system : admin
 
admin
Use this command to add, edit, and delete administrator accounts. Administrators can control which data modules appear in the FortiGate unit system dashboard by using the config system admin command. Administrators must have read and write privileges to modify the dashboard in the web-based manager.
Use the default admin account or an account with system configuration read and write privileges to add new administrator accounts and control their permission levels. Each administrator account except the default admin must include an access profile. You cannot delete the default super admin account or change its access profile (super_admin). There is also an access profile that grants read-only super admin privileges, super_admin_readonly. Like super_admin, the super_admin_readonly profile cannot be deleted or changed. This read-only super admin can be used when it is necessary to troubleshoot a customer configuration without making changes.
You can authenticate administrators using a password stored on the FortiGate unit or you can perform authentication with RADIUS, LDAP, or TACACS+ servers. When you use RADIUS authentication, you can authenticate specific administrators or you can allow any account on the RADIUS server to access the FortiGate unit as an administrator.
 
For users with the super_admin access profile, you can reset the password in the CLI.
For a user ITAdmin with the access profile super_admin, to set the password to 123456:
    config system admin
        edit ITAdmin
            set password 123456
    end
For a user ITAdmin with the access profile super_admin, to reset the password from 123456 to the default 'empty' or 'null':
    config system admin
        edit ITAdmin
            unset password 123456
    end
If you type 'set password ?' in the CLI, you will have to enter both the new password and the old password for the change to take effect. In this case, you will NOT be able to reset the password to 'empty' or 'null'.
You can configure an administrator to only be allowed to log in at certain times. The default setting allows administrators to log in any time.
A VDOM/access profile override feature supports authentication of administrators via RADIUS. The admin user is given access according to the VDOM they are restricted to and their associated access profile. This feature is only available to wildcard admins. There can be only one vdom-override user per system.
You can define trusted hosts for all of your administrators to increase the security of your network by further restricting administrative access. When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. The trusted hosts you define apply both to the web-based manager and to the CLI when accessed through Telnet or SSH. CLI access through the console connector is not affected.
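As an added example, not part of this reference, the following Python script parses a constructed "show system admin" dump and reports, per account, whether its trusted hosts still allow any source address (the documented 0.0.0.0 0.0.0.0 and ::/0 defaults) and whether wildcard login is enabled, and it tests a candidate source address against an account's trusted hosts. The sample configuration, the account names, and the assumption that the documented defaults apply to an address family whenever no trusthost or ip6-trusthost entry is set are the example's own.

```python
import ipaddress
import re

# Constructed sample of a FortiGate "show system admin" dump written for
# this example (not captured from a real device). Settings follow the
# syntax on this page; "next" closes each entry as in real FortiOS output.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.1.0 255.255.255.0
        set trusthost2 192.0.2.10 255.255.255.255
        set ip6-trusthost1 2001:db8:1::/64
    next
    edit "netops"
        set accprofile "prof_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "helpdesk"
        set accprofile "super_admin_readonly"
        set remote-auth enable
        set wildcard enable
    next
end
"""

# Documented defaults: until changed, any source address may connect.
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def parse_admins(text):
    """Return {admin_name: {setting: value}} for each 'edit' entry."""
    admins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r'edit\s+"?([^"]+?)"?', line)
        if match:
            current = admins.setdefault(match.group(1), {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
        elif line in ("next", "end"):
            current = None
    return admins


def trusted_networks(settings):
    """Trusted hosts of one admin as (ipv4_networks, ipv6_networks).

    Assumption for this example: the documented default for a family
    applies whenever no trusthost (IPv4) or ip6-trusthost (IPv6) is set.
    """
    v4, v6 = [], []
    for key, value in settings.items():
        if re.fullmatch(r"trusthost(10|[1-9])", key):
            addr, _, mask = value.partition(" ")          # "addr mask" form
            v4.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif re.fullmatch(r"ip6-trusthost(10|[1-9])", key):
            v6.append(ipaddress.ip_network(value, strict=False))
    return (v4 or [ANY_V4]), (v6 or [ANY_V6])


def audit_admin(settings):
    """Return a list of findings for one administrator account."""
    findings = []
    v4, v6 = trusted_networks(settings)
    if ANY_V4 in v4:
        findings.append("IPv4 trusted hosts allow any source address")
    if ANY_V6 in v6:
        findings.append("IPv6 trusted hosts allow any source address")
    if settings.get("wildcard") == "enable":
        findings.append("wildcard enabled: every account on the remote "
                        "authentication server can log on as administrator")
    return findings


def is_source_allowed(settings, source_ip):
    """True if source_ip falls inside one of the admin's trusted hosts."""
    ip = ipaddress.ip_address(source_ip)
    v4, v6 = trusted_networks(settings)
    return any(ip in net for net in (v4 if ip.version == 4 else v6))


def all_admins_restricted(admins):
    """Trusted hosts only help when every account is restricted (see text)."""
    return all(not any("any source" in f for f in audit_admin(s))
               for s in admins.values())


if __name__ == "__main__":
    admins = parse_admins(SAMPLE_CONFIG)
    for name, settings in admins.items():
        print(name, audit_admin(settings) or ["ok"])
    print("all admins restricted:", all_admins_restricted(admins))
```

Run against a real dump, the script makes the point of the paragraph above concrete: one account left at the default trusted hosts is enough to keep the unit answering administrative connections from anywhere, whatever the other accounts are set to.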
Syntax
config system admin
    edit <name_str>
        set accprofile <profile-name>
        set accprofile-override {enable | disable}
        set allow-remove-admin-session {enable | disable}
        set comments <comments_string>
        set force-password-change {enable | disable}
        set guest-auth {enable | disable}
        set guest-lang <lang_name>
        set guest-usergroups <groups_list>
        set gui-log-display {fortianalyzer | fortiguard | memory | disk}
        set {ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>
        set password <admin_password>
        set password-expire <date> <time>
        set peer-auth {disable | enable}
        set peer-group <peer-grp>
        set radius-vdom-override {enable | disable}
        set remote-auth {enable | disable}
        set remote-group <name>
        set schedule <schedule-name>
        set sms-phone <cell_phone_number>
        set sms-provider <string>
        set ssh-certificate <cert_name>
        set ssh-public-key1 "<key-type> <key-value>"
        set ssh-public-key2 "<key-type> <key-value>"
        set ssh-public-key3 "<key-type> <key-value>"
        set {trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>
        set two-factor {enable | disable}
        set vdom <vdom_name>
        set wildcard {enable | disable}
        config dashboard
            edit <id>
                set widget-type <module_name>
                set column <column_number>
                set sort-by {bandwidth | session}
                set status {close | open}
                set <custom_options>
        end
        config dashboard-tab
            edit <tab_int>
                set columns {1 | 2}
                set name <name_str>
        end
end
Variables (each entry gives the variable, its description, and its default)
accprofile <profile-name>
    Enter the name of the access profile to assign to this administrator account. Access profiles control administrator access to FortiGate features.
    Default: No default.
accprofile-override {enable | disable}
    Enable authentication server override of the administrator access profile. Note: This redirection will not occur if HTTPS & SSL-VPN are enabled on the same port.
    Default: disable
allow-remove-admin-session {enable | disable}
    Disable to prevent other administrators from closing the session. This field is available for accounts with the super_admin profile.
    Default: enable
comments <comments_string>
    Enter the last name, first name, email address, phone number, mobile phone number, and pager number for this administrator. Separate each attribute with a comma, and enclose the string in double-quotes. The total length of the string can be up to 128 characters. (Optional)
    Default: null
force-password-change {enable | disable}
    Enable to require this administrator to change password at next login. Disabling this option does not prevent required password change due to password policy violation or expiry.
    This is available only if password policy is enabled. See system password-policy.
    Default: disable
guest-auth {enable | disable}
    Enable guest authentication.
    Default: disable
guest-lang <lang_name>
    Select the language for the guest administrator. To view the list of available languages, enter set guest-lang ?
    This is available if guest-auth is enabled.
    Default: null
guest-usergroups <groups_list>
    Enter the user groups used for guests.
    Default: No default.
gui-log-display {fortianalyzer | fortiguard | memory | disk}
    Select the device from which logs are displayed in the web-based manager.
    Default: disk or memory, depending on model
{ip6-trusthost1 | ip6-trusthost2 | ip6-trusthost3 | ip6-trusthost4 | ip6-trusthost5 | ip6-trusthost6 | ip6-trusthost7 | ip6-trusthost8 | ip6-trusthost9 | ip6-trusthost10} <address_ipv6mask>
    Any IPv6 address and netmask from which the administrator can connect to the FortiGate unit.
    If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to ::/0.
    Default: ::/0
password <admin_password>
    Enter the password for this administrator. It can be up to 64 characters in length.
    Default: null
password-expire <date> <time>
    Enter the date and time that this administrator's password expires. Enter zero values for no expiry.
    Date format is YYYY-MM-DD. Time format is HH:MM:SS.
    Default: 0000-00-00 00:00:00
peer-auth {disable | enable}
    Set to enable peer certificate authentication (for HTTPS admin access). If peer-auth is enabled, two-factor is not available.
    Default: disable
peer-group <peer-grp>
    Name of peer group defined under config user peergrp or user group defined under config user group. Used for peer certificate authentication (for HTTPS admin access).
    Default: null
radius-vdom-override {enable | disable}
    Enable RADIUS authentication override for the (wildcard only) administrator.
    Default: disable
remote-auth {enable | disable}
    Enable or disable authentication of this administrator using a remote RADIUS, LDAP, or TACACS+ server.
    Default: disable
remote-group <name>
    Enter the administrator user group name, if you are using RADIUS, LDAP, or TACACS+ authentication.
    This is only available when remote-auth is enabled.
    Default: No default.
schedule <schedule-name>
    Restrict times that an administrator can log in. Defined in config firewall schedule. Null indicates that the administrator can log in at any time.
    Default: null
sms-phone <cell_phone_number>
    Enter the telephone number of the cellular phone where the SMS text message will be sent containing the token code for two-factor authentication.
    Typically the format does not include the country code, but does include the other digits of the cell phone number. Verify the correct format with the cell phone provider.
    Default: null
sms-provider <string>
    Select an SMS provider from the list of configured entries.
    This is the cell phone service provider, and the list of providers is configured with the command system sms-server.
    Default: No default.
ssh-certificate <cert_name>
    Select the certificate to use for PKI authentication of the administrator.
    Default: null
ssh-public-key1 "<key-type> <key-value>"
    You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.
    <key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.
    <key-value> is the public key string of the SSH client.
    Default: No default.
ssh-public-key2 "<key-type> <key-value>"
    Default: No default.
ssh-public-key3 "<key-type> <key-value>"
    Default: No default.
{trusthost1 | trusthost2 | trusthost3 | trusthost4 | trusthost5 | trusthost6 | trusthost7 | trusthost8 | trusthost9 | trusthost10} <address_ipv4mask>
    Any IPv4 address or subnet address and netmask from which the administrator can connect to the FortiGate unit.
    If you want the administrator to be able to access the FortiGate unit from any address, set the trusted hosts to 0.0.0.0 and the netmask to 0.0.0.0.
    Default: 0.0.0.0 0.0.0.0
two-factor {enable | disable}
    Enable to use two-factor authentication with this admin account. When enabled, one of FortiToken, email, or SMS text message to a cellular phone is used as the second factor.
    Default: disable
vdom <vdom_name>
    Enter the name of the VDOM this account belongs to. (Optional)
    Default: No default.
wildcard {enable | disable}
    Enable wildcard to allow all accounts on an authentication server to log on to the FortiGate unit as administrator. Disable wildcard if you want to allow only the specified administrator to log on.
    This is available when remote-auth is enabled.
    Default: disable
config dashboard variables
<module_id>
    Enter the number of this widget. Use 0 to create a new widget instance.
widget-type <module_name>
    Name of the system dashboard or usage widget to configure. For a list of the available widget types, enter:
    set widget-type ?
    Default: No default.
column <column_number>
    Column in which the dashboard module appears. Values 1 or 2. Available for all dashboard modules.
    Default: 0
status {close | open}
    Set whether the widget is open or closed on the dashboard.
    Default: Depends on widget
<custom_options>
    The custom options for the usage and dashboard widgets are listed in the "Dashboard and usage widget variables" section.
config dashboard-tab variables
edit <tab_int>
    Enter the tab number of the new dashboard.
    Default: No default.
columns {1 | 2}
    Select one- or two-column format.
    Default: 2
name <name_str>
    Enter a name for the tab.
    Default: No default.
Dashboard and usage widget variables
 
alert
    Configure the information displayed on the alert message console by enabling or disabling the following options (default shown in parentheses):
    show-admin-auth — admin authentication failures (default: enable)
    show-amc-bypass — AMC interface bypasses (default: enable)
    show-conserve-mode — conserve mode alerts (default: enable)
    show-device-update — device updates (default: enable)
    show-disk-failure — disk failure alerts (default: enable)
    show-fds-quota — FortiGuard alerts (default: disable)
    show-fds-update — FortiGuard updates (default: enable)
    show-firmware-change — firmware images (default: enable)
    show-policy-overflow — policy too large (> 64kB) (default: enable)
    show-power-supply — power supply alerts (default: enable)
    show-system-restart — system restart alerts (default: enable)
app-usage
    Configure the operation of the top application usage widget:
    display-format {chart | table} — display data in a chart or a table. (default: chart)
    refresh-interval <interval_int> — set the time interval for updating the widget display, in the range 10 to 240 seconds, or 0 to disable. (default: 0)
    report-by {application | destination | protocol | source} — set the attribute by which to report application usage. (default: source)
    resolve-host {disable | enable} — display host names instead of IP addresses. (default: disable)
    show-auth-use {disable | enable} — include the user name of authenticated users. (default: disable)
    sort-by {bytes | msg-counts} — sort information by amount of data (bytes) or number of sessions (msg-counts). (default: bytes)
    top-n <results_int> — set the number of results to display. (default: 10)
    vdom <vdom_str> — display results for a specific VDOM. (no default)
jsconsole
Set the dashboard column and open and closed status of the CLI console widget.
 
licinfo
Set the dashboard column and open and closed status of the License information widget.
 
protocol-usage
    For the top protocol usage widget, set the column and open or closed status, and set the following options:
    display-format {chart | line} — display data as a bytes-per-protocol bar chart or a color-coded bytes-over-time line graph. (default: chart)
    protocols <integer> — select the protocols to display by entering the sum of the desired protocol values (default: 0):
            1 Browsing
            2 DNS
            4 Email
            8 FTP
           16 Gaming
           32 Instant Messaging
           64 Newsgroups
          128 P2P
          256 Streaming
          512 TFTP
         1024 VoIP
         2048 Generic TCP
         4096 Generic UDP
         8192 Generic ICMP
        16384 Generic IP
    time-period — the time period in minutes that the display covers. (default: 1440, that is, 24 hours)
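An added Python example (not from the Fortinet documentation) for converting between protocol names and the integer the protocols option expects, in both directions, so that a value found in an existing configuration can be read back into names and a value outside the documented range is rejected; the function names are the example's own.

```python
# Protocol values documented on this page for the protocol-usage widget's
# "protocols" option; the configured integer is the sum of selected values.
PROTOCOL_BITS = {
    "Browsing": 1, "DNS": 2, "Email": 4, "FTP": 8, "Gaming": 16,
    "Instant Messaging": 32, "Newsgroups": 64, "P2P": 128,
    "Streaming": 256, "TFTP": 512, "VoIP": 1024, "Generic TCP": 2048,
    "Generic UDP": 4096, "Generic ICMP": 8192, "Generic IP": 16384,
}
ALL_PROTOCOLS = sum(PROTOCOL_BITS.values())  # every bit set: 32767


def encode_protocols(names):
    """Return the 'set protocols' integer for a collection of protocol names."""
    unknown = set(names) - set(PROTOCOL_BITS)
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    value = 0
    for name in names:
        value |= PROTOCOL_BITS[name]  # OR, so a repeated name is not double-counted
    return value


def decode_protocols(value):
    """Return the protocol names encoded in a configured 'protocols' integer.

    Values with bits outside the documented range are rejected; in a config
    dump that usually means a typo or a value from a different build.
    """
    if not 0 <= value <= ALL_PROTOCOLS:
        raise ValueError(f"{value} is outside the documented range 0..{ALL_PROTOCOLS}")
    return [name for name, bit in PROTOCOL_BITS.items() if value & bit]


def protocols_command(names):
    """Build the CLI line to place inside a config dashboard entry."""
    return f"set protocols {encode_protocols(names)}"


if __name__ == "__main__":
    print(protocols_command(["Browsing", "DNS", "VoIP"]))
    print(decode_protocols(1027))
```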
sessions
    For the top sessions dashboard widget, set the dashboard column and open or closed status, and set the following options:
    aggregate-hosts {enable | disable} — enable or disable aggregation of hosts in the widget.
    display-format {chart | table} — display data in a chart or a table. (default: chart)
    dst-interface — set the destination interface filter for the session display. (default: null)
    ip-version — set the Internet Protocol version of sessions to display: IPv4, IPv6, or ipboth. (default: ipboth)
    refresh-interval <interval_int> — set the time interval for updating the widget display, in the range 10 to 240 seconds, or 0 to disable. (default: 0)
    sort-by {bytes | msg-counts} — sort information by the amount of data (bytes) or the number of sessions (msg-counts). (default: bytes)
    top-n <results_int> — set the number of results to display. (default: 10)
    vdom <vdom_str> — display results for a specific VDOM. (no default)
sessions-history
Set the dashboard column, chart color, and view-type.
 
show-forward-traffic {enable | disable}
    Enable or disable display of forward traffic in the Sessions widget. Forward traffic is any traffic through the FortiGate that has a policy ID.
    Default: disable
show-local-traffic {enable | disable}
    Enable or disable display of local traffic in the Sessions widget. Local traffic is traffic to or from the FortiGate unit itself (no policy ID).
    Default: disable
sort-by {bandwidth | session}
    Choose whether the sessions-bandwidth widget sorts by bandwidth or by session.
    Default: bytes
statistics
Set the dashboard column and open and closed status of the log and archive statistics dashboard widget.
 
storage
Set the dashboard column and open and closed status of the log and archive storage dashboard widget.
 
sysinfo
Set the dashboard column and open and closed status of the system information dashboard widget.
 
sysop
Set the dashboard column and open and closed status of the unit operation dashboard widget.
 
sysres
    For the system resources dashboard widget, set the dashboard column and open or closed status, and set the following options:
    chart-color <color_int> — select the chart color for the historical display. (default: 1)
    cpu-display-type {average | each} — on multicore processor models, display each core or the average of all cores.
    view-type {historical | real-time} — select a historical graph or a current-value dial display.
    time-period <minutes_int> — set the time period in minutes for the historical display.
tr-history
    For the traffic history dashboard widget, set the dashboard column and open or closed status, and set the following options:
    refresh {disable | enable} — enable automatic refreshing of the display.
    interface <interface_name> — name of the interface monitored for traffic history data.
    tr-history-period1, tr-history-period2, tr-history-period3 — time period (seconds) for each of the three history graphs. To disable a graph, set its period to 0.