admin
Use the following commands to configure admin related settings.
admin group
Use this command to add, edit, and delete admin user groups.
Syntax
config system admin group
edit <name>
set member <string>
end
Variable |
Description |
---|---|
<name> |
Enter the name of the group you are editing or enter a new name to create an entry (character limit = 63). |
member <string> |
Add group members. |
admin ldap
Use this command to add, edit, and delete Lightweight Directory Access Protocol (LDAP) users.
Syntax
config system admin ldap
edit <server>
set adom-attr <string>
set adom <adom-name>
set attributes <filter>
set ca-cert <string>
set cnid <string>
set connect-timeout <integer>
set dn <string>
set filter <string>
set group <string>
set memberof-attr <string>
set password <passwd>
set port <integer>
set profile-attr <string>
set secondary-server <string>
set secure {disable | ldaps | starttls}
set server <string>
set tertiary-server <string>
set type {anonymous | regular | simple}
set username <string>
end
Variable |
Description |
---|---|
<server> |
Enter the name of the LDAP server or enter a new name to create an entry (character limit = 63). |
adom-attr <string> |
The attribute used to retrieve ADOM. |
adom <adom-name> |
Set the ADOM name to link to the LDAP configuration. |
attributes <filter> |
Attributes used for group searching (for multi-attributes, a use comma as a separator). For example:
|
ca-cert <string> |
CA certificate name. This variable appears only when |
cnid <string> |
Enter the common name identifier (character limit = 20, default = cn). |
connect-timeout <integer> |
Set the LDAP connection timeout, in milliseconds (default = 500). |
dn <string> |
Enter the distinguished name. |
filter <string> |
Enter content for group searching. For example: (&(objectcategory=group)(member=*)) (&(objectclass=groupofnames)(member=*)) (&(objectclass=groupofuniquenames)(uniquemember=*)) (&(objectclass=posixgroup)(memberuid=*)) |
group <string> |
Enter an authorization group. The authentication user must be a member of this group (full DN) on the server. |
memberof-attr <string> |
The attribute used to retrieve memeberof. |
password <passwd> |
Enter a password for the username above. This variable appears only when |
port <integer> |
Enter the port number for LDAP server communication (1 - 65535, default = 389). |
profile-attr <string> |
The attribute used to retrieve admin profile. |
secondary-server <string> |
Enter the secondary LDAP server domain name or IPv4 address. Enter a new name to create a new entry. |
secure {disable | ldaps | starttls} |
Set the SSL connection type:
|
server <string> |
Enter the LDAP server domain name or IPv4 address. Enter a new name to create a new entry. |
tertiary-server <string> |
Enter the tertiary LDAP server domain name or IPv4 address. Enter a new name to create a new entry. |
type {anonymous | regular | simple} |
Set a binding type:
|
username <string> |
Enter a username. This variable appears only when |
Example
This example shows how to add the LDAP user user1
at the IPv4 address 206.205.204.203
.
config system admin ldap
edit user1
set server 206.205.204.203
set dn techdoc
set type regular
set username auth1
set password auth1_pwd
set group techdoc
end
admin profile
Use this command to configure access profiles. In a newly-created access profile, no access is enabled. Setting an option to none
hides it from administrators with that profile assigned.
