Tag Archives: fortinet administration guides

RADIUS Single Sign On – FortiAuthenticator 4.0

RADIUS Single Sign-On

A FortiGate or FortiMail unit can transparently identify users who have already authenticated on an external RADIUS server by parsing RADIUS accounting records. However, this approach has potential difficulties:

  • The RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.
  • In some cases, the server can send accounting records only to a single endpoint. Some network topologies may require multiple endpoints.

The FortiAuthenticator RADIUS Accounting Proxy overcomes these limitations by proxying the RADIUS accounting records, modifying them, and replicating them to the multiple subscribing endpoints as needed.

RADIUS accounting proxy

The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and then forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On. This differs from the packet use of RADIUS accounting (RADIUS accounting on page 115).

The accounting proxy needs to know:

l Rule sets to define or derive the RADIUS attributes that the FortiGate unit requires, l The source of the RADIUS accounting records: the RADIUS server, l The destination(s) of the accounting records: the FortiGate units using this information for RADIUS SSO authentication.

General settings

General RADIUS accounting proxy settings can be configure by going to Fortinet SSO Methods > Accounting Proxy > General.

The following settings are available:

Log level Select Debug, Info, Warning, or Error as the minimum severity level of event to log from the drop-down list.
Group cache lifetime Enter the amount of time after which user group memberships will expire in the cache, from 1 to 10080 minutes (7 days). The default is 480 minutes.
Number of proxy retries Enter the number of times to retry proxy requests if they timeout, from 0 to 3 retries, where 0 disables retries. The default is 3 retries.
Proxy retry timeout Enter the retry period (timeout) of a proxy request, from 1 to 10 seconds.
Statistics update period Enter the time between statistics updates to the seconds debug log, from 1 to 3600 seconds (1 hour).

Select OK to apply your changes.

accounting proxy                                                                                                                 RADIUS

Rule sets

A rule set can contain multiple rules. Each rule can do one of:

l add an attribute with a fixed value l add an attribute retrieved from a user’s record on an LDAP server l rename an attribute to make it acceptable to the accounting proxy destination.

The FortiAuthenticator unit can store up to 10 rule sets. You can provide both a name and a description to each rule set to help you remember each rule set’s purpose.

Rules access RADIUS attributes of which there are both standard attributes and vendor-specific attributes (VSAs). To select a standard attribute, select the Default vendor. See RADIUS attributes on page 72.

To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.

To add RADIUS accounting proxy rule sets:

  1. From the rule set list, select Create New. The Create New Rule Set window opens.
  2. Enter the following information:
Name Enter a name to use when selecting this rule set for an accounting proxy destination.
Description Optionally, enter a brief description of the rule’s purpose.
Rules Enter one or more rules.

Single Sign-On                                                                                      RADIUS accounting proxy

Action The action for each rule can be either Add or Modify.

Add: add either a static value or a value derived from an LDAP server.

Modify: rename an attribute.

Attribute Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Attribute 2 If the action is set to Modify, a second attribute may be selected. The first attribute will be renamed to the second attribute.
Value Type If the action is set to Add, select a value type from the drop-down list.

Static value: adds the attribute in the Attribute field containing the static value in the Value field.

Group names: adds attribute in the Attribute field containing “Group names” from the group membership of the Username Attribute on the remote LDAP server. l Services: adds attribute in the Attribute field containing “Services” from the group membership of the Username Attribute on the remote LDAP server.

UTM profile groups: adds attribute in the Attribute field containing “UTM profile groups” from the group membership of the Username Attribute on the remote LDAP server.

Value If the action is set to Add and Value Type is set to Static value, enter the static value.
Username

Attribute

If the action is set to Add, and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Remote LDAP If the attribute addition requires an LDAP server, select one from the dropdown list. See LDAP on page 88 for information on remote LDAP servers.
Description A brief description of the rule is provided.
Add another rule Select to add another rule to the rule set.
  1. Select OK to create the new rule set.
Example rule set

The incoming accounting packets contain the following fields:

  • User-Name l NAS-IP-Address l Fortinet-Client-IP-Address

The outgoing accounting packets need to have these fields:

accounting proxy                                                                                                                 RADIUS

  • User-Name l NAS-IP-Address l Fortinet-Client-IP-Address l Session-Timeout: Value is always 3600 l Fortinet-Group-Name: Value is obtained from user’s group membership on remote LDAP l Service-Type: Value is obtained from user’s group membership and SSO Group Mapping

The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and Service-Type. The following image provides an example:

Sources

The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed.

