Tag Archives: intergrated computer solutions

Fortinet FortiGate 6040E

FortiGate 6040E

In case you guys haven’t heard the news yet, Fortinet has released the FortiGate 6040E. This is a pretty handy firewall that helps Enterprise organizations achieve the level of UTM/NGFW functionality they need without having to spend obscene amounts of money on hardware capable.

Fortinet FortiGate 6040E

Fortinet FortiGate 6040E

This device is substantially stronger, has modified management capabilities and can flow 320 Gbps of firewall throughput (80 Gbps UTM/NGFW). The FortiGate 6040E has 6 available options right now that you can see in the image below.

6 options are available for the FortiGate 6040E

6 options are available for the FortiGate 6040E

Fortinet’s blog has a really good break out of the device as well as the benefits and cool features it has. Click here to see!

Event Management

Event Management

In the Event Management tab you can configure events handlers based on log type and logging filters. You can select to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all devices, or for the local FortiAnalyzer. You can create event handlers for FortiGate and FortiCarrier devices. In v5.2.0 or later, Event Management supports local FortiAnalyzer event logs.

Events can also be monitored, and the logs associated with a given event can be viewed.

Events

The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging the event.

To view events, go to the Event Management tab and select Event Management > All Events. You can also view events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.

Figure 112:Events page

 

The following information is displayed:

Time Period Select a time period from the drop-down list. Select one of: Last 30 mins, Last 1 hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N days, All.

If applicable, enter the number of days or hours for N in the N text box.

Show

Acknowledged

Select to show or hide acknowledged events. Acknowledged events are greyed out in the list.
Search Search for a specific event.
Count The number of log entries associated with the event. Click the heading to sort events by count.
Event Name The name of the event. Click the heading to sort events by event name.
Severity The severity level of the event. Event severity level is a user configured variable. The severity can be Critical, High, Medium, or Low. Click the heading to sort events by severity.
Event Type The event type. For example, Traffic or Event. Click the heading to sort events by event type.
Additional Info Additional information about the event. Click the heading to sort events by additional information.
Last Occurrence The date and time that the event was created and added to the events page. Click the heading to sort events by last occurrence.
Pagination Adjust the number of logs that are listed per page and browse through the pages.

Right-click on an event in the list to open the right-click menu. The following options are available:

 View Details The Event Details page is displayed. See “Event details” on page 153.
 Acknowledge Acknowledge an event. If Show Acknowledge is not selected, the event will be hidden. See “Acknowledge events” on page 154.

Event details

Event details provides a summary of the event including the event name, severity, type, count, additional information, last occurrence, device, event handler, raw log entries, and review notes. You can also acknowledge and print events in this page.

To view log messages associated with an event:

  1. In the events list, either double-click on an event or right-click on an event then select View Details in the right-click menu.

The Event Details page opens.

Figure 113:Event details page

  1. The following information and options are available:
 Print Select the print icon to print the event details page. The log details pane is not printed.
 Return Select the return icon to return to the All Events page.
Event Name The name of the event, also displayed in the title bar.
Severity The severity level configured for the event handler.
Type The event category of the event handler.
Count The number of logged events associated with the event.
Additional Info This field either displays additional information for the event or a link to the FortiGuard Encyclopedia. A link will be displayed for AntiVirus, Application Control, and IPS event types.
Last Occurrence The date and time of the last occurrence.
Device The device hostname associated with the event.
Event Handler The name of the event handler associated with the event. Select the link to edit the event handler. See “Event handler” on page 155.
Text box Optionally, you can enter a 1023 character comment in the text field. Select the save icon, , to save the comment, or cancel, , to cancel your changes.
Logs The logs associated with the log event are displayed. The columns and log fields are dependent on the event type.
Pagination Adjust the number of logs that are listed per page and browse through the pages.
Log details Log details are shown in the lower content pane for the selected log. The details will vary based on the log type.
  1. Select the return icon, , to return to the All Events

Acknowledge events

You can select to acknowledge events to remove them from the event list. An option has been added to this page to allow you to show or hide these acknowledged events.

To acknowledge events:

  1. From the event list, select the event or events that you would like to acknowledge.
  2. Right-click and select Acknowledge in the right-click menu.

