admin
Use the following commands to configure admin related settings.
admin group
Use this command to add, edit, and delete admin user groups.
Syntax
config system admin group
edit <name>
set <member>
end
Variable | Description
---|---
<name> | Enter the name of the group you are editing or enter a new name to create an entry. Character limit: 63
<member> | Add group members.
admin ldap
Use this command to add, edit, and delete Lightweight Directory Access Protocol (LDAP) users.
Syntax
config system admin ldap
edit <name>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set cnid <string>
set dn <string>
set port <integer>
set type {anonymous | regular | simple}
set username <string>
set password <passwd>
set memberof-attr <string>
set profile-attr <string>
set adom-attr <string>
set group <string>
set filter <string>
set attributes <filter>
set secure {disable | ldaps | starttls}
set ca-cert <string>
set connect-timeout <integer>
set adom <adom-name>
end
Variable | Description
---|---
<name> | Enter the name of the LDAP server or enter a new name to create an entry. Character limit: 63
server <string> | Enter the LDAP server domain name or IPv4 address. Enter a new name to create a new entry.
secondary-server <string> | Enter the secondary LDAP server domain name or IPv4 address. Enter a new name to create a new entry.
tertiary-server <string> | Enter the tertiary LDAP server domain name or IPv4 address. Enter a new name to create a new entry.
cnid <string> | Enter the common name identifier. Default:
dn <string> | Enter the distinguished name.
port <integer> | Enter the port number for LDAP server communication. Default:
type {anonymous \| regular \| simple} | Set a binding type. The following options are available:
username <string> | Enter a username. This variable appears only when
password <passwd> | Enter a password for the username above. This variable appears only when
memberof-attr <string> | The attribute used to retrieve memberOf.
profile-attr <string> | The attribute used to retrieve the admin profile.
adom-attr <string> | The attribute used to retrieve the ADOM.
group <string> | Enter an authorization group. The authenticating user must be a member of this group (full DN) on the server.
filter <string> | Enter content for group searching. For example: (&(objectcategory=group)(member=*)), (&(objectclass=groupofnames)(member=*)), (&(objectclass=groupofuniquenames)(uniquemember=*)), (&(objectclass=posixgroup)(memberuid=*))
attributes <filter> | Attributes used for group searching (for multiple attributes, use a comma as a separator). For example:
secure {disable \| ldaps \| starttls} | Set the SSL connection type.
ca-cert <string> | CA certificate name. This variable appears only when
connect-timeout <integer> | Set the LDAP connection timeout (msec).
adom <adom-name> | Set the ADOM name to link to the LDAP configuration.
Example
This example shows how to add the LDAP user user1 at the IPv4 address 206.205.204.203.
config system admin ldap
edit user1
set server 206.205.204.203
set dn techdoc
set type regular
set username auth1
set password auth1_pwd
set group techdoc
end
admin profile
Use this command to configure access profiles. In a newly-created access profile, no access is enabled.
Syntax
config system admin profile
edit <profile_name>
set adom-switch {none | read | read-write}
set change-password {enable | disable}
set datamask {enable | disable}
set datamask-fields <fields>
set datamask-key <passwd>
set description <text>
set device-ap {none | read | read-write}
set device-forticlient {none | read | read-write}
set device-fortiswitch {none | read | read-write}
set device-manager {none | read | read-write}
set device-op {none | read | read-write}
set device-wan-link-load-balance {none | read | read-write}
set event-management {none | read | read-write}
set log-viewer {none | read | read-write}
set realtime-monitor {none | read | read-write}
set report-viewer {none | read | read-write}
set scope {adom | global}
set system-setting {none | read | read-write}
config datamask-custom-fields
edit <field>
set field-category {alert | all | fortiview | log | euba}
set field-type {email | ip | mac | string}
next
end
admin radius
Use this command to add, edit, and delete administration RADIUS servers.
Syntax
config system admin radius
edit <server>
set auth-type {any | chap | mschap2 | pap}
set nas-ip <ipv4_address>
set port <integer>
set secondary-secret <passwd>
set secondary-server <string>
set secret <passwd>
set server <string>
end
Variable | Description
---|---
<server> | Enter the name of the RADIUS server or enter a new name to create an entry. Character limit: 63
auth-type {any \| chap \| mschap2 \| pap} | Enter the authentication protocol the RADIUS server will use.
nas-ip <ipv4_address> | Enter the network access server (NAS) IPv4 address and called station ID.
port <integer> | Enter the RADIUS server port number. Default:
secondary-secret <passwd> | Enter the password to access the RADIUS secondary server. Character limit: 64
secondary-server <string> | Enter the RADIUS secondary server DNS resolvable domain name or IPv4 address.
secret <passwd> | Enter the password to access the RADIUS server. Character limit: 64
server <string> | Enter the RADIUS server DNS resolvable domain name or IPv4 address.
Example
This example shows how to add the RADIUS server RAID1 at the IPv4 address 206.205.204.203 and set the shared secret as R1a2D3i4U5s.
config system admin radius
edit RAID1
set server 206.205.204.203
set secret R1a2D3i4U5s
end
admin setting
Use this command to configure system administration settings, including web administration ports, timeout, and language.
Syntax
config system admin setting
set access-banner {enable | disable}
set admin-https-redirect {enable | disable}
set admin-login-max <integer>
set admin_server_cert <admin_server_certificate>
set banner-message <string>
set gui-theme {aquarium | autumn | blue | city | diving | dreamy | galaxy | green | honey-bee | landscape | melongene | mountain | northern-light | purple-ink | red | skyline | snow | spring | structure-3d | succulents | summer | sunset | tree-ring | winter}
set http_port <integer>
set https_port <integer>
set idle_timeout <integer>
set objects-force-deletion {enable | disable}
set shell-access {enable | disable}
set shell-password <passwd>
set show-add-multiple {enable | disable}
set show-checkbox-in-table {enable | disable}
set show-device-import-export {enable | disable}
set show_hostname {enable | disable}
set show-log-forwarding {enable | disable}
set unreg_dev_opt {add_allow_service | add_no_service}
set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
end
Variable | Description
---|---
access-banner {enable \| disable} | Enable/disable the access banner. Default:
admin-https-redirect {enable \| disable} | Enable/disable the redirection of HTTP admin traffic to HTTPS.
admin-login-max <integer> | Set the maximum number of admin users that can be logged in at one time. Range: 1 to 256 (users)
admin_server_cert <admin_server_certificate> | Enter the name of an HTTPS server certificate to use for secure connections. FortiAnalyzer has the following certificates pre-loaded: server.crt and Fortinet_Local.
banner-message <string> | Enter a banner message. Character limit: 255
gui-theme {aquarium \| autumn \| blue \| city \| diving \| dreamy \| galaxy \| green \| honey-bee \| landscape \| melongene \| mountain \| northern-light \| purple-ink \| red \| skyline \| snow \| spring \| structure-3d \| succulents \| summer \| sunset \| tree-ring \| winter} | Set the color scheme or imagery to use for the administration GUI. Options include: Aquarium, Autumn, Blueberry, City, Diving, Dreamy, Galaxy, Kiwi, Honey Bee, Landscape, Plum, Mountain, Northern Light, Purple Ink, Cherry, Skyline, Snow, Spring, 3D Structure, Succulents, Summer, Sunset, Tree Ring, and Winter
http_port <integer> | Enter the HTTP port number for web administration. Default:
https_port <integer> | Enter the HTTPS port number for web administration. Default:
idle_timeout <integer> | Enter the idle timeout value. Default:
objects-force-deletion {enable \| disable} | Enable/disable forced deletion of objects that are in use.
shell-access {enable \| disable} | Enable/disable shell access.
shell-password <passwd> | Enter the password to use for shell access.
show-add-multiple {enable \| disable} | Enable/disable showing the Add Multiple button in the GUI.
show-checkbox-in-table {enable \| disable} | Enable/disable showing checkboxes in tables in the GUI.
show-device-import-export {enable \| disable} | Enable/disable import/export of ADOM, device, and group lists.
show_hostname {enable \| disable} | Enable/disable showing the hostname on the GUI login page (default = disable).
show-log-forwarding {enable \| disable} | Enable/disable showing the log forwarding tab in analyzer mode.
unreg_dev_opt {add_allow_service \| add_no_service} | Select the action to take when an unregistered device connects to FortiAnalyzer. The following options are available:
webadmin_language {auto_detect \| english \| japanese \| korean \| simplified_chinese \| traditional_chinese} | Enter the language to be used for web administration. The following options are available:
Use the show command to display the current configuration if it has been changed from its default value:
show system admin setting
admin tacacs
Use this command to add, edit, and delete administration TACACS+ servers.
Syntax
config system admin tacacs
edit <name>
set authen-type {ascii | auto | chap | mschap | pap}
set authorization {enable | disable}
set key <passwd>
set port <integer>
set secondary-key <passwd>
set secondary-server <string>
set server <string>
set tertiary-key <passwd>
set tertiary-server <string>
end
Variable | Description
---|---
<name> | Enter the name of the TACACS+ server or enter a new name to create an entry. Character limit: 63
authen-type {ascii \| auto \| chap \| mschap \| pap} | Choose which authentication type to use. The following options are available:
authorization {enable \| disable} | Enable/disable TACACS+ authorization. The following options are available:
key <passwd> | Key to access the server. Character limit: 128
port <integer> | Port number of the TACACS+ server. Range: 1 to 65535
secondary-key <passwd> | Key to access the secondary server. Character limit: 128
secondary-server <string> | Secondary server domain name or IPv4 address.
server <string> | The server domain name or IPv4 address.
tertiary-key <passwd> | Key to access the tertiary server. Character limit: 128
tertiary-server <string> | Tertiary server domain name or IPv4 address.
Example
This example shows how to add the TACACS+ server TAC1 at the IPv4 address 206.205.204.203 and set the key as R1a2D3i4U5s.
config system admin tacacs
edit TAC1
set server 206.205.204.203
set key R1a2D3i4U5s
end
admin user
Use this command to add, edit, and delete administrator accounts.
Use the admin account or an account with System Settings read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must include at least an access profile. The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, the default profile may change from Restricted_User. You cannot delete the admin administrator account. You cannot delete an administrator account while that user is logged on.
You can create meta-data fields for administrator accounts. These objects must be created using the FortiAnalyzer GUI. The only information you can add to the object is the value of the field (pre-determined text/numbers). For more information, see System Settings in the FortiAnalyzer Administration Guide.
Syntax
config system admin user
edit <name_str>
set password <passwd>
set change-password {enable | disable}
set trusthost1 <ipv4_mask>
set trusthost2 <ipv4_mask>
set trusthost3 <ipv4_mask>
...
set trusthost10 <ipv4_mask>
set ipv6_trusthost1 <ipv6_mask>
set ipv6_trusthost2 <ipv6_mask>
set ipv6_trusthost3 <ipv6_mask>
...
set ipv6_trusthost10 <ipv6_mask>
set profileid <profile-name>
set adom <adom_name(s)>
set dev-group <group-name>
set adom-exclude <adom_name(s)>
set policy-package <policy-package-name>
set restrict-access {enable | disable}
set description <string>
set user_type {group | ldap | local | pki-auth | radius | tacacs-plus}
set ldap-server <string>
set radius_server <string>
set tacacs-plus-server <string>
set ssh-public-key1 <key-type> <key-value>
set ssh-public-key2 <key-type> <key-value>
set ssh-public-key3 <key-type> <key-value>
set wildcard {enable | disable}
set radius-accprofile-override {enable | disable}
set radius-adom-override {enable | disable}
set radius-group-match <string>
set password-expire <yyyy-mm-dd>
set force-password-change {enable | disable}
set subject <string>
set ca <string>
set two-factor-auth {enable | disable}
set rpc-permit {enable | disable}
set last-name <string>
set first-name <string>
set email-address <string>
set phone-number <string>
set mobile-number <string>
set pager-number <string>
set avatar <string>
end
config meta-data
edit <fieldname>
set fieldlength
set fieldvalue <string>
set importance
set status
end
end
config dashboard-tabs
edit tabid <integer>
set name <string>
end
end
config dashboard
edit moduleid
set name <string>
set column <column_pos>
set diskio-content-type
set diskio-period {1hour | 24hour | 8hour}
set refresh-inverval <integer>
set status {close | open}
set tabid <integer>
set widget-type <string>
set log-rate-type {device | log}
set log-rate-topn {1 | 2 | 3 | 4 | 5}
set log-rate-period {1hour | 2min | 6hours}
set res-view-type {history | real-time}
set res-period {10min | day | hour}
set res-cpu-display {average | each}
set num-entries <integer>
set time-period {1hour | 24hour | 8hour}
end
end
config restrict-dev-vdom
edit dev-vdom <string>
end
end
Using trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IPv4 address if you define only one trusted host IPv4 address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the FortiAnalyzer system does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.
The trusted hosts you define apply both to the GUI and to the CLI when accessed through SSH. CLI access through the console connector is not affected.
Example
Use the following commands to add a new administrator account named admin_2 with the password set to p8ssw0rd and the Super_User access profile. Administrators that log in to this account will have administrator access to the FortiAnalyzer system from any IPv4 address.
config system admin user
edit admin_2
set description "Backup administrator"
set password p8ssw0rd
set profileid Super_User
end
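As an added example, not part of the FortiAnalyzer documentation, the following Python script audits a saved "show system admin user" listing for accounts that are left unrestricted, the situation the trusted-hosts section above warns about (the admin_2 account just created is one such account). It assumes trusted hosts are stored as "set trusthostN <address> <netmask>" lines and runs on a constructed sample, not output captured from a device.

```python
import ipaddress
import re

# Constructed sample in the shape of `show system admin user` output
# (not captured from a real device); passwords are omitted on purpose.
SAMPLE_ADMIN_CONFIG = """\
config system admin user
    edit "admin"
        set profileid "Super_User"
        set trusthost1 10.10.1.0 255.255.255.0
        set trusthost2 192.0.2.10 255.255.255.255
    next
    edit "admin_2"
        set description "Backup administrator"
        set profileid "Super_User"
    next
    edit "auditor"
        set profileid "Standard_User"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
# Assumed format: "set trusthost<N> <address> <netmask>"
TRUSTHOST_RE = re.compile(r'^set trusthost\d+\s+(\S+)\s+(\S+)$')


def parse_admin_users(text):
    """Map each admin account name to the IPv4 networks of its trusthostN entries."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("next", "end"):
            current = None
            continue
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = []
            continue
        m = TRUSTHOST_RE.match(line)
        if m and current is not None:
            # ipaddress accepts "address/dotted-netmask"; strict=False tolerates host bits
            users[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return users


def unrestricted_admins(users):
    """Accounts reachable from any IPv4 address: no trusted host at all, or a 0.0.0.0/0 entry."""
    return sorted(name for name, nets in users.items()
                  if not nets or any(net.prefixlen == 0 for net in nets))


if __name__ == "__main__":
    print("unrestricted admins:", unrestricted_admins(parse_admin_users(SAMPLE_ADMIN_CONFIG)))
```

A /32 entry (netmask 255.255.255.255) appears as a single-address network, matching the page's note on pinning an administrator to one IPv4 address.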