To add a RADIUS accounting proxy source:

  1. From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
  2. Enter the following information:
Name                                         Enter           the           name           of           the

This is used in FortiAuthenticator configurations.

RADIUS server.

Single Sign-On                                                                                      RADIUS accounting proxy

Source name/IP Enter the FQDN or IP address of the server.
Secret Enter the shared secret required to access the server.
Description Optionally, enter a description of the source.
  1. Select OK to add the RADIUS accounting proxy source.

Destinations

The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.

To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations.

To add a RADIUS accounting proxy destinations:

  1. From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
  2. Enter the following information:
Name Enter a name to identify the destination device in your configuration.
Destination name/IP Enter The FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
Secret Enter the preshared key of the destination.
Source Select a RADIUS client defined as a source from the drop-down list. See Sources on page 127.
Rule set Select an appropriate rule set from the drop-down list or select Create New to create a new rule set. See Rule sets on page 125.
  1. Select OK to add the RADIUS accounting proxy destination.

Port Based Network Access Control – FortiAuthenticator 4.0

Port-based Network Access Control

Port-based Network Access Control (PNAC), or 802.1X, authentication requires a client, an authenticator, and an authentication server (such as a FortiAuthenticator device).

The client is a device that wants to connect to the network. The authenticator is simply a network device, such as a wireless access point or switch. The authentication server is usually a host that supports the RADIUS and EAP protocols.

The client is not allowed access to the network until the client’s identity has been validated and authorized. Using 802.1X authentication, the client provides credentials to the authenticator, which the authenticator forwards to the authentication server for verification. If the authentication server determines that the credentials are valid, the client device is allowed access to the network.

FortiAuthenticator supports several IEEE 802.1X EAP methods.

EAP

The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. These include authentication methods most commonly used in WiFi networks.

EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation between the client and the authentication server, so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.

The FortiAuthenticator unit supports the following EAP methods:

Method Server Auth Client Auth Encryption Native OS Support
PEAP (MSCHAPv2) Yes Yes Yes Windows XP, Vista, 7
EAP-TTLS Yes No Yes Windows Vista, 7
EAP-TLS Yes Yes Yes Windows (XP, 7), Mac OS X, iOS,

Linux, Android

EAP-GTC Yes Yes Yes None (external supplicant required)

In addition to providing a channel for user authentication, EAP methods also provide certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and server authenticate each other using certificates. This is essential for authentication onto an enterprise network in a BYOD environment.

For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication >

UserManagement > Local Users (see Local users on page 58) and the relevant RADIUS client in Authentication > RADIUS Service > Clients (see RADIUS service on page 91) must permit that user to authenticate. By default, all local users can authenticate, but it is possible to limit authentication to specified user groups.

Port-based Network Access Control                                                                                                          EAP

The FortiAuthenticator unit and EAP

A FortiAuthenticator unit delivers all of the authentication features required for a successful EAP-TLS deployment, including:

  • Certificate Management: create and revoke certificates as a CA. See Certificate Management on page 132.
  • Simple Certificate Enrollment Protocol (SCEP) Server: exchange a Certificate Signing Request (CSR) and the resulting signed certificate, simplifying the process of obtaining a device certificate.

FortiAuthenticator unit configuration

To configure the FortiAuthenticator unit, you need to:

  1. Create a CA certificate for the FortiAuthenticator unit. See Certificate authorities on page 140.

Optionally, you can skip this step and use an external CA certificate instead. Go to Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates. See Trusted CAs on page 147.

  1. Create a server certificate for the FortiAuthenticator unit, using the CA certificate you created or imported in the preceding step. See End entities on page 133.
  2. If you configure EAP-TTLS authentication, go to Authentication > RADIUS Service > EAP and configure the certificates for EAP. See Configuring certificates for EAP on page 102.
  3. If SCEP will be used:
    1. Configure an SMTP server to be used for sending SCEP notifications. Then configure the email service for the administrator to use the SMTP server that you created. See E-mail services on page 46.
    2. Go to Certificate Management > SCEP > General and select Enable SCEP. Then select the CA certificate that you created or imported in Step 1 in the Default CA field and select OK. See SCEP on page 147.
  4. Go to Authentication > Remote Auth. Servers > LDAP and add the remote LDAP server that contains your user database. See LDAP on page 88.
  5. Import users from the remote LDAP server. You can choose which specific users will be permitted to authenticate. See Remote users on page 65.
  6. Go to Authentication > RADIUS Service > Clients to add the FortiGate wireless controller as an authentication client. Be sure to select the type of EAP authentication you intend to use. See RADIUS service on page 91.

