User management : Configuring user accounts
 
Configuring user accounts
After you configure access profiles and user profiles, you can start to add user accounts.
To configure an account
1. Go to System > Administrator > Administrator.
To access this part of the web UI, your account’s Type must be Administrator.
2. Click New.
A dialog appears.
3. Configure these settings:
Setting name
Description
Username
Type the name of the account, such as IT, that can be referenced in other parts of the configuration.
Do not use spaces or special characters. The maximum length is 35 characters.
Note: This is the entire user name that the person must provide when logging in to the CLI or web UI. Depending on Authentication, your external authentication server may require that you enter both the user name and the domain part, such as guard@example.com.
Display name
Type a name for the recipient, such as FortiRecorder admin, as you want it to appear in snapshot notifications, if any, sent by FortiRecorder.
Email address
Type the person’s email address or an email alias, such as all-admins@example.com, that will receive snapshot notifications, if any, sent by FortiRecorder (see “Configuring FortiRecorder to send notification email”).
If you do not know the email address and cannot provide it, don’t worry. The person still will be able to view camera-related notifications whenever he or she logs in to the FortiRecorder NVR. Additionally, the person can configure his or her own email address later, when he or she logs in.
Note: This is not used by accounts whose Type is Viewer; they cannot receive snapshot notifications.
Message method
Select either Email or SMS to send notification messages to this user. For details about notifications, see “Notifications”.
Password
Type a password for the account.
This field is available only when Authentication is Local or RADIUS + Local.
Tip: For improved security, the password should be at least eight characters long, be sufficiently complex, and be changed regularly. To check the strength of your password, you can use a utility such as Microsoft’s password strength meter.
Confirm Password
Re-enter the password to confirm its spelling.
This field is available only when Authentication is Local or RADIUS + Local.
Trusted hosts
Type the IP address and netmask from which the account is allowed to log in to the FortiRecorder appliance. You can specify up to 10 trusted network areas. Each area can be a single computer, a whole subnet, or a mixture.
To allow login attempts from any IP address, enter 0.0.0.0/0.
To allow logins only from a single computer, enter its IP address and a 32-bit netmask, such as:
172.168.1.50/32
Caution: If you configure trusted hosts, do so for all accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one account unrestricted (i.e. 0.0.0.0/0), the FortiRecorder appliance must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.
Tip: If you allow login from the Internet, set a longer and more complex Password, and enable only secure administrative access protocols (HTTPS and SSH) to minimize the security risk. For information on administrative access protocols, see “NVR configuration”.
Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.
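The trusted hosts check and the caution above, as an added example (not FortiRecorder code): a small audit that tests whether a source address matches an account's trusted host entries, enforces the 10-entry limit, and flags any account left at 0.0.0.0/0, since one such account re-exposes every account to login attempts. The account list is constructed sample data.

```python
import ipaddress

MAX_TRUSTED_HOSTS = 10  # page: up to 10 trusted network areas per account


def parse_trusted_hosts(entries):
    """Parse 'address/netmask' entries (e.g. 172.168.1.50/32 or 0.0.0.0/0) into networks."""
    if len(entries) > MAX_TRUSTED_HOSTS:
        raise ValueError("at most %d trusted host entries allowed" % MAX_TRUSTED_HOSTS)
    # strict=False accepts host bits set, as in a single-host /32 entry
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def login_allowed(src_ip, entries):
    """True if src_ip lies inside any trusted host entry for this account."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in parse_trusted_hosts(entries))


def unrestricted_accounts(accounts):
    """Names of accounts whose trusted hosts include the any-address entry 0.0.0.0/0.

    Per the page, even one such account forces the appliance to accept login
    attempts on every administrative interface, so these are the ones to fix.
    """
    return sorted(
        name for name, entries in accounts.items()
        if any(net.prefixlen == 0 for net in parse_trusted_hosts(entries))
    )


# Constructed sample, not exported from a real appliance
SAMPLE_ACCOUNTS = {
    "admin": ["172.168.1.50/32"],
    "it": ["10.0.5.0/24", "172.168.1.60/32"],
    "guard": ["0.0.0.0/0"],
}

if __name__ == "__main__":
    print("unrestricted:", unrestricted_accounts(SAMPLE_ACCOUNTS))
    print("admin from 172.168.1.50:", login_allowed("172.168.1.50", SAMPLE_ACCOUNTS["admin"]))
    print("admin from 172.168.1.51:", login_allowed("172.168.1.51", SAMPLE_ACCOUNTS["admin"]))
```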
Type
Select either:
Administrator — Suited to network technicians or administrators. The account has full access to configure all FortiRecorder NVR network and camera settings, create accounts, receive all notifications via email, and view live video feeds and previous recordings from all cameras.
Operator — Suited to an office manager or perhaps a security guard. The account can view assigned live camera feeds and associated previous recordings, including camera-based notifications via email (“snapshot notifications”). It can change its own password, but otherwise cannot change the FortiRecorder NVR or camera configuration, reducing the risk of accidental misconfiguration.
Viewer — Suited to a security guard. The account can view only assigned live camera feeds. It cannot view previous recordings, and therefore cannot receive snapshot notifications. It can change its own password, but otherwise cannot change the FortiRecorder NVR or camera configuration.
This option does not appear for the admin administrator account, which by definition is always an administrator.
User profile
With a user profile, you can specify which group of camera video feeds and recordings the account will be able to access. You can also use schedules to control when the user is allowed to access the video. For details, see “Configuring schedules” on page 28.
To configure a user profile, click New or go to System > Administrator > User Profile.
If no user profile is specified, then the user can access all of the cameras all the time.
Access profile
If you are creating an administrator account, you can specify an access profile to grant the account certain access privileges.
To configure an access profile, go to System > Administrator > Access Profile.
The administrator account can have read-only, read-write, or no access rights to the following administrative categories:
System Access — Controls settings critical to network accessibility of FortiRecorder
    System Status page
    GUI console
    Network
    Administrator
    Authentication and certificates
System — Controls other system settings
    Time
    Remote storage
    Log settings
    Alert email
Camera Config — Controls camera installation and configuration
Camera View — Monitor page with video, timeline and camera control
Other — Everything else
Authentication
Select one of:
Local — Authenticate using an account whose name, password, and other settings are stored locally, in the FortiRecorder NVR’s configuration.
RADIUS — Authenticate by querying the remote RADIUS server that stores the account’s name and password. Also configure RADIUS profile and Check permission attribute on RADIUS server.
RADIUS+Local — Authenticate either by querying the remote RADIUS server that stores the account’s name and password, or by querying the accounts stored locally, in the FortiRecorder appliance’s configuration. Also configure RADIUS profile and Check permission attribute on RADIUS server.
LDAP — Authenticate by querying a remote LDAP server that stores the account’s name and password. Also configure LDAP profile.
RADIUS profile
Select a RADIUS authentication profile that defines the RADIUS connection settings. See “To configure a RADIUS query”.
This field appears only when Authentication is RADIUS or RADIUS+Local.
Caution: Secure your authentication server and, if possible, all query traffic to it. Compromise of the authentication server could allow attackers to gain administrative access to your FortiRecorder appliance.
Check permission attribute on RADIUS server
Enable to let the RADIUS server override Type when it replies to authentication queries, so that the RADIUS server can specify the account’s permissions. Also configure Vendor ID and Subtype ID.
This option requires that:
    Your RADIUS server must support vendor-specific attributes (VSAs) similar to RFC 2548. (If your server does not support them, it may reply with an “attribute not supported” error.)
    Your RADIUS server’s dictionary must have:
        a vendor ID for Fortinet/FortiRecorder
        an attribute ID for user types (“access profile” names)
    Each FortiRecorder account on your RADIUS server must have a user type attribute with a value that specifies which Type to apply, e.g.
        Fortinet-Access-Profile = Administrator
    or
        Fortinet-Access-Profile = Operator
Some RADIUS servers already include the Fortinet vendor ID and subtype ID in their default dictionaries. In this case, no server-side configuration is necessary. Otherwise, you must configure your server. Methods vary by vendor (FreeRADIUS and Internet Authentication Services for Microsoft Windows 2008 Server, for example, are configured differently); for instructions, consult your server’s documentation. For an example VSA dictionary, see the article FortiGate RADIUS VSA Dictionary.
This field appears only when Authentication is RADIUS or RADIUS+Local.
 
Vendor ID
Type the vendor ID for Fortinet, as it is defined on your RADIUS server, in decimal. On many RADIUS servers, Fortinet’s default vendor ID is 12356.
The vendor ID is an ID for the Fortinet client types. It should be present in Access-Request packets from FortiRecorder, telling your RADIUS server which settings are supported by accounts on FortiRecorder. It should also be present when the RADIUS server replies with an Access‑Accept packet.
The default value is 0.
 
Subtype ID
Type the subtype ID for account permissions as it is defined on your RADIUS server. On many RADIUS servers, Fortinet’s default subtype ID for access profiles is 6.
The subtype ID is an ID for the user type (permissions) attribute. It should be, but is not required to be, present in Access‑Accept reply packets from your RADIUS server to FortiRecorder.
Packets from your RADIUS server should use this attribute’s value to refer to the name of a Type (e.g. Administrator) on FortiRecorder. If the packet does not have this attribute-value pair, FortiRecorder will use whichever permissions you defined locally for the account in Type. If the packet does not contain the attribute-value pair and you have not configured Type, then even a successfully authenticated person has null authorization and receives a “permission denied” error message:
you do not have rights to view this page
The default value is 0.
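The Check permission attribute, Vendor ID and Subtype ID settings above, as an added example (not FortiRecorder or Fortinet code): it encodes and decodes an RFC 2865 Vendor-Specific attribute carrying the access-profile string under the page's default vendor ID 12356 and subtype 6, then applies the precedence the page describes (VSA overrides Type; otherwise the local Type; otherwise null authorization). The Reply-Message attribute and all values are constructed sample data.

```python
import struct

FORTINET_VENDOR_ID = 12356     # page: Fortinet's default vendor ID on many RADIUS servers
ACCESS_PROFILE_SUBTYPE = 6     # page: default subtype ID for access profiles
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
ATTR_REPLY_MESSAGE = 18        # RFC 2865 Reply-Message, used here only as filler


def encode_vsa(vendor_id, subtype, value):
    """Build one Vendor-Specific attribute: type 26, length, 4-byte vendor ID, then subtype/len/value."""
    data = value.encode()
    inner = struct.pack("!BB", subtype, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def iter_attributes(blob):
    """Yield (type, payload) for each type-length-value attribute in a raw attribute list."""
    i = 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield atype, blob[i + 2:i + alen]
        i += alen


def find_access_profile(blob, vendor_id=FORTINET_VENDOR_ID, subtype=ACCESS_PROFILE_SUBTYPE):
    """Return the access-profile string from an Access-Accept attribute list, or None if absent."""
    for atype, payload in iter_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != vendor_id:
            continue  # another vendor's VSA; skip it
        j = 4
        while j + 2 <= len(payload):
            vtype, vlen = payload[j], payload[j + 1]
            if vlen < 2 or j + vlen > len(payload):
                raise ValueError("malformed VSA sub-attribute")
            if vtype == subtype:
                return payload[j + 2:j + vlen].decode()
            j += vlen
    return None


def effective_type(accept_attrs, local_type, check_permission_attr=True):
    """VSA value wins when the option is enabled; else the local Type; None means 'permission denied'."""
    if check_permission_attr:
        remote = find_access_profile(accept_attrs)
        if remote is not None:
            return remote
    return local_type or None


# Constructed Access-Accept attribute list: a Reply-Message followed by the Fortinet VSA
SAMPLE_ACCEPT = (struct.pack("!BB", ATTR_REPLY_MESSAGE, 4) + b"ok"
                 + encode_vsa(FORTINET_VENDOR_ID, ACCESS_PROFILE_SUBTYPE, "Operator"))
```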
LDAP profile
Select an LDAP authentication profile that defines the connection settings. See “To configure an LDAP query”.
Caution: Secure your authentication server and, if possible, all query traffic to it. Compromise of the authentication server could allow attackers to gain administrative access to your FortiRecorder appliance.
Theme
Select this administrator account’s preference for the initial web UI color scheme or click Use Current to choose the theme currently in effect for your own web UI session.
The administrator may switch the theme at any time after he or she logs in by clicking Next Theme in the top right corner.
4. Click Create.
The account should now be able to log in.