Administration Guide

Administrators

Use the Administrators menu to configure administrator user accounts.

Users with a Device Admin Profile under System > Admin Profiles can only view and edit their own information.

Only the default admin account can see and access the default admin account; other users cannot see it in the GUI. Only administrators with the Super Admin profile can see all scan jobs; other users can only see their own jobs.
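The visibility rule above, together with the Device User option described under the account settings further down this page, amounts to a small authorization filter over scan jobs. The following Python is an added example that models that filter; it is not Fortinet's code, and the record fields (`submitted_by`, `source`), the device-group mapping and the sample jobs and administrators are all constructed for the illustration. It follows the page literally: a Device User sees only jobs belonging to its assigned devices, VDOMs/Protected Domains or device groups.

```python
"""Scan-job visibility by administrator profile (added example, not Fortinet code).

Rule modelled from the Administrators page: Super Admin sees every scan job,
other administrators see only the jobs they submitted, and a Device User sees
only jobs belonging to assigned devices, VDOMs/Protected Domains or device
groups. Field names and all sample data below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Admin:
    name: str
    profile: str                        # "Super Admin", "Read Only" or "Device"
    device_user: bool = False
    assigned: frozenset = frozenset()   # devices, VDOMs/Protected Domains or group names


@dataclass(frozen=True)
class ScanJob:
    job_id: str
    submitted_by: str   # administrator who submitted the job (constructed field)
    source: str         # device or VDOM/Protected Domain the job belongs to (constructed field)


# Constructed stand-in for System > Device Groups (group name -> member devices).
DEVICE_GROUPS = {"branch-fw": frozenset({"FGT-BRANCH-1", "FGT-BRANCH-2"})}


def expand_assignment(assigned, groups):
    """Resolve group names to their member devices; other names pass through unchanged."""
    scope = set()
    for item in assigned:
        scope.update(groups.get(item, {item}))
    return scope


def visible_jobs(admin, jobs, groups=DEVICE_GROUPS):
    """Return the jobs this administrator is permitted to see, in input order."""
    if admin.profile == "Super Admin":
        return list(jobs)                       # Super Admin: every job
    if admin.device_user:
        scope = expand_assignment(admin.assigned, groups)
        return [j for j in jobs if j.source in scope]   # Device User: assigned scope only
    return [j for j in jobs if j.submitted_by == admin.name]  # everyone else: own jobs


# Constructed sample jobs: two from branch firewalls, one from an HQ VDOM, one manual upload.
JOBS = (
    ScanJob("J-1001", "admin", "FGT-BRANCH-1"),
    ScanJob("J-1002", "analyst", "FGT-BRANCH-2"),
    ScanJob("J-1003", "admin", "FGT-HQ:vdom-dmz"),
    ScanJob("J-1004", "analyst", "on-demand"),
)

# Constructed administrators covering the three cases the page distinguishes.
ADMINS = {
    "admin": Admin("admin", "Super Admin"),
    "analyst": Admin("analyst", "Read Only"),
    "branch-ops": Admin("branch-ops", "Device", device_user=True,
                        assigned=frozenset({"branch-fw"})),
}


def visible_ids(admin_name):
    """Job IDs visible to the named constructed administrator."""
    return [j.job_id for j in visible_jobs(ADMINS[admin_name], JOBS)]


if __name__ == "__main__":
    for name in ADMINS:
        print(f"{name:>10}: {visible_ids(name)}")
```

Running the block prints the job list each constructed administrator would see: all four for `admin`, only J-1002 and J-1004 for `analyst`, and only the two branch-firewall jobs for `branch-ops`, whose assignment is a device group that the filter expands to its member devices.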

The following options are available:

Create New

Create a new administrator account.

Edit

Edit the selected administrator account.

Delete

Delete the selected administrator account.

Test Login

Test the selected LDAP/RADIUS administrator account's login settings. A detailed debug message displays any errors.

The following information is displayed:

Name

Administrator account name.

Type

Administrator type:
  • Local
  • LDAP
  • RADIUS
  • LDAP WILDCARD
  • RADIUS WILDCARD

Profile

The Admin Profile the user belongs to.

To create a new user:
  1. Log in as a user whose Admin Profile has Read/Write privileges under System > Admin Profiles, and go to System > Administrators.
  2. Click Create New.

  3. Configure the following and click OK.

    Administrator

    Name of the administrator account.

    • Local and LDAP: Name must be 1 - 30 characters and may contain upper/lower-case letters, numbers, periods (.), underscores (_) and hyphens (-).
    • RADIUS: Name must be 1 - 64 characters and may contain upper/lower-case letters, numbers, periods (.), underscores (_) and hyphens (-).

    Password, Confirm Password

    This field is only available when Type is Local.

    Password of the account. The password must be 6 to 64 characters using uppercase letters, lowercase letters, numbers, or special characters.

    Email Address

    Email address for contact information.

    Phone Number

    Phone number for contact information. Phone number must start with +1.

    Admin Profile

    Select the Admin Profile for the user: Super Admin, Read Only, or Device.

    Assigned Devices

    Assign devices and/or VDOMs/Protected Domains to the user. This applies if you enable Device User.

    Click in the Assigned Devices box to display the Available Devices panel which lists all available devices and VDOMs/Protected Domains. Use this panel to select or add devices.

    Type

    Select administrator type.

    LDAP

    When Type is LDAP, select the LDAP Server. For more information, see LDAP Servers.

    RADIUS

    When Type is RADIUS, select the RADIUS Server. For more information, see RADIUS Servers.

    LDAP WILDCARD

    When Type is LDAP WILDCARD, select the LDAP Server. The Administrator is LDAP_WILDCARD and cannot be edited. For more information, see Wildcard Admin Authentication.

    RADIUS WILDCARD

    When Type is RADIUS WILDCARD, select the Radius Server. The Administrator is RADIUS_WILDCARD and cannot be edited. For more information, see Wildcard Admin Authentication.

    Device User

    Enable this option to assign devices to the user. When the user logs in, only jobs belonging to the assigned devices or VDOMs/Protected Domains are visible.

    You can create device groups in System > Device Groups and then assign them to a device user.

    You can also assign devices on the fly by selecting self assigned in the Device Group dropdown list.

    Two-factor Authentication

    When administrator Type is Local, you can use two-factor authentication. Select an Authentication Type of Email, SMS, or FTM (FortiTokenMobile).

    Two-factor Authentication is only available for FortiSandbox appliances, and for FSA-VM0T when the FortiToken Cloud service has been purchased.

    Default On-Demand Submit settings

    This option is available to administrators whose Administrator Profile > Scan Job has Read Write access.

    Use this option to set the default settings in Scan Job > File On-Demand and URL On-Demand. Each administrator can have their own default settings.

    For information on these settings, see File On-Demand and URL On-Demand.

    Restrict login to trusted host

    Expand to configure trusted hosts.

    Trusted Host #1

    Trusted Host #2

    Trusted Host #3

    Enter up to 50 IPv4 trusted hosts. Only users from trusted hosts can access FortiSandbox.

    Trusted IPv6 Host #1

    Trusted IPv6 Host #2

    Trusted IPv6 Host #3

    Enter up to 50 IPv6 trusted hosts. Only users from trusted hosts can access FortiSandbox.

    Comments

    Optional description comment for the administrator account.

    Language

    GUI language for the user: English, Japanese, or French.

    Setting trusted hosts for administrators limits which computers an administrator can log in to FortiSandbox from. When you configure a trusted host, FortiSandbox only accepts the administrator's login from the configured IP address or subnet. Any attempt to log in with the same credentials from any other IP address or subnet is dropped.
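The account-name and password constraints listed for step 3, and the trusted-host rule just described, are easy to check outside the GUI when auditing a planned set of administrator accounts. The following Python is an added example and not Fortinet's implementation: it encodes only the rules this page states (name length and character set per type, password length, up to 50 IPv4 and 50 IPv6 trusted hosts, and login accepted only from a configured address or subnet). Treating an account with no trusted hosts as unrestricted, and masking host bits in a subnet entry instead of rejecting it, are assumptions of the example; the sample account and addresses are constructed.

```python
"""Administrator account policy checks (added example, not Fortinet code).

Encodes the rules stated on the Administrators page: name length and charset
per administrator type, password length for Local accounts, and trusted hosts
(IPv4 and IPv6, up to 50 each) that gate where a login may come from.
Assumption: an account with no trusted hosts configured is unrestricted.
"""
import ipaddress
import re

# Allowed name characters: letters, digits, period, underscore, hyphen.
_NAME_CHARS = re.compile(r"[A-Za-z0-9._-]+")
# Maximum name length by administrator type (Local and LDAP: 30; RADIUS: 64).
_NAME_MAX = {"Local": 30, "LDAP": 30, "RADIUS": 64}
PASSWORD_MIN, PASSWORD_MAX = 6, 64
TRUSTED_HOST_MAX = 50  # per address family


def validate_name(name, admin_type):
    """Return the list of rule violations for an account name (empty means OK)."""
    limit = _NAME_MAX.get(admin_type)
    if limit is None:
        return [f"unsupported administrator type {admin_type!r}"]
    errors = []
    if not 1 <= len(name) <= limit:
        errors.append(f"name must be 1-{limit} characters for {admin_type}")
    if not _NAME_CHARS.fullmatch(name):
        errors.append("name may contain only letters, digits, '.', '_' and '-'")
    return errors


def validate_password(password):
    """Local accounts only: the page gives a length range, so that is what is checked."""
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        return [f"password must be {PASSWORD_MIN}-{PASSWORD_MAX} characters"]
    return []


def parse_trusted_hosts(entries):
    """Parse trusted-host strings into (ipv4_networks, ipv6_networks).

    A bare address becomes a /32 or /128; 'a.b.c.d/n' is a subnet. Host bits
    set in a subnet entry are masked off (strict=False), an assumption here.
    """
    v4, v6 = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        (v4 if net.version == 4 else v6).append(net)
    for family, nets in (("IPv4", v4), ("IPv6", v6)):
        if len(nets) > TRUSTED_HOST_MAX:
            raise ValueError(f"more than {TRUSTED_HOST_MAX} {family} trusted hosts")
    return v4, v6


def login_allowed(source_ip, trusted):
    """Trusted-host rule: accept a login only from a configured address or subnet.

    With valid credentials but an untrusted source the attempt is dropped.
    """
    v4, v6 = trusted
    if not v4 and not v6:
        return True  # assumption: no trusted hosts configured means no restriction
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in (v4 if addr.version == 4 else v6))


def audit_account(account):
    """Check one account record (a constructed dict) against all the rules above."""
    errors = validate_name(account["name"], account["type"])
    if account["type"] == "Local":
        errors += validate_password(account.get("password", ""))
    try:
        parse_trusted_hosts(account.get("trusted_hosts", []))
    except ValueError as exc:  # ipaddress raises ValueError for unparsable entries too
        errors.append(str(exc))
    return errors


# Constructed sample account (documentation addresses, not real data).
SAMPLE_ACCOUNT = {
    "name": "soc.analyst_02",
    "type": "Local",
    "password": "Tr0ub4dor&3-example",
    "trusted_hosts": ["192.0.2.0/24", "198.51.100.7", "2001:db8:10::/48"],
}

if __name__ == "__main__":
    print("violations:", audit_account(SAMPLE_ACCOUNT))
    trusted = parse_trusted_hosts(SAMPLE_ACCOUNT["trusted_hosts"])
    for ip in ("192.0.2.44", "198.51.100.8", "2001:db8:10::5", "2001:db8:11::5"):
        print(ip, "accepted" if login_allowed(ip, trusted) else "dropped")
```

For the sample account the audit reports no violations, and the login check accepts 192.0.2.44 (inside the /24) and 2001:db8:10::5 (inside the /48) while dropping 198.51.100.8 (one past the single trusted host) and 2001:db8:11::5 (outside the trusted IPv6 prefix). The same functions applied to an account list exported from the appliance give a quick review of which administrators still have no trusted-host restriction.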

To edit a user account:
  1. Log in as a user whose Admin Profile has Read/Write privileges under System > Admin Profiles, and go to System > Administrators.
  2. Select the user you want to edit and click Edit.

    Only the admin account can edit its own settings.

    When editing the admin account, you must enter the old password before you can set a new password.

  3. Edit the account and then retype the new password in the confirmation field.
  4. Click OK.

To test LDAP/RADIUS user login:
  1. Log in as a user whose Admin Profile has Read/Write privileges under System > Admin Profiles, and go to System > Administrators.
  2. Select an LDAP/RADIUS user to test.
  3. Click Test Login.
  4. In the dialog box, enter the user's password.
  5. Click OK.

    If an error occurs, a detailed debug message appears.

    When a remote RADIUS server is configured for two-factor authentication, RADIUS users must enter a FortiToken PIN code or the code sent by email/SMS. For example, after the user clicks Login, the user must enter the code and click Submit to complete the login.

    A PIN code is also needed to test login.
