Fortinet white logo
Fortinet white logo

CLI Reference

config system admin

config system admin

Configure admin users.

config system admin
    Description: Configure admin users.
    edit <name>
        set accprofile {string}
        set accprofile-override [enable|disable]
        set allow-remove-admin-session [enable|disable]
        set comments {var-string}
        set email-to {string}
        set force-password-change [enable|disable]
        set fortitoken {string}
        set guest-auth [disable|enable]
        set guest-lang {string}
        set guest-usergroups <name1>, <name2>, ...
        set ip6-trusthost1 {ipv6-prefix}
        set ip6-trusthost10 {ipv6-prefix}
        set ip6-trusthost2 {ipv6-prefix}
        set ip6-trusthost3 {ipv6-prefix}
        set ip6-trusthost4 {ipv6-prefix}
        set ip6-trusthost5 {ipv6-prefix}
        set ip6-trusthost6 {ipv6-prefix}
        set ip6-trusthost7 {ipv6-prefix}
        set ip6-trusthost8 {ipv6-prefix}
        set ip6-trusthost9 {ipv6-prefix}
        set password {password-2}
        set password-expire {user}
        set peer-auth [enable|disable]
        set peer-group {string}
        set remote-auth [enable|disable]
        set remote-group {string}
        set schedule {string}
        set sms-custom-server {string}
        set sms-phone {string}
        set sms-server [fortiguard|custom]
        set ssh-certificate {string}
        set ssh-public-key1 {user}
        set ssh-public-key2 {user}
        set ssh-public-key3 {user}
        set trusthost1 {ipv4-classnet}
        set trusthost10 {ipv4-classnet}
        set trusthost2 {ipv4-classnet}
        set trusthost3 {ipv4-classnet}
        set trusthost4 {ipv4-classnet}
        set trusthost5 {ipv4-classnet}
        set trusthost6 {ipv4-classnet}
        set trusthost7 {ipv4-classnet}
        set trusthost8 {ipv4-classnet}
        set trusthost9 {ipv4-classnet}
        set two-factor [disable|fortitoken|...]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-notification [email|sms]
        set vdom <name1>, <name2>, ...
        set vdom-override [enable|disable]
        set wildcard [enable|disable]
    next
end

config system admin

Parameter

Description

Type

Size

Default

accprofile

Access profile for this administrator. Access profiles control administrator access to FortiGate features.

string

Maximum length: 35

accprofile-override

Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.

option

-

disable

Option

Description

enable

Enable access profile override.

disable

Disable access profile override.

allow-remove-admin-session

Enable/disable allow admin session to be removed by privileged admin users.

option

-

enable

Option

Description

enable

Enable allow-remove option.

disable

Disable allow-remove option.

comments

Comment.

var-string

Maximum length: 255

email-to

This administrator's email address.

string

Maximum length: 63

force-password-change

Enable/disable force password change on next login.

option

-

disable

Option

Description

enable

Enable force password change on next login.

disable

Disable force password change on next login.

fortitoken

This administrator's FortiToken serial number.

string

Maximum length: 16

guest-auth

Enable/disable guest authentication.

option

-

disable

Option

Description

disable

Disable guest authentication.

enable

Enable guest authentication.

guest-lang

Guest management portal language.

string

Maximum length: 35

guest-usergroups <name>

Select guest user groups.

Select guest user groups.

string

Maximum length: 79

ip6-trusthost1

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost10

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost2

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost3

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost4

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost5

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost6

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost7

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost8

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost9

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

name

User name.

string

Maximum length: 64

password

Admin user password.

password-2

Not Specified

password-expire

Password expire time.

user

Not Specified

peer-auth

Set to enable peer certificate authentication (for HTTPS admin access).

option

-

disable

Option

Description

enable

Enable peer.

disable

Disable peer.

peer-group

Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).

string

Maximum length: 35

remote-auth

Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.

option

-

disable

Option

Description

enable

Enable remote authentication.

disable

Disable remote authentication.

remote-group

User group name used for remote auth.

