
Handbook

Creating administrator users

We recommend that only network administrators—and if possible, only a single person—use the admin account. You can configure accounts that provision different scopes of access. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

Before you begin:
  • If you want to use RADIUS, LDAP or TACACS+ authentication, you must already have created the RADIUS server, LDAP server or TACACS+ server configuration.
  • You must have Read-Write permission for System settings.
To create an administrator user account:
  1. Go to System > Administrator.
  2. Click the Admin tab.
  3. Click Create New > Administrator to display the configuration editor.
  4. Complete the configuration as described in Administrator user configuration.
  5. Click Save.

Administrator user configuration

Settings Guidelines

Name

Name of the administrator account, such as admin1 or admin@example.com.

Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 35 characters.

If you use LDAP, RADIUS or TACACS+, specify the LDAP, RADIUS or TACACS+ username. This is the user name that the administrator must provide when logging in to the CLI or web UI. The users are authenticated against the associated LDAP, RADIUS or TACACS+ server.

After you initially save the configuration, you cannot edit the name.

Global Admin

Select whether or not to allow the administrator account to have Global access, which is required to access all virtual domains, configure Automation Stitches, and create system backup files.

  • No — This is the default option. The administrator account will only have access to the virtual domain specified in this configuration. Administrators with no Global Admin permission cannot configure Automation Stitches or create system backup files.
  • Yes — The administrator account will have access to all virtual domains. With Global Admin access, the administrator can configure Automation Stitches and create system backup files.

Profile

Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

Virtual Domain

Optional. If you have enabled the virtual domain feature, select the virtual domain that this administrator can view and manage.

Authentication Type

  • Local — Use the local administrator authentication server.
  • RADIUS — Use a RADIUS authentication server. Select the RADIUS server configuration.
  • LDAP — Use an LDAP authentication server. Select the LDAP server configuration.
  • TACACS+ — Use a TACACS+ authentication server. Select the TACACS+ server configuration.

Password

The Password is available if Authentication Type is Local.

Set a strong password for all administrator accounts. The password should be at least eight characters long, be sufficiently complex, and be changed regularly. To check the strength of your password, you can use a utility such as Microsoft’s password strength meter.

Confirm Password

The Confirm Password is available if Authentication Type is Local.

Re-enter the same password.

Two-factor Authentication

The Two-factor Authentication is available if Authentication Type is Local.

Options:

  • None
  • FortiToken Cloud
    • Email address—Set the email address registered with FortiToken Cloud
    • Country dial code—Set country dial code of mobile phone number
    • Phone number—Set mobile phone number registered with FortiToken Cloud

Note: FortiADC does not support FortiToken Cloud functionality in an HA configuration.

Wildcard

The Wildcard option is available if Authentication Type is RADIUS, LDAP or TACACS+.

Enable the wildcard option to allow multiple remote admin accounts to match one local admin account. This way, multiple RADIUS, LDAP or TACACS+ admin accounts can use one FortiADC admin account.

Restrict to trusted hosts

Enable/disable to restrict logins to trusted hosts only.

Trusted Hosts

The Trusted Hosts option is available if Restrict to trusted hosts is enabled.

Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator must connect only from the computer or subnets you specify.

Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal.

To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:

192.0.2.1/32

2001:0db8:85a3::8a2e:0370:7334/128

To allow login attempts from any IP address (not recommended), enter:

0.0.0.0/0

Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

Tip: If you allow login from the Internet, set a longer and more complex New Password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area.

Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.
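As an added example (not Fortinet's code), a small Python audit of the trusted-host rules described above: it parses an account's Trusted Hosts field the way the editor expects (up to three space-separated entries, IPv4 or IPv6 with netmask), flags 0.0.0.0/0 or ::/0 entries and accounts with the restriction disabled, and applies the Caution that a single unrestricted account exposes every account. The account names and fields in SAMPLE_ADMINS are constructed.

```python
import ipaddress

MAX_TRUSTED_HOSTS = 3  # the handbook allows up to three trusted areas per account

def parse_trusted_hosts(field):
    """Parse one account's space-separated Trusted Hosts field into network objects.
    Raises ValueError on a malformed entry or on more than three entries."""
    entries = field.split()
    if not entries:
        raise ValueError("Trusted Hosts field is empty")
    if len(entries) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"{len(entries)} entries, at most {MAX_TRUSTED_HOSTS} allowed")
    # strict=False accepts '192.0.2.1/24' by masking off the host bits
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def audit_admins(admins):
    """Return (account, severity, message) findings for a mapping of account
    name -> Trusted Hosts field; None means 'Restrict to trusted hosts' is off."""
    findings = []
    for name, field in admins.items():
        if field is None:
            findings.append((name, "high", "Restrict to trusted hosts is disabled"))
            continue
        for net in parse_trusted_hosts(field):
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: any source may attempt a login
                findings.append((name, "high", f"unrestricted entry {net}"))
            elif net.prefixlen < net.max_prefixlen:
                findings.append((name, "low", f"subnet entry {net}; prefer single hosts"))
    return findings

def login_surface_exposed(admins):
    """True if any account is unrestricted. Per the Caution above, the system must
    then accept login attempts on every administrative interface before it can
    consult the per-user trusted hosts list, so every account is reachable."""
    return any(sev == "high" for _, sev, _ in audit_admins(admins))

# Constructed sample configuration, not taken from a real device.
SAMPLE_ADMINS = {
    "admin": "192.0.2.1/32 2001:0db8:85a3::8a2e:0370:7334/128",
    "auditor": "192.0.2.0/24",
    "backup": "0.0.0.0/0",  # the one unrestricted account exposes all three
}

if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_ADMINS):
        print(*finding)
    print("login surface exposed:", login_surface_exposed(SAMPLE_ADMINS))
```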