Select the Show Acknowledge checkbox in the toolbar to view acknowledged events.

Configuring Policies

Configuring policies

The Policy menu lets you create policies that use profiles to filter email.

It also lets you control who can send email through the FortiMail unit, and stipulate rules for how it will deliver email that it proxies or relays.

                                 •    What is a policy?

  • How to use policies
  • Controlling SMTP access and delivery
  • Controlling email based on recipient addresses
  • Controlling email based on IP addresses

What is a policy?

A policy defines which way traffic will be filtered. It may also define user account settings, such as authentication type, disk quota, and access to webmail.

After creating the antispam, antivirus, content, authentication, TLS, or resource profiles (see “Configuring profiles” on page 482), you need to apply them to policies for them to take effect.

FortiMail units support three types of policies:

  • Access control and delivery rules that are typical to SMTP relays and servers (see

“Controlling SMTP access and delivery” on page 456)

  • Recipient-based policies (see “Controlling email based on recipient addresses” on page 468)
  • IP-based policies (see “Controlling email based on IP addresses” on page 475)

Recipient-based policies versus IP-based policies

  • Recipient-based policies

The FortiMail unit applies these based on the recipient’s email address or the recipient’s user group. May also define authenticated webmail or POP3 access by that email user to their per-recipient quarantine. Since version 4.0, the recipient-based policies also check sender patterns.

  • IP-based policies

The FortiMail unit applies these based on the SMTP client’s IP address (server mode or gateway mode), or the IP addresses of both the SMTP client and SMTP server (transparent mode).

Page 453

Incoming versus outgoing email messages

There are two types of recipient-based policies: incoming and outgoing. The FortiMail unit applies incoming policies to the incoming mail messages and outgoing policies to the outgoing mail messages.

Whether the email is incoming or outgoing is decided by the domain name in the recipient’s email address. If the domain is a protected domain, the FortiMail unit considers the message to be incoming and applies the first matching incoming recipient-based policy. If the recipient domain is not a protected domain, the message is considered to be outgoing, and applies outgoing recipient-based policy.

To be more specific, the FortiMail unit actually matches the recipient domain’s IP address with the IP list of the protected SMTP servers where the protected domains reside. If there is an IP match, the domain is deemed protected and the email destined to this domain is considered to be incoming. If there is no IP match, the domain is deemed unprotected and the email destined to this domain is considered to be outgoing.

For more information on protected domains, see “Configuring protected domains” on page 380.

Managing Users

Managing users

The User menu enables you to configure email user-related settings, such as groups, PKI authentication, preferences, address mappings, and email address aliases. If the FortiMail unit is operating in server mode, the User menu also enables you to add email user accounts.

This section includes:

  • Configuring local user accounts (server mode only)
  • Configuring user preferences
  • Configuring PKI authentication
  • Configuring user groups
  • Configuring aliases
  • Configuring address mappings
  • Configuring IBE users

Configuring local user accounts (server mode only)

When operating in server mode, the FortiMail unit is a standalone email server. The FortiMail unit receives email messages, scans for viruses and spam, and then delivers email to its email users’ mailboxes. External MTAs connect to the FortiMail unit, which itself is also the protected email server.

When the FortiMail unit operates in server mode and the web UI operates in advanced mode, the User tab is available. It lets you configure email user accounts whose mailboxes are hosted on the FortiMail unit. Email users can then access their email hosted on the FortiMail unit using webmail, POP3 and/or IMAP. For information on webmail and other features used directly by email users, see “Setup for email users” on page 719.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category.

For details, see “About administrator account permissions and domains” on page 290.

To view email user accounts, go to User > User > User.

Figure 170:User tab

Page 424

 

GUI item Description
Maintenance (button) Select a user and click this button to manage that user’s mailboxes, such as Inbox, Drafts and Sent. You can check the size of each mailbox, and empty or delete mailboxes as required.

The SecureMail mailbox contains the secured email for the user.

The Bulk mailbox contains spam quarantined by the FortiMail unit.

Click Back to return to the Users tab.

Export .CSV (button) Click to download a backup of the email users list in comma-separated value (CSV) file format. The user passwords are encoded for security.

Caution: Most of the email user accounts data, such as mailboxes and preferences, is not included in the .csv file. For information on performing a complete backup, see “Backup and restore” on page 218.

