Add new administrator accounts

Rather than allowing all administrators to access the FortiGate unit with the admin administrator account, you should create an administrator account for each person who requires administrative access. That way you can track who has made configuration changes and performed other administrative activities. Keep the number of administrative accounts to a minimum so that you have better control over who can access the device.

To add administrators, go to System > Admin > Administrators and select Create New.

If you want administrators to have access to all FortiGate configuration options, their accounts should have the prof_admin admin profile. Administrators with this profile can do anything except add new administrator accounts.

At least one account should always have the super_admin profile, as this profile is required to add and remove administrators. To improve security, only very few administrators (usually one) should be able to add new administrators.

If you want some administrator accounts to have limited access to the FortiGate configuration, you can create custom admin profiles that only allow access to selected parts of the configuration. To add custom admin profiles, go to System > Admin > Admin Profiles and select Create New.

For example, to add an admin profile that does not allow changing firewall policies, set Firewall Configuration to None or Read Only when you configure the admin profile.
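One way to check an existing unit against the account guidance above is to audit a configuration backup. The following is an added example, not part of the original help page or Fortinet tooling; it assumes the backup is plain text containing a `config system admin` block, and the function names, sample accounts and the default limit of one super_admin account are hypothetical.

```python
import re
# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        config dashboard
            edit 1
            next
        end
    next
    edit "jsmith"
        set accprofile "super_admin"
    next
    edit "akhan"
        set accprofile "prof_admin"
    next
end
"""

def parse_admins(config_text):
    """Return {account name: admin profile} from the 'config system admin' block."""
    admins, in_block, depth, current = {}, False, 0, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not in_block:
            in_block = line == "config system admin"
        elif line.startswith("config "):
            depth += 1                      # nested table inside an account entry
        elif line == "end":
            if depth == 0:
                break                       # end of 'config system admin'
            depth -= 1
        elif depth == 0 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = m.group(1)
            admins[current] = None
        elif depth == 0 and current and (m := re.fullmatch(r'set accprofile "?([^"]+)"?', line)):
            admins[current] = m.group(1)
    return admins

def audit_admins(admins, max_super_admins=1):  # limit is an assumed default
    findings = []
    supers = sorted(n for n, p in admins.items() if p == "super_admin")
    if not supers:
        findings.append("no super_admin account: nobody can add or remove administrators")
    elif len(supers) > max_super_admins:
        findings.append(f"{len(supers)} super_admin accounts: {', '.join(supers)}")
    if list(admins) == ["admin"]:
        findings.append("only the shared 'admin' account exists: add per-person accounts")
    return findings
```

Calling `audit_admins(parse_admins(SAMPLE_CONFIG))` on the constructed sample reports the two super_admin accounts; the nested `config dashboard` table is skipped so its `edit 1` entry is not mistaken for an administrator.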