Configuring certificates for EAP

The FortiAuthenticator unit can authenticate itself to clients with a CA certificate.

  1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the certificate you will use. See Trusted CAs on page 147.
  2. Go to Authentication > RADIUS Service > EAP.
  3. Select the EAP server certificate from the EAP ServerCertificate drop-down list.
  4. Select the trusted CAs and local CAs to use for EAP authentication from their requisite lists.
  5. Select OK to apply the settings.

Configuring switches and wireless controllers to use 802.1X authentication

The 802.1X configuration will be largely vendor dependent. The key requirements are:

Device self-enrollment                                                                           Port-based Network Access Control

l RADIUS Server IP: This is the IP address of the FortiAuthenticator l Key: The preshared secret configured in the FortiAuthenticator authentication client settings l Authentication Port: By default, FortiAuthenticator listens for authentication requests on port 1812.

Device self-enrollment

Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It is primarily used in enabling EAP-TLS for BYOD. For example:

l A user brings their tablet to a BYOD organization. l They log in to the FortiAuthenticator unit and create a certificate for the device. l With their certificate, username, and password they can authenticate to gain access to the wireless network. l Without the certificate, they are unable to access the network.

To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable userdevice certificate self-enrollment.

SCEP enrollment template Select a SCEP enrollment template from the drop-down list. SCEP can be configured in Certificate Management > SCEP. See SCEP on page 147 for more information.
Max. devices Set the maximum number of devices that a user can self-enroll.
Key size Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits).

iOS devices only support two key size: 1024 and 2048.

Enable self-enrollment for Smart Card certificate Select to enable self-enrollment for smart card certificates.

This requires that a DNS domain name be configured, as it is used in the CRL Distribution Points (CDPs) certificate extension.

Port-based Network Access Control                                                                          Non-compliant devices

Select OK to apply any changes you have made.

Non-compliant devices

802.1X methods require interactive entry of user credentials to prove a user’s identity before allowing them access to the network. This is not possible for non-interactive devices, such as printers. MAC Authentication Bypass is supported to allow non-802.1X compliant devices to be identified and accepted onto the network using their MAC address as authentication.

This feature is only for 802.1X MAC Authentication Bypass. FortiGate Captive Portal MAC Authentication is supported by configuring the MAC address as a standard user, with the MAC address as both the username and password, and not by entering it in the MAC Devices section.

Multiple MAC devices can be imported in bulk from a CSV file. The first column of the CSV file contains the device names (maximum of 50 characters), and the second column contains the corresponding MAC addresses (0123456789AB or 01:23:45:67:89:AB).

To configure MAC-based authentication for a device:

  1. Go to Authentication > User Management > MAC Devices. The MAC device list will be shown.
  2. If you are adding a new device, select Create New to open the Create New MAC-based Authentication Device

If you are editing an already existing device, select the device from the device list.

  1. Enter the device name in the Name field, and enter the device’s MAC address in the MAC address
  2. Select OK to apply your changes.

To import MAC devices:

  1. In the MAC device list, select Import.
  2. Select Browse to locate the CSV file on your computer.
  3. Select OK to import the list.

The import will fail if the maximum number of MAC devices has already been reached, or if any of the information contained within the file does not conform, for example if the device name too long, or there is an incorrectly formatted MAC address.

FortiAuthenticator 4.0 System

System

The System tab enables you to manage and configure the basic system options for the FortiAuthenticator unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, managing and updating firmware for the device, and managing messaging servers and services.

The System tab provides access to the following menus and sub-menus:

Dashboard Select this menu to monitor, and troubleshoot your FortiAuthenticator device. Dashboard widgets include: l System Information widget l System Resources widget l Authentication Activity widget l User Inventory widget l HA Status l License Information widget l Disk Monitor l Top User Lockouts widget
Network Select this menu to configure your FortiAuthenticator interfaces and network settings. l Interfaces

l   DNS

l   Static routing l Packet capture

Administration Select this menu to configure administrative settings for the FortiAuthenticator device. l GUI access

l   High availability l Firmware l Automatic backup

l   SNMP

l   Licensing l FortiGuard l FTP servers l Administration

Messaging Select this menu to configure messaging servers and services for the FortiAuthenticator device. l SMTP servers l E-mail services l SMS gateways

Dashboard

When you select the System tab, it automatically opens at the System > Dashboard page.

The Dashboard page displays widgets that provide performance and status information and enable you to configure some basic system settings. These widgets appear on a single dashboard.

