
Administration Guide

Create or edit an administrator

Select Create New > Administrator to open the New Administrator page, which contains the settings for an administrator account. An administrator can be authenticated with a password stored locally on the unit, against a remote LDAP, RADIUS, or TACACS+ server, or with a client certificate through a PKI group.

Select an administrator and then click Edit to open the Edit Administrator page.

Configure the following settings in the New Administrator page or Edit Administrator page and then click OK:

User Name

Enter the login name for the administrator account.

The name of the administrator should not contain the characters <, >, (, ), #, ", or '. Using these characters in the administrator account name can result in a cross-site scripting (XSS) vulnerability.

Type

Select the type of administrator account.

  • Local User—Select to create a local administrator account.

  • Match a user on a remote server group—Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first. See Creating an administrator that can be authenticated by an LDAP server.

  • Match all users on a remote server group—Select to allow every user on a specific RADIUS, LDAP, or TACACS+ server to authenticate as an administrator. Server authentication for administrators must be configured first. See Creating an administrator that can be authenticated by an LDAP server.

  • Use public key infrastructure (PKI) group—Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled.

Password

Enter a password for the administrator account. For improved security, the password should be at least 6 characters long; treat that as a minimum rather than a target and prefer a longer passphrase. Select the eye icon to view the password.

This option is only available if Type is Local User.

Confirm Password

Type the password for the administrator account a second time to confirm that you have typed it correctly. Select the eye icon to view the password.

This option is not available if Type is Use public key infrastructure (PKI) group.

Backup Password

Enter a backup password for the administrator account. It is used when the remote authentication server cannot be reached, so it should be at least 6 characters long and, like the primary password, as long as practical. Select the eye icon to view the password.

This option is only available if Type is Match a user on a remote server group or Match all users on a remote server group.

Comments

Optionally, enter comments about the administrator account.

Administrator Profile

Select an administrator profile to use for the new administrator.

To create an administrator profile, see Create or edit an administrator profile.

Force Password Change

Specifies whether to force the administrator to change the password during the next login.

Email Address

If email is used for two-factor authentication, provide the email address at which the administrator will receive the one-time token codes.

Two-factor Authentication

Specifies whether to enable two-factor authentication (2FA) for the administrator, which requires the administrator to supply another factor in addition to the password during authentication.

Note

Before enabling 2FA, it is recommended that you create a second administrator account that is configured to guarantee administrator access to the FortiProxy if you are unable to authenticate on the main account for any reason.

FortiProxy supports the following 2FA options:

  • FortiToken—You can use hard tokens or mobile tokens.

    • Hard tokens must be registered and activated first before they appear in the dropdown list. See Registering and activating a hard token.

    • FortiProxy provides two trial mobile tokens ready for use from the dropdown list. You cannot add or import any other mobile tokens.

  • FortiToken Cloud—A Fortinet Identity and Access Management as a Service (IDaaS) cloud service that enables FortiProxy and FortiAuthenticator customers to add 2FA for their users using mobile or hard tokens.

    You can activate a free one-month FortiToken Cloud trial subscription for a registered FortiCare account from the FortiToken Cloud option in the GUI or with the execute fortitoken-cloud trial command in the CLI.

    To verify the activation status, run execute fortitoken-cloud show. To view the user list, run diagnose fortitoken-cloud show users.

    Note

    The FortiToken Cloud free trial can only be activated once. The option will not be available if another FortiToken Cloud trial subscription has been activated on the FortiProxy or with the registered FortiCare accounts.

  • Email—Enter an email address to send a 2FA code to that address.

  • SMS—Select the Country Dial Code and enter the Phone Number (sms-phone in the CLI) that the 2FA code is sent to. SMS messages can be delivered through the FortiGuard SMS server or a custom SMS server.

Remote User Group

Select the user group whose members (remote-server users or PKI peer users) are permitted to authenticate as administrators. The group cannot be deleted while it is selected for administrator authentication.

This option is only available if Type is Match a user on a remote server group or Match all users on a remote server group.

PKI Group

Select the PKI user group whose peer (certificate) members are permitted to authenticate as administrators.

This option is only available if Type is Use public key infrastructure (PKI) group.

Restrict login to trusted hosts

Enable to restrict this administrator login to specific trusted hosts and then enter the IPv4 or IPv6 addresses and netmasks of the trusted hosts. You can specify up to 10 trusted hosts and 10 IPv6 trusted hosts.

Restrict admin to guest account provisioning only

Enable to create a guest management administrator exclusively for guest user management without requiring full administrative access to FortiProxy. You can then select the guest group for the administrator (see User Groups).

Regular (password) authentication for administrators

You can use a password stored on the local unit to authenticate an administrator. When you select Local User for Type, you will see Local as the entry in the Type column when you view the list of administrators.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator can connect only through the subnet or subnets that you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.

The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a nonzero address, the other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.
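The trusted-host rules above are easy to get wrong on a unit with many administrators, because one account left at the wildcard default undoes the restriction on all the others. The following Python model is an added example, not FortiProxy code. It encodes the rules this section states (every slot defaults to 0.0.0.0/0.0.0.0, zero slots are ignored once any slot is nonzero, a 255.255.255.255 netmask pins an administrator to one address, 10 slots per address family) and audits a set of constructed accounts for the exposure the section warns about. The names Admin, effective_nets, allows and audit are chosen here, and the reading that IPv4 and IPv6 slots are evaluated together, so that a nonzero IPv4 entry also disables the IPv6 wildcard, is this example's interpretation of "the other zero addresses will be ignored" and should be verified on the device.

```python
"""Trusted-host evaluation for administrator accounts.

Added example (not FortiProxy code). Models the rules in "Using trusted hosts":
every slot defaults to 0.0.0.0/0.0.0.0, a wildcard that matches any source;
once any slot is nonzero the remaining zero slots are ignored; an entry with
netmask 255.255.255.255 pins the admin to one address; and a single
unrestricted admin exposes the management plane on every interface that has
administrative access enabled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

MAX_TRUSTHOSTS = 10  # per address family: 10 IPv4 slots and 10 IPv6 slots

# Assumption of this example: IPv4 and IPv6 slots are evaluated together, so a
# nonzero IPv4 entry also turns off the IPv6 wildcard. Verify on the device.
DEFAULT_SLOTS = ("0.0.0.0 0.0.0.0", "::/0")


def parse_trusthost(entry: str):
    """Accept 'addr netmask' as the GUI shows IPv4 entries, or 'addr/prefix'."""
    if " " in entry:
        addr, mask = entry.split()
        return ipaddress.IPv4Network((addr, mask), strict=False)
    return ipaddress.ip_network(entry, strict=False)


@dataclass
class Admin:
    name: str
    trusthosts: List[str] = field(default_factory=list)      # IPv4 slots as typed
    ip6_trusthosts: List[str] = field(default_factory=list)  # IPv6 slots as typed

    def __post_init__(self):
        for slots in (self.trusthosts, self.ip6_trusthosts):
            if len(slots) > MAX_TRUSTHOSTS:
                raise ValueError(f"{self.name}: at most {MAX_TRUSTHOSTS} trusted hosts per address family")
        # Slots that were never set stay at the all-zero default.
        entries = list(self.trusthosts) + list(self.ip6_trusthosts) or list(DEFAULT_SLOTS)
        self.nets = [parse_trusthost(e) for e in entries]

    def effective_nets(self):
        """Networks that actually gate logins: zero slots count only when every slot is zero."""
        nonzero = [n for n in self.nets if n.prefixlen > 0]
        return nonzero or self.nets

    def is_unrestricted(self) -> bool:
        """True when the account still accepts logins from any source address."""
        return any(n.prefixlen == 0 for n in self.effective_nets())

    def allows(self, source: str) -> bool:
        """Would a login attempt from this source address pass the trusted-host check?"""
        ip = ipaddress.ip_address(source)
        return any(ip.version == n.version and ip in n for n in self.effective_nets())


def audit(admins: List[Admin]) -> dict:
    """Report the exposure the guide warns about: if even one administrator is
    unrestricted, the unit accepts login attempts on every interface with
    administrative access enabled, however tightly the others are locked down."""
    unrestricted = [a.name for a in admins if a.is_unrestricted()]
    return {"unrestricted": unrestricted, "management_plane_exposed": bool(unrestricted)}


# Constructed sample accounts for the demonstration; not taken from any device.
SAMPLE_ADMINS = [
    Admin("netops", trusthosts=["10.20.0.0 255.255.255.0", "0.0.0.0 0.0.0.0"]),  # zero slot ignored
    Admin("breakglass", trusthosts=["10.20.0.7 255.255.255.255"]),              # pinned to one host
    Admin("admin"),                                                               # left at defaults
]

if __name__ == "__main__":
    for a in SAMPLE_ADMINS:
        scope = "ANY SOURCE" if a.is_unrestricted() else ", ".join(map(str, a.effective_nets()))
        print(f"{a.name:<11} {scope}")
    print(audit(SAMPLE_ADMINS))
```

Running the script lists each account's effective networks and reports that the default "admin" account alone leaves the management plane exposed; removing that account's wildcard, or restricting it as the others are, is what turns the audit result green.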
