servers.

Syntax

config system admin radius

edit <server>

set auth-type {any | chap | mschap2 | pap}

set nas-ip <ipv4_address>

set port <integer>

set secondary-secret <passwd>

set secondary-server <string>

set secret <passwd>

set server <string>

end

Variable

Description

<server>

Enter the name of the RADIUS server or enter a new name to create an entry (character limit = 63).

auth-type {any | chap | mschap2 | pap}

The authentication protocol the RADIUS server will use.

  • any: Use any supported authentication protocol (default).
  • mschap2: Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).
  • chap: Challenge Handshake Authentication Protocol (CHAP)
  • pap: Password Authentication Protocol (PAP).

nas-ip <ipv4_address>

The network access server (NAS) IPv4 address and called station ID.

port <integer>

The RADIUS server port number (1 - 65535, default = 1812).

secondary-secret <passwd>

The password to access the RADIUS secondary-server (character limit = 64).

secondary-server <string>

The RADIUS secondary-server DNS resolvable domain name or IPv4 address.

secret <passwd>

The password to access the RADIUS server (character limit = 64).

server <string>

The RADIUS server DNS resolvable domain name or IPv4 address.

Example

This example shows how to add the RADIUS server RAID1 at the IPv4 address 206.205.204.203 and set the shared secret as R1a2D3i4U5s.

config system admin radius

edit RAID1

set server 206.205.204.203

set secret R1a2D3i4U5s

end

admin setting

Use this command to configure system administration settings, including web administration ports, timeout, and language.

Syntax

config system admin setting

set access-banner {enable | disable}

set admin-https-redirect {enable | disable}

set admin-login-max <integer>

set admin_server_cert <admin_server_cert>

set allow_register {enable | disable}

set auto-update {enable | disable}

set banner-message <string>

set chassis-mgmt {enable | disable}

set chassis-update-interval <integer>

set device_sync_status {enable | disable}

set gui-theme <theme>

set http_port <integer>

set https_port <integer>

set idle_timeout <integer>

set install-ifpolicy-only {enable | disable}

set mgmt-addr <string>

set mgmt-fqdn <string>

set objects-force-deletion {enable | disable}

set offline_mode {enable | disable}

set register_passwd <passwd>

set shell-access {enable | disable}

set shell-password <passwd>

set show-add-multiple {enable | disable}

set show-adom-devman {enable | disable}

set show-device-import-export {enable | disable}

set show_automatic_script {enable | disable}

set show-checkbox-in-table {enable | disable}

set show_grouping_script {enable | disable}

set show_hostname {enable | disable}

set show_schedule_script {enable | disable}

set show_tcl_script {enable | disable}

set unreg_dev_opt {add_allow_service | add_no_service | ignore}

set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}

end

Variable

Description

access-banner {enable | disable}

Enable/disable the access banner (default = disable).

admin-https-redirect {enable | disable}

Enable/disable redirection of HTTP admin traffic to HTTPS (default = enable).

admin-login-max <integer>

Set the maximum number of admin users that can be logged in at one time (1 - 256, default = 256).

admin_server_cert <admin_server_cert>

Enter the name of an HTTPS server certificate to use for secure connections (default = server.crt).

allow_register {enable | disable}

Enable/disable the ability of an unregistered device to be registered (default = disable).

auto-update {enable | disable}

Enable/disable device config automatic update (default = enable).

banner-message <string>

Set the banner messages (character limit = 255).

chassis-mgmt {enable | disable}

Enable/disable chassis management (default = disable).

chassis-update-interval <integer>

Set the chassis background update interval, in minutes (4 - 1440, default = 15).

device_sync_status {enable | disable}

Enable/disable device synchronization status indication (default = enable).

gui-theme <theme>

Configure the GUI theme (default = blue).

http_port <integer>

Enter the HTTP port number for web administration (1 - 65535, default = 80).

https_port <integer>

Enter the HTTPS port number for web administration (1 - 65535, default = 443).

idle_timeout <integer>

Enter the idle timeout value, in minutes (1 - 480, default = 15).

install-ifpolicy-only {enable | disable}

Enable/disable allowing only the interface policy to be installed (default = disable).

mgmt-addr <string>

FQDN/IPv4 of FortiManager used by FGFM.

If the FortiManager is behind a NAT device, and a device is added in the FortiManager GUI, the FortiManager will not add its IP address to the FortiGate. Configure mgmt-addr with the fixed, public-facing IP address if you need FortiManager to configure the set fmg <ip> command on managed FortiGates.

mgmt-fqdn <string>

FQDN of FortiManager used by FGFM.

objects-force-deletion {enable | disable}

Enable/disable forced deletion of used objects (default = enable).

offline_mode {enable | disable}

Enable/disable offline mode to shut down the protocol used to communicate with managed devices (default = disable).

register_passwd <passwd>

Enter the password to use when registering a device (character limit = 19).

shell-access {enable | disable}

Enable/disable shell access (default = disable).

shell-password <passwd>

Enter the password to use for shell access.

show-add-multiple {enable | disable}

Enable/disable showing the Add Multiple button in the GUI (default = disable).

show-adom-devman {enable | disable}

Enable/disable device manager tools on the GUI (default = enable).

show-checkbox-in-table {enable | disable}

Show checkboxes in tables in the GUI (default = disable).

show-device-import-export {enable | disable}

Enable/disable import/export of ADOM, device, and group lists (default = disable).

show_automatic_script {enable | disable}

Enable/disable automatic script (default = disable).

show_grouping_script {enable | disable}

Enable/disable grouping script (default = enable).

show_hostname {enable | disable}

Enable/disable showing the hostname on the GUI login page (default = disable).

show_schedule_script {enable | disable}

Enable/disable schedule script (default = disable).

show_tcl_script {enable | disable}

Enable/disable TCL script (default = disable).

unreg_dev_opt {add_allow_service | add_no_service | ignore}

Select action to take when an unregistered device connects to FortiManager:

  • add_allow_service: Add unregistered devices and allow service requests (default).
  • add_no_service: Add unregistered devices and deny service requests.
  • ignore: Ignore unregistered devices.

webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}

Select the language to be used for web administration:

  • auto_detect: Automatically detect language (default).
  • english: English.
  • japanese: Japanese.
  • korean: Korean.
  • simplified_chinese: Simplified Chinese.
  • traditional_chinese: Traditional Chinese.
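A hardened admin setting block, added here as an example rather than taken from the reference: it forces HTTPS, presents a login banner, shortens the idle timeout, caps concurrent sessions, keeps the shell closed and stops unregistered devices from obtaining service until an administrator has looked at them. The certificate name fmg-admin and the banner text are assumed values.

```text
config system admin setting
    set admin-https-redirect enable
    set https_port 443
    set admin_server_cert "fmg-admin"
    set access-banner enable
    set banner-message "Authorized use only. All activity is monitored and recorded."
    set idle_timeout 10
    set admin-login-max 16
    set shell-access disable
    set unreg_dev_opt add_no_service
    set show_hostname disable
end
```

admin-https-redirect, https_port and shell-access are already at their default values and are set explicitly so that the block can be pasted over a drifted configuration; the remaining lines change defaults. unreg_dev_opt add_no_service keeps unknown devices visible in Device Manager for review without serving them, whereas the default add_allow_service serves any device that connects and ignore drops them silently. admin_server_cert should name a certificate issued for the management FQDN so that administrators are not trained to click through a warning for the built-in server.crt.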

admin tacacs

Use this command to add, edit, and delete administration TACACS+ servers.

Syntax

config system admin tacacs

edit <server>

set authen-type {ascii | auto | chap | mschap | pap}

set authorization {enable | disable}

set key <passwd>

set port <integer>

set secondary-key <passwd>

set secondary-server <string>

set server <string>

set tertiary-key <passwd>

set tertiary-server <string>

end

Variable

Description

<server>

Enter the name of the TACACS+ server or enter a new name to create an entry (character limit = 63).

authen-type {ascii | auto | chap | mschap | pap}

Choose which authentication type to use:

  • ascii: ASCII
  • auto: Uses PAP, MSCHAP, and CHAP (in that order) (default).
  • chap: Challenge Handshake Authentication Protocol (CHAP)
  • mschap: Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  • pap: Password Authentication Protocol (PAP).

authorization {enable | disable}

Enable/disable TACACS+ authorization (default = disable).

key <passwd>

Key to access the server (character limit = 128).

port <integer>

Port number of the TACACS+ server (1 - 65535, default = 49).

secondary-key <passwd>

Key to access the secondary server (character limit = 128).

secondary-server <string>

Secondary server domain name or IPv4 address.

server <string>

The server domain name or IPv4 address.

tertiary-key <passwd>

Key to access the tertiary server (character limit = 128).

tertiary-server <string>

Tertiary server domain name or IPv4 address.

Example

This example shows how to add the TACACS+ server TAC1 at the IPv4 address 206.205.204.203 and set the key as R1a2D3i4U5s.

config system admin tacacs

edit TAC1

set server 206.205.204.203

set key R1a2D3i4U5s

end

admin user

Use this command to add, edit, and delete administrator accounts.

Use the admin account, or an account whose profile has System Settings read-write access, to add administrator accounts and control their permission levels. Every administrator account must have at least an access profile. The access profile list is sorted alphabetically with capitals first, so defining custom profiles can change the default profile from Restricted_User. The admin administrator account cannot be deleted, and no administrator account can be deleted while that user is logged on.

You can create meta-data fields for administrator accounts. These objects must be created using the FortiManager GUI. The only information you can add to the object is the value of the field (pre-determined text/numbers). For more information, see System Settings in the FortiManager Administration Guide.

Syntax

config system admin user

edit <name_str>

set password <passwd>

set change-password {enable | disable}

set trusthost1 <ipv4_mask>

set trusthost2 <ipv4_mask>

set trusthost3 <ipv4_mask>

...

set trusthost10 <ipv4_mask>

set ipv6_trusthost1 <ipv6_mask>

set ipv6_trusthost2 <ipv6_mask>

set ipv6_trusthost3 <ipv6_mask>

...

set ipv6_trusthost10 <ipv6_mask>

set profileid <profile-name>

set adom <adom_name(s)>

set dev-group <group-name>

set adom-exclude <adom_name(s)>

set web-filter <Web Filter profile name>

set ips-filter <IPS Sensor name>

set app-filter <Application Sensor name>

set policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> | all_policy_packages}

set restrict-access {enable | disable}

set description <string>

set user_type {group | ldap | local | pki-auth | radius | tacacs-plus}

set group <string>

set ldap-server <string>

set radius_server <string>

set tacacs-plus-server <string>

set ssh-public-key1 <key-type> <key-value>

set ssh-public-key2 <key-type> <key-value>

set ssh-public-key3 <key-type> <key-value>

set avatar <string>

set wildcard {enable | disable}

set ext-auth-accprofile-override {enable | disable}

set ext-auth-adom-override {enable | disable}

set ext-auth-group-match <string>

set password-expire <yyyy-mm-dd>

set force-password-change {enable | disable}

set subject <string>

set ca <string>

set two-factor-auth {enable | disable}

set rpc-permit {none | read-only | read-write}

set last-name <string>

set first-name <string>

set email-address <string>

set phone-number <string>

set mobile-number <string>

set pager-number <string>

config meta-data

edit <fieldname>

set fieldlength

set fieldvalue <string>

set importance

set status

end

config dashboard-tabs

edit tabid <integer>

set name <string>

end

config dashboard

edit moduleid

set name <string>

set column <column_pos>

set diskio-content-type

set diskio-period {1hour | 24hour | 8hour}

set refresh-inverval <integer>

set status {close | open}

set tabid <integer>

set widget-type <string>

set log-rate-type {device | log}

set log-rate-topn {1 | 2 | 3 | 4 | 5}

set log-rate-period {1hour | 2min | 6hours}

set res-view-type {history | real-time}

set res-period {10min | day | hour}

set res-cpu-display {average | each}

set num-entries <integer>

set time-period {1hour | 24hour | 8hour}

end

config restrict-dev-vdom

edit dev-vdom <string>

end

end

Variable

Description

<name_str>

Enter the name of the admin user or enter a new name to create a new user (character limit = 35).

password <passwd>

Enter a password for the administrator account (character limit = 128). For improved security, the password should be at least 6 characters long.

This variable is available only if user_type is local.

change-password {enable | disable}

Enable/disable allowing restricted users to change their password (default = disable).

trusthost1 <ipv4_mask>

trusthost2 <ipv4_mask>

trusthost3 <ipv4_mask>

...

trusthost10 <ipv4_mask>

Optionally, type the trusted host IPv4 address and network mask from which the administrator can log in to the FortiManager system. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system.

Defaults:

trusthost1: 0.0.0.0 0.0.0.0 for all

others: 255.255.255.255 255.255.255.255 for none

ipv6_trusthost1 <ipv6_mask>

ipv6_trusthost2 <ipv6_mask>

ipv6_trusthost3 <ipv6_mask>

...

ipv6_trusthost10 <ipv6_mask>

Optionally, type the trusted host IPv6 address from which the administrator can log in to the FortiManager system. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system.

Defaults:

ipv6_trusthost1: ::/0 for all

others: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 for none

profileid <profile-name>

Enter the name of the access profile to assign to this administrator account (character limit = 35, default = Restricted_User). Access profiles control administrator access to FortiManager features.

adom <adom_name(s)>

Enter the name(s) of the ADOM(s) the administrator belongs to. Any configuration of ADOMs takes place via the FortiManager GUI.

dev-group <group-name>

Enter the device group that the admin user can access. This option can only be used for administrators with access to only one ADOM.

adom-exclude <adom_name(s)>

Enter the name(s) of the ADOM(s) to exclude from this administrator's access.

web-filter <Web Filter profile name>

Enter the Web Filter profile to associate with the restricted admin profile.

Dependencies: admin user must be associated with a restricted admin profile.

ips-filter <IPS Sensor name>

Enter the IPS Sensor to associate with the restricted admin profile.

Dependencies: The admin user must be associated with a restricted admin profile.

app-filter <Application Sensor name>

Enter the Application Sensor to associate with the restricted admin profile.

Dependencies: The admin user must be associated with a restricted admin profile.

policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> | all_policy_packages}

Policy package access.

restrict-access {enable | disable}

Enable/disable restricted access to the development VDOM (dev-vdom) (default = disable).

description <string>

Enter a description for this administrator account (character limit = 127). Enclose the description in quotes if it contains spaces.

user_type {group | ldap | local | pki-auth | radius | tacacs-plus}

Select the administrator type:

  • group: The administrator is a member of an administrator group.
  • ldap: An LDAP server verifies the administrator’s password.
  • local: The FortiManager system verifies the administrator’s password (default).
  • pki-auth: The administrator uses PKI.
  • radius: A RADIUS server verifies the administrator’s password.
  • tacacs-plus: A TACACS+ server verifies the administrator’s password.

group <string>

Enter the group name.

This option is only available when user_type is group.

ldap-server <string>

Enter the LDAP server name if the user type is set to LDAP.

This option is only available when user_type is ldap.

radius_server <string>

Enter the RADIUS server name if the user type is set to RADIUS.

This option is only available when user_type is radius.

tacacs-plus-server <string>

Enter the TACACS+ server name if the user type is set to TACACS+.

This option is only available when user_type is tacacs-plus.

ssh-public-key1 <key-type> <key-value>

ssh-public-key2 <key-type> <key-value>

ssh-public-key3 <key-type> <key-value>

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

<key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key. Prefer ssh-rsa: DSA keys are limited to 1024 bits, and OpenSSH clients have disabled ssh-dss by default since OpenSSH 7.0.

<key-value> is the public key string of the SSH client.

avatar <string>

Image file for the administrator's avatar (maximum 4 KB, base64 encoded).

wildcard {enable | disable}

Enable/disable wildcard remote authentication (default = disable).

ext-auth-accprofile-override {enable | disable}

Enable/disable allowing the use of the access profile provided by the remote authentication server (default = disable).

ext-auth-adom-override {enable | disable}

Enable/disable allowing the use of the ADOM provided by the remote authentication server (default = disable).

For the server to pass the ADOM, it needs a dictionary that defines the vendor-specific attributes (VSAs) it sends. The Fortinet RADIUS vendor ID is 12365; this command uses the Fortinet-Vdom-Name attribute.

ext-auth-group-match <string>

Only admin users that belong to this group are allowed to log in.

password-expire <yyyy-mm-dd>

When enforcing the password policy, enter the date that the current password will expire.

force-password-change {enable | disable}

Enable/disable force password change on next log in.

subject <string>

PKI user certificate name constraints.

This command is available when a PKI administrator account is configured.

ca <string>

PKI user certificate CA (CA name in local).

This command is available when a PKI administrator account is configured.

two-factor-auth {enable | disable}

Enable/disable two-factor authentication (certificate + password) (default = disable).

This command is available when a PKI administrator account is configured.

rpc-permit {none | read-only | read-write}

Set the permission level for log in via Remote Procedure Call (RPC) (default = none).

last-name <string>

Administrator's last name (character limit = 63).

first-name <string>

Administrator's first name (character limit = 63).

email-address <string>

Administrator's email address.

phone-number <string>

Administrator's phone number.

mobile-number <string>

Administrator's mobile phone number.

pager-number <string>

Administrator's pager number.

Variables for config meta-data subcommand:

This subcommand can only change the value of an existing field. To create a new metadata field, use the config system metadata command.

fieldname

The label/name of the field (read-only). Enclose the name in quotes if it contains spaces.

fieldlength

The maximum number of characters allowed for this field (read-only, default = 50).

fieldvalue <string>

Enter a pre-determined value for the field. This is the only value that can be changed with the config meta-data subcommand (character limit = 255).

importance

Indicates whether the field is compulsory (required) or optional (optional) (read-only, default = optional).

status

The status of the field (read-only, default = enable).

Variables for config dashboard-tabs subcommand:

tabid <integer>

Tab ID.

name <string>

Tab name.

Variables for config dashboard subcommand:

moduleid

Widget ID.

name <string>

Widget name (character limit = 63).

column <column_pos>

Widget column ID (default = 0).

diskio-content-type {blks | iops | util}

Set the Disk I/O Monitor widget's chart type.

  • blks: the amount of data of I/O requests.
  • iops: the number of I/O requests.
  • util: bandwidth utilization (default).

diskio-period {1hour | 24hour | 8hour}

Set the Disk I/O Monitor widget's data period (default = 1hour).

refresh-inverval <integer>

Widget refresh interval (default = 300).

status {close | open}

Widget opened/closed status (default = open).

tabid <integer>

ID of the tab where the widget is displayed (default = 0).

widget-type <string>

Widget type:

  • alert: Alert Message Console
  • devsummary: Device Summary
  • disk-io: Disk I/O
  • jsconsole: CLI Console
  • licinfo: License Information
  • log-rcvd-fwd: Receive Rate vs. Forwarding Rate
  • logdb-lag: Log Insert Lag Time
  • logdb-perf: Insert Rate vs Receive Rate
  • logrecv: Logs/Data Received (this widget has been deprecated)
  • raid: Disk Monitor
  • rpteng: Report Engine (this widget has been deprecated)
  • statistics: Statistics (this widget has been deprecated)
  • sysinfo: System Information
  • sysop: Unit Operation
  • sysres: System Resources
  • top-lograte: Log Receive Monitor

log-rate-type {device | log}

Log receive monitor widget’s statistics breakdown options (default = device).

log-rate-topn {1 | 2 | 3 | 4 | 5}

Log receive monitor widget's number of top items to display (default = 5).

log-rate-period {1hour | 2min | 6hours}

Log receive monitor widget’s data period (default = 2min).

res-view-type {history | real-time}

Widget’s data view type (default = history).

res-period {10min | day | hour}

Widget data period:

  • 10min: Last 10 minutes (default).
  • day: Last day.
  • hour: Last hour.

res-cpu-display {average | each}

Widget CPU display type:

  • average: Average usage of CPU (default).
  • each: Each usage of CPU.

num-entries <integer>

Number of entries (default = 10).

time-period {1hour | 24hour | 8hour}

Set the Log Database Monitor widget's data period (default = 1hour).

Variable for config restrict-dev-vdom subcommand:

dev-vdom <string>

Enter device or VDOM to edit.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IPv4 address if you define only one trusted host IPv4 address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiManager system does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the GUI and to the CLI when accessed through SSH. CLI access through the console connector is not affected.

Example

Use the following commands to add a new administrator account named admin_2 with the password set to p8ssw0rd and the Super_User access profile. Administrators that log in to this account will have administrator access to the FortiManager system from any IPv4 address.

config system admin user

edit admin_2

set description "Backup administrator"

set password p8ssw0rd

set profileid Super_User

end
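The trusted-host rules above are easy to state and easy to get wrong across dozens of accounts, because an account that simply never had trusthost1 set is silently reachable from anywhere. The following script, an added example that is not Fortinet's code, parses the config/edit/set/next/end text that `show system admin user` prints, applies the defaults given in this reference (trusthost1 = 0.0.0.0 0.0.0.0, ipv6_trusthost1 = ::/0, remaining slots = the "none" sentinels), and reports accounts that are reachable from any address, that carry a DSA SSH key, or that have rpc-permit read-write. The configuration text in SAMPLE is constructed for this example; the admin_2 entry mirrors the example directly above.

```python
"""Audit 'config system admin user' output for administrators without trusted hosts.

Added example; this is not Fortinet's code. It parses the nested
config/edit/set/next/end text that 'show system admin user' prints and applies
the defaults given in the reference: trusthost1 defaults to 0.0.0.0 0.0.0.0 (any
IPv4 source), ipv6_trusthost1 to ::/0, and the remaining slots to the 'none'
sentinels. The configuration text at the bottom is constructed for this example.
"""
import ipaddress
import re

NONE_V4 = ("255.255.255.255", "255.255.255.255")           # "for none" IPv4 sentinel
NONE_V6 = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"   # "for none" IPv6 sentinel


def parse_admin_users(text):
    """Return {user: {setting: [tokens]}} for each 'edit' entry in the admin-user block."""
    users, current, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system admin user":
            inside = True
        elif not inside:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            users[current] = {}
        elif line.startswith("set ") and current is not None:
            pairs = re.findall(r'"([^"]*)"|(\S+)', line[4:])   # "quoted" or bare tokens
            tokens = [quoted or bare for quoted, bare in pairs]
            users[current][tokens[0]] = tokens[1:]
        elif line == "next":
            current = None
        elif line == "end":
            break
    return users


def trusted_networks(cfg):
    """Networks the account may log in from, with the reference's defaults applied."""
    nets = []
    v4 = {k: v for k, v in cfg.items() if re.fullmatch(r"trusthost\d+", k)}
    v6 = {k: v for k, v in cfg.items() if re.fullmatch(r"ipv6_trusthost\d+", k)}
    if "trusthost1" not in v4:                 # absent means the 0.0.0.0 0.0.0.0 default
        nets.append(ipaddress.ip_network("0.0.0.0/0"))
    for addr, mask in v4.values():
        if (addr, mask) != NONE_V4:
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    if "ipv6_trusthost1" not in v6:            # absent means the ::/0 default
        nets.append(ipaddress.ip_network("::/0"))
    for (prefix,) in v6.values():
        if prefix != NONE_V6:
            nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def can_login_from(cfg, source_ip):
    """True if source_ip lies inside one of the account's trusted networks."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == net.version and ip in net for net in trusted_networks(cfg))


def audit(users):
    """Return sorted (user, finding) pairs for the settings the section above warns about."""
    findings = []
    for name, cfg in users.items():
        if any(net.prefixlen == 0 for net in trusted_networks(cfg)):
            findings.append((name, "reachable from any address: set trusthost1/ipv6_trusthost1"))
        for slot in ("ssh-public-key1", "ssh-public-key2", "ssh-public-key3"):
            if cfg.get(slot, [""])[0] == "ssh-dss":
                findings.append((name, f"{slot} is a DSA key; replace it with ssh-rsa"))
        if cfg.get("rpc-permit", ["none"])[0] == "read-write":
            findings.append((name, "rpc-permit read-write: confirm API write access is needed"))
    return sorted(findings)


# Constructed sample: admin_2 mirrors the example above (no trusted hosts, so it
# is reachable from anywhere); netops shows the restricted form.
SAMPLE = """
config system admin user
    edit "admin_2"
        set password ENC AAAA
        set profileid "Super_User"
        set description "Backup administrator"
        set rpc-permit read-write
    next
    edit "netops"
        set password ENC BBBB
        set profileid "Standard_User"
        set trusthost1 10.20.0.0 255.255.255.0
        set trusthost2 10.20.1.10 255.255.255.255
        set ipv6_trusthost1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128
        set ssh-public-key1 "ssh-dss" "AAAAB3NzaC1kc3MAAACBexample"
    next
end
"""

if __name__ == "__main__":
    users = parse_admin_users(SAMPLE)
    for user, finding in audit(users):
        print(f"{user}: {finding}")
    print("netops from 10.20.0.7:", can_login_from(users["netops"], "10.20.0.7"))
```

Feed it the output of `show system admin user` or `show full-configuration system admin user`; the second form prints trusthost1 explicitly as 0.0.0.0 0.0.0.0, which the parser treats the same way as an absent line. Note that the netops entry pins ipv6_trusthost1 to the "none" sentinel: restricting only the IPv4 slots leaves the ::/0 default in place.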

admin

Use the following commands to configure admin related settings.

admin group

Use this command to add, edit, and delete admin user groups.

Syntax

config system admin group

edit <group>

set member <string>

end

Variable

Description

<group>

Enter the name of the group you are editing or enter a new name to create an entry (character limit = 63).

member <string>

Add group members.

admin ldap

Use this command to add, edit, and delete Lightweight Directory Access Protocol (LDAP) users.

Syntax

config system admin ldap

edit <server>

set adom-attr <string>

set adom <adom-name>

set attributes <filter>

set ca-cert <string>

set cnid <string>

set connect-timeout <integer>

set dn <string>

set filter <string>

set group <string>

set memberof-attr <string>

set password <passwd>

set port <integer>

set profile-attr <string>

set secondary-server <string>

set secure {disable | ldaps | starttls}

set server <string>

set tertiary-server <string>

set type {anonymous | regular | simple}

set username <string>

end

Variable

Description

<server>

Enter the name of the LDAP server or enter a new name to create an entry (character limit = 63).

adom-attr <string>

The attribute used to retrieve ADOM.

adom <adom-name>

Set the ADOM name to link to the LDAP configuration.

attributes <filter>

Attributes used for group searching (for multiple attributes, use a comma as a separator). For example:

  • member
  • uniquemember
  • member,uniquemember

ca-cert <string>

CA certificate name. This variable appears only when secure is set to ldaps or starttls.

cnid <string>

Enter the common name identifier (character limit = 20, default = cn).

connect-timeout <integer>

Set the LDAP connection timeout, in milliseconds (default = 500).

dn <string>

Enter the distinguished name.

filter <string>

Enter content for group searching. For example:

(&(objectcategory=group)(member=*))

(&(objectclass=groupofnames)(member=*))

(&(objectclass=groupofuniquenames)(uniquemember=*))

(&(objectclass=posixgroup)(memberuid=*))

group <string>

Enter an authorization group. The authentication user must be a member of this group (full DN) on the server.

memberof-attr <string>

The attribute used to retrieve memberof.

password <passwd>

Enter a password for the username above. This variable appears only when type is set to regular.

port <integer>

Enter the port number for LDAP server communication (1 - 65535, default = 389).

profile-attr <string>

The attribute used to retrieve admin profile.

secondary-server <string>

Enter the secondary LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

secure {disable | ldaps | starttls}

Set the SSL connection type:

  • disable: no SSL (default).
  • ldaps: use LDAPS
  • starttls: use STARTTLS

server <string>

Enter the LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

tertiary-server <string>

Enter the tertiary LDAP server domain name or IPv4 address. Enter a new name to create a new entry.

type {anonymous | regular | simple}

Set a binding type: 

  • anonymous: Bind using anonymous user search
  • regular: Bind using username/password and then search
  • simple: Simple password authentication without search (default)

username <string>

Enter a username. This variable appears only when type is set to regular.

Example

This example shows how to add the LDAP user user1 at the IPv4 address 206.205.204.203.

config system admin ldap

edit user1

set server 206.205.204.203

set dn techdoc

set type regular

set username auth1

set password auth1_pwd

set group techdoc

end
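The filter, attributes and group settings above only work together when the attribute list matches the group schema the filter selects: a groupOfUniqueNames group stores membership in uniqueMember, so an entry whose attributes setting names only member will deny every user in it. The following script, an added example rather than Fortinet's code, implements a small evaluator for the filter syntax used in the examples above (&, |, !, equality and presence) and runs the group check against a constructed directory. The exact rule it applies is an assumption about how the settings combine, not something this page states: the groups matched by filter under dn are examined, and the user is authorized when the group whose DN equals group lists the user's DN (or cnid value, for memberUid-style attributes) in one of the attributes named in attributes.

```python
"""Trace how filter, attributes and group decide whether an LDAP user is authorized.

Added example; this is not Fortinet's code. The filter evaluator handles the
subset of RFC 4515 syntax used by the filters listed above. The authorization
rule is an assumption about how the settings combine (see the lead-in), and the
directory entries are constructed for this example.
"""


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)          # raises ValueError on an unterminated item
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry ({attr_lower: [values]})."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                              # presence test, e.g. (member=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # case-insensitive, as LDAP does for these


def search(directory, base_dn, filter_text):
    """Entries at or below base_dn that satisfy the filter."""
    tree = parse_filter(filter_text)
    base = base_dn.lower()
    return [e for e in directory
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and matches(tree, e)]


def authorize(cfg, user_dn, user_id, directory):
    """Apply the assumed group check: the user must appear in cfg['group'] via cfg['attributes']."""
    attrs = [a.strip().lower() for a in cfg["attributes"].split(",")]
    for group in search(directory, cfg["dn"], cfg["filter"]):
        if group["dn"].lower() != cfg["group"].lower():
            continue
        for attr in attrs:
            members = [m.lower() for m in group.get(attr, [])]
            if user_dn.lower() in members or user_id.lower() in members:
                return True
    return False


# Constructed directory: three group schemas, each storing membership differently.
DIRECTORY = [
    {"dn": "cn=fmg-admins,ou=groups,dc=example,dc=com",
     "objectclass": ["top", "groupOfNames"],
     "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"dn": "cn=fmg-readonly,ou=groups,dc=example,dc=com",
     "objectclass": ["top", "groupOfUniqueNames"],
     "uniquemember": ["uid=bob,ou=people,dc=example,dc=com"]},
    {"dn": "cn=fmg-ops,ou=groups,dc=example,dc=com",
     "objectclass": ["top", "posixGroup"],
     "memberuid": ["carol"]},
]


def readonly_cfg(attributes):
    """LDAP entry settings for the fmg-readonly group with a chosen 'attributes' value."""
    return {"dn": "ou=groups,dc=example,dc=com",
            "filter": "(&(objectclass=groupofuniquenames)(uniquemember=*))",
            "attributes": attributes,
            "group": "cn=fmg-readonly,ou=groups,dc=example,dc=com"}


if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=com"
    # Same user, same group: only the attribute list differs.
    print(authorize(readonly_cfg("member"), bob, "bob", DIRECTORY))               # False
    print(authorize(readonly_cfg("member,uniquemember"), bob, "bob", DIRECTORY))  # True
```

The failure mode to remember is the silent one: a mismatched attributes value does not produce an error on the FortiManager side, it just denies every login from that group, so test each new LDAP entry with one account that must succeed and one that must fail.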

admin profile

Use this command to configure access profiles. In a newly-created access profile, no access is enabled. Setting an option to none hides it from administrators with that profile assigned.

Syntax

config system admin profile

edit <profile>

set adom-lock {none | read | read-write}

set adom-policy-packages {none | read | read-write}

set adom-switch {none | read | read-write}

set app-filter {enable | disable}

set assignment {none | read | read-write}

set change-password {enable | disable}

set config-retrieve {none | read | read-write}

set config-revert {none | read | read-write}

set consistency-check {none | read | read-write}

set datamask {enable | disable}

set datamask-custom-priority {enable | disable}

set datamask-fields <fields>

set datamask-key <passwd>

set deploy-management {none | read | read-write}

set description <string>

set device-ap {none | read | read-write}

set device-config {none | read | read-write}

set device-forticlient {none | read | read-write}

set device-fortiswitch {none | read | read-write}

set device-manager {none | read | read-write}

set device-op {none | read | read-write}

set device-policy-package-lock {none | read | read-write}

set device-profile {none | read | read-write}

set device-revision-deletion {none | read | read-write}

set device-wan-link-load-balance {none | read | read-write}

set event-management {none | read | read-write}

set fgd_center {none | read | read-write}

set fgd-center-advanced {none | read | read-write}

set fgd-center-fmw-mgmt {none | read | read-write}

set fgd-center-licensing {none | read | read-write}

set global-policy-packages {none | read | read-write}

set import-policy-packages {none | read | read-write}

set intf-mapping {none | read | read-write}

set ips-filter {enable | disable}

set log-viewer {none | read | read-write}

set policy-objects {none | read | read-write}

set read-passwd {none | read | read-write}

set realtime-monitor {none | read | read-write}

set report-viewer {none | read | read-write}

set scope (Not Applicable)

set set-install-targets {none | read | read-write}

set system-setting {none | read | read-write}

set term-access {none | read | read-write}

set type {restricted | system}

set vpn-manager {none | read | read-write}

set web-filter {enable | disable}

config datamask-custom-fields

edit <field>

set field-category {alert | all | fortiview | log | euba}

set field-status {enable | disable}

set field-type {email | ip | mac | string}

next

end

Variable

Description

<profile>

Enter the name of the access profile, enter a new name to create a new profile (character limit = 35). The pre-defined access profiles are Super_User, Standard_User, Restricted_User, and Package_User.

adom-lock {none | read | read-write}

Configure ADOM locking permissions for profile:

  • none: No permission (default).
  • read: Read permission.
  • read-write: Read-write permission.

Controlled functions: ADOM locking.

Dependencies: type must be system

adom-policy-packages {none | read | read-write}

Enter the level of access to ADOM policy packages.

This command corresponds to the Policy Packages & Objects option on the administrator profile settings page in the GUI. It is a sub-setting of policy-objects.

Controlled functions: All the operations in ADOMs

Dependencies: Install and re-install depends on Install to Devices in DVM settings, type must be system

adom-switch {none | read | read-write}

Configure administrative domain (ADOM) permissions for this profile (default = none).

This command corresponds to the Administrative Domain option in the GUI.

Controlled functions: ADOM settings in DVM, ADOM settings in All ADOMs page (under System Settings tab)

Dependencies: If system-setting is none, the All ADOMs page is not accessible, type must be system

app-filter {enable | disable}

Enable/disable Application Sensor permission for the restricted admin profile (default = disable).

Dependencies: type must be restricted.

assignment {none | read | read-write}

Configure assignment permissions for this profile (default = none).

This command corresponds to the Assignment option in the GUI. It is a sub-setting of policy-objects.

Controlled functions: Global assignment in Global ADOM

Dependencies: type must be system

change-password {enable | disable}

Enable/disable allowing restricted users to change their password (default = disable).

config-retrieve {none | read | read-write}

Set the configuration retrieve settings for this profile (default = none).

This command corresponds to the Retrieve Configuration from Devices option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Retrieve configuration from devices

Dependencies: type must be system

config-revert {none | read | read-write}

Set the configuration revert settings for this profile (default = none).

This command corresponds to the Revert Configuration from Revision History option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Revert configuration from revision history

Dependencies: type must be system

consistency-check {none | read | read-write}

Configure Policy Check permissions for this profile (default = none).

This command corresponds to the Policy Check option in the GUI. It is a sub-setting of policy-objects.

Controlled functions: Policy check

Dependencies: type must be system

datamask {enable | disable}

Enable/disable data masking (default = disable).

datamask-custom-priority {enable | disable}

Enable/disable custom field search priority.

datamask-fields <fields>

Enter the data masking fields, separated by spaces:

  • dstip: Destination IP
  • dstname: Destination name
  • email: Email
  • message: Message
  • srcip: Source IP
  • srcmac: Source MAC
  • srcname: Source name
  • user: User name

datamask-key <passwd>

Enter the data masking encryption key.

deploy-management {none | read | read-write}

Enter the level of access to the deployment management configuration settings for this profile (default = none).

This command corresponds to the Install to Devices option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Install to devices

Dependencies: type must be system

description <string>

Enter a description for this access profile (character limit = 1023). Enclose the description in quotes if it contains spaces.

device-ap {none | read | read-write}

Enter the level of access to device AP settings for this profile (default = none).

This command corresponds to the AP Manager option in the GUI.

Controlled functions: AP Manager pane

Dependencies: type must be system

device-config {none | read | read-write}

Enter the level of access to device configuration settings for this profile (default = none).

This command corresponds to the Manage Device Configuration option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Edit devices, All settings under Menu in Dashboard

Dependencies: type must be system

device-forticlient {none | read | read-write}

Enter the level of access to FortiClient settings for this profile (default = none).

This command corresponds to the FortiClient Manager option in the GUI.

Controlled functions: FortiClient Manager pane

Dependencies: type must be system

device-fortiswitch {none | read | read-write}

Enter the level of access to the FortiSwitch Manager module for this profile (default = none).

This command corresponds to the FortiSwitch Manager option in the GUI.

Controlled functions: FortiSwitch Manager pane

Dependencies: type must be system

device-manager {none | read | read-write}

Enter the level of access to Device Manager settings for this profile (default = none).

This command corresponds to the Device Manager option in the GUI.

Controlled functions: Device Manager pane

Dependencies: type must be system

device-op {none | read | read-write}

Add the capability to add, delete, and edit devices to this profile (default = none).

This command corresponds to the Add/Delete Devices/Groups option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Add or delete devices or groups

Dependencies: type must be system

device-policy-package-lock {none | read | read-write}

Configure device policy package locking permissions for this profile (default = none).

Controlled functions: Policy package locking.

Dependencies: type must be system

device-profile {none | read | read-write}

Configure device profile permissions for this profile (default = none).

This command corresponds to the Provisioning Templates option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Provisioning Templates

Dependencies: type must be system

device-revision-deletion {none | read | read-write}

Configure device revision deletion permissions for this profile (default = none).

This command corresponds to the Delete Device Revision option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Deleting device revisions

Dependencies: type must be system

device-wan-link-load-balance {none | read | read-write}

Enter the level of access to wan-link-load-balance settings for this profile (default = none).

This command corresponds to SD-WAN option in the GUI. It is a sub-setting of device-manager.

Controlled functions: SD-WAN

Dependencies: type must be system

event-management {none | read | read-write}

Set the Event Management permissions (default = none).

This command corresponds to the Event Management option in the GUI.

Controlled functions: Event Management pane and all its operations

Dependencies: faz-status must be set to enable in system global, type must be system

fgd_center {none | read | read-write}

Set the FortiGuard Center permissions (default = none).

This command corresponds to the FortiGuard Center option in the GUI.

Controlled functions: FortiGuard pane, All the settings under FortiGuard

Dependencies: type must be system

fgd-center-advanced {none | read | read-write}

Set the FortiGuard Center permissions (default = none).

This command corresponds to the Advanced option in the GUI. It is a sub-setting of fgd_center.

Controlled functions: FortiGuard pane Advanced Settings options

Dependencies: type must be system

fgd-center-fmw-mgmt {none | read | read-write}

Set the FortiGuard Center permissions (default = none).

This command corresponds to the Firmware Management option in the GUI. It is a sub-setting of fgd_center.

Controlled functions: FortiGuard pane Firmware Images options

Dependencies: type must be system

fgd-center-licensing {none | read | read-write}

Set the FortiGuard Center permissions (default = none).

This command corresponds to the License Management option in the GUI. It is a sub-setting of fgd_center.

Controlled functions: FortiGuard pane Licensing Status options

Dependencies: type must be system

global-policy-packages {none | read | read-write}

Configure global policy package permissions for this profile (default = none).

This command corresponds to the Global Policy Packages & Objects option in the GUI. It is a sub-setting of policy-objects.

Controlled functions: All operations in Global ADOM

Dependencies: type must be system

import-policy-packages {none | read | read-write}

Configure importing policy package permissions for this profile (default = none).

This command corresponds to the Import Policy Package option in the GUI.

Controlled functions: Importing policy packages

Dependencies: type must be system

intf-mapping {none | read | read-write}

Configure interface mapping permissions for this profile (default = none).

This command corresponds to the Interface Mapping option in the GUI.

Controlled functions: Mapping interfaces

Dependencies: type must be system

ips-filter {enable | disable}

Enable/disable IPS Sensor permission for the restricted admin profile (default = disable).

Dependencies: type must be restricted

log-viewer {none | read | read-write}

Set the Log View permissions (default = none).

This command corresponds to the Log View option in the GUI.

Controlled functions: Log View and all its operations

Dependencies: faz-status must be set to enable in system global, type must be system

policy-objects {none | read | read-write}

Set the Policy & Objects permissions (default = none).

Controlled functions: Policy & Objects pane

Dependencies: type must be system

read-passwd {none | read | read-write}

Add the capability to view the authentication password in clear text to this profile (default = none).

Dependencies: type must be system

realtime-monitor {none | read | read-write}

Enter the level of access to the Drill Down configuration settings for this profile (default = none).

Dependencies: faz-status must be set to enable in system global, type must be system

report-viewer {none | read | read-write}

Set the Reports permissions (default = none).

This command corresponds to the Reports option in the GUI.

Controlled functions: Reports pane and all its operations

Dependencies: faz-status must be set to enable in system global, type must be system

scope (Not Applicable)

CLI command is not in use.

set-install-targets {none | read | read-write}

Configure installation targets permissions (default = none).

This command corresponds to the Installation Targets option in policy packages in the GUI. It is a sub-setting of policy-objects.

Controlled functions: Installation targets

Dependencies: type must be system

system-setting {none | read | read-write}

Configure System Settings permissions for this profile (default = none).

This command corresponds to the System Settings option in the GUI.

Controlled functions: System Settings pane, all the settings under system setting

Dependencies: type must be system

term-access {none | read | read-write}

Set the terminal access permissions for this profile (default = none).

This command corresponds to the Terminal Access option in the GUI. It is a sub-setting of device-manager.

Controlled functions: Connect to the CLI via Telnet or SSH

Dependencies: Depends on the device-config option, type must be system

type {restricted | system}

Enter the admin profile type:

  • restricted: Restricted admin profile
  • system: System admin profile (default)

vpn-manager {none | read | read-write}

Enter the level of access to VPN console configuration settings for this profile (default = none).

This command corresponds to the VPN Manager option in the GUI. It is a sub-setting of policy-objects.

Controlled functions: VPN Console

Dependencies: type must be system

web-filter {enable | disable}

Enable/disable Web Filter Profile permission for the restricted admin profile (default = disable).

Dependencies: type must be restricted

Variables for config datamask-custom-fields subcommand:

<field>

Enter the custom field name.

field-category {alert | all | fortiview | log | euba}

Enter the field category (default = all).

field-status {enable | disable}

Enable/disable the field (default = enable).

field-type {email | ip | mac | string}

Enter the field type (default = string).

admin radius

Use this command to add, edit, and delete administration RADIUS servers.

Syntax

config system admin radius

edit <server>

set auth-type {any | chap | mschap2 | pap}

set nas-ip <ipv4_address>

set port <integer>

set secondary-secret <passwd>

set secondary-server <string>

set secret <passwd>

set server <string>

end

Variable

Description

<server>

Enter the name of the RADIUS server or enter a new name to create an entry (character limit = 63).

auth-type {any | chap | mschap2 | pap}

The authentication protocol the RADIUS server will use.

  • any: Use any supported authentication protocol (default).
  • mschap2: Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).
  • chap: Challenge Handshake Authentication Protocol (CHAP)
  • pap: Password Authentication Protocol (PAP).

nas-ip <ipv4_address>

The network access server (NAS) IPv4 address and called station ID.

port <integer>

The RADIUS server port number (1 - 65535, default = 1812).

secondary-secret <passwd>

The password to access the RADIUS secondary-server (character limit = 64).

secondary-server <string>

The RADIUS secondary-server DNS resolvable domain name or IPv4 address.

secret <passwd>

The password to access the RADIUS server (character limit = 64).

server <string>

The RADIUS server DNS resolvable domain name or IPv4 address.

Example

This example shows how to add the RADIUS server RAID1 at the IPv4 address 206.205.204.203 and set the shared secret as R1a2D3i4U5s.

config system admin radius

edit RAID1

set server 206.205.204.203

set secret R1a2D3i4U5s

end
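Two things on this page meet in one packet: the shared secret configured above, and the Fortinet vendor-specific attribute (vendor ID 12365, Fortinet-Vdom-Name) that ext-auth-adom-override in the admin user section consumes. The following script, an added example and not Fortinet's code, builds an Access-Accept carrying that VSA the way RFC 2865 lays it out, verifies the Response Authenticator with the shared secret, and only then extracts the ADOM name. The vendor-type number 3 for Fortinet-Vdom-Name is taken from the FreeRADIUS dictionary.fortinet rather than from this page and is an assumption here; the secret reused from the example above and the request authenticator are sample values.

```python
"""Build and verify a RADIUS Access-Accept carrying the Fortinet VSA used by
ext-auth-adom-override, and extract Fortinet-Vdom-Name from it.

Added example; this is not Fortinet's code. Packet layout follows RFC 2865: a
Vendor-Specific attribute (type 26) wraps the 4-byte vendor ID (12365, Fortinet)
and one or more vendor-type/vendor-length/value triples. The vendor-type 3 for
Fortinet-Vdom-Name comes from the FreeRADIUS dictionary.fortinet (assumption).
The Response Authenticator is recomputed with the shared secret, which is what
lets the client discard an Access-Accept from anyone who does not hold it.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12365
FORTINET_VDOM_NAME = 3   # vendor-type per FreeRADIUS dictionary.fortinet (assumption)


def vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client side: True only if the authenticator matches our request and secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):   # octets beyond Length are padding (RFC 2865)
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def parse_attributes(data):
    """Yield (type, value) pairs; malformed lengths raise instead of being skipped."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def fortinet_vsas(attrs):
    """Return {vendor_type: value} for every Fortinet sub-attribute in the attribute list."""
    found = {}
    for atype, value in parse_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):   # several triples may share one VSA
            found[vtype] = vvalue
    return found


def vdom_from_accept(packet, request_auth, secret):
    """Return the Fortinet-Vdom-Name from a verified Access-Accept, else None."""
    if not verify_response(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    name = fortinet_vsas(packet[20:length]).get(FORTINET_VDOM_NAME)
    return name.decode("utf-8", "replace") if name else None


if __name__ == "__main__":
    secret = b"R1a2D3i4U5s"                  # the shared secret from the example above
    request_auth = os.urandom(16)            # copied from the Access-Request we sent
    attrs = vsa(FORTINET_VENDOR_ID, FORTINET_VDOM_NAME, b"branch-adom")
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    print(vdom_from_accept(accept, request_auth, secret))             # branch-adom
    print(vdom_from_accept(accept, request_auth, b"wrong-secret"))    # None
```

The authenticator check is the only thing standing between a spoofed UDP reply and an ADOM override, and RFC 2865 builds it on MD5 keyed by nothing more than this secret; the User-Password attribute in the request is likewise only XORed against an MD5 keystream derived from the secret. Treat the secret as a long random credential rather than a memorable word, and keep the RADIUS path on a network you control.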

admin setting

Use this command to configure system administration settings, including web administration ports, timeout, and language.

Syntax

config system admin setting

set access-banner {enable | disable}

set admin-https-redirect {enable | disable}

set admin-login-max <integer>

set admin_server_cert <admin_server_cert>

set allow_register {enable | disable}

set auto-update {enable | disable}

set banner-message <string>

set chassis-mgmt {enable | disable}

set chassis-update-interval <integer>

set device_sync_status {enable | disable}

set gui-theme <theme>

set http_port <integer>

set https_port <integer>

set idle_timeout <integer>

set install-ifpolicy-only {enable | disable}

set mgmt-addr <string>

set mgmt-fqdn <string>

set objects-force-deletion {enable | disable}

set offline_mode {enable | disable}

set register_passwd <passwd>

set shell-access {enable | disable}

set shell-password <passwd>

set show-add-multiple {enable | disable}

set show-adom-devman {enable | disable}

set show-device-import-export {enable | disable}

set show_automatic_script {enable | disable}

set show-checkbox-in-table {enable | disable}

set show_grouping_script {enable | disable}

set show_hostname {enable | disable}

set show_schedule_script {enable | disable}

set show_tcl_script {enable | disable}

set unreg_dev_opt {add_allow_service | add_no_service | ignore}

set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}

end

Variable

Description

access-banner {enable | disable}

Enable/disable the access banner (default = disable).

admin-https-redirect {enable | disable}

Enable/disable redirection of HTTP admin traffic to HTTPS (default = enable).

admin-login-max <integer>

Set the maximum number of admin users that can be logged in at one time (1 - 256, default = 256).

admin_server_cert <admin_server_cert>

Enter the name of an https server certificate to use for secure connections (default = server.crt).

allow_register {enable | disable}

Enable/disable the ability of an unregistered device to register itself (default = disable).

auto-update {enable | disable}

Enable/disable device config automatic update (default = enable).

banner-message <string>

Set the banner messages (character limit = 255).

chassis-mgmt {enable | disable}

Enable/disable chassis management (default = disable).

chassis-update-interval <integer>

Set the chassis background update interval, in minutes (4 - 1440, default = 15).

device_sync_status {enable | disable}

Enable/disable device synchronization status indication (default = enable).

gui-theme <theme>

Configure the GUI theme (default = blue).

http_port <integer>

Enter the HTTP port number for web administration (1 - 65535, default = 80).

https_port <integer>

Enter the HTTPS port number for web administration (1 - 65535, default = 443).

idle_timeout <integer>

Enter the idle timeout value, in minutes (1 - 480, default = 15).

install-ifpolicy-only {enable | disable}

Enable/disable allowing only the interface policy to be installed (default = disable).

mgmt-addr <string>

FQDN/IPv4 of FortiManager used by FGFM.

If FortiManager is behind a NAT device and a device is added in the FortiManager GUI, FortiManager does not push its own (private) IP address to the FortiGate. Set mgmt-addr to the fixed, public-facing IP address if FortiManager must configure the set fmg <ip> command on managed FortiGates.

mgmt-fqdn <string>

FQDN of FortiManager used by FGFM.

objects-force-deletion {enable | disable}

Enable/disable forced deletion of used objects (default = enable).

offline_mode {enable | disable}

Enable/disable offline mode to shut down the protocol used to communicate with managed devices (default = disable).

register_passwd <passwd>

Enter the password to use when registering a device (character limit = 19).

shell-access {enable | disable}

Enable/disable shell access (default = disable).

shell-password <passwd>

Enter the password to use for shell access.

show-add-multiple {enable | disable}

Enable/disable showing the Add Multiple button in the GUI (default = disable).

show-adom-devman {enable | disable}

Enable/disable device manager tools on the GUI (default = enable).

show-checkbox-in-table {enable | disable}

Show checkboxes in tables in the GUI (default = disable).

show-device-import-export {enable | disable}

Enable/disable import/export of ADOM, device, and group lists (default = disable).

show_automatic_script {enable | disable}

Enable/disable automatic script (default = disable).

show_grouping_script {enable | disable}

Enable/disable grouping script (default = enable).

show_hostname {enable | disable}

Enable/disable showing the hostname on the GUI login page (default = disable).

show_schedule_script {enable | disable}

Enable/disable schedule script (default = disable).

show_tcl_script {enable | disable}

Enable/disable TCL script (default = disable).

unreg_dev_opt {add_allow_service | add_no_service | ignore}

Select action to take when an unregistered device connects to FortiManager:

  • add_allow_service: Add unregistered devices and allow service requests (default).
  • add_no_service: Add unregistered devices and deny service requests.
  • ignore: Ignore unregistered devices.

webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}

Select the language to be used for web administration:

  • auto_detect: Automatically detect language (default).
  • english: English.
  • japanese: Japanese.
  • korean: Korean.
  • simplified_chinese: Simplified Chinese.
  • traditional_chinese: Traditional Chinese.

admin tacacs

Use this command to add, edit, and delete administration TACACS+ servers.

Syntax

config system admin tacacs

edit <server>

set authen-type {ascii | auto | chap | mschap | pap}

set authorization {enable | disable}

set key <passwd>

set port <integer>

set secondary-key <passwd>

set secondary-server <string>

set server <string>

set tertiary-key <passwd>

set tertiary-server <string>

end

Variable

Description

<server>

Enter the name of the TACACS+ server or enter a new name to create an entry (character limit = 63).

authen-type {ascii | auto | chap | mschap | pap}

Choose which authentication type to use:

  • ascii: ASCII.
  • auto: Uses PAP, MSCHAP, and CHAP (in that order) (default).
  • chap: Challenge Handshake Authentication Protocol (CHAP).
  • mschap: Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
  • pap: Password Authentication Protocol (PAP).

authorization {enable | disable}

Enable/disable TACACS+ authorization (default = disable).

key <passwd>

Key to access the server (character limit = 128).

port <integer>

Port number of the TACACS+ server (1 - 65535, default = 49).

secondary-key <passwd>

Key to access the secondary server (character limit = 128).

secondary-server <string>

Secondary server domain name or IPv4 address.

server <string>

The server domain name or IPv4 address.

tertiary-key <passwd>

Key to access the tertiary server (character limit = 128).

tertiary-server <string>

Tertiary server domain name or IPv4 address.

Example

This example shows how to add the TACACS+ server TAC1 at the IPv4 address 206.205.204.203 and set the key as R1a2D3i4U5s.

config system admin tacacs

edit TAC1

set server 206.205.204.203

set key R1a2D3i4U5s

end

admin user

Use this command to add, edit, and delete administrator accounts.

Use the admin account or an account with System Settings read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must have at least an access profile. The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, the default profile may change from Restricted_User. You cannot delete the admin administrator account. You cannot delete an administrator account while that user is logged on.

You can create meta-data fields for administrator accounts. These objects must be created using the FortiManager GUI. The only information you can add to the object is the value of the field (pre-determined text/numbers). For more information, see System Settings in the FortiManager Administration Guide.

Syntax

config system admin user

edit <name_str>

set password <passwd>

set change-password {enable | disable}

set trusthost1 <ipv4_mask>

set trusthost2 <ipv4_mask>

set trusthost3 <ipv4_mask>

...

set trusthost10 <ipv4_mask>

set ipv6_trusthost1 <ipv6_mask>

set ipv6_trusthost2 <ipv6_mask>

set ipv6_trusthost3 <ipv6_mask>

...

set ipv6_trusthost10 <ipv6_mask>

set profileid <profile-name>

set adom <adom_name(s)>

set dev-group <group-name>

set adom-exclude <adom_name(s)>

set web-filter <Web Filter profile name>

set ips-filter <IPS Sensor name>

set app-filter <Application Sensor name>

set policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> | all_policy_packages}

set restrict-access {enable | disable}

set description <string>

set user_type {group | ldap | local | pki-auth | radius | tacacs-plus}

set group <string>

set ldap-server <string>

set radius_server <string>

set tacacs-plus-server <string>

set ssh-public-key1 <key-type> <key-value>

set ssh-public-key2 <key-type> <key-value>

set ssh-public-key3 <key-type> <key-value>

set avatar <string>

set wildcard {enable | disable}

set ext-auth-accprofile-override {enable | disable}

set ext-auth-adom-override {enable | disable}

set ext-auth-group-match <string>

set password-expire <yyyy-mm-dd>

set force-password-change {enable | disable}

set subject <string>

set ca <string>

set two-factor-auth {enable | disable}

set rpc-permit {none | read-only | read-write}

set last-name <string>

set first-name <string>

set email-address <string>

set phone-number <string>

set mobile-number <string>

set pager-number <string>

config meta-data

edit <fieldname>

set fieldlength

set fieldvalue <string>

set importance

set status

end

config dashboard-tabs

edit tabid <integer>

set name <string>

end

config dashboard

edit moduleid

set name <string>

set column <column_pos>

set diskio-content-type {blks | iops | util}

set diskio-period {1hour | 24hour | 8hour}

set refresh-inverval <integer>

set status {close | open}

set tabid <integer>

set widget-type <string>

set log-rate-type {device | log}

set log-rate-topn {1 | 2 | 3 | 4 | 5}

set log-rate-period {1hour | 2min | 6hours}

set res-view-type {history | real-time}

set res-period {10min | day | hour}

set res-cpu-display {average | each}

set num-entries <integer>

set time-period {1hour | 24hour | 8hour}

end

config restrict-dev-vdom

edit dev-vdom <string>

end

end

Variable

Description

<name_str>

Enter the name of the admin user or enter a new name to create a new user (character limit = 35).

password <passwd>

Enter a password for the administrator account (character limit = 128). For improved security, the password should be at least 6 characters long.

This variable is available only if user_type is local.

change-password {enable | disable}

Enable/disable allowing restricted users to change their password (default = disable).

trusthost1 <ipv4_mask>

trusthost2 <ipv4_mask>

trusthost3 <ipv4_mask>

...

trusthost10 <ipv4_mask>

Optionally, type the trusted host IPv4 address and network mask from which the administrator can log in to the FortiManager system. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system.

Defaults:

trusthost1: 0.0.0.0 0.0.0.0 for all

others: 255.255.255.255 255.255.255.255 for none

ipv6_trusthost1 <ipv6_mask>

ipv6_trusthost2 <ipv6_mask>

ipv6_trusthost3 <ipv6_mask>

...

ipv6_trusthost10 <ipv6_mask>

Optionally, type the trusted host IPv6 address from which the administrator can log in to the FortiManager system. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system.

Defaults:

ipv6_trusthost1: ::/0 for all

others: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128 for none

profileid <profile-name>

Enter the name of the access profile to assign to this administrator account (character limit = 35, default = Restricted_User). Access profiles control administrator access to FortiManager features.

adom <adom_name(s)>

Enter the name(s) of the ADOM(s) the administrator belongs to. Any configuration of ADOMs takes place via the FortiManager GUI.

dev-group <group-name>

Enter the device group that the admin user can access. This option can only be used for administrators with access to only one ADOM.

adom-exclude <adom_name(s)>

Enter the name(s) of the ADOM(s) to exclude.

web-filter <Web Filter profile name>

Enter the Web Filter profile to associate with the restricted admin profile.

Dependencies: admin user must be associated with a restricted admin profile.

ips-filter <IPS Sensor name>

Enter the IPS Sensor to associate with the restricted admin profile.

Dependencies: The admin user must be associated with a restricted admin profile.

app-filter <Application Sensor name>

Enter the Application Sensor to associate with the restricted admin profile.

Dependencies: The admin user must be associated with a restricted admin profile.

policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> | all_policy_packages}

Policy package access.

restrict-access {enable | disable}

Enable/disable restricted access to the development VDOM (dev-vdom) (default = disable).

description <string>

Enter a description for this administrator account (character limit = 127). Enclose the description in quotes if it contains spaces.

user_type {group | ldap | local | pki-auth | radius | tacacs-plus}

Select the administrator type:

  • group: The administrator is a member of an administrator group.
  • ldap: An LDAP server verifies the administrator’s password.
  • local: The FortiManager system verifies the administrator’s password (default).
  • pki-auth: The administrator uses PKI.
  • radius: A RADIUS server verifies the administrator’s password.
  • tacacs-plus: A TACACS+ server verifies the administrator’s password.

group <string>

Enter the group name.

This option is only available when user_type is group.

ldap-server <string>

Enter the LDAP server name if the user type is set to LDAP.

This option is only available when user_type is ldap.

radius_server <string>

Enter the RADIUS server name if the user type is set to RADIUS.

This option is only available when user_type is radius.

tacacs-plus-server <string>

Enter the TACACS+ server name if the user type is set to TACACS+.

This option is only available when user_type is tacacs-plus.

ssh-public-key1 <key-type> <key-value>

ssh-public-key2 <key-type> <key-value>

ssh-public-key3 <key-type> <key-value>

You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.

<key-type> is ssh-dss for a DSA key, ssh-rsa for an RSA key. ssh-dss (1024-bit DSA) has been disabled by default in OpenSSH clients since version 7.0; prefer ssh-rsa.

<key-value> is the public key string of the SSH client.

avatar <string>

Image file for the administrator's avatar (maximum 4 KB, base64 encoded).

wildcard {enable | disable}

Enable/disable wildcard remote authentication (default = disable).

ext-auth-accprofile-override {enable | disable}

Enable/disable allowing the use of the access profile provided by the remote authentication server (default = disable).

ext-auth-adom-override {enable | disable}

Enable/disable allowing the use of the ADOM provided by the remote authentication server (default = disable).

In order to support vendor specific attributes (VSA), the authentication server requires a dictionary to define which VSAs to support. The Fortinet RADIUS vendor ID is 12356. The Fortinet-Vdom-Name attribute is used by this command.
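The Access-Accept attributes this override relies on, as an added example (not Fortinet's code and not part of the reference): it encodes and parses RFC 2865 Vendor-Specific attributes (type 26) that carry the Fortinet vendor ID, so you can see exactly what the RADIUS server must emit and how a strict receiver validates the lengths. The vendor-type numbers (Fortinet-Group-Name = 1, Fortinet-Vdom-Name = 3, Fortinet-Access-Profile = 6) are taken from FreeRADIUS's dictionary.fortinet and are an assumption to verify against the dictionary your server actually loads; all function names are the example's own.

```python
"""Encode/decode RFC 2865 Vendor-Specific (type 26) attributes carrying Fortinet VSAs.

Added example, not Fortinet code. Vendor-type numbers follow FreeRADIUS's
dictionary.fortinet (assumption: check them against the dictionary your
RADIUS server loads).
"""
import struct

ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356  # Fortinet's IANA enterprise number

FORTINET_VSA = {  # name -> vendor-type (assumed from dictionary.fortinet)
    "Fortinet-Group-Name": 1,
    "Fortinet-Vdom-Name": 3,       # FortiManager reads this as the ADOM name
    "Fortinet-Access-Profile": 6,
}
VSA_NAME_BY_TYPE = {v: k for k, v in FORTINET_VSA.items()}


def encode_fortinet_vsa(name: str, value: str) -> bytes:
    """One attribute: Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | String."""
    payload = value.encode("utf-8")
    vendor_len = 2 + len(payload)           # vendor sub-header plus value
    total_len = 2 + 4 + vendor_len          # outer header plus vendor id plus sub-attribute
    if total_len > 255:
        raise ValueError("RADIUS attribute length field is one byte; value too long")
    header = struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, total_len,
                         FORTINET_VENDOR_ID, FORTINET_VSA[name], vendor_len)
    return header + payload


def decode_fortinet_vsas(attrs: bytes) -> list[tuple[str, str]]:
    """Walk an attribute list; return Fortinet VSAs in order, skipping everything else.

    Malformed lengths raise rather than being skipped, so a truncated or
    crafted Access-Accept is never partially trusted.
    """
    found: list[tuple[str, str]] = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("attribute length out of range")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 6:
            continue                         # not a VSA, or no room for a sub-attribute
        if struct.unpack("!I", body[:4])[0] != FORTINET_VENDOR_ID:
            continue                         # another vendor's VSA
        j = 4                                # several sub-attributes may share one VSA
        while j < len(body):
            if j + 2 > len(body):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("vendor sub-attribute length out of range")
            name = VSA_NAME_BY_TYPE.get(vtype, f"Fortinet-Unknown-{vtype}")
            found.append((name, body[j + 2:j + vlen].decode("utf-8", "replace")))
            j += vlen
    return found


def access_accept_attributes(adom: str, profile: str) -> bytes:
    """Attributes a RADIUS server adds to Access-Accept so that an admin with
    ext-auth-adom-override and ext-auth-accprofile-override enabled lands in
    the given ADOM with the given access profile."""
    return (encode_fortinet_vsa("Fortinet-Vdom-Name", adom)
            + encode_fortinet_vsa("Fortinet-Access-Profile", profile))
```

`encode_fortinet_vsa("Fortinet-Vdom-Name", "ADOM_A")` yields the 14-byte attribute `1a 0e 00 00 30 44 03 08 41 44 4f 4d 5f 41`: 0x3044 is 12356, 0x03 the assumed Fortinet-Vdom-Name type and 0x08 the sub-attribute length. The decoder deliberately refuses inconsistent length fields instead of ignoring them, which is the behaviour you want from anything that turns an authentication reply into an ADOM or profile assignment.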

ext-auth-group-match <string>

Only admin users that belong to this group are allowed to log in.

password-expire <yyyy-mm-dd>

When enforcing the password policy, enter the date that the current password will expire.

force-password-change {enable | disable}

Enable/disable force password change on next log in.

subject <string>

PKI user certificate name constraints.

This command is available when a PKI administrator account is configured.

ca <string>

PKI user certificate CA (CA name in local).

This command is available when a PKI administrator account is configured.

two-factor-auth {enable | disable}

Enable/disable two-factor authentication (certificate + password) (default = disable).

This command is available when a PKI administrator account is configured.

rpc-permit {none | read-only | read-write}

Set the permission level for log in via Remote Procedure Call (RPC) (default = none).

last-name <string>

Administrator's last name (character limit = 63).

first-name <string>

Administrator's first name (character limit = 63).

email-address <string>

Administrator's email address.

phone-number <string>

Administrator's phone number.

mobile-number <string>

Administrator's mobile phone number.

pager-number <string>

Administrator's pager number.

Variables for config meta-data subcommand:

This subcommand can only change the value of an existing field. To create a new metadata field, use the config system metadata command.

fieldname

The label/name of the field (read-only). Enclose the name in quotes if it contains spaces.

fieldlength

The maximum number of characters allowed for this field (read-only, default = 50).

fieldvalue <string>

Enter a pre-determined value for the field. This is the only value that can be changed with the config meta-data subcommand (character limit = 255).

importance

Indicates whether the field is compulsory (required) or optional (optional) (read-only, default = optional).

status

The status of the field (read-only, default = enable).

Variables for config dashboard-tabs subcommand:

tabid <integer>

Tab ID.

name <string>

Tab name.

Variables for config dashboard subcommand:

moduleid

Widget ID.

name <string>

Widget name (character limit = 63).

column <column_pos>

Widget column ID (default = 0).

diskio-content-type {blks | iops | util}

Set the Disk I/O Monitor widget's chart type.

  • blks: the amount of data of I/O requests.
  • iops: the number of I/O requests.
  • util: bandwidth utilization (default).

diskio-period {1hour | 24hour | 8hour}

Set the Disk I/O Monitor widget's data period (default = 1hour).

refresh-inverval <integer>

Widget refresh interval (default = 300).

status {close | open}

Widget opened/closed status (default = open).

tabid <integer>

ID of the tab where the widget is displayed (default = 0).

widget-type <string>

Widget type:

  • alert: Alert Message Console
  • devsummary: Device Summary
  • disk-io: Disk I/O
  • jsconsole: CLI Console
  • licinfo: License Information
  • log-rcvd-fwd: Receive Rate vs Forwarding Rate
  • logdb-lag: Log Insert Lag Time
  • logdb-perf: Insert Rate vs Receive Rate
  • logrecv: Logs/Data Received (this widget has been deprecated)
  • raid: Disk Monitor
  • rpteng: Report Engine (this widget has been deprecated)
  • statistics: Statistics (this widget has been deprecated)
  • sysinfo: System Information
  • sysop: Unit Operation
  • sysres: System Resources
  • top-lograte: Log Receive Monitor

log-rate-type {device | log}

Log receive monitor widget’s statistics breakdown options (default = device).

log-rate-topn {1 | 2 | 3 | 4 | 5}

Log receive monitor widget’s number of top items to display (default = 5).

log-rate-period {1hour | 2min | 6hours}

Log receive monitor widget’s data period (default = 2min).

res-view-type {history | real-time}

Widget’s data view type (default = history).

res-period {10min | day | hour}

Widget data period:

  • 10min: Last 10 minutes (default).
  • day: Last day.
  • hour: Last hour.

res-cpu-display {average | each}

Widget CPU display type:

  • average: Average usage of CPU (default).
  • each: Each usage of CPU.

num-entries <integer>

Number of entries (default = 10).

time-period {1hour | 24hour | 8hour}

Set the Log Database Monitor widget's data period (default = 1hour).

Variable for config restrict-dev-vdom subcommand:

dev-vdom <string>

Enter device or VDOM to edit.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect from one of the subnets you specify. You can even restrict an administrator to a single IPv4 address by defining only one trusted host IPv4 address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiManager system does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the GUI and to the CLI when accessed through SSH. CLI access through the console connector is not affected.

Example

Use the following commands to add a new administrator account named admin_2 with the password set to p8ssw0rd and the Super_User access profile. Administrators that log in to this account will have administrator access to the FortiManager system from any IPv4 address.

config system admin user

edit admin_2

set description "Backup administrator"

set password p8ssw0rd

set profileid Super_User

end
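A check for the situation described under Using trusted hosts (one unrestricted administrator opens the unit to every source address) and for the admin setting values a reviewer looks at first (admin-https-redirect, shell-access, idle_timeout), as an added example that is not Fortinet's code and not part of the reference. It includes a small parser for the config/edit/set/next/end dump format and runs the audit over two constructed dumps: a weak one in the shape of the admin_2 example above, and its hardened counterpart. An attribute absent from a dump is treated as being at the default given in the tables above, which is why an account with only trusthost1 set is still reported as open over IPv6 (ipv6_trusthost1 stays at ::/0). The sample dumps, the MAX_IDLE_MINUTES threshold and all function names are this example's own assumptions.

```python
# Added example (not Fortinet code): audit a 'config system admin' dump for admins
# open to any source address and for weak admin settings. Defaults mirror the
# reference tables; MAX_IDLE_MINUTES is an assumed local policy value.
import shlex

# Constructed sample dump (not from a real device); it deliberately contains weak settings.
WEAK_CONFIG = """\
config system admin setting
    set admin-https-redirect disable
    set shell-access enable
    set idle_timeout 480
end
config system admin user
    edit "admin"
        set profileid "Super_User"
    next
    edit "admin_2"
        set description "Backup administrator"
        set profileid "Super_User"
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 203.0.113.7 255.255.255.255
    next
end
"""

# The corrected form: safe settings and trusted hosts on both address families.
HARDENED_CONFIG = """\
config system admin setting
    set admin-https-redirect enable
    set shell-access disable
    set idle_timeout 15
end
config system admin user
    edit "admin"
        set profileid "Super_User"
        set trusthost1 10.0.0.0 255.255.255.0
        set ipv6_trusthost1 2001:db8:10::/64
    next
end
"""

SETTING_DEFAULTS = {"admin-https-redirect": "enable", "shell-access": "disable", "idle_timeout": "15"}
SAFE_VALUES = {"admin-https-redirect": "enable", "shell-access": "disable"}
ANY_V4, ANY_V6 = "0.0.0.0 0.0.0.0", "::/0"   # slot-1 defaults: every source address admitted
MAX_IDLE_MINUTES = 15                          # assumed local policy


def parse_config(text: str) -> dict:
    """Nest config/edit/set/next/end blocks into dicts; 'end' also closes an edit left open."""
    root: dict = {}
    stack = [("config", root)]               # (block kind, dict being filled)
    for line in text.splitlines():
        words = shlex.split(line)            # honours quoted values such as "Backup administrator"
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            stack.append((kw, stack[-1][1].setdefault(" ".join(args), {})))
        elif kw == "set":
            stack[-1][1][args[0]] = " ".join(args[1:])   # keeps "addr mask" pairs as one value
        elif kw == "next":
            if stack[-1][0] != "edit":
                raise ValueError("'next' outside an edit block")
            stack.pop()
        elif kw == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if len(stack) == 1:
                raise ValueError("'end' without an open config block")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def open_to_any_source(user: dict, prefix: str, any_host: str) -> bool:
    """True if slot 1 is absent (left at its wide-open default) or any slot names the any-host value."""
    if f"{prefix}1" not in user:
        return True
    return any(user.get(f"{prefix}{n}") == any_host for n in range(1, 11))


def audit(text: str) -> list[tuple[str, str]]:
    """Return (subject, issue) pairs; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings: list[tuple[str, str]] = []
    setting = {**SETTING_DEFAULTS, **cfg.get("system admin setting", {})}
    for key, safe in SAFE_VALUES.items():
        if setting[key] != safe:
            findings.append(("setting", f"{key} is {setting[key]}, expected {safe}"))
    if int(setting["idle_timeout"]) > MAX_IDLE_MINUTES:
        findings.append(("setting", f"idle_timeout {setting['idle_timeout']} min exceeds {MAX_IDLE_MINUTES}"))
    for name, user in cfg.get("system admin user", {}).items():
        subject = f"user {name} ({user.get('profileid', 'Restricted_User')})"
        if open_to_any_source(user, "trusthost", ANY_V4):
            findings.append((subject, "IPv4 trusted hosts admit any source address"))
        if open_to_any_source(user, "ipv6_trusthost", ANY_V6):
            findings.append((subject, "IPv6 trusted hosts admit any source address"))
    return findings
```

Running `audit(WEAK_CONFIG)` flags the three settings, both address families for admin (no trusthost set at all) and IPv6 only for admin_2, while `audit(HARDENED_CONFIG)` returns an empty list. Feed it the output of `show system admin user` and `show system admin setting` from a real unit; the parser accepts both the dump form with `next` and the shorter `edit ... end` form used in this reference.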