admin
Use the following commands to configure admin related settings.
admin group
Use this command to add, edit, and delete admin user groups.
Syntax
config system admin group
edit <name>
set <member>
end
| Variable | Description |
|---|---|
| `<name>` | Enter the name of the group you are editing or enter a new name to create an entry. Character limit: 63 |
| `<member>` | Add group members. |
admin ldap
Use this command to add, edit, and delete Lightweight Directory Access Protocol (LDAP) users.
Syntax
config system admin ldap
edit <name>
set server <string>
set secondary-server <string>
set tertiary-server <string>
set cnid <string>
set dn <string>
set port <integer>
set type {anonymous | regular | simple}
set username <string>
set password <passwd>
set group <string>
set filter <string>
set attributes <filter>
set secure {disable | ldaps | starttls}
set ca-cert <string>
set connect-timeout <integer>
set adom <adom-name>
end
| Variable | Description |
|---|---|
| `<name>` | Enter the name of the LDAP server or enter a new name to create an entry. Character limit: 63 |
| `server <string>` | Enter the LDAP server domain name or IPv4 address. Enter a new name to create a new entry. |
| `secondary-server <string>` | Enter the secondary LDAP server domain name or IPv4 address. Enter a new name to create a new entry. |
| `tertiary-server <string>` | Enter the tertiary LDAP server domain name or IPv4 address. Enter a new name to create a new entry. |
| `cnid <string>` | Enter the common name identifier. Default: |
| `dn <string>` | Enter the distinguished name. |
| `port <integer>` | Enter the port number for LDAP server communication. Default: |
| `type {anonymous \| regular \| simple}` | Set a binding type. The following options are available: |
| `username <string>` | Enter a username. This variable appears only when |
| `password <passwd>` | Enter a password for the username above. This variable appears only when |
| `group <string>` | Enter an authorization group. The authentication user must be a member of this group (full DN) on the server. |
| `filter <string>` | Enter content for group searching. For example: |
| `attributes <filter>` | Attributes used for group searching (for multi-attributes, use a comma as a separator). For example: |
| `secure {disable \| ldaps \| starttls}` | Set the SSL connection type. The following options are available: |
| `ca-cert <string>` | CA certificate name. This variable appears only when |
| `connect-timeout <integer>` | Set the LDAP connection timeout (msec). |
| `adom <adom-name>` | Set the ADOM name to link to the LDAP configuration. |
Example
This example shows how to add the LDAP user user1 at the IPv4 address 206.205.204.203.
config system admin ldap
edit user1
set server 206.205.204.203
set dn techdoc
set type regular
set username auth1
set password auth1_pwd
set group techdoc
end
admin profile
Use this command to configure access profiles. In a newly-created access profile, no access is enabled.
Syntax
config system admin profile
edit <profile>
set adom-policy-packages {none | read | read-write}
set adom-switch {none | read | read-write}
set app-filter {enable | disable}
set assignment {none | read | read-write}
set change-password {enable | disable}
set config-retrieve {none | read | read-write}
set config-revert {none | read | read-write}
set consistency-check {none | read | read-write}
set deploy-management {none | read | read-write}
set description <string>
set device-ap {none | read | read-write}
set device-config {none | read | read-write}
set device-forticlient {none | read | read-write}
set device-fortiswitch {none | read | read-write}
set device-manager {none | read | read-write}
set device-op {none | read | read-write}
set device-profile {none | read | read-write}
set device-wan-link-load-balance {none | read | read-write}
set event-management {none | read | read-write}
set fgd_center {none | read | read-write}
set fgd-center-advanced {none | read | read-write}
set fgd-center-fmw-mgmt {none | read | read-write}
set fgd-center-licensing {none | read | read-write}
set global-policy-packages {none | read | read-write}
set import-policy-packages {none | read | read-write}
set intf-mapping {none | read | read-write}
set ips-filter {enable | disable}
set log-viewer {none | read | read-write}
set policy-objects {none | read | read-write}
set read-passwd {none | read | read-write}
set realtime-monitor {none | read | read-write}
set report-viewer {none | read | read-write}
set scope (Not Applicable)
set system-setting {none | read | read-write}
set term-access {none | read | read-write}
set type {restricted | system}
set vpn-manager {none | read | read-write}
set web-filter {enable | disable}
end
| Variable | Description |
|---|---|
| `<profile>` | Edit the access profile. Enter a new name to create a new profile. The pre-defined access profiles are Super_User, Standard_User, Restricted_User, and Package_User. Character limit: 35 |
| `adom-policy-packages {none \| read \| read-write}` | Enter the level of access to ADOM policy packages for this profile. Select This command corresponds to the Policy Packages & Objects option on the administrator profile settings page in the GUI. It is a sub-setting of Dependencies: Install and re-install depends on Install to Devices in DVM settings, |
| `adom-switch {none \| read \| read-write}` | Configure administrative domain (ADOM) permissions for this profile. Select This command corresponds to the Administrative Domain option in the GUI. Controlled functions: ADOM settings in DVM, ADOM settings in All ADOMs page (under System Settings tab) Dependencies: If |
| `app-filter {enable \| disable}` | Enable/disable IPS Sensor permission for the restricted admin profile. Dependencies: |
| `assignment {none \| read \| read-write}` | Configure assignment permissions for this profile. Select This command corresponds to the Assignment option in the GUI. It is a sub-setting of Controlled functions: Global assignment in Global ADOM. Dependencies: |
| `change-password {enable \| disable}` | Enable/disable allowing restricted users to change their password |
| `config-retrieve {none \| read \| read-write}` | Set the configuration retrieve settings for this profile. Select This command corresponds to the Retrieve Configuration from Devices option in the GUI. It is a sub-setting of Controlled functions: Retrieve configuration from devices Dependencies: |
| `config-revert {none \| read \| read-write}` | Set the configuration revert settings for this profile. Select This command corresponds to the Revert Configuration from Revision History option in the GUI. It is a sub-setting of Controlled functions: Revert configuration from revision history. Dependencies: |
| `consistency-check {none \| read \| read-write}` | Configure Policy Check permissions for this profile. Select This command corresponds to the Policy Check option in the GUI. It is a sub-setting of Controlled functions: Policy check. Dependencies: |
| `deploy-management {none \| read \| read-write}` | Enter the level of access to the deployment management configuration settings for this profile. Select This command corresponds to the Install to Devices option in the GUI. It is a sub-setting of Controlled functions: Install to devices. Dependencies: |
| `description <string>` | Enter a description for this access profile. Enclose the description in quotes if it contains spaces. Character limit: 1023 |
| `device-ap` | Enter the level of access to device AP settings for this profile. Select This command corresponds to the AP Manager option in the GUI. Controlled functions: AP Manager pane. Dependencies: |
| `device-config {none \| read \| read-write}` | Enter the level of access to device configuration settings for this profile. Select This command corresponds to the Manage Device Configuration option in the GUI. It is a sub-setting of Controlled functions: Edit devices, All settings under Menu in Dashboard. Dependencies: |
| `device-forticlient {none \| read \| read-write}` | Enter the level of access to FortiClient settings for this profile. Select This command corresponds to the FortiClient Manager option in the GUI. Controlled functions: FortiClient Manager pane. Dependencies: |
| `device-fortiswitch {none \| read \| read-write}` | Enter the level of access to the FortiSwitch Manager module for this profile. Select This command corresponds to the FortiSwitch Manager option in the GUI. Controlled functions: FortiSwitch Manager pane. Dependencies: |
| `device-manager {none \| read \| read-write}` | Enter the level of access to Device Manager settings for this profile. Select This command corresponds to the Device Manager option in the GUI. Controlled functions: Device Manager pane. Dependencies: |
| `device-op {none \| read \| read-write}` | Add the capability to add, delete, and edit devices to this profile. Select This command corresponds to the Add/Delete Devices/Groups option in the GUI. It is a sub-setting of Controlled functions: Add or delete devices or groups. Dependencies: |
| `device-profile {none \| read \| read-write}` | Configure device profile permissions for this profile. Select This command corresponds to the Provisioning Templates option in the GUI. It is a sub-setting of Controlled functions: Provisioning Templates. Dependencies: |
| `device-wan-link-load-balance` | Enter the level of access to This command corresponds to WAN Link Load Balance option in the GUI. It is a sub-setting of Controlled functions: Wan LLB. Dependencies: |
| `event-management {none \| read \| read-write}` | Set the Event Management permission. Select This command corresponds to the Event Management option in the GUI. Controlled functions: Event Management pane and all its operations. Dependencies: |
| `fgd_center {none \| read \| read-write}` | Set the FortiGuard Center permission. Select This command corresponds to the FortiGuard Center option in the GUI. Controlled functions: FortiGuard pane, All the settings under FortiGuard. Dependencies: |
| `fgd-center-advanced {none \| read \| read-write}` | Set the FortiGuard Center permission. Select This command corresponds to the Advanced option in the GUI. It is a sub-setting of Controlled functions: FortiGuard pane Advanced Settings options. Dependencies: |
| `fgd-center-fmw-mgmt {none \| read \| read-write}` | Set the FortiGuard Center permission. Select This command corresponds to the Firmware Management option in the GUI. It is a sub-setting of Controlled functions: FortiGuard pane Firmware Images options. Dependencies: |
| `fgd-center-licensing {none \| read \| read-write}` | Set the FortiGuard Center permission. Select This command corresponds to the License Management option in the GUI. It is a sub-setting of Controlled functions: FortiGuard pane Licensing Status options. Dependencies: |
| `global-policy-packages {none \| read \| read-write}` | Configure global policy package permissions for this profile. Select This command corresponds to the Global Policy Packages & Objects option in the GUI. It is a sub-setting of Controlled functions: All operations in Global ADOM. Dependencies: |
| `import-policy-packages {none \| read \| read-write}` | Configure importing policy package permissions for this profile. Select This command corresponds to the Import Policy Package option in the GUI. Controlled functions: Importing policy packages. Dependencies: |
| `intf-mapping {none \| read \| read-write}` | Configure interface mapping permissions for this profile. Select This command corresponds to the Interface Mapping option in the GUI. Controlled functions: Mapping interfaces. Dependencies: |
| `ips-filter {enable \| disable}` | Enable/disable Application Sensor permission for the restricted admin profile. Dependencies: |
| `log-viewer {none \| read \| read-write}` | Set the Log View permission. Select This command corresponds to the Log View option in the GUI. Controlled functions: Log View and all its operations. Dependencies: |
| `policy-objects {none \| read \| read-write}` | Set the Policy & Objects permission. Select Controlled functions: Policy & Objects pane. Dependencies: |
| `read-passwd {none \| read \| read-write}` | Add the capability to view the authentication password in clear text to this profile. Dependencies: |
| `realtime-monitor {none \| read \| read-write}` | Enter the level of access to the Drill Down configuration settings for this profile. Select Dependencies: |
| `report-viewer {none \| read \| read-write}` | Set the Reports permission. Select This command corresponds to the Reports option in the GUI. Controlled functions: Reports pane and all its operations. Dependencies: |
| `scope (Not Applicable)` | CLI command is not in use. |
| `system-setting {none \| read \| read-write}` | Configure System Settings permissions for this profile. Select This command corresponds to the System Settings option in the GUI. Controlled functions: System Settings pane, all the settings under system setting. Dependencies: |
| `term-access {none \| read \| read-write}` | Set the terminal access permissions for this profile. Select This command corresponds to the Terminal Access option in the GUI. It is a sub-setting of Controlled functions: Connect to the CLI via Telnet or SSH. Dependencies: Depends on |
| `type {restricted \| system}` | Enter the admin profile type: |
| `vpn-manager {none \| read \| read-write}` | Enter the level of access to VPN console configuration settings for this profile. Select This command corresponds to the VPN Manager option in the GUI. It is a sub-setting of Controlled functions: VPN Console. Dependencies: |
| `web-filter {enable \| disable}` | Enable/disable Web Filter Profile permission for the restricted admin profile. Dependencies: |
admin radius
Use this command to add, edit, and delete administration RADIUS servers.
Syntax
config system admin radius
edit <server>
set auth-type {any | chap | mschap2 | pap}
set nas-ip <ipv4_address>
set port <integer>
set secondary-secret <passwd>
set secondary-server <string>
set secret <passwd>
set server <string>
end
| Variable | Description |
|---|---|
| `<server>` | Enter the name of the RADIUS server or enter a new name to create an entry. Character limit: 63 |
| `auth-type {any \| chap \| mschap2 \| pap}` | Enter the authentication protocol the RADIUS server will use: |
| `nas-ip <ipv4_address>` | Enter the network access server (NAS) IPv4 address and called station ID. |
| `port <integer>` | Enter the RADIUS server port number. Default: |
| `secondary-secret <passwd>` | Enter the password to access the RADIUS secondary-server. Character limit: 64 |
| `secondary-server <string>` | Enter the RADIUS secondary-server DNS resolvable domain name or IPv4 address. |
| `secret <passwd>` | Enter the password to access the RADIUS server. Character limit: 64 |
| `server <string>` | Enter the RADIUS server DNS resolvable domain name or IPv4 address. |
Example
This example shows how to add the RADIUS server RAID1 at the IPv4 address 206.205.204.203 and set the shared secret as R1a2D3i4U5s.
config system admin radius
edit RAID1
set server 206.205.204.203
set secret R1a2D3i4U5s
end
admin setting
Use this command to configure system administration settings, including web administration ports, timeout, and language.
Syntax
config system admin setting
set access-banner {enable | disable}
set admin-https-redirect {enable | disable}
set admin-login-max <integer>
set admin_server_cert <admin_server_cert>
set allow_register {enable | disable}
set auto-update {enable | disable}
set banner-message <string>
set chassis-mgmt {enable | disable}
set chassis-update-interval <integer>
set device_sync_status {enable | disable}
set gui-theme
set http_port <integer>
set https_port <integer>
set idle_timeout <integer>
set install-ifpolicy-only {enable | disable}
set mgmt-addr <string>
set mgmt-fqdn <string>
set offline_mode {enable | disable}
set register_passwd <passwd>
set shell-access {enable | disable}
set shell-password <passwd>
set show-add-multiple {enable | disable}
set show-adom-devman {enable | disable}
set show-device-import-export {enable | disable}
set show_automatic_script {enable | disable}
set show-checkbox-in-table {enable | disable}
set show_grouping_script {enable | disable}
set show_schedule_script {enable | disable}
set show_tcl_script {enable | disable}
set unreg_dev_opt {add_allow_service | add_no_service | ignore}
set webadmin_language {auto_detect | english | japanese | korean | simplified_chinese | traditional_chinese}
end
| Variable | Description |
|---|---|
| `access-banner {enable \| disable}` | Enable/disable the access banner. Default: |
| `admin-https-redirect {enable \| disable}` | Enable/disable redirection of HTTP admin traffic to HTTPS. |
| `admin-login-max <integer>` | Set the maximum number of admin users that can be logged in at one time. Range: 1 to 256 (users) |
| `admin_server_cert <admin_server_cert>` | Enter the name of an HTTPS server certificate to use for secure connections. Default: |
| `allow_register {enable \| disable}` | Enable/disable the ability of an unregistered device to be registered. Default: |
| `auto-update {enable \| disable}` | Enable/disable device config automatic update. |
| `banner-message <string>` | Set the banner messages. Default: |
| `chassis-mgmt {enable \| disable}` | Enable/disable chassis management. Default: |
| `chassis-update-interval <integer>` | Set the chassis background update interval. Range: 4 to 1440 minutes. Default: |
| `device_sync_status {enable \| disable}` | Enable/disable device synchronization status indication. Default: |
| `gui-theme` | Configure the GUI theme. |
| `http_port <integer>` | Enter the HTTP port number for web administration. Default: |
| `https_port <integer>` | Enter the HTTPS port number for web administration. Default: |
| `idle_timeout <integer>` | Enter the idle timeout value. Range: 1 to 480 (minutes). Default: |
| `install-ifpolicy-only {enable \| disable}` | Enable to allow only the interface policy to be installed. Default: |
| `mgmt-addr <string>` | FQDN/IPv4 of FortiManager used by FGFM. If the FortiManager is behind a NAT device, and a device is added in the FortiManager GUI, the FortiManager will not add its IP address to the FortiGate. Configure |
| `mgmt-fqdn <string>` | FQDN of FortiManager used by FGFM. |
| `offline_mode {enable \| disable}` | Enable offline mode to shut down the protocol used to communicate with managed devices. Default: |
| `register_passwd <passwd>` | Enter the password to use when registering a device. Character limit: 19 |
| `shell-access {enable \| disable}` | Enable shell access. |
| `shell-password <passwd>` | Enter the password to use for shell access. |
| `show-add-multiple {enable \| disable}` | Show the add multiple button. |
| `show-adom-devman {enable \| disable}` | Enable/disable device manager tools on the GUI. Default: |
| `show-checkbox-in-table {enable \| disable}` | Show checkboxes in tables in the GUI. |
| `show-device-import-export {enable \| disable}` | Enable import/export of ADOM, device, and group lists. |
| `show_automatic_script {enable \| disable}` | Enable/disable automatic script. |
| `show_grouping_script {enable \| disable}` | Enable/disable grouping script. |
| `show_schedule_script {enable \| disable}` | Enable/disable schedule script. |
| `show_tcl_script {enable \| disable}` | Enable/disable TCL script. |
| `unreg_dev_opt {add_allow_service \| add_no_service \| ignore}` | Select action to take when an unregistered device connects to FortiManager. The following options are available: |
| `webadmin_language {auto_detect \| english \| japanese \| korean \| simplified_chinese \| traditional_chinese}` | Select the language to be used for web administration. The following options are available: Default: |
admin tacacs
Use this command to add, edit, and delete administration TACACS+ servers.
Syntax
config system admin tacacs
edit <name>
set authen-type {ascii | auto | chap | mschap | pap}
set authorization {enable | disable}
set key <passwd>
set port <integer>
set secondary-key <passwd>
set secondary-server <string>
set server <string>
set tertiary-key <passwd>
set tertiary-server <string>
end
| Variable | Description |
|---|---|
| `<name>` | Enter the name of the TACACS+ server or enter a new name to create an entry. Character limit: 63 |
| `authen-type {ascii \| auto \| chap \| mschap \| pap}` | Choose which authentication type to use. The following options are available: |
| `authorization {enable \| disable}` | Enable/disable TACACS+ authorization. The following options are available: |
| `key <passwd>` | Key to access the server. Character limit: 128 |
| `port <integer>` | Port number of the TACACS+ server. Range: 1 to 65535 |
| `secondary-key <passwd>` | Key to access the secondary server. Character limit: 128 |
| `secondary-server <string>` | Secondary server domain name or IPv4 address. |
| `server <string>` | The server domain name or IPv4 address. |
| `tertiary-key <passwd>` | Key to access the tertiary server. Character limit: 128 |
| `tertiary-server <string>` | Tertiary server domain name or IPv4 address. |
Example
This example shows how to add the TACACS+ server TAC1 at the IPv4 address 206.205.204.203 and set the key as R1a2D3i4U5s.
config system admin tacacs
edit TAC1
set server 206.205.204.203
set key R1a2D3i4U5s
end
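As an added example (not Fortinet code and not part of the original reference), the Python below parses `config system admin ldap`, `radius` and `tacacs` blocks in the syntax shown above and reports LDAP entries without `secure ldaps` or `starttls`, TLS-enabled entries with no `ca-cert`, and secrets that match the sample values printed in this page's Example blocks. The function names, finding labels, the entries `corp-ldaps` and `branch-starttls`, the 192.0.2.x addresses and the placeholder certificate name are assumptions; an unset `secure` is reported for review because the page does not state its default.

```python
import re

# Secret-bearing options per table, taken from the Syntax blocks on this page.
SECRET_KEYS = {
    "ldap": ("password",),
    "radius": ("secret", "secondary-secret"),
    "tacacs": ("key", "secondary-key", "tertiary-key"),
}
# Credentials printed in this page's Example blocks; they are public values.
DOC_SAMPLE_SECRETS = {"auth1_pwd", "R1a2D3i4U5s"}

# Constructed sample: the page's three examples plus hypothetical entries.
SAMPLE_CONFIG = """
config system admin ldap
edit user1
set server 206.205.204.203
set dn techdoc
set type regular
set username auth1
set password auth1_pwd
set group techdoc
next
edit corp-ldaps
set server 192.0.2.10
set port 636
set type regular
set username svc-bind
set password constructed-Bind-Value-1
set secure ldaps
set ca-cert CA_CERT_PLACEHOLDER
next
edit branch-starttls
set server 192.0.2.11
set secure starttls
end
config system admin radius
edit RAID1
set server 206.205.204.203
set secret R1a2D3i4U5s
end
config system admin tacacs
edit TAC1
set server 192.0.2.20
set key constructed-Tacacs-Key-1
end
"""


def parse_admin_config(text):
    """Return {table: {entry: {option: value}}} for flat admin tables.

    Nested sub-blocks (such as those under `admin user`) are not handled.
    """
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config system admin (\S+)$", line)
        if m:
            table, entry = m.group(1), None
            tables.setdefault(table, {})
        elif table is None:
            continue
        elif line.startswith("edit "):
            entry = line.split(None, 1)[1].strip('"')
            tables[table].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            parts = line.split(None, 2)
            value = parts[2].strip('"') if len(parts) > 2 else ""
            tables[table][entry][parts[1]] = value
        elif line == "next":  # Fortinet CLI entry separator, not shown on this page
            entry = None
        elif line == "end":
            table, entry = None, None
    return tables


def audit(text):
    """Return a list of (table, entry, finding, detail) tuples."""
    tables = parse_admin_config(text)
    findings = []
    for name, opts in tables.get("ldap", {}).items():
        secure = opts.get("secure")
        if secure not in ("ldaps", "starttls"):
            findings.append(("ldap", name, "no-tls", f"secure={secure or 'unset'}"))
        elif "ca-cert" not in opts:
            findings.append(("ldap", name, "no-ca-cert", f"secure={secure}"))
    for table, keys in SECRET_KEYS.items():
        for name, opts in tables.get(table, {}).items():
            for key in keys:
                if opts.get(key) in DOC_SAMPLE_SECRETS:
                    findings.append((table, name, "doc-sample-secret", key))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep="\t")
```
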
admin user
Use this command to add, edit, and delete administrator accounts.
Use the admin account or an account with System Settings read and write privileges to add new administrator accounts and control their permission levels. Each administrator account must include a minimum of an access profile. The access profile list is ordered alphabetically, capitals first. If custom profiles are defined, it may change the default profile from Restricted_User. You cannot delete the admin administrator account. You cannot delete an administrator account if that user is logged on.
You can create meta-data fields for administrator accounts. These objects must be created using the FortiManager GUI. The only information you can add to the object is the value of the field (pre-determined text/numbers). For more information, see System Settings in the FortiManager Administration Guide.
Syntax
config system admin user
edit <name_str>
set password <passwd>
set change-password {enable | disable}
set trusthost1 <ipv4_mask>
set trusthost2 <ipv4_mask>
set trusthost3 <ipv4_mask>
...
set trusthost10 <ipv4_mask>
set ipv6_trusthost1 <ipv6_mask>
set ipv6_trusthost2 <ipv6_mask>
set ipv6_trusthost3 <ipv6_mask>
...
set ipv6_trusthost10 <ipv6_mask>
set profileid <profile-name>
set adom <adom_name(s)>
set adom-exclude <adom_name(s)>
set web-filter <Web Filter profile name>
set ips-filter <IPS Sensor name>
set app-filter <Application Sensor name>
set policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> | all_policy_packages}
set restrict-access {enable | disable}
set rpc-permit {none | read-only | read-write}
set description <string>
set user_type {group | ldap | local | pki-auth | radius | tacacs-plus}
set group <string>
set ldap-server <string>
set radius_server <string>
set tacacs-plus-server <string>
set ssh-public-key1 <key-type> <key-value>
set ssh-public-key2 <key-type>, <key-value>
set ssh-public-key3 <key-type> <key-value>
set wildcard <enable | disable>
set ext-auth-accprofile-override <enable | disable>
set ext-auth-adom-override <enable | disable>
set ext-auth-group-match <string>
set password-expire <yyyy-mm-dd>
set force-password-change {enable | disable}
set subject <string>
set ca <string>
set two-factor-auth {enable | disable}
set last-name <string>
set first-name <string>
set email-address <string>
set phone-number <string>
set mobile-number <string>
set pager-number <string>
set avatar <string>
end
config meta-data
edit <fieldname>
set fieldlength
set fieldvalue <string>
set importance
set status
end
end
config dashboard-tabs
edit tabid <integer>
set name <string>
end
end
config dashboard
edit moduleid
set name <string>
set column <column_pos>
set refresh-inverval <integer>
set status {close | open}
set tabid <integer>
set widget-type <string>
set log-rate-type {device | log}
set log-rate-topn {1 | 2 | 3 | 4 | 5}
set log-rate-period {1hour | 2min | 6hours}
set res-view-type {history | real-time}
set res-period {10min | day | hour}
set res-cpu-display {average | each}
set num-entries <integer>
set time-period {1hour | 24hour | 8hour}
set diskio-content-type
set diskio-period {1hour | 24hour | 8hour}
end
end
config restrict-dev-vdom
edit dev-vdom <string>
end
end
| Variable | Description |
|---|---|
| `<name_string>` | Enter the name of the admin user or enter a new name to create a new user. Character limit: 35 |
| `password <passwd>` | Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This variable is available only if |
| `change-password {enable \| disable}` | Enable/disable allowing restricted users to change their password. |
| `trusthost1 <ipv4_mask> trusthost2 <ipv4_mask> trusthost3 <ipv4_mask> ... trusthost10 <ipv4_mask>` | Optionally, type the trusted host IPv4 address and network mask from which the administrator can log in to the FortiManager system. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. See Using trusted hosts. Defaults: others: |
| `ipv6_trusthost1 <ipv6_mask> ipv6_trusthost2 <ipv6_mask> ipv6_trusthost3 <ipv6_mask> ... ipv6_trusthost10 <ipv6_mask>` | Optionally, type the trusted host IPv6 address from which the administrator can log in to the FortiManager system. You can specify up to ten trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. See Using trusted hosts. Defaults: others: |
| `profileid <profile-name>` | Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiManager features. Default: |
| `adom <adom_name(s)>` | Enter the name(s) of the ADOM(s) the administrator belongs to. Any configuration of ADOMs takes place via the FortiManager GUI. |
| `adom-exclude <adom_name(s)>` | Enter the name(s) of the excluding ADOM(s). |
| `web-filter <Web Filter profile name>` | Enter the Web Filter profile to associate with the restricted admin profile. Dependencies: admin user must be associated with a restricted admin profile. |
| `ips-filter <IPS Sensor name>` | Enter the IPS Sensor to associate with the restricted admin profile. Dependencies: The admin user must be associated with a restricted admin profile. |
| `app-filter <Application Sensor name>` | Enter the Application Sensor to associate with the restricted admin profile. Dependencies: The admin user must be associated with a restricted admin profile. |
| `policy-package {<adom name>: <policy package id> <adom policy folder name>/ <package name> \| all_policy_packages}` | Policy package access |
| `restrict-access {enable \| disable}` | Enable/disable restricted access to the development VDOM ( |
| `rpc-permit {none \| read-only \| read-write}` | Set the permission level for login via Remote Procedure Call (RPC). The following options are available: |
| `description <string>` | Enter a description for this administrator account. When using spaces, enclose description in quotes. Character limit: 127 |
| `user_type {group \| ldap \| local \| pki-auth \| radius \| tacacs-plus}` | Enter Default: |
| `group <string>` | Enter the group name. |
| `ldap-server <string>` | Enter the LDAP server name if the user type is set to LDAP. |
| `radius_server <string>` | Enter the RADIUS server name if the user type is set to RADIUS. |
| `tacacs-plus-server <string>` | Enter the TACACS+ server name if the user type is set to TACACS+. |
| `ssh-public-key1 <key-type> <key-value>` | You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application. |
| `ssh-public-key2 <key-type>, <key-value>` | |
| `ssh-public-key3 <key-type> <key-value>` | |
| `wildcard <enable \| disable>` | Enable/disable wildcard remote authentication. |
| `ext-auth-accprofile-override <enable \| disable>` | Enable/disable use of the access profile provided by the remote authentication server. |
| `ext-auth-adom-override <enable \| disable>` | Enable/disable use of the ADOM provided by the remote authentication server. In order to support vendor specific attributes (VSA), the server requires a dictionary to define which VSAs to support. The Fortinet RADIUS vendor ID is |
| `ext-auth-group-match <string>` | Only administrators that belong to this group can log in. |
| `password-expire <yyyy-mm-dd>` | When enforcing the password policy, enter the date that the current password will expire. |
| `force-password-change {enable \| disable}` | Enable/disable force password change on next log in. |
| `subject <string>` | PKI user certificate name constraints. This command is available when a PKI administrator account is configured. |
| `ca <string>` | PKI user certificate CA (CA name in local). This command is available when a PKI administrator account is configured. |
| `two-factor-auth {enable \| disable}` | Enable/disable two-factor authentication (certificate + password). This command is available when a PKI administrator account is configured. |
| `last-name <string>` | Administrator's last name. Character limit: 63 |
| `first-name <string>` | Administrator's first name. Character limit: 63 |
| `email-address <string>` | Administrator's email address. |
| `phone-number <string>` | Administrator's phone number. |
| `mobile-number <string>` | Administrator's mobile phone number. |
| `pager-number <string>` | Administrator's pager number. |
| `avatar <string>` | Image file for the administrator's avatar (maximum 4K base64 encode). |
Variables for This subcommand can only change the value of an existing field. To create a new metadata field, use the |
|
fieldname |
The label/name of the field. Read-only.
Default: |
fieldlength |
The maximum number of characters allowed for this field. Read-only. |
fieldvalue <string> |
Enter a pre-determined value for the field. This is the only value that can be changed with the |
importance |
Indicates whether the field is compulsory ( |
status |
For display only. Value cannot be changed.
Default: |
Variables for |
|
tabid <integer> |
Tab ID. |
name <string> |
Tab name. |
Variables for |
|
moduleid |
Widget ID.
|
name <string> |
Widget name. Character limit: 63 |
column <column_pos> |
Widget’s column ID. |
refresh-inverval <integer> |
Widget’s refresh interval.
Default: |
status {close | open} |
Widget’s opened/closed status.
Default: |
tabid <integer> |
ID of the tab where the widget is displayed.
Default: |
widget-type <string> |
Widget type. The following options are available:
|
log-rate-type {device | log} |
Log receive monitor widget’s statistics breakdown options. |
log-rate-topn {1 | 2 | 3 | 4 | 5} |