Administrators
In its factory default configuration, FortiADC has one administrator account named admin. This administrator has permissions that grant full access to FortiADC’s features.
To prevent accidental changes to the configuration, it’s best if only network administrators — and if possible, only a single person — use the admin account. You can use the admin administrator account to configure more accounts for other people. Accounts can be made with different scopes of access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so via access profiles. See “Restricting permissions”.
For example, you could create an account for a security auditor who must only be able to view the configuration and logs, but not change them.
Administrators may be able to access the web UI, the CLI, and use ping/traceroute through the network, depending on:
    the account’s trusted hosts (see “Trusted hosts”)
    the protocols enabled for each of the FortiADC appliance’s network interfaces (see “Configuring the physical network interfaces”)
To configure an administrator account
1. Before configuring the account, configure the access profile that will govern the account’s permissions (see “Restricting permissions”).
2. Go to System > Admin > Administrators.
To access this part of the web UI, your administrator's account access profile must have Read-Write permission to items in the System category. For details, see “Permissions”.
3. Click Add.
A dialog appears.
4. Configure these settings:
Setting name / Description

Administrator
    Type the name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration.
    Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 35 characters.
    Note: This is the user name that the administrator must provide when logging in to the CLI or web UI.

New Password
    Type a password for the administrator account.
    Tip: Set a strong password for all administrator accounts, and change the password regularly. Failure to maintain the password of the administrator accounts could compromise the security of your FortiADC appliance. As such, it can constitute a violation of PCI DSS compliance and is against best practices. For improved security, the password should be at least eight characters long, be sufficiently complex, and be changed regularly. To check the strength of your password, you can use a utility such as Microsoft’s password strength meter.

Confirm Password
    Type the password again to confirm its spelling.

Trusted Host
    Type the source IP address(es) and netmask from which the administrator is allowed to log in to the appliance. For multiple addresses, separate each entry with a space.
    If PING is enabled, this is also a source IP address to which FortiADC will respond when it receives a ping or traceroute signal. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture. For more information, see “Trusted hosts”.
    To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:
        192.0.2.2/32
        2001:0db8:85a3::8a2e:0370:7334/128
    To allow login attempts from any IP address (not recommended), enter:
        0.0.0.0/0.0.0.0
    Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute-force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the FortiADC appliance must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.
    Tip: If you allow login from the Internet, set a longer and more complex New Password, and enable only secure administrative access protocols (HTTPS and SSH) to minimize the security risk. For information on administrative access protocols, see “Configuring the physical network interfaces”. Also restrict trusted hosts to IPs in your administrator’s geographical area.
    Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

Access Profile
    Select an existing access profile that indicates the permissions for this administrator account. For more information on access profiles, see “Restricting permissions”.
    You can select super_admin_prof, a special access profile used by the admin administrator account. However, selecting this access profile will not confer all permissions of the admin administrator. For example, the new administrator would not be able to reset lost administrator passwords.
    This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.
5. Click OK.
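The rules in the settings above (account name format and length, at most three Trusted Host entries, single hosts preferred over subnets, and the caution that one unrestricted account exposes every account to brute-force login attempts) can be checked before the accounts are created. The script below is an added example, not FortiADC code or anything from Fortinet: it audits a constructed list of proposed accounts against those rules. It assumes that the period is an acceptable name character (the page's own example, admin@example.com, contains one) and that an empty Trusted Host field should be flagged for manual review, since the page does not state what the appliance applies in that case.

```python
"""Audit proposed FortiADC administrator accounts against the rules on this page.

Added example with constructed sample data; not exported from a real appliance.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

MAX_NAME_LEN = 35       # maximum length of the Administrator field
MAX_TRUSTED_HOSTS = 3   # "You can specify up to three trusted areas"

# The page permits letters, digits and '@'. The '.' is accepted here as an
# assumption, because the page's own example name admin@example.com contains it.
NAME_RE = re.compile(r"^[A-Za-z0-9@.]+$")


@dataclass
class AdminAccount:
    name: str
    trusted_hosts: str   # the Trusted Host field as typed: space-separated entries


@dataclass
class Finding:
    account: str
    severity: str        # "error" or "warning"
    code: str            # machine-readable reason
    message: str


def parse_trusted_hosts(field_text: str) -> list:
    """Split the space-separated field and parse each entry as a network.

    Accepts CIDR (192.0.2.2/32, 2001:db8::1/128) and the dotted-netmask form
    the page uses for "any address" (0.0.0.0/0.0.0.0). Raises ValueError on
    an entry that is not a valid network.
    """
    return [ipaddress.ip_network(tok, strict=False) for tok in field_text.split()]


def is_unrestricted(net) -> bool:
    """A /0 prefix (0.0.0.0/0, 0.0.0.0/0.0.0.0 or ::/0) matches every source."""
    return net.prefixlen == 0


def check_account(acct: AdminAccount) -> list:
    """Return the findings for one account, in the order the checks run."""
    findings = []
    if len(acct.name) > MAX_NAME_LEN:
        findings.append(Finding(acct.name, "error", "name_length",
                                f"name longer than {MAX_NAME_LEN} characters"))
    if not NAME_RE.fullmatch(acct.name):
        findings.append(Finding(acct.name, "error", "name_chars",
                                "name contains spaces or special characters other than @"))
    try:
        nets = parse_trusted_hosts(acct.trusted_hosts)
    except ValueError as exc:
        findings.append(Finding(acct.name, "error", "parse", f"unparseable trusted host: {exc}"))
        return findings
    if len(nets) > MAX_TRUSTED_HOSTS:
        findings.append(Finding(acct.name, "error", "too_many",
                                f"{len(nets)} trusted hosts; the limit is {MAX_TRUSTED_HOSTS}"))
    if not nets:
        # Assumption: the page does not say what an empty field means, so flag it.
        findings.append(Finding(acct.name, "warning", "empty",
                                "no trusted hosts entered; verify the appliance default"))
    for net in nets:
        if is_unrestricted(net):
            findings.append(Finding(acct.name, "error", "unrestricted",
                                    f"{net} allows login from any address"))
        elif net.num_addresses > 1:
            findings.append(Finding(acct.name, "warning", "subnet",
                                    f"{net} is a subnet; single-host entries are recommended"))
    return findings


def audit_accounts(accounts: list) -> tuple:
    """Audit every account and return (findings, fleet_exposed).

    fleet_exposed is True when any account has an unrestricted entry: the
    appliance must then accept login attempts for every account before it can
    consult the per-account trusted hosts list (the Caution above).
    """
    findings = []
    for acct in accounts:
        findings.extend(check_account(acct))
    fleet_exposed = any(f.code == "unrestricted" for f in findings)
    return findings, fleet_exposed


# Constructed sample input: two well-restricted accounts, one unrestricted
# account, and one with a bad name and a subnet entry.
SAMPLE_ACCOUNTS = [
    AdminAccount("admin", "192.0.2.2/32"),
    AdminAccount("auditor@example.com",
                 "192.0.2.10/32 2001:0db8:85a3::8a2e:0370:7334/128"),
    AdminAccount("helpdesk", "0.0.0.0/0.0.0.0"),
    AdminAccount("ops team", "10.0.0.0/255.255.255.0"),
]

if __name__ == "__main__":
    results, exposed = audit_accounts(SAMPLE_ACCOUNTS)
    for f in results:
        print(f"[{f.severity}] {f.account}: {f.message}")
    print("all accounts exposed to brute-force login attempts:", exposed)
```

Run against the sample data, the audit reports the unrestricted helpdesk account, the space in "ops team", and its subnet entry, and marks the whole set as exposed because of the single 0.0.0.0/0.0.0.0 entry; the two restricted accounts produce no findings.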
See also
Changing an administrator’s password
Restricting permissions
Configuring the physical network interfaces
Trusted hosts