Category Archives: FortiOS

LDAP servers – FortiAnalyzer – FortiOS 6.2.3

1 Reply

LDAP servers

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a datarepresentation scheme, a set of defined operations, and a request/response network.

If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiAnalyzer unit sends the administrator’s credentials to the LDAP server for authentication. If the LDAP server can authenticate the administrator, they are successfully authenticated with the FortiAnalyzer unit. If the LDAP server cannot authenticate the administrator, the FortiAnalyzer unit refuses the connection.

To use an LDAP server to authenticate administrators, you must configure the server before configuring the administrator accounts that will use it.

To add an LDAP server:

  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Select Create New > LDAP Server from the toolbar. The New LDAP Server pane opens.
  3. Configure the following settings, and then click OK to add the LDAP server.
Name Enter a name to identify the LDAP server.
Server Name/IP Enter the IP address or fully qualified domain name of the LDAP server.
Port Enter the port for LDAP traffic. The default port is 389.
Common Name Identifier The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as UID.
Distinguished Name The distinguished name is used to look up entries on the LDAP server.

The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier. Clicking the query distinguished name icon will query the LDAP server for the name and open the LDAP Distinguished Name Query window to display the results.
Bind Type Select the type of binding for LDAP authentication: Simple, Anonymous, or Regular.
User DN When the Bind Type is set to Regular, enter the user DN.
Password When the Bind Type is set to Regular, enter the password.
Secure Connection Select to use a secure LDAP server connection for authentication.
Protocol When Secure Connection is enabled, select either LDAPS or STARTTLS.
Certificate When Secure Connection is enabled, select the certificate from the dropdown list.
Administrative Domain Choose the ADOMs that this server will be linked to for reporting: All ADOMs (default), or Specify for specific ADOMs.
Advanced Options  
adom-attr Specify an attribute for the ADOM.
attributes Specify the attributes such as member, uniquemember, or memberuid.
connect-timeout Specify the connection timeout in millisecond.
filter Specify the filter in the format (objectclass=*)
group Specify the name of the LDAP group.
memberof-attr Specify the value for this attribute. This value must match the attribute of the group in LDAP Server. All users part of the LDAP group with the attribute matching the memberof-attr will inherit the administrative permissions specified for this group.
profile-attr Specify the attribute for this profile.
secondary-server Specify a secondary server.
tertiary-server Specify a tertiary server.

Public Key Infrastructure – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Public Key Infrastructure

Public Key Infrastructure (PKI) authentication uses X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns authentication successful or denied notifications. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.

To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:

  • an X.509 certificate for the FortiManager administrator (administrator certificate)
  • an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA Certificate)

To get the CA certificate:

  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > Certificate Authorities > Local CAs.
  3. Select the certificate and select Export in the toolbar to save the com CA certificate to your management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.

To get the administrator certificate:

  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > End Entities > Users.
  3. Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved CA certificate’s filename is com.p12. This PCKS#12 file is password protected. You must enter a password on export.

To import the administrator certificate into your browser:

  1. In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
  2. Select the file com.p12 and enter the password used in the previous step.

To import the CA certificate into the FortiAnalyzer:

  1. Log into your FortiAnalyzer.
  2. Go to System Settings > Certificates > CA Certificates.
  3. Click Import, and browse for the com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.

To create a new PKI administrator account:

  1. Go to System Settings > Admin > Administrator.
  2. Click Create New. The New Administrator dialog box opens.

See Creating administrators on page 224 for more information.

  1. Select PKI for the Admin Type.
  2. Enter a comment in the Subject field for the PKI administrator.
  3. Select the CA certificate from the dropdown list in the CA
  4. Click OK to create the new administrator account.

Deleting administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Deleting administrator profiles

To delete a profile or profiles, you must be logged in to an account with sufficient privileges, or as a super user administrator. The predefined profiles cannot be deleted.

To delete a profile or profiles:

  1. Go to System Settings > Admin > Profile.
  2. Select the profile or profiles you need to delete.
  3. Click Delete in the toolbar, or right-click and select Delete.
  4. Select OK in the confirmation box to delete the profile or profiles.

Cloning administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Cloning administrator profiles

To clone an administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator.

To edit an administrator:

  1. Go to System Settings > Admin > Profile.
  2. Right-click on a profile and select Clone from the menu, or select the profile then click Clone in the toolbar. The Clone Profile pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.

Editing administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Editing administrator profiles

To edit an administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator. The profile’s name cannot be edited. The Super_User profile cannot be edited, and the predefined profiles cannot be deleted.

To edit an administrator:

  1. Go to System Settings > Admin > Profile.
  2. Double-click on a profile, right-click on a profile and then select Edit from the menu, or select the profile then click Edit in the toolbar. The Edit Profile pane opens.
  3. Edit the settings as required, and then select OK to apply the changes.

Creating administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Creating administrator profiles

To create a new administrator profile, you must be logged in to an account with sufficient privileges, or as a super user administrator.

