System Settings

Diagnostic tools

Diagnostic tools allows you to run available diagnostic tools, including Ping, Traceroute, and View logs.

Figure 51:Diagnostic tools

Figure 52 provides an example Ping diagnostic output of an internal network device. Figure 52:Example ping diagnostics output

Admin

The System Settings > Admin menu enables you to configure administrator accounts, access profiles, and adjust global administrative settings for the FortiAnalyzer unit. The following sub-menu options are available:

Administrator Select to configure administrative users accounts. For more information, see “Administrator” on page 75.
Profile Select to set up access profiles for the administrative users. For more information, see “Profile” on page 78.
Remote Auth Server Select to configure authentication server settings for administrative log in. For more information, see “Remote authentication server” on page 81.
Admin Settings Select to configure connection options for the administrator including port number, language of the Web-based Manager and idle timeout.

For more information, see “Administrator settings” on page 86.

Monitoring administrator sessions

The Current Administrators view enables you to view the list of administrators logged into the FortiAnalyzer unit. From this window you can also disconnect users if necessary.

To view logged in administrators on the FortiAnalyzer unit, go to System Settings > Dashboard. In the System Information widget, under Current Administrators, select Detail.

The list of current administrator sessions opens.

Figure 53:Administrator session list

The following information is displayed:

User Name The name of the administrator account. Your session is indicated by (current).
IP Address The login type (GUI, jsconsole, SSH, telnet) and IP address where the administrator is logging in from.
Start Time The date and time the administrator logged in.
Time Out (mins) The maximum duration of the session in minutes (1 to 480 minutes).

The following option is available in the toolbar:

Delete                    Select the check box next to the user and select Delete to drop their connection to the FortiAnalyzer unit. Select OK in the confirmation dialog box to proceed with the delete action.

To disconnect an administrator:

  1. Go to System Settings > Dashboard.
  2. In the System Information widget, in the Current Administrators field, select Detail. The list of current administrator sessions appears; see Figure 53.
  3. Select the check box for each administrator session that you want to disconnect, and select Delete.
  4. Select OK to confirm deletion of the session.

The disconnected administrator will see the FortiAnalyzer login screen when disconnected. They will not have any additional warning. If possible, it is advisable to inform the administrator before disconnecting them, in case they are in the middle of important configurations for the FortiAnalyzer or another device.

Administrator

Go to System Settings > Admin > Administrator to view the list of administrators and configure administrator accounts. Only the default admin administrator account can see the complete administrators list. If you do not have certain viewing privileges, you will not see the administrator list.

Figure 54:Administrator list

The following information is displayed:

User Name The name this administrator uses to log in. Select the administrator name to edit the administrator settings.
Type The type of administrator account, one of: LOCAL, RADIUS, LDAP, TACACS+, or PKI.
Profile The administrator profile for this user that determines the privileges of this administrator. The profile can be one of: Restricted_User,

Standard_User, Super_User, or a custom defined profile. For information on administrator profiles, see “Profile” on page 78.

ADOM The ADOMs to which the user has access. ADOM access can be to all ADOMs or specific ADOMs which are assigned to the profile.
Status Indicates whether the administrator is currently logged into the

FortiAnalyzer unit not. A green circle with an up arrow indicates that the administrator is logged in, a red circle with a down arrow indicates that they are not.

Comments Descriptive text about the administrator account.

The following options are available:

 Create New Select to create a new administrator. For more information, see “To create a new administrator account:” on page 76.
 Delete Select the check box next to the administrator you want to remove from the list and select Delete. Delete is also available in the right-click menu.
Edit Select the administrator in the table, right-click, and select Edit in the right-click menu to edit the entry. Alternatively, you can double-click the entry to open the Edit Administrator page.

To create a new administrator account:

  1. Go to System Settings > Admin > Administrator and select Create New.

The New Administrator dialog box appears.

Figure 55:New administrator

  1. Configure the following settings:
User Name Enter the name that this administrator uses to log in.
Description Optionally, enter a description of this administrator’s role, location or reason for their account. This field adds an easy reference for the administrator account.
Type Select the type of authentication the administrator will use when logging into the FortiAnalyzer unit. Select one of: LOCAL, RADIUS, LDAP, TACACS+, or PKI. If you select LOCAL, you will need to add a password.
Subject If Type is set to PKI, enter a description.
CA If Type is set to PKI, select a certificate in the drop-down list.
Require two-factor authentication If Type is set to PKI, you can select the checkbox to enforce two-factor authentication. Enter a password and confirm.
New Password Enter the password.
Confirm Password Enter the password again to confirm it.
Server Select the RADIUS, LDAP, or TACACS+ server, as appropriate. This option is only available if Type is not LOCAL or PKI.
wildcard Select this option to set the password as a wildcard. This option is only available if Type is not LOCAL or PKI.
Admin Profile Select a profile from the list. The profile selected determines the administrator’s access to the FortiAnalyzer unit’s features.