Syntax
config system admin profile
edit <profile_name>
set adom-lock {none | read | read-write}
set adom-switch {none | read | read-write}
set change-password {enable | disable}
set datamask {enable | disable}
set datamask-custom-priority {enable | disable}
set datamask-fields <fields>
set datamask-key <passwd>
set description <text>
set device-ap {none | read | read-write}
set device-forticlient {none | read | read-write}
set device-fortiswitch {none | read | read-write}
set device-manager {none | read | read-write}
set device-op {none | read | read-write}
set device-policy-package-lock {none | read | read-write}
set device-wan-link-load-balance {none | read | read-write}
set event-management {none | read | read-write}
set fortirecorder-setting {none | read | read-write}
set log-viewer {none | read | read-write}
set realtime-monitor {none | read | read-write}
set report-viewer {none | read | read-write}
set scope {adom | global}
set system-setting {none | read | read-write}
config datamask-custom-fields
edit <field>
set field-category {alert | all | fortiview | log | euba}
set field-status {enable | disable}
set field-type {email | ip | mac | string}
next
end
Variable |
Description |
---|---|
<profile> |
Edit the access profile. Enter a new name to create a new profile (character limit = 35). The pre-defined access profiles are Super_User, Standard_User, and Restricted_User. |
adom-lock {none | read | read-write} |
Configure ADOM locking permissions for profile:
Controlled functions: ADOM locking. Dependencies: |
adom-switch {none | read | read-write} |
Configure administrative domain (ADOM) permissions for this profile. Controlled functions: ADOM settings in DVM, ADOM settings in All ADOMs page (under System Settings tab) Dependencies: If |
change-password {enable | disable} |
Enable/disable allowing restricted users to change their password (default = disable). |
datamask {enable | disable} |
Enable/disable data masking (default = disable). |
datamask-custom-priority {enable | disable} |
Enable/disable custom field search priority. |
datamask-fields <fields> |
Enter that data masking fields, separated by spaces.
|
datamask-key <passwd> |
Enter the data masking encryption key. |
description <string> |
Enter a description for this access profile (character limit = 1023). Enclose the description in quotes if it contains spaces. |
device-ap {none | read | read-write} |
Set the AP Manager permissions (default = none). |
device-forticlient {none | read | read-write} |
Set the FortiClient Manager permissions (default = none). |
device-fortiswitch {none | read | read-write} |
Set the FortiSwitch Manager permissions (default = none). |
device-manager {none | read | read-write} |
Enter the level of access to Device Manager settings for this profile (default = none). This command corresponds to the Device Manager option in the GUI administrator profile. Controlled functions: Device Manager |
device-op {none | read | read-write} |
Add the capability to add, delete, and edit devices to this profile (default = none). This command corresponds to the Add/Delete Devices/Groups option in the GUI administrator profile. This is a sub-setting of Controlled functions: Add or delete devices or groups |
device-policy-package-lock {none | read | read-write} |
Configure device policy package locking permissions for this profile (default = none). Controlled functions: Policy package locking. Dependencies: |
device-wan-link-load-balance {none | read | read-write} |
Set the SD-WAN permissions (default = none). |
event-management {none | read | read-write} |
Set the Event Management permissions (default = none). This command corresponds to the Event Management option in the GUI administrator profile. Controlled functions: Event Management tab and all its operations |
fortirecorder-setting {none | read | read-write} |
Set the FortiRecorder permissions (default = none). This command corresponds to the FortiRecorder option in the GUI administrator profile. Controlled functions: FortiRecorder tab and all its operations Note: This command is only functional on hardware FortiAnalyzer devices. |
log-viewer {none | read | read-write} |
Set the Log View permissions (default = none). This command corresponds to the Log View option in the GUI administrator profile. Controlled functions: Log View and all its operations |
realtime-monitor {none | read | read-write} |
Enter the level of access to the Drill Down configuration settings for this profile (default = none). |
report-viewer {none | read | read-write} |
Set the Reports permissions (default = none). This command corresponds to the Reports option in the GUI administrator profile. Controlled functions: Reports tab and all its operations |
scope (Not Applicable) |
CLI command is not in use. |
system-setting {none | read | read-write} |
Configure System Settings permissions for this profile (default = none). This command corresponds to the System Settings option in the GUI administrator profile. Controlled functions: System Settings tab, All the settings under System setting |
Variables for |
|
<field> |
Enter the custom field name. |
field-category {alert | all | fortiview | log | euba} |
Enter the field category (default = all). |
field-status {enable | disable} |
Enable/disable the field (default = enable). |
field-type {email | ip | mac | string} |
Enter the field type (default = string). |
admin radius
Use this command to add, edit, and delete administration RADIUS servers.
