Version:


Table of Contents

Admin Guide

Download PDF
Copy Link

Realm

Realm

The Settings>Realm page provides tools for managing the settings of the selected realm. The page has the following tabs:

To configure or update the settings of the realm:
  1. On the main menu, click Settings>Realm.
  2. On top of the page, click the down arrow, and select a realm of interest from the drop-down list menu.
  3. Click a desired tab to open the page for that setting, make the desired changes as described in the following tables, and click Apply Changes.
  4. Repeat Step 3 above to configure or update the other settings of the realm.

General Setting

Parameter

Default value

MFA Method

Select the method that FTC uses to further authenticate your end-users upon receiving their login credentials (i.e., username and password).

  • FTM (default)—FTC sends a unique one-time passcode (OTP) to the FortiToken Mobile app on end-users' smart phones.

    Note: This option requires that your end-users must have the FortiToken Mobile app installed on their smart phones.

  • SMS—FTC sends an OTP via text message to your end-users' smart phones. Upon receiving the OTP, the end-user must enter it on the log-in page to gain access to the auth client.

    Note: To use this option, FTC must have the end-users' valid smart phone numbers in its database.

  • Email—FTC sends a unique OTP to the end-users' email addresses on file. The users then have to manually copy and past the OTP to FTC to gain access to the auth client (i.e., FGT or FAC).
  • FTK—FTC requires end-users to provide the OTP generated by their FortiToken (hardware token) for MFA.

    Note: To use this option, the FTC admin must first add the serial numbers of the FortiTokens to FTC, and assign them to the end-users. Upon receiving an end-user's username and password, FTC prompts the user for an OTP from the FortiToken device. The user must press the FortiToken to get the OTP, and then manually enters it. See Hardware Tokens. Also, when FTK is set as the MFA method for a realm, you can let FTC automatically assign FTKs to selected users by clicking the Auto-assign FTK button on the Users page. See Users.

Max Login Attempts Before Lockout

Click above the horizontal line and specify the number of failed login attempts allowed before lockout. Valid values range from 1 to 25. The default is 7.

Note: FTC does not allow locked users to authenticate. Instead, it displays the message "Locked, please try again in <lockout interval> minutes."

Lockout Period

Click above the horizontal line and specify a lockout period, which ranges from 60 to 7,200 seconds. The default is 60 seconds.

Enable Bypass

Enable or disable bypass.

  • Enable—End-users can bypass MFA. If enabled, you must also set the Bypass Expiration Time, as described below.
  • Disable (default)—End-users cannot bypass MFA.

Note: If Enable Bypass is disabled on the Settings page, the admin user can not enable bypass for FTC end-users on the Users page. See Users.

Bypass Expiration Time

(Available only when Enable Bypass is enabled.) Specify the length of time bypass remains in effect. Valid values range from 5 minutes to 72 hours. The default is 1 hour (3,600 seconds).

Auto-alias by Email

Enable or disable the Auto-alias by Email feature.

Note: The feature is disabled by default. For more information, see Enable Auto-alias by Email.

Adaptive Auth Profile

Select an adaptive auth profile.

Enable Auto-alias by Email

Many FTC end-users have different usernames in different applications and domains.  By the same token, the same FTC end-user may have different usernames in different auth clients.  For example, a user by the name of John Doe II may have the following usernames:

  • user1 in VPN
  • user_one in a web app
  • u1 as a system admin
  • user1@company.com on an email server  

FTC allows for different usernames to be attributed to the same user so that only one token needs to be assigned to that user. It does this by providing an Auto-alias by Email option, which, once turned on, enables FTC to automatically put different usernames in an alias if they use the email address. 

By default, Auto-alias by Email is disabled, you can enable it using the following procedures:

  1. On the main menu, click Settings>Realm to open the settings page of the current realm.
  2. Scroll down the page until you see the Auto-alias by Email option.
  3. Click the Auto-alias by Email button to enable it.

It is important to note that aliased users must be in the same realm. Usernames with the same email address are still set as unique users if they are in different realms, even when Auto-alias by Email is enabled.

FTM Setting

Parameter

Default value

1. Settings  
Enable Push Click the button to enable or disable push notification.

Notification Method

From the drop-down menu, select either of the following:

  • Email—Token activation/transfer codes are sent to users' email addresses.
  • SMS—Token activation/transfer codes are sent by SMS to users' mobile phone numbers.

Note: When Notification Method is set to SMS, make sure that the users' mobile phone numbers in the system are valid. Otherwise, you will get an error when requesting a new token for users on the Users page. See Users.

Note: FTC deducts one credit from your credit balance for every 250 SMS messages it sends to deliver OTPs. You may experience some problem sending OTPs by SMS when your credit balance is low, and you will get an error message when trying to send an OTP if there is no credit remaining on your account. In both cases, we strongly recommend that you purchase more credits before attempting to use this feature.

