Admin Guide

General settings

To configure the General settings of a realm:

  1. Click Settings > Realm.
  2. Select the realm.
  3. Click General.
  4. Set or update the parameters as described in the following table.
  5. Click Apply Changes.

Parameter / Description and default value

Max Login Attempts Before Lockout

Click above the horizontal line and specify the number of failed login attempts allowed before lockout. Valid values range from 1 to 25. The default is 7.

Note: FIC does not allow locked users to authenticate. Instead, it displays the message "Locked, please try again in <lockout interval> minutes."

Lockout Period

Click above the horizontal line and specify a lockout period, which ranges from 60 to 7,200 seconds. The default is 60 seconds.

Enable Bypass

Enable or disable bypass.

  • Enable—End-users can bypass MFA. If enabled, you must also set the Bypass Expiration Time, as described below.
  • Disable (default)—End-users cannot bypass MFA.

Note: If Enable Bypass is disabled on the Settings page, the admin user cannot enable bypass for FIC end-users on the Users page. See Managing users.

Bypass Expiration Time

(Available only when Enable Bypass is enabled.) Specify the length of time in seconds that bypass remains in effect. Valid values range from 5 minutes to 72 hours. The default is 1 hour (3,600 seconds).

Auto-alias by Email

Enable or disable the Auto-alias by Email feature.

Note: The feature is disabled by default. For more information, see Enabling Auto-alias by Email.

Allow Rooted Device

This option is enabled by default. When it is disabled, FIC removes all the tokens it has issued for rooted devices as soon as end users try to activate new tokens on those devices, which renders the devices unusable with FIC.

When you re-enable the option, rooted devices can be used to activate new tokens again.

Remember Known Device

Enable or disable remembering known devices.

  • Enable — FortiIdentity Cloud can remember known devices. When users log in, they have the option to select a Remember this Device checkbox. On subsequent logins from the same device, they can bypass the multi-factor authentication step.
  • Disable — FortiIdentity Cloud does not remember known devices.

Note: Once you enable this option, you must configure both the Forget Device After and the Auth Interval time frame.

Forget Device

Enable this if you want to configure Forget Device After.

If disabled, the known device will never be forgotten.

Forget Device After

Specify how long a device remains in the known devices list (1 hour to 90 days).

Auth Interval

Specify how frequently a user must log in to maintain their known device status (5 minutes to 3 days).

Note: The time frame set for Auth Interval should not exceed the time frame configured in Forget Device After.

Replay Protection

HIGH (forbid all replays) — The authentication follows the current mechanism and does not allow any OTP replay.

MEDIUM (ignore FTM push replay) — The authentication counts OTP replays for manual input only. Requests from push authentications are not counted and are not restricted by OTP replay protection.

LOW (ignore FTM/FTK auth replay) — OTP replay protection is disabled.

Note: For email and SMS, OTP replays are always rejected regardless of this setting.

Adaptive Auth Profile

Select an adaptive auth profile.

Enable Mobile Number Self-Enrollment

Enable this option to allow end users to enroll their mobile numbers on the End-User Portal.

Caution

This option is available only when the Auth Method is set to SMS and the user does not have a phone number set.

Invitation Link Expiration

Select a user-onboarding email invitation link expiration time.
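To make the cross-field rules in the table above concrete, here is an added Python validator; it is not Fortinet code, and the field names, the seconds-based representation and the known-device decision model are assumptions. It enforces the documented ranges, requires a Bypass Expiration Time only when bypass is on, requires both timers when known devices are remembered, rejects an Auth Interval longer than Forget Device After, and models when a remembered device may skip the MFA step.

```python
from dataclasses import dataclass
from typing import Optional

MINUTE, HOUR, DAY = 60, 3600, 86400


@dataclass
class RealmGeneralSettings:
    """Realm General settings, all durations in seconds (field names are assumed)."""
    max_login_attempts: int = 7                 # 1 to 25, default 7
    lockout_period: int = 60                    # 60 to 7,200 seconds, default 60
    enable_bypass: bool = False
    bypass_expiration: int = HOUR               # 5 minutes to 72 hours, default 1 hour
    remember_known_device: bool = False
    forget_device: bool = False                 # off: known devices are never forgotten
    forget_device_after: Optional[int] = None   # 1 hour to 90 days
    auth_interval: Optional[int] = None         # 5 minutes to 3 days
    replay_protection: str = "HIGH"             # HIGH, MEDIUM or LOW

    def validate(self) -> list:
        """Return every rule from the settings table that is violated (empty means valid)."""
        errors = []

        def in_range(name: str, value: Optional[int], lo: int, hi: int) -> bool:
            if value is None or not lo <= value <= hi:
                errors.append(f"{name} must be within {lo}..{hi}, got {value}")
                return False
            return True

        in_range("Max Login Attempts Before Lockout", self.max_login_attempts, 1, 25)
        in_range("Lockout Period (seconds)", self.lockout_period, 60, 2 * HOUR)
        if self.enable_bypass:  # expiration is only meaningful, and mandatory, with bypass on
            in_range("Bypass Expiration Time (seconds)", self.bypass_expiration, 5 * MINUTE, 72 * HOUR)
        if self.remember_known_device:
            ok_auth = in_range("Auth Interval (seconds)", self.auth_interval, 5 * MINUTE, 3 * DAY)
            if self.forget_device:
                ok_forget = in_range("Forget Device After (seconds)", self.forget_device_after, HOUR, 90 * DAY)
                if ok_auth and ok_forget and self.auth_interval > self.forget_device_after:
                    errors.append("Auth Interval must not exceed Forget Device After")
        if self.replay_protection not in ("HIGH", "MEDIUM", "LOW"):
            errors.append(f"Replay Protection must be HIGH, MEDIUM or LOW, got {self.replay_protection!r}")
        return errors

    def known_device_skips_mfa(self, remembered_at: int, last_auth_at: int, now: int) -> bool:
        """Assumed model: the device is still within Forget Device After (or is never
        forgotten) and the user last authenticated within Auth Interval."""
        if not self.remember_known_device or self.validate():
            return False
        if self.forget_device and now - remembered_at > self.forget_device_after:
            return False
        return now - last_auth_at <= self.auth_interval
```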