string

Maximum length: 35

schedule

Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

string

Maximum length: 35

sms-custom-server

Custom SMS server to send SMS messages to.

string

Maximum length: 35

sms-phone

Phone number on which the administrator receives SMS messages.

string

Maximum length: 15

sms-server

Send SMS messages using the FortiGuard SMS server or a custom server.

option

-

fortiguard

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

ssh-certificate

Select the certificate to be used by the FortiGate for authentication with an SSH client.

string

Maximum length: 35

ssh-public-key1

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key2

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key3

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

trusthost1

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost10

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost2

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost3

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost4

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost5

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost6

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost7

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost8

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost9

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

two-factor

Enable/disable two-factor authentication.

option

-

disable

Option

Description

disable

Disable two-factor authentication.

fortitoken

Use FortiToken or FortiToken mobile two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

email

Send a two-factor authentication code to the configured email-to email address.

sms

Send a two-factor authentication code to the configured sms-server and sms-phone.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

vdom <name>

Virtual domain(s) that the administrator can access.

Virtual domain name.

string

Maximum length: 79

vdom-override

Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.

option

-

disable

Option

Description

enable

Enable VDOM override.

disable

Disable VDOM override.

wildcard

Enable/disable wildcard RADIUS authentication.

option

-

disable

Option

Description

enable

Enable username wildcard.

disable

Disable username wildcard.

config system admin

config system admin

Configure admin users.

config system admin
    Description: Configure admin users.
    edit <name>
        set accprofile {string}
        set accprofile-override [enable|disable]
        set allow-remove-admin-session [enable|disable]
        set comments {var-string}
        set email-to {string}
        set force-password-change [enable|disable]
        set fortitoken {string}
        set guest-auth [disable|enable]
        set guest-lang {string}
        set guest-usergroups <name1>, <name2>, ...
        set ip6-trusthost1 {ipv6-prefix}
        set ip6-trusthost10 {ipv6-prefix}
        set ip6-trusthost2 {ipv6-prefix}
        set ip6-trusthost3 {ipv6-prefix}
        set ip6-trusthost4 {ipv6-prefix}
        set ip6-trusthost5 {ipv6-prefix}
        set ip6-trusthost6 {ipv6-prefix}
        set ip6-trusthost7 {ipv6-prefix}
        set ip6-trusthost8 {ipv6-prefix}
        set ip6-trusthost9 {ipv6-prefix}
        set password {password-2}
        set password-expire {user}
        set peer-auth [enable|disable]
        set peer-group {string}
        set remote-auth [enable|disable]
        set remote-group {string}
        set schedule {string}
        set sms-custom-server {string}
        set sms-phone {string}
        set sms-server [fortiguard|custom]
        set ssh-certificate {string}
        set ssh-public-key1 {user}
        set ssh-public-key2 {user}
        set ssh-public-key3 {user}
        set trusthost1 {ipv4-classnet}
        set trusthost10 {ipv4-classnet}
        set trusthost2 {ipv4-classnet}
        set trusthost3 {ipv4-classnet}
        set trusthost4 {ipv4-classnet}
        set trusthost5 {ipv4-classnet}
        set trusthost6 {ipv4-classnet}
        set trusthost7 {ipv4-classnet}
        set trusthost8 {ipv4-classnet}
        set trusthost9 {ipv4-classnet}
        set two-factor [disable|fortitoken|...]
        set two-factor-authentication [fortitoken|email|...]
        set two-factor-notification [email|sms]
        set vdom <name1>, <name2>, ...
        set vdom-override [enable|disable]
        set wildcard [enable|disable]
    next
end

config system admin

Parameter

Description

Type

Size

Default

accprofile

Access profile for this administrator. Access profiles control administrator access to FortiGate features.

string

Maximum length: 35

accprofile-override

Enable to use the name of an access profile provided by the remote authentication server to control the FortiGate features that this administrator can access.

option

-

disable

Option

Description

enable

Enable access profile override.

disable

Disable access profile override.

allow-remove-admin-session

Enable/disable allow admin session to be removed by privileged admin users.