App PIN Required

Click the button to enable or disable this feature.

  • Disabled (default)—No app PIN is required.
  • Enable—If enabled, you must select a PIN Length and PIN Required Mode, as described below.

PIN Length

Click the down arrow and, from the drop-down menu, select one of the following:

  • 4
  • 6 (default)
  • 8

Note: PIN length refers to the number of digits contained in an app PIN.

PIN Required Type

Click the down arrow and, from the drop-down menu, select either of the following:

  • Anytime—App PIN is required all the time.
  • Unlock—If selected, end-users must have a PIN either on their device or FTM app to access FTC. If an end-user has a PIN on the device, FTC won't ask for a PIN when using FTM; if an end-user does not have a PIN on the device, FTC will ask for a PIN to use FTM.

OTP Algorithm

  • TOTP (default). No action is needed.

OTP Time Step

Click the down arrow and, from the drop-down menu, select either of the following:

  • 30 (default)
  • 60

Note: OTP Time Step refers to the frequency in which FTM token codes are updated. For example, FTC will update FTM token codes once every 30 seconds when OTP Time Step is set to 30.

OTP Validation Window

The number of time steps the validation server takes to validate OTPs.

Upon receiving an OTP from a client, the validation server computes the OTP using the shared secret key and its current timestamp (not the one used by the client) and compares the OTPs: if the OTPs are generated within the same time step, they match and the validation is successful.

OTP Display Length

Click the down arrow and, from the drop-down menu, select either of the following:

  • 6 (default)
  • 8

Note: OTP Display Length refers to the number of digits contained in a token activation/transfer code.

Activation Expiration Time

Click above the horizontal line and specify the length of time token activation codes remain valid. Valid values range from 1 to 336 hours. The default is 72 hours.

Note: An FTM Token code must be activated within the set Activation Expiration Time. Otherwise, it will expire and you must request a new token.

FTM Logo

This enables admin users to choose logo image displayed at the bottom of the FTM app screen on their end-users' mobile devices.

  • Upload Custom Logo—Click this button to upload a custom logo image to replace the default Fortinet logo. For instructions on how to use this feature, see Use a custom logo.
  • Restore Default Logo—Click this button to reverse to the default Fortinet logo on FTM.

2. Notification Templates

Select a desired email or SMS message template for each of the following:

Token Activation Email

An email template for FTC to send token activation notifications to your end-users.

Token Transfer Email

An email template for FTC to send token transfer notifications to your end-users.

Token Activation SMS

An SMS template for FTC to send token activation notifications to your end-users.

Token Transfer SMS

An SMS template for FTC to send token transfer notifications to your end-users.

Use a custom logo

FortiToken Cloud offers an option for admin users to upload their own logo image to replace the default Fortinet banner.

To use this feature, you must have your logo image file on your computer, and your logo image file must meet the following requirements:

  • File format: Transparent PNG or JPEG
  • Max image size: 150 kB, and 320 x 320 pixels
To upload your logo image:
  1. From the FTC GUI, select Settings.
  2. Under FTM Logo, click Import file.
  3. Browse for the logo image, select it, and click Open.

    The select image appears near the bottom of the Settings page.

    If you want to restore the use of the default Fortinet logo, after uploading a custom logo image, click the Default Logo button.

Email MFA Setting

When an end-user is enabled for MFA, FTC sends a unique OTP to the end-user's email address on file. The end-user must manually copy and past the OTP to FTC to gain access to the auth client (e.g., FGT or FAC).

Parameter Description
1. Settings  
OTP Expiration Time

Click the down arrow to select an OTP expiration time.

Note: An OTP is valid only within the specified OTP expiration time, and expires beyond that. The default is 5 minutes.

OTP Display Length Click the down arrow to select an OTP display length, which is the number of digits displayed. The default is 6.
2. Templates  
OTP Template

Click the down arrow to select an OTP email template.

Note: You can view the content of the selected template by clicking the view button on the right.

SMS MFA Setting

Once an end-user is enabled for MFA, FTC sends an OTP via text message to the end-users' smart phone. Upon receiving the OTP, the end-user must enter it on the log-in page to gain access to the auth client.

Parameter Description
1. Settings  
OTP Expiration Time

Click the down arrow to select an OTP expiration time.

Note: An OTP is valid only within the specified OTP expiration time, and expires beyond that. The default is 5 minutes.

OTP Display Length Click the down arrow to select an OTP display length, which is the number of digits displayed. The default is 6.
2. Templates  
OTP Template

Click the down arrow to select an OTP SMS template.

