Administrators
By default, the FortiGate has a super administrator account, called admin, which cannot be deleted. Additional administrators can be added for various functions, each with a unique user name, password, and set of access privileges.
The following tasks can be done to add and secure administrative access to a FortiGate:
- Administrator profiles
- Adding a local administrator
- LDAP authentication for administrators
- Other methods of authentication
- Monitoring administrators
- Management access
- Security precautions
Administrator profiles
Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile dictating what the administrator will see. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much, or as little, as required.
super_admin profile
This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For some administrative functions, such as backing up and restoring the configuration, super_admin access is required. The super_admin profile cannot be deleted or modified, to ensure that there is always a method to administer the FortiGate.
Lower level administrator profiles cannot back up or restore the FortiOS configuration.
The super_admin profile is used by the default admin account. It is recommended to set a strong password and rename this account once you have set up your FortiGate. In order to rename the default account, a second administrator account is required, because you must be logged in as a different administrator to change it. For more information, see Adding a local administrator.
Creating profiles
To configure administrator profiles go to System > Admin Profiles and select Create New.
On the New Administrator Profile page, you define the components of FortiOS that will be available to view and/or edit. For example, you can configure a profile so that the administrator can only access the Firewall Configuration, which includes firewall policies, addresses, services, schedules, packet capture, and some other parts of the FortiGate configuration. Any other aspects of the FortiGate configuration, including VPNs and security profiles, will be hidden from this administrator.
Adding a local administrator
Only administrators with read-write for Administrator Users can create a new administrator account.
To add an administrator - GUI
- Go to System > Administrators.
- Select Create New.
- Add a Name for the administrator.
The name of the administrator must not contain the characters < > ( ) # " ' . Using these characters in the administrator account name can result in a cross-site scripting (XSS) vulnerability.
- Enter the Password for the user. This may be a temporary password that the administrator can change later. Passwords can be up to 256 characters in length. For more information on passwords, see the Passwords discussion in the Getting Started chapter.
- Set Type to Local User.
- Set the Administrator Profile and Security
- Select OK.
To add an administrator - CLI
config system admin
edit <admin_name>
set password <password>
set accprofile <profile_name>
end
LDAP authentication for administrators
Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.
This requires three steps:
- configure the LDAP server
- add the LDAP server to a user group
- configure the administrator account
Configure the LDAP server
First set up the LDAP server as you normally would, and include a group to bind to.
To configure the LDAP server - GUI
- Go to User & Device > LDAP Servers and select Create New.
- Enter a Name for the server.
- Enter the Server IP address or name.
- Enter the Common Name Identifier and Distinguished Name.
- Set the Bind Type to Regular and enter the User DN and Password.
- Select OK.
To configure the LDAP server - CLI
config user ldap
edit <ldap_server_name>
set server <server_ip>
set cnid cn
set dn DC=XYZ,DC=COM
set type regular
set username CN=Administrator,CN=Users,DC=XYZ,DC=COM
set password <password>
set member-attr <group_binding>
end
Add the LDAP server to a user group
Next, create a user group that will include the LDAP server that was created above.
To create a user group - GUI
- Go to User & Device > User Groups and select Create New.
- Enter a Name for the group.
- In the section labeled Remote groups, select Create New.
- Select the Remote Server from the drop-down list.
- Select OK.
To create a user group - CLI
config user group
edit <group_name>
set member <LDAP_server>
config match
edit 1
set server-name <LDAP_server>
set group-name <LDAP_group_DN>
end
end
The LDAP server must be a member of the user group before it can be referenced in a match entry, and group-name is the distinguished name of the LDAP group whose members are allowed to log in, not the name of the FortiGate user group.
Configure the administrator account
Now you can create a new administrator that, rather than having a local password, authenticates against the new user group with the wildcard option enabled.
To create an administrator - GUI
- Go to System > Administrators and select Create New.
- In the Administrator field, enter the name for the administrator.
- For Type, select Match a user on a remote server group.
- Select the User Group created above from the drop-down list.
- Select Wildcard. With Wildcard enabled, any user in the selected remote group can log in as this administrator using their own LDAP credentials.
- Select an Admin Profile.
- Select OK.
To create an administrator - CLI
config system admin
edit <admin_name>
set remote-auth enable
set accprofile <profile_name>
set wildcard enable
set remote-group <group_name>
end
Every member of the remote group logs in with the profile assigned here, so assign super_admin only if the LDAP group is restricted to people who should have full control of the FortiGate.
Other methods of authentication
Admin accounts can use a variety of methods for authentication, including RADIUS, TACACS+, and PKI.
RADIUS authentication for administrators
If you want to use a RADIUS server to authenticate administrators, you must:
- configure the FortiGate to access the RADIUS server
- create the RADIUS user group
- configure an administrator to authenticate with a RADIUS server.
TACACS+ authentication for administrators
If you want to use a TACACS+ server to authenticate administrators, you must:
- configure the FortiGate to access the TACACS+ server
- create a TACACS+ user group
- configure an administrator to authenticate with a TACACS+ server.
PKI certificate authentication for administrators
To use PKI authentication for an administrator, you must:
- configure a PKI user
- create a PKI user group
- configure an administrator to authenticate with a PKI certificate.
Monitoring administrators
You can view the administrators logged in using the System Information widget on the Dashboard. The Current Administrator row shows the administrator logged in and the total number of administrators logged in. Selecting Details lists the administrators, where they are logging in from, how (CLI or GUI), and when they logged in.
You are also able to monitor the activities the administrators perform on the FortiGate using the event logging. Event logs include a number of options to track configuration changes.
To set logging - GUI
- Go to Log & Report > Log Settings.
- Under Event Logging, select Customize and ensure System activity event is selected.
- Select Apply.
To set logging - CLI
config log eventfilter
set event enable
set system enable
end
To view the logs go to Log & Report > System Events.
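The event logs described above are only useful if someone reads them, so the following script shows how to triage them: it parses the key=value lines FortiOS writes for administrator logins and flags repeated failures from one source, successful logins over HTTP or Telnet, and logins from addresses outside the networks that trusted hosts should allow. This is an added example, not code from the original page or from Fortinet; the log lines are constructed for the example in the FortiOS key=value layout with made-up addresses, serials and timestamps, and the allowed-network list and the failure threshold are assumptions you would set for your own environment.

```python
"""Triage FortiGate system event logs for administrator login activity (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the key=value layout of FortiOS system event logs.
# Addresses, timestamps and the policy edit at the end are made up for the example.
SAMPLE_LOGS = """\
date=2019-05-10 time=11:37:47 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="fwadmin" ui="https(10.10.1.5)" method="https" srcip=10.10.1.5 dstip=10.10.1.99 action="login" status="success" reason="none" profile="firewall_only"
date=2019-05-10 time=11:38:02 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.7)" method="ssh" srcip=203.0.113.7 dstip=10.10.1.99 action="login" status="failed" reason="passwd_invalid"
date=2019-05-10 time=11:38:09 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.7)" method="ssh" srcip=203.0.113.7 dstip=10.10.1.99 action="login" status="failed" reason="passwd_invalid"
date=2019-05-10 time=11:38:15 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.7)" method="ssh" srcip=203.0.113.7 dstip=10.10.1.99 action="login" status="failed" reason="passwd_invalid"
date=2019-05-10 time=11:40:31 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="fwadmin" ui="http(10.10.1.6)" method="http" srcip=10.10.1.6 dstip=10.10.1.99 action="login" status="success" reason="none" profile="firewall_only"
date=2019-05-10 time=11:41:05 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="ssh(198.51.100.20)" method="ssh" srcip=198.51.100.20 dstip=10.10.1.99 action="login" status="success" reason="none" profile="super_admin"
date=2019-05-10 time=11:42:10 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="fwadmin" ui="https(10.10.1.5)" action="Edit" cfgpath="firewall.policy" cfgobj="1" cfgattr="status[enable->disable]"
"""

# A field is key=value; string values are double-quoted, numbers and addresses are bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into a dict, stripping the quotes FortiOS puts around strings."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def admin_login_events(lines):
    """Keep only administrator login attempts (system subtype, action=login)."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("subtype") == "system" and rec.get("action") == "login":
            events.append(rec)
    return events


def failed_login_bursts(events, threshold=3):
    """Count failures per (user, source IP); return pairs at or above the threshold."""
    counts = Counter((e["user"], e["srcip"]) for e in events if e["status"] == "failed")
    return {key: n for key, n in counts.items() if n >= threshold}


def cleartext_logins(events):
    """Successful logins over HTTP or Telnet, which carry the credentials in the clear."""
    return [(e["user"], e["srcip"], e["method"]) for e in events
            if e["status"] == "success" and e["method"] in ("http", "telnet")]


def logins_outside(events, allowed_cidrs):
    """Successful logins from addresses outside the networks your trusted hosts should permit."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    found = []
    for e in events:
        if e["status"] != "success":
            continue
        src = ipaddress.ip_address(e["srcip"])
        if not any(src in net for net in nets):
            found.append((e["user"], e["srcip"]))
    return found


if __name__ == "__main__":
    evs = admin_login_events(SAMPLE_LOGS.splitlines())
    # The management network below is an assumption for the example.
    print("failed-login bursts:", failed_login_bursts(evs))
    print("cleartext logins:", cleartext_logins(evs))
    print("logins from outside 10.10.1.0/24:", logins_outside(evs, ["10.10.1.0/24"]))
```

On the sample the script reports three failed SSH logins for admin from 203.0.113.7, one HTTP login by fwadmin, and a successful SSH login as admin from 198.51.100.20, which is exactly the combination the trusted-host and HTTPS/SSH-only precautions later on this page are meant to prevent. Feed it the output of a syslog export or the FortiGate's own log download instead of SAMPLE_LOGS to run it on real data.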
Management access
Management access defines how administrators are able to log on to the FortiGate. In NAT mode, access is configured for each of the FortiGate's interfaces, using the interface's IP to connect. In Transparent mode, a single management IP address is configured to allow access.
Management access can be via HTTP, HTTPS, Telnet, or SSH sessions. HTTPS and SSH are preferred as they are more secure. The management computer must connect to an interface that permits management access and its IP address must be on the same network. If you are using VDOMs, an administrator who is restricted to a specific VDOM must use a computer that connects to an interface on that VDOM.
You can allow remote administration of the FortiGate; however, it is not recommended, since it could compromise the security of the FortiGate. If you require remote administration, the following precautions can be taken to improve the security of a FortiGate:
- Use secure administrator passwords.
- Change these passwords regularly.
- Enable two-factor authentication for administrators.
- Enable secure administrative access to this interface using only HTTPS or SSH.
- Use Trusted Hosts to limit where the remote access can originate from.
- Do not change the system idle timeout from the default value of 5 minutes.
Security precautions
One potential point of a security breach is at the management computer. Administrators who leave their workstations for a prolonged amount of time while staying logged into the GUI or CLI leave the firewall open to malicious intent.
Preventing unwanted log in attempts
Setting trusted hosts for an administrator limits what computers an administrator can log in from, causing the FortiGate to only accept the administrator’s log in from the configured IP address. Any attempt to log in with the same credentials from any other IP address will be dropped.
Trusted hosts are configured when adding a new administrator by going to System > Administrators in the GUI or config system admin in the CLI.
To ensure the administrator has access from different locations, you can enter up to ten IP addresses, though ideally this should be kept to a minimum. For higher security, use an IP address with a netmask of 255.255.255.255, and enter a non-zero IP address in each of the three default trusted host fields. Also ensure all entries contain actual IP addresses, not the default 0.0.0.0, which matches every source address and provides no restriction at all.
The trusted hosts apply to the GUI, ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.
Prevent concurrent administrator sessions
Concurrent administrator sessions occur when multiple people concurrently access the FortiGate using the same administrator account. This is allowed by default. If you wish to prevent this behavior, use the following CLI command:
config system global
set admin-concurrent disable
end
Note that when concurrent sessions are disabled, only one session per username is allowed, even if the second session comes from the same IP address.
On 2U FortiGates, this option is also available in the GUI by going to System > Settings and disabling Allow multiple concurrent sessions for each administrator.
Segregated administrative roles
To minimize the effect of an administrator causing errors to the FortiGate configuration and possibly jeopardizing the network, create individual administrative roles where none of the administrators have super_admin permissions. For example, one account is used solely to create security policies, another for users and groups, another for VPN, and so on.
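Checking the trusted-host and segregated-role advice above by eye does not scale once a FortiGate has more than a handful of administrators, so the following script audits a saved config system admin block for the precautions this section describes: missing or 0.0.0.0 trusted hosts, trusted hosts wider than a /32, the default admin account name still in use, wildcard remote administrators mapped to super_admin, and more than one super_admin account. This is an added example, not code from the original page or from Fortinet; the configuration it parses is constructed for the example in the layout the FortiOS CLI prints (the account names, profile names and addresses are made up), and it reads the text of a configuration you have already exported rather than connecting to a device.

```python
"""Audit a FortiGate 'config system admin' block for weak administrator settings (added example)."""
import ipaddress
import re

# Constructed sample in the layout the FortiOS CLI prints for 'show system admin'.
# Names, profiles and addresses are made up; 'ENC xxxx' stands in for the password hash.
SAMPLE_ADMIN_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC xxxx
    next
    edit "fwadmin"
        set trusthost1 10.10.1.5 255.255.255.255
        set trusthost2 10.10.1.6 255.255.255.255
        set accprofile "firewall_only"
        set vdom "root"
        set password ENC xxxx
    next
    edit "backup"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "backup_only"
        set vdom "root"
        set password ENC xxxx
    next
    edit "ldap_admins"
        set remote-auth enable
        set trusthost1 10.10.0.0 255.255.0.0
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "ldap-admins"
    next
end
"""


def parse_admins(text):
    """Return {admin_name: {setting: [values]}} for every 'edit' entry in the block."""
    admins = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        edit = re.match(r'edit "?([^"]+)"?$', line)
        if edit:
            current = edit.group(1)
            admins[current] = {}
            continue
        if line == "next":
            current = None
            continue
        setting = re.match(r'set (\S+) (.*)$', line)
        if setting and current is not None:
            key, value = setting.group(1), setting.group(2).strip().strip('"')
            admins[current].setdefault(key, []).append(value)
    return admins


def trusted_networks(fields):
    """Turn 'trusthostN <ip> <mask>' settings into ip_network objects."""
    nets = []
    for key, values in fields.items():
        if key.startswith("trusthost"):
            for value in values:
                ip, mask = value.split()
                nets.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return nets


def audit_admin(name, fields):
    """Findings for one administrator entry; an empty list means nothing to report."""
    findings = []
    nets = trusted_networks(fields)
    if not nets:
        # 'show' omits default values, so no trusthost line means 0.0.0.0/0 on every slot.
        findings.append("no trusted hosts configured: login accepted from any address")
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"trusted host {net} is the default 0.0.0.0/0 and restricts nothing")
        elif net.prefixlen < 32:
            findings.append(f"trusted host {net} is a range; prefer a single host (/32, 255.255.255.255)")
    if name == "admin":
        findings.append("default account name 'admin' still in use; rename it")
    wildcard = fields.get("wildcard", ["disable"])[0] == "enable"
    if wildcard and "super_admin" in fields.get("accprofile", []):
        findings.append("wildcard remote admin maps every member of the remote group to super_admin")
    return findings


def audit(text):
    """Audit the whole block, adding the segregated-roles check across accounts."""
    admins = parse_admins(text)
    report = {name: audit_admin(name, fields) for name, fields in admins.items()}
    supers = [name for name, fields in admins.items() if "super_admin" in fields.get("accprofile", [])]
    if len(supers) > 1:
        for name in supers:
            report[name].append(f"one of {len(supers)} super_admin accounts; segregate roles")
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ADMIN_CONFIG).items():
        print(name, "->", findings or ["ok"])
```

On the sample only fwadmin passes cleanly: admin has no trusted hosts and keeps the default name, backup carries the 0.0.0.0 placeholder that matches everything, and ldap_admins combines a /16 trusted range with a wildcard mapping to super_admin, which is the case the caveat on the LDAP administrator CLI above warns against. Because show output omits defaults, run the audit on show full-configuration output if you want the 0.0.0.0 entries to appear explicitly rather than as missing lines.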
SSH log in time out
By default, an SSH client has 120 seconds to complete the login before the FortiGate closes the connection. You can use the following CLI command to reduce this time to enhance security:
config system global
set admin-ssh-grace-time <number_of_seconds>
end
The range can be between 10 and 3600 seconds.
HTTPS redirect
You can redirect an administrator's traffic from HTTP to HTTPS for a more secure connection.
To redirect HTTP to HTTPS - GUI
- Go to System > Settings.
- Under Administration Settings, enable Redirect to HTTPS.
- Select Apply.
To redirect HTTP to HTTPS - CLI
config system global
set admin-https-redirect enable
end
This command is not available on low-crypto FortiGates. The default is disable.
Log in/out warning message
For administrators logging in and out of the FortiGate, you can include a log in disclaimer. The disclaimer presents a statement that the administrator must accept or decline; organizations governed by strict usage policies use it for forensic and legal reasons.
This disclaimer can appear either before the log in screen loads (pre-login banner) or after an administrator enters their credentials (post-login banner). The disclaimer is enabled through the CLI:
config system global
set pre-login-banner enable
set post-login-banner enable
end
The banner is a default message that you can customize by going to System > Replacement Messages. Select Extended View to see the Administrator category and messages.
Disable the console interface
You can disable your FortiGate's console interface to prevent any unwanted login attempts. Keep in mind that this also removes the out-of-band path you would otherwise use if network management access is lost, so make sure another way to reach the device remains available:
config system console
set login disable
end
Disable other interfaces
If any of the interfaces on the FortiGate are not being used, disable traffic on that interface. This avoids someone plugging in network cables and potentially causing network bypass or loop issues.
To disable an interface - GUI
- Go to Network > Interfaces.
- Select the interface from the list and select Edit.
- For Administrative Status, select Down.
- Select OK.
To disable an interface - CLI
config system interface
edit <interface_name>
set status down
end