Administration settings
The Admin menu provides settings for configuring administrators and their profiles, as well as basic administrative settings such as changing the default language.
This section describes:
l Administrators l Administrative profiles l Settings
Administrators
Administrators are configured in System > Admin > Administrators. There is already a default administrator account on the unit named admin that uses the super_admin administrator profile.
You need to use the default admin account, an account with the super_admin admin profile, or an administrator with read-write access control to add new administrator accounts and control their permission levels. If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will show only the administrators for the current virtual domain.
The Administrators page lists the default super-admin administrator account, and all administrator accounts that you have created.
Create New | Creates a new administrator account. |
Edit | Modifies settings within an administrator’s account. When you select Edit, you are automatically redirected to the Edit Administrator page. |
Delete | Remove an administrator account.
You cannot delete the original admin account until you create another user with the super_admin profile, log out of the admin account, and log in with the alternate user that has the super_admin profile. To remove multiple administrator accounts, select multiple rows in the list by holding down the Ctrl of Shift keys, then select Delete. |
Name | The login name for an administrator account. |
Trusted Hosts | The IP address and netmask of trusted hosts from which the administrator can log in. |
Profile | The admin profile for the administrator. |
Type | The type of authentication for this administrator, one of:
l Local: Authentication of an account with a local password stored on the FortiCache unit. l Remote: Authentication of a specific account on a RADIUS, Lightweight Directory Access Protocol (LDAP), or Terminal Access Controller Access- Control System (TACACS+) server l Remote+Wildcard: Authentication of any account on an LDAP, RADIUS, or TACACS+ server. l PKI: PKI-based certificate authentication of an account. |
Comments | The comments about the administrator account. |
Right-click on any column heading to adjusts the visible columns or reset all the columns to their default settings.
Adding a new administrator
Select Create New to open the New Administrator page. It provides settings for configuring an administrator account. When you are configuring an administrator account, you can enable authentication for an admin from an LDAP, RADIUS, or local server.
Configure the following settings:
Administrator | Enter the login name for the administrator account.
The name of the administrator should not contain the characters <, >, (, ), #, “, or ‘. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability. |
Type | Select the type of administrator account: Regular, Remote, or PKI. |
Regular | Select to create a Local administrator account. |
Remote | Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first. |
PKI | Select to enable certificate-based authentication for the administrator.
Only one administrator can be logged in with PKI authentication enabled. |
User Group | Select the administrator user group that includes the Remote server/PKI (peer) users as members of the UserGroup. The administrator user group cannot be deleted once the group is selected for authentication.
This option is only available if Type is Remote or PKI. |
Wildcard | Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators.
This option is only available if Type is Remote. |
Password | Enter a password for the administrator account. For improved security, the password should be at least 6 characters long.
This option is only available if Type is Regular. |
Backup Password | Enter a backup password for the administrator account. For improved security, the password should be at least 6 characters long. This option is only available if Type is Remote and Wildcard is not selected. |
Confirm Password | Type the password for the administrator account a second time to confirm that you have typed it correctly.
This option is not available if Type is PKI or Wildcard is selected. |
Comments | Optionally, enter comments about the administrator. |
Admin Profile | Select the admin profile for the administrator. You can also select Create New to create a new admin profile. |
Restrict this Admin Login from Trusted Hosts Only | Select to restrict this administrator login to specific trusted hosts, then enter the trusted hosts IP addresses and netmasks. You can specify up to ten trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0. |
Regular (password) authentication for administrators
You can use a password stored on the local unit to authenticate an administrator. When you select Regular for Type, you will see Local as the entry in the Type column when you view the list of administrators.
Using trusted hosts
Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator can connect only through the subnet or subnets that you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.
The trusted hosts you define apply to the GUI, Ping, SNMP, and the CLI when accessed through Telnet or SSH. CLI access through the console port is not affected.
The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the zero addresses to a non-zero address, the other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.
Administrative profiles
Each administrator account belongs to an admin profile. The admin profile separates FortiCache features into access control categories for which an administrator with read-write access can enable none (deny), read only, or read-write access.