Syntax
config system admin radius
edit <server>
set auth-type {any | chap | mschap2 | pap}
set nas-ip <ipv4_address>
set port <integer>
set secondary-secret <passwd>
set secondary-server <string>
set secret <passwd>
set server <string>
end
Variable |
Description |
---|---|
<server> |
Enter the name of the RADIUS server or enter a new name to create an entry (character limit = 63). |
auth-type {any | chap | mschap2 | pap} |
The authentication protocol the RADIUS server will use.
|
nas-ip <ipv4_address> |
The network access server (NAS) IPv4 address and called station ID. |
port <integer> |
The RADIUS server port number (1 - 65535, default = 1812). |
secondary-secret <passwd> |
The password to access the RADIUS secondary-server (character limit = 64). |
secondary-server <string> |
The RADIUS secondary-server DNS resolvable domain name or IPv4 address. |
secret <passwd> |
The password to access the RADIUS server (character limit = 64). |
server <string> |
The RADIUS server DNS resolvable domain name or IPv4 address. |
Example
This example shows how to add the RADIUS server RAID1
at the IPv4 address 206.205.204.203
and set the shared secret as R1a2D3i4U5s
.
config system admin radius
edit RAID1
set server 206.205.204.203
set secret R1a2D3i4U5s
end
admin setting
Use this command to configure system administration settings, including web administration ports, timeout, and language.
Syntax
config system admin setting
set access-banner {enable | disable}
set admin-https-redirect {enable | disable}
set admin-login-max <integer>
set admin_server_cert <admin_server_certificate>
set banner-message <string>
set gui-them <theme>
set http_port <integer>
set https_port <integer>
set idle_timeout <integer>
set objects-force-deletion {enable | disable}
set shell-access {enable | disable}
set shell-password <passwd>
set show-add-multiple {enable | disable}
set show-checkbox-in-table {enable | disable}
set show-device-import-export {enable | disable}
set show_hostname {enable | disable}
set show-log-forwarding {enable | disable}
set unreg_dev_opt {add_allow_service | add_no_service}
set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | spanish | traditional_chinese}
end
Variable |
Description |
---|---|
access-banner {enable | disable} |
Enable/disable the access banner (default= disable). |
admin-https-redirect {enable | disable} |
Enable/disable redirection of HTTP admin traffic to HTTPS (default= enable). |
admin-login-max <integer> |
Set the maximum number of admin users that be logged in at one time (1 - 256, default = 256). |
admin_server_cert <admin_server_certificate> |
Enter the name of an https server certificate to use for secure connections (default = server.crt). FortiAnalyzer has server.crt and Fortinet_Local certificates pre-loaded. |
banner-message <string> |
Set the banner messages (character limit = 255). |
gui-theme <theme> |
Configure the GUI theme (default = blue). |
http_port <integer> |
Enter the HTTP port number for web administration (1 - 65535, default = 80). |
https_port <integer> |
Enter the HTTPS port number for web administration (1 - 65535, default = 443). |
idle_timeout <integer> |
Enter the idle timeout value, in minutes (1 - 480, default = 15). |
objects-force-deletion {enable | disable} |
Enable/disable forced deletion of used objects (default = enable). |
shell-access {enable | disable} |
Enable/disable shell access (default = disable). |
shell-password <passwd> |
Enter the password to use for shell access. |
show-add-multiple {enable | disable} |
Enable/disable show the add multiple button in the GUI (default = disable). |
show-checkbox-in-table {enable | disable} |
Enable/disable show checkboxes in tables in the GUI (default = disable). |
show-device-import-export {enable | disable} |
Enable/disable import/export of ADOM, device, and group lists (default = disable). |
show_hostname {enable | disable} |
Enable/disable showing the hostname on the GUI login page (default = disable). |
show-log-forwarding {enable | disable} |
Enable/disable show log forwarding tab in analyzer mode (default= enable). |
unreg_dev_opt {add_allow_service | add_no_service} |
Select action to take when an unregistered device connects to FortiAnalyzer:
|
webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | spanish | traditional_chinese} |
Enter the language to be used for web administration. The following options are available:
|
Use the show command to display the current configuration if it has been changed from its default value:
show system admin setting
admin tacacs
Use this command to add, edit, and delete administration TACACS+ servers.
