Administrators

By default, the FortiGate has a super administrator account, called admin, which cannot be deleted. Additional administrators can be added for various functions, each with a unique user name, password, and set of access privileges.

The following sections describe how to add and secure administrative access to a FortiGate.

Administrator profiles

Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile dictating what the administrator will see. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much, or as little, as required.

super_admin profile

This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For some administrative functions, such as backing up and restoring the configuration, super_admin access is required. The super_admin profile cannot be deleted or modified, to ensure that there is always a method to administer the FortiGate.

Note: Lower level administrator profiles cannot back up or restore the FortiOS configuration.

The super_admin profile is used by the default admin account. It is recommended to add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required. For more information, see Adding a local administrator.

Creating profiles

To configure administrator profiles go to System > Admin Profiles and select Create New.

On the New Administrator Profile page, you define the components of FortiOS that will be available to view and/or edit. For example, you can configure a profile so that the administrator can only access the Firewall Configuration, which includes firewall policies, addresses, services, schedules, packet capture, and some other parts of the FortiGate configuration. Any other aspects of the FortiGate configuration, including VPNs and security profiles, will be hidden from this administrator.

Adding a local administrator

Only administrators with read-write for Administrator Users can create a new administrator account.

To add an administrator - GUI
  1. Go to System > Administrators.
  2. Select Create New.
  3. Add a Name for the administrator.

Note: The name of the administrator should not contain the characters <>()#"'. Using these characters in the administrator account name can result in a cross-site scripting (XSS) vulnerability.

  4. Enter the Password for the user. This may be a temporary password that the administrator can change later. Passwords can be up to 256 characters in length. For more information on passwords, see the Passwords discussion in the Getting Started chapter.
  5. Set Type to Local User.
  6. Set the Administrator Profile and Security.
  7. Select OK.
To add an administrator - CLI

config system admin
    edit <admin_name>
        set password <password>
        set accprofile <profile_name>
end

LDAP authentication for administrators

Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.

This requires three steps:

  • configure the LDAP server
  • add the LDAP server to a user group
  • configure the administrator account

Configure the LDAP server

First set up the LDAP server as you normally would, and include a group to bind to.

To configure the LDAP server - GUI
  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter a Name for the server.
  3. Enter the Server IP address or name.
  4. Enter the Common Name Identifier and Distinguished Name.
  5. Set the Bind Type to Regular and enter the User DN and Password.
  6. Select OK.
To configure the LDAP server - CLI

config user ldap
    edit <ldap_server_name>
        set server <server_ip>
        set cnid cn
        set dn DC=XYZ,DC=COM
        set type regular
        set username CN=Administrator,CN=Users,DC=XYZ,DC=COM
        set password <password>
        set member-attr <group_binding>
end

Add the LDAP server to a user group

Next, create a user group that will include the LDAP server that was created above.

To create a user group - GUI
  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. In the section labeled Remote groups, select Create New.
  4. Select the Remote Server from the drop-down list.
  5. Select OK.
To create a user group - CLI

config user group
    edit <group_name>
        config match
            edit 1
                set server-name <LDAP_server>
                set group-name <LDAP_group_DN>
        end
end

Configure the administrator account

Now you can create a new administrator, where rather than entering a password, you will use the new user group and the wildcard option for authentication.

To create an administrator - GUI
  1. Go to System > Administrators and select Create New.
  2. In the Administrator field, enter the name for the administrator.
  3. For Type, select Match a user on a remote server group.
  4. Select the User Group created above from the drop-down list.
  5. Select Wildcard. The Wildcard option allows for LDAP users to connect as this administrator.
  6. Select an Admin Profile.
  7. Select OK.
To create an administrator - CLI

config system admin
    edit <admin_name>
        set remote-auth enable
        set accprofile super_admin
        set wildcard enable
        set remote-group <group_name>
end

Other methods of authentication

Admin accounts can use a variety of methods for authentication, including RADIUS, TACACS+, and PKI.

RADIUS authentication for administrators

If you want to use a RADIUS server to authenticate administrators, you must:

  • configure the FortiGate to access the RADIUS server
  • create the RADIUS user group
  • configure an administrator to authenticate with a RADIUS server.

TACACS+ authentication for administrators

If you want to use a TACACS+ server to authenticate administrators, you must:

  • configure the FortiGate to access the TACACS+ server
  • create a TACACS+ user group
  • configure an administrator to authenticate with a TACACS+ server.

PKI certificate authentication for administrators

To use PKI authentication for an administrator, you must:

  • configure a PKI user
  • create a PKI user group
  • configure an administrator to authenticate with a PKI certificate.

Monitoring administrators

You can view the administrators logged in using the System Information widget on the Dashboard. The Current Administrator row shows the administrator logged in and the total number of administrators logged in. Selecting Details displays the administrators, where they are logging in from, how (CLI, GUI), and when they logged in.

You are also able to monitor the activities the administrators perform on the FortiGate using the event logging. Event logs include a number of options to track configuration changes.

To set logging - GUI
  1. Go to Log & Report > Log Settings.
  2. Under Event Logging, select Customize and ensure System activity event is selected.
  3. Select Apply.
To set logging - CLI

config log eventfilter
    set event enable
    set system enable
end

To view the logs go to Log & Report > System Events.

Management access

Management access defines how administrators are able to log on to the FortiGate. In NAT mode, access is configured for each of the FortiGate's interfaces, using the interface's IP to connect. In Transparent mode, a single management IP address is configured to allow access.

Management access can be via HTTP, HTTPS, Telnet, or SSH sessions. HTTPS and SSH are preferred as they are more secure. The management computer must connect to an interface that permits management access and its IP address must be on the same network. If you are using VDOMs, an administrator who is restricted to a specific VDOM must use a computer that connects to an interface on that VDOM.

You can allow remote administration of the FortiGate; however, it is not recommended, since it could compromise the security of the FortiGate. If you require remote administration, the following precautions can be taken to improve the security of a FortiGate:

  • Use secure administrator passwords.
  • Change these passwords regularly.
  • Enable two-factor authentication for administrators.
  • Enable secure administrative access to this interface using only HTTPS or SSH.
  • Use Trusted Hosts to limit where the remote access can originate from.
  • Do not change the system idle timeout from the default value of 5 minutes.

Security precautions

One potential point of a security breach is at the management computer. Administrators who leave their workstations for a prolonged amount of time while staying logged into the GUI or CLI leave the firewall open to malicious intent.

Preventing unwanted log in attempts

Setting trusted hosts for an administrator limits what computers an administrator can log in from, causing the FortiGate to only accept the administrator’s log in from the configured IP address. Any attempt to log in with the same credentials from any other IP address will be dropped.

Trusted hosts are configured when adding a new administrator by going to System > Administrators in the GUI or config system admin in the CLI.

To ensure the administrator has access from different locations, you can enter up to ten IP addresses, though ideally this should be kept to a minimum. For higher security, use an IP address with a netmask of 255.255.255.255, and enter an IP address (non-zero) in each of the three default trusted host fields. Also ensure all entries contain actual IP addresses, not the default 0.0.0.0.

The trusted hosts apply to the GUI, ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.
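As an added example (not part of the FortiOS documentation), the following Python script cross-checks the event logs described under Monitoring administrators against the trusted hosts configured in config system admin: it reads the set trusthostN <ip> <mask> lines from a show system admin excerpt and flags failed logins, configuration changes, and successful logins whose source lies outside the administrator's currently configured trusted hosts (which points at a trusted-host change since the login). The configuration excerpt, the log lines and their field names are constructed for illustration.

```python
import ipaddress
import re
import shlex

# Constructed `show system admin` excerpt for a hypothetical account "admin".
ADMIN_CONFIG = """config system admin
    edit "admin"
        set trusthost1 10.0.0.5 255.255.255.255
        set trusthost2 192.168.10.0 255.255.255.0
    next
end"""

# Constructed key=value event log lines in the FortiGate style (field names
# vary by FortiOS version, so treat these as illustrative only).
EVENT_LOGS = """\
type="event" subtype="system" user="admin" ui="https(10.0.0.5)" action="login" status="success" logdesc="Admin login successful"
type="event" subtype="system" user="admin" ui="ssh(203.0.113.9)" action="login" status="failed" logdesc="Admin login failed"
type="event" subtype="system" user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" logdesc="Object attribute configured"
type="event" subtype="system" user="admin" ui="https(198.51.100.4)" action="login" status="success" logdesc="Admin login successful\""""


def parse_trusted_hosts(config_text):
    """Map each admin name to the networks from its 'set trusthostN <ip> <mask>' lines."""
    hosts, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            hosts[current] = []
        elif current and re.match(r"set trusthost\d+ ", line):
            _, _, ip, mask = line.split()
            hosts[current].append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return hosts


def review_admin_events(config_text, log_text):
    """Return (finding, admin, detail) tuples: failed logins, config changes, untrusted sources."""
    trusted, findings = parse_trusted_hosts(config_text), []
    for line in log_text.splitlines():
        ev = dict(tok.split("=", 1) for tok in shlex.split(line))  # key="value" pairs
        user, action = ev.get("user"), ev.get("action")
        m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", ev.get("ui", ""))  # source IP in ui=
        src = ipaddress.ip_address(m.group(1)) if m else None
        if action == "login" and ev.get("status") != "success":
            findings.append(("failed_login", user, str(src)))
        elif action == "login" and src and not any(src in n for n in trusted.get(user, [])):
            findings.append(("untrusted_source", user, str(src)))
        elif action not in ("login", "logout"):
            findings.append(("config_change", user, ev.get("cfgpath", "")))
    return findings
```

Run review_admin_events(ADMIN_CONFIG, EVENT_LOGS) to get the three findings for the sample data; feed it the real show system admin output and exported system event logs to apply the same check in practice.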

Prevent concurrent administrator sessions

Concurrent administrator sessions occur when multiple people concurrently access the FortiGate using the same administrator account. This is allowed by default. If you wish to prevent this behavior, use the following CLI command:

config system global
    set admin-concurrent disable
end

Note that if you disable concurrent sessions for an administrator, only one session with the same username is allowed, even if the second session comes from the same IP address.

On 2U FortiGates, this option is also available in the GUI by going to System > Settings and disabling Allow multiple concurrent sessions for each administrator.

Segregated administrative roles

To minimize the effect of an administrator causing errors to the FortiGate configuration and possibly jeopardizing the network, create individual administrative roles where none of the administrators have super_admin permissions. For example, one account is used solely to create security policies, another for users and groups, another for VPN, and so on.

SSH log in time out

By default, you have up to 120 seconds to log into the FortiGate when using SSH. You can use the following CLI command to reduce this time to enhance security:

config system global
    set admin-ssh-grace-time <number_of_seconds>
end

The range can be between 10 and 3600 seconds.

HTTPS redirect

You can redirect an administrator's traffic from HTTP to HTTPS for a more secure connection.

To redirect HTTP to HTTPS - GUI
  1. Go to System > Settings.
  2. Under Administration Settings, enable Redirect to HTTPS.
  3. Select Apply.
To redirect HTTP to HTTPS - CLI

config system global
    set admin-https-redirect enable
end

This command is not available on low-crypto FortiGates. The default is disable.

Log in/out warning message

For administrators logging in and out of the FortiGate, you can include a log in disclaimer. This disclaimer provides a statement that must be accepted or declined, which is useful where corporations are governed by strict usage policies for forensic and legal reasons.

This disclaimer can appear either before the log in screen loads (pre-login banner) or after an administrator enters their credentials (post-login banner). The disclaimer is enabled through the CLI:

config system global
    set pre-login-banner enable
    set post-login-banner enable
end

The banner is a default message that you can customize by going to System > Replacement Messages. Select Extended View to see the Administrator category and messages.

Disable the console interface

You can disable your FortiGate's console interface to prevent any unwanted login attempts:

config system console
    set login disable
end

Disable other interfaces

If any of the interfaces on the FortiGate are not being used, disable traffic on that interface. This avoids someone plugging in network cables and potentially causing network bypass or loop issues.

To disable an interface - GUI
  1. Go to Network > Interfaces.
  2. Select the interface from the list and select Edit.
  3. For Administrative Access, select Down.
  4. Select OK.
To disable an interface - CLI

config system interface
    edit <interface_name>
        set status down
end