```
config system admin
    Description: Configure admin users.
    edit <name>
        set wildcard [enable|disable]
        set remote-auth [enable|disable]
        set remote-group {string}
        set password {password-2}
        set peer-auth [enable|disable]
        set peer-group {string}
        set trusthost1 {ipv4-classnet}
        set trusthost2 {ipv4-classnet}
        set trusthost3 {ipv4-classnet}
        set trusthost4 {ipv4-classnet}
        set trusthost5 {ipv4-classnet}
        set trusthost6 {ipv4-classnet}
        set trusthost7 {ipv4-classnet}
        set trusthost8 {ipv4-classnet}
        set trusthost9 {ipv4-classnet}
        set trusthost10 {ipv4-classnet}
        set ip6-trusthost1 {ipv6-prefix}
        set ip6-trusthost2 {ipv6-prefix}
        set ip6-trusthost3 {ipv6-prefix}
        set ip6-trusthost4 {ipv6-prefix}
        set ip6-trusthost5 {ipv6-prefix}
        set ip6-trusthost6 {ipv6-prefix}
        set ip6-trusthost7 {ipv6-prefix}
        set ip6-trusthost8 {ipv6-prefix}
        set ip6-trusthost9 {ipv6-prefix}
        set ip6-trusthost10 {ipv6-prefix}
        set accprofile {string}
        set allow-remove-admin-session [enable|disable]
        set comments {var-string}
        set vdom <name1>, <name2>, ...
        set ssh-public-key1 {user}
        set ssh-public-key2 {user}
        set ssh-public-key3 {user}
        set ssh-certificate {string}
        set schedule {string}
        set accprofile-override [enable|disable]
        set radius-vdom-override [enable|disable]
        set password-expire {user}
        set force-password-change [enable|disable]
        set two-factor [disable|fortitoken|...]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-notification [email|sms]
        set fortitoken {string}
        set email-to {string}
        set sms-server [fortiguard|custom]
        set sms-custom-server {string}
        set sms-phone {string}
        set guest-auth [disable|enable]
        set guest-usergroups <name1>, <name2>, ...
        set guest-lang {string}
    next
end
```

Parameter Name | Description | Type | Size |
---|---|---|---|
wildcard | Enable/disable wildcard RADIUS authentication. enable: Enable username wildcard. disable: Disable username wildcard. | option | - |
remote-auth | Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server. enable: Enable remote authentication. disable: Disable remote authentication. | option | - |
remote-group | User group name used for remote auth. | string | Maximum length: 35 |
password | Admin user password. | password-2 | Not Specified |
peer-auth | Set to enable peer certificate authentication (for HTTPS admin access). enable: Enable peer. disable: Disable peer. | option | - |
peer-group | Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access). | string | Maximum length: 35 |
trusthost1 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost2 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost3 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost4 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost5 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost6 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost7 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost8 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost9 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
trusthost10 | Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address. | ipv4-classnet | Not Specified |
ip6-trusthost1 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost2 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost3 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost4 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost5 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost6 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost7 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost8 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost9 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
ip6-trusthost10 | Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address. | ipv6-prefix | Not Specified |
accprofile | Access profile for this administrator. Access profiles control administrator access to FortiGate features. | string | Maximum length: 35 |
allow-remove-admin-session | Enable/disable allow admin session to be removed by privileged admin users. enable: Enable allow-remove option. disable: Disable allow-remove option. | option | - |
comments | Comment. | var-string | Maximum length: 255 |
vdom <name> | Virtual domain(s) that the administrator can access. Virtual domain name. | string | Maximum length: 79 |
ssh-public-key1 | Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. | user | Not Specified |
ssh-public-key2 | Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. | user | Not Specified |
ssh-public-key3 | Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application. | user | Not Specified |
ssh-certificate | Select the certificate to be used by the FortiGate for authentication with an SSH client. | string | Maximum length: 35 |
schedule | Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions. | string | Maximum length: 35 |
accprofile-override | Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access. enable: Enable access profile override. disable: Disable access profile override. | option | - |
radius-vdom-override | Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access. enable: Enable VDOM override. disable: Disable VDOM override. | option | - |
password-expire | Password expire time. | user | Not Specified |
force-password-change | Enable/disable force password change on next login. enable: Enable force password change on next login. disable: Disable force password change on next login. | option | - |
two-factor | Enable/disable two-factor authentication. disable: Disable two-factor authentication. fortitoken: Use FortiToken or FortiToken mobile two-factor authentication. fortitoken-cloud: FortiToken Cloud Service. email: Send a two-factor authentication code to the configured email-to email address. sms: Send a two-factor authentication code to the configured sms-server and sms-phone. | option | - |
two-factor-authentication | Authentication method by FortiToken Cloud. fortitoken: FortiToken authentication. email: Email one time password. sms: SMS one time password. | option | - |
two-factor-notification | Notification method for user activation by FortiToken Cloud. email: Email notification for activation code. sms: SMS notification for activation code. | option | - |
fortitoken | This administrator's FortiToken serial number. | string | Maximum length: 16 |
email-to | This administrator's email address. | string | Maximum length: 63 |
sms-server | Send SMS messages using the FortiGuard SMS server or a custom server. fortiguard: Send SMS by FortiGuard. custom: Send SMS by custom server. | option | - |
sms-custom-server | Custom SMS server to send SMS messages to. | string | Maximum length: 35 |
sms-phone | Phone number on which the administrator receives SMS messages. | string | Maximum length: 15 |
guest-auth | Enable/disable guest authentication. disable: Disable guest authentication. enable: Enable guest authentication. | option | - |
guest-usergroups <name> | Select guest user groups. | string | Maximum length: 79 |
guest-lang | Guest management portal language. | string | Maximum length: 35 |
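
An added example, not part of the original reference: a Python audit of a `config system admin` block that flags administrators still on the defaults the table describes (any IPv4 source address, `two-factor` set to `disable`, no `schedule`). The sample configuration is constructed, only the IPv4 `trusthostN` options are checked, and treating an absent `set` line as the default value is an assumption about how the configuration was exported.

```python
import ipaddress
import re

# Constructed sample; admin names, addresses and the schedule name are placeholders.
SAMPLE_CONFIG = '''
config system admin
    edit "netops"
        set trusthost1 192.0.2.0 255.255.255.0
        set two-factor fortitoken
        set schedule "business-hours"
    next
    edit "backup-admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "helpdesk"
        set trusthost1 198.51.100.10 255.255.255.255
        set two-factor disable
    next
end
'''

def parse_admins(text):
    """Return {admin name: {option: value}} for each edit ... next entry."""
    admins, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        entry = re.match(r'edit\s+"?([^"]+)"?$', line)
        if entry:
            current = admins.setdefault(entry.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, *rest = line.split(None, 2)
            current[key] = rest[0].strip('"') if rest else ""
    return admins

def is_unrestricted(opts):
    """True when no IPv4 trusthostN narrows the source (a /0 entry does not)."""
    for key, value in opts.items():
        if re.fullmatch(r"trusthost\d+", key):
            # "addr mask" becomes "addr/mask" so ipaddress can read the prefix.
            net = ipaddress.ip_network("/".join(value.split()), strict=False)
            if net.prefixlen > 0:
                return False
    return True

def audit(admins):
    """Map each admin to the defaults still in effect (absent option = default)."""
    findings = {}
    for name, opts in admins.items():
        checks = {
            "any-source-address": is_unrestricted(opts),
            "two-factor-disabled": opts.get("two-factor", "disable") == "disable",
            "no-login-schedule": not opts.get("schedule"),
        }
        issues = [label for label, hit in checks.items() if hit]
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(parse_admins(SAMPLE_CONFIG)))
```
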