Note: You can view the content of the selected template by clicking the view button on the right.

Realm

Realm

The Settings>Realm page provides tools for managing the settings of the selected realm. The page has the following tabs:

To configure or update the settings of the realm:
  1. On the main menu, click Settings>Realm.
  2. On top of the page, click the down arrow, and select a realm of interest from the drop-down list menu.
  3. Click a desired tab to open the page for that setting, make the desired changes as described in the following tables, and click Apply Changes.
  4. Repeat Step 3 above to configure or update the other settings of the realm.

General Setting

Parameter

Default value

MFA Method

Select the method that FTC uses to further authenticate your end-users upon receiving their login credentials (i.e., username and password).

  • FTM (default)—FTC sends a unique one-time passcode (OTP) to the FortiToken Mobile app on end-users' smart phones.

    Note: This option requires that your end-users must have the FortiToken Mobile app installed on their smart phones.

  • SMS—FTC sends an OTP via text message to your end-users' smart phones. Upon receiving the OTP, the end-user must enter it on the log-in page to gain access to the auth client.

    Note: To use this option, FTC must have the end-users' valid smart phone numbers in its database.

  • Email—FTC sends a unique OTP to the end-users' email addresses on file. The users then have to manually copy and past the OTP to FTC to gain access to the auth client (i.e., FGT or FAC).
  • FTK—FTC requires end-users to provide the OTP generated by their FortiToken (hardware token) for MFA.

    Note: To use this option, the FTC admin must first add the serial numbers of the FortiTokens to FTC, and assign them to the end-users. Upon receiving an end-user's username and password, FTC prompts the user for an OTP from the FortiToken device. The user must press the FortiToken to get the OTP, and then manually enters it. See Hardware Tokens. Also, when FTK is set as the MFA method for a realm, you can let FTC automatically assign FTKs to selected users by clicking the Auto-assign FTK button on the Users page. See Users.

Max Login Attempts Before Lockout

Click above the horizontal line and specify the number of failed login attempts allowed before lockout. Valid values range from 1 to 25. The default is 7.

Note: FTC does not allow locked users to authenticate. Instead, it displays the message "Locked, please try again in <lockout interval> minutes."

Lockout Period

Click above the horizontal line and specify a lockout period, which ranges from 60 to 7,200 seconds. The default is 60 seconds.

Enable Bypass

Enable or disable bypass.

  • Enable—End-users can bypass MFA. If enabled, you must also set the Bypass Expiration Time, as described below.
  • Disable (default)—End-users cannot bypass MFA.

Note: If Enable Bypass is disabled on the Settings page, the admin user can not enable bypass for FTC end-users on the Users page. See Users.

Bypass Expiration Time

(Available only when Enable Bypass is enabled.) Specify the length of time bypass remains in effect. Valid values range from 5 minutes to 72 hours. The default is 1 hour (3,600 seconds).

Auto-alias by Email

Enable or disable the Auto-alias by Email feature.

Note: The feature is disabled by default. For more information, see Enable Auto-alias by Email.

Adaptive Auth Profile

Select an adaptive auth profile.

Enable Auto-alias by Email

Many FTC end-users have different usernames in different applications and domains.  By the same token, the same FTC end-user may have different usernames in different auth clients.  For example, a user by the name of John Doe II may have the following usernames:

  • user1 in VPN
  • user_one in a web app
  • u1 as a system admin
  • user1@company.com on an email server  

FTC allows for different usernames to be attributed to the same user so that only one token needs to be assigned to that user. It does this by providing an Auto-alias by Email option, which, once turned on, enables FTC to automatically put different usernames in an alias if they use the email address. 

By default, Auto-alias by Email is disabled, you can enable it using the following procedures:

  1. On the main menu, click Settings>Realm to open the settings page of the current realm.
  2. Scroll down the page until you see the Auto-alias by Email option.
  3. Click the Auto-alias by Email button to enable it.

It is important to note that aliased users must be in the same realm. Usernames with the same email address are still set as unique users if they are in different realms, even when Auto-alias by Email is enabled.

FTM Setting

Parameter

Default value

1. Settings  
Enable Push Click the button to enable or disable push notification.

Notification Method

From the drop-down menu, select either of the following:

  • Email—Token activation/transfer codes are sent to users' email addresses.
  • SMS—Token activation/transfer codes are sent by SMS to users' mobile phone numbers.

Note: When Notification Method is set to SMS, make sure that the users' mobile phone numbers in the system are valid. Otherwise, you will get an error when requesting a new token for users on the Users page. See Users.

Note: FTC deducts one credit from your credit balance for every 250 SMS messages it sends to deliver OTPs. You may experience some problem sending OTPs by SMS when your credit balance is low, and you will get an error message when trying to send an OTP if there is no credit remaining on your account. In both cases, we strongly recommend that you purchase more credits before attempting to use this feature.

