Fortinet white logo
Fortinet white logo

CLI Reference

config system admin

config system admin

Configure admin users.

config system admin
    Description: Configure admin users.
    edit <name>
        set wildcard [enable|disable]
        set remote-auth [enable|disable]
        set remote-group {string}
        set password {password-2}
        set peer-auth [enable|disable]
        set peer-group {string}
        set trusthost1 {ipv4-classnet}
        set trusthost2 {ipv4-classnet}
        set trusthost3 {ipv4-classnet}
        set trusthost4 {ipv4-classnet}
        set trusthost5 {ipv4-classnet}
        set trusthost6 {ipv4-classnet}
        set trusthost7 {ipv4-classnet}
        set trusthost8 {ipv4-classnet}
        set trusthost9 {ipv4-classnet}
        set trusthost10 {ipv4-classnet}
        set ip6-trusthost1 {ipv6-prefix}
        set ip6-trusthost2 {ipv6-prefix}
        set ip6-trusthost3 {ipv6-prefix}
        set ip6-trusthost4 {ipv6-prefix}
        set ip6-trusthost5 {ipv6-prefix}
        set ip6-trusthost6 {ipv6-prefix}
        set ip6-trusthost7 {ipv6-prefix}
        set ip6-trusthost8 {ipv6-prefix}
        set ip6-trusthost9 {ipv6-prefix}
        set ip6-trusthost10 {ipv6-prefix}
        set accprofile {string}
        set allow-remove-admin-session [enable|disable]
        set comments {var-string}
        set hidden {integer}
        config vdom
            Description: Virtual domain(s) that the administrator can access.
            edit <name>
            next
        end
        set ssh-public-key1 {user}
        set ssh-public-key2 {user}
        set ssh-public-key3 {user}
        set ssh-certificate {string}
        set schedule {string}
        set accprofile-override [enable|disable]
        set radius-vdom-override [enable|disable]
        set password-expire {user}
        set force-password-change [enable|disable]
        set two-factor [disable|fortitoken|...]
        set fortitoken {string}
        set email-to {string}
        set sms-server [fortiguard|custom]
        set sms-custom-server {string}
        set sms-phone {string}
        set guest-auth [disable|enable]
        config guest-usergroups
            Description: Select guest user groups.
            edit <name>
            next
        end
        set guest-lang {string}
    next
end

config system admin

Parameter

Description

Type

Size

wildcard

Enable/disable wildcard RADIUS authentication.

option

-

Option

Description

enable

Enable username wildcard.

disable

Disable username wildcard.

remote-auth

Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.

option

-

Option

Description

enable

Enable remote authentication.

disable

Disable remote authentication.

remote-group

User group name used for remote auth.

string

Maximum length: 35

password

Admin user password.

password-2

Not Specified

peer-auth

Set to enable peer certificate authentication (for HTTPS admin access).

option

-

Option

Description

enable

Enable peer.

disable

Disable peer.

peer-group

Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access).

string

Maximum length: 35

trusthost1

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost2

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost3

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost4

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost5

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost6

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost7

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost8

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost9

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost10

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

ip6-trusthost1

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost2

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost3

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost4

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost5

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost6

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost7

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost8

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost9

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost10

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

accprofile

Access profile for this administrator. Access profiles control administrator access to FortiProxy features.

string

Maximum length: 35

allow-remove-admin-session

Enable/disable allow admin session to be removed by privileged admin users.

option

-

Option

Description

enable

Enable allow-remove option.

disable

Disable allow-remove option.

comments

Comment.

var-string

Maximum length: 255

hidden

Admin user hidden attribute.

integer

Minimum value: 0 Maximum value: 255

ssh-public-key1

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key2

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key3

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-certificate

Select the certificate to be used by the FortiProxy for authentication with an SSH client.

string

Maximum length: 35

schedule

Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

string

Maximum length: 35

accprofile-override

Enable to use the name of an access profile provided by the remote authentication server to control the FortiProxy features that this administrator can access.

option

-

Option

Description

enable

Enable access profile override.

disable

Disable access profile override.

radius-vdom-override

Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.

option

-

Option

Description

enable

Enable VDOM override.

disable

Disable VDOM override.

password-expire

Password expire time.

user

Not Specified

force-password-change

Enable/disable force password change on next login.

option

-

Option

Description

enable

Enable force password change on next login.

disable

Disable force password change on next login.

two-factor

Enable/disable two-factor authentication.

option

-

Option

Description

disable

Disable two-factor authentication.

fortitoken

Use FortiToken or FortiToken mobile two-factor authentication.

email

Send a two-factor authentication code to the configured email-to email address.

sms

Send a two-factor authentication code to the configured sms-server and sms-phone.

fortitoken

This administrator's FortiToken serial number.

string

Maximum length: 16

email-to

This administrator's email address.

string

Maximum length: 63

sms-server

Send SMS messages using the FortiGuard SMS server or a custom server.

option

-

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Custom SMS server to send SMS messages to.

string

Maximum length: 35

sms-phone

Phone number on which the administrator receives SMS messages.

string

Maximum length: 15

guest-auth

Enable/disable guest authentication.

option

-

Option

Description

disable

Disable guest authentication.

enable

Enable guest authentication.

guest-lang

Guest management portal language.

string

Maximum length: 35

config system admin

config system admin

Configure admin users.