The following widgets are available:

System Information Displays basic information about the FortiAuthenticator system including host name, DNS domain name, serial number, system time, firmware version, architecture, system configuration, current administrator, and up time.

From this widget you can manually update the FortiAuthenticator firmware to a different release. For more information, see System Information widget on page 25.

System Resources Displays the usage status of the CPU and memory. For more information, see System Resources widget on page 29.
Authentication Activity Displays a customizable graph of the number of logins to the device. For more information, see Authentication Activity widget on page 29.
User Inventory Displays the numbers of users, groups, FortiTokens, FSSO users, and FortiClient users currently used or logged in, as well as the maximum allowed number, the number still available, and the number that are disabled.

For more information, see User Inventory widget on page 29.

HA Status Displays whether or not HA is enabled.
License Information Displays the device’s license information, as well as SMS information. For more information, see License Information widget on page 29.
Disk Monitor Displays if RAID is enabled, and the current disk usage in GB.
Top User Lockouts Displays the top user lockouts. For more information, see Top User Lockouts widget on page 30.

Customizing the dashboard

The FortiAuthenticator system settings dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.

To move a widget

Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To add a widget

In the dashboard toolbar, select Add Widget, then select the name of widget that you want to show. Multiple widgets of the same type can be added. To hide a widget, in its title bar, select the Close icon.

To see the available options for a widget

Position your mouse cursor over the icons in the widget’s title bar. Options include show/hide the widget, edit the widget, refresh the widget content, and close the widget.

The following table lists the widget options.

Show/Hide arrow Display or minimize the widget.
Widget Title The name of the widget.
Edit Select to change settings for the widget.

This option appears only in certain widgets.

Refresh Select to update the displayed information.
Close Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget, select Widget in the toolbar and then select the name of the widget you want to show.
To change the widget title

Widget titles can be customized by selecting the edit button in the title bar and entering a new title in the widget settings dialog box. Some widgets have more options in their respective settings dialog box.

To reset a widget title to its default name, simply leave the Custom widget title field blank.

The widget refresh interval can also be manually adjusted from this dialog box.

System Information widget

The system dashboard includes a System Information widget, which displays the current status of the FortiAuthenticator unit and enables you to configure basic system settings.

The following information is available on this widget:

Host Name The identifying name assigned to this FortiAuthenticator unit. For more information, see Changing the host name on page 26.
DNS Domain Name The DNS domain name. For more information, see Changing the DNS domain name on page 27.
Serial Number The serial number of the FortiAuthenticator unit. The serial number is unique to the FortiAuthenticator unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
System Time The current date, time, and time zone on the FortiAuthenticator internal clock or NTP server. For more information, see Configuring the system time, time zone, and date on page 27.
Firmware Version The version number and build number of the firmware installed on the FortiAuthenticator unit. To update the firmware, you must download the latest version from the Customer Service & Support portal at https://support.fortinet.com. Select Update and select the firmware image to load from your management computer.
Architecture The architecture of the device, such as 32-bit.
System Configuration The date of the last system configuration backup. Select Backup/Restore to backup or restore the system configuration. For more information, see Backing up and restoring the configuration on page 28.
Current Administrator The name of the currently logged on administrator.
Uptime The duration of time the FortiAuthenticator unit has been running since it was last started or restarted.
Shutdown/Reboot Options to shutdown or reboot the device. When rebooting or shutting down the system, you have the option to enter a message that will be added to the event log explaining the reason for the shutdown or reboot.
Changing the host name

The System Information widget will display the full host name.

To change the host name:

  1. Go to System > Dashboard.
  2. In the System Information widget, in the Host Name field, select Change. The Edit Host Name page opens.
  3. In the Host name field, type a new host name.

The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.

  1. Select OK to save the setting.

Web Based Manager

Web-based Manager

This section describes general information about using the Web-based Manager to access the FortiAnalyzer system with a web browser.

This section includes the following topics:

  • System requirements
  • Connecting to the Web-based Manager
  • Web-based Manager overview
  • Web-based Manager configuration

System requirements

Web browser support

The FortiAnalyzer Web-based Manager supports the following web browsers:

  • Microsoft Internet Explorer versions 10 and 11
  • Mozilla Firefox versions 30 and 31
  • Google Chrome version 36

Other web browsers may function correctly, but are not supported by Fortinet.

Screen resolution

Fortinet recommends setting your monitor to a screen resolution of 1280×1024. This allows for all the objects in the Web-based Manager to be properly viewed.

