Configuring administrator settings
You can edit the default administrator account named admin. Alternatively, you can create a new administrator account and delete the existing admin account. This topic describes how to edit the default admin account.
To configure administrator settings in the GUI:
- Go to System > Administrators, and double-click the admin account to open it for editing.
- Enable Two-factor Authentication, and select FortiToken.
- Set Token to one of the available FortiTokens.
  FortiGate comes with two (2) free FortiTokens. If you need to apply multi-factor authentication (MFA) to additional users, consider purchasing more tokens or using FortiToken Cloud.
- Provide an email address or phone number for the activation code:
  - Enter an email address in the Email Address box.
  - Enable SMS and enter a phone number.

  A popup appears at the bottom-right of the pane, indicating the activation code has been sent.
- Enable Restrict login to trusted hosts, and enter your management network, for example, 172.16.0.0/24.
  This ensures that only users from the trusted network are allowed to log in to the FortiGate.
- Click OK.
The remaining settings must be configured using the command line interface.
| Setting | Description |
|---|---|
| Lockout duration | How long the admin account is locked after repeated, failed login attempts.<br>`FW_FLR1 # config sys global`<br>`FW_FLR1 (global) # set admin-lockout-duration 1800`<br>`FW_FLR1 (global) # end` |
| Number of failures to trigger the lockout duration | How many failed login attempts before an admin account is locked out.<br>`FW_FLR1 # config sys global`<br>`FW_FLR1 (global) # set admin-lockout-threshold [1-10]`<br>`FW_FLR1 (global) # end` |
| Disable maintainer account | A maintenance account allows users with physical access and knowledge of the FortiGate to log in and perform password resets.<br>`FW_FLR1 # config sys global`<br>`FW_FLR1 (global) # set admin-maintainer disable`<br>`FW_FLR1 (global) # end` |
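
To confirm these settings on a saved configuration, the following Python check is an added example (not part of the original documentation and not Fortinet tooling) that reports which of the settings covered in this topic are missing or weak. The sample configuration is constructed, the lockout limits are an assumed baseline, and `two-factor` and `trusthost1` are the CLI keys behind the GUI options above; a key absent from the input fails its check, so feed it `show full-configuration` output.

```python
# Constructed sample in FortiOS configuration syntax, not from a real device.
SAMPLE = """\
config system global
    set admin-lockout-duration 60
    set admin-lockout-threshold 3
    set admin-maintainer enable
end
config system admin
    edit "admin"
        set trusthost1 172.16.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "backup"
    next
end
"""

def parse(text):
    """Return {section: {entry: {key: value}}}; entry "" holds settings outside edit."""
    cfg, depth, sec, entry = {}, 0, None, ""
    for words in (ln.split() for ln in text.splitlines() if ln.strip()):
        if words[0] == "config":
            depth += 1
            if depth == 1:  # nested config blocks are skipped, only counted
                sec, entry = " ".join(words[1:]), ""
                cfg.setdefault(sec, {})
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit":
            entry = " ".join(words[1:]).strip('"')
            cfg[sec][entry] = {}
        elif depth == 1 and words[0] == "set":
            cfg[sec].setdefault(entry, {})[words[1]] = " ".join(words[2:])
    return cfg

def audit(text, min_duration=1800, max_threshold=3):  # limits: assumed baseline
    cfg = parse(text)
    glob = cfg.get("system global", {}).get("", {})
    num = lambda key: int(glob.get(key, 0))  # a missing key fails its check
    ok = {
        "admin-lockout-duration": num("admin-lockout-duration") >= min_duration,
        "admin-lockout-threshold": 1 <= num("admin-lockout-threshold") <= max_threshold,
        "admin-maintainer": glob.get("admin-maintainer") == "disable",
    }
    for name, s in cfg.get("system admin", {}).items():
        hosts = [v for k, v in s.items() if k.startswith("trusthost")]
        ok[f"{name}: two-factor"] = s.get("two-factor", "disable") != "disable"
        ok[f"{name}: trusthost"] = any(h != "0.0.0.0 0.0.0.0" for h in hosts)
    return [check for check, passed in ok.items() if not passed]
```

`audit(SAMPLE)` returns the names of the failed checks; an empty list means every setting in this topic is in place for every administrator account in the file.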