Administration Guide

Administrator account options

Options to further define the access and abilities of an administrator account include:

Multi-factor authentication

Multi-factor authentication (MFA) requires authenticating administrators to supply more than one factor to identify themselves in addition to their password, such as a FortiToken.

Before enabling MFA, it is recommended that you create a second administrator account that is configured to guarantee administrator access to the FortiGate if you are unable to authenticate on the main account for any reason.

Multi-factor authentication options include:

FortiToken

To associate a FortiToken to an administrator account using the GUI:
  1. Ensure that you have successfully added your FortiToken serial number to FortiOS and that its status is Available.

  2. Go to System > Administrators. Edit the admin account. This example assumes that the account is fully configured except for MFA.

  3. Enable Two-factor Authentication and for Authentication Type, select FortiToken.

  4. From the Token dropdown list, select the FortiToken serial number.

  5. In the Email Address field, enter the administrator's email address.

  6. Click OK.

Note

For a mobile token, click Send Activation Code to send the activation code to the configured email address. The admin uses this code to activate their mobile token. You must have configured an email service in System > Settings to send the activation code.

To associate a FortiToken to an administrator account using the CLI:

config system admin
    edit <username>
        set password "myPassword"
        set two-factor fortitoken
        set fortitoken <serial_number>
        set email-to "username@example.com"
    next
end

The fortitoken keyword is not visible until you select fortitoken for the two-factor option.

Note

Before you can use a new FortiToken, you may need to synchronize it due to clock drift.

FortiToken Cloud

FortiToken Cloud is an Identity and Access Management as a Service (IDaaS) cloud service provided by Fortinet. It enables FortiGate and FortiAuthenticator customers to add MFA for their users using Mobile or Hard tokens.

For more information, see Getting started—FGT-FTC users in the FortiToken Cloud Administration Guide.

Email

Enter an email address to send an MFA code to that address.

SMS

Enable SMS, then select the Country Dial Code and enter the Phone Number (sms-phone in the CLI) to which the MFA code is sent.

SMS messages can also be sent to the FortiGuard SMS server or a custom server.

config system admin
    edit "admin"
        ...
        set sms-server {fortiguard | custom}
        set sms-server-custom <string>
        ...
    next
end

Restricting logins to trusted hosts

Administrator accounts can be configured so that they are accessible only from a trusted host. You can set a specific IP address for the trusted host, or use a subnet. Up to ten trusted hosts can be specified for an administrator.

When trusted hosts are defined for all of the administrators on the FortiGate, the administrative access on each interface will be restricted to the trusted hosts that are defined for the administrator, except for ping. If ping is enabled on an interface, it works regardless of the trusted hosts.
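To check an account inventory against the two controls described in this section (an MFA method and trusted hosts), the following Python audit script is an added example; it is not Fortinet code and is not part of this guide. It parses a `config system admin` dump in the layout shown above, reports accounts that have no two-factor method or no trusted hosts, evaluates whether a login from a given source address would pass an account's trusted-host check, and applies the caveat from the paragraph above (interface-level restriction only when every administrator has trusted hosts). The `set trusthostN <ip> <netmask>` keyword form (N = 1 to 10), the treatment of a `0.0.0.0 0.0.0.0` entry as unrestricted, and the sample dump itself are assumptions made here and are not taken from the page.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample dump in the page's `config system admin` layout (not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set two-factor fortitoken
        set fortitoken "FTK-SERIAL-PLACEHOLDER"
        set email-to "admin@example.com"
        set trusthost1 10.0.0.5 255.255.255.255
        set trusthost2 192.168.10.0 255.255.255.0
    next
    edit "helpdesk"
        set two-factor sms
        set sms-phone "5551234"
    next
    edit "guest-provisioner"
        set trusthost1 10.0.0.0 255.255.0.0
    next
end
"""

NO_MFA = "no-mfa"
NO_TRUSTED_HOSTS = "no-trusted-hosts"


@dataclass
class AdminAccount:
    name: str
    two_factor: str = "disable"  # value used when no `set two-factor` line is present
    trusted_hosts: list = field(default_factory=list)  # ipaddress networks from trusthost1..10


def parse_admins(config_text):
    """Return one AdminAccount per `edit ... next` block, keeping only the fields audited here."""
    admins, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?(.+?)"?$', line)
        if m:
            current = AdminAccount(name=m.group(1))
            continue
        if current is None:
            continue
        if line == "next":
            admins.append(current)
            current = None
            continue
        m = re.match(r'^set two-factor\s+(\S+)$', line)
        if m:
            current.two_factor = m.group(1)
            continue
        # `set trusthostN <ip> <netmask>`: assumed keyword form (N = 1..10), see lead-in.
        m = re.match(r'^set trusthost(\d+)\s+(\S+)\s+(\S+)$', line)
        if m:
            if not 1 <= int(m.group(1)) <= 10:
                raise ValueError(f"{current.name}: trusthost index out of range: {line}")
            # ip_network accepts a dotted netmask after the slash; strict=False tolerates host bits.
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            current.trusted_hosts.append(net)
    return admins


def is_restricted(admin):
    """True if the account has at least one trusted host and none of them is the 0.0.0.0/0 wildcard
    (a wildcard entry matches every source, so it is treated as no restriction here)."""
    return bool(admin.trusted_hosts) and all(n.prefixlen > 0 for n in admin.trusted_hosts)


def source_allowed(admin, source_ip):
    """Would a login from source_ip pass this account's trusted-host check?"""
    if not is_restricted(admin):
        return True  # unrestricted account: reachable from any address
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in admin.trusted_hosts)


def all_admins_restricted(admins):
    """Interface-level restriction applies only when every administrator has trusted hosts."""
    return all(is_restricted(a) for a in admins)


def audit(admins):
    """Map each admin name to the list of issues found (an empty list means clean)."""
    report = {}
    for a in admins:
        issues = []
        if a.two_factor == "disable":
            issues.append(NO_MFA)
        if not is_restricted(a):
            issues.append(NO_TRUSTED_HOSTS)
        report[a.name] = issues
    return report


if __name__ == "__main__":
    accounts = parse_admins(SAMPLE_CONFIG)
    for name, issues in audit(accounts).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
    print("interface-level trusted-host enforcement:", all_admins_restricted(accounts))
```

Running the script prints the findings for the constructed sample: `admin` is clean, `helpdesk` has MFA but no trusted hosts, and `guest-provisioner` has trusted hosts but no MFA; because one account is unrestricted, the interface-level enforcement described above would not apply. To audit a real device, replace `SAMPLE_CONFIG` with the text of its `config system admin` section.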

Restricting administrators to guest account provisioning

To simplify guest account creation, an administrator account can be created exclusively for guest user management. This allows new accounts to be created without requiring full administrative access to FortiOS.

When enabling this option, a guest group must be specified for the administrator to provision new accounts to. See Configuring guest user groups for information about creating such a group.

Global and VDOM administrators

When a FortiGate is in multi VDOM mode, it can be managed by either global or per-VDOM administrators. Each type of administrator will have a different view of the GUI that corresponds to their role. For more information, see Administrator roles and views.

For information about configuring per-VDOM administrators, see Create per-VDOM administrators.
