Users

Go to Configuration > Users to view, add, or edit FortiPolicy user profiles or to assign user login rules for inactivity, lockout, idle session timeout, local password expiration, and local password criteria.

The Configuration > Users page has two tabs, Users and Login Rules.

Users

To create a new user profile:
  1. Go to Configuration > Users > Users.

  2. Click the + icon in the upper right corner.

  3. Enter the login name for the user.

  4. Enter the full name of the user.

  5. Enter the email address for the user.

  6. Select the user role: GlobalAdministrator, PolicyProvisioner, or Auditor.

    Role: Description

    GlobalAdministrator: Full access to all permissions across the system; can assign or remove other GlobalAdministrators.

    PolicyProvisioner: Responsible for the overall security of the system; configures and manages security policies, infrastructure and security-related dashboards, and alerts.

    Auditor: A subset of the PolicyProvisioner role; has view-only access to security policies, reports, dashboards, and role-based access control (RBAC).

  7. Select the authentication type, either Local or LDAP.

  8. If you selected Local, enter the password and then confirm it.

  9. If you selected LDAP, enter the user's distinguished name (DN) in the directory.

    Go to Configuration > Setup > Authentication > LDAP to configure communication with the LDAP server.

  10. Click SAVE.

To edit a user profile, click the vertical ellipsis at the start of the user profile row in the table and select Edit or Delete.

Login rules

FortiPolicy provides PCI-oriented login hygiene for local user accounts: inactive-account handling, lockout after repeated failed logins, idle session timeout, local password expiration, and local password criteria. These rules apply only to local accounts; users who authenticate through LDAP are governed by the directory's own password and lockout policy, not by these settings.

To configure FortiPolicy local user login settings:
  1. Go to Configuration > Users > Login Rules.

  2. Check a rule checkbox to apply it to all local users (select as many checkbox options as needed) and then enter the rule criteria (default settings are displayed for reference).

    Login Rule: Description

    Inactive accounts: Choose an inactivity criterion. After X days with no login, either disable or delete the user's account. The default is to disable the account after 90 days of inactivity.

    NOTE: The specified number of consecutive days of inactivity results in the account being disabled or automatically removed, according to the option you selected. Audit log entries include the user ID, type of event, time stamp, success or failure indication, origination of the event, and the identity or name of the system component or resource accessed.

    Lockout: Enter the number of failed login attempts allowed before the user is locked out, and the lockout duration in minutes. The defaults are 6 failed logins and a 30-minute lockout.

    Idle session timeout: Enter the number of minutes of inactivity allowed before the user session is logged out. The default is 15 minutes.

    Local password expiration: Enter the number of days after which local user passwords expire. The default is 90 days.

    Local password criteria: Set the password composition variables. Leave a setting blank to exclude that criterion. The defaults are:

    • A minimum of 8 characters is required

    • At least 1 special character is required: !"#$%&'( )*+

    • At least 1 lower case character is required

    • At least 1 upper case character is required

    • At least 1 number is required

    • At least 3 characters must be different from the last-used password

    • 1 consecutive repetition of a character is allowed

    • The 4 most recent passwords are not allowed

  3. Click SAVE to save your changes.
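The following is an added example, not FortiPolicy code: a pre-check that applies the default local password criteria listed above to a candidate password, so an administrator can test a password-generation script or a proposed password before submitting it. The page does not define how "different from the last-used password" or "consecutive repetition" are counted, so the readings used here (characters of the candidate absent from the previous password; a run of more than two identical characters is rejected) are assumptions, and the PBKDF2-based history store is this example's own design.

```python
# Added example (not FortiPolicy code): apply the default local password
# criteria from the Login Rules page to a candidate password.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The special-character set exactly as shown on the page.
SPECIALS = set('!"#$%&\'()*+')


@dataclass(frozen=True)
class PasswordPolicy:
    """Defaults from the Login Rules page."""
    min_length: int = 8
    min_special: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_digit: int = 1
    min_diff_from_last: int = 3
    max_consecutive_repeats: int = 1   # assumption: "aa" allowed, "aaa" rejected
    history_size: int = 4              # the 4 most recent passwords are banned


def _kdf(password: str, salt: bytes) -> bytes:
    # History entries are kept as salted PBKDF2 digests, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def history_entry(password: str) -> Tuple[bytes, bytes]:
    """Create a (salt, digest) record to append to the password-history list."""
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def _in_history(candidate: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    return any(hmac.compare_digest(_kdf(candidate, salt), digest)
               for salt, digest in history)


def check_password(candidate: str,
                   last_password: Optional[str] = None,
                   history: Iterable[Tuple[bytes, bytes]] = (),
                   policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return the names of the violated rules; an empty list means the
    candidate satisfies every enabled criterion."""
    p = policy or PasswordPolicy()
    problems: List[str] = []
    if len(candidate) < p.min_length:
        problems.append("length")
    if sum(c in SPECIALS for c in candidate) < p.min_special:
        problems.append("special")
    if sum(c.islower() for c in candidate) < p.min_lower:
        problems.append("lower")
    if sum(c.isupper() for c in candidate) < p.min_upper:
        problems.append("upper")
    if sum(c.isdigit() for c in candidate) < p.min_digit:
        problems.append("digit")
    # A run of more than max_consecutive_repeats + 1 identical characters.
    if re.search(r"(.)\1{%d,}" % (p.max_consecutive_repeats + 1), candidate):
        problems.append("repeat")
    if last_password is not None:
        # Assumption: count characters of the candidate that do not occur
        # anywhere in the previous password (not a positional comparison).
        old_chars = set(last_password)
        if sum(1 for c in candidate if c not in old_chars) < p.min_diff_from_last:
            problems.append("diff")
    # Only the most recent history_size entries are compared.
    if _in_history(candidate, list(history)[-p.history_size:]):
        problems.append("history")
    return problems


if __name__ == "__main__":
    old = "Winter*Gate7"                      # constructed previous password
    hist = [history_entry(old)]
    for cand in ("Winter*Gate8", "Sprint#Road22", "Sprint#Roooad22", old):
        print(f"{cand!r}: {check_password(cand, old, hist) or 'OK'}")
```

Run it directly to see each sample rejected for the rule it breaks ("Winter*Gate8" fails the 3-character difference rule, "Sprint#Roooad22" the repetition rule, and reuse of the old password both the difference and history rules). Because the history comparison needs a comparable digest, a real deployment must store history with a deliberate, salted KDF as shown rather than a fast unsalted hash.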

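The following is an added example, not FortiPolicy code: it replays constructed login audit events through the default Lockout rule (6 failed attempts, 30 minutes) and Inactive accounts rule (90 days) to show which accounts each rule would act on. The event fields mirror those the page says audit logs carry; the counting semantics (consecutive failures reset on success, attempts made during a lockout neither count nor extend it, inactivity measured from the last successful login) are assumptions, since the page does not specify them.

```python
# Added example (not FortiPolicy code): evaluate the default Lockout and
# Inactive accounts rules against constructed login audit events.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

LOCKOUT_ATTEMPTS = 6    # failed logins before lockout (page default)
LOCKOUT_MINUTES = 30    # lockout duration (page default)
INACTIVE_DAYS = 90      # days without login before the account is disabled


@dataclass(frozen=True)
class LoginEvent:
    user: str           # user ID
    ts: datetime        # time stamp
    success: bool       # success or failure indication
    source: str         # origination of the event (client address here)


def evaluate_login_rules(events: Iterable[LoginEvent], now: datetime) -> dict:
    """Return the lockouts that would be triggered and the accounts that
    would be disabled for inactivity as of `now`."""
    failures: Dict[str, int] = {}             # consecutive failures per user
    locked_until: Dict[str, datetime] = {}
    lockouts: List[Tuple[str, datetime, str]] = []
    last_success: Dict[str, datetime] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        until = locked_until.get(e.user)
        if until is not None and e.ts < until:
            continue            # assumption: rejected while locked, not counted
        if e.success:
            failures[e.user] = 0
            last_success[e.user] = e.ts
            continue
        failures[e.user] = failures.get(e.user, 0) + 1
        if failures[e.user] >= LOCKOUT_ATTEMPTS:
            locked_until[e.user] = e.ts + timedelta(minutes=LOCKOUT_MINUTES)
            lockouts.append((e.user, e.ts, e.source))
            failures[e.user] = 0
    # Assumption: inactivity is measured from the last successful login.
    inactive = sorted(u for u, ts in last_success.items()
                      if now - ts >= timedelta(days=INACTIVE_DAYS))
    return {"lockouts": lockouts, "inactive": inactive}


# Constructed sample events: alice fails 7 times in a row then succeeds later,
# bob fails 5 times then succeeds, carol last logged in 120 days ago.
BASE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
NOW = BASE + timedelta(days=1)
SAMPLE_EVENTS = (
    [LoginEvent("alice", BASE + timedelta(minutes=i), False, "10.0.0.5") for i in range(7)]
    + [LoginEvent("alice", BASE + timedelta(minutes=40), True, "10.0.0.5")]
    + [LoginEvent("bob", BASE + timedelta(minutes=i), False, "10.0.0.9") for i in range(5)]
    + [LoginEvent("bob", BASE + timedelta(minutes=5), True, "10.0.0.9")]
    + [LoginEvent("carol", BASE - timedelta(days=120), True, "10.0.0.7")]
)

if __name__ == "__main__":
    print(evaluate_login_rules(SAMPLE_EVENTS, NOW))
```

With the sample data only alice is locked out, at her sixth failure; her seventh attempt falls inside the 30-minute lockout and is ignored, and her later success clears the counter. bob stays under the threshold, and carol is the only account the inactivity rule would disable. Note that accounts that have never logged in are not covered here, so an audit based on this logic should list them separately.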