Restricted_User and Standard_User admin profiles do not have access to the System Settings tab. An administrator with either of these admin profiles will see a change password icon, , in the navigation pane.

To create a new profile see “Configuring administrator profiles” on page 80.

Admin Domain Choose the ADOMs this administrator will be able to access, or select All ADOMs. Select Specify and then select the Add icon, , to add Administrative Domains. Select the remove icon, , to remove an Administrative Domain.

This field is available only if ADOMs are enabled (see

“Administrative Domains” on page 27).The Super_User profile defaults to All ADOMs access.

Trusted Host Optionally, enter the trusted host IPv4 or IPv6 address and network mask from which the administrator can log in to the FortiAnalyzer unit. You can specify up to ten trusted hosts in the Web-based Manager or in the CLI.

Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see “Using trusted hosts” on page 78.

  1. Select OK to create the new administrator account.

To edit an administrator account:

  1. From the administrator list, either double-click on an administrator, or right-click and select Edit.

The Edit Administrator window opens.

  1. Edit the settings as required.
  2. Optionally, select Change Password to change the password associated with the account.
  3. Select OK to save your changes.

To delete an existing administrator account:

  1. From the administrator list, select the check box of the administrator account or accounts that you need to delete, then select Delete in the toolbar.
  2. Select OK in the confirmation dialog box to delete the administrator account.
Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiAnalyzer unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the Web-based Manager and to the CLI when accessed through SSH. CLI access through the console connector is not affected.

Profile

The profile list allows you to create and edit administrator profiles. Administrator profiles are used to limit administrator access privileges to devices or system features. The administrator profiles restrict access to both the Web-based Manager and CLI.

To view the list of administrator profiles, go to the System Settings > Admin > Profile page.

Figure 56:Administrator profile list

The following information is displayed:

Profile The administrator profile name. Select the profile name to view or modify existing settings. For more information about profile settings, see “Configuring administrator profiles” on page 80.
Description Provides a brief description of the system and device access privileges allowed for the selected profile.

The following options are available:

 Create New Select to create a custom administrator profile. See “To create a new profile:” on page 80.
 Delete Select the check box next to the profile you want to delete and select Delete. Predefined profiles cannot be deleted. You can only delete custom profiles when they are not applied to any administrators. Delete is also available in the right-click menu.
Edit Right-click on a profile and select Edit in the right-click menu, or double-click on a profile to open the Edit Profile page. See “To edit a profile:” on page 81.
Predefined profiles

There are three predefined profiles:

Restricted_User Restricted user profiles have no System Privileges enabled, and have read-only access for all Device Privileges.
Standard_User Standard user profiles have no System Privileges enabled, but have read/write access for all Device Privileges.
Super_User Super user profiles have all system and device privileges enabled.

Table 5 lists permissions for the three predefined administrator profiles.

When Read-Write is selected, the user can view and make changes to the FortiAnalyzer system. When Read-Only is selected, the user can only view information. When None is selected, the user can neither view or make changes to the FortiAnalyzer system.

Table 5: Predefined profiles, FortiAnalyzer features, and permissions

Feature Predefined Administrator Profiles
Super User Standard User Restricted User
System Settings / system-setting Read-Write None None
Administrator Domain / adom-switch Read-Write Read-Write None
Device Manager / device-manager Read-Write Read-Write Read-Only
  Add/Delete Devices/Groups / device-op Read-Write Read-Write None
FortiView / realtime-monitor Read-Write Read-Write Read-Only
Log View / log-viewer Read-Write Read-Write Read-Only
Reports / report-viewer Read-Write Read-Write Read-Only

Table 5: Predefined profiles, FortiAnalyzer features, and permissions (continued)

Feature   Predefined Administrator Profiles
Super User Standard User Restricted User
Event Management / event-management   Read-Write Read-Write Read-Only
  CLI Only Settings
profileid   Super_User Standard_User Restricted_User
scope   global global global

You cannot delete these profiles, but you can edit them. You can also create new profiles as required.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.