Managing administrator users

This topic includes the following information:

• Administrator user overview
• Configuring access profiles
• Creating administrator users
• Changing user passwords
• Configuring administration settings
• Login lockout

Administrator user overview

In its factory default configuration, FortiDDoS-F has one administrator account named admin (globaladmin). This administrator has permissions that grant Read-Write access to all system functions. Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. This account must have a local password. Protect this password as replacing a lost admin password may require factory resetting the entire system. The admin account is similar to a root administrator account. This account always has full permission to view and change all system configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. The admin account is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password. This can only be done via CLI, not GUI which requires the old password.

To prevent accidental changes to the configuration, it is best if only network administrators—and if possible, only a single person—use the admin account. You can use the admin account to configure more administrator accounts for other people. Accounts can be made with different scopes of access. You can specify the type of profile settings that each account can access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so with access profiles. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

Basic steps

1. Configure profiles to provision permissions to roles.
2. Optional. Create RADIUS or LDAP server configurations if you want to use a RADIUS or LDAP server to authenticate administrators. Otherwise, you can use local authentication.
3. Create administrator user accounts with permissions provisioned by the profiles.

Configuring access profiles

FortiDDoS divides its GUI into five sections:

• Dashboard, FortiView, System and Network

• Global Protection (Global settings)

• Service Protection (Mitigation features and Thresholds)

• Monitor (Graphs)

• Log & Report

Access profiles define user permissions for each section. The following permissions can be assigned:

• Read (view access)
• Read-Write (view, change, and execute access)
• No access

When a profile includes only read access to a category, the user can access the web UI page for that category, and can use the get and show CLI command for that category, but cannot make changes to the configuration.

When a profile includes no categories with read-write permissions, the user can log into the web UI but not the CLI. In larger companies where multiple administrators share the workload, access profiles often reflect the specific job that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).

Access Profile settings affect the users ability to interact not only with the GUI/CLI but specific permissions for working with its own and other user credentials. The table below details how different Access Profiles affect this:

Admin Class	Profile	Permissions
admin(globaladmin) (default system created admin user) with Access Profile = super_admin_prof	Full read/write	Cannot be deleted. Can create and delete other users. Can create and change access profiles for other users. Can change own (globaladmin) password via GUI/CLI. Can change password for other users (with former password) via GUI/CLI. Can change password for other users without former password via CLI. Allowed to create shell access. WARNING: if this password is lost, TFTP configuration upload may be required which deletes all system historical graphs and logs. Fortinet strongly recommends at least one other “superadmin” profile which can be used to reset the admin(globaladmin) password in an emergency (with an edited system configuration file – see FortiCare for information).
superadmin Any added user with Access Profile = super_admin_prof	Full read/write	Can be deleted. Can create new and delete existing users. Can create and change access profiles for other users. Can change its own password via GUI/CLI. Can change password for other users (with former password) via GUI/CLI. Can replace passwords for other users (without former password) via CLI Allowed to set shell access. Cannot change/replace globaladmin password. NOTE: Can restore and edited configuration file to blank the globadmin password in an emergency – see FortiCare for information
Full Read Write Any added user with an Access Profile having full Read/Write access of all categories.	Full read/write	Can be deleted. Cannot add/delete/change users or access profiles. Can change its own password via GUI or CLI. Can change password for other users (with former password) via GUI/CLI. Allowed to set shell access.
Others	Any combination of none/read/write	Can be deleted. Can change its own password via GUI. Cannot access CLI. Cannot access shell. Cannot add/change/delete other users, Profiles or passwords.

The table below lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).

For complete access to all commands and abilities, you must log in with the administrator account named admin.

Areas of control in access profiles

Web UI Menus	CLI Commands
System	config system ... show full-configuration diagnose ... execute ...
Global Settings	config ddos global ...
Protection Profiles	config spp ...
Monitor	get system status get system performance show system status show system performance show full-configuration
Log & Report	config log ... config system

* For each config command, there is an equivalent get/show command, unless otherwise noted. config commands require write permission. get/show commands require read permission.

