System Configuration – Administrators – FortiOS 6.2

Administrators

Administrator profiles

Introduction

By default, the FortiGate has a super administrator account, called admin. Additional administrators can be added for various functions, each with a unique username, password, and set of access privileges.

Administrator profiles define what the administrator can do when logged into the FortiGate. When you set up an administrator account, you also assign an administrator profile which dictates what the administrator sees. Depending on the nature of the administrator’s work, access level or seniority, you can allow them to view and configure as much or as little as is required.

Super_admin profile

This profile has access to all components of FortiOS, including the ability to add and remove other system administrators. For certain administrative functions, such as backing up and restoring the configuration, super_admin access is required. To ensure that there is always a method to administer the FortiGate, the super_admin profile can’t be deleted or modified.

The super_admin profile is used by the default admin account. It is recommended that you add a password and rename this account once you have set up your FortiGate. In order to rename the default account, a second admin account is required.

Creating customized profiles

To create a profile in the GUI:

  1. Go to System > Admin Profiles.
  2. Select Create New.
  3. Configure the following settings:
     • Access permissions.
     • Override idle timeout.
  4. Select OK.

To create a profile in the CLI:

config system accprofile
    edit "sample"
        set secfabgrp read-write
        set ftviewgrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
end

Edit profiles

To edit a profile in the GUI:

  1. Go to System > Admin Profiles.
  2. Choose the profile to be edited and select Edit.
  3. Select OK to save any changes made.

To edit a profile in the CLI:

config system accprofile
    edit "sample"
        set secfabgrp read
    next
end

Delete profiles

To delete a profile in the GUI:

  1. Go to System > Admin Profiles.
  2. Choose the profile to be deleted and select Delete.
  3. Select OK.

To delete a profile in the CLI:

config system accprofile
    delete "sample"
end

Add a local administrator

By default, FortiGate has one super admin named admin. You can create more administrator accounts with different privileges.

To create an administrator account in the GUI:

  1. Go to System > Administrators.
  2. Select Create New > Administrator.
  3. Specify the Username.
  4. Set Type to Local User.
  5. Set the password and other fields.
  6. Click OK.

To create an administrator account in the CLI:

config system admin
    edit <Admin_name>
        set accprofile <Profile_name>
        set vdom <Vdom_name>
        set password <Password for this admin>
    next
end

Remote authentication for administrators

Administrators can use remote authentication, such as LDAP, to connect to the FortiGate.

Setting up remote authentication for administrators includes the following steps:

  1. Configure the LDAP server
  2. Add the LDAP server to a user group
  3. Configure the administrator account

Configure the LDAP server

To configure the LDAP server in the GUI:

  1. Go to User & Device > LDAP Servers and select Create New.
  2. Enter the server Name and the Server IP address or Name.
  3. Enter the Common Name Identifier and Distinguished Name.
  4. Set the Bind Type to Regular and enter the Username and Password.
  5. Click OK.

To configure the LDAP server in the CLI:

config user ldap
    edit <ldap_server_name>
        set server <server_ip>
        set cnid "cn"
        set dn "dc=XYZ,dc=fortinet,dc=COM"
        set type regular
        set username "cn=Administrator,dc=XYA, dc=COM"
        set password <password>
    next
end

Add the LDAP server to a user group

After configuring the LDAP server, create a user group that includes the LDAP server you configured.

To create a user group in the GUI:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. In the Remote groups section, select Create New.
  4. Select the Remote Server from the dropdown list.
  5. Click OK.

To create a user group in the CLI:

config user group
    edit <Group_name>
        set member "ldap_server_name"
    next
end

Configure the administrator account

After configuring the LDAP server and adding it to a user group, create a new administrator. For this administrator, instead of entering a password, use the new user group and the wildcard option for authentication.

To create an administrator in the GUI:

  1. Go to System > Administrators.
  2. Select Create New > Administrator.
  3. Specify the Username.
  4. Set Type to Match a user on a remote server group.
  5. In Remote User Group, select the user group you created.
  6. Select Wildcard.

The Wildcard option allows LDAP users to connect as this administrator.

  7. Select an Administrator Profile.
  8. Click OK.

To create an administrator in the CLI:

config system admin
    edit <admin_name>
        set remote-auth enable
        set accprofile super_admin
        set wildcard enable
        set remote-group ldap
    next
end
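The two administrator-creation procedures above (local accounts and wildcard remote accounts) produce `config system admin` entries whose risk is easy to read off a configuration backup: the default `admin` account the guide says to rename, and a wildcard remote administrator mapped to `super_admin`, which lets every member of the remote group log in with full privileges. The following Python script is an added example, not Fortinet code: it parses the CLI-style config syntax shown in this guide (config / edit / set / next / end) and reports those conditions. The configuration text it runs on is constructed for illustration, and the `ENC placeholder` password value stands in for the encrypted value a real backup would contain.

```python
"""Audit 'config system admin' entries from a FortiOS-style config dump.

Added example, not Fortinet code. Parses the config / edit / set / next / end
syntax used in this guide and flags:
  * the default 'admin' account still present on super_admin (the guide
    recommends renaming it once a second admin account exists);
  * remote administrators with wildcard enabled and accprofile super_admin
    (every user in remote-group would get full access);
  * remote-auth enabled without a remote-group.
"""
import shlex

# Constructed sample configuration; 'ENC placeholder' stands in for a real
# encrypted password value.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC placeholder
    next
    edit "netops-ldap"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "ldap"
    next
    edit "auditor"
        set accprofile "readonly"
        set vdom "root"
    next
end
config system password-policy
    set status enable
    set minimum-length 12
end
"""


def parse_fortios_config(text):
    """Return {config_path: {entry_name: {key: value}}}.

    Sections without 'edit' tables (e.g. 'system password-policy') store
    their settings under the empty entry name "". Nested 'config' blocks
    are keyed as parent-path/child-path.
    """
    result = {}
    path_stack = []   # config paths, innermost last
    entry_stack = []  # current 'edit' entry dict per config level
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path = " ".join(args)
            if path_stack:
                path = path_stack[-1] + "/" + path
            path_stack.append(path)
            result.setdefault(path, {})
            entry_stack.append(None)
        elif cmd == "edit":
            entry = {}
            result[path_stack[-1]][args[0]] = entry
            entry_stack[-1] = entry
        elif cmd == "set":
            target = entry_stack[-1]
            if target is None:  # table-less section
                target = result[path_stack[-1]].setdefault("", {})
            target[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry_stack[-1] = None
        elif cmd == "end":
            path_stack.pop()
            entry_stack.pop()
    return result


def audit_admins(parsed):
    """Return a list of (admin_name, finding) tuples for risky admin entries."""
    findings = []
    for name, attrs in parsed.get("system admin", {}).items():
        profile = attrs.get("accprofile", "")
        remote = attrs.get("remote-auth") == "enable"
        wildcard = attrs.get("wildcard") == "enable"
        if name == "admin" and profile == "super_admin":
            findings.append((name, "default admin account still uses super_admin; rename it"))
        if remote and wildcard and profile == "super_admin":
            findings.append((name, "wildcard remote admin mapped to super_admin"))
        if remote and not attrs.get("remote-group"):
            findings.append((name, "remote-auth enabled but no remote-group set"))
    return findings


if __name__ == "__main__":
    for admin, finding in audit_admins(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"{admin}: {finding}")
```

To run it against a real backup, replace `SAMPLE_CONFIG` with the contents of the backup file; the parser ignores commands it does not know, so other sections pass through harmlessly.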

Other methods of administrator authentication

Administrator accounts can use different methods for authentication, including RADIUS, TACACS+, and PKI.

RADIUS authentication for administrators

To use a RADIUS server to authenticate administrators, you must:

  • Configure the FortiGate to access the RADIUS server.
  • Create the RADIUS user group.
  • Configure an administrator to authenticate with a RADIUS server.

TACACS+ authentication for administrators

To use a TACACS+ server to authenticate administrators, you must:

  • Configure the FortiGate to access the TACACS+ server.
  • Create a TACACS+ user group.
  • Configure an administrator to authenticate with a TACACS+ server.

PKI certificate authentication for administrators

To use PKI authentication for an administrator, you must:

  • Configure a PKI user.
  • Create a PKI user group.
  • Configure an administrator to authenticate with a PKI certificate.

Password policy

Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if p4ssw0rd is used as a password, it can be cracked.

Using secure passwords is vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

  • Do not use passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
  • Use numbers in place of letters, for example, passw0rd.
  • Administrator passwords can be up to 64 characters.
  • Include a mixture of numbers, and upper and lower case letters.
  • Use multiple words together, or possibly even a sentence, for example keytothehighway.
  • Use a password generator.
  • Change the password regularly and always make the new password unique and not a variation of the existing password, such as changing from password to password1.
  • Make note of the password and store it in a safe place away from the management computer, in case you forget it; or ensure at least two people know the password in the event one person becomes unavailable. Alternatively, have two different admin logins.

FortiGate allows you to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password policy including:

  • Minimum length between 8 and 64 characters.
  • If the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
  • If the password must contain numbers (1, 2, 3).
  • If the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )).
  • Where the password applies (admin or IPsec or both).
  • The duration of the password before a new one must be specified.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, the administrator is prompted to update the password to meet the new requirements before proceeding to log in.

To create a system password policy in the GUI:

  1. Go to System > Settings.
  2. In the Password Policy section, change the Password scope to Admin, IPsec, or Both.
  3. Specify the password options.
  4. Click Apply.

To create a system password policy in the CLI:

config system password-policy
    status                  Enable/disable setting a password policy for locally defined administrator passwords and IPsec VPN pre-shared keys.
    apply-to                Apply password policy to administrator passwords or IPsec preshared keys or both. Separate entries with a space.
    minimum-length          Minimum password length (8 – 128, default = 8).
    min-lower-case-letter   Minimum number of lowercase characters in password (0 – 128, default = 0).
    min-upper-case-letter   Minimum number of uppercase characters in password (0 – 128, default = 0).
    min-non-alphanumeric    Minimum number of non-alphanumeric characters in password (0 – 128, default = 0).
    min-number              Minimum number of numeric characters in password (0 – 128, default = 0).
    change-4-characters     Enable/disable changing at least 4 characters for a new password (this attribute overrides reuse-password if both are enabled).
    expire-status           Enable/disable password expiration.
    reuse-password          Enable/disable reusing of password (if both reuse-password and change-4-characters are enabled, change-4-characters overrides).
end
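The password-policy options above are simple enough to model, and doing so shows how the p4ssw0rd-style passwords criticised earlier in this section fail a reasonable policy while a multi-word password passes. The Python below is an added example, not Fortinet code: the policy is a plain dictionary whose keys mirror the `config system password-policy` options listed on this page. Two things are this example's own assumptions rather than documented FortiOS behaviour: the defaults chosen for `change-4-characters` (disable) and `reuse-password` (enable), and the way "changed characters" are counted (positions at which the old and new password differ, plus any difference in length). The page's rule that `change-4-characters` overrides `reuse-password` when both are enabled is implemented by evaluating the 4-character check first and skipping the reuse check when it applies.

```python
"""Check a candidate password against a FortiOS-style password policy.

Added example, not Fortinet code. Policy keys mirror the options of
'config system password-policy' in this guide. The defaults marked
'assumed' and the changed-character counting are this example's own.
"""

DEFAULT_POLICY = {
    "minimum-length": 8,              # page: 8 - 128, default 8
    "min-lower-case-letter": 0,       # page: 0 - 128, default 0
    "min-upper-case-letter": 0,       # page: 0 - 128, default 0
    "min-non-alphanumeric": 0,        # page: 0 - 128, default 0
    "min-number": 0,                  # page: 0 - 128, default 0
    "change-4-characters": "disable", # assumed default
    "reuse-password": "enable",       # assumed default
}

# Constructed policy an operator might apply with scope "Admin".
STRICT_POLICY = {
    "minimum-length": 12,
    "min-upper-case-letter": 1,
    "min-number": 1,
    "min-non-alphanumeric": 1,
    "change-4-characters": "enable",
}


def changed_characters(old, new):
    """Positions where old and new differ, plus any length difference.
    (Counting rule assumed for this example.)"""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_password(new, policy, old=None):
    """Return the policy options the candidate violates, in the order the
    page lists them. An empty list means the password is acceptable."""
    p = {**DEFAULT_POLICY, **policy}
    counts = {
        "min-lower-case-letter": sum(1 for c in new if c.islower()),
        "min-upper-case-letter": sum(1 for c in new if c.isupper()),
        "min-non-alphanumeric": sum(1 for c in new if not c.isalnum()),
        "min-number": sum(1 for c in new if c.isdigit()),
    }
    violations = []
    if len(new) < p["minimum-length"]:
        violations.append("minimum-length")
    for key, have in counts.items():
        if have < p[key]:
            violations.append(key)
    if old is not None:
        # change-4-characters overrides reuse-password when both are enabled,
        # so it is evaluated first and subsumes the plain reuse check.
        if p["change-4-characters"] == "enable":
            if changed_characters(old, new) < 4:
                violations.append("change-4-characters")
        elif p["reuse-password"] == "disable" and new == old:
            violations.append("reuse-password")
    return violations


if __name__ == "__main__":
    for candidate in ("p4ssw0rd", "keytothehighway", "Keytothehighway#7"):
        print(candidate, "->", check_password(candidate, STRICT_POLICY) or "ok")
    print(check_password("Keytothehighway#8", STRICT_POLICY, old="Keytothehighway#7"))
```

Note that "p4ssw0rd" is rejected here only because the policy demands length, an uppercase letter and a symbol; the policy options cannot tell that it is a dictionary word with substitutions, which is why the advice above to use long multi-word passwords or a generator still matters.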


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