 

 

Connecting to the Web-based Manager

The FortiAnalyzer unit can be configured and managed using the Web-based Manager or the CLI. This section will step you through connecting to the unit via the Web-based Manager.

For more information on connecting your specific FortiAnalyzer unit, read that device’s QuickStart guide.

To connect to the Web-based Manager:

  1. Connect the unit to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:
    • IP address: 192.168.1.2
    • Netmask: 255.255.255.0.
  3. On the management computer, start a supported web browser and browse to https://192.168.1.99.
  4. Type admin in the User Name field, leave the Password field blank, and select Login.

You should now be able to use the FortiAnalyzer Web-based Manager.

For information on enabling administrative access protocols and configuring IP addresses, see “To edit a network interface:” on page 71.

Web-based Manager overview

The FortiAnalyzer Web-based Manager consists of four primary parts: the tab bar, the main menu bar, the tree menu, and the content pane. The content pane includes a toolbar and, in some tabs, is horizontally split into two sections. The main menu bar is only visible in certain tabs when ADOMs are disabled (see “System Information widget” on page 46).

You can use the Web-based Manager menus, lists, and configuration pages to configure most FortiAnalyzer settings. Configuration changes made using the Web-based Manager take effect immediately without resetting the FortiAnalyzer system or interrupting service.

The Web-based Manager also includes online help, accessed by selecting the help icon in the right side of the tab bar.

Tab bar

The Web-based Manager tab bar contains the device model, the available tabs, the Help button and the Log Out button.

Figure 3: The tab bar

Device Manager Manage groups, devices, and VDOMs, and view real-time monitor data.

See “Device Manager” on page 32.

FortiView Drill down top sources, top applications, top destinations, top web sites, top threats, and top cloud applications. This tab was implemented to match the FortiView implementation in FortiGate.

The Log View tab is found in the FortiView tab. View logs for managed devices. You can display, download, import, and delete logs on this page.

See “FortiView” on page 115.

Event Management Configure and view events for managed log devices.

See “Event Management” on page 151.

This tab is not available when the unit is in Collector mode. See “Operation modes” on page 15 for more information.

Reports Configure report templates, schedules, and output profiles, and manage charts and datasets.

See “Reports” on page 165.

This tab is not available when the unit is in Collector mode. See “Operation modes” on page 15 for more information.

System Settings Configure system settings such as network interfaces,

administrators, system time, server settings, and others. You can also perform maintenance and firmware operations.

See “System Settings” on page 42.

 Change Password Select to change the password. Restricted_User and Standard_User admin profiles do not have access to the System Settings tab. An administrator with either of these admin profiles will see the change password icon in the navigation pane.
 Help Open the FortiAnalyzer online help.
 Log Out Log out of the Web-based Manager.

Tree menu

The Web-based Manager tree menu is on the left side of the window. The content in the menu varies depending on which tab is selected and how your FortiAnalyzer unit is configured.

Some elements in the tree menu can be right-clicked to access different configuration options.

Content pane

The content pane is on the right side of the window. The information changes depending on which tab is being viewed and what element is selected in the tree menu. The content pane of the Log View and Reports tabs are split horizontally into two frames.

Web-based Manager configuration

Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, TCP port number on which the Web-based Manager listens for connection attempts, the network interface(s) on which it listens, and the language of its display.

This section includes the following topics:

  • Language support
  • Administrative access
  • Restricting access by trusted hosts
  • Idle timeout

Language support

The Web-based Manager supports multiple languages; the default language setting is Auto Detect. Auto Detect uses the language configured on your management computer. If that language is not supported, the Web-based Manager will default to English.

You can change the Web-based Manager language to English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, you should select the language that the management computer operating system uses.

To change the Web-based Manager language:

  1. Go to System Settings > Admin > Admin Settings.

Figure 4: Administration settings

  1. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your management computer.
  2. Select Apply.

The following table lists FortiAnalyzer language support information.

Table 3: Language support

Language Web-based Manager Reports Documentation
English a a a
French   a  
Spanish   a  
Portuguese   a  
Korean a a  
Chinese (Simplified) a a  
Chinese (Traditional) a a  
Japanese a a  
Russian   a  
Hebrew   a  
Hungarian   a  

To change the FortiAnalyzer language setting, go to System Settings > Admin > Admin Settings, in Administrative Settings > Language select the desired language on the drop-down menu. The default value is Auto Detect.

