Fortinet black logo

CLI Reference

Permissions

Permissions

Depending on the account that you use to log in to the FortiWeb appliance, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles control which commands and areas an administrator account can access. Access profiles assign either:

  • Read (view access)
  • Write (change and execute access)
  • Both Read and Write
  • No access

to each area of the FortiWeb software. For details about configuring the access profile for an administrator account to use, see system accprofile.

Access profile permissions

Admin Users

System > Admin ... except Settings

Web UI

admingrp

config system admin

config system accprofile

CLI
Auth Users

User ...

Web UI

authusergrp

config user ...

CLI
Log & Report

Log&Report ...

Web UI

loggrp

config log ...

execute formatlogdisk

CLI
Maintenance

System > Maintenance except System Time tab

Web UI

mntgrp

diagnose system ...

execute backup ...

execute factoryreset

execute reboot

execute restore ...

execute shutdown

diagnose system flash ...

CLI
Network Configuration

System > Network ...

Web UI

netgrp

config router ...

config system interface

config system dns

config system v-zone

diagnose network ... except sniffer ...

CLI
System Configuration

System ... except Network, Admin, and Maintenance tabs

Web UI

sysgrp

config system except accprofile, admin, dns, interface, and v-zone

diagnose hardware ...

diagnose network sniffer ...

diagnose system ... except flash ...

execute date ...

execute ha ...

execute ping ...

execute ping-option ...

execute traceroute ...

execute time ...

CLI
Server Policy Configuration

Policy > Server Policy ...

Server Objects ...

Application Delivery ...

Web UI

traroutegrp

config server-policy ... except custom-application ...

config waf file-compress-rule

config waf http-authen ...

config waf url-rewrite ...

diagnose policy ...

CLI
Web Anti-Defacement Management

Web Anti-Defacement ...

Web UI

wadgrp

config wad ...

CLI
Web Protection Configuration

Policy > Web Protection ...

Web Protection ...

DoS Protection ...

Web UI

wafgrp

config system dos-prevention

config waf except:

  • config waf file-compress-rule
  • config waf http-authen ...
  • config waf url-rewrite ...
  • config waf web-custom-robot
  • config waf web-robot
  • config waf x-forwarded-for
CLI
Web Vulnerability Scan Configuration

Web Vulnerability Scan ...

Web UI

wvsgrp

config wvs ...

CLI

* For each config command, there is an equivalent get/show command, unless otherwise noted.

config access requires write permission.

get/show access requires read permission.

Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiWeb configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.

Set a strong password for the admin administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the admin administrator account could compromise the security of your FortiWeb appliance.

For complete access to all commands, you must log in with the admin administrator account.

Permissions

Depending on the account that you use to log in to the FortiWeb appliance, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles control which commands and areas an administrator account can access. Access profiles assign either:

  • Read (view access)
  • Write (change and execute access)
  • Both Read and Write
  • No access

to each area of the FortiWeb software. For details about configuring the access profile for an administrator account to use, see system accprofile.

Access profile permissions

Admin Users

System > Admin ... except Settings

Web UI

admingrp

config system admin

config system accprofile

CLI
Auth Users

User ...

Web UI

authusergrp

config user ...

CLI
Log & Report

Log&Report ...

Web UI

loggrp

config log ...

execute formatlogdisk

CLI
Maintenance

System > Maintenance except System Time tab

Web UI

mntgrp

diagnose system ...

execute backup ...

execute factoryreset

execute reboot

execute restore ...

execute shutdown

diagnose system flash ...

CLI
Network Configuration

System > Network ...

Web UI

netgrp

config router ...

config system interface

config system dns

config system v-zone

diagnose network ... except sniffer ...

CLI
System Configuration

System ... except Network, Admin, and Maintenance tabs

Web UI

sysgrp

config system except accprofile, admin, dns, interface, and v-zone

diagnose hardware ...

diagnose network sniffer ...

diagnose system ... except flash ...

execute date ...

execute ha ...

execute ping ...

execute ping-option ...

execute traceroute ...

execute time ...

CLI
Server Policy Configuration

Policy > Server Policy ...

Server Objects ...

Application Delivery ...

Web UI

traroutegrp

config server-policy ... except custom-application ...

config waf file-compress-rule

config waf http-authen ...

config waf url-rewrite ...

diagnose policy ...

CLI
Web Anti-Defacement Management

Web Anti-Defacement ...

Web UI

wadgrp

config wad ...

CLI
Web Protection Configuration

Policy > Web Protection ...

Web Protection ...

DoS Protection ...

Web UI

wafgrp

config system dos-prevention

config waf except:

  • config waf file-compress-rule
  • config waf http-authen ...
  • config waf url-rewrite ...
  • config waf web-custom-robot
  • config waf web-robot
  • config waf x-forwarded-for
CLI
Web Vulnerability Scan Configuration

Web Vulnerability Scan ...

Web UI

wvsgrp

config wvs ...

CLI

* For each config command, there is an equivalent get/show command, unless otherwise noted.

config access requires write permission.

get/show access requires read permission.

Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiWeb configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.

Set a strong password for the admin administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the admin administrator account could compromise the security of your FortiWeb appliance.

For complete access to all commands, you must log in with the admin administrator account.