Before you begin:

• You must have Read-Write permission for System settings.

To configure administrator profiles:

1. Go to System > Admin > Access Profile.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in the table below.
4. Save the configuration.

Settings	Guidelines
Profile name	Unique name. No spaces or special characters.
Access Control	None—Do not provision access for the menu. Read Only—Provision ready-only access. Read-Write—Enable the role to make changes to the configuration.

The super_admin_prof access profile, a special access profile assigned to the admin account and required by it, appears in the list of access profiles. It exists by default and cannot be changed or deleted. The profile has permissions similar to the UNIX root account.

Creating administrator users

We recommend that only network administrators—and if possible, only a single person—use the admin account. You can configure accounts that provision different scopes of access. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.

Before you begin:

• You must have Read-Write permission for System settings.

To create administrator users:

1. Go to System > Admin > Administrator.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in the table below.
4. Save the configuration.

Administrator user configuration page

Administrator user configuration guidelines

Settings	Guidelines
Name	Name of an administrator account, such as admin1 or admin@example.com, used to login to the system. Do not use spaces. Only the following special characters are allowed: _ . - @ The maximum name length is 35 characters. Names longer than 35 characters are automatically truncated to 35 characters with no warning. Note: This is the username that an administrator must provide when logging in to the CLI or web UI. If using an external authentication server such as RADIUS, or TACACS+, the username and Administrator settings are not required. For Active Directory / LDAP only password authentication is available, so local username, Admin Profile and Trusted Hosts (optional) must be configured on the system.
Strategy	Local—Uses the FortiDDoS internal authentication server. When you use the local authentication, you must also configure a password. LDAP—Authenticate against an LDAP server. When you use LDAP, you do not configure a password. The system authenticates against the username and password stored in the LDAP server. You must configure Admin Profile and Trusted Hosts (optional) on FortiDDoS. RADIUS—Authenticate against a RADIUS server. When you use RADIUS, you have two options: Do not configure a local password. The system authenticates against the username and password stored in the RADIUS server. Local Name, Admin Profile and Trusted Hosts (optional) are still required. Do not configure any local Administrator settings, using Fortinet VSAs to provide additional authentication. See Configuring RADIUS authentication. When using RADIUS with VSAs for Admin Profile and Trusted Hosts (optional) you do not need to configure Name, Password Admin Profile or Trusted Hosts on FortiDDoS. TACACS+—Authenticate against a TACACS+ server. When you use TACACS+, you have two options: Do not configure a local password. The system authenticates against the username and password stored in the TACACS+ server. You can also use TACACS+ with no local settings, using Shell Profiles and Custom Attributes to provide additional authentication. In that case no local settings for Name, Password Admin Profile or Trusted Hosts on FortiDDoS are required.
Admin Profile	Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords. Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.
Password	Type a password for the administrator account. Passwords may have a maximum of 16 characters, may include numbers, upper and lowercase characters, and the following special characters: % ^ & ! @ # $ * _ - < > ( ) = | : ; , / ? Notes: “ ? ” is not allowed as a special character in the CLI so “?” should not be used for passwords that may be needed for CLI access. “ \ ” is not allowed as a special character
Confirm Password	Type the password again to confirm its spelling.
Trusted Hosts	The Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted subnets, separated by spaces. They can be mixed IPv4 /32 or IPv6 /128 or larger subnets. Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify. Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the GUI CLI console widget. Local physical console port access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network. If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal. To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:192.0.2.2/322001:0db8:85a3:::8a2e:0370:7334/128 To allow login attempts from any IP address (not recommended), enter: 0.0.0.0/0 ::/0 (default). Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list. Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area. Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

CLI commands: config system admin edit <username> set access-profile <access profile> (Note, pre-configured before adding to user account) set password <password> set trusted-hosts <IP/netmask IP/netmask etc.> set auth-strategy <local | radius | ldap | TACACS+ > (Case-sensitive; note capitalization above) end

Changing user passwords

By default, the admin (globaladmin) account has the password fortinet. When logging in for the first time, you will be required to change the password before proceeding. Set a strong password for the admin administrator account. Change the password regularly. Keep the password in a safe place because if lost, the recovery process may require significant effort.