Russian, Hebrew, and Hungarian are not included in the default report languages. You can import language translation files for these languages via the command line interface using one of the following commands:

execute sql-report import-lang <language name> <ftp> <server IP address> <user name> <password> <file name> execute sql-report import-lang <language name> <sftp <server IP address> <user name> <password> <file name> execute sql-report import-lang <language name> <scp> <server IP address> <user name> <password> <file name> execute sql-report import-lang <language name> <tftp> <server IP address> <file name>

For more information, see the FortiAnalyzer CLI Reference available from the Fortinet Document Library.

Administrative access

Administrative access enables an administrator to connect to the system to view and change configuration settings. The default configuration of your system allows administrative access to one or more of the interfaces of the unit as described in the QuickStart and installation guides for your device.

Administrative access can be configured in IPv4 or IPv6 and includes settings for: HTTPS, HTTP, PING, SSH (Secure Shell), TELNET, SNMP, Web Service, and Aggregator.

To change administrative access:

  1. Go to System Settings > Network.

By default, port1 settings will be presented. To configure administrative access for a different interface, select All Interfaces, and then select the interface from the list.

  1. Set the IPv4 IP/Netmask or the IPv6 Address, select one or more Administrative Access types for the interface, and set the default gateway and Domain Name System (DNS) servers.

Figure 5: Network management interface

  1. Select Apply to finish changing the access settings.

For more information, see “Network” on page 69.

Restricting access by trusted hosts

To prevent unauthorized access to the Web-based Manager you can configure administrator accounts with trusted hosts. With trusted hosts configured, the admin user can only log in to the Web-based Manager when working on a computer with the trusted host as defined in the admin account.

For more information, see “Administrator” on page 75.

Idle timeout

By default, the Web-based Manager disconnects administrative sessions if no activity takes place for fifteen minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged in and then left unattended.

To change the Web-based Manager idle timeout:

  1. Go to System Settings > Admin > Admin Settings (see Figure 4 on page 22).
  2. Change the Idle Timeout minutes as required.
  3. Select Apply to save the setting.

For more information, see “Administrator settings” on page 86.

Reboot and shutdown the FortiAnalyzer unit

Always reboot and shutdown the FortiAnalyzer system using the unit operation options in the Web-based Manager or the CLI to avoid potential configuration problems.

Figure 6: Unit operation actions in the Web-based Manager

To reboot the FortiAnalyzer unit:

  1. In the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget, select Reboot or, in the CLI Console widget, enter: execute reboot The system will be rebooted.

Do you want to continue? (y/n)

  1. Select y to continue. The FortiAnalyzer system will be rebooted.

To shutdown the FortiAnalyzer unit:

  1. In the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget, select Shutdown or, in the CLI Console widget, enter: execute shutdown The system will be halted.

Do you want to continue? (y/n)

  1. Select y to continue. The FortiAnalyzer system will be shut down.

To reset the FortiAnalyzer unit:

  1. In the CLI Console widget, enter:

execute reset all-settings This operation will reset all settings to factory defaults

Do you want to continue? (y/n)

  1. Select y to continue. The device will reset to factory default settings and reboot.

To reset logs and re-transfer all logs into the database:

  1. In the CLI Console widget, enter:

execute reset-sqllog-transfer WARNING: This operation will re-transfer all logs into database.

Do you want to continue? (y/n)

  1. Select y to continue.

Managing Users

Managing users

The User menu enables you to configure email user-related settings, such as groups, PKI authentication, preferences, address mappings, and email address aliases. If the FortiMail unit is operating in server mode, the User menu also enables you to add email user accounts.

This section includes:

  • Configuring local user accounts (server mode only)
  • Configuring user preferences
  • Configuring PKI authentication
  • Configuring user groups
  • Configuring aliases
  • Configuring address mappings
  • Configuring IBE users

Configuring local user accounts (server mode only)

When operating in server mode, the FortiMail unit is a standalone email server. The FortiMail unit receives email messages, scans for viruses and spam, and then delivers email to its email users’ mailboxes. External MTAs connect to the FortiMail unit, which itself is also the protected email server.

When the FortiMail unit operates in server mode and the web UI operates in advanced mode, the User tab is available. It lets you configure email user accounts whose mailboxes are hosted on the FortiMail unit. Email users can then access their email hosted on the FortiMail unit using webmail, POP3 and/or IMAP. For information on webmail and other features used directly by email users, see “Setup for email users” on page 719.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

For details, see “About administrator account permissions and domains” on page 290.

To view email user accounts, go to User > User > User.

Figure 170:User tab

Page 424

 

GUI item Description
Maintenance (button) Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of each mailbox, and empty or delete mailboxes as required.

The SecureMail mailbox contains the secured email for the user.