config system admin
    Description: Configure admin users.
    edit <name>
        set wildcard [enable|disable]
        set remote-auth [enable|disable]
        set remote-group {string}
        set password {password-2}
        set peer-auth [enable|disable]
        set peer-group {string}
        set trusthost1 {ipv4-classnet}
        set trusthost2 {ipv4-classnet}
        set trusthost3 {ipv4-classnet}
        set trusthost4 {ipv4-classnet}
        set trusthost5 {ipv4-classnet}
        set trusthost6 {ipv4-classnet}
        set trusthost7 {ipv4-classnet}
        set trusthost8 {ipv4-classnet}
        set trusthost9 {ipv4-classnet}
        set trusthost10 {ipv4-classnet}
        set ip6-trusthost1 {ipv6-prefix}
        set ip6-trusthost2 {ipv6-prefix}
        set ip6-trusthost3 {ipv6-prefix}
        set ip6-trusthost4 {ipv6-prefix}
        set ip6-trusthost5 {ipv6-prefix}
        set ip6-trusthost6 {ipv6-prefix}
        set ip6-trusthost7 {ipv6-prefix}
        set ip6-trusthost8 {ipv6-prefix}
        set ip6-trusthost9 {ipv6-prefix}
        set ip6-trusthost10 {ipv6-prefix}
        set accprofile {string}
        set allow-remove-admin-session [enable|disable]
        set comments {var-string}
        set hidden {integer}
        config vdom
            Description: Virtual domain(s) that the administrator can access.
            edit <name>
            next
        end
        set ssh-public-key1 {user}
        set ssh-public-key2 {user}
        set ssh-public-key3 {user}
        set ssh-certificate {string}
        set schedule {string}
        set accprofile-override [enable|disable]
        set radius-vdom-override [enable|disable]
        set password-expire {user}
        set force-password-change [enable|disable]
        set two-factor [disable|fortitoken|...]
        set fortitoken {string}
        set email-to {string}
        set sms-server [fortiguard|custom]
        set sms-custom-server {string}
        set sms-phone {string}
        set guest-auth [disable|enable]
        config guest-usergroups
            Description: Select guest user groups.
            edit <name>
            next
        end
        set guest-lang {string}
    next
end

config system admin

Parameter

Description

Type

Size

wildcard

Enable/disable wildcard RADIUS authentication.

option

-

Option

Description

enable

Enable username wildcard.

disable

Disable username wildcard.

remote-auth

Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.

option

-

Option

Description

enable

Enable remote authentication.

disable

Disable remote authentication.

remote-group

User group name used for remote auth.

string

Maximum length: 35

password

Admin user password.

password-2

Not Specified

peer-auth

Set to enable peer certificate authentication (for HTTPS admin access).

option

-

Option

Description

enable

Enable peer.

disable

Disable peer.

peer-group

Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access).

string

Maximum length: 35

trusthost1

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost2

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost3

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost4

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost5

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost6

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost7

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost8

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost9

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

trusthost10

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

ip6-trusthost1

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost2

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost3

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost4

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost5

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost6

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost7

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost8

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost9

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

ip6-trusthost10

Any IPv6 address from which the administrator can connect to the FortiProxy unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

accprofile

Access profile for this administrator. Access profiles control administrator access to FortiProxy features.

string

Maximum length: 35

allow-remove-admin-session

Enable/disable allow admin session to be removed by privileged admin users.

option

-

Option

Description

enable

Enable allow-remove option.

disable

Disable allow-remove option.

comments

Comment.

var-string

Maximum length: 255

hidden

Admin user hidden attribute.

integer

Minimum value: 0 Maximum value: 255

ssh-public-key1

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key2

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key3

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-certificate

Select the certificate to be used by the FortiProxy for authentication with an SSH client.

string

Maximum length: 35

schedule

Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

string

Maximum length: 35

accprofile-override

Enable to use the name of an access profile provided by the remote authentication server to control the FortiProxy features that this administrator can access.

option

-

Option

Description

enable

Enable access profile override.

disable

Disable access profile override.

radius-vdom-override

Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.

option

-

Option

Description

enable

Enable VDOM override.

disable

Disable VDOM override.

password-expire

Password expire time.

user

Not Specified

force-password-change

Enable/disable force password change on next login.

option

-

Option

Description

enable

Enable force password change on next login.

disable

Disable force password change on next login.

two-factor

Enable/disable two-factor authentication.

option

-

Option

Description

disable

Disable two-factor authentication.

fortitoken

Use FortiToken or FortiToken mobile two-factor authentication.

email

Send a two-factor authentication code to the configured email-to email address.

sms

Send a two-factor authentication code to the configured sms-server and sms-phone.

fortitoken

This administrator's FortiToken serial number.

string

Maximum length: 16

email-to

This administrator's email address.

string

Maximum length: 63

sms-server

Send SMS messages using the FortiGuard SMS server or a custom server.

option

-

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

sms-custom-server

Custom SMS server to send SMS messages to.

string

Maximum length: 35

sms-phone

Phone number on which the administrator receives SMS messages.

string

Maximum length: 15

guest-auth

Enable/disable guest authentication.

option

-

Option

Description

disable

Disable guest authentication.

enable

Enable guest authentication.

guest-lang

Guest management portal language.

string

Maximum length: 35