App PIN Required

Click the button to enable or disable this feature.

  • Disabled (default)—No app PIN is required.
  • Enable—If enabled, you must select a PIN Length and PIN Required Mode, as described below.

PIN Length

Click the down arrow and, from the drop-down menu, select one of the following:

  • 4
  • 6 (default)
  • 8

Note: PIN length refers to the number of digits contained in an app PIN.

PIN Required Type

Click the down arrow and, from the drop-down menu, select either of the following:

  • Anytime—App PIN is required all the time.
  • Unlock—If selected, end-users must have a PIN either on their device or FTM app to access FTC. If an end-user has a PIN on the device, FTC won't ask for a PIN when using FTM; if an end-user does not have a PIN on the device, FTC will ask for a PIN to use FTM.

OTP Algorithm

  • TOTP (default). No action is needed.

OTP Time Step

Click the down arrow and, from the drop-down menu, select either of the following:

  • 30 (default)
  • 60

Note: OTP Time Step refers to the frequency in which FTM token codes are updated. For example, FTC will update FTM token codes once every 30 seconds when OTP Time Step is set to 30.

OTP Validation Window

The number of time steps the validation server takes to validate OTPs.

Upon receiving an OTP from a client, the validation server computes the OTP using the shared secret key and its current timestamp (not the one used by the client) and compares the OTPs: if the OTPs are generated within the same time step, they match and the validation is successful.

OTP Display Length

Click the down arrow and, from the drop-down menu, select either of the following:

  • 6 (default)
  • 8

Note: OTP Display Length refers to the number of digits contained in a token activation/transfer code.

Activation Expiration Time

Click above the horizontal line and specify the length of time token activation codes remain valid. Valid values range from 1 to 336 hours. The default is 72 hours.

Note: An FTM Token code must be activated within the set Activation Expiration Time. Otherwise, it will expire and you must request a new token.

FTM Logo

This enables admin users to choose logo image displayed at the bottom of the FTM app screen on their end-users' mobile devices.

  • Upload Custom Logo—Click this button to upload a custom logo image to replace the default Fortinet logo. For instructions on how to use this feature, see Use a custom logo.
  • Restore Default Logo—Click this button to reverse to the default Fortinet logo on FTM.

2. Notification Templates

Select a desired email or SMS message template for each of the following:

Token Activation Email

An email template for FTC to send token activation notifications to your end-users.

Token Transfer Email

An email template for FTC to send token transfer notifications to your end-users.

Token Activation SMS

An SMS template for FTC to send token activation notifications to your end-users.

Token Transfer SMS

An SMS template for FTC to send token transfer notifications to your end-users.

Use a custom logo

FortiToken Cloud offers an option for admin users to upload their own logo image to replace the default Fortinet banner.

To use this feature, you must have your logo image file on your computer, and your logo image file must meet the following requirements:

  • File format: Transparent PNG or JPEG
  • Max image size: 150 kB, and 320 x 320 pixels
To upload your logo image:
  1. From the FTC GUI, select Settings.
  2. Under FTM Logo, click Import file.
  3. Browse for the logo image, select it, and click Open.

    The select image appears near the bottom of the Settings page.

    If you want to restore the use of the default Fortinet logo, after uploading a custom logo image, click the Default Logo button.

Email MFA Setting

When an end-user is enabled for MFA, FTC sends a unique OTP to the end-user's email address on file. The end-user must manually copy and past the OTP to FTC to gain access to the auth client (e.g., FGT or FAC).

Parameter Description
1. Settings  
OTP Expiration Time

Click the down arrow to select an OTP expiration time.

Note: An OTP is valid only within the specified OTP expiration time, and expires beyond that. The default is 5 minutes.

OTP Display Length Click the down arrow to select an OTP display length, which is the number of digits displayed. The default is 6.
2. Templates  
OTP Template

Click the down arrow to select an OTP email template.

Note: You can view the content of the selected template by clicking the view button on the right.

SMS MFA Setting

Once an end-user is enabled for MFA, FTC sends an OTP via text message to the end-users' smart phone. Upon receiving the OTP, the end-user must enter it on the log-in page to gain access to the auth client.

Parameter Description
1. Settings  
OTP Expiration Time

Click the down arrow to select an OTP expiration time.

Note: An OTP is valid only within the specified OTP expiration time, and expires beyond that. The default is 5 minutes.

OTP Display Length Click the down arrow to select an OTP display length, which is the number of digits displayed. The default is 6.
2. Templates  
OTP Template

Click the down arrow to select an OTP SMS template.

Note: You can view the content of the selected template by clicking the view button on the right.