Administrators
Use the Administrators menu to configure administrator user accounts.
Users whose Admin Profile does not have Read Write privilege under System > Admin Profiles can only view and edit their own information.
Only the default admin account can see and access that account. Other users cannot see the default admin account in the GUI.
The following options are available:
Create New
Create a new administrator account.
Edit
Edit the selected administrator account.
Delete
Delete the selected administrator account.
Test Login
Test the selected LDAP/RADIUS administrator account's login settings. A detailed debug message displays any errors.
The following information is displayed:
Name
Administrator account name.
Type
Administrator type:
Profile
The Admin Profile the user belongs to.
To create a new user:
- Log in as a user whose Admin Profile has Read/Write privileges under System > Admin Profiles, and go to System > Administrators.
- Click Create New.
- Configure the following and click OK.
Administrator
Name of the administrator account. The administrator name must be 1 to 30 characters using uppercase letters, lowercase letters, numbers, or the underscore character (_).
Password
Password of the account. The password must be 6 to 64 characters using uppercase letters, lowercase letters, numbers, or special characters. This field is only available when Type is Local.
Email Address
Email address for contact information.
Phone Number
Phone number for contact information. Phone number must start with +1.
Admin Profile
Select the Admin Profile for the user: Super Admin, Read Only, or Device.
Assigned Devices
Assign devices and/or VDOMs/Protected Domains to the user. This applies if you enable Device User.
Click in the Assigned Devices box to display the Available Devices panel, which lists all available devices and VDOMs/Protected Domains. Use this panel to select or add devices.
Type
Select administrator type.
LDAP
When Type is LDAP, select the LDAP Server. For more information, see LDAP Servers.
RADIUS
When Type is RADIUS, select the RADIUS Server. For more information, see RADIUS Servers.
LDAP WILDCARD
When Type is LDAP WILDCARD, select the LDAP Server. The Administrator is LDAP_WILDCARD and cannot be edited. For more information, see Wildcard Admin Authentication.
RADIUS WILDCARD
When Type is RADIUS WILDCARD, select the RADIUS Server. The Administrator is RADIUS_WILDCARD and cannot be edited. For more information, see Wildcard Admin Authentication.
Device User
Enable this option to assign devices to the user. When the user logs in, only jobs belonging to the assigned devices or VDOMs/Protected Domains are visible.
You can create device groups in System > Device Groups and then assign them to a device user.
You can also assign devices on the fly by selecting self assigned in the Device Group dropdown list.
Two-factor Authentication
When administrator Type is Local, you can use two-factor authentication. Select an Authentication Type of Email, SMS, or FTM (FortiTokenMobile).
Two-factor Authentication is only available for FortiSandbox appliances and FortiSandbox VMs with a serial number starting with FSA-VM0T.
Default On-Demand Submit settings
This option is available to administrators whose Administrator Profile > Scan Job has Read Write access.
Use this option to set the default settings in Scan Job > File On-Demand and URL On-Demand. Each administrator can have their own default settings.
For information on these settings, see File On-Demand and URL On-Demand.
Restrict login to trusted host
Expand to configure trusted hosts.
Trusted Host 1, Trusted Host 2, Trusted Host 3
Enter up to three IPv4 trusted hosts. Only users from trusted hosts can access FortiSandbox.
Trusted IPv6 Host 1, Trusted IPv6 Host 2, Trusted IPv6 Host 3
Enter up to three IPv6 trusted hosts. Only users from trusted hosts can access FortiSandbox.
Comments
Optional description comment for the administrator account.
Language
GUI language for the user: English, Japanese, or French.
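The account rules above can be checked in a script when reviewing administrator accounts. The following is an added example, not Fortinet code: it audits a constructed account list against the name rule, the limit of three trusted hosts per address family, and the trusted-host restriction described on this page. The record layout, the acceptance of CIDR notation in trusted-host entries, and treating an account with no trusted hosts as unrestricted are assumptions.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,30}")  # name rule stated on this page
MAX_HOSTS = 3                                # per address family, per this page

def parse_hosts(entries):
    """Parse entries; a bare address becomes a /32 or /128 (CIDR is an assumption)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def login_allowed(account, source_ip):
    """Model 'only users from trusted hosts can access'.
    Assumption: an account with no trusted hosts configured is unrestricted."""
    nets = parse_hosts(account["trusted_v4"] + account["trusted_v6"])
    if not nets:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in n for n in nets)  # a v4 address never matches a v6 network

def audit(account):
    """Return a list of findings for one account record."""
    findings = []
    if not NAME_RE.fullmatch(account["name"]):
        findings.append("name violates 1-30 [A-Za-z0-9_] rule")
    for fam in ("trusted_v4", "trusted_v6"):
        if len(account[fam]) > MAX_HOSTS:
            findings.append(f"{fam}: more than {MAX_HOSTS} entries")
    nets = parse_hosts(account["trusted_v4"] + account["trusted_v6"])
    if not nets:
        findings.append("no trusted-host restriction")
    elif any(n.prefixlen == 0 for n in nets):
        findings.append("trusted host covers every address")
    if account["type"] == "Local" and not account["two_factor"]:
        findings.append("Local account without two-factor authentication")
    return findings

# Constructed sample inventory (hypothetical layout, not a product export format).
ACCOUNTS = [
    {"name": "ops_analyst", "type": "Local", "two_factor": "FTM",
     "trusted_v4": ["192.0.2.10", "198.51.100.0/24"], "trusted_v6": ["2001:db8::5"]},
    {"name": "backup-admin", "type": "Local", "two_factor": None,
     "trusted_v4": [], "trusted_v6": []},
    {"name": "soc_lead", "type": "LDAP", "two_factor": None,
     "trusted_v4": ["0.0.0.0/0"], "trusted_v6": []},
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["name"], audit(acct) or "ok")
```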
To edit a user account:
- Log in as a user whose Admin Profile has Read/Write privileges under System > Admin Profiles, and go to System > Administrators.
- Select the user you want to edit and click Edit.
Only the admin account can edit its own settings.
When editing the admin account, you must enter the old password before you can set a new password.
- Edit the account and then retype the new password in the confirmation field.
- Click OK.
To test LDAP/RADIUS user login:
- Log in as a user whose Admin Profile has Read/Write privileges under System > Admin Profiles, and go to System > Administrators.
- Select an LDAP/RADIUS user to test.
- Click Test Login.
- In the dialog box, enter the user's password.
- Click OK.
If an error occurs, a detailed debug message appears.
When a remote RADIUS server is configured for two-factor authentication, RADIUS users must enter a FortiToken PIN code or the code from email/SMS. For example, after the user clicks Login, the user must enter the code and click Submit to complete the login.
A PIN code is also needed to test login.