Managing administrator users

Administrator user overview

In its factory default configuration, FortiDDoS-F has one administrator account named admin. This administrator has permissions that grant Read-Write access to all system functions.

Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin account is similar to a root administrator account. This account always has full permission to view and change all system configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.

To prevent accidental changes to the configuration, it is best if only network administrators—and if possible, only a single person—use the admin account. You can use the admin account to configure more administrator accounts for other people. Accounts can be made with different scopes of access. You can associate each of these accounts with either all SPPs or a single SPP, and you can specify the type of profile settings that each account can access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so with access profiles. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

Basic steps
  1. Configure profiles to provision permissions to roles.
  2. Optional. Create RADIUS, LDAP, or TACACS+ server configurations if you want to authenticate administrators against an external server. Otherwise, you can use local authentication.
  3. Create administrator user accounts with permissions provisioned by the profiles.

Configuring access profiles

Access profiles provision permissions to roles. The following permissions can be assigned:

  • Read (view access)
  • Read-Write (view, change, and execute access)
  • No access

When a profile includes only read access to a category, the user can access the web UI page for that category, and can use the get and show CLI commands for that category, but cannot make changes to the configuration.

When a profile includes no categories with read-write permissions, the user can log into the web UI but not the CLI.

In larger companies where multiple administrators share the workload, access profiles often reflect the specific job that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).

The table below lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).

For complete access to all commands and abilities, you must log in with the administrator account named admin.

Areas of control in access profiles

Web UI Menus          CLI Commands
System                config system ...
                      show full-configuration
                      diagnose ...
                      execute ...
Global Settings       config ddos global ...
Protection Profiles   config spp ...
Monitor               get system status
                      get system performance
                      show system status
                      show system performance
                      show full-configuration
Log & Report          config log ...
                      config system

* For each config command, there is an equivalent get/show command, unless otherwise noted. config commands require write permission. get/show commands require read permission.
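The permission rules above, as an added example that is not Fortinet's code: a small Python model of access-profile semantics (read on an area permits that area's get/show commands, read-write permits config plus diagnose/execute for System, and a profile with no read-write area cannot log in to the CLI at all). The area names and command prefixes are taken from the table; the longest-prefix dispatch, the placement of show full-configuration under Monitor, and the profile names auditor_prof and spp_operator_prof are this example's own assumptions, not documented product behaviour.

```python
"""Model of the access-profile rules this page describes for FortiDDoS-F.

Added example, not Fortinet code. Area names and command prefixes come from
the page's "Areas of control" table; how an arbitrary command is mapped onto
those prefixes (longest prefix wins, get/show twins of config commands need
only read) is this model's assumption.
"""
from typing import Dict, Tuple

NONE, READ, RW = "none", "read", "read-write"
AREAS = ("System", "Global Settings", "Protection Profiles", "Monitor", "Log & Report")

# Command prefix -> (area, permission needed), from the page's table.
# "show full-configuration" is listed under both System and Monitor; it is
# filed under Monitor here so a read-only Monitor profile can run it.
COMMAND_MAP: Dict[str, Tuple[str, str]] = {
    "config system": ("System", RW),
    "diagnose": ("System", RW),
    "execute": ("System", RW),
    "config ddos global": ("Global Settings", RW),
    "config spp": ("Protection Profiles", RW),
    "config log": ("Log & Report", RW),
    "get system status": ("Monitor", READ),
    "get system performance": ("Monitor", READ),
    "show system status": ("Monitor", READ),
    "show system performance": ("Monitor", READ),
    "show full-configuration": ("Monitor", READ),
}


def _has_prefix(command: str, prefix: str) -> bool:
    return command == prefix or command.startswith(prefix + " ")


def required_permission(command: str) -> Tuple[str, str]:
    """Return the (area, permission) a CLI command needs; longest prefix wins."""
    cmd = " ".join(command.split())
    for prefix in sorted(COMMAND_MAP, key=len, reverse=True):
        if _has_prefix(cmd, prefix):
            return COMMAND_MAP[prefix]
    # Footnote rule: every "config X" has a get/show twin that needs only read.
    verb, _, rest = cmd.partition(" ")
    if verb in ("get", "show"):
        twin = "config " + rest
        for prefix in sorted(COMMAND_MAP, key=len, reverse=True):
            if prefix.startswith("config ") and _has_prefix(twin, prefix):
                return COMMAND_MAP[prefix][0], READ
    raise ValueError(f"no access-profile area covers {command!r}")


class AccessProfile:
    def __init__(self, name: str, permissions: Dict[str, str]) -> None:
        unknown = set(permissions) - set(AREAS)
        if unknown:
            raise ValueError(f"unknown areas: {sorted(unknown)}")
        self.name = name
        # Areas not mentioned default to no access.
        self.permissions = {area: permissions.get(area, NONE) for area in AREAS}

    def level(self, area: str) -> str:
        return self.permissions[area]

    def cli_login_allowed(self) -> bool:
        # Page rule: no read-write in any area means web UI only, no CLI login.
        return any(lvl == RW for lvl in self.permissions.values())

    def permits(self, command: str) -> bool:
        area, needed = required_permission(command)
        have = self.level(area)
        return have == RW or (needed == READ and have == READ)


SUPER_ADMIN_PROF = AccessProfile("super_admin_prof", {a: RW for a in AREAS})


def cli_decision(profile: AccessProfile, command: str) -> str:
    """'denied-cli-login', 'allowed' or 'denied' for a command typed at the CLI."""
    if not profile.cli_login_allowed():
        return "denied-cli-login"
    return "allowed" if profile.permits(command) else "denied"


# Constructed sample profiles: the read-only auditor and an SPP-scoped operator.
AUDITOR = AccessProfile("auditor_prof", {a: READ for a in AREAS})
SPP_OPERATOR = AccessProfile("spp_operator_prof",
                             {"Protection Profiles": RW, "Monitor": READ})

if __name__ == "__main__":
    for prof in (SUPER_ADMIN_PROF, AUDITOR, SPP_OPERATOR):
        for cmd in ("show system admin", "config spp", "config system admin", "diagnose debug"):
            print(f"{prof.name:18} {cmd:22} {cli_decision(prof, cmd)}")
```

The auditor profile illustrates the page's point exactly: permits() says it may read everything, yet cli_decision() refuses the CLI outright because no area is read-write, so that account works from the web UI only.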

Before you begin:

  • You must have Read-Write permission for System settings.
To configure administrator profiles:
  1. Go to System > Admin > Access Profile.
  2. Click Add to display the configuration editor.
  3. Complete the configuration as described in the table below.
  4. Save the configuration.

Admin profile configuration page

Admin profile configuration guidelines

Settings        Guidelines
Profile name    Unique name. No spaces or special characters.
Access Control  • None—Do not provision access for the menu.
                • Read Only—Provision read-only access.
                • Read-Write—Enable the role to make changes to the configuration.

The super_admin_prof access profile, a special access profile assigned to the admin account and required by it, appears in the list of access profiles. It exists by default and cannot be changed or deleted. The profile has permissions similar to the UNIX root account.

Creating administrator users

We recommend that only network administrators—and if possible, only a single person—use the admin account. You can configure accounts that provision different scopes of access. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

Before you begin:

  • You must have Read-Write permission for System settings.
To create administrator users:
  1. Go to System > Admin > Administrator.
  2. Click Add to display the configuration editor.
  3. Complete the configuration as described in the table below.
  4. Save the configuration.

Administrator user configuration page

Administrator user configuration guidelines

Settings Guidelines
Name Name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration.

Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 35 characters.

If you use LDAP or RADIUS authentication, this is the username stored in the LDAP or RADIUS authentication server.

Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, this name will be passed to the server via the remote authentication query.
System Admin Select Yes if the user is a System Administrator with access to all SPPs; otherwise select No.
Allow API Access This option will only display if the user is a 'System Admin'. The option allows users to authenticate REST API instructions sent to FortiDDoS. For example, to access Security Fabric information from FortiOS on FortiGate, a matching user/password must exist in both FortiDDoS and FortiGate Security Fabric access.
SPP Admin Yes—Administrator for all SPPs.
No—Administrator for selected SPPs only. You must have SPPs configured before you can make this selection.
SPP Policy Group If the user is not a System or SPP Admin, select the SPP Policy Group from the drop-down. You must have SPP Policies (subnets) and SPP Policy Groups configured before you can make this selection.
Service Protection Profile If the user is an SPP Admin, select the SPP profile that the SPP Admin manages.
Strategy
  • Local—Use the local authentication server. When you use the local authentication server, you also configure a password.
  • LDAP—Authenticate against an LDAP server. When you use LDAP, you do not configure a password. The system authenticates against the username and password stored in the LDAP server.
  • RADIUS—Authenticate against a RADIUS server. When you use RADIUS, you do not configure a password. The system authenticates against the username and password stored in the RADIUS server.
  • TACACS+—Authenticate against a TACACS+ server. When you use TACACS+, you do not configure a password. The system authenticates against the username and password stored in the TACACS+ server.
Admin Profile Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.
Password

Type a password for the administrator account.

Passwords may have a maximum of 16 characters, may include numbers, upper and lowercase characters, and the following special characters:

% ^ & ! @ # $ * _ - < > ( ) = | : ; , / ?

Notes:

  • "?" is not allowed as a special character in the CLI, so do not use it in passwords that may be needed for CLI access.
  • "\" is not allowed as a special character.
Confirm Password Type the password again to confirm its spelling.
Trusted Hosts Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify.

Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute request.

To allow logins only from one computer, enter only its IP address with a 32-bit (IPv4) or 128-bit (IPv6) netmask, for example 192.0.2.2/32 or 2001:0db8:85a3::8a2e:0370:7334/128.

To allow login attempts from any IP address (not recommended), enter 0.0.0.0/0.0.0.0.

Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area.

Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

CLI commands:

config system admin
    edit admin
        set access-profile super_admin_prof
    next
    edit admin-spp1
        set is-system-admin no
        set domain SPP-1
        set password ENC $1$0b721b38$vk7GoO147JXXqy5B3ag8z/
        set access-profile admin
    end
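An added example, not Fortinet code, of the trusted-host rules described above: it parses the space-separated Trusted Hosts field (up to three entries, IPv4 or IPv6, mask as a prefix length or a dotted mask), decides whether a source address is permitted for a named account, and audits a whole account table for the unrestricted 0.0.0.0/0 entry the caution warns about. The account table, the function names, and the treatment of a prefix length of 0 as "unrestricted" are constructed for this example.

```python
"""Trusted-host evaluation for FortiDDoS-F administrator accounts.

Added example, not Fortinet code. It models the rules this page states:
up to three space-separated trusted entries per account, each a host or
subnet in IPv4 or IPv6 with the mask given as a prefix length or a dotted
mask, and the caution that one unrestricted account forces the device to
accept login attempts from anywhere before any per-user check can run.
The account table below is constructed sample data.
"""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
MAX_TRUSTED = 3  # page: "You can specify up to three trusted areas"


def parse_trusted_hosts(spec: str) -> List[Network]:
    """Parse the space-separated Trusted Hosts field into network objects."""
    entries = spec.split()
    if len(entries) > MAX_TRUSTED:
        raise ValueError(f"at most {MAX_TRUSTED} trusted entries, got {len(entries)}")
    # strict=False tolerates host bits under the mask (192.0.2.2/24) and
    # accepts dotted masks such as 0.0.0.0/0.0.0.0 or 198.51.100.0/255.255.255.0.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_unrestricted(nets: List[Network]) -> bool:
    """True if any entry covers a whole address family (prefix length 0)."""
    return any(n.prefixlen == 0 for n in nets)


def host_allowed(nets: List[Network], src_ip: str) -> bool:
    """True if the source address falls inside any trusted entry of its family."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip.version == n.version and ip in n for n in nets)


def unrestricted_accounts(admins: Dict[str, str]) -> List[str]:
    """Accounts whose trusted hosts leave the management plane open to all."""
    return sorted(name for name, spec in admins.items()
                  if is_unrestricted(parse_trusted_hosts(spec)))


def exposed_to_brute_force(admins: Dict[str, str]) -> bool:
    # Page caution: one unrestricted account means the device must accept
    # attempts on every management interface and can only consult a trusted
    # hosts list after a username has been presented.
    return bool(unrestricted_accounts(admins))


def login_decision(admins: Dict[str, str], user: str, src_ip: str) -> str:
    """Per-user trusted-host check, which runs only once a username arrives."""
    spec = admins.get(user)
    if spec is None:
        return "unknown-user"
    if not host_allowed(parse_trusted_hosts(spec), src_ip):
        return "untrusted-host"
    return "host-ok"


# Constructed sample data using RFC 5737 / RFC 3849 documentation addresses.
SAMPLE_ADMINS: Dict[str, str] = {
    "admin": "192.0.2.2/32 2001:db8:85a3::8a2e:370:7334/128",
    "auditor": "198.51.100.0/255.255.255.0",
    "admin-spp1": "0.0.0.0/0.0.0.0",  # the unrestricted entry the caution warns about
}

if __name__ == "__main__":
    print("unrestricted accounts:", unrestricted_accounts(SAMPLE_ADMINS))
    print("exposed to brute force:", exposed_to_brute_force(SAMPLE_ADMINS))
    for user, ip in (("admin", "192.0.2.2"), ("admin", "203.0.113.5"),
                     ("auditor", "198.51.100.7"), ("nobody", "198.51.100.7")):
        print(f"{user:12} from {ip:16} -> {login_decision(SAMPLE_ADMINS, user, ip)}")
```

Run it against an export of your own account table: exposed_to_brute_force() returning True means the restriction on the other accounts buys little, because the device still has to accept and process every connection before it can reject on trusted hosts.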

Changing user passwords

By default, the admin account has the password fortinet. Set a strong password for the admin account before you expose any management interface to the network, and change the password regularly.

Before you begin:
  • You must have Read-Write permission for System settings.
To change the password:
  1. Go to System > Admin > Administrator.
  2. Click the Change Password icon.
  3. Complete the configuration as described in the table below.
  4. Save the configuration.

Administrator settings page

Password configuration

Settings Guidelines
Old Password Type the current password.
New Password Type a password for the administrator account.

Passwords may have a maximum of 16 characters, may include numbers, upper and lowercase characters, and the following special characters:

_ (underscore), - (hyphen), !, @, #, $, %, ^, &, *
Confirm Password Type the password again to confirm its spelling.

CLI commands:

config system admin
    edit <any-username>
        set password <new-password_str>
    end

Configuring administration settings

Before you begin:
  • You must have Read-Write permission for System settings.
To change the administration settings:
  1. Go to System > Admin > Settings.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

Administration settings page

Administration settings guidelines

Settings Guidelines
Web Administration Ports
HTTP Port HTTP is not supported. Any traffic directed to the HTTP Port set here or to HTTP Port 80 will be redirected to the HTTPS port.
Telnet Port Specify the port for the Telnet service. Usually, Telnet uses port 23. Telnet carries credentials and session contents in cleartext; prefer SSH for remote CLI access.
SSH Port Specify the port for the SSH service. Usually, SSH uses port 22.
Web Administration
Language Language of the web UI.

  • English
  • Simplified Chinese
  • Korean
  • Japanese
  • Spanish
  • Portuguese

Not all listed languages are fully supported in 6.x.x releases. Fuller translations will be added in the future.

Note: This setting does not affect the display of the CLI.
Idle Timeout Number of minutes that a web UI connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). The default is 30 minutes.
Remote Authentication Timeout When using slow servers or authentication proxies, it may be necessary to lengthen the time FortiDDoS waits for a response. Default is 5 seconds with range of 1 – 300 seconds.
Private Data Encryption The FortiDDoS administrator can create a private encryption key to replace the default static key that Fortinet uses to encrypt stored credentials for external services such as RADIUS and the REST API. If the administrator later disables the key, the system re-encrypts those credentials with its default key.

Note: This key is not written to the configuration file.

HA deployments: The private key on the primary and secondary units must be identical. It is not synchronized automatically, so make any change to Private Data Encryption in standalone mode.

To create this key:
  1. Enable Private Data Encryption.
  2. Enter a 32-character hexadecimal value (0-9, a-f) in the Private Data Encryption Key field. Generate it from a cryptographically secure random source (for example, openssl rand -hex 16 produces 32 hexadecimal characters) rather than choosing it by hand.
  3. Save the page.


Login lockout

To protect against intrusion attempts, the system temporarily blocks the source IP of any user who makes five failed login attempts. The login page displays 'IP has been blocked'. The user can try to log in again after a few minutes.
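An added example, not Fortinet code, that models the lockout behaviour described above so it can be reasoned about and tested: five failures from one source IP block that IP for a period. The threshold of five matches the page; the block duration of five minutes, counting per source IP rather than per user, and resetting the counter on a successful login are assumptions of this model. The clock is injected so the expiry can be exercised without waiting.

```python
"""Source-IP lockout after repeated failed logins, as described on this page.

Added example, not Fortinet code. FAIL_THRESHOLD follows the page; the block
duration, per-IP counting and reset-on-success are assumptions of the model.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

FAIL_THRESHOLD = 5        # page: five failed login attempts
BLOCK_SECONDS = 5 * 60    # assumption: "a few minutes"


class LoginLockout:
    def __init__(self, threshold: int = FAIL_THRESHOLD, block_seconds: int = BLOCK_SECONDS) -> None:
        self.threshold = threshold
        self.block_seconds = block_seconds
        self._failures: Dict[str, int] = defaultdict(int)  # src_ip -> consecutive failures
        self._blocked_until: Dict[str, float] = {}         # src_ip -> unblock time (seconds)

    def is_blocked(self, src_ip: str, now: float) -> bool:
        until = self._blocked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:
            # Block expired: forget it and start a fresh failure count.
            del self._blocked_until[src_ip]
            self._failures.pop(src_ip, None)
            return False
        return True

    def attempt(self, src_ip: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt: 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(src_ip, now):
            return "blocked"            # page: login page shows 'IP has been blocked'
        if password_ok:
            self._failures.pop(src_ip, None)  # assumption: success resets the count
            return "ok"
        self._failures[src_ip] += 1
        if self._failures[src_ip] >= self.threshold:
            self._blocked_until[src_ip] = now + self.block_seconds
        return "failed"


def simulate_brute_force(attempts: int = 7) -> Tuple[List[str], str, str]:
    """Constructed scenario: one attacker IP guesses wrong repeatedly, a
    legitimate administrator logs in from another IP meanwhile, and the
    attacker IP is tried again after the block has expired."""
    lock = LoginLockout()
    outcomes = [lock.attempt("203.0.113.9", False, now=t) for t in range(attempts)]
    admin_other_ip = lock.attempt("192.0.2.2", True, now=attempts)
    after_expiry = lock.attempt("203.0.113.9", True, now=attempts + BLOCK_SECONDS)
    return outcomes, admin_other_ip, after_expiry


if __name__ == "__main__":
    outcomes, other, later = simulate_brute_force()
    print("attacker outcomes:", outcomes)
    print("admin from another IP:", other)
    print("attacker IP after expiry:", later)
```

Because the block is keyed on the source IP, an attacker sharing a NAT address with an administrator can lock that administrator out by failing five times; restricting trusted hosts on every account, as described earlier on this page, limits who can reach the login prompt in the first place.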
