Administrator settings
The Admin Settings page allows you to configure global settings for administrator access to the FortiAnalyzer unit, including:
- Ports for HTTPS and HTTP administrative access
- HTTPS & Web Service server certificate
- Idle Timeout settings
- Language of the web-based manager
- Password Policy
Only the admin administrator can configure these system options, which apply to all administrators logging onto the FortiAnalyzer unit.
To configure administrative settings:
- Go to System Settings > Admin > Admin Settings.
The Settings dialog box opens.
Figure 62: Settings dialog box
- Configure the following settings:
Administration Settings

| Setting | Description |
| --- | --- |
| HTTP Port | Enter the TCP port to be used for administrative HTTP access. |
| Redirect to HTTPS | Select this option to automatically redirect administrative HTTP access to HTTPS. |
| HTTPS Port | Enter the TCP port to be used for administrative HTTPS access. |
| HTTPS & Web Service Server Certificate | Select a certificate from the drop-down list. |
| Idle Timeout | Enter the number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). For security, keep the idle timeout short so that an administrator who inadvertently leaves the management computer logged in to the FortiAnalyzer unit does not give anyone who walks up to it the opportunity to modify the network options. |
| Language | Select a language from the drop-down list. Select either English, Simplified Chinese, Traditional Chinese, Japanese, Korean, or Auto Detect. The default value is Auto Detect. |
| Password Policy | |
| Enable | Select to enable the administrator password policy. |
| Minimum Length | Select the minimum length for a password. The default is eight characters. |
| Must Contain | Select the types of characters that a password must contain. |
| Admin Password Expires after | Select the number of days that a password is valid for, after which time it must be changed. |
- Select Apply to save your settings. The settings are applied to all administrator accounts.
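The following is an added example, not part of the FortiAnalyzer guide: a small checker that applies the Admin Settings values described above (Minimum Length, Must Contain character classes, Admin Password Expires after, and the 480-minute Idle Timeout ceiling) to candidate passwords and sessions, so an administrator can see what a given policy accepts and rejects before rolling it out. The character-class labels, the 90-day expiry and the requirement for all four classes are assumptions; the product's own option names are not reproduced.

```python
# Added example (not from the FortiAnalyzer guide): evaluate candidate administrator
# passwords and admin sessions against the Admin Settings policy values on the page.
# Policy values marked "assumed" are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_IDLE_MINUTES = 480  # page: idle timeout maximum is 480 minutes (8 hours)
DEFAULT_MIN_LENGTH = 8  # page: default minimum password length is eight characters

# Character classes an administrator can require under "Must Contain".
# These labels are our own, not the product's option names.
CLASS_TESTS = (
    ("upper", str.isupper),
    ("lower", str.islower),
    ("digit", str.isdigit),
    ("special", lambda c: not c.isalnum() and not c.isspace()),
)


@dataclass(frozen=True)
class PasswordPolicy:
    enabled: bool = True
    minimum_length: int = DEFAULT_MIN_LENGTH
    must_contain: frozenset = frozenset(name for name, _ in CLASS_TESTS)  # assumed: all classes
    expires_after_days: int = 90  # assumed value for "Admin Password Expires after"


def _ts(value) -> datetime:
    """Accept either a datetime or an ISO 8601 string (constructed timestamps in tests)."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def check_password(policy: PasswordPolicy, password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    if not policy.enabled:
        return []  # a disabled policy accepts anything, which is the risk of leaving it off
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"length {len(password)} is below the minimum of {policy.minimum_length}")
    for name, test in CLASS_TESTS:  # fixed order keeps the report deterministic
        if name in policy.must_contain and not any(test(c) for c in password):
            problems.append(f"missing {name}")
    return problems


def password_expired(policy: PasswordPolicy, last_changed, now) -> bool:
    """True once the password is older than 'Admin Password Expires after' days."""
    if not policy.enabled:
        return False
    return _ts(now) - _ts(last_changed) > timedelta(days=policy.expires_after_days)


def validate_idle_timeout(minutes: int) -> int:
    """Reject idle-timeout values outside what the page allows (1..480 minutes)."""
    if not 1 <= minutes <= MAX_IDLE_MINUTES:
        raise ValueError(f"idle timeout must be 1..{MAX_IDLE_MINUTES} minutes, got {minutes}")
    return minutes


def session_idle_expired(idle_timeout_minutes: int, last_activity, now) -> bool:
    """True when an admin session has been idle longer than the configured timeout."""
    limit = timedelta(minutes=validate_idle_timeout(idle_timeout_minutes))
    return _ts(now) - _ts(last_activity) > limit


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):  # constructed sample passwords
        print(f"{candidate!r}: {check_password(policy, candidate) or 'ok'}")
    print("expired after 91 days:", password_expired(policy, "2023-10-02", "2024-01-01"))
    print("15-minute session idle 16 minutes:",
          session_idle_expired(15, "2024-01-01T09:44:00", "2024-01-01T10:00:00"))
```

The checker reports every violation rather than stopping at the first, which is what an administrator wants when tuning Must Contain and Minimum Length together; `validate_idle_timeout` mirrors the page's 480-minute ceiling so a misconfigured value is caught before it is applied.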
Configure two-factor authentication for administrator login
To configure two-factor authentication for administrator login you will need the following:
- FortiAnalyzer
- FortiAuthenticator
- FortiToken
FortiAuthenticator side configuration
The following instructions describe the steps required on your FortiAuthenticator device.
Before proceeding, ensure that you have configured your FortiAuthenticator and that you have created a NAS entry for your FortiAnalyzer and created/imported FortiTokens. For more information, see the FortiAuthenticator Interoperability Guide and FortiAuthenticator Administration Guide available in the Fortinet Document Library.
To create a new local user:
- Go to Authentication > User Management > Local Users.
- Select Create New in the toolbar.
The Create New User page opens.
Figure 63: Create a new user
- Configure the following settings:
| Setting | Description |
| --- | --- |
| Username | Enter a user name for the local user. |
| Password creation | Select Specify a password from the drop-down list. |
| Password | Enter a password. The password must be a minimum of 8 characters. |
| Password confirmation | Re-enter the password. |
| Enable account expiration | Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide. |
- Select OK to continue.
The Change user page opens.
Figure 64: Change user
- Configure the following settings:
| Setting | Description |
| --- | --- |
| Password-based authentication | Leave this option selected. Select [Change Password] to change the password for this local user. |
| Token-based authentication | Select to enable token-based authentication. |
| Deliver token code by | Select to deliver the token code by FortiToken. |
| FortiToken 200 | Select the FortiToken from the drop-down list. |
| Enable account expiration | Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide. |
| User Role | |
| Role | Select either Administrator or User. |
| Allow RADIUS authentication | Select to allow RADIUS authentication. |
| Allow LDAP browsing | Optionally, select to allow LDAP browsing. For more information see the FortiAuthenticator Administration Guide. |
- Select OK to save the setting.
To create a new RADIUS client:
- Go to Authentication > RADIUS Service > Clients.
- Select Create New in the toolbar.
The Create New RADIUS Client page opens.
Figure 65: Create new RADIUS client
- Configure the following settings:
| Setting | Description |
| --- | --- |
| Name | Enter a name for the RADIUS client entry. |
| Client name/IP | Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiAnalyzer. |
| Secret | Enter the server secret. This value must match the FortiAnalyzer RADIUS server setting at System Settings > Admin > Remote Auth Server. |
| Description | Enter an optional description for the RADIUS client entry. |
| Authentication method | Select Enforce two-factor authentication from the list of options. |
| Username input format | Select the username input format. |
| Realms | Create and define the Realm. For more information see the FortiAuthenticator Administration Guide. |
| Allow MAC-based authentication | Optional configuration. For more information see the FortiAuthenticator Administration Guide. |
| EAP types | Optional configuration. For more information see the FortiAuthenticator Administration Guide. |
- Select OK to save the setting.
FortiAnalyzer side configuration
The following instructions describe the steps required on your FortiAnalyzer device.
To configure the RADIUS server:
- Go to System Settings > Admin > Remote Auth Server.
- Select Create New in the toolbar and select RADIUS from the drop-down list.
The New RADIUS Server page opens.
Figure 66: New RADIUS server page
- Configure the following settings:
| Setting | Description |
| --- | --- |
| Name | Enter a name to identify the FortiAuthenticator. |
| Server Name/IP | Enter the IP address or fully qualified domain name of your FortiAuthenticator. |
| Server Secret | Enter the FortiAuthenticator secret. |
| Secondary Server Name/IP | Enter the IP address or fully qualified domain name of the secondary FortiAuthenticator, if applicable. |
| Secondary Server Secret | Enter the secondary FortiAuthenticator secret, if applicable. |
| Port | Enter the port for FortiAuthenticator traffic. The default port is 1812. |
| Auth-Type | Enter the authentication type the FortiAuthenticator requires. The default setting of ANY has the FortiAnalyzer unit try all the authentication types. Select one of: ANY, PAP, CHAP, or MSv2. |
- Select OK to save the setting.
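Both the RADIUS client entry on FortiAuthenticator (above, under "To create a new RADIUS client") and the RADIUS server entry on FortiAnalyzer depend on the same shared secret, and the page only says the two values "must match". The following added example, which is not part of the Fortinet documentation and not FortiAuthenticator or FortiAnalyzer code, walks through a minimal RFC 2865 exchange for the PAP Auth-Type in memory to show what that secret actually does: the NAS (FortiAnalyzer's role) hides User-Password under a keystream derived from the secret and a random Request Authenticator, the server decodes it with its own copy of the secret, and the client validates the Response Authenticator with the same secret. The secret, user name, password and the `radius_server` stand-in are constructed sample values; nothing is sent over UDP port 1812.

```python
# Added example (not from the FortiAnalyzer or FortiAuthenticator guides): a minimal
# RFC 2865 RADIUS Access-Request / Access-Accept exchange with PAP, demonstrating why the
# RADIUS client secret and the FortiAnalyzer Server Secret must match. All values are
# constructed; the "server" is an in-memory stand-in, not FortiAuthenticator.
import hashlib
import hmac
import os
import struct

RADIUS_AUTH_PORT = 1812  # page: default FortiAuthenticator port (informational here)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of section 5.2. A mismatched secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        out += _xor(encoded[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, secret: bytes, identifier: int) -> bytes:
    """What the NAS sends: a fresh random Request Authenticator, User-Name, and the
    secret-encoded User-Password."""
    request_auth = os.urandom(16)
    attrs = _attribute(ATTR_USER_NAME, username)
    attrs += _attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, raw_attrs, {type: value}); rejects bad lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + attr_len]  # last value wins if a type repeats
        pos += attr_len
    return code, identifier, data[4:20], data[20:], attrs


def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Constructed stand-in for the server: decode with *its* secret, answer Accept/Reject."""
    code, identifier, request_auth, _, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    username = attrs.get(ATTR_USER_NAME, b"")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(users.get(username, b"\x00"), password)
    verdict = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", verdict, identifier, 20)  # no reply attributes in this toy
    return header + response_authenticator(verdict, identifier, b"", request_auth, secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the reply must echo our identifier and carry an authenticator
    computed with our Request Authenticator and our copy of the secret."""
    code, identifier, authenticator, attrs, _ = parse_packet(response)
    if identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, attrs, request[4:20], secret)
    return hmac.compare_digest(authenticator, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(b"alice", b"S3cret!pw", secret, 7)
    resp = radius_server(req, secret, {b"alice": b"S3cret!pw"})
    print("reply code:", resp[0], "(2 = Access-Accept)", "authenticator valid:", verify_response(resp, req, secret))
```

Two things the exchange makes visible that the configuration tables do not: a secret mismatch does not produce a clear error, the server simply decodes an unrelated byte string and rejects the user, which is why a "wrong password" symptom after setting up the Remote Auth Server is worth checking against the client entry on the FortiAuthenticator side; and the Response Authenticator is the only thing binding an Access-Accept to the request, so a client that skips `verify_response` would accept a reply from anything that can reach its source port. The page's own advice still applies: this protection is as strong as the secret, so it should be long and unique per client.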
To create the admin users:
- Go to System Settings > Admin > Administrator.
- Select Create New in the toolbar.
The New Administrator page opens.
Figure 67: New administrator page
- Configure the following settings:
| Setting | Description |
| --- | --- |
| User Name | Enter the name that this administrator uses to log in. |
| Description | Optionally, enter a description of this administrator’s role, location or reason for their account. This field adds an easy reference for the administrator account. |
| Type | Select RADIUS from the drop-down list. |
| RADIUS Server | Select the RADIUS server from the drop-down menu. |
| Wildcard | Select to enable wildcard. Wildcard authentication allows authentication from any local user account on the FortiAuthenticator. To restrict authentication, RADIUS service clients can be configured to authenticate only specific user groups. |
| New Password | Enter the password. This field is available if Type is RADIUS and Wildcard is not selected. |
| Confirm Password | Enter the password again to confirm it. This field is available if Type is RADIUS and Wildcard is not selected. |
| Admin Profile | Select a profile from the drop-down menu. The profile selected determines the administrator’s access to the FortiAnalyzer unit’s features. To create a new profile see “Configuring administrator profiles” on page 80. |
| Administrative Domain | Choose the ADOMs this administrator will be able to access, or select All ADOMs. Select Specify and then select the Add icon to add Administrative Domains. Select the Remove icon to remove an Administrative Domain. This field is available only if ADOMs are enabled (see “Administrative Domains” on page 27). The Super_User profile defaults to All ADOMs access. |
| Trusted Host | Optionally, enter the trusted host IPv4 or IPv6 address and netmask from which the administrator can log in to the FortiAnalyzer unit. Select the Add icon to add trusted hosts. You can specify up to ten trusted hosts. Select the Delete icon to remove trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see “Using trusted hosts” on page 78. |
- Select OK to save the setting.
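The Trusted Host field above accepts an address and netmask per entry, up to ten entries, and is optional. The following added example (not part of the FortiAnalyzer guide, and not the unit's own enforcement code) shows how such a list is evaluated: each login attempt's source address is matched against the administrator's trusted networks, an empty list imposes no restriction, and the ten-entry limit is enforced. The administrator names, trusted host entries and login attempts are constructed sample values using documentation address ranges; IPv6 entries are written with a prefix length because Python's `ipaddress` module does not accept a dotted netmask for IPv6.

```python
# Added example (not from the FortiAnalyzer guide): evaluate administrator login attempts
# against a per-account Trusted Host list (IPv4 address/netmask, IPv4 or IPv6 address/prefix,
# or a bare address; at most ten entries). Accounts, entries and attempts are constructed.
import ipaddress

MAX_TRUSTED_HOSTS = 10  # page: up to ten trusted hosts per administrator


def parse_trusted_hosts(entries):
    """Parse the configured entries into network objects, enforcing the ten-entry limit."""
    if len(entries) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"at most {MAX_TRUSTED_HOSTS} trusted hosts allowed, got {len(entries)}")
    # strict=False lets host bits be set, so 192.0.2.10/255.255.255.0 means 192.0.2.0/24.
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def login_allowed(trusted, source):
    """Return (allowed, matching network or None). An empty list means no restriction,
    which is the field's default and the weaker posture."""
    src = ipaddress.ip_address(source)
    if not trusted:
        return True, None
    for net in trusted:
        if src.version == net.version and src in net:
            return True, net
    return False, None


def audit_logins(admins, attempts):
    """admins: {name: [trusted host strings]}; attempts: [(name, source_ip)].
    Returns one decision line per attempt; unknown accounts are refused."""
    parsed = {name: parse_trusted_hosts(hosts) for name, hosts in admins.items()}
    decisions = []
    for name, source in attempts:
        if name not in parsed:
            decisions.append(f"{name} from {source}: refused (unknown account)")
            continue
        ok, net = login_allowed(parsed[name], source)
        if net is not None:
            reason = f"matched {net}"
        elif ok:
            reason = "no trusted hosts configured"
        else:
            reason = "not in a trusted host"
        decisions.append(f"{name} from {source}: {'allowed' if ok else 'refused'} ({reason})")
    return decisions


# Constructed sample configuration and login attempts.
ADMINS = {
    "ops-admin": ["192.0.2.0/255.255.255.0", "2001:db8:1::/64"],
    "legacy-admin": [],  # no trusted hosts: any source may attempt to log in
}
ATTEMPTS = [
    ("ops-admin", "192.0.2.45"),
    ("ops-admin", "198.51.100.9"),
    ("ops-admin", "2001:db8:1::1f"),
    ("legacy-admin", "203.0.113.200"),
    ("ghost", "192.0.2.45"),
]

if __name__ == "__main__":
    for line in audit_logins(ADMINS, ATTEMPTS):
        print(line)
```

Running the audit over a real login log is a quick way to find accounts like `legacy-admin` that still have no trusted hosts, which is the case the page recommends closing by setting trusted hosts for all administrators.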
To test the configuration:
- Attempt to log into the FortiAnalyzer Web-based Manager with your new credentials.
Figure 68: FortiAnalyzer login page
- Enter your user name and password and select Login.
The FortiToken page is displayed.
Figure 69: FortiToken page
- Enter your FortiToken pin code and select Submit to finish logging in to FortiAnalyzer.