Syntax
config system admin tacacs
edit <server>
set authen-type {ascii | auto |chap | mschap | pap}
set authorization {enable | disable}
set key <passwd>
set port <integer>
set secondary-key <passwd>
set secondary-server <string>
set server <string>
set tertiary-key <passwd>
set tertiary-server <string>
end
Variable |
Description |
---|---|
<server> |
Enter the name of the TACACS+ server or enter a new name to create an entry (character limit = 63). |
authen-type {ascii | auto |chap | mschap | pap} |
Choose which authentication type to use:
|
authorization {enable | disable} |
Enable/disable TACACS+ authorization (default = disable). |
key <passwd> |
Key to access the server (character limit = 128). |
port <integer> |
Port number of the TACACS+ server (1 - 65535, default = 49). |
secondary-key <passwd> |
Key to access the secondary server (character limit = 128). |
secondary-server <string> |
Secondary server domain name or IPv4 address. |
server <string> |
The server domain name or IPv4 address. |
tertiary-key <passwd> |
Key to access the tertiary server (character limit = 128). |
tertiary-server <string> |
Tertiary server domain name or IPv4 address. |
Example
This example shows how to add the TACACS+ server TAC1
at the IPv4 address 206.205.204.203
and set the key as R1a2D3i4U5s
.
config system admin tacacs
edit TAC1
set server 206.205.204.203
set key R1a2D3i4U5s
end
admin user
Use this command to add, edit, and delete administrator accounts.
Use the admin account or an account with System Settings read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must include a minimum of an access profile. The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, it may change the default profile from Restricted_User. You cannot delete the admin administrator account. You cannot delete an administrator account if that user is logged on.
You can create meta-data fields for administrator accounts. These objects must be created using the FortiAnalyzer GUI. The only information you can add to the object is the value of the field (pre-determined text/numbers). For more information, see System Settings in the FortiAnalyzer Administration Guide. |
Syntax
config system admin user
edit <name_str>
set password <passwd>
set change-password {enable | disable}
set trusthost1 <ipv4_mask>
set trusthost2 <ipv4_mask>
set trusthost3 <ipv4_mask>
...
set trusthost10 <ipv4_mask>
set ipv6_trusthost1 <ipv6_mask>
set ipv6_trusthost2 <ipv6_mask>
set ipv6_trusthost3 <ipv6_mask>
...
set ipv6_trusthost10 <ipv6_mask>
set profileid <profile-name>
set adom <adom_name(s)>
set dev-group <group-name>
set adom-exclude <adom_name(s)>
set policy-package <policy-package-name>
set restrict-access {enable | disable}
set description <string>
set user_type {group | ldap | local | pki-auth | radius | tacacs-plus}
set group <string>
set ldap-server <string>
set radius_server <string>
set tacacs-plus-server <string>
set ssh-public-key1 <key-type> <key-value>
set ssh-public-key2 <key-type>, <key-value>
set ssh-public-key3 <key-type> <key-value>
set avatar <string>
set wildcard <enable | disable>
set ext-auth-accprofile-override <enable | disable>
set ext-auth-adom-override <enable | disable>
set ext-auth-group-match <string>
set password-expire <yyyy-mm-dd>
set force-password-change {enable | disable}
set subject <string>
set ca <string>
set two-factor-auth {enable | disable}
set rpc-permit {none | read-only | read-write}
set last-name <string>
set first-name <string>
set email-address <string>
set phone-number <string>
set mobile-number <string>
set pager-number <string>
config meta-data
edit <fieldname>
set fieldlength
set fieldvalue <string>
set importance
set status
end
config dashboard-tabs
edit tabid <integer>
set name <string>
end
config dashboard