Fortinet white logo
Fortinet white logo

Administration Guide

Create or edit an administrator

Create or edit an administrator

Select Create New > Administrator to open the New Administrator page. It provides settings for configuring an administrator account. When you are configuring an administrator account, you can enable authentication for an admin from an LDAP, RADIUS, or local server.

Select an administrator and then click Edit to open the Edit Administrator page.

Configure the following settings in the New Administrator page or Edit Administrator page and then click OK:

User Name

Enter the login name for the administrator account.

The name of the administrator should not contain the characters <, >, (, ), #, ", or '. Using these characters in the administrator account name can result in a cross-site scripting (XSS) vulnerability.

Type

Select the type of administrator account.

  • Local User—Select to create a local administrator account.

  • Match a user on a remote server group—Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first.

  • Match all users on a remote server group—Select to authenticate all users using a specific RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first.

  • Use public key infrastructure (PKI) group—Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled.

Password

Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. Select the eye icon to view the password.

This option is only available if Type is Local User.

Confirm Password

Type the password for the administrator account a second time to confirm that you have typed it correctly. Select the eye icon to view the password.

This option is not available if Type is Use public key infrastructure (PKI) group.

Backup Password

Enter a backup password for the administrator account. For improved security, the password should be at least 6 characters long. Select the eye icon to view the password.

This option is only available if Type is Match a user on a remote server group or Match all users in a remote server group.

Comments

Optionally, enter comments about the administrator account.

Administrator Profile

Select an administrator profile to use for the new administrator.

To create an administrator profile, see Create or edit an administrator profile.

Email Address

If email is used for two-factor authentication, provide the email address at which the user will receive token password codes.

Remote User Group

Select the administrator user group that includes the remote server/PKI (peer) users as members of the Remote User Group. The administrator user group cannot be deleted after the group is selected for authentication.

This option is only available if Type is Match a user on a remote server group or Match all users in a remote server group.

PKI Group

Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators.

This option is only available if Type is Use public key infrastructure (PKI) group.

SMS

If SMS is used for two-factor authentication, enable SMS and provide the country dial code and SMS cell phone number at which the user will receive token password codes.

Restrict login to trusted hosts

Enable to restrict this administrator login to specific trusted hosts and then enter the IPv4 or IPv6 addresses and netmasks of the trusted hosts. You can specify up to 10 trusted hosts and 10 IPv6 trusted hosts.

Restrict admin to guest account provisioning only

Enable to create a guest management administrator and then select the name of the guest group.

Regular (password) authentication for administrators

You can use a password stored on the local unit to authenticate an administrator. When you select Local User for Type, you will see Local as the entry in the Type column when you view the list of administrators.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator can connect only through the subnet or subnets that you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.

The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a nonzero address, the other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.

Create or edit an administrator

Create or edit an administrator

Select Create New > Administrator to open the New Administrator page. It provides settings for configuring an administrator account. When you are configuring an administrator account, you can enable authentication for an admin from an LDAP, RADIUS, or local server.

Select an administrator and then click Edit to open the Edit Administrator page.

Configure the following settings in the New Administrator page or Edit Administrator page and then click OK:

User Name

Enter the login name for the administrator account.

The name of the administrator should not contain the characters <, >, (, ), #, ", or '. Using these characters in the administrator account name can result in a cross-site scripting (XSS) vulnerability.

Type

Select the type of administrator account.

  • Local User—Select to create a local administrator account.

  • Match a user on a remote server group—Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first.

  • Match all users on a remote server group—Select to authenticate all users using a specific RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first.

  • Use public key infrastructure (PKI) group—Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled.

Password

Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. Select the eye icon to view the password.

This option is only available if Type is Local User.

Confirm Password

Type the password for the administrator account a second time to confirm that you have typed it correctly. Select the eye icon to view the password.

This option is not available if Type is Use public key infrastructure (PKI) group.

Backup Password

Enter a backup password for the administrator account. For improved security, the password should be at least 6 characters long. Select the eye icon to view the password.

This option is only available if Type is Match a user on a remote server group or Match all users in a remote server group.

Comments

Optionally, enter comments about the administrator account.

Administrator Profile

Select an administrator profile to use for the new administrator.

To create an administrator profile, see Create or edit an administrator profile.

Email Address

If email is used for two-factor authentication, provide the email address at which the user will receive token password codes.

Remote User Group

Select the administrator user group that includes the remote server/PKI (peer) users as members of the Remote User Group. The administrator user group cannot be deleted after the group is selected for authentication.

This option is only available if Type is Match a user on a remote server group or Match all users in a remote server group.

PKI Group

Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators.

This option is only available if Type is Use public key infrastructure (PKI) group.

SMS

If SMS is used for two-factor authentication, enable SMS and provide the country dial code and SMS cell phone number at which the user will receive token password codes.

Restrict login to trusted hosts

Enable to restrict this administrator login to specific trusted hosts and then enter the IPv4 or IPv6 addresses and netmasks of the trusted hosts. You can specify up to 10 trusted hosts and 10 IPv6 trusted hosts.

Restrict admin to guest account provisioning only

Enable to create a guest management administrator and then select the name of the guest group.

Regular (password) authentication for administrators

You can use a password stored on the local unit to authenticate an administrator. When you select Local User for Type, you will see Local as the entry in the Type column when you view the list of administrators.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator can connect only through the subnet or subnets that you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.

The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a nonzero address, the other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.