To prevent multiple administrators from logging in simultaneously, which could allow them to inadvertently overwrite each other’s changes, enable single-admin-mode {enable | disable}. For details, see “config system global”. |
Variable | Description | Default |
<administrator_name> | Type the name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration. Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 35 characters. To display the list of existing accounts, type: edit ? Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name will be passed to the server via the remote authentication query. | No default. |
accprofile <access-profile_name> | Type the name of an access profile that gives the permissions for this administrator account. See also “config system accprofile”. The maximum length is 35 characters. You can select prof_admin, a special access profile used by the admin administrator account. However, selecting this access profile will not confer all of the same permissions of the admin administrator. For example, the new administrator would not be able to reset lost administrator passwords. To display the list of existing profiles, type: edit ? Tip: Alternatively, if your administrator accounts authenticate via a RADIUS query, you can assign their access profile through the RADIUS server using RFC 2548 Microsoft Vendor-specific RADIUS Attributes. On the RADIUS server, create an attribute named: ATTRIBUTE FortiWeb-Access-Profile 7 then set its value to be the name of the access profile that you want to assign to this account. Finally, in the CLI, use accprofile-override {enable | disable} to enable the override. If none is assigned on the RADIUS server, or if it does not match the name of an existing access profile on FortiWeb, FortiWeb will fall back to use the one locally assigned by this setting. | No default. |
accprofile-override {enable | disable} | Enable to use the access profile indicated by the RADIUS query response, and ignore accprofile <access-profile_name>. This setting applies only if admin-usergroup <remote-auth-group_name> is configured to use a RADIUS query to authenticate this account. This setting applies only if ADOMs are enabled. See adom-admin {enable | disable} in “config system global”. | disable |
domains <adom_name> | Type the name of an administrative domain (ADOM) to assign and restrict this administrative account to it. This setting applies only if ADOMs are enabled. See adom-admin {enable | disable} in “config system global”. | No default. |
password <password_str> | Type a password for the administrator account. The maximum length is 32 characters. The minimum length is 1 character. For improved security, the password should be at least 8 characters long, be sufficiently complex, and be changed regularly. This setting applies only when type is local-user. For accounts defined on a remote authentication server, the FortiWeb appliance will instead query the server to verify whether the password given during a login attempt matches the account’s definition. | No default. |
email-address <contact_email> | Type an email address that can be used to contact this administrator. The maximum length is 35 characters. | No default. |
first-name <name_str> | Type the first name of the administrator. The maximum length is 35 characters. | No default. |
last-name <surname_str> | Type the surname of the administrator. The maximum length is 35 characters. | No default. |
mobile-number <cell‑phone_str> | Type a cell phone number that can be used to contact this administrator. The maximum length is 35 characters. | No default. |
phone-number <phone_str> | Type a phone number that can be used to contact this administrator. The maximum length is 35 characters. | No default. |
trusthost1 <management-computer_ipv4mask> | Type the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. You can specify up to three trusted hosts. To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0. If you allow administrators to log in from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. For information on administrative access protocols, see “config system interface”. Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in. | 0.0.0.0 0.0.0.0 |
trusthost2 <management-computer_ipv4mask> | Type a second IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0. | 0.0.0.0 0.0.0.0 |
trusthost3 <management-computer_ipv4mask> | Type a third IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. To allow login attempts from any IP address, enter 0.0.0.0/0.0.0.0. | 0.0.0.0 0.0.0.0 |
ip6trusthost1 <management-computer_ipv6mask> | Type the IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. You can specify up to three trusted hosts. To allow login attempts from any IP address, enter ::/0. Caution: If you allow logins from any IP address, consider choosing a longer and more complex password, and limiting administrative access to secure protocols to minimize the security risk. Unlike IPv4, IPv6 does not isolate public from private networks via NAT, and therefore can increase availability of your FortiWeb’s web UI/CLI to IPv6 attackers unless you have carefully configured your firewall/FortiGate and routers. For information on administrative access protocols, see “config system interface”. Note: For improved security, restrict all three trusted host addresses to the IP addresses of computers from which only this administrator will log in. | ::/0 |
ip6trusthost2 <management-computer_ipv6mask> | Type a second IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. To allow login attempts from any IP address, enter ::/0. | ::/0 |
ip6trusthost3 <management-computer_ipv6mask> | Type a third IP address and netmask of a management computer or management LAN from which the administrator is allowed to log in to the FortiWeb appliance. To allow login attempts from any IP address, enter ::/0. | ::/0 |
type {local-user | remote-user} | Select either: • local-user — Authenticate this account locally, with the FortiWeb appliance itself. • remote-user — Authenticate this account via a remote server such as an LDAP or RADIUS server. Also configure admin-usergroup <remote-auth-group_name>. | No default. |
admin-usergroup <remote-auth-group_name> | Type the name of the remote authentication group whose settings the FortiWeb appliance will use to connect to a remote authentication server when authenticating login attempts for this account. The maximum length is 35 characters. To display the list of existing groups, type: edit ? For details on configuring remote authentication groups, see “config user admin-usergrp”. | No default. |
wildcard {enable | disable} | Used when administrator accounts authenticate via a RADIUS query. This setting applies only if the value of type is remote-user. | No default. |
sshkey <sshkey_str> | The public key used for connecting to the CLI using a public-private key pair. For more information on connecting to the CLI using a public-private key pair, see “Connecting to the CLI” in the FortiWeb Administration Guide. | No default. |
To display all dashboard status and widget settings, enter: config system admin show |
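
The trusted-host rows above default to 0.0.0.0 0.0.0.0 and ::/0, and the notes advise restricting all three addresses. The following audit script is an added example, not Fortinet code: it lists, per administrator, every trusted-host slot that still matches any source address. The "config / edit / set / next / end" layout of the input, the sample accounts and addresses, and the treatment of unset slots as the table defaults are assumptions.

```python
import ipaddress
import re

# Constructed sample (assumed layout; accounts and addresses are illustrative,
# not taken from a real appliance).
SAMPLE_CONFIG = '''\
config system admin
  edit "admin1"
    set trusthost1 192.0.2.10 255.255.255.255
    set trusthost2 192.0.2.11 255.255.255.255
    set trusthost3 192.0.2.12 255.255.255.255
    set ip6trusthost1 2001:db8::10/128
    set ip6trusthost2 2001:db8::11/128
    set ip6trusthost3 2001:db8::12/128
  next
  edit "admin2"
    set trusthost1 198.51.100.0 255.255.255.0
    set trusthost2 0.0.0.0/0.0.0.0
    set ip6trusthost1 2001:db8:1::/64
  next
end
'''

# Defaults from the table above, applied to slots the input does not set (assumption).
DEFAULTS = {f"trusthost{i}": "0.0.0.0 0.0.0.0" for i in (1, 2, 3)}
DEFAULTS.update({f"ip6trusthost{i}": "::/0" for i in (1, 2, 3)})

def parse_admins(text):
    """Return {admin_name: {setting: value}} from a config system admin block."""
    admins, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r'edit\s+"?([^"]+?)"?', line):
            current = admins.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set\s+(\S+)\s+(.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return admins

def open_slots(settings):
    """Trusted-host slots whose address/mask (set or default) matches every host."""
    merged = {**DEFAULTS, **settings}
    return [k for k in DEFAULTS
            if ipaddress.ip_network(merged[k].replace(" ", "/"), strict=False).prefixlen == 0]

def audit(text):
    """Map each administrator with at least one open slot to those slots."""
    found = {name: open_slots(s) for name, s in parse_admins(text).items()}
    return {name: slots for name, slots in found.items() if slots}
```

Calling `audit()` on saved configuration text returns only the accounts that need attention; an empty result means every slot of every account is restricted.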