The Bulk mailbox contains spam quarantined by the FortiMail unit.

Click Back to return to the Users tab.

Export .CSV (button) Click to download a backup of the email users list in comma-separated value (CSV) file format. The user passwords are encoded for security.

Caution: Most of the email user accounts data, such as mailboxes and preferences, is not included in the .csv file. For information on performing a complete backup, see “Backup and restore” on page 218.

Import .CSV (button) In the field to the right of Import .CSV, enter the location of a CSV-formatted email user backup file, then click Import .CSV to upload the file to your FortiMail unit.

The import feature provides a simple way to add a list of new users in one operation. See “Importing a list of users” on page 427.

Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see “Configuring protected domains” on page 380. You may also want to back up the existing email user accounts. For details, see “Backup and restore” on page 218.

Password

(button)

Select a user and click this button to change a user’s password. A dialog appears. Choose whether to change the user password or to switch to LDAP authentication. You can create a new LDAP profile or edit an existing one. For details, see “Configuring LDAP profiles” on page 548.
Domain Select the protected domain to display its email users, or to select the protected domain to which you want to add an email user account before clicking New.

You can see only the domains that are permitted by your administrator profile.

Search user Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

To return to the complete user list, clear the search field and press Enter.

User Name Displays the user name of an email user, such as user1. This is also the local portion of the email user’s primary email address.
Type Displays the type of user: local, LDAP, or RADIUS.
Display Name Displays the display name of an email user, such as “J Smith”. This name appears in the From: field in the message headers of email messages sent from this email user.
Disk Usage (KB) Displays the disk space used by mailboxes for the email user in kilobytes (KB).

Configuring IBE Encryption

Configuring IBE encryption

The System > Encryption > IBE Encryption submenu lets you configure the Identity Based Encryption (IBE) service. With IBE, you can send secured email through the FortiMail unit.

This section contains the following topics:

  • About IBE
  • About FortiMail IBE
  • FortiMail IBE configuration workflow
  • Configuring IBE services

About IBE

IBE is a type of public-key encryption. IBE uses identities (such as email addresses) to calculate encryption keys that can be used for encrypting and decrypting electronic messages. Compared with traditional public-key cryptography, IBE greatly simplifies the encryption process for both users and administrators. Another advantage is that a message recipient does not need any certificate or key pre-enrollment or specialized software to access the email.

About FortiMail IBE

The FortiMail unit encrypts an email message using the public key generated with the recipient’s email address. The email recipient does not need to install any software or generate a pair of keys in order to access the email.

What happens is that when an email reaches the FortiMail unit, the FortiMail unit applies its IP-based policies and recipient-based policies containing IBE-related content profiles as well as the message delivery rules to the email. If a policy or rule match is found, the FortiMail unit encrypts the email using the public key before sending a notification to the recipient. Figure 148 shows a sample notification.

The notification email contains an HTML attachment, which contains instructions and links telling the recipient how to access the encrypted email.

If this is the first time the recipient receives such a notification, the recipient must follow the instructions and links to register on the FortiMail unit before reading email.

If this is not the first time the recipient receives such a notification and the recipient has already registered on the FortiMail unit, the recipient only needs to log in to the FortiMail unit to read email.

When the recipient opens the mail on the FortiMail unit, the email is decrypted automatically. Figure  shows how FortiMail IBE works:

Figure 147:How FortiMail works with IBE

  1. The FortiMail unit applies its IBE-related IP-based policies ,

Figure 148:Sample secure message notification

FortiMail IBE configuration workflow

Follow the general steps below to use the FortiMail IBE function:

  • Configure and enable the IBE service. See “Configuring IBE services” on page 359.
  • Manage IBE users. See “Configuring IBE users” on page 447.
  • Configure an IBE encryption profile. See “Configuring encryption profiles” on page 594.

If you want to encrypt email based on the email contents:

  • Add the IBE encryption profile to the content action profile. See “Configuring content action profiles” on page 535.
  • Add the content action profile to the content profile and configure the scan criteria in the content profile, such as attachment filtering, file type filtering, and content monitor and filtering including the dictionary and action profiles. See “Configuring content profiles” on page 526.
  • Add the content profile to the IP-based and recipient-based policies to determine email that needs to be encrypted with IBE. See “Controlling email based on recipient addresses” on page 468, and “Controlling email based on IP addresses” on page 475.