Read-only access for a GUI page enables the administrator to view that page. However, the administrator needs write access to change the settings on the page.
The admin profile has a similar effect on administrator access to CLI commands. You can access get and show commands with Read Only access, but access to config commands requires Read-Write access.
When an administrator has read-only access to a feature, the administrator can access the GUI page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons and lists display only the View icon instead of icons for Edit, Delete, or other modification commands.
You need to use the admin account or an account with read-write access to create or edit admin profiles.
Administrative profile settings
The Admin Profile page lists all administration profiles that you created as well as the default admin profiles. On this page, you can edit, delete, or create a new admin profile.
To view administrator profiles, go to System > Admin > Admin Profile.
The following options are available:
Create New | Creates a new profile. See Adding an administrator profile on page 52. |
Edit | Modifies the selected admin profile’s settings. When you select Edit, you are automatically redirected to the Edit Admin Profile page. |
Delete | Removes the admin profile from the list on the page.
You cannot delete an admin profile that has administrators assigned to it. To remove multiple admin profiles, select multiple rows in the list by holding down the Ctrl of Shift keys, then select Delete. |
Name | The name of the admin profile. |
Comments | Comments about the admin profile. |
Ref. | Displays the number of times the object is referenced to other objects. To view the location of the referenced object, select the number in Ref.; the Object Usage window opens and displays the various locations of the referenced object. |
Adding an administrator profile
Select Create New to open the New Admin Profile page. It provides settings for configuring an administrator profile. When you are editing an existing admin profile, you are automatically redirected to the Edit Admin Profile page.
Configure the following settings, then select OK to create the new administrator profile:
Profile Name | Enter a name for the new admin profile. |
Comments | Optionally, add comments about the admin profile. |
Access Control | List of the items that can customize access control settings if configured. |
None | Deny access to all Access Control categories. |
Read Only | Enable read only access in all Access Control categories. |
Read-Write | Select to allow read-write access in all Access Control categories. |
Access Control (categories) | Make specific access control selections as required.
l System Configuration l Network Configuration l Administrator Users l FortiGuad Update l Maintenance l Router Configuration l Firewall Configuration l Policy Configuration l Address Configuration l Service Configuration l Schedule Configuration l Other Configuration l Security Profile Configuration l AntiVirus l Web Filter l Data Leak Prevention l ICAP l Content Analysis l User & Device l WAN Opt & Cache l Log & Report l Configuration l Data Access |
Settings
Use admin settings to configure general settings for web administration access, password policies, idle timeout settings, and display settings. You can also configure FortiCache Manager support.
Go to System > Admin > Settings to configure administrator settings.
Configure the following settings:
Central Management | |
FortiCache Manager > IP/ Domain Name | Provides support for the upcoming FortiCache Manager. You can enable the communication in FortiCache the same way you would handle a FortiGate connecting to a FortiManager. |
FortiCloud | Enable this option to use FortiCloud for all FortiGuard communications. |
None | Enable this option to have no central management. |
Administration Settings | |
HTTP Port | TCP port to be used for administrative HTTP access. The default is 80. Select Redirect to HTTPS to force redirection to HTTPS. |
HTTPS Port | TCP port to be used for administrative HTTPS access. The default is 443. |
Telnet Port | TCP port to be used for administrative telnet access. The default is 23. |
SSH Port | TCP port to be used for administrative SSH access. The default is 22. |
Idle Timeout | Change the time after which the GUI logs out idle system administration settings, from 1 to 480 minutes. |
Enable Password Policy | Select to enable a password policy. |
Minimum Length | Set the minimum acceptable length for passwords, from 8 to 128 characters. |
Must Contain at Least | Select to enable special character types, upper or lower case letters, or numbers.
Enter information for one or all of the following. Each selected type must occur at least once in the password. l UpperCase Letters – A, B, C, … Z l LowerCase Letters – a, b, c, … z l Numbers (0-9) – 0, 1, 2, … 9 l Special characters – @, ?, #, … % |
Apply Password Policy to | Select to apply the password policy to the Administrator Password. If any password does not conform to the policy, require that administrator to change the password at the next login. |
Enable Password
Expiration |
Require administrators to change password after a specified number of days. Enter the number of days in the field. The default is 90 days. |
View Settings | |
Language | The language the GUI uses: English, French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean.