Import .CSV (button) In the field to the right of Import .CSV, enter the location of a CSV-formatted email user backup file, then click Import .CSV to upload the file to your FortiMail unit.

The import feature provides a simple way to add a list of new users in one operation. See “Importing a list of users” on page 427.

Before importing a user list or adding an email user, you must first configure one or more protected domains to which the email users will belong. For more information, see “Configuring protected domains” on page 380. You may also want to back up the existing email user accounts. For details, see “Backup and restore” on page 218.

Password

(button)

Select a user and click this button to change a user’s password. A dialog appears. Choose whether to change the user password or to switch to LDAP authentication. You can create a new LDAP profile or edit an existing one. For details, see “Configuring LDAP profiles” on page 548.
Domain Select the protected domain to display its email users, or to select the protected domain to which you want to add an email user account before clicking New.

You can see only the domains that are permitted by your administrator profile.

Search user Enter the name of a user, or a partial user name with wildcards, and press Enter. The list of users redisplays with just those users that meet the search criteria.

To return to the complete user list, clear the search field and press Enter.

User Name Displays the user name of an email user, such as user1. This is also the local portion of the email user’s primary email address.
Type Displays the type of user: local, LDAP, or RADIUS.
Display Name Displays the display name of an email user, such as “J Smith”. This name appears in the From: field in the message headers of email messages sent from this email user.
Disk Usage (KB) Displays the disk space used by mailboxes for the email user in kilobytes (KB).

Configuring Mail Settings

Configuring mail settings

The Mail Settings menu lets you configure the basic email settings of the FortiMail unit (such as the port number of the FortiMail SMTP relay/proxy/server), plus how to handle connections and how to manage the mail queues.

This section includes:

  • Configuring the built-in MTA and mail server
  • Configuring protected domains
  • Managing the address book (server mode only)
  • Sharing calendars and address books (server mode only)
  • Migrating email from other mail servers (server mode only)
  • Configuring proxies (transparent mode only)

Configuring the built-in MTA and mail server

Go to Mail Settings > Settings to configure assorted settings that apply to the SMTP server and webmail server that are built into the FortiMail unit.

This section includes:

  • Configuring mail server settings
  • Configuring global disclaimers
  • Configuring disclaimer exclusion list
  • Selecting the mail data storage location

Configuring mail server settings

Use the mail server settings to configure SMTP server/relay settings of the System domain, which is located on the local host (that is, your FortiMail unit).

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure local SMTP server settings

  1. Go to Mail Settings > Settings > Mail Server Settings.

A multisection page appears.

Page 366

Figure 153:Mail Server Settings tab

  1. Configure the following sections as needed:
  • “Configuring local host settings” on page 368
  • “Configuring SMTP relay hosts” on page 373
  • “Configuring deferred message delivery” on page 371
  • “Configuring DSN options” on page 369
  • “Configuring mail queue setting” on page 370
  • “Configuring domain check options” on page 372

Configuring local host settings

Provide the name and SMTP information for the mail server.

GUI item Description
Host name Enter the host name of the FortiMail unit.

Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<host-name>.<local-domain-name>

such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name.

Note: The FQDN of the FortiMail unit should be different from that of protected SMTP servers. If the FortiMail unit uses the same FQDN as your mail server, it may become difficult to distinguish the two devices during troubleshooting.

Note: You should use a different host name for each FortiMail unit, especially when you are managing multiple FortiMail units of the same model, or when configuring a high availability (HA) cluster. This will let you to distinguish between different members of the cluster. If the FortiMail unit is in HA mode, the FortiMail unit will add the host name to the subject line of alert email messages. For details, see “Configuring alert email” on page 682.

Local domain name Enter the local domain name to which the FortiMail unit belongs.

The local domain name is used in many features such as email quarantine, Bayesian database training, quarantine report, and delivery status notification (DSN) email messages.

Displays the FortiMail unit’s fully qualified domain name (FQDN) is in the format:

<host-name>.<local-domain-name>

such as fortimail-400.example.com, where fortimail-400 is the Host name and example.com is the Local domain name.