option

-

enable

Option

Description

enable

Enable allow-remove option.

disable

Disable allow-remove option.

comments

Comment.

var-string

Maximum length: 255

email-to

This administrator's email address.

string

Maximum length: 63

force-password-change

Enable/disable force password change on next login.

option

-

disable

Option

Description

enable

Enable force password change on next login.

disable

Disable force password change on next login.

fortitoken

This administrator's FortiToken serial number.

string

Maximum length: 16

guest-auth

Enable/disable guest authentication.

option

-

disable

Option

Description

disable

Disable guest authentication.

enable

Enable guest authentication.

guest-lang

Guest management portal language.

string

Maximum length: 35

guest-usergroups <name>

Select guest user groups.

Select guest user groups.

string

Maximum length: 79

ip6-trusthost1

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost10

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost2

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost3

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost4

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost5

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost6

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost7

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost8

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

ip6-trusthost9

Any IPv6 address from which the administrator can connect to the FortiGate unit. Default allows access from any IPv6 address.

ipv6-prefix

Not Specified

::/0

name

User name.

string

Maximum length: 64

password

Admin user password.

password-2

Not Specified

password-expire

Password expire time.

user

Not Specified

peer-auth

Set to enable peer certificate authentication (for HTTPS admin access).

option

-

disable

Option

Description

enable

Enable peer.

disable

Disable peer.

peer-group

Name of peer group defined under config user group which has PKI members. Used for peer certificate authentication (for HTTPS admin access).

string

Maximum length: 35

remote-auth

Enable/disable authentication using a remote RADIUS, LDAP, or TACACS+ server.

option

-

disable

Option

Description

enable

Enable remote authentication.

disable

Disable remote authentication.

remote-group

User group name used for remote auth.

string

Maximum length: 35

schedule

Firewall schedule used to restrict when the administrator can log in. No schedule means no restrictions.

string

Maximum length: 35

sms-custom-server

Custom SMS server to send SMS messages to.

string

Maximum length: 35

sms-phone

Phone number on which the administrator receives SMS messages.

string

Maximum length: 15

sms-server

Send SMS messages using the FortiGuard SMS server or a custom server.

option

-

fortiguard

Option

Description

fortiguard

Send SMS by FortiGuard.

custom

Send SMS by custom server.

ssh-certificate

Select the certificate to be used by the FortiGate for authentication with an SSH client.

string

Maximum length: 35

ssh-public-key1

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key2

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

ssh-public-key3

Public key of an SSH client. The client is authenticated without being asked for credentials. Create the public-private key pair in the SSH client application.

user

Not Specified

trusthost1

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost10

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost2

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost3

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost4

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost5

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost6

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost7

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost8

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

trusthost9

Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit. Default allows access from any IPv4 address.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

two-factor

Enable/disable two-factor authentication.

option

-

disable

Option

Description

disable

Disable two-factor authentication.

fortitoken

Use FortiToken or FortiToken mobile two-factor authentication.

fortitoken-cloud

FortiToken Cloud Service.

email

Send a two-factor authentication code to the configured email-to email address.

sms

Send a two-factor authentication code to the configured sms-server and sms-phone.

two-factor-authentication

Authentication method by FortiToken Cloud.

option

-

Option

Description

fortitoken

FortiToken authentication.

email

Email one time password.

sms

SMS one time password.

two-factor-notification

Notification method for user activation by FortiToken Cloud.

option

-

Option

Description

email

Email notification for activation code.

sms

SMS notification for activation code.

vdom <name>

Virtual domain(s) that the administrator can access.

Virtual domain name.

string

Maximum length: 79

vdom-override

Enable to use the names of VDOMs provided by the remote authentication server to control the VDOMs that this administrator can access.

option

-

disable

Option

Description

enable

Enable VDOM override.

disable

Disable VDOM override.

wildcard

Enable/disable wildcard RADIUS authentication.

option

-

disable

Option

Description

enable

Enable username wildcard.

disable

Disable username wildcard.