system admin

Use this command to configure FortiWeb administrator accounts. In its factory default configuration, a FortiWeb appliance has one administrator account, named admin. That administrator has permissions that grant full access to the FortiWeb configuration and firmware. After connecting to the web UI or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiWeb configuration.

Administrators can access the web UI and the CLI through the network, depending on the administrator account’s trusted hosts, ADOMs, and the administrative access protocols enabled for each of the FortiWeb appliance’s network interfaces. For details, see system interface, , and Connecting to the CLI.

To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other’s changes, enable . For details, see .

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config system admin

edit "<administrator_name>"

set accprofile "<access-profile_name>"

set accprofile-override {enable | disable}

set domains "<adom_name>"

set password "<password_str>"

set email-address "<contact_email>"

set first-name "<name_str>"

set last-name "<surname_str>"

set mobile-number "<cell-phone_str>"

set phone-number "<phone_str>"

set trusthost1 "<management-computer_ipv4mask>"

set trusthost2 "<management-computer_ipv4mask>"

set trusthost3 "<management-computer_ipv4mask>"

set ip6trusthost1 "<management-computer_ipv6mask>"

set ip6trusthost2 "<management-computer_ipv6mask>"

set ip6trusthost3 "<management-computer_ipv6mask>"

set type {local-user | remote-user}

set admin-usergroup "<remote-auth-group_name>"

set wildcard {enable | disable}

set sshkey "<sshkey_str>"

set force-password-change {enable | disable}

next

end

Variable Description Default

"<administrator_name>"

Enter the name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration.

Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 63 characters.

To display the list of existing accounts, enter:

edit ?

Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name will be passed to the server via the remote authentication query.

No default.

accprofile "<access-profile_name>"

Enter the name of an access profile that gives the permissions for this administrator account. See also system accprofile. The maximum length is 63 characters.

You can select prof_admin, a special access profile used by the admin administrator account. However, selecting this access profile will not confer all of the same permissions of the admin administrator. For example, the new administrator would not be able to reset lost administrator passwords.

To display the list of existing profiles, enter:

edit ?

Tip: Alternatively, if your administrator accounts authenticate via a RADIUS query, you can assign their access profile through the RADIUS server using RFC 2548 (http://www.ietf.org/rfc/rfc2548.txt) Microsoft Vendor-specific RADIUS Attributes.

On the RADIUS server, create an attribute named:

ATTRIBUTE FortiWeb-Access-Profile 7

then set its value to be the name of the access profile that you want to assign to this account. Finally, in the CLI, use accprofile-override {enable | disable} to enable the override.

If no access profile is assigned on the RADIUS server, or if the assigned name does not match an existing access profile on FortiWeb, FortiWeb falls back to the one locally assigned by this setting.

No default.

accprofile-override {enable | disable}

Enable to use the access profile indicated by the RADIUS query response, and ignore accprofile "<access-profile_name>".

This setting applies only if admin-usergroup "<remote-auth-group_name>" is configured to use a RADIUS query to authenticate this account.

This setting applies only if ADOMs are enabled. See .

Default: disable

domains "<adom_name>"

Enter the name of the administrative domain (ADOM) to assign this administrator account to. The account is then restricted to that ADOM.

This setting applies only if ADOMs are enabled. See .

No default.

password "<password_str>"

Enter a password for the administrator account. The maximum length is 32 characters. The minimum length is 1 character.

For improved security, the password should be at least 8 characters long, be sufficiently complex, and be changed regularly.

This setting applies only when type is local-user. For accounts defined on a remote authentication server, the FortiWeb appliance will instead query the server to verify whether the password given during a login attempt matches the account’s definition.

No default.

email-address "<contact_email>"

Enter an email address that can be used to contact this administrator. The maximum length is 63 characters. No default.

first-name "<name_str>"

Enter the first name of the administrator. The maximum length is 63 characters. No default.

last-name "<surname_str>"

Enter the surname of the administrator. The maximum length is 63 characters. No default.

mobile-number "<cell-phone_str>"

Enter a cell phone number that can be used to contact this administrator. The maximum length is 63 characters. No default.

phone-number "<phone_str>"

Enter a phone number that can be used to contact this administrator. The maximum length is 63 characters. No default.

trusthost1 "<management-computer_ipv4mask>"

Enter the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. You can specify up to three trusted hosts.

To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0. If you allow administrators to log in from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. For details about administrative access protocols, see system interface.

Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in.

Default: 0.0.0.0 0.0.0.0

trusthost2 "<management-computer_ipv4mask>"

Enter a second IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.

To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0.

Default: 0.0.0.0 0.0.0.0

trusthost3 "<management-computer_ipv4mask>"

Enter a third IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.

To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0.

Default: 0.0.0.0 0.0.0.0

ip6trusthost1 "<management-computer_ipv6mask>"

Enter the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. You can specify up to three trusted hosts.

To allow login attempts from any IP address, enter ::/0.

Caution: If you allow logins from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. Unlike IPv4, IPv6 does not isolate public from private networks via NAT, so an open IPv6 trusted host can expose your FortiWeb’s web UI/CLI to IPv6 attackers unless you have carefully configured your firewall/FortiGate and routers. For details about administrative access protocols, see system interface.

Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in.

Default: ::/0

ip6trusthost2 "<management-computer_ipv6mask>"

Enter a second IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.

To allow login attempts from any IP address, enter ::/0.

Default: ::/0

ip6trusthost3 "<management-computer_ipv6mask>"

Enter a third IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.

To allow login attempts from any IP address, enter ::/0.

Default: ::/0

type {local-user | remote-user}

Select either:

  • local-user—Authenticate this account locally, with the FortiWeb appliance itself.
  • remote-user—Authenticate this account via a remote server such as an LDAP or RADIUS server. Also configure admin-usergroup "<remote-auth-group_name>".
No default.

admin-usergroup "<remote-auth-group_name>"

Enter the name of the remote authentication group whose settings the FortiWeb appliance will use to connect to a remote authentication server when authenticating login attempts for this account. The maximum length is 63 characters.

To display the list of existing groups, enter:

edit ?

For details about configuring remote authentication groups, see user admin-usergrp.

No default.

wildcard {enable | disable}

Used when administrator accounts authenticate via a RADIUS query.

This setting applies only if the value of type {local-user | remote-user} is remote-user.

No default.

sshkey "<sshkey_str>"

The public key used for connecting to the CLI using a public-private key pair.

For more information on connecting to the CLI using a public-private key pair, see “Connecting to the CLI” in the FortiWeb Administration Guide:

http://docs.fortinet.com/fortiweb/admin-guides

No default.

force-password-change {enable | disable}

Enable to force the administrator to change the password at the next login.

This setting can be configured only when Password Policy is enabled in System > Admin > Settings.

Default: disable

Example

This example configures an administrator account with an access profile that grants only permission to read logs. This account can log in only from an IP address on the management LAN (192.0.2.1/24), or from one of two specific IP addresses (192.0.2.15 and 192.0.2.50).

config system admin
  edit "log-auditor"
    set accprofile "log_read_access"
    set password "P@ssw0rd"
    set email-address "log-admin@example.com"
    set trusthost1 "192.0.2.1 255.255.255.0"
    set trusthost2 "192.0.2.15 255.255.255.255"
    set trusthost3 "192.0.2.50 255.255.255.255"
    set force-password-change enable
  next
end


To display the settings of all administrator accounts, enter:

config system admin

show
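The following audit script is an added example, not Fortinet's code or part of this reference: it parses the account dump that show produces and flags the risks described above (trusted hosts left at the any-address default, netmasks that are not valid, prof_admin assignments, local accounts without force-password-change). The config text it reads is constructed: the page's log-auditor example (with its invalid 256.x netmask kept on purpose and no IPv6 trusted hosts set) plus a hypothetical helpdesk account.

```python
# Added example, not Fortinet's own code: audit the output of
# "config system admin" / "show" for the risks this page describes.
import ipaddress
import re

# Constructed sample in the page's syntax: the page's example account (with
# its bad 256.x netmask) plus a hypothetical, more permissive account.
SAMPLE_SHOW = """\
config system admin
    edit "log-auditor"
        set accprofile "log_read_access"
        set trusthost1 "192.0.2.1 256.256.256.0"
        set trusthost2 "192.0.2.15 255.255.255.255"
        set trusthost3 "192.0.2.50 255.255.255.255"
        set force-password-change enable
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set trusthost1 "0.0.0.0 0.0.0.0"
    next
end
"""

# "show" omits settings left at their defaults, so an absent trusthost means
# the open default documented above: login allowed from any address.
DEFAULTS = {f"trusthost{i}": "0.0.0.0 0.0.0.0" for i in (1, 2, 3)}
DEFAULTS.update({f"ip6trusthost{i}": "::/0" for i in (1, 2, 3)})

def parse_admins(text):
    """Return {account_name: {setting: value}} from a system admin block."""
    admins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "([^"]*)"$', line):
            current = admins.setdefault(m.group(1), dict(DEFAULTS))
        elif current is not None and (m := re.match(r'set (\S+) (.+)$', line)):
            current[m.group(1)] = m.group(2).strip('"')
    return admins

def trusthost_network(value):
    """Parse 'ip mask', 'ip/mask' or 'ip6/prefix'; None if not a valid network."""
    try:
        return ipaddress.ip_network(value.replace(" ", "/"), strict=False)
    except ValueError:  # e.g. a 256.256.256.0 mask is not an IPv4 netmask
        return None

def audit(admins):
    """Return (account, finding) tuples for every risky setting found."""
    findings = []
    for name, s in admins.items():
        for key in DEFAULTS:
            net = trusthost_network(s[key])
            if net is None:
                findings.append((name, f"{key} has an invalid address/netmask"))
            elif net.prefixlen == 0:
                findings.append((name, f"{key} allows login from any address"))
        if s.get("accprofile") == "prof_admin":
            findings.append((name, "uses prof_admin; prefer a least-privilege profile"))
        if s.get("type", "local-user") == "local-user" and s.get("force-password-change") != "enable":
            findings.append((name, "local account without force-password-change"))
    return findings
```

Run against a real dump, the ip6trusthost findings for log-auditor show why restricting only the IPv4 trusted hosts is not enough: the IPv6 defaults still admit any source.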

Related topics
