In its factory default configuration, FortiDDoS has one administrator account named admin. This administrator has permissions that grant Read-Write access to all system functions.
Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted. The admin account is similar to a root administrator account. This account always has full permission to view and change all system configuration options, including viewing and changing all other administrator accounts. Its name and permissions cannot be changed. It is the only administrator account that can reset another administrator’s password without being required to enter that administrator’s existing password.
To prevent accidental changes to the configuration, it is best if only network administrators—and if possible, only a single person—use the admin account. You can use the admin account to configure more administrator accounts for other people. Accounts can be made with different scopes of access. You can associate each of these accounts with either all SPPs or a single SPP, and you can specify the type of profile settings that each account can access. If you require such role-based access control (RBAC) restrictions, or if you simply want to harden security or prevent inadvertent changes to other administrators’ areas, you can do so with access profiles. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.
Access profiles provision permissions to roles. The following permissions can be assigned:
When a profile includes only read access to a category, the user can access the web UI page for that category and can use the get and show CLI commands for that category, but cannot make changes to the configuration.
When a profile includes no categories with read-write permissions, the user can log into the web UI but not the CLI.
In larger companies where multiple administrators share the workload, access profiles often reflect the specific job that each administrator does (“role”), such as account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC).
Table 80 lists the administrative areas that can be provisioned. If you provision read access, the role can view the web UI menu (or issue a CLI get command). If you provision read-write access, the role can save configuration changes (or issue a CLI set command).
For complete access to all commands and abilities, you must log in with the administrator account named admin.
Web UI Menus | CLI Commands |
---|---|
System | config system ...; show full-configuration; diagnose ...; execute ... |
Global Settings | config ddos global ... |
Protection Profiles | config spp ... |
Monitor | get system status; get system performance; show system status; show system performance; show full-configuration |
Log & Report | config log ...; config system |
* For each config command, there is an equivalent get/show command, unless otherwise noted. config commands require write permission. get/show commands require read permission.
Before you begin:
Figure 139: Admin profile configuration page
Settings | Guidelines |
---|---|
Profile name | Unique name. No spaces or special characters. |
Access Control | |

The super_admin_prof access profile, a special access profile assigned to the admin account and required by it, appears in the list of access profiles. It exists by default and cannot be changed or deleted. The profile has permissions similar to the UNIX root account.
We recommend that only network administrators—and if possible, only a single person—use the admin account. You can configure accounts that provision different scopes of access. For example, you can create an account for a security auditor who must only be able to view the configuration and logs, but not change them.
Before you begin:
Figure 140: Administrator user configuration page
Settings | Guidelines |
---|---|
Name | Name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration. Do not use spaces or special characters except the 'at' symbol (@). The maximum length is 35 characters. If you use LDAP or RADIUS authentication, this is the username stored in the LDAP or RADIUS authentication server. Note: This is the user name that the administrator must provide when logging in to the CLI or web UI. If you use an external authentication server such as RADIUS or Active Directory, this name is passed to the server in the remote authentication query. |
System Admin | |
Service Protection Profile | If this administrator is not a system administrator, select the profile that this account manages. |
Auth Strategy | |
New Password | Type a password for the administrator account. Passwords may have a maximum of 16 characters, may include numbers, upper and lowercase characters, and the following special characters: _ (underscore), - (hyphen), !, @, #, $, %, ^, &, * |
Confirm Password | Type the password again to confirm its spelling. |
Trusted Hosts | Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture. Configuring trusted hosts hardens the security of the system: in addition to knowing the password, an administrator can connect only from the computers or subnets you specify. Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, because the local console is by definition not remote and does not go through the network. If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute. To allow logins only from one computer, enter only its IP address with a 32-bit (IPv4) or 128-bit (IPv6) netmask, for example 192.0.2.2/32 or 2001:0db8:85a3::8a2e:0370:7334/128. To allow login attempts from any IP address (not recommended), enter 0.0.0.0/0.0.0.0. Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so leaves all accounts exposed to the risk of brute-force login attacks: if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and can only check the trusted hosts list for a user name after a login attempt for that user name has been received. Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrators' geographical area. Tip: For improved security, restrict all trusted host addresses to the single IP addresses of the computer(s) from which only this administrator will log in. |
Admin Profile | Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords. Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile. |
CLI commands:

```
config system admin
  edit admin
    set access-profile super_admin_prof
  next
  edit admin-spp1
    set is-system-admin no
    set domain SPP-1
    set password ENC $1$0b721b38$vk7GoO147JXXqy5B3ag8z/
    set access-profile admin
  next
end
```
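The trusted-hosts caution and the password rules above can be checked mechanically before a configuration is applied. The following is an added example, not FortiDDoS code: it parses a constructed `config system admin` block in the shape shown above and reports accounts that admit logins from any source. The `trusted-hosts` key name is an assumption (the page only names the web UI field), and the `auditor` profile name is likewise constructed.

```python
import ipaddress
import re

# Constructed sample in the `config system admin` shape shown on this page;
# `trusted-hosts` is an assumed key name for the Trusted Hosts field.
SAMPLE_CONFIG = """config system admin
  edit admin
    set access-profile super_admin_prof
    set trusted-hosts 192.0.2.2/32
  next
  edit admin-spp1
    set is-system-admin no
    set access-profile admin
    set trusted-hosts 0.0.0.0/0.0.0.0
  next
end
"""

# Password rules from this page: 1 to 16 chars of letters, digits, _ - ! @ # $ % ^ & *
PASSWORD_RE = re.compile(r"^[A-Za-z0-9_\-!@#$%^&*]{1,16}$")

def parse_admins(text):
    """Map each `edit <name>` block to its `set key value` pairs."""
    admins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1]
            admins[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            admins[current][key] = value
        elif line == "next":
            current = None
    return admins

def unrestricted_admins(admins):
    """Names whose trusted hosts are missing or include an any-address entry."""
    found = []
    for name, settings in admins.items():
        hosts = settings.get("trusted-hosts", "").split()
        # A zero-length prefix (0.0.0.0/0, ::/0) admits every source address.
        if not hosts or any(ipaddress.ip_network(h, strict=False).prefixlen == 0
                            for h in hosts):
            found.append(name)
    return found

def password_allowed(pw):
    """True if pw satisfies the length and character rules quoted above."""
    return PASSWORD_RE.fullmatch(pw) is not None
```

Per the page's caution, a non-empty result from `unrestricted_admins` means every account on the device, not only the listed ones, remains reachable for login attempts from any source.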
By default, this administrator account has no password. Set a strong password for the admin administrator account. Change the password regularly.
Before you begin:
Figure 141: Administrator settings page
Settings | Guidelines |
---|---|
Old Password | Type the current password. |
New Password | Type a password for the administrator account. Passwords may have a maximum of 16 characters, may include numbers, upper and lowercase characters, and the following special characters: _ (underscore), - (hyphen), !, @, #, $, %, ^, &, * |
Confirm Password | Type the password again to confirm its spelling. |
CLI commands:
Before you begin:
Figure 142: Administration settings page
Settings | Guidelines |
---|---|
Web Administration Ports | |
HTTP | Specify the port for the HTTP service. Usually, HTTP uses port 80. |
HTTPS | Specify the port for the HTTPS service. Usually, HTTPS uses port 443. |
Telnet | Specify the port for the Telnet service. Usually, Telnet uses port 25. |
SSH | Specify the port for the SSH service. Usually, SSH uses port 22. |
Web Administration | |
Language | Language of the web UI. The following languages are supported:
The web UI's pages use UTF-8 encoding, regardless of which language you choose. UTF-8 supports multiple languages and allows them to display correctly, even when multiple languages are used on the same web page. For example, your organization could have websites in both English and simplified Chinese. Your FortiDDoS administrators prefer to work in the English version of the web UI. They could use the web UI in English while writing rules to match content in both English and simplified Chinese without changing this setting. Both the rules and the web UI will display correctly, as long as all rules were input using UTF-8. Usually, your text input method or your management computer's operating system should match the display by also using UTF-8. If they do not, your input and the web UI may not display correctly at the same time. For example, your web browser's or operating system's default encoding for simplified Chinese input may be GB2312. However, you usually should switch it to UTF-8 when using the web UI, unless you are writing regular expressions that must match HTTP clients' requests and those requests use GB2312 encoding. Note: This setting does not affect the display of the CLI. |
Timeout | Number of minutes that a web UI connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). The default is 30 minutes. |