To create a custom administrator profile:

  1. Go to System Settings > Admin > Profile.
  2. Click Create New in the toolbar. The New Profile pane is displayed.
  3. Configure the following settings:
Profile Name                                            Enter a name for this profile.
Description                                              Optionally, enter a description for this profile. While not a

requirement, a description can help to know what the profiles is for, or the levels it is set to.
Permissions Select None, Read Only, or Read-Write access for the categories as required.
Privacy Masking                                      Enable/disable privacy masking.
Masked Data Fields Select the fields to mask: Destination Name, Source IP, Destination IP, User, Source Name, Email, Message, and/or Source MAC.
                          Data Mask Key                       Enter the data masking encryption key. You need the Data Mask

Key to see the original data.
                          Data Unmasked Time(0-        Enter the number of days the user assigned to this profile can see

365 Days)                             all logs without masking.

The logs are masked if the time period in the Log View toolbar is greater than the number of days in the Data Masked Time field.

l  Only integers between 0-365 are supported.

l  Time frame masking does not apply to real time logs.

l  Time frame masking applies to custom view and drill-down data.
  1. Click OK to create the new administrator profile.

To apply a profile to an administrator:

  1. Go to System Settings > Administrators.
  2. Create a new administrator or edit an existing administrator. The Edit Administrator pane is displayed.
  3. From the Admin Profile list, select a profile.

Privacy Masking – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Privacy Masking

Use Privacy Masking to help protect user privacy by masking or anonymizing user information. You can select which fields to mask. Masked fields show anonymous data. You can unmask and see the original data by entering the Data Mask Key that you specify in the administrator profile.

When Privacy Masking is enabled in an administrator profile, accounts using that profile have a See Original Data button in the banner.

To turn privacy masking on:

  1. In System Settings > Profile, create or edit a profile.
  2. In the Privacy Masking section, set the toggle to ON
  3. In the Masked Data Fields section, select the fields you want to mask.

The fields you select are masked in all modules that display those fields.

  1. In the Data Mask Key field, type the key that will allow users to unmask the data.
  2. In the Data Unmasked Time field, type the number of days the data is unmasked.

You can enter a number between 0-365. Logs that are older than the number of days appear masked.

To see the original, unmasked data:

  1. In any list showing masked data, click See Original Data in the banner and select Screen Picker or Manual Input.
  2. If you select Screen Picker, click a masked field, for example, 75.196.35.21.

The Unmask Protected Data dialog box displays with the field you clicked already entered. If you select Manual Input, enter the masked text, for example, 75.196.35.21.

  1. Enter the Data Mask Key that was set up in the administrator profile and click OK.

Administrator profiles – FortiAnalyzer – FortiOS 6.2.3

Leave a reply

Administrator profiles

Administrator profiles are used to control administrator access privileges to devices or system features. Profiles are assigned to administrator accounts when an administrator is created. The profile controls access to both the FortiAnalyzer GUI and CLI.

There are three predefined system profiles:

Restricted_User Restricted user profiles have no system privileges enabled, and have read-only access for all device privileges.
Standard_User Standard user profiles have no system privileges enabled, and have read/write access for all device privileges.
Super_User Super user profiles have all system and device privileges enabled. It cannot be edited.

These profiles cannot be deleted, but standard and restricted profiles can be edited. New profiles can also be created as required. Only super user administrators can manage administrator profiles.

Go to System Settings > Admin > Profile to view and manage administrator profiles.

The following options are available:

Create New Create a new administrator profile. See Creating administrator profiles on page 231.
Edit Edit the selected profile. See Editing administrator profiles on page 233.
Clone Clone the selected profile. See Cloning administrator profiles on page 233.
Delete Delete the selected profile or profiles. See Deleting administrator profiles on page 233.
Search Search the administrator profiles list.

The following information is shown:

Name The name the administrator uses to log in.
Type The profile type.
Description A description of the system and device access permissions allowed for the selected profile.

Permissions

The below table lists the default permissions for the predefined administrator profiles.

When Read-Write is selected, the user can view and make changes to the FortiAnalyzer system. When Read-Only is selected, the user can only view information. When None is selected, the user can neither view or make changes to the FortiAnalyzer system.

Setting   Predefined Administrator Profile
  Super User Standard User Restricted User
System Settings system-setting Read-Write None None
Administrative Domain adom-switch Read-Write Read-Write None
Device Manager device-manager Read-Write Read-Write Read-Only
Add/Delete/Edit

Devices/Groups device-op

 Read-Write Read-Write None
Log View/FortiView/SOC log-viewer Read-Write Read-Write Read-Only
Incidents & Events event-management Read-Write Read-Write Read-Only
Reports report-viewer Read-Write Read-Write Read-Only
FortiRecorder Read-Write Read-Write None
CLI only settings      
device-wan-link-load-balance Read-Write Read-Write Read-Only
device-ap Read-Write Read-Write Read-Only
device-forticlient Read-Write Read-Write Read-Only
device-fortiswitch Read-Write Read-Write Read-Only
realtime-monitor Read-Write Read-Write Read-Only