
Handbook

6.0.0

Administrators

By default, the FortiGate has a super administrator account, called admin, which can't be deleted. Additional administrators can be added for various functions, each with a unique user name, password, and set of access privileges.

The following sections explain how to add and secure administrative access to a FortiGate:

Administrator profiles

Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile dictating what the administrator sees. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much, or as little, as required.

super_admin profile

This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile can't be deleted or modified.

note icon Lower-level administrator profiles can't back up or restore the FortiOS configuration.

The super_admin profile is used by the default admin account. We recommend that you add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required. For more information, see Adding a local administrator.

Creating profiles

To configure administrator profiles, go to System > Admin Profiles and select Create New.

On the New Admin Profile page, select the access permissions for the admin profile you are creating. For example, you can configure a profile so that the administrator can only read/write Firewall configuration, which includes firewall policies, addresses, services, schedules, packet capture, and some other parts of the FortiGate configuration. Any other aspects of the FortiGate configuration, including VPNs and security profiles, would be hidden from this administrator.

Access control can also be set to Custom for some features. This allows for more granular control of administrator access. Using the Firewall example, you can set access to Custom and then select separate Read/Write privileges for Policy, Address, Service, and Schedule.

Administrator timeout override per access profile

You can configure an administrator profile to raise the inactivity timeout, for example for a GUI session that is kept open for central monitoring. The global admintimeout value (config system global) is overridden per access profile under config system accprofile.

Because the override is set per profile, the longer timeout applies only to administrators assigned that profile instead of being raised globally for every account. A value of 0 disables the timeout entirely; keep such overrides on a dedicated monitoring profile rather than on profiles with write access.

CLI Syntax - Configure admin timeout

config system accprofile
    edit <name>
        set admintimeout-override {enable | disable}
        set admintimeout <0-480>    (minutes; default = 10, 0 = unlimited)
    next
end

Adding a local administrator

Only administrators with read-write privileges for User & Device can create a new administrator account.

To add an administrator - GUI
  1. Go to System > Administrators.
  2. Select Create New > Administrator.
  3. Add a Username for the administrator.
  note icon Don't include the characters <>()#"' in the administrator's name. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability.
  4. Set Type to Local User.
  5. Enter the Password for the user. This may be a temporary password that the administrator can change later. Passwords can be up to 256 characters in length.
  6. Determine if you need to enable security options: SMS, Two-factor Authentication, Restrict login to trusted hosts, Restrict admin to guest account provisioning only.
  7. Select OK.
note icon Guest management administrators can be configured through the GUI.
To add an administrator - CLI

config system admin
    edit <admin_name>
        set password <password>
        set accprofile <profile_name>
        set guest-auth {enable | disable}
        set user-groups <group-name>
    next
end

The CLI command set user-groups can only be used when guest-auth is set to enable.

To add an SMS service - CLI

If you plan on sending SMS notifications to administrators, you can use the following command to add an email-to-SMS gateway to your FortiGate. The mail-server value is the provider's email-to-SMS mail domain, not the name you give the entry.

config system sms-server
    edit <sms-server-name>
        set mail-server <email-to-sms-domain>
    next
end

LDAP authentication for administrators

Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.

To do this, you must follow these three steps:

  • configure the LDAP server
  • add the LDAP server to a user group
  • configure the administrator account

Configure the LDAP server

First set up the LDAP server as you normally would, and include a group to bind to.

To configure the LDAP server - GUI
  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter a Name for the server.
  3. Enter the Server IP address or name.
  4. Enter the Common Name Identifier and Distinguished Name.
  5. Set the Bind Type to Regular and enter the Username and Password.
  6. Select OK.
To configure the LDAP server - CLI

config user ldap
    edit <ldap_server_name>
        set server <server_ip>
        set cnid cn
        set dn DC=XYZ,DC=COM
        set type regular
        set username CN=Administrator,CN=Users,DC=XYZ,DC=COM
        set password <password>
        set member-attr <member_attribute>
    next
end

The member-attr value is the LDAP attribute that lists a user's group memberships (memberOf on Active Directory); it is what the user group created in the next step matches against. The bind account (username) only needs read access to the directory, and its password is stored on the FortiGate, so use a dedicated low-privilege read-only account rather than the domain Administrator shown in the example.

Add the LDAP server to a user group

Next, create a user group that will include the LDAP server that was created above.

To create a user group - GUI
  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. In the section labeled Remote groups, select Create New.
  4. Select the Remote Server from the drop-down list.
  5. Select OK.
To create a user group - CLI

config user group
    edit <group_name>
        config match
            edit 1
                set server-name <LDAP_server>
                set group-name <ldap_group_dn>
            next
        end
    next
end

Configure the administrator account

Now you can create a new administrator, where rather than entering a password, you will use the new user group and the wildcard option for authentication.

To create an administrator - GUI
  1. Go to System > Administrators and select Create New.
  2. In the Administrator field, enter the name for the administrator.
  3. For Type, select Match a user on a remote server group.
  4. Select the User Group created above from the drop-down list.
  5. Select Wildcard. The Wildcard option allows for LDAP users to connect as this administrator.
  6. Select an Admin Profile.
  7. Select OK.
To create an administrator - CLI

config system admin
    edit <admin_name>
        set remote-auth enable
        set accprofile <profile_name>
        set wildcard enable
        set remote-group <group_name>
    next
end

Because Wildcard lets any user that the remote group accepts log in as this administrator, every member of the LDAP group receives the assigned profile. Give the account the least-privileged profile that fits the group's job; assigning super_admin hands full control of the FortiGate to the whole group.

Other methods of administrator authentication

Admin accounts can use a variety of methods for authentication, including RADIUS, TACACS+, and PKI.

RADIUS authentication for administrators

If you want to use a RADIUS server to authenticate administrators, you must:

  • configure the FortiGate to access the RADIUS server
  • create the RADIUS user group
  • configure an administrator to authenticate with a RADIUS server.

TACACS+ authentication for administrators

If you want to use a TACACS+ server to authenticate administrators, you must:

  • configure the FortiGate to access the TACACS+ server
  • create a TACACS+ user group
  • configure an administrator to authenticate with a TACACS+ server.

PKI certificate authentication for administrators

To use PKI authentication for an administrator, you must:

  • configure a PKI user
  • create a PKI user group
  • configure an administrator to authenticate with a PKI certificate.

Administrator lockout

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

To configure the lockout options:

config system global
    set admin-lockout-threshold <failed_attempts>
    set admin-lockout-duration <seconds>
end

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The admin-lockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

Example:

To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

config system global
    set admin-lockout-threshold 1
    set admin-lockout-duration 300
end

note icon The threshold counts failed attempts that fall within one admin-lockout-duration window: if the admin-lockout-threshold-th failed login attempt arrives less than admin-lockout-duration seconds after the first failed attempt, the lockout is triggered. Failed attempts spread over a longer span than that don't trigger it, so a slow, patient guesser is limited by the password strength rather than by the lockout.

Monitoring administrators

You can view the administrators currently logged in using the System Information widget on the Dashboard. The Current Administrator row shows the administrator who is logged in and the total number of administrators logged in. Selecting Details lists each administrator, where they are logging in from, how (CLI, GUI), and when they logged in.

You are also able to monitor the activities the administrators perform on the FortiGate using the event logging. Event logs include a number of options to track configuration changes.

To set logging - GUI
  1. Go to Log & Report > Log Settings.
  2. Under Event Logging, select Customize and ensure System activity event is selected.
  3. Select Apply.
To set logging - CLI

config log eventfilter
    set event enable
    set system enable
end

To view the logs go to Log & Report > System Events.
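
The event logs described above are only useful if something reads them, and the lockout note above gives a rule that is easy to mis-model. The following added example (written for this page, not FortiOS code) parses FortiGate-style key=value event-log lines, groups failed administrator logins by account and source address, replays the page's lockout rule over each group to show which would have tripped admin-lockout-threshold within admin-lockout-duration, and flags successful logins by the default admin account. The log lines are constructed for the demonstration; the field names follow the FortiGate key=value format, but the logid values are placeholders rather than verified FortiOS log IDs, and the function names are the example's own.

```python
"""Replay FortiGate admin-login event logs and flag brute-force activity.

Added example, not from the FortiOS handbook. The log lines below are
constructed for this demonstration: field names follow FortiGate's
key=value event-log format, the logid values are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample event log (not captured from a real device).
SAMPLE_LOGS = """\
date=2024-03-01 time=09:00:01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" action="login" status="failed" reason="name_invalid"
date=2024-03-01 time=09:00:07 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" action="login" status="failed" reason="name_invalid"
date=2024-03-01 time=09:00:12 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" action="login" status="failed" reason="name_invalid"
date=2024-03-01 time=09:10:00 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="ops" ui="ssh(10.0.0.5)" action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=09:12:00 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="ops" ui="ssh(10.0.0.5)" action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=09:14:00 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="ops" ui="ssh(10.0.0.5)" action="login" status="failed" reason="passwd_invalid"
date=2024-03-01 time=09:15:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="ops" ui="ssh(10.0.0.5)" action="login" status="success"
date=2024-03-01 time=09:30:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="ssh(10.0.0.5)" action="login" status="success"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_RE = re.compile(r"^(\w+)\((.+)\)$")


def parse_log_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    rec = {}
    for key, val in FIELD_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def event_time(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def source_of(rec):
    """Return (access method, source ip) from a ui field such as https(203.0.113.9)."""
    m = UI_RE.match(rec.get("ui", ""))
    if m:
        return m.group(1), m.group(2)
    return rec.get("ui", "?"), rec.get("srcip", "?")


def lockout_time(failure_times, threshold=3, duration=60):
    """Apply the handbook's rule: the lockout fires when the threshold-th
    failed attempt arrives less than `duration` seconds after the first
    failed attempt of the current run. A failure arriving `duration` seconds
    or more after the run started begins a new run. Returns the time of the
    triggering failure, or None if no lockout would occur."""
    run_start, count = None, 0
    for t in sorted(failure_times):
        if run_start is None or (t - run_start).total_seconds() >= duration:
            run_start, count = t, 1
        else:
            count += 1
        if count >= threshold:
            return t
    return None


def audit_admin_logins(lines, threshold=3, duration=60):
    """Group failed admin logins by (user, source ip), decide which groups
    would have tripped the lockout, and list successful logins by the
    default 'admin' account, which the handbook says to rename."""
    failures = defaultdict(list)
    default_admin_logins = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("action") != "login":
            continue
        method, ip = source_of(rec)
        when = event_time(rec)
        if rec.get("status") == "failed":
            failures[(rec.get("user"), ip)].append(when)
        elif rec.get("status") == "success" and rec.get("user") == "admin":
            default_admin_logins.append((when, method, ip))
    lockouts = {key: lockout_time(times, threshold, duration)
                for key, times in failures.items()}
    return {"failures": dict(failures), "lockouts": lockouts,
            "default_admin_logins": default_admin_logins}


if __name__ == "__main__":
    report = audit_admin_logins(SAMPLE_LOGS.splitlines())
    for (user, ip), when in report["lockouts"].items():
        n = len(report["failures"][(user, ip)])
        verdict = f"lockout at {when:%H:%M:%S}" if when else "no lockout (attempts too far apart)"
        print(f"{user} from {ip}: {n} failed logins -> {verdict}")
    for when, method, ip in report["default_admin_logins"]:
        print(f"default 'admin' account logged in via {method} from {ip} at {when:%H:%M:%S}")
```

Feed it lines exported from the System Events log or from syslog. The ops account in the sample shows the edge case from the lockout note: three failures spaced two minutes apart never accumulate inside the default 60-second duration, so the FortiGate would not have locked the account and only the password strength stood in the way; the admin account's three failures within eleven seconds do trip it. The last line, a successful login by the default admin account, is worth an alert on its own once that account has been renamed.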

Management access

Management access defines how administrators are able to log on to the FortiGate. In NAT mode, access is configured for each of the FortiGate's interfaces, using the interface's IP to connect. In transparent mode, a single management IP address is configured to allow access.

Management access can be via HTTP, HTTPS, Telnet, or SSH sessions. Use HTTPS and SSH: HTTP and Telnet carry credentials and configuration in cleartext. The management computer must connect to an interface that permits management access and must be able to reach that interface's IP address. If you are using VDOMs, an administrator who is restricted to a specific VDOM must use a computer that connects to an interface on that VDOM.

You can allow remote administration of the FortiGate; however, it is not recommended, since it could compromise the security of the FortiGate. If you require remote administration, the following precautions can be taken to improve the security of a FortiGate:

  • Use secure administrator passwords.
  • Change these passwords regularly.
  • Enable two-factor authentication for administrators.
  • Enable secure administrative access to this interface using only HTTPS or SSH.
  • Use Trusted Hosts to limit where the remote access can originate from.
  • Don't raise the system idle timeout (admintimeout under config system global) above its default value of 5 minutes.
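
To turn the precautions above into something checkable, the following added example (written for this page, not FortiOS code) parses a FortiOS configuration dump and reports where it departs from this page's recommendations: cleartext HTTP or Telnet management on an interface, administrators with no trusted hosts (see Restrict logins from trusted hosts below), concurrent sessions still allowed (see Prevent concurrent administrator sessions below), a raised lockout threshold, HTTP-to-HTTPS redirect turned off, and the default admin account still in place. The sample config is constructed with weak settings on purpose. A backup only lists non-default values, so missing keys are read as the defaults this page states (concurrent sessions allowed, lockout threshold 3); the example additionally assumes admin-https-redirect defaults to enable, so only an explicit disable is reported. Function names and the <mgmt-host> placeholder in the fixes are the example's own.

```python
"""Audit a FortiOS config dump against this page's management-access advice.

Added example, not FortiOS code. SAMPLE_CONFIG is constructed for the
demonstration. A backup omits settings left at their defaults, so missing
keys are read as the defaults the handbook states (concurrent sessions
allowed, admin-lockout-threshold 3); admin-https-redirect is assumed to
default to enable, so only an explicit disable is reported.
"""
import shlex

SAMPLE_CONFIG = """\
config system global
    set admin-concurrent enable
    set admin-https-redirect disable
end
config system interface
    edit "port1"
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set allowaccess https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "prof_admin"
        set trustedhost1 10.0.0.0 255.255.255.0
    next
end
"""

EMPTY = {"set": {}, "children": {}}


def parse_fortios_config(text):
    """Parse FortiOS CLI config text into nested nodes of the form
    {"set": {key: [values]}, "children": {name: node}}. 'config a b' and
    'edit x' open a child node; 'next' and 'end' close it; '#' lines are skipped."""
    root = {"set": {}, "children": {}}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens or tokens[0].startswith("#"):
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            node = {"set": {}, "children": {}}
            stack[-1]["children"][" ".join(args)] = node
            stack.append(node)
        elif kw == "set":
            stack[-1]["set"][args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def node_at(cfg, *path):
    """Walk config/edit names; an absent path yields an empty node."""
    for name in path:
        cfg = cfg["children"].get(name, EMPTY)
    return cfg


def audit_management_access(cfg):
    """Return (location, problem, fix) triples; an empty list means clean."""
    findings = []
    glob = node_at(cfg, "system global")["set"]

    def setting(key, default):
        return glob.get(key, [default])[0]

    if setting("admin-concurrent", "enable") == "enable":
        findings.append(("system global", "concurrent sessions per account allowed", "set admin-concurrent disable"))
    if int(setting("admin-lockout-threshold", "3")) > 3:
        findings.append(("system global", "lockout threshold raised above 3", "set admin-lockout-threshold 3"))
    if setting("admin-https-redirect", "enable") == "disable":
        findings.append(("system global", "HTTP not redirected to HTTPS", "set admin-https-redirect enable"))
    for name, iface in node_at(cfg, "system interface")["children"].items():
        access = iface["set"].get("allowaccess", [])
        clear = sorted({"http", "telnet"} & set(access))
        if clear:  # cleartext management: drop it, keep the rest of the list
            keep = " ".join(p for p in access if p not in clear)
            findings.append((f"interface {name}", f"cleartext management ({', '.join(clear)})", f"set allowaccess {keep}"))
    for name, adm in node_at(cfg, "system admin")["children"].items():
        hosts = [v for k, v in adm["set"].items() if k.startswith("trustedhost")]
        if not hosts or all(v == ["0.0.0.0", "0.0.0.0"] for v in hosts):
            findings.append((f"admin {name}", "no trusted hosts: login accepted from any address",
                             "set trustedhost1 <mgmt-host> 255.255.255.255"))
        if name == "admin":
            findings.append(("admin admin", "default super_admin account still named admin",
                             "create a second super_admin account, then rename this one"))
    return findings


if __name__ == "__main__":
    for where, problem, fix in audit_management_access(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"[{where}] {problem}\n    fix: {fix}")
```

Run it against a backup taken from System > Settings or the CLI and apply the printed fixes in the corresponding config tables; port2 and the netops account in the sample already follow the page's advice and produce no findings, while port1 and the untouched default admin account do.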

Security precautions

One potential point of a security breach is at the management computer. Administrators who leave their workstations for a prolonged amount of time while staying logged into the GUI or CLI leave the firewall open to malicious intent.

note icon When logging in using a local admin with the default or empty password, a warning prompt will appear upon login. Admins will be logged out if they have no permissions.

Restrict logins from trusted hosts

Setting up trusted hosts for an administrator limits the addresses from where they can log into FortiOS. The trusted hosts configuration applies to most forms of administrative access including HTTPS, SSH, and SNMP. When you identify a trusted host for an administrator account, FortiOS accepts that administrator’s login only from one of the trusted hosts. A login, even with proper credentials, from a non-trusted host is dropped.

note icon Even if you have configured trusted hosts, if you have enabled ping administrative access on a FortiGate interface, it will respond to ping requests from any IP address.

To identify trusted hosts, go to System > Administrators, edit the administrator account, enable Restrict login to trusted hosts, and add up to ten trusted host IP addresses.

To add two trusted hosts from the CLI:

config system admin
    edit <administrator-name>
        set trustedhost1 172.25.176.23 255.255.255.255
        set trustedhost2 172.25.177.0 255.255.255.0
    next
end

Trusted host IP addresses can identify individual hosts or subnets. Just like firewall policies, FortiOS searches through the list of trusted hosts in order and acts on the first match it finds. When you configure trusted hosts, start by adding specific addresses at the top of the list and follow with more general IP addresses. You don't have to fill in all ten entries, as long as all of the specific addresses are above all of the 0.0.0.0 0.0.0.0 entries. Trusted hosts are set per administrator account: an account that has none configured can still log in from any address, so apply them to every account, including the default admin.

Prevent concurrent administrator sessions

Concurrent administrator sessions occur when multiple people concurrently access the FortiGate using the same administrator account. This is allowed by default. If you wish to prevent this behavior go to System > Settings and disable Allow multiple concurrent sessions for each administrator.

From the CLI:

config system global
    set admin-concurrent disable
end

Note that when concurrent sessions are disabled, only one session per username is allowed, even if the second login comes from the same IP address.

Restrict local admin authentication when remote authentication server is running

When the following option is enabled, local administrator authentication is blocked whenever any remote authentication server (TACACS+, LDAP, or RADIUS) is up and reachable; local administrators can log in only if no remote server is detected. Before enabling it, make sure at least one remote-authenticated administrator has the super_admin profile, otherwise you lose full administrative access for as long as the remote server is up.

Syntax:

config system global
    set admin-restrict-local {enable | disable}    (default = disable)
end

Segregate administrative roles

To minimize the effect of an administrator causing errors to the FortiGate configuration and possibly jeopardizing the network, create individual administrative roles where none of the administrators have super_admin permissions. For example, one account is used solely to create security policies, another for users and groups, another for VPN, and so on.

SSH log in time out

By default you can take up to 120 seconds to complete an SSH login to the FortiGate. Use the following CLI command to shorten this grace time, which limits how long an unauthenticated SSH connection can be held open:

config system global
    set admin-ssh-grace-time <number_of_seconds>
end

The range is 10 to 3600 seconds.

HTTPS redirect

When configuring the Administration Settings (found at System > Settings), you can also enable HTTP to Redirect to HTTPS. When enabled, if an administrator tries to connect to an interface using HTTP, the connection is automatically redirected to HTTPS. This protects administrators who type a plain http:// URL; it does not replace removing HTTP from the interface's administrative access where HTTP isn't needed at all.

Administrator log in disclaimers

FortiOS can display a disclaimer before or after logging into the GUI or CLI (or both). In either case the administrator must read and accept the disclaimer before they can proceed.

Use the following command to display a disclaimer before logging in:

config system global
    set pre-login-banner enable
end

Use the following command to display a disclaimer after logging in:

config system global
    set post-login-banner enable
end

You can customize the replacement messages for these disclaimers by going to System > Replacement Messages. Select Extended View to view and edit the Administrator replacement messages.

From the CLI, set the text of each message in its buffer:

config system replacemsg admin pre_admin-disclaimer-text
    set buffer "<disclaimer text>"
end

config system replacemsg admin post_admin-disclaimer-text
    set buffer "<disclaimer text>"
end

Disable the console interface

You can disable your FortiGate's console interface to prevent any unwanted login attempts over the serial console:

config system console
    set login disable
end

Keep in mind that the console is the last-resort path when network management access is lost; if you disable it, make sure another trusted management path remains available.

Disable other interfaces

If any of the interfaces on the FortiGate aren't being used, disable traffic on that interface. This avoids someone plugging in network cables and potentially causing network bypass or loop issues.

To disable an interface - GUI
  1. Go to Network > Interfaces.
  2. Select the interface from the list and select Edit.
  3. For Administrative Status, select Down.
  4. Select OK.
To disable an interface - CLI

config system interface
    edit <interface_name>
        set status down
    next
end

Self-signed GUI certificates

For increased security, the self-signed certificate (self-sign) is used as the default GUI server certificate when the factory-installed BIOS certificate is signed with SHA-1.
