Managing administrator users

This topic includes the following information:

• Administrator user overview
• Configuring access profiles
• Creating administrator users
• Changing user passwords
• Configuring administration settings
• Login lockout

Administrator user overview

In its factory default configuration, FortiDDoS-F has one administrator account named admin. This administrator has permissions that grant Read-Write access to all system functions.

Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin account is similar to a root administrator account. This account always has full permission to view and change all system configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.

To prevent accidental changes to the configuration, it is best if only network administrators—and if possible, only a single person—use the admin account. You can use the admin account to configure more administrator accounts for other people. Accounts can be made with different scopes of access. You can associate each of these accounts with either all SPPs or a single SPP, and you can specify the type of profile settings that each account can access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so with access profiles. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

Basic steps

1. Configure profiles to provision permissions to roles.
2. Optional. Create RADIUS or LDAP server configurations if you want to use a RADIUS or LDAP server to authenticate administrators. Otherwise, you can use local authentication.
3. Create administrator user accounts with permissions provisioned by the profiles.

Configuring access profiles

Access profiles provision permissions to roles. The following permissions can be assigned:

• Read (view access)
• Read-Write (view, change, and execute access)
• No access

When a profile includes only read access to a category, the user can access the web UI page for that category, and can use the get and show CLI command for that category, but cannot make changes to the configuration.

When a profile includes no categories with read-write permissions, the user can log into the web UI but not the CLI.

In larger companies where multiple administrators share the workload, access profiles often reflect the specific job that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).

The table below lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).

For complete access to all commands and abilities, you must log in with the administrator account named admin.

Areas of control in access profiles

Web UI Menus	CLI Commands
System	config system ... show full-configuration diagnose ... execute ...
Global Settings	config ddos global ...
Protection Profiles	config spp ...
Monitor	get system status get system performance show system status show system performance show full-configuration
Log & Report	config log ... config system

* For each config command, there is an equivalent get/show command, unless otherwise noted. config commands require write permission. get/show commands require read permission.

Before you begin:

• You must have Read-Write permission for System settings.

To configure administrator profiles:

1. Go to System > Admin > Access Profile.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in the table below.
4. Save the configuration.

Settings	Guidelines
Profile name	Unique name. No spaces or special characters.
Access Control	None—Do not provision access for the menu. Read Only—Provision ready-only access. Read-Write—Enable the role to make changes to the configuration.

The super_admin_prof access profile, a special access profile assigned to the admin account and required by it, appears in the list of access profiles. It exists by default and cannot be changed or deleted. The profile has permissions similar to the UNIX root account.

Creating administrator users

We recommend that only network administrators—and if possible, only a single person—use the admin account. You can configure accounts that provision different scopes of access. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

Before you begin:

• You must have Read-Write permission for System settings.

To create administrator users:

1. Go to System > Admin > Administrator.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in the table below.
4. Save the configuration.

Administrator user configuration page

Administrator user configuration guidelines

Settings	Guidelines
Name	Name of an administrator account, such as admin1 or admin@example.com, used to login to the system. Do not use spaces. Only the following special characters are allowed: _ . - @ The maximum name length is 35 characters. Names longer than 35 characters are automatically truncated to 35 characters. Note: This is the user name that an administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS or Active Directory, the user name must be configured on the system.
System Admin	If the user is regarded as a System Administrator with access to all SPPs, select Yes or else click No.
Allow API Access	This option will only display if the user is a 'System Admin'. The option allows users to authenticate REST API instructions sent to FortiDDoS. For example, to access Security Fabric information from FortiOS on FortiGate, a matching user/password must exist in both FortiDDoS and FortiGate Security Fabric access.
SPP Admin	Yes—Administrator for all SPPs. No—Administrator for selected SPPs only. You must have SPPs configured before you can make this selection.
SPP Policy Group	If the user is not a System or SPP Admin, select the SPP Policy Group from the drop-down. You must have SPP Polices (subnets) and SPP Policy Groups configured before you can make this selection.
Service Protection Profile	If the user is an SPP Admin, select the SPP profile that the SPP Admin manages.
Strategy	Local—Use the local authentication server. When you use the local authentication server, you also configure a password. LDAP—Authenticate against an LDAP server. When you use LDAP, you do not configure a password. The system authenticates against the username and password stored in the LDAP server. RADIUS—Authenticate against a RADIUS server. When you use RADIUS, you do not configure a password. The system authenticates against the username and password stored in the RADIUS server. TACACS+—Authenticate against a TACACS+ server. When you use TACACS+, you do not configure a password. The system authenticates against the username and password stored in the TACACS+ server.
Admin Profile	Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords. Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.
Password	Type a password for the administrator account. Passwords may have a maximum of 16 characters, may include numbers, upper and lowercase characters, and the following special characters: % ^ & ! @ # $ * _ - < > ( ) = | : ; , / ? Notes: “ ? ” is not allowed as a special character in the CLI so “?” should not be used for passwords that may be needed for CLI access. “ \ ” is not allowed as a special character
Confirm Password	Type the password again to confirm its spelling.
Trusted Hosts	Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture. Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify. Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network. If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal. To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:192.0.2.2/322001:0db8:85a3:::8a2e:0370:7334/128 To allow login attempts from any IP address (not recommended), enter:0.0.0.0/0.0.0.0. Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list. Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area. Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

