Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.3.3 Administration Guide
    6.3.3
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    System access

    System access

    To adjust system access settings:
    1. Go to System > Administration > System Access. The Edit System Access Settings page will open.

    2. The following settings are available:
      Administrative Access
      Require strong cryptography

      Enable this option to restrict administrative access using stronger cryptographic algorithms.

      FortiAuthenticator supports the following cryptographic protocols:

      • TLS 1.2: AES128/256 GCM/CBC, SHA256/384, DHE2048, and ECDHx25519.

      • TLS 1.3: AES128/256 GCM, SHA256/384, and ECDHx25519.

      Enable pre-authentication warning messagePre-authentication warning messages can be found under Authentication > Portals > Replacement Messages.
      CLI Access
      CLI idle timeoutEnter the amount of time before the CLI times out due to inactivity, from 0 to 480 minutes (maximum of eight hours).
      GUI Access

      Site title

      Specify the string to display as the page title in web browsers. The following variables are available for the construction of the string:

      • {{:hostname}}: Host name

      • {{:fqdn}}: Device FQDN

      The default is set to FortiAuthenticator.

      GUI idle timeoutEnter the amount of time before the GUI times out due to inactivity, from 1 to 480 minutes (maximum of eight hours).
      Maximum HTTP header lengthEnter the maximum HTTP header length, from 4 to 16 KB.
      HTTPS CertificateSelect an HTTPS certificate from the dropdown menu.
      HTTP Strict Transport Security (HSTS) ExpiryEnable or disable HSTS enforcement, to avoid SSL sniffing attacks, and set an expiry from 0 to 730 days (where 0 means no expiry, maximum of two years). The default is set to 180.
      Certificate authority typeSelect the selected certificate’s authority type, either Local CA or Trusted CA.
      CA certificate that issued the server certificateSelect the issuing server certificate from the dropdown menu.

      Allow all hosts/domain names

      Enable to allow all the hosts/domain names.

      Additional allowed hosts/domain names

      Specify any additional hosts that this site can serve, separated by commas or line breaks.

      This option is only available when Allow all hosts/domain names is disabled.

      Public IP/FQDN for FortiToken Mobile

      Enter the IP, or FQDN, of the FortiAuthenticator for external access.

      The mobile device running the FortiToken Mobile app requires access to the FortiAuthenticator interface for push to operate.

      Enter the IPs/FQDNs in the following format:
      ip_addr[:port] or FQDN[:port]

      Legacy Self-Service Portal And OAuth Access Control Settings

      Username input format

      Select one of the following three username input formats:

      • username@realm

      • realm\username

      • realm/username

      Note: When authenticating against the default realm, the realm name is optional.

      Use default realm when user-provided realm is different from all configured realms

      When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

      Realms

      Add realms to which the client will be associated.

      • Select a realm from the dropdown menu in the Realm column.

      • Select whether or not to allow local users to override remote users for the selected realm.

      • Edit the group filter as needed to filter users based on the groups they are in.

      • If necessary, add more realms to the list.

      • Select the realm that will be the default realm for this client.

      REST API

      Restrict number of requests to

      Enter the maximum number of REST API requests sent, from 1 to 2880 requests. The default is set to 360.

      For duration

      Enter the amount of time for which the maximum number of requests is restricted, from 1 to 480 minutes. The default is set to 60.

      Inbound Proxy

      End-user source IP origin when going through a proxy (in order of priority)

      Get proxy IP from FORWARDED HTTP header (if available)

      Enable to get the proxy IP address from the FORWARDED HTTP header when available.

      Configure valid FORWARDED "by" values

      Enable to specify a list of valid "by" identifiers for the FORWARDED header, separated by a comma or a new line.

      This determines the client IP address used while logging in and can be used to determine if a proxy IP address is trusted in some security features (e.g. trusted subnets for SAML IdP and admin GUI access and user portal adaptive authentication, etc).

      Note: This option provides a way to select the correct source IP address in case of a chain of inbound proxy. It also provides additional protection against spoofing.

      Get proxy IP from X_FORWARDED_FOR HTTP header (if available)

      Enable to get the proxy IP address from the X-FORWARDED_FOR HTTP (non-standard equivalent of FORWARDED+ "for") header when available.

      Note: When Get proxy IP from FORWARDED HTTP header (if available) and Get proxy IP from X_FORWARDED_FOR HTTP header (if available) options are enabled, FortiAuthenticator looks for a matching "FORWARDED" header and only uses the "X_FORWARDED_FOR" header if a valid "FORWARDED" header is not present.

