Administrator account options
Options to further define the access and abilities of an administrator account include:
Multi-factor authentication
Multi-factor authentication (MFA) requires authenticating administrators to supply more than one factor to identify themselves in addition to their password, such as a FortiToken.
Before enabling MFA, it is recommended that you create a second administrator account that is configured to guarantee administrator access to the FortiGate if you are unable to authenticate on the main account for any reason.
Multi-factor authentication options include:
FortiToken
To associate a FortiToken to an administrator account using the GUI:
- Ensure that you have successfully added your FortiToken serial number to FortiOS and that its status is Available.
- Go to System > Administrators. Edit the admin account. This example assumes that the account is fully configured except for MFA.
- Enable Two-factor Authentication and for Authentication Type, select FortiToken.
- From the Token dropdown list, select the FortiToken serial number.
- In the Email Address field, enter the administrator's email address.
- Click OK.
For a mobile token, click Send Activation Code to send the activation code to the configured email address. The admin uses this code to activate their mobile token. You must have configured an email service in System > Settings to send the activation code.
To associate a FortiToken to an administrator account using the CLI:
config system admin
    edit <username>
        set password "myPassword"
        set two-factor fortitoken
        set fortitoken <serial_number>
        set email-to "username@example.com"
    next
end
The fortitoken keyword is not visible until you select fortitoken for the two-factor option.
Before you can use a new FortiToken, you may need to synchronize it due to clock drift.
FortiToken Cloud
FortiToken Cloud is an Identity and Access Management as a Service (IDaaS) cloud service provided by Fortinet. It enables FortiGate and FortiAuthenticator customers to add MFA for their users using Mobile or Hard tokens.
For more information, see Getting started—FGT-FTC users in the FortiToken Cloud Administration Guide.
Email
Enter an email address to send an MFA code to that address.
SMS
Enable SMS, then select the Country Dial Code and enter the Phone Number (sms-phone in the CLI) to send an MFA code to.
SMS messages can also be sent to the FortiGuard SMS server or a custom server.
config system admin
    edit "admin"
        ...
        set sms-server {fortiguard | custom}
        set sms-server-custom <string>
        ...
    next
end
Restricting logins to trusted hosts
Administrator accounts can be configured to only be accessible to a user using a trusted host. You can set a specific IP address for the trusted host, or use a subnet. Up to ten trusted hosts can be specified for an administrator.
When trusted hosts are defined for all of the administrators on the FortiGate, the administrative access on each interface will be restricted to the trusted hosts that are defined for the administrator, except for ping. If ping is enabled on an interface, it works regardless of the trusted hosts.
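The two controls covered above, MFA on the admin account and trusted-host restriction, can be checked from a saved configuration dump in the `config system admin` syntax shown on this page. The following audit script is an added example, not part of the FortiOS documentation; it assumes the FortiOS `trusthostN` keywords (not shown on this page) and operates on a constructed sample configuration.

```python
import re

# Constructed sample in the `config system admin` syntax this page uses.
# trusthostN keys are FortiOS CLI keywords not shown on the page (assumed).
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set two-factor fortitoken
        set fortitoken FTKMOB-PLACEHOLDER
        set email-to "admin@example.com"
        set trusthost1 192.0.2.10 255.255.255.255
    next
    edit "backup-admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "helpdesk"
        set two-factor email
        set email-to "helpdesk@example.com"
    next
end
"""

def parse_admins(config):
    # Map each admin name to its {keyword: value} settings.
    admins, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif line in ("next", "end"):
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip().strip('"')
    return admins

def audit_admins(admins):
    # Flag accounts without MFA or without a restricting trusted host.
    findings = {}
    for name, keys in admins.items():
        issues = []
        if keys.get("two-factor", "disable") == "disable":
            issues.append("no MFA")
        hosts = [v for k, v in keys.items() if re.fullmatch(r"(ip6-)?trusthost\d+", k)]
        # A 0.0.0.0 0.0.0.0 entry matches any address, i.e. no restriction.
        if not hosts or any(h.endswith(" 0.0.0.0") for h in hosts):
            issues.append("no trusted-host restriction")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the output of `show system admin` from a FortiGate to list administrators that fall short of the recommendations above.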
Restricting administrators to guest account provisioning
To simplify guest account creation, an administrator account can be created exclusively for guest user management. This allows new accounts to be created without requiring full administrative access to FortiOS.
When enabling this option, a guest group must be specified for the administrator to provision new accounts to. See Configuring guest user groups for information about creating such a group.
Global and VDOM administrators
When a FortiGate is in multi VDOM mode, it can be managed by either global or per-VDOM administrators. Each type of administrator will have a different view of the GUI that corresponds to their role. For more information, see Administrator roles and views.
For information about configuring per-VDOM administrators, see Create per-VDOM administrators.