Note: The IP address should be globally resolvable into the FQDN of the FortiMail unit if it will relay outgoing email. If it is not globally resolvable, reverse DNS lookups of the FortiMail unit’s domain name by external SMTP servers will fail. For quarantine reports, if the FortiMail unit is operating in server mode or gateway mode, DNS records for the local domain name may need to be globally resolvable to the IP address of the FortiMail unit. If it is not globally resolvable, web and email release/delete for the per-recipient quarantines may fail. For more information on configuring required DNS records, see “Setting up the system” on page 25.

Note: The Local domain name is not required to be different from or identical to any protected domain. It can be a subdomain or different, external domain.

For example, a FortiMail unit whose FQDN is fortimail.example.com could be configured with the protected domains example.com and accounting.example.net.

SMTP server port number Enter the port number on which the FortiMail unit’s SMTP server will listen for SMTP connections. The default port number is 25.
GUI item Description
SMTP over SSL/TLS Enable to allow SSL- and TLS-secured connections from SMTP clients that request SSL/TLS.

When disabled, SMTP connections with the FortiMail unit’s built-in MTA must occur as clear text, unencrypted.

Note: This option must be enabled to receive SMTPS connections. However, it does not require them. To enforce client use of SMTPS, see “Configuring access control rules” on page 456.

SMTPS server port number Enter the port number on which the FortiMail unit’s built-in MTA listens for secure SMTP connections. The default port number is 465.

This option is unavailable if SMTP over SSL/TLS is disabled.

SMTP MSA

service

Enable let your email clients use SMTP for message submission on a separate TCP port number from deliveries or mail relay by MTAs.

For details on message submission by email clients as distinct from SMTP used by MTAs, see RFC 2476.

SMTP MSA port number Enter the TCP port number on which the FortiMail unit listens for email clients to submit email for delivery. The default port number is 587.
POP3 server port number Enter the port number on which the FortiMail unit’s POP3 server will listen for POP3 connections. The default port number is 110.

This option is available only if the FortiMail unit is operating in server mode.

Default domain for

authentication

If you set one domain as the default domain, users on the default domain only need to enter their user names without the domain part for webmail/SMTP/IMAP/POP3 authentication, such as user1. Users on the non-default domains must enter both the user name part and domain part to authentication, such as user2@example.com.

Webmail access Enable to redirect HTTP webmail access to HTTPS.

Configuring DSN options

Use this section to configure mail server delivery status notifications.

For information on failed deliveries, see “Managing the deferred mail queue” on page 179 and “Managing undeliverable mail” on page 181.

For more information on DSN, see “Managing the deferred mail queue” on page 179.

GUI item Description
DSN (NDR) email generation Enable to allow the FortiMail unit to send DSN messages to notify email users of delivery delays and/or failure.
GUI item Description
Sender displayname Displays the name of the sender, such as FortiMail administrator, as it should appear in DSN email.

If this field is empty, the FortiMail unit uses the default name of postmaster.

Sender address Displays the sender email address in DSN.

If this field is empty, the FortiMail unit uses the default sender email address of postmaster@<domain_str>, where <domain_str> is the domain name of the FortiMail unit, such as example.com.

Configuring Administrator Accounts and Access Profiles

Configuring administrator accounts and access profiles

The Administrator submenu configures administrator accounts and access profiles.

This topic includes:

  • About administrator account permissions and domains
  • Configuring administrator accounts
  • Configuring access profiles

About administrator account permissions and domains

Depending on the account that you use to log in to the FortiMail unit, you may not have complete access to all CLI commands or areas of the web UI.

Access profiles and domain assignments together control which commands and areas an administrator account can access. Permissions result from an interaction of the two.

The domain to which an administrator is assigned is one of:

  • System

The administrator can access areas regardless of whether an item pertains to the FortiMail unit itself or to a protected domain. Every administrator’s permissions are restricted only by their access profile.

  • a protected domain

The administrator can only access areas that are specifically assigned to that protected domain. With a few exceptions, the administrator cannot access system-wide settings, files or statistics, nor most settings that can affect other protected domains, regardless of whether access to those items would otherwise be allowed by the administrator’s access profile. The administrator cannot access the CLI, nor the basic mode of the web UI. (For more information on the display modes of the GUI, see “Basic mode versus advanced mode” on page 24.)