For example, on the FortiMail unit, you have:

  • configured a dictionary profile that contains a pattern called “Confidential”, and enabled Search header (see “Configuring dictionary profiles” on page 586)
  • added the dictionary profile to a content profile which also includes a content action profile that has an encryption profile in it
  • included the content profile to IP and recipient policies

You then notify your email users on how to mark the email subject line and header if they want to send encrypted email.

For example, Alice wants to send an encrypted email to Bob through the FortiMail unit. She can add “Confidential” in the email subject line, or “Confidential” in the header (in MS Outlook, when compiling a new mail, go to Options > Message settings > Sensitivity, and select Confidential in the list). The FortiMail unit will apply the policies you configured to the email by checking the email’s subject line and header. If one of them matches the patterns defined in the dictionary profile, the email will be encrypted.

  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

If you want to encrypt email using message delivery rules:

  • Configure message delivery rules using encryption profiles to determine email that need to be encrypted with IBE. See “Configuring delivery rules” on page 464.
  • Configure IBE email storage. See “Selecting the mail data storage location” on page 376.
  • Configure log settings for IBE encryption. See “Configuring logging” on page 671.
  • View logs of IBE encryption. See “Viewing log messages” on page 206.

Configuring IBE services

You can configure, enable, or disable IBE services which control how secured mail recipients use the FortiMail IBE function. For details about how to use IBE service, see “FortiMail IBE configuration workflow” on page 358.

To configure IBE service

  1. Go to System > Encryption > IBE Encryption.

Figure 149:IBE encryption tab

  1. Configure the following:

GUI item                   Description

Enable IBE service Select to enable the IBE service you configured.

IBE service name Enter the name for the IBE service. This is the name the secure mail recipients will see once they access the FortiMail unit to view the mail.
User registration expiry time (days) Enter the number of days that the secure mail recipient has to register on the FortiMail unit to view the mail before the registration expires. The starting date is the date when the FortiMail unit sends out the first notification to a mail recipient.
User inactivity expiry time (days) Enter the number of days the secure mail recipient can access the FortiMail unit without registration.

For example, if you set the value to 30 days and if the mail recipient did not access the FortiMail unit for 30 days after the user registers on the unit, the recipient will need to register again if another secure mail is sent to the user. If the recipient accessed the FortiMail unit on the 15th days, the 30-day limit will be recalculated from the 15th day onwards.

Encrypted email    Enter the number of days that the secured mail will be saved on the storage expiry time FortiMail unit. (days)

Password reset     Enter the password reset expiry time in hours. expiry time (hours)

This is for the recipients who have forgotten their login passwords and request for new ones. The secured mail recipient must reset the password within this time limit to access the FortiMail unit.

 

GUI item Description
Allow secure replying Select to allow the secure mail recipient to reply the email with encryption.
Allow secure forwarding Select to allow the secure mail recipient to forward the email with encryption.
Allow secure composing Select to allow the secure mail recipient to compose an email. The FortiMail unit will use policies and mail delivery rules to determine if this mail needs to be encrypted.

For encrypted email, the domain of the composed mail’s recipient must be a protected one, otherwise an error message will appear and the mail will not be delivered.

IBE base URL Enter the FortiMail unit URL, for example, https://192.168.100.20, on which a mail recipient can register or authenticate to access the secure mail.
“Help” content

URL

You can create a help file on how to access the FortiMail secure email and enter the URL for the file. The mail recipient can click the “Help” link from the secure mail notification to view the file.

If you leave this field empty, a default help file link will be added to the secure mail notification.

“About” content

URL

You can create a file about the FortiMail IBE encryption and enter the URL for the file. The mail recipient can click the “About” link from the secure mail notification to view the file.

If you leave this field empty, a link for a default file about the FortiMail IBE encryption will be added to the secure mail notification.

GUI item                   Description

Allow custom user control If your corporation has its own user authentication tools, enable this option and enter the URL.

“Custom user control” URL: This is the URL where you can check for user existence.

“Custom forgot password” URL: This is the URL where users get authenticated.

Notification Settings You can choose to send notification to the sender or recipient when the secure email is read or remains unread for a specified period of time.

Click the Edit link to modify the email template. For details, see “Customizing email templates” on page 288.

Depending on the IBE email access method (either PUSH or PULL) you defined in “Configuring encryption profiles” on page 594, the notification settings behave differently.

•      If the IBE message is stored on FortiMail PULL access method), the “read” notification will only be sent the first time the message is read.

•      If the IBE message is not stored on FortiMail (PUSH access method), the “read” notification will be sent every time the message is read, that is, after the user pushes the message to FortiMail and FortiMail decrypts the message.

•      There is no “unread” notification for IBE PUSH messages.