Managing administrator users
This topic includes the following information:
- Administrator user overview
- Configuring access profiles
- Creating administrator users
- Changing user passwords
- Configuring administration settings
- Login lockout
Administrator user overview
In its factory default configuration, FortiDDoS-F has one administrator account named admin. This administrator has permissions that grant Read-Write access to all system functions.
Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin account is similar to a root administrator account. This account always has full permission to view and change all system configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.
To prevent accidental changes to the configuration, it is best if only network administrators—and if possible, only a single person—use the admin account. You can use the admin account to configure more administrator accounts for other people. Accounts can be made with different scopes of access. You can associate each of these accounts with either all SPPs or a single SPP, and you can specify the type of profile settings that each account can access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so with access profiles. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.
Basic steps
- Configure profiles to provision permissions to roles.
- Optional. Create RADIUS or LDAP server configurations if you want to use a RADIUS or LDAP server to authenticate administrators. Otherwise, you can use local authentication.
- Create administrator user accounts with permissions provisioned by the profiles.
Configuring access profiles
Access profiles provision permissions to roles. The following permissions can be assigned:
- Read (view access)
- Read-Write (view, change, and execute access)
- No access
When a profile includes only read access to a category, the user can access the web UI page for that category, and can use the get and show CLI commands for that category, but cannot make changes to the configuration.
When a profile includes no categories with read-write permissions, the user can log into the web UI but not the CLI.
In larger companies where multiple administrators share the workload, access profiles often reflect the specific job that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).
The table below lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).
For complete access to all commands and abilities, you must log in with the administrator account named admin.
Areas of control in access profiles
Web UI Menus | CLI Commands |
---|---|
System | config system ..., show full-configuration, diagnose ..., execute ... |
Global Settings | config ddos global ... |
Protection Profiles | config spp ... |
Monitor | get system status, get system performance, show system status, show system performance, show full-configuration |
Log & Report | config log ..., config system |
* For each config command, there is an equivalent get/show command, unless otherwise noted. config commands require write permission. get/show commands require read permission.
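To make the permission rule in the table and footnote concrete, here is an added example (not FortiDDoS code) that models it: config, diagnose and execute commands need Read-Write on their area, get/show need at least Read, and a profile with no Read-Write category cannot use the CLI at all. The command-to-area mapping follows the table; the two profiles at the end are constructed for illustration.

```python
"""Added example, not FortiDDoS code: check a CLI command against an access
profile using the rules from the "Areas of control" table and its footnote.
Where the table lists a command under two areas, one is chosen here."""
from typing import Dict, Optional

# Permission levels as the profile editor names them.
NONE, READ, READ_WRITE = "none", "read", "read-write"

# Command prefixes from the table mapped to their area (longest prefix wins).
AREA_BY_PREFIX = {
    "config system": "System", "diagnose": "System", "execute": "System",
    "config ddos global": "Global Settings", "config spp": "Protection Profiles",
    "get system status": "Monitor", "get system performance": "Monitor",
    "show system status": "Monitor", "show system performance": "Monitor",
    "show full-configuration": "Monitor", "config log": "Log & Report",
}

def can_log_in_to_cli(profile: Dict[str, str]) -> bool:
    """A profile with no Read-Write category may use the web UI but not the CLI."""
    return any(level == READ_WRITE for level in profile.values())

def area_for(command: str) -> Optional[str]:
    """Longest-prefix match. Per the footnote, get/show <x> belongs to the same
    area as config <x>, so the config spelling of the command is tried as well."""
    cmd = " ".join(command.split())
    candidates = [cmd]
    for verb in ("get ", "show "):
        if cmd.startswith(verb):
            candidates.append("config " + cmd[len(verb):])
    matches = [(len(p), a) for p, a in AREA_BY_PREFIX.items()
               for c in candidates if c.startswith(p)]
    return max(matches)[1] if matches else None

def is_allowed(profile: Dict[str, str], command: str) -> bool:
    """config/diagnose/execute need Read-Write on the area; get/show need Read."""
    area = area_for(command)
    if area is None or not can_log_in_to_cli(profile):
        return False
    level = profile.get(area, NONE)
    if command.split()[0] in ("get", "show"):
        return level in (READ, READ_WRITE)
    return level == READ_WRITE

# Constructed profiles for illustration (not shipped with the product).
AUDITOR = {a: READ for a in ("System", "Global Settings", "Protection Profiles",
                             "Monitor", "Log & Report")}     # read-only: web UI only
LOG_ADMIN = {"Monitor": READ, "Log & Report": READ_WRITE}   # may edit log settings
```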
Before you begin:
- You must have Read-Write permission for System settings.
To configure administrator profiles:
- Go to System > Admin > Access Profile.
- Click Add to display the configuration editor.
- Complete the configuration as described in the table below.
- Save the configuration.
Admin profile configuration page
Admin profile configuration guidelines
Settings | Guidelines |
---|---|
Profile name | Unique name. No spaces or special characters. |
Access Control | |
The super_admin_prof access profile, a special access profile assigned to the admin account and required by it, appears in the list of access profiles. It exists by default and cannot be changed or deleted. The profile has permissions similar to the UNIX root account.
Creating administrator users
We recommend that only network administrators—and if possible, only a single person—use the admin account. You can configure accounts that provision different scopes of access. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.
Before you begin:
- You must have Read-Write permission for System settings.
To create administrator users:
- Go to System > Admin > Administrator.
- Click Add to display the configuration editor.
- Complete the configuration as described in the table below.
- Save the configuration.
Administrator user configuration page
Administrator user configuration guidelines
Settings | Guidelines |
---|---|
Name | Name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration. Do not use spaces or special characters except the ‘at’ symbol (@). The maximum length is 35 characters. If you use LDAP or RADIUS authentication, this is the username stored in the LDAP or RADIUS authentication server. Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name is passed to the server in the remote authentication query. |
System Admin | Select Yes if the user is a System Administrator with access to all SPPs; otherwise select No. |
Allow API Access | This option is displayed only if the user is a System Admin. It allows the user to authenticate REST API requests sent to FortiDDoS. For example, to access Security Fabric information from FortiOS on FortiGate, a matching user/password must exist both in FortiDDoS and in the FortiGate Security Fabric access configuration. |
SPP Admin | Yes—Administrator for all SPPs. No—Administrator for selected SPPs only. You must have SPPs configured before you can make this selection. |
SPP Policy Group | If the user is not a System or SPP Admin, select the SPP Policy Group from the drop-down. You must have SPP Policies (subnets) and SPP Policy Groups configured before you can make this selection. |
Service Protection Profile | If the user is an SPP Admin, select the SPP profile that the SPP Admin manages. |
Strategy | |
Admin Profile | Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords. Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile. |
Password | Type a password for the administrator account. Special characters: % ^ & ! @ # $ * _ - < > ( ) = \| : ; , / ? Notes: |
Confirm Password | Type the password again to confirm its spelling. |
Trusted Hosts | Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture. Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify. Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network. If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal. To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask: 192.0.2.2/32 or 2001:0db8:85a3::8a2e:0370:7334/128. To allow login attempts from any IP address (not recommended), enter 0.0.0.0/0.0.0.0. Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list. Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area. Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in. |
CLI commands:
config system admin
  edit admin
    set access-profile super_admin_prof
  next
  edit admin-spp1
    set is-system-admin no
    set domain SPP-1
    set password ENC $1$0b721b38$vk7GoO147JXXqy5B3ag8z/
    set access-profile admin
end
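The Trusted Hosts caution above is easy to get wrong across many accounts, so here is an added example (not FortiDDoS code) that audits the Trusted Hosts fields of several accounts: it flags any-address entries and subnet entries, reports that a single unrestricted account exposes every account to remote guessing, and checks whether a connecting address falls inside an account's entries. The account names and addresses are constructed for illustration.

```python
"""Added example, not FortiDDoS code: audit Trusted Hosts fields as the
caution above describes. Configuration below is constructed, not real."""
import ipaddress
from typing import Dict, List

# Constructed: account -> the space-separated entries typed into Trusted Hosts.
TRUSTED_HOSTS = {
    "admin":      "192.0.2.2/32 2001:0db8:85a3::8a2e:0370:7334/128",
    "admin-spp1": "192.0.2.0/24",
    "auditor":    "0.0.0.0/0.0.0.0",   # unrestricted: the case the caution warns about
}

def parse_entries(field: str) -> list:
    """Split on spaces and parse each entry; dotted netmask form is accepted."""
    return [ipaddress.ip_network(e, strict=False) for e in field.split()]

def is_unrestricted(net) -> bool:
    return net.prefixlen == 0                     # 0.0.0.0/0 or ::/0

def is_single_host(net) -> bool:
    return net.prefixlen == net.max_prefixlen     # /32 or /128

def audit(config: Dict[str, str]) -> Dict[str, List[str]]:
    """Findings per account, plus a '*' system-wide finding when any account is
    unrestricted, because that alone forces the system to accept login attempts
    from anywhere before it can check the user name's trusted hosts list."""
    findings: Dict[str, List[str]] = {}
    any_unrestricted = False
    for account, field in config.items():
        nets = parse_entries(field)
        notes = ["more than three trusted host entries"] if len(nets) > 3 else []
        for net in nets:
            if is_unrestricted(net):
                any_unrestricted = True
                notes.append(f"{net} allows login from any address")
            elif not is_single_host(net):
                notes.append(f"{net} is a subnet, not a single host")
        findings[account] = notes
    if any_unrestricted:
        findings["*"] = ["at least one account is unrestricted; login attempts are "
                         "accepted on all administrative interfaces for all accounts"]
    return findings

def source_allowed(field: str, source_ip: str) -> bool:
    """True if the connecting address lies inside one of the account's entries."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == n.version and ip in n for n in parse_entries(field))
```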
Changing user passwords
By default, the admin administrator account has the password fortinet. Set a strong password for the admin administrator account, and change the password regularly.
Before you begin:
- You must have Read-Write permission for System settings.
To change the password:
- Go to System > Admin > Administrator.
- Click the Change Password icon.
- Complete the configuration as described in the table below.
- Save the configuration.
Administrator settings page
Password configuration
Settings | Guidelines |
---|---|
Old Password | Type the current password. |
New Password | Type a password for the administrator account. Passwords may have a maximum of 16 characters and may include numbers, upper- and lowercase letters, and the following special characters: _ (underscore), - (hyphen), !, @, #, $, %, ^, &, * |
Confirm Password | Type the password again to confirm its spelling. |
CLI commands:
Configuring administration settings
Before you begin:
- You must have Read-Write permission for System settings.
To change the administration settings:
- Go to System > Admin > Settings.
- Complete the configuration as described in the table below.
- Save the configuration.
Administration settings page
Administration settings guidelines
Settings | Guidelines |
---|---|
Web Administration Ports | |
HTTP Port | HTTP is not supported. Any traffic directed to the HTTP Port set here or to HTTP Port 80 will be redirected to the HTTPS port. |
Telnet Port | Specify the port for the Telnet service. Usually, Telnet uses port 23. |
SSH Port | Specify the port for the SSH service. Usually, SSH uses port 22. |
Web Administration | |
Language | Language of the web UI. Not all listed languages are fully supported in 6.x.x; fuller translations will be added in the future. Note: This setting does not affect the display of the CLI. |
Idle Timeout | Number of minutes that a web UI connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). The default is 30 minutes. |
Remote Authentication Timeout | When using slow servers or authentication proxies, it may be necessary to lengthen the time FortiDDoS waits for a response. The default is 5 seconds; the range is 1 – 300 seconds. |
Private Data Encryption | The FortiDDoS administrator can create a private encryption key to replace the default static key used by Fortinet for external API credentials such as RADIUS and REST API. If, after creating and using the key, the administrator disables it, the system re-encrypts the credentials with its default key. Note: This key is not shown in the configuration file. HA deployments: The private key on the Primary and Secondary must be exactly the same. It is not synced automatically. Any change to Private Data Encryption should be made in standalone mode. To create this key: enable Private Data Encryption; enter a 32-character hexadecimal number (0-9, a-f) in the Private Data Encryption Key field; save the page. |
Login lockout
To protect against intrusion attempts, the system temporarily blocks the source IP of any user who makes five failed login attempts. The login page displays 'IP has been blocked'. The user may try to log in again after a few minutes.