Administration Guide

Administrators

Use the Administrators menu to configure administrator user accounts.

Users with a Device Admin Profile under System > Admin Profiles can only view and edit their own information.

Only the default admin account can see and access that account. Other users cannot see the default admin account in the GUI. Only administrators with the Super Admin profile can see all scan jobs, while other users can only see their own jobs.

The following options are available:

Create New

Create a new administrator account.

Edit

Edit the selected administrator account.

Delete

Delete the selected administrator account.

Test Login

Test the selected LDAP/RADIUS administrator account's login settings. A detailed debug message displays any errors.

The following information is displayed:

Name

Administrator account name.

Type

Administrator type:
  • Local
  • LDAP
  • RADIUS
  • LDAP WILDCARD
  • RADIUS WILDCARD

Profile

The Admin Profile the user belongs to.

To create a new user:
  1. Log in as a user whose Admin Profile has Full Access privileges under System > Admin, and go to System > Administrators.
  2. Click Create New.
  3. Configure the following and click OK.

    Administrator

    Name of the administrator account.

    • Local: Name must be 1 - 30 characters and may contain upper/lower-case letters, numbers, periods (.), underscores (_) and hyphens (-).
    • LDAP and RADIUS: Name must be 1 - 64 characters and may contain upper/lower-case letters, numbers, periods (.), underscores (_) and hyphens (-).

    Password, Confirm Password

    This field is only available when Type is Local.

    Password of the account. The password must be 6 to 64 characters using uppercase letters, lowercase letters, numbers, or special characters.

    Email Address

    Email address for contact information.

    Phone Number

    Phone number for contact information. Phone number must start with +<country code><mobile number>.

    Admin Profile

    Select the Admin Profile for the user: Super Admin, Read Only, Device or Netshare.

    Assigned Devices

    Assign devices and/or VDOMs/Protected Domains to the user. This applies if your selected Admin Profile has Limited Access > Device User permissions.

    Click in the Assigned Devices box to display the Available Devices panel which lists all available devices and VDOMs/Protected Domains. Use this panel to select or add devices.

    Netshare Group

    Select the Netshare Group for the user. This applies if the Admin Profile you selected has Limited Access > Netshare User permissions.

    Type

    Select administrator type.

    LDAP

    When Type is LDAP, select the LDAP Server. For more information, see LDAP Servers.

    RADIUS

    When Type is RADIUS, select the RADIUS Server. For more information, see RADIUS Servers.

    LDAP WILDCARD

    When Type is LDAP WILDCARD, select the LDAP Server. For more information, see Wildcard Admin Authentication.

    RADIUS WILDCARD

    When Type is RADIUS WILDCARD, select the Radius Server. For more information, see Wildcard Admin Authentication.

    Device User

    Enable this option to assign devices to the user. When the user logs in, only jobs belonging to the assigned devices or VDOMs/Protected Domains are visible.

    You can create device groups in System > Device Groups and then assign them to a device user.

    You can also assign devices on the fly by selecting self assigned in the Device Group dropdown list.

    Two-factor Authentication

    When administrator Type is Local, you can use two-factor authentication. Select an Authentication Type of Email, SMS, or FTM (FortiTokenMobile).

    Two-factor Authentication is only available for FortiSandbox appliances, and for FSA-VM0T when the FortiToken Cloud service is purchased.

    Default On-Demand Submit settings

    This option is available to administrators whose Administrator Profile > Scan Job has Read Write access.

    Use this option to set the default settings in Scan Job > File On-Demand and URL On-Demand. Each administrator can have their own default settings.

    • Depth: The recursive depth to which URLs are examined, between 0 and 5. Level 0 is the original URL page.
    • Timeout: The time period after which the URL scan stops, in seconds (between 30 and 1200 seconds).
    • Direct URL: Submit a URL directly without submitting a file.
    • Possible password(s) for archive/office/pdf file: A maximum of 30 passwords is allowed.

      When upgrading FortiSandbox: If this setting contains more than 30 archive passwords at the time of upgrade, the passwords will continue to work. However, if you save any changes after upgrade, the system will prompt you to limit the number to 30 archive passwords. Editing one user's settings does not affect other users' settings.

    • Force to scan the file inside VM: Force to scan the file inside VM.
    • Record scan process in video if VMs involve: Select to enable video recording. After the scan finishes, a video icon appears in the File On-Demand second level detail page. Clicking it triggers a download or plays the video.
    • Add sample to threat package: If the result matches the malware package requirement, add the scan result to the threat package.
    • Enable Deep-AI: Use the AI engine to scan the file.

    Restrict login to trusted host

    Expand to configure trusted hosts.

    Trusted Host #1

    Trusted Host #2

    Trusted Host #3

    Enter up to 50 IPv4 trusted hosts. Only users from trusted hosts can access FortiSandbox.

    Trusted IPv6 Host #1

    Trusted IPv6 Host #2

    Trusted IPv6 Host #3

    Enter up to 50 IPv6 trusted hosts. Only users from trusted hosts can access FortiSandbox.

    Comments

    Optional description comment for the administrator account.

    Language

    GUI language for the user: English, Japanese, or French.

    Setting trusted hosts for administrators limits which computers an administrator can use to log in to FortiSandbox. When you configure a trusted host, FortiSandbox only accepts the administrator’s login from the configured IP address or subnet. Any attempt to log in with the same credentials from any other IP address or any other subnet is dropped.
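
The trusted-host rule described above, modeled as an added example for reviewing an administrator's list before entering it in the GUI; it is not FortiSandbox code. The entry notation (address or address/prefix), the breadth thresholds, the treatment of an empty list as unrestricted, and all function names are assumptions of this example.

```python
import ipaddress

MAX_ENTRIES = 50              # per-family limit stated on this page
BROAD_V4, BROAD_V6 = 16, 48   # assumed review thresholds, not FortiSandbox values

# Constructed sample using documentation address ranges, not from a real device.
SAMPLE = ["192.0.2.10", "198.51.100.0/24", "2001:db8:10::/64", "0.0.0.0/0"]


def parse_trusted_hosts(entries):
    """Parse 'address' or 'address/prefix' strings into network objects."""
    # strict=False accepts entries with host bits set (10.1.2.3/24 -> 10.1.2.0/24).
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def login_allowed(source_ip, networks):
    """Model of the rule above: accept only sources inside a trusted entry.

    Assumption of this model: an empty list means no restriction is configured.
    """
    if not networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == n.version and addr in n for n in networks)


def audit(entries):
    """Return review findings for one administrator's trusted-host list."""
    nets = parse_trusted_hosts(entries)
    findings = []
    if not nets:
        findings.append("no trusted hosts: login is not restricted by source")
    for family, limit in ((4, BROAD_V4), (6, BROAD_V6)):
        family_nets = [n for n in nets if n.version == family]
        if len(family_nets) > MAX_ENTRIES:
            findings.append(f"more than {MAX_ENTRIES} IPv{family} entries")
        for n in family_nets:
            if n.prefixlen == 0:
                findings.append(f"{n} matches every IPv{family} address")
            elif n.prefixlen < limit:
                findings.append(f"{n} is broader than /{limit}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("REVIEW:", finding)
    nets = parse_trusted_hosts(SAMPLE[:3])
    print(login_allowed("198.51.100.77", nets), login_allowed("203.0.113.5", nets))
```

An entry with a zero-length prefix makes the restriction a no-op for that address family, which is why the audit reports it separately from entries that are merely broad.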

To edit a user account:
  1. Log in as a user whose Admin Profile has Full Access privileges under System > Admin, and go to System > Administrators.
  2. Select the user you want to edit and click Edit.

    Only the admin account can edit its own settings.

    When editing the admin account, you must enter the old password before you can set a new password.

  3. Edit the account and then retype the new password in the confirmation field.
  4. Click OK.

To test LDAP/RADIUS user login:
  1. Log in as a user whose Admin Profile has Full Access privileges under System > Admin, and go to System > Administrators.
  2. Select the LDAP/RADIUS user you want to test.
  3. Click Test Login.
  4. In the dialog box, enter the user's password.
  5. Click OK.

    If an error occurs, a detailed debug message appears.

    When the remote RADIUS server is configured for two-factor authentication, RADIUS users must enter a Token code from FortiToken/email/SMS. For example, after the user clicks Login, the user must enter the Token code, and then click Submit to complete the login. The token code is not required when you click Test Login on the FortiSandbox Administrators page.