CLI commands: config system admin edit admin set access-profile super_admin_prof next edit admin-spp1 set is-system-admin no set domain SPP-1 set password ENC $1$0b721b38$vk7GoO147JXXqy5B3ag8z/ set access-profile admin end

Changing user passwords

By default, this administrator account has the password fortinet. When logging in for the first time, you will be required to change the password before proceeding. Set a strong password for the admin administrator account. Change the password regularly.

Before you begin:

• You must have Read-Write permission for System settings.

To change your own password:

1. Navigate to the Administrative User drop-down menu at the top right of the Web UI (displaying yoru login username).
2. Click Change Password.
3. Complete the Old (current) Password, New Password, and Confirm Password fields.
4. Click OK.

To change passwords:

1. Go to System > Admin > Administrator.
2. Click Change Password icon.
3. Complete the configuration as described in the table below.
4. Save the configuration.

Note: Only users with Profile “super_admin_prof” can change the password for the admin (globaladmin) user.

Settings	Guidelines
Old Password	Type the current password.
New Password	Type a password for the administrator account. Passwords may have a maximum of 16 characters, may include numbers, upper and lowercase characters, and the following special characters: _ (underscore), - (hyphen), !, @, #, $, %, ^, &, *
Confirm Password	Type the password again to confirm its spelling.

CLI commands: config system admin edit <any-username> set password <new-password_str> end

Configuring administration settings

Before you begin:

• You must have Read-Write permission for System settings.

To change the administration settings:

1. Go to System > Admin > Settings.
2. Complete the configuration as described in the table below.
3. Save the configuration.

Settings	Guidelines
Hostname	1-35 characters. a-Z, 0-9, “-“, “_” only
Web Administration Ports
HTTP Port	HTTP is not supported. Any traffic directed to the HTTP Port set here or to HTTP Port 80 will be redirected to the HTTPS port.
Telnet Port	Specify the port for the Telnet service. Usually, Telnet uses port 23.
SSH Port	Specify the port for the SSH service. Usually, SSH uses port 22.
Web Administration
Language	Language of the web UI. English Simplified Chinese Korean Japanese Spanish Portuguese List of languages are not fully supported in 6.x.x. Fuller translations will be added in the future. Note: This setting does not affect the display of the CLI.
Idle Timeout	Number of minutes that a web UI connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). The default is 30 minutes.
Remote Authentication Timeout	When using slow servers or authentication proxies, it may be necessary to lengthen the time FortiDDoS waits for a response. Default is 5 seconds with range of 1 – 300 seconds.
Private Data Encryption	The FortiDDoS Administrator can create a private encryption Key to replace the default static key used by Fortinet for external API credentials like RADIUS and REST API. If after creating and using the Key, the Administrator disables it, the system will re-encrypt credentials with its default key. Note: This key will not be seen in the Configuration File. HA Deployments: Private Key on Primary and Secondary should be exactly same. It will not be synced automatically. Any Changes to Private Key Encryption should be done in standalone mode. To create this key: Enable Private Data Encryption Enter a 32-character hexadecimal number (0-9, a-f?) in the Private Data Encryption Key field Save the page

Login lockout

To protect from intrusion attempts, the system temporarily blocks the Source IP of any user who makes five failed login attempts. The login page will display 'IP has been blocked'. The user may try to login again in few minutes.