Note 1: Only the admin (globaladmin) user is allowed to delete users. Non-admin users may be able to add users and change passwords provided they know the original password.

Note 2: Typically, the old password is required in order to change passwords even for oneself. However, the admin (globaladmin) user can change passwords via CLI without the original password. Please see below. Non-admin users are required to supply the old password via CLI as well.

Before you begin:

• You must have Read-Write permission for System settings.

To change your own password:

1. Navigate to the Administrative User drop-down menu at the top right of the Web UI (displaying yoru login username).
2. Click Change Password.
3. Complete the Old (current) Password, New Password, and Confirm Password fields.
4. Click OK.

To change passwords:

1. Go to System > Admin > Administrator.
2. Click Change Password icon.
3. Complete the configuration as described in the table below.
4. Save the configuration.

Note: Only users with Profile “super_admin_prof” can change the password for the admin (globaladmin) user.

Settings	Guidelines
Old Password	Type the current password.
New Password	Type a password for the administrator account. Passwords may have a maximum of 16 characters, may include numbers, upper and lowercase characters, and the following special characters: % ^ & ! @ # $ * _ - < > ( ) = | : ; , / ?
Confirm Password	Type the password again to confirm its spelling.

CLI commands: config system admin edit <any-username> set password <new-password_str> current password for <any-username>: This validation will not be requested for admin (globaladmin) end

Configuring administration settings

Before you begin:

• You must have Read-Write permission for System settings.

To change the administration settings:

1. Go to System > Admin > Settings.
2. Complete the configuration as described in the table below.
3. Save the configuration.

Settings	Guidelines
Hostname	1-35 characters. a-Z, 0-9, “-“, “_” only
Web Administration Ports
HTTP Port	HTTP is not supported. Any traffic directed to the HTTP Port set here or to HTTP Port 80 will be redirected to the HTTPS port.
Telnet Port	Specify the port for the Telnet service. Usually, Telnet uses port 23.
SSH Port	Specify the port for the SSH service. Usually, SSH uses port 22.
Web Administration
Language	Language of the web UI. English Simplified Chinese Korean Japanese Spanish Portuguese List of languages are not fully supported in 6.x.x. Fuller translations will be added in the future. Note: This setting does not affect the display of the CLI.
Idle Timeout	Number of minutes that a web UI connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). The default is 30 minutes.
Remote Authentication Timeout	When using slow servers or authentication proxies, it may be necessary to lengthen the time FortiDDoS waits for a response. Default is 5 seconds with range of 1 – 300 seconds.
Private Data Encryption	The FortiDDoS Administrator can create a private encryption Key to replace the default static key used by Fortinet for external API credentials like RADIUS and REST API. If after creating and using the Key, the Administrator disables it, the system will re-encrypt credentials with its default key. Note: This key will not be seen in the Configuration File. HA Deployments: Private Key on Primary and Secondary should be exactly same. It will not be synced automatically. Any Changes to Private Key Encryption should be done in standalone mode. To create this key: Enable Private Data Encryption Enter a 32-character hexadecimal number (0-9, a-f?) in the Private Data Encryption Key field Save the page
TLS Versions	All Transport Layer Security (TLS) versions are allowed by default. Disable TLS versions 1.1, 1.2, or 1.3 if you want to prevent users from accessing Mgmt ports using any of these TLS versions.

Login lockout

To protect from intrusion attempts, the system temporarily blocks the Source IP of any user who makes five failed login attempts. The login page will display 'IP has been blocked'. The user may try to login again in few minutes.