You should select the language that the operating system of the management computer uses. |
Lines per Page | Number of lines per page to display in table lists. From 20 to 1000, default = 50. |
Certificates
The FortiCache unit generates a certificate request based on the information you entered to identify the FortiCache unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiCache unit and then forward the request to a CA.
The certificate window also enables you to export certificates for authentication, importing, and viewing.
This section includes:
l Local CA Certificates l Certificates l External CA Certificates
Local CA Certificates
Local certificates are issued for a specific server or website. Generally they are very specific, and often for an internal enterprise network.
To manage local certificates, go to System > Certificates.
The following information is available:
Generate | Generate a CSR. See To generate a CSR: on page 56. |
Edit | Highlight a certificate and select to edit the certificate. |
Delete | Select the checkbox next to a certificate entry and select Delete to remove the selected certificate or CSR. Select OK in the confirmation dialog box to proceed with the delete action. |
Import | Import a certificate. Select any of the options under the dropdown:
l Local Certificate l Remote Certificate l CA Certificate l CRL See Import a certificate on page 58. |
View Details | View a certificate. See View certificate details on page 59. |
Download | Select a certificate or CSR, then select Download to download that certificate or CSR to your management computer. |
Certificates
Name | The name of the certificate. |
Subject | The subject of the certificate. |
Comments | Comments. |
Issuer | The issuer of the certificate. |
Expires | Displays the certificate’s expiry date and time. |
Status | The status of the certificate or CSR.
l OK: the certificate is okay. l NOT AVAILABLE: the certificate is not available, or the request was rejected. l PENDING: the certificate request is pending. |
Ref. | Displays the number of times the certificate or CSRis referenced to other objects.
To view the location of the referenced object, select the number in Ref., and the Object Usage window appears displaying the various locations of the referenced object. |
Whether you create certificates locally or obtain them from an external certificate service, a Certificate Signing Request (CSR) will need to be generated.
When a CSR is generated, a private and public key pair is created for the FortiCache unit. The generated request includes the public key of the device, and information such as the unit’s public static IP address, domain name, or email address. The device’s private key remains confidential on the unit.
After the request is submitted to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate, after which you can install the certificate on the FortiCache device.
To generate a CSR:
- From the local certificates list, select Generate.
The Generate Certificate Signing Request page opens.
- Enter the following information:
Certificate Name | Enter a unique name for the certificate request, such as the host name, or the serial number of the device.
Do not include spaces in the certificate to ensure compatibility as a PKCS12 file. |
Subject Information | Select the ID type from the drop-down list:
l Host IP: Select if the unit has a static IP address. Enter the device’s IP address in the IP Address field. l Domain Name: Enter the device’s domain name or FQDN in the Domain Name field. l E-mail: Enter the email address of the device’s administrator in the Email field. |
Optional Information | Optional information to further identify the device. |
Organization Unit | The name of the department. Up to 5 OUs can be added. |
Organization | The legal name of the company or organization. |
Locality (City) | The name of the city where the unit is located. |
State/Province | The name of the state or province where the unit is located. |
Country/Region | The country where the unit is located. Select from the drop-down list. |
The contact email address. |
Certificates
Subject
Alternative Name |
One or more alternative names, seperate by commas, for which the certificate is also valid.
An alternative name can be: email address, IP address, URI, DNS name, or a directory name. Each name must be preceded by it’s type, for example: IP:1/2/3/4, or URL: http://your.url.here/. |
Key Type | The key type is RSA. It cannot be changed. |
Key Size | Select the key size from the drop-down list: 1024, 1536, or 2048 bits. Larger key sizes are more secure, but slower to generate. |
Enrollment Method | Select the enrollment method:
l File Based: Generate the certificate request. l Online SCEP: Obtain a signed, Simple Certificate Enrollment Protocol (SCEP) based certificate automatically over the network. Enter CA server URL and challenge password in their respective fields. |
- Select OK to generate the CSR.