There are exceptions. Domain administrators can configure IP-based policies, the global black list, the global white list, the blacklist action, and the global Bayesian database. If you do not want to allow this, do not provide Read-Write permission to those categories in domain administrators’ access profiles.

Table 28:Areas of the GUI that domain administrators cannot access

Maintenance
Monitor except for the Personal quarantine tab
System except for the Administrator tab
Mail Settings except for the domain, its subdomains, and associated domains
User > User > PKI User
Policy > Access Control > Receive

Policy > Access Control > Delivery

Profile > Authentication
AntiSpam except for AntiSpam > Bayesian > User and AntiSpam > Black/White List
Email Archiving
Log and Report

Access profiles assign either read, read/write, or no access to each area of the FortiMail software. To view configurations, you must have read access. To make changes, you must have write access. For more information on configuring an administrator access profile, see “Configuring access profiles” on page 297.

Table 29:Areas of control in access profiles

Access control area name Grants access to

(For each config command, there is an equivalent get/show command, unless otherwise noted.

config access requires write permission. get/show access requires read permission.)

In the web UI In the CLI
Black/White List black-whit e-lis t Monitor > Endpoint Reputation > Auto Blacklist

Maintenance > AntiSpam > Black/White List Maintenance AntiSpam > Black/White List …

 N/A
Quarantine quarantine Monitor > Quarantine …

AntiSpam > Quarantine > Quarantine Report

AntiSpam > Quarantine > System Quarantine Setting

AntiSpam > Quarantine > Control Account

config antispam quarantine-report config mailsetting systemquarantine
Policy policy Monitor > Mail Queue …

Monitor > Greylist …

Monitor > Sender Reputation > Display

Mail Settings > Domains > Domains

Mail Settings > Proxies > Proxies User > User …

Policy …

Profile

AntiSpam > Greylist …

AntiSpam > Bounce Verification > Settings AntiSpam > Endpoint Reputation …

AntiSpam > Bayesian …

config antispam greylist exempt config antispam bounce-verification key config antispam settings config domain

config mailsetting proxy-smtp config policy … config profile … config user …

Table 29:Areas of control in access profiles

Archive archive Email Archiving

Monitor > Archive

config archive
Greylist greylist Monitor > Greylist …

AntiSpam > Greylist …

config antispam greylist… get antispam greylist …
Others others Monitor > System Status …

Monitor > Archive > Email Archives Monitor > Log …

Monitor > Report …

Maintenanceexcept the Black/White List Maintenance tab

System

Mail Settings > Settings

Mail Settings > Address Book > Address Book

User > User Alias > User Alias User > Address Map > Address Map Email Archiving

Log and Report

config archive … config log …

config mailsetting relayserver config mailsetting storage config report config system … config user alias config user map diagnose … execute …

get system status

About the “admin” account

Unlike other administrator accounts whose access profile is super_admin_prof and domain is System, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. Its name, permissions, and assignment to the System domain cannot be changed.

The admin administrator account always has full permission to view and change all FortiMail configuration options, including viewing and changing all other administrator accounts. It is the only administrator account that can reset another administrator’s password without having to enter the existing password. As such, it is the only account that can reset another administrator’s password if the existing password is unknown or forgotten. (Other administrators can change an administrator’s password if they know the current password.

About the “remote_wildcard” account

In previous FortiMail releases (older than v5.1), when you add remote RADIUS or LDAP accounts to FortiMail for account authentication purpose, you must add them one by one on FortiMail. Starting from FortiMail v5.1, you can use the wildcard to add RADIUS accounts (LDAP accounts will be supported in future releases) all at once.

To achieve this, you can enable the preconfigured “remote_wildcard” account and specify which RADIUS profile to use. Then every account on the RADIUS server will be able to log on to FortiMail.

To add all accounts on a RADIUS server to FortiMail

  1. Go to System > Administrator > Administrator.
  2. Double click the built-in “remote_wildcard” account.
  3. Configure the following and click OK.
GUI item Description
Enable Select it to enable the wildcard account.
Administrator The default name is remote_wildcard and it is not editable.
Domain Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.

For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290.

Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.

Note: If you enable domain override in the RADIUS profile, this setting will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing protected domain. For details, see “Configuring authentication profiles” on page 542.

Access profile Select the name of an access profile that determines which functional areas the administrator account may view or affect.