    3. Select OK to apply any changes. See Certificate management for more information about certificates.
    Previous
    Next

    System access

    System access

    To adjust system access settings:
    1. Go to System > Administration > System Access. The Edit System Access Settings page will open.

    2. The following settings are available:
      Administrative Access
      Require strong cryptography

      Enable this option to restrict administrative access using stronger cryptographic algorithms.

      FortiAuthenticator supports the following cryptographic protocols:

      • TLS 1.2: AES128/256 GCM/CBC, SHA256/384, DHE2048, and ECDHx25519.

      • TLS 1.3: AES128/256 GCM, SHA256/384, and ECDHx25519.

      Enable pre-authentication warning messagePre-authentication warning messages can be found under Authentication > Portals > Replacement Messages.
      CLI Access
      CLI idle timeoutEnter the amount of time before the CLI times out due to inactivity, from 0 to 480 minutes (maximum of eight hours).
      GUI Access

      Site title

      Specify the string to display as the page title in web browsers. The following variables are available for the construction of the string:

      • {{:hostname}}: Host name

      • {{:fqdn}}: Device FQDN

      The default is set to FortiAuthenticator.

      GUI idle timeoutEnter the amount of time before the GUI times out due to inactivity, from 1 to 480 minutes (maximum of eight hours).
      Maximum HTTP header lengthEnter the maximum HTTP header length, from 4 to 16 KB.
      HTTPS CertificateSelect an HTTPS certificate from the dropdown menu.
      HTTP Strict Transport Security (HSTS) ExpiryEnable or disable HSTS enforcement, to avoid SSL sniffing attacks, and set an expiry from 0 to 730 days (where 0 means no expiry, maximum of two years). The default is set to 180.
      Certificate authority typeSelect the selected certificate’s authority type, either Local CA or Trusted CA.
      CA certificate that issued the server certificateSelect the issuing server certificate from the dropdown menu.

      Allow all hosts/domain names

      Enable to allow all the hosts/domain names.

      Additional allowed hosts/domain names

      Specify any additional hosts that this site can serve, separated by commas or line breaks.

      This option is only available when Allow all hosts/domain names is disabled.

      Public IP/FQDN for FortiToken Mobile

      Enter the IP, or FQDN, of the FortiAuthenticator for external access.

      The mobile device running the FortiToken Mobile app requires access to the FortiAuthenticator interface for push to operate.

      Enter the IPs/FQDNs in the following format:
      ip_addr[:port] or FQDN[:port]

      Legacy Self-Service Portal And OAuth Access Control Settings

      Username input format

      Select one of the following three username input formats:

      • username@realm

      • realm\username

      • realm/username

      Note: When authenticating against the default realm, the realm name is optional.

      Use default realm when user-provided realm is different from all configured realms

      When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

      Realms

      Add realms to which the client will be associated.

      • Select a realm from the dropdown menu in the Realm column.

      • Select whether or not to allow local users to override remote users for the selected realm.

      • Edit the group filter as needed to filter users based on the groups they are in.

      • If necessary, add more realms to the list.

      • Select the realm that will be the default realm for this client.

      REST API

      Restrict number of requests to

      Enter the maximum number of REST API requests sent, from 1 to 2880 requests. The default is set to 360.

      For duration

      Enter the amount of time for which the maximum number of requests is restricted, from 1 to 480 minutes. The default is set to 60.

      Inbound Proxy

      End-user source IP origin when going through a proxy (in order of priority)

      Get proxy IP from FORWARDED HTTP header (if available)

      Enable to get the proxy IP address from the FORWARDED HTTP header when available.

      Configure valid FORWARDED "by" values

      Enable to specify a list of valid "by" identifiers for the FORWARDED header, separated by a comma or a new line.

      This determines the client IP address used while logging in and can be used to determine if a proxy IP address is trusted in some security features (e.g. trusted subnets for SAML IdP and admin GUI access and user portal adaptive authentication, etc).

      Note: This option provides a way to select the correct source IP address in case of a chain of inbound proxy. It also provides additional protection against spoofing.

      Get proxy IP from X_FORWARDED_FOR HTTP header (if available)

      Enable to get the proxy IP address from the X-FORWARDED_FOR HTTP (non-standard equivalent of FORWARDED+ "for") header when available.

      Note: When Get proxy IP from FORWARDED HTTP header (if available) and Get proxy IP from X_FORWARDED_FOR HTTP header (if available) options are enabled, FortiAuthenticator looks for a matching "FORWARDED" header and only uses the "X_FORWARDED_FOR" header if a valid "FORWARDED" header is not present.

    3. Select OK to apply any changes. See Certificate management for more information about certificates.
    Previous
    Next