config system admin
Use this command to configure FortiWeb administrator accounts. In its factory default configuration, a FortiWeb appliance has one administrator account, named admin. That administrator has permissions that grant full access to the FortiWeb configuration and firmware. After connecting to the web UI or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiWeb configuration.
Administrators can access the web UI and the CLI through the network, depending on administrator account’s trusted hosts, ADOMs, and the administrative access protocols enabled for each of the FortiWeb appliance’s network interfaces. For details, see “config system interface”, “config system global”, and “Connecting to the CLI”.
To see which administrators are logged in, use the CLI command get system logged-users.
 
To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other’s changes, enable single-admin-mode {enable | disable}. For details, see “config system global”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For more information, see “Permissions”.
Syntax
config system admin
  edit <administrator_name>
    set accprofile <access-profile_name>
    set accprofile-override {enable | disable}
    set domains <adom_name>
    set password <password_str>
    set email-address <contact_email>
    set first-name <name_str>
    set last-name <surname_str>
    set mobile-number <cell-phone_str>
    set phone-number <phone_str>
    set trusthost1 <management-computer_ipv4mask>
    set trusthost2 <management-computer_ipv4mask>
    set trusthost3 <management-computer_ipv4mask>
    set ip6trusthost1 <management-computer_ipv6mask>
    set ip6trusthost2 <management-computer_ipv6mask>
    set ip6trusthost3 <management-computer_ipv6mask>
    set type {local-user | remote-user}
    set admin-usergroup <remote-auth-group_name>
    set wildcard {enable | disable}
  next
end
Variable / Description / Default
<administrator_name>
Type the name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration.
Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 35 characters.
To display the list of existing accounts, type:
edit ?
Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name will be passed to the server via the remote authentication query.
No default.
accprofile <access-profile_name>
Type the name of an access profile that gives the permissions for this administrator account. See also “config system accprofile”. The maximum length is 35 characters.
You can select prof_admin, the special access profile used by the admin administrator account. However, selecting this access profile does not confer all of the same permissions as the admin administrator. For example, the new administrator would not be able to reset lost administrator passwords.
To display the list of existing profiles, type:
edit ?
Tip: Alternatively, if your administrator accounts authenticate via a RADIUS query, you can assign their access profile through the RADIUS server using RFC 2548 Microsoft Vendor-specific RADIUS Attributes.
On the RADIUS server, create an attribute named:
ATTRIBUTE FortiWeb-Access-Profile 7
then set its value to be the name of the access profile that you want to assign to this account. Finally, in the CLI, use accprofile-override {enable | disable} to enable the override.
If no profile is assigned on the RADIUS server, or if the assigned name does not match an existing access profile on FortiWeb, FortiWeb falls back to the profile locally assigned by this setting.
No default.
accprofile-override {enable | disable}
Enable to use the access profile indicated by the RADIUS query response, and ignore accprofile <access-profile_name>.
This setting applies only if admin-usergroup <remote-auth-group_name> is configured to use a RADIUS query to authenticate this account.
This setting applies only if ADOMs are enabled. See adom-admin {enable | disable} in “config system global”.
disable
domains <adom_name>
Type the name of an administrative domain (ADOM) to assign and restrict this administrative account to it.
This setting applies only if ADOMs are enabled. See adom-admin {enable | disable} in “config system global”.
No default.
password <password_str>
Type a password for the administrator account. The maximum length is 32 characters. The minimum length is 1 character.
For improved security, the password should be at least 8 characters long, be sufficiently complex, and be changed regularly.
This setting applies only when type is local-user. For accounts defined on a remote authentication server, the FortiWeb appliance will instead query the server to verify whether the password given during a login attempt matches the account’s definition.
No default.
email-address <contact_email>
Type an email address that can be used to contact this administrator. The maximum length is 35 characters.
No default.
first-name <name_str>
Type the first name of the administrator. The maximum length is 35 characters.
No default.
last-name <surname_str>
Type the surname of the administrator. The maximum length is 35 characters.
No default.
mobile-number <cell-phone_str>
Type a cell phone number that can be used to contact this administrator. The maximum length is 35 characters.
No default.
phone-number <phone_str>
Type a phone number that can be used to contact this administrator. The maximum length is 35 characters.
No default.
trusthost1 <management-computer_ipv4mask>
Type the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. You can specify up to three trusted hosts.
To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0. If you allow administrators to log in from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. For information on administrative access protocols, see “config system interface”.
Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in.
0.0.0.0 0.0.0.0
trusthost2 <management-computer_ipv4mask>
Type a second IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.
To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0.
0.0.0.0 0.0.0.0
trusthost3 <management-computer_ipv4mask>
Type a third IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.
To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0.
0.0.0.0 0.0.0.0
ip6trusthost1 <management-computer_ipv6mask>
Type the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. You can specify up to three trusted hosts.
To allow login attempts from any IP address, enter ::/0.
Caution: If you allow logins from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. Unlike IPv4, IPv6 does not isolate public from private networks via NAT, and therefore can increase availability of your FortiWeb’s web UI/CLI to IPv6 attackers unless you have carefully configured your firewall/FortiGate and routers. For information on administrative access protocols, see “config system interface”.
Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in.
::/0
ip6trusthost2 <management-computer_ipv6mask>
Type a second IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.
To allow login attempts from any IP address, enter ::/0.
::/0
ip6trusthost3 <management-computer_ipv6mask>
Type a third IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance.
To allow login attempts from any IP address, enter ::/0.
::/0
type {local-user | remote-user}
Select either:
local-user — Authenticate this account locally, with the FortiWeb appliance itself.
remote-user — Authenticate this account via a remote server such as an LDAP or RADIUS server. Also configure admin-usergroup <remote-auth-group_name>.
No default.
admin-usergroup <remote-auth-group_name>
Type the name of the remote authentication group whose settings the FortiWeb appliance will use to connect to a remote authentication server when authenticating login attempts for this account. The maximum length is 35 characters.
To display the list of existing groups, type:
edit ?
For details on configuring remote authentication groups, see “config user admin-usergrp”.
No default.
wildcard {enable | disable}
Used when administrator accounts authenticate via a RADIUS query.
This setting applies only if the value of type is remote-user.
No default.
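The accprofile and accprofile-override rows above describe a fallback rule: the profile named in the RADIUS response is used only when the override is enabled, the account is a remote-user authenticated through a RADIUS usergroup, and the returned name matches an existing access profile; in every other case the locally assigned accprofile applies. The following Python model of that decision is an added example, not Fortinet code; the profile names, usergroup names and server types in it are constructed stand-ins for the appliance's configuration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not Fortinet code. Models the accprofile / accprofile-override
# decision for one login. Names below (profile names, usergroup names,
# server types) are constructed for illustration.

@dataclass
class AdminAccount:
    name: str
    accprofile: str                    # locally assigned access profile
    type: str = "local-user"           # "local-user" | "remote-user"
    admin_usergroup: Optional[str] = None
    accprofile_override: bool = False  # accprofile-override {enable | disable}


# Hypothetical stand-ins for "config system accprofile" entries and for the
# server type behind each "config user admin-usergrp" entry.
EXISTING_PROFILES = {"prof_admin", "log_read_access", "waf_operator"}
USERGROUP_SERVER_TYPE = {"corp-radius": "radius", "corp-ldap": "ldap"}


def resolve_access_profile(
    account: AdminAccount,
    radius_profile_attr: Optional[str],
    existing_profiles=EXISTING_PROFILES,
    usergroup_types=USERGROUP_SERVER_TYPE,
) -> Tuple[str, str]:
    """Return (effective profile, source) where source is 'radius' or 'local'.

    radius_profile_attr is the value of the FortiWeb-Access-Profile attribute
    from the Access-Accept, or None if the server sent none.
    """
    # The override is only meaningful for a remote-user account whose
    # usergroup authenticates through RADIUS.
    override_applies = (
        account.accprofile_override
        and account.type == "remote-user"
        and usergroup_types.get(account.admin_usergroup) == "radius"
    )
    if override_applies and radius_profile_attr in existing_profiles:
        return radius_profile_attr, "radius"
    # No attribute, unknown profile name, or override not applicable:
    # fall back to the locally assigned accprofile.
    return account.accprofile, "local"


if __name__ == "__main__":
    auditor = AdminAccount("log-auditor", "log_read_access",
                           "remote-user", "corp-radius", True)
    for attr in ("waf_operator", "no_such_profile", None):
        print(attr, "->", resolve_access_profile(auditor, attr))
```

The point worth noticing for an audit is the silent fallback: a typo in the RADIUS-side profile name does not fail the login, it gives the administrator the locally assigned profile instead, so the local accprofile should be the least-privileged one you are willing to grant.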
Example
This example configures an administrator account with an access profile that grants only permission to read logs. This account can log in only from an IP address on the management LAN (172.16.2.0/24), or from one of two specific IP addresses (172.16.3.15 and 192.168.1.50).
config system admin
  edit "log-auditor"
    set accprofile "log_read_access"
    set password P@ssw0rd
    set email-address log-admin@example.com
    set trusthost1 172.16.2.0 255.255.255.0
    set trusthost2 172.16.3.15 255.255.255.255
    set trusthost3 192.168.1.50 255.255.255.255
  next
end
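To see which source addresses the trusted-host settings in this example admit, here is an added Python example (not FortiWeb code) that evaluates trusthost and ip6trusthost entries in either the "address netmask" form used in the example or the "address/netmask" form used in the table. The entry values are constructed from the example configuration: the three IPv4 entries as set above, and the three ip6trusthost entries at the ::/0 default listed in the table, since the example does not set them. The audit helper reports which address family still matches any source, which is what the table's notes on restricting all three entries are about.

```python
import ipaddress
from typing import List

# Added example, not FortiWeb code. Evaluates trusthost1-3 / ip6trusthost1-3
# entries as the table defines them. The entry values below are constructed
# from the example configuration above and the table's defaults.

# Hypothetical saved values for the "log-auditor" account from the example:
# the three IPv4 entries were set; the IPv6 entries keep their "::/0" default.
LOG_AUDITOR_V4 = [
    "172.16.2.0 255.255.255.0",
    "172.16.3.15 255.255.255.255",
    "192.168.1.50 255.255.255.255",
]
LOG_AUDITOR_V6 = ["::/0", "::/0", "::/0"]


def parse_trusthost(entry: str):
    """Accept 'address netmask' (CLI form) or 'address/netmask' (table form)."""
    parts = entry.split()
    text = "/".join(parts) if len(parts) == 2 else parts[0]
    # strict=False tolerates host bits set in the address, e.g. 172.16.3.15/32
    return ipaddress.ip_network(text, strict=False)


def is_source_trusted(source_ip: str, v4_entries: List[str], v6_entries: List[str]) -> bool:
    """True if source_ip matches any trusted host entry of its address family."""
    src = ipaddress.ip_address(source_ip)
    entries = v4_entries if src.version == 4 else v6_entries
    return any(src in parse_trusthost(e) for e in entries)


def unrestricted_families(v4_entries: List[str], v6_entries: List[str]) -> List[str]:
    """Audit helper: families with an entry still matching any address (/0)."""
    found = []
    if any(parse_trusthost(e).prefixlen == 0 for e in v4_entries):
        found.append("ipv4")
    if any(parse_trusthost(e).prefixlen == 0 for e in v6_entries):
        found.append("ipv6")
    return found


if __name__ == "__main__":
    for ip in ("172.16.2.77", "172.16.3.16", "192.168.1.50", "2001:db8::1"):
        print(ip, "trusted:", is_source_trusted(ip, LOG_AUDITOR_V4, LOG_AUDITOR_V6))
    print("still unrestricted:", unrestricted_families(LOG_AUDITOR_V4, LOG_AUDITOR_V6))
```

Run against the example's values, the IPv4 side behaves as the text describes (172.16.2.77 and 192.168.1.50 admitted, 172.16.3.16 rejected), while the untouched IPv6 entries still match every IPv6 source, so an account meant to be restricted to the management LAN should also have its ip6trusthost entries narrowed when the management interface carries IPv6.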
 
To display the current administrator account settings, enter:
config system admin
  show
Related topics
config system accprofile
config system global
config user admin-usergrp