Click New to create a new profile or Edit to modify the selected profile. For details, see “Configuring access profiles” on page 297.

Note: If you enable remote access override in the RADIUS profile, this access profile will be overwritten by the value of the remote attribute returned from the RADIUS server, if the returned value matches an existing access profile. For details, see “Configuring authentication profiles” on page 542.

Authentication type For the v5.1 release, only RADIUS is supported. For details, see “Configuring authentication profiles” on page 542.
GUI item Description
Trusted hosts Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.

If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.

Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.

Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.

Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248.

Language Select this administrator account’s preference for the display language of the web UI.
Theme Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.

The administrator may switch the theme at any time during a session by clicking Next Theme.

Configuring administrator accounts

The Administrator tab displays a list of the FortiMail unit’s administrator accounts and the trusted host IP addresses administrators use to log in (if configured).

By default, FortiMail units have a single administrator account, admin. For more granular control over administrative access, you can create additional administrator accounts that are restricted to a specific protected domain and with restricted permissions. For more information, see “About administrator account permissions and domains” on page 290.

Depending on the permission and assigned domain of your account, this list may not display all administrator accounts. For more information, see “About administrator account permissions and domains” on page 290.

If you configured a system quarantine administrator account, this account does not appear in the list of standard FortiMail administrator accounts. For more information on the system quarantine administrator account, see “Configuring the system quarantine administrator account and disk quota” on page 611.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Others category.

For details, see “About administrator account permissions and domains” on page 290.

To configure administrator accounts

  1. Go to System > Administrator > Administrator.
  2. Either click New to add an account or double-click an account to modify it.

A dialog appears.

Figure 121:New Administrator dialog

  1. Configure the following and then click Create:
GUI item Description
Enable Select it to enable the new account. If disabled, the account will not be able to access FortiMail.
Administrator Enter the name for this administrator account.

The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), hyphens ( – ), and underscores ( _ ). Other special characters and spaces are not allowed.

Domain Select System for the entire FortiMail unit or the name of a protected domain, such as example.com, to which this administrator account will be assigned.

For more information on protected domain assignments, see “About administrator account permissions and domains” on page 290.

Note: If Domain is a protected domain, the administrator cannot use the CLI, or the basic mode of the web UI.

Access profile Select the name of an access profile that determines which functional areas the administrator account may view or affect.

Click New to create a new profile or Edit to modify the selected profile.

For details, see “Configuring access profiles” on page 297.

 

GUI item Description
Authentication type Select the local or remote type of authentication that the administrator will use:

•      Local

•      RADIUS

•      PKI

•      LDAP

Note: RADIUS, LDAP and PKI authentication require that you first configure a RADIUS authentication profile, LDAP authentication profile, or PKI user. For more information, see “Configuring authentication profiles” on page 542 and “Configuring PKI authentication” on page 435.

Password If you select Local as the authentication type, enter a secure password for this administrator account.

The password can contain any character except spaces.

This field does not appear if Authentication type is not Local or RADIUS+Local.

Confirm password Enter this account’s password again to confirm it.

This field does not appear if Authentication type is not Local or RADIUS+Local.

LDAP profile If you choose to use LDAP authentication, select an LDAP profile you want to use.
RADIUS profile If you choose to use RADIUS or RADIUS + Local authentication, select a RADIUS profile you want to use.
PKI profile If you choose to use PKI authentication, select a PKI profile you want to use.
Trusted hosts Enter an IPv4 or IPv6 address or subnet from which this administrator can log in. You can add up to 10 trusted hosts.

If you want the administrator to access the FortiMail unit from any IP address, use 0.0.0.0/0.0.0.0.

Enter the IP address and netmask in dotted decimal format. For example, you might permit the administrator to log in to the FortiMail unit from your private network by typing 192.168.1.0/255.255.255.0.

Note: For additional security, restrict all trusted host entries to administrative hosts on your trusted private network.

Note: For information on restricting administrative access protocols that can be used by these hosts, see “Editing network interfaces” on page 248.

GUI item Description
Language Select this administrator account’s preference for the display language of the web UI.
Theme Select this administrator account’s preference for the display theme or click Use Current to choose the theme currently in effect.

The administrator may switch the theme at